Chapter 8: Securing Information Systems
System Vulnerability
- Security (policies, procedures and technical measures) and controls (methods, policies and procedures) are important to ensure your system is not vulnerable
- Internet: e-mail and other ways hackers gain access
- Wireless security challenges: war driving, RFID bands, Wi-Fi transmission
- Malware: viruses, worms, Trojan horses, spyware, SQL injection attacks, key loggers
System Vulnerability (cont)
- Hackers, crackers, script kiddies
- Spoofing (redirecting a web address) and sniffing (an eavesdropping program that monitors information travelling over a network)
- Denial-of-service (DoS) attack
- Distributed denial-of-service (DDoS) attack
- Botnet
- Computer crime
Common Computer Crime
System Vulnerability (cont)
- Identity theft
- Phishing
- Evil twins
- Pharming
- Click fraud
- Cyberterrorism and cyberwarfare
- Internal threats: social engineering
- Software vulnerability: bugs and patches
Security and Control
Legal and regulatory requirements
- HIPAA – medical data
- Gramm-Leach-Bliley Act (Financial Services Modernization Act) – consumer data held by financial institutions
- Sarbanes-Oxley Act – protects investors from financial scandals
Electronic evidence and computer forensics
- Computer forensics – the collection, examination, authentication, preservation and analysis of data held on storage media so that it can be used as evidence in court
Security and Control Framework
Types of controls
- General controls – govern the design, security and use of computer programs and the security of data files throughout the organization's infrastructure
- Application controls – specific controls unique to each computerized application, such as payroll or order processing; include input, processing and output controls
Risk assessment
- Determines the level of risk to the firm
- Once risks are assessed, system builders concentrate on the control points with the greatest vulnerability and potential for loss
Security and Control Framework (cont)
Security policy
- Created after the risk assessment; states how the company's assets are to be protected
- Acceptable use policy (AUP) – acceptable uses of the firm's information systems, etc.
- Identity management – determines the valid users of the system
Disaster recovery
- Hot site vs. cold site
- Business continuity planning
Auditing
- MIS audit – examines the firm's overall security environment
Technologies and Tools for Protecting Information Resources
Identity management and authentication
- Passwords
- Tokens
- Smart cards
- Biometric authentication (human traits)
- Authentication factors: what you know, what you have, who you are
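The "what you know" and "what you have" factors listed above can be combined in a single login check. The following is an added example, not code from the textbook or the course: the password factor is stored as a salted PBKDF2 hash rather than in the clear, and the possession factor is a time-based one-time code (TOTP, RFC 6238) of the kind a hardware token or phone app produces. The user record, the `enroll`/`authenticate` function names and the sample credentials are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# TOTP parameters assumed here: 30-second step, 6-digit codes (RFC 6238 defaults).
TOTP_STEP = 30
TOTP_DIGITS = 6


def hash_password(password, salt=None, iterations=200_000):
    """Derive a salted PBKDF2-HMAC-SHA256 digest; the cleartext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, stored_digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # compare_digest avoids leaking how many bytes matched through timing.
    return hmac.compare_digest(candidate, stored_digest)


def hotp(secret, counter, digits=TOTP_DIGITS):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """Time-based variant: the counter is the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step, digits)


def enroll(username, password, totp_secret):
    """Constructed user record; a real system would keep this in a database."""
    salt, iters, digest = hash_password(password)
    return {"user": username, "salt": salt, "iters": iters, "digest": digest,
            "totp_secret": totp_secret, "last_counter": -1}


def authenticate(record, password, code, now, window=1):
    """Both factors must pass; a code is only accepted once (replay defence)."""
    pw_ok = verify_password(password, record["salt"], record["iters"], record["digest"])

    counter = int(now) // TOTP_STEP
    matched = None
    # Allow +/- one step of clock drift, but never a step already consumed.
    for c in range(counter - window, counter + window + 1):
        if c <= record["last_counter"]:
            continue
        if hmac.compare_digest(hotp(record["totp_secret"], c), code):
            matched = c
            break

    if pw_ok and matched is not None:
        record["last_counter"] = matched       # burn the code so it cannot be replayed
        return True
    return False


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 sample key and a made-up password.
    secret = b"12345678901234567890"
    alice = enroll("alice", "correct horse battery staple", secret)
    t = 59
    print("login with both factors:", authenticate(alice, "correct horse battery staple", totp(secret, t), t))
    print("same code replayed:     ", authenticate(alice, "correct horse battery staple", totp(secret, t), t))
```

Note that the password check and the code check are both evaluated before the decision is made, so a failure on one factor does not reveal which factor was wrong, and a correct code is not consumed when the password was wrong.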
Technologies (cont)
- Firewalls – prevent unauthorized users from accessing private networks; a combination of hardware and software that controls the flow of incoming and outgoing network traffic; identify names, IP addresses, applications and other characteristics of incoming traffic
- Intrusion detection systems – monitor for vulnerability
- Antivirus and antispyware software
- Unified threat management (UTM) – comprehensive security management delivered in a single device
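To make the firewall description concrete, here is an added example (not code from the textbook or any firewall product) of the packet-filtering decision a firewall makes: each packet's direction, source and destination IP address and application port are checked against an ordered rule list, the first matching rule wins, and anything unmatched is denied. The network ranges, rule set and sample traffic are all constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the private network
    src: str         # source IP address
    dst: str         # destination IP address
    proto: str       # "tcp", "udp" or "icmp"
    dport: int       # destination port, which identifies the application (443 = HTTPS, 22 = SSH, ...)


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str
    src: str                 # CIDR block the source must fall in
    dst: str                 # CIDR block the destination must fall in
    proto: str               # protocol or "any"
    dport: Optional[int]     # None = any port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed policy for a hypothetical firm using 10.0.0.0/8 internally.
RULES = [
    # Anti-spoofing: a packet arriving from the Internet must not claim an internal source.
    Rule("deny",  "in",  "10.0.0.0/8",     "0.0.0.0/0",    "any", None),
    # Public web server reachable from anywhere on HTTPS only.
    Rule("allow", "in",  "0.0.0.0/0",      "10.0.1.10/32", "tcp", 443),
    # Remote administration over SSH only from a partner's address range.
    Rule("allow", "in",  "203.0.113.0/24", "10.0.1.20/32", "tcp", 22),
    # Internal hosts may browse (HTTPS) and resolve names (DNS).
    Rule("allow", "out", "10.0.0.0/8",     "0.0.0.0/0",    "tcp", 443),
    Rule("allow", "out", "10.0.0.0/8",     "0.0.0.0/0",    "udp", 53),
]


def filter_packet(pkt: Packet, rules=RULES):
    """Return (action, matching rule); first match wins, unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule
    return "deny", None      # default deny: anything not explicitly allowed is dropped


def filter_traffic(packets, rules=RULES):
    """Apply the policy to a batch of packets and return (action, packet) pairs."""
    return [(filter_packet(p, rules)[0], p) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic (documentation address ranges, not real hosts).
    sample = [
        Packet("in",  "198.51.100.7", "10.0.1.10", "tcp", 443),   # web visitor
        Packet("in",  "198.51.100.7", "10.0.1.20", "tcp", 22),    # SSH from outside partner range
        Packet("in",  "203.0.113.5",  "10.0.1.20", "tcp", 22),    # SSH from partner range
        Packet("in",  "10.0.0.5",     "10.0.1.10", "tcp", 443),   # spoofed internal source
        Packet("out", "10.0.2.3",     "192.0.2.53", "udp", 53),   # DNS lookup
        Packet("out", "10.0.2.3",     "192.0.2.25", "tcp", 25),   # outbound SMTP, not in policy
    ]
    for action, p in filter_traffic(sample):
        print(f"{action:5} {p.direction:3} {p.src:>15} -> {p.dst:>12} {p.proto}/{p.dport}")
```

The rule order matters: the anti-spoofing deny sits first so that a packet forging an internal source address is dropped before the "allow HTTPS from anywhere" rule could accept it.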
Wireless Security
Encryption and Public Key Infrastructure
- Secure Sockets Layer (SSL) – establishes a secure connection between computers
- Secure Hypertext Transfer Protocol (S-HTTP) – encrypts messages
- Public key encryption – secure encryption that uses two keys
- Digital certificates – data files used to establish the identity of users and electronic assets
- Public key infrastructure (PKI) – public key cryptography working with a certification authority
System Availability
- Online transaction processing (OLTP) – transactions are processed immediately
- Fault-tolerant computer systems – detect hardware failures
- High-availability computing – for recovering quickly from a crash
- Downtime – periods when the system is not operational
- Recovery-oriented computing – tries to minimize downtime
- Deep packet inspection (DPI) – examines data files and sorts out low-priority online material, assigning higher priority to business-critical functions
Security outsourcing
- Managed security service providers (MSSPs) – monitor network activity