Managing IT security
Shared by pptfiles; posted 12/28/2012; English; 56 pages

Managing IT security
• Why do information systems need special
protection from destruction, error, and
abuse?
• What is the business value of security and
control?
• What tools and technologies exist for
protecting information resources?
Why are systems vulnerable?
Systems vulnerability and abuse
• Security
• Policies, procedures, and technical measures used to prevent
unauthorized access, alteration, theft, or physical damage to information
systems
• Controls
• Methods, policies, and organizational procedures that ensure:
• Safety of organization’s assets
• Accuracy and reliability of accounting records
• Operational adherence to management standards
Why systems are vulnerable
• Electronic data vulnerable to more types of
threats than manual data
• Networks
• Potential for unauthorized access, abuse, or fraud is not limited to
single location but can occur at any access point in network
• Vulnerabilities exist at each layer and between layers
• E.g. user error, viruses, hackers, radiation, hardware or software
failure, theft
Internet Vulnerabilities
• Public network, so open to anyone
• Size of Internet means abuses may have
widespread impact
• Fixed IP addresses are a fixed target for hackers
• VoIP phone service vulnerable to interception
• E-mail, instant messaging vulnerable to malicious
software, interception
Wireless Security Challenges
• Many home networks and public hotspots open to anyone, so not
secure, communication unencrypted
• LANs using 802.11 standard can be easily penetrated
• Service set identifiers (SSIDs) identify access points in
Wi-Fi network and are broadcast multiple times
• WEP (Wired Equivalent Privacy): Initial Wi-Fi security standard not
very effective as access point and all users share same password
Wi-Fi Security Challenges
Systems vulnerability and abuse
• Malicious software (malware)
• Computer virus
• Rogue software program that attaches to other programs or data files
• Payload may be relatively benign or highly destructive
• Worm:
• Independent program that copies itself over network
• Viruses and worms spread via:
• Downloaded software files
• E-mail attachments
• Infected e-mail messages or instant messages
• Infected disks or machines
Systems vulnerability and abuse
• Trojan horse
• Software program that appears to be benign but then does something
other than expected
• Does not replicate but often is way for viruses or malicious code to enter
computer system
• Spyware
• Small programs installed surreptitiously on computers to monitor user
Web surfing activity and serve advertising
• Key loggers
• Record and transmit every keystroke on computer
• Steal serial numbers, passwords
Malicious Software: Viruses, Worms, and Spyware
• Computer viruses, worms
• Spyware
• Identity theft, phishing, pharming
• Cyberterrorism and Cyberwarfare
• Vulnerabilities from internal threats
(employees); software flaws
Systems vulnerability and abuse
• Hacker
• Individual who intends to gain unauthorized access to computer system
• Cybervandalism
• Intentional disruption, defacement, or destruction of Web site or
corporate information system
• Spoofing
• Misrepresentation, e.g. by using fake e-mail addresses or redirecting to
fake Web site
• Sniffer:
• Eavesdropping program that monitors information traveling over network
Systems vulnerability and abuse
• Denial-of-service (DoS) attack:
• Flooding network or Web server with thousands of false requests so as to
crash or slow network
• Distributed denial-of-service (DDoS) attack
• Uses hundreds or thousands of computers to inundate and overwhelm
network from many launch points
• Botnet
• Collection of “zombie” PCs infected with malicious software without their
owners’ knowledge and used to launch DDoS or perpetrate other crimes
Computer crime
• Computer as target of crime
• Accessing computer without authority
• Breaching confidentiality of protected computerized data
• Computer as instrument of crime
• Theft of trade secrets and unauthorized copying of software or
copyrighted intellectual property
• Using e-mail for threats or harassment
• Most economically damaging computer crimes
• DoS attacks and viruses
• Theft of service and disruption of computer systems
• Identity theft
• Using key pieces of personal information (social security numbers, driver’s
license numbers, or credit card numbers) to impersonate someone else
• Phishing
• Setting up fake Web sites or sending e-mail messages that look like those
of legitimate businesses to ask users for confidential personal data
• Evil twins
• Bogus wireless networks used to offer Internet connections, then to
capture passwords or credit card numbers
• Pharming
• Redirecting users to bogus Web page, even when individual types correct address
into browser
• Computer Fraud and Abuse Act (1986)
• Makes it illegal to access computer system without authorization
• Click fraud
• Fraudulently clicking on online ad without intention of learning more about
advertiser or making purchase
• Cyberterrorism and cyberwarfare:
• At least twenty countries are believed to be developing offensive and defensive
cyberwarfare capabilities
Internal threats: Employees
• Company insiders pose serious security problems
• Access to inside information, such as security codes and passwords
• May leave little trace
• User lack of knowledge: Single greatest cause of network security
breaches
• Compromised passwords
• Social engineering
• Errors introduced into software by:
• Faulty data entry, misuse of system
• Mistakes in programming, system design
• Software vulnerability
• Software errors are constant threat to information systems
• Cost U.S. economy $59.6 billion each year
• Can enable malware to slip past antivirus defenses
• Patches
• Created by software vendors to update and fix vulnerabilities
• However, maintaining patches on all firm’s devices is time consuming
and evolves more slowly than malware
Business value of security and control
• Inadequate security and control may create serious
legal liability.
• Businesses must protect not only their own
information assets but also those of customers,
employees, and business partners. Failure to do so
can lead to costly litigation for data exposure or theft.
• A sound security and control framework that protects
business information assets can thus produce a high
return on investment.
Electronic Records Management (ERM)
• Policies, procedures, and tools for managing retention, destruction, and
storage of electronic records
Electronic evidence and computer forensics
• Legal cases today increasingly rely on evidence
represented as digital data
• E-mail most common electronic evidence
• Courts impose severe financial, even criminal
penalties for improper destruction of electronic
documents, failure to produce records, and failure
to store records properly
Computer forensics
• Scientific collection, examination, authentication,
preservation, and analysis of data on computer
storage media so that it can be used as evidence
in a court
• Awareness of computer forensics should be
incorporated into firm’s contingency planning
process
Establishing a Framework for Security and Control
• ISO 17799
• International standards for security and control specifies best practices
in information systems security and control
• Risk Assessment
• Determines level of risk to firm if specific activity or process is not
properly controlled
• Value of information assets
• Points of vulnerability
• Likely frequency of problem
• Potential for damage
• Once risks are assessed, system builders concentrate on control points
with greatest vulnerability and potential for loss
Online order processing risk assessment
Technology and tools for security
• Security policy
• Statements ranking information risks, identifying acceptable security
goals, and identifying mechanisms for achieving these goals
• Chief Security Officer (CSO)
• Heads security group in larger firms
• Responsible for enforcing security policy
• Security group
• Educates and trains users
• Keeps management aware of security threats and breakdowns
• Maintains tools chosen to implement security
Technology and tools for security
• Acceptable Use Policy (AUP)
• Defines acceptable uses of firm’s information resources and computing
equipment
• A good AUP defines acceptable actions for every user and specifies
consequences for noncompliance
• Authorization policies
• Determine level of access to information assets for different levels of users
• Authorization management systems
• Allow each user access only to those portions of system that person is
permitted to enter, based on information established by set of access rules
Security’s five pillars
• Authentication: Verifying the authenticity of users, ensuring
people are who they say they are.
• ID/Password, biometric, questions
• Identification: Identifying users to grant them appropriate
access
• Allowing system to know who someone is to give appropriate access
rights
• Privacy: Protecting information from being seen
• E.g., against spyware installed without consent in a computer to
collect information
Security’s five pillars
• Integrity: Keeping information in its original form
• Ensuring data is not altered in any way
• Non-repudiation: Preventing parties from denying
actions they have taken
• Ensuring that the parties in a transaction are who they say they are
and cannot deny that transaction took place
Security profile for a personnel system
Ensuring business continuity
• Fault-tolerant computer systems
• Ensure 100% availability
• Utilize redundant hardware, software, power supply components
• Critical for online transaction processing
• High availability computing
• Tries to minimize downtime
• Helps firms recover quickly from system crash
• Utilizes backup servers, distributed processing, high capacity storage,
disaster recovery and business continuity plans
• Recovery-oriented computing: Designing systems, capabilities, tools that
aid in quick recovery, correcting mistakes
• Disaster recovery planning
• Restoring computing and communication services after earthquake, flood,
etc.
• Can be outsourced to disaster recovery firms
• Business continuity planning
• Restoring business operations after disaster
• Identifies critical business processes and determines how to handle them
if systems go down
• Business impact analysis
• Used to identify the most critical systems and the impact a system outage
has on the business
Auditing
• MIS audit: Examines firm’s overall security environment as well as
controls governing individual information systems
• Security audit: Reviews technologies, procedures, documentation,
training, and personnel
• Audits:
• List and rank all control weaknesses
• Estimate probability of occurrence
• Assess financial and organizational impact of each threat
Sample auditor’s list of control weaknesses
• Access control
• Policies and procedures used to prevent improper access to systems by
unauthorized insiders and outsiders
• Users must be authorized and authenticated
• Authentication:
• Typically established by password systems
• New authentication technologies:
• Tokens
• Smart cards
• Biometric authentication
Firewalls
• Hardware and software controlling flow of
incoming and outgoing network traffic
• Prevents unauthorized access
• Screening technologies
• Packet filtering
• Stateful inspection
• Network address translation (NAT)
• Application proxy filtering
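Added example (not from the slides) contrasting two of the screening technologies listed above: a stateless packet filter that can only judge each packet on its own headers, and stateful inspection that remembers which connections inside hosts opened. The policy, the packet layout and the sample addresses are constructed for the illustration.

```go
package main

import "fmt"

// Packet is a simplified TCP header; Syn without Ack marks a connection request.
type Packet struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	Inbound          bool // arriving from the Internet into the LAN
	Syn, Ack         bool
}

// PacketFilter is stateless: it judges each packet on its own headers. Policy
// (constructed): inside hosts may open HTTPS (port 443) outward, nothing may be
// opened inward. To let replies in it must admit any packet from source port 443.
func PacketFilter(p Packet) bool {
	if !p.Inbound {
		return p.DstPort == 443
	}
	return p.SrcPort == 443
}

// Stateful applies the same policy but records connections opened from inside
// and admits an inbound packet only if it belongs to one (stateful inspection).
type Stateful struct{ conns map[string]bool }

func NewStateful() *Stateful { return &Stateful{conns: map[string]bool{}} }

func key(inIP string, inPort int, outIP string, outPort int) string {
	return fmt.Sprintf("%s:%d>%s:%d", inIP, inPort, outIP, outPort)
}

func (s *Stateful) Inspect(p Packet) bool {
	if !p.Inbound {
		if p.DstPort != 443 {
			return false
		}
		if p.Syn && !p.Ack { // connection request: remember it
			s.conns[key(p.SrcIP, p.SrcPort, p.DstIP, p.DstPort)] = true
		}
		return true
	}
	return s.conns[key(p.DstIP, p.DstPort, p.SrcIP, p.SrcPort)] // reply direction
}

func main() { // constructed traffic: an outbound HTTPS request, its reply, an unsolicited packet
	s := NewStateful()
	for _, p := range []Packet{
		{"10.0.0.5", "203.0.113.7", 51000, 443, false, true, false},
		{"203.0.113.7", "10.0.0.5", 443, 51000, true, true, true},
		{"198.51.100.9", "10.0.0.5", 443, 22, true, false, true}, // merely uses source port 443
	} {
		fmt.Println(p.SrcIP, "->", p.DstIP, "filter:", PacketFilter(p), "stateful:", s.Inspect(p))
	}
}
```

The third packet shows the difference: the stateless filter has to let it through because it cannot tell it apart from a reply, while stateful inspection drops it because no inside host opened that connection.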
Corporate firewall
Intrusion detection systems
• Full-time, real-time monitoring tools
• Placed at most vulnerable points of corporate
networks to detect and deter intruders
• Scanning software looks for patterns such as bad
passwords or removal of important files and
notifies administrators
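Added example (not from the slides): a small scanner over constructed audit-log lines that raises an alert on the two patterns the slide names, repeated bad passwords from one source and removal of an important file. The log format, the threshold and the protected-file list are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed audit-log lines (not real system output), one event per line:
//   <RFC3339 time> <event> <result> key=value key=value
const sampleLog = `2024-05-01T10:00:01Z login FAIL user=root src=198.51.100.23
2024-05-01T10:00:03Z login FAIL user=admin src=198.51.100.23
2024-05-01T10:00:04Z login OK user=alice src=10.0.0.7
2024-05-01T10:00:06Z login FAIL user=root src=198.51.100.23
2024-05-01T10:03:00Z file DELETE path=/var/log/audit.log user=bob
2024-05-01T10:03:05Z file DELETE path=/tmp/scratch.txt user=bob`

// Patterns the scanner looks for: failThreshold bad passwords from one source
// inside failWindow, or removal of a file on the protected list.
const failThreshold, failWindow = 3, 60 * time.Second

var protectedFiles = map[string]bool{"/var/log/audit.log": true, "/etc/passwd": true}

// Detect scans the log once, in time order, and returns one alert per match.
func Detect(log string) []string {
	var alerts []string
	fails := map[string][]time.Time{} // failed-login times per source, window-pruned
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 {
			continue // not an event line
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		val := func(i int) string { _, v, _ := strings.Cut(f[i], "="); return v }
		switch {
		case f[1] == "login" && f[2] == "FAIL":
			src := val(4)
			for len(fails[src]) > 0 && ts.Sub(fails[src][0]) > failWindow {
				fails[src] = fails[src][1:] // fell out of the window
			}
			fails[src] = append(fails[src], ts)
			if len(fails[src]) >= failThreshold {
				alerts = append(alerts, fmt.Sprintf("%s: %d failed logins from %s within %v",
					f[0], len(fails[src]), src, failWindow))
			}
		case f[1] == "file" && f[2] == "DELETE" && protectedFiles[val(3)]:
			alerts = append(alerts, fmt.Sprintf("%s: protected file %s removed by %s",
				f[0], val(3), val(4)))
		}
	}
	return alerts
}
```

Once a source crosses the threshold, every further failure inside the window raises another alert; a production scanner would suppress repeats for the same source so administrators are not flooded.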
Technologies and Tools for Security
• Antivirus software:
• Checks computer systems and drives for presence of computer
viruses
• To remain effective, antivirus software must be continually updated
• Antispyware software tools:
• Many leading antivirus software vendors include protection against
spyware
• Standalone tools available (Ad-Aware, Spybot)
Symmetric key encryption
• Each computer has a secret key (code) that it can
use to encrypt a packet of information before it is
sent over the network to another computer.
• Symmetric-key requires that you know which
computers will be talking to each other so you
can install the key on each one.
• Symmetric-key encryption is essentially the same
as a secret code that each of the two computers
must know in order to decode the information.
The code provides the key to decoding the
message.
Symmetric key encryption
Public-key Encryption
• Also known as asymmetric-key encryption, public-key encryption uses two
different keys at once: a combination of a private key and a public key.
• The private key is known only to your computer, while the public key is
given by your computer to any computer that wants to communicate
securely with it.
• To decode an encrypted message, a computer must use the public key,
provided by the originating computer, and its own private key.
• The public key used for encryption is published and available to anyone,
so a message sent from one computer to another is not hidden in transit;
but anyone who picks it up can't read it without the private key.
• The key pair is based on prime numbers (numbers whose only divisors are
themselves and one, such as 2, 3, 5, 7, 11 and so on) of long length.
• This makes the system extremely secure, because there is essentially an
infinite number of prime numbers available, meaning there are nearly
infinite possibilities for keys.
Weakness of symmetric key encryption
• Two users attempting to communicate with
each other need a secure way to exchange the key;
otherwise, an attacker can easily pluck the
necessary data from the stream.
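Added example (not from the slides) illustrating the symmetric-key and public-key sections together: AES-GCM with one key that both computers must already share, and RSA-OAEP where the receiver's published public key encrypts but only its private key decrypts. It uses Go's standard library; the message and key sizes are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// must unwraps (value, error); key sizes are fixed here, so an error is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SymmetricSeal encrypts with AES-GCM under one secret key that sender and
// receiver must both hold beforehand (the key-distribution problem above).
func SymmetricSeal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize()) // fresh random nonce, prefixed to output
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}

// SymmetricOpen recovers the message only with the sender's key; GCM's
// authentication tag makes any other key fail outright instead of yielding garbage.
func SymmetricOpen(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// Demo contrasts the schemes: in the public-key exchange the receiver publishes
// its RSA public key, any sender encrypts to it, and only the private key decrypts.
func Demo() (symOK, wrongKeyRejected, pubOK bool) {
	msg := []byte("PO-1138: ship 40 units to depot 7") // constructed message
	shared := make([]byte, 32)                          // installed on both ends
	must(rand.Read(shared))
	sealed := SymmetricSeal(shared, msg)
	got, err := SymmetricOpen(shared, sealed)
	symOK = err == nil && string(got) == string(msg)
	_, err = SymmetricOpen(make([]byte, 32), sealed) // a party without the key
	wrongKeyRejected = err != nil
	priv := must(rsa.GenerateKey(rand.Reader, 2048)) // receiver's key pair
	ct := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, msg, nil))
	got, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	pubOK = err == nil && string(got) == string(msg)
	return symOK, wrongKeyRejected, pubOK
}
```

Note that the public-key exchange needs no key installed in advance on the sender's side, which is exactly what the symmetric scheme cannot offer.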
Securing wireless networks
• WEP: Provides some measure of security if activated
• VPN technology: Can be used by corporations to help security
• 802.11i specification: Tightens security for wireless LANs
• Longer encryption keys that are not static
• Central authentication server
• Mutual authentication
• Wireless security should be accompanied by appropriate policies and
procedures for using wireless devices
Wired Equivalent Privacy (WEP)
• A security protocol for wireless networks that
encrypts transmitted data. WEP has three
settings: Off (no security), 64-bit (weak
security), 128-bit (a bit better security).
• WEP is not difficult to crack, and using it
reduces performance slightly.
Wired Equivalent Privacy (WEP)
• WEP introduces the concept of a passphrase so
that the user does not have to enter
complicated key strings by hand.
• The passphrase entered is converted into the
complicated keys.
WPA/WPA 2
• WPA was designed to be a replacement for WEP networks without
requiring hardware replacements, using a subset of the IEEE 802.11i
amendment.
• WPA2, short for Wi-Fi Protected Access 2, is the follow-on security method
to WPA for wireless networks that provides stronger data
protection and network access control.
• It provides enterprise and consumer Wi-Fi users with a high level of
assurance that only authorized users can access their wireless
networks.
• Based on the IEEE 802.11i standard, WPA2 provides government
grade security by implementing the National Institute of Standards
and Technology (NIST) FIPS 140-2 compliant AES encryption
algorithm and 802.1X-based authentication.
WPA 2
• There are two versions of WPA2: WPA2-Personal and WPA2-Enterprise.
WPA2-Personal protects against unauthorized network access by
utilizing a set-up password. WPA2-Enterprise verifies network users
through a server. WPA2 is backward compatible with WPA.
VPN Technologies
• A VPN is a private network that uses a public
network (usually the Internet) to connect
remote sites or users together. The VPN uses
"virtual" connections routed through the
Internet from the business's private network
to the remote site or employee. By using a
VPN, businesses ensure security: anyone
intercepting the encrypted data can't read it.
Encryption
• Transforming message into cipher text, using encryption key
• Receiver must decrypt encoded message
• Two main methods for encrypting network
traffic
• Secure Sockets Layer (SSL) /Transport Layer Security (TLS)
• Establishes secure connection between two computers
• Secure HTTP (S-HTTP)
• Encrypts individual messages
Encryption: SSL
An SSL Certificate enables encryption of
sensitive information during online
transactions.
Each SSL Certificate contains unique,
authenticated information about the
certificate owner.
A Certificate Authority verifies the identity of
the certificate owner when it is issued.
Encryption: SSL
Each SSL Certificate consists of a public key
and a private key. Public key: scramble;
Private Key: unscramble
Secure Sockets Layer handshake authenticates
the server (Web site) and the client (Web
browser).
Unique session key established and secure
transmission can begin.
Encryption: SSL
Security Goals
Confidentiality
• Confidentiality, keeping information secret
from unauthorized access, is probably the most
common aspect of information security: we
need to protect confidential information. An
organization needs to guard against those
malicious actions that endanger the
confidentiality of its information.
Integrity
• Information needs to be changed constantly. In
a bank, when a customer deposits or withdraws
money, the balance of their account needs to
be changed. Integrity means that changes
should be done only by authorized users and
through authorized mechanisms.
Availability
• The third component of information security is
availability. The information created and stored
by an organization needs to be available to
authorized users and applications. Information is
useless if it is not available. Information needs to
be changed constantly, which means that it must
be accessible to those authorized to access it.
Unavailability of information is just as harmful to
an organization as a lack of confidentiality or
integrity. Imagine what would happen to a bank if
the customers could not access their accounts for
transactions.