Scribd
Upload
24 views31 pages

Chapter 3 B Mis

This document discusses system vulnerabilities and security controls. It outlines various threats like hackers, viruses, denial of service attacks, and internal threats from employees. It also describes different types of attacks such as spoofing, sniffing, and social engineering. Finally, it discusses the importance of establishing a framework of general and application controls to secure information systems from these threats. This includes implementing controls around software, hardware, operations, data, implementation and administration.

Uploaded by

belachewh8
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
24 views31 pages

Chapter 3 B Mis

This document discusses system vulnerabilities and security controls. It outlines various threats like hackers, viruses, denial of service attacks, and internal threats from employees. It also describes different types of attacks such as spoofing, sniffing, and social engineering. Finally, it discusses the importance of establishing a framework of general and application controls to secure information systems from these threats. This includes implementing controls around software, hardware, operations, data, implementation and administration.

Uploaded by

belachewh8
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 31

Management Information Systems

CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Security:
 Policies, procedures and technical measures used to
prevent unauthorized access, alteration, theft, or
physical damage to information systems
Controls:
 Methods, policies, and organizational procedures that
ensure safety of organization’s assets; accuracy and
reliability of its accounting records; and operational
adherence to management standards

1
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Why systems are vulnerable


 Accessibility of networks
 Hardware problems (breakdowns, configuration
errors, damage from improper use or crime)
 Software problems (programming errors, installation
errors, unauthorized changes)
 Disasters
 Use of networks/computers outside of firm’s control
 Loss and theft of portable devices

2
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Internet vulnerabilities
 Network open to anyone
 Size of Internet means abuses can have wide impact
 Use of fixed Internet addresses with cable or DSL
modems creates fixed targets hackers
 Unencrypted VOIP
 E-mail, P2P, IM
 Interception
 Attachments with malicious software
 Transmitting trade secrets

3
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Wireless security challenges


 Radio frequency bands easy to scan
 SSIDs (service set identifiers)
 Identify access points
 Broadcast multiple times
War driving
 Eavesdroppers drive by buildings and try to detect SSID and gain access to
network and resources
 WEP (Wired Equivalent Privacy)
 Security standard for 802.11; use is optional
 Uses shared password for both users and access point
 Users often fail to implement WEP or stronger systems

4
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Malware (malicious software)


 Viruses
 Rogue software program that attaches itself to other software
programs or data files in order to be executed
 Worms
 Independent computer programs that copy themselves from
one computer to other computers over a network.
 Trojan horses
 Software program that appears to be benign but then does
something other than expected.

5
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Malware (cont.)
 SQL injection attacks
 Hackers submit data to Web forms that exploits site’s
unprotected software and sends rogue SQL query to database
 Spyware
 Small programs install themselves surreptitiously on
computers to monitor user Web surfing activity and serve up
advertising
 Key loggers
 Record every keystroke on computer to steal serial numbers,
passwords, launch Internet attacks

6
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Hackers and computer crime


Hackers vs. crackers
System intrusion
System damage
Cyber vandalism
Intentional disruption, defacement, destruction of
Web site or corporate information system

7
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Spoofing
 Misrepresenting oneself by using fake e-mail addresses
or masquerading as someone else
 Redirecting Web link to address different from
intended one, with site masquerading as intended
destination
Sniffer
 Eavesdropping program that monitors information
traveling over network
 Enables hackers to steal proprietary information such
as e-mail, company files, etc.
8
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Denial-of-service attacks (DoS)


 Flooding server with thousands of false requests to
crash the network.
Distributed denial-of-service attacks (DDoS)
 Use of numerous computers to launch a DoS
 Botnets
 Networks of “zombie” PCs infiltrated by bot malware
 Worldwide, 6 - 24 million computers serve as zombie PCs in
thousands of botnets

9
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Computer crime
 Defined as “any violations of criminal law that involve
a knowledge of computer technology for their
perpetration, investigation, or prosecution”
 Computer may be target of crime, e.g.:
 Breaching confidentiality of protected computerized data
 Accessing a computer system without authority
 Computer may be instrument of crime, e.g.:
 Theft of trade secrets
 Using e-mail for threats or harassment

10
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Identity theft
 Theft of personal Information (social security id,
driver’s license or credit card numbers) to impersonate
someone else
Phishing
 Setting up fake Web sites or sending e-mail messages
that look like legitimate businesses to ask users for
confidential personal data.
Evil twins
 Wireless networks that pretend to offer trustworthy
Wi-Fi connections to the Internet

11
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Pharming
 Redirects users to a bogus Web page, even when
individual types correct Web page address into his or
her browser
Click fraud
 Occurs when individual or computer program
fraudulently clicks on online ad without any intention
of learning more about the advertiser or making a
purchase
Cyberterrorism and Cyberwarfare
12
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Internal threats: employees


Security threats often originate inside an organization
Inside knowledge
Sloppy security procedures
User lack of knowledge
Social engineering:
Tricking employees into revealing their passwords by
pretending to be legitimate members of the company in need
of information

13
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

System Vulnerability and Abuse

Software vulnerability
 Commercial software contains flaws that create
security vulnerabilities
 Hidden bugs (program code defects)
 Zero defects cannot be achieved because complete testing is not possible
with large programs
 Flaws can open networks to intruders
 Patches
 Vendors release small pieces of software to repair flaws
 However exploits often created faster than patches be released
and implemented

