Chapter 7- Securing Informatio Systems

Download Report

Transcript Chapter 7- Securing Informatio Systems

Chapter 7
Artificial Intelligent
1
OBJECTIVES
• Explain why information systems need special
protection from destruction, error, and abuse
• Assess the business value of security and control
• Evaluate elements of an organizational and managerial
framework for security and control
• Evaluate the most important tools and technologies for
safeguarding information resources
• Identify the challenges posed by information systems
security and control and management solutions
Artificial Intelligent
2
Wesfarmers Limited Case
• Challenge: provide network and infrastructure
•
•
•
security to a financial services firm in a Webenabled high-threat environment
Solutions: outsource to a well-known security
firm the task of providing 24 x 7 network and
infrastructure monitoring and reporting
Real-time security monitoring 24 x 7, best
practices, online security portal, data mining of
network transactions
Illustrates the role of system and network
security in providing customers with service and
managing corporate risk in online environments
Artificial Intelligent
3
SYSTEM VULNERABILITY AND ABUSE
Why Systems Are Vulnerable
Contemporary Security Challenges and Vulnerabilities
Artificial Intelligent
Figure
10-1
4
SYSTEM VULNERABILITY AND ABUSE
Internet Vulnerabilities:
• Use of fixed Internet addresses through use of cable
modems or DSL
• Lack of encryption with most Voice over IP (VoIP)
• Widespread use of e-mail and instant messaging (IM)
Artificial Intelligent
5
SYSTEM VULNERABILITY AND ABUSE
Wireless Security Challenges:
• Radio frequency bands are easy to scan
• The service set identifiers (SSID) identifying the access
points broadcast multiple times
Artificial Intelligent
6
SYSTEM VULNERABILITY AND ABUSE
Wi-Fi Security Challenges
Artificial Intelligent
Figure
10-2
7
SYSTEM VULNERABILITY AND ABUSE
Malicious Software: Viruses, Worms, Trojan Horses, and
Spyware
• Virus – rogue software program that attaches itself to other
software programs or data files in order to be executed, usually
without user knowledge or permission
• Worms – independent computer programs that copy themselves
from one computer to other computer over a network. Can rely on
their own without attaching to other computer program files, and
spread rapidly.
• Trojan Horse – software program that appears to be benign but
then does something other than expected. A way for virus or other
malicious code to be introduced in a computer system.
• Spyware – Small programs that nstall themselves surreptitously on
computers to monitor user web surfing activity and serve up
advertising.
Artificial Intelligent
8
SYSTEM VULNERABILITY AND ABUSE
Hackers and Cybervandalism
• Spoofing and Sniffers
• Denial of Service (DoS) Attacks
• Identity theft
• Cyberterrorism and Cyberwarfare
• Vulnerabilities from internal threats (employees);
software flaws
Artificial Intelligent
9
BUSINESS VALUE OF SECURITY AND
CONTROL
• Inadequate security and control may create serious legal
liability.
• Businesses must protect not only their own information assets
but also those of customers, employees, and business partners.
Failure to do so can lead to costly litigation for data exposure
or theft.
• A sound security and control framework that protects business
information assets can thus produce a high return on
investment.
Artificial Intelligent
10
BUSINESS VALUE OF SECURITY AND CONTROL
Legal and Regulatory Requirements for Electronic Records
Management
• Electronic Records Management (ERM): Policies,
procedures and tools for managing the retention,
destruction, and storage of electronic records
Artificial Intelligent
11
BUSINESS VALUE OF SECURITY AND CONTROL
Data Security and Control Laws:
• The Health Insurance Portability and Accountability Act
(HIPAA)
• Gramm-Leach-Bliley Act
• Sarbanes-Oxley Act of 2002
Artificial Intelligent
12
BUSINESS VALUE OF SECURITY AND CONTROL
Electronic Evidence and Computer Forensics
• Electronic Evidence: Computer data stored on disks and
drives, e-mail, instant messages, and e-commerce
transactions
• Computer Forensics: Scientific collection, examination,
authentication, preservation, and analysis of computer data
for use as evidence in a court of law
Artificial Intelligent
13
ESTABLISHING FRAMEWORK FOR SECURITY
MANAGEMENT STRATEGIES AND CONTROL
Types of Information Systems Controls
General controls:
• Software and hardware
• Computer operations
• Data security
• Systems implementation process
Artificial Intelligent
14
