1 / 51

Chapter

6. COIS11011 WEEK 9. Chapter. Securing Information Systems. “66 percent of all Webroot-scanned personal computers are infected with at least 25 spyware programs.” Webroot (2005). Learning Objectives. Learning Objectives. Information Systems Security.

reya
Download Presentation

Chapter

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 6 COIS11011 WEEK 9 Chapter Securing Information Systems “66 percent of all Webroot-scanned personal computers are infected with at least 25 spyware programs.” Webroot (2005) Information Systems Today: Managing in the Digital World

  2. Learning Objectives Information Systems Today: Managing in the Digital World

  3. Learning Objectives Information Systems Today: Managing in the Digital World

  4. Information Systems Security • All systems connected to a network are at risk • Internal threats • External threats • Information systems security • Precautions to keep IS safe from unauthorized access and use • Increased need for good computer security with increased use of the Internet Information Systems Today: Managing in the Digital World

  5. Primary Threats to Information Systems Security • Accidents and natural disasters • Power outages, cats walking across keyboards • Employees and consultants • Links to outside business contacts • Travel between business affiliates • Outsiders • Viruses Information Systems Today: Managing in the Digital World

  6. Unauthorized Access • Unauthorized people • Look through electronic data • Peek at monitors • Intercept electronic communication • Theft of computers or storage media • Determined hackers gain administrator status Information Systems Today: Managing in the Digital World

  7. Gaining Access to a Password • Brute force • Try combinations until a match is found • Protection: • Wait time requirements after unsuccessful login attempt • CAPTCHA Information Systems Today: Managing in the Digital World

  8. Information Modification • User accesses electronic information • User changes information • Employee gives himself a raise Information Systems Today: Managing in the Digital World

  9. Denial of Service Attack • Attackers prevent legitimate users from accessing services • Zombie computers • Created by viruses or worms • Attack Web sites Information Systems Today: Managing in the Digital World

  10. Computer Viruses • Corrupt and destroy data • Destructive code can • Erase a hard drive • Seize control of a computer • Worms • Variation of a virus • Replicate endlessly across the Internet • Servers crash • MyDoom attack on Microsoft’s Web site Information Systems Today: Managing in the Digital World

  11. Spyware • Within freeware or shareware • Within a Web site • Gathers information about a user • Credit card information • Behavior tracking for marketing purposes • Eats up computer’s memory and network bandwidth • Adware – special kind of spyware • Collects information for banner ad customization Information Systems Today: Managing in the Digital World

  12. Spam • Electronic junk mail • Advertisements of products and services • Eats up storage space • Compromises network bandwidth • Spim • Spam over IM Information Systems Today: Managing in the Digital World

  13. Protection Against Spam • Barracuda Spam Firewall 600 • Filters spam and other email threats • Decreases amount of spam processed by the central e-mail server • Handles 3,000 – 10,000 active email users • Spam messages blocked or quarantines Information Systems Today: Managing in the Digital World

  14. Phishing • Attempts to trick users into giving away credit card numbers • Phony messages • Duplicates of legitimate Web sites • E.g., eBay, PayPal have been used Information Systems Today: Managing in the Digital World

  15. Cookies • Messages passed to a Web browser from a Web server • Used for Web site customization • Cookies may contain sensitive information • Cookie management and cookie killer software • Internet Explorer Web browser settings Information Systems Today: Managing in the Digital World

  16. Other Threats to IS Security Employees writing passwords on paper No installation of antivirus software Use of default network passwords Letting outsiders view monitors Information Systems Today: Managing in the Digital World 6-16

  17. Other Threats to IS Security (II) • Organizations fail to limit access to some files • Organizations fail to install firewalls • Not doing proper background checks • Lack of employee monitoring • Fired employees who are resentful Information Systems Today: Managing in the Digital World

