THREATS TO INFORMATION SYSTEMS - PowerPoint PPT Presentation

Slides: 22
Provided by: EFis7
Transcript and Presenter's Notes

1
THREATS TO INFORMATION SYSTEMS
  • HARDWARE FAILURE, FIRE
  • SOFTWARE FAILURE, ELECTRICAL PROBLEMS
  • PERSONNEL ACTIONS, USER ERRORS
  • ACCESS PENETRATION, PROGRAM CHANGES
  • THEFT OF DATA, SERVICES, EQUIPMENT
  • TELECOMMUNICATIONS PROBLEMS

2
WHY SYSTEMS ARE VULNERABLE

3
VULNERABILITIES
  • RADIATION: Allows Recorders, Bugs to Tap System
  • CROSSTALK: Can Garble Data
  • HARDWARE: Improper Connections, Failure of
    Protection Circuits
  • SOFTWARE: Failure of Protection Features, Access
    Control, Bounds Control
  • FILES: Subject to Theft, Copying, Unauthorized
    Access
  • USER: Identification, Authentication, Subtle
    Software Modification
  • PROGRAMMER: Disables Protective Features; Reveals
    Protective Measures
  • MAINTENANCE STAFF: Disables Hardware Devices;
    Uses Stand-alone Utilities
  • OPERATOR: Doesn't Notify Supervisor; Reveals
    Protective Measures
  • HACKER: Person Gains Access to Computer for
    Profit, Criminal Mischief, Personal Pleasure
  • COMPUTER VIRUS: Rogue Program; Difficult to
    Detect; Spreads Rapidly; Destroys Data; Disrupts
    Processing & Memory

4
COMMON COMPUTER VIRUSES
  • CONCEPT, MELISSA, I-LOVE-YOU: Word documents,
    e-mail. Deletes files
  • FORM: Makes clicking sound, corrupts data
  • EXPLORE.EXE: Attached to e-mail, tries to e-mail
    to others, destroys files
  • MONKEY: Windows won't run
  • CHERNOBYL: Erases hard drive, ROM BIOS
  • JUNKIE: Infects files, boot sector, memory
    conflicts

5
ANTIVIRUS SOFTWARE
  • SOFTWARE TO DETECT, ELIMINATE VIRUSES
  • ADVANCED VERSIONS RUN IN MEMORY TO PROTECT
    PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND
    ON INCOMING NETWORK FILES

6
CONCERNS FOR BUILDERS & USERS
  • DISASTER
  • BREACH OF SECURITY
  • ERRORS

7
DISASTER
  • LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER
    FAILURE, FLOOD OR OTHER CALAMITY
  • FAULT-TOLERANT COMPUTER SYSTEMS

8
SECURITY
  • POLICIES, PROCEDURES, TECHNICAL MEASURES TO
    PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT,
    PHYSICAL DAMAGE TO INFORMATION SYSTEMS

9
WHERE ERRORS OCCUR
  • DATA PREPARATION
  • TRANSMISSION
  • CONVERSION
  • FORM COMPLETION
  • ON-LINE DATA ENTRY
  • KEYPUNCHING / SCANNING / OTHER INPUTS
  • VALIDATION
  • PROCESSING / FILE MAINTENANCE
  • OUTPUT
  • TRANSMISSION
  • DISTRIBUTION

10
SYSTEM QUALITY PROBLEMS
  • SOFTWARE & DATA
  • BUGS
  • MAINTENANCE
  • DATA QUALITY PROBLEMS

11
COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE
[Figure: COSTS (vertical axis, 1.00 to 6.00) plotted against development stage (horizontal axis): ANALYSIS & DESIGN, PROGRAMMING, CONVERSION, POSTIMPLEMENTATION]

12
CREATING A CONTROL ENVIRONMENT
  • CONTROLS: Methods, Policies, Procedures to
    Protect Assets; Accuracy & Reliability of
    Records; Adherence to Management Standards
  • GENERAL
  • APPLICATION

13
GENERAL CONTROLS
  • IMPLEMENTATION: Audit System Development to
    Assure Proper Control, Management
  • SOFTWARE: Ensure Security, Reliability of
    Software
  • PROGRAM SECURITY: Prevent Unauthorized Changes to
    Programs
  • HARDWARE: Ensure Physical Security, Performance
    of Computer Hardware
  • COMPUTER OPERATIONS: Ensure Procedures
    Consistently, Correctly Applied to Data Storage,
    Processing
  • DATA SECURITY: Ensure Data Disks, Tapes Protected
    from Wrongful Access, Change, Destruction
  • ADMINISTRATIVE: Ensure Controls Properly
    Executed, Enforced
  • SEGREGATION OF FUNCTIONS
  • WRITTEN POLICIES AND PROCEDURES
  • SUPERVISION

14
APPLICATION CONTROLS
  • INPUT: INPUT AUTHORIZATION, DATA CONVERSION, BATCH
    CONTROL TOTALS, EDIT CHECKS
  • PROCESSING: ESTABLISH THAT DATA IS COMPLETE,
    ACCURATE DURING PROCESSING; RUN CONTROL TOTALS,
    COMPUTER MATCHING
  • OUTPUT: ESTABLISH THAT RESULTS ARE ACCURATE,
    COMPLETE, PROPERLY DISTRIBUTED; BALANCE INPUT /
    PROCESSING / OUTPUT TOTALS, REVIEW PROCESSING
    LOGS, ENSURE ONLY AUTHORIZED RECIPIENTS GET
    RESULTS
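
The input, processing and output controls listed on this slide, worked through on one small batch. This is an added example, not part of the original presentation; the record layout, field names and sample values are constructed for illustration. It shows a keying error that passes every edit check but is caught when the run control totals are balanced against the batch header.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample: header totals were prepared from the source documents;
# the third record was keyed as 100.52 instead of 100.25.
HEADER = {"count": 3, "amount": Decimal("1350.75"), "hash": 30126}
KEYED = [
    {"account": "10021", "amount": "250.00"},
    {"account": "10034", "amount": "1000.50"},
    {"account": "10071", "amount": "100.52"},
]

def edit_check(rec):
    """Input control: return the edit-check failures for one keyed record."""
    errors = []
    if not (len(rec["account"]) == 5 and rec["account"].isdigit()):
        errors.append("account must be 5 digits")
    try:
        if Decimal(rec["amount"]) <= 0:
            errors.append("amount must be positive")
    except InvalidOperation:
        errors.append("amount is not numeric")
    return errors

def totals(records):
    """Control totals: record count, amount total, hash total of account numbers."""
    return {
        "count": len(records),
        "amount": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash": sum(int(r["account"]) for r in records),
    }

def run_batch(header, records):
    """Apply input, processing and output controls; return a balancing report."""
    rejected = [(r, edit_check(r)) for r in records if edit_check(r)]
    accepted = [r for r in records if not edit_check(r)]
    ledger = {}
    for r in accepted:  # processing step: post each accepted amount
        ledger[r["account"]] = ledger.get(r["account"], Decimal("0")) + Decimal(r["amount"])
    run = totals(accepted)
    return {
        "rejected": rejected,
        # run control totals must agree with the batch header
        "run_mismatches": sorted(k for k in run if run[k] != header[k]),
        # output total must balance against the processing total
        "output_balanced": sum(ledger.values(), Decimal("0")) == run["amount"],
    }

if __name__ == "__main__":
    print(run_batch(HEADER, KEYED))
```

A record rejected by an edit check also shows up as count, amount and hash mismatches, which is what forces the rejected item to be corrected and re-entered rather than silently dropped.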

15
SECURITY AND THE INTERNET
  • Firewalls - combination of hardware and software
    placed between internal and external networks to
    prevent unauthorized access to private networks
  • verifies names, IP addresses, access rules

16
SECURITY & E-COMMERCE
  • ENCRYPTION
  • SSL (Secure Sockets Layer), S-HTTP - Web
  • DES (Data Encryption Standard) - US Govt
  • Public key encryption
  • AUTHENTICATION
  • Message integrity - Changes could indicate
    tampering
  • Digital signatures
  • Digital certificates, digital codes

17
SECURITY AND THE INTERNET
PUBLIC KEY ENCRYPTION

18
SECURITY AND THE INTERNET
ELECTRONIC PAYMENT SYSTEMS
  • CREDIT CARD-SET: Protocol for payment security
  • ELECTRONIC CASH: Digital currency
  • ELECTRONIC CHECK: Encrypted digital signature
  • SMART CARD: Chip stores e-cash
  • ELECTRONIC BILL PAYMENT: Electronic funds
    transfer
  • DIGITAL WALLET: Software stores credit card,
    electronic cash, owner ID, address for e-commerce
    transactions

19
CONTROL STRUCTURE
  • COSTS: Can be Expensive to Build; Complicated to
    Use
  • BENEFITS: Reduces Expensive Errors, Loss of Time,
    Resources, Good Will
  • RISK ASSESSMENT: Determine Frequency of
    Occurrence of Problem, Cost, Damage if it Were to
    Occur

20
MIS AUDIT
  • IDENTIFIES CONTROLS OF INFORMATION SYSTEMS,
    ASSESSES THEIR EFFECTIVENESS
  • TRACE FLOW OF SAMPLE TRANSACTIONS, NOTE HOW
    CONTROLS WORK
  • LIST, RANK WEAKNESSES
  • ESTIMATE PROBABILITIES, IMPACT
  • REPORT TO MANAGEMENT

21
SOFTWARE QUALITY ASSURANCE
  • USE PROVEN DEVELOPMENT METHODOLOGIES
  • RESOURCES ALLOCATION: How are Costs, Time, People
    Assigned During Development?
  • SOFTWARE METRICS: Quantifiable System
    Measurements for Objective Software Assessment
  • TESTING: Walkthrough of Design Documentation;
    Debugging to Discover, Eliminate Defects; Data
    Quality Audit to Sample, Measure Accuracy,
    Completeness of Data
  • QUALITY TOOLS: Project management software, CASE
    tools, data dictionaries, etc.