IT effective auditing in MIS and prevention


1 IT effective auditing in MIS and prevention
Risks, Security and Disaster Recovery

2 Objectives
Describe the primary goals of information security
Enumerate the main types of risks to information systems
List the various types of attacks on networked systems
Describe the types of controls required to ensure the integrity of data entry and processing and uninterrupted e-commerce

3 Objectives (continued)
Describe the various kinds of security measures that can be taken to protect data and ISs
Outline the principles of developing a recovery plan
Explain the economic aspects of information security

4 Goals of Information Security
Protecting IT resources is a primary concern
Securing corporate ISs is increasingly challenging
Major goals of information security:
Reduce the risk of systems ceasing operation
Maintain the confidentiality of information
Ensure the integrity of data resources
Ensure uninterrupted availability of resources
Ensure compliance with policies

5 Risks to Information Systems
Downtime: time when an IS is not available
Extremely expensive: a pan-European survey by the data centre provider Global Switch found that IT downtime cost businesses about €400,000 per hour

6 Risks to Hardware
Major causes of damage to machines:
Natural disasters: fire, flood, storms
Blackouts and brownouts
Blackout: total loss of electricity
Brownout: partial loss of electricity (a voltage drop), which can corrupt work in progress
Uninterruptible power supply (UPS): battery backup that bridges short outages and allows an orderly shutdown
Vandalism: deliberate destruction

7 Risks to Data and Applications
Data is the primary concern because it is unique to the organization and cannot simply be bought again
Susceptible to disruption, damage and theft
Keystroke logging: malware or a hardware device that records individual keystrokes, capturing passwords and card numbers as they are typed
Social engineering: manipulating people into revealing information or granting access, e.g. con artists posing as service or support staff
Identity theft: pretending to be another person using stolen personal data

8 Risks to Data and Applications (continued)
Risks to data: alteration, destruction
Web defacement: deliberate alteration of a Web site's pages; sometimes done as a prank, but it also proves the attacker had write access to the server
Honeytoken: bogus record planted in a networked database; it has no legitimate use, so any access to it reveals an intruder or a data leak

9 Risks to Data and Applications (continued)
Honeypot: decoy server that mimics a production system (e.g. a mirrored copy of a database) to attract attackers; it shows security officers which weak points are being probed
Virus: malicious code that attaches itself to a program or file and spreads from computer to computer when the host is run or shared
Worm: self-propagating code that spreads across a network without human intervention
Antivirus software: detects and removes known viruses and worms; it cannot catch code it has no signature for
Trojan horse: malware disguised as legitimate software; unlike a virus, it does not replicate on its own

10 Risks to Data and Applications (continued)
Logic bomb: code that lies dormant and causes damage when a specific time or condition is reached
Unintentional damage: human error, lack of adherence to backup procedures, poor training
Unauthorized downloading may cause damage (it is the usual way a Trojan horse arrives)

11 Risks to Online Operations
Many hackers try to interrupt business daily
Attacks:
Unauthorized access
Data theft
Defacing of Web pages
Denial of service
Hijacking

12 Denial of Service
Denial of service (DoS): flooding a site with a large number of requests so that legitimate traffic is slowed or blocked
Distributed denial of service (DDoS): a DoS attack launched from many computers at once, usually hijacked machines
No definitive cure; defenders can filter illegitimate traffic and add capacity, but a large enough flood still succeeds

13 Computer Hijacking
Hijacking: taking control of a computer connected to a public network without the owner's consent
Done by planting a bot (remote-control software) on the machine, typically by exploiting unpatched security holes
Hijacked computers are used to launch DDoS attacks
Hijackers usually install forwarding software and send spam through the victim's machine
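The filtering mentioned on the two preceding slides, as an added example that is not part of the original presentation: a per-source token bucket applied to a constructed request stream (one normal client at 2 requests/s, one flooding source at 100 requests/s; the addresses are documentation ranges and the rate and burst limits are assumed). It also shows why the limit does not help against a distributed flood: each hijacked machine sends little enough to stay under it.

```python
"""Added example: per-source request filtering with a token bucket.
Not from the slides; addresses, rate and burst are constructed."""
from collections import defaultdict


class TokenBucket:
    """Tokens are kept in thousandths so refill arithmetic stays exact."""

    def __init__(self, rate: int, burst: int):
        self.rate = rate            # tokens refilled per second
        self.cap = burst * 1000     # bucket size in thousandths of a token
        self.tokens = self.cap      # a new source starts with a full bucket
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        # refill in proportion to elapsed time, never above the cap
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def filter_requests(requests, rate: int = 5, burst: int = 10) -> dict:
    """requests: iterable of (timestamp_ms, source_ip), sorted by time.
    Returns per-source counts of allowed and dropped requests."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, ip in requests:
        key = "allowed" if buckets[ip].allow(ts) else "dropped"
        stats[ip][key] += 1
    return dict(stats)


def sample_stream() -> list:
    """Constructed traffic: 198.51.100.7 sends 2 req/s for 10 s (normal use),
    203.0.113.9 sends 100 req/s for 10 s (a single-source flood)."""
    reqs = [(i * 500, "198.51.100.7") for i in range(20)]
    reqs += [(i * 10, "203.0.113.9") for i in range(1000)]
    return sorted(reqs)


if __name__ == "__main__":
    for ip, counts in filter_requests(sample_stream()).items():
        print(ip, counts)
```

With a limit of 5 requests/s and a burst of 10, the normal client is never throttled while the flooder gets its first 10 requests through and then one every 200 ms. Against a DDoS the same 1000 requests arrive from, say, 100 hijacked hosts at 1 request/s each, every one of which stays under the limit; that is the sense in which the slide says there is no definitive cure.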

14 Controls
Controls: constraints on users or systems
Can secure against risks
Ensure nonsensical data is not entered
Can reduce damage when an incident does occur

15 Controls (continued)

16 Program Robustness and Data Entry Controls
A program is robust when it is free of bugs and handles unexpected situations well
Resists inappropriate usage: rejects malformed or out-of-range input instead of crashing or silently accepting it
Provides clear messages
Translates business policies into system features (data-entry controls)

17 Backup
Backup: duplication of all data
Redundant Array of Independent Disks (RAID): set of disks that replicate stored data so that a single disk failure causes no loss; RAID is not a backup, because a deletion, corruption or ransomware encryption is replicated just as faithfully
Backup copies must be routinely transported off-site (or replicated to a remote site) so that a disaster at the main site does not destroy them too
Backups are only as good as the last successful restore test
Some companies specialize in data backup

18 Access Controls
Access controls: require authorized access before resources can be used
Physical locks
Software locks
Three types (factors) of access control:
What you know: user ID and password
What you have: a special device such as a security card or token
What you are: physical characteristics (biometrics)

19 Access Controls (continued)
Passwords are stored by the OS or database, which should keep only a salted hash of each password, never the password itself
A security card is more secure than a password alone; combined with a PIN or password it gives two-factor access (something you have plus something you know)
Biometric: unique physical characteristic, e.g. fingerprints, retina or iris scans, voiceprints
Many people forget passwords, which drives help-desk cost and unsafe habits such as writing them down
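The two factors from the slides above, as an added example that is not code from the original presentation: the "what you know" factor stored as a salted PBKDF2 hash, and the "what you have" factor as a time-based one-time code (RFC 6238 TOTP, the scheme used by authenticator apps and hardware tokens). The user record, password and enrolled secret are constructed; the secret is the one from the RFC 6238 test vectors so the codes can be checked against the standard.

```python
"""Added example: two-factor login check (salted password hash + TOTP).
Not from the slides; user record and secret are constructed."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000   # slows offline guessing against a leaked hash database


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store salt + PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (dynamic truncation of HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (30 s steps)."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * 30), code)
               for k in range(-window, window + 1))


# Constructed user record: fictitious user, password, and enrolled TOTP secret
USERS = {
    "alice": {
        "pw": hash_password("correct horse battery staple", salt=b"\x01" * 16),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector secret
    }
}


def login(user: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated so that the response
    does not reveal which one failed."""
    rec = USERS.get(user)
    if rec is None:
        return False
    now = int(time.time()) if now is None else now
    ok_pw = verify_password(password, rec["pw"])
    ok_code = verify_totp(rec["totp_secret"], code, now)
    return ok_pw and ok_code


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple", totp(USERS["alice"]["totp_secret"], 59), now=59))
```

A stolen copy of USERS gives an attacker neither factor directly: the password must still be guessed through 200,000 PBKDF2 rounds per attempt, and the one-time code changes every 30 seconds. The TOTP secret itself, however, is as sensitive as a password and must be stored with the same care.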

20 Atomic Transactions
Atomic transaction: a set of operations treated as one indivisible unit
All are executed or none is
Ensures that only complete entries are recorded (e.g. a debit is never posted without its matching credit)
Control against malfunction and fraud

21 Atomic Transactions (continued)

22 Audit Trail
Audit trail: documented record of who recorded or changed each transaction, and when
Often created automatically by the system
Some countries require certain audit trail controls by law or regulation
Information systems auditor: finds and investigates fraudulent cases using the trail

23 Security Measures
Organizations can protect against attacks with:
Firewalls
Authentication
Encryption
Digital signatures
Digital certificates

24 Firewalls and Proxy Servers
Firewall: first line of defense; hardware and/or software that blocks access to computing resources according to rules
Routinely integrated into routers
DMZ (demilitarized zone): a network segment between the trusted internal network and the public network; public-facing servers sit there, so a compromised Web server does not give direct access to internal systems
Proxy server: stands in for another server, accepting requests on its behalf; commonly combined with a firewall

25 Firewalls and Proxy Servers (continued)

26 Authentication and Encryption
Messages are encrypted and authenticated to ensure security
A message need not be text: it may be an image, sound or any other file
Authentication: process of ensuring the sender is who they claim to be
Encryption: coding a message into an unreadable form

27 Authentication and Encryption (continued)

28 Authentication and Encryption (continued)
Encryption programs
Plaintext: original message
Ciphertext: coded message
Uses a mathematical algorithm and a key
Key: combination of bits that, with the algorithm, enciphers plaintext and deciphers ciphertext
Symmetric encryption: sender and recipient use the same secret key
Asymmetric (public key) encryption: a public key and a matching private key are used; what one key encrypts only the other can decrypt

29 Authentication and Encryption (continued)

30 Authentication and Encryption (continued)
Transport Layer Security (TLS): protocol for securing transactions on the Web
Uses public key (asymmetric) encryption to authenticate the server and agree on a session key, then symmetric encryption for the data itself
HTTPS: HTTP run over TLS
Digital signature: way to authenticate online messages; the sender signs the message digest with their private key and anyone can verify it with the matching public key
Message digest: unique fingerprint of a file produced by a hash function; any change to the file changes the digest

31 Authentication and Encryption (continued)

32 Authentication and Encryption (continued)
Digital certificate: binds an identity to a public key
Issued and signed by a certificate authority (CA): a trusted third party
Contains: holder's name, serial number, expiration date, a copy of the holder's public key, and the CA's signature over all of these

33 Authentication and Encryption (continued)

34 The Downside of Security Measures
Security measures cost time and convenience
Single sign-on (SSO): user name/password entered only once; saves time, but one compromised SSO password then opens every connected system
Encryption adds processing and slows communication (on modern hardware the overhead is small)
IT specialists must clearly explain the implications of security measures to users and management

35 Recovery Measures
Disasters that cannot be controlled need recovery measures
Redundancy may be used, but it is expensive
Alternatives must be considered

36 The Business Recovery Plan
Business recovery plan: plan to recover from a disaster
Nine steps:
Obtain management's commitment
Establish a planning committee
Perform risk assessment and impact analysis
Prioritize recovery needs
Select a recovery plan
Select vendors
Develop and implement the plan
Test the plan
Continually test and evaluate

37 Recovery Planning and Hot Site Providers
Recovery planning can be outsourced
Hot sites: alternative, fully equipped backup sites from which operations can continue shortly after a disaster

38 The Economics of Information Security
Security is analogous to insurance
Spending should be proportional to the potential damage
Assess the minimum acceptable rate of system downtime

39 How Much Security Is Enough Security?
Two costs to consider: the cost of potential damage and the cost of implementing the preventive measure
Companies try to find the optimal point where the two are balanced
Need to define what needs to be protected
Spending on protection should never exceed the value of the protected system

40 How Much Security Is Enough Security? (continued)

41 Calculating Downtime
Try to minimize downtime
Mission-critical systems must be connected to an alternative source of power
More ISs are interfaced with other systems
Interdependent systems have greater downtime: if any one of them fails, the whole chain is unavailable
Redundancy reduces downtime: the service is down only when all copies fail at once

42 Summary
The purpose of controls and security measures is to maintain the functionality of ISs
Risks to ISs include risks to hardware, data and networks, and natural disaster and vandalism
Risks to data include theft, data alteration, data destruction, defacement of Web sites and viruses
Risks to online systems include denial of service and hijacking

43 Summary (continued)
Controls are used to minimize disruption
Access controls require information (or a device or characteristic) to be presented before resources are made available
Atomic transactions ensure data integrity
Firewalls protect against Internet attacks
Encryption schemes protect messaging on the Internet

44 Summary (continued)
TLS and HTTPS are the encryption standards designed for the Web
Digital certificates are purchased from a certificate authority, which signs the holder's own public key
Many organizations have business recovery plans, which may be outsourced
Careful evaluation of the amount spent on security measures is necessary
Government is obliged to protect citizens against crime and terrorism

