Chapter 17: Risks, Controls and Security Measures

Posted on 20-Jan-2016

Transcript

Page 1: Title

Chapter 17
Risks, Controls and Security Measures

Page 2: Learning Objectives

When you finish this chapter, you will:
- Be able to identify the main types of risks to information systems.
- List various types of attacks on networked systems.
- Identify types of controls required to ensure the integrity of data entry and processing and uninterrupted e-commerce.

Page 3: Learning Objectives (continued)

- Know the principles of how organizations develop recovery plans.
- Be able to explain the economic aspects of pursuing information security.

Page 4: Why do we care?

- Nearly 20,000 digital attacks* occurred in January 2003.
- At this rate, we could see 180,000 attacks resulting in $80-100 billion in damages.

*mi2g Ltd., a digital risk management firm.

Page 5: Goals of Information Security

- Reduce the risk of systems and organizations ceasing operations
- Maintain information confidentiality
- Ensure the integrity and reliability of data resources
- Ensure uninterrupted availability of data resources and online operations
- Ensure compliance with national security laws and privacy policies and laws

Page 6: Risks to Information Systems

Causes of systems downtime
- Number one is hardware failure
- Fire and theft are the next two contributors

Risks to Hardware
- Natural disasters
- Blackouts and brownouts
- Vandalism

Page 7: Risks to Information Systems

Risks to Applications and Data
- Theft of information
- Data alteration, data destruction, and defacement
- Computer viruses and logic bombs
- Nonmalicious mishaps

Page 8: Risks to Information Systems

Figure 17.2 Frequency of security breaches in a 12-month period, based on a survey of 745 professionals

Page 9: Risks to Online Operations

Denial of Service (DoS)
- Too many requests are received to log on to a Web site’s pages
- If perpetrated from multiple computers it is called distributed denial of service (DDoS)

Spoofing
- Deception of users to make them think they are logged on at one site while they actually are on another

Page 10: Controlling Information System Risks

Controls: constraints imposed on a user or a system to secure systems against risks.

Figure 17.3 Common controls to protect systems from risk

Page 11: Controlling Information System Risks

Program Robustness and Data Entry Controls
- Provide a clear and sound interface with the user
- Menus and limits / data input constraints

Backup
- Periodic duplication of all data

Access Controls
- Ensure that only authorized people can gain access to systems and files
- Access codes and passwords
- Biometric: an access control based on a unique, physical, measurable characteristic of a human being that is used to identify a person
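The password-based access control on this slide, worked through as an added example (it is not code from the chapter). Two decisions are kept separate: authentication (is this really the user?) and authorization (may this user do this?). The user store, the role-to-permission table and the usernames are constructed for the example; the hashing uses Python's standard library only.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store for the example: username -> record.
# A real system would keep this in a database or directory service.
USER_STORE = {}

# Which actions each role is authorized to perform (constructed policy).
PERMISSIONS = {
    "clerk": {"read_orders"},
    "manager": {"read_orders", "approve_orders"},
}

PBKDF2_ROUNDS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: slow, salted hashing, so a stolen store does not
    # reveal passwords directly and identical passwords hash differently.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(username: str, password: str, role: str) -> None:
    """Store a salted password hash and the user's role, never the password itself."""
    if role not in PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    salt = secrets.token_bytes(16)
    USER_STORE[username] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}


def authenticate(username: str, password: str):
    """Return the user's role if the password is correct, otherwise None."""
    record = USER_STORE.get(username)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password
        # (keeps response timing from revealing which usernames exist).
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison: do not leak how many bytes matched.
    if hmac.compare_digest(candidate, record["hash"]):
        return record["role"]
    return None


def authorize(role, action: str) -> bool:
    """Authorization is a separate decision from authentication."""
    return role is not None and action in PERMISSIONS.get(role, set())


def attempt(username: str, password: str, action: str) -> bool:
    """Full access-control check: who are you, and may you do this?"""
    return authorize(authenticate(username, password), action)


if __name__ == "__main__":
    register("ann", "correct horse battery staple", "clerk")
    register("bob", "hunter2hunter2", "manager")
    print(attempt("ann", "correct horse battery staple", "read_orders"))     # True
    print(attempt("ann", "correct horse battery staple", "approve_orders"))  # False
    print(attempt("bob", "wrong password", "approve_orders"))               # False
```

The salt makes two users with the same password store different hashes, and the constant-time comparison plus the dummy hash for unknown users keep a login endpoint from leaking information through timing.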

Page 12: Controlling Information System Risks

Atomic Transactions
- Ensure that transaction data are recorded properly in all the pertinent files (every file is updated, or none is) to ensure integrity

Page 13: Controlling Information System Risks

Audit Trails
- Built into an IS so that transactions can be traced to people, times, and authorization information
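An added example (not the chapter's own code) that serves both the atomic-transactions slide and the audit-trail slide: a money transfer that debits one account, credits another and writes the audit record inside a single database transaction. The accounts, balances, teller name and ticket numbers are constructed; the database is Python's built-in sqlite3, in memory.

```python
import sqlite3
from datetime import datetime, timezone


def open_ledger() -> sqlite3.Connection:
    """Constructed sample database: two account balances and an empty audit table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " name TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"  # no overdrafts
    )
    conn.execute(
        "CREATE TABLE audit ("
        " id INTEGER PRIMARY KEY,"
        " at TEXT NOT NULL,"        # when it happened
        " actor TEXT NOT NULL,"     # who did it
        " auth_ref TEXT NOT NULL,"  # under what authorization
        " src TEXT NOT NULL, dst TEXT NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    conn.commit()
    return conn


def transfer(conn, actor: str, auth_ref: str, src: str, dst: str, amount: int) -> bool:
    """Move money and write the audit record in ONE transaction.

    Either all three writes (debit, credit, audit row) are committed, or none
    are: a failed debit cannot leave a credit or an orphaned audit entry behind.
    Returns True on success, False if the transfer was rejected.
    """
    if amount <= 0:
        return False
    try:
        with conn:  # sqlite3: commits on normal exit, rolls back on exception
            debit = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
            credit = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
            if debit.rowcount != 1 or credit.rowcount != 1:
                raise ValueError("unknown account")  # forces the rollback
            conn.execute(
                "INSERT INTO audit (at, actor, auth_ref, src, dst, amount)"
                " VALUES (?, ?, ?, ?, ?, ?)",
                (datetime.now(timezone.utc).isoformat(), actor, auth_ref, src, dst, amount))
        return True
    except (sqlite3.IntegrityError, ValueError):
        # CHECK (balance >= 0) failed or an account did not exist: everything rolled back
        return False


def balances(conn) -> dict:
    return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name"))


def audit_trail(conn) -> list:
    """(actor, auth_ref, src, dst, amount) per committed transfer: the trace back to people and approvals."""
    return list(conn.execute("SELECT actor, auth_ref, src, dst, amount FROM audit ORDER BY id"))


if __name__ == "__main__":
    conn = open_ledger()
    print(transfer(conn, "teller-7", "ticket-4521", "alice", "bob", 30))   # True
    print(transfer(conn, "teller-7", "ticket-4522", "bob", "alice", 500))  # False: rejected, rolled back
    print(balances(conn), audit_trail(conn))
```

The rejected 500 transfer shows the atomic property: the database constraint fails on the debit, the `with conn:` block rolls back, and neither a half-applied balance change nor a misleading audit row survives. The audit row that does survive carries actor, time and authorization reference, which is exactly what the audit-trail slide asks for.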

Page 14: Encryption

Authentication
- Process of ensuring that the sender and receiver of a message are indeed who they claim to be
- Original message: plaintext
- Coded message: ciphertext
- Messages are scrambled on the sending end and descrambled to plaintext on the receiving end

Page 15: Encryption Strength

Figure 17.6 Estimated time needed to break encryption keys, using $100,000 worth of computer equipment

Page 16: Encryption

Distribution Restrictions

Public Key Encryption
- Symmetric: both sender and recipient use the same key; the key is referred to as the secret key
- Asymmetric (also called public key encryption)
- Sender is able to communicate key to recipient before message is sent

Page 17: Encryption

Page 18: Encryption

- Secure Sockets Layer and Secure Hypertext Transport Protocol ensure online transactions are secure
- Pretty Good Privacy: Network Associates product that allows individuals to register for public and private keys

Page 19: Digital Signatures and Digital Certificates

Electronic Signatures
- Digital Signatures: different each time you send a message
- Digital Certificates: computer files that serve as the equivalent of ID cards

Page 20: Firewalls

- Software whose purpose is to manage access to computing resources
- Early firewalls used a combination of hardware and software
- While firewalls are used to keep unauthorized users out, they are also used to keep unauthorized software or instructions away: computer viruses and other rogue software
- Proxy servers act as a buffer between internal and external networks

Page 21: Security Standards

The Orange Book (DOD): four security levels
- Division A: Verified Protection
- Division B: Mandatory Protection
- Division C: Discretionary Protection
- Division D: Minimal Protection or No Protection

The ISO Standard
- Common set of requirements for IT product security functions and for assurance measures during security evaluation
- Permits comparability between results of independent security tests

Page 22: The Downside of Security Controls

- Security measures slow data communications and require discipline that is not easy to maintain: passwords, encryption, firewalls
- They drain personnel resources as well

Page 23: Chief Security Officers

Page 24: Recovery Measures

The Business Recovery Plan: nine steps proposed for development
1. Obtain management’s commitment to the plan
2. Establish a planning committee
3. Perform risk assessment and impact analysis
4. Prioritize recovery needs
5. Select a recovery plan
6. Select vendors
7. Develop and implement the plan
8. Test the plan
9. Continually test and evaluate

Page 25: Recovery Measures

Outsourcing the Recovery Plan
- Some companies may choose not to develop their own recovery plan
- Small companies may not be able to afford an expensive recovery plan
- They may opt for a Web-based service

Page 26: Median Amounts of IT Security Budgets by Industry

Page 27: The Economic Aspect of Security Measures

Two types of costs to consider when determining how much to spend on data security:
- The cost of potential damage
- The cost of implementing a preventive measure

Page 28: The Economic Aspect of Security Measures

Figure 17.12 The total cost to the enterprise is lowest at “Optimum.” No less, and no more, should be spent on information security measures.
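The trade-off behind Figure 17.12 and the two cost types of Page 27, written out as a short derivation. This is an added formalization, not part of the chapter; the symbols are chosen here. Let $s \ge 0$ be the amount spent on preventive measures and $E(s)$ the expected cost of damage that remains after spending $s$, which decreases as $s$ grows ($E'(s) < 0$) but never reaches zero. The total cost to the enterprise is the sum of the two:

$$
T(s) = s + E(s)
$$

The optimum spend $s^{*}$ is where total cost stops falling:

$$
T'(s^{*}) = 1 + E'(s^{*}) = 0 \quad\Longrightarrow\quad E'(s^{*}) = -1
$$

That is, at the optimum the last dollar spent on controls removes exactly one expected dollar of damage. To the left of $s^{*}$ one has $E'(s) < -1$, so each additional dollar of controls saves more than a dollar and total cost still falls (spending too little); to the right, $E'(s) > -1$, so each additional dollar saves less than it costs and total cost rises again (spending too much). In practice $E(s)$ is estimated from the risk assessment and impact analysis of the recovery plan: the likelihood of each incident times its cost, re-evaluated for each candidate control.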