|


 


 OBJECTIVES

R Explain why information systems need special

protection from destruction, error, and abuse

R Assess the business value of security and control

R Evaluate elements of an organizational and

managerial framework for security and control
 OBJECTIVES

R Evaluate the most important tools and

technologies for safeguarding information
resources

R Identify the challenges posed by information

systems security and control and management
solutions
 |ANAGE|ENT CHALLENGES

R






 

  
 
  


R 




 

 SYSTE| VULNERABILITY AND ABUSE

Why Systems Are Vulnerable

Contemporary Security Challenges and Vulnerabilities

Figure 10-1
 SYSTE| VULNERABILITY AND ABUSE

Telecommunication Network Vulnerabilities

 SYSTE| VULNERABILITY AND ABUSE

Internet Vulnerabilities:

R Use of fixed Internet addresses through use of

cable modems or DSL

R Lack of encryption with most Voice over IP (VoIP)

R Widespread use of e-mail and instant messaging

(I|)
 System Vulnerability and Abuse

Internal Threats: Employees

R Security threats often originate inside an
organization
R Social engineering

Software Vulnerability
R Commercial software contains flaws that create
security vulnerabilities
R Patches
 SYSTE| VULNERABILITY AND ABUSE

Wireless Security Challenges:

R Radio frequency bands are easy to scan

R The service set identifiers (SSID) identifying the

access points broadcast multiple times
 SYSTE| VULNERABILITY AND ABUSE

Wi-Fi Security Challenges

Figure 10-2
 SYSTE| VULNERABILITY AND ABUSE

|alicious Software: Viruses, Worms, Trojan Horses

Hackers and Cybervandalism

R Computer viruses, worms, trojan horses
R Spyware
R Spoofing and Sniffers
R Denial of Service (DoS) Attacks
R Identity theft
R Cyberterrorism and Cyberwarfare
R Vulnerabilities from internal threats (employees);
software flaws
 SYSTE| VULNERABILITY AND ABUSE

Concerns for System Builders and Users

R 


  


  

 




R 







 



 

R  

 
  
 
  
 

 !

 
 
 SYSTE| VULNERABILITY AND ABUSE

R Bugs
Program code defects or errors
R |aintenance Nightmare
|aintenance costs high due to
organizational change, software
complexity, and faulty system analysis
and design
 SYSTE| VULNERABILITY AND ABUSE

Points in the Processing Cycle where Errors can Occur

Figure 14-2
2

   
 Overview

  

R "

 
 



R 
 
     


R 

# 
 

 
 



  



 Business Value of Security and Control

R Failed computer systems can lead to a significant

or total loss of business function
R Firms are now more vulnerable than they have ever
been
R A security breach may cut into a firm¶s market
value almost immediately
R Inadequate security and controls also bring forth
issues of liability
 BUSINESS VALUE OF SECURITY AND CONTROL

R Inadequate security and control may create serious

legal liability.

R Businesses must protect not only their own information

assets but also those of customers, employees, and
business partners. Failure to do so can lead to costly
litigation for data exposure or theft.

R A sound security and control framework that protects

business information assets can thus produce a high
return on investment.
 BUSINESS VALUE OF SECURITY AND CONTROL

Legal and Regulatory Requirements for Electronic

Records |anagement

R Electronic Records |anagement (ER|): Policies,

procedures and tools for managing the retention,
destruction, and storage of electronic records
 BUSINESS VALUE OF SECURITY AND CONTROL

Electronic Evidence and Computer Forensics

R Electronic Evidence: Computer data stored on disks

and drives, e-mail, instant messages, and e-
commerce transactions

R Computer Forensics: Scientific collection,

examination, authentication, preservation, and
analysis of computer data for use as evidence in a
court of law
  

 CREATING A CONTROL ENVIRON|ENT

'

  
#

 !   



