CHAPTER 8 Securing Information Systems

Page 1: CHAPTER 8 Securing Information Systems

Page 2: System Vulnerability

Security (policies, procedures, technical measures) and controls (methods, policies, procedures) are important to ensure your system is not vulnerable
Internet: email and other ways hackers gain access
Wireless security challenges: war driving, RFID bands, Wi-Fi transmission
Malware: viruses, worms, Trojan horses, spyware, SQL injection attacks, key loggers

Page 3: System Vulnerability (cont.)

Hackers, crackers, script kiddies
Spoofing (redirecting a web address) and sniffing (an eavesdropping program that monitors information traveling over a network)
Denial-of-service (DoS) attack; distributed denial-of-service (DDoS) attack; botnet
Computer crime

Page 4: Common Computer Crime

Page 5: System Vulnerability (cont.)

Identity theft
Phishing
Evil twins
Pharming
Click fraud
Cyberterrorism and cyberwarfare
Internal threats
Social engineering
Software vulnerability: bugs and patches

Page 6: Security and Control

Legal and regulatory requirements
  HIPAA – for medical records
  Gramm-Leach-Bliley Act (Financial Services Modernization Act) – consumer data in financial institutions
  Sarbanes-Oxley Act – protects investors from financial scandals
Electronic evidence and computer forensics
  Computer forensics – collection, authentication, preservation and analysis of data held on storage media so that it can be used as evidence in court

Page 7: Security and Control Framework

Types of controls

  General controls – govern the design, security and use of computer programs and the security of data files throughout the organization's infrastructure
  Application controls – specific controls unique to each computerized application, such as payroll or order processing: input, processing and output controls
Risk assessment – determines the level of risk to the firm; once risks are assessed, system builders concentrate on the control points with the greatest vulnerability and potential for loss

Page 8: Security and Control Framework (cont.)

Security policy – created after the risk assessment; states how to protect the company's assets
  Acceptable Use Policy (AUP) – acceptable uses of the firm's information systems, etc.
  Identity management – determines the valid users of the system
Disaster recovery – hot site vs. cold site
Business continuity planning
Auditing – MIS audit (examines the firm's security environment)

Page 9: Technologies and Tools for Protecting Information Resources

Identity management and authentication
  Passwords, tokens, smart cards, biometric authentication (human traits)
  What you know, what you have, who you are

Page 10: Technologies (cont.)

Firewalls – prevent unauthorized users from accessing private networks; a combination of hardware and software that controls the flow of incoming and outgoing network traffic and identifies names, IP addresses, applications and other characteristics of incoming traffic
Intrusion detection systems – monitor the network for vulnerabilities and intrusions
Antivirus and antispyware software
Unified threat management (UTM) – comprehensive security management systems combined inside a single device

Page 11: Wireless Security

Encryption and public key infrastructure
  Secure Sockets Layer (SSL) – secure connection between computers
  Secure Hypertext Transfer Protocol (S-HTTP) – encrypts messages
  Public key encryption (PKE) – secure encryption that uses two keys
  Digital certificates – data files used to establish the identity of users and electronic assets
  Public key infrastructure (PKI) – public key cryptography working with a certification authority

Page 12: System Availability

Online transaction processing (OLTP) – transactions are processed immediately
Fault-tolerant computer systems – detect hardware failures
High-availability computing – for recovering quickly from a crash
Downtime – periods when the system is not operational
Recovery-oriented computing – tries to minimize downtime
Deep packet inspection (DPI) – examines data files and sorts out low-priority online material, assigning higher priority to business-critical functions
Security outsourcing – managed security service providers (MSSPs) monitor network activity