
Securing Information Systems
System Vulnerability and Abuse
• Security: Policies, procedures, and technical measures used to prevent
unauthorized access, alteration, theft, or physical damage to Information
Systems
• Controls: Methods, policies, and organizational procedures that ensure the
safety of the organization’s assets; the accuracy and reliability of its records;
and operational adherence to management standards

• Why are systems vulnerable?
› Accessibility of networks
› Hardware problems
› Software problems
› Disasters
› Use of networks/computers outside of firm’s control
› Loss/theft of portable device
System Vulnerability and Abuse (cont.)
• Internet Vulnerabilities
› Network open to anyone
› Size of Internet means abuses can have wide impact
› Use of fixed Internet addresses creates persistent targets for hackers
› Unencrypted VoIP (calls can be intercepted in transit)
› E-mail and IM (interception, attachments with malware, trade secrets)

• Wireless Security Challenges
› War driving (T.J. Maxx case)
› A single shared key used by all users and the access point, so one leaked
key exposes the whole wireless network
Malicious Software: Malware
• Viruses: Rogue software program that attaches itself to other software
programs or data files in order to be executed, usually without user
knowledge or permission
• Worms: Independent computer programs that copy themselves from one
computer to other computers over a network
• Trojan Horses: Software program that appears to be harmless but then
does something other than expected
• Spyware: Small programs that install themselves secretly on computers to
monitor user web surfing activity and serve up advertising
• Key Loggers: Programs that record every keystroke made on a computer to
steal software serial numbers, launch Internet attacks, gain access to e-mail
accounts, obtain passwords to protected computer systems, or pick up personal
information such as credit card numbers
Hackers and Computer Crime
• Hacker: An individual who intends to gain unauthorized access to a
computer system
• Cracker: A hacker with criminal intent

• The terms hacker and cracker are used interchangeably in the public press
• Hacker activities include system intrusion (theft of information), system
damage, and cyber vandalism (intentional disruption, defacement, or
destruction of a website or corporate information system)
Hackers and Computer Crime (cont.)
• Spoofing: Misrepresenting oneself by using fake e-mail addresses or
pretending to be someone else
• Sniffer: Spy program that monitors information travelling over a network
• Denial-of-Service (DoS) Attacks: Flooding a server or network with
thousands of bogus requests so that it can no longer respond to legitimate ones
• Distributed Denial-of-Service (DDoS) Attacks: Use of numerous
computers to launch a DoS
• Botnet: Networks of “zombie” PCs infiltrated by bot malware
Hackers and Computer Crime (cont.)
• Computer Crime: Any violation of criminal law that involves a knowledge
of computer technology
• Computers may be the target of crime:
 Breaching the confidentiality of protected computerized data
 Accessing a computer system without authority
• Computers may be instruments of crime:
 Theft of trade secrets
 Using e-mail for threats or harassment
Hackers and Computer Crime (cont.)
• Identity Theft: Theft of personal information (national ID, driver’s license,
credit card numbers) to impersonate someone else
• Phishing: Setting up fake web sites or sending e-mail messages that look
like those of genuine businesses to ask users for confidential personal data
• Evil Twins: Wireless networks that pretend to offer trustworthy Wi-Fi
connections to the Internet
• Pharming: Redirects users to a bogus web page, even when an individual
types the correct web page address into the browser
• Click Fraud: Occurs when an individual or computer program fraudulently
clicks on an online ad without any intention of learning more about the
advertiser or making a purchase
Hackers and Computer Crime (cont.)
• Cyber Terrorism and Cyber Warfare
 A study by Sophos (2008) showed that 42% of the malware originated in
the US, 30.1% came from China, and 10.3% from Russia
 Cyber attacks on electrical power grids, air traffic control system,
networks of major banks or financial institutions can create catastrophe

• Internal Threats (Employees)
 Security threats often originate inside an organization
 Inside knowledge
 Sloppy security procedures
 Unintentional errors
Software Vulnerability
• Bugs (Program Code Defects)
 A major problem with software is the presence of hidden bugs or
program code defects
 The main source of bugs is the complexity of decision making code
 Zero defects cannot be achieved in larger programs
 Such flaws hamper or slow down performance
 Such flaws can also open networks to intruders

• Patches
 Vendors release small pieces of software to repair flaws
 Release of patches requires the identification of bugs first
Framework for Security and Control
• Information Systems Controls
 Information systems controls are both manual and automated and
consist of both general controls and application controls
 General controls govern the design, security, and use of computer
programs and the security of data files in general throughout the
organization’s IT infrastructure. Can be classified as software controls,
hardware controls, computer operations controls, data security controls,
implementation controls, and administrative controls.
 Application controls are specific controls unique to each computerized
application. Can be classified as input controls, processing controls, and
output controls
Framework for Security and Control
• Identity Management
 Business processes and tools to identify valid users of system and control
access
 Identifies and authorizes different categories of users
 Specifies which portion of system users can access
 Captures access rules for different levels of users
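The access rules described above are usually captured as roles. The following is an added illustration, not code from the original slides: a deny-by-default, role-based access check with an audit trail. The roles, resources and user names are constructed sample data.

```python
# Added illustration of a deny-by-default, role-based access check; this is
# not code from the original slides. Role names, resources and users below are
# constructed sample data.

ROLE_PERMISSIONS = {
    # role: set of (resource, action) pairs the role is explicitly allowed
    "clerk":   {("orders", "read"), ("orders", "create")},
    "manager": {("orders", "read"), ("orders", "create"),
                ("orders", "approve"), ("reports", "read")},
    "auditor": {("orders", "read"), ("reports", "read"), ("audit_log", "read")},
}

USER_ROLES = {
    "alice": {"clerk"},
    "bob":   {"manager"},
    "carol": {"auditor"},
}

AUDIT_LOG = []  # every decision is recorded, allowed or not


def is_authorized(user, resource, action):
    """True only if one of the user's roles explicitly grants (resource, action).

    Unknown users, unknown roles and actions nobody listed all fall through
    to the final `return False`: that is the deny-by-default rule.
    """
    for role in USER_ROLES.get(user, set()):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


def authorize(user, resource, action):
    """Enforce the decision and log it; raising stops callers ignoring a deny."""
    allowed = is_authorized(user, resource, action)
    AUDIT_LOG.append((user, resource, action, "ALLOW" if allowed else "DENY"))
    if not allowed:
        raise PermissionError(f"{user} may not {action} {resource}")
    return True


def permissions_of(user):
    """Effective permission set of a user, useful for periodic access reviews."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


if __name__ == "__main__":
    for user, resource, action in [("alice", "orders", "read"),
                                   ("alice", "orders", "approve"),
                                   ("mallory", "orders", "read")]:
        print(user, resource, action, "->", is_authorized(user, resource, action))
```

The point of permissions_of() is the access review: identity management is not only the check at request time but also the periodic confirmation that each user still holds only the roles their job needs.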

• Disaster Recovery Planning: Devises plans for restoration of the system
after disruption

• Business Continuity Planning: Focuses on restoring business operations
after disaster
Technologies and Tools for
Protecting Information Resources
• Access Control
 Use of authentication (passwords, smart card)
 Biometric authentication
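Password authentication is only as strong as the way the passwords are stored. The following is an added illustration, not code from the original slides: the unsalted fast hash that must be avoided beside a salted, iterated hash verified in constant time. The iteration count is an assumed work factor and should be tuned to roughly 100 ms on the target hardware.

```python
# Added illustration of password storage for the authentication step above;
# not code from the original slides. The iteration count is an assumed
# work factor and should be tuned to roughly 100 ms on the target hardware.
import hashlib
import hmac
import secrets

ITERATIONS = 600_000          # assumed; raise as hardware gets faster
ALGORITHM = "pbkdf2_sha256"


def weak_hash(password):
    """The mistake to avoid: one unsalted, fast hash. Equal passwords give
    equal digests, so a precomputed table cracks every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = secrets.token_bytes(16)            # unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                              # malformed record
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest does not stop at the first differing byte, so a
    # remote attacker learns nothing about the digest from response timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Storing the algorithm and iteration count inside each record is what lets the work factor be raised later: old records keep verifying, and can be re-hashed at the user's next successful login.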

• Firewalls: Combination of hardware and software that prevents
unauthorized users from accessing private networks
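What a packet-filtering firewall actually does is evaluate each packet against an ordered rule table. The following is an added illustration, not code from the original slides: a first-match rule evaluator with a default-deny policy, and the same packets under the default-allow misconfiguration. The rule table, addresses and packets are constructed sample data.

```python
# Added illustration of the rule evaluation inside a packet-filtering firewall;
# not code from the original slides. The rule table and the packets are constructed.
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src dst_port")      # dst_port None = any
Packet = namedtuple("Packet", "proto src dst_port")

# Constructed policy: first matching rule wins, and anything that matches
# nothing falls to the default action of evaluate().
RULES = [
    Rule("allow", "tcp", ipaddress.ip_network("10.0.0.0/8"), 22),    # SSH from the LAN only
    Rule("allow", "tcp", ipaddress.ip_network("0.0.0.0/0"), 443),    # public HTTPS
    Rule("deny",  "tcp", ipaddress.ip_network("0.0.0.0/0"), 3389),   # RDP never from outside
    Rule("allow", "udp", ipaddress.ip_network("10.0.0.0/8"), 53),    # internal DNS
]


def evaluate(packet, rules=RULES, default="deny"):
    """Return 'allow' or 'deny' for one packet header."""
    src = ipaddress.ip_address(packet.src)
    for rule in rules:
        if (rule.proto == packet.proto
                and src in rule.src
                and (rule.dst_port is None or rule.dst_port == packet.dst_port)):
            return rule.action
    return default


def filter_packets(packets, **kwargs):
    """Evaluate a batch and return the decisions in order."""
    return [evaluate(p, **kwargs) for p in packets]


SAMPLE = [
    Packet("tcp", "10.1.2.3", 22),        # LAN host -> SSH
    Packet("tcp", "203.0.113.5", 22),     # Internet host -> SSH
    Packet("tcp", "198.51.100.7", 443),   # Internet host -> HTTPS
    Packet("tcp", "203.0.113.5", 445),    # Internet host -> SMB, covered by no rule
]

if __name__ == "__main__":
    print(filter_packets(SAMPLE))                    # default deny
    print(filter_packets(SAMPLE, default="allow"))   # the misconfiguration
```

Under default deny, the SMB packet that no rule mentions is dropped; under default allow it reaches the private network, as does SSH from the Internet, because the LAN-only SSH rule simply does not match and nothing after it says deny.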

• Intrusion Detection Systems: Monitor hotspots on corporate networks
to detect and deter intruders
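One concrete piece of the monitoring an intrusion detection system does is counting failed logins per source. The following is an added illustration, not code from the original slides: a sliding-window detector run over constructed sshd log lines in OpenSSH's syslog format. The threshold and window are assumed values.

```python
# Added illustration of one detection an intrusion detection system performs:
# flagging a source that fails SSH logins repeatedly within a short window.
# Not code from the original slides; the log lines below are constructed in
# OpenSSH's syslog format, and the threshold and window are assumed values.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 10:00:02 host sshd[1203]: Failed password for invalid user test from 198.51.100.4 port 40110 ssh2
Mar  3 10:00:04 host sshd[1205]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar  3 10:00:06 host sshd[1207]: Failed password for root from 203.0.113.9 port 51026 ssh2
Mar  3 10:00:09 host sshd[1209]: Accepted publickey for alice from 10.0.0.7 port 50122 ssh2
Mar  3 10:00:11 host sshd[1211]: Failed password for invalid user oracle from 203.0.113.9 port 51028 ssh2
Mar  3 10:00:15 host sshd[1213]: Failed password for invalid user guest from 203.0.113.9 port 51030 ssh2
Mar  3 10:03:20 host sshd[1220]: Failed password for bob from 198.51.100.4 port 40115 ssh2
""".splitlines()

FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_login(line, year=2024):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per source; one alert per source
    the first time the count within `window` reaches `threshold`."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_failed_login(line)
        if event is None:
            continue
        ts, user, src = event
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "failures": len(q), "first": q[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {alert['src']}: {alert['failures']} failed logins "
              f"between {alert['first'].time()} and {alert['last'].time()}")
```

The window matters as much as the threshold: the two failures from 198.51.100.4 are three minutes apart, so with a 60-second window they never accumulate, while 203.0.113.9 crosses five failures in fourteen seconds and is reported once rather than on every further attempt.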

• Antivirus and Antispyware: Checks computers for presence of malware
and can often eliminate it as well
