Title: Securing Information Systems
Chapter 16
Securing Information Systems
"66 percent of all Webroot-scanned personal computers are infected with at least 25 spyware programs." Webroot (2005)
Learning Objectives
Information Systems Security
- All systems connected to a network are at risk
  - Internal threats
  - External threats
- Information systems security
  - Precautions to keep IS safe from unauthorized access and use
- Increased need for good computer security with increased use of the Internet
Primary Threats to Information Systems Security
- Accidents and natural disasters
  - Power outages, cats walking across keyboards
- Employees and consultants
- Links to outside business contacts
  - Travel between business affiliates
- Outsiders
- Viruses
Unauthorized Access
- Unauthorized people
  - Look through electronic data
  - Peek at monitors
  - Intercept electronic communication
- Theft of computers or storage media
- Determined hackers gain administrator status
Gaining Access to a Password
- Brute force
  - Try combinations until a match is found
- Protection
  - Wait time requirements after unsuccessful login attempt
  - CAPTCHA
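One way to implement the "wait time after unsuccessful login attempt" protection listed above, as an added example that is not from the textbook: the LoginThrottle class, its delays and the sample user are assumptions made for the illustration.

```python
import time

class LoginThrottle:
    """Per-account wait time after failed logins, doubling with consecutive
    failures (added illustration of the slide's 'wait time requirement';
    the class, limits and sample users are hypothetical)."""

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay, self.max_delay, self.clock = base_delay, max_delay, clock
        self.failures = {}      # user -> consecutive failed attempts
        self.not_before = {}    # user -> earliest time a new attempt is allowed

    def wait_remaining(self, user):
        # Seconds the caller must still wait; 0.0 when a try is allowed
        return max(0.0, self.not_before.get(user, 0.0) - self.clock())

    def attempt(self, user, password, verify):
        """Returns 'locked', 'ok' or 'failed'; `verify` checks the credential."""
        if self.wait_remaining(user) > 0:
            return "locked"     # refused before the password is even checked
        if verify(user, password):
            self.failures.pop(user, None)
            self.not_before.pop(user, None)
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        self.not_before[user] = self.clock() + delay
        return "failed"

class FakeClock:  # constructed clock so the demo runs without sleeping
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

def demo():
    clock, users = FakeClock(), {"alice": "correct horse"}   # constructed store
    throttle = LoginThrottle(base_delay=1.0, max_delay=8.0, clock=clock)
    verify = lambda u, p: users.get(u) == p
    results = []
    for guess in ["aaaa", "aaab", "aaac", "aaad"]:   # constructed guesses
        results.append(throttle.attempt("alice", guess, verify))
        clock.advance(0.5)                            # retry every half second
    remaining = throttle.wait_remaining("alice")      # lockout still in force
    clock.advance(remaining)
    return results, remaining, throttle.attempt("alice", "correct horse", verify)
```

Because the wait is tracked per account, pair it with a per-source limit so that repeated failures from one source do not keep the legitimate user locked out.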
Information Modification
- User accesses electronic information
- User changes information
  - Employee gives himself a raise
Denial of Service Attack
- Attackers prevent legitimate users from accessing services
- Zombie computers
  - Created by viruses or worms
  - Attack Web sites
Computer Viruses
- Corrupt and destroy data
- Destructive code can
  - Erase a hard drive
  - Seize control of a computer
- Worms
  - Variation of a virus
  - Replicate endlessly across the Internet
  - Servers crash
  - MyDoom attack on Microsoft's Web site
Spyware
- Within freeware or shareware
- Within a Web site
- Gathers information about a user
  - Credit card information
  - Behavior tracking for marketing purposes
- Eats up the computer's memory and network bandwidth
- Adware: special kind of spyware
  - Collects information for banner ad customization
Spam
- Electronic junk mail
  - Advertisements of products and services
- Eats up storage space
- Compromises network bandwidth
- Spim
  - Spam over IM
Protection Against Spam
- Barracuda Spam Firewall 600
  - Filters spam and other email threats
  - Decreases amount of spam processed by the central e-mail server
  - Handles 3,000 to 10,000 active email users
  - Spam messages blocked or quarantined
Phishing
- Attempts to trick users into giving away credit card numbers
  - Phony messages
  - Duplicates of legitimate Web sites
  - E.g., eBay, PayPal have been used
Cookies
- Messages passed to a Web browser from a Web server
  - Used for Web site customization
- Cookies may contain sensitive information
- Cookie management and cookie killer software
  - Internet Explorer Web browser settings
Other Threats to IS Security
- Employees writing passwords on paper
- No installation of antivirus software
- Use of default network passwords
- Letting outsiders view monitors
Information Systems Today: Managing in the Digital World, 6-15
Other Threats to IS Security (II)
- Organizations fail to limit access to some files
- Organizations fail to install firewalls
- Not doing proper background checks
- Lack of employee monitoring
- Fired employees who are resentful
Learning Objectives
Safeguarding Information Systems Resources
- Information systems audits
- Risk analysis
  - Process of assessing the value of protected assets
  - Cost of loss vs. cost of protection
- Risk reduction
  - Measures taken to protect the system
- Risk acceptance
  - Measures taken to absorb the damages
- Risk transfer
  - Transferring the absorption of risk to a third party
Technological Safeguards
- Physical access restrictions
  - Authentication
    - Use of passwords
    - Photo ID cards, smart cards
    - Keys to unlock a computer
    - Combination
  - Authentication limited to
    - Something you have
    - Something you know
    - Something you are
Biometrics
- Form of authentication
  - Fingerprints
  - Retinal patterns
  - Body weight
  - Etc.
- Fast authentication
- High security
Access-Control Software
- Access only to files required for work
- Read-only access
- Certain time periods for allowed access
- Business systems applications
  - Built-in access control capabilities
Wireless LAN Control
- Wireless LAN: cheap and easy to install
- Use on the rise
- Signal transmitted through the air
  - Susceptible to being intercepted
  - Drive-by hacking
Virtual Private Networks
- Connection constructed dynamically within an existing network
- Secure tunnel
  - Encrypted information
Firewalls
- System designed to detect intrusion and prevent unauthorized access
- Implementation
  - Hardware, software, mixed
- Approaches
  - Packet filter: each packet examined
  - Application-level control: security measures only for certain applications
  - Circuit-level control: based on certain type of connection
  - Proxy server: firewall acts as the server and intercepts all messages
  - Network Address Translation
Firewall Architecture
- Basic software firewall for a home network
- Firewall router
  - Home office
  - Small office
Firewall Architecture: Larger Organization
Encryption
- Message encoded before sending
- Message decoded when received
- Encryption allows for
  - Authentication: proving one's identity
  - Privacy/confidentiality: only the intended recipient can read a message
  - Integrity: assurance of an unaltered message
  - Nonrepudiation: use of a digital signature
The Encryption Process
- Key: code that scrambles the message
- Symmetric secret key system
  - Sender and recipient use the same key
  - Cons: key management problems
- Public key technology
  - Asymmetric key system
  - Each individual has a pair of keys
    - Public key freely distributed
    - Private key kept secret
How Encryption Works (Asymmetric)
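A worked asymmetric exchange, as an added example that is not from the textbook: textbook-size RSA with tiny primes so each step can be checked by hand, showing the properties listed on the Encryption slide (confidentiality via the recipient's public key, authentication and nonrepudiation via a signature made with the sender's private key, integrity via a verification that fails on a changed message). Alice, Bob, the primes and the message value 65 are constructed values; the small modulus makes this an illustration of the mechanism, not a usable cipher.

```python
# Textbook-size RSA to show the asymmetric key flow on the slides (added
# example, not from the book; primes are tiny so every step is checkable by
# hand, which is also why this shows the mechanism rather than a usable cipher).

def make_keypair(p=61, q=53, e=17):
    """Returns (public, private) as (n, e) and (n, d) for primes p, q."""
    n = p * q                    # modulus, shared by both keys (3233 here)
    phi = (p - 1) * (q - 1)      # 3120 here
    d = pow(e, -1, phi)          # private exponent, e*d == 1 (mod phi); 2753 here
    return (n, e), (n, d)        # pow(x, -1, m) needs Python 3.8+

def encrypt(public, m):
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = public
    return pow(m, e, n)

def decrypt(private, c):
    n, d = private
    return pow(c, d, n)

def sign(private, m):
    """Signing uses the private key, so only its owner could have produced it."""
    n, d = private
    return pow(m, d, n)          # real systems sign a hash of m, with padding

def verify(public, m, s):
    n, e = public
    return pow(s, e, n) == m

def demo():
    alice_pub, alice_priv = make_keypair()              # n = 3233
    bob_pub, bob_priv = make_keypair(p=47, q=59)        # n = 2773
    m = 65                                              # constructed message
    c = encrypt(bob_pub, m)      # confidentiality: encrypted to Bob's public key
    s = sign(alice_priv, m)      # nonrepudiation: signed with Alice's private key
    return {
        "ciphertext": c,
        "decrypted_by_bob": decrypt(bob_priv, c),
        "alice_signature_verifies": verify(alice_pub, m, s),
        "tampered_message_verifies": verify(alice_pub, m + 1, s),  # integrity
    }
```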
Encryption for Websites
- Certificate Authority
  - Third party, trusted middleman
  - Verifies trustworthiness of a Web site
  - Checks for identity of a computer
  - Provides public keys
- Secure Sockets Layer (SSL)
  - Developed by Netscape
  - Popular public-key encryption method
Other Encryption Approaches
- 1976: Public/private key
- 1977: RSA
  - Technology licensed to Lotus and Microsoft
  - Federal law prohibited exporting encryption technology
    - Limited use by organizations
- 1991: Pretty Good Privacy
  - Versatile encryption program
  - Global favorite
- 1993: Clipper chip
  - Chip generating uncrackable codes
  - Scrapped before it became reality
The Evolution of Encryption
- Future encryption programs will provide
  - Strong security
  - High speed
  - Usability on any platform
- Encryption for cellular phones
- Encryption for PDAs
Recommended Virus Precautions
- Purchase and install antivirus software
  - Update frequently
- Do not download data from unknown sources
  - Flash drives, disks, Web sites
- Delete (without opening) e-mail from unknown source
- Warn people if you get a virus
  - Your department
  - People on e-mail list
Audit Control Software
- Keeps track of computer activity
- Spots suspicious action
- Audit trail
  - Record of users
  - Record of activities
- IT department needs to monitor this activity
Other Technological Safeguards
- Backups
  - Secondary storage devices
  - Regular intervals
- Closed-circuit television (CCTV)
  - Monitoring for physical intruders
  - Video cameras display and record all activity
  - Digital video recording
- Uninterruptible power supply (UPS)
  - Protection against power surges
Human Safeguards
- Use of federal and state laws as well as ethics
Learning Objectives
Managing Information Systems Security
- Non-technical safeguards
  - Management of people's use of IS
  - Acceptable use policies
  - Trustworthy employees
  - Well-treated employees
Developing an Information Systems Security Plan
- Ongoing five-step process
- Risk analysis
  - Determine value of electronic information
  - Assess threats to confidentiality, integrity and availability of information
  - Identify most vulnerable computer operations
  - Assess current security policies
  - Recommend changes to existing practices to improve computer security
Security Plan: Step 2
- Policies and procedures: actions to be taken if security is breached
  - Information policy: handling of sensitive information
  - Security policy: technical controls on organizational computers
  - Use policy: appropriate use of in-house IS
  - Backup policy
  - Account management policy: procedures for adding new users
  - Incident handling procedures: handling a security breach
  - Disaster recovery plan: restoration of computer operations
Security Plan: Remaining Steps
- Implementation
  - Implementation of network security hardware and software
  - IDs and smart cards dissemination
  - Responsibilities of the IS department
  - Training the organization's personnel
- Auditing
  - Assessment of policy adherence
  - Penetration tests
Responding to a Security Breach
- 1988: Computer Emergency Response Team (CERT)
  - Started after the Morris worm disabled 10% of all computers connected to the Internet
- Computer Security Division (CSD)
  - Raising of awareness of IT risks
  - Research and advising about IT vulnerabilities
  - Development of standards
  - Development of guidelines to increase secure IT planning, implementation, management and operation
The State of Systems Security Management
- Financial losses of cybercrime are decreasing
- Computer virus attacks result in the greatest financial losses
- Only about 25% of organizations utilize cyberinsurance
- Only about 20% of organizations report intrusions to law enforcement
  - Fear of falling stock prices
- Most organizations do not outsource security activities
- 90% of organizations conduct routine security audits
- Most organizations agree security training is important
  - Majority said they do not do enough training
Use of Security Technologies
- CSI/FBI computer crime and security survey respondents (2006)
End of Chapter Content
Opening Case: Managing in the Digital World: Drive-by Hacking
- 60-80% of corporate wireless networks do not use security
- War driving: a new hacker tactic
  - Driving around densely populated areas
- War spamming
  - Attackers link to an e-mail server and send out millions of spam messages
  - Companies pay millions in bandwidth fees
- Businesses fight back using bogus access points
  - FakeAP
- Network scanners distinguish between real and fake APs
  - Netstumbler
- Fast Packet Keying to fix shortcomings of WEP
Spyware Lurks on Most PCs
- Webroot
  - Producer of software to scan and eliminate spyware
- Webroot company data
  - 66% of scanned PCs infected with at least 25 spyware programs
  - Incidents of spyware slightly decreasing
To Cookie or Not to Cookie
- Cookies collected by companies to get data about customers
  - Footprints that marketers can trace
  - Sometimes sold to other companies
- Web browsers can protect against accepting cookies
  - Constant pop-ups
  - Some sites will not work properly
  - Customized information will not be available
- National Security Agency (NSA)
Anne Mulcahy, CEO and Chairman, Xerox Corporation
- 1974: B.A. in English and journalism
- 1976: joined Xerox
- 2002: promoted to CEO
- Xerox in 2002
  - $17 billion debt
- Xerox under Mulcahy
  - First time profitable in years
  - Cut expenses by $1.7 billion
  - Sold non-core assets for $2.3 billion
Voiceprint
- 1976 case: State of Maine v. Thomas Williams
  - Bomb threat
  - Voiceprint used for conviction of terrorism
- Each individual has unique voice characteristics
- 1967-2006: more than 5,000 law enforcement voice identification cases
- Spectrogram: visual inspection of waves
- Voiceprints used for access authorization
Is Big Brother Watching You?
- Employers can use equipment to
  - Read your email
  - Monitor Web-surfing behavior
  - Collect keystrokes
  - Follow the movement of employees
    - RFID and GPS
- Companies have rights to collect almost any information about employees while on the job
Backhoe Cyber Threat
- Telecommunications infrastructure is vulnerable
  - Damage to telephone lines, fiber-optic cables, water lines, gas pipelines
  - 675,000 incidents in 1 year
- Infrastructure information publicly available
- Most of Internet communication goes through cables buried along major highways and railroads
- Only two major routes across the US for Internet traffic
Banking Industry
- In the past: highly regulated industry
  - Banks limited to certain locations and services
  - Efforts to make banks safer
  - Regulations prevented banks from competition
- 1970 to present: many regulations eliminated
  - Acquisitions, consolidations and integration across state lines
  - Better customer service at lower prices
  - Benefits to overall economy
- Internet era
  - Customers assess banks based on online banking services