  
  
R $
 


 


 
 

 
 
  
R %
 '

  
&'  



('  
 
 
)' 

*' 
 

  

 CREATING A CONTROL ENVIRON|ENT

   

R +
 

 

 

R $
 
   

Establishing a Framework for Security and Control
R Downtime
R Fault-tolerant computer systems
R High-availability computing
R Recovery-oriented computing
R Disaster recovery planning
R Business continuity planning
R Security outsourcing (managed security service
providers)
R Downtime: Period of time in which a system is not
operational

R Fault-tolerant computer systems: Redundant

hardware, software, and power supply components to
provide continuous, uninterrupted service

R High-availability computing: Designing to maximize

application and system availability
R High-
High-availability computing:
computing: Tools and
technologies enabling system to recover from a
crash

R Load balancing:
balancing: Distributes large number of
requests for access among multiple servers
 Risk Assessment:

R Determines the level of risk to the firm if a specific

activity or process is not properly controlled

Security Policy:

Policy ranking information risks, identifying acceptable

security goals, and identifying the mechanisms for
achieving these goals
R Acceptable Use Policy (AUP)

R Authorization policies
R Load balancing: Distributes access requests across
multiple servers

R |irroring: Backup server that duplicates processes on

primary server

R Recovery-oriented computing: Designing computing

systems to recover more rapidly from mishaps
R Disaster recovery planning: Plans for restoration of
computing and communications disrupted by an
event such as an earthquake, flood, or terrorist
attack

R Business continuity planning: Plans for handling

mission-critical functions if systems go down
Auditing:

R |IS audit: Identifies all of the controls that govern

individual information systems and assesses their
effectiveness

R Security audits: Review technologies, procedures,

documentation, training, and personnel
 The Role of Auditing

R |IS audit
R Identifies the controls that govern information
systems and assesses their effectiveness
R Auditor conducts interviews with key
individuals
R Examines security, application controls,
overall integrity controls, and control
disciplines
Sample Auditor¶s List of Control
Weaknesses

Figure 14-8
 

R 
,  
 


R

 
 


 




R  

  

 




R -!
 
. /

 
  

 
#   



R
#.  
  

 

 

   

R "
.0#



  






   




%

  % 
 Access Control

Access control: Consists of all the policies and

procedures a company uses to prevent improper access
to systems by unauthorized insiders and outsiders

Authentication:
R Passwords

R Tokens, smart cards

R Biometric authentication
 Firewalls, Intrusion Detection Systems, and
Antivirus Software

R Firewalls: Hardware and software controlling flow of

incoming and outgoing network traffic

R Intrusion detection systems: Full-time monitoring

tools placed at the most vulnerable points of
corporate networks to detect and deter intruders
A Corporate Firewall

Figure 10-7
R Antivirus software: Software that checks computer
systems and drives for the presence of computer
viruses and can eliminate the virus from the infected
area

R Wi-Fi Protected Access specification

 Encryption and Public Key Infrastructure

R Encryption: transforming text or data into cipher

text that cannot be read by unintended recipients
R Secure Sockets Layer (SSL)
R Transport Layer Security (TLS)
R Secure Hypertext Transfer Protocol (S-HTTP)
R Public key encryption
R Digital signature
R Digital certificate
R Public key infrastructure (PKI)
 Encryption and Public Key Infrastructure

R Public key encryption: Uses two different keys, one

private and one public. The keys are mathematically
related so that data encrypted with one key can be
decrypted using only the other key

R |essage integrity: The ability to be certain that the

message being sent arrives at the proper destination
without being copied or changed
Public Key Encryption

Figure 10-8
R Digital signature: A digital code attached to an
electronically transmitted message that is used to
verify the origin and contents of a message

R Digital certificates: Data files used to establish the

identity of users and electronic assets for protection
of online transactions

R Public Key Infrastructure (PKI): Use of public key

cryptography working with a certificate authority
Digital Certificates

Figure 10-9
R Secure Sockets Layer (SSL) and its successor
Transport Layer Security (TLS): protocols for secure
information transfer over the Internet; enable client
and server computer encryption and decryption
activities as they communicate during a secure Web
session.

R Secure Hypertext Transfer Protocol (S-HTTP): used for

encrypting data flowing over the Internet; limited to
Web documents, whereas SSL and TLS encrypt all
data being passed between client and server.
-

 ! 
|anagement Opportunities:

Creation of secure, reliable Web sites

and systems that can support e-
commerce and e-business strategies
|anagement Challenges:

R Designing systems that are neither

overcontrolled nor undercontrolled

R Implementing an effective security policy

Solution Guidelines:

R Security and control must become a more visible

and explicit priority and area of information systems
investment.

R Support and commitment from top management is

required to show that security is indeed a corporate
priority and vital to all aspects of the business.

R Security and control should be the responsibility of

everyone in the organization.