IT Security and Control
Chapter 4 IT Security and Control [Laudon] Chap 8
Dr. Yeffry Handoko Putra, M.T
Magister of Information System, Universitas Komputer Indonesia

Information System Managements
Chapter 4 Security and Control

SYSTEM VULNERABILITY AND ABUSE

Why Systems Are Vulnerable
Contemporary Security Challenges and Vulnerabilities

Why Systems Are Vulnerable (Continued)
Internet Vulnerabilities:
- Use of fixed Internet addresses through use of cable modems or DSL
- Lack of encryption with most Voice over IP (VoIP)
- Widespread use of e-mail and instant messaging (IM)

Wi-Fi Security Challenges

Malicious Software: Viruses, Worms, Trojan Horses, and Spyware, Hackers and Cybervandalism
- Computer viruses, worms, trojan horses
- Spyware
- Spoofing and Sniffers
- Denial of Service (DoS) Attacks
- Identity theft (e.g. Man in The Middle Attack / MiTMA)
- Phishing
- Cyberterrorism and Cyberwarfare
- Vulnerabilities from internal threats (employees); software flaws

What is the difference between spoofing and sniffing?
Sniffing: to gather information without actually touching it (or being detected or in hiding), e.g., network packet sniffing.
Spoofing: to mimic something and create an illusion of the presence of the original, e.g., spoofing.

Identity theft: In identity theft, an impostor obtains key pieces of personal information to impersonate someone else and obtain credit, merchandise, or false credentials.
Phishing: Setting up fake Web sites or sending messages that appear legitimate in order to coerce users into handing over confidential data. Other phishing techniques include evil twins (wireless networks masquerading as legitimate Internet hotspots, used to capture personal information) and pharming, redirecting users to bogus Web sites posing as legitimate Web sites.

Worldwide Damage from Digital Attacks

BUSINESS VALUE OF SECURITY AND CONTROL

Inadequate security and control may create serious legal liability.
Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly litigation for data exposure or theft. A sound security and control framework that protects business information assets can thus produce a high return on investment.

Security Incidents Continue to Rise
Source: CERT Coordination Center, accessed July 6, 2004.

Data Security and Control Laws:
- The Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act
- Sarbanes-Oxley Act of 2002

Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Recent U.S. government regulations mandate the protection of data from abuse, exposure, and unauthorized access, and include:
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996, which requires members of the healthcare industry to retain patient information for six years and ensure the confidentiality of those records
- The Gramm-Leach-Bliley Act, which requires financial institutions to ensure the security and confidentiality of customer data
- The Sarbanes-Oxley Act, which imposes responsibility on companies and their management to use internal controls to safeguard the accuracy and integrity of financial information

Legal and Regulatory Requirements for Electronic Records Management
Electronic Records Management (ERM): Policies, procedures and tools for managing the retention, destruction, and storage of electronic records

Electronic Evidence and Computer Forensics
Electronic Evidence: Computer data stored on disks and drives, e-mail, instant messages, and e-commerce transactions
Computer Forensics: Scientific collection, examination, authentication, preservation, and analysis of computer data for use as evidence in a court of law

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

Types of Information Systems Controls
General controls:
- Software and hardware
- Computer operations
- Data security
- Systems implementation process

Application controls:
- Input
- Processing
- Output

WHAT TO DO?
- Risk Assessment
- Security Policy
- Ensuring Business continuity
- Business continuity and disaster recovery planning

Risk Assessment: Determines the level of risk to the firm if a specific activity or process is not properly controlled

Security Policy: Policy ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals
- Acceptable Use Policy (AUP)
- Authorization policies

Security Profiles for a Personnel System

Ensuring Business Continuity
Downtime: Period of time in which a system is not operational
Fault-tolerant computer systems: Redundant hardware, software, and power supply components to provide continuous, uninterrupted service
High-availability computing: Designing to maximize application and system availability

As companies increasingly rely on digital networks for their revenue and operations, they need to take additional steps to ensure that their systems and applications are always available. Downtime refers to periods of time in which a system is not operational. Companies can use several techniques to reduce downtime.
Fault-tolerant computer systems use hardware or software to detect hardware failures and automatically switch to backup systems.
High-availability computing environments use backup servers, distributing processing among multiple servers, high-capacity storage, and disaster recovery planning and business continuity planning to recover quickly from a system crash.
Recovery-oriented computing means designing systems to recover quickly and implementing capabilities and tools that help operators pinpoint the sources of faults in multicomponent systems and easily correct their mistakes.
Disaster recovery planning devises plans for the restoration of computing and communications services after they have been disrupted by an event such as an earthquake, flood, or terrorist attack.
Business continuity planning focuses on how the company can restore business operations after a disaster strikes.
Some companies outsource security functions to managed security service providers (MSSPs) that monitor network activity and perform vulnerability testing and intrusion detection.

Ensuring Business Continuity (Continued)
Load balancing: Distributes access requests across multiple servers
Mirroring: Backup server that duplicates processes on primary server
Recovery-oriented computing: Designing computing systems to recover more rapidly from mishaps

Ensuring Business Continuity (Continued)
Disaster recovery planning: Plans for restoration of computing and communications disrupted by an event such as an earthquake, flood, or terrorist attack
Business continuity planning: Plans for handling mission-critical functions if systems go down

Auditing:
MIS audit: Identifies all of the controls that govern individual information systems and assesses their effectiveness
Security audits: Review technologies, procedures, documentation, training, and personnel

Sample Auditor’s List of Control Weaknesses

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL

Access Control
Access control: Consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders
Authentication:
- Passwords
- Tokens, smart cards
- Biometric authentication

Section 8.4: Technologies and Tools for Security and Control
Various tools and technologies used to help protect against or monitor intrusion include authentication tools, firewalls, intrusion detection systems, and antivirus and encryption software.
Access control consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders. Authentication refers to the ability to know that a person is who he or she claims to be. Access control software is designed to allow only authorized persons to use systems or to access data using some method for authentication. New authentication technologies include:
- Token: A physical device similar to an identification card that is designed to prove the identity of a single user.
- Smart card: A device about the size of a credit card that contains a chip formatted with access permission and other data.
- Biometric authentication: Compares a person's unique characteristics, such as fingerprints, face, or retinal image, against a stored set profile.

Firewalls, Intrusion Detection Systems, and Antivirus Software
Firewalls: Hardware and software controlling flow of incoming and outgoing network traffic.
Firewall Technology: Packet Filtering, Stateful inspection, Network Address Translation, Application Proxy Filtering
Intrusion detection systems: Full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders

A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic and prevents unauthorized communication into and out of the network. The firewall identifies names, Internet Protocol (IP) addresses, applications, and other characteristics of incoming traffic. It checks this information against the access rules programmed into the system by the network administrator.
There are a number of firewall screening technologies:
- Packet filtering examines fields in the headers of data packets flowing between the network and the Internet, examining individual packets in isolation.
- Stateful inspection determines whether packets are part of an ongoing dialogue between a sender and a receiver.
- Network Address Translation (NAT) conceals the IP addresses of the organization's internal host computer(s) to protect against sniffer programs outside the firewall.
- Application proxy filtering examines the application content of packets. A proxy server stops data packets originating outside the organization, inspects them, and passes a proxy to the other side of the firewall. If a user outside the company wants to communicate with a user inside the organization, the outside user first "talks" to the proxy application and the proxy application communicates with the firm's internal computer.

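
The difference between packet filtering and stateful inspection described above, as an added example that is not part of the original slides. The internal address range, the HTTPS-only rule set and the sample trace are constructed for illustration; the stateful model tracks only connection setup and reset.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on this packet


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def packet_filter(p):
    """Packet filtering: judge each packet's header fields in isolation."""
    if is_internal(p.src) and p.dport == 443:
        return True  # outbound HTTPS
    # Rule meant to admit replies: inbound, source port 443, ACK set.
    return is_internal(p.dst) and p.sport == 443 and "ACK" in p.flags


class StatefulFirewall:
    """Stateful inspection: inbound packets must belong to a dialogue
    that an internal host opened."""

    def __init__(self):
        self.flows = set()  # (client, client_port, server, server_port)

    def allow(self, p):
        if is_internal(p.src):
            flow = (p.src, p.sport, p.dst, p.dport)
            if p.dport != 443:
                return False
            if p.flags == {"SYN"}:
                self.flows.add(flow)  # new outbound connection
                return True
            return flow in self.flows
        flow = (p.dst, p.dport, p.src, p.sport)  # reverse direction
        if flow not in self.flows:
            return False  # no matching dialogue: drop
        if "RST" in p.flags:
            self.flows.discard(flow)  # connection torn down
        return True


# Constructed sample trace (documentation address ranges).
TRACE = [
    pkt("10.0.0.5", 50000, "203.0.113.10", 443, "SYN"),
    pkt("203.0.113.10", 443, "10.0.0.5", 50000, "SYN", "ACK"),
    pkt("10.0.0.5", 50000, "203.0.113.10", 443, "ACK"),
    pkt("198.51.100.7", 443, "10.0.0.9", 40000, "ACK"),  # unsolicited
    pkt("203.0.113.10", 443, "10.0.0.5", 50000, "RST", "ACK"),
    pkt("203.0.113.10", 443, "10.0.0.5", 50000, "ACK"),  # after reset
]


def compare(trace):
    """Return (packet_filter verdict, stateful verdict) per packet."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.allow(p)) for p in trace]


if __name__ == "__main__":
    for p, verdicts in zip(TRACE, compare(TRACE)):
        print(p.src, p.sport, "->", p.dst, p.dport, sorted(p.flags), verdicts)
```

The two verdicts differ only on the fourth and sixth packets: their headers satisfy the reply rule, but neither belongs to a live connection opened from inside.
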
Firewalls, Intrusion Detection Systems, and Antivirus Software (Continued)
Antivirus software: Software that checks computer systems and drives for the presence of computer viruses and can eliminate the virus from the infected area
Wi-Fi Protected Access specification

FIGURE 8-6 A CORPORATE FIREWALL
The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against unauthorized traffic.

Intrusion detection systems feature full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders continually. Scanning software looks for patterns indicative of known methods of computer attacks, such as bad passwords, checks to see if important files have been removed or modified, and sends warnings of vandalism or system administration errors.
Antivirus software is designed to check computer systems and drives for the presence of computer viruses. However, to remain effective, the antivirus software must be continually updated.
Vendors of Wi-Fi equipment have developed stronger security standards. The Wi-Fi Alliance industry trade group's 802.11i specification tightens security for wireless LAN products.
Many organizations use encryption to protect sensitive information transmitted over networks. Encryption is the coding and scrambling of messages to prevent their access by unauthorized individuals.
Two methods for encrypting network traffic on the Web are:
- Secure Sockets Layer (SSL): SSL and its successor Transport Layer Security (TLS) enable client and server computers to establish a secure connection session and manage encryption and decryption activities.
- Secure Hypertext Transfer Protocol (S-HTTP) is another protocol used for encrypting data flowing over the Internet, but it is limited to individual messages.
Data is encrypted by applying a secret numerical code, called an encryption key, so that the data are transmitted as a scrambled set of characters. To be read, the message must be decrypted (unscrambled) with a matching key.
There are two alternative methods of encryption:
- Symmetric key encryption: The sender and receiver create a single encryption key that is shared.
- Public key encryption: A more secure encryption method that uses two different keys, one private and one public.

A Corporate Firewall

Encryption and Public Key Infrastructure
Public key encryption: Uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key
Message integrity: The ability to be certain that the message being sent arrives at the proper destination without being copied or changed

Encryption and Public Key Infrastructure (Continued)
Digital signature: A digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message
Digital certificates: Data files used to establish the identity of users and electronic assets for protection of online transactions
Public Key Infrastructure (PKI): Use of public key cryptography working with a certificate authority

Digital signatures and digital certificates help with authentication. A digital signature is a digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message. Digital certificates are data files used to establish the identity of users and electronic assets for protection of online transactions. A digital certificate system uses a trusted third party known as a certificate authority (CA) to validate a user's identity. The digital certificate system would enable, for example, a credit card user and a merchant to validate that their digital certificates were issued by an authorized and trusted third party before they exchange data.
Public key infrastructure (PKI), the use of public key cryptography working with a certificate authority, is a principal technology for providing secure authentication of identity online.

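
The certificate check and digital signature described above, as an added example that is not part of the original slides. It uses textbook RSA without padding over small fixed primes purely to show the mechanics; the names Example CA, Rogue CA, shop.example and every helper function are constructed, and production systems rely on a vetted cryptographic library and X.509 certificates.

```python
import hashlib

E = 65537  # common RSA public exponent


def make_keypair(p, q):
    """Toy RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return (n, E), (n, d)


def digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private):
    n, d = private
    return pow(digest(message, n), d, n)


def verify(message, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(message, n)


def cert_body(subject, subject_public):
    return f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()


def issue_certificate(subject, subject_public, issuer, issuer_private):
    """The issuer binds a subject name to a public key by signing both."""
    body = cert_body(subject, subject_public)
    return {"subject": subject, "public_key": subject_public,
            "issuer": issuer, "signature": sign(body, issuer_private)}


def validate_certificate(cert, trusted_cas):
    """Accept only if a trusted CA's public key verifies the signature."""
    ca_public = trusted_cas.get(cert["issuer"])
    if ca_public is None:
        return False  # issuer is not in the trust store
    body = cert_body(cert["subject"], cert["public_key"])
    return verify(body, cert["signature"], ca_public)


def demo():
    # Constructed keys built from small Mersenne primes (illustration only).
    ca_pub, ca_priv = make_keypair(2**61 - 1, 2**89 - 1)
    shop_pub, shop_priv = make_keypair(2**107 - 1, 2**127 - 1)
    _, rogue_priv = make_keypair(2**61 - 1, 2**127 - 1)
    trusted = {"Example CA": ca_pub}

    cert = issue_certificate("shop.example", shop_pub, "Example CA", ca_priv)
    renamed = dict(cert, subject="other.example")  # altered after issuance
    forged = issue_certificate("shop.example", shop_pub, "Example CA", rogue_priv)
    unknown = issue_certificate("shop.example", shop_pub, "Rogue CA", rogue_priv)

    order = b"order 1001: 2 items"
    sig = sign(order, shop_priv)  # merchant signs with its private key
    return {
        "valid_cert": validate_certificate(cert, trusted),
        "renamed_subject": validate_certificate(renamed, trusted),
        "forged_issuer": validate_certificate(forged, trusted),
        "unknown_issuer": validate_certificate(unknown, trusted),
        "order_intact": verify(order, sig, cert["public_key"]),
        "order_altered": verify(b"order 1001: 20 items", sig, cert["public_key"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
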
Two methods for encrypting network traffic on the Web are:
- Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): protocols for secure information transfer over the Internet; enable client and server computer encryption and decryption activities as they communicate during a secure Web session.
- Secure Hypertext Transfer Protocol (S-HTTP): used for encrypting data flowing over the Internet; limited to Web documents, whereas SSL and TLS encrypt all data being passed between client and server.

Public Key Encryption

Digital Certificates

MANAGEMENT OPPORTUNITIES, CHALLENGES AND SOLUTIONS

Management Opportunities:
Creation of secure, reliable Web sites and systems that can support e-commerce and e-business strategies

Management Challenges:
- Designing systems that are neither overcontrolled nor undercontrolled
- Implementing an effective security policy

Solution Guidelines:
- Security and control must become a more visible and explicit priority and area of information systems investment.
- Support and commitment from top management is required to show that security is indeed a corporate priority and vital to all aspects of the business.
- Security and control should be the responsibility of everyone in the organization.