Security ~ Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Presentation transcript:

Security: Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
Control: Methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its accounting records, and operational adherence to management standards.

Why are systems vulnerable?
- Accessibility of networks
- Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
- Software problems (programming errors, installation errors, unauthorized changes)
- Disasters
- Use of networks/computers outside of the firm's control
- Loss and theft of portable devices
The potential for unauthorized access, abuse or fraud is not limited to a single location but can occur at any access point in the network. Systems malfunction if computer hardware breaks down, is not configured properly, or is damaged by improper use or criminal acts.

Internet vulnerabilities
- Open to anyone.
- From widespread use of e-mail (attachments serve as springboards for malicious software into internal corporate systems), instant messaging (IM does not use a secure layer for text messages), and peer-to-peer file sharing programs (P2P can transmit malicious software or expose information on individual or corporate computers).
- The switched voice network, if it does not run over a secure private network (encrypted VoIP).
- Computers constantly connected to the Internet by cable modems or digital subscriber line (DSL).
- The sheer size of the Internet.

Wireless security challenges
- Radio frequency bands are easy to scan.
- Bluetooth and Wi-Fi networks are susceptible to hacking by eavesdroppers.
- Local area networks (LANs) can be easily penetrated by outsiders armed with laptops, wireless cards, external antennae, and hacking software.
- Service set identifiers (SSIDs) identifying the access points in a Wi-Fi network are broadcast multiple times and can be picked up easily by intruders' sniffer programs.

Malicious software: viruses, worms, Trojan horses and spyware
- Malicious software programs are referred to as malware and include a variety of threats.
- Computer virus: a rogue software program that attaches itself to other software programs or data files in order to be executed, usually without the user's knowledge or permission.
- Payload (what a computer virus delivers): destroying programs or data, clogging computer memory, reformatting a computer's hard drive, or causing programs to run improperly.

- Worms: independent programs that copy themselves from one computer to other computers over a network. Worms destroy data and programs and can disrupt or even halt the operation of computer networks.
- Worms and viruses spread by:
  - Downloads (drive-by downloads)
  - E-mail and IM attachments
  - Downloads on Web sites and social networks
- Trojan horses: software that appears benign but does something other than expected. The Trojan horse is not itself a virus because it does not replicate, but it is often a way for viruses to be introduced into a computer system.

- SQL injection attacks: these vulnerabilities occur when a Web application fails to properly validate or filter data entered by a user on a Web page, which might occur when ordering something online.
- Spyware: small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising. Spyware may also reset the browser home page, redirect search requests, and slow computer performance by taking up memory.
  - Example: key loggers record every keystroke on a computer to steal serial numbers and passwords, launch Internet attacks, gain access to accounts, obtain passwords to protected computer systems, or pick up personal information.
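The SQL injection point above is easiest to see side by side with its fix. The following is an added example, not code from the slides: a login check that concatenates unvalidated user input into the query (the flaw the slide describes) next to the same check written with parameterized placeholders. The user table, the account name and the password are constructed for the demonstration, and sqlite3 from the Python standard library stands in for the Web application's database.

```python
import sqlite3


def build_db():
    """Constructed in-memory user table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Input is pasted straight into the SQL text, so quotes in the input
    become part of the query's structure instead of staying data."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Hardened form: the driver binds the values separately, so the input
    can only ever be compared as a string, never interpreted as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both login checks against the same crafted input and the real password."""
    conn = build_db()
    # Quote-bearing input: in the concatenated query it rewrites the WHERE clause
    # so the password test no longer decides the outcome.
    crafted = "' OR '1'='1"
    return {
        "vulnerable_with_crafted_input": login_vulnerable(conn, "alice", crafted),
        "parameterized_with_crafted_input": login_parameterized(conn, "alice", crafted),
        "parameterized_with_real_password": login_parameterized(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", "login accepted" if outcome else "login rejected")
```

The parameterized version is the control the slide is pointing at: validation of input helps, but binding values with placeholders removes the possibility of input altering the query at all, which is why it is the first thing a code reviewer looks for in database access code.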

Hackers and computer crime
- A hacker is an individual who intends to gain unauthorized access to a computer system.
- Cracker is typically used to denote a hacker with criminal intent.
- Hacker activities: system intrusion, system damage, and cybervandalism (intentional disruption, defacement, or destruction of a Web site or corporate information system).

- Spoofing: misrepresenting oneself by using fake addresses or masquerading as someone else; redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination.
- Sniffer: an eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information such as e-mail, company files, and so on.
- Denial-of-service (DoS) attacks: flooding a server with thousands of false requests to crash the network.
- Distributed denial-of-service (DDoS) attacks: use numerous computers to inundate and overwhelm the network from numerous launch points.
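From the defender's side, the flood of false requests that defines a DoS attack shows up in server logs as one source producing far more requests than any normal client. The following added example (not from the slides) parses constructed log lines and keeps a sliding per-source window, flagging any source whose request count in the window passes a threshold; the log format, the window size and the threshold are assumptions chosen for the demonstration, and the lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in an assumed "<ISO timestamp> <client ip> <method> <path>" format.
# One normal client makes three requests over 40 seconds; a second source sends
# 50 requests inside two seconds, the pattern a flood leaves behind.
SAMPLE_LOG = ["2024-01-01T10:00:%02d 203.0.113.5 GET /index.html" % s for s in (0, 15, 40)]
SAMPLE_LOG += ["2024-01-01T10:00:%02d 198.51.100.9 GET /login" % (i // 25) for i in range(50)]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, source, method, path) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_floods(lines, window_seconds=10, threshold=20):
    """Sliding-window request counter per source.

    Returns {source: peak requests seen inside one window} for every source
    that exceeded `threshold` requests within `window_seconds`. Lines are
    assumed to be in chronological order (as a server writes them)."""
    windows = defaultdict(deque)   # source -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # skip lines that do not match the format
        ts, src, _method, _path = parsed
        q = windows[src]
        q.append(ts)
        # Drop timestamps that have slid out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


if __name__ == "__main__":
    for src, peak in detect_floods(SAMPLE_LOG).items():
        print("possible flood from %s: %d requests in one window" % (src, peak))
```

The same counter run over real access logs is a starting point for alerting; in a distributed attack each source may stay under the threshold, so a second counter keyed on the requested path (or on total request rate) is what catches the DDoS case the slide distinguishes.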

- Computer crime: most hacker activities are criminal offenses, and the vulnerabilities of systems we have just described make them targets for other types of computer crime. Defined as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution".
- Identity theft: theft of personal information (social security ID, driver's license, or credit card numbers) to impersonate someone else.
  - A popular tactic is a form of spoofing called phishing: setting up fake Web sites or sending messages that look like they come from legitimate businesses to ask users for confidential personal data.
  - A newer phishing technique is evil twins: wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet.
  - Pharming: redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser.

- Click fraud: occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase.
- Cyberterrorism and cyberwarfare: cybercriminal activities such as launching malware, denial-of-service attacks and phishing probes.

Internal threats: employees
- Employees have access to privileged information, and in the presence of sloppy internal security procedures, they are often able to roam throughout an organization's systems without leaving a trace.
- Security threats often originate inside an organization and rely on inside knowledge.
- Social engineering: tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information.

Software vulnerability
- Commercial software contains flaws that create security vulnerabilities. A major problem is hidden bugs (program code defects).
- Zero defects cannot be achieved because complete testing is not possible with large programs.
- Patches: small pieces of software created to repair the flaw without disturbing the proper operation of the software. Exploits are often created faster than patches can be released and implemented.

Lack of security and control can lead to:
1. Loss of revenue: failed computer systems can lead to significant or total loss of business function.
2. Lowered market value: information assets can have tremendous value; a security breach may cut into a firm's market value almost immediately.
3. Legal liability
4. Lowered employee productivity
5. Higher operational costs

In the USA, legal and regulatory requirements for electronic records management and privacy protection include:
- HIPAA: medical security and privacy rules and procedures.
- Gramm-Leach-Bliley Act: requires financial institutions to ensure the security and confidentiality of customer data.
- Sarbanes-Oxley Act: imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally.

Electronic evidence
- Evidence for white-collar crimes is often in digital form: data on computers, e-mail, instant messages, e-commerce transactions.
- Proper control of data can save time and money when responding to legal discovery requests.
Computer forensics
- The scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law, which includes recovery of ambient and hidden data.

Establishing a framework for security and control
Information systems controls
1) General controls: govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure. Types of general controls:
- Software controls
- Hardware controls
- Computer operations controls
- Data security controls
- Implementation controls
- Administrative controls

2) Application controls: specific controls unique to each computerized application, such as payroll or order processing. Application controls can be classified as input controls, processing controls and output controls.

Risk assessment
- Determines the level of risk to the firm if a specific activity or process is not properly controlled.
- For each type of threat, estimate the probability of occurrence during the year and the potential losses (the value of the threat); the expected annual loss is the product of the two.

Exposure      | Probability of occurrence (%) | Loss range / average ($)   | Expected annual loss ($)
Power failure | 30%                           | $5,000-$200,000 ($102,000) | $30,750
Embezzlement  | 5%                            | $1,000-$50,000 ($25,000)   | $1,275
User error    | 98%                           | $200-$40,000 ($20,100)     | $19,698
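The table's last column is what the risk assessment ranks on, so it helps to see the calculation carried through for the three exposures the slide lists. The following is an added example, not part of the slides: it takes each exposure's probability and loss range, derives the average loss as the midpoint of the range, multiplies by the probability to get the expected annual loss, and ranks the exposures. Run on the slide's own figures it reproduces the slide's expected annual losses ($30,750, $1,275 and $19,698); note that the midpoint averages it computes for power failure and embezzlement come out to $102,500 and $25,500, whereas the slide prints $102,000 and $25,000.

```python
def expected_annual_loss(probability_pct, loss_low, loss_high):
    """Return (average loss, expected annual loss) for one exposure.

    The average loss is taken as the midpoint of the loss range; the expected
    annual loss is the probability of occurrence in a year times that average."""
    average = (loss_low + loss_high) / 2
    return average, probability_pct / 100 * average


def rank_exposures(exposures):
    """Compute the figures for every (name, probability %, low, high) tuple and
    return them sorted by expected annual loss, highest first, which is the
    order in which controls should compete for the security budget."""
    rows = []
    for name, probability_pct, low, high in exposures:
        average, eal = expected_annual_loss(probability_pct, low, high)
        rows.append({
            "exposure": name,
            "probability_pct": probability_pct,
            "average_loss": average,
            "expected_annual_loss": eal,
        })
    return sorted(rows, key=lambda r: r["expected_annual_loss"], reverse=True)


def total_expected_loss(exposures):
    """Sum of expected annual losses: the annual cost of leaving all of them uncontrolled."""
    return sum(r["expected_annual_loss"] for r in rank_exposures(exposures))


# The three exposures from the slide's table: (name, probability %, loss low, loss high).
SLIDE_EXPOSURES = [
    ("Power failure", 30, 5_000, 200_000),
    ("Embezzlement", 5, 1_000, 50_000),
    ("User error", 98, 200, 40_000),
]


if __name__ == "__main__":
    for row in rank_exposures(SLIDE_EXPOSURES):
        print("%-14s %3d%%  avg $%9.0f  expected annual loss $%9.0f" % (
            row["exposure"], row["probability_pct"],
            row["average_loss"], row["expected_annual_loss"]))
    print("total expected annual loss: $%.0f" % total_expected_loss(SLIDE_EXPOSURES))
```

The ranking is the point of the exercise: user error, despite the smallest loss range, ends up second because it is almost certain to happen, so a control costing less than its expected annual loss pays for itself.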

Security policy
- Ranks information risks, identifies acceptable security goals, and identifies the mechanisms for achieving these goals. Drives the other policies:
- Acceptable use policy (AUP): defines acceptable uses of the firm's information resources and computing equipment.
- Authorization policies: determine differing levels of user access to information assets.

Identity management
- Business processes and tools to identify valid users of a system and control access: identifies and authorizes different categories of users, specifies which portions of the system users can access, and authenticates users and protects identities.
- Identity management systems capture the access rules for different levels of users.
Figure: Security profiles for a personnel system
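The access rules that an identity management system captures for a personnel system are, in practice, a table of security profiles: which category of user may perform which action on which kind of data. The following added example (hypothetical profiles written for this page, not the slides' figure or any real HR product) encodes a small set of such profiles, including rules that apply only to a user's own record, and evaluates a batch of access requests against them with everything not explicitly granted denied by default.

```python
# Constructed security profiles: role -> data field -> actions permitted on
# any employee's record. Nothing listed here is granted.
PROFILES = {
    "employee":      {"benefits": {"read"}},
    "payroll_clerk": {"pay": {"read", "update"}, "benefits": {"read"}},
    "hr_manager":    {"pay": {"read"}, "benefits": {"read", "update"}, "medical": {"read"}},
}

# Additional actions a role may take on its own record only.
SELF_PROFILES = {
    "employee": {"pay": {"read"}, "benefits": {"read", "update"}},
}


def is_authorized(role, action, field, actor_id=None, owner_id=None):
    """Decide whether `role` may perform `action` on `field` of the record
    owned by `owner_id`. Unknown roles, fields and actions are denied,
    which is the least-privilege default an authorization policy should have."""
    if action in PROFILES.get(role, {}).get(field, set()):
        return True
    if actor_id is not None and actor_id == owner_id:
        return action in SELF_PROFILES.get(role, {}).get(field, set())
    return False


def evaluate_requests(requests):
    """Apply the profiles to (role, action, field, actor, owner) requests and
    return the decisions as an audit trail; denied entries are the ones an
    access log should surface for review."""
    return [(request, is_authorized(*request)) for request in requests]


# Constructed access requests for the demonstration.
SAMPLE_REQUESTS = [
    ("employee", "read", "pay", "e100", "e100"),       # own pay record: allowed
    ("employee", "read", "pay", "e100", "e200"),       # a colleague's pay: denied
    ("payroll_clerk", "update", "pay", "p1", "e200"),  # within the clerk's profile: allowed
    ("hr_manager", "update", "pay", "h1", "e200"),     # manager may only read pay: denied
    ("contractor", "read", "benefits", "c1", "c1"),    # role has no profile: denied
]


if __name__ == "__main__":
    for request, allowed in evaluate_requests(SAMPLE_REQUESTS):
        print("%-7s %s" % ("ALLOW" if allowed else "DENY", request))
```

Keeping the profiles as data rather than scattering checks through the application is what lets the identity management system be the single place where access rules are reviewed and changed.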

Disaster recovery planning: devises plans for the restoration of disrupted services.
Business continuity planning: focuses on restoring business operations after a disaster.
- Both types of plans are needed to identify the firm's most critical systems.
- A business impact analysis determines the impact of an outage.
- Management must determine which systems are restored first.

MIS audit
- Examines the firm's overall security environment as well as the controls governing individual information systems.
- Reviews technologies, procedures, documentation, training, and personnel.
- May even simulate a disaster to test the response of technology, IS staff, and other employees.
- Lists and ranks all control weaknesses and estimates the probability of their occurrence.
- Assesses the financial and organizational impact of each threat.

Identity management and authentication
- Identity management software: keeps track of all users and their system privileges; authenticates users, protects user identities and controls access to system resources.
- Authentication: the ability to know that a person is who he or she claims to be, established with passwords, tokens, smart cards, and biometric authentication.

Firewalls, intrusion detection systems, and antivirus software
- Firewall: prevents unauthorized users from accessing a private network. There are a number of firewall screening technologies:
  - Static packet filtering
  - Stateful inspection
  - Network address translation (NAT)
  - Application proxy filtering
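The difference between the first two screening technologies is easiest to see with packets in hand. The following added example (not from the slides; the packet model, addresses and rules are constructed for the demonstration) runs the same three packets through a static packet filter, which judges each packet alone by its header fields, and through a stateful inspector, which remembers the connections inside hosts have opened and admits inbound packets only when they belong to one of them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed TCP packet summary: just the fields a screening rule looks at."""
    direction: str   # "out" = leaving the private network, "in" = arriving from outside
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


def static_packet_filter(pkt):
    """Stateless rules: every packet is judged in isolation.
    Outbound traffic passes; inbound traffic passes only if its header looks
    like a reply from a web server (ACK flag set, source port 80 or 443)."""
    if pkt.direction == "out":
        return True
    return pkt.ack and pkt.src_port in (80, 443)


class StatefulInspector:
    """Records connections that inside hosts open; an inbound packet passes
    only if it travels the reverse path of a recorded connection."""

    def __init__(self):
        self.connections = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections


def compare_filters():
    """Run a constructed three-packet sequence through both screening technologies."""
    # An inside host opens a connection to an outside web server.
    outbound = Packet("out", "10.0.0.5", 40000, "203.0.113.10", 443, syn=True)
    # The server's reply to that connection.
    legit_reply = Packet("in", "203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True)
    # An inbound packet nobody inside asked for; its header merely resembles a reply.
    unsolicited = Packet("in", "198.51.100.7", 443, "10.0.0.8", 22, ack=True)

    inspector = StatefulInspector()
    sequence = (outbound, legit_reply, unsolicited)
    return {
        "static": [static_packet_filter(p) for p in sequence],
        "stateful": [inspector.allow(p) for p in sequence],
    }


if __name__ == "__main__":
    for name, decisions in compare_filters().items():
        print("%-9s outbound=%s reply=%s unsolicited=%s" % (name, *decisions))
```

The static filter admits the third packet because its header fields satisfy the rule, while the stateful inspector rejects it because no inside host opened that connection; that gap is why stateful inspection replaced plain packet filtering as the default firewall technology.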

Firewalls, intrusion detection systems, and antivirus software
- Intrusion detection systems: protect against suspicious network traffic and attempts to access files and databases.
Antivirus and antispyware software
- Antivirus software is designed to check computer systems and drives for the presence of computer viruses.
- It must be continually updated.

Firewalls, intrusion detection systems, and antivirus software
- Unified threat management (UTM) systems: combine these tools to help businesses reduce costs and improve manageability.

Encryption and public key infrastructure
- Encryption: transforming plaintext or data into ciphertext that cannot be read by anyone other than the sender and the intended receiver.
- Two methods for encrypting network traffic on the Web: Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS); Secure Hypertext Transfer Protocol (S-HTTP).
- Two methods of encryption: symmetric key encryption; public key encryption.

Encryption and public key infrastructure
- Digital certificates: establish the identity of users and electronic assets for the protection of online transactions. A digital certification system uses a trusted third party (such as VeriSign, IdenTrust, and Australia's KeyPost) to validate a user's identity.
- Public key infrastructure (PKI): the use of public key cryptography working with a certification authority.

Ensuring system availability
- Online transaction processing requires 100% availability, with no downtime.
- Fault-tolerant computer systems contain redundant hardware, software and power supply components that create an environment providing continuous, uninterrupted service.
- High-availability computing.
- Downtime: the period of time in which a system is not operational.
- Recovery-oriented computing: designing systems that recover quickly, and implementing capabilities and tools to help operators pinpoint the sources of faults in multi-component systems and easily correct their mistakes.

- Deep packet inspection (DPI): examines data files and sorts out low-priority online material while assigning higher priority to business-critical files.
- Security outsourcing: managed security service providers (MSSPs) monitor network activity and perform vulnerability testing and intrusion detection.

Security in the cloud
- Responsibility for security resides with the company owning the data.
- Firms must ensure that providers provide adequate protection: where data are stored; meeting corporate requirements and legal privacy laws; segregation of data from other clients; audits and security certifications.
- Service level agreements (SLAs).

Securing mobile platforms
- Security policies should include and cover any special requirements for mobile devices, with guidelines for the use of platforms and applications.
- Mobile device management tools: authorization, inventory records, control of updates, lock down/erase of lost devices, encryption.
- Software for segregating corporate data on devices.

Ensuring software quality
- Software metrics: objective assessments of a system in the form of quantified measurements, such as the number of transactions, online response time, payroll checks printed per hour, and known bugs per hundred lines of code.
- Early and regular testing.
- Walkthrough: review of a specification or design document by a small group of qualified people.
- Debugging: the process by which errors are eliminated.