IS Security and Control - PowerPoint PPT Presentation

About This Presentation
Title:

IS Security and Control

Description:

The heavy dependence of business now on information systems means that it is ... table (FAT) records, on the boot disk (floppy or hard), rendering the disk unusable. ... – PowerPoint PPT presentation

Slides: 33
Provided by: michaelt197

Transcript and Presenter's Notes

1
IS Security and Control
2
Learning Objectives
  • Demonstrate why IS are so vulnerable to
    destruction, error, abuse and system quality
    problems
  • Compare general and application controls for
    information systems.

3
System Vulnerability and Abuse
  • The concentrated data held on computer systems
    makes the data susceptible to destruction, fraud,
    error and abuse
  • The heavy dependence of business now on
    information systems means that it is vital to
    ensure their smooth operation

4
Why Systems are Vulnerable
  • Large amounts of data in electronic form are much
    more vulnerable than paper-based systems because:
  • computer systems are often very complex and so
    hard to replace with manual systems
  • alterations to computer records are harder to see
    (no Tipp-Ex)
  • there is the possibility of a complete loss of
    data with electronic storage
  • on-line systems are open to large-scale access,
    some of which could be malicious

5
Hackers and Crackers
  • People who use the Internet for specific purposes
    and exploit its features to achieve specific
    objectives, but do not actively break security
    barriers, are generally called hackers
  • People who actively break security features by
    exploiting flaws in security systems, or by
    brute-forcing their way past security barriers,
    are known as crackers

6
Hackers and Crackers - Motives
  • Cracking systems or hijacking computers for fun,
    but without causing disruption or problems
  • Damaging systems or hijacking computers for
    malicious pleasure
  • Hijacking computers via the Internet to assist
    cyber (computer-based) crime
  • Netspionage (Internet-enabled surveillance and
    spying) by states, corporations or other groups.
    In recent years this has become a cheap and
    popular way of obtaining information or
    intelligence on the use of the Internet by
    governments and other groups in society. Like
    cyber criminals, these people may commandeer
    others' computers to keep one step removed from
    their target.

7
Viruses - Definition
  • While there is no widely-accepted definition of
    the term computer virus, the following loose
    definition should suffice: a computer virus is
    executable code that, when run by someone,
    infects or attaches itself to other executable
    code in a computer in an effort to reproduce
    itself. Some computer viruses are malicious,
    erasing files or locking up systems; others
    merely present a problem solely through the act
    of infecting other code.

8
Viruses - Types
  • While there are thousands of variations of
    viruses, most fall into one of the following six
    general categories:
  • Boot Sector Virus - replaces or implants itself in
    the boot sector, an area of a disk accessed when
    you first turn on your computer. This kind of
    virus can prevent you from being able to boot
    your hard disk.
  • File Virus - infects applications. These
    executables then spread the virus by infecting
    associated documents and other applications
    whenever they're opened or run.
  • Macro Virus - written using a simplified macro
    programming language, these viruses affect
    Microsoft Office applications, such as Word and
    Excel, and (at the time of writing) account for
    about 75 percent of viruses found in the wild. A
    document infected with a macro virus generally
    modifies a pre-existing, commonly used command
    (such as Save) to trigger its payload upon
    execution of that command.
  • Multipartite Virus - infects both files and the
    boot sector, a double whammy that can reinfect
    your system dozens of times before it's caught.
  • Polymorphic Virus - changes its code whenever it
    passes to another machine; in theory these
    viruses should be more difficult for anti-virus
    scanners to detect, but in practice they're
    usually not that well written.
  • Stealth Virus - hides its presence by making an
    infected file not appear infected, but doesn't
    usually stand up to anti-virus software.

9
Viruses Trojans Worms
  • Trojans are programs that hide inside other,
    apparently legitimate files, and often do no
    damage to the file that carries them. Often,
    Trojans are written into commonly-used programs
    such as screen savers, or as scripted macros in
    word processing programs such as Word, i.e. a
    Trojan Horse is a program that performs some
    undesired yet intended action while, or in
    addition to, pretending to do something else. One
    common class of trojans is fake login programs,
    which collect accounts and passwords by prompting
    for this information just as a normal login
    program does. Another is a disk defragger that
    erases files rather than reorganizing them. A
    Trojan Horse differs from a virus in that the
    former does not attempt to reproduce itself.
  • Worms are single programs that distribute
    themselves across the 'Net, mining data as they
    go. Often they are designed to enter a system,
    log information about that system, such as
    passwords or stored security data such as
    encryption keys, and transmit it back to a base
    somewhere else on the 'Net, i.e. a Worm is a
    self-propagating program. Unlike a virus it does
    not need to attach itself to a host file: it
    spreads as a stand-alone program, usually over
    the network. The Internet Worm (Morris worm) of
    November '88 is a famous example.

10
Viruses Methods of Attachment
  • File infectors - these viruses attach themselves
    to regular programs, such as COM or EXE files
    under DOS. Thus, they are invoked each time the
    infected program is run.
  • Cluster infectors - They modify the file system
    so that they are run prior to other programs.
    Note that, unlike file infectors, they do not
    actually attach themselves to programs.
  • Macro viruses - Word processing documents can
    serve as sources of transmission for viruses that
    take advantage of the auto-execution macro
    capabilities in products such as Microsoft Word.
    Simply by opening an infected document, the
    virus, written in a product's macro language, can
    spread.
  • System infectors - Computer operating systems
    typically set aside a portion of each disk for
    code to boot the computer. Under DOS, this
    section is called a boot sector on floppies or a
    master boot record (MBR) for hard disks. System
    infectors store themselves in this area and hence
    are invoked whenever the disk is used to boot the
    system.

11
Michelangelo
  • March 6 is the birthday of Michelangelo
    Buonarroti
  • The Michelangelo virus triggers on any March 6.
    On that date, the virus overwrites critical
    system data, including boot and file allocation
    table (FAT) records, on the boot disk (floppy or
    hard), rendering the disk unusable. Recovering
    user data from a disk damaged by the Michelangelo
    virus will be very difficult.

12
Viruses Hoaxes
  • Hoaxes are not actual viruses but emails
    pretending to be warnings about viruses,
    get-rich-quick schemes, etc.
  • Hoaxes rely on users to forward them to other
    users.
  • They do not actually damage your computer but if
    forwarded can clog up email accounts and servers,
    spread misinformation and panic, and damage
    credibility.
  • All hoaxes contain a combination of the following
    elements, making them easy to spot:
  • They warn of a new and very serious virus.
  • They claim that the virus is unstoppable.
  • They say that this information has come from a
    major IT company or an anti-virus company.
  • The virus described will often have an
    unrealistic payload.
  • You will be asked to forward the warning to
    everyone in your address book.
  • Adopt a policy to deal with virus warnings
    incorporating the following steps:
  • Designate one member of staff to deal with virus
    warnings if possible the same person who updates
    your anti-virus software.
  • If you receive a virus warning, only forward it
    to this member of staff to investigate and make
    sure that pupils do the same.

13
Virus Infection Management
  • Prevention Of Computer Viruses
  • e.g. Firewalls, Proxy Servers
  • Detection Of Software Viruses
  • e.g. Anti-virus detection software
  • Isolation Of Software Viruses
  • e.g. Quarantine
  • Eradication Of Software Viruses
  • e.g. Removal and repairing

14
What can I do to protect myself?
  • Know thine enemy - learn the techniques and think
    about how you can counter them
  • Regularly scan your network for vulnerabilities -
    both inside and out
  • Separate your private network from your public
    servers such as email, proxy servers, web
    servers, DNS servers, etc. Double firewalling (a
    DMZ between an outer and an inner firewall) can
    do this.
  • Use strong passwords including special characters
    such as @. Your password is often your first
    and last line of defence. Certainly do not have
    ANY blank passwords. Password security also
    applies to network hardware.

15
What can I do to protect myself?
  • Do not use the same administrator/root password
    throughout your organisation. It may be
    convenient for you but it's also convenient for
    an intruder.
  • Harden the operating system on your critical
    servers and perhaps even on user workstations.
  • Turn off unnecessary services - minimalism is a
    good thing!
  • Apply the latest security patches to ALL the
    applications that run.
  • Deploy good intrusion detection (better still,
    prevention) and baseline your configurations so
    you can detect any changes.
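
The baselining advice on this slide, as an added worked example that is not part of the original presentation: hash every file under a configuration tree on a clean install, keep the digests, and later diff a fresh snapshot against them to list what was added, removed or modified. The paths and file contents below (a tightened sshd_config, a log-rotation cron job, a rogue cron entry) are constructed for illustration, and the function names are chosen here.

```python
"""Configuration baselining as a change-detection control.
Added example, not part of the original slides; the sample files are constructed."""
import hashlib
import os
from typing import Dict, Mapping


def hash_files(files: Mapping[str, bytes]) -> Dict[str, str]:
    """Baseline an in-memory {path: content} mapping as {path: sha256 hex digest}."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def snapshot_directory(root: str) -> Dict[str, str]:
    """Baseline a real directory tree on disk, keyed by path relative to root."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                baseline[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def diff_baseline(old: Mapping[str, str], new: Mapping[str, str]) -> Dict[str, list]:
    """Compare two baselines and report added, removed and modified paths (sorted)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed sample: the server as installed, then after an intruder re-enables
# root password logins, drops a rogue cron job and deletes the log-rotation job.
CLEAN_INSTALL = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/cron.d/logrotate": b"0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
    "etc/hosts": b"127.0.0.1 localhost\n",
}
AFTER_INTRUSION = {
    "etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication yes\n",
    "etc/cron.d/backdoor": b"* * * * * root /tmp/.x/reconnect.sh\n",
    "etc/hosts": b"127.0.0.1 localhost\n",
}


def detect_changes() -> Dict[str, list]:
    """Diff the constructed 'after' snapshot against the clean-install baseline."""
    return diff_baseline(hash_files(CLEAN_INSTALL), hash_files(AFTER_INTRUSION))


if __name__ == "__main__":
    for kind, paths in detect_changes().items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

Keep the baseline (and the checking tool) somewhere the monitored host cannot rewrite, and preferably sign it: an intruder with root can otherwise re-baseline their own changes. On a real host, `snapshot_directory("/etc")` produces a mapping of the same shape as the digests of `CLEAN_INSTALL`, so the same `diff_baseline` call applies.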

16
What can I do to protect myself?
  • Deploy additional perimeter protection against
    viruses in emails, web pages, ftp downloads, etc.
  • Do not allow your staff to download ActiveX
    controls into their browsers. ActiveX
    technology can give almost total control over a
    PC and its resources from a remote location and
    should only be used on Intranets.
  • Do not allow external access to your proxy
    servers and DNS servers. On DNS servers, turn off
    recursive lookups for queries from outside your
    network, so that you are not running an open
    resolver that anyone on the Internet can use.
  • Turn off unnecessary Microsoft and other File and
    Print sharing services. Allocate specific servers
    as file sharers and turn-off workstation shares.
    Consider using Print sharing devices rather than
    PC's for sharing printers.

17
What can I do to protect myself?
  • Have a security standards policy and ensure that
    compliance with it is regularly checked.
  • Be VERY alert at all times and make yourself
    familiar with all your configurations.
  • Make backups of new server installations
    immediately after installation. This way you can
    return to a "clean" installation quite easily.

18
Concerns for System Builders and Users
  • Disaster
  • Natural disaster or otherwise can completely
    destroy information systems
  • Must have a disaster recovery strategy
  • Security
  • To keep information systems secure
  • Errors
  • Can occur in various points in a typical
    processing cycle.

19
System Quality Problems Software and Data
  • Bugs
  • Programme code defects
  • Maintenance
  • Modifications to a system that is in use
  • Data Quality
  • Inaccurate, untimely or inconsistent data can
    lead to poor decision making

20
Creating A Control Environment
  • To lessen the risks, special policies and
    procedures must be incorporated in the design and
    implementation of information systems
  • Controls
  • all of the methods, policies, and procedures
    that ensure protection of the organisation's
    assets, accuracy and reliability of its records,
    and operational adherence to management
    standards
  • General Controls
  • Application Controls

21
General Controls
  • overall controls that establish a framework for
    controlling the design, security, and use of
    computer programs throughout an organisation
  • they ensure the effective operation of programmed
    procedures

22
General Controls Include
  • Controls over system implementation process
  • Software controls
  • Physical hardware controls
  • Computer operations controls
  • Data Security controls
  • Administrative disciplines, standards, and
    procedures

23
Controls over system implementation process
  • The audit of the systems development process at
    various points to make sure that it is properly
    controlled and managed
  • Should check
  • level of user involvement
  • cost/benefit analysis having been done
  • use of controls
  • testing
  • documentation

24
Software controls
  • Controls to ensure the security and reliability
    of software
  • Monitor the use of system software to see who is
    logging on
  • Check for failed login attempts

25
Physical hardware controls
  • Controls to ensure the physical security and
    correct performance of computer hardware
  • Locks on doors
  • Restricted access
  • Fireproofing
  • Parity checks
  • Even Parity: the parity bit is set so that the
    total number of 1 bits in the byte (data bits
    plus parity bit) is even.
  • Odd Parity: the parity bit is set so that the
    total number of 1 bits in the byte is odd.
  • A parity check detects any single-bit error (in
    fact any odd number of flipped bits) but not a
    double-bit error, which leaves the parity
    unchanged.
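
The even and odd parity rules above, as an added example that is not from the original slides: it generates the parity bit for seven data bits, checks a received byte, and then flips bits to show which corruptions the control catches and which it misses. The function names (`parity_bit`, `encode`, `check`, `flip_bits`, `detected`) are chosen here and the sample byte is constructed.

```python
"""Parity as a hardware control.  Added example, not from the original slides;
the sample data byte and the bit flips applied to it are constructed."""
from typing import Iterable


def parity_bit(data: int, even: bool = True) -> int:
    """Parity bit for 7 data bits (0..127).  Even parity picks the bit that makes
    the total count of 1s (data plus parity) even; odd parity makes it odd."""
    if not 0 <= data <= 0x7F:
        raise ValueError("expected 7 data bits")
    ones_are_odd = bin(data).count("1") & 1   # 1 when the data has an odd number of 1s
    return ones_are_odd if even else ones_are_odd ^ 1


def encode(data: int, even: bool = True) -> int:
    """Pack 7 data bits and their parity bit (kept in the top bit) into one byte."""
    return (parity_bit(data, even) << 7) | data


def check(byte: int, even: bool = True) -> bool:
    """Receiver side: count the 1s in the whole byte and compare with the parity
    the channel is supposed to carry."""
    ones = bin(byte & 0xFF).count("1")
    return ones % 2 == (0 if even else 1)


def flip_bits(byte: int, positions: Iterable[int]) -> int:
    """Simulate corruption in memory or on the wire by flipping the given bit positions."""
    for p in positions:
        byte ^= 1 << p
    return byte


def detected(byte: int, positions: Iterable[int], even: bool = True) -> bool:
    """True if flipping `positions` in a correctly encoded byte trips the parity check."""
    return not check(flip_bits(byte, positions), even)


if __name__ == "__main__":
    word = encode(0b1011001)        # four 1 bits, so even parity adds a 0 bit: 0x59
    print(hex(word), check(word))   # 0x59 True
    print(detected(word, [0]))      # a single flipped bit is caught: True
    print(detected(word, [0, 1]))   # two flips cancel out and slip through: False
```

Parity is a cheap control against the random single-bit faults it was designed for (a failing memory cell, line noise); it is not an integrity control against a deliberate change, since anyone altering the data can recompute the parity bit.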

26
Computer operations controls
  • Procedures to ensure that programmed procedures
    are consistently and correctly applied to data
    storage and processing
  • Control over system software
  • Backup procedures
  • System monitoring
  • Instructions for running jobs
  • Authority for changes to applications

27
Data Security controls
  • Controls to ensure that data files are not
    subject to unauthorised access, change or
    destruction
  • Restrict access to terminals
  • Password protection
  • Selective access
  • e.g. in payroll, a clerk may enter hours but not
    change the hourly rate; in accounts, a user may
    see the sales ledger but not the nominal ledger

28
Administrative disciplines, standards, and
procedures
  • Formalised standards, rules, procedures, and
    disciplines to ensure that the organisation's
    controls are properly executed and enforced
  • Segregation of duties
  • Different people have different tasks, e.g.
    separate entry of purchase ledger invoices and
    payments
  • Written policies and procedures
  • Formalisation of what is required
  • Supervision
  • Overseeing of operations

29
Application Controls
  • Specific controls within each separate computer
    application
  • Input
  • Check for data accuracy and completeness when
    they enter the system
  • Processing
  • Check that data are complete and accurate during
    updating
  • Output
  • Ensure that the results of computer processing
    are accurate, complete, and properly distributed.

30
Input Control
  • Check digit
  • For example, a bar code includes a single digit
    at the end which is used to check that the number
    is correct when the bar code is scanned.
  • If it isn't correct then the code will have to be
    scanned again.
  • It works by performing a calculation on the main
    code which will result in a single digit.
  • For example, the division-remainder method
    divides the code by a prime number, like 7, and
    the remainder is used as the check digit

31
EAN 13 Barcode Check Digit
  • The EAN-13 check digit is calculated by a
    modulo-10 algorithm from all the other digits in
    the number through the following steps:
  • 1. Starting with the digit on the right of the
    number (excluding the check digit), sum all the
    alternate digit values, reading from right to
    left
  • 2. Multiply the result of step 1 by 3
  • 3. Sum all the remaining digit values
  • 4. Add the result of Step 2 to the result of Step
    3
  • 5. The modulo-10 check digit is the smallest
    number which, when added to the result of Step 4,
    produces a multiple of 10

32
EAN 13 Example
  • To calculate the check digit C for the EAN-13
    number 501234576421C, lay the digits out:
    5 0 1 2 3 4 5 7 6 4 2 1 C
  • 1. 0 + 2 + 4 + 7 + 4 + 1 = 18 (every other digit,
    counting from the right)
  • 2. 18 x 3 = 54
  • 3. 5 + 1 + 3 + 5 + 6 + 2 = 22 (the remaining
    digits)
  • 4. 54 + 22 = 76
  • 5. C = 80 - 76 = 4
  • The complete number is 5012345764214
  • NOTE! If the result of Step 4 is already a
    multiple of 10, nothing needs to be added and the
    check digit is 0.
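
The division-remainder method from the Input Control slide and the EAN-13 procedure from the last two slides, together in one added example that is not part of the original presentation. It goes a step beyond the slides: after computing and validating check digits it probes which keying errors each scheme lets through, which is the question a practitioner should ask of any input control. All function names are chosen here, and every code other than the slide's 5012345764214 is constructed.

```python
"""Check-digit input controls: division-remainder (mod 7) and EAN-13 weighted mod 10.
Added example, not from the original slides; codes other than 5012345764214 are constructed."""
from typing import Callable, List


def remainder_check_digit(body: str, modulus: int = 7) -> int:
    """Division-remainder method: the check digit is the remainder of the
    numeric code divided by a (prime) modulus such as 7."""
    if not body.isdigit():
        raise ValueError("code must contain only digits")
    return int(body) % modulus


def remainder_is_valid(code: str, modulus: int = 7) -> bool:
    """Validate a code whose last digit is a division-remainder check digit."""
    if len(code) < 2 or not code.isdigit():
        return False
    return remainder_check_digit(code[:-1], modulus) == int(code[-1])


def ean13_check_digit(body: str) -> int:
    """EAN-13 modulo-10 check digit for the 12 data digits in `body`.

    Reading right to left, the 1st, 3rd, 5th ... digits weigh 3 and the rest
    weigh 1, which is the slide's 'sum alternate digits, times 3, plus the others'.
    The check digit brings the weighted sum up to a multiple of 10, so a sum that
    is already a multiple of 10 gives 0."""
    if len(body) != 12 or not body.isdigit():
        raise ValueError("EAN-13 body must be exactly 12 digits")
    total = sum(int(ch) * (3 if i % 2 == 0 else 1)
                for i, ch in enumerate(reversed(body)))
    return (10 - total % 10) % 10


def ean13_is_valid(code: str) -> bool:
    """Validate a scanned 13-digit EAN by recomputing its check digit."""
    if len(code) != 13 or not code.isdigit():
        return False
    return ean13_check_digit(code[:12]) == int(code[12])


def undetected_single_digit_errors(is_valid: Callable[[str], bool], code: str) -> List[str]:
    """Corrupt one digit at a time in every possible way and return the
    corrupted codes the validator still accepts."""
    missed = []
    for pos, ch in enumerate(code):
        for d in "0123456789":
            if d != ch:
                corrupted = code[:pos] + d + code[pos + 1:]
                if is_valid(corrupted):
                    missed.append(corrupted)
    return missed


def undetected_adjacent_transpositions(is_valid: Callable[[str], bool], code: str) -> List[str]:
    """Swap each pair of neighbouring (different) digits and return the
    transposed codes the validator still accepts."""
    missed = []
    for pos in range(len(code) - 1):
        a, b = code[pos], code[pos + 1]
        if a != b:
            swapped = code[:pos] + b + a + code[pos + 2:]
            if is_valid(swapped):
                missed.append(swapped)
    return missed


if __name__ == "__main__":
    print("EAN-13 check digit for 501234576421:", ean13_check_digit("501234576421"))
    print("5012345764214 valid:", ean13_is_valid("5012345764214"))
    print("EAN-13 misses these neighbour swaps:",
          undetected_adjacent_transpositions(ean13_is_valid, "5012345764214"))
    print("mod-7 misses these single-digit errors on 1234:",
          undetected_single_digit_errors(remainder_is_valid, "1234"))
```

The probes show the difference between the two schemes. The EAN-13 weights 1 and 3 catch every single-digit error, but swapping two neighbours that differ by 5 changes the weighted sum by a multiple of 10, so 5012345764214 keyed as 0512345764214 scans as valid. The plain mod-7 remainder catches that kind of swap here but misses any single digit altered by exactly 7 (0 for 7, 1 for 8, 2 for 9), because the change is a multiple of the modulus. Neither is a security control: anyone who knows the rule can produce a code that passes, so a check digit catches mistakes, not fraud.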