Security
Topics: Security
What are the threats that affect information security?
– For each threat, identify controls that can be used to mitigate risks.
Security Concerns
Information systems are subject to many threats. Continue to apply the Risk Assessment Framework:
– What is the threat?
– What is the likelihood that the threat will occur?
– What is the potential damage from the threat?
– What controls can be used to minimize damage?
– What is the cost of implementing the control?
Goals of Information Security
– Reduce the risk of systems and organizations ceasing operations
– Maintain information confidentiality
– Ensure the integrity and reliability of data resources
– Ensure compliance with national security laws and privacy policies and laws
Security Threats
Three major types:
– Natural Forces
– Human
– Technical (System)
Security Threats
Natural forces
– Fire
– Water
– Energy (surges, brownouts, etc.)
– Structural damage (earthquake)
– Pollution
How to prevent/minimize damage?
Security Threats – cont’d
Human
– Unintentional mistakes
– Unauthorized intrusion
– Sabotage
– Hackers
– Viruses and worms
Human Security Threats (cont’d)
Unintentional mistakes
– Over 90% of errors
How to prevent/minimize?
Risks to Information Systems
Risks to Applications and Data
– Theft of information
– Data alteration and data destruction
– Computer viruses
– Unauthorized remote control programs
– Nonmalicious mishaps
  – Unintentional mistakes
Human Security Threats (cont’d)
Risks to Network Operations
– Denial of Service
– Spoofing
  Deception for the purpose of gaining access
  Deception of users: directing them to a different web site
Risks to Information Systems
Security Threats – cont’d
Technical
– Inadequate testing of modifications
– Hardware failure
Controls
Controls: Constraints imposed on a user or a system to secure systems against risks.
Types
– Prevent
– Detect
– Correct
Control Types – cont’d
Preventative
– Program Robustness and Data Entry Controls
  Provide a clear and sound interface with the user: menus and limits
– Access Controls
  Ensure that only authorized people can gain access to systems and files: access codes, passwords, biometrics
– Atomic Transactions
  Ensure that transaction data are recorded properly in all the pertinent files, to ensure integrity
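An added example (not from the slides) of the atomic-transaction control: a fund transfer between two accounts is recorded in both the account file and the transfer journal, or in neither. It uses Python's built-in sqlite3 with constructed sample accounts; the table and account names are assumptions.

```python
# Added example (not from the slides): an "atomic transaction" control for an
# electronic fund transfer. Either the debit, the credit and the journal entry
# are all recorded, or none of them is, so the pertinent files stay consistent.
import sqlite3


def open_ledger():
    """Constructed sample data: two accounts and an empty transfer journal."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.execute("CREATE TABLE journal (src TEXT, dst TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst atomically.
    Returns True on success, False if the transfer was rejected and rolled back."""
    try:
        conn.execute("BEGIN IMMEDIATE")
        if amount <= 0:
            raise ValueError("amount must be positive")
        debit = conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                             (amount, src))
        if debit.rowcount != 1:
            raise ValueError("unknown source account")
        credit = conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                              (amount, dst))
        if credit.rowcount != 1:
            raise ValueError("unknown destination account")
        conn.execute("INSERT INTO journal VALUES (?, ?, ?)", (src, dst, amount))
        conn.execute("COMMIT")
        return True
    except (sqlite3.IntegrityError, ValueError):
        # Overdraft (CHECK constraint) or a bad account: undo the partial debit too.
        conn.execute("ROLLBACK")
        return False


def balance(conn, account):
    return conn.execute("SELECT balance FROM accounts WHERE id = ?",
                        (account,)).fetchone()[0]


def journal_entries(conn):
    return conn.execute("SELECT COUNT(*) FROM journal").fetchone()[0]
```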
Control Types – cont’d: Preventative Controls – cont’d
Segregation of Duties
– Different people in charge of different activities, allowing checks and balances and minimizing the possibility of criminal behavior.
– Separation of duties during systems development prevents installation of trapdoors.
– Separation of duties while using the system minimizes abuse, especially in electronic fund transfer.
Control Types – cont’d: Preventative Controls – cont’d
Network
– Callback
  Remote user’s telephone number is verified before access is allowed
– Encryption
  Messages are scrambled on the sending end and descrambled to plain text on the receiving end
  Symmetric: both users use a private, secret key
  Asymmetric: parties use a combination of a public and a private key
Control Types – cont’d: Preventative Controls – cont’d
Web encryption standards
– Secure Sockets Layer (SSL)
  The most common protocol used. Its main capability is encrypting messages automatically in the browser on your computer before they are sent over the Internet.
– Secure Hypertext Transport Protocol (S-HTTP)
  Works only along with HTTP
– Secure Electronic Transaction (SET)
  Developed by MasterCard and VISA in 1997 to provide protection from electronic payment fraud. A proposed standard incorporating digital signatures, encryption, certification, and agreed-upon payment gateways
Control Types – cont’d: Preventative Controls – cont’d
Firewalls
– Software that separates users from computing resources
– Allows retrieval and viewing of certain material but blocks changes and access to other resources on the same computer
Control Types – cont’d
Detective
– Audit Trails
  Built into an IS so that transactions can be traced to people, times, and authorization information
– Network Logs
– Internet Logs
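An added example (not from the slides) of an audit trail as a detective control: each record names the user, time and authorization behind a transaction, and records are hash-chained so that a later edit or deletion of an entry can be detected. The sample payroll transactions and field names are constructed for the example.

```python
# Added example (not from the slides): a hash-chained audit trail. Each record
# carries user, time, action and authorization, plus the hash of the previous
# record, so the trail can be traced and checked for tampering afterwards.
import hashlib
import json

FIELDS = ("user", "time", "action", "authorized_by")
GENESIS = "0" * 64  # previous-hash value for the first record


def _digest(fields, prev_hash):
    payload = json.dumps(fields, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(trail, user, time, action, authorized_by):
    """Append one record to the trail (a list) and return it."""
    fields = {"user": user, "time": time, "action": action, "authorized_by": authorized_by}
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    record = dict(fields, prev=prev_hash, hash=_digest(fields, prev_hash))
    trail.append(record)
    return record


def verify_trail(trail):
    """Return the index of the first bad record, or None if the chain is intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(trail):
        fields = {k: rec[k] for k in FIELDS}
        if rec["prev"] != prev_hash or rec["hash"] != _digest(fields, prev_hash):
            return i
        prev_hash = rec["hash"]
    return None


def trace(trail, action_substring):
    """Detective use: who performed matching transactions, when, on whose authority."""
    return [(r["user"], r["time"], r["authorized_by"])
            for r in trail if action_substring in r["action"]]


def sample_trail():
    """Constructed sample: three transactions from a small payroll system."""
    trail = []
    append_entry(trail, "jdoe", "2024-03-01T09:12:00Z", "view payroll report", "role:hr")
    append_entry(trail, "asmith", "2024-03-01T09:40:00Z", "change salary emp#42", "ticket:HR-117")
    append_entry(trail, "jdoe", "2024-03-01T10:05:00Z", "export payroll csv", "role:hr")
    return trail
```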
Control Types – cont’d
Corrective
– Backup and Recovery
  Periodic duplication of all data
Electronic Commerce Security
The security features needed to conduct commerce were not in place when the public ban on use of the Internet was lifted.
Major issues
– Authorization
– Authentication
– Integrity
– Privacy
– Fraud/theft
– Sabotage
Electronic Commerce Security
Authorization – Does the user have permission to access?
– Solution: access control mechanisms
  Passwords
– Problem with the solution
  Administrative overhead
  How to control access to an e-commerce site?
Electronic Commerce Security
Authorization – cont’d
– Digital Certificate
  Equivalent of a physical ID card
– Electronic Signature
  Electronic symbol or process associated with a contract
– Digital Signature
  Encrypted text sent along with a message that verifies that the message was not altered (equivalent to a signed envelope)
Electronic Commerce Security
Authentication – assurance regarding the identity of the parties who are involved in the deal
Solution
– Encrypted password devices
  The system sends a 5-digit number
  Enter it into a handheld device, which displays a different 5-digit number
  Enter that number back into the system as the password
– Digital Certificate
  Similar principle – the owner’s public key is stored on a third-party site
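An added example (not from the slides) of the encrypted password device exchange, modelled with HMAC-SHA256 from the Python standard library: the server and the handheld device share a secret, the server sends a random 5-digit challenge, the device answers with a different 5-digit number derived from the secret, and the server checks it. The shared secret, user name and class names are constructed for the example.

```python
# Added example (not from the slides): challenge-response login with a handheld
# device. The 5-digit challenge is single-use, so a response that is observed
# in transit cannot be replayed for a later login.
import hashlib
import hmac
import secrets

SHARED_SECRET = b"constructed-device-secret-0001"  # constructed; provisioned into device and server


def new_challenge():
    """Server side: a fresh random 5-digit number sent to the user."""
    return f"{secrets.randbelow(100000):05d}"


def device_response(secret, challenge):
    """Handheld side: the different 5-digit number shown after keying in the challenge."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 100000:05d}"


class Server:
    def __init__(self, device_secrets):
        self.secrets = device_secrets  # user -> secret of that user's device
        self.pending = {}              # user -> outstanding challenge (single use)

    def start_login(self, user):
        challenge = new_challenge()
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, typed_response):
        # The challenge is consumed whether or not the attempt succeeds.
        challenge = self.pending.pop(user, None)
        secret = self.secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = device_response(secret, challenge)
        return hmac.compare_digest(expected, typed_response)  # constant-time compare
```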
Electronic Commerce Security
Integrity – assurance that data and information (orders, replies to queries, and payment authorizations) are not accidentally or maliciously altered or destroyed during transmission
Solution
– Digital signature
  Digital code attached to a message that verifies origin and contents
Problems
– Not everyone has digital signatures
Electronic Commerce Security
Privacy – How to prevent eavesdropping?
Solution
– Encryption
  Based on mathematical principles: factoring a product into two prime numbers. If the prime numbers are large, supposedly difficult to crack.
  – A 56-bit DES encrypted message was decrypted in a little over 22 hours by a network of volunteers and a special-purpose computer called “Deep Crack”.
Standards:
– Secure Sockets Layer (SSL)
– Secure HTTP (S-HTTP)
– Secure Electronic Transactions (SET)
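An added example (not from the slides) tying together the digital-signature slides and the factoring remark above: a textbook RSA signature built from two constructed primes, which verifies origin and contents, and a function that recovers the private key by factoring n, which succeeds only because these primes are tiny. The primes, exponent and function names are assumptions for the example; real keys are thousands of bits long.

```python
# Added example (not from the slides): textbook RSA digital signatures with
# small constructed primes. sign() attaches a code to the message, verify()
# checks that the contents were not altered, and recover_private_key() shows
# why the primes must be large: with small ones n factors instantly.
import hashlib
import math


def keygen(p, q, e=17):
    """Public key (n, e) and private key (n, d) from two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1, "e must be invertible modulo phi"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _hash_mod(message, n):
    """Reduce a SHA-256 digest of the message into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    n, d = private_key
    return pow(_hash_mod(message, n), d, n)


def verify(public_key, message, signature):
    """True only if the signature was made with the matching private key over this exact message."""
    n, e = public_key
    return pow(signature, e, n) == _hash_mod(message, n)


def recover_private_key(public_key):
    """Factor n by trial division; feasible only because the primes are small."""
    n, e = public_key
    p = next(x for x in range(2, math.isqrt(n) + 1) if n % x == 0)
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


# Constructed demo keys: 10007 and 10009 are prime, far too small for real use.
PUBLIC_KEY, PRIVATE_KEY = keygen(10007, 10009)
```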
Electronic Commerce Security
Fraud/Theft – How do you know if something is “stolen”?
Solution
– Internet logs
– “Electronic tags” on files, etc.
Problems
– Cannot prevent people from saving pages, images, etc.
– If saved as images, almost impossible to determine if someone else has them.
Electronic Commerce Security
Sabotage – Can someone enter the internal information system and access private information or destroy/alter information?
What do intruders do?
– Scan/explore the system (15%)
– Change documents/files (15%), e.g., credit rating, stealing
– Plant a virus (11%)
– Steal trade secrets (10%)
Hackers
Who are they?
– People who gain unauthorized access for profit, criminal mischief or personal pleasure
– “Training” manuals on the WWW
Examples of tactics
– “War dialing”
– Denial of service
– Sniffers
– Password crackers
– Viruses
Viruses
First occurrence on the Internet in 1988, by Robert Morris, a CS student at Cornell
– Went out of control. As it spread, it tied up memory and storage space
– Hundreds of computer centers in research institutes and universities had to shut down
– A virus intended to cause no harm cost over $100 million in lost access and direct labor costs
Anti-viral software
Sabotage – cont’d
Solution
– Firewall
  Sits between the Internet and the internal network. Can be a router, or can use a third-party host for the web site
– Firebreak – submit sensitive information over telephone or VAN, not over the Internet
Problem
– Only prevents inexperienced hackers
CERT
Computer Emergency Response Team
– Helps determine who is breaking into sites, and publishes solutions to the method used for the break-in
Discussion Questions
Crime
– Bank robbery: average loss is $3,400, 85% chance of being caught
– White collar: average loss is $23,000
– Computer fraud: average loss is $600,000, extremely hard to catch the culprit
– Why?
Discussion Questions – cont’d
Computer fraud is typically performed by insiders.
– What measures can be used to minimize fraud?
Why doesn’t everyone use biometric access controls?
Should companies use firewalls to block employee access to outside web sites?
– To track pages downloaded to a PC?
Why don’t companies report computer fraud?
Network Security: Need a Combination to Minimize Risk
– Authorization management
– Firewall
– Encryption
– Advisory organizations and consultants, e.g., CERT, ex-hackers
OR disconnect from the Internet