Unit v
Transcript of Unit v
![Page 1: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/1.jpg)
SECURITY CHALLENGES OF INFORMATION TECHNOLOGY
![Page 2: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/2.jpg)
SECURITY REQUIREMENTS FOR E-COMMERCE
• Privacy – control over who may see information and who may not
• Authenticity – knowing the identities of the communicating parties
• Integrity – assurance that stored or transmitted information is unaltered
• Reliability – assurance that systems will be available when needed and will perform consistently
• Blocking – ability to block unwanted information or intrusions
![Page 3: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/3.jpg)
![Page 4: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/4.jpg)
INFORMATION SYSTEM CONTROLS
![Page 5: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/5.jpg)
• Input controls
  - Security codes
  - Encryption
  - Data entry screens
  - Error signals
  - Control totals (record count, batch totals)
• Processing controls
  - Software controls – check that the right data is processed, and processed correctly
  - Hardware controls – malfunction detection circuitry, redundant components, special-purpose microprocessors and associated circuitry
  - Firewalls
  - Checkpoints
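Control totals are the input control a practitioner most often has to build. The block below is an added example and not code from the original slides: a constructed batch of payment records with a header computed by the sender, and a receiving-side check that recomputes the record count, a financial total and a "hash total" (a sum of account numbers that has no business meaning but catches lost or corrupted rows). The names Record, BatchHeader, compute_totals and verify_batch are my own.

```python
"""Batch control totals: detect lost, duplicated or altered records."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    account_no: int
    amount_cents: int      # money kept as integer cents to avoid float drift


@dataclass(frozen=True)
class BatchHeader:
    record_count: int      # number of records the sender put in the batch
    amount_total: int      # sum of amount_cents (a financial control total)
    hash_total: int        # sum of account numbers (a non-financial hash total)


# Constructed sample batch; the header is what the sender transmitted with it.
SENT_RECORDS = [
    Record(account_no=1001, amount_cents=125_000),
    Record(account_no=1002, amount_cents=98_500),
    Record(account_no=1003, amount_cents=143_250),
    Record(account_no=1004, amount_cents=67_000),
]
SENT_HEADER = BatchHeader(record_count=4, amount_total=433_750, hash_total=4010)


def compute_totals(records):
    """Recompute the three control totals over the records actually received."""
    return BatchHeader(
        record_count=len(records),
        amount_total=sum(r.amount_cents for r in records),
        hash_total=sum(r.account_no for r in records),
    )


def verify_batch(header, records):
    """Return a list of discrepancies; an empty list means the batch balances."""
    got = compute_totals(records)
    problems = []
    if got.record_count != header.record_count:
        problems.append(f"record count {got.record_count} != header {header.record_count}")
    if got.amount_total != header.amount_total:
        problems.append(f"amount total {got.amount_total} != header {header.amount_total}")
    if got.hash_total != header.hash_total:
        problems.append(f"hash total {got.hash_total} != header {header.hash_total}")
    return problems


if __name__ == "__main__":
    print("intact batch:", verify_batch(SENT_HEADER, SENT_RECORDS))
    print("one record dropped:", verify_batch(SENT_HEADER, SENT_RECORDS[:-1]))
```

Dropping a record trips all three totals, and changing one amount trips the financial total alone. The caveat is that totals are a completeness check, not an integrity proof: two offsetting edits, or swapping the amounts of two records, leave every total unchanged, so they complement rather than replace the audit trail and encryption controls listed on the same slide.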
![Page 6: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/6.jpg)
• Output controls
  - Security codes – ensure that information products are complete and are available to authorized users in a timely manner
  - Encryption
  - Control totals – reconciled against the input and processing control totals
  - Control listings – provide hard-copy evidence of all output produced
  - End user feedback
• Storage controls – how can we protect our data resources?
  - Security codes
  - Encryption
  - Backup files
  - Library procedures
  - Database administration
![Page 7: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/7.jpg)
![Page 8: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/8.jpg)
![Page 9: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/9.jpg)
FACILITY CONTROLS
• Methods that protect an organization's computing and network facilities and their contents from loss or destruction.
• Network security – may be provided by specialized system software packages called system security monitors.
  - Protect against unauthorized use, fraud and destruction (identification codes and passwords).
  - Also restrict the use of computers, programs and data files.
  - Record attempts at improper use.
![Page 10: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/10.jpg)
FACILITY CONTROLS
1. Encryption – scrambling data using mathematical algorithms and keys, so that only holders of the right key can read it.
• Widely used software examples are the RSA public-key algorithm (from RSA Data Security) and PGP (Pretty Good Privacy).
![Page 11: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/11.jpg)
FACILITY CONTROLS
2. Firewalls
• An external firewall keeps out unauthorized Internet users.
• An internal firewall prevents users from accessing sensitive human resources and financial data.
• Passwords and browser security features control access to specific intranet resources.
![Page 12: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/12.jpg)
FACILITY CONTROLS
3. Physical Protection Controls –
• Identification badges
• Electronic door locks
• Burglar alarms
• Security police
• CCTV, etc.
• Fire detection and extinguishing systems
• Fireproof storage vaults
• Emergency power controls
• Humidity controls
• Dust controls
![Page 13: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/13.jpg)
FACILITY CONTROLS
4. Biometric Controls – devices use special sensors to measure and digitize a biometric profile
• Voice verification
• Fingerprints
• Hand geometry
• Signature dynamics
• Keystroke analysis
• Retina scanning
• Face recognition
![Page 14: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/14.jpg)
FACILITY CONTROLS
5. Failure Controls – causes of system failure include:
• Power failure
• Electronic circuitry malfunctions
• Telecommunications network problems
• Hidden programming errors
• Computer viruses
• Computer operator errors
• Electronic damage
![Page 15: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/15.jpg)
![Page 16: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/16.jpg)
PROCEDURAL CONTROLS
1. Standard Procedures and Documentation – an IS organization develops and follows standard procedures for its operations
• This promotes quality and minimizes errors and fraud
• Documentation helps in the maintenance of the system and must be kept up to date
![Page 17: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/17.jpg)
PROCEDURAL CONTROLS
2. Authorization Requirements –
• Requests for systems development and program changes need review before authorization
• Conversion to new hardware, software or network components, and their installation, requires formal notification
![Page 18: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/18.jpg)
PROCEDURAL CONTROLS
3. Disaster Recovery – damage can be caused by:
• Hurricanes
• Earthquakes
• Fire
• Floods
• Criminal and terrorist acts
• Human error
An organization's disaster recovery plan specifies:
• Which employees will participate in disaster recovery and what their duties will be
• What hardware, software and facilities will be used
• The priority order in which applications will be processed
![Page 19: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/19.jpg)
PROCEDURAL CONTROLS
4. Controls for End User Computing – these include:
• Methods for testing user-developed systems for compliance with company policies and work procedures
• Methods for notifying other users when changes are planned
• Thorough documentation of user-developed systems
• Training several people in the operation and maintenance of a system
• Formal backup and recovery procedures
• Security controls
![Page 20: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/20.jpg)
AUDITING INFORMATION SYSTEMS
• Information systems should be audited periodically.
• Review and evaluate whether proper and adequate system, procedural, facility and managerial controls have been developed and implemented.
• Two approaches:
  - Auditing around the computer system – verifying the accuracy and suitability of the input data and of the output produced, without examining the processing in between.
  - Auditing through the computer system – verifying the accuracy and integrity of the software itself; auditors develop test data and test programs to exercise the system's processing.
![Page 21: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/21.jpg)
Audit Trail
• Presence of documentation that allows a transaction to be traced through all stages of its information processing.
• Electronic audit trail / control logs – automatically record all network activity on magnetic disk or tape devices
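An electronic audit trail is only evidence if a later party cannot quietly rewrite it. The block below is an added example, not code from the original slides: each log record stores a SHA-256 hash over the previous record's hash plus its own canonical content, so editing or deleting any stage of a transaction breaks every link after it. The three constructed entries follow one transaction (input, processing, output) as the slide describes; the function names and the field layout are my own assumptions.

```python
"""Tamper-evident audit trail: a hash chain over log entries."""
import hashlib
import json

GENESIS = "0" * 64          # hash "before" the first entry


def _entry_digest(prev_hash, entry):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(prev_hash.encode() + canonical.encode()).hexdigest()


def append_entry(log, entry):
    """Append entry to log, linking it to the hash of the previous record."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "hash": _entry_digest(prev, entry)})
    return log


def verify_chain(log):
    """Return the index of the first record whose link is broken, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["hash"] != _entry_digest(prev, rec["entry"]):
            return i
        prev = rec["hash"]
    return -1


def build_sample_log():
    """Constructed trail following transaction 4711 through its three stages."""
    log = []
    for entry in [
        {"ts": "2022-05-25T09:00:01", "user": "clerk01", "action": "input",
         "txn": 4711, "amount_cents": 125000},
        {"ts": "2022-05-25T09:00:05", "user": "batch", "action": "process",
         "txn": 4711, "status": "ok"},
        {"ts": "2022-05-25T09:00:09", "user": "printer", "action": "output",
         "txn": 4711, "cheque": 88201},
    ]:
        append_entry(log, entry)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    log[1]["entry"]["status"] = "reversed"      # someone edits the processing stage
    print("after edit, first broken record:", verify_chain(log))
```

An attacker who can rewrite the whole file can recompute every hash, so the chain only proves what it claims if the latest hash is regularly copied somewhere the attacker cannot reach (write-once media such as the tape the slide mentions, a separate log host, or a printed control listing).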
![Page 22: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/22.jpg)
Denial of Service Attacks
• Denial of service attacks involve three layers of networked computer systems:
  - The victim's website
  - The victim's Internet service provider
  - Zombie or slave computers that have been commandeered by the cybercriminals
![Page 23: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/23.jpg)
Defending Against Denial of Service
• At zombie machines
  - Set and enforce security policies
  - Scan for vulnerabilities
• At the ISP
  - Monitor and block traffic spikes
• At the victim's website
  - Create backup servers and network connections
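"Monitor and block traffic spikes" at the ISP hides a real design question: a single flooding host and a distributed flood from many zombies look very different per source. The block below is an added example and not code from the original slides. It keeps a sliding-window packet counter per source and per destination over constructed flow records, so that one loud host is caught by the per-source limit while a flood of quiet zombies is caught by the aggregate limit on the victim address. The addresses, limits and the three scenarios are my own constructions (addresses come from the documentation ranges).

```python
"""Sliding-window spike detection at an ISP, for single and distributed floods."""
from collections import defaultdict, deque

VICTIM = "203.0.113.10"     # constructed victim address (TEST-NET-3)


def constructed_flows(scenario):
    """Synthetic flow records (ts_seconds, src_ip, dst_ip) for three situations."""
    flows = []
    for t in range(30):                       # baseline: five clients, 1 pkt/s each
        for c in range(5):
            flows.append((t, f"198.51.100.{c + 1}", VICTIM))
    if scenario == "single":                  # one host sending 5 pkt/s for 10 s
        for t in range(10):
            flows.extend((t, "192.0.2.99", VICTIM) for _ in range(5))
    elif scenario == "distributed":           # 60 zombies, each one packet every 5 s
        for t in range(0, 30, 5):
            for z in range(60):
                flows.append((t, f"10.0.0.{z}", VICTIM))
    flows.sort(key=lambda f: f[0])            # stable sort keeps same-second order
    return flows


def detect_floods(flows, window_s=10, per_source_limit=20, per_dest_limit=120):
    """Sliding-window packet counters per source and per destination.

    Returns (noisy_sources, flooded_destinations). A source is noisy when it
    alone sends more than per_source_limit packets in any window; a destination
    is flooded when its aggregate inbound count exceeds per_dest_limit, which is
    how a distributed flood shows up although no single zombie looks abnormal.
    """
    src_windows, dst_windows = defaultdict(deque), defaultdict(deque)
    noisy, flooded = set(), set()
    for ts, src, dst in flows:
        for key, windows, limit, hits in ((src, src_windows, per_source_limit, noisy),
                                          (dst, dst_windows, per_dest_limit, flooded)):
            q = windows[key]
            q.append(ts)
            while q[0] <= ts - window_s:      # keep only timestamps in (ts - window_s, ts]
                q.popleft()
            if len(q) > limit:
                hits.add(key)
    return noisy, flooded


if __name__ == "__main__":
    for name in ("baseline", "single", "distributed"):
        print(name, detect_floods(constructed_flows(name)))
```

The per-source result is what an ISP can act on directly (rate-limit or null-route the host); the per-destination result tells the ISP that the victim is under a distributed attack and that blocking has to move upstream or to scrubbing, since no individual source exceeds a plausible threshold. Thresholds must be tuned against the site's real baseline; the numbers here are chosen only to make the three scenarios separate cleanly.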
![Page 24: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/24.jpg)
![Page 25: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/25.jpg)
4 ETHICAL DIMENSIONS
• Egoism – what is best for a given individual is right
• Natural law – promote health and life, propagate, pursue knowledge of the world and God, have close relationships with other people
• Utilitarianism – those actions are right that produce the greatest good for the greatest number of people
• Respect for persons –
![Page 26: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/26.jpg)
WESTERN AND NON-WESTERN VALUES

| Non-western | Western | Common Values |
| --- | --- | --- |
| Kyosei (Japanese): living and working together for the common good | Individual liberty | Respect for human dignity |
| Dharma (Hindu): the fulfillment of inherited duty | Political participation | Respect for basic rights |
| Zakat (Muslim): the duty to give alms to the Muslim poor | Human rights | Good citizenship |
![Page 27: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/27.jpg)
MODEL OF ETHICAL DECISION MAKING
![Page 28: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/28.jpg)
![Page 29: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/29.jpg)
![Page 30: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/30.jpg)
![Page 31: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/31.jpg)
SPOOFING
• To fool. In networking, the term describes a variety of ways in which hardware and software can be fooled. IP spoofing, for example, involves trickery that makes a message appear to come from an authorized IP address.
• E.g. a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with a source IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, an attacker must first find the IP address of a trusted host and then modify the packet headers so that the packets appear to come from that host. The practical lesson is that the source address of a packet is chosen by whoever sends it, so it must never be the only basis for trusting a request.
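Because the source address is attacker-controlled, the standard network-level countermeasure is ingress and egress filtering (the practice described in BCP 38): a border device drops packets whose claimed source is impossible for the interface they arrived on. The block below is an added example, not code from the original slides; the prefixes and the two interface names are a constructed topology and the function name is my own.

```python
"""Source-address plausibility check at a border router (ingress/egress filtering)."""
import ipaddress

# Constructed topology: what legitimately lives behind the 'inside' interface.
INSIDE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]

# Addresses that should never appear as a source on a transit link.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def ingress_verdict(src_ip, arrived_on):
    """Return 'allow' or 'drop' for a packet, judged only by whether its claimed
    source is plausible for the interface it arrived on.

    arrived_on is 'outside' (Internet-facing) or 'inside' (the local network).
    """
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop"                       # malformed address
    if _in_any(src, BOGON_PREFIXES):
        return "drop"                       # cannot be a real sender anywhere
    claims_inside = _in_any(src, INSIDE_PREFIXES)
    if arrived_on == "outside" and claims_inside:
        return "drop"                       # Internet packet pretending to be a trusted host
    if arrived_on == "inside" and not claims_inside:
        return "drop"                       # our own host spoofing someone else's address
    return "allow"


if __name__ == "__main__":
    for pkt in (("10.1.2.3", "outside"), ("10.1.2.3", "inside"),
                ("198.51.100.7", "outside"), ("198.51.100.7", "inside")):
        print(pkt, "->", ingress_verdict(*pkt))
```

The 'inside' branch is egress filtering: it stops the organization's own machines from becoming useful zombies in a spoofed flood. The limit of the technique is that it cannot detect an outside packet that forges some other outside address, so anything that grants access must authenticate the peer cryptographically rather than by address.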
![Page 32: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/32.jpg)
OUTSOURCING
• The practice of seeking resources, or subcontracting, outside the organizational structure for all or part of an IT (Information Technology) function.
• Outsourcing covers functions ranging from infrastructure to software development, maintenance and support.
• For example, an enterprise might outsource its IT management because contracting a third party is cheaper than building an in-house IT management team, or a company might outsource all of its data storage because it does not want to buy and maintain its own storage devices. Most large organizations outsource only a portion of any given IT function.
![Page 33: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/33.jpg)
Information Protection - Why?
• Information is an important strategic and operational asset for any organization.
• Damage to and misuse of information affect not only a single user or application; they may have disastrous consequences for the entire organization.
• Additionally, the advent of the Internet and of networking capabilities has made access to information much easier.
![Page 34: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/34.jpg)
Information Security: Main Requirements
• The three core requirements are Confidentiality, Integrity and Availability (drawn on the original slide as a triangle around "Information Security").
![Page 35: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/35.jpg)
Information Security: Examples
• Consider a payroll database in a corporation; it must be ensured that:
  - salaries of individual employees are not disclosed to arbitrary users of the database (confidentiality)
  - salaries are modified only by those individuals who are properly authorized (integrity)
  - pay-checks are printed on time at the end of each pay period (availability)
![Page 36: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/36.jpg)
Information Security: Examples
• In a military environment, it is important that:
  - the target of a missile is not given to an unauthorized user (confidentiality)
  - the target is not arbitrarily modified (integrity)
  - the missile actually launches when the fire command is given (availability)
![Page 37: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/37.jpg)
Information Security - main requirements
• Confidentiality - protecting information from unauthorized read operations
  - the term privacy is often used when the data to be protected refer to individuals
• Integrity - protecting information from modification; it involves several goals:
  - assuring the integrity of information with respect to the original information (relevant especially in the web environment) - often referred to as authenticity
  - protecting information from unauthorized modifications
  - protecting information from incorrect modifications - referred to as semantic integrity
• Availability - ensures that access to information is not denied to authorized subjects
![Page 38: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/38.jpg)
Information Security - additional requirements
• Information Quality - not traditionally considered part of information security, but very relevant
• Completeness - ensuring that subjects receive all the information they are entitled to access, according to the stated security policies
![Page 39: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/39.jpg)
Classes of Threats
• Disclosure
  - Snooping (passive interception of information), Trojan horses
• Deception
  - Modification, spoofing (fooling), repudiation of origin, denial of receipt
• Disruption
  - Modification, denial of service
• Usurpation
  - Modification, spoofing, delay, denial of service
![Page 40: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/40.jpg)
Goals of Security
• Prevention
  - Prevent attackers from violating the security policy
• Detection
  - Detect attackers' violations of the security policy
• Recovery
  - Stop the attack, assess and repair the damage
  - Continue to function correctly even if the attack succeeds
![Page 41: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/41.jpg)
Information Security - How?
• Information must be protected at various levels:
  - The operating system
  - The network
  - The data management system
  - Physical protection is also important
![Page 42: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/42.jpg)
Information Security - Mechanisms
• Confidentiality is enforced by the access control mechanism
• Integrity is enforced by the access control mechanism and by integrity constraints
• Availability is enforced by the recovery mechanism and by detection techniques
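The payroll database example earlier on the page and the mechanisms slide above fit together: confidentiality is an access-control decision on reads, and integrity is an access-control decision on writes plus an integrity constraint on the value written. The block below is an added example, not code from the original slides, of a small reference monitor in front of a payroll table. The roles, the employee rows and the "plausible salary" constraint are constructed; PayrollStore and its method names are my own.

```python
"""A minimal reference monitor for the payroll example: access control plus an
integrity constraint, with a predicate for each decision so policy is testable."""


class PolicyViolation(Exception):
    """Raised when a subject attempts something the policy does not allow."""


class PayrollStore:
    def __init__(self, rows, roles, max_salary_cents=50_000_000):
        self._rows = dict(rows)       # employee id -> salary in cents (constructed)
        self._roles = dict(roles)     # subject id -> 'employee', 'hr', 'payroll_clerk'
        self._max = max_salary_cents  # constructed upper bound for a plausible salary

    # --- confidentiality: access control on reads ---
    def can_read(self, subject, employee_id):
        role = self._roles.get(subject)
        if role in ("hr", "payroll_clerk"):
            return True                                  # need the table to run payroll
        return role == "employee" and subject == employee_id   # own row only

    def read_salary(self, subject, employee_id):
        if not self.can_read(subject, employee_id):
            raise PolicyViolation(f"{subject!r} may not read salary of {employee_id!r}")
        return self._rows[employee_id]

    # --- integrity: access control on writes plus a semantic integrity constraint ---
    def can_write(self, subject, new_cents):
        if self._roles.get(subject) != "hr":
            return False                                 # only HR may change salaries
        return 0 < new_cents <= self._max                # reject impossible values

    def update_salary(self, subject, employee_id, new_cents):
        if employee_id not in self._rows:
            raise PolicyViolation(f"no employee {employee_id!r}")
        if not self.can_write(subject, new_cents):
            raise PolicyViolation(f"{subject!r} may not set {employee_id!r} to {new_cents}")
        old = self._rows[employee_id]
        self._rows[employee_id] = new_cents
        return old


def sample_store():
    """Constructed data for the payroll example."""
    return PayrollStore(
        rows={"e100": 5_200_000, "e101": 4_800_000, "e102": 6_100_000},
        roles={"e100": "employee", "e101": "employee", "e102": "employee",
               "hr1": "hr", "pay1": "payroll_clerk"},
    )


if __name__ == "__main__":
    s = sample_store()
    print("e100 reads own salary:", s.read_salary("e100", "e100"))
    print("clerk may write?", s.can_write("pay1", 5_000_000))
    print("hr sets a negative salary?", s.can_write("hr1", -1))
```

The point of separating can_read and can_write from the operations is that the policy can be reviewed and tested on its own, which is what an auditor "auditing through the computer" needs. Note that the payroll clerk, who must read every row to print cheques, still cannot modify one: read and write authority are granted separately, which is the least-privilege split that keeps a compromised printing job from changing pay.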
![Page 43: Unit v](https://reader034.fdocuments.us/reader034/viewer/2022052522/547aef12b4af9f81798b4624/html5/thumbnails/43.jpg)
Information Security - How?
Additional mechanisms
• User authentication - to verify the identity of subjects wishing to access the information
• Information authentication - to ensure information authenticity; supported by signature mechanisms
• Encryption - to protect information when it is transmitted across systems and when it is stored on secondary storage
• Intrusion detection - to protect against impersonation of legitimate users and also against insider threats
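The first two mechanisms on this slide can be shown with the Python standard library alone. The block below is an added example, not code from the original slides: password verification with a salted, iterated hash (PBKDF2-HMAC-SHA256) and a constant-time comparison, and information authentication with an HMAC tag. One caveat belongs in the lead-in: an HMAC is a symmetric message authentication code, so it proves origin only to a party that shares the key and gives no non-repudiation; the "signature mechanisms" the slide names (RSA, ECDSA) need a cryptographic library outside the standard library. The iteration count and the sample key and message are my own constructions.

```python
"""User authentication (salted PBKDF2) and information authentication (HMAC)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000     # work factor; raise it as hardware gets faster


def register(password, iterations=PBKDF2_ITERATIONS):
    """Build the stored credential: a fresh random salt plus the PBKDF2 hash.
    The password itself is never stored, and the per-user salt defeats
    precomputed tables."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(stored, attempt):
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself leaks no information about how many bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 stored["salt"], stored["iterations"])
    return hmac.compare_digest(digest, stored["hash"])


def tag_message(key, message):
    """HMAC-SHA256 tag: shows the message came from a holder of `key` unaltered."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key, message, tag):
    """Constant-time check; False for a modified message or a wrong key."""
    return hmac.compare_digest(tag_message(key, message), tag)


if __name__ == "__main__":
    cred = register("correct horse battery staple")
    print("right password:", verify_password(cred, "correct horse battery staple"))
    print("wrong password:", verify_password(cred, "Correct horse battery staple"))
    key = b"constructed-shared-key"                 # constructed; use a random key in practice
    msg = b'{"txn":4711,"amount_cents":125000}'
    tag = tag_message(key, msg)
    print("tampered amount accepted?",
          verify_message(key, msg.replace(b"125000", b"925000"), tag))
```

Both checks use hmac.compare_digest rather than ==, because an early-exit comparison lets a remote caller measure how many leading bytes of a guess were right. The HMAC key must be random and kept out of the message; if it is ever shared with a party that should not be able to forge, the tag proves nothing about origin.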