  18. Learning Objectives Information Systems Today: Managing in the Digital World

  19. Safeguarding Information Systems Resources • Information systems audits • Risk analysis • Process of assessing the value of protected assets • Cost of loss vs. cost of protection • Risk reduction • Measures taken to protect the system • Risk acceptance • Measures taken to absorb the damages • Risk transfer • Transferring the absorption of risk to a third party Information Systems Today: Managing in the Digital World

  20. Technological Safeguards • Physical access restrictions • Authentication • Use of passwords • Photo ID cards, smart cards • Keys to unlock a computer • Combination • Authentication limited to • Something you have • Something you know • Something you are Information Systems Today: Managing in the Digital World

  21. Biometrics • Form of authentication • Fingerprints • Retinal patterns • Body weight • Etc. • Fast authentication • High security Information Systems Today: Managing in the Digital World

  22. Access-Control Software • Access only to files required for work • Read-only access • Certain time periods for allowed access • Business systems applications • Built-in access control capabilities Information Systems Today: Managing in the Digital World

  23. Wireless LAN Control • Wireless LAN cheap and easy to install • Use on the rise • Signal transmitted through the air • Susceptible to being intercepted • Drive-by hacking Information Systems Today: Managing in the Digital World

  24. Virtual Private Networks • Connection constructed dynamically within an existing network • Secure tunnel • Encrypted information Information Systems Today: Managing in the Digital World

  25. Firewalls • System designed to detect intrusion and prevent unauthorized access • Implementation • Hardware, software, mixed • Approaches • Packet filter – each packet examined • Application-level control – security measures only for certain applications • Circuit-level control – based on certain type of connection • Proxy server – firewall acts as the server and intercepts all messages; Network Address Translation Information Systems Today: Managing in the Digital World

  26. Firewall Architecture • Basic software firewall for a home network • Firewall router • Home office • Small office Information Systems Today: Managing in the Digital World

  27. Firewall Architecture Larger Organization Information Systems Today: Managing in the Digital World

  28. Encryption • Message encoded before sending • Message decoded when received • Encryption allows for • Authentication – proving one’s identity • Privacy/confidentiality – only intended recipient can read a message • Integrity – assurance of unaltered message • Nonrepudiation – use of digital signature Information Systems Today: Managing in the Digital World

  29. The Encryption Process • Key – code that scrambles the message • Symmetric secret key system • Sender and recipient use the same key • Cons: Management problems • Public key technology • Asymmetric key system • Each individual has a pair of keys • Public key – freely distributed • Private key – kept secret Information Systems Today: Managing in the Digital World

  30. How Encryption Works (Asymmetric) Information Systems Today: Managing in the Digital World

  31. Encryption for Websites • Certificate Authority • Third party – trusted middleman • Verifies trustworthiness of a Web site • Checks for identity of a computer • Provides public keys • Secure Sockets Layer (SSL) • Developed by Netscape • Popular public-key encryption method Information Systems Today: Managing in the Digital World

  32. Other Encryption Approaches • 1976 – Public/private key • 1977 – RSA • Technology licensed to Lotus and Microsoft • Federal law prohibited exporting encryption technology • Limited use by organizations • 1991 – Pretty good privacy • Versatile encryption program • Global favorite • 1993 – Clipper chip • Chip generating uncrackable codes • Scrapped before it became reality Information Systems Today: Managing in the Digital World

  33. The Evolution of Encryption • Future encryption programs will provide • Strong security • High speed • Usability on any platform • Encryption for cellular phones • Encryption for PDAs Information Systems Today: Managing in the Digital World

  34. Recommended Virus Precautions • Purchase and install antivirus software • Update frequently • Do not download data from unknown sources • Flash drives, disks, Web sites • Delete (without opening) e-mail from unknown sources • Warn people if you get a virus • Your department • People on e-mail list Information Systems Today: Managing in the Digital World

  35. Audit Control Software • Keeps track of computer activity • Spots suspicious action • Audit trail • Record of users • Record of activities • IT department needs to monitor this activity Information Systems Today: Managing in the Digital World

