With the rapidly growing importance of Information Systems nowadays, information becomes more and more vulnerable.
Security is the main concern today, due to the large amount of cybercrime and data sabotage carried out over the Internet.
Because of this insecurity in every aspect of life, we need to think carefully about how to protect our information systems from outside hackers and attackers.
Security Threats & Technologies
Security Threats
Today we hear about many security breaches that affect organizations and individuals. Some recently in the news:
• Identity Theft – gaining access to someone's personal information, allowing the thief to impersonate that person (for example, from a stolen laptop)
• Denial of Service – attacks on websites using zombie computers that overwhelm the site and shut it down
• Others: Spyware, Spam, Wireless Access, Viruses
Security Technologies
Companies and research organizations continue to develop and refine technologies to prevent security breaches. Some include:
• Firewalls
• Biometrics
• VPN and Encryption
Security Threat: Spyware, Spam, and Cookies
Spyware
Any software that covertly gathers information about a user through an Internet connection without the user's knowledge
• Problems: uses memory resources, uses bandwidth, and can cause system instability
• Prevention: Firewalls and anti-spyware software
Spam
Electronic junk mail or junk newsgroup postings, usually for the purpose of advertising some product and/or service
• Problems: nuisance, wastes time deleting, uses storage
• Prevention: Spam Blocker software
Cookies
A message passed to a browser from a Web server. Used by legitimate programs to store state and user information
• Problems: can be used to track user activities
• Prevention: browser settings, firewall
Security Technology: Biometrics
Biometrics
• A sophisticated authentication technique used to restrict access to systems, data and/or facilities
• Uses biological characteristics to identify individuals, such as fingerprints, retinal patterns in the eye, etc., that are not easily counterfeited
• Has great promise in providing high security
Security Threat: Access to Wireless
Unauthorized Access to Wireless Networks
With the prevalence of wireless networks in use, this threat is increasing
• Problems - Drive-by hacking: an attacker accesses the network, intercepts data from it, and can use network services and/or send attack instructions without ever entering the building
• Prevention - Encryption between the network and user devices
Security Technology: VPN and Encryption
VPN (Virtual Private Network)
• Often called a secure tunnel
• Dynamically generated network connection used to connect users or nodes
• This approach uses both authentication and encryption
• Used extensively for remote access by employees
Encryption
• The process of encoding messages before they enter the network or airwaves, and then decoding them at the receiving end
• Public Key - known and used to scramble messages
• Private Key - not known and used by the receiver to descramble them
• Certificate Authority – a third party that issues keys
IS Vulnerability and Abuse
As our society and the world itself come to depend on computers and information systems more and more, systems must become more reliable. The systems must also be more secure when processing transactions and maintaining data. These two issues, which we address this week, are the biggest issues facing those wanting to do business on or expand their operations to the Internet. The threats are real, but so are the solutions.
Why Systems Are Vulnerable
This table points out some of the technical, organizational, and
environmental threats to Information Systems.
The weakest link in the chain is poor management of the system. If managers at all levels don't make security and reliability their number one priority, then the threats to an Information System can easily become real.
With distributed computing used extensively in network systems, you have
more points of entry, which can make attacking the system easy. The more
people you have using the system, the more potential for fraud and abuse of
the information maintained in that system.
Yes, it's hard to control everyone's actions. It's easy for people to say that
they are only one person and therefore they won't make much difference.
But it only takes one person to disable a system or destroy data. Let's see
why.
Threats to Information Systems (table):
• Hardware failure
• Software failure
• Personnel actions
• Terminal access penetration
• Theft of data, services, equipment
• Fire
• Electrical problem
• User errors
• Program changes
• Telecommunications problems
Data security controls should consist of passwords that allow
only certain people access to the system or to certain areas of
the system.
While you may want to grant employees access to their payroll
data or 401K data through an Intranet, you must make sure
they can access only their information and not that of any other
employee. You wouldn't want a co-worker to be able to access
your paycheck information, would you?
If you allow employees to keep certain data on their machines that is not backed up to the mainframe computer, you need to ensure that safeguards are installed on the individual PCs.
Make sure you have controls in place for access to individual
data, backing them up, and properly protecting them against
corruption. Do you even have a policy about whether
employees can store data on their individual terminals?
Fig 13.2: Personnel system security profiles.
Prevention
Security Profiles -- Build personal Data security profiles.
Object Security -- Enable individualized object security access
permissions.
Antivirus -- Install antivirus programs.
Firewalls -- Install and enable firewall support.
Change passwords -- Change passwords regularly, at least once a week.
No Disk Sharing -- Viruses can be transferred to clean computers by inserting disks containing infected files.
Delete Suspicious Email Messages -- Do not open suspicious e-mail messages; delete them.
Create Security Logs -- Review system logs to detect access to the system.
Administrative controls
To properly execute and enforce all these controls, you have to
have administrative controls--rules, procedures, standards, and
discipline.
You don't want to wait until disaster strikes, until a hacker
destroys data, or an employee steals information and gives it to
the competition, to realize you weren't paying attention to what's
going on.
Application controls
We've talked about controls for the general use of an
Information System.
Application controls are specific controls within each computer
application used in the system.
Each activity in the system needs controls to ensure the
integrity of the data input, how it's processed, and how it's
stored and used.
Input controls
Are the data accurate and complete? We used an example
earlier of a course grade being entered incorrectly. “If your
system had a method to check the data on the input
documents against the actual data entered into the system,
this kind of error could be caught and corrected at the time
it was entered”. Many companies are using source data
automation to help eliminate input errors.
Managers can use control totals to determine that the
documents used to enter data equal the number of transactions
processed by the system.
For instance, if the Sales Department says it entered data from
1,500 documents on April 21, were 1,500 transactions actually
processed by the system that same day? If the number is
different, managers can investigate the discrepancy and
determine the cause of the mismatch.
Processing controls
As the name describes, “processing controls are used
during the actual processing of the data”.
If Suzy says she entered 100 items into the system on
Tuesday, your application program would have a method of
checking and reporting the actual number of data entries for
that day. Not that you think Suzy is lying; you just need to have
a method of verifying and reconciling (accommodating) data
entered against data processed.
If Sam mistakenly submitted two invoices for the same
customer on the same day with the same parts ordered, a
computer matching control would catch the discrepancy
(disagreement) and create a report that can be used to
investigate the error. Perhaps the customer really did order the
same part twice on the same day. More than likely it is an error
that's better caught before it causes an embarrassing incident
for the company.
Output controls
Is the information created from the data accurate, complete,
and properly distributed? “Output controls can verify who
gets the output”, and if they're authorized to use it. You can
also use output controls to match the number of transactions
input, the number of transactions processed, and the number of
transactions output.
Maybe there's a glitch in the system somewhere that is causing transactions to be recorded twice on the data storage device. Obviously that's a situation the company should know about before customers report it. Output controls can help you uncover this kind of discrepancy.