Today’s Lecture Covers < Chapter 6 - IS Security [email protected].
-
Upload
mitchell-singleton -
Category
Documents
-
view
213 -
download
0
Transcript of Today’s Lecture Covers < Chapter 6 - IS Security [email protected].
![Page 2: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/2.jpg)
Security
The system is protected against unauthorized physical and logical access.
![Page 3: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/3.jpg)
A typical network today?
INTERNET
ExternalRouter
Corporate Backbone
Human Resources
Payroll - Accounting
e-Business Network
Human Resources
AP Cyberwall
Payroll - Accounting
AP Cyberwall
IP Firewall
DMZ
IP Firewall
DMZ
Internal Firewall
DMZ SystemsDMZ Systems
![Page 4: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/4.jpg)
Control over Info Transmission
procedures to protect in bound information and outbound information
network design should incorporate information integrity, confidentiality and availability requirements for transmissions
network implementation and config mgt needs to be controlled
![Page 5: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/5.jpg)
Control over Data Mgt
roles and responsibilities for data mgt needed
database design and implementation needs to address security, integrity and control requirements
also incorporate reliability and availability requirements
![Page 6: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/6.jpg)
Control over End-Using Computing
procedures to ensure that end-users conform with organizational strategy
stds for development, acquisition, documentation and operation of applications procedures.
Effective support and training
monitoring end-using computing
![Page 7: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/7.jpg)
The issue of IT Security
must id risks and design effective security processes and practices
not too much security - causes rule breaking to do job
balance between enabling staff and others to access easily and efficiently and controlling that access
![Page 8: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/8.jpg)
Security Controls- to prevent
unauthorized access to IS by outsiders
unauthorized access to IS by insiders
interruptions in processing
at application (into each program) and
general level (e.g., electronic access, physical security, back-up and recovery and contingency planning)
![Page 9: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/9.jpg)
To meet Security Objectives
need an integrated approach: develop policies assign roles and responsibilities and
communicate them design a security control framework implement on risk-prioritized
and timely basis monitor
![Page 10: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/10.jpg)
Broad Organizational Issues
policies and stds
risk assessment
plan, design, test and implement
user and mgt involvement
monitor and update
![Page 11: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/11.jpg)
Policies & Stds
responsibility of all personnel
roles and responsibilities for security administrator
classify systems and data in terms of sensitivity
role of I/A
![Page 12: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/12.jpg)
Risk Assessment
analyze risks and exposures
assess what is acceptable
need to understand potential losses
![Page 13: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/13.jpg)
Plan Design Test and Implement
assess what is needed
test - ensure authorized accepted/unauthorized rejected
access time is reasonable
audit trails are adequate
![Page 14: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/14.jpg)
Monitoring and Update
need logs
need to ensure controls up to date
adequate resources
![Page 15: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/15.jpg)
Physical Access Controls -
Safeguard against physical abuse, damage and destruction.
Isolation and restriction - use locks, effective key management, video, sensing devices
![Page 16: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/16.jpg)
Communication Access Controls
Firewalls - hardware and software between 2 networks, all traffic must go through it, only authorized traffic may pass, and is protected from tampering
Simplifies security mgt - only have to manage single point
![Page 17: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/17.jpg)
Communication Access Controls
can hide internal network since no direct outside connection
can limit damage of security breaches
do not protect against insider attacks
often ineffective with viruses
do not protect against other connections that bypass firewall
![Page 18: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/18.jpg)
Communication Access Controls
Packet filter gateway - router between 2 gateways, either forwards or blocks them (less secure than firewall)
Application gateway - all packets are addressed to a user layer application at the gateway that relays them between 2 communication points
![Page 19: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/19.jpg)
Communication Access Controls
use proxies to prevent a direct connection between external and internal networks acts as middleman - decides whether traffic is secure
between the hosts , forwards only secure traffic
Stateful inspection - all packets queried + application, user and transportation method queried - both the state of the transmission and context in which used cannot deviate from expectations ; otherwise rejected
![Page 20: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/20.jpg)
Dial-Up Lines
Modem lines create problems
use callback modems, terminal authentication devices (id terminal as authentic before connecting), passwords, encryption, human hook-ups, warnings and look at communication bills
![Page 21: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/21.jpg)
Encryption
coding messagesrely on mathematical algorithmsprivate key system - receiver must know what key is used to encipher message. Such keys must be protectedpublic key system - use 2 keys encipher is made public different key used to decipher
![Page 22: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/22.jpg)
Electronic Access Controls- first classify info
sensitivity - need to classify information as to confidentiality and access rights
access time requirements - classify according to range of tolerable access times- for example many users may need to access certain files at a particular time
authorized users - based on need to know basis
![Page 23: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/23.jpg)
Access management
identification process - use userids personal characteristic userids - name - easy transferred
but easy to guess.. also little privacy functional characteristic id - based on job, no need for
personal id, more privacy - someone transfers however, must give new id
no association ids - arbitrary - best privacy and can use if transferred
![Page 24: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/24.jpg)
Access management
authentication - obtaining proof that user is who says he/she is plastic magnetic-strip cards - atm cards, carry fixed
password (PIN), can be stolen/duplicated smart cards- contain processor that allows card to
interact with number of control devices and define boundary of each specific access
biometric devices - fingerprints, hand geometry, eye retina patterns
![Page 25: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/25.jpg)
Access management
passwords - traditional for log-on procedure system-generated- randomly generated are less hard to
guess- problem is are not really random and are meaningless to users - therefore write them down makes easier to find
user- selected - has meaning but often easier to guess word association password - use cue lists that only user
should know - too much computer space req'd, must be uniform
![Page 26: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/26.jpg)
Access management
Increased use of single-sign on- authenticate once across multiple platforms must be very careful due to potential access hazard
Could also use profile management - allocate standard access privileges to users based on their group, rather than individual basisreduces admin costs and allows easier access and rule setting
![Page 27: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca.](https://reader036.fdocuments.us/reader036/viewer/2022062718/56649e945503460f94b9913f/html5/thumbnails/27.jpg)
Access management
access control software- allows controlled access - locks out illegimate users