Securing Information Systems - PowerPoint PPT Presentation

Slides: 54
Provided by: ITED6

Transcript and Presenter's Notes

Title: Securing Information Systems

1
Chapter 6
Securing Information Systems
"66 percent of all Webroot-scanned personal computers are infected with at
least 25 spyware programs." Webroot (2005)
2
Learning Objectives
3
Information Systems Security
  • All systems connected to a network are at risk
    • Internal threats
    • External threats
  • Information systems security
    • Precautions to keep IS safe from unauthorized
      access and use
  • Increased need for good computer security with
    increased use of the Internet

4
Primary Threats to Information Systems Security
  • Accidents and natural disasters
    • Power outages, cats walking across keyboards
  • Employees and consultants
  • Links to outside business contacts
    • Travel between business affiliates
  • Outsiders
  • Viruses

5
Unauthorized Access
  • Unauthorized people
    • Look through electronic data
    • Peek at monitors
    • Intercept electronic communication
    • Theft of computers or storage media
  • Determined hackers gain administrator status

6
Gaining Access to a Password
  • Brute force
    • Try combinations until a match is found
  • Protection
    • Wait time requirements after unsuccessful login
      attempt
    • CAPTCHA
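
The wait-time protection on this slide, as an added example that is not part of the original presentation: a login gate that doubles the required wait after each consecutive failure on an account and refuses every attempt, even one with the right password, until that wait has elapsed. The class and method names, the delay constants and the injectable clock are this example's own choices.

```python
# Added example (not from the slides): progressive wait time after failed
# logins, the "wait time requirements after unsuccessful login attempt"
# protection against brute-force password guessing. Names and constants are
# this example's own choices.
import hashlib
import hmac
import os
import time


class LoginGate:
    """Verifies passwords and enforces a growing per-account wait after failures."""

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self._users = {}       # username -> (salt, password hash)
        self._failures = {}    # username -> (consecutive failures, unlock time)
        self._dummy_salt = os.urandom(16)
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock     # injectable so the behaviour can be tested without sleeping

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def seconds_until_allowed(self, username):
        """How long the account must still wait before another attempt is examined."""
        _, unlock_at = self._failures.get(username, (0, 0.0))
        return max(0.0, unlock_at - self.clock())

    def attempt_login(self, username, password):
        """Return 'locked', 'ok' or 'denied'.

        While the wait is running the password is not even checked, so a
        guessing program gains nothing by submitting attempts faster.
        """
        if self.seconds_until_allowed(username) > 0:
            return "locked"
        record = self._users.get(username)
        # Hash even for unknown users so response time does not reveal
        # which account names exist.
        salt, stored = record if record is not None else (self._dummy_salt, None)
        computed = self._hash(password, salt)
        if stored is not None and hmac.compare_digest(stored, computed):
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        failures, _ = self._failures.get(username, (0, 0.0))
        failures += 1
        # 1s, 2s, 4s, ... up to max_delay: cheap for a user, expensive for a guesser
        delay = min(self.max_delay, self.base_delay * 2 ** (failures - 1))
        self._failures[username] = (failures, self.clock() + delay)
        return "denied"


if __name__ == "__main__":
    gate = LoginGate()
    gate.add_user("alice", "correct horse battery staple")   # constructed sample account
    for guess in ("password", "letmein", "correct horse battery staple"):
        print(guess, "->", gate.attempt_login("alice", guess),
              f"(wait {gate.seconds_until_allowed('alice'):.0f}s)")
```

The wait is keyed on the account, not on the client address, so a guesser cannot sidestep it by switching source addresses; the cost is that a flood of wrong guesses against one account locks the legitimate owner out too, which is why the delay is capped rather than unbounded.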

7
Information Modification
  • User accesses electronic information
  • User changes information
    • Employee gives himself a raise

8
Denial of Service Attack
  • Attackers prevent legitimate users from accessing
    services
  • Zombie computers
    • Created by viruses or worms
    • Attack Web sites

9
Computer Viruses
  • Corrupt and destroy data
  • Destructive code can
    • Erase a hard drive
    • Seize control of a computer
  • Worms
    • Variation of a virus
    • Replicate endlessly across the Internet
    • Servers crash
      • MyDoom attack on Microsoft's Web site

10
Spyware
  • Within freeware or shareware
  • Within a Web site
  • Gathers information about a user
    • Credit card information
    • Behavior tracking for marketing purposes
  • Eats up the computer's memory and network bandwidth
  • Adware: a special kind of spyware
    • Collects information for banner ad customization

11
Spam
  • Electronic junk mail
    • Advertisements of products and services
    • Eats up storage space
    • Compromises network bandwidth
  • Spim
    • Spam over IM

12
Protection Against Spam
  • Barracuda Spam Firewall 600
    • Filters spam and other e-mail threats
    • Decreases amount of spam processed by the central
      e-mail server
    • Handles 3,000 to 10,000 active e-mail users
    • Spam messages blocked or quarantined

13
Phishing
  • Attempts to trick users into giving away credit
    card numbers
  • Phony messages
    • Duplicates of legitimate Web sites
    • E.g., eBay, PayPal have been used

14
Cookies
  • Messages passed to a Web browser from a Web
    server
    • Used for Web site customization
  • Cookies may contain sensitive information
  • Cookie management and cookie killer software
    • Internet Explorer Web browser settings

15
Other Threats to IS Security
  • Employees writing passwords on paper
  • No installation of antivirus software
  • Use of default network passwords
  • Letting outsiders view monitors

Information Systems Today: Managing in the
Digital World, 6-15
16
Other Threats to IS Security (II)
  • Organizations fail to limit access to some files
  • Organizations fail to install firewalls
  • Not doing proper background checks
  • Lack of employee monitoring
  • Fired employees who are resentful

17
Learning Objectives
18
Safeguarding Information Systems Resources
  • Information systems audits
    • Risk analysis
      • Process of assessing the value of protected
        assets
      • Cost of loss vs. cost of protection
  • Risk reduction
    • Measures taken to protect the system
  • Risk acceptance
    • Measures taken to absorb the damages
  • Risk transfer
    • Transferring the absorption of risk to a third
      party

19
Technological Safeguards
  • Physical access restrictions
    • Authentication
      • Use of passwords
      • Photo ID cards, smart cards
      • Keys to unlock a computer
      • Combination
  • Authentication limited to
    • Something you have
    • Something you know
    • Something you are

20
Biometrics
  • Form of authentication
    • Fingerprints
    • Retinal patterns
    • Body weight
    • Etc.
  • Fast authentication
  • High security

21
Access-Control Software
  • Access only to files required for work
  • Read-only access
  • Certain time periods for allowed access
  • Business systems applications
    • Built-in access control capabilities
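
The three controls on this slide combined in one deny-by-default access check, as an added example that is not part of the original presentation: each role sees only the files its work requires, some of that access is read-only, and some of it is limited to certain hours. The roles, file paths, hours and function names are constructed for illustration.

```python
# Added example (not from the slides): a deny-by-default access check that
# combines "only files required for work", "read-only access" and "certain
# time periods for allowed access". Roles, paths and hours are constructed.
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatch
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    role: str
    path_pattern: str                       # glob; '*' also matches '/' in fnmatch
    permissions: FrozenSet[str]             # subset of {"read", "write"}
    hours: Optional[Tuple[time, time]]      # allowed window [start, end); None = any time


POLICY = [
    # payroll staff may edit payroll files, but only during office hours
    Rule("payroll", "/finance/payroll/*", frozenset({"read", "write"}), (time(8, 0), time(18, 0))),
    # auditors may read anything under /finance at any time, but never write
    Rule("auditor", "/finance/*", frozenset({"read"}), None),
    # engineers have no rule for /finance at all, so the default deny applies there
    Rule("engineer", "/src/*", frozenset({"read", "write"}), None),
]


def in_window(hours, when):
    start, end = hours
    return start <= when.time() < end


def check_access(roles, path, action, when, policy=POLICY):
    """Return (allowed, reason). Access is granted only if some rule for one of
    the user's roles permits `action` on `path` at time `when`; every other
    outcome is a denial, with the reasons collected for the audit trail."""
    reasons = []
    for rule in policy:
        if rule.role not in roles or not fnmatch(path, rule.path_pattern):
            continue
        if action not in rule.permissions:
            reasons.append(f"{rule.role}: {action} not permitted on {rule.path_pattern}")
        elif rule.hours is not None and not in_window(rule.hours, when):
            reasons.append(f"{rule.role}: outside allowed hours for {rule.path_pattern}")
        else:
            return True, f"{rule.role}: {action} permitted on {rule.path_pattern}"
    return False, "; ".join(reasons) or "no matching rule (default deny)"


if __name__ == "__main__":
    salaries = "/finance/payroll/salaries.xlsx"     # constructed sample path
    for roles, action, when in [({"payroll"}, "write", datetime(2024, 3, 4, 9, 30)),
                                ({"payroll"}, "write", datetime(2024, 3, 4, 22, 0)),
                                ({"auditor"}, "write", datetime(2024, 3, 4, 9, 30)),
                                ({"engineer"}, "read", datetime(2024, 3, 4, 9, 30))]:
        print(sorted(roles), action, when.time(), "->", check_access(roles, salaries, action, when))
```

Because the function only ever returns True from an explicit grant, adding a new file area or a new role changes nothing until a rule is written for it, which is the property that keeps "files required for work" from quietly growing into "all files".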

22
Wireless LAN Control
  • Wireless LAN: cheap and easy to install
    • Use on the rise
  • Signal transmitted through the air
    • Susceptible to being intercepted
    • Drive-by hacking

23
Virtual Private Networks
  • Connection constructed dynamically within an
    existing network
    • Secure tunnel
    • Encrypted information

24
Firewalls
  • System designed to detect intrusion and prevent
    unauthorized access
  • Implementation
    • Hardware, software, mixed
  • Approaches
    • Packet filter: each packet examined
    • Application-level control: security measures
      only for certain applications
    • Circuit-level control: based on certain type of
      connection
    • Proxy server: firewall acts as the server and
      intercepts all messages (Network Address
      Translation)
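
The packet-filter approach on this slide, as an added example that is not part of the original presentation: every packet is examined against an ordered rule list, the first matching rule decides, and a packet that matches nothing is dropped. The protected network, the rules and the sample packets are constructed; the firewall is assumed to sit in front of 10.0.0.0/8 and these are its rules for traffic arriving from the Internet side.

```python
# Added example (not from the slides): a first-match packet filter, the
# "each packet examined" approach. Network, rules and sample packets are
# constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    proto: Optional[str]     # None matches any protocol
    dport: Optional[int]     # None matches any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


INBOUND_RULES = [
    # anti-spoofing: nothing arriving from outside may claim an internal source address
    Rule("deny",  "10.0.0.0/8", "0.0.0.0/0",    None,  None),
    # public web server: only the two web ports
    Rule("allow", "0.0.0.0/0",  "10.0.1.10/32", "tcp", 80),
    Rule("allow", "0.0.0.0/0",  "10.0.1.10/32", "tcp", 443),
    # public DNS server
    Rule("allow", "0.0.0.0/0",  "10.0.1.53/32", "udp", 53),
]


def filter_packet(pkt, rules=INBOUND_RULES):
    """Examine one packet against the rules in order. Returns (action, index of
    the deciding rule); a packet matching no rule is dropped (default deny)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


if __name__ == "__main__":
    samples = [                                   # constructed traffic
        Packet("203.0.113.5", "10.0.1.10", "tcp", 443),
        Packet("203.0.113.5", "10.0.1.10", "tcp", 22),
        Packet("10.0.5.5", "10.0.1.10", "tcp", 80),
        Packet("198.51.100.7", "10.0.1.53", "udp", 53),
    ]
    for pkt in samples:
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}", filter_packet(pkt))
```

The rule ordering matters: the anti-spoofing deny has to come before the allows, or a packet forged with an internal source address and port 80 would be let through. Note also what a pure packet filter cannot see: it has no idea which application is really listening on port 443 (the application-level approach) or whether a packet belongs to a connection that was legitimately opened (the circuit-level approach), so it is normally the first layer rather than the only one.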

25
Firewall Architecture
  • Basic software firewall for a home network
  • Firewall router
    • Home office
    • Small office

26
Firewall Architecture Larger Organization
27
Encryption
  • Message encoded before sending
  • Message decoded when received
  • Encryption allows for
    • Authentication: proving one's identity
    • Privacy/confidentiality: only intended recipient
      can read a message
    • Integrity: assurance of unaltered message
    • Nonrepudiation: use of digital signature

28
The Encryption Process
  • Key: code that scrambles the message
  • Symmetric secret key system
    • Sender and recipient use the same key
    • Cons: key management problems
  • Public key technology
    • Asymmetric key system
    • Each individual has a pair of keys
      • Public key freely distributed
      • Private key kept secret

29
How Encryption Works (Asymmetric)
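
The asymmetric key pair of slides 28 and 29, and the four properties listed on slide 27, worked through in code as an added example that is not part of the original presentation. It uses textbook RSA with tiny primes so that every step is visible; the primes, the message and the function names are constructed, and the key sizes are a classroom illustration of the mechanics, not a usable cipher.

```python
# Added example (not from the slides): textbook RSA with tiny primes, showing
# the public/private key pair and how it gives confidentiality, authentication,
# integrity and nonrepudiation. The primes are far too small for real use;
# this demonstrates the mechanics only. Key values are constructed.
import hashlib
from math import gcd


def make_keypair(p, q, e=17):
    """Return (public, private) keys from two primes: public = (e, n), private = (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse: e*d = 1 (mod phi)
    return (e, n), (d, n)


def encrypt(public, message):
    """Confidentiality: anyone holding the public key can encrypt (here byte by byte)."""
    e, n = public
    return [pow(b, e, n) for b in message]


def decrypt(private, blocks):
    """Only the holder of the matching private key can recover the message."""
    d, n = private
    return bytes(pow(c, d, n) for c in blocks)


def _digest(message, n):
    # Hash the message and reduce it into the key's range; the signature covers this value.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """Authentication and nonrepudiation: only the private key can produce this value,
    so the signer cannot later deny having signed."""
    d, n = private
    return pow(_digest(message, n), d, n)


def verify(public, message, signature):
    """Integrity: any change to the message changes its digest and the check fails."""
    e, n = public
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(61, 53)       # constructed tiny key pair
    message = b"pay Bob $100"
    ciphertext = encrypt(alice_pub, message)            # anyone can do this with the public key
    print("ciphertext:", ciphertext)
    print("decrypted :", decrypt(alice_priv, ciphertext))
    signature = sign(alice_priv, message)               # only Alice can do this
    print("signature verifies:", verify(alice_pub, message, signature))
    print("tampered verifies :", verify(alice_pub, b"pay Bob $900", signature))
```

The two directions are the whole point of the diagram on slide 29: encrypting with the public key and decrypting with the private one gives privacy, while signing with the private key and checking with the public one gives authentication, integrity and nonrepudiation. Real systems use keys of thousands of bits, padding schemes and a hybrid with a symmetric cipher for the bulk data; this block keeps only the arithmetic.
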
30
Encryption for Websites
  • Certificate Authority
    • Third party, trusted middleman
    • Verifies trustworthiness of a Web site
    • Checks for identity of a computer
    • Provides public keys
  • Secure Sockets Layer (SSL)
    • Developed by Netscape
    • Popular public-key encryption method

31
Other Encryption Approaches
  • 1976: Public/private key
  • 1977: RSA
    • Technology licensed to Lotus and Microsoft
    • Federal law prohibited exporting encryption
      technology
      • Limited use by organizations
  • 1991: Pretty Good Privacy (PGP)
    • Versatile encryption program
    • Global favorite
  • 1993: Clipper chip
    • Chip generating uncrackable codes
    • Scrapped before it became reality

32
The Evolution of Encryption
  • Future encryption programs will provide
    • Strong security
    • High speed
    • Usability on any platform
  • Encryption for cellular phones
  • Encryption for PDAs

33
Recommended Virus Precautions
  • Purchase and install antivirus software
    • Update frequently
  • Do not download data from unknown sources
    • Flash drives, disks, Web sites
  • Delete (without opening) e-mail from unknown
    sources
  • Warn people if you get a virus
    • Your department
    • People on your e-mail list

34
Audit Control Software
  • Keeps track of computer activity
  • Spots suspicious action
  • Audit trail
    • Record of users
    • Record of activities
  • IT department needs to monitor this activity
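
What "spots suspicious action" looks like when run over an audit trail, as an added example that is not part of the original presentation. The log format and the sample lines are constructed, and the two detection rules (a burst of failed logins for one account, and a successful login outside working hours) are illustrative choices of this example, not something the slide prescribes.

```python
# Added example (not from the slides): reviewing an audit trail (record of
# users and activities) for suspicious action. Log format, sample lines and
# the two rules are constructed for this example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) result=(?P<result>\S+)"
)

# Constructed audit trail: one recorded user activity per line.
SAMPLE_AUDIT_TRAIL = """\
2024-03-04T09:02:11 user=alice action=login result=ok
2024-03-04T09:03:40 user=alice action=read_file result=ok file=/finance/q1.xlsx
2024-03-04T23:41:05 user=carol action=login result=ok
2024-03-04T23:42:10 user=bob action=login result=fail
2024-03-04T23:42:31 user=bob action=login result=fail
2024-03-04T23:42:55 user=bob action=login result=fail
2024-03-04T23:43:20 user=bob action=login result=fail
2024-03-04T23:43:44 user=bob action=login result=fail
2024-03-04T23:44:02 user=bob action=login result=ok
this line is not in the expected format and is skipped
""".splitlines()


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_suspicious(lines, fail_threshold=5, window=timedelta(minutes=10),
                    work_hours=(7, 20)):
    """Return (alert_type, user, timestamp) tuples in the order they are found."""
    alerts = []
    recent_failures = defaultdict(deque)       # user -> timestamps of recent failed logins
    for rec in filter(None, map(parse, lines)):
        if rec["action"] != "login":
            continue
        ts, user = rec["ts"], rec["user"]
        if rec["result"] == "ok" and not (work_hours[0] <= ts.hour < work_hours[1]):
            alerts.append(("after_hours_login", user, ts))
        elif rec["result"] == "fail":
            q = recent_failures[user]
            q.append(ts)
            while ts - q[0] > window:          # forget failures older than the window
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append(("repeated_login_failures", user, ts))
                q.clear()                      # report each burst once
    return alerts


if __name__ == "__main__":
    for kind, user, ts in find_suspicious(SAMPLE_AUDIT_TRAIL):
        print(f"{ts.isoformat()}  {kind:25s} {user}")
```

On the sample trail the review flags carol's late-night login, bob's five failures inside one window, and then bob's successful login right after them, which is the sequence an IT department would want to look at first: a burst of failures followed by a success, after hours, on the same account.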

35
Other Technological Safeguards
  • Backups
    • Secondary storage devices
    • Regular intervals
  • Closed-circuit television (CCTV)
    • Monitoring for physical intruders
    • Video cameras display and record all activity
    • Digital video recording
  • Uninterruptible power supply (UPS)
    • Protection against power surges

36
Human Safeguards
  • Use of federal and state laws as well as ethics

37
Learning Objectives
38
Managing Information Systems Security
  • Non-technical safeguards
    • Management of people's use of IS
  • Acceptable use policies
  • Trustworthy employees
  • Well-treated employees

39
Developing an Information Systems Security Plan
  • Ongoing five-step process
  • Step 1: Risk analysis
    • Determine value of electronic information
    • Assess threats to confidentiality, integrity and
      availability of information
    • Identify most vulnerable computer operations
    • Assess current security policies
    • Recommend changes to existing practices to
      improve computer security

40
Security Plan Step 2
  • Policies and procedures: actions to be taken if
    security is breached
    • Information policy: handling of sensitive
      information
    • Security policy: technical controls on
      organizational computers
    • Use policy: appropriate use of in-house IS
    • Backup policy
    • Account management policy: procedures for adding
      new users
    • Incident handling procedures: handling a security
      breach
    • Disaster recovery plan: restoration of computer
      operations

41
Security Plan Remaining Steps
  • Implementation
    • Implementation of network security hardware and
      software
    • IDs and smart cards dissemination
    • Responsibilities of the IS department
    • Training the organization's personnel
  • Auditing
    • Assessment of policy adherence
    • Penetration tests

42
Responding to a Security Breach
  • 1988: Computer Emergency Response Team (CERT)
    • Started after the Morris worm disabled 10% of all
      computers connected to the Internet
  • Computer Security Division (CSD)
    • Raising of awareness of IT risks
    • Research and advising about IT vulnerabilities
    • Development of standards
    • Development of guidelines to increase secure IT
      planning, implementation, management and operation

43
The State of Systems Security Management
  • Financial losses from cybercrime are decreasing
  • Computer virus attacks result in the greatest
    financial losses
  • Only about 25% of organizations utilize
    cyberinsurance
  • Only about 20% of organizations report intrusions
    to law enforcement
    • Fear of falling stock prices
  • Most organizations do not outsource security
    activities
  • 90% of organizations conduct routine security
    audits
  • Most organizations agree security training is
    important
    • Majority said they do not do enough training

44
Use of Security Technologies
  • CSI/FBI computer crime and security survey
    respondents (2006)

45
End of Chapter Content
46
Opening Case Managing in the Digital World
Drive-by-Hacking
  • 60 to 80% of corporate wireless networks do not
    use security
  • War driving: a new hacker tactic
    • Driving around densely populated areas
  • War spamming
    • Attackers link to an e-mail server and send out
      millions of spam messages
    • Companies pay millions in bandwidth fees
  • Businesses fight back using bogus access points
    • FakeAP
  • Network scanners distinguish between real and
    fake APs
    • Netstumbler
  • Fast Packet Keying to fix shortcomings of WEP

47
Spyware Lurks on Most PCs
  • Webroot
    • Producer of software to scan and eliminate
      spyware
  • Webroot company data
    • 66% of scanned PCs infected with at least 25
      spyware programs
    • Incidents of spyware slightly decreasing

48
To Cookie or Not to Cookie
  • Cookies collected by companies to get data about
    customers
    • Footprints that marketers can trace
    • Sometimes sold to other companies
  • Web browsers can protect against accepting
    cookies
    • Constant pop-ups
    • Some sites will not work properly
    • Customized information will not be available
  • National Security Agency (NSA)

49
Anne Mulcahy, CEO and Chairman, Xerox Corporation
  • 1974: B.A. in English and journalism
  • 1976: joined Xerox
  • 2002: promoted to CEO
  • Xerox in 2002
    • $17 billion debt
  • Xerox under Mulcahy
    • First time profitable in years
    • Cut expenses by $1.7 billion
    • Sold non-core assets for $2.3 billion

50
Voiceprint
  • 1976 case: State of Maine v. Thomas Williams
    • Bomb threat
    • Voiceprint used for conviction of terrorism
  • Each individual has unique voice characteristics
  • 1967-2006: more than 5,000 law enforcement voice
    identification cases
  • Spectrogram: visual inspection of waves
  • Voiceprints used for access authorization

51
Is Big Brother Watching You?
  • Employers can use equipment to
    • Read your e-mail
    • Monitor Web-surfing behavior
    • Collect keystrokes
    • Follow the movement of employees
      • RFID and GPS
  • Companies have rights to collect almost any
    information about employees while on the job

52
Backhoe Cyber Threat
  • Telecommunications infrastructure is vulnerable
    • Damage to telephone lines, fiber-optic cables,
      water lines, gas pipelines
    • 675,000 incidents in 1 year
  • Infrastructure information publicly available
    • Most Internet communication goes through
      cables buried along major highways and railroads
    • Only two major routes across the US for Internet
      traffic

53
Banking Industry
  • In the past, a highly regulated industry
    • Banks limited to certain locations and services
    • Efforts to make banks safer
    • Regulations prevented banks from competing
  • 1970 to present: many regulations eliminated
    • Acquisitions, consolidations and integration
      across state lines
    • Better customer service at lower prices
    • Benefits to overall economy
  • Internet era
    • Customers assess banks based on online banking
      services