
CH10: IS Security and Controls 10.1.

Information Systems Security: precautions taken to keep all aspects of info sys (e.g. hardware, software, network equipment, data, and facilities) safe from unauthorised use or access.

Primary Threats to Info Sys Security (isn't it basically all threats?????):
1. Accidents and natural disasters: inexperienced or careless computer operators, cats walking across keyboards, power outages, hurricanes, and so on.
2. Employees and consultants: people within an organisation who have access to electronic files.
3. Links to outside business contacts: electronic info can be at risk when it travels between or among business affiliates as part of doing business.
4. Outsiders: hackers and crackers who penetrate networks and computer systems to snoop or cause damage (viruses as well).

Info sys are most often compromised through one or more of the following:
i. Unauthorised access: occurs whenever people who are not authorised to see, manipulate, or otherwise handle information do so (whatever it is, it is wrong; even peeking is wrong!).
ii. Information modification: occurs when someone (insider or outsider) accesses electronic information and then changes it in some way.
iii. Computer viruses. Worms: a variation of virus that targets networks; worms take advantage of security holes in operating systems and other software to replicate endlessly across the internet, causing servers to crash, which denies service to internet users.
iv. Denial of service: electronic intruders deliberately attempt to prevent legitimate users of a service from using that service, often by using up all of the system's resources. Zombie computers are used to launch attacks on popular websites.
v. Spyware: any software that covertly gathers info about a user through an internet connection without the user's knowledge. Spam: electronic junk mail, usually for the purpose of advertising; a nuisance that wastes time and eats up storage and network bandwidth. Utilises zombies too. May involve hoaxes, virus attachments, phishing.
Spim: spam over instant text messaging. Prevent bots from automatically submitting online forms by using CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart).
Cookies: a message passed to a web browser on the user's computer by a web server. The browser then stores the message in a text file, and the message is sent back to the server each time the user's browser requests a page from that server.
Other Threats to Info Sys Security: organisations and individuals do not exercise proper care in safeguarding information.

10.2 Safeguarding Info Sys Resources
Risk analysis: process in which you assess the value of the assets being protected, determine the likelihood of their being compromised, and compare the probable costs of taking measures against the costs of not taking them. Tells us what steps to take:
Risk reduction: taking active countermeasures to protect your systems, such as installing firewalls.
Risk acceptance: implementing NO countermeasures and simply absorbing any damages incurred.
Risk transference: having someone else absorb the risk, such as by investing in insurance or by outsourcing certain functions to another organisation with specific expertise.

Two broad categories of safeguards for reducing risk: technological and human.

Technological Safeguards
Physical access restrictions: access is limited by making it dependent on something you have (keys, smart cards), something you know (passwords), and something you are (called biometrics).
Access control software: users can access only the files related to their work; access can also be restricted to a time period, or to read-only, edit, or delete permissions accordingly.
Wireless LAN control.
Virtual Private Networks (VPN): a network connection that is constructed dynamically within an existing network (often called a secure tunnel) in order to connect users or nodes. Tunnelling: creating an encrypted tunnel to send secure (private) data over the internet (public).
Firewalls (both hardware and software): designed to detect intrusion and prevent unauthorised access to or from a private network. Approaches:
a) Packet filtering: examine each data packet entering or leaving the network and then accept or reject each packet based on predefined rules.
b) Application-level control: control applied only to specific applications.
c) Circuit-level control: detects when certain types of connection have been made; after that, packets can flow without further checking.
d) Proxy server: creates the appearance of an alternative server that intercepts all messages entering and leaving the network, thus hiding the true network address.
Firewall architecture: the complexity and power of the firewall change as the situation gets more complex.
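Packet filtering as described in a): an added illustration (not part of the original notes) of a rule list that accepts or rejects each packet on first match, with a default-deny when nothing matches. The private network range, rule set and sample packets are constructed for the example.

```python
# Added example: a minimal packet-filtering firewall evaluating each packet
# against an ordered list of predefined rules (first match wins, default deny).
# The network ranges, rules and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "reject"
    proto: Optional[str] = None  # None matches any protocol
    src: str = "0.0.0.0/0"       # source network, CIDR notation
    dst: str = "0.0.0.0/0"       # destination network, CIDR notation
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule covers the packet."""
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))

# Constructed policy: the private network is 10.0.0.0/8. Outsiders may reach
# only the web server 10.0.0.5 on ports 443 and 80; inside hosts may send
# traffic out; every other packet entering the private network is rejected.
RULES = [
    Rule("accept", "tcp", dst="10.0.0.5/32", dport=443),
    Rule("accept", "tcp", dst="10.0.0.5/32", dport=80),
    Rule("accept", src="10.0.0.0/8"),          # inside hosts out (or inside-to-inside)
    Rule("reject", dst="10.0.0.0/8"),          # everything else inbound is rejected
]

def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule; reject if none matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "reject"   # default deny: an unmatched packet never slips through
```

The final default-deny return is the part to check in any real rule set: a filter whose last line is "accept anything" only blocks what someone remembered to list.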

Encryption: process of encoding messages before they enter the network or airwaves, then decoding them at the receiving end. Public key: freely distributed; get this first to encrypt a message before sending it to Jane. Private key: kept secret; only Jane has it, and it is needed to decrypt the message.
Virus monitoring and prevention.
Audit control software: used to keep track of computer activity so that auditors can spot suspicious activity and take action. Designed so that both authorised and unauthorised users leave electronic footprints.
Dedicated facilities: threats include floods, hurricanes, terrorism, power outages, and seismic activity.

Human Safeguards: ethical standards; federal and state laws; effective management.

10.3 Managing Info Sys Security
Planning process steps: 1) Risk analysis 2) Develop policies and procedures 3) Implementation 4) Training 5) Ongoing auditing.
Disaster planning: designing the recovery plan.
Responding to a security breach: after a security breach, the organisation should perform new audits, implement new countermeasures, and possibly inform law enforcement agencies of the breach.
