C8- Securing Information Systems

erosjellySecurity

Feb 23, 2014


Definitions

- Security: the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems
- Controls: methods to ensure the safety of assets, the reliability of records and adherence to standards



Contemporary Security Challenges and Vulnerabilities

Figure 8-1: The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.

System Vulnerability and Abuse

Internet vulnerabilities
- Vulnerable to outside attacks
- Abuses can have widespread impact
- E-mail increases system vulnerability

Wireless security challenges
- The service set identifiers (SSIDs) identifying the access points are broadcast multiple times

Malicious Software Programs (Malware)

Computer viruses:
- Rogue software programs that attach to other programs in order to be executed, usually without user knowledge or permission
- Deliver a "payload"
- Can spread by email attachments

Worms:
- Programs that copy themselves from one computer to another over networks
- Can destroy data and programs, and halt the operation of computer networks

Trojan Horse:
- A software program that appears to be benign, but then does something unexpected
- Often "transports" a virus into a computer system

Hackers and Cybervandalism

- Hackers: individuals who attempt to gain unauthorized access to a computer system
- Cracker: a hacker with criminal intent
- Cybervandalism: intentional disruption, defacement, or destruction of a Web site or system

Spoofing and Sniffing

- Spoofing: masquerading as someone else, or redirecting a Web link to an unintended address
- Sniffing: an eavesdropping program that monitors information travelling over a network

Denial of Service (DoS) Attacks

- Hackers flood a server with false communications in order to crash the system

Computer Crime

- Computer crime: a violation of criminal law that involves a knowledge of technology for perpetration, investigation, or prosecution
- Identity theft: a crime in which the imposter obtains key pieces of personal information
- Phishing: setting up fake Web sites or sending email messages that look legitimate, and using them to ask for confidential data
- Cyberterrorism and cyberwarfare: exploitation of systems by terrorists
- Internal threats: employees
- Software vulnerability

Business Value of Security and Control

- Protect the firm's own information assets and those of customers, employees, and business partners
- Legal liability: litigation for data exposure or theft
- A sound security and control framework = high return on investment

Establishing a Framework for Security and Control

- Risk assessment: determine the level of risk to the firm in the case of improper controls
- Security policy
  - Chief Security Officer (CSO)
  - Acceptable Use Policy (AUP)
  - Authorization policies
  - Authorization management systems
- Ensuring business continuity
  - Fault-tolerant computer systems
  - High-availability computing
  - Recovery-oriented computing
  - Disaster recovery planning and business continuity planning
- Security outsourcing
- The role of auditing

Technologies and Tools for Security and Control

Access controls
- Consist of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders

Authentication
- The ability to know that a person is who she or he claims to be
- Passwords, tokens, biometric authentication

Firewalls
- Firewalls: hardware and software controlling the flow of incoming and outgoing network traffic
- Packet filtering examines selected fields in the headers of data packets flowing back and forth between the network and the Internet
- Stateful inspection provides additional security by determining whether packets are part of an ongoing dialogue between a sender and receiver
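
The difference between packet filtering and stateful inspection, as an added toy model that is not part of the slides: it assumes the corporate network is 10.0.0.0/24, uses documentation addresses for the outside hosts, and feeds constructed packets (plain dicts) through a stateless rule set and a stateful connection table.

```python
# Added example (not from the slides): stateless packet filtering versus
# stateful inspection. Packets are constructed dicts, addresses are from
# documentation ranges, and the internal network is assumed to be 10.0.0.0/24.

INTERNAL_PREFIX = "10.0.0."  # assumption: the corporate network


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def packet_filter(pkt: dict) -> str:
    """Stateless packet filtering: each packet is judged by its own header
    fields alone. Rule set: outbound is always allowed; inbound is allowed
    only when the source port looks like a web server replying (80 or 443)."""
    if is_internal(pkt["src"]):
        return "allow"
    return "allow" if pkt["sport"] in (80, 443) else "deny"


class StatefulFirewall:
    """Stateful inspection: remember outbound connections and admit an inbound
    packet only if it belongs to one of those ongoing dialogues."""

    def __init__(self):
        self.connections = set()  # (internal ip, internal port, external ip, external port)

    def inspect(self, pkt: dict) -> str:
        if is_internal(pkt["src"]):
            self.connections.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return "allow"
        reply_of = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return "allow" if reply_of in self.connections else "deny"


def pkt(src, sport, dst, dport) -> dict:
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}


# Constructed traffic: a genuine web session, then an unsolicited inbound
# packet whose source port 443 merely looks like a server reply.
TRAFFIC = [
    pkt("10.0.0.5", 51000, "203.0.113.10", 443),  # outbound request
    pkt("203.0.113.10", 443, "10.0.0.5", 51000),  # reply to that request
    pkt("198.51.100.7", 443, "10.0.0.9", 3389),   # no matching session exists
]


def run_both(traffic):
    """Return (stateless decision, stateful decision) for each packet, in order."""
    sf = StatefulFirewall()
    return [(packet_filter(p), sf.inspect(p)) for p in traffic]


if __name__ == "__main__":
    for p, (stateless, stateful) in zip(TRAFFIC, run_both(TRAFFIC)):
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}  filter={stateless}  stateful={stateful}')
```

The third packet is accepted by the header-only rule but dropped by the stateful firewall, because no internal host ever opened that dialogue.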





Intrusion Detection Systems and Antivirus

Intrusion detection systems
- Full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders

Antivirus and antispyware
- Checks computer systems for viruses



Encryption

- Encryption (the slide also shows the word with every letter shifted forward by one, "Fodszqujpo", as a simple example of scrambling): coding and scrambling of messages to prevent unauthorized access to, or understanding of, the data being transmitted
- Public key encryption: uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key
- Public Key Infrastructure (PKI): use of public key cryptography working with a certificate authority



Figure: Public Key Encryption. A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient's public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.
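
The exchange in the figure, as an added example that is not from the slides: textbook RSA in pure Python with tiny constructed primes, showing that a message locked with Alice's public key opens only with her private key, and that the reverse direction (lock with the private key, unlock with the public key) also works. The names Alice and Bob and the primes are assumptions for the demonstration.

```python
# Added example (not from the slides): textbook RSA with tiny constructed
# primes, to show that data encrypted with one key of a pair can be decrypted
# only with the other. Illustrative only: real systems use keys of 2048 bits
# or more, padding such as OAEP, and an audited library, never raw RSA.


def make_keypair(p, q, e=65537):
    """Return (public, private) as (exponent, modulus) pairs.
    p and q must be prime and e must be coprime to (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (e, n), (d, n)


def apply_key(message: bytes, key) -> int:
    """Lock the message (as an integer) with either key of a pair."""
    exp, n = key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for this toy modulus")
    return pow(m, exp, n)


def unapply_key(value: int, key) -> bytes:
    """Unlock with the other key of the pair. Leading zero bytes are dropped,
    so this toy assumes the message does not start with a zero byte."""
    exp, n = key
    m = pow(value, exp, n)
    return m.to_bytes((n.bit_length() + 7) // 8, "big").lstrip(b"\x00")


# Constructed keys: 10007, 10009, 10037 and 10039 are all prime.
ALICE_PUB, ALICE_PRIV = make_keypair(10007, 10009)
BOB_PUB, BOB_PRIV = make_keypair(10037, 10039)


def send_to_alice(message: bytes):
    """Bob looks up Alice's public key and encrypts with it. Returns what Alice
    reads with her private key and what Bob's own private key would yield."""
    ciphertext = apply_key(message, ALICE_PUB)
    return unapply_key(ciphertext, ALICE_PRIV), unapply_key(ciphertext, BOB_PRIV)


def alice_signs(message: bytes) -> bytes:
    """Reverse direction: Alice locks with her private key and anyone holding
    her public key unlocks it, the basis of a digital signature."""
    return unapply_key(apply_key(message, ALICE_PRIV), ALICE_PUB)


if __name__ == "__main__":
    print(send_to_alice(b"Hi!"))
    print(alice_signs(b"Hi!"))
```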

Management Opportunities, Challenges, and Solutions

Solution Guidelines
- Security and control must become a more visible and explicit priority and area of information systems investment
- Support and commitment from top management is required to show that security is indeed a corporate priority and vital to all aspects of the business
- Security and control should be the responsibility of everyone in the organization

Learning Objectives

- Analyze why information systems need special protection from destruction, error, and abuse.
- Assess the business value of security and control.
- Design an organizational framework for security and control.
- Evaluate the most important tools and technologies for safeguarding information resources.