ESTABLISHING FRAMEWORK FOR SECURITY
MANAGEMENT STRATEGIES AND CONTROL
Application controls:
• Input
• Processing
• Output
Artificial Intelligent
15
ESTABLISHING FRAMEWORK FOR SECURITY
MANAGEMENT STRATEGIES AND CONTROL
Risk Assessment:
• Determines the level of risk to the firm if a specific activity
or process is not properly controlled
Artificial Intelligent
16
ESTABLISHING FRAMEWORK FOR SECURITY
MANAGEMENT STRATEGIES AND CONTROL
Security Policy:
• Consists of statements ranking information risks,
identifying acceptable security goals, and
identifying mechanisms for achieving these goals.
• Identity management – business process and
software tools for identiying the valid users of a
system and controlling their access to system
resources.
Artificial Intelligent
17
ESTABLISHING FRAMEWORK FOR SECURITY
MANAGEMENT STRATEGIES AND CONTROL
Security Profiles for a Personnel System
Artificial Intelligent
Figure
10-5
18
ESTABLISHING FRAMEWORK FOR SECURITY
MANAGEMENT STRATEGIES AND CONTROL
Disaster Recovery Plan and Business Continuity Plan
• Downtime: Period of time in which a system is not
operational
• Fault-tolerant computer systems: Redundant hardware,
software, and power supply components to provide
continuous, uninterrupted service
• High-availability computing: Designing to maximize
application and system availability
Artificial Intelligent
19
ESTABLISHING FRAMEWORK FOR SECURITY
MANAGEMENT STRATEGIES AND CONTROL
Ensuring Business Continuity (Continued)
• Disaster recovery planning: Plans for restoration of
computing and communications disrupted by an event
such as an earthquake, flood, or terrorist attack
• Business continuity planning: Plans for handling missioncritical functions if systems go down
Artificial Intelligent
20
ESTABLISHING FRAMEWORK FOR SECURITY
MANAGEMENT STRATEGIES AND CONTROL
Auditing:
• MIS audit: Identifies all of the controls that govern
individual information systems and assesses their
effectiveness
• Security audits: Review technologies, procedures,
documentation, training, and personnel
Artificial Intelligent
21
ESTABLISHING FRAMEWORK FOR SECURITY
MANAGEMENT STRATEGIES AND CONTROL
Sample Auditor’s List of Control Weaknesses
Artificial Intelligent
Figure
10-6
22
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Access Control
Access control: Consists of all the policies and procedures a
company uses to prevent improper access to systems by
unauthorized insiders and outsiders
Authentication:
• Passwords
• Tokens, smart cards
• Biometric authentication
Artificial Intelligent
23
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Firewalls, Intrusion Detection Systems, and Antivirus
Software
• Firewalls: Hardware and software controlling flow of
incoming and outgoing network traffic
• Intrusion detection systems: Full-time monitoring tools
placed at the most vulnerable points of corporate networks
to detect and deter intruders
Artificial Intelligent
24
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Firewalls, Intrusion Detection Systems, and Antivirus
Software (Continued)
• Antivirus software: Software that checks computer systems
and drives for the presence of computer viruses and can
eliminate the virus from the infected area
• Wi-Fi Protected Access specification
Artificial Intelligent
25
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
A Corporate Firewall
Artificial Intelligent
Figure
10-7
26
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Encryption and Public Key Infrastructure
• Public key encryption: Uses two different keys, one private
and one public. The keys are mathematically related so that
data encrypted with one key can be decrypted using only the
other key
• Message integrity: The ability to be certain that the message
being sent arrives at the proper destination without being
copied or changed
Artificial Intelligent
27
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Encryption and Public Key Infrastructure
(Continued)
• Digital signature: A digital code attached to an electronically
transmitted message that is used to verify the origin and
contents of a message
• Digital certificates: Data files used to establish the identity of
users and electronic assets for protection of online
transactions
• Public Key Infrastructure (PKI): Use of public key
cryptography working with a certificate authority
Artificial Intelligent
28
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Public Key Encryption
Artificial Intelligent
Figure
10-8
29
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Digital Certificates
Artificial Intelligent
30