CHAPTER 8
Securing Information Systems
System Vulnerability
Security (the policies, procedures and technical measures that prevent unauthorized access, alteration, theft or damage) and controls (the methods, policies and organizational procedures that keep assets safe and records accurate) are what keep a system from being vulnerable.
Internet exposure: e-mail, instant messaging and other network services are the entry points attackers most often use to reach internal systems.
Wireless security challenges: radio frequency bands are easy to scan, Wi-Fi transmissions can be intercepted, and war driving (searching for unprotected wireless networks) locates targets.
Malware: viruses, worms, Trojan horses, spyware and key loggers. SQL injection is a separate category, an attack on a web application that passes untrusted user input into database queries.
System Vulnerability (cont.)
Hackers, crackers and script kiddies
Spoofing: misrepresenting oneself, for example by forging an e-mail sender or redirecting a web link to an address other than the one intended
Sniffing: an eavesdropping program that monitors information travelling over a network
Denial-of-service (DoS) attack: flooding a server with requests so that legitimate users cannot be served
Distributed denial-of-service (DDoS) attack: the same flood launched from many machines at once, typically a botnet (a network of compromised computers under an attacker's remote control)
Computer crime
Common computer crimes
System Vulnerability (cont.)
Identity theft; phishing (fraudulent messages that lure users into revealing credentials or personal data); evil twins (rogue wireless access points posing as legitimate ones); pharming (redirecting users to a bogus site even when they type the correct address); click fraud
Cyberterrorism and cyberwarfare
Internal threats: employees already have access and are the usual target of social engineering (tricking people into revealing passwords or granting access)
Software vulnerability: bugs, and the patches vendors release to fix them
Security and Control
Legal and regulatory requirements: HIPAA for medical records; the Gramm-Leach-Bliley Act (Financial Services Modernization Act) for consumer data held by financial institutions; the Sarbanes-Oxley Act, which protects investors from financial fraud and therefore requires controls over the systems that produce financial reports
Electronic evidence and computer forensics: computer forensics is the scientific collection, examination, authentication, preservation and analysis of data held on computer storage media so that it can be used as evidence in court
Security and Control Framework: types of controls
General controls govern the design, security and use of computer programs and the security of data files throughout the organization's infrastructure
Application controls are specific to each computerized application, such as payroll or order processing: input, processing and output controls
Risk assessment determines the level of risk to the firm; once risks are assessed, system builders concentrate on the control points with the greatest vulnerability and potential for loss
Security and Control Framework (cont.)
Security policy: written after the risk assessment; ranks information risks and states how the company's assets will be protected
Acceptable use policy (AUP): the acceptable uses of the firm's information systems, equipment and data
Identity management: determines who the valid users of the system are and what each is allowed to access
Disaster recovery planning: restoring computing and communications after a disruption; a hot site (a fully equipped standby facility) versus a cold site (space and power only, with equipment brought in after the event)
Business continuity planning: keeping business operations running after a disaster
Auditing: an MIS audit examines the firm's overall security environment and the controls of individual systems
Technologies and Tools for Protecting Information Resources
Identity management and authentication: passwords, tokens, smart cards and biometric authentication (human traits such as fingerprints or faces). The three factors are what you know, what you have and who you are; requiring two different factors is stronger than any one alone.
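A worked illustration of two of the three factors above: a password check (what you know) using salted, iterated hashing rather than plaintext storage, combined with a one-time code from a token app (what you have) generated by the HOTP/TOTP algorithms of RFC 4226 and RFC 6238. This is an added example, not code from the slides; the user database, the enrolment helper and the clock-drift window of one step are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# --- "What you know": store a salted, iterated hash, never the password ------

def hash_password(password, salt=None, iterations=200_000):
    """Return a record that can be stored; the plaintext is not recoverable from it."""
    if salt is None:
        salt = os.urandom(16)  # per-user salt defeats precomputed hash tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    # constant-time comparison: a byte-by-byte mismatch cannot be timed
    return hmac.compare_digest(candidate, record["digest"])


# --- "What you have": RFC 4226 HOTP and RFC 6238 TOTP --------------------------

def hotp(secret, counter, digits=6):
    """HMAC-based one-time password: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return truncated % (10 ** digits)


def totp(secret, now, step=30, digits=6):
    """Time-based variant: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(now) // step, digits)


# --- Two-factor login (constructed in-memory user database) -------------------

def enroll(user_db, username, password):
    """Store the password hash and a fresh shared secret for the user's token app."""
    user_db[username] = {"password": hash_password(password), "totp_secret": os.urandom(20)}
    return user_db[username]["totp_secret"]


def login(user_db, username, password, otp_code, now, step=30):
    record = user_db.get(username)
    if record is None:
        # do the same amount of work for unknown users so response time does
        # not reveal which usernames exist
        hash_password(password, salt=b"\x00" * 16)
        return False
    if not verify_password(password, record["password"]):
        return False
    # accept the current and the previous step to tolerate small clock drift
    for window in (0, 1):
        expected = str(totp(record["totp_secret"], now - window * step, step)).zfill(6)
        if hmac.compare_digest(expected, str(otp_code).zfill(6)):
            return True
    return False
```

`hotp` reproduces the RFC 4226 test vectors (secret "12345678901234567890", counters 0 and 1 give 755224 and 287082), so a real authenticator app seeded with the same secret would produce the same codes. A stolen password alone now fails the second check, and a captured code expires with its 30-second window.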
Technologies (cont.)
Firewalls prevent unauthorized users from accessing private networks: a combination of hardware and software that controls the flow of incoming and outgoing traffic, checking names, IP addresses, applications and other characteristics of each packet against the firm's rules before letting it through
Intrusion detection systems monitor network traffic and hosts for signs of attack or policy violation, not merely for known vulnerabilities
Antivirus and antispyware software
Unified threat management (UTM): comprehensive security management that combines firewall, VPN, intrusion detection and content filtering in a single device
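The firewall rule-matching described above, as an added example that is not part of the original slides: a small packet filter that evaluates rules in order (first match wins) and applies a default verdict when nothing matches. The network layout, address ranges (RFC 5737 documentation addresses), rulesets and sample packets are all constructed for the illustration; the point is the contrast between a permissive ruleset whose deny never fires and a default-deny allow-list.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    direction: str  # "in" = entering the private network, "out" = leaving it


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" or "out"
    src: str                     # CIDR the source address must fall in
    dst: str                     # CIDR the destination address must fall in
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction == pkt.direction
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and self.dport in (None, pkt.dport)
        )


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins, as in most packet filters; no match falls to the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Assumed (constructed) topology using documentation address ranges.
INTERNAL = "192.0.2.0/24"      # the private network behind the firewall
WEB_SERVER = "192.0.2.10/32"   # public web server inside that network
MGMT_VPN = "203.0.113.0/24"    # where administrators connect from
ANYWHERE = "0.0.0.0/0"

# Weak ruleset: a broad allow placed first, so the deny after it can never fire.
PERMISSIVE = [
    Rule("allow", "in", ANYWHERE, INTERNAL),
    Rule("deny", "in", ANYWHERE, WEB_SERVER, "tcp", 22),
    Rule("allow", "out", ANYWHERE, ANYWHERE),
]

# Hardened ruleset: explicit allow-list; everything else hits the default deny.
HARDENED = [
    Rule("allow", "in", ANYWHERE, WEB_SERVER, "tcp", 443),   # public HTTPS only
    Rule("allow", "in", MGMT_VPN, WEB_SERVER, "tcp", 22),    # SSH only from management VPN
    Rule("allow", "out", INTERNAL, ANYWHERE, "tcp", 443),    # staff browsing over HTTPS
]


def decisions(rules: List[Rule]) -> dict:
    """Run constructed sample traffic through a ruleset; returns sample name -> verdict."""
    samples = {
        "https_from_internet": Packet("198.51.100.7", "192.0.2.10", "tcp", 443, "in"),
        "ssh_from_internet": Packet("198.51.100.7", "192.0.2.10", "tcp", 22, "in"),
        "ssh_from_mgmt_vpn": Packet("203.0.113.5", "192.0.2.10", "tcp", 22, "in"),
        "smb_to_workstation": Packet("198.51.100.7", "192.0.2.55", "tcp", 445, "in"),
        "browse_out": Packet("192.0.2.55", "198.51.100.20", "tcp", 443, "out"),
    }
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, decisions(rules))
```

Under PERMISSIVE every inbound packet, including SSH and SMB from the Internet, is allowed because the first rule matches before the deny is reached; under HARDENED only the listed services pass and the same SSH attempt is dropped, while the administrator's SSH from the management range still succeeds.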
Wireless Security
Encryption and Public Key Infrastructure
Secure Sockets Layer (SSL) and its successor TLS: establish a secure, encrypted connection between two computers
Secure Hypertext Transfer Protocol (S-HTTP): encrypts individual messages, whereas SSL/TLS secures the whole connection
Public key encryption: uses two mathematically related keys, a public key that anyone may use to encrypt and a private key that only the owner holds to decrypt (and, used the other way round, to sign)
Digital certificates: data files issued by a trusted third party that bind a public key to the identity of a user or electronic asset
Public key infrastructure (PKI): public key cryptography working with a certification authority (CA) that issues the certificates and vouches for the identities in them
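The public key encryption, digital certificate and certification authority ideas above, worked through in code. This is an added example, not code from the slides or from any real PKI library: it implements textbook RSA (real key generation with Miller-Rabin primes, but no padding, so it is an illustration, not something to deploy), then a minimal certificate format and CA of the author's own devising, so that a client can verify a server's certificate against a trusted CA, detect a swapped-in key, and encrypt to the key the certificate vouches for.

```python
import hashlib
import secrets

# --- Textbook RSA (no padding): illustration of two-key encryption only -----

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(cand):
            return cand


def keygen(bits=512, e=65537):
    """Return (public, private) = ((e, n), (d, n)). 512-bit n is toy-sized."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def encrypt(pub, msg: bytes) -> int:
    e, n = pub
    m = int.from_bytes(msg, "big")
    assert 0 < m < n, "message must be shorter than the modulus (no padding here)"
    return pow(m, e, n)


def decrypt(priv, c: int) -> bytes:
    d, n = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(priv, data: bytes) -> int:
    """Signing is the private-key operation applied to a hash of the data."""
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


# --- Minimal certificates and a certification authority (assumed format) ----

def cert_body(subject, pub):
    """The bytes the CA signs: the subject name bound to its public key."""
    e, n = pub
    return f"subject={subject};e={e};n={n}".encode()


def issue_cert(ca_priv, ca_name, subject, subject_pub):
    return {"subject": subject, "pub": subject_pub, "issuer": ca_name,
            "sig": sign(ca_priv, cert_body(subject, subject_pub))}


def verify_cert(cert, trusted_cas):
    """Trust the certificate only if a CA we already trust signed this exact binding."""
    ca_pub = trusted_cas.get(cert["issuer"])
    if ca_pub is None:
        return False
    return verify(ca_pub, cert_body(cert["subject"], cert["pub"]), cert["sig"])


def demo():
    ca_pub, ca_priv = keygen()
    trusted = {"Example CA": ca_pub}          # the client's trust store
    srv_pub, srv_priv = keygen()
    cert = issue_cert(ca_priv, "Example CA", "shop.example", srv_pub)
    genuine_ok = verify_cert(cert, trusted)
    mallory_pub, _ = keygen()                 # attacker substitutes their own key
    forged_ok = verify_cert(dict(cert, pub=mallory_pub), trusted)
    secret = b"card=4111..."                  # constructed sample payload
    roundtrip = decrypt(srv_priv, encrypt(cert["pub"], secret)) == secret
    return genuine_ok, forged_ok, roundtrip   # (True, False, True)


if __name__ == "__main__":
    print(demo())
```

The certificate is nothing more than the CA's signature over "this name has this public key"; changing the key invalidates the signature, which is why the attacker's substitution fails, and the client only encrypts after that check has passed. Real PKI adds padding (OAEP/PSS), expiry dates, revocation and chains of intermediate CAs, none of which this toy models.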
System Availability
Online transaction processing (OLTP): transactions entered online are processed immediately, so the system has to be continuously available
Fault-tolerant computer systems: redundant hardware, software and power supply components that detect hardware failures and switch to backups so that service continues uninterrupted
High-availability computing: helps the firm recover quickly from a crash; downtime is the period when the system is not operational
Recovery-oriented computing: designs systems to recover quickly and gives operators the tools to pinpoint and correct the sources of failure, minimizing downtime
Controlling network traffic: deep packet inspection (DPI) examines the data inside packets, sorts out low-priority online material and assigns higher priority to business-critical functions
Security outsourcing: managed security service providers (MSSPs) monitor network activity and perform vulnerability testing and intrusion detection on the firm's behalf