Securing Information Systems


Chapter 7 Securing Information Systems 7.1 2007 by Prentice Hall

Student Objectives
- Analyze why information systems need special protection from destruction, error, and abuse.
- Assess the business value of security and control.
- Design an organizational framework for security and control.
- Evaluate the most important tools and technologies for safeguarding information resources.

Phishing: A Costly New Sport for Internet Users
- Problem: Large number of vulnerable users of online financial services, ease of creating bogus Web sites.
- Solutions: Deploy anti-phishing software and services and a multilevel authentication system to identify threats and reduce phishing attempts.
- Deploying new tools, technologies, and security procedures, along with educating consumers, increases reliability and customer confidence.
- Demonstrates IT's role in combating cyber crime.
- Illustrates digital technology as part of a multilevel solution as well as its limitations in overcoming discouraged consumers.

Phishing: A Costly New Sport for Internet Users
Interactive Session: Phishing
Discuss suspicious e-mails that members of the class have received:
- What made you suspicious of a particular e-mail?
- Did you open the e-mail? Were there any consequences to this action?
- Did you report the suspicious e-mail to anyone?
- What measures have you taken to protect yourself from phishing scams?

System Vulnerability and Abuse
- An unprotected computer connected to the Internet may be disabled within a few seconds.
- Security: policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
- Controls: methods, policies, and organizational procedures that ensure the safety of the organization's assets; the accuracy and reliability of its accounting records; and operational adherence to management standards.

System Vulnerability and Abuse
Why Systems Are Vulnerable
- Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
- Software problems (programming errors, installation errors, unauthorized changes)
- Disasters (power failures, flood, fires, etc.)
- Internet vulnerabilities
- Wireless security challenges

System Vulnerability and Abuse
Figure 7-1, The Map of the Chapter: The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.

Malicious Software: Viruses, Worms, Trojan Horses, and Spyware
- Malware
- Viruses: a virus is a program (a set of code) that replicates by being copied or initiating its copying to another program, computer boot sector, or document.
- Worms: a worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself.
- Trojan horses: a Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and execute its chosen form of damage, such as ruining the file allocation table on your hard disk.
- Spyware
- Key loggers

System Vulnerability and Abuse
Hackers and Cyber-vandalism
- Hackers (a hacker is an individual who intends to gain unauthorized access) vs. crackers (with criminal intent)
- Cyber-vandalism
- Spoofing (misrepresenting, redirecting)
- Sniffing (eavesdropping to find weaknesses)
- Denial-of-service (DoS) attack
- Distributed denial-of-service (DDoS) attack (creates numerous server requests through many unauthorized servers (botnet) to overwhelm the targeted server)
- Botnets (zombie PCs, software robots)

System Vulnerability and Abuse
Computer Crime and Cyberterrorism
- Computer crime: any violations of criminal law that involve knowledge of computer technology for their perpetration, investigation, or prosecution (U.S. Department of Justice)
- U.S. companies lose $14 billion annually to cyber crime

System Vulnerability and Abuse
- Identity theft:
  - Phishing: misrepresented Web sites
  - Evil twins: misrepresented hotspot
  - Pharming: redirect to their Web page by gaining access to your IP address from ISP list
- Computer abuse: spamming (unsolicited, unethical, not illegal)
- Cyber-terrorism and cyber-warfare: attacks on computer-controlled systems

System Vulnerability and Abuse
Worldwide Damage from Digital Attacks
Figure 7-3: This chart shows estimates of the average worldwide damage from hacking, malware, and spam since 1998. These figures are based on data from mi2g and the authors.

System Vulnerability and Abuse
Internal Threats: Employees
- Security threats often originate inside an organization
- Social engineering (colleague: getting one's password)
Software Vulnerability
- Commercial software contains flaws that create security vulnerabilities
- Patches

Business Value of Security and Control
- Failed computer systems can lead to a significant or total loss of business function
- Firms are now more vulnerable than they have ever been
- A security breach may cut into a firm's market value almost immediately
- Inadequate security and controls also bring forth issues of liability

Business Value of Security and Control
Legal and Regulatory Requirements for Electronic Records Management
- Electronic records management (ERM): policies, procedures, and tools for managing the retention, destruction, and storage of electronic records
- HIPAA (Health Insurance Portability and Accountability)
- Gramm-Leach-Bliley Act (Financial Services Modernization)
- Sarbanes-Oxley Act (Investor Protection Act)

Business Value of Security and Control
Electronic Evidence and Computer Forensics
- Evidence for legal actions is often found in digital form
- Proper control of data can save money when responding to a discovery request
- Computer forensics: scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law
- Ambient data (hidden, background, ...), e.g. deleted files

Establishing a Framework for Security and Control
- ISO 17799
- Risk assessment
- Security policy
- Chief security officer (CSO)
- Acceptable use policy (AUP)
- Authorization policies
- Authorization management systems

Establishing a Framework for Security and Control
Ensuring Business Continuity
- Downtime
- Fault-tolerant computer systems
- High-availability computing
- Recovery-oriented computing
- Disaster recovery planning
- Business continuity planning
- Security outsourcing (managed security service providers)

Establishing a Framework for Security and Control
The Role of Auditing
- MIS audit: identifies the controls that govern information systems and assesses their effectiveness
- Auditor conducts interviews with key individuals
- Examines security, application controls, overall integrity controls, and control disciplines

Technologies and Tools for Security
Access Control
- Authentication
- Tokens
- Smart cards (hotel key, cash card)
- Biometric authentication

Technologies and Tools for Security
New Solutions for Identity Management
Read the Focus on Technology and then discuss the following questions:
- What problems were Monsanto, Clarian, and others having with identity management?
- What was the impact of those problems?
- What alternative solutions were available?
- What people, organization, and technology issues had to be addressed in developing solutions?
- Do you think the solutions chosen are effective? Why or why not?

Technologies and Tools for Security
Firewalls, Intrusion Detection Systems, and Antivirus Software
- Firewall: a combination of hardware and software that prevents unauthorized users from accessing private networks
- Intrusion detection systems monitor hot spots on corporate networks to detect and deter intruders
- Antivirus and antispyware software checks computers for the presence of malware and can often eliminate it as well

Technologies and Tools for Security
A Corporate Firewall
Figure 7-6: The firewall is placed between the firm's private network and the public Internet or another distrusted network to protect against unauthorized traffic.

Technologies and Tools for Security
Securing Wireless Networks
- WEP security can be improved by using it with VPN technology
- Wi-Fi Alliance/Wi-Fi Protected Access (WPA) specifications
- Extensible Authentication Protocol (EAP)
- Protection from rogue networks

Technologies and Tools for Security
Interactive Session: Securing Wireless Networks
- Do you use wireless technology?
- If so, what kinds of information do you transmit over the wireless network?
- What kinds of information do you avoid sending over the wireless network? What are your concerns related to sending these kinds of information?
- If you do not have access to a wireless network, is it by choice due to security concerns?

Technologies and Tools for Security
Encryption and Public Key Infrastructure
- Encryption: transforming text or data into cipher text that cannot be read by unintended recipients
- Secure Sockets Layer (SSL)
- Transport Layer Security (TLS)
- Secure Hypertext Transfer Protocol (S-HTTP)
- Public key encryption
- Digital signature
- Digital certificate
- Public key infrastructure (PKI)