Chapter 8 Securing Information Systems 8 1 2007

  • Slides: 55
Download presentation
Chapter 8 Securing Information Systems 8. 1 © 2007 by Prentice Hall

Chapter 8 Securing Information Systems 8. 1 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems LEARNING OBJECTIVES • Analyze why information

Management Information Systems Chapter 8 Securing Information Systems LEARNING OBJECTIVES • Analyze why information systems need special protection from destruction, error, and abuse. • Assess the business value of security and control. • Design an organizational framework for security and control. • Evaluate the most important tools and technologies for safeguarding information resources. 8. 2 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Phishing: A Costly New Sport for

Management Information Systems Chapter 8 Securing Information Systems Phishing: A Costly New Sport for Internet Users • Problem: Large number of vulnerable users of online • • 8. 3 financial services, ease of creating bogus Web sites. Solutions: Deploy anti-phishing software and services and a multilevel authentication system to identify threats and reduce phishing attempts. Deploying new tools, technologies, and security procedures, along with educating consumers, increases reliability and customer confidence. Demonstrates IT’s role in combating cyber crime. Illustrates digital technology as part of a multilevel solution as well as its limitations in overcoming discouraged consumers. © 2007 by Prentice Hall

Computer crime and security survey (Computer Security Institute) 51% of the survey respondents acknowledged

Computer crime and security survey (Computer Security Institute) 51% of the survey respondents acknowledged financial losses, but only 31 % could quantify the losses http: //www. gocsi. com/losses. htm 8. 4 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Security •

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Security • Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems • Controls • Methods, policies, and organizational procedures that ensure: • Safety of organization’s assets • Accuracy and reliability of accounting records • Operational adherence to management standards 8. 5 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Why systems

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Why systems are vulnerable • Electronic data vulnerable to more types of threats than manual data • Networks • Potential for unauthorized access, abuse, or fraud is not limited to single location but can occur at any access point in network • Vulnerabilities exist at each layer and between layers • E. g. user error, viruses, hackers, radiation, hardware or software failure, theft 8. 6 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse Contemporary Security Challenges

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse Contemporary Security Challenges and Vulnerabilities The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network. Figure 8 -1 8. 7 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Internet vulnerabilities

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Internet vulnerabilities • Public network, so open to anyone • Size of Internet means abuses may have widespread impact • Fixed IP addresses are fixed target for hackers • Vo. IP phone service vulnerable to interception • E-mail, instant messaging vulnerable to malicious software, interception 8. 8 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Wireless security

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Wireless security challenges • Many home networks and public hotspots open to anyone, so not secure, communication unencrypted • LANs using 802. 11 standard can be easily penetrated • Service set identifiers (SSIDs) identify access points in Wi-Fi network and are broadcast multiple times • WEP (Wired Equivalent Privacy): Initial Wi-Fi security standard not very effective as access point and all users share same password 8. 9 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse Wi-Fi Security Challenges

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse Wi-Fi Security Challenges Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization. 8. 10 Figure 8 -2 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Malicious software

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Malicious software (malware) • Computer virus • Rogue software program that attaches to other programs or data files • Payload may be relatively benign or highly destructive • Worm: • Independent program that copies itself over network • Viruses and worms spread via: • • 8. 11 Downloaded software files E-mail attachments Infected e-mail messages or instant messages Infected disks or machines © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Trojan horse

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Trojan horse • Software program that appears to be benign but then does something other than expected • Does not replicate but often is way for viruses or malicious code to enter computer system • Spyware • Small programs installed surreptitiously on computers to monitor user Web surfing activity and serve advertising • Key loggers • Record and transmit every keystroke on computer • Steal serial numbers, passwords 8. 12 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Hacker •

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Hacker • Individual who intends to gain unauthorized access to computer system • Cybervandalism • Intentional disruption, defacement, or destruction of Web site or corporate information system • Spoofing • Misrepresentation, e. g. by using fake e-mail addresses or redirecting to fake Web site • Sniffer: • Eavesdropping program that monitors information traveling over network 8. 13 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Denial-of-service (Do.

