session#7; securing information systems


Upload: omid-aminzadeh-gohari

Post on 08-Jul-2015


Page 1: Session#7;  securing information systems

1 N.Karami, MIS-Spring 2012

Management Information Systems

Securing Information Systems

Graduate School of Management & Economics

Securing Information Systems

Page 2: Learning Objectives

• Describe the major ethical (privacy) issues related to information technology and identify situations in which they occur.
• Describe the many threats to information security.
• Understand the various defense mechanisms used to protect information systems.
• Explain IT auditing and planning for disaster recovery.

Page 3: Computer systems intrusion at TJX

Page 4: Privacy Issues

You Be the Judge. Terry Childs: guilty or not guilty?

Page 5: Privacy

Court decisions have followed two rules:
(1) The right of privacy is not absolute. Your privacy must be balanced against the needs of society.
(2) The public’s right to know is superior to the individual’s right of privacy.

• Threats to privacy
– Data aggregators, digital dossiers, and profiling
– Electronic surveillance
– Personal information in databases
– Information on Internet bulletin boards, newsgroups, and social networking sites

Page 6: Data Aggregators, Digital Dossiers, and Profiling

Page 7: Information on Internet Bulletin Boards, Newsgroups, & Social Networking Sites

Page 8: Protecting Privacy

• Privacy codes and policies: an organization’s guidelines with respect to protecting the privacy of customers, clients, and employees.
• Opt-out model of informed consent: permits the company to collect personal information until the customer specifically requests that the data not be collected.
• Opt-in model of informed consent: organizations are prohibited from collecting any personal information unless the customer specifically authorizes it.

Page 9: IS Security Management

• The goal of security management is the accuracy, integrity, and safety of all information system processes and resources.

Page 10: Factors Increasing the Threats to Information Security

• Today’s interconnected, interdependent, wirelessly networked business environment
• Government legislation
• Smaller, faster, cheaper computers and storage devices
• Decreasing skills necessary to be a computer hacker
• International organized crime turning to cybercrime
• Downstream liability
• Increased employee use of unmanaged devices
• Lack of management support

Page 11: Key Information Security Terms (1)

• A threat to an information resource is any danger to which a system may be exposed.
• The exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource.
• A system’s vulnerability is the possibility that the system will suffer harm by a threat.
• System security focuses on protecting hardware, data, software, computer facilities, and personnel.

Page 12: Key Information Security Terms (2)

• Information security describes the protection of both computer and non-computer equipment, facilities, data, and information from misuse by unauthorized parties.
– Includes copiers, faxes, all types of media, and paper documents
• Risk is the likelihood that a threat will occur.
• Information system controls are the procedures, devices, or software aimed at preventing a compromise to the system.

Page 13: Objectives of Information Security

Page 14: Security Threats

Page 15: Categories of Threats to Information Systems

• Unintentional acts
• Natural disasters
• Technical failures
• Management failures
• Deliberate acts

(from Whitman and Mattord, 2003)

Page 16: Human Errors

• Tailgating
• Shoulder surfing
• Carelessness with laptops and portable computing devices
• Opening questionable e-mails
• Careless Internet surfing
• Poor password selection and use

Page 17: Anti-Tailgating Door

Page 18: Shoulder Surfing

Page 19: Most Dangerous Employees

Human resources and MIS. Remember, these employees hold ALL the information.

Page 20: Deliberate Acts: Malicious Software (Malware)

• Viruses: rogue software programs that attach themselves to other software programs or data files in order to be executed.
• Worms: independent computer programs that copy themselves from one computer to other computers over a network.
• Trojan horses: software programs that appear to be benign but then do something other than expected.
• Spyware: programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising.

Page 21: Deliberate Acts: Hackers & Crackers

• Hacking is:
– The obsessive use of computers
– The unauthorized access and use of networked computer systems
– Activities include system intrusion, system damage, and cybervandalism.
• Electronic breaking and entering
– Hacking into a computer system and reading files, but neither stealing nor damaging anything
• Cracker
– A malicious or criminal hacker who maintains knowledge of the vulnerabilities found for private advantage

Page 22: Deliberate Acts: Common Hacking Tactics (1)

• Spoofing
– Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers
• Sniffer
– Eavesdropping program that monitors information traveling over a network
– Enables hackers to steal proprietary information such as e-mail, company files, etc.
– Capturing passwords or entire contents
• Scans
– Widespread probes of the Internet to determine types of computers, services, and connections
– Looking for weaknesses

Page 23: Deliberate Acts: Common Hacking Tactics (2)

• Denial-of-service attacks (DoS)
– Flooding a server with thousands of false requests to crash the network
• Distributed denial-of-service attacks (DDoS)
– Use of numerous computers to launch a DoS
• Back doors
– A hidden point of entry to be used in case the original entry point is detected or blocked
• War dialing
– Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection
• Logic bombs
– An instruction in a computer program that triggers a malicious act

Page 24: Deliberate Acts: Computer Crime (1)

• Identity theft
– Theft of personal information (social security ID, driver’s license, or credit card numbers) to impersonate someone else
• Phishing
– Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data
• Evil twins
– Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
• Pharming
– Redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser

Page 25: Deliberate Acts: Computer Crime (2)

• Click fraud
– Occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase

Page 26: Information Systems Controls

• General controls
– Govern the design, security, and use of computer programs and the security of data files in general throughout the organization’s information technology infrastructure
– Apply to all computerized applications
– Combination of hardware, software, and manual procedures to create an overall control environment
• Application controls
• Physical controls
• Access controls
• Communications (network) controls
• MIS auditing

Page 27: Where Defense Mechanisms (Controls) are Located

Page 28: Access Control

• Policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders
• The access control three-step process includes:
– User identification
– User authentication
  • Something the user is: biometric authentication (facial recognition, hand geometry, fingerprint scan, palm scan, retina scan, iris scan)
  • Something the user does: signature, voice recognition
  • Something the user has: regular ID card, smart ID card, or token
  • Something the user knows: passwords, passphrases
– User authorization
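The three-step process above, as an added example that is not part of the lecture: a small Python login flow that identifies the user by name, authenticates with two factors from the list (something the user knows, checked against a salted PBKDF2 hash, and something the user has, an RFC 6238 TOTP token), and then authorizes an action against a role table. The directory, the roles and the token secret (the RFC 4226 test key) are constructed values.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed permission table: role -> actions it is explicitly granted.
PERMISSIONS = {"teller": {"view_account"},
               "auditor": {"view_account", "read_audit_log"}}

def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: a stolen directory does not yield the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(username: str, password: str, totp_secret: bytes, roles):
    salt = os.urandom(16)
    return {"name": username, "salt": salt, "hash": _pbkdf2(password, salt),
            "totp_secret": totp_secret, "roles": set(roles)}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code a hardware or phone token displays."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at=None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second time step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))

_DUMMY = make_user("", "", b"0" * 20, [])   # unknown names take the same path

def authenticate(directory, username, password, token, now=None):
    """Steps 1 and 2: identify the claimed user, then verify something the
    user knows (password) and something the user has (TOTP token)."""
    user = directory.get(username, _DUMMY)
    ok_pw = hmac.compare_digest(_pbkdf2(password, user["salt"]), user["hash"])
    ok_tok = hmac.compare_digest(token, totp(user["totp_secret"], now))
    return user if (user is not _DUMMY and ok_pw and ok_tok) else None

def authorize(user, action: str) -> bool:
    """Step 3: allowed only if one of the user's roles grants the action."""
    return any(action in PERMISSIONS.get(role, set()) for role in user["roles"])

# Constructed directory with one teller; the secret is the RFC 4226 test key.
DIRECTORY = {"alice": make_user("alice", "correct horse battery",
                                b"12345678901234567890", ["teller"])}
```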

Page 29: Communication or Network Controls

• Firewalls
• Anti-malware systems
• Whitelisting and blacklisting
• Intrusion detection systems
• Encryption

Page 30: Firewalls

• A gatekeeper system that protects a company’s intranets and other computer networks from intrusion
• Provides a filter and safe transfer point for access to/from the Internet and other networks
• Important for individuals who connect to the Internet with DSL or cable modems
• Can deter hacking, but cannot prevent it.
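An added illustration of the filter role described above (not the lecture's material): a first-match, default-deny rule set in Python evaluated against constructed connection attempts for a home profile and a corporate profile with a DMZ web server. It judges connection attempts by direction, address and port only, which is why, as the slide notes, an allowed HTTPS connection passes whatever the request carries; the addresses and profiles are assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" (from the Internet) or "out" (to the Internet)
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None means any port

    def matches(self, conn: dict) -> bool:
        return (conn["direction"] == self.direction
                and ipaddress.ip_address(conn["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(conn["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == conn["dport"]))

def decide(rules, conn: dict) -> str:
    """First matching rule wins; a connection no rule mentions is denied."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return "deny"

# Home profile (constructed): the LAN may go out anywhere; nothing comes in.
HOME = [Rule("allow", "out", "192.168.1.0/24", "0.0.0.0/0", None)]

# Corporate profile (constructed): only the DMZ web server accepts inbound
# HTTPS; internal hosts may browse; everything else falls to default deny.
CORPORATE = [
    Rule("allow", "in", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("deny", "in", "0.0.0.0/0", "10.0.0.0/8", None),
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0", 443),
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0", 80),
]

# Constructed connection attempts: direction, source, destination, port.
ATTEMPTS = {
    "home_browse": {"direction": "out", "src": "192.168.1.20", "dst": "198.51.100.4", "dport": 443},
    "home_rdp_in": {"direction": "in", "src": "198.51.100.4", "dst": "192.168.1.20", "dport": 3389},
    "corp_web_in": {"direction": "in", "src": "198.51.100.4", "dst": "203.0.113.10", "dport": 443},
    "corp_rdp_in": {"direction": "in", "src": "198.51.100.4", "dst": "10.0.0.5", "dport": 3389},
    "corp_smtp_out": {"direction": "out", "src": "10.0.0.5", "dst": "198.51.100.4", "dport": 25},
}

def evaluate(rules, attempts: dict) -> dict:
    """Map each named attempt to the verdict the rule set gives it."""
    return {name: decide(rules, conn) for name, conn in attempts.items()}
```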

Page 31: Basic Home Firewall (top) and Corporate Firewall (bottom)

Page 32: Intrusion Detection Systems and Antivirus Software

• Intrusion detection systems:
– Monitor hot spots on corporate networks to detect and deter intruders
– Examine events as they are happening to discover attacks in progress
• Antivirus and antispyware software:
– Checks computers for the presence of malware and can often eliminate it as well
– Requires continual updating
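As an added example, not from the slides: a streaming detector in Python that examines events as they arrive and alerts on two of the tactics listed earlier, port scans (many distinct ports from one source) and request floods (DoS), using per-source sliding windows. The thresholds, addresses and the event log are constructed.

```python
from collections import defaultdict, deque

# Thresholds (assumed values, not from the slides).
SCAN_WINDOW, SCAN_PORTS = 10.0, 8    # >= 8 distinct dst ports from one source in 10 s
FLOOD_WINDOW, FLOOD_RATE = 1.0, 50   # >= 50 requests from one source in 1 s

class StreamingDetector:
    """Keeps a sliding window per source address and raises one alert per
    (source, kind) the first time a threshold is crossed."""
    def __init__(self):
        self.port_hits = defaultdict(deque)   # src -> deque[(ts, dst_port)]
        self.req_hits = defaultdict(deque)    # src -> deque[ts]
        self.raised = set()

    @staticmethod
    def _expire(dq, ts, window, key=lambda x: x):
        # Drop entries that fell out of the window ending at ts.
        while dq and key(dq[0]) < ts - window:
            dq.popleft()

    def feed(self, ts, src, dst_port):
        """Process one event in arrival order; returns any new alerts."""
        alerts = []
        ph, rh = self.port_hits[src], self.req_hits[src]
        ph.append((ts, dst_port)); rh.append(ts)
        self._expire(ph, ts, SCAN_WINDOW, key=lambda e: e[0])
        self._expire(rh, ts, FLOOD_WINDOW)
        if len({p for _, p in ph}) >= SCAN_PORTS and (src, "portscan") not in self.raised:
            self.raised.add((src, "portscan")); alerts.append((ts, src, "portscan"))
        if len(rh) >= FLOOD_RATE and (src, "flood") not in self.raised:
            self.raised.add((src, "flood")); alerts.append((ts, src, "flood"))
        return alerts

def constructed_events():
    """Constructed log of (timestamp, source, dst_port): one scanner, one flooder, one benign host."""
    ev = []
    ev += [(100.0 + i * 0.5, "203.0.113.7", 20 + i) for i in range(16)]   # 16 ports in 7.5 s
    ev += [(200.0 + i * 0.01, "198.51.100.9", 80) for i in range(100)]    # 100 requests in 1 s
    ev += [(100.0 + i * 3.0, "192.0.2.3", 443) for i in range(40)]        # steady HTTPS use
    return sorted(ev)

def run(events):
    """Feed events through the detector in order and collect the alerts."""
    det = StreamingDetector()
    alerts = []
    for ts, src, port in events:
        alerts.extend(det.feed(ts, src, port))
    return alerts
```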

Page 33: Encryption

• Encryption: transforming text or data into cipher text that cannot be read by unintended recipients
• Two alternative methods of encryption:
– Symmetric key encryption: sender and receiver use a single, shared key
– Public key encryption: uses two mathematically related keys, a public key and a private key
  • Sender encrypts the message with the recipient’s public key
  • Recipient decrypts with the private key

Page 34: Public/Private Key Encryption

Page 35: Public/Private Key Encryption

Page 36: Digital Certificate

• Digital certificate: a data file used to establish the identity of users and electronic assets for the protection of online transactions
• Uses a trusted third party, a certification authority (CA), to validate a user’s identity
• The CA verifies the user’s identity and stores the information in the CA server, which generates an encrypted digital certificate containing the owner’s ID information and a copy of the owner’s public key
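An added worked example (not part of the lecture) covering both the public key encryption slide and the digital certificate slide: textbook RSA in Python with small trial-division primes, used once for the sender/recipient exchange and once by a CA that signs a certificate binding an owner ID to the owner's public key, so a relying party can check it with the CA's public key. The primes, the identities and the absence of padding are simplifications for illustration.

```python
import hashlib
import math

def next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (fine for 7-digit numbers)."""
    while not all(n % i for i in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def keygen(start: int):
    """Textbook RSA key pair from two primes just above `start`."""
    p = next_prime(start)
    q = next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))     # (public key, private key)

def encrypt(pub, m: int) -> int:            # sender: recipient's public key
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)

def decrypt(priv, c: int) -> int:           # recipient: own private key
    n, d = priv
    return pow(c, d, n)

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:         # signer: own private key
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def issue_certificate(ca_priv, owner_id: str, owner_pub) -> dict:
    """The CA binds the verified owner identity to the owner's public key."""
    body = f"{owner_id}|{owner_pub[0]}|{owner_pub[1]}".encode()
    return {"body": body, "sig": sign(ca_priv, body)}

def check_certificate(ca_pub, cert: dict):
    """Returns (owner_id, owner_pub) if the CA signature holds, else None."""
    if not verify(ca_pub, cert["body"], cert["sig"]):
        return None
    owner, n, e = cert["body"].decode().split("|")
    return owner, (int(n), int(e))
```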

Page 37: How Digital Certificates Work

Page 38: Communication or Network Controls (continued)

• Virtual private networking
• Secure Sockets Layer (now Transport Layer Security)
• Employee monitoring systems

Page 39: Virtual Private Network and Tunneling

Page 40: Employee Monitoring System

Page 41: The Role of Auditing

• MIS audit
– Examines the firm’s overall security environment as well as controls governing individual information systems
– Reviews technologies, procedures, documentation, training, and personnel
– May even simulate a disaster to test the response of technology, IS staff, and other employees
– Lists and ranks all control weaknesses and estimates the probability of their occurrence
– Assesses the financial and organizational impact of each threat

Page 42: Sample Auditor’s List of Control Weaknesses

This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.