Information Technology For Management 5th Edition

About This Presentation

Title:

Information Technology For Management 5th Edition

Description:

Chapter 16 Security Information Technology For Management 5th Edition Turban, Leidner, McLean, Wetherbe Lecture Slides by A. Lekacos, Stony Brook University – PowerPoint PPT presentation

Number of Views:424

Avg rating:3.0/5.0

Slides: 59

Provided by: BHA151

Category:

more less

Transcript and Presenter's Notes

Title: Information Technology For Management 5th Edition

1
Chapter 16
Security

Information Technology For Management 5th Edition
Turban, Leidner, McLean, Wetherbe
Lecture Slides by A. Lekacos,
Stony Brook University
John Wiley Sons, Inc.

2
Learning Objectives

??????????????????????????????????????
information resources.
??????????????????????? IS department
?????????????????? end users.
??????????????????????? chief information officer
(CIO)
???????????????????????????????????, ???????????,
??????????????????????????????????????????????????
????????? ? (malfunction)
???????????????????? ? ???????????? information
systems.
?????????????????????????????? Web ??? electronic
commerce.
?????????????????????????????????????????
disaster recovery planning.
????????????????????? economics of security ???
risk management.
????????????????? IT ?????????????????????????????
????????

3
Cybercrime in the new millennium

Jan 1,2000 ??????????????????????????? Y2K
??????????????????????????????????? ??? Feb 6,
2000 e-commerce site ???? ? ????
?????????????????????????????? ? ?????????????
???????? Yahoo ??????????? Amazon, Etrade ???? ?
???????????????????????????????? Denial of
Service
???????????????? Denial of Service (DoS) ???
????????????????????????????????????????? ?
????????????????????????????????????
?????????????????????????? ???????????????????????
????????????????????????? ? ???
?????????????????? ????????????????????
???????????? Web Server, Mail Server ???? Domain
Name Server ??????????????????
??????
???????????????????????????????
?????????????????? ???????????????????????????????
?????????????? ??????????????????????????
?????????????????????????????????????
???????????????? ?????????????????????????????????
????????????????????????????? ????????????????????
?????????????????????????????????? ? ???
??????????????????

???????
?????????????????????????????????? ? ???????
???????????? ?????????????????????????????????????
???????????????????? ? ??? Web Server ????????
?????????????????????? Web page ??? ??? Mail
Server ???????? ???????????????? mail ???????
??????? Domain Name Server ?????????????????? url
???? ip ?????????????? ?????????
????????????????????????? ? ???????????????
bandwidth ??????????? ????????????????????????????
???????????????

5
16.1 Securing the Enterprise

CSI/FBI ?????????????????????????? 2004 ??? 2005
????????????????? 16.1
??????????????? IT at Work 16.1 VA Policy
Violation and Home Burglary Cause Security Breach
Estimated to Cost 100 Million, page 626

Global Reach Increase IS Vulnerability
Time-To-Exploit is Shrinking?????????????????????
???????????????????????????? ?????????????????????
???????????????????????????????????????????(exploi
t) ???????????????????????? patch
????????????????????????????????????????????????
??????????????????????????????????????????????????
??????????????????????????????????????????????????
???? ??????? ?????????????????????????????????????
???????????????????????????? ????????????
????????????????????????????????????
??????????????????????????????????????????????????
???????????????????????????? ?????????????????????
??????????????????????????????????????????????????
??
??????????????? A Closer Look 16.1 IT
Governance ???? 627

National And International Regulations Demand
Tougher IT Security
Industry Self-Regulations ???????????????????????
???????????????????????????????????
??????????????????????????????????????? ? ????
Payment Card Industry (PCI) Data Security
Standard ?????????????????????????????????????????
??????????? ???? Visa, MasterCard, American
Express ???????
Small Business Regulations ?????????? ?
?????????????????????????? ????????????????? ?
??????????????????????????????????????????????????
data security procedure ???????????? consumer
data
Cyber-Blackmail ???????????????????? Hacker
????????????????????????? (Trojan encrypt)
??????????????????????????????????????????????????
??????

