
McGraw-Hill/Irwin © 2008 The McGraw-Hill Companies, All Rights Reserved Business Plug-In B6 Information Security.


1 McGraw-Hill/Irwin © 2008 The McGraw-Hill Companies, All Rights Reserved Business Plug-In B6 Information Security

2 B6-2 LEARNING OUTCOMES
1. Describe the relationship between information security policies and an information security plan
2. Provide an example of each of the three primary security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response
3. Describe the relationships and differences between hackers and viruses

3 B6-3 INTRODUCTION
Information security – a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization
This plug-in discusses how organizations can implement information security lines of defense through people first and technology second

4 B6-4 The First Line of Defense - People
The biggest issue surrounding information security is not a technical issue, but a people issue
38% of security incidents originate within the organization
– Insiders – legitimate users who purposely or accidentally misuse their access
– Social engineering – using one's social skills to trick people into revealing access credentials

5 B6-5 The First Line of Defense - People
The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
– Information security policies – identify the rules required to maintain information security
– Information security plan – details how an organization will implement the information security policies

6 B6-6 The First Line of Defense - People
Five steps to creating an information security plan
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
   I. Firewall (hardware and/or software)
   II. Intrusion detection software (IDS)
4. Test and re-evaluate risks
5. Obtain stakeholder support

7 B6-7 The First Line of Defense - People

8 B6-8 The Second Line of Defense - Technology
Three primary information security areas
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response

9 B6-9 AUTHENTICATION AND AUTHORIZATION
Authentication – a method for confirming users' identities
Authorization – the process of giving someone permission to do or have something
The most secure type of authentication involves a combination of the following:
1. Something the user knows, such as a user ID and password
2. Something the user has, such as a smart card or token
3. Something that is part of the user, such as a fingerprint or voice signature

10 B6-10 Something the User Knows such as a User ID and Password
User IDs and passwords are the most common way to identify individual users, and are the least effective form of authentication
Identity theft – the forging of someone's identity for the purpose of fraud
Phishing – a technique to gain personal information for the purpose of identity theft

11 B6-11 User ID and Password with CAPTCHA
A CAPTCHA is a type of challenge-response test used in computing to determine whether or not the user is human.

12 B6-12 Something the User Has such as a Smart Card or Token
Smart cards and tokens are more effective than a user ID and a password
– Token – a small electronic device that changes user passwords automatically
– Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing

13 B6-13 Security Tokens

14 B6-14 Smart Cards

15 B6-15 Something That Is Part of the User such as a Fingerprint or Voice Signature
This is by far the best and most effective way to manage authentication
– Biometrics – the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting
Unfortunately, this method can be costly and intrusive

16 B6-16 Biometrics

17 B6-17 PREVENTION AND RESISTANCE
Downtime can cost an organization anywhere from $100 to $1 million per hour
A 22-hour outage in June 2000 caused eBay's market cap to plunge $5.7 billion
Technologies available to help prevent and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls

18 B6-18 Prevention - Content Filtering
Organizations can use content filtering technologies to filter e-mail, prevent e-mails containing sensitive information from being transmitted, and stop spam and viruses from spreading
– Content filtering – occurs when organizations use software that filters content to prevent the transmission of unauthorized information
– Spam – a form of unsolicited e-mail

19 B6-19 Prevention - ENCRYPTION
If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
– Encryption – scrambles information into an alternative form that requires a key or password to decrypt the information
– Public & private key encryption – uses two keys: a public key that everyone can have and a private key for only the recipient

20 B6-20 ENCRYPTION It would take many hundreds of years for a hacker to break an encryption code

21 B6-21 Encryption Demo Public vs Private key encryption

22 B6-22 Encryption over the Web
Secure Hypertext Transfer Protocol (HTTPS):
– Most sign-in e-business websites are equipped with https, e.g. https://www.amazon.ca/gp/css/homepage.html
– used for encrypting data flowing over the Internet

23 B6-23 Steganography
Steganography is the hiding of information in innocent-looking objects and is a part of cryptography. Steganos means hidden and graffein means write. Since the arrival of digital files for image and sound, steganography has seen an enormous revival.
Steganography example: http://www.kwebbel.net/stega/enindex.php
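To make "hiding information in an innocent-looking object" concrete, the following added example (mine, not from the slides or the linked site) shows the simplest digital technique, least-significant-bit embedding: each bit of the message replaces the lowest bit of one image sample, a change far too small to see. The `COVER` bytes are a constructed stand-in for a small grayscale image so the block runs without an image file; `max_sample_change` is my helper to show why such a change is invisible to inspection and why detecting it needs statistical analysis of the file rather than looking at it.

```python
def embed(cover: bytes, message: bytes) -> bytes:
    """Hide message in the least significant bit of successive cover samples.
    A 4-byte big-endian length prefix tells the extractor where the message ends."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover object too small for this message")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # overwrite only the lowest bit of the sample
    return bytes(out)

def extract(stego: bytes) -> bytes:
    """Read the LSBs back: first the 4-byte length, then that many message bytes."""
    def read(start_bit: int, count: int) -> bytes:
        value = 0
        for i in range(start_bit, start_bit + count * 8):
            value = (value << 1) | (stego[i] & 1)
        return value.to_bytes(count, "big")
    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("no complete hidden message found")
    return read(32, length)

def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference. LSB embedding never moves a sample by more
    than 1 out of 255, which is why the result looks identical to the original."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed stand-in for a 20x20 grayscale image: 400 pixel samples, no real file needed
COVER = bytes((i * 37) % 256 for i in range(400))
```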

24 B6-24 Prevention - FIREWALLS
One of the most common defenses for preventing a security breach is a firewall
– Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network

25 B6-25 Prevention - FIREWALLS
A firewall examines each message that wants entrance to the network, and unless the message has the correct marking, the firewall prevents it from entering the network

26 B6-26 FIREWALLS Sample firewall architecture connecting systems located in Chicago, New York, and Boston

27 B6-27 A Corporate Firewall

28 B6-28 DETECTION AND RESPONSE
If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
Antivirus software is the most common type of detection and response technology

29 B6-29 DETECTION AND RESPONSE
Hacker – people very knowledgeable about computers who use their knowledge to invade other people's computers
– White-hat hacker
– Black-hat hacker
– Hacktivist
– Script kiddies or script bunnies
– Cracker
– Cyberterrorist

30 B6-30 DETECTION AND RESPONSE
Virus – software written with malicious intent to cause annoyance or damage by self-replicating
– Spreads as email attachments
Other forms of viruses
– Worm
– Trojan-horse virus
– Distributed DoS
– Denial-of-service attack (DoS)

31 B6-31 DETECTION AND RESPONSE
Worms: programs that copy themselves from one computer to another over networks. Unlike a virus, a worm does not need to attach itself to an existing program
Can destroy data and programs, and halt the operation of computer networks
In August 2003, the "Blaster worm" infected over 50,000 computers worldwide
Good worms: the "Welchia" worm, for example, tries to download and then install patches from Microsoft's website to fix various vulnerabilities in the host system

32 B6-32 DETECTION AND RESPONSE
Trojan horse: a software program that appears to be harmless, but then does something unexpected
Often "transports" a virus into a computer system
The name is based on the classic Greek myth of the Trojan War

33 B6-33 DETECTION AND RESPONSE
Denial of Service (DoS) attacks: hackers flood a server with false communications in order to crash the system
Distributed DoS: uses numerous computers to crash the network

34 B6-34 DETECTION AND RESPONSE
Security threats to e-business include:
– Hoaxes
– Malicious code
– Spoofing (phishing)
– Spyware
– Sniffer

35 B6-35 DETECTION AND RESPONSE
Spoofing: masquerading as someone else, or redirecting a Web link to an unintended address (see Phishing)
Sniffing: an eavesdropping program that monitors information traveling over a network

36 B6-36 DETECTION AND RESPONSE
Phishing (web spoofing): setting up fake Web sites or sending email messages that look legitimate, and using them to ask for confidential data

37 B6-37 Additional Material: Phishing Video

38 B6-38 Wireless Security
Wired Equivalent Privacy (WEP) [Old]
– can provide security for Wi-Fi if users turn it on
– It is a code that you choose to protect your wireless connections
Wi-Fi Protected Access (WPA) [New]
– WPA aims to provide stronger wireless data encryption than WEP

39 B6-39 Wireless Security
War driving: eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic.

40 B6-40 Wireless Hacking
Wireless hacking video

