Information systems security(1)


Page 1: Information systems security(1)

25-09-2012

1

Information Systems Security

IS Security

• The protection of IS against unauthorised access to or modification of information, whether it is being stored, processed or transmitted, and against the denial of service to authorised users or the provision of service to unauthorised users, including the steps necessary to find out, document and counter such threats.

• It covers not just information but also all the infrastructure that facilitates its use, such as processes, systems, services and technology.

• Advances in telecommunications and computer software

• Unauthorized access, abuse, or fraud

• Piracy

• Hackers

• Denial of service attack

• Harassment

• Computer viruses

• And many more…

SYSTEM VULNERABILITY AND ABUSE

Why Are Systems Vulnerable?

Telecommunication Network Vulnerabilities

Page 2: Information systems security(1)


Internet Security Challenges

Tools of Security Management

Internetworked Security Defenses

• Encryption

– Passwords, messages, files, and other data are transmitted in scrambled form and unscrambled only for authorized users

– Involves using special mathematical algorithms to transform digital data into scrambled code

– Most widely used method uses a pair of public and private keys unique to each individual
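An added example, not from the slides, of the key-pair idea in the bullet above: a public key that anyone may use to scramble data and a matching private key that alone unscrambles it. The key sizes, the per-byte blocks and the sample message are constructed for illustration; the arithmetic is the textbook RSA scheme.

```python
# Added illustration, not part of the slides: a public/private key pair
# in the RSA style, with textbook-size numbers so every step is visible.
# Real systems use a vetted library (2048-bit keys, padding, hybrid mode).
import random


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 64):
    """Return ((e, n), (d, n)): (e, n) is published, (d, n) stays with its owner."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if phi % e == 0:          # need gcd(e, phi) == 1; e is prime, so this check suffices
            continue
        n = p * q
        d = pow(e, -1, phi)       # modular inverse: d * e == 1 (mod phi)
        return (e, n), (d, n)


def encrypt(message: bytes, public_key) -> list:
    """Scramble with the recipient's PUBLIC key, one block per byte for clarity."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(blocks: list, private_key) -> bytes:
    """Only the matching PRIVATE key recovers the bytes."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def round_trip(message: bytes = b"PAYROLL-2012-Q3") -> bytes:
    """Constructed sample: scramble then unscramble a message with a fresh key pair."""
    public_key, private_key = generate_keypair(64)
    return decrypt(encrypt(message, public_key), private_key)
```

Encrypting one byte per block, as done here for readability, is deterministic (the same byte always gives the same block), which is why real protocols pad the input and use the key pair only to protect a random symmetric key that encrypts the bulk data.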

• Firewalls

– Serves as a “gatekeeper” system that protects a company’s intranets and other computer networks from intrusion

• Provides a filter and safe transfer point

• Screens all network traffic for proper passwords or other security codes
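An added example, not from the slides, of the "gatekeeper" filter described above: a stateless packet filter that evaluates rules top to bottom, takes the first match, and drops anything no rule permits. The address ranges, the policy and the sample packets are constructed.

```python
# Added illustration, not from the slides: a stateless packet filter that
# acts as the "gatekeeper" between the Internet and a company intranet.
# Rules are evaluated top to bottom, first match wins, and anything no rule
# permits is dropped (default deny). Addresses and policy are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    proto: str     # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"         # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None matches any port
    proto: Optional[str] = None    # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.proto is None or self.proto == pkt.proto))


INTRANET = "10.0.0.0/8"            # constructed internal range
WEB_SERVER = "203.0.113.10/32"     # constructed public web server

POLICY: List[Rule] = [
    Rule("allow", dst=WEB_SERVER, dport=443, proto="tcp"),  # public HTTPS front door
    Rule("allow", src=INTRANET, dst=INTRANET),              # internal hosts talk to each other
    Rule("deny", dst=INTRANET),                             # nobody outside reaches the intranet
    # everything else falls through to the default deny below
]


def filter_packet(pkt: Packet, rules: List[Rule] = POLICY) -> str:
    """Return the action of the first matching rule, or "deny" if none match."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def run_sample_traffic() -> dict:
    """Constructed packets exercising each path through the policy."""
    samples = {
        "internet->web:443": Packet("198.51.100.7", "203.0.113.10", 443, "tcp"),
        "internet->web:22": Packet("198.51.100.7", "203.0.113.10", 22, "tcp"),
        "internet->intranet:445": Packet("198.51.100.7", "10.1.2.3", 445, "tcp"),
        "intranet->intranet:445": Packet("10.5.5.5", "10.1.2.3", 445, "tcp"),
    }
    return {name: filter_packet(pkt) for name, pkt in samples.items()}
```

The default-deny return at the end of `filter_packet` is the property that matters: a service reachable from outside must be listed explicitly, so an unlisted port on the web server is dropped even though no rule names it.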

Page 3: Information systems security(1)


• Denial of Service Defenses

– These assaults depend on three layers of networked computer systems

• Victim’s website

• Victim’s ISP

• Sites of “zombie” or slave computers

– Defensive measures and security precautions must be taken at all three levels
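An added example, not from the slides, of one defensive measure the victim's site or ISP can apply at its own layer: a per-source token-bucket rate limiter that serves a normal client in full while dropping most of a flood from a single source. The rate, burst and traffic are constructed.

```python
# Added illustration, not from the slides: one of the defensive measures a
# victim's site or ISP can apply against a flood, a per-source token bucket.
# Each source may burst up to `burst` requests and then sustain `rate`
# requests per second; the excess is dropped. Traffic below is constructed.
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


class TokenBucket:
    def __init__(self, rate: float, burst: int):
        self.rate = rate              # tokens added per second
        self.burst = burst            # bucket capacity
        self.tokens = float(burst)
        self.last: Optional[float] = None

    def allow(self, now: float) -> bool:
        """Refill according to elapsed time, then try to spend one token."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PerSourceLimiter:
    """One bucket per source address, created on first sight."""
    def __init__(self, rate: float, burst: int):
        self.buckets: Dict[str, TokenBucket] = defaultdict(lambda: TokenBucket(rate, burst))

    def check(self, src: str, now: float) -> bool:
        return self.buckets[src].allow(now)


def replay(requests: List[Tuple[float, str]], rate: float = 2.0,
           burst: int = 5) -> Dict[str, Tuple[int, int]]:
    """Feed (timestamp, source) pairs through the limiter; return (served, dropped) per source."""
    limiter = PerSourceLimiter(rate, burst)
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for ts, src in sorted(requests):
        counts[src][0 if limiter.check(src, ts) else 1] += 1
    return {src: (served, dropped) for src, (served, dropped) in counts.items()}


def sample_traffic() -> List[Tuple[float, str]]:
    """Constructed: a normal client at 1 req/s for 10 s, and one source firing 32 requests in 2 s."""
    normal = [(float(t), "10.0.1.5") for t in range(10)]
    flood = [(i * 0.0625, "198.51.100.7") for i in range(32)]
    return normal + flood
```

With a burst of 5 and a sustained rate of 2 per second, the flood source gets its first 5 requests served and then one every half second, 8 in all out of 32, while the normal client is never throttled. A limiter keyed on source address alone does not help once the flood comes from many zombie hosts at once, which is why the slide says measures are needed at all three layers.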

• E-mail Monitoring

– “Spot checks just aren’t good enough anymore. The tide is turning toward systematic monitoring of corporate e-mail traffic using content-monitoring software that scans for troublesome words that might compromise corporate security.”

• Virus Defenses

– Protection may be accomplished through

• Centralized distribution and updating of antivirus software

• Outsourcing the virus protection responsibility to ISPs or to telecommunications or security management companies

Other Security Measures

• Security codes

– Multilevel password system

• Log onto the computer system

• Gain access into the system

• Access individual files
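An added example, not from the slides, of the three-level system above as a single access decision: a password check for system logon, an entitlement check for the application, and a per-file access list. The user table, the fixed salt and the file paths are constructed; password hashing uses PBKDF2 from Python's standard library.

```python
# Added illustration, not from the slides: the three-level check the slide
# describes, as one function. Level 1 verifies the user's password (system
# logon), level 2 checks the user is entitled to the application, level 3
# checks the per-file access list. The user table and ACL are constructed.
import hashlib
import hmac
from typing import Dict, Set, Tuple

# Constructed, fixed salt so the example is repeatable; a real system stores
# a distinct random salt per user next to the hash.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS: Dict[str, dict] = {
    "alice": {"pw": hash_password("correct horse"), "apps": {"payroll", "inventory"}},
    "bob":   {"pw": hash_password("hunter2"), "apps": {"inventory"}},
}

FILE_ACL: Dict[str, Set[str]] = {
    "payroll/salaries.xlsx": {"alice"},
    "inventory/stock.csv": {"alice", "bob"},
}

# A throwaway hash so an unknown user name costs the same time as a known one
_DUMMY = hash_password("no-such-user")


def request_file(user: str, password: str, app: str, path: str) -> Tuple[bool, str]:
    """Return (granted, level_reached); the level names which gate decided."""
    record = USERS.get(user)
    stored = record["pw"] if record else _DUMMY
    # Level 1: system logon, constant-time comparison of the derived hash
    if not hmac.compare_digest(stored, hash_password(password)) or record is None:
        return False, "system-logon"
    # Level 2: access into the application system
    if app not in record["apps"]:
        return False, "application-access"
    # Level 3: the individual file
    if user not in FILE_ACL.get(path, set()):
        return False, "file-access"
    return True, "file-access"
```

Each gate only runs once the previous one has passed, and a failure reports the level that refused, which is what an audit trail needs in order to tell a mistyped password from an attempt to open a file outside the user's entitlement.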

Page 4: Information systems security(1)


• Backup Files

– Duplicate files of data or programs

– File retention measures

– Sometimes several generations of files are kept for control purposes

• Security Monitors

– Programs that monitor the use of computer systems and networks and protect them from unauthorized use, fraud, and destruction
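An added example, not from the slides, of what such a monitoring program does with a stream of logon records: it parses each line and raises an alert for a burst of failed logons from one source within a short window, and for a successful logon outside business hours. The log format and the log lines are constructed for the example.

```python
# Added illustration, not from the slides: a small security monitor that
# reads authentication log lines and raises alerts for two patterns of
# unauthorized use: repeated failed logons from one source inside a short
# window, and successful logons outside business hours. Log format and
# lines are constructed for the example.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2012-09-25T09:01:10 OK user=alice src=10.0.1.5
2012-09-25T09:02:00 FAIL user=admin src=198.51.100.7
2012-09-25T09:02:05 FAIL user=admin src=198.51.100.7
2012-09-25T09:02:09 FAIL user=admin src=198.51.100.7
2012-09-25T09:02:14 FAIL user=admin src=198.51.100.7
2012-09-25T09:02:20 FAIL user=admin src=198.51.100.7
2012-09-25T09:03:00 OK user=bob src=10.0.1.9
2012-09-25T23:40:00 OK user=alice src=10.0.1.5
"""


def parse(lines: Iterable[str]):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                   "user": m["user"], "src": m["src"]}


def detect(lines: Iterable[str], fail_threshold: int = 5,
           window: timedelta = timedelta(seconds=60),
           business_hours: Tuple[int, int] = (8, 18)) -> List[Tuple[str, str, datetime]]:
    """Return (alert_type, subject, timestamp) tuples in log order."""
    alerts = []
    recent_fails = defaultdict(list)   # src -> timestamps of failures inside the window
    for ev in parse(lines):
        if ev["result"] == "FAIL":
            q = recent_fails[ev["src"]]
            q.append(ev["ts"])
            # drop failures that have aged out of the sliding window
            while ev["ts"] - q[0] > window:
                q.pop(0)
            if len(q) >= fail_threshold:
                alerts.append(("repeated-logon-failures", ev["src"], ev["ts"]))
                q.clear()          # start a fresh count so one burst raises one alert
        else:
            start, end = business_hours
            if not start <= ev["ts"].hour < end:
                alerts.append(("after-hours-logon", ev["user"], ev["ts"]))
    return alerts


def alerts_for_sample() -> List[Tuple[str, str, datetime]]:
    return detect(SAMPLE_LOG.splitlines())
```

On the sample log the monitor produces two alerts: the fifth failed logon from 198.51.100.7 at 09:02:20 and alice's successful logon at 23:40. The thresholds are parameters because the right values depend on the site; the structure (parse, keep a sliding window per subject, alert once per burst) is what carries over.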

• Biometric Security

– Measure physical traits that make each individual unique

• Voice

• Fingerprints

• Hand geometry

• Signature dynamics

• Keystroke analysis

• Retina scanning

• Face recognition and genetic pattern analysis

• Computer Failure Controls

– Preventive maintenance of hardware and management of software updates

– Backup computer system

– Carefully scheduled hardware or software changes

– Highly trained data center personnel

Page 5: Information systems security(1)


• Fault Tolerant Systems

– Computer systems that have redundant processors, peripherals, and software

• Disaster Recovery

– Disaster recovery plan

• Which employees will participate and their duties

• What hardware, software, and facilities will be used

• Priority of applications that will be processed

System Controls and Audits

• Information System Controls

– Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities

– Designed to monitor and maintain the quality and security of input, processing, and storage activities

• Auditing Business Systems

– Review and evaluate whether proper and adequate security measures and management policies have been developed and implemented

– Testing the integrity of an application’s audit trail
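An added example, not from the slides, of how an auditor can test an audit trail's integrity: each entry stores a SHA-256 over the previous entry's hash and its own content, so recomputing the chain reveals an edited, re-hashed or deleted entry and the position of the break. The records are constructed payroll events.

```python
# Added illustration, not from the slides: an audit trail in which every
# entry carries a SHA-256 over the previous entry's hash plus its own
# content, so an auditor can test the trail's integrity by recomputing the
# chain. Records below are constructed.
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64   # hash "before" the first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(trail: List[dict], record: dict) -> List[dict]:
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"record": record, "hash": _entry_hash(prev, record)})
    return trail


def verify_trail(trail: List[dict]) -> Tuple[bool, Optional[int]]:
    """Recompute the chain; return (True, None) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["hash"] != _entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None


def build_sample_trail() -> List[dict]:
    """Constructed payroll events, appended in order."""
    trail: List[dict] = []
    for rec in [
        {"seq": 1, "user": "alice", "action": "login"},
        {"seq": 2, "user": "alice", "action": "update-salary", "employee": 4711, "amount": 52000},
        {"seq": 3, "user": "alice", "action": "approve", "employee": 4711},
        {"seq": 4, "user": "alice", "action": "logout"},
    ]:
        append_entry(trail, rec)
    return trail


def edited_in_place() -> Tuple[bool, Optional[int]]:
    """An entry's content is changed without touching any hash: caught at that entry."""
    trail = build_sample_trail()
    trail[1]["record"]["amount"] = 92000
    return verify_trail(trail)


def edited_and_rehashed() -> Tuple[bool, Optional[int]]:
    """The edited entry's own hash is recomputed too: the break moves to the next entry."""
    trail = build_sample_trail()
    trail[1]["record"]["amount"] = 92000
    trail[1]["hash"] = _entry_hash(trail[0]["hash"], trail[1]["record"])
    return verify_trail(trail)


def entry_removed() -> Tuple[bool, Optional[int]]:
    """Deleting a middle entry breaks the link of the entry that followed it."""
    trail = build_sample_trail()
    del trail[2]
    return verify_trail(trail)
```

The chain only proves something if the latest hash is recorded where the application cannot rewrite it (a separate system, a signed digest, or a printed value kept by the auditor); anyone able to rewrite the whole file could otherwise recompute every link, so the test of the trail is a comparison of the recomputed head against that independently held value.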