Securing Information Systems PDF
Document Details
Shiraz University
SeyedReza Taghizadeh
Summary
This document provides an overview of securing information systems, covering various vulnerabilities like hardware problems, software issues, and disasters. It also explores security threats like viruses, worms, Trojans, and spyware, along with internet and wireless security challenges. The document concludes with examples of computer crime and internal threats.
Full Transcript
Securing Information Systems
SeyedReza Taghizadeh, Shiraz University
Management Information Systems

Security
Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Why systems are vulnerable
- Hardware problems: breakdowns, configuration errors, damage from improper use or crime
- Software problems: programming errors, installation errors, unauthorized changes
- Disasters: power failures, floods, fires, etc.
- Use of networks and computers outside of the firm's control, e.g., outsourcing vendors

Security challenges and vulnerabilities
The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities.

Internet vulnerabilities
- The network is open to anyone
- The size of the Internet means abuses can have a wide impact
- Use of fixed Internet addresses with permanent connections to the Internet eases identification by hackers
- E-mail attachments
- E-mail used for transmitting trade secrets
- IM messages lack security and can be easily intercepted

Wireless security challenges
- Radio frequency bands are easy to scan
- SSIDs (service set identifiers) identify access points and are broadcast multiple times
- War driving: eavesdroppers drive by buildings and try to intercept network traffic; once a hacker gains access to the SSID, he has access to the network's resources
- WEP (Wired Equivalent Privacy): security standard for 802.11 that uses a shared password for both users and the access point
- Users often fail to use security features

Wi-Fi security challenges
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to access the resources of a network without authorization.

Malicious software (malware)
- Viruses: software programs that attach themselves to other software programs or data files in order to be executed, leaving infections as they travel. A virus cannot spread without a human action (such as running an infected program).
- Worms: independent computer programs that copy themselves from one computer to other computers over a network. A worm can travel without any human action. A worm consumes too much system memory (or network bandwidth), causing servers and individual computers to stop responding.
- Trojan horses: software programs that appear to be benign but then do something other than expected. Some Trojans are designed to be merely annoying (changing your desktop, adding silly active desktop icons); others cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.
- Spyware: small programs that install themselves surreptitiously on computers to monitor the user's Web surfing activity, usually for advertising purposes. Spyware is typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet. It monitors user activity on the Internet and transmits that information in the background to someone else, and it can also gather information about e-mail addresses and even passwords and credit card numbers.
- Key loggers: record every keystroke on a computer

Spoofing, sniffing and denial of service
- Spoofing: misrepresenting oneself by using fake e-mail addresses or masquerading as someone else; redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination
- Sniffer: eavesdropping program that monitors information traveling over a network
- Denial-of-service attack (DoS): flooding a server with thousands of false requests to crash the network
- Distributed denial-of-service attack (DDoS): use of numerous computers to launch a DoS
- Botnets: networks of "zombie" PCs infiltrated by bot malware

DDoS
[Figure: DDoS diagram]

Computer crime
Defined as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution."
- The computer may be the target of crime, e.g.: breaching the confidentiality of protected computerized data; accessing a computer system without authority
- The computer may be the instrument of crime, e.g.: theft of trade secrets; using e-mail for threats or harassment

Computer crime examples
- Identity theft: theft of personal information (SSN, driver's license or credit card numbers) to impersonate someone else
- Phishing: setting up fake Web sites or sending e-mail messages that look like they come from legitimate businesses to ask users for confidential personal data
- Evil twin: wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet but are set up to eavesdrop on wireless communications; the evil twin mimics the legitimate AP
- Pharming: redirects users to a bogus Web page even when the individual types the correct Web page address into his or her browser, by changing the hosts file on the victim's computer or by exploitation of DNS
- Click fraud: an individual or computer program clicks an online ad without any intention of learning more or making a purchase

Global threats: cyberterrorism and cyberwarfare
Concern that Internet vulnerabilities and other networks make digital networks easy targets for digital attacks by terrorists, foreign intelligence services, or other groups.

Internal threats: employees
Security threats often originate inside an organization:
- Unhappy employees
- Sloppy security procedures
- Users' lack of knowledge
- Social engineering: tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information

The End
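A defender-side check for the hosts-file variant of pharming mentioned on the "Computer crime examples" slide, as an added example that is not part of the original slides: it parses a hosts file and flags any entry that pins a protected domain (or a subdomain of it) to a non-local address. The protected-domain list and the sample hosts-file contents are constructed for illustration.

```python
"""Flag hosts-file entries that silently redirect protected domains (added example)."""
import ipaddress

# Constructed list of names that must never be pinned to a remote address
# in the local hosts file; a real deployment would use the organisation's own list.
PROTECTED_DOMAINS = {"bank.example", "login.example.com"}

# Entries pointing at localhost or the null address are ad-block/sinkhole style and benign.
LOCAL_OK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments, blanks and bad IPs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # normalises IPv4/IPv6 text
        except ValueError:
            continue  # malformed address: ignore rather than trust the line
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def find_pharming_overrides(text, protected=PROTECTED_DOMAINS):
    """Return entries that map a protected domain or one of its subdomains to a non-local IP."""
    suspicious = []
    for ip, name in parse_hosts(text):
        if ip in LOCAL_OK:
            continue
        if any(name == d or name.endswith("." + d) for d in protected):
            suspicious.append((ip, name))
    return suspicious


# Constructed sample hosts file: two normal localhost lines, a benign sinkhole entry,
# and one entry that redirects the bank's hostname to an unrelated address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.tracker.example   # ad-block style sinkhole, benign
203.0.113.7 www.bank.example      # pharming-style override
"""

if __name__ == "__main__":
    for ip, name in find_pharming_overrides(SAMPLE_HOSTS):
        print(f"ALERT: {name} is pinned to {ip} in the hosts file")
```

On a real host, read the system hosts file (for example /etc/hosts or the Windows equivalent) into `text` and schedule the check alongside other integrity monitoring.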