Information Systems Breakdown ???????????????????
628
Directed and Refined Threats Call For New IT
Security Strategies
????? 9 ??? 10 ????????????????????
???????????????????? (Human error)
???????????????? (System malfunctioning)
??????????????????????????????????????????????????
??????????????????
??????????????? A Close Look 16.2 Money
Laundering, Organizing Crime and Terrorist
Financing page 629

9
IT Security and Internal Control Model

1 ????????????????????????????????????????????????
????
2 ??????????????????????????????????????????
?????????????????????????? AUP (acceptable use
policy) ???????????????????????????
????????????????
1 ????????????????????????????????????????????????
??????????????????????????
2 ????????????????????????????????????????????????
??????????????????
??????????????? IT at Work 16.2 Employee-Caused
Breaches on the Risepage631

3 ??????????????????????????????????????????????
(?????????????????????? 16.2)
4) ???????????????????????????????????????????????
?????????????

11
16.2 IS Vulnerabilities and Threats

??????????????????????? IT Security Term
?????????? 12.2 ???????? (?????? ?????????)
Identity theft ??????? ???????????????????????????
???????????????????????? ???????????? false
identity ?????????????????????????????????
???????????????????? (Information resources)
(??????????? physical resources, data, software,
procedures, and other information resources)
??????????????????????????????????????????????????
????????????????????????????????????
??????????????????????????????????? ?
?????????????? ?

12
Security Terms
Term Definition
Backup An extra copy of data and/or programs, kept in a secured location (s)
Decryption Transformation of scrambled code into readable data after transmission
Encryption Transmission of data into scrambled code prior to transmission
Exposure The harm, loss, or damage that can result if something has gone wrong in information system.
Fault tolerance The ability of an information system to continue to operate (usually for a limited time and/or at reduced level) when a failure occurs
13
Information system controls The procedure, devices, or software that attempt to ensure that system performs as planned.
Integrity (of data) The procedure, devices or software that attempt to ensure that the system performs as planned.
Risk A guarantee of the accuracy, completeness, and reliability of data, system integrity is provided by the integrity of its components and their integration
Threats (or hazards) The likelihood that a threat will materialize
Vulnerability Given that a threat exists, the susceptibility of the system to harm caused by the threat.
14
????????????????? (System Vulnerability)

Universal vulnerability ??????? ?????????????? ?
(state) ?? computing system ??????
??????????????????????? execute ?????????? ?
??????????????????? (another user)
??????????????????????????????????????????????????
???????????????????????????????????????
??????????????????????????????????????????????????
????? (pose as another entity) ????
????????????????????????????????????????????
denial of service (DoS)
Exposure ??? ?????????????? ? ?? computing system
(???? set of systems) ????????????????? universal
vulnerability ???? ???????????????????????????????
????????????????????????????? ???????????????????
????????????????? ? ????????????? ????????????? ?
???????????????????????? (???????????????????)
???? ??? a primary point of entry
??????????????????????????????????????????????????
??????????????????? ??? ??????????????????????????
????????? security policy.

15
Security Threats
16
????????????????? (System Vulnerability)

??????????????????????????????????????????????????
??????????????????????? ?????????????????
wireless computing ??????????????
????????????????????? ???????????????????
(???????????????) ?????????????????
????????????????
???????????? (Unintentional)
Human errors
Environmental hazards ???? ?????????? ???????
???????
Computer system failures ???? ???????????????
????????????????
?????? (Intentional)
Theft of data
Inappropriate use of data
Theft of mainframe computer time
Theft of equipment and/or programs

Deliberate manipulation in handling
Entering data
Processing data
Transferring data
Programming data
Labor strikes
Riots (???????????)
Sabotage (????????????)
Malicious damage to computer resources
Destruction from viruses and similar attacks
Miscellaneous computer abuses (??????????????)
Internet fraud (??????????????????????????)
Terrorists attack

18
??????????????????????? (Computer Crimes)

Type of computer crimes and criminals
????????? ????????????????????????????????????????
?????????? ???? ??????????????????????????????????
??????????????????????
???????? (Hacker) ??????? ????????????????????????
??????????????????? ????????????
???????????????????????? (no criminal intent)
????????? (Cracker) ??????? ??????????????????????
Social engineering ??????? ???????????????????????
????????????? ?????? ??????????
???????????????????????? sensitive information
???? ????????????????? ?????????????????????
?????????????????????????????

19
Type of computer crimes and criminals

Cybercrimes ??????? ??????????????????????
Internet
Identify theft ??????? ??????? (the identity
thief) ?????????????????????
Cyberwar ?????????????????????????????????????????
???? ???????????? ????????? massive attack
????????? destructive software.

