CHAPTER 8. WHY SYSTEMS ARE VULNERABLE

Presentation transcript:

CHAPTER 8

WHY SYSTEMS ARE VULNERABLE When large amounts of data are stored in electronic form, they are more vulnerable to threats. The potential for unauthorized access, abuse or fraud is not limited to a single location. CONTEMPORARY SECURITY CHALLENGES Technical, organizational and environmental factors.

Contemporary Security Challenges and Vulnerabilities Figure 8-1

INTERNET VULNERABILITIES Computers that are constantly connected to the internet by cable modems or DSL are more open to penetration by outsiders because they use fixed internet addresses, by which they can be easily identified. WIRELESS SECURITY CHALLENGES Radio frequency bands are easy to scan. The service set identifiers (SSIDs) identifying the access points are broadcast multiple times.

HACKERS AND COMPUTER CRIME A hacker is an individual who intends to gain unauthorized access to a computer system. Within the hacking community, the term cracker is typically used to denote a hacker with criminal intent, although in the public press the terms hacker and cracker are used interchangeably.

SPOOFING AND SNIFFING Spoofing also may involve redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination. For example, if hackers redirect customers to a fake Web site that looks almost exactly like the true site, they can then collect and process orders, effectively stealing business as well as sensitive customer information from the true site. A sniffer is a type of eavesdropping program that monitors information travelling over a network.

DENIAL OF SERVICE ATTACKS In a denial of service (DoS) attack, hackers flood a network server or web server with many thousands of false communications or requests for services in order to crash the network. A distributed denial of service (DDoS) attack uses numerous computers to inundate and overwhelm the network from numerous launch points.

COMPUTER CRIME Any violation of criminal law that involves a knowledge of computer technology for its perpetration, investigation or prosecution. IDENTITY THEFT A crime in which an impostor obtains key pieces of personal information, such as social security identification numbers, driver's license numbers, or credit card numbers, to impersonate someone else.

CLICK FRAUD Occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase. GLOBAL THREATS: CYBER TERRORISM AND CYBER WARFARE Cybercriminal activities, such as launching malware, denial of service attacks, and phishing probes, are borderless. These vulnerabilities make digital networks easy targets for digital attack by terrorists, foreign intelligence services, or other groups seeking widespread disruption and harm.

INTERNAL THREATS: EMPLOYEES Many employees forget their passwords to access the computer systems or allow co-workers to use them, which compromises the system. Malicious intruders seeking system access sometimes trick employees into revealing their passwords by pretending to be legitimate members of the company in need of information. This practice is called social engineering.

SOFTWARE VULNERABILITY Software errors pose a constant threat to information systems, causing untold losses in productivity. The growing complexity and size of software programs, coupled with demands for timely delivery to markets, have contributed to an increase in software flaws or vulnerabilities. A major problem with software is the presence of hidden bugs or program code defects.

ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL

INFORMATION SYSTEMS CONTROLS: GENERAL CONTROLS General controls govern the design, security and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure. On the whole, general controls apply to all computerized applications and consist of a combination of hardware, software and manual procedures.

Type of general control / Description

SOFTWARE CONTROLS: Monitor the use of system software and prevent unauthorized access to software programs, system software and computer programs.

HARDWARE CONTROLS: Ensure that computer hardware is physically secure and check for equipment malfunction. Organizations that are critically dependent on their computers also must make provisions for backup or continued operation to maintain constant service.

COMPUTER OPERATIONS CONTROLS: Oversee the work of the computer department to ensure that programmed procedures are consistently and correctly applied to the storage and processing of data. They include controls over the setup of computer processing jobs and backup and recovery procedures for processing that ends abnormally.

DATA SECURITY CONTROLS: Oversee the work of the computer department to ensure that programmed procedures are consistently and correctly applied to the storage and processing of data. They include controls over the setup of computer processing jobs and backup and recovery procedures for processing that ends abnormally.

IMPLEMENTATION CONTROLS: Audit the systems development process at various points to ensure that the process is properly controlled and managed.

ADMINISTRATIVE CONTROLS: Formalize standard rules, procedures and control disciplines to ensure that the organization's general and application controls are properly executed and enforced.

INFORMATION SYSTEMS CONTROLS: APPLICATION CONTROLS Application controls are specific controls unique to each computerized application, such as payroll or order processing. Application controls can be classified as input controls, processing controls and output controls.

RISK ASSESSMENT A risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled.

SECURITY PROFILES FOR A PERSONNEL SYSTEM Figure 8-4

DISASTER RECOVERY PLANNING Devises plans for the restoration of computing and communication services after they have been disrupted. Disaster recovery plans focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems or disaster recovery services.

BUSINESS CONTINUITY PLANNING Focuses on how the company can restore business operations after a disaster strikes. The business continuity plan identifies critical business processes and determines action plans for handling mission-critical functions if systems go down.

ROLE OF AUDITING An MIS audit examines the firm's overall security environment as well as the controls governing individual information systems. The auditor should trace the flow of sample transactions through the system and perform tests using, if appropriate, automated audit software.

ACCESS CONTROL Access control consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders. To gain access, a user must be authorized and authenticated. Authentication refers to the ability to know that a person is who he or she claims to be. Access control software is designed to allow only authorized users to use systems or to access data, using some method of authentication.

ACCESS CONTROL Biometric authentication uses systems that read and interpret individual human traits, such as fingerprints, irises and voices, in order to grant or deny access.
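The two gates named above, authentication first and authorization second, as an added example that is not part of the presentation. The user store, the roles, the applications (payroll and order processing are taken from the slides) and the salted password-hashing scheme are constructed for illustration.

```python
"""Authentication (is this person who they claim to be?) kept separate from
authorization (may this person do this action?). Added example; the users,
roles and permissions below are constructed, not from the presentation."""
import hashlib
import hmac
from typing import Optional

def _hash_password(password: str, salt: bytes) -> bytes:
    """Store only a salted, slow hash of the password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: each user has a salt, a password hash and one role.
_SALT_ALICE, _SALT_BOB = b"constructed-salt-1", b"constructed-salt-2"
USERS = {
    "alice": {"salt": _SALT_ALICE, "hash": _hash_password("correct horse", _SALT_ALICE), "role": "payroll_clerk"},
    "bob": {"salt": _SALT_BOB, "hash": _hash_password("hunter2", _SALT_BOB), "role": "order_entry"},
}

# Constructed authorization matrix: role -> allowed (application, action) pairs.
PERMISSIONS = {
    "payroll_clerk": {("payroll", "read"), ("payroll", "update")},
    "order_entry": {("orders", "read"), ("orders", "create")},
}

def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication gate: returns the username on success, None otherwise."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username is not rejected faster than a wrong password.
        _hash_password(password, b"constructed-dummy-salt")
        return None
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison so the hash check does not leak how many bytes matched.
    return username if hmac.compare_digest(candidate, record["hash"]) else None

def authorize(username: str, application: str, action: str) -> bool:
    """Authorization gate: may this already-authenticated user perform the action?"""
    role = USERS[username]["role"]
    return (application, action) in PERMISSIONS.get(role, set())

def access(username: str, password: str, application: str, action: str) -> str:
    """Both gates in order: a request that fails authentication never reaches authorization."""
    if authenticate(username, password) is None:
        return "denied: authentication failed"
    if not authorize(username, application, action):
        return "denied: not authorized"
    return "granted"
```

Alice can update payroll but cannot create orders, while any wrong or unknown credential is rejected before a role is even looked up.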

FIREWALLS, INTRUSION DETECTION SYSTEMS, AND ANTIVIRUS SOFTWARE FIREWALLS Hardware and software controlling the flow of incoming and outgoing network traffic. Network Address Translation (NAT) can provide another layer of protection when static packet filtering and stateful inspection are employed. Application proxy filtering examines the application content of packets.

INTRUSION DETECTION SYSTEMS Intrusion detection systems feature full-time monitoring tools placed at the most vulnerable points or 'hot spots' of corporate networks to detect and deter intruders continually.
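A small rate-based monitor of the kind an intrusion detection system runs, applied to the flood pattern described under DENIAL OF SERVICE ATTACKS: it buckets web server requests into fixed time windows and reports one source sending far more than normal (the DoS case) separately from many sources whose combined rate overwhelms the server (the DDoS case). Added example, not from the presentation; the log lines, window size and thresholds are constructed.

```python
"""Request-flood detection over web server log lines (Common Log Format).
Added example; the sample log and the thresholds are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format prefix: client IP, identity, user, [timestamp], "request".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def parse_line(line):
    """Return (client_ip, unix_time) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp())

def detect_floods(lines, window=10, per_source=50, total=200):
    """Bucket requests into windows of `window` seconds. One source above
    `per_source` requests is a DoS-style flood; a window whose combined count
    exceeds `total` with no single source over `per_source` is a DDoS-style flood."""
    buckets = defaultdict(Counter)  # window start -> requests per source IP
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than crash the monitor
        ip, t = parsed
        buckets[t - t % window][ip] += 1
    alerts = []
    for start in sorted(buckets):
        counts = buckets[start]
        for ip, n in counts.items():
            if n > per_source:
                alerts.append({"kind": "dos", "window": start, "source": ip, "requests": n})
        if sum(counts.values()) > total and max(counts.values()) <= per_source:
            alerts.append({"kind": "ddos", "window": start,
                           "sources": len(counts), "requests": sum(counts.values())})
    return alerts

def _line(ip, ts):
    return f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 2326'

# Constructed sample log: one normal request, one source flooding, then a distributed flood.
SAMPLE_LOG = (
    [_line("203.0.113.5", "10/Oct/2023:13:55:36 +0000")]
    + [_line("198.51.100.7", "10/Oct/2023:13:55:40 +0000")] * 60
    + [_line(f"10.0.0.{i}", "10/Oct/2023:13:56:10 +0000") for i in range(250)]
    + ["this line is not in log format"]
)
```

Running `detect_floods(SAMPLE_LOG)` yields one "dos" alert for 198.51.100.7 and one "ddos" alert for the 250-source window; the normal request and the malformed line produce nothing.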

ANTIVIRUS AND ANTISPYWARE SOFTWARE Antivirus software is designed to check computer systems and drives for the presence of computer viruses. Often the software eliminates the virus from the infected area; however, most antivirus software is effective only against viruses already known when the software was written.

UNIFIED THREAT MANAGEMENT SYSTEMS A combination of various security tools, including firewalls, virtual private networks, intrusion detection systems, web content filtering and antispam software, in a single appliance. Initially aimed at small and medium-sized businesses, UTM products are available for all sizes of networks.

ENCRYPTION AND PUBLIC KEY INFRASTRUCTURE Encryption is the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the intended receiver. There are two methods for encrypting network traffic on the web: Secure Sockets Layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP).

PUBLIC KEY ENCRYPTION

ENSURING SYSTEM AVAILABILITY In online transaction processing, transactions entered online are immediately processed by the computer. Multitudinous changes to databases, reporting and requests for information occur each instant.

ENSURING SOFTWARE QUALITY Good testing begins before a software program is even written, by using a walkthrough: a review of a specification or design document by a small group of people carefully selected based on the skills needed for the particular objectives being tested.