Securing Information Systems


22 Feb. 2014


Chapter 7

Securing Information Systems



Information security



Types of computer and network attacks



Countermeasures



Miscellaneous tips

Information Security

The concepts, techniques, technical
measures, and administrative measures
used to protect information assets from
deliberate or inadvertent unauthorized
acquisition, damage, disclosure,
manipulation, modification, loss or use.

Computer Security 101

Information Security

Information security is concerned with three main areas:

Integrity

Information should be modified only by those
who are authorized to do so.

Availability

Information should be accessible to those who
need it when they need it.

Confidentiality

Information should be available only to those
who rightfully have access to it.

Information Systems Security Risk

Any event or action that has the
potential of causing a loss of
computer equipment, software, data
and information, or processing
capability.

System Vulnerabilities and Security Challenges

Internet Vulnerabilities

Network open to anyone

Size of Internet means abuses can have wide impact

Use of fixed Internet addresses with permanent
connections to Internet eases identification by
hackers

E-mail attachments

E-mail used for transmitting trade secrets

IM messages lack security, can be easily intercepted


Wireless Vulnerability

Radio frequency bands easy to scan

Eavesdroppers can easily intercept wireless
network traffic and gain access to the network

Eavesdropping tools are freely available on the
Internet.


Software Vulnerability


Commercial software contains flaws that create
security vulnerabilities.


Hidden bugs (program code defects)


Zero defects cannot be achieved because complete testing is
not possible with large programs


Flaws can open networks to intruders


Patches


Vendors release small pieces of software to repair
flaws.


However, exploits created faster than patches can be
released and implemented.

Main Sources of Threats to IS


Hardware problems


Breakdowns, configuration errors, damage from improper
use or crime


Software problems


Programming errors, installation errors, unauthorized
changes


Disasters


Power failures, flood, fires, and so on


Use of networks and computers outside of firm’s control


E.g., with domestic or offshore outsourcing vendors



Computer Crime

Defined as "any violations of criminal law that involve a
knowledge of computer technology for their perpetration,
investigation, or prosecution"

Computer may be target of crime:

Breaching confidentiality of protected computerized
data

Accessing a computer system without authority

Computer may be instrument of crime:

Theft of trade secrets

Using e-mail for threats or harassment

Who Would Want To Break Into Your Systems?

Hacker: a person who attempts to bypass the security
mechanisms of an information system or network without
authorization.

38% of hackers are internal to the system hacked
(i.e. disgruntled employees). Percentage compiled by FBI, 2008.

The external hacker community is made up of two groups:

Benevolent hackers tend to use their talents to
increase the level of expertise and awareness of
information security.

Malicious hackers' main purpose is to disrupt, steal,
or damage data/information at rest or in transit.

Hacker Motivations


Attack the Evil Empire (e.g. Microsoft)


Display of dominance


Showing off, revenge


Misdirected creativity


Embezzlement, greed


Steal data/information


Watch all your actions on the computer


Damage your computer by reformatting your hard drive
or changing your data


Control your computer to hide their true identities as they
launch attacks against high-profile computer systems
such as government or financial systems

Hacking and Computer Crime


Hacking:
intentionally accessing a computer without
authorization or exceeding authorized access. Various state
and federal laws govern computer hacking.

Hacking activities include:

System intrusion

System damage

Cybervandalism

Intentional disruption, defacement, destruction of a Web site or
corporate information system

Type of Attacks


Malicious code and software


Data sniffing and spoofing


Denial of Service (DoS) Attacks


Identity theft


Website defacement


Pharming and fraud


Internal threats

Malicious Code and Software


Viruses: rogue program that attaches itself to other
software programs or data files in order to be executed

Worms: independent computer program that copies itself
from one computer to other computers over a network

Trojan horses: software program that appears to be benign
but then does something other than expected.

Spyware: small programs that install themselves surreptitiously
on computers to monitor user Web surfing activity

Key loggers: record every keystroke on a computer to steal
serial numbers and passwords, or to launch Internet attacks

Spyware

Top 5 Tips to Avoid Viruses and Spyware

Data Sniffing and Spoofing


Spoofing

Misrepresenting oneself by using fake e-mail addresses
or masquerading as someone else

Redirecting a Web link to an address different from the intended
one, with the site masquerading as the intended destination

Sniffing

Eavesdropping program that monitors information
traveling over a network

Enables hackers to steal proprietary information such
as e-mail, company files, and so on

Denial of Service


Denial-of-service attacks (DoS)

Flooding a server with thousands of false
requests so that it cannot serve legitimate ones
(the server or its network link is overwhelmed).

Distributed denial-of-service attacks (DDoS)

Use of numerous computers to launch a
DoS


Identity Theft

Identity theft: theft of personal information
(social security id, driver's license, or credit card
numbers) to impersonate someone else

Phishing: setting up fake Web sites or sending
e-mail messages that look like legitimate
businesses to ask users for confidential personal
data

Evil twins: wireless networks that pretend to
offer trustworthy Wi-Fi connections to the Internet

Website Defacement


Attacker probes web services through a
normal Internet connection

Attacker modifies Web code, which
changes the website or web storefront

Conducted using free "hacking" software
easily downloaded from the Internet

Increasing tremendously

Experts no longer keep records of defaced sites;
they could not keep up.



Pharming and Fraud

Pharming

Redirects users to a bogus Web page, even when the
individual types the correct Web page address into his or
her browser

Click fraud

Occurs when an individual or computer program
fraudulently clicks on an online ad without any intention
of learning more about the advertiser or making a
purchase

Internal Threats: Employees

Security threats often originate inside an organization.


Inside knowledge


Sloppy security procedures


User lack of knowledge


Social engineering:


Tricking employees into revealing their passwords by
pretending to be legitimate members of the company in
need of information

Information Systems
Security and Control


Security:


Policies, procedures, and technical measures used
to prevent unauthorized access, alteration, theft, or
physical damage to information systems


Controls:


Methods, policies, and organizational procedures
that ensure safety of organization’s assets;
accuracy and reliability of its accounting records;
and operational adherence to management
standards



Business Value of Security and Control

Failed computer systems can lead to
significant or total loss of business function.

Firms now more vulnerable than ever.

A security breach may cut into firm's market
value almost immediately.

Inadequate security and controls also bring
forth issues of liability.

Legal Requirements for
Electronic Records Management


Firms face new legal obligations for the retention and
storage of electronic records as well as for privacy
protection


HIPAA:
medical security and privacy rules and procedures

Gramm-Leach-Bliley Act:
requires financial institutions to
ensure the security and confidentiality of customer data

Sarbanes-Oxley Act:
imposes responsibility on companies
and their management to safeguard the accuracy and integrity
of financial information that is used internally and released
externally

Information Systems Security

Information systems security is the process of
preventing and detecting unauthorized
use of your computer systems.

Prevention measures
help you to stop
unauthorized users
(intruders) from
accessing any part
of your computer
system.

Detection helps you to
determine whether or not
someone attempted to break
into your system, if they were
successful, and what they
may have done.


Information System Control

General controls:

Govern design, security, and use of the
organization's information technology infrastructure.

√ Software control √ Hardware control √ Data security
control √ Computer operations control √ Implementation
control √ Administrative control

Application controls:
Specific controls unique to each
computerized application, such as payroll or order
processing; ensure that only authorized data are
completely and accurately processed by that application.

√ Input control √ Processing control √ Output control


System Risk Assessment

Determines level of risk to firm if specific activity or
process is not properly controlled:

Types of threat

Probability of occurrence during year

Potential losses, value of threat

Expected annual loss

Example: online order processing system

EXPOSURE        PROBABILITY   LOSS RANGE      EXPECTED ANNUAL LOSS
Power failure   30%           $5K - $200K     $30,750
Embezzlement    5%            $1K - $50K      $1,275
User error      98%           $200 - $40K     $19,698

Expected annual loss = probability of occurrence x midpoint of the loss range
(e.g. power failure: 0.30 x ($5,000 + $200,000) / 2 = $30,750).

Basic Security
Management Principles

The Principle of Least Privilege

Anything that is not expressly permitted is denied.

Personnel should have access to the resources they
need to do their jobs: no more and certainly no less.

Compartmentalization of Information

Need-to-know principle.

Does the engineering staff need access to their
department's AutoCAD archive? Do they need access
to the Payroll databases?



Security Policy

Ranks information risks, identifies acceptable
security goals, and identifies mechanisms for
achieving these goals

Drives other policies

Acceptable use policy (AUP)

Defines acceptable uses of firm's information
resources and computing equipment

Authorization policies

Determine differing levels of user access to
information assets
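The least-privilege and need-to-know rules from the previous slide, and the authorization policies (access rules determining differing levels of user access) on this one, come down to one check: grant only what a rule expressly permits and deny everything else. The following is an added example written for this page, not code from the slides or any product; the roles, resources and policy table are assumed.

```python
"""Default-deny, need-to-know authorization check.

Added example, not code from the original slides. The roles, resources
and policy table are assumed for illustration. Two rules from the slides
are enforced: anything not expressly permitted is denied, and a user can
do only what some role of theirs needs.
"""
from dataclasses import dataclass

# Assumed sample policy: role -> {resource: set of permitted actions}.
# A (role, resource) pair that is absent grants nothing.
POLICY = {
    "engineer": {"engineering/autocad-archive": {"read", "write"}},
    "payroll_clerk": {"hr/payroll-db": {"read", "write"}},
    "auditor": {"hr/payroll-db": {"read"}, "engineering/autocad-archive": {"read"}},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # a user may hold several roles


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(user: User, resource: str, action: str) -> Decision:
    """Allow only if a role the user holds expressly permits (resource, action)."""
    for role in sorted(user.roles):
        if action in POLICY.get(role, {}).get(resource, set()):
            return Decision(True, f"role '{role}' permits {action} on {resource}")
    # Default deny: unknown role, unknown resource or unlisted action all end here.
    return Decision(False, f"no role held by {user.name} permits {action} on {resource}")


def effective_permissions(user: User) -> dict:
    """Everything the user's roles grant: the list an access review compares against job needs."""
    result = {}
    for role in user.roles:
        for resource, actions in POLICY.get(role, {}).items():
            result.setdefault(resource, set()).update(actions)
    return result


if __name__ == "__main__":
    alice = User("alice", frozenset({"engineer"}))
    for resource, action in [("engineering/autocad-archive", "read"),
                             ("hr/payroll-db", "read"),
                             ("engineering/autocad-archive", "delete")]:
        d = authorize(alice, resource, action)
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

Unknown roles, unknown resources and actions that are not listed all fall through to the deny branch, which is what "anything not expressly permitted is denied" means in code. effective_permissions is what a periodic access review compares against a person's actual duties: an engineer who also holds payroll_clerk has excess privilege, an auditor who needs to write has too little.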

Firewalls


Firewall:
Combination of hardware and
software that prevents unauthorized
users from accessing private networks.
Technologies include:


Static packet filtering


Network address translation (NAT)


Application proxy filtering
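Static packet filtering, the first of the three technologies listed, is in practice an ordered rule list with a default-deny fallthrough. The following is an added example, not code from the slides or any firewall product; the interfaces, addresses and rules are assumed. It also includes the ingress anti-spoofing rule (the practice described in RFC 2827 / BCP 38) that connects the spoofing discussion earlier to the firewall: a packet arriving from the Internet that claims an internal source address is dropped before anything else is considered.

```python
"""Static (stateless) packet filter: first matching rule wins, no match means drop.

Added example, not code from the original slides. Interfaces, address
ranges and the rule set are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = "10.0.0.0/8"  # assumed private LAN range


@dataclass(frozen=True)
class Packet:
    iface: str                  # "wan" (Internet-facing) or "lan"
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "accept" or "drop"
    iface: Optional[str] = None # None matches anything
    src: Optional[str] = None   # CIDR or None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


# Assumed rule set. Order matters: the anti-spoofing drop must precede any accept.
RULES = [
    Rule("drop", iface="wan", src=INTERNAL_NET, comment="anti-spoofing: internal source address arriving from the Internet"),
    Rule("accept", iface="wan", proto="tcp", dst="10.0.0.5/32", dport=443, comment="public HTTPS on the web server"),
    Rule("accept", iface="lan", src=INTERNAL_NET, comment="LAN hosts may initiate outbound traffic"),
    Rule("drop", iface="wan", proto="tcp", dport=23, comment="telnet from the Internet is never allowed"),
]


def filter_packet(p: Packet, rules=RULES):
    """Return (action, reason) for the first rule that matches, or default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return "drop", "default deny"


if __name__ == "__main__":
    for pkt in [Packet("wan", "10.0.0.7", "10.0.0.5", "tcp", 443),     # spoofed internal source
                Packet("wan", "203.0.113.9", "10.0.0.5", "tcp", 443),  # legitimate web visitor
                Packet("wan", "203.0.113.9", "10.0.0.5", "tcp", 22),   # SSH from the Internet
                Packet("lan", "10.0.0.20", "203.0.113.9", "tcp", 443)]: # LAN outbound
        print(pkt.iface, pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, filter_packet(pkt))
```

The spoofed packet in the demo would have matched the web-server accept rule, so the anti-spoofing drop has to sit above it. A static filter also cannot distinguish the reply to a LAN-initiated connection from an unsolicited inbound packet; that needs the stateful (connection-tracking) filtering that modern firewalls layer on top of rules like these.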


Intrusion Detection Systems and Antivirus Software

Intrusion detection systems:

Monitor hot spots on corporate networks to detect
and deter intruders.

Examine events as they are happening to discover
attacks in progress.

Antivirus and antispyware software:

Check computers for presence of malware and can
often eliminate it as well.

Require continual updating.
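What an intrusion detection system does with "events as they are happening" can be shown on log lines. The following added example, not code from the slides or any IDS product, runs two detections over constructed Common Log Format web-server lines: a per-source request-rate check for the flooding described under denial of service, and a signature match for the probing described under website defacement. The thresholds and the signature patterns are assumptions chosen for the demo.

```python
"""Two IDS-style detections over web-server log lines: floods and attack signatures.

Added example, not code from the original slides. The log lines below are
constructed; thresholds and signatures are assumptions a real deployment
would tune.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: src ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed signatures: request paths that legitimate visitors never send.
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./|%2e%2e", re.I)),
    ("sensitive file probe", re.compile(r"/etc/passwd|/\.git/|/\.env$", re.I)),
    ("script injection", re.compile(r"<script|%3cscript", re.I)),
]


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not trusted
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    return event


def detect(lines, window_s: int = 10, max_requests: int = 20):
    """Return alerts: signature hits per request, plus one flood alert per offending source."""
    events = [e for e in map(parse_line, lines) if e]
    alerts = []
    for e in events:
        for name, rx in SIGNATURES:
            if rx.search(e["path"]):
                alerts.append({"type": "signature", "src": e["src"], "detail": name, "path": e["path"]})
    # Sliding window per source: more than max_requests within window_s seconds is a flood.
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e["ts"])
    for src, times in by_src.items():
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count > max_requests:
                alerts.append({"type": "flood", "src": src,
                               "detail": f"{count} requests within {window_s}s", "path": None})
                break
    return alerts


def _line(src, t, path, status="200"):
    return f'{src} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample log: a normal visitor, a flooding source, and a probe.
_T0 = datetime(2014, 2, 22, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("192.0.2.10", _T0 + timedelta(seconds=7 * i), "/index.html") for i in range(5)]
    + [_line("198.51.100.7", _T0 + timedelta(milliseconds=150 * i), "/search?q=x") for i in range(40)]
    + [_line("203.0.113.4", _T0 + timedelta(seconds=20), "/static/../../etc/passwd", "404")]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The rate check needs no knowledge of the attacker and catches the flood; the signature check needs no volume and catches the single probe. An IDS runs both kinds, and, as the slide says, both need continual updating: new probes need new signatures, and a thresholds tuned for one site will false-alarm on another.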


Encryption

The process of transforming data into cipher data (ciphertext)
that cannot be read by unintended recipients


Symmetric key encryption


Sender and receiver use single, shared key


Public key encryption


Uses two mathematically related keys: a public key
and a private key


Sender encrypts message with recipient’s public key


Recipient decrypts with private key


Digital Certificate

Digital certificate: data file used to establish the
identity of users and electronic assets for protection of
online transactions

Uses a trusted third party, a certification authority (CA), to validate
a user's identity

CA verifies the user's identity, stores the information on the CA server, and
issues a digitally signed certificate containing owner ID
information and a copy of the owner's public key (the certificate is signed
by the CA, not encrypted, so anyone holding the CA's public key can check it)

Public key infrastructure (PKI)

Use of public key cryptography working with a certificate authority

Widely used in e-commerce
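The symmetric/public-key split from the encryption slide and the CA-signed certificate from this one, carried through end to end as an added example; this is not code from the slides. It is a deliberately miniature and insecure toy (textbook RSA with small keys, a home-made stream cipher) built only from the standard library so that each step is visible; all function names are this example's own, and real systems use a vetted library instead.

```python
"""Symmetric vs. public-key encryption and a CA-signed certificate, in miniature.

Added example, not code from the original slides. Everything is a toy built
from the standard library: textbook RSA with small keys and an unpadded
SHA-256 counter-mode stream cipher with an HMAC tag. It is NOT safe for
real use; production code uses a vetted library (AES-GCM, RSA-OAEP or
X25519, X.509 certificates).
"""
import hashlib
import hmac
import os
import random


def _is_probable_prime(n: int, rng, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full bit length
        if _is_probable_prime(candidate, rng):
            return candidate


def rsa_keygen(bits: int = 512, seed=None):
    """Return ((n, e), (n, d)): two mathematically related keys. seed is only for reproducible demos."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_public_op(pub, m: int) -> int:   # encrypt, or verify a signature
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def rsa_private_op(priv, c: int) -> int:  # decrypt, or sign
    n, d = priv
    return pow(c, d, n)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:length])


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Shared-key encryption: nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: ciphertext was modified")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def hybrid_encrypt(recipient_pub, message: bytes):
    """Sender: a fresh session key protects the message; the recipient's PUBLIC key wraps that key."""
    session_key = os.urandom(32)
    wrapped = rsa_public_op(recipient_pub, int.from_bytes(session_key, "big"))
    return wrapped, symmetric_encrypt(session_key, message)


def hybrid_decrypt(recipient_priv, wrapped: int, blob: bytes) -> bytes:
    """Recipient: only the matching PRIVATE key recovers the session key."""
    session_key = rsa_private_op(recipient_priv, wrapped).to_bytes(32, "big")
    return symmetric_decrypt(session_key, blob)


def _cert_digest(owner: str, pub) -> int:
    return int.from_bytes(hashlib.sha256(f"{owner}|{pub[0]}|{pub[1]}".encode()).digest(), "big")


def make_cert(ca_priv, owner: str, owner_pub) -> dict:
    """CA binds an identity to a public key by SIGNING the pair with its private key."""
    return {"owner": owner, "pub": owner_pub, "sig": rsa_private_op(ca_priv, _cert_digest(owner, owner_pub))}


def verify_cert(ca_pub, cert: dict) -> bool:
    """Anyone holding the CA's public key can check that owner and key were not altered."""
    return rsa_public_op(ca_pub, cert["sig"]) == _cert_digest(cert["owner"], cert["pub"])
```

The flow mirrors the slides: the sender looks up the recipient's certificate, verifies the CA's signature on it, wraps a one-time symmetric key with the public key inside it, and encrypts the bulk data with that symmetric key; the recipient alone can unwrap the session key with the private key. The HMAC tag is what makes a modified ciphertext fail rather than decrypt to garbage, which is the integrity leg of the CIA triad at work.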

the Quest for Identity 2.0

IDENTITY 2.0 KEYNOTE


Access Control

Policies and procedures to prevent improper access
to systems by unauthorized insiders and outsiders

Authorization:

Establishes where and when a user is
permitted to access certain parts of the corporate system
and database, based on a set of access rules and a
profile.

Authentication:

comes in 3 forms: what you know, have, or are

Password or PIN systems (know)

Smartcard, tokens (have)

Biometric authentication: fingerprint, retina (are)
IBM ZONE TRUSTED
INFORMATION CHANNEL
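A login check that combines "what you know" with "what you have", as an added example; this is not code from the slides or from IBM's product. The password is stored only as a salted PBKDF2 hash, and the possession factor is a time-based one-time code (TOTP, RFC 6238) of the kind a hardware token or authenticator app produces, standing in for the slide's "smartcard, tokens". The user record, secret and iteration count are constructed for the demo.

```python
"""Two-factor login: salted password hash (know) plus TOTP code (have).

Added example, not code from the original slides. Users, the TOTP secret
and the iteration count are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP's current recommendation)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> dict:
    """Store salt + iteration count + derived key; the clear-text password is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_password(password: str, record: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])  # constant-time comparison


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 over the 30-second counter, dynamic truncation)."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate clock drift."""
    now = int(time.time()) if now is None else now
    return any(hmac.compare_digest(totp(secret, now + k * 30), code) for k in range(-window, window + 1))


# Hashed once at import so a missing user costs the same time as a wrong password.
DUMMY_RECORD = hash_password("not-a-real-password", salt=bytes(16))


def login(user_db: dict, username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass; failures do not reveal which one failed."""
    user = user_db.get(username)
    if user is None:
        verify_password(password, DUMMY_RECORD)  # burn equal time for unknown users
        return False
    if not verify_password(password, user["password"]):
        return False
    return verify_totp(user["totp_secret"], code, now)


if __name__ == "__main__":
    secret = os.urandom(20)
    db = {"alice": {"password": hash_password("correct horse battery staple"), "totp_secret": secret}}
    print(login(db, "alice", "correct horse battery staple", totp(secret, int(time.time()))))
```

The RFC 6238 test vectors (ASCII secret 12345678901234567890, SHA-1) are a quick check of the TOTP step: time 59 gives 94287082 with eight digits, so 287082 with six. Two factors only help if the second one is independent of the first, which is why the code comes from a device the password thief does not hold.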



Ensuring System Availability

Fault-tolerant computer systems

Contain redundant hardware, software, and power
supply components that create an environment that
provides continuous, uninterrupted service

High-availability computing

Helps recover quickly from crash; minimizes, but does
not eliminate, downtime


Recovery-oriented computing

Designing systems that recover quickly with
capabilities to help operators pinpoint and correct
faults in multicomponent systems



Disaster Recovery Planning and Business Continuity Planning

Disaster recovery planning: develop plans for
restoration of disrupted computing services

Business continuity planning: focuses on restoring
business operations after disaster

Both types of plans needed to identify firm's most
critical systems

Business impact analysis to determine impact of an
outage

Management must determine which systems restored
first


MIS Audit

Determines if existing security measures and controls are
effective

Examines firm's overall security environment as well as
controls governing individual information systems

Reviews technologies, procedures, documentation,
training, and personnel

May even simulate disaster to test response of
technology, IS staff, other employees

Lists and ranks all control weaknesses and estimates
probability of their occurrence.

Assesses financial and organizational impact of each
threat

Networked Systems vs. Secured Systems

Some platforms are more secure than others

Networks                 Security
Open communication       Closed communication
Full access              Full lockdown

! Business managers must strike a balance !