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Denial-of-service (Do. S) attack: • Flooding network or Web server with thousands of false requests so as to crash or slow network • Distributed denial-of-service (DDo. S) attack • Uses hundreds or thousands of computers to inundate and overwhelm network from many launch points • Botnet • Collection of “zombie” PCs infected with malicious software without their owners’ knowledge and used to launch DDo. S or perpetrate other crimes 8. 14 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse Worldwide Damage from

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse Worldwide Damage from Digital Attacks This chart shows estimates of the average annual worldwide damage from hacking, malware, and spam since 1999. These data are based on figures from mi 2 G and the authors. Figure 8 -3 8. 15 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse Bot Armies and

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse Bot Armies and Network Zombies • Read the Interactive Session: Technology, and then discuss the following questions: • What is the business impact of botnets? • What management, organization, and technology factors should be addressed in a plan to prevent botnet attacks? • How easy would it be for a small business to combat botnet attacks? A large business? 8. 16 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Computer crime

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Computer crime • Computer as target of crime • Accessing computer without authority • Breaching confidentiality of protected computerized data • Computer as instrument of crime • Theft of trade secrets and unauthorized copying of software or copyrighted intellectual property • Using e-mail for threats or harassment • Most economically damaging computer crimes • Do. S attacks and viruses • Theft of service and disruption of computer systems 8. 17 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Identity theft

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Identity theft • Using key pieces of personal information (social security numbers, driver’s license numbers, or credit card numbers) to impersonate someone else • Phishing • Setting up fake Web sites or sending e-mail messages that look like those of legitimate businesses to ask users for confidential personal data • Evil twins • Bogus wireless networks used to offer Internet connections, then to capture passwords or credit card numbers 8. 18 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Pharming •

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Pharming • Redirecting users to bogus Web page, even when individual types correct address into browser • Computer Fraud and Abuse Act (1986) • Makes it illegal to access computer system without authorization • Click fraud • Fraudulently clicking on online ad without intention of learning more about advertiser or making purchase • Cyberterrorism and cyberwarfare: • At least twenty countries are believed to be developing offensive and defensive cyberwarfare capabilities 8. 19 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Internal threats:

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Internal threats: Employees • Company insiders pose serious security problems • Access to inside information– like security codes and passwords • May leave little trace • User lack of knowledge: Single greatest cause of network security breaches • Compromised passwords • Social engineering • Errors introduced into software by: • Faulty data entry, misuse of system • Mistakes in programming, system design 8. 20 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Software vulnerability

Management Information Systems Chapter 8 Securing Information Systems Vulnerability and Abuse • Software vulnerability • Software errors are constant threat to information systems • Cost U. S. economy $59. 6 billion each year • Can enable malware to slip past antivirus defenses • Patches • Created by software vendors to update and fix vulnerabilities • However, maintaining patches on all firm’s devices is time consuming and evolves more slowly than malware 8. 21 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Business Value of Security and Control

Management Information Systems Chapter 8 Securing Information Systems Business Value of Security and Control • Business value of security and control • Protection of confidential corporate and personal information • Value of information assets • Security breach of large firm results in average loss of 2. 1 % of market value • Legal liability • Electronic Records Management (ERM) • Policies, procedures, and tools for managing retention, destruction, and storage of electronic records 8. 22 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Business Value of Security and Control

Management Information Systems Chapter 8 Securing Information Systems Business Value of Security and Control • Legal and regulatory requirements for ERM • HIPAA-Health Insurance Portability and Accountability Act. • Outlines medical security and privacy rules • Gramm-Leach-Bliley Act • Requires financial institutions to ensure security and confidentiality of customer data • Sarbanes-Oxley Act • Imposes responsibility on companies and their management to safeguard accuracy and integrity of financial information used internally and released externally 8. 23 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Business Value of Security and Control

Management Information Systems Chapter 8 Securing Information Systems Business Value of Security and Control • Electronic evidence and computer forensics • Legal cases today increasingly rely on evidence represented as digital data • E-mail most common electronic evidence • Courts impose severe financial, even criminal penalties for improper destruction of electronic documents, failure to produce records, and failure to store records properly 8. 24 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Business Value of Security and Control

