Is System Security

INFORMATION SYSTEM SECURITY, CONTROL AND AUDIT

Transcript of Is System Security

Page 1: Is System Security

8/6/2019 Is System Security

http://slidepdf.com/reader/full/is-system-security 1/30

INFORMATION SYSTEM SECURITY, CONTROL AND AUDIT

Page 2: Is System Security


WHAT IS INFORMATION SECURITY?

Means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

The process of ensuring business systems and information assets are protected, secure and available.

Page 3: Is System Security


INFORMATION SYSTEMS SECURITY

A discipline that protects the
Confidentiality,
Integrity and
Availability
of information and information services.

aka: Network Security, Computer Security, Information Assurance, Cyber Warfare

Page 4: Is System Security


WHY IT IS IMPORTANT

Information security can be expected to achieve important business objectives by protecting:

- Information assets
- Mission critical applications and systems
- Productivity: daily activities and operations
- The privacy of individuals and their confidential information
- The legal position of the organization, by complying with laws and contracts

With the migration toward an Internet-based world, it becomes more critical to protect Internet-based applications: web-based applications, e-commerce, Voice over IP (Internet Protocol), etc.

Page 5: Is System Security


[Diagram: information, communications and products (physical security), surrounded by the three security goals: availability, integrity and confidentiality]

Page 6: Is System Security


SECURITY CLASSIFICATION FOR INFORMATION

An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information.

Not all information is equal, and so not all information requires the same degree of protection.

Page 7: Is System Security


SYSTEM VULNERABILITY AND ABUSE

Security, in the case of an Information System, refers to the Policies, Procedures and Technical Measures applied to:
Computer Hardware, Software
Communication Networks
Data

Threats to the computerized IS are:
Hardware Failure
Software Failure
Personnel Actions
Theft of data, service or equipment
Fire
Electrical Problems
User Errors
Program Changes
Telecommunication Problems

Page 8: Is System Security


WHY SYSTEMS ARE VULNERABLE

[Diagram: threats at each point along the path from the client to corporate systems]

Client (User):
1. Unauthorized Access
2. Errors

Communication Lines:
1. Tapping
2. Sniffing
3. Message Alteration
4. Theft & Fraud

Corporate Services:
1. Hacking
2. Viruses
3. Theft & Fraud
4. Vandalism
5. Denial of Service Attacks

Corporate Systems (Data Bases):
1. Theft of Data
2. Copying Data
3. Alteration of Data
4. Hardware Failure
5. Software Failure

Page 9: Is System Security


TYPES OF VULNERABILITIES

Internet Vulnerabilities
Wireless Security Challenges

[Diagram: wireless authentication exchange between a Legitimate User and the network, with an Intruder present: Authentication Request, Challenge, Response, Success]
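The challenge-response exchange in the diagram, as an added example that is not part of the deck: the network issues a fresh challenge for every authentication request, the user answers with an HMAC keyed by the shared secret, and an intruder who only observed an earlier exchange cannot reuse the captured response. The shared secret and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for this example only; in a real wireless deployment the
# secret comes from the provisioned credential and is never transmitted.
SHARED_SECRET = b"example-shared-secret-not-for-production"


def make_challenge() -> bytes:
    """Network side: a fresh, unpredictable nonce for every Authentication Request."""
    return secrets.token_bytes(16)


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """User side: prove knowledge of the secret by keying an HMAC over the challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def verify_response(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Network side: recompute and compare in constant time (Success or failure)."""
    return hmac.compare_digest(compute_response(secret, challenge), response)


def legitimate_exchange():
    """Authentication Request -> Challenge -> Response -> Success, as in the diagram."""
    challenge = make_challenge()
    response = compute_response(SHARED_SECRET, challenge)
    return challenge, response, verify_response(SHARED_SECRET, challenge, response)


def replayed_response_is_rejected(captured_response: bytes) -> bool:
    """An intruder who only watched the exchange holds a past response, not the secret.
    Because every request gets a new challenge, the captured response fails verification."""
    fresh_challenge = make_challenge()
    return not verify_response(SHARED_SECRET, fresh_challenge, captured_response)
```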

Page 10: Is System Security


Malicious Software: Viruses, Worms, Trojan Horses, & Spyware

Hackers

Computer Crime & Cyber Terrorism

Internal Threats: Employees

Software Vulnerability

Page 11: Is System Security


HACKER MOTIVATIONS

Attack the Evil Empire (Microsoft)

Display of dominance

Misdirected creativity

"Who knows what evil lurks in the hearts of men?"

Showing off, revenge

Embezzlement, greed

Page 12: Is System Security


THREATS: MALWARE

Malware is Malicious Software: deliberately created and specifically designed to damage, disrupt or destroy network services, computer data and software.

There are several types...

Page 13: Is System Security


MALWARE TYPES

Viruses:
Conceal themselves
Infect computer systems
Replicate themselves
Deliver a payload

Page 14: Is System Security


MALWARE TYPES

Worms:
Programs that are capable of independently propagating throughout a computer network.

They replicate fast and consume large amounts of the host computer's memory.

Page 15: Is System Security


Malware Types

Trojan Horses:
Programs that contain hidden functionality that can harm the host computer and the data it contains.

THs are not automatic replicators: computer users inadvertently set them off.

Page 16: Is System Security


Malware Types

Software Bombs:
Time Bombs: triggered by a specific time/date
Logic Bombs: triggered by a specific event

Both are introduced some time before and will damage the host system.

Page 17: Is System Security


BUSINESS VALUE OF SECURITY & CONTROL

1. Security and Control have become a critical, although perhaps unappreciated, area of information systems investment.

2. The longer computer systems are down, the more serious the consequences for the firm.

3. Computers have very valuable information assets to protect.

Types of Information Systems Controls:
General Controls
Application Controls
  Input Controls
  Processing Controls
  Output Controls
Risk Assessment
Security Policy
Ensuring Business Continuity
Security Outsourcing

Page 18: Is System Security


TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL

Access Control

It consists of all policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders.

Access control software is designed to allow authorized persons to use systems or to access data using some method for authentication. Sometimes systems use tokens such as smart cards for access control.

Biometric Authentication.

Page 19: Is System Security


FIREWALLS

A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic.

It is placed between the organization's private internal networks and untrusted external networks such as the Internet.

[Diagram: firewall between the Internet and the internal database, enforcing a policy expressed as rules]

Page 20: Is System Security


Intrusion Detection Systems

Feature full-time monitoring tools placed at the most vulnerable points or hot spots of corporate networks to detect and deter intruders continually.

The system generates an alarm if it finds a suspicious or anomalous event.

It can also be customized to shut down a particularly sensitive part of a network if it receives unauthorized traffic.
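The alarm logic described above, as an added example that is not from the deck: a detector reads login records, raises an alarm when one source fails to log in repeatedly inside a short window (suspicious), and raises another if that source then succeeds (anomalous). The log lines, their format and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (simplified syslog-like lines); not taken from the deck.
SAMPLE_LOG = """\
2024-01-15T10:00:01 sshd: Failed password for admin from 198.51.100.7
2024-01-15T10:00:03 sshd: Failed password for admin from 198.51.100.7
2024-01-15T10:00:04 sshd: Failed password for root from 198.51.100.7
2024-01-15T10:00:05 sshd: Failed password for admin from 198.51.100.7
2024-01-15T10:00:06 sshd: Failed password for admin from 198.51.100.7
2024-01-15T10:00:07 sshd: Accepted password for admin from 198.51.100.7
2024-01-15T10:05:00 sshd: Failed password for alice from 10.0.0.5
2024-01-15T10:30:00 sshd: Accepted password for alice from 10.0.0.5
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(line: str):
    """Return (timestamp, outcome, user, source), or None for lines this rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.fromisoformat(ts), outcome, user, src

def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Alarm when one source produces `threshold` failed logins inside `window`, and
    again if a flagged source then logs in successfully. Returns (time, message) pairs."""
    alarms = []
    recent = defaultdict(deque)   # source -> failure timestamps still inside the window
    flagged = set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, outcome, user, src = rec
        if outcome == "Failed":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                secs = int(window.total_seconds())
                alarms.append((ts.isoformat(), f"{len(q)} failed logins from {src} within {secs}s"))
        elif src in flagged:
            alarms.append((ts.isoformat(), f"successful login as {user} from flagged source {src}"))
    return alarms
```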

Page 21: Is System Security


Antivirus Software

It is designed to check computer systems and drives for the presence of computer viruses.

The software can eliminate the virus from the infected area.

However, most antivirus software is effective only against viruses already known when the software was written.

To remain effective, the antivirus software must be continually updated.

Page 22: Is System Security


Securing Wireless Networks

Extensible Authentication Protocol

Encryption and Public Key Infrastructure
It is the coding and scrambling of messages to prevent unauthorized access to or understanding of the data being transmitted.

Public Key Encryption

[Diagram: the Sender encrypts the message with the public key, the scrambled message travels to the Recipient, who decrypts it with the private key]

Page 23: Is System Security


Ensuring Software Reliability


Page 25: Is System Security


NEED FOR SECURITY

Confidentiality
Integrity
Availability
Authenticity
Non-repudiation
Risk Management

Page 26: Is System Security


METHODS OF MINIMIZING RISKS

The threats of accidents & malfunctions in the ISS are many, such as:
Accidents
Uncontrollable external events
Attacks

Methods of minimizing risks:
Controlling software development & modifications
Providing security training
Maintaining Physical Security
Controlling access to data, computers & networks
Controlling traditional transaction processing
  Data Preparation & authorization
  Data Validation
  Error Correction

Page 27: Is System Security


Maintaining security in web-based transactions
  Privacy
  Authentication
  Integrity

Motivating efficient & effective operation

Auditing IS

Page 28: Is System Security


Risk Control Measures

Three types of controls:

Administrative
  Corporate security policy, Password policy, Hiring policy & Disciplinary policy

Logical
  Passwords, network & host based firewalls, network detection systems, access control list

Physical
  Doors, locks, heating, fencing, security guards, air conditioning, smoke, fire alarms, fire suppression systems, cameras, etc.


Page 30: Is System Security


Ensuring System Quality

Software Quality Assurance
  Methodologies
  Resource Allocation
  Software Metrics
    Carefully designed
    Formal
    Objective
    Measure significant aspects of the system
    Used consistently
    Agreed to by users in advance
  Quality tools
  Data Quality Audits