C8- Securing Information Systems (Security and Control). Opening example: the Facebook virus that spread through a prompt telling users to "Update your Adobe Flash!"


The Security Challenge

Security vs. Control
– Security: the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems.
– Controls: the methods, policies and procedures that ensure the safety of the organization's assets, the accuracy and reliability of its records, and adherence to management standards.

Security Vulnerabilities
The potential for unauthorized access, abuse, or fraud is not limited to a single location but can occur at any access point in the network, including smartphones and other mobile clients that connect from outside the corporate perimeter.

System Vulnerability and Abuse: Internet vulnerabilities
– Systems reachable from the Internet are open to outside attack, and because the Internet is shared, one abuse can have widespread impact.
– A fixed IP address gives an attacker a stable, easily located target ("they know where you are").
– VoIP services carry voice over the same IP networks and inherit their weaknesses (eavesdropping, spoofed calls, denial of service).

Wireless security challenges
– Many Wi-Fi networks can be penetrated easily: an intruder runs a sniffer program to capture network identifiers and addresses from the air (the network name and the addresses of legitimate clients) and then uses the network's resources without authorization.
– Rogue access points: an attacker sets up an unauthorized access point that looks like the corporate network so that clients connect through it and expose their traffic.

Malicious Software (Malware)
Computer viruses:
– Rogue software programs that attach to other programs in order to be executed, usually without user knowledge or permission
– Deliver a "payload"
– Can spread by attachments
Worms:
– Programs that copy themselves from one computer to another over networks; rely less on humans to spread
– Can destroy data and programs and halt the operation of computer networks
Trojan horse:
– A software program that appears to be benign but then does something unexpected
– Often "transports" a virus into a computer system

Malware (continued)
– SQL injection attacks: not malware as such, but a common way in. Unvalidated input from a Web form is pasted into a database query, so an attacker can supply input that changes the query and reads or modifies the database.
– Spyware: installs itself surreptitiously to monitor the user's Web surfing activity and serve advertising.
– Keyloggers: spyware that records every keystroke, capturing passwords and other confidential data.
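The SQL injection point above, as an added example (not code from the presentation): a vulnerable lookup built by string concatenation next to the parameterized version, run against a constructed in-memory SQLite table. The table, users and payloads are all invented for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny user table with hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "staff")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str):
    # The attacker's text becomes part of the SQL statement itself.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str):
    # Parameterized query: the value is bound by the driver and can never be parsed as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two classic payloads: one that defeats the WHERE clause, one that steals another column.
BYPASS_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT password_hash, role FROM users--"


def demo() -> dict:
    conn = build_db()
    return {
        "legit": find_user_safe(conn, "alice"),
        "vuln_bypass": find_user_vulnerable(conn, BYPASS_PAYLOAD),   # returns every user
        "vuln_union": find_user_vulnerable(conn, UNION_PAYLOAD),     # returns password hashes
        "safe_bypass": find_user_safe(conn, BYPASS_PAYLOAD),         # no such username
        "safe_union": find_user_safe(conn, UNION_PAYLOAD),           # no such username
    }
```

Binding parameters is the fix; escaping quotes by hand is not, because the driver knows the database's quoting rules and the application usually does not.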

Hackers and Cybervandalism
– Hackers: individuals who attempt to gain unauthorized access to a computer system
– Cracker: a hacker with criminal intent
– Activities include system intrusion, theft of goods and information, system damage and cybervandalism
– Cybervandalism: intentional disruption, defacement, or destruction of a Web site or system

Spoofing and Sniffing
– Spoofing: masquerading as someone else (a forged sender address, for example), or redirecting a Web link to an address different from the intended one
– Sniffing: an eavesdropping program that monitors information travelling over a network

Denial-of-Service (DoS) Attacks
– Attackers flood a server with bogus requests or connections until it crashes or can no longer serve legitimate users.
– Distributed denial of service (DDoS): the flood comes from thousands of "zombie" PCs infected with malicious software without their owners' knowledge and organized into a botnet, so there is no single source to block.
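Detection logic for the two flood shapes described above, as an added example that is not part of the presentation: it parses Apache-style access log lines, buckets them into ten-second windows and raises one alert when a single source exceeds a per-source limit and another when the total rate is far above normal while every individual source stays under that limit (the botnet case). The log lines, addresses and thresholds are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g. 198.51.100.7 - - [10/Oct/2023:13:55:10 +0000] "GET /login HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"), "status": int(m.group("status"))}


def detect_floods(lines, window_seconds=10, per_source_limit=20, total_limit=60):
    """Alert on (a) one source above per_source_limit in a window, (b) a window whose total
    exceeds total_limit although no single source does: the signature of a distributed flood."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    buckets = defaultdict(list)
    for e in events:
        buckets[int(e["ts"].timestamp()) // window_seconds].append(e)
    alerts = []
    for key in sorted(buckets):
        per_ip = Counter(e["ip"] for e in buckets[key])
        for ip, n in per_ip.items():
            if n > per_source_limit:
                alerts.append(("single-source-flood", ip, n))
        total = sum(per_ip.values())
        if total > total_limit and max(per_ip.values()) <= per_source_limit:
            alerts.append(("distributed-flood", f"{len(per_ip)} sources", total))
    return alerts


def make_sample_log():
    """Constructed log: a quiet window, then one hammering client, then 40 zombies at 3 hits each."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, offset):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET /login HTTP/1.1" 200 512'

    lines = [line(f"192.0.2.{i + 1}", i) for i in range(5)]                 # seconds 0-9: normal
    lines += [line("198.51.100.7", 10 + i % 10) for i in range(30)]        # seconds 10-19: one source
    lines += [line(f"203.0.113.{z + 1}", 20 + (z + k) % 10)                # seconds 20-29: botnet
              for z in range(40) for k in range(3)]
    return lines
```

Per-source thresholds alone miss the botnet window, which is exactly why DDoS is harder to handle than DoS: the defence has to reason about aggregate rate and request mix, not just about individual clients.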

Computers as Targets of Crime
– Breaching the confidentiality of protected computerized data
– Accessing a computer system without authority
– Knowingly accessing a protected computer to commit fraud
– Intentionally accessing a protected computer and causing damage, negligently or deliberately
– Knowingly transmitting a program, program code or command that causes damage to a protected computer
– Threatening to cause damage to a computer

Computers as Instruments of Crime
– Theft of trade secrets
– Unauthorized copying of software or copyrighted intellectual property, such as articles, books, music, and video
– Schemes to defraud
– Using e-mail or messaging for threats or harassment
– Intentionally attempting to intercept electronic communication
– Illegally accessing stored e-mail and voice mail
– Transmitting or possessing child pornography

Computer Crime: Identity Theft
– A crime in which an impostor obtains key pieces of personal information in order to impersonate someone else
– Phishing: setting up fake Web sites or sending messages that look legitimate, and using them to ask for confidential data
– Evil twins: wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet, such as those in airport lounges, hotels, or coffee shops
– Pharming: redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser

Computer Crime (continued)
– Click fraud: fraudulently clicking on online ads to run up an advertiser's costs or inflate a site's revenue
– Cyberterrorism and cyberwarfare: exploitation of systems by terrorists or states
– Internal threats (employees): lack of security knowledge among users is the single greatest cause of network security breaches
– Software vulnerability: bugs or program code defects; it is virtually impossible to eliminate all bugs from large programs
– Patches: to correct software flaws once they are found, the vendor creates small pieces of software called patches, which must be applied promptly before attackers exploit the flaw

Phishing

Business Value of Security and Control
– Government regulations and acts impose obligations on how information is protected and retained
– The firm must protect its own information assets and those of its customers, employees, and business partners
– Legal liability: litigation for data exposure or theft
– A sound security and control framework gives a high return on investment

Computer forensics is the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law. It involves:
– Recovering data from computers while preserving evidential integrity
– Securely storing and handling recovered electronic data
– Finding significant information in a large volume of electronic data
– Presenting the information to a court of law
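The first two activities above, as an added example that is not part of the presentation: a forensic image is hashed at acquisition; analysis is refused if the working copy no longer matches that hash; deleted pictures are recovered from unallocated space by header/footer carving; and the image is re-hashed afterwards to show the analysis did not alter it. The "image" is a constructed byte string containing two minimal PNG files, not real evidence.

```python
import hashlib
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"   # zero-length IEND chunk with its fixed CRC


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_png(image: bytes):
    """Header/footer carving: every PNG between a signature and the next IEND chunk."""
    found, pos = [], 0
    while True:
        start = image.find(PNG_SIGNATURE, pos)
        if start < 0:
            break
        end = image.find(PNG_IEND, start)
        if end < 0:
            break                                   # truncated file: signature with no footer
        end += len(PNG_IEND)
        found.append((start, image[start:end]))
        pos = end
    return found


def examine(image: bytes, acquisition_hash: str) -> dict:
    """Analyse only a copy that matches the hash recorded when the evidence was acquired."""
    if sha256_hex(image) != acquisition_hash:
        raise ValueError("image hash does not match acquisition record; evidential integrity broken")
    artifacts = [
        {"offset": off, "size": len(data), "sha256": sha256_hex(data)}   # hash each recovered file too
        for off, data in carve_png(image)
    ]
    return {
        "image_sha256": sha256_hex(image),
        "artifacts": artifacts,
        "unchanged_after_analysis": sha256_hex(image) == acquisition_hash,
    }


def minimal_png(width: int, height: int) -> bytes:
    """Constructed minimal PNG (signature + IHDR + IEND); enough to be carved, not a real picture."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    chunk = struct.pack(">I", len(ihdr)) + b"IHDR" + ihdr + struct.pack(">I", zlib.crc32(b"IHDR" + ihdr))
    return PNG_SIGNATURE + chunk + PNG_IEND


def make_sample_image() -> bytes:
    """Constructed 'unallocated space': filler, a deleted picture, more filler, a second picture."""
    return b"\x00" * 100 + minimal_png(16, 16) + b"\xff" * 37 + minimal_png(32, 8) + b"\x00" * 50
```

The hashes of the carved files go into the examination notes alongside their byte offsets, so that anyone can reproduce the recovery from the same image and arrive at the same artifacts.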

Establishing a Framework for Security and Control
General controls:
– Govern the design, security, and use of computer programs and the security of data files throughout the organization's IS infrastructure
– Include software controls, physical hardware controls, computer operations controls, data security controls, controls over the implementation of system processes, and administrative controls
Application controls:
– Unique to each application, such as payroll
– Three kinds: (1) input controls, (2) processing controls, and (3) output controls

Establishing a Framework (continued)
– Risk assessment: determines the level of risk to the firm if a specific activity or process is not properly controlled
– Security policy: ranks information risks, identifies acceptable security goals, and identifies the mechanisms for achieving these goals
– Acceptable Use Policy (AUP): defines acceptable and unacceptable uses of the firm's information resources
– Identity management: the business processes and software tools for identifying the valid users of a system and controlling their access to system resources
– Chief Security Officer (CSO): the executive responsible for the security function

Figure: two security profiles (data security patterns) showing the access rules for different levels of users in the human resources function.

Establishing a Framework (continued)
– Disaster recovery planning: restoring computing and communications after a disruption, e.g. by a duplicate computer center
– Business continuity planning: keeping business processes running after a disaster, supported by fault-tolerant computer systems, high-availability computing, recovery-oriented computing and, where appropriate, security outsourcing
– Auditing: an MIS audit examines the firm's overall security environment as well as the controls governing individual information systems

Technologies and Tools: Access Control
– Access controls consist of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders
– Authentication: the ability to know that a person is who she or he claims to be
– Methods: passwords, tokens, biometric authentication
– Biometric authentication uses systems that read and interpret individual human traits, such as fingerprints, irises, and voices, in order to grant or deny access
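Two of the authentication methods listed above (password and token), as an added example that is not part of the presentation: the password is never stored, only a salted PBKDF2-HMAC-SHA256 digest that is compared in constant time, and the token is a standard time-based one-time password (RFC 6238) of the kind authenticator apps produce. The storage string format and the login helper are assumptions for the demonstration; the TOTP secret used in the test is the RFC test vector, not a real credential.

```python
import base64
import hashlib
import hmac
import os
import struct


def hash_password(password: str, iterations: int = 600_000, salt: bytes = None) -> str:
    """Assumed storage format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = os.urandom(16) if salt is None else salt          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # constant-time comparison: a near-miss must take as long as a complete miss
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code shown by a typical authenticator app."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    # accept the neighbouring time steps to tolerate clock drift between server and token
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * step, step), code)
        for d in range(-skew, skew + 1)
    )


def login(stored_hash: str, totp_secret: str, password: str, code: str, unix_time: int) -> bool:
    # Evaluate both factors before deciding, so response time does not reveal which one failed.
    password_ok = verify_password(password, stored_hash)
    token_ok = verify_totp(totp_secret, code, unix_time)
    return password_ok and token_ok
```

The iteration count lives inside the stored string so it can be raised for new users without invalidating old hashes; a real deployment would also rate-limit attempts and mark a TOTP code as used once it has been accepted.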

Firewalls
Firewalls: hardware and software controlling the flow of incoming and outgoing network traffic
– Packet filtering examines selected fields in the headers of data packets flowing back and forth between the network and the Internet, judging each packet in isolation
– Stateful inspection provides additional security by determining whether packets are part of an ongoing dialogue between a sender and receiver, so a stray inbound packet that matches no known conversation is dropped
– Application proxy filtering examines the application content of packets. A proxy server stops data packets originating outside the organization, inspects them, and passes a proxy to the other side of the firewall
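The difference between the first two firewall types above, as an added example that is not part of the presentation: a stateless filter that has to allow any packet from source port 443 so that web replies can get back in, beside a stateful filter that only admits inbound packets matching a connection the inside opened (or a fresh connection to a published service). The address space, rules and traffic are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address space


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters: S = SYN, A = ACK, F = FIN, R = RST


def is_outbound(pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in INTERNAL_NET
            and ipaddress.ip_address(pkt.dst) not in INTERNAL_NET)


class PacketFilter:
    """Stateless packet filtering: each packet is judged on its own header fields only."""

    def __init__(self, published_ports):
        self.published_ports = set(published_ports)    # services we offer to the outside
        self.reply_source_ports = {80, 443}            # needed so web replies can come back in

    def decide(self, pkt: Packet) -> str:
        if is_outbound(pkt) or pkt.dport in self.published_ports:
            return "allow"
        if pkt.sport in self.reply_source_ports:       # the weak spot: anything claiming sport 443 passes
            return "allow"
        return "deny"


class StatefulFilter:
    """Stateful inspection: inbound packets must belong to a dialogue the firewall has seen start."""

    def __init__(self, published_ports):
        self.published_ports = set(published_ports)
        self.sessions = set()   # (inside ip, inside port, outside ip, outside port)

    def _update(self, key, flags):
        if "S" in flags and "A" not in flags:
            self.sessions.add(key)                     # new connection: remember it
        if "R" in flags or "F" in flags:
            self.sessions.discard(key)                 # connection torn down: forget it

    def decide(self, pkt: Packet) -> str:
        if is_outbound(pkt):
            self._update((pkt.src, pkt.sport, pkt.dst, pkt.dport), pkt.flags)
            return "allow"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse tuple for a reply
        if key in self.sessions:
            self._update(key, pkt.flags)
            return "allow"
        if pkt.dport in self.published_ports and "S" in pkt.flags and "A" not in pkt.flags:
            self.sessions.add(key)                     # fresh connection to a published service
            return "allow"
        return "deny"


def run_scenario():
    """Constructed traffic; returns (stateless decision, stateful decision) for each packet."""
    traffic = [
        Packet("10.0.0.42", 51000, "93.184.216.34", 443, "S"),   # inside browser opens HTTPS
        Packet("93.184.216.34", 443, "10.0.0.42", 51000, "SA"),  # legitimate reply
        Packet("198.51.100.9", 443, "10.0.0.42", 22, "S"),       # attacker probes SSH from source port 443
        Packet("198.51.100.9", 40000, "10.0.0.5", 443, "S"),     # customer connects to published web server
        Packet("198.51.100.9", 40001, "10.0.0.5", 3389, "S"),    # attacker tries RDP on the same server
    ]
    stateless, stateful = PacketFilter({443}), StatefulFilter({443})
    return [(stateless.decide(p), stateful.decide(p)) for p in traffic]
```

The third packet is the whole argument for stateful inspection: its headers look like a web reply, but no inside host ever asked for it, so only the connection-tracking filter rejects it.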

A Corporate Firewall

Technologies and Tools: Intrusion Detection Systems and Antivirus
– Intrusion Detection Systems: full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders
– Antivirus and antispyware software
– Unified Threat Management (UTM) systems: various security tools combined into a single appliance, including firewalls, virtual private networks, intrusion detection systems, Web content filtering and antispam software

Improving Security
– Configure the Wi-Fi network securely rather than leaving it on its default settings
– HTTPS (SSL/TLS) for a secure connection between browser and server
– Mail and message encryption

Encryption
– The slide's "rmvtu[yopm" and "fodszqujpo" are both the word "encryption" scrambled: the first by replacing each letter with its right-hand neighbour on a QWERTY keyboard, the second by a Caesar shift of one letter. They illustrate the idea of scrambling, not a usable cipher.
– Encryption: coding and scrambling of messages to prevent unauthorized access to, or understanding of, the data being transmitted
– Public key encryption: uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted only with the other key
– Public Key Infrastructure (PKI): use of public key cryptography working with a certificate authority, which vouches that a given public key belongs to a given person or organization
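The two scramblings of "encryption" on the slide, reproduced as an added example (not code from the presentation): a keyboard-shift substitution and a Caesar shift, with a brute-force routine that shows why a fixed, keyless substitution is a puzzle rather than encryption. The keyboard layout rows are an assumption (standard US QWERTY).

```python
# Assumed US QWERTY rows; each letter is encrypted by the key to its right.
ROWS = ["qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
KEYBOARD_RIGHT = {a: b for row in ROWS for a, b in zip(row, row[1:])}
KEYBOARD_LEFT = {b: a for a, b in KEYBOARD_RIGHT.items()}


def keyboard_shift(text: str, encrypt: bool = True) -> str:
    """'encryption' -> 'rmvtu[yopm' (p becomes [ because [ sits to the right of p)."""
    table = KEYBOARD_RIGHT if encrypt else KEYBOARD_LEFT
    return "".join(table.get(c, c) for c in text)


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` places in the alphabet; other characters pass through."""
    out = []
    for c in text:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base + shift) % 26 + base))
        else:
            out.append(c)
    return "".join(out)


def decode_slide_puzzle():
    """Undo both scramblings from the slide."""
    return keyboard_shift("rmvtu[yopm", encrypt=False), caesar("fodszqujpo", -1)


def brute_force_caesar(ciphertext: str, dictionary):
    """With only 26 possible keys, trying them all against a word list recovers the key at once."""
    for shift in range(26):
        candidate = caesar(ciphertext, -shift)
        if candidate in dictionary:
            return shift, candidate
    return None
```

Both scramblings are substitutions with a single fixed rule, so anyone who knows the rule (or tries the handful of possibilities) reads the text; real encryption puts the secrecy in a key that is large enough that trying every possibility is infeasible.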

Public Key Encryption
A public key encryption system can be viewed as a series of public and private keys that lock data when it is transmitted and unlock the data when it is received. The sender locates the recipient's public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.

Ensuring System Availability

Management Opportunities, Challenges, and Solutions: Solution Guidelines
– Security and control must become a more visible and explicit priority and area of information systems investment
– Support and commitment from top management is required to show that security is indeed a corporate priority and vital to all aspects of the business
– Security and control should be the responsibility of everyone in the organization

Learning Objectives
– Analyze why information systems need special protection from destruction, error, and abuse
– Assess the business value of security and control
– Design an organizational framework for security and control
– Evaluate the most important tools and technologies for safeguarding information resources