Chapter 6 - Information Systems Security

Feb 23, 2014



Info Security Life Cycle

- Systems Planning - Tone at top
- System Analysis - Analyze system vulnerabilities (threats & loss exposure)
- Systems Design - Design security measures & contingency plans
- Systems Implementation - Implement security measures & contingency plans
- Systems Operation, Evaluation & Control - Operate system & assess effectiveness & efficiency. Make changes as needed


Analyzing Vulnerabilities & Threats

- Quantitative Approach
- Qualitative Approach

consider......

- business interruption
- loss of software or hardware
- loss of data
- loss of facilities
- loss of personnel
- loss of customers / negative publicity!!!!!!!

- Vulnerability - weakness in a system
- Threat - potential exploitation of a vulnerability
- Active Threats - Fraud and Computer Sabotage
- Passive Threats -
  - System Faults (component equipment failures (disk failures, power outages))
  - Natural Disasters (earthquakes, floods, fires, hurricanes)


This is serious.....

- Computer-based crimes are part of the general problem of white collar crime
- fraud and embezzlement exceed losses from bribery, burglary, and shoplifting


Who to watch out for....it could be anyone!!!

- Computer systems personnel
- Computer maintenance personnel
- Programmers
- Network Operators
- Information Systems Management
- Data Control Clerks
- Users
- Intruders & Hackers (unnoticed intruders, wiretappers, piggybackers, impersonating intruders, eavesdroppers)


Control Environment (the foundation for overall control)

- Mgt Philosophy & Operating Style
- Org. Structure
- Board of Directors and Committee
- Mgt Control Activities
- Internal Audit Function
- Personnel Policies & Practices
- External Influences


What are Active Threats?

- Input Manipulation - the easiest & most common
- Program Alteration (trap door)
- Direct File Alteration
- Data Theft
- Sabotage
- Logic bomb
- Trojan horse
- Virus program
- Worm
- Misappropriation / Theft of Info Resources


Computer Virus

- A computer program that alters the performance of the system or its computer files
- Computer virus detection programs are one guard against this




Controls for Active Threats

- Use the layered look (layered approach to access control)
- 1st - classify data (according to importance & vulnerability)
- Site Access Controls (badges, biometric hardware authentication)
- System Access Controls (User ID & Passwords)
- File Access Controls (data & program files)


AUTHENTICATE

- Make sure something is what it is - Potential users are valid
- Biometrics: fingerprints, retina eye patterns, signatures, voice recognition.
- PINs
- ID or plastic cards

PASSWORDS

- 1st line of defense!
- Easy to remember but hard to guess
- Combines Alpha & Numeric
- Which of the following would be most common? Now which is best?
  - CATDOG
  - 12345678
  - BUSTER
  - GGGG1234
  - GR1267JE
- Typical Passwords are static (stay the same at least for 30 days or so)
- TOKEN “Smart” cards: dynamic password, one-time only (strongest protection against unauthorized access to a network)



Controls for Passive Threats

- Fault-Tolerant Systems - monitoring & redundancy
  - Network communications (dup. communication paths)
  - CPU processors (watchdog processor)
  - DASDs (read-after-write checks, bad-sector lockouts, disk mirroring or shadowing)
  - power supply (uninterruptible power supply (UPS))
  - individual transactions (rollback processing / database shadowing)




- Correcting Faults: File Back-ups (Over 50% of individuals do not properly back-up their files)
  - full back up, incremental or differential back up


Internet Security

- Intranets
- Firewalls
  - Reject incoming packets of data that do not originate from pre-approved IP addresses
- Encryption
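The firewall rule above (reject anything not from a pre-approved source), as an added example that is not part of the original notes. The allowlist entries, the packet records and the function names are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Constructed allowlist of pre-approved sources (assumption, not from the notes).
APPROVED_SOURCES = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",        # approved partner network
    "198.51.100.17/32",    # single approved host
    "2001:db8:10::/48",    # approved IPv6 range
)]


def normalize(src: str):
    """Parse a source address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(src)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def decide(src: str) -> str:
    """Return 'accept' only for pre-approved sources; everything else is rejected."""
    try:
        addr = normalize(src)
    except ValueError:
        return "reject"            # unparseable source address: fail closed
    for net in APPROVED_SOURCES:
        if addr.version == net.version and addr in net:
            return "accept"
    return "reject"                # default deny


def filter_packets(packets):
    """Apply the rule to a list of packet records (dicts with 'src' and 'dport')."""
    return [(p["src"], p["dport"], decide(p["src"])) for p in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    {"src": "192.0.2.44", "dport": 443},
    {"src": "198.51.100.18", "dport": 443},        # one address past the approved host
    {"src": "::ffff:192.0.2.44", "dport": 22},     # same approved host, IPv4-mapped form
    {"src": "2001:db8:10:1::5", "dport": 443},
    {"src": "203.0.113.9", "dport": 3389},
    {"src": "not-an-ip", "dport": 80},
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(row)
```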


Encryption

- Encryption is the transformation of input data (referred to as plain text or cleartext) into cipher text using a cryptographic technique
- Secret-Key Encryption - A single private key is used for both encryption and decryption. The DES (data encryption standard) is probably the most widely used private-key encryption algorithm
- Public Key Encryption - 2 keys -- public key that everyone knows, and a private key that only one person knows. Each key unlocks the code that the other makes. RSA is a well-known public-key encryption
- Double-Key Encryption - Uses elements of both private-key & public-key encryption


Disaster Risk Management

- Preventing Disasters
- Contingency Planning
- Disaster Recovery & Business Resumption
- Assess Critical Needs
- List Priorities for Recovery

Recovery Strategies & Procedures

- Emergency Response Center
- Escalation Procedures
- Alternate Processing Arrangements
  - hot site (dedicated contingency facility)
  - warm site
  - cold site (empty shell)
  - service bureau (may be good for small companies) - Comdisco
  - Shared contingency agreement / reciprocal disaster agreement
- Personnel Relocation / Replacement
- Salvage Plan




- Testing & Maintaining the System


Seg. of Duties in Data Processing

- Systems Analysts
- Database Administrators
- Programmers
- Computer Operators
- Librarian
- Data Control Group

Most critical - separate those developing applications from those operating apps

WHY???