Uploaded by Jayson King

Managing Information Systems

Seventh Canadian Edition

Laudon, Laudon and Brabston

CHAPTER 8
Securing Information Systems

Copyright © 2015 Pearson Canada Inc. 8-1


System Vulnerability and Abuse

• Security:
– Policies, procedures, and technical measures used to
prevent unauthorized access, alteration, theft, or
physical damage to information systems
• Controls:
– Methods, policies, and organizational procedures that
ensure safety of organization’s assets; accuracy and
reliability of its accounting records; and operational
adherence to management standards



System Vulnerability and Abuse

Why systems are vulnerable

– Accessibility of networks
– Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
– Software problems (programming errors, installation errors, unauthorized changes)
– Disasters
– Use of networks/computers outside of firm’s control
– Loss and theft of portable devices


[INSERT FIGURE 8.1]



Internet Vulnerabilities

• Network open to anyone
• E-mail
– Attachments with malicious software
– Transmitting trade secrets
• Interception


Wireless Security Challenges

• Radio frequency bands easy to scan
• SSIDs (service set identifiers)
– Identify access points
– Broadcast multiple times
• War driving
– Eavesdroppers drive by buildings and try to detect SSID and gain access to network and resources


Wireless Security Challenges (cont.)

WEP (Wired Equivalent Privacy)
• Users often fail to implement WEP or stronger systems


Malicious Software: Viruses, Worms, Trojan
Horses, and Spyware

Computer viruses:
• Rogue software programs that attach to other
programs in order to be executed, usually without
user knowledge or permission
• Deliver a “payload”
• Can spread by email attachments



Malicious Software: Viruses, Worms, Trojan
Horses, and Spyware

Worms:
• Programs that copy themselves from one
computer to another over networks
• Can destroy data, programs, and halt operation of
computer networks



Malicious Software: Viruses, Worms, Trojan
Horses, and Spyware

Trojan Horse:
• A software program that appears to be benign,
but then does something unexpected
• Often “transports” a virus into a computer system
• Name is based on Greek ruse during Trojan war



Hackers and Computer Crime

Hackers:
• individuals who attempt to gain unauthorized
access to a computer system
• Cracker: a hacker with criminal intent

Cybervandalism:
• intentional disruption, defacement, or
destruction of a Web site or system



Spoofing and Sniffing

Spoofing
• masquerading as someone else, or redirecting a
Web link to an unintended address
Sniffing
• an eavesdropping program that monitors
information travelling over a network



Denial of Service (DoS) Attacks

DoS: Hackers flood a server with false communications in order to crash the system
• Often use botnets


Computer Crime

Computer Crime: violation of criminal law that involves a knowledge of technology for perpetration, investigation, or prosecution


Computer Crime

Identity theft
• A crime in which the imposter obtains key pieces of personal information
Phishing
• Setting up fake Web sites or sending email messages that look legitimate, and using them to ask for confidential data
Pharming
• Redirects users to a bogus web site


[INSERT TABLE 8.3]



Computer Crime (cont.)

Click Fraud
• Bogus clicks to drive up pay-per-clicks



Global Threats

Cyberterrorism and Cyberwarfare
• Exploitation of systems by terrorists


Internal Threats: Employees

• Security threats often originate inside an organization
– E.g. tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information


System Vulnerability

Software vulnerability
• Hidden bugs (program code defects)
• Flaws can open networks to intruders



System Vulnerability

Patches
• Small pieces of software to repair flaws
• Exploits often created faster than patches can be
released and implemented



Business Value of Security and Control

• Failed computer systems can lead to significant or total loss of business function
• Firms now more vulnerable than ever
– Confidential personal and financial data
– Trade secrets, new products, strategies
• A security breach may cut into firm’s market value almost immediately
• Inadequate security and controls also bring forth issues of liability


Legal and Regulatory Requirements for
Electronic Records Management

• Securely storing and handling recovered electronic data


Establishing a Framework for Security and
Control

Information System Controls

• General controls
– Apply to all computerized applications and consist of a combination of hardware, software, and manual procedures
• Application controls
– Input controls
– Processing controls
– Output controls


Risk Assessment

Risk Assessment
• Determine level of risk to the firm in the case of
improper controls
Security policy
• Acceptable Use Policy (AUP)
• Authorization Policies
• Authorization Management systems



Disaster Recovery Planning and Business
Continuity Planning

Disaster recovery planning devises plans for the restoration of computing and communications services after they have been disrupted


Disaster Recovery Planning and Business
Continuity Planning

Business continuity planning
• Focuses on how the company can restore business operations after a disaster strikes
• Identifies critical business processes and determines action plans for handling mission-critical functions if systems go down


The Role of Auditing

• Examines the firm’s overall security environment as well as controls governing individual information systems
• Assesses the financial and organizational impact of each threat


Identity Management and Authentication

Authentication
• the ability to know that a person is who he or she
claims to be



Firewalls, Intrusion Detection Systems, and
Antivirus Software

Firewalls: hardware and software controlling the flow of incoming and outgoing network traffic
• Packet filtering (examines fields in the headers of data packets within the network)
• Stateful inspection (determines whether packets are part of an ongoing dialogue between sender and receiver)
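The difference between the two firewall techniques on this slide is easiest to see in code. The following Python model is an added illustration, not code from the textbook: a stateless packet filter that decides from each packet's header fields alone, beside a stateful firewall that remembers connections opened from the inside. The addresses (10.0.0.0/24 as the internal network, 10.0.0.5 as the public web server, 203.0.113.x as outside hosts), the rules and the three packets are constructed for the example.

```python
"""Toy firewall models: stateless packet filtering beside stateful inspection.

Added illustration, not from the textbook. The rules, addresses and
packets below are constructed for the example; 10.0.0.0/24 plays the
internal network and 10.0.0.5 the public web server.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # set on the first packet of a TCP connection
    ack: bool = False  # set on every later packet of the connection


INTERNAL = "10.0.0."
WEB_SERVER = ("10.0.0.5", 80)


def packet_filter(pkt: Packet) -> str:
    """Stateless filter: decide from this packet's header fields alone."""
    inbound = not pkt.src.startswith(INTERNAL)
    if (pkt.dst, pkt.dport) == WEB_SERVER:
        return "allow"  # anyone may reach the web server
    if not inbound:
        return "allow"  # internal hosts may connect outward
    if pkt.ack:
        # Replies to internal connections must get back in somehow. A
        # stateless filter can only guess from the ACK bit, and that bit
        # is set by the sender, so any outside host can claim to be a reply.
        return "allow"
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remember which dialogues are actually open."""

    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.connections:
            return "allow"  # part of an ongoing dialogue we saw opened
        if (pkt.dst, pkt.dport) == WEB_SERVER and pkt.syn:
            self.connections.add(flow)
            return "allow"
        if pkt.src.startswith(INTERNAL) and pkt.syn:
            self.connections.add(flow)  # remember it so the reply can return
            return "allow"
        return "deny"  # unsolicited, even if the ACK bit is set


def run_scenario() -> dict[str, tuple[str, str]]:
    """Return (stateless, stateful) verdicts for three constructed packets."""
    fw = StatefulFirewall()
    outbound = Packet("10.0.0.7", 51000, "203.0.113.9", 443, syn=True)
    reply = Packet("203.0.113.9", 443, "10.0.0.7", 51000, ack=True)
    # A packet dressed up as a reply, for which no internal host ever opened a connection.
    unsolicited = Packet("203.0.113.66", 443, "10.0.0.8", 3389, ack=True)
    results = {}
    for name, pkt in [("outbound", outbound), ("reply", reply), ("unsolicited", unsolicited)]:
        results[name] = (packet_filter(pkt), fw.check(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:12s} stateless={stateless:5s} stateful={stateful}")
```

Both models pass the outbound connection and its genuine reply; only the stateful firewall rejects the unsolicited packet, because it checks the dialogue table rather than trusting a header flag the sender controls. A real stateful firewall also ages entries out of the table and tracks TCP state transitions, which the toy omits.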


Firewalls, Intrusion Detection Systems and
Antivirus Software

Intrusion Detection Systems
• Full-time monitoring tools placed at the most vulnerable points of the corporate networks to detect and deter intruders
Antivirus and Antispyware
• Checks computer systems for viruses


Securing Wireless Networks

Encryption and Public Key Infrastructure
• Coding and scrambling of messages to prevent unauthorized access to, or understanding of, the data being transmitted


Securing Wireless Networks

Public key encryption:
• Uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key
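To make the "two mathematically related keys" idea on this slide concrete, here is a toy RSA example added to this outline (not code from Laudon, Laudon and Brabston). The primes 61, 53, 97 and 89, the names Alice and Bob and the message are constructed; the primes are tiny and there is no padding, so it shows only the mathematics that ties the two keys together, not a usable cipher. It goes one step beyond the slide by also showing the reverse direction, applying the private key first and the public key second, which is the basis of digital signatures.

```python
"""Toy RSA to illustrate the two-key relationship in public key encryption.

Added illustration, not from the textbook. The primes are tiny and the
scheme has no padding, so it demonstrates only the mathematics; real
systems use a vetted library with 2048-bit or larger keys and proper
padding. Alice, Bob, their primes and the message are constructed.
"""
from math import gcd


def make_keypair(p: int, q: int, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)): the public key and the private key.

    d is the inverse of e modulo (p-1)(q-1). That is the mathematical
    relation between the keys: (m**e)**d == m (mod n) for every m below n,
    so whatever one key does, only the other key undoes.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def apply_key(value: int, key: tuple[int, int]) -> int:
    """Raise value to the key's exponent modulo n; used for both directions."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(value, exponent, n)


def transform(blocks: list[int], key: tuple[int, int]) -> list[int]:
    """Apply a key to every block of a message."""
    return [apply_key(b, key) for b in blocks]


def demo() -> dict[str, bool]:
    """Exercise the key relationship; returns which operations recover the message."""
    alice_pub, alice_priv = make_keypair(61, 53)  # n = 3233, d = 2753
    bob_pub, bob_priv = make_keypair(97, 89)      # n = 8633, an unrelated key pair
    message = list(b"PAY 500")                     # one byte per block (constructed)

    # Confidentiality: anyone encrypts with Alice's public key;
    # only her private key recovers the message.
    ciphertext = transform(message, alice_pub)

    # Authenticity: Alice applies her private key; anyone checks with her public key.
    signature = transform(message, alice_priv)

    return {
        "private_key_decrypts": transform(ciphertext, alice_priv) == message,
        "public_key_twice_decrypts": transform(ciphertext, alice_pub) == message,
        "other_private_key_decrypts": transform(ciphertext, bob_priv) == message,
        "public_key_verifies_signature": transform(signature, alice_pub) == message,
    }


if __name__ == "__main__":
    for name, recovered in demo().items():
        print(f"{name:32s} {recovered}")
```

Only the matching partner key recovers the message: applying the public key a second time, or a different party's private key, yields other numbers. Encrypting one byte at a time with no randomisation is exactly what padding schemes exist to prevent in real deployments, which is why this example stays a teaching model.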


[INSERT FIGURE 8.6]



Ensuring System Availability

• Fault-tolerant computing
• High-availability computing
• Controlling Network Traffic
– Deep packet inspection
• Security Outsourcing



Security Issues for Managers

• Security in the Cloud
• Securing Mobile Platforms
• Ensuring Software Quality
• Security and control must become a more visible priority and a responsibility of everyone in the organization; commitment from top management as an area vital to all aspects of the business