20
Methods of Attack on Computing Facility

(?????????????????????????????????????????????????
?) ??????????????????????? ???????????????????????
????? (Data Tampering) ??? ??????????????????????
(Programming attack)
????? (Virus) ??????? ????????????????????????????
?????????????????????????? ????????????
??????????????????????????????????????????????????
????????????
Denial of Service (DoS)??????? Cyber-attack
?????????????????????? data packets ?????
?????????????????????????????? ???????????????????
???????? overload ???? ???????????????????????
???? ????????????????? Zombied PC
Botnets ?????????????????????????????????????
?????? Spam???????????????????????????? ?
?????????????????????? ???????????????????????????
???? computer robot ???? bot

21
Virus
22
Security Terms
Method Definition
Virus Secret instructions inserted into programs (or data) that are innocently ordinary tasks. The secret instructions may destroy or alter data as well as spread within or between computer systems
Worm A program that replicates itself and penetrates a valid computer system. It may spread within a network, penetrating all connected computers.
Trojan horse An illegal program, contained within another program, that sleep' until some specific event occurs then triggers the illegal program to be activated and cause damage.
Salami slicing A program designed to siphon off small amounts of money from a number of larger transactions, so the quantity taken is not readily apparent.
23
Super zapping A method of using a utility zap program that can bypass controls to modify programs or data
Trap door A technique that allows for breaking into a program code, making it possible to insert additional instructions.
Logic bomb An instruction that triggers a delayed malicious act
Denial of services Too many requests for service, which crashes the site
Sniffer A program that searches for passwords or content in packet of data as they pass through the Internet
Spoofing Faking an e-mail address or web-page to trick users to provide information instructions
24
Password cracker A password that tries to guess passwords (can be very successful)
War dialling Programs that automatically dial thousands of telephone numbers in an attempt to identify one authorized to make a connection with a modem, then one can use that connection to break into databases and systems
Back doors Invaders to a system create several entry points, even if you discover and close one, they can still get in through others
Malicious applets Small Java programs that misuse your computer resource, modify your file, send fake e-mail, etc
25
16.3 Fraud and Computer Crimes

Fraud (?????,???????) ??????? ????????????????????
??????????????????????????????????????????????????
???????????????????????????????????????????????
???????? Occupational fraud

26
Computer CrimesIdentify Theft
27
16.4 IT Security Management Practices Defense
Strategy How Do We Protect ?
??????????????? potential threats ??? IS
????????????????? ????????????????????????????????
??? ?????????????? ?????????? controls (defense
mechanisms) ??? developing awareness
??????????????

The major objectives of a defense strategy are
????????????????? (?????????????????)
???????
????????????????
??????????
???????????? (???????????????????????????????)
Awareness and compliance

28
Major defense control
29
General Controls

Physical control
?????? data center ?????????? ???? ?????????
??????
??????????????????????????????????
????????????? ??????? ??? ?????
????????????? ??? ???? UPS
??????????? ????????? ??? ??????
?????????????????????????
?????????????????????? ???? ????????????????
???????????

Access Control
??????????????????? ??? ??????????? (Authorize)
??? ???????????????????????????????? (??????
????????? ? )(Authentication) ????????????????????
?Unique user-identifier (UID)
Biometric Control
Photo face Fringerprints
Hand geometry Iris scan
Retina scan Voice scan
Signature Keystroke dynamic

31
Defense Strategy Biometric
32

Data Security controls
?????????????? 2 ?????????????????? data security
???
Minimal privilege ????????????????????????????????
????????????
Minimal exposure ?????????????????????????????????
??????? ??????????????????????????????????????????
?????????????????????? ????????? ??????? ????
?????? ?????
Communications and Network controls
Administrative controls
Other General Controls
Programming controls
Documentation controls
System Development controls

Application Controls
Input controls ??????
Completeness
Format
Range
Consistency
Processing controls ?????????????????????????
????????????? ??????? ?????? ?????????????????????
???????????
Output controls ?????????????????? ?????????
??????? ??????????????

34
16.5 Network Security

Border Security
??????????????????? border security ??? access
control ??????? ????? authentication ???? proof
of identity ????????????????? ?????????????????
authorization ????????????????????????????????????
??????? user ????? ? ????????????????????????

