securing is
Post on 28-Nov-2014
820 Views
Preview:
DESCRIPTION
TRANSCRIPT
Information Systems Today: Managing in the Digital World 6-1
6Chapter
Securing Information Systems
“66 percent of all Webroot-scanned personal computers are infected with at least 25 spyware programs.”Webroot (2005)
Information Systems Today: Managing in the Digital World 6-4
Information Systems Security
• All systems connected to a network are at risko Internal threats
o External threats
• Information systems securityo Precautions to keep IS safe from unauthorized
access and use
• Increased need for good computer security with increased use of the Internet
Information Systems Today: Managing in the Digital World 6-5
Primary Threats to Information Systems Security
• Accidents and natural disasterso Power outages, cats
walking across keyboards
• Employees and consultants
• Links to outside business contactso Travel between business
affiliates
• Outsiders
• Viruses
Information Systems Today: Managing in the Digital World 6-6
Unauthorized Access
• Unauthorized peopleo Look through
electronic datao Peek at monitorso Intercept electronic
communication
• Theft of computers or storage media
• Determined hackers gain administrator status
Information Systems Today: Managing in the Digital World 6-7
Gaining Access to a Password
• Brute forceo Try combinations
until a match is found
• Protection:o Wait time
requirements after unsuccessful login attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World 6-8
Information Modification
• User accesses electronic information
• User changes informationo Employee gives
himself a raise
Information Systems Today: Managing in the Digital World 6-9
Denial of Service Attack
• Attackers prevent legitimate users from accessing services
• Zombie computerso Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World 6-10
Computer Viruses
• Corrupt and destroy data
• Destructive code cano Erase a hard driveo Seize control of a
computer
• Worms o Variation of a viruso Replicate endlessly across
the Interneto Servers crash
• MyDoom attack on Microsoft’s Web site
Information Systems Today: Managing in the Digital World 6-11
Spyware• Within freeware or shareware
• Within a Web site
• Gathers information about a usero Credit card informationo Behavior tracking for marketing purposes
• Eats up computer’s memory and network bandwidth
• Adware – special kind of spywareo Collects information for banner ad customization
Information Systems Today: Managing in the Digital World 6-12
Spam
• Electronic junk mail• Advertisements of
products and services
• Eats up storage space
• Compromises network bandwidth
• Spimo Spam over IM
Information Systems Today: Managing in the Digital World 6-13
Protection Against Spam• Barracuda Spam Firewall 600
o Filters spam and other email threats
o Decreases amount of spam processed by the central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines
Information Systems Today: Managing in the Digital World 6-14
Phishing
• Attempts to trick users into giving away credit card numbers
• Phony messages
• Duplicates of legitimate Web sites
• E.g., eBay, PayPal have been used
Information Systems Today: Managing in the Digital World 6-15
Cookies• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive information
• Cookie management and cookie killer software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World 6-16
Other Threats to IS Security1. Employees writing passwords on paper
2. No installation of antivirus software
3. Use of default network passwords
4. Letting outsiders view monitors
Information Systems Today: Managing in the Digital World 6-17
Other Threats to IS Security (II)5. Organizations fail to limit access to
some files
6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World 6-19
Safeguarding Information Systems Resources
• Information systems auditso Risk analysis
•Process of assessing the value of protected assets o Cost of loss vs. cost of protection
•Risk reductiono Measures taken to protect the system
•Risk acceptanceo Measures taken to absorb the damages
•Risk transfero Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World 6-20
Technological Safeguards• Physical access restrictions
o Authentication
• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination
• Authentication limited too Something you have
o Something you know
o Something you are
Information Systems Today: Managing in the Digital World 6-21
Biometrics
• Form of authenticationo Fingerprints
o Retinal patterns
o Body weight
o Etc.
• Fast authentication
• High security
Information Systems Today: Managing in the Digital World 6-22
Access-Control Software
• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applicationso Built-in access control capabilities
Information Systems Today: Managing in the Digital World 6-23
Wireless LAN Control
• Wireless LAN cheap and easy to install
• Use on the rise
• Signal transmitted through the airo Susceptible to being
intercepted
o Drive-by hacking
Information Systems Today: Managing in the Digital World 6-24
Virtual Private Networks
• Connection constructed dynamically within an existing network
• Secure tunnelo Encrypted
information
Information Systems Today: Managing in the Digital World 6-25
Firewalls• System designed to detect intrusion and
prevent unauthorized access
• Implementationo Hardware, software, mixed
• Approacheso Packet filter – each packet examined
o Application-level control – security measures only for certain applications
o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all messages; Network Address Translation
Information Systems Today: Managing in the Digital World 6-26
Firewall Architecturea) Basic software
firewall for a home network
b) Firewall router• Home office
• Small office
Information Systems Today: Managing in the Digital World 6-27
Firewall Architecture Larger Organization
Information Systems Today: Managing in the Digital World 6-28
Encryption• Message encoded before sending• Message decoded when received
• Encryption allows foro Authentication – proving one’s identityo Privacy/confidentiality – only intended recipient can read a messageo Integrity – assurance of unaltered messageo Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World 6-29
The Encryption Process
• Key – code that scrambles the messageo Symmetric secret key system
•Sender and recipient use the same key
•Cons: Management problems
o Public key technology
•Asymmetric key system
•Each individual has a pair of keyso Public key – freely distributedo Private key – kept secret
Information Systems Today: Managing in the Digital World 6-31
Encryption for Websites• Certificate Authority
o Third party – trusted middleman•Verifies trustworthiness of a Web site
•Checks for identity of a computer
•Provides public keys
• Secure Sockets Layer (SSL)o Developed by Netscapeo Popular public-key encryption method