  36. Other Technological Safeguards • Backups • Secondary storage devices • Regular intervals • Closed-circuit television (CCTV) • Monitoring for physical intruders • Video cameras display and record all activity • Digital video recording • Uninterruptible power supply (UPS) • Protection against power surges Information Systems Today: Managing in the Digital World

  37. Human Safeguards • Use of federal and state laws as well as ethics Information Systems Today: Managing in the Digital World

  38. Learning Objectives Information Systems Today: Managing in the Digital World

  39. Managing Information Systems Security • Non-technical safeguards • Management of people’s use of IS • Acceptable use policies • Trustworthy employees • Well-treated employees Information Systems Today: Managing in the Digital World

  40. Developing an Information Systems Security Plan Ongoing five-step process • Risk analysis • Determine value of electronic information • Assess threats to confidentiality, integrity and availability of information • Identify most vulnerable computer operations • Assess current security policies • Recommend changes to existing practices to improve computer security Information Systems Today: Managing in the Digital World

  41. Security Plan: Step 2 • Policies and procedures – actions to be taken if security is breached • Information policy – handling of sensitive information • Security policy – technical controls on organizational computers • Use policy – appropriate use of in-house IS • Backup policy • Account management policy – procedures for adding new users • Incident handling procedures –handling security breach • Disaster recovery plan – restoration of computer operations Information Systems Today: Managing in the Digital World

  42. Security Plan: Remaining Steps • Implementation • Implementation of network security hardware and software • IDs and smart cards dissemination • Responsibilities of the IS department • Training – organization’s personnel • Auditing • Assessment of policy adherence • Penetration tests Information Systems Today: Managing in the Digital World

  43. Responding to a Security Breach • 1988 – Computer Emergency Response Team (CERT) • Started after Morris worm disabled 10% of all computers connected to the Internet • Computer Security Division (CSD) • Raising of awareness of IT risks • Research and advising about IT vulnerabilities • Development of standards • Development of guidelines to increase secure IT planning, implementation, management and operation Information Systems Today: Managing in the Digital World

  44. The State of Systems Security Management • Financial losses of cybercrime are decreasing • Computer virus attacks result in the greatest financial losses • Only about 25% of organizations utilize cyberinsurance • Only about 20% of organizations report intrusions to the law enforcement • Fear of falling stock prices • Most organizations do not outsource security activities • 90% of organizations conduct routine security audits • Most organizations agree security training is important • Majority said they do not do enough of training Information Systems Today: Managing in the Digital World

  45. Use of Security Technologies • CSI/FBI computer crime and security survey respondents (2006) Information Systems Today: Managing in the Digital World

  46. End of Chapter Content

  47. Opening Case: Managing in the Digital World: Drive-by-Hacking • 60 - 80 % of corporate wireless networks do not use security • “War driving” – a new hacker tactic • Driving around densely populated areas • “War spamming” • Attackers link to an e-mail server and send out millions of spam messages • Companies pay millions in bandwidth fees • Businesses fight back using bogus access points • FakeAP • Network scanners distinguish between real and fake APs • Netstumbler • Fast Packet Keying – to fix shortcomings of WEP Information Systems Today: Managing in the Digital World

  48. Spyware Lurks on Most PCs • Webroot • Producer of software to scan and eliminate spyware • Webroot company data • 66% of scanned PCs infected with at least 25 spyware programs • Incidents of spyware slightly decreasing Information Systems Today: Managing in the Digital World

  49. To Cookie or Not to Cookie • Cookies collected by companies to get data about customers • Footprints that marketers can trace • Sometimes sold to other companies • Web browsers can protect against accepting cookies • Constant pop-ups • Some sites will not work properly • Customized information will not be available • National Security Agency (NSA) Information Systems Today: Managing in the Digital World

  50. Is Big Brother Watching You • Employers can use equipment to • Read your email • Monitor Web-surfing behavior • Collect keystrokes • Follow the movement of employees • RFID and GPS • Companies have rights to collect almost any information about employees while on the job Information Systems Today: Managing in the Digital World

More Related