Security Layers
35
Tool ???????????????? Border Security

Firewalls
Malware Controls
Intrusion Detecting Systems (IDSs)
Virtual Private Networking (VPN)
????????????????? (Encryption)
?????? Tester ??????? Trouble Shooting ????
Protocol analyzer
Payload Security ?????????????????????????????????
????????
Honeypots ????????? hacker ???????????????????????
? (????????????? Honeypots ????? Honetnets)

36
Authentication

Phishing ??? identity theft ?????????????????
weak authentication ????????????????????????
?????????????????????????? strong authentication
????????? two-factor authentication ????
multifactor authentication ????????????? 2
????????(???????????)??????????
????????????????????????????????????????????????
???
1) ?????????? ???? ??????? ?????? ???????
?????????????????????
2) ????????????? ???? ????????????????????????????
???????????????????????????????? remote ??????,
??? remote ?????? ???? IP ?????????????????
3) ??????????????? ?????????? ????????????????????
????????????? (???????? ???? ?????????????????????
???????????????? ? ?? ???? ??????????????????

37
Defense mechanism
38
16.6 Internal Control and Compliance Management

Internal Control (IC) ????????????????? ?
???????????????????????????
1) ???????????????(reliability)???????????????????
???????????
2) ????????????????????????????????
3) ???????????????????????? (Law)
4) ???????????????????????? (Regulation)
????????? (Policy)
5) ?????????????????????????? ?

39
Increasing role of IT in internal control
40
(No Transcript)
41
Internal control procedures and activities

??????????? 5 ????????????????????????????
(internal control)
1) ?????????????????????????????????
????????? fraud ??????????????????????????????????
??????????????????????????????????
2) ??????????????????????????
??????????????????????????????????????????????????
?????????????????????????????????????????????????
????????? fraud ??????
3) ?????????????????(??????)????????????
??????????????????????????????????????????????????
??????????????? ??????????????????????????????????
??????????????????????????????????????????????????
???

4) ????????????????????????? (Physical
safeguards) (???? ????????? ???????????)
??????????????????????????????????????????????????
?????????????????????????? fraud
5) ????????????????????????????????
??????????????????????????????????????????????????
???????

43
16.7 Business Continuity and Disaster Recovery
Planning

?????????????????????????????????????????? ? ???
business continuity plan, ???????????????
Disaster recovery ??????? ???????????????????????
????????????????????????? ???????
????????????????? (???????????????????????????????
???)
Disaster recovery plan. ??????????????????????????
??????????????????????????????????????????????????
?????????????? ? (major disaster)
Disaster avoidance ??????? ???????????????????????
???????????????????????? ???
Backup location ??????? ???????????????????
??????????? ???/???? ???????????????
???????????????? ?????????????????????????????????
????????????????????
Hot site ??????? ?????????? vendors ????????????
access ???????? fully configured backup data
center.

44
Business continuity services managed by IBM
45
Business Continuity Planning

?????????????????? business continuity plan
??????????????????????????????????????????????????
Recovery planning ????????????????????????????????
??????? (asset protection)
??????????????????????????????????????????????????
???????????????????????? ( total loss of all
capabilities)
?????????????????????????????????????? What if
analysis
Application ??????????????????????????????????????
??????????????????????????????????
??????????????????????????????????????????????????
??????????????????????
??????????????? IT at Work 16.3 Business
Continuity and Disaster Recovery page649

46
One of the most logical ways to deal with loss of
data is to back it up. A business continuity plan
should include backup arrangements were all
copies of important files are kept offsite.
47
16.8 Implementing Security Auditing and Risk
Management

??????????????????????????????? ?
??????????????????????????????????????????????????
???????????????????????????????????????????
??????????????? ? ??????????????????????????????
???? auditing task
???????????????? 2 ?????? ???
??????????????????? (internal auditor)
?????????????????????????????????????? ISD.
???????????????????? (external auditor)
??????????????????????????
???????????????? 2 ????????????? ???
Operational audit ?????????? ISD
???????????????????
Compliance audit ?????????????????????????????????
??????????????????????????

48
???????????????????????????????????

???????????????????????????????
?????????????????????????? ??? ???????????????????
????
????????????? ????? ?????????????????????????????
????????????? ? ???????????????????? (???????????
???????????????????????????????????)
?????????????????????????????? ? ?????????????
??????????????? ? ????????????????????????????????
???????
??????????????? ? ?????????????????????????????
???????????????????????????????????????? ???????