Information Systems Today: Managing in the Digital World 6-32
Other Encryption Approaches• 1976 – Public/private key
• 1977 – RSAo Technology licensed to Lotus and Microsofto Federal law prohibited exporting encryption technology
• Limited use by organizations
• 1991 – Pretty good privacyo Versatile encryption programo Global favorite
• 1993 – Clipper chipo Chip generating uncrackable codeso Scrapped before it became reality
Information Systems Today: Managing in the Digital World 6-33
The Evolution of Encryption
• Future encryption programs will provideo Strong security
o High speed
o Usability on any platform
•Encryption for cellular phones
•Encryption for PDAs
Information Systems Today: Managing in the Digital World 6-34
Recommended Virus Precautions• Purchase and install antivirus
softwareo Update frequently
• Do not download data from unknown sourceso Flash drives, disks, Web sites
• Delete (without opening) e-mail from unknown source
• Warn people if you get a viruso Your departmento People on e-mail list
Information Systems Today: Managing in the Digital World 6-35
Audit Control Software
• Keeps track of computer activity
• Spots suspicious action
• Audit trailo Record of users
o Record of activities
• IT department needs to monitor this activity
Information Systems Today: Managing in the Digital World 6-36
Other Technological Safeguards
• Backups o Secondary storage devices
o Regular intervals
• Closed-circuit television (CCTV)o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording
• Uninterruptible power supply (UPS)o Protection against power surges
Information Systems Today: Managing in the Digital World 6-37
Human Safeguards• Use of federal and state laws as well as ethics
Information Systems Today: Managing in the Digital World 6-39
Managing Information Systems Security
• Non-technical safeguardso Management of
people’s use of IS
• Acceptable use policies
o Trustworthy employees
o Well-treated employees
Information Systems Today: Managing in the Digital World 6-40
Developing an Information Systems Security Plan
Ongoing five-step process1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security
Information Systems Today: Managing in the Digital World 6-41
Security Plan: Step 22. Policies and procedures – actions to be
taken if security is breacheda. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policye. Account management policy – procedures for adding
new users
f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer operations
Information Systems Today: Managing in the Digital World 6-42
Security Plan: Remaining Steps3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department
4. Training – organization’s personnel
5. Auditinga. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World 6-43
Responding to a Security Breach• 1988 – Computer Emergency Response Team
(CERT)o Started after Morris worm disabled 10% of all
computers connected to the Internet
• Computer Security Division (CSD)o Raising of awareness of IT riskso Research and advising about IT vulnerabilitieso Development of standardso Development of guidelines to increase secure IT
planning, implementation, management and operation
Information Systems Today: Managing in the Digital World 6-44
The State of Systems Security Management• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsuranceo Only about 20% of organizations report intrusions to the
law enforcement• Fear of falling stock prices
o Most organizations do not outsource security activitieso 90% of organizations conduct routine security auditso Most organizations agree security training is important
• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World 6-45
Use of Security Technologies• CSI/FBI computer crime and security survey
respondents (2006)
Information Systems Today: Managing in the Digital World 6-47
Opening Case: Managing in the Digital World: Drive-by-Hacking• 60 - 80 % of corporate wireless networks do not use
security• “War driving” – a new hacker tactic
o Driving around densely populated areas
• “War spamming”o Attackers link to an e-mail server and send out millions of spam
messageso Companies pay millions in bandwidth fees
• Businesses fight back using bogus access pointso FakeAP
• Network scanners distinguish between real and fake APso Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World 6-48
Spyware Lurks on Most PCs
• Webrooto Producer of software to scan and eliminate
spyware
• Webroot company datao 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World 6-49
To Cookie or Not to Cookie• Cookies collected by companies to get data
about customerso Footprints that marketers can traceo Sometimes sold to other companies
• Web browsers can protect against accepting cookieso Constant pop-upso Some sites will not work properlyo Customized information will not be available
• National Security Agency (NSA)
Information Systems Today: Managing in the Digital World 6-50
Anne Mulcahy, CEO and Chairman, Xerox Corporation
• 1974 – B.A. in English and journalism
• 1976 – joined Xerox
• 2002 – promoted to CEOo Xerox in 2002
• $17 billion debt
o Xerox under Mulcahy
• First time profitable in years
• Cut expenses by $1.7 billion
• Sold non-core assets for $2.3 billion
Information Systems Today: Managing in the Digital World 6-51
Voiceprint
• 1976 case – State of Maine v. Thomas Williamso Bomb threat
o Voiceprint used for conviction of terrorism
•Each individual has unique voice characteristics
•1967-2006 – more than 5,000 law enforcement voice identification cases
•Spectrogram – visual inspection of waves
o Voiceprints used for access authorization
Information Systems Today: Managing in the Digital World 6-52
Is Big Brother Watching You
• Employers can use equipment too Read your emailo Monitor Web-surfing behavioro Collect keystrokeso Follow the movement of employees
•RFID and GPS
• Companies have rights to collect almost any information about employees while on the job
Information Systems Today: Managing in the Digital World 6-53
Backhoe Cyber Threat• Telecommunications infrastructure is
vulnerableo Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines•675,000 incidents in 1 year
o Infrastructure information publicly availableo Most of Internet communication goes through
cables buried along major highways and railroads•Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World 6-54
Banking Industry• In the past – highly regulated industry
o Banks limited to certain locations and serviceso Efforts to make banks safero Regulations prevented banks from competition
• 1970 to present – many regulations eliminatedo Acquisitions, consolidations and integration across
state lineso Better customer service at lower priceso Benefits to overall economy
• Internet erao Customers assess banks based on online banking
services
top related