In our connected world, securing information systems is paramount. This article delves into common vulnerabilities, including unauthorized access, data theft, and malicious acts like hacking and viruses. It explores the importance of security policies, technical measures, and business continuity plans tailored to address potential disasters. Learn about preventive, detective, and corrective controls, alongside access management strategies such as biometrics and firewalls. Understanding these aspects will enhance your capability to protect assets and ensure data reliability in an increasingly digital landscape.
More?
• Blog
• Wiki
• Social Media
• Semantic web
And …
• Bluetooth
  • IEEE 802.15.1 wireless personal-area network standard
  • About 10 metre range; up to 8 active devices per piconet
• WiMAX
• RFID
Homework
• 2 Decision Problems
• Discussion question 2
BUS 290: Chapter 8 Securing Information Systems
System Vulnerability
• Security: policies, procedures and technical measures used to prevent
  • Unauthorized access
  • Alteration
  • Theft
  • Physical damage
• Controls: methods, policies and procedures that ensure
  • Safety of assets
  • Accuracy & reliability of data
  • Adherence to managerial standards
Why systems are vulnerable
Depends on the system part:
• Client: unauthorized access, errors
• Communication: tapping, sniffing, theft/fraud, message alteration
• Servers: hacking, viruses, theft/fraud, vandalism, denial of service
• Corporate systems: data theft, copying, alteration, hardware & software failure
Malicious Acts
• Infections: viruses, Trojan horses, worms
• Unauthorized software: spyware, adware, keyloggers
• Unauthorized use of computers
• Theft, sabotage or destruction of hardware
• Denial of service attacks
• Password guessing and cracking (weak passwords; mix capitals and numbers)
• Website/server attacks, spoofing
• Electronic theft or sabotage of electronic data
• Financial fraud
Who?
• Employees
• “idiots”, suckers & angry people
• Hackers
• Terrorists
• Competitors
Other Concepts
• Bugs
• Patches
• PITA … time, downtime & cost
• Personal Information Protection & Electronic Documents Act (PIPEDA)
Controls
• Preventive, detective and corrective measures
• 2 categories of controls
  • General
  • Application
• Guided by company strategy, policies and procedures
General Controls
Common across all applications:
• Security management
• Physical & logical access controls …
• System acquisition & development controls
• System maintenance & change controls
• Operations controls
• Business continuity controls …
Physical & Logical Access
• Physical
  • Access to servers, tape storage etc.
  • Security features like cameras, alarms, etc.
• Logical
  • IDs, passwords, biometrics
  • CAPTCHA
  • Firewalls (double walls?)
  • Intrusion detection systems (false positives)
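As an added example (not from the course slides) of the logical-access bullets above, two minimal intrusion-detection checks: counting failed passwords per source address, where the alert threshold decides how many false positives you accept, and a file-integrity baseline that reports files modified or removed (the indicators the later IDS slide lists). The log lines and file contents are constructed for the demo, and every name in the block is the example's own.

```python
"""Two simple intrusion-detection checks: repeated password failures per source
address, and files modified or removed relative to a known-good baseline.

Added example, not from the course slides. Log lines and file contents below are
constructed; 203.0.113.0/24 is a documentation address range."""
import hashlib
import re
from collections import Counter

# Constructed sshd-style auth log: 203.0.113.7 is guessing passwords, while
# 10.0.0.5 is a legitimate user who mistyped three times before succeeding.
AUTH_LOG = """\
Mar 10 08:01:02 srv1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:04 srv1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:05 srv1 sshd[4123]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 08:01:07 srv1 sshd[4123]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 08:01:09 srv1 sshd[4125]: Failed password for invalid user oracle from 203.0.113.7 port 51138 ssh2
Mar 10 08:01:11 srv1 sshd[4125]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Mar 10 08:15:30 srv1 sshd[4200]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Mar 10 08:15:36 srv1 sshd[4200]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Mar 10 08:15:41 srv1 sshd[4200]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Mar 10 08:15:50 srv1 sshd[4200]: Accepted password for alice from 10.0.0.5 port 40000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def failed_logins(log: str) -> Counter:
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def brute_force_alerts(log: str, threshold: int) -> list:
    """Sources with at least `threshold` failures. A low threshold catches the
    attacker sooner but also flags ordinary typos: the false positives the slide warns of."""
    return sorted(src for src, n in failed_logins(log).items() if n >= threshold)


def snapshot(files: dict) -> dict:
    """Baseline of file hashes (path -> SHA-256 hex) that the IDS compares against."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def integrity_diff(baseline: dict, current: dict) -> dict:
    """Files modified, removed or added since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


# Constructed file-system states: the password file gains a UID-0 account, a backup
# job disappears and an unexpected script shows up in /tmp.
FILES_BEFORE = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
    "/usr/bin/ls": b"\x7fELF...ls...",
}
FILES_AFTER = {
    "/etc/passwd": FILES_BEFORE["/etc/passwd"] + b"svc:x:0:0::/:/bin/bash\n",
    "/usr/bin/ls": FILES_BEFORE["/usr/bin/ls"],
    "/tmp/.x": b"#!/bin/sh\nexec /bin/sh\n",
}

if __name__ == "__main__":
    print(brute_force_alerts(AUTH_LOG, 3))   # both addresses: 10.0.0.5 is a false positive
    print(brute_force_alerts(AUTH_LOG, 5))   # only the password-guessing source
    print(integrity_diff(snapshot(FILES_BEFORE), snapshot(FILES_AFTER)))
```

With the threshold at 3 the legitimate user is flagged alongside the attacker; at 5 only the attacker remains. That trade-off between missed attacks and false positives is the tuning problem every detective control has, and the hash baseline shows why the "files modified or removed" indicator needs a trusted snapshot taken before the incident.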
Business Continuity Plan
How do we handle a system problem? Includes a disaster recovery plan addressing:
• Listing of potential disasters
• Roles & responsibilities
• Scripts, contact lists
• Critical processing priorities
• Backup plans, location and access
• Power requirements, backups
• Rebuilding procedures, timelines
Application Controls
Needed for the 4 basic areas:
• Input
  • Check digits
• Processing
  • Logs, control totals, hash totals, time stamping
• Output
  • Distribution, access, printer use
• Storage
  • Logical access to databases etc.
  • Access requests
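A worked example of the input and processing controls above, added here and not part of the course slides: a mod-10 (Luhn) check digit on an account-number field as the input control, and batch control totals (record count, amount total, hash total) recorded at input and recomputed after processing to catch a dropped or altered record. The payment batch is constructed and the function names are the example's own.

```python
"""Input and processing controls: a check digit on the account number field and
batch control totals recomputed after processing.

Added example, not from the course slides. The batch below is constructed."""
from typing import Dict, Iterable, List


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits. Catches every single-digit
    error and every adjacent transposition except 09 <-> 90."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # digits nearest the check position are doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Input control: accept the field only if its last digit is the right check digit."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return len(digits) >= 2 and luhn_check_digit(digits[:-1]) == digits[-1]


def reject_invalid_accounts(records: Iterable[Dict]) -> List[str]:
    """Account numbers the input step should bounce back for correction."""
    return [r["account"] for r in records if not luhn_valid(r["account"])]


def batch_control_totals(records: Iterable[Dict]) -> Dict[str, int]:
    """Totals recorded with the batch at input and recomputed after each step:
    record count, financial total, and a hash total (sum of account numbers, which is
    meaningless as a number but changes if a record is dropped, duplicated or altered)."""
    records = list(records)
    return {
        "record_count": len(records),
        "amount_total_cents": sum(r["amount_cents"] for r in records),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def verify_batch(header: Dict[str, int], records: Iterable[Dict]) -> List[str]:
    """Names of the control totals that no longer match; empty means the batch reconciles."""
    actual = batch_control_totals(records)
    return [name for name, value in header.items() if actual.get(name) != value]


# Constructed payment batch; the account numbers are Luhn-valid test numbers.
BATCH = [
    {"account": "79927398713", "amount_cents": 12500},
    {"account": "49927398716", "amount_cents": 8000},
    {"account": "1234567812345670", "amount_cents": 4999},
]

if __name__ == "__main__":
    # A transposed pair of digits in the last account fails the input control.
    print(reject_invalid_accounts(BATCH + [{"account": "79927398731", "amount_cents": 1}]))
    header = batch_control_totals(BATCH)            # stored with the batch at input
    altered = [dict(r) for r in BATCH]
    altered[1]["amount_cents"] += 1000               # changed during processing
    print(verify_batch(header, BATCH))               # reconciles
    print(verify_batch(header, altered))             # amount total differs
    print(verify_batch(header, BATCH[:-1]))          # dropped record: all three differ
```

The check digit rejects mistyped or transposed account numbers before they enter processing; the control totals show which kind of processing error occurred, since an altered amount disturbs only the financial total while a lost record disturbs all three.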
And..
• Intrusion detection systems
  • Password errors
  • Files modified or removed
• Encryption
  • HTTPS
  • Symmetric key encryption (single shared key)
  • Public & private keys
  • Digital certificates (proof of ID)
  • Secure, encrypted online communication
  • Third party (Certification Authority)
  • Public Key Infrastructure
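To show how the encryption bullets above fit together, here is an added example (not from the course slides) that wires up key pairs, a digital signature, a certificate issued by a certification authority, and a single symmetric session key delivered under the server's certified public key, which is the pattern HTTPS used with RSA key transport. It uses textbook RSA with fixed, publicly known Mersenne primes and no padding, so it is an illustration of the ideas only, never something to protect real data with; all names (Demo CA, shop.example, the functions) are the example's own.

```python
"""Public/private keys, digital signatures, a CA-issued certificate and a symmetric
session key carried under the server's public key: the pieces of the PKI slide,
wired together the way HTTPS with RSA key transport works.

Added example, not from the course slides. Textbook RSA with fixed, publicly known
Mersenne primes and no padding: illustration only, never for real data."""
import hashlib
import secrets
from dataclasses import dataclass, replace

E = 65537
# Known primes so the demo needs no prime generation; real keys use random secret primes.
CA_PRIMES = ((1 << 1279) - 1, (1 << 2203) - 1)
SERVER_PRIMES = ((1 << 521) - 1, (1 << 607) - 1)


@dataclass(frozen=True)
class KeyPair:
    n: int
    e: int
    d: int  # private exponent: stays with its owner

    @property
    def public(self):
        return (self.n, self.e)


@dataclass(frozen=True)
class Certificate:
    subject: str      # identity being vouched for
    n: int            # the subject's public key ...
    e: int
    issuer: str       # ... and who vouches for the binding
    signature: int


def generate_keypair(primes) -> KeyPair:
    p, q = primes
    return KeyPair(p * q, E, pow(E, -1, (p - 1) * (q - 1)))


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(key: KeyPair, data: bytes) -> int:
    """Only the holder of d can produce this; anyone with (n, e) can check it."""
    return pow(digest(data), key.d, key.n)


def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(data)


def cert_tbs(subject: str, n: int, e: int, issuer: str) -> bytes:
    """The to-be-signed part of the certificate: an identity bound to a public key."""
    return f"{subject}|{n}|{e}|{issuer}".encode()


def issue_certificate(subject, subject_key: KeyPair, issuer, ca_key: KeyPair) -> Certificate:
    tbs = cert_tbs(subject, subject_key.n, subject_key.e, issuer)
    return Certificate(subject, subject_key.n, subject_key.e, issuer, sign(ca_key, tbs))


def verify_certificate(cert: Certificate, ca_public, expected_issuer, expected_subject) -> bool:
    if cert.issuer != expected_issuer or cert.subject != expected_subject:
        return False
    return verify(ca_public, cert_tbs(cert.subject, cert.n, cert.e, cert.issuer), cert.signature)


def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (keystream = SHA-256(key || counter)); the same call decrypts.
    One shared key does both directions, which is why it must travel protected."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def run_handshake(message: bytes = b"GET /account HTTP/1.1") -> dict:
    ca = generate_keypair(CA_PRIMES)
    server = generate_keypair(SERVER_PRIMES)
    cert = issue_certificate("shop.example", server, "Demo CA", ca)

    # Client: trusts only the CA's public key, checks the certificate, then sends a
    # fresh symmetric session key encrypted under the certified public key.
    cert_ok = verify_certificate(cert, ca.public, "Demo CA", "shop.example")
    tampered = replace(cert, subject="bank.example")   # certificate altered in transit
    tampered_ok = verify_certificate(tampered, ca.public, "Demo CA", "bank.example")
    session_key = secrets.token_bytes(32)
    wrapped_key = pow(int.from_bytes(session_key, "big"), cert.e, cert.n)
    ciphertext = symmetric_crypt(session_key, message)

    # Server: only its private exponent recovers the session key.
    unwrapped = pow(wrapped_key, server.d, server.n).to_bytes(32, "big")
    plaintext = symmetric_crypt(unwrapped, ciphertext)
    return {"cert_ok": cert_ok, "tampered_ok": tampered_ok,
            "keys_match": unwrapped == session_key, "plaintext": plaintext}


if __name__ == "__main__":
    print(run_handshake())
```

The client never needs the server's key in advance, only the CA's public key: the certificate's signature proves the CA bound "shop.example" to that public key, and changing any field breaks the check. The expensive public-key operation happens once, to move the session key; the bulk traffic then uses the single symmetric key, exactly the division of labour the HTTPS bullet refers to.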
Odds & Ends
• Cloud security
• Who looks after security
• Software metrics
Homework
• Management Decision Problem #1
• Spreadsheet problem, page 275
• Midterm … Chapters 4 – 8
  • 10-12 short answer questions