Management Information Systems Chapter 8 Securing Information Systems Business Value of Security and Control • Computer forensics • Scientific collection, examination, authentication, preservation, and analysis of data on computer storage media so that it can be used as evidence in a court • Awareness of computer forensics should be incorporated into firm’s contingency planning process 8. 25 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Establishing a Framework for Security and

Management Information Systems Chapter 8 Securing Information Systems Establishing a Framework for Security and Control • ISO 17799 • International standards for security and control specifies best practices in information systems security and control • Risk Assessment • Determines level of risk to firm if specific activity or process is not properly controlled • • Value of information assets Points of vulnerability Likely frequency of problem Potential for damage • Once risks are assessed, system builders concentrate on control points with greatest vulnerability and potential for loss 8. 26 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Establishing a Framework for Security and

Management Information Systems Chapter 8 Securing Information Systems Establishing a Framework for Security and Control Online Order Processing Risk Assessment EXPOSURE Power failure Embezzlement User error PROBABILITY OF OCCURRENCE LOSS RANGE / (AVERAGE) EXPECTED ANNUAL LOSS 30 % $5, 000 - $200, 000 ($102. 500) $30, 750 5% $1, 000 - $50, 000 ($25, 500) $1, 275 $200 - $40, 000 ($20, 100) $19, 698 98 % Table 8 -3 8. 27 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security •

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security • Security policy • Statements ranking information risks, identifying acceptable security goals, and identifying mechanisms for achieving these goals • Chief Security Officer (CSO) • Heads security group in larger firms • Responsible for enforcing security policy • Security group • Educates and trains users • Keeps management aware of security threats and breakdowns • Maintains tools chosen to implement security 8. 28 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security •

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security • Acceptable Use Policy (AUP) • Defines acceptable uses of firm’s information resources and computing equipment • A good AUP defines acceptable actions for every user and specifies consequences for noncompliance • Authorization policies • Determine level of access to information assets for different levels of users • Authorization management systems • Allow each user access only to those portions of system that person is permitted to enter, based on information established by set of access rules 8. 29 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Establishing a Framework for Security and

Management Information Systems Chapter 8 Securing Information Systems Establishing a Framework for Security and Control Security Profiles for a Personnel System Figure 8 -4 These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization. 8. 30 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security •

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security • Ensuring business continuity • Fault-tolerant computer systems • Ensure 100% availability • Utilize redundant hardware, software, power supply components • Critical for online transaction processing • High availability computing • Tries to minimize downtime • Helps firms recover quickly from system crash • Utilizes backup servers, distributed processing, high capacity storage, disaster recovery and business continuity plans • Recovery-oriented computing: Designing systems, capabilities, tools that aid in quick recovery, correcting mistakes 8. 31 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security •

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security • Disaster recovery planning • Restoring computing and communication services after earthquake, flood, etc. • Can be outsourced to disaster recovery firms • Business continuity planning • Restoring business operations after disaster • Identifies critical business processes and determines how to handle them if systems go down • Business impact analysis • Use to identify most critical systems and impact system outage has on business 8. 32 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security •

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security • Auditing • MIS audit: Examines firm’s overall security environment as well as controls governing individual information systems • Security audit: Reviews technologies, procedures, documentation, training, and personnel • Audits: • List and rank all control weaknesses • Estimate probability of occurrence • Assess financial and organizational impact of each threat 8. 33 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Establishing a Framework for Security and

Management Information Systems Chapter 8 Securing Information Systems Establishing a Framework for Security and Control Sample Auditor’s List of Control Weaknesses Figure 8 -5 This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management. 8. 34 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security •

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security • Access control • Policies and procedures used to prevent improper access to systems by unauthorized insiders and outsiders • Users must be authorized and authenticated • Authentication: • Typically established by password systems • New authentication technologies: • Tokens • Smart cards • Biometric authentication 8. 35 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security •

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security • Firewalls: • Hardware and software controlling flow of incoming and outgoing network traffic • Prevents unauthorized access • Screening technologies • Packet filtering • Stateful inspection • Network address translation (NAT) • Application proxy filtering 8. 36 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security A

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security A Corporate Firewall The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against unauthorized traffic. Figure 8 -6 8. 37 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security •

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security • Intrusion detection systems: • Full-time, real-time monitoring tools • Placed at most vulnerable points of corporate networks to detect and deter intruders • Scanning software looks for patterns such as bad passwords, removal of important files, and notifies administrators 8. 38 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security •

