

Managing IT Security

INFO420: Managing the IT Function


Information Security    

The Threats
Scope of Security Management
Security’s Five Pillars
Tools for Computer Security 

Business Continuity



INFORMATION SYSTEMS @ X

Information Security

• Information security is more than just protecting hardware and software from being crashed…
• It’s about protecting the information resources that keep the company operating
• Goals are to ensure:
  • Data integrity, availability and confidentiality
  • Business continuity

Threats from outside…

Common Attacks - Personal

• Spoofing: Masquerading as a legitimate web site and redirecting traffic to a fraudulent site
• Con artists: Calling to offer a credit card account in order to obtain info about email, SSN, or credit card information
• Denial of Service: Attacks from coordinated computers that flood a site with so many requests that the site crashes
  > Thousands of page requests/minute on an ecommerce site (virus as well)

Common Attacks - Corporate

• Phishing or Fishing: Fraudulent email attempt to obtain sensitive information
  > E.g. an email notifying a bank account owner that his/her account had a security breach, and requesting the owner to log in to a fraudulent website to “reset the password”
• Virus/Worm: A computer program that appears to perform a legitimate task, but is hidden malware
  > E.g. wipe out a hard drive, copy passwords, send out an unauthorized email, etc.
  > Samy
• Sniffing: Interception and reading of electronic messages as they travel over the Internet

Threats from inside…

• Employee illegally accesses email accounts
• Angry / misguided technical personnel:
  • Deletes sensitive data
  • Rewrites a program so data is corrupted/company can’t operate
  • Leaves a ‘cyber bomb’ that detonates in the event he/she is fired
• Employee steals sensitive data (customer) and sells it to a competitor

Many dimensions of security

• Data security
• Application and OS security
• Network security
• Facility security
• Egress security should be enforced

Catch me if you can…

• Why are criminals able to carry out identity theft?
• What can credit card companies do to prevent this?
• Individuals?

Security’s Five Pillars

• Authentication: Verifying the authenticity of users – ensuring people are who they say they are
  > ID/Password, biometric, questions
• Identification: Identifying users to grant them appropriate access
  > Allowing the system to know who someone is in order to give appropriate access rights
• Privacy: Protecting information from being seen
  > E.g. against spyware installed without consent in a computer to collect information

Security’s Five Pillars

• Integrity: Keeping information in its original form
  > Ensuring data is not altered in any way
• Non-repudiation: Preventing parties from denying actions they have taken
  > Ensuring that the parties in a transaction are who they say they are and cannot deny that the transaction took place

Technical Countermeasures

• Firewalls:
  • Hardware/software to control access between networks / blocking unwanted access
  > Windows Vista
• Encryption/decryption:
  • Using an algorithm (cipher) to make a plain text unreadable to anyone that does not have a key
  > SSL

Technical Countermeasures

• Virtual Private Networks (VPNs)
  • Allow strong protection for data communications
  • Cheaper than private networks, but do not provide 100% end-to-end security

Encryption / SSL

• An SSL Certificate enables encryption of sensitive information during online transactions.
• Each SSL Certificate contains unique, authenticated information about the certificate owner.
• A Certificate Authority verifies the identity of the certificate owner when it is issued.
• Each SSL Certificate consists of a public key and a private key. Public key: scramble. Private Key: unscramble
• Secure Sockets Layer handshake authenticates the server (Web site) and the client (Web browser).
• Unique session key established and secure transmission can begin.
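The slide's claims (the certificate owner is vouched for by a Certificate Authority, and the handshake authenticates the Web site) only hold if the client actually enforces them. The following is an added example, not part of the original slides: a small Python check of a client's TLS settings, with the function names `audit_tls_context`, `hardened_context` and `weak_context` chosen here for illustration.

```python
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the slide's SSL guarantees that this client context does NOT enforce."""
    findings = []
    # Without CERT_REQUIRED the certificate is never checked against a CA,
    # so "authenticated information about the certificate owner" is not verified.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not verified against a Certificate Authority")
    # Without hostname checking, any valid certificate for any site is accepted,
    # so the handshake does not authenticate the site the user asked for.
    if not ctx.check_hostname:
        findings.append("certificate owner not matched to the requested host name")
    # Old protocol versions weaken the encrypted session itself.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 allowed")
    return findings


def hardened_context() -> ssl.SSLContext:
    """Client settings that enforce CA verification and host name matching."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context() -> ssl.SSLContext:
    """Constructed weak configuration: still encrypts, but authenticates nobody."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_context()), ("weak", weak_context())):
        findings = audit_tls_context(ctx)
        print(name, "->", findings if findings else "all checks enforced")
```

The weak configuration still produces an encrypted session, which is why a padlock or "encrypted" status alone says nothing about who is on the other end.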

Business Continuity

• Earlier: technical ‘disaster recovery’
• 9/11 and Katrina: ‘business continuity’
• Alternate workspace for people with working computers and communications
• Backup IT sites (business programs and data)
• Backup mobile devices with corporate information
• Up-to-date evacuation plans and drills
• Disaster recovery support (emergency procedures, etc.)