
Chapter 17 Controls and Security Measures

1 I. Assets and Threats
Information system assets that must be protected:
- People
- Hardware
- Software
  - Operating systems
  - Applications
- Data
- Networks

2 Main Sources of Security Threats
- Hardware failure
- Software failure (an unknown bug)
- Fire
- Electrical problems
- Natural disasters (flood, hurricane, tornado, etc.)
- Alteration or destruction of data
- Human error
- Unauthorized access (internal or external)
- Theft of data, information, services, equipment, or money
- Telecommunications problems
- Computer viruses

3 II. Classifications for Controls
Classification 1: by when the control acts
- Preventive control: a constraint designed to stop a security risk from occurring. Example: passwords for system access.
- Detective control: a constraint designed to detect a security risk as it occurs. Example: virus detection software.
- Corrective control: a constraint designed to repair a breach of security after it has occurred. Example: a disaster recovery plan.

4 Classifications for Controls
Classification 2: by scope
- General controls establish a framework for controlling the design and use of information system assets and operations:
  - Software controls: monitor the use of system software
  - Hardware controls: physical protection, e.g. provisions against fire
  - Computer operations controls: backup and recovery procedures
  - Data security controls: protection against unauthorized access to data
  - Implementation controls: audit of the systems development process
  - Administrative controls: procedures that ensure the other controls are properly executed and enforced
- Application controls are specific to individual applications:
  - Input controls: check data for accuracy as it enters the system
  - Processing controls: establish that data are complete and that accurate results are obtained
  - Output controls: ensure that results are properly distributed

5 Management Analysis for Reducing Threats: 1
Worksheet: for each type of threat, list the available controls of each type.

Type of threat    | Preventive    | Detective     | Corrective
------------------+---------------+---------------+---------------
Hardware failure  | list controls | list controls | list controls
Software failure  | list controls | list controls | list controls
Fire              | list controls | list controls | list controls

6 Management Analysis for Reducing Threats: 2
Worksheet: for each type of threat, list the controls that protect each information system asset.

Type of threat    | Hardware      | Software      | Data
------------------+---------------+---------------+---------------
Hardware failure  | list controls | list controls | list controls
Software failure  | list controls | list controls | list controls
Fire              | list controls | list controls | list controls

7 III. Risk Management
Risk management consists of:
- the identification of risks or threats
- the implementation of controls
- the monitoring of the controls for effectiveness
Risk assessment is the risk management activity that attempts to determine:
- What can go wrong?
- How likely is it to go wrong?
- What are the consequences if it does go wrong?

8 The Economic Aspect of Risk Management - 1
Two types of cost to consider when deciding how much to spend on data security:
- the cost of potential damage
- the cost of implementing a preventive measure
The total cost of potential damage is the sum, over all potential damages, of each damage multiplied by the probability that it occurs (expressed per year, this is the annualized loss expectancy). Both the damage and the probability can be difficult to estimate, so the result is an estimate rather than a measurement.

9 The Economic Aspect of Risk Management - 2
Figure (not reproduced): the total cost to the enterprise, i.e. the cost of potential damage plus the cost of security measures, plotted against spending on security. The total is lowest at "Optimum". No less, and no more, than that amount should be spent on information security measures.
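The arithmetic behind slides 8 and 9, carried through in code as an added example (it is not from the slides). Each threat has a single-loss cost and an expected annual rate, so damage times probability summed over all threats is the total cost of potential damage; each control costs money and removes a fraction of one or more threats' rates; the "Optimum" is the set of controls that minimises residual damage plus spend. All dollar figures, rates and mitigation fractions are constructed for illustration.

```python
"""Risk-management arithmetic: expected damage, control cost, and the optimum."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    single_loss: float   # cost of one occurrence, in dollars (constructed)
    annual_rate: float   # expected occurrences per year (constructed)

    def expected_loss(self) -> float:
        """Damage multiplied by probability of occurrence, per year."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # threat name -> fraction of that threat's rate the control removes (assumed)
    mitigates: dict


def total_expected_damage(threats):
    """Slide 8's 'total cost of potential damage' with no controls in place."""
    return sum(t.expected_loss() for t in threats)


def residual_loss(threat, controls):
    """Expected loss from one threat after the chosen controls are applied."""
    rate = threat.annual_rate
    for control in controls:
        rate *= 1.0 - control.mitigates.get(threat.name, 0.0)
    return threat.single_loss * rate


def total_cost(threats, controls):
    """Slide 9's curve: cost of remaining damage plus cost of the measures."""
    damage = sum(residual_loss(t, controls) for t in threats)
    spend = sum(c.annual_cost for c in controls)
    return damage + spend


def choose_controls(threats, candidates):
    """Greedy search for the 'Optimum': keep adding the control that lowers
    total cost the most, and stop when no remaining control pays for itself."""
    chosen, pool = [], list(candidates)
    current = total_cost(threats, chosen)
    while pool:
        best = min(pool, key=lambda c: total_cost(threats, chosen + [c]))
        cost_with_best = total_cost(threats, chosen + [best])
        if cost_with_best >= current:
            break  # spending more would cost more than the damage it prevents
        chosen.append(best)
        pool.remove(best)
        current = cost_with_best
    return chosen


# Constructed figures, not taken from the slides.
THREATS = [
    Threat("Hardware failure", single_loss=20_000, annual_rate=0.5),
    Threat("Fire", single_loss=500_000, annual_rate=0.01),
    Threat("Virus infection", single_loss=8_000, annual_rate=4.0),
    Threat("Unauthorized access", single_loss=60_000, annual_rate=0.2),
]
CANDIDATE_CONTROLS = [
    Control("Anti-virus software", 3_000, {"Virus infection": 0.9}),
    Control("Fault-tolerant hardware", 15_000, {"Hardware failure": 0.95}),
    Control("Fire suppression", 2_000, {"Fire": 0.8}),
    Control("Access controls", 5_000, {"Unauthorized access": 0.7}),
    Control("24x7 security guards", 40_000, {"Unauthorized access": 0.9, "Fire": 0.5}),
]

if __name__ == "__main__":
    print(f"Total cost of potential damage: ${total_expected_damage(THREATS):,.0f}")
    picked = choose_controls(THREATS, CANDIDATE_CONTROLS)
    for c in picked:
        print(f"  adopt {c.name} (${c.annual_cost:,.0f}/yr)")
    print(f"Total cost at optimum: ${total_cost(THREATS, picked):,.0f}")
```

With these numbers the fault-tolerant hardware is rejected even though it removes 95% of hardware failures: it costs $15,000 a year to prevent $9,500 of expected loss. That is the slide's "no more should be spent" point in one line. The greedy search is adequate for a handful of controls; with many interacting controls an exact search over subsets would be needed, and in practice the uncertainty in the estimates dwarfs the difference.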

10 IV. Telecommunication Network Vulnerabilities
Because of the complex and diverse hardware, software, organizational and personnel arrangements a telecommunication network requires, there are many areas of vulnerability:
- natural failures of hardware and software
- misuse by programmers, computer operators, maintenance staff, and end users
- tapping of lines and illegal interception of data
- interference such as crosstalk
- interference from radiation of other devices

11 Special Threats to the Internet
- Viruses
- Web defacing
- Spoofing
- Denial of service attacks
- Hackers

12 Computer Viruses
A computer virus is software written with malicious intent to cause annoyance or damage. Viruses can be benign or malignant:
- A benign virus displays a message or slows down a computer but does not destroy information.
- A malignant virus damages your computer system: it may scramble or delete files, shut the computer down, or stop applications from functioning.
Viruses spread by copying infected files from someone else's disk or by receiving infected files as an attachment.

13 More on Viruses
A macro virus is a malignant virus that lives in the macros of documents for application software such as Word or Excel and makes copies of itself (replicates) into other documents each time you use the application. If you have such a virus on your computer you can infect another machine by attaching an infected file to an e-mail; the recipient's machine is infected as soon as they open the attachment and its macros run (current office software warns before running macros from an attachment, so today the recipient usually has to enable them first).
Worms are often lumped in with viruses but are a distinct category: a worm is a self-contained program that spreads from computer to computer rather than from file to file, and it needs no help from you. A mass-mailing worm, for example, finds your address book and mails itself to your contacts.

14 Other Threats to the Internet
- Web defacing: intruders break into a Web site and replace its pages with substitute pages that are neither attractive nor complimentary; electronic graffiti.
- Spoofing: in the sense used here (DNS spoofing), the perpetrator exploits flaws in the domain name software (DNS) used on the Internet to redirect a would-be Web site visitor to an alternate site that is usually not complimentary to the real site owner. This is similar to someone switching your name with someone else's in a telephone directory. More generally, spoofing means impersonating a trusted party: a site, a sender, or a network address.
- Denial of service attack (DoS): a site is flooded with more requests (log-on attempts, page requests, connection attempts) than it can handle, so legitimate users are locked out. The requests are generated by purpose-built software that can keep issuing them automatically over a long period.
- Distributed denial of service attack (DDoS): a denial of service attack launched from many computers at once, which makes it far harder to block by source address.

15 Hackers
A hacker, in the sense used in these slides, is a person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure. Hackers are the source of computer viruses, Web defacing, spoofing, and denial of service attacks.
In a 1998 survey of 1,600 companies in 50 countries, 73% of respondents reported security breaches. Of those breaches:
- 58% were committed by authorized employees
- 24% were committed by unauthorized employees
- 13% were committed by outside hackers or terrorists
That is, most reported breaches came from inside the organization, not from outside hackers.

16 Examples of Network/Internet Controls - 1
- Anti-virus software detects and removes or quarantines computer viruses. It must be updated frequently, since new viruses appear every day and signature-based detection only recognizes viruses it already knows.
- Firewalls are hardware and/or software that protect a computer or network from intruders by filtering traffic. A firewall can also detect when your computer is communicating with the Internet without your approval.
- A callback control verifies a remote dial-in user's telephone number before access is allowed: the system hangs up and calls the user back at a pre-registered number.

17 Examples of Network/Internet Controls - 2
- Access controls check who you are before you are given access. The checks are (1) passwords (something you know), (2) special ID cards (something you have), and (3) biometrics such as fingerprints, voice, or the retina of your eye (something you are). Combining more than one kind is stronger than any one alone.
- Encryption encodes a message to prevent unauthorized access to, or understanding of, the data being transmitted.
  - For Web transactions the slides name SSL and S-HTTP as the encryption standards. SSL has since been replaced by TLS (the "https" in the address bar), and S-HTTP never saw wide adoption.
  - When you access data on a secure server, the communication between your browser and the server is encrypted.
- Intrusion-detection software looks for people on a network who are acting suspiciously (e.g., trying lots of passwords).
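The preventive and detective controls for one threat, password guessing, side by side: slide 3 lists passwords as a preventive control and slide 17 lists intrusion detection as a detective one. This is an added example, not code from the slides. It stores passwords as salted PBKDF2-HMAC-SHA256 hashes (the standard-library choice; the iteration count is an assumption), verifies them in constant time, and then scans constructed authentication log lines, in an assumed format, for a source that fails too many log-ins inside a short window.

```python
"""Passwords done right (preventive) and password-guessing detection (detective)."""
import hashlib
import hmac
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed; OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). Store both; never store the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute and compare in constant time so timing does not leak the match."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


# Constructed log lines in an assumed format: <ISO time> <OK|FAIL> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-04T10:00:01 FAIL user=alice src=203.0.113.7
2024-03-04T10:00:14 FAIL user=bob src=203.0.113.7
2024-03-04T10:00:20 FAIL user=carol src=198.51.100.2
2024-03-04T10:00:31 FAIL user=carol src=203.0.113.7
2024-03-04T10:00:45 OK user=carol src=198.51.100.2
2024-03-04T10:00:52 FAIL user=dave src=203.0.113.7
2024-03-04T10:01:10 FAIL user=erin src=203.0.113.7
2024-03-04T10:08:00 FAIL user=alice src=192.0.2.9
2024-03-04T10:15:00 FAIL user=alice src=192.0.2.9
2024-03-04T10:22:00 FAIL user=alice src=192.0.2.9
2024-03-04T10:29:00 FAIL user=alice src=192.0.2.9
2024-03-04T10:36:00 FAIL user=alice src=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def detect_guessing(lines, threshold=5, window_seconds=120):
    """Flag a source once it produces `threshold` failures inside a sliding window.

    Returns {source: time of first detection}. Lines that do not parse are skipped.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> timestamps of failures still in the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "FAIL":
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures that fell out of the window
        if len(q) >= threshold and m["src"] not in flagged:
            flagged[m["src"]] = m["ts"]
    return flagged


if __name__ == "__main__":
    salt, stored = hash_password("correct horse battery staple")
    print("right password:", verify_password("correct horse battery staple", salt, stored))
    print("wrong password:", verify_password("Tr0ub4dor&3", salt, stored))
    print("flagged sources:", detect_guessing(SAMPLE_LOG.splitlines()))
```

The detector flags 203.0.113.7, which fails five different accounts in 69 seconds (a password spray). It does not flag 192.0.2.9, which also fails five times but seven minutes apart: a per-window threshold is blind to slow guessing, so a real deployment also counts failures per account over hours and days, and pairs detection with the preventive side (lockout or rate limiting) rather than relying on either alone.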

18 Examples of Network/Internet Controls - 3
- A digital signature is a digital code attached to an electronically transmitted message that is used to verify the origin and the integrity of the message (the electronic counterpart of a written signature). It is computed with the sender's private key and checked with the matching public key; any change to the message after signing makes the check fail.
- Digital certificates are attachments to an electronic message that verify the identity of the sender and carry the sender's public key, so the recipient can check the signature and encrypt a reply. The certificate is itself signed by a certificate authority that vouches for the binding between the identity and the key.
- Load balancing is the process of distributing a large number of access requests among multiple servers so that no single server is overwhelmed. It is a capacity measure rather than a security control in itself, but it blunts request floods.

19 Other Controls - 1
- Backup is the process of making a copy of the information stored on a computer. There is no action you can take that is more essential than regular backups; a backup is only as good as the restore you have tested from it.
- Surveillance cameras in areas that contain IS assets can deter theft or destruction.
- Surveillance software can record user actions down to individual keystrokes.
- Anti-theft systems can be installed so that alarms go off if unauthorized personnel tamper with computer hardware.

20 Other Controls - 2
- A hot site is a separate, fully equipped facility to which a firm can move immediately after a disaster and resume business.
- Fault-tolerant computer systems contain extra (redundant) hardware, software, and power supply components, so that the failure of one component does not interrupt service.
- A disaster recovery plan is a plan for running the business in the event of a computer outage. The plan states what should be done and by whom.

21 Other Controls - 3
- Data entry controls try to reduce errors in the data entry process by restricting the range of the data or its format (in Access, see "validation rules" and "input masks" in the Design View for tables).
- Separation of duties means that different people are in charge of different activities, providing checks and balances and minimizing the possibility of criminal behavior, since a fraud would then require two people to collude.
- An audit trail is a system that automatically records data such as the date and time of a transaction and the identity of the user performing a specified activity (often without the user's knowledge). The trail should record the user's ID, never the password, and it should be protected against alteration, since the people it watches may include administrators.
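The application controls of slide 4 (input controls) and the three controls of slide 21 (data entry validation, separation of duties, audit trail) in one small payment-entry system, as an added example that is not from the slides. The field names, the account mask, the amount limit and the currency list are assumptions standing in for the validation rules and input masks the slide mentions.

```python
"""Input validation, separation of duties and an audit trail for payment entry."""
import re
from datetime import datetime, timezone

ACCOUNT_MASK = re.compile(r"\d{8}")          # input mask: exactly eight digits (assumed)
MAX_AMOUNT = 10_000.0                         # validation rule: 0 < amount <= 10,000 (assumed)
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}    # assumed


def validate_payment(record: dict) -> list:
    """Return a list of validation errors (empty means the record is acceptable)."""
    errors = []
    if not ACCOUNT_MASK.fullmatch(str(record.get("account", ""))):
        errors.append("account: must be exactly 8 digits")
    amount = record.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) \
            or not 0 < amount <= MAX_AMOUNT:
        errors.append(f"amount: must be a number greater than 0 and at most {MAX_AMOUNT:,.0f}")
    if record.get("currency") not in ALLOWED_CURRENCIES:
        errors.append("currency: must be one of " + ", ".join(sorted(ALLOWED_CURRENCIES)))
    try:
        datetime.strptime(str(record.get("date", "")), "%Y-%m-%d")
    except ValueError:
        errors.append("date: must be YYYY-MM-DD")
    return errors


class PaymentSystem:
    def __init__(self, clock=None):
        self.payments = {}
        self.audit_trail = []   # append-only list of audit records
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _audit(self, user, action, outcome, **details):
        # Record who, when, what and the outcome. Credentials are never written here.
        self.audit_trail.append({"time": self._clock().isoformat(), "user": user,
                                 "action": action, "outcome": outcome, **details})

    def enter_payment(self, user: str, record: dict) -> int:
        """Input control: reject anything that fails validation, and log the rejection."""
        errors = validate_payment(record)
        if errors:
            self._audit(user, "enter_payment", "rejected", errors=errors)
            raise ValueError("; ".join(errors))
        payment_id = len(self.payments) + 1
        self.payments[payment_id] = {"record": dict(record), "entered_by": user,
                                     "approved_by": None}
        self._audit(user, "enter_payment", "accepted", payment_id=payment_id)
        return payment_id

    def approve_payment(self, user: str, payment_id: int) -> bool:
        """Separation of duties: the person who entered a payment may not approve it."""
        payment = self.payments[payment_id]
        if payment["entered_by"] == user:
            self._audit(user, "approve_payment", "denied", payment_id=payment_id,
                        reason="separation of duties")
            raise PermissionError(f"{user} entered payment {payment_id} and may not approve it")
        payment["approved_by"] = user
        self._audit(user, "approve_payment", "approved", payment_id=payment_id)
        return True


if __name__ == "__main__":
    system = PaymentSystem()
    pid = system.enter_payment("alice", {"account": "12345678", "amount": 250.0,
                                         "currency": "USD", "date": "2024-03-04"})
    try:
        system.approve_payment("alice", pid)
    except PermissionError as exc:
        print("denied:", exc)
    system.approve_payment("bob", pid)
    for entry in system.audit_trail:
        print(entry)
```

Note that the denied approval attempt is logged as well as the successful one: an audit trail that records only what succeeded is of little use to the investigator who later asks who tried. In a real system the trail would be written to storage the application's own users cannot modify (append-only log, separate log host), for the reason given in the slide.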

22 V. Impact of Not Having a Recovery Plan
When companies are hit with the catastrophic loss of computerized records:
- 43% never reopen
- 51% close within two years
- 6% survive long term
Despite these statistics, many firms do not have a recovery plan.