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security • Antivirus software, antispyware software • Antivirus software: • Checks computer systems and drives for presence of computer viruses • To remain effective, antivirus software must be continually updated • Antispyware software tools: • Many leading antivirus software vendors include protection against spyware • Standalone tools available (Ad-Aware, Spybot) 8. 39 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security •

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security • Securing wireless networks • WEP: Provides some measure of security if activated • VPN technology: Can be used by corporations to help security • 802. 11 i specification: Tightens security for wireless LANs • Longer encryption keys that are not static • Central authentication server • Mutual authentication • Wireless security should be accompanied by appropriate policies and procedures for using wireless devices 8. 40 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security Unilever

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security Unilever Secures Its Mobile Devices • Read the Interactive Session: Management, and then discuss the following questions: • How are Unilever executives’ wireless handhelds related to the company’s business performance? • Discuss the potential impact of a security breach at Unilever. • What management, organization, and technology factors had to be addressed in developing security policies and procedures for Unilever’s wireless handhelds? • Is it a good idea to allow Unilever executives to use both Black. Berrys and cell phones? Why or why not? 8. 41 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security •

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security • Encryption: • Transforming message into cipher text, using encryption key • Receiver must decrypt encoded message • Two main methods for encrypting network traffic • Secure Sockets Layer (SSL) /Transport Layer Security (TLS) • Establishes secure connection between two computers • Secure HTTP (S-HTTP) • Encrypts individual messages 8. 42 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security •

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security • Two methods of encryption: • Symmetric key encryption • Shared, single encryption key sent to receiver • Public key encryption • Two keys, one shared/public and one private • Messages encrypted with recipient’s public key but can only be decoded with recipient’s private key 8. 43 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security Public

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security Public Key Encryption A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient’s public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message. Figure 8 -7 8. 44 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security •

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security • Digital signature • Encrypted message that only sender with private key can create • Used to verify origin and contents of message • Digital certificates • Data files used to establish identity of users and electronic assets for protection of online transactions • Uses trusted third party, certificate authority (CA), to validate user’s identity • Public Key Infrastructure (PKI) • Use of public key cryptography working with certificate authority 8. 45 © 2007 by Prentice Hall

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security Digital

Management Information Systems Chapter 8 Securing Information Systems Technologies and Tools for Security Digital Certificates Figure 8 -8 Digital certificates help establish the identity of people or electronic assets. They protect online transactions by providing secure, encrypted, online communication. 8. 46 © 2007 by Prentice Hall

DEVELOPING A CONTROL STRUCTURE • COSTS: Can be expensive to build; complicated to use

DEVELOPING A CONTROL STRUCTURE • COSTS: Can be expensive to build; complicated to use • BENEFITS: Reduces expensive errors, loss of time, resources, good will RISK ASSESSMENT: Determine frequency of occurrence of problem, cost, damage if it were to occur * 8. 47 © 2007 by Prentice Hall

Optimum mix of controls The following example is scanned from Burch and Grudnitski, 'Information

Optimum mix of controls The following example is scanned from Burch and Grudnitski, 'Information Systems', pages 513 -515. TEC(K) = S(K) + L(K) TEC(K) - Total expected cost in installing the control system K S(K) - cost to install and operate controls for the system K L(K) - average expected loss due to hazards if control fails * 8. 48 © 2007 by Prentice Hall

8. 49 © 2007 by Prentice Hall

8. 49 © 2007 by Prentice Hall

8. 50 © 2007 by Prentice Hall

8. 50 © 2007 by Prentice Hall

8. 51 © 2007 by Prentice Hall

8. 51 © 2007 by Prentice Hall

8. 52 © 2007 by Prentice Hall

8. 52 © 2007 by Prentice Hall

8. 53 © 2007 by Prentice Hall

8. 53 © 2007 by Prentice Hall

8. 54 © 2007 by Prentice Hall

8. 54 © 2007 by Prentice Hall

References • Laudon • Turban and Wetherbe 8. 55 © 2007 by Prentice Hall

References • Laudon • Turban and Wetherbe 8. 55 © 2007 by Prentice Hall