Information security risk

orangesvet, Electronics - Devices

Nov 8, 2013

Information Security

EDU 5815

1

IT Security Terms


Backup

An extra copy of the data and/or programs, kept in a secure location(s).

Decryption

Transformation of scrambled code into readable data after transmission.

Encryption

Transformation of data into scrambled code so that it can be transmitted securely.

Exposure

The harm, loss, or damage that can result if something has gone wrong
in an information system.

Fault tolerance

The ability of an information system to continue to operate (usually for a
limited time and/or at a reduced level) when failure occurs.

Information system controls

The procedures, devices, or software that attempt to ensure that the
system performs as planned.

Integrity (of data)


A guarantee of the accuracy, completeness, and reliability of data.
System integrity is provided by the integrity of its components and their
integrations.

Risk

The likelihood that a threat will materialize.

Threats (or hazards)

The various dangers to which a system may be exposed.

Vulnerability

Given that a threat exists, the susceptibility of the system to harm
caused by the threat.

Malware

General term for software that enables malicious acts against a
computing system.


Organizational needs for security and control

Importance of keeping all of the resources, virtual as well as physical, secure from both inside and outside threats

Two critical issues must be addressed:

Security vs. individual rights

Security vs. availability


Security vs. individual rights


Implement adequate security and control measures that do not infringe on the individual rights guaranteed by the constitution


Security vs. availability


Prominent in the medical area

Concerns over the privacy of the individuals' records are receiving attention


Objective of Information Security


Confidentiality


Availability


Integrity



Confidentiality


The organization seeks to protect its data and information from disclosure to unauthorized persons.

Executive information systems, human resources information systems, and such transaction processing systems as payroll, accounts receivable, purchasing, and accounts payable are especially critical in this regard.


Availability


The purpose of the organization's information infrastructure is to make its data and information available to those who are authorized to use it.

This objective is especially important to information-oriented systems such as human resources information systems.


Integrity


All the information systems should provide an accurate representation of the physical systems that they represent.


System Vulnerability



A universal vulnerability is a state in a computing system which either: allows an attacker to execute commands as another user; allows an attacker to access data that is contrary to the access restrictions for that data; allows an attacker to pose as another entity; or allows an attacker to conduct a denial of service.

An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either: allows an attacker to conduct information gathering activities; allows an attacker to hide activities; includes a capability that behaves as expected, but can be easily compromised; is a primary point of entry that an attacker may attempt to use to gain access to the system or data; and is considered a problem according to some reasonable security policy.

System Vulnerability (continued)


These threats can be classified as:


Unintentional


Human errors


Environmental hazards


Computer system failures


Intentional


Theft of data


Inappropriate use of data


Theft of mainframe computer time


Theft of equipment and/or programs


The vulnerability of information systems is increasing as we move to a world of networked and especially wireless computing. Theoretically, there are hundreds of points in a corporate information system that can be subject to some threats.

System Vulnerability (continued)

Intentional (continued)


Deliberate manipulation in handling


Entering data


Processing data


Transferring data


Programming data


Labor strikes


Riots


Sabotage


Malicious damage to computer resources


Destruction from viruses and similar attacks


Miscellaneous computer abuses


Internet fraud


Terrorist attack


Threats


An information security threat is a person, organization, mechanism, or event that has potential to inflict harm on the organization's information resources.

Threats can be internal as well as external, and they can be accidental as well as intentional.


Type of threats


A virus is one example of a type of software that bears the name malicious software.

Malicious software, or malware, consists of complete programs or segments of code that can invade a system and perform functions not intended by the system owners.

In addition to viruses, there are worms, Trojan horses, adware, and spyware.


Type of threats


A virus is a computer program that can replicate itself without being observable and embed copies of itself in other programs and boot sectors.

A worm cannot replicate itself within a system, but it can transmit its copies by means of email.


Type of threats


A Trojan horse can neither replicate nor distribute itself; users distribute it as a utility.

When the utility is used, it produces unwanted changes in the system's functionality.


Type of threats


Adware generates intrusive advertising messages


Spyware gathers data from the user’s machine


Risks


Information security risk is a potential undesirable outcome of a breach of information security by an information security threat.

All risks represent unauthorized acts.


Four types of risks

1. Unauthorized Disclosure and Theft

When the database and software library are made available to persons not entitled to have access

The result can be the loss of information or money

2. Unauthorized Use

When persons who are not ordinarily entitled to use the organization's resources are able to do so

Example: a hacker



Four types of risks

3. Unauthorized Destruction and Denial of Service

Individuals can damage or destroy hardware or software, causing the organization's computer operation to shut down

4. Unauthorized Modification

Changes are made to the data, information, and software.

Changes go unnoticed and cause the users of the system outputs to make the wrong decisions


Challenges and Ethics of IT


Application of IT


Customer relationship management


Human resources management


Business intelligence systems


Potential Harm


Infringements on privacy


Inaccurate information


Collusion


Challenges and Ethics of IT


Possible Responses



Protecting Information Resources



Information security problems are increasing rapidly, causing damage to many organizations. Protection is expensive and complex. Therefore, companies must not only use controls to prevent and detect security problems, they must do so in an organized manner. An approach similar to TQM (total quality management) would have the following characteristics:

Aligned. The program must be aligned with organizational goals.

Enterprisewide. Everyone in the organization must be included.

Continuous. The program must be operational all the time.

Proactive. Use innovative, preventive, and protective measures.

Validated. The program must be tested to ensure it works.

Formal. It must include authority, responsibility & accountability.

Difficulties


Protecting (discussion)



Defense Strategy - Protecting

The major objectives of a defense strategy are:

1. Prevention and deterrence.

2. Detection.

3. Limitation of damage.

4. Recovery.

5. Correction.

6. Awareness and compliance.


Defense Strategy - Controls

Any defense strategy involves the use of several controls. These controls are divided into two categories: general controls that protect the system regardless of the specific application, and application controls that safeguard specific applications.

[Figure: controls diagram with two branches, General and Application]

Defense Strategy - Internet Security


Security Layers

The major objective of border security is access control. Then comes authentication, or proof of identity, and finally authorization, which determines the actions or activities a user is allowed to perform.
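The three layers in that sentence carried through in working code, as an added Python example that is not part of the slides: a border check on the source address, then authentication of the claimed identity, then authorization of the requested action. The allowlisted network, the user "alice", her role, the role-to-permission table and the salts are constructed assumptions for the example.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample policy (hypothetical values, not from the slides).
BORDER_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]  # internal network only
ROLE_PERMISSIONS = {
    "hr_viewer": {"read:hr_records"},
    "hr_admin": {"read:hr_records", "write:hr_records"},
}
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier with PBKDF2-HMAC-SHA256 (plaintext is never stored)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: one HR viewer with a per-user salt (assumed values).
_ALICE_SALT = b"constructed-salt-alice"
USERS = {
    "alice": {
        "salt": _ALICE_SALT,
        "verifier": hash_password("correct horse", _ALICE_SALT),
        "roles": {"hr_viewer"},
    },
}
# Dummy record so an unknown username costs the same time as a real one.
_DUMMY_SALT = b"constructed-salt-dummy"
_DUMMY_VERIFIER = hash_password("dummy", _DUMMY_SALT)


def border_check(src_ip: str) -> bool:
    """Layer 1, border security: is the source address inside an allowed network?"""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:  # unparsable address is denied, not crashed on
        return False
    return any(addr in net for net in BORDER_ALLOWLIST)


def authenticate(username: str, password: str) -> bool:
    """Layer 2, authentication: prove identity with a constant-time verifier comparison."""
    record = USERS.get(username)
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["verifier"] if record else _DUMMY_VERIFIER
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return ok and record is not None


def authorize(username: str, action: str) -> bool:
    """Layer 3, authorization: may this authenticated user perform the action?"""
    roles = USERS.get(username, {}).get("roles", set())
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def handle_request(src_ip: str, username: str, password: str, action: str):
    """Apply the layers in order; stop at the first that denies and report which one."""
    if not border_check(src_ip):
        return False, "border"
    if not authenticate(username, password):
        return False, "authentication"
    if not authorize(username, action):
        return False, "authorization"
    return True, "authorized"


if __name__ == "__main__":
    # Constructed requests, one per outcome.
    for req in [
        ("10.1.2.3", "alice", "correct horse", "read:hr_records"),
        ("203.0.113.5", "alice", "correct horse", "read:hr_records"),
        ("10.1.2.3", "alice", "wrong password", "read:hr_records"),
        ("10.1.2.3", "alice", "correct horse", "write:hr_records"),
    ]:
        allowed, layer = handle_request(*req)
        print(f"{req[0]:>12} {req[1]:<6} {req[3]:<17} -> {'ALLOW' if allowed else 'DENY'} ({layer})")
```

The ordering matters: the border layer rejects traffic before any credential is examined, authentication never reveals whether the username exists (the dummy verifier keeps timing uniform), and authorization is checked per action, so a valid HR viewer is still refused a write. Returning the refusing layer alongside the decision is what an audit log needs to tell a misconfigured firewall from a credential-guessing attempt.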

Ethical Responsibilities


What uses of IT might be considered improper or harmful to other individuals or society?

What is the proper use of the Internet or organization's IT resources?

How can you protect yourself from computer crime?
