Is System Security
Transcript of Is System Security
8/6/2019 Is System Security
http://slidepdf.com/reader/full/is-system-security 1/30
INFORMATION SYSTEM SECURITY, CONTROL AND AUDIT
WHAT IS INFORMATION SECURITY?
Means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
The process of ensuring that business systems and information assets are protected, secure and available.
INFORMATION SYSTEMS SECURITY
A discipline that protects the
- Confidentiality,
- Integrity and
- Availability
of information and information services.
aka: Network Security, Computer Security, Information Assurance, Cyber Warfare
WHY IT IS IMPORTANT
Information security can be expected to achieve important business objectives by protecting:
- Information assets
- Mission-critical applications and systems
- Productivity: daily activities and operations
- The privacy of individuals and their confidential information
- The legal position of the organization, by complying with laws and contracts
With the migration toward an Internet-based world, it becomes more critical to protect Internet-based applications: web-based applications, e-commerce, Voice over IP (VoIP), etc.
[Figure: the three security properties (confidentiality, integrity, availability) applied to information, communications, and products (physical security)]
SECURITY CLASSIFICATION FOR INFORMATION
An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for that information.
Not all information is equal, and so not all information requires the same degree of protection.
SYSTEM VULNERABILITY AND ABUSE
Security, in the case of an information system, refers to the policies, procedures and technical measures that protect:
- Computer hardware and software
- Communication networks
- Data
Threats to the computerized IS are:
- Hardware failure
- Software failure
- Personnel actions
- Theft of data, service or equipment
- Fire
- Electrical problems
- User errors
- Program changes
- Telecommunication problems
WHY SYSTEMS ARE VULNERABLE
[Figure: points of vulnerability along the path from the client to corporate systems]
- Client (user): 1. Unauthorized access; 2. Errors
- Communication lines: 1. Tapping; 2. Sniffing; 3. Message alteration; 4. Theft & fraud
- Corporate servers: 1. Hacking; 2. Viruses; 3. Theft & fraud; 4. Vandalism; 5. Denial of service attacks
- Corporate systems (databases): 1. Theft of data; 2. Copying data; 3. Alteration of data; 4. Hardware failure; 5. Software failure
TYPES OF VULNERABILITIES
- Internet vulnerabilities
- Wireless security challenges
[Figure: challenge-response authentication on a wireless network. The legitimate user sends an authentication request, receives a challenge, returns a response and is granted success; an intruder is positioned where it can observe the exchange.]
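The exchange in the figure, written out as an added example that is not part of the original slides: the network issues a fresh random challenge, the legitimate user answers with an HMAC over it using a key that never crosses the air, and the verifier accepts each challenge only once. The shared key, the use of HMAC-SHA256 and the single-use rule are assumptions made for this example (the slide names no specific protocol). It shows why an intruder who merely sniffs a valid (challenge, response) pair gains nothing.

```python
import hmac
import hashlib
import secrets

# Shared secret provisioned out of band (constructed for this example only).
SHARED_KEY = b"example-shared-key-not-for-production"


class Authenticator:
    """Network side: issues a fresh random challenge and checks the response."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()   # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)   # unpredictable, never reused
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Each challenge is accepted once; a replayed (challenge, response) is rejected
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def client_respond(key: bytes, challenge: bytes) -> bytes:
    """Legitimate user: proves knowledge of the key without transmitting it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def run_exchange() -> dict:
    auth = Authenticator(SHARED_KEY)

    # 1. Legitimate user: authentication request -> challenge -> response -> success
    c1 = auth.issue_challenge()
    r1 = client_respond(SHARED_KEY, c1)
    legit_ok = auth.verify(c1, r1)

    # 2. Intruder who sniffed (c1, r1) over the air and replays it
    replay_ok = auth.verify(c1, r1)

    # 3. Intruder who obtains a fresh challenge but does not know the key
    c2 = auth.issue_challenge()
    forged = client_respond(b"guess", c2)
    forged_ok = auth.verify(c2, forged)

    return {"legit": legit_ok, "replay": replay_ok, "forged": forged_ok}
```

The same idea, with the key derived from the user's credential and a certificate for the network side, is what the EAP methods mentioned later in the deck provide; a scheme that sends the password itself in the response has no such replay protection.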
- Malicious software: viruses, worms, Trojan horses and spyware
- Hackers
- Computer crime and cyber terrorism
- Internal threats: employees
- Software vulnerability
HACKER MOTIVATIONS
- Attack the "Evil Empire" (Microsoft)
- Display of dominance
- Misdirected creativity
- "Who knows what evil lurks in the hearts of men?"
- Showing off, revenge
- Embezzlement, greed
THREATS: MALWARE
Malware is malicious software: deliberately created and specifically designed to damage, disrupt or destroy network services, computer data and software.
There are several types...
MALWARE TYPES
Viruses:
- Conceal themselves
- Infect computer systems
- Replicate themselves
- Deliver a payload
MALWARE TYPES
Worms:
- Programs that are capable of independently propagating throughout a computer network.
- They replicate fast and consume large amounts of the host computer's memory.
MALWARE TYPES
Trojan horses:
- Programs that contain hidden functionality that can harm the host computer and the data it contains.
- Trojan horses are not automatic replicators; computer users inadvertently set them off.
MALWARE TYPES
Software bombs:
- Time bombs: triggered by a specific time/date
- Logic bombs: triggered by a specific event
- Both are introduced some time beforehand and will damage the host system when triggered.
BUSINESS VALUE OF SECURITY & CONTROL
1. Security and control have become a critical, although perhaps unappreciated, area of information systems investment.
2. The longer computer systems are down, the more serious the consequences for the firm.
3. Computers hold very valuable information assets that must be protected.
Types of information systems controls:
- General controls
- Application controls:
  - Input controls
  - Processing controls
  - Output controls
- Risk assessment
- Security policy
- Ensuring business continuity
- Security outsourcing
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Access Control
Access control consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders.
Access control software is designed to allow authorized persons to use systems or to access data, using some method of authentication. Sometimes systems use tokens such as smart cards for access control.
Biometric authentication.
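An added example (not from the original slides) of the two halves of access control software described above: authentication, here by password checked against a salted PBKDF2 hash, followed by authorization against an access control list with default deny. The user names, the resource name `payroll.db`, the permission strings and the PBKDF2 parameters are assumptions chosen for the example; a token or biometric factor would replace or supplement the password step without changing the authorization half.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

PBKDF2_ROUNDS = 200_000   # slows down offline guessing if the credential store leaks


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash; the plaintext password is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class AccessControl:
    """Authentication (who are you?) followed by authorization (what may you do?)."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}
        # Access control list: resource -> {(user, permission)}
        self._acl: Dict[str, Set[Tuple[str, str]]] = {}

    def add_user(self, user: str, password: str) -> None:
        self._creds[user] = hash_password(password)

    def grant(self, resource: str, user: str, permission: str) -> None:
        self._acl.setdefault(resource, set()).add((user, permission))

    def authenticate(self, user: str, password: str) -> bool:
        entry = self._creds.get(user)
        if entry is None:
            hash_password(password)   # same cost for unknown users: no username enumeration by timing
            return False
        return verify_password(password, *entry)

    def authorize(self, user: str, resource: str, permission: str) -> bool:
        # Default deny: no ACL entry means no access
        return (user, permission) in self._acl.get(resource, set())

    def access(self, user: str, password: str, resource: str, permission: str) -> str:
        if not self.authenticate(user, password):
            return "denied: authentication failed"
        if not self.authorize(user, resource, permission):
            return "denied: not authorized"
        return "granted"


def demo() -> dict:
    # Constructed users, resource and grants for the example
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple")
    ac.add_user("bob", "hunter2")
    ac.grant("payroll.db", "alice", "read")
    ac.grant("payroll.db", "alice", "write")
    ac.grant("payroll.db", "bob", "read")
    return {
        "alice_write": ac.access("alice", "correct horse battery staple", "payroll.db", "write"),
        "bob_write": ac.access("bob", "hunter2", "payroll.db", "write"),
        "bob_badpw": ac.access("bob", "wrong", "payroll.db", "read"),
        "mallory": ac.access("mallory", "x", "payroll.db", "read"),
    }
```

Note that a failed authentication and a failed authorization are distinguished internally (for logging and audit) but a production system would return the same generic refusal to the caller.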
FIREWALLS
A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic.
It is placed between the organization's private internal networks and untrusted external networks such as the Internet.
[Figure: the firewall sits between the Internet and the internal network (which holds the database) and applies policy rules to the traffic crossing it]
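An added example, not from the original slides, of the "policy rules" box in the figure: a minimal packet filter that evaluates an ordered rule list and drops anything no rule allows (default deny). The addresses (a public web server at 10.0.1.10, a database at 10.0.2.20, the internal 10.0.0.0/8 range) and the ports are assumptions constructed for the example; the point is that the database is reachable only from the web tier, never from the Internet or from ordinary internal desktops.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: Optional[str] = None    # CIDR; None means any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet no rule mentions is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed network layout for the example
INTERNAL = "10.0.0.0/8"
WEB_SERVER = "10.0.1.10/32"
DB_SERVER = "10.0.2.20/32"

POLICY = [
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=443),                  # anyone may reach the public web server
    Rule("allow", src=WEB_SERVER, dst=DB_SERVER, proto="tcp", dport=5432),  # only the web tier talks to the database
    Rule("allow", src=INTERNAL, proto="tcp", dport=443),                    # internal hosts may browse out over HTTPS
    Rule("allow", src=INTERNAL, proto="udp", dport=53),                     # ... and resolve names
    # everything else falls through to evaluate()'s default deny
]


def demo() -> dict:
    cases = {
        "internet_to_web_https": Packet("203.0.113.5", "10.0.1.10", "tcp", 443),
        "internet_to_web_ssh": Packet("203.0.113.5", "10.0.1.10", "tcp", 22),
        "internet_to_db": Packet("203.0.113.5", "10.0.2.20", "tcp", 5432),
        "web_to_db": Packet("10.0.1.10", "10.0.2.20", "tcp", 5432),
        "desktop_to_db": Packet("10.0.5.7", "10.0.2.20", "tcp", 5432),
        "desktop_to_internet_https": Packet("10.0.5.7", "198.51.100.9", "tcp", 443),
    }
    return {name: evaluate(POLICY, p) for name, p in cases.items()}
```

Real firewalls add connection state (so reply packets of an allowed outbound connection are admitted without a separate inbound rule), but the ordering and default-deny logic is the same.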
Intrusion Detection Systems
Feature full-time monitoring tools placed at the most vulnerable points or "hot spots" of corporate networks to detect and deter intruders continually.
The system generates an alarm if it finds a suspicious or anomalous event.
It can also be customized to shut down a particularly sensitive part of a network if it receives unauthorized traffic.
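An added example (not from the original slides) of the "suspicious or anomalous event" logic: two detection rules run over constructed log lines, one raising an alarm when a source exceeds a threshold of failed logins inside a time window, the other when a source probes many distinct ports in a few seconds. The log format, thresholds and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample log lines; not from any real system.
SAMPLE_LOG = """\
2019-08-06T10:00:01 sshd: Failed password for admin from 198.51.100.7 port 51234
2019-08-06T10:00:03 sshd: Failed password for admin from 198.51.100.7 port 51235
2019-08-06T10:00:04 sshd: Failed password for root from 198.51.100.7 port 51236
2019-08-06T10:00:06 sshd: Failed password for admin from 198.51.100.7 port 51237
2019-08-06T10:00:07 sshd: Failed password for admin from 198.51.100.7 port 51238
2019-08-06T10:00:09 sshd: Accepted password for alice from 10.0.5.7 port 40001
2019-08-06T10:00:10 sshd: Failed password for alice from 10.0.5.7 port 40002
2019-08-06T10:01:00 fw: DENY TCP 203.0.113.9 -> 10.0.1.10:21
2019-08-06T10:01:00 fw: DENY TCP 203.0.113.9 -> 10.0.1.10:22
2019-08-06T10:01:01 fw: DENY TCP 203.0.113.9 -> 10.0.1.10:23
2019-08-06T10:01:01 fw: DENY TCP 203.0.113.9 -> 10.0.1.10:25
2019-08-06T10:01:02 fw: DENY TCP 203.0.113.9 -> 10.0.1.10:80
2019-08-06T10:01:02 fw: DENY TCP 203.0.113.9 -> 10.0.1.10:110
2019-08-06T10:01:03 fw: DENY TCP 203.0.113.9 -> 10.0.1.10:143
2019-08-06T10:01:03 fw: DENY TCP 203.0.113.9 -> 10.0.1.10:443
2019-08-06T10:02:00 fw: DENY TCP 192.0.2.4 -> 10.0.1.10:22
"""

FAILED_LOGIN = re.compile(r"^(\S+) sshd: Failed password for \S+ from (\S+) port")
FW_DENY = re.compile(r"^(\S+) fw: DENY \w+ (\S+) -> \S+:(\d+)$")

BRUTE_FORCE_THRESHOLD = 5          # failed logins from one source ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)   # ... within this window
SCAN_THRESHOLD = 6                 # distinct destination ports from one source ...
SCAN_WINDOW = timedelta(seconds=10)          # ... within this window


def detect(log_text: str) -> List[dict]:
    """Return one alert per (rule, source) the first time its threshold is crossed."""
    alerts: List[dict] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    probes: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    alerted: Set[Tuple[str, str]] = set()

    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts, src = datetime.fromisoformat(m.group(1)), m.group(2)
            # keep only failures inside the sliding window, then count
            failures[src] = [t for t in failures[src] if ts - t <= BRUTE_FORCE_WINDOW] + [ts]
            if len(failures[src]) >= BRUTE_FORCE_THRESHOLD and ("brute", src) not in alerted:
                alerted.add(("brute", src))
                alerts.append({"type": "brute_force", "src": src, "at": m.group(1)})
            continue
        m = FW_DENY.match(line)
        if m:
            ts, src, port = datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))
            probes[src] = [(t, p) for t, p in probes[src] if ts - t <= SCAN_WINDOW] + [(ts, port)]
            distinct = {p for _, p in probes[src]}
            if len(distinct) >= SCAN_THRESHOLD and ("scan", src) not in alerted:
                alerted.add(("scan", src))
                alerts.append({"type": "port_scan", "src": src, "ports": len(distinct), "at": m.group(1)})
    return alerts
```

On the constructed input the single failure from 10.0.5.7 and the single probe from 192.0.2.4 stay below threshold, which is the tuning problem every IDS has: thresholds low enough to catch a slow attacker produce false alarms on ordinary mistakes.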
Antivirus Software
It is designed to check computer systems and drives for the presence of computer viruses.
The software can eliminate the virus from the infected area.
However, most antivirus software is effective only against viruses already known when the software was written.
To remain effective, the antivirus software must be continually updated.
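An added example (not from the original slides) of why signature-based antivirus only catches what it already knows. A tiny scanner holds two signature kinds, an exact file hash and a byte pattern, and is run over four constructed byte strings that stand in for files: the original sample, a repacked variant with the same payload, a previously unseen family, and a clean file. None of the samples is real malware; the names `Evil.A` and `Other.B` are invented for the example.

```python
import hashlib
from typing import Dict, List

# Constructed stand-ins for files on disk; none of these is real malware.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"EVIL_PAYLOAD_v1" + b"\x00" * 32
VARIANT = b"MZ\x90\x00" + b"\x90\x90" + b"EVIL_PAYLOAD_v1" + b"\x00" * 30   # repacked: same payload, different bytes
NEW_FAMILY = b"MZ\x90\x00" + b"OTHER_PAYLOAD" + b"\x00" * 32               # unknown when the database was built
CLEAN = b"MZ\x90\x00" + b"hello world" + b"\x00" * 32


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SignatureDatabase:
    """Two signature kinds: exact file hashes and byte patterns."""

    def __init__(self) -> None:
        self.hashes: Dict[str, str] = {}       # sha256 hex -> detection name
        self.patterns: Dict[str, bytes] = {}   # detection name -> byte sequence

    def add_hash(self, name: str, sample: bytes) -> None:
        self.hashes[sha256(sample)] = name

    def add_pattern(self, name: str, pattern: bytes) -> None:
        self.patterns[name] = pattern

    def copy(self) -> "SignatureDatabase":
        db = SignatureDatabase()
        db.hashes, db.patterns = dict(self.hashes), dict(self.patterns)
        return db


def scan(db: SignatureDatabase, data: bytes) -> List[str]:
    """Return every signature that fires on the data (empty list = not detected)."""
    hits = []
    h = sha256(data)
    if h in db.hashes:
        hits.append("hash:" + db.hashes[h])
    for name, pattern in db.patterns.items():
        if pattern in data:
            hits.append("pattern:" + name)
    return hits


def demo() -> dict:
    files = {"known": KNOWN_SAMPLE, "variant": VARIANT, "new_family": NEW_FAMILY, "clean": CLEAN}

    # Database as shipped: knows only the original sample
    db_old = SignatureDatabase()
    db_old.add_hash("Evil.A", KNOWN_SAMPLE)
    db_old.add_pattern("Evil.A", b"EVIL_PAYLOAD_v1")
    before = {name: scan(db_old, data) for name, data in files.items()}

    # After a signature update that adds the new family
    db_new = db_old.copy()
    db_new.add_pattern("Other.B", b"OTHER_PAYLOAD")
    after = {name: scan(db_new, data) for name, data in files.items()}
    return {"before": before, "after": after}
```

The hash signature misses the variant as soon as a single byte changes; the pattern signature survives repacking but still knows nothing about the new family until the update arrives, which is the slide's point about continual updates.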
Securing Wireless Networks
- Extensible Authentication Protocol (EAP)
Encryption and Public Key Infrastructure
Encryption is the coding and scrambling of messages to prevent unauthorized access to, or understanding of, the data being transmitted.
Public Key Encryption
[Figure: the sender encrypts the message with the recipient's public key, producing a scrambled message; the recipient decrypts it with the matching private key]
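The figure worked through in code, as an added example that is not part of the original slides: textbook RSA on two small fixed primes, showing encryption with the public key and decryption with the private key, and the reverse use of the same key pair for a digital signature (the non-repudiation property listed later in the deck). The primes, exponent, block scheme and message are assumptions constructed for the example; this is an illustration only, since real systems use 2048-bit or larger keys with a padding scheme (OAEP for encryption, PSS for signatures).

```python
import hashlib
from typing import List, Tuple

# Textbook RSA on tiny fixed primes, constructed for illustration only:
# deterministic, unpadded and trivially factorable. Never use as-is.
P, Q = 65521, 65537          # both prime
N = P * Q                    # public modulus
PHI = (P - 1) * (Q - 1)
E = 17                       # public exponent, coprime with PHI


def modinv(a: int, m: int) -> int:
    """Extended Euclid: return x with (a * x) % m == 1."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    assert old_r == 1, "a and m must be coprime"
    return old_s % m


PUBLIC_KEY = (E, N)                  # may be published to anyone
PRIVATE_KEY = (modinv(E, PHI), N)    # kept secret by its owner

BLOCK = 2   # plaintext bytes per RSA block; 0x01 || block is always < N


def _pad(msg: bytes) -> bytes:
    k = BLOCK - len(msg) % BLOCK
    return msg + bytes([k]) * k


def _unpad(msg: bytes) -> bytes:
    return msg[:-msg[-1]]


def encrypt(public_key: Tuple[int, int], plaintext: bytes) -> List[int]:
    """Sender: scramble with the recipient's PUBLIC key."""
    e, n = public_key
    padded = _pad(plaintext)
    out = []
    for i in range(0, len(padded), BLOCK):
        m = int.from_bytes(b"\x01" + padded[i:i + BLOCK], "big")
        out.append(pow(m, e, n))
    return out


def decrypt(private_key: Tuple[int, int], ciphertext: List[int]) -> bytes:
    """Recipient: unscramble with the matching PRIVATE key."""
    d, n = private_key
    padded = b"".join(pow(c, d, n).to_bytes(BLOCK + 1, "big")[1:] for c in ciphertext)
    return _unpad(padded)


def sign(private_key: Tuple[int, int], message: bytes) -> int:
    """Signer applies the PRIVATE key to a hash of the message."""
    d, n = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public_key: Tuple[int, int], message: bytes, signature: int) -> bool:
    """Anyone with the PUBLIC key can check the signature; only the key owner could have made it."""
    e, n = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def demo() -> dict:
    msg = b"Transfer 500 to account 42"   # constructed message
    ct = encrypt(PUBLIC_KEY, msg)
    sig = sign(PRIVATE_KEY, msg)
    return {
        "roundtrip": decrypt(PRIVATE_KEY, ct) == msg,
        "sig_valid": verify(PUBLIC_KEY, msg, sig),
        "sig_tampered": verify(PUBLIC_KEY, b"Transfer 5000 to account 42", sig),
    }
```

The two directions are what the figure conflates: confidentiality is public-key in, private-key out; a signature is private-key in, public-key out. A public key infrastructure exists to tell the sender that the public key really belongs to the intended recipient.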
Ensuring Software Reliability
NEED FOR SECURITY
- Confidentiality
- Integrity
- Availability
- Authenticity
- Non-repudiation
- Risk management
METHODS OF MINIMIZING RISKS
The threats of accidents and malfunctions in the ISS are many, such as:
- Accidents
- Uncontrollable external events
- Attacks
Methods of minimizing these risks:
- Controlling software development and modifications
- Providing security training
- Maintaining physical security
- Controlling access to data, computers and networks
- Controlling traditional transaction processing:
  - Data preparation and authorization
  - Data validation
  - Error correction
- Maintaining security in web-based transactions:
  - Privacy
  - Authentication
  - Integrity
- Motivating efficient and effective operation
- Auditing IS
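An added example (not from the original slides) of the transaction-processing controls listed above: a constructed batch of payroll transactions is checked first against the batch header prepared at data-preparation time (record count and hash total, which catch records lost, duplicated or mis-keyed since preparation), then record by record for field validation and authorization, with rejected records routed to an error-correction queue with the reason attached. The file layout, the approver list and the amount limit are assumptions made for the example.

```python
import csv
import io
import re
from decimal import Decimal, InvalidOperation
from typing import Dict, List

# Constructed batch. The header totals were computed when the batch was prepared;
# the records were keyed afterwards (one amount was mis-keyed: 1400 instead of 1500).
BATCH_HEADER = {"record_count": 4, "hash_total": Decimal("3575.00")}
BATCH_CSV = """\
txn_id,employee_id,amount,approved_by
T001,E1001,1200.00,mgr7
T002,E1002,950.00,mgr7
T003,E10X3,1400.00,mgr7
T004,E1004,-75.00,
"""
AUTHORIZED_APPROVERS = {"mgr7", "mgr9"}   # assumed list of people who may authorize a payment
EMPLOYEE_ID = re.compile(r"^E\d{4}$")
MAX_AMOUNT = Decimal("10000.00")


def validate_record(rec: Dict[str, str], seen_ids: set) -> List[str]:
    """Field-level input controls; returns the reasons for rejection (empty = accept)."""
    errors = []
    if rec["txn_id"] in seen_ids:
        errors.append("duplicate txn_id")
    if not EMPLOYEE_ID.match(rec["employee_id"]):
        errors.append("employee_id format")
    try:
        amount = Decimal(rec["amount"])
        if amount <= 0:
            errors.append("amount not positive")
        elif amount > MAX_AMOUNT:
            errors.append("amount exceeds limit")
    except InvalidOperation:
        errors.append("amount not numeric")
    if rec["approved_by"] not in AUTHORIZED_APPROVERS:
        errors.append("missing or unauthorized approver")
    return errors


def process_batch(header: dict, csv_text: str) -> dict:
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # Batch controls: compare what arrived with what data preparation recorded
    count_ok = len(rows) == header["record_count"]
    total = Decimal("0")
    for r in rows:
        try:
            total += Decimal(r["amount"])
        except InvalidOperation:
            pass   # non-numeric amounts are reported by validate_record below
    hash_diff = header["hash_total"] - total

    # Record controls: validation and authorization, with error correction queue
    accepted: List[str] = []
    rejected: Dict[str, List[str]] = {}
    seen: set = set()
    for r in rows:
        errs = validate_record(r, seen)
        seen.add(r["txn_id"])
        if errs:
            rejected[r["txn_id"]] = errs   # goes back for correction and resubmission
        else:
            accepted.append(r["txn_id"])
    return {"count_ok": count_ok, "hash_ok": hash_diff == 0, "hash_diff": hash_diff,
            "accepted": accepted, "rejected": rejected}
```

On the constructed batch the record count matches but the hash total is off by 100.00, so the whole batch is flagged before any record is posted; independently, two records fail field validation and one of those also lacks an authorized approver.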
Risk Control Measures
Three types of controls:
- Administrative: corporate security policy, password policy, hiring policy and disciplinary policy
- Logical: passwords, network- and host-based firewalls, network intrusion detection systems, access control lists
- Physical: doors, locks, heating, fencing, security guards, air conditioning, smoke and fire alarms, fire suppression systems, cameras, etc.
Ensuring System Quality
- Software quality assurance methodologies
- Resource allocation
- Software metrics, which should be:
  - Carefully designed
  - Formal
  - Objective
  - Measure significant aspects of the system
  - Used consistently
  - Agreed to by users in advance
- Quality tools
- Data quality audits