49
Risk Management and Cost-Benefit Analysis

?????????????????????????????????????? ?
?????????????????????? ??????? IT security
program ???????????????????????????????????????
(assessing threats) ??????????????
???????????????????? ?????????????????????
(ignore)
Risk-Management Analysis
Expected loss P1 x P2 x L
????? P1 probability of attack (estimate, based
on judgment)
P2 probability of attack being successful
(estimate, based on judgment)
L Loss occurring if attack is successful
???????? P1 .02, P2 .10, L 1,000,000 usd
Expected loss 0.02 x 0.10 x 1,000,000 usd
2,000

50
16.9 Computer Forensics (?????????????????????????
?????????????)

???????????????????????? ? ?????? 651 ??? 653

51
MANAGERIAL ISSUES

To whom should the IS department report?
???????????????????? degree of IS
decentralization ??? ???????? CIO ????? IS
department ??????? functional area ?? ?
???????????????????????????????????????????
functional area ???? ? ?????????
????????????????? IS ??????????????? CEO
Who needs a CIO?
?????????????????????????????????????????? CIO
?????? senior executive ?????????
????????????????????????????????????????????????
ISD ??????????????? ? ????????????? ???????
???????? ? ???????????????????????? IT
???????????????? ???????????? CIO

52
MANAGERIAL ISSUES

1) What is the business value of IT security and
internal control?
????????????????????????????????? IT ???
??????????????????? ??????? ?????????????? IT
??????????????? business objective
???????????????????????????
2) Why are there legal obligations
(?????????????????????)?
??????????????????????????????????????????????????
??????????????????????????????? transaction ???
?????????? ? ?????????????????????????? ??????
?????????? ???????????????????????????????????
?????????????????????????
3) How important is IT security to management?
????????????????????????????????????????????
???????????????????????????????????
???????????????????????????? hacker, phisher,
spammer, identity thieve, malware ??? terrorist
worldwide ????????????????????

53
MANAGERIAL ISSUES

4) IT security and internal control must be
implemented top-down
?????????????? IT ????????????????????????????????
??????????????????????????????????????????
5) Acceptable use policies (AUPs) and security
awareness training are important for any
organization
??????? 1 ??????????????????????????? IT ???
Human error
6) Digital assets are relied upon for competitive
advantage
?????????????? ???????????????????????????????????
??????????????????????? ??????? ???????????????
BI, ERP, CRM ??? EC ????????????????????
??????????? ??? ?????????????? ??????????????? IT

54
MANAGERIAL ISSUES

7) What does risk management involve?
????????????????????????????? ?????????????? ????
???????? ??? ?????? ?????????????
?????????????????????? ? ?????????
??????????????????????????????????????????????????
????????? ???????????????????????????????? ? ???
???????????????????? malware, spyware ???
profit-motivated hacking
8) What are the impacts of IT security breaches
(????????? IT security)?
??????????????????????????????????????????????????
??????????????????????????????????????????

End users are friends, not enemies, of the IS
department.
??????????????????? end users ??? ISD
???????????????????????? ?????????? ISD
?????????? end-user ??????????????
??????????????????????????????????????????????
???????????????????????????????????????????????
?????????????????? ???????????????????????????????
??????????????????????????????????????????
Ethical issues.
????????????????????????? ISD ????
???????????????????????????????????????????? ????
???ISD ?????????????????? ????????????????????????
???????????????????????????? ? ???????????????????
? ????????????????????????????????

56
MANAGERIAL ISSUES Continued

Responsibilities for security should be assigned
in all areas.
????????????? Internet, extranets, ??? intranets
??????????????????????????????????????????????????
????????????? ????????????????????????????????????
??????????????????????????????????????????????????
????????? ??????? ????????????????? functional
managers ?????????????????????????????? IT
security management and asset management
????????????
Security awareness programs are important for any
organization, especially if it is heavily
dependent on IT.
??????????????????????????????????????????????????
??????????? senior executives ???? ? ????????
????????????? administrative controls
????????????????????? ????????????????

57
MANAGERIAL ISSUES Continued

Auditing information systems should be
institutionalized into the organizational
culture.
?????????????????????? IS ????????????????????????
????? (???????????????????? ? ????????????????????
????????????????????????????????) ????????????
over-auditing ??????????????????????????
Multinational corporations.
??????????? ISD ??????? multinational corporation
?????????????????????????????????????????????????
??????????????????????????? complete
decentralization ????? ISD ?????????????
?????????? ISD ????? ??????????? centralized
staff ?????????????????????? ? ???????????????????
????????? highly centralized structure
?????????????????????