4/15: Security & Controls in IS • Systems Vulnerabilities • Controls: what to use to guard against vulnerabilities – General controls – Application controls • Internet & eCommerce controls – Firewalls – Encryption – Authentication • Assessments & Audits

Post on 18-Dec-2015


TRANSCRIPT

Page 1: 4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls

4/15: Security & Controls in IS
• Systems Vulnerabilities
• Controls: what to use to guard against vulnerabilities
  – General controls
  – Application controls
• Internet & eCommerce controls
  – Firewalls
  – Encryption
  – Authentication
• Assessments & Audits

Page 2: Systems Vulnerabilities
• Ex: DDoS attacks in February 2000
• Why worry?
  – Financial impact of downtime is staggering:

  Type of Loss            Brokerage site (8 hrs)   Auction site (22 hrs)
  Direct revenues loss    $204,000                 $341,652
  Compensatory loss       $0                       $943,521
  Lost future revenues    $4,810,320               $1,024,955
  Worker downtime loss    $117,729                 $46,097
  Delay-to-market         $60,000                  $358,734
  Total impact            $5,220,159               $2,773,416

Page 3: How are systems vulnerable?
• If destroyed
  – Systems cannot be replicated manually
  – Systems are not easily understood or audited
  – Systems’ records can be permanently lost
• Hardware: fire, earthquake, etc.
• Software: electrical problems, bugs
• Personnel actions: user errors, maliciousness
• Access: program changes, data changes
• Data & services: telecommunication failures

Page 4: So what if it’s vulnerable?
• Use a risk assessment to decide if the costs of protecting against the vulnerability outweigh the potential losses from it.
• Ex. Online Order Processing Risk Assessment

  Exposure        Prob. (%)   Loss range ($)      Avg. loss ($)   Exp. ann. loss ($)
  Power failure   30%         $5,000 – 200,000    $102,500        $30,750
  Embezzlement    5%          $1,000 – 50,000     $25,500         $1,275
  User error      98%         $200 – 40,000       $20,100         $19,698
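The risk-assessment slide worked through in code, as an added example that is not part of the original slides: it reproduces the expected annual loss column from the table's own probabilities and loss ranges, then applies the slide's decision rule (is the cost of protecting less than the loss avoided?) to a candidate control. The control costs and residual probabilities are constructed assumptions.

```python
# Added example (not from the slides): expected annual loss from the slide's
# risk-assessment table, plus a cost/benefit check for a candidate control.
# Table values are the slide's; control costs and residual probabilities below
# are constructed assumptions used only for illustration.

def average_loss(low, high):
    """Midpoint of the loss range, as in the slide's 'avg.' column."""
    return (low + high) / 2

def expected_annual_loss(probability, low, high):
    """Expected annual loss = probability of occurrence x average loss."""
    return probability * average_loss(low, high)

# Exposure -> (probability of occurrence per year, low loss $, high loss $)
EXPOSURES = {
    "Power failure": (0.30, 5_000, 200_000),
    "Embezzlement":  (0.05, 1_000, 50_000),
    "User error":    (0.98, 200, 40_000),
}

def rank_exposures(exposures=EXPOSURES):
    """Return [(name, expected annual loss)] sorted highest risk first."""
    ranked = [(name, expected_annual_loss(p, lo, hi))
              for name, (p, lo, hi) in exposures.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)

def control_is_worthwhile(name, annual_control_cost, residual_probability,
                          exposures=EXPOSURES):
    """The slide's rule: a control pays for itself only when the reduction in
    expected annual loss exceeds what the control costs per year.
    Returns (worthwhile?, net benefit in $)."""
    p, lo, hi = exposures[name]
    before = expected_annual_loss(p, lo, hi)
    after = expected_annual_loss(residual_probability, lo, hi)
    net_benefit = (before - after) - annual_control_cost
    return net_benefit > 0, round(net_benefit, 2)

if __name__ == "__main__":
    for name, ale in rank_exposures():
        print(f"{name:14s} expected annual loss ${ale:>10,.2f}")
    # Constructed assumptions: a UPS/generator at $12,000/yr cuts power-failure
    # probability to 5%; user training at $25,000/yr cuts user error to 60%.
    print("Power failure control:", control_is_worthwhile("Power failure", 12_000, 0.05))
    print("User error control:   ", control_is_worthwhile("User error", 25_000, 0.60))
```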

Page 5: Example of vulnerabilities: hackers
• Hackers
  – “A person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure.”
  – Create computer viruses, DDoS attacks, etc.

Page 6: Examples of vulnerabilities: viruses
• “Rogue software programs that are difficult to detect and spread rapidly, destroying data or disrupting processing & memory systems.”
• Chernobyl (CIH) virus
• Badtrans.B virus
• Nimda virus
• Antivirus software is a necessity.
  – Virus definitions MUST BE UPDATED FREQUENTLY (min. every 2 weeks).

Page 7: Concerns for systems builders
• Disaster
  – Build backup facilities
  – Build fault-tolerant systems
    • Have extra hardware, software, power, processing capability in case something fails
  – Contract with a disaster recovery firm
• Security
  – “Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to IS.”
• Errors: prevention

Page 8: Systems quality issues: software
• Software bugs
  – “Program code defects or errors.”
  – Main sources: decision code, poor design specs.
• Maintenance
  – 50% of ITS staff time is spent “maintaining” existing systems.
  – Why?
    • Organizational changes
    • Software complexity
    • Faulty systems analysis discovered too late

Page 9: Systems quality issue: data quality
• Most common source of IS failure
• “Bad data”:
  – Input improperly or incorrectly
  – Faulty processing or database design
• FBI’s computerized criminal-records system
  – Estimated that 54% of records are wrong, incomplete, or ambiguous.

Page 10: Controls: Guards against Errors
• “All of the methods, policies, and procedures that ensure protection of the organization’s assets, accuracy and reliability of its records, and operational adherence to management standards.”
• Two types of IS controls:
  – General controls
  – Application controls

Page 11: General controls
• “Overall controls that establish a framework for controlling the design, security, and use of computer programs in the organization.”
• Implementation controls
• Software controls
• Hardware controls
• Computer operations controls
• Data security controls
• Administrative controls

Page 12: General controls
• Implementation controls
  – “The audit of the systems development process at various points to make sure that it is properly controlled and managed”
  – Controlling the systems development process

Page 13: General controls
• Software controls
  – “Controls to ensure the security and reliability of software.”
  – Control access and use of computer programs.

Page 14: General controls
• Hardware controls
  – “Controls to ensure the physical security and correct performance of computer hardware.”
  – Physical security:
    • Locking doors to computer rooms
    • Ensuring correct humidity & temperature of computer rooms
    • Etc.

Page 15: General controls
• Computer operations controls
  – “Procedures to ensure that programmed procedures are consistently and correctly applied to data storage and processing.”
  – Examples:
    • Backing up and recovering files
    • Controlling setup of computer processing jobs
    • Etc.

Page 16: General controls
• Data security controls
  – “Controls to ensure that data files on either disk or tape are not subject to unauthorized access, change, or destruction.”
  – Keeping data safe & secure
    • Restricting physical access to terminals to authorized users
    • System passwords
    • Additional password sets for specific data or applications

Page 17: General controls
• Administrative controls
  – “Formalized standards, rules, procedures, and disciplines to ensure that the organization’s controls are properly executed and enforced.”
  – Making sure that the people do what they’re supposed to do.
  – Examples:
    • Segregation of functions:
      – No one position has total access to, responsibility for, or control of data
    • Written policies & procedures for controlling IS operations

Page 18: Application controls
• “Specific controls within each separate computer application, such as payroll or order processing.”
• Input controls
  – Check data coming into system.
  – Control totals count # of transactions or fields before processing
  – Edit checks can fix errors in inputs before processing
• Processing controls
• Output controls

Page 19: Application controls
• Input controls
• Processing controls
  – Establish that data are complete & accurate during processing
  – Run control totals reconcile the input control totals with the totals of items that have updated a file.
  – Computer matching highlights unmatched items between what was input and what was processed.
  – Edit checks can highlight errors before processing is finalized.
• Output controls

Page 20: Application controls
• Input controls
• Processing controls
• Output controls
  – Ensure that results of processing are accurate, complete, and properly distributed.
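The three application-control slides above (input, processing and output controls) worked through on a constructed order-processing batch, as an added example that is not part of the original slides. The Order record layout, the batch header with its control totals, and the particular edit checks are assumptions; the point is where each control sits and what it catches.

```python
# Added example (not from the slides): input, processing and output controls
# applied to a constructed batch of order transactions.
from dataclasses import dataclass

@dataclass
class Order:
    order_id: str
    customer_id: str
    quantity: int
    unit_price: float

# Constructed input batch. The header's control totals were computed by the
# sending system before transmission, so a lost or altered record shows up.
BATCH = [
    Order("A1", "C100", 3, 19.99),
    Order("A2", "C200", -1, 5.00),   # will fail the edit check (negative qty)
    Order("A3", "C300", 10, 2.50),
]
BATCH_HEADER = {"record_count": 3, "quantity_hash_total": 12}

def input_control_totals(orders):
    """Input control: count the records and hash-total the quantity field."""
    return {"record_count": len(orders),
            "quantity_hash_total": sum(o.quantity for o in orders)}

def batch_intact(orders, header):
    """Input control: recomputed totals must equal the header's totals."""
    return input_control_totals(orders) == header

def edit_check(order):
    """Edit check: reject inputs that cannot be valid before processing."""
    return (order.quantity > 0 and order.unit_price > 0
            and order.customer_id.startswith("C"))

def process_batch(orders, header):
    """Processing controls. Returns (posted lines, unmatched ids, reconciled?)."""
    if not batch_intact(orders, header):
        raise ValueError("input control totals do not match batch header")
    posted = [(o.order_id, round(o.quantity * o.unit_price, 2))
              for o in orders if edit_check(o)]
    # Computer matching: inputs that produced no posted line are exceptions.
    posted_ids = {oid for oid, _ in posted}
    unmatched = [o.order_id for o in orders if o.order_id not in posted_ids]
    # Run control total: every input is either posted or listed as unmatched.
    reconciled = len(posted) + len(unmatched) == header["record_count"]
    return posted, unmatched, reconciled

def output_report(posted, unmatched, reconciled, recipient):
    """Output control: totals, exception list and intended recipient travel
    with the results so the report is complete and properly distributed."""
    return {"recipient": recipient, "lines": len(posted),
            "amount_total": round(sum(amt for _, amt in posted), 2),
            "exceptions": unmatched, "reconciled": reconciled}
```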

Page 21: Internet & eCommerce controls
• Threats are greater because of greater access to systems by anonymous outsiders.
• Firewalls: proxy & stateful inspection
• Encryption
• Authentication: digital signatures, digital certificates

Page 22: Internet controls: Firewalls
• Prevent access by unauthorized users to a private network from the outside, usually the Internet.
• Proxy firewalls
  – Accept data from outside, then pass a copy (not the original files) along to the internal destination.
  – Can work similarly going from inside to outside.
• Stateful inspection firewalls
  – Checks each type of packet that comes in, and lets it pass if it is an approved type.

Page 23: Internet controls: Encryption
• Coding and scrambling of messages to prevent unauthorized access to or understanding of the data being transmitted.
• Public key encryption: uses two “keys”, one public, one private.

  [Diagram: Sender → (public key) → scrambled message → (private key) → Recipient]

Page 24: Internet controls: Authentication
• Digital signatures
  – Not fully developed yet, some governmental approval
  – Unique digital code attached to message to identify user, like a signature
• Digital certificates
  – Uses a third party (ex. Verisign) to guarantee identity of user
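The encryption and digital-signature slides above, as one added example that is not part of the original slides: textbook RSA with small constructed primes and no padding, enough to show which key scrambles, which unscrambles, which signs and which verifies, and that a changed message fails verification. The primes, exponent and messages are assumptions; a real deployment uses large keys and a padded scheme from a vetted library.

```python
# Added example (not from the slides): the roles of the public and private
# keys in encryption and in digital signatures, using textbook RSA with small
# constructed primes and no padding (illustration only, not a real scheme).
import hashlib

def make_keypair(p=1000003, q=1000033, e=65537):
    """Constructed key pair: (e, n) is public and shared, (d, n) stays private."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: inverse of e modulo phi
    return (e, n), (d, n)

def encrypt(message: int, public_key):
    """Sender scrambles the message with the recipient's PUBLIC key."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(message, e, n)

def decrypt(ciphertext: int, private_key):
    """Only the holder of the matching PRIVATE key can unscramble it."""
    d, n = private_key
    return pow(ciphertext, d, n)

def sign(message: bytes, private_key):
    """Signer attaches a code derived from the message using the PRIVATE key."""
    d, n = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)

def verify(message: bytes, signature: int, public_key):
    """Anyone with the PUBLIC key can check the code; an altered message or
    signature no longer matches, so tampering is detected."""
    e, n = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest

if __name__ == "__main__":
    pub, priv = make_keypair()
    scrambled = encrypt(123456789, pub)
    print("round trip ok:", decrypt(scrambled, priv) == 123456789)
    order = b"pay 500 to account 42"          # constructed message
    sig = sign(order, priv)
    print("genuine verifies:", verify(order, sig, pub))
    print("altered verifies:", verify(b"pay 900 to account 42", sig, pub))
```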

Page 25: Do your controls work well?
• Use an MIS audit.
  – “Identifies all the controls that govern individual information systems and assesses their effectiveness.”
• The audit:
  – Lists and ranks all the control weaknesses,
  – Estimates the probability of occurrence, and
  – Assesses financial & organizational impact of each threat.