Week-13 Information Systems (IS) Security and Control

Introduction to Information Security

As organizations come to depend on Information Systems, the information those systems hold becomes exposed to more attackers, from more places. Cybercrime and data sabotage over the Internet make security a central concern, so we need to think carefully about how to protect our information systems from outside hackers and attackers, and, as the rest of this week shows, from insiders, user error and physical hazards as well.

Security Threats & Technologies

Security Threats
Today we hear about many security breaches that affect organizations and individuals. Some recently in the news:
• Identity Theft – gaining access to someone's personal information so that the thief can impersonate them (a stolen laptop is a typical starting point)
• Denial of Service – attacks that use "zombie" computers to flood a website with traffic until it shuts down
• Others: Spyware, Spam, Wireless Access, Viruses

Security Technologies
Companies and research organizations continue to develop and refine technologies to prevent security breaches. Some include:
• Firewalls
• Biometrics
• VPN and Encryption

Security Threat: Spyware, Spam, and Cookies

Spyware
Any software that covertly gathers information about a user through an Internet connection, without the user's knowledge
• Problems: uses memory, uses bandwidth, and can cause system instability
• Prevention: firewalls and anti-spyware software

Spam
Electronic junk mail or junk newsgroup postings, usually advertising some product and/or service
• Problems: nuisance, wastes time deleting it, uses storage
• Prevention: spam-blocking software

Cookies
A message passed to a browser from a Web server and sent back by the browser on later requests. Used by legitimate programs to store state (such as a login session) and user information
• Problems: can be used to track a user's activities across sites
• Prevention: browser settings (block third-party cookies, clear cookies on exit). A firewall does not help here: cookies travel inside the same HTTP traffic the firewall must allow

Security Technology: Biometrics

Biometrics
• A sophisticated authentication technique used to restrict access to systems, data and/or facilities
• Uses biological characteristics to identify individuals, such as fingerprints or the retinal pattern of the eye, that are not easily counterfeited
• Has great promise in providing high security
• Caveat: a biometric cannot be changed if the stored template leaks, so it is best used as one factor alongside something the user knows or holds

Security Threat: Access to Wireless

Unauthorized Access to Wireless Networks
With the prevalence of wireless networks this threat is increasing
• Problem – "drive-by hacking": from outside the building an attacker joins the network, intercepts data on it, and can use network services or send attack instructions without ever entering the premises
• Prevention – encryption between the network and user devices, using a current protocol (WPA2 or WPA3) rather than an open network or the obsolete WEP

Security Technology: VPN and Encryption

VPN (Virtual Private Network)
• Called a secure tunnel
• A dynamically generated network connection that connects users or nodes over an untrusted network
• Uses both authentication (who is connecting) and encryption (what they send)
• Used extensively for remote access by employees

Encryption
• The process of encoding messages before they enter the network or airwaves, and decoding them at the receiving end
• Public Key – published, and used by anyone to scramble a message for its owner
• Private Key – kept secret by the receiver, and used to descramble
• Certificate Authority – a trusted third party that signs certificates binding a public key to a name; the owner generates its own key pair, and the CA never needs the private key
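The public-key, private-key and certificate-authority roles above, as an added toy example that is not part of the original notes: textbook RSA with tiny primes and no padding, written only so the roles are visible in a few lines of Python. Never use this for real traffic; a real VPN uses a vetted library and far larger keys. The hostname, the prime values and the JSON certificate layout are assumptions made for the example.

```python
import hashlib
import json

# Added example (not from the original notes): textbook RSA with tiny primes,
# no padding and no side-channel protection. It exists only to make the
# public-key / private-key / certificate-authority roles concrete.


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("e must be coprime with phi(n)")
    return x % m


def keygen(p, q, e=65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return (n, e), (n, modinv(e, phi))


def encrypt(pub, m):
    """Anyone holding the public key can scramble m (an int smaller than n)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv, c):
    """Only the holder of the private key can unscramble."""
    n, d = priv
    return pow(c, d, n)


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def issue_certificate(ca_priv, subject, subject_pub):
    """The CA signs a statement binding a name to a public key. The subject
    generated its own key pair; the CA never sees the private key."""
    body = {"subject": subject, "n": subject_pub[0], "e": subject_pub[1]}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": sign(ca_priv, encoded)}


def verify_certificate(ca_pub, cert):
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(ca_pub, encoded, cert["sig"])


def send_to(ca_pub, cert, plaintext):
    """Sender checks the certificate against the CA key it trusts, then
    encrypts to the public key named in it. Returns the ciphertext."""
    if not verify_certificate(ca_pub, cert):
        raise ValueError("certificate not signed by a trusted CA")
    pub = (cert["body"]["n"], cert["body"]["e"])
    return encrypt(pub, int.from_bytes(plaintext, "big"))


# Constructed demo material: these primes are far too small for real use.
CA_PUB, CA_PRIV = keygen(10007, 10009)
SERVER_PUB, SERVER_PRIV = keygen(10037, 10039)
SERVER_CERT = issue_certificate(CA_PRIV, "vpn.example.com", SERVER_PUB)


def demo():
    """Round-trip a 3-byte message and show a forged certificate is rejected."""
    c = send_to(CA_PUB, SERVER_CERT, b"ok!")
    m = decrypt(SERVER_PRIV, c).to_bytes(3, "big")
    rogue_pub, rogue_priv = keygen(10061, 10067)
    forged = issue_certificate(rogue_priv, "vpn.example.com", rogue_pub)
    return m, verify_certificate(CA_PUB, forged)


if __name__ == "__main__":
    print(demo())
```

The point to take from the example is the division of labour: the server makes its own key pair, the CA only signs the public half plus a name, and the client needs nothing but the CA's public key to decide whom to trust.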

IS Vulnerability and Abuse

As our society and the world itself come to depend on computers and information systems more and more, systems must become more reliable. They must also be more secure when processing transactions and maintaining data. These two issues, which we address this week, are the biggest ones facing anyone wanting to do business on, or expand their operations to, the Internet. The threats are real, but so are the solutions.

Why Systems Are Vulnerable
The table below lists some of the technical, organizational, and environmental threats to Information Systems. The weakest link in the chain is poor management of the system. If managers at all levels don't make security and reliability their number one priority, the threats to an Information System can easily become real. With distributed computing used extensively in networked systems, there are more points of entry, which makes attacking the system easier. The more people using the system, the more potential for fraud and abuse of the information it holds. Yes, it's hard to control everyone's actions, and it's easy for people to say that they are only one person and therefore won't make much difference. But it only takes one person to disable a system or destroy data. Let's see why.

Table: Threats to computerized Information Systems
• Hardware failure
• Fire
• Software failure
• Electrical problems
• Personnel actions
• User errors
• Terminal access penetration
• Program changes
• Theft of data, services, equipment
• Telecommunications problems

Hackers, those who intentionally create havoc or damage in a computer system, have been around for a long time. Many companies don't report hackers' attempts to enter their systems because they don't want people to realize their systems are vulnerable. That makes gathering real statistics about hacking attempts and successes hard. It is a huge problem, though.

Reasons For Hacking

• Theft of services: if a system offers some type of service and a hacker has a use for it, they will hack the system. Examples of such systems are on-line information networks (CompuServe, AOL, etc.)
• Taking valuable files: a hacker may break into a system to take valuable files, e.g. credit card numbers, or information on the operation of telecommunication systems
• Vengeance and hate: another reason for hacking is vengeance and hatred, e.g. the headline "Hacker pillaged US files to sell secrets Saddam"
• Thrill and excitement: the fourth reason hackers break into systems is the thrill and excitement of being somewhere you are not authorized to be
• Knowledge and experiment: the final reason hackers do what they do is knowledge and experiment. Hackers learn a great deal every time they break into a new type of system

Melissa Virus

In March 1999 a macro virus called Melissa was written by a hacker and sent out as an email attachment. While the virus didn't damage any computer files or data, it severely hampered the normal operations of many companies and Internet Service Providers through the flood of emails it generated: each infected machine mailed copies of itself to addresses taken from the user's own address book. Here's what the CERT Coordination Center (CERT/CC) said about it on its Web site (http://www.cert.org/):

"Melissa was different from other macro viruses because of the speed at which it spread. The first confirmed reports of Melissa were received on Friday, March 26, 1999. By Monday, March 29, it had reached more than 100,000 computers. Some sites had to take their mail systems off-line. One site reported receiving 32,000 copies of mail messages containing Melissa on their systems within 45 minutes."

Whether you use a stand-alone PC or your computer is attached to a network, you're asking for trouble if you don't have antivirus software. This type of software checks every incoming file for viruses. Not if, but when, you receive an infected file, the software alerts you to its presence, and you can choose to delete the file or "clean" it. Keep the antivirus signatures updating automatically: new viruses are written and passed around constantly, and the 30-to-60-day manual update cycle once recommended leaves a machine exposed for weeks. As the figures above show, an outbreak can saturate a mail system in under an hour, so the mail servers themselves also need to watch for that kind of burst.
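The server-side burst detection just mentioned, as an added example that is not part of the original notes and not CERT's or any vendor's code: a small monitor over mail-server log lines that flags a sender who emits many messages with an identical subject within a few minutes, which is the signature a mass-mailer like Melissa leaves. The log format, field names, addresses and sample lines are constructed for the example; in practice you would parse your own MTA's log, and the lines are assumed to arrive in time order as an MTA writes them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MTA log lines in a made-up "key=value" format (not real data).
# The subject mimics the one Melissa used; the addresses are invented.
SAMPLE_LOG = """\
1999-03-26T14:02:01 from=alice@corp.example to=bob@corp.example subject="Q1 budget"
1999-03-26T14:03:15 from=alice@corp.example to=erin@corp.example subject="lunch?"
1999-03-26T14:05:10 from=carol@corp.example to=dave@corp.example subject="Important Message From carol"
1999-03-26T14:05:10 from=carol@corp.example to=erin@corp.example subject="Important Message From carol"
1999-03-26T14:05:11 from=carol@corp.example to=frank@corp.example subject="Important Message From carol"
1999-03-26T14:05:11 from=carol@corp.example to=grace@corp.example subject="Important Message From carol"
1999-03-26T14:05:12 from=carol@corp.example to=heidi@corp.example subject="Important Message From carol"
1999-03-26T14:05:12 from=carol@corp.example to=ivan@corp.example subject="Important Message From carol"
1999-03-26T14:20:00 from=bob@corp.example to=alice@corp.example subject="Re: Q1 budget"
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(r'^(\S+) from=(\S+) to=(\S+) subject="([^"]*)"$')


def parse_line(line):
    """Return (timestamp, sender, recipient, subject), or None if the line
    does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sender, rcpt, subject = m.groups()
    return datetime.fromisoformat(ts), sender, rcpt, subject


def find_mass_mailers(lines, window=timedelta(minutes=5), threshold=5):
    """Sliding-window count per (sender, subject) pair.

    Returns {(sender, subject): (first_seen, peak_count)} for every pair that
    reached `threshold` messages inside `window`. first_seen is the oldest
    message in the window at the moment the threshold was first crossed.
    """
    recent = defaultdict(deque)   # (sender, subject) -> timestamps in window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # unparsable lines are skipped, not fatal
        ts, sender, _, subject = parsed
        key = (sender, subject)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop messages older than the window
        if len(q) >= threshold:
            first, peak = alerts.get(key, (q[0], 0))
            alerts[key] = (first, max(peak, len(q)))
    return alerts


def scan_sample():
    return find_mass_mailers(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for (sender, subject), (first, peak) in scan_sample().items():
        print(f"{first}: {sender} sent {peak} copies of {subject!r} within 5 minutes")
```

Tune `window` and `threshold` to the site's normal traffic, and allow-list legitimate bulk senders such as mailing-list servers before acting on an alert, otherwise the first newsletter of the day looks like an outbreak.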

Potential Destruction: concerns for IS Builders and Users

Every user must be concerned about the potential destruction of the Information Systems on which they rely. We can't stress this point enough. Let us look at three concerns: disasters, security, and errors.

Disasters: Natural disasters such as fires and earthquakes can strike at any time. A spilled cup of coffee can also do some damage! As the text points out, many companies create fault-tolerant systems that serve as back-ups to keep operations running if the main system goes out. These back-up systems add to the overall cost of the system. Just imagine what would happen if an airline reservation system (a typical online transaction processing system) went down because of a catastrophic event such as a lightning strike, a fire or a power loss.

Security: Companies spend a lot of money on physical security such as locks on doors or fences around supply depots. They need to do the same for their Information Systems. Here the security lies in the policies, procedures, and technical measures the company uses to keep out unauthorized users and prevent physical damage to the hardware.

Errors: Surely you've heard the saying, "Garbage In, Garbage Out." What may seem like a simple error to you may not be to the customer. Let's flip that around: what if you wanted to fly to Dallas on March 15 and the reservation clerk booked you on a flight for April 15? The potential for error exists all through the processing cycle. You must be aware of these error points when designing and building a system, especially an end-user developed system.

Creating Computer Operations controls

How do you help prevent some of the problems we've discussed? One of the best ways is to introduce controls into your Information System.

For example, think about what a typical company does when it builds a new office building. From the beginning of the design phase until the building is occupied, the company decides how the physical security of the building and its occupants will be handled. It builds locks into the doors, maybe even designs a single entry control point. It builds a special wing for the executive offices that has extra-thick bulletproof glass. Fences around the perimeter of the building control the loading docks. These are just a few examples to get you to think about the fact that the company designs the security into the building from the beginning. You should do the same thing with an Information System.

Let's look at the two distinct types of controls:
• General Controls, which focus on the design, security and use of computer programs and data files across the organization
• Application Controls, which are concerned with the individual application programs

Data Security controls

Data security controls should consist of passwords (or other authentication) that allow only certain people access to the system or to certain areas of it, together with authorization rules that say what each authenticated person may see. While you may want to grant employees access to their payroll data or 401K data through an Intranet, you must make sure they can access only their own information and not that of any other employee. You wouldn't want a co-worker to be able to access your paycheck information, would you? If you allow employees to keep certain data on their machines that are not backed up to the mainframe computer, you need to ensure that safeguards are installed on the individual PCs. Make sure you have controls in place for access to individual data, for backing them up, and for protecting them against corruption. Do you even have a policy about whether employees can store data on their individual terminals?

Fig 13.2: Personnel system security profiles.

Prevention

• Security Profiles – Build personal data security profiles: for each user, which records and fields they may read or update.
• Object Security – Enable individualized object security access permissions, so the check is made per record, not just per screen or menu.
• Antivirus – Install antivirus programs and keep them updated.
• Firewalls – Install and enable firewall support.
• Change passwords – Change a password promptly whenever it may have been exposed. The old advice to rotate passwords on a fixed schedule, such as weekly, is no longer recommended: NIST SP 800-63B advises against forced periodic changes, because they push users toward weak, predictable passwords. Length, uniqueness and a second factor matter more.
• No Disk Sharing – Viruses can be transferred to clean computers by inserting disks (today, USB drives) containing infected files.
• Delete Suspicious Email Messages – Do not open suspicious e-mail messages. Delete only!
• Create Security Logs – Record every access decision and review the logs to notice unexpected access to the system.
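The personnel-record scenario from the Data Security controls section and the Security Profiles, Object Security and Security Logs items above, as one added example that is not part of the original notes (the role names, field sets, record layout and employee identifiers are assumptions made for the illustration). It shows the vulnerable form, where an authenticated employee can read any record by changing the identifier in the request, beside the hardened form, which enforces a per-role, per-field security profile on every object and writes an audit line for each decision.

```python
from dataclasses import dataclass

# Constructed personnel records (not real data).
PERSONNEL = {
    "e1001": {"name": "Ann Adams", "salary": 52000, "k401_balance": 18250},
    "e1002": {"name": "Ben Brown", "salary": 61000, "k401_balance": 40100},
}

# Security profile per role: which fields may be read on the user's own
# record ("self") and on any other employee's record ("any").
# The role names and field sets are illustrative assumptions.
ALL_FIELDS = {"name", "salary", "k401_balance"}
ROLE_RIGHTS = {
    "employee":      {"self": ALL_FIELDS, "any": set()},
    "hr_clerk":      {"self": ALL_FIELDS, "any": {"name"}},
    "payroll_admin": {"self": ALL_FIELDS, "any": {"name", "salary"}},
}

AUDIT_LOG = []  # every access decision, granted or denied, lands here


@dataclass(frozen=True)
class Profile:
    user_id: str
    role: str


def view_record_vulnerable(profile, employee_id):
    """Before: the user is authenticated, but nothing checks that *this* user
    may see *this* record, so any employee can read a colleague's pay by
    changing the employee identifier in the request."""
    return dict(PERSONNEL[employee_id])


def allowed_fields(profile, employee_id):
    """Look up the caller's profile: own record or someone else's?"""
    rights = ROLE_RIGHTS[profile.role]
    return rights["self"] if employee_id == profile.user_id else rights["any"]


def view_record(profile, employee_id):
    """After: enforce the profile per object and per field, and log every
    decision so a later log review can spot someone probing other records."""
    fields = allowed_fields(profile, employee_id)
    record = PERSONNEL.get(employee_id)
    granted = record is not None and bool(fields)
    AUDIT_LOG.append({"user": profile.user_id, "role": profile.role,
                      "object": employee_id, "fields": sorted(fields),
                      "granted": granted})
    if not granted:
        # Same error for "no such record" and "not yours": do not leak which.
        raise PermissionError(f"{profile.user_id} may not view {employee_id}")
    return {k: v for k, v in record.items() if k in fields}


def can_view(profile, employee_id):
    """Convenience wrapper: True if the access is granted, False if denied."""
    try:
        view_record(profile, employee_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    ann = Profile("e1001", "employee")
    print(view_record(ann, "e1001"))                     # own record: all fields
    print(can_view(ann, "e1002"))                        # colleague: denied
    print(view_record(Profile("e2000", "hr_clerk"), "e1002"))  # name only
    for entry in AUDIT_LOG:
        print(entry)
```

A run of denied entries for one user against a sequence of other people's identifiers is exactly the pattern the Security Logs item asks you to look for when reviewing the log.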

Administrative controls

To properly execute and enforce all these controls, you have to have administrative controls: rules, procedures, standards, and discipline. You don't want to wait until disaster strikes, until a hacker destroys data, or until an employee steals information and gives it to the competition, to realize you weren't paying attention to what's going on.

Application controls

We've talked about controls for the general use of an Information System. Application controls are specific controls within each computer application used in the system. Each activity in the system needs controls to ensure the integrity of the data input, how it's processed, and how it's stored and used.

Input controls

Are the data accurate and complete? We used the example earlier of a flight booked for April 15 when the customer asked for March 15. “If your system had a method to check the data on the input documents against the actual data entered into the system, this kind of error could be caught and corrected at the time it was entered”. Many companies use source data automation (capturing data directly at its origin, for example by scanning) to help eliminate keying errors. Managers can use control totals to determine that the documents used to enter data equal the number of transactions processed by the system. For instance, if the Sales Department says it entered data from 1,500 documents on April 21, were 1,500 transactions actually processed by the system that same day? If the number is different, managers can investigate the discrepancy and determine its cause.

Processing controls

As the name describes, “processing controls are used during the actual processing of the data”. If Suzy says she entered 100 items into the system on Tuesday, your application program should have a way of checking and reporting the actual number of data entries for that day. Not that you think Suzy is lying; you just need a method of verifying and reconciling data entered against data processed. If Sam mistakenly submitted two invoices for the same customer on the same day with the same parts ordered, a computer matching control would catch the discrepancy and create a report that can be used to investigate the error. Perhaps the customer really did order the same part twice on the same day. More likely it is an error, and one that is better caught before it causes an embarrassing incident for the company.

Output controls

Is the information created from the data accurate, complete, and properly distributed? “Output controls can verify who gets the output”, and whether they're authorized to use it. You can also use output controls to match the number of transactions input, the number processed, and the number output. Maybe there's a glitch in the system somewhere that causes transactions to be recorded twice on the data storage device. Obviously that's a situation the company should know about before customers report it. Output controls help you uncover this kind of discrepancy.
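The three application controls described above (input, processing and output), carried through on one batch of invoices as an added example that is not code from the original notes or from any textbook. The batch layout, the batch-header fields, the invoice data and the simulated posting stage are assumptions made for the illustration: the input control checks the batch's record count and amount hash total against the header and edits each field, the processing control is the matching control that flags two invoices for the same customer, day and part, and the output control reconciles the counts of records input, processed and stored, which catches the "recorded twice on storage" glitch the text mentions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Invoice:
    doc_no: str
    customer: str
    date: str      # YYYY-MM-DD, as keyed from the source document
    part: str
    qty: int
    amount: int    # cents, so the hash total is exact


# Constructed batch of source documents keyed on 1999-04-21 (not real data).
BATCH = [
    Invoice("D-0001", "C-100", "1999-04-21", "P-7",  10, 25000),
    Invoice("D-0002", "C-200", "1999-04-21", "P-3",   2,  4000),
    Invoice("D-0003", "C-100", "1999-04-21", "P-7",  10, 25000),  # same order keyed twice?
    Invoice("D-0004", "C-300", "1999-04-21", "P-9", 150, 90000),
    Invoice("D-0005", "C-200", "1999-04-22", "P-3",   2,  4000),  # same order, next day: fine
]
# Batch header the department fills in from the paper documents (assumed layout).
BATCH_HEADER = {"count": 5, "hash_total": 148000}


def input_control(batch, header):
    """Input control: control totals plus field edits, before anything is posted."""
    issues = []
    if len(batch) != header["count"]:
        issues.append(f"record count {len(batch)} != header {header['count']}")
    total = sum(inv.amount for inv in batch)
    if total != header["hash_total"]:
        issues.append(f"hash total {total} != header {header['hash_total']}")
    for inv in batch:
        if inv.qty <= 0 or inv.amount <= 0:
            issues.append(f"{inv.doc_no}: qty and amount must be positive")
        try:
            datetime.strptime(inv.date, "%Y-%m-%d")
        except ValueError:
            issues.append(f"{inv.doc_no}: bad date {inv.date!r}")
    return issues


def processing_control(batch):
    """Processing control: matching control that reports possible duplicates."""
    seen = Counter((inv.customer, inv.date, inv.part) for inv in batch)
    return sorted(key for key, n in seen.items() if n > 1)


def post_batch(batch, storage, glitch=False):
    """Simulated posting stage. glitch=True mimics the fault the notes
    describe: some transactions get written to storage twice."""
    processed = 0
    for inv in batch:
        storage.append(inv)
        if glitch and inv.qty > 100:
            storage.append(inv)          # the double write
        processed += 1
    return processed


def output_control(input_count, processed_count, storage):
    """Output control: the input, processed and stored counts must agree."""
    stored = len(storage)
    return {"input": input_count, "processed": processed_count, "stored": stored,
            "balanced": input_count == processed_count == stored}


def run_batch(batch, header, glitch=False):
    """Run all three controls over one batch and return a report."""
    report = {"input_issues": input_control(batch, header),
              "possible_duplicates": processing_control(batch)}
    storage = []
    processed = post_batch(batch, storage, glitch=glitch)
    report["output"] = output_control(len(batch), processed, storage)
    return report


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_batch(BATCH, BATCH_HEADER))
    pprint(run_batch(BATCH, BATCH_HEADER, glitch=True)["output"])
```

Note that the duplicate report is a list for a person to investigate, not an automatic rejection: as the text says, the customer may genuinely have ordered the same part twice.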