14
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Business Value of Security and Control

Electronic evidence
 Evidence for white collar crimes often in digital form
 Data on computers, e-mail, instant messages, e-commerce
transactions
 Proper control of data can save time and money when
responding to legal discovery request
Computer forensics:
 Scientific collection, examination, authentication,
preservation, and analysis of data from computer
storage media for use as evidence in court of law
 Includes recovery of ambient and hidden data

15
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Establishing a Framework for Security and Control

Information systems controls


Manual and automated controls
General and application controls
General controls
Govern design, security, and use of computer
programs and security of data files in general
throughout organization’s information technology
infrastructure.
Apply to all computerized applications
Combination of hardware, software, and manual
procedures to create overall control environment
16
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Establishing a Framework for Security and Control

Types of general controls


Software controls
Hardware controls
Computer operations controls
Data security controls
Implementation controls
Administrative controls

17
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Establishing a Framework for Security and Control

Application controls
Specific controls unique to each computerized application,
such as payroll or order processing
Include both automated and manual procedures
Ensure that only authorized data are completely and accurately
processed by that application
Include:
Input controls
Processing controls
Output controls

18
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Establishing a Framework for Security and Control

Security policy
 Ranks information risks, identifies acceptable security
goals, and identifies mechanisms for achieving these
goals
 Drives other policies
 Acceptable use policy (AUP)
 Defines acceptable uses of firm’s information resources and computing
equipment
 Authorization policies
 Determine differing levels of user access to information assets

19
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Establishing a Framework for Security and Control

Identity management
Business processes and tools to identify valid users
of system and control access
 Identifies and authorizes different categories of users
 Specifies which portion of system users can access
 Authenticating users and protects identities
Identity management systems
 Captures access rules for different levels of users

20
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Establishing a Framework for Security and Control

Disaster recovery planning: Devises plans for


restoration of disrupted services
Business continuity planning: Focuses on restoring
business operations after disaster
Both types of plans needed to identify firm’s most
critical systems
Business impact analysis to determine impact of an
outage
Management must determine which systems restored
first

21
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Technologies and Tools for Protecting Information Resources

Identity management software


Automates keeping track of all users and privileges
Authenticates users, protecting identities, controlling
access
Authentication
Password systems
Tokens
Smart cards
Biometric authentication

22
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Technologies and Tools for Protecting Information Resources

Firewall:
Combination of hardware and software that
prevents unauthorized users from accessing
private networks
Technologies include:
Static packet filtering
Network address translation (NAT)
Application proxy filtering

23
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Technologies and Tools for Protecting Information Resources

Intrusion detection systems:


 Monitor hot spots on corporate networks to detect
and deter intruders
 Examines events as they are happening to discover
attacks in progress
Antivirus and antispyware software:
 Checks computers for presence of malware and can
often eliminate it as well
 Require continual updating
Unified threat management (UTM) systems

24
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Technologies and Tools for Protecting Information Resources

Securing wireless networks


WEP security can provide some security by
Assigning unique name to network’s SSID and not
broadcasting SSID
Using it with VPN technology
Wi-Fi Alliance finalized WAP2 specification,
replacing WEP with stronger standards
Continually changing keys
Encrypted authentication system with central server

25
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Technologies and Tools for Protecting Information Resources

Encryption:
Transforming text or data into cipher text
that cannot be read by unintended recipients
Two methods for encryption on networks
Secure Sockets Layer (SSL) and successor
Transport Layer Security (TLS)
Secure Hypertext Transfer Protocol (S-HTTP)

26
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Technologies and Tools for Protecting Information Resources

Two methods of encryption


Symmetric key encryption
Sender and receiver use single, shared key
Public key encryption
Uses two, mathematically related keys: Public key
and private key
Sender encrypts message with recipient’s public key
Recipient decrypts with private key

27
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Technologies and Tools for Protecting Information Resources

Ensuring system availability


 Online transaction processing requires 100%
availability, no downtime
Fault-tolerant computer systems
 For continuous availability, e.g. stock markets
 Contain redundant hardware, software, and power
supply components that create an environment that
provides continuous, uninterrupted service
High-availability computing
 Helps recover quickly from crash
 Minimizes, does not eliminate downtime

28
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Technologies and Tools for Protecting Information Resources

Recovery-oriented computing
 Designing systems that recover quickly with capabilities
to help operators pinpoint and correct of faults in
multi-component systems
Controlling network traffic
 Deep packet inspection (DPI)
 Video and music blocking
Security outsourcing
 Managed security service providers (MSSPs)

29
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Technologies and Tools for Protecting Information Resources

Security in the cloud


 Responsibility for security resides with company
owning the data
 Firms must ensure providers provides adequate
protection
 Service level agreements (SLAs)
Securing mobile platforms
 Security policies should include and cover any special
requirements for mobile devices
 E.g. updating smart phones with latest security patches, etc.

30
Management Information Systems
CHAPTER 3: SECURING INFORMATION SYSTEMS

Technologies and Tools for Protecting Information Resources

Ensuring software quality


 Software metrics: Objective assessments of system in
form of quantified measurements
 Number of transactions
 Online response time
 Payroll checks printed per hour
 Known bugs per hundred lines of code
 Early and regular testing
 Walkthrough: Review of specification or design
document by small group of qualified people
 Debugging: Process by which errors are eliminated

31

You might also like