
Assets and Threats: Information System Assets That Must Be Protected



Presentation Transcript


  1. Chapter 17 Controls and Security Measures. Assets and Threats. Information System Assets That Must Be Protected • People • Hardware • Software • Operating systems • Applications • Data • Networks

  2. Main Sources of Security Threats • Hardware failure • Software failure (unknown bug) • Fire • Electrical problem • Natural disaster (flood, hurricane, tornado, etc.) • Alteration or destruction of data • Human error • Unauthorized access (internal or external) • Theft of data, information, services, equipment, or money • Telecommunications problems • Computer viruses

  3. II. Classifications For Controls • Classification 1 • Preventive control – a constraint designed to prevent a security risk from occurring • Use of passwords for systems access • Detective control – a constraint designed to detect a security risk as it occurs • Virus detection software • Corrective control – a constraint designed to correct a breach of security after it has occurred • A disaster recovery plan

  4. Classifications For Controls • Classification 2 • General controls establish a framework for controlling the design and use of information system assets and operations • Software controls – monitor the use of system software • Hardware controls – provisions for protection from fire • Computer operations controls – backup and recovery procedures • Data security controls – unauthorized access • Implementation controls – audit the systems development process • Administrative controls – implement procedures to ensure controls are properly executed and enforced • Application controls • Input controls – check data for accuracy • Processing controls – establish that data are complete and accurate results are obtained • Output controls – ensure that results are properly distributed

  5. Management Analysis For Reducing Threats: 1

  6. Management Analysis For Reducing Threats: 2

  7. III. Risk Management • Risk management consists of • the identification of risks or threats • the implementation of controls • the monitoring of the controls for effectiveness • Risk assessment is a risk management activity that attempts to determine • What can go wrong? • How likely is it to go wrong? • What are the consequences if it does go wrong?

  8. The Economic Aspect of Risk Management - 1 • Two types of costs to consider when determining how much to spend on data security: • The cost of potential damage • The cost of implementing a preventive measure • The total cost of potential damage is the aggregate of all the potential damages multiplied by the probability of the occurrence of the damage. These numbers can be difficult to estimate.

  9. The Economic Aspect of Risk Management - 2 • Figure 17.12: The total cost to the enterprise is lowest at “Optimum.” No less, and no more, should be spent on information security measures.
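The cost model from the two slides above, worked through in code as an added example (not part of the original deck). Threat damages, probabilities and the candidate spending levels are constructed sample values; total cost is spend plus residual expected damage, and the "Optimum" of Figure 17.12 is the spending level that minimises it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    damage: float        # loss if the event occurs (currency units)
    probability: float   # chance of occurrence in the period considered

@dataclass(frozen=True)
class Measure:
    spend: float         # cost of implementing this level of preventive measures
    reduction: float     # fraction by which it cuts every threat's probability (assumed)

def expected_damage(threats, reduction=0.0):
    """Aggregate of damage * probability, with probabilities scaled by (1 - reduction)."""
    return sum(t.damage * t.probability * (1.0 - reduction) for t in threats)

def total_cost(threats, measure):
    """Cost of the measure plus the expected damage that remains after it."""
    return measure.spend + expected_damage(threats, measure.reduction)

def optimum(threats, measures):
    """The spending level at which the total cost curve is lowest."""
    return min(measures, key=lambda m: total_cost(threats, m))

# Constructed sample data: a few threats from slide 2 with made-up numbers.
THREATS = [
    Threat("hardware failure", damage=50_000, probability=0.10),
    Threat("computer virus", damage=20_000, probability=0.30),
    Threat("unauthorized access", damage=200_000, probability=0.02),
    Threat("fire", damage=500_000, probability=0.005),
]

# Constructed spending levels: more spend buys diminishing extra reduction.
MEASURES = [
    Measure(spend=0, reduction=0.0),
    Measure(spend=5_000, reduction=0.5),
    Measure(spend=10_000, reduction=0.75),
    Measure(spend=20_000, reduction=0.9),
]

if __name__ == "__main__":
    for m in MEASURES:
        print(f"spend {m.spend:>6}: total cost {total_cost(THREATS, m):>9.2f}")
    best = optimum(THREATS, MEASURES)
    print(f"optimum: spend {best.spend}")
```

With these numbers the curve is U-shaped: spending nothing leaves an expected damage of 17,500, spending 5,000 gives the lowest total (13,750), and spending more than that costs more than it saves.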

  10. IV. Telecommunication Network Vulnerabilities • Due to the complex and diverse hardware, software, organizational and personnel arrangements required for telecommunication networks, there are many areas of vulnerability • Natural failures of hardware and software • Misuse by programmers, computer operators, maintenance staff, and end users • Tapping of lines and illegal intercepts of data • Interference such as crosstalk • Interference from radiation of other devices

  11. Special Threats to the Internet • Viruses • Web defacing • Spoofing • Denial of service attacks • Hackers

  12. Computer Viruses • Viruses – a computer virus is software that is written with malicious intent to cause annoyance or damage. Viruses can be benign or malignant • A benign virus displays a message or slows down a computer but does not destroy information • A malignant virus can do damage to your computer system such as scrambling or deleting files, shutting your computer down, or making applications not function. • Viruses spread by copying infected files from someone else’s disk or by receiving infected files as an email attachment.

  13. More On Viruses • A macro virus is a malignant virus that spreads by binding itself to application software like Word or Excel and makes copies of itself (replicates) each time you use the application. If you have such a virus on your computer you can infect another machine by attaching an infected file to an email. The email recipient infects their machine as soon as they open the attachment. • Worms are particularly nasty macro viruses because they spread from computer to computer rather than file to file. Worms do not need your help; worms find your email address book and send themselves to your contacts.

  14. Other Threats To the Internet • Web defacing – people break into a Web site and replace the site with a substitute site that is neither attractive nor complimentary; electronic graffiti • Spoofing – the perpetrator uses flaws in the domain name system (DNS) software used on the Internet to redirect a potential Web site visitor to an alternate site that is usually not complimentary to the real site owner. This is similar to someone switching your name with someone else’s in a telephone directory • Denial of service attack (DoS) – this occurs when too many requests are received to log on to a Web site’s page. Multiple log-on requests are perpetrated by specially designed software that can automatically generate log-in requests over a long period of time. • Distributed denial of service attacks (DDoS) are denial of service attacks that are perpetrated from multiple computers

  15. Hackers • A hacker is a person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure. • Hackers are responsible for computer viruses, Web defacing, spoofing, and denial of service attacks • Seventy-three percent of respondents to a survey in 1998 of 1600 companies in 50 countries reported security breaches • 58% of the breaches were from authorized employees • 24% of the breaches were from unauthorized employees • 13% of the breaches were from hackers or terrorists

  16. Examples of Network/Internet Controls - 1 • Anti-virus software detects and removes or quarantines computer viruses. You must update your anti-virus software frequently since new viruses come along every day. • Firewalls are hardware and/or software that protect a computer or network from intruders. Firewalls also can detect if your computer is communicating with the Internet without your approval • A callback control verifies a remote user’s telephone number before access is allowed

  17. Examples of Network/Internet Controls - 2 • Access controls check who you are before you can have access. Ways to check on access are (1) passwords, (2) special ID cards, or (3) biometrics (fingerprints, voice, retina of your eye). • Encryption codes a message to prevent unauthorized access to or understanding of the data being transmitted. • For Web transactions SSL and SHTTP are the encryption standards • When you access data on a secure server the communication between your browser and the secure server is encrypted • Intrusion-detection software looks for people on a network who are acting suspiciously (e.g., trying lots of passwords)
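The "trying lots of passwords" check that slide 17 attributes to intrusion-detection software, as an added example that is not part of the original deck. The log format and the log lines are constructed for this example (the addresses are documentation ranges); the detector flags any source with at least `threshold` failed logins inside a sliding window of `window_minutes`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an invented, sshd-like format (not real data).
SAMPLE_LOG = """\
2024-03-01 10:00:01 auth: FAILED password for alice from 203.0.113.7
2024-03-01 10:00:03 auth: FAILED password for bob from 203.0.113.7
2024-03-01 10:00:04 auth: FAILED password for carol from 203.0.113.7
2024-03-01 10:00:06 auth: FAILED password for dave from 203.0.113.7
2024-03-01 10:00:07 auth: FAILED password for root from 203.0.113.7
2024-03-01 10:00:09 auth: ACCEPTED password for erin from 198.51.100.20
2024-03-01 10:30:00 auth: FAILED password for erin from 198.51.100.20
2024-03-01 11:30:00 auth: FAILED password for erin from 198.51.100.20
2024-03-01 11:30:05 auth: ACCEPTED password for erin from 198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) auth: "
    r"(?P<result>FAILED|ACCEPTED) password for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_failures(text):
    """Yield (timestamp, source, user) for each failed login; unparsable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "FAILED":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("src"), m.group("user")

def find_password_guessing(text, threshold=5, window_minutes=5):
    """Return {source: sorted users tried} for every source that produced at least
    `threshold` failures within any span of `window_minutes` (sliding window per source)."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(text):
        by_src[src].append((ts, user))
    suspicious = {}
    for src, events in by_src.items():
        events.sort()                      # oldest first
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1                 # slide the window forward
            if end - start + 1 >= threshold:
                suspicious[src] = sorted({u for _, u in events[start:end + 1]})
                break
    return suspicious

if __name__ == "__main__":
    print(find_password_guessing(SAMPLE_LOG))
```

The first source is flagged because it tries five different accounts in six seconds; the second source's two isolated failures an hour apart are an ordinary user mistyping a password and stay below the threshold.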

  18. Examples of Network/Internet Controls - 3 • Digital signature is a digital code attached to an electronically transmitted message that is used to verify the origins and contents of the message (e.g., similar to a written signature) • Digital certificates are attachments to an electronic message to verify the identity of the sender and to provide a means to encode a reply. • Load balancing is the process of distributing a large number of access requests among multiple servers so that no single server is overwhelmed

  19. Other Controls - 1 • Backup is the process of making a copy of the information stored on a computer. There is no action that you can take that is more essential than regular backups. • Surveillance cameras in areas that contain IS assets can deter theft or destruction. • Surveillance software can record user actions down to individual keystrokes. • Anti-theft systems can be installed where alarms go off if unauthorized personnel tamper with computer hardware.

  20. Other Controls - 2 • A hot site is a separate and fully equipped facility where a firm can move immediately after a disaster and resume business. • Fault-tolerant computer systems are systems that contain extra hardware, software, and power supply components that create an environment that provides continuous uninterrupted service. • A disaster recovery plan is a plan for running the business in the event of a computer outage. The plan states what should be done and by whom.

  21. Other Controls - 3 • Data entry controls try to reduce errors in the data entry process by restricting the range of the data or its format (in Access see “validation rules” or “input masks” in the Design View for tables) • Separation of duties means that different people are in charge of different activities, allowing checks and balances and minimizing the possibility of criminal behavior. • An audit trail is a system that automatically records data such as the date and time of a transaction or the name or password of a user performing a specified activity (often without the knowledge of the user)

  22. V. Impact of Not Having a Recovery Plan • When companies are hit with the catastrophic loss of computerized records • 43 % never reopen • 51% close within two years • 6% survive long term • Despite these statistics many firms do not have a recovery plan.
