Management Information Systems
Securing Information Systems
Graduate School of Management & Economics
Securing Information Systems
N.Karami, MIS-Spring 2012
Learning Objectives 
• Describe the major ethical (Privacy) issues 
related to information technology and identify 
situations in which they occur. 
• Describe the many threats to information 
security. 
• Understand the various defense mechanisms 
used to protect information systems. 
• Explain IT auditing and planning for disaster 
recovery. 

Computer systems intrusion at TJX

Privacy Issues
You Be the Judge
Terry Childs: Guilty or not Guilty?
Privacy 
Court decisions have followed two rules: 
(1) The right of privacy is not absolute. 
Your privacy must be balanced against the needs of society. 
(2) The public’s right to know is superior to the individual’s right 
of privacy. 
• Threats to Privacy 
– Data aggregators, digital dossiers, and profiling 
– Electronic Surveillance 
– Personal Information in Databases 
– Information on Internet Bulletin Boards, Newsgroups, & 
Social Networking Sites 

Data Aggregators, Digital Dossiers, and Profiling

Information on Internet Bulletin Boards, Newsgroups, & Social Networking Sites
Management Information Systems 
Securing Information Systems 
Graduate School of 
Management & Economics 
Protecting Privacy 
• Privacy Codes and Policies: An organization’s 
guidelines with respect to protecting the privacy of 
customers, clients, and employees. 
• Opt-out model of informed consent permits the 
company to collect personal information until the 
customer specifically requests that the data not be 
collected. 
• Opt-in model of informed consent means that 
organizations are prohibited from collecting any 
personal information unless the customer specifically 
authorizes it. 

IS Security Management
• The goal of security management is the accuracy, integrity, and safety of all information system processes and resources

Factors Increasing the Threats to Information Security
• Today’s interconnected, interdependent, wirelessly-networked 
business environment 
• Government legislation 
• Smaller, faster, cheaper computers and storage 
devices 
• Decreasing skills necessary to be a computer hacker 
• International organized crime turning to cybercrime 
• Downstream liability 
• Increased employee use of unmanaged devices 
• Lack of management support 

Key Information Security Terms (1)
• A threat to an information resource is any danger to which 
a system may be exposed. 
• The exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource. 
• A system’s vulnerability is the possibility that the system 
will suffer harm by a threat. 
• System security focuses on protecting hardware, data, 
software, computer facilities, and personnel. 

Key Information Security Terms (2)
• Information security describes the protection of both 
computer and non-computer equipment, facilities, data, 
and information from misuse by unauthorized parties. 
– Includes copiers, faxes, all types of media, paper 
documents 
• Risk is the likelihood that a threat will occur. 
• Information system controls are the procedures, devices, or software aimed at preventing a compromise to the system. 

Objectives of Information Security
Security Threats 

Categories of Threats to Information Systems
• Unintentional acts 
• Natural disasters 
• Technical failures 
• Management failures 
• Deliberate acts 
(from Whitman and Mattord, 2003) 
Human Errors 
• Tailgating 
• Shoulder surfing 
• Carelessness with laptops and portable 
computing devices 
• Opening questionable e-mails 
• Careless Internet surfing 
• Poor password selection and use 
Anti-Tailgating Door 
Shoulder Surfing 
Most Dangerous Employees 
Human resources and MIS
Remember, these employees hold ALL the information
Deliberate Acts 
Malicious Software (Malware) 
• Viruses: Rogue software program that attaches itself to other 
software programs or data files in order to be executed 
• Worms: Independent computer programs that copy themselves from 
one computer to other computers over a network. 
• Trojan horses: Software program that appears to be benign but 
then does something other than expected. 
• Spyware: Programs that install themselves surreptitiously on computers to monitor users’ Web surfing activity and serve up advertising. 

Deliberate Acts
Hackers & Crackers
• Hacking is
– The obsessive use of computers
– The unauthorized access and use of networked computer systems
– Activities include system intrusion, system damage, and cybervandalism.
• Electronic Breaking and Entering 
– Hacking into a computer system and reading files, but neither 
stealing nor damaging anything 
• Cracker 
– A malicious or criminal hacker who maintains knowledge of 
the vulnerabilities found for private advantage 

Deliberate Acts
Common Hacking Tactics (1)
• Spoofing
• Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers
• Sniffer 
• Eavesdropping program that monitors information traveling over network 
• Enables hackers to steal proprietary information such as e-mail, company 
files, etc. 
• Capturing passwords or entire contents 
• Scans 
• Widespread probes of the Internet to determine types of computers, 
services, and connections 
• Looking for weaknesses 
Deliberate Acts 
Common Hacking Tactics (2) 
• Denial-of-service attacks (DoS) 
• Flooding server with thousands of false requests to crash the 
network. 
• Distributed denial-of-service attacks (DDoS) 
• Use of numerous computers to launch a DoS 
• Back Doors 
• A hidden point of entry to be used in case the original entry point is 
detected or blocked. 
• War Dialing 
• Programs that automatically dial thousands of telephone numbers in 
search of a way in through a modem connection 
• Logic Bombs 
• An instruction in a computer program that triggers a malicious act 

Deliberate Acts
Computer Crime (1)
• Identity theft
• Theft of personal information (Social Security ID, driver’s license, or credit card numbers) to impersonate someone else
• Phishing 
• Setting up fake Web sites or sending e-mail messages 
that look like legitimate businesses to ask users for 
confidential personal data. 
• Evil twins 
• Wireless networks that pretend to offer trustworthy Wi-Fi 
connections to the Internet 
• Pharming 
• Redirects users to a bogus Web page, even when individual 
types correct Web page address into his or her browser 
Deliberate Acts 
Computer Crime (2) 
• Click fraud 
• Occurs when individual or computer program fraudulently 
clicks on online ad without any intention of learning more 
about the advertiser or making a purchase 
Information Systems Controls 
• General controls 
• Govern design, security, and use of computer programs and 
security of data files in general throughout organization’s 
information technology infrastructure. 
• Apply to all computerized applications 
• Combination of hardware, software, and manual procedures to 
create overall control environment 
• Application controls 
• Physical controls 
• Access controls 
• Communications (network) controls 
• MIS auditing 

Where Defense Mechanisms (Controls) are Located

Access Control
• Policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders
• Access control three-step process includes: 
• User identification 
• User authentication 
• Something the user is: Biometric authentication: Facial 
recognition, Hand Geometry, Fingerprint Scan, Palm scan, Retina 
scan, Iris Scan 
• Something the user does: Signature, Voice recognition 
• Something the user has: Regular ID card, Smart ID card or token 
• Something the user knows: Passwords, passphrases 
• User authorization 
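The three-step process above, worked through as an added Python example that is not part of the lecture: identification looks up the claimed user, authentication verifies something the user knows (a salted PBKDF2 password hash, compared in constant time), and authorization consults a role-to-permission table. The user store, the passwords, the roles and the permission triples are all constructed for the example.

```python
"""Identification, authentication, authorization as three separate checks.
Added teaching example; users, passwords and permissions are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # work factor for the password hash
_DUMMY_SALT = b"\x00" * 16   # used so unknown users cost the same time as known ones


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the system stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset


def make_user(name: str, password: str, roles) -> User:
    salt = os.urandom(16)  # fresh random salt per user
    return User(name, salt, hash_password(password, salt), frozenset(roles))


# Hypothetical user store (constructed): two users with different roles.
USERS = {
    u.name: u
    for u in (
        make_user("alice", "correct horse battery staple", {"loan_officer"}),
        make_user("bob", "hunter2", {"teller"}),
    )
}

# Hypothetical authorization policy (constructed): (role, action, resource) triples.
PERMISSIONS = {
    ("loan_officer", "read", "loan"),
    ("loan_officer", "approve", "loan"),
    ("teller", "read", "loan"),
}


def identify(username: str):
    """Step 1, identification: who does the caller claim to be?"""
    return USERS.get(username)


def authenticate(user, password: str) -> bool:
    """Step 2, authentication: prove the claim with something the user knows."""
    if user is None:
        hash_password(password, _DUMMY_SALT)  # same cost, so timing does not reveal valid names
        return False
    return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)


def authorize(user, action: str, resource: str) -> bool:
    """Step 3, authorization: may this authenticated user do this to that resource?"""
    return any((role, action, resource) in PERMISSIONS for role in user.roles)


def access(username: str, password: str, action: str, resource: str) -> str:
    """Run the three steps in order and report the outcome."""
    user = identify(username)
    if not authenticate(user, password):
        # One message for both "no such user" and "wrong password": the response
        # must not tell a caller which usernames exist.
        return "denied: authentication failed"
    if not authorize(user, action, resource):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "approve", "loan"))  # granted
    print(access("bob", "hunter2", "approve", "loan"))                         # not authorized
```

Authentication succeeding does not imply authorization: bob is a real, correctly authenticated teller and is still refused the approve action because no permission triple grants it to his role.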

Communication or Network Controls
• Firewalls 
• Anti-malware systems 
• Whitelisting and Blacklisting 
• Intrusion detection systems 
• Encryption 
Firewalls 
• A gatekeeper system that protects a company’s intranets 
and other computer networks from intrusion 
• Provides a filter and safe transfer point for 
access to/from the Internet and other networks 
• Important for individuals who connect to the Internet with 
DSL or cable modems 
• Can deter hacking, but cannot prevent it. 

Basic Home Firewall (top) and Corporate Firewall (bottom)

Intrusion Detection Systems and Antivirus Software
• Intrusion detection systems: 
• Monitor hot spots on corporate networks to detect and deter intruders 
• Examine events as they happen to discover attacks in progress 
• Antivirus and antispyware software: 
• Check computers for the presence of malware and can often eliminate it as well 
• Require continual updating 
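An added example, not from the lecture, of the "examine events as they happen" idea: a small detector reads authentication log lines and raises an alert when one source address accumulates a threshold of failed logins inside a sliding time window, which is what a password-guessing attempt in progress looks like. The log format, the hosts, the addresses and the user names are constructed for the example.

```python
"""Sliding-window failed-login detector over constructed auth log lines.
Added teaching example; the log format and every value in it are invented."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, outcome, user, source address.
SAMPLE_LOG = """\
2012-04-10T09:15:01 auth OK   user=alice src=10.0.0.5
2012-04-10T09:15:20 auth FAIL user=alice src=198.51.100.7
2012-04-10T09:15:22 auth FAIL user=bob   src=198.51.100.7
this line is malformed and must be skipped
2012-04-10T09:15:25 auth FAIL user=carol src=198.51.100.7
2012-04-10T09:15:27 auth FAIL user=dave  src=198.51.100.7
2012-04-10T09:15:30 auth FAIL user=erin  src=198.51.100.7
2012-04-10T09:20:00 auth FAIL user=bob   src=10.0.0.9
2012-04-10T09:35:00 auth FAIL user=bob   src=10.0.0.9
2012-04-10T09:50:00 auth OK   user=bob   src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse(line: str):
    """Return (timestamp, outcome, user, src) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.fromisoformat(ts), outcome, user, src


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Alert once per source that logs `threshold` FAILs within any `window`.

    Returns a list of (timestamp, src, distinct_users_tried) tuples, the timestamp
    being the failure that crossed the threshold.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures in window
    alerted = set()
    alerts = []
    for raw in lines:
        rec = parse(raw.strip())
        if rec is None:
            continue  # malformed line: skip, do not crash the detector
        ts, outcome, user, src = rec
        if outcome != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((ts, src, len({u for _, u in q})))
    return alerts


def run_sample():
    """Run the detector over the constructed log."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, src, users in run_sample():
        print(f"{ts.isoformat()} ALERT {src}: {users} distinct users, threshold reached")
```

The window matters as much as the threshold: 10.0.0.9 also fails twice, but fifteen minutes apart, so it never accumulates enough failures inside one window and produces no alert, whereas 198.51.100.7 crosses the threshold while cycling through five different user names in ten seconds.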

Encryption
• Encryption:
• Transforming text or data into ciphertext that cannot be read by unintended recipients 
• Two alternative methods of encryption 
• Symmetric key encryption 
• Sender and receiver use a single, shared key 
• Public key encryption 
• Uses two mathematically related keys: a public key and a private key 
• Sender encrypts the message with the recipient’s public key 
• Recipient decrypts it with the private key 
Public/Private Key Encryption 

Public/Private Key Encryption

Digital Certificate 
• Digital certificate: 
• Data file used to establish the identity of users and electronic 
assets for protection of online transactions 
• Uses a trusted third party, certification authority (CA), to 
validate a user’s identity 
• CA verifies user’s identity, stores information in CA server, 
which generates encrypted digital certificate containing 
owner ID information and copy of owner’s public key 
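The key relationships on the encryption slides and the certificate slide, carried through as one added Python example (not code from the lecture): textbook RSA built from two small primes, the sender encrypting with the recipient's public key, the recipient decrypting with the private key, and a CA signing a certificate that binds an owner ID to the owner's public key so that a relying party can check it using only the CA's public key. The primes, the owner ID and the CA/recipient names are constructed for the example; with keys this small and no padding the code illustrates the arithmetic, not a usable cipher.

```python
"""Toy RSA: public-key encryption and a CA-signed certificate.
Added teaching example with tiny primes and no padding; illustrates the
relationships only. All primes, names and IDs below are constructed."""
import hashlib
from math import gcd


def keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) as (n, e) and (n, d); d is e's inverse mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def encrypt(public, m: int) -> int:
    """Sender encrypts with the RECIPIENT's public key."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    """Recipient decrypts with the private key only they hold."""
    n, d = private
    return pow(c, d, n)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    """Signing applies the PRIVATE exponent to a digest of the data."""
    n, d = private
    return pow(_digest(data, n), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    """Anyone holding the PUBLIC key can check the signature."""
    n, e = public
    return pow(sig, e, n) == _digest(data, n)


def _cert_body(owner: str, public) -> bytes:
    # What the CA vouches for: the owner ID together with the owner's public key.
    return f"{owner}|{public[0]}|{public[1]}".encode()


def issue_certificate(ca_private, owner: str, owner_public) -> dict:
    """CA binds the (already verified) owner ID to the owner's public key by signing both."""
    return {"owner": owner, "public": owner_public,
            "sig": sign(ca_private, _cert_body(owner, owner_public))}


def check_certificate(ca_public, cert: dict) -> bool:
    """Relying party trusts the CA's public key, not anything the holder says."""
    return verify(ca_public, _cert_body(cert["owner"], cert["public"]), cert["sig"])


if __name__ == "__main__":
    ca_pub, ca_priv = keypair(1000003, 1000033)   # constructed toy CA key
    bob_pub, bob_priv = keypair(104729, 104723)   # constructed toy recipient key
    cert = issue_certificate(ca_priv, "bob@example.com", bob_pub)
    print("certificate valid:", check_certificate(ca_pub, cert))
    c = encrypt(cert["public"], 123456)           # sender takes the key from the certificate
    print("ciphertext:", c, "decrypted:", decrypt(bob_priv, c))
```

Changing any field of the certificate after issuance (the owner ID or the public key) invalidates the CA's signature, which is exactly what lets the sender trust that the public key it is about to encrypt with belongs to the named owner.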
How Digital Certificates Work 

Communication or Network Controls (continued)
• Virtual private networking 
• Secure Sockets Layer (SSL, now Transport Layer Security, TLS) 
• Employee monitoring systems 

Virtual Private Network and Tunneling
Employee Monitoring System 
The Role of Auditing 
• MIS audit 
• Examines firm’s overall security environment as well as 
controls governing individual information systems 
• Reviews technologies, procedures, documentation, training, 
and personnel. 
• May even simulate disaster to test response of technology, IS 
staff, other employees. 
• Lists and ranks all control weaknesses and estimates 
probability of their occurrence. 
• Assesses financial and organizational impact of each threat 

Sample Auditor’s List of Control Weaknesses
This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.
46 N.Karami, MIS-Spring 2012

More Related Content

PPT
Securing information systems
PDF
8 - Securing Info Systems
DOCX
Chapter 8 securing information systems MIS
PPT
386sum08ch8
PPT
MIS-CH08: Securing Information Systems
PPTX
Securing information system
PPT
security and ethical challenges
Securing information systems
8 - Securing Info Systems
Chapter 8 securing information systems MIS
386sum08ch8
MIS-CH08: Securing Information Systems
Securing information system
security and ethical challenges

What's hot (20)

PDF
Isaca june 19, 2010
PPT
Security and ethical challenges in mis
PPT
Chapter2 the need to security
PPTX
Is6120 data security presentation
PPT
Security And Ethical Challenges Of Infornation Technology
PPT
Chap13 Security and Ethical Challenges
PPT
Security and ethical issues - Arber Hoxhallari
PPT
Information security management v2010
PDF
Overview of Information Security & Privacy
PPT
Information security
PPT
Security And Ethical Challenges
PPTX
Cyber security mis
PPTX
information security technology
PPT
Security & ethical challenges
PDF
Information security
PPT
Cyber Risks
PDF
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
PPT
Information Technology Security A Brief Overview 2001
PPT
PPTX
Information Security
Isaca june 19, 2010
Security and ethical challenges in mis
Chapter2 the need to security
Is6120 data security presentation
Security And Ethical Challenges Of Infornation Technology
Chap13 Security and Ethical Challenges
Security and ethical issues - Arber Hoxhallari
Information security management v2010
Overview of Information Security & Privacy
Information security
Security And Ethical Challenges
Cyber security mis
information security technology
Security & ethical challenges
Information security
Cyber Risks
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
Information Technology Security A Brief Overview 2001
Information Security
Ad

Similar to Session#7; securing information systems (20)

PPTX
Lecture 6 Cybersecurity-Basics and .pptx
PPTX
Cryptography and Network Security # Lecture 2
PPTX
Information management unit 4 security,control and reporting
PPSX
Cyber security
PPTX
ID-20305090 Fahim Montasir.pptx
PPT
Information Assurance And Security - Chapter 2 - Lesson 2
PPTX
cybersecurity-ppt.pptx btech unit unknown aktu
PPT
DATA SECURITY AND CONTROL.ppt
PPTX
Hacking the Human - How Secure Is Your Organization?
PPTX
Chapter 2 - Lesson 2.pptx
PPT
ch02_2.ppt
PPT
ch02_2.ppt
PPT
Principles of information security ch02_2.ppt
PPT
ch02_2.ppt principles of information ser.
PDF
Security and ethical challenges
PPTX
Lec 1- Intro to cyber security and recommendations
PPTX
unit-1-is1.pptx
PPTX
cyber security presentation.pptx
PPTX
Management Information Systems ( Security and Control.pptx
Lecture 6 Cybersecurity-Basics and .pptx
Cryptography and Network Security # Lecture 2
Information management unit 4 security,control and reporting
Cyber security
ID-20305090 Fahim Montasir.pptx
Information Assurance And Security - Chapter 2 - Lesson 2
cybersecurity-ppt.pptx btech unit unknown aktu
DATA SECURITY AND CONTROL.ppt
Hacking the Human - How Secure Is Your Organization?
Chapter 2 - Lesson 2.pptx
ch02_2.ppt
ch02_2.ppt
Principles of information security ch02_2.ppt
ch02_2.ppt principles of information ser.
Security and ethical challenges
Lec 1- Intro to cyber security and recommendations
unit-1-is1.pptx
cyber security presentation.pptx
Management Information Systems ( Security and Control.pptx
Ad

More from Omid Aminzadeh Gohari (20)

PPTX
Presentation1
PPTX
Presentation group1 knowledge based marketing
PPTX
Presentation debiasing m-azimi,amshirazi,hdarzi
PPTX
Presentation
PPTX
Presentation
PPTX
Presentation
PPTX
Presentation sepehr
PPTX
Presentation portfolio theory
PPTX
Presentation heuristics
PPTX
Presentation bjt1
PPTX
Pm session11
PPTX
Pm session10
PPTX
Performance management farsi_2
PPTX
Performance management farsi
PPTX
Performance management farsi
PPTX
Performance management farsi
PPTX
Perception and judgements in human relationships
PPTX
Path goal theory
Presentation1
Presentation group1 knowledge based marketing
Presentation debiasing m-azimi,amshirazi,hdarzi
Presentation
Presentation
Presentation
Presentation sepehr
Presentation portfolio theory
Presentation heuristics
Presentation bjt1
Pm session11
Pm session10
Performance management farsi_2
Performance management farsi
Performance management farsi
Performance management farsi
Perception and judgements in human relationships
Path goal theory

Session#7; securing information systems

  • 1. Management Information Systems Securing Information Systems Graduate School of Management & Economics Securing Information Systems 1 N.Karami, MIS-Spring 2012
  • 2. Management Information Systems Securing Information Systems Graduate School of Management & Economics Learning Objectives • Describe the major ethical (Privacy) issues related to information technology and identify situations in which they occur. • Describe the many threats to information security. • Understand the various defense mechanisms used to protect information systems. • Explain IT auditing and planning for disaster recovery. 2 N.Karami, MIS-Spring 2012
  • 3. Management Information Systems Securing Information Systems Graduate School of Management & Economics Computer systems intrusion at TJX 3 N.Karami, MIS-Spring 2012
  • 4. Management Information Systems Securing Information Systems Graduate School of Management & Economics Privacy Issues You Be the Judge Terry Childs: Guilty or not Guilty? 4 N.Karami, MIS-Spring 2012
  • 5. Management Information Systems Securing Information Systems Graduate School of Management & Economics Privacy Court decisions have followed two rules: (1) The right of privacy is not absolute. Your privacy must be balanced against the needs of society. (2) The public’s right to know is superior to the individual’s right of privacy. • Threats to Privacy – Data aggregators, digital dossiers, and profiling – Electronic Surveillance – Personal Information in Databases – Information on Internet Bulletin Boards, Newsgroups, & Social Networking Sites 5 N.Karami, MIS-Spring 2012
  • 6. Management Information Systems Securing Information Systems Graduate School of Management & Economics Data Aggregators, Digital Dossiers, and Profiling 6 N.Karami, MIS-Spring 2012
  • 7. Management Information Systems Securing Information Systems Graduate School of Information on Internet Bulletin Boards, Newsgroups, &Social Networking Sites Management & Economics 9 N.Karami, MIS-Spring 2012
  • 8. Management Information Systems Securing Information Systems Graduate School of Management & Economics Protecting Privacy • Privacy Codes and Policies: An organization’s guidelines with respect to protecting the privacy of customers, clients, and employees. • Opt-out model of informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected. • Opt-in model of informed consent means that organizations are prohibited from collecting any personal information unless the customer specifically authorizes it. 10 N.Karami, MIS-Spring 2012
  • 9. Management Information Systems Securing Information Systems Graduate School of Management & Economics IS Security Management • The goal of security management is the accuracy, integrity, and safety of all information system processes and resources 11 N.Karami, MIS-Spring 2012
  • 10. Management Information Systems Securing Information Systems Graduate School of Management & Economics Factors Increasing the Threats to Information Security • Today’s interconnected, interdependent, wirelessly-networked business environment • Government legislation • Smaller, faster, cheaper computers and storage devices • Decreasing skills necessary to be a computer hacker • International organized crime turning to cybercrime • Downstream liability • Increased employee use of unmanaged devices • Lack of management support 12 N.Karami, MIS-Spring 2012
  • 11. Management Information Systems Securing Information Systems Graduate School of Management & Economics Key Information Security Terms (1) • A threat to an information resource is any danger to which a system may be exposed. • The exposure of an information resources is the harm, loss or damage that can result if a threat compromises that resource. • A system’s vulnerability is the possibility that the system will suffer harm by a threat. • System security focuses on protecting hardware, data, software, computer facilities, and personnel. 15 N.Karami, MIS-Spring 2012
  • 12. Management Information Systems Securing Information Systems Graduate School of Management & Economics Key Information Security Terms (2) • Information security describes the protection of both computer and non-computer equipment, facilities, data, and information from misuse by unauthorized parties. – Includes copiers, faxes, all types of media, paper documents • Risk is the likelihood that a threat will occur. • Information system controls are the procedures, devices, or software aimed at preventing a compromise to the system 16 N.Karami, MIS-Spring 2012
  • 13. Management Information Systems Securing Information Systems Graduate School of Management & Economics Objectives of Information Security 17 N.Karami, MIS-Spring 2012
  • 14. Management Information Systems Securing Information Systems Graduate School of Management & Economics Security Threats 18 N.Karami, MIS-Spring 2012
  • 15. Management Information Systems Securing Information Systems Graduate School of Management & Economics Categories of Threats to Information Systems • Unintentional acts • Natural disasters • Technical failures • Management failures • Deliberate acts (from Whitman and Mattord, 2003) 19 N.Karami, MIS-Spring 2012
  • 16. Management Information Systems Securing Information Systems Graduate School of Management & Economics Human Errors • Tailgating • Shoulder surfing • Carelessness with laptops and portable computing devices • Opening questionable e-mails • Careless Internet surfing • Poor password selection and use 20 N.Karami, MIS-Spring 2012
  • 17. Management Information Systems Securing Information Systems Graduate School of Management & Economics Anti-Tailgating Door 21 N.Karami, MIS-Spring 2012
  • 18. Management Information Systems Securing Information Systems Graduate School of Management & Economics Shoulder Surfing 22 N.Karami, MIS-Spring 2012
  • 19. Management Information Systems Securing Information Systems Graduate School of Management & Economics Most Dangerous Employees Human resources and MIS Remember, these employees hold ALL the information 23 N.Karami, MIS-Spring 2012
  • 20. Management Information Systems Securing Information Systems Graduate School of Management & Economics Deliberate Acts Malicious Software (Malware) • Viruses: Rogue software program that attaches itself to other software programs or data files in order to be executed • Worms: Independent computer programs that copy themselves from one computer to other computers over a network. • Trojan horses: Software program that appears to be benign but then does something other than expected. • Spyware: Programs install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising. 24 N.Karami, MIS-Spring 2012
  • 21. Management Information Systems Securing Information Systems Graduate School of Management & Economics • Hacking is Deliberate Acts Hackers & Crackers – The obsessive use of computers – The unauthorized access and use of networked computer systems – Activities include System intrusion, System damage, Cybervandalism. • Electronic Breaking and Entering – Hacking into a computer system and reading files, but neither stealing nor damaging anything • Cracker – A malicious or criminal hacker who maintains knowledge of the vulnerabilities found for private advantage 25 N.Karami, MIS-Spring 2012
  • 22. Management Information Systems Securing Information Systems Graduate School of Management & Economics • Spoofing Deliberate Acts Common Hacking Tactics (1) • Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers • Sniffer • Eavesdropping program that monitors information traveling over network • Enables hackers to steal proprietary information such as e-mail, company files, etc. • Capturing passwords or entire contents • Scans • Widespread probes of the Internet to determine types of computers, services, and connections • Looking for weaknesses 26 N.Karami, MIS-Spring 2012
  • 23. Management Information Systems Securing Information Systems Graduate School of Management & Economics Deliberate Acts Common Hacking Tactics (2) • Denial-of-service attacks (DoS) • Flooding server with thousands of false requests to crash the network. • Distributed denial-of-service attacks (DDoS) • Use of numerous computers to launch a DoS • Back Doors • A hidden point of entry to be used in case the original entry point is detected or blocked. • War Dialing • Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection • Logic Bombs • An instruction in a computer program that triggers a malicious act 27 N.Karami, MIS-Spring 2012
  • 24. Management Information Systems Securing Information Systems Graduate School of Management & Economics Computer Crime (1) • Identity theft Deliberate Acts • Theft of personal Information (social security id, driver’s license or credit card numbers) to impersonate someone else • Phishing • Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data. • Evil twins • Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet • Pharming • Redirects users to a bogus Web page, even when individual types correct Web page address into his or her browser 28 N.Karami, MIS-Spring 2012
  • 25. Management Information Systems Securing Information Systems Graduate School of Management & Economics Deliberate Acts Computer Crime (2) • Click fraud • Occurs when individual or computer program fraudulently clicks on online ad without any intention of learning more about the advertiser or making a purchase 29 N.Karami, MIS-Spring 2012
  • 26. Management Information Systems Securing Information Systems Graduate School of Management & Economics Information Systems Controls • General controls • Govern design, security, and use of computer programs and security of data files in general throughout organization’s information technology infrastructure. • Apply to all computerized applications • Combination of hardware, software, and manual procedures to create overall control environment • Application controls • Physical controls • Access controls • Communications (network) controls • MIS auditing 30 N.Karami, MIS-Spring 2012
  • 27. Management Information Systems Securing Information Systems Graduate School of Management & Economics Where Defense Mechanisms (Controls) are Located 31 N.Karami, MIS-Spring 2012
  • 28. Management Information Systems Securing Information Systems Access Control Graduate School of Management & Economics • Policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders • Access control three-step process includes: • User identification • User authentication • Something the user is: Biometric authentication: Facial recognition, Hand Geometry, Fingerprint Scan, Palm scan, Retina scan, Iris Scan • Something the user does: Signature, Voice recognition • Something the user has: Regular ID card, Smart ID card or token • Something the user knows: Passwords, passphrases • User authorization 32 N.Karami, MIS-Spring 2012
29. Communication or Network Controls
• Firewalls
• Anti-malware systems
• Whitelisting and blacklisting
• Intrusion detection systems
• Encryption
30. Firewalls
• A gatekeeper system that protects a company’s intranets and other computer networks from intrusion
• Provides a filter and a safe transfer point for access to and from the Internet and other networks
• Important for individuals who connect to the Internet with DSL or cable modems
• Can deter hacking, but cannot prevent it
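Worked example (added here, not from the slides or the textbook): a stateless packet filter of the kind the slide calls a gatekeeper, written in Python. Rules are checked in order, the first match decides, and anything unmatched falls through to a default deny. The networks, rules and sample packets are constructed for the example using documentation address ranges; the class and function names are assumptions.

```python
"""Stateless packet filter: an ordered rule list evaluated first-match-wins,
with a default deny. Added example with constructed rules and packets."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    direction: str    # "in" = arriving from the Internet, "out" = leaving the intranet

@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    direction: str    # "in", "out" or "any"
    src: str          # CIDR network
    dst: str          # CIDR network
    proto: str        # "tcp", "udp" or "any"
    dport: object     # port number or "any"
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in ("any", pkt.dport))

INTERNAL, DMZ_WEB, ANYWHERE = "10.0.0.0/8", "10.0.5.0/24", "0.0.0.0/0"

RULES = [
    # Packets arriving from outside must never claim an internal source address.
    Rule("deny",  "in",  INTERNAL, ANYWHERE, "any", "any", "anti-spoofing"),
    # Only the public web tier is reachable from the Internet, and only on web ports.
    Rule("allow", "in",  ANYWHERE, DMZ_WEB, "tcp", 443, "public HTTPS to web tier"),
    Rule("allow", "in",  ANYWHERE, DMZ_WEB, "tcp", 80,  "public HTTP to web tier"),
    # Staff may browse and resolve names; everything else leaving is blocked too.
    Rule("allow", "out", INTERNAL, ANYWHERE, "tcp", 443, "outbound HTTPS"),
    Rule("allow", "out", INTERNAL, ANYWHERE, "udp", 53,  "outbound DNS"),
]

def filter_packet(pkt: Packet, rules=RULES):
    """Return (action, reason) for one packet. Order matters: the first matching
    rule decides, and a packet that matches nothing hits the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny"

def filter_log(packets, rules=RULES):
    """Apply the filter to a batch and return one log line per packet."""
    lines = []
    for pkt in packets:
        action, reason = filter_packet(pkt, rules)
        lines.append(f"{action.upper():5} {pkt.direction:3} {pkt.proto}/{pkt.dport} "
                     f"{pkt.src} -> {pkt.dst} ({reason})")
    return lines

SAMPLE_PACKETS = [   # constructed traffic using documentation address ranges
    Packet("198.51.100.7", "10.0.5.10", "tcp", 443, "in"),      # customer -> web tier
    Packet("198.51.100.7", "10.0.5.10", "tcp", 3389, "in"),     # RDP probe -> default deny
    Packet("10.0.1.5", "10.0.5.10", "tcp", 443, "in"),          # spoofed internal source
    Packet("10.0.1.5", "203.0.113.20", "tcp", 443, "out"),      # staff browsing
    Packet("10.0.1.5", "203.0.113.20", "tcp", 25, "out"),       # direct outbound SMTP, blocked
]

if __name__ == "__main__":
    print("\n".join(filter_log(SAMPLE_PACKETS)))
```

The first sample packet is the slide's "deter but not prevent" caveat in miniature: the filter passes it because the addresses, protocol and port are permitted, and it has no view of what that HTTPS connection then carries. That is why the next two slides add intrusion detection and anti-malware controls behind the firewall.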
31. Basic Home Firewall (top) and Corporate Firewall (bottom) (figure slide)
32. Intrusion Detection Systems and Antivirus Software
• Intrusion detection systems:
  • Monitor hot spots on corporate networks to detect and deter intruders
  • Examine events as they are happening to discover attacks in progress
• Antivirus and antispyware software:
  • Checks computers for the presence of malware and can often eliminate it as well
  • Requires continual updating
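Worked example (added here; not from the slides): what "examining events as they are happening" looks like in code. Two detection rules run over a constructed log in arrival order, each keeping a sliding time window per source address: a brute-force rule that fires on repeated failed logins, and a port-sweep rule that fires when one source touches many distinct ports. The log format, the thresholds and the function names are assumptions made for this example.

```python
"""Two intrusion-detection rules run over constructed log lines: a brute-force
rule (repeated failed logins from one source inside a time window) and a
port-sweep rule (one source hitting many distinct ports). Added example, not
the lecture's material; the log format and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_LOGIN = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)")
FW_DROP = re.compile(r"^(\S+) fw: DROP src=(\S+) dst=\S+ dport=(\d+)")

class WindowCounter:
    """Per key, count the distinct items seen inside a sliding window of W seconds."""
    def __init__(self, window_seconds: int):
        self.window = window_seconds
        self.events = defaultdict(deque)      # key -> deque of (timestamp, item)

    def add(self, key, when: datetime, item) -> int:
        q = self.events[key]
        q.append((when, item))
        while q and (when - q[0][0]).total_seconds() > self.window:
            q.popleft()                       # expire events older than the window
        return len({item for _, item in q})

def detect(lines, window=60, max_failures=5, max_ports=10):
    """Examine events in arrival order and raise an alert the moment a
    threshold is crossed (once per burst, not again for every later event)."""
    alerts = []
    failures, sweeps = WindowCounter(window), WindowCounter(window)
    for seq, line in enumerate(lines):        # seq keeps each failure distinct
        if m := FAILED_LOGIN.match(line):
            when, user, src = datetime.fromisoformat(m[1]), m[2], m[3]
            if failures.add(src, when, seq) == max_failures:
                alerts.append(f"brute-force: {max_failures} failed logins from {src} "
                              f"within {window}s (last account tried: {user})")
        elif m := FW_DROP.match(line):
            when, src, port = datetime.fromisoformat(m[1]), m[2], int(m[3])
            if sweeps.add(src, when, port) == max_ports:
                alerts.append(f"port-sweep: {src} probed {max_ports} distinct ports "
                              f"within {window}s")
    return alerts

# Constructed sample log (documentation IP ranges, fabricated timestamps).
SAMPLE_LOG = """\
2012-04-02T09:00:01 sshd: Failed password for admin from 203.0.113.9 port 51012
2012-04-02T09:00:02 sshd: Failed password for admin from 203.0.113.9 port 51013
2012-04-02T09:00:03 sshd: Failed password for root from 203.0.113.9 port 51014
2012-04-02T09:00:04 sshd: Failed password for root from 203.0.113.9 port 51015
2012-04-02T09:00:05 sshd: Failed password for oracle from 203.0.113.9 port 51016
2012-04-02T09:00:06 sshd: Failed password for oracle from 203.0.113.9 port 51017
2012-04-02T09:00:07 sshd: Accepted publickey for karami from 10.0.1.5 port 40022
2012-04-02T09:00:10 fw: DROP src=198.51.100.44 dst=10.0.5.10 dport=21
2012-04-02T09:00:11 fw: DROP src=198.51.100.44 dst=10.0.5.10 dport=22
2012-04-02T09:00:12 fw: DROP src=198.51.100.44 dst=10.0.5.10 dport=23
2012-04-02T09:00:13 fw: DROP src=198.51.100.44 dst=10.0.5.10 dport=25
2012-04-02T09:00:14 fw: DROP src=198.51.100.44 dst=10.0.5.10 dport=110
2012-04-02T09:00:15 fw: DROP src=198.51.100.44 dst=10.0.5.10 dport=135
2012-04-02T09:00:16 fw: DROP src=198.51.100.44 dst=10.0.5.10 dport=139
2012-04-02T09:00:17 fw: DROP src=198.51.100.44 dst=10.0.5.10 dport=445
2012-04-02T09:00:18 fw: DROP src=198.51.100.44 dst=10.0.5.10 dport=1433
2012-04-02T09:00:19 fw: DROP src=198.51.100.44 dst=10.0.5.10 dport=3389
2012-04-02T09:00:30 fw: DROP src=198.51.100.80 dst=10.0.5.10 dport=23
2012-04-02T09:05:00 sshd: Failed password for karami from 10.0.1.5 port 40023
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single mistyped password from 10.0.1.5 and the lone dropped packet from 198.51.100.80 produce nothing, which is the point of windowed thresholds: the detector reacts to a pattern over time, not to one event, and the window length is the tuning knob between missed attacks and false alarms.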
33. Encryption
• Encryption: transforming text or data into cipher text that cannot be read by unintended recipients
• Two alternative methods of encryption:
  • Symmetric key encryption: sender and receiver use a single, shared key
  • Public key encryption: uses two mathematically related keys, a public key and a private key
    • Sender encrypts the message with the recipient’s public key
    • Recipient decrypts it with the private key
34–35. Public/Private Key Encryption (figure slides)
36. Digital Certificate
• Digital certificate: data file used to establish the identity of users and electronic assets for the protection of online transactions
• Uses a trusted third party, a certification authority (CA), to validate a user’s identity
• The CA verifies the user’s identity and stores the information on the CA server, which generates an encrypted digital certificate containing the owner’s ID information and a copy of the owner’s public key
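Worked example covering both slide 33 (symmetric versus public key encryption) and slide 36 (digital certificates); it is added here and is not from the slides or the textbook. Symmetric encryption is shown with an HMAC-based keystream that both parties derive from the one shared key; public key encryption is shown with textbook RSA on small, fixed primes so the public/private relationship is visible in a few lines; and the certificate step shows the CA using its own private key to bind an owner's ID to the owner's public key, so that anyone holding the CA's public key can check the binding. The primes, the owner name, the session key and all function names are constructed for this example, and the toy parameters are far too small and unpadded for real use.

```python
"""Shared-key encryption, public-key encryption, and a CA-issued digital
certificate that binds an owner's identity to a public key. Added example with
toy, constructed parameters; not the lecture's material."""
import hashlib
import hmac
import json

# ---- Symmetric key encryption: sender and receiver hold the same secret key ----
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256 over a counter (a PRF run in counter
    mode). Production systems use an authenticated cipher such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def symmetric_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; the same call encrypts and decrypts,
    which is exactly why both parties must hold the one shared key."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

# ---- Public key encryption: two mathematically related keys ----
# Textbook RSA on fixed primes. Toy parameters: a ~60-bit modulus with no
# padding is insecure and exists only to make the key relationship concrete.
ALICE_PRIMES = (2147483647, 4294967311)   # constructed: 2^31-1 and the first prime above 2^32
CA_PRIMES = (1000000007, 998244353)       # constructed: two other well-known primes

def rsa_keypair(p: int, q: int, e: int = 65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)            # (public key, private key)

def rsa_apply(key, m: int) -> int:
    n, exponent = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, exponent, n)

def encrypt_for(recipient_public, m: int) -> int:
    """The sender encrypts with the RECIPIENT'S public key..."""
    return rsa_apply(recipient_public, m)

def decrypt_with(recipient_private, c: int) -> int:
    """...and only the holder of the matching private key can reverse it."""
    return rsa_apply(recipient_private, c)

# ---- Digital certificate: the CA binds (owner ID, owner public key) with its private key ----
def digest_int(data: bytes, n: int) -> int:
    """SHA-256 of the data, truncated to 56 bits so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:7], "big") % n

def cert_body(owner_id: str, owner_public) -> bytes:
    return json.dumps({"owner": owner_id, "public_key": list(owner_public)},
                      sort_keys=True).encode()

def issue_certificate(ca_private, owner_id: str, owner_public) -> dict:
    """After verifying the owner's identity out of band, the CA signs the body
    with its private key; that signature is what makes the certificate trustworthy."""
    body = cert_body(owner_id, owner_public)
    signature = rsa_apply(ca_private, digest_int(body, ca_private[0]))
    return {"owner": owner_id, "public_key": tuple(owner_public), "signature": signature}

def verify_certificate(cert: dict, ca_public) -> bool:
    """Anyone with the CA's public key can check the binding without contacting
    the CA: undo the signature with the public key and compare the hashes."""
    expected = digest_int(cert_body(cert["owner"], cert["public_key"]), ca_public[0])
    return rsa_apply(ca_public, cert["signature"]) == expected

def exchange(session_key: int = 0x0123456789ABCD) -> bool:
    """Bob sends Alice a session key: he verifies Alice's certificate against the
    CA's public key, encrypts with the public key it vouches for, and Alice
    decrypts with her private key; that key then protects the traffic with the
    symmetric method above. Returns True when every step round-trips."""
    alice_pub, alice_priv = rsa_keypair(*ALICE_PRIMES)
    ca_pub, ca_priv = rsa_keypair(*CA_PRIMES)
    cert = issue_certificate(ca_priv, "alice@example.com", alice_pub)
    if not verify_certificate(cert, ca_pub):
        return False
    recovered = decrypt_with(alice_priv, encrypt_for(cert["public_key"], session_key))
    shared, nonce = recovered.to_bytes(7, "big"), b"nonce-01"
    ct = symmetric_crypt(shared, nonce, b"wire transfer 1000")
    return recovered == session_key and symmetric_crypt(shared, nonce, ct) == b"wire transfer 1000"

if __name__ == "__main__":
    print("exchange succeeded:", exchange())
```

Two things the slides state become checkable here: a message encrypted with Alice's public key only decrypts with her private key, and a certificate whose public key has been swapped, or which is checked against the wrong CA key, fails verification. The exchange function also shows why the two methods are used together in practice: public key operations establish who holds which key, and the shared key they deliver does the bulk encryption.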
37. How Digital Certificates Work (figure slide)
38. Communication or Network Controls (continued)
• Virtual private networking
• Secure Sockets Layer (SSL; now Transport Layer Security, TLS)
• Employee monitoring systems
39. Virtual Private Network and Tunneling (figure slide)
40. Employee Monitoring System (figure slide)
41. The Role of Auditing
• MIS audit:
  • Examines the firm’s overall security environment as well as the controls governing individual information systems
  • Reviews technologies, procedures, documentation, training, and personnel
  • May even simulate a disaster to test the response of the technology, the IS staff, and other employees
  • Lists and ranks all control weaknesses and estimates the probability of their occurrence
  • Assesses the financial and organizational impact of each threat
42. Sample Auditor’s List of Control Weaknesses
This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system at a local commercial bank. The form helps auditors record and evaluate control weaknesses, and it shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.