Transcript Chapter 8
CHAPTER 8
Securing Information Systems
System Vulnerability
Security: policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
Controls: methods, policies, and organizational procedures that ensure the safety of the organization's assets and the accuracy and reliability of its records
Both are needed; without them the system is vulnerable
Why systems are vulnerable: the Internet, e-mail, and other entry points hackers use
Wireless security challenges
War driving (eavesdroppers drive past buildings looking for unprotected Wi-Fi networks) and RFID
Wi-Fi transmission (radio signals are easy to intercept; the SSIDs that identify access points are broadcast repeatedly)
Malware: viruses, worms, Trojan horses, spyware, key loggers
SQL injection attacks (malformed user input that the application passes into a database query, turning data into commands)
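The slide names SQL injection without showing the mechanism. The following is an added example, not code from the chapter: a constructed in-memory SQLite table (plaintext passwords are used only to keep the demonstration short; real systems store salted hashes) with the vulnerable string-built query beside the parameterized version that closes the hole. The table name, accounts, and function names are assumptions for the demonstration.

```python
import sqlite3


def setup_db():
    """Create an in-memory table with constructed sample accounts (demo only:
    real systems store salted password hashes, never plaintext)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting: user input becomes part of the
    statement, so quotes and comment markers change what the query means."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the database receives the statement and the values
    separately, so input can only ever be compared as data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # Comment injection: '--' discards the rest of the WHERE clause.
    print(login_vulnerable(db, "alice' --", "wrong"))      # [('alice', 'admin')]
    # Tautology injection: OR '1'='1' makes the condition true for every row.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))   # both rows
    # The same inputs against the parameterized version match nothing.
    print(login_safe(db, "alice' --", "wrong"))            # []
    print(login_safe(db, "alice", "s3cret"))               # [('alice', 'admin')]
```

The fix is structural, not a blacklist: with a parameterized query the quote and comment characters never reach the SQL parser as syntax, so no amount of input filtering is needed to keep the statement's shape.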
System Vulnerability (cont)
Hackers, crackers, Script Kiddies
Spoofing (misrepresenting oneself, e.g. with fake e-mail sender addresses, or redirecting a
web link to a site other than the intended one) and Sniffing (eavesdropping program that
monitors information traveling over a network)
Denial-of-service (DoS) attack (flooding a server with false requests so it crashes or cannot serve legitimate users)
Distributed denial-of-service (DDoS) attack (the same flood launched from many computers at once)
Botnet (network of compromised "zombie" computers under an attacker's control, often used to launch DDoS attacks and send spam)
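What separates a DoS from a DDoS in practice is visible in the server log: one source with an abnormal rate versus many sources whose combined rate is abnormal. The block below is an added example, not material from the chapter. It parses constructed Common Log Format lines (the addresses, paths, and thresholds are assumptions chosen for the demonstration) with a sliding ten-second window and reports which of the two patterns it sees.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.  203.0.113.9 - - [01/Mar/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def analyze(lines, window=timedelta(seconds=10), total_threshold=50, per_source_threshold=30):
    """Slide a time window over the log and report the busiest window.

    verdict "dos":  one source alone exceeds per_source_threshold requests.
    verdict "ddos": no single source is over the limit, but the combined
                    rate from many sources exceeds total_threshold.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    busiest = {"verdict": "normal", "total": 0, "sources": 0, "top": None}
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        in_window = events[start:end + 1]
        if len(in_window) <= busiest["total"]:
            continue
        counts = Counter(e["ip"] for e in in_window)
        top_ip, top_n = counts.most_common(1)[0]
        if top_n > per_source_threshold:
            verdict = "dos"
        elif len(in_window) > total_threshold:
            verdict = "ddos"
        else:
            verdict = "normal"
        busiest = {"verdict": verdict, "total": len(in_window),
                   "sources": len(counts), "top": (top_ip, top_n)}
    return busiest


# --- constructed sample logs (synthetic, not real traffic) -------------------
def make_line(ip, when, path="/"):
    return '%s - - [%s] "GET %s HTTP/1.1" 200 512' % (ip, when.strftime(TS_FMT), path)


BASE = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
# Three ordinary requests from one client, 20 seconds apart.
QUIET_LOG = [make_line("10.0.0.5", BASE + timedelta(seconds=20 * i), "/index.html") for i in range(3)]
# One host firing 40 requests in four seconds: single-source DoS.
SINGLE_SOURCE_LOG = QUIET_LOG + [
    make_line("203.0.113.9", BASE + timedelta(milliseconds=100 * i), "/search?q=x") for i in range(40)
]
# Sixty distinct hosts, one request each, inside six seconds: botnet-style DDoS.
DISTRIBUTED_LOG = QUIET_LOG + [
    make_line("198.51.100.%d" % (i + 1), BASE + timedelta(milliseconds=100 * i)) for i in range(60)
]

if __name__ == "__main__":
    for name, log in [("quiet", QUIET_LOG), ("single source", SINGLE_SOURCE_LOG),
                      ("distributed", DISTRIBUTED_LOG)]:
        print(name, analyze(log))
```

The per-source rule catches the simple flood that a rate limit or a single firewall entry can stop; the distributed case is the one that matters operationally, because each bot stays under any per-IP limit and blocking has to move upstream (ISP or scrubbing service) rather than to the server.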
Computer Crime
Common Computer Crime
System Vulnerability (cont)
Identity Theft
Phishing
Evil Twins (rogue wireless access points that pose as legitimate ones to capture logins)
Pharming (redirecting users to a bogus web page even when they type the correct URL)
Click Fraud (fraudulently clicking online ads with no intention of buying, to run up the advertiser's costs)
Cyberterrorism and Cyber Warfare
Internal threats
Social engineering
Software Vulnerability
Bugs and patches
Security and Control
Legal and Regulatory
HIPAA (Health Insurance Portability and Accountability Act) – medical records and
patient privacy
Gramm-Leach-Bliley (Financial Services Modernization Act) –
consumer data in financial institutions
Sarbanes-Oxley Act – protects investors from financial scandals by making companies
and management responsible for the accuracy and integrity of financial information
Electronic Evidence and Computer Forensics
Computer forensics – scientific collection, examination, authentication, preservation,
and analysis of data held on or retrieved from computer storage media so it can be
used as evidence in court
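Authentication and preservation of evidence rest on one concrete practice: hash every item at acquisition and re-hash it whenever it is handled, so any alteration is detectable. The block below is an added example, not part of the chapter. It builds a hash manifest for a constructed "disk image" in a temporary directory, then shows the verification failing after a single byte is changed; the examiner name and file name are assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte disk images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, examiner):
    """Record who acquired which items, when, and their SHA-256 digests."""
    return {
        "examiner": examiner,
        "acquired": datetime.now(timezone.utc).isoformat(),
        "items": {os.path.basename(p): sha256_file(p) for p in paths},
    }


def verify_manifest(manifest, directory):
    """Re-hash every item; True only if it is present and byte-for-byte unchanged."""
    results = {}
    for name, expected in manifest["items"].items():
        path = os.path.join(directory, name)
        results[name] = os.path.exists(path) and sha256_file(path) == expected
    return results


def run_demo():
    """Acquire a constructed image, verify it, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "disk.img")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"EVIDENCE" + b"\xff" * 4096)
        manifest = build_manifest([image], examiner="J. Doe")
        before = verify_manifest(manifest, d)
        with open(image, "r+b") as f:      # someone alters the working copy
            f.seek(4096)
            f.write(b"X")
        after = verify_manifest(manifest, d)
        return {"before": before, "after": after,
                "manifest": json.dumps(manifest, indent=2)}


if __name__ == "__main__":
    out = run_demo()
    print(out["manifest"])
    print("before tampering:", out["before"])   # {'disk.img': True}
    print("after tampering: ", out["after"])    # {'disk.img': False}
```

In a real case the manifest is signed or stored separately from the evidence, and analysis is done on a verified copy so the original image is never written to.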
Security and Control Framework
Types of controls
General (govern design, security, and use of computer
programs/security of data files/throughout organization’s
infrastructure)
Application (specific controls unique to each computerized
application such as payroll or order processing)
Input, Processing, output controls
Risk Assessment (determines level of risk to the firm)
Once risks assessed, system builders will look at control
points with greatest vulnerability and potential for loss
Security and Control Framework (cont)
Security Policy
Created after risk assessment
How to protect company’s assets
Acceptable Use Policy (AUP) – acceptable uses of firms info
systems, etc.
Identity Management – determine valid users of the system
Disaster Recovery
Hot site (fully equipped standby facility, usable within hours) vs cold site (space and basic infrastructure only; equipment must be installed before use)
Business Continuity Planning
Auditing
MIS Audit (examines firm’s security environment)
Technologies and Tools for Protecting
Info Resources
Identity Management
Authentication
Passwords
Token
Smart cards
Biometric authentication (human traits such as fingerprints, faces, or retinal images)
Three factors: what you know, what you have, what you are
Technologies (cont)
Firewalls (prevent unauthorized users from accessing
private networks)
Combination of hardware and software that controls the
flow of incoming and outgoing network traffic
Identifies names, IP address, applications, and other
characteristics of incoming traffic
Intrusion detection systems (monitor the most vulnerable points of the network and alert on suspicious traffic or attempted break-ins)
Antivirus and Antispyware software
Unified threat management (UTM) (comprehensive
security management systems/inside a single device)
Wireless Security
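The firewall description above (control the flow in both directions, decide by address, application and other characteristics of the traffic) is what a packet filter does with an ordered rule set. The block below is an added example, not the chapter's material: a minimal stateless packet filter over a constructed policy for a small network (the addresses, the web-server host, and the rule comments are assumptions). It shows first-match evaluation, an anti-spoofing rule, and an implicit default deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (arriving from the Internet) or "out" (leaving the LAN)
    src: str
    dst: str
    proto: str              # "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction in ("any", pkt.direction)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


# Constructed policy: LAN 192.168.1.0/24, public web server 192.168.1.10.
POLICY = [
    Rule("deny", "in", src="192.168.1.0/24",
         comment="anti-spoofing: internal source address arriving from outside"),
    Rule("allow", "in", dst="192.168.1.10/32", proto="tcp", dport=443,
         comment="public HTTPS to web server"),
    Rule("allow", "in", dst="192.168.1.10/32", proto="tcp", dport=80,
         comment="public HTTP to web server"),
    Rule("allow", "out", src="192.168.1.0/24",
         comment="LAN may initiate outbound connections"),
]

if __name__ == "__main__":
    for pkt in [
        Packet("in", "203.0.113.7", "192.168.1.10", "tcp", 443),   # allow
        Packet("in", "203.0.113.7", "192.168.1.10", "tcp", 22),    # deny (no rule)
        Packet("in", "192.168.1.50", "192.168.1.10", "tcp", 443),  # deny (spoofed)
        Packet("out", "192.168.1.20", "93.184.216.34", "tcp", 443),  # allow
    ]:
        print(pkt, "->", evaluate(POLICY, pkt))
```

Rule order is part of the policy: the anti-spoofing deny must precede the HTTPS allow, or a packet with a forged internal source and destination port 443 would be admitted. A real firewall adds stateful inspection on top of this, so that reply traffic for an outbound connection is admitted without a standing inbound allow rule.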
Encryption and Public Key Infrastructure
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) – secure, encrypted
connection between two computers (SSL itself is now deprecated; TLS is what is deployed)
Secure Hypertext Transfer Protocol (S-HTTP) – encrypts individual messages (largely obsolete;
HTTPS over TLS is used instead)
Public Key Encryption (PKE) – uses two mathematically related keys, one public and one private
Digital Certificates – data files to establish identity of users and
electronic assets
Public key infrastructure (PKI) – public key cryptography working
with a certification authority.
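The pieces above fit together in one flow: a certification authority signs a data file binding a subject to a public key, and a relying party trusts that key only after checking the CA's signature, then uses it to check the subject's own signature. The block below is an added example, not the chapter's or any library's code, and it uses textbook RSA with no padding and tiny keys purely so the whole chain is visible; real deployments use X.509 certificates and a vetted cryptography library. The CA and subject names, the certificate fields, and the message are assumptions.

```python
import hashlib
import json
import random


# ---- textbook RSA (toy: no padding, small keys, illustration only) ---------
def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # fix size, make odd
        if is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits=160, rng=None):
    """Return (public, private); n of ~320 bits keeps SHA-256 digests below n."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data: bytes) -> int:
    return pow(digest(data), private["d"], private["n"])


def verify(public, data: bytes, signature: int) -> bool:
    return pow(signature, public["e"], public["n"]) == digest(data)


# ---- certificates: the CA vouches for the binding subject <-> public key ---
def to_be_signed(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private, issuer, subject, subject_public):
    body = {"issuer": issuer, "subject": subject, "public_key": subject_public}
    return {"tbs": body, "signature": sign(ca_private, to_be_signed(body))}


def verify_certificate(cert, trusted_ca_public) -> bool:
    return verify(trusted_ca_public, to_be_signed(cert["tbs"]), cert["signature"])


def verify_signed_message(cert, trusted_ca_public, message: bytes, signature: int) -> bool:
    """Relying party: use the key in the certificate only if a trusted CA signed it."""
    if not verify_certificate(cert, trusted_ca_public):
        return False
    return verify(cert["tbs"]["public_key"], message, signature)


def run_demo(seed=1):
    rng = random.Random(seed)   # seeded for repeatable output; never seed real key generation
    ca_pub, ca_priv = generate_keypair(rng=rng)
    alice_pub, alice_priv = generate_keypair(rng=rng)
    rogue_pub, rogue_priv = generate_keypair(rng=rng)   # a CA nobody trusts
    cert = issue_certificate(ca_priv, "Example CA", "alice@example.com", alice_pub)
    msg = b"Transfer $100 to account 42"
    sig = sign(alice_priv, msg)
    tampered = {"tbs": dict(cert["tbs"], subject="mallory@example.com"),
                "signature": cert["signature"]}
    rogue_cert = issue_certificate(rogue_priv, "Rogue CA", "alice@example.com", rogue_pub)
    return {
        "cert_valid": verify_certificate(cert, ca_pub),
        "message_valid": verify_signed_message(cert, ca_pub, msg, sig),
        "altered_message_valid": verify_signed_message(cert, ca_pub, msg + b"0", sig),
        "tampered_cert_valid": verify_certificate(tampered, ca_pub),
        "rogue_cert_valid": verify_signed_message(rogue_cert, ca_pub, msg, sign(rogue_priv, msg)),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(check, result)
```

The last two checks are the point of a PKI: a certificate whose subject field was edited no longer matches its signature, and a certificate from an issuer not in the trust store is rejected before its key is ever used, however valid its own signature is.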
System Availability
Online transaction processing (OLTP) – immediately
process transactions
Fault-tolerant computer systems – contain redundant hardware, software, and power
supply components so service continues when a component fails
High-availability computing – helps a firm recover quickly from
a system crash
Downtime – periods when the system is not operational
Recovery-oriented computing – try to minimize downtime
Deep packet inspection (DPI) – examines data files and
sorts out low-priority online material/assigns higher priority
to business critical functions
Security Outsourcing
Managed security service providers (MSSP) – monitor network
activity