ITM 100 Class 9 Securing Information Systems PDF
Ted Rogers School of Management
Kenneth C. Laudon, Jane P. Laudon
Summary
This document, part of ITM 100, covers securing information systems and looks at real-world examples of security breaches. It discusses vulnerabilities in systems from both a hardware and software perspective and explains concepts like computer crime and cryptography. It concludes with sections on security policies, cloud security and risk assessment.
ITM 100 Class 9 Securing Information Systems
adapted from Kenneth C. Laudon, Jane P. Laudon, Management Information Systems: Managing the Digital Firm, 17th Edition

Real World Example - TJX
▪ In 2006, TJX Co. experienced a computer system security breach. As many as 94 million customer card accounts were affected.
▪ In 2010 Albert Gonzalez was sentenced to 20 years in prison for this incident.
▪ If the government calculated the potential loss at $500 per card (per federal guidelines), the impact of the intrusion would exceed $400 million.
▪ The string of hacks began in 2005 when Gonzalez and accomplices conducted war-driving expeditions in search of poorly protected wireless networks.
▪ Once inside a local TJX outlet's network, the hackers worked their way upstream to the corporate network in Massachusetts. Gonzalez installed a packet sniffer on the TJX network to siphon transaction data in real time.
▪ Authorities found 16.3 million stolen card numbers on Gonzalez's leased Latvian server, and another 27.5 million stolen numbers on a server in Ukraine.
Copyright © 2018, 2017, 2016 Pearson Education, Inc.

Real World Example - Heartland Payment Systems
▪ Date: March 2008
▪ Impact: 134 million credit cards exposed
▪ A federal grand jury indicted Albert Gonzalez and two unnamed Russian accomplices in 2009. Gonzalez was alleged to have masterminded the international operation that stole the credit and debit card data. In 2010 he was sentenced to 20 years in prison.
▪ The vulnerability to SQL injection was well understood; security analysts had warned retailers about it for several years.
System Security
▪ Information systems are mission critical for many organizations
  ◦ Failed computer systems can lead to significant or total loss of business function
▪ Information and systems are very vulnerable: confidential personal and financial data, trade secrets, new products, strategies
▪ Without proper security measures, these systems would be next to impossible to use and benefit from
  ◦ A security breach may cut into a firm's market value almost immediately
  ◦ Inadequate security also raises issues of liability

Why Systems Are Vulnerable
▪ Hardware problems: breakdowns, configuration errors, damage from improper use or crime
▪ Software problems: programming errors, installation errors, unauthorized changes
▪ Physical damage to infrastructure
▪ Use of networks/computers outside of the firm's control

Software Vulnerability
▪ Commercial software contains flaws that create security vulnerabilities
  ◦ Bugs (program code defects)
  ◦ Zero defects cannot be achieved because complete testing is not possible with large programs
  ◦ Flaws can open networks to intruders, e.g. a buffer overflow defect that can crash a system or let an attacker run code with heightened privileges

Computer Crime
▪ Violation of criminal law that involves a knowledge of technology for perpetration, investigation, or prosecution
▪ Computer as a target of crime
  ◦ Breaching confidentiality of protected computerized data
  ◦ Accessing a computer system without authority
▪ Computer as an instrument of crime
  ◦ Theft of trade secrets
  ◦ Using e-mail for threats or harassment
Internet Vulnerabilities
▪ Network open to anyone: network communication can be intercepted to obtain key data, e.g. a person-in-the-middle attack
▪ Size of the Internet means abuses can have wide impact
▪ Use of fixed Internet addresses with cable / DSL modems creates fixed targets for hackers
▪ Unencrypted VoIP
▪ E-mail, P2P, IM
  ◦ Interception
  ◦ Attachments with malicious software
  ◦ Transmitting trade secrets

Wireless Security Challenges
▪ Radio frequency bands are easy to scan
▪ SSIDs (service set identifiers) identify access points, are broadcast repeatedly, and can be picked up by sniffer programs
▪ War driving
  ◦ Eavesdroppers drive by buildings and try to detect SSIDs and gain access to the network and its resources
  ◦ Once an access point is breached, the intruder can reach networked drives and files

Malicious Software
▪ Commonly known as malware: software that brings harm to a computer
▪ Computer viruses
▪ Worms
▪ Trojan horses
▪ SQL injection, spyware

Computer Viruses
▪ Rogue software programs
  ◦ Attempt to bypass appropriate authorization and/or perform unauthorized functions
  ◦ Attach to other programs in order to be executed
  ◦ Usually without user knowledge or permission
▪ Deliver a "payload"
  ◦ Copy themselves from one computer to another, sometimes through e-mail attachments
  ◦ May steal data or files
  ◦ Permit eavesdropping access
  ◦ Destroy data

Worms
▪ Programs that copy themselves from one computer to another over networks
▪ Virus vs worms?
  ◦ Viruses require an active host program (an already-infected, running program or operating system) in order to execute; worms spread on their own over the network, without a host program or user action

Trojan Horses
▪ A software program that appears to be benign but then does something unexpected
▪ Often "transports" a virus into a computer system
▪ Name is based on the Greek ruse during the Trojan war (Troy movie: https://www.youtube.com/watch?v=Td1uPq9K--E)

SQL Injection, Spyware
▪ SQL injection attacks
  ◦ Hackers submit data to Web forms that sends a rogue SQL query to the database to perform malicious acts (e.g. dump or delete segments of the database)
▪ Spyware
  ◦ Key loggers
  ◦ Other types: reset the browser home page, redirect search requests, slow computer performance by taking up memory

Hackers and Computer Crime
▪ Hackers: individuals who attempt to gain unauthorized access to a computer system
▪ Cracker: a hacker with criminal intent

Computer Crime (Cont.)
▪ Identity theft: a crime in which an imposter obtains key pieces of personal information
▪ Password guessing: obvious
▪ Phishing: setting up fake Web sites or sending e-mail messages that look legitimate, and using them to ask for confidential data
▪ Pharming: redirecting users to a bogus Web site, even when they typed the correct address
▪ Back door: unauthorized access to anyone who knows it exists
▪ Cyberterrorism and cyberwarfare: exploitation of systems by terrorists or state actors
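The SQL injection slide above describes the attack in one sentence; the following added example (written for these notes, not code from the slides or from the Laudon textbook) shows the mechanism concretely in Python against an in-memory SQLite table. The customer table, e-mail addresses and card digits are constructed sample data, and the function names are this example's own. The vulnerable lookup builds its query by string concatenation, so a tautology typed into the form field becomes part of the SQL and dumps every row; the safe lookup binds the value as a parameter, so the same input is treated as a literal string that matches nothing.

```python
import sqlite3

# Constructed sample data (not from the slides): a tiny in-memory customer
# table standing in for a retailer's payment database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by string concatenation, so whatever the user typed
    into the Web form is interpreted as SQL. Deliberately vulnerable."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterized query: the driver binds the value separately from the
    statement text, so the input can never change the query's structure."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# A classic tautology payload typed into the form's "email" field.
# The vulnerable query becomes:  ... WHERE email = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"


def demo():
    """Returns (rows leaked by the vulnerable lookup, rows returned by the safe one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_safe(conn, PAYLOAD)
    return len(leaked), len(safe)


if __name__ == "__main__":
    # (2, 0): the injection dumps every customer; the safe query matches nothing
    print(demo())
```

A tautology payload is used rather than a stacked `'; DROP TABLE ...` statement because Python's sqlite3 `execute()` refuses to run more than one statement at a time; against drivers and databases that allow stacked queries the same concatenation bug also permits the destructive acts the slide mentions. The fix is the same in every language: never splice untrusted input into SQL text, always bind it as a parameter.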
Spoofing and Sniffing
▪ Spoofing: masquerading as someone else, or redirecting a Web link to an unintended address
▪ Sniffing: an eavesdropping program that monitors information travelling over a network
  ◦ Enables hackers to steal proprietary information such as e-mail, company files, and so on

Denial of Service (DoS) Attacks
▪ DoS: hackers flood a server with false communications in order to crash the system
▪ Distributed DoS: uses numerous computers to launch a DoS
▪ Often use botnets, which deliver 90% of world spam and 80% of world malware
  ◦ The Pushdo spamming botnet's infected computers sent as many as 7.7 billion spam messages per day

What a DDoS attack looks like (figure)

Internal Threats: Employees
▪ Security threats often originate inside an organization
▪ Inside knowledge
▪ Sloppy security procedures, user lack of knowledge
▪ Social engineering: tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
▪ Both end users and information systems specialists are sources of risk

Contemporary Security Challenges and Vulnerabilities (figure)

Security and Controls
▪ What is Security?
  ◦ Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
▪ Security measures are a special case of organizational controls: methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its accounting records, and operational adherence to management standards

Information Systems Controls
▪ General controls: govern the design, security, and use of computer programs and the security of data files throughout the organization
  ◦ Software controls, hardware controls, computer operations controls, data security controls, system development controls, administrative controls
▪ Application controls: controls unique to each computerized application
  ◦ Input controls, processing controls, output controls

CIA Triad of Information Security
▪ Confidentiality: ensuring that data is protected from unauthorized access
▪ Integrity: ensuring that data can be modified only by appropriate mechanisms
▪ Availability: the degree to which authorized users can access information for legitimate purposes

Tools and Technologies for Safeguarding Information Systems
▪ Software patches: small pieces of software that repair flaws
  ◦ Exploits are often created faster than patches can be released and implemented
▪ Identity management software: automates keeping track of all users and their privileges
  ◦ Authenticates users, protects identities, controls access
Tools and Technologies for Safeguarding Information Systems
▪ Authentication
  ◦ Password systems
  ◦ Tokens
  ◦ Smart cards: a card with an embedded chip used for identification
  ◦ Biometric authentication: human characteristics such as fingerprints, retina or voice patterns
  ◦ Two-factor authentication: combining two of these (something you know, something you have, something you are)

Preventing Unauthorized Access
▪ Guidelines for passwords
  ◦ Easy to remember, hard to guess
  ◦ Don't use family or pet names
  ◦ Don't make it accessible
  ◦ Use a combination of uppercase/lowercase letters, digits and special characters
  ◦ Don't leave the computer when logged in
  ◦ Don't ever tell anyone
  ◦ Don't include it in an e-mail
  ◦ Don't use the same password in lots of places

Preventing Unauthorized Access
▪ Fingerprint analysis: a stronger level of verification than username and password (e.g. iPhone Touch ID)
▪ What if somebody steals your digitized fingerprint? Unlike a password, a biometric cannot be changed once it has been compromised.

Tools and Technologies for Safeguarding Information Systems
▪ Firewall: a combination of hardware and software that prevents unauthorized users from accessing private networks
  ◦ Technologies include packet filtering, stateful inspection, network address translation (NAT), and application proxy filtering

A Corporate Firewall (figure)
Tools and Technologies for Safeguarding Information Systems
▪ Intrusion detection system: monitors hot spots on corporate networks to detect and deter intruders
▪ Antivirus and antispyware software: checks computers for the presence of malware and can often eliminate it as well
  ◦ Requires continual updating

Cryptography
▪ Cryptography: the field of study related to encoded information (from the Greek for "secret writing")
▪ Encryption: the process of converting plaintext into ciphertext
▪ Decryption: the process of converting ciphertext into plaintext

Cryptography
▪ plaintext message --Encryption--> ciphertext message --Decryption--> plaintext message
▪ Encrypted(Information) cannot be read
▪ Decrypted(Encrypted(Information)) can be read

Cryptography
▪ Cipher: an algorithm used to encrypt and decrypt text
▪ Key: the set of parameters that guide a cipher
▪ Neither is any good without the other

Cryptography
▪ Substitution cipher: a cipher that substitutes one character with another
  Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
  ◦ Substitute the letters in the second row for the letters in the top row to encrypt a message: Encrypt(COMPUTER) gives FRPSXWHU
  ◦ Substitute the letters in the first row for the letters in the second row to decrypt a message: Decrypt(Encrypt(COMPUTER)) gives COMPUTER
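The substitution table above is a shift cipher with key 3 (A becomes D). The following added example (written for these notes, not code from the slides) implements that cipher in Python with the shift as an explicit key, reproduces the slide's COMPUTER/FRPSXWHU result, and then shows why a 26-key cipher is no good in practice: an attacker who knows the cipher just tries every key, and a single expected word (a "crib") picks out the right one. The function names are this example's own.

```python
import string

ALPHABET = string.ascii_uppercase  # the "Plain" row of the slide's table


def encrypt(plaintext, key):
    """Shift every letter `key` places down the alphabet (key=3 is the slide's
    table: A->D, B->E, ...). Non-letters pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext, key):
    """Decryption is the same substitution run backwards: shift by -key."""
    return encrypt(ciphertext, -key)


def brute_force(ciphertext):
    """With only 26 possible keys, an attacker who knows the cipher simply
    tries them all. Returns {key: candidate plaintext}."""
    return {k: decrypt(ciphertext, k) for k in range(26)}


def recover_key(ciphertext, crib):
    """Pick the key whose decryption contains a word the attacker expects
    to appear (a 'crib'); returns None if no key fits."""
    for k, candidate in brute_force(ciphertext).items():
        if crib.upper() in candidate:
            return k
    return None


if __name__ == "__main__":
    ct = encrypt("COMPUTER", 3)
    print(ct)                         # FRPSXWHU
    print(decrypt(ct, 3))             # COMPUTER
    print(recover_key(ct, "COMP"))    # 3
    for k, candidate in brute_force(encrypt("attack at dawn", 3)).items():
        print(k, candidate)           # only one line reads as English
```

The slide's point that "neither [cipher nor key] is any good without the other" cuts both ways: here the key is essential, but the key space is so small that knowing the cipher is enough to recover it. Modern ciphers assume the algorithm is public and rely entirely on a key too large to enumerate.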
Public/Private Keys
▪ Public-key cryptography: an approach in which each user has two related keys, one public and one private
  ◦ One's public key is distributed freely
  ◦ A sender encrypts an outgoing message using the receiver's public key; only the receiver's private key can decrypt the message

Protecting Online Information
▪ Be smart about the information you make available!
▪ 25% of Facebook users don't make use of its privacy controls or don't know they exist
▪ 40% of social media users post their full birthday, opening themselves up to identity theft
▪ 9% of social media users become victims of information abuse

Securing Wireless Networks
▪ WEP security
  ◦ Static encryption keys are relatively easy to crack
  ◦ Improved if used in conjunction with a VPN
▪ WPA2 specification
  ◦ Replaces WEP with stronger standards
  ◦ Continually changing, longer encryption keys

Security in the Cloud
▪ Responsibility for security ultimately resides with the company owning the data, even when a provider operates the infrastructure
▪ Firms must ensure providers provide adequate protection:
  ◦ Where data are stored
  ◦ Meeting corporate requirements and legal privacy laws
  ◦ Segregation of data from other clients
  ◦ Audits and security certifications
▪ Service level agreements (SLAs)
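The Public/Private Keys slide above states the property without showing where it comes from. The following added example (written for these notes, not code from the slides or the textbook) implements textbook RSA in Python with deliberately tiny primes so every step is visible: a key pair is derived from two primes, anyone holding the public key can encrypt, and only the matching private key recovers the message; a second user's private key does not. The primes 61 and 53 and the function names are this example's own choices, and the byte-by-byte string encryption is for illustration only.

```python
from math import gcd


def generate_keypair(p, q, e=17):
    """Toy RSA key generation from two primes p and q.
    Returns (public_key, private_key) as (e, n) and (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse: e*d == 1 (mod phi); needs Python 3.8+
    return (e, n), (d, n)


def encrypt_int(m, public_key):
    """Anyone holding the public key can encrypt: c = m^e mod n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt_int(c, private_key):
    """Only the matching private key recovers m = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def encrypt_text(text, public_key):
    """Encrypt a short ASCII string one byte at a time (illustration only;
    real systems encrypt a symmetric key with padding, never raw bytes)."""
    return [encrypt_int(b, public_key) for b in text.encode("ascii")]


def decrypt_text(blocks, private_key):
    return bytes(decrypt_int(c, private_key) for c in blocks).decode("ascii")


# Constructed toy parameters: tiny primes so the numbers are readable.
# Real RSA keys use primes of 1024+ bits each.
RECEIVER_PUBLIC, RECEIVER_PRIVATE = generate_keypair(61, 53)  # n = 3233, d = 2753
OTHER_PUBLIC, OTHER_PRIVATE = generate_keypair(47, 59)        # another user's pair, n = 2773

if __name__ == "__main__":
    c = encrypt_int(65, RECEIVER_PUBLIC)
    print(c, decrypt_int(c, RECEIVER_PRIVATE))   # 2790 65
    print(decrypt_int(c, OTHER_PRIVATE))         # some other number: wrong private key
    print(decrypt_text(encrypt_text("HI", RECEIVER_PUBLIC), RECEIVER_PRIVATE))  # HI
```

Two caveats a practitioner would add: with a 3233-bit-free modulus this small, anyone can factor n and recompute d, so the security rests entirely on choosing primes large enough that factoring is infeasible; and raw ("textbook") RSA without padding is malleable and leaks information, so production code uses a vetted library with OAEP padding rather than this routine.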
Risk Assessment
▪ Determines the level of risk to the firm if a specific activity or process is not properly controlled
  ◦ Types of threat
  ◦ Probability of occurrence during the year
  ◦ Potential losses, value of the threat
  ◦ Expected annual loss = probability of occurrence × average loss
▪ Goal is to minimize vulnerability to the threats that put a system at the most risk

Online Order Processing Risk Assessment
EXPOSURE        PROBABILITY OF OCCURRENCE   LOSS RANGE (AVERAGE) ($)        EXPECTED ANNUAL LOSS ($)
Power failure   30%                         $5,000 - $200,000 ($102,500)    $30,750
Embezzlement    5%                          $1,000 - $50,000 ($25,500)      $1,275
User error      98%                         $200 - $40,000 ($20,100)        $19,698

Security Policy
▪ Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
▪ Drives other policies
  ◦ Acceptable use policy (AUP): defines acceptable uses of the firm's information resources and computing equipment
  ◦ Identity management: identifying valid users, controlling access

Disaster Recovery Planning and Business Continuity Planning
▪ Disaster recovery planning: devises plans for the restoration of disrupted computing and communications services
▪ Business continuity planning: focuses on restoring business operations after a disaster
▪ Both types of plan need to identify the firm's most critical systems
  ◦ Business impact analysis to determine the impact of an outage
  ◦ Management must determine which systems are restored first
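The risk assessment table above gives the inputs and the results but not the calculation. The following added example (written for these notes, not code from the slides) carries the slide's formula through in Python: average loss is the midpoint of the loss range, expected annual loss is probability × average loss, and the exposures are ranked so the one that "puts the system at the most risk" comes first. It then goes one step beyond the slide and compares a control's annual cost with the expected loss it removes, which is how a risk assessment feeds a spending decision. The UPS figures at the bottom are a hypothetical assumption, not from the slide.

```python
from dataclasses import dataclass


@dataclass
class Exposure:
    name: str
    probability: float   # probability of occurrence during the year
    loss_low: float      # low end of the loss range ($)
    loss_high: float     # high end of the loss range ($)

    @property
    def average_loss(self) -> float:
        """Midpoint of the loss range, as the slide's '(AVERAGE)' column."""
        return (self.loss_low + self.loss_high) / 2

    @property
    def expected_annual_loss(self) -> float:
        """Expected annual loss = probability of occurrence x average loss."""
        return self.probability * self.average_loss


# The slide's online order processing example, re-entered as data.
EXPOSURES = [
    Exposure("Power failure", 0.30, 5_000, 200_000),
    Exposure("Embezzlement", 0.05, 1_000, 50_000),
    Exposure("User error", 0.98, 200, 40_000),
]


def rank_by_expected_loss(exposures):
    """Highest expected annual loss first: the threats to control first."""
    return sorted(exposures, key=lambda x: x.expected_annual_loss, reverse=True)


def annual_benefit(exposure, residual_probability):
    """Expected loss a control removes per year if it cuts the exposure's
    probability of occurrence to `residual_probability`."""
    residual = Exposure(exposure.name, residual_probability,
                        exposure.loss_low, exposure.loss_high)
    return exposure.expected_annual_loss - residual.expected_annual_loss


def control_is_worthwhile(exposure, residual_probability, annual_control_cost):
    """A control pays for itself only if the loss it prevents exceeds its cost."""
    return annual_benefit(exposure, residual_probability) > annual_control_cost


if __name__ == "__main__":
    for x in rank_by_expected_loss(EXPOSURES):
        print(f"{x.name:<14} {x.probability:>4.0%}  avg ${x.average_loss:>9,.0f}"
              f"  expected annual loss ${x.expected_annual_loss:>9,.0f}")
    # Hypothetical control (an assumption, not from the slide): a UPS and
    # generator that cut power-failure probability from 30% to 5% for $10,000/year.
    power = EXPOSURES[0]
    print(annual_benefit(power, 0.05), control_is_worthwhile(power, 0.05, 10_000))
```

Note that the ranking by expected annual loss differs from a ranking by probability: user error is almost certain (98%) but power failure carries the larger expected loss, which is why the slide's goal is phrased in terms of risk rather than likelihood alone.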
The Role of Auditing
▪ Information systems audit: examines the firm's overall security environment as well as the controls governing individual information systems
▪ Security audits
  ◦ Review technologies, procedures, documentation, training, and personnel
  ◦ May even simulate a disaster to test responses
▪ List and rank control weaknesses and their probability of occurrence
▪ Assess the financial and organizational impact of each threat

Sample Auditor's List of Control Weaknesses (figure)