Securing Information Systems.ppt
Shared by: huangyuarong
Posted: 1/16/2013
Management Information Systems

Securing Information Systems
Learning Objectives

• Analyze why information systems need special protection from destruction, error, and abuse.
• Assess the business value of security and control.
• Design an organizational framework for security and control.
• Evaluate the most important tools and technologies for safeguarding information resources.
Phishing

• A phishing attack sends e-mail that claims to come from a bank, credit card company, retailer or other company and directs the recipient to a bogus website that asks for the person's confidential information (account numbers, passwords, PINs).
• Problem: a large number of inexperienced users of online financial services, and the ease of creating bogus websites that mimic legitimate ones.
• Solutions: deploy anti-phishing software and services, and a multilevel authentication system (more than one credential, so that a stolen password alone does not give access) to identify threats and reduce successful phishing attempts.
• Deploying new tools, technologies and security procedures, along with educating consumers (check the real domain behind a link; never log in by following a link in an unexpected e-mail), increases reliability and customer confidence.
• Digital technology offers a multilevel solution but has limits: it cannot by itself win back consumers who have been discouraged by earlier fraud.
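The "ease of creating bogus websites" bullet is the part a mail gateway or browser plug-in can actually act on: the link in a phishing mail usually points at a host that merely contains or resembles the trusted name. The check below is an added example written for these notes, not code from the slides or from any anti-phishing product. The allowlist, the sample URLs and the two-label model of a "registrable domain" are assumptions made for the example; production code should use the organisation's real domain list and the Public Suffix List.

```python
"""Flag phishing-style URLs by checking the registrable domain against an allowlist.

Added example, not from the slides.  TRUSTED_DOMAINS and the sample URLs are
constructed; the two-label registrable-domain model is a simplification
(use the Public Suffix List in real code, e.g. "co.uk" is a suffix, not a domain).
"""
from urllib.parse import urlsplit

# Constructed allowlist of legitimate registrable domains (assumption for the example).
TRUSTED_DOMAINS = {"examplebank.com"}


def registrable_domain(host):
    """Last two DNS labels, e.g. 'login.examplebank.com' -> 'examplebank.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return (verdict, reason); verdict is 'ok' or 'suspicious'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if not host:
        return "suspicious", "no hostname"
    # 'https://examplebank.com@evil.example/' -> the browser goes to evil.example;
    # everything before '@' is userinfo, a classic trick to make the link look trusted.
    if parts.username is not None:
        return "suspicious", "credentials in URL (userinfo trick)"
    # Internationalised (punycode) labels can be visually confused with ASCII names.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "IDN/punycode hostname"
    # A bank's login page is not served from a bare IP address.
    if host.replace(".", "").isdigit():
        return "suspicious", "raw IP address as host"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        if parts.scheme != "https":
            return "suspicious", "trusted domain but not HTTPS"
        return "ok", f"registrable domain {domain} is trusted"
    # Trusted name buried in a subdomain ('examplebank.com.secure-login.example')
    # or a look-alike of the brand ('examplebank-login.example').
    for trusted in TRUSTED_DOMAINS:
        if trusted in host or trusted.split(".")[0] in domain:
            return "suspicious", f"looks like {trusted} but is {domain}"
    return "suspicious", f"registrable domain {domain} not in allowlist"


# Constructed sample links of the kinds seen in phishing mail.
SAMPLE_URLS = [
    "https://examplebank.com/login",
    "https://examplebank.com.secure-login.example/login",
    "https://examplebank.com@203.0.113.5/login",
    "http://examplebank.com/login",
    "https://203.0.113.5/login",
    "https://xn--bank-example.com/",          # constructed punycode-style label
    "https://examplebank-login.example/",
]


def scan(urls=SAMPLE_URLS):
    """Classify every URL and return {url: (verdict, reason)}."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, (verdict, reason) in scan().items():
        print(f"{verdict:10s} {url}  ({reason})")
```

Only the first sample URL passes; every other one trips a different rule, which is the point: a user comparing link text with the real destination is doing by eye what this function does mechanically.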
Systems Vulnerability and Abuse

• Why systems are vulnerable
  Through communication networks, information systems in different locations are interconnected. In a client/server computing environment, vulnerabilities exist at each layer and in the communications between layers.
  - Users at the client layer: introduce errors, access the system without authorization, unknowingly download spyware and viruses.
  - Hackers on the network: read data flowing over networks, steal data during transmission, alter messages without authorization.
  The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures and other electrical problems can cause disruptions at any point in the network.
Figure: Security Challenges and Vulnerabilities

• System vulnerability
  - Internet vulnerabilities: corporate networks link to the Internet, so the firm's information systems are open to attack from outsiders. Computers on always-on broadband (cable/DSL) connections with fixed addresses are more exposed to penetration than those on older dial-up lines, which were connected only intermittently.
  - Wireless security challenges: an open Wi-Fi hotspot is not secure, because the traffic between the laptop and the access point is not encrypted and anyone in radio range can capture it. Even on an encrypted (WPA2/WPA3) network only the wireless hop is protected, so sensitive traffic should also be protected end to end with TLS or a VPN.
• Malicious software (malware)
  - Viruses: a computer virus is a program that attaches itself to other programs or data files in order to be executed, usually without the user's knowledge. It may destroy programs or data, clog computer memory, or reformat the hard drive. It spreads from computer to computer when users take an action such as sending an e-mail attachment or copying an infected file.
  - Worms: independent programs that copy themselves from one computer to another over a network. Worms operate on their own without attaching to other program files, so they spread far faster than viruses.
  - Trojan horses: a program that appears useful or harmless but carries hidden malicious code. It is not a virus itself (it does not replicate), but it is a common way for viruses or other malicious code to be introduced into a computer system.
  - Spyware: malicious software in its own right. These small programs install themselves on computers to monitor the user's web-surfing activity, giving outsiders the chance to invade privacy and steal personal identity, including PIN codes, logins and account information.
• Hackers and cybervandalism
  A hacker is an individual who intends to gain unauthorized access to a computer system.
  Cybervandalism is the intentional disruption, defacement or even destruction of a website or corporate information system.
  - Spoofing: hiding one's true identity or misrepresenting oneself, for example with a fake e-mail sender address. Spoofing may also involve redirecting a web link to an address different from the intended destination; if hackers redirect customers to a fake website, they can collect sensitive customer information.
  - Sniffing: a type of eavesdropping program that monitors information traveling over a network. On an unencrypted link (open Wi-Fi, plain HTTP) a sniffer reads passwords and other data in the clear.
  - Denial-of-service (DoS) attacks: hackers flood a network server with bogus communications or requests for service until it crashes or can no longer serve legitimate users. Although DoS attacks do not destroy information or access restricted areas of a company's information system, they often cause a website to shut down.
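A DoS flood shows up in the server's own access log long before the site falls over: one source sending far more requests per second than any real visitor. The detector below is an added example written for these notes, not code from the slides or from any product. The log lines are constructed, and the policy (more than 20 requests from one address inside a 10-second sliding window) is an assumed threshold to be tuned against real traffic.

```python
"""Detect a request flood (denial-of-service pattern) in web-server access logs.

Added example, not from the slides.  The log lines are constructed and the
threshold (MAX_REQUESTS within WINDOW_SECONDS from one source) is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 10
MAX_REQUESTS = 20

# Apache/NGINX combined-log style line: client, timestamp, request, status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Return (ip, datetime, request, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _ = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, request, int(status)


def find_flooders(lines, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
    """Return {ip: peak request count in any window} for sources over the limit.

    A sliding window per source means a burst is reported as soon as it happens,
    not only after the whole log has been counted.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ip, when, _, _ = parsed
        q = recent[ip]
        q.append(when)
        while q and (when - q[0]).total_seconds() > window:  # expire old entries
            q.popleft()
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def make_sample_log():
    """Constructed sample: one normal client, one source sending 30 requests in 3 s."""
    lines = []
    for i in range(5):
        lines.append(f'198.51.100.7 - - [16/Jan/2013:10:00:{i * 2:02d} +0000] '
                     f'"GET /page{i} HTTP/1.1" 200 512')
    for i in range(30):
        lines.append(f'203.0.113.9 - - [16/Jan/2013:10:00:{i // 10:02d} +0000] '
                     f'"GET / HTTP/1.1" 200 512')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, n in find_flooders(make_sample_log()).items():
        print(f"ALERT flood from {ip}: {n} requests within {WINDOW_SECONDS}s")
```

The same loop can feed a firewall rule that drops the offending address; against a distributed flood from many sources the per-address count stays low, which is why upstream filtering is still needed.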
• Computer crime and cyberterrorism
  - Identity theft
    Phishing: setting up fake websites or sending e-mail messages that look like those of legitimate businesses to ask for confidential data.
    Evil twins: wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet, such as in cafes, airport lounges and hotels. The bogus network looks identical to the legitimate public network, and the attacker running it can read everything sent through it.
    Pharming: redirects users to a bogus web page even when the individual types the correct web address into the browser. This is possible if the pharming perpetrators gain access to the Internet address (DNS) information stored by the service provider.
  - Click fraud: an individual or program fraudulently clicks on an online advertisement without any intention of learning more about the advertiser or making a purchase, running up the advertiser's pay-per-click costs.
  - Cyberterrorism and cyberwarfare: cyber attacks might target the software that runs electrical power grids, air traffic control systems or the networks of major banks and financial institutions.
• Internal threats: employees
  Employees already have legitimate access to privileged information; in the absence of internal security procedures that access can be misused, or leaked through carelessness (for example by giving a password to a caller posing as the help desk).
• Software vulnerability
  Software flaws not only hurt performance but also leave the system open to intruders and let malware slip through. Vendors issue patches to repair such flaws; applying them promptly (patch management) is a basic control.
Business Value of Security and Control

• Many firms are reluctant to spend heavily on security because it is not directly related to revenue. Yet companies hold valuable information about individuals and confidential corporate information, and government systems may store information on weapon systems, intelligence operations and so on; the loss or exposure of such information is a real business cost.
• Legal and regulatory requirements for electronic records management: firms face legal obligations for electronic records management and document retention as well as for privacy protection. Electronic records management (ERM) consists of the policies, procedures and tools for managing the retention, destruction and storage of electronic records.
• Electronic evidence and computer forensics: the scientific collection, examination, authentication, preservation and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law. The evidence must be shown not to have been altered; a cryptographic hash of the storage image taken at acquisition and re-checked later is the usual proof.
Establishing a Framework for Security and Control

• Risk assessment: determines the level of risk to the firm if a specific activity or process is not properly controlled. Identify:
  - the value of the information assets
  - points of vulnerability
  - the likely frequency of a problem
  - the potential for damage
  The expected annual loss of each exposure is its probability of occurring in a year multiplied by the average loss it would cause; ranking exposures by that figure shows where controls are needed first.
• Security policy: defines the acceptable use of the firm's information resources and which members of the company have access to which information assets. Involves:
  - Acceptable Use Policy (AUP)
  - Authorization policies
  - Authorization management systems
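The risk-assessment bullet reduces to a calculation a practitioner should be able to put in front of management: expected annual loss per exposure, ranked, and compared with what a control would cost. The code below is an added example for these notes (not from the slides); the assets, probabilities and loss ranges are constructed figures, and the "probability times average loss" method is the standard one the bullet describes.

```python
"""Rank exposures by expected annual loss and test whether a control pays for itself.

Added example, not from the slides.  All assets, probabilities and loss figures
are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Exposure:
    asset: str                  # information asset or business process
    threat: str                 # point of vulnerability
    annual_probability: float   # likely frequency of the problem, per year
    loss_low: float             # potential damage, low estimate
    loss_high: float            # potential damage, high estimate

    def average_loss(self):
        return (self.loss_low + self.loss_high) / 2

    def expected_annual_loss(self):
        """Expected loss = probability of occurrence x average loss."""
        return self.annual_probability * self.average_loss()


def rank_exposures(exposures):
    """Exposures sorted by expected annual loss, highest first."""
    return sorted(exposures, key=lambda e: e.expected_annual_loss(), reverse=True)


def control_is_worthwhile(exposure, residual_probability, annual_control_cost):
    """A control is justified when the loss it avoids per year exceeds its cost.

    Returns (worthwhile, annual_loss_avoided).
    """
    before = exposure.expected_annual_loss()
    after = residual_probability * exposure.average_loss()
    avoided = before - after
    return avoided > annual_control_cost, avoided


# Constructed figures for an online order-processing system.
SAMPLE = [
    Exposure("order processing", "power failure", 0.30, 5_000, 200_000),
    Exposure("order processing", "embezzlement", 0.05, 1_000, 50_000),
    Exposure("order processing", "user error", 0.98, 200, 40_000),
]

if __name__ == "__main__":
    for e in rank_exposures(SAMPLE):
        print(f"{e.threat:15s} p={e.annual_probability:.2f} "
              f"expected annual loss = {e.expected_annual_loss():,.0f}")
    # Would a UPS/generator (assumed 10,000/yr, cutting the probability to 0.05) pay off?
    ok, avoided = control_is_worthwhile(SAMPLE[0], 0.05, 10_000)
    print(f"UPS avoids {avoided:,.0f}/yr -> {'worthwhile' if ok else 'not worthwhile'}")
```

With these figures power failure (30,750) outranks user error (19,698) even though user error is almost certain to occur, which is why the frequency and the damage are both needed; the same numbers justify a 10,000-a-year power control and reject a 30,000-a-year one.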
• Ensuring business continuity
  - Disaster recovery planning (restoring computing and communications services after they have been disrupted) and business continuity planning (how the company will restore business operations after a disaster strikes)
  - Security outsourcing (a managed security service provider monitors network activity and performs vulnerability testing on the firm's behalf)
Technologies and Tools for Security

• Access control: the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders.
  Authentication technologies (establishing that a user is who they claim to be):
  - Tokens (physical devices or apps that generate one-time passcodes)
  - Smart cards
  - Biometric authentication
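A token is only a small device running a known algorithm: a shared secret, the current time, and an HMAC. The implementation below is an added example for these notes, not the slides' own material or any vendor's code. It uses the RFC 6238 test-vector secret so that the output can be checked against the published values; a real token's secret is random, provisioned once, and never reused.

```python
"""Time-based one-time password (RFC 6238) as used by hardware and app tokens.

Added example, not from the slides.  RFC_SECRET is the published RFC 6238
test-vector secret, used only so the values can be verified.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP = HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, step=30, digits=6, skew=1):
    """Accept the code for the current step or `skew` steps either side (clock drift).

    hmac.compare_digest keeps the comparison constant-time so a timing difference
    cannot reveal how many leading digits of a guess were right.
    """
    for delta in range(-skew, skew + 1):
        candidate = totp(secret, unix_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret

if __name__ == "__main__":
    # Token side: display the current code; server side: verify what the user typed.
    now = int(time.time())
    shown = totp(RFC_SECRET, now)
    print("token shows", shown, "-> server accepts:", verify_totp(RFC_SECRET, shown, now))
```

The server must also remember which time step it last accepted for a user and refuse a second login with the same code, otherwise a sniffed code remains valid for the rest of the step.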
• Firewalls: a combination of hardware and software that controls the flow of incoming and outgoing network traffic. It is generally placed between an organization's private internal networks and distrusted external networks. Rules are evaluated in order, and anything not explicitly permitted should be denied.
• Network Address Translation (NAT): conceals the IP addresses of the organization's internal hosts behind the firewall's public address, so that outsiders cannot address internal systems directly. NAT hides addresses; it does not by itself inspect or block traffic, so it complements rather than replaces the firewall rules.
• Intrusion detection systems: full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders continually.
• Antivirus software
• Securing wireless networks
• Encryption and public key infrastructure
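The firewall bullet above is the one worth seeing as logic: a packet is matched against an ordered rule list, the first match wins, and a packet that matches nothing is dropped. The evaluator below is an added example for these notes, not code from the slides or from any firewall product. The rule set, the packets and the address ranges (RFC 1918 private space inside, documentation addresses outside) are all constructed for the example; direction comes from the interface a packet arrived on, as it does on a real firewall, so a packet from outside that claims an internal source address is caught by the anti-spoofing rule.

```python
"""Stateless packet-filter rules, first match wins, default deny.

Added example, not from the slides.  The rule set, packets and address ranges
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed private internal range


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    direction: str                    # "in" (from outside) or "out" (to outside)
    proto: str                        # "tcp", "udp" or "any"
    dst_port: Optional[int]           # None = any port
    src: Optional[ipaddress.IPv4Network] = None   # None = any source


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int
    from_outside: bool                # which interface it arrived on

    @property
    def direction(self):
        return "in" if self.from_outside else "out"


RULES = [
    # Anti-spoofing: nothing arriving from outside may carry an internal source address.
    Rule("deny", "in", "any", None, INTERNAL),
    Rule("allow", "in", "tcp", 443),          # public web server
    Rule("allow", "in", "tcp", 25),           # inbound mail
    Rule("allow", "out", "tcp", 443),         # staff browsing (HTTPS)
    Rule("allow", "out", "tcp", 80),
    Rule("allow", "out", "udp", 53),          # DNS lookups
    # Everything else, in either direction, falls through to the default deny.
]


def evaluate(packet, rules=RULES):
    """Return (action, index of the matching rule); (deny, None) if nothing matched."""
    src_ip = ipaddress.ip_address(packet.src)
    for i, rule in enumerate(rules):
        if rule.direction != packet.direction:
            continue
        if rule.proto != "any" and rule.proto != packet.proto:
            continue
        if rule.dst_port is not None and rule.dst_port != packet.dst_port:
            continue
        if rule.src is not None and src_ip not in rule.src:
            continue
        return rule.action, i
    return "deny", None


# Constructed traffic: legitimate web visit, RDP probe, outbound HTTPS, spoofed packet.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "10.0.0.80", "tcp", 443, from_outside=True),
    Packet("203.0.113.5", "10.0.0.80", "tcp", 3389, from_outside=True),
    Packet("10.0.0.5", "203.0.113.5", "tcp", 443, from_outside=False),
    Packet("10.0.0.5", "10.0.0.80", "tcp", 443, from_outside=True),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        action, idx = evaluate(p)
        print(f"{p.direction:3s} {p.src} -> {p.dst}:{p.dst_port}/{p.proto}  "
              f"{action} (rule {idx})")
```

The RDP probe is dropped not by a rule written against it but by the absence of one, which is the default-deny property the bullet calls for; the spoofed packet shows why the anti-spoofing rule must come first.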
Assignment

• Study amazon.com and barnesandnoble.com. Prepare an evaluation of each business's website in terms of:
  - Functions
  - User friendliness
  - Ability to support the company's business strategy
  - Which website does a better job?

						