Securing Information Systems
Chapter 8 Securing Information Systems
System Vulnerability
- Security (policies, procedures, technical measures) and controls (methods, policies, procedures) are important to ensure your system is not vulnerable
- Internet s and other ways hackers access
- Wireless security challenges
  - War driving and RFID bands
  - Wi-Fi transmission
- Malware, viruses, worms, Trojan horses, spyware, SQL injection attacks, key loggers
System Vulnerability (cont)
- Hackers, crackers, script kiddies
- Spoofing (redirecting web address) and sniffing (eavesdropping program monitoring info over a network)
- Denial-of-service (DoS) attack
- Distributed denial-of-service (DDoS) attack
- Botnet
- Computer crime
Common Computer Crime
System Vulnerability (cont)
- Identity theft
- Phishing
- Evil twins
- Pharming
- Click fraud
- Cyberterrorism and cyberwarfare
- Internal threats
  - Social engineering
- Software vulnerability
  - Bugs and patches
Security and Control Legal and Regulatory
- HIPAA for medical
- Gramm-Leach-Bliley (Financial Services Modernization) – consumer data in financial institutions
- Sarbanes-Oxley Act – protects investors from financial scandals
- Electronic evidence and computer forensics
  - Computer forensics – collection, authentication, preservation and analysis of data on storage media for use in court
Security and Control Framework
- Types of controls
  - General (govern design, security, and use of computer programs and security of data files throughout organization’s infrastructure)
  - Application (specific controls unique to each computerized application such as payroll or order processing)
    - Input, processing, output controls
- Risk assessment (determines level of risk to the firm)
  - Once risks are assessed, system builders will look at control points with greatest vulnerability and potential for loss
Security and Control Framework (cont)
- Security policy
  - Created after risk assessment
  - How to protect company’s assets
  - Acceptable Use Policy (AUP) – acceptable uses of firm’s info systems, etc.
  - Identity management – determine valid users of the system
- Disaster recovery
  - Hot site vs cold site
- Business continuity planning
- Auditing
  - MIS audit (examines firm’s security environment)
Technologies and Tools for Protecting Info Resources
- Identity management
- Authentication
  - Passwords
  - Token
  - Smart cards
  - Biometric authentication (human traits)
- What you know, what you have, who you are
Technologies (cont)
- Firewalls (prevent unauthorized users from accessing private networks)
  - Combination of hardware and software that controls the flow of incoming and outgoing network traffic
  - Identifies names, IP address, applications, and other characteristics of incoming traffic
- Intrusion detection systems (monitor for vulnerability)
- Antivirus and antispyware software
- Unified threat management (UTM) (comprehensive security management systems inside a single device)
Wireless Security Encryption and Public Key Infrastructure
- Secure Sockets Layer (SSL) – secure connection between computers
- Secure Hypertext Transfer Protocol (S-HTTP) – encrypts messages
- Public key encryption (PKE) – secure encryption that uses two keys
- Digital certificates – data files to establish identity of users and electronic assets
- Public key infrastructure (PKI) – public key cryptography working with a certification authority
System Availability
- Online transaction processing (OLTP) – immediately process transactions
- Fault-tolerant computer systems – detect hardware failures
- High-availability computing – for recovering quickly from a crash
- Downtime – periods when system is not operational
- Recovery-oriented computing – try to minimize downtime
- Deep packet inspection (DPI) – examines data files and sorts out low-priority online material; assigns higher priority to business-critical functions
- Security outsourcing
  - Managed security service providers (MSSP) – monitor network activity