
Beirut Arab University

Faculty of Business Administration


Management in IS Department

Chapter 8:
Securing Information Systems
(Part 2)

Course Name: Management Information Systems II


Course Number: BMIS302

Lecturer: Dr. Issam Shbaro


PhD in Information Technology

13-Mar-2019
6.1 Copyright © 2014 Pearson Education, Inc.
Outline

• System Vulnerability and Abuse

• Business Value of Security and Control

• Organizational Frameworks for Security and Control



System Vulnerability and Abuse

• Denial-of-service attacks (DoS)
  – Flooding server with thousands of false requests to crash the network
• Distributed denial-of-service attacks (DDoS)
  – Use of numerous computers to launch a DoS
• Botnets
  – Networks of “zombie” PCs infiltrated by bot malware
  – Deliver 90 percent of world spam, 80 percent of world malware



System Vulnerability and Abuse

• Computer crime
  – Computer may be target of crime, for example:
    • Breaching confidentiality of protected computerized data
    • Accessing a computer system without authority
  – Computer may be instrument of crime, for example:
    • Theft of trade secrets
    • Using e-mail for threats or harassment



System Vulnerability and Abuse

• Identity theft
  – Theft of personal information (social security ID, driver’s license, or credit card numbers) to impersonate someone else
• Phishing
  – Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data
• Evil twins
  – Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
System Vulnerability and Abuse

• Pharming
  – Redirects users to a bogus Web page, even when individual types correct Web page address into his or her browser
• Click fraud
  – Occurs when individual or computer program fraudulently clicks on online ad without any intention of learning more about the advertiser or making a purchase
• Cyberterrorism or Cyberwarfare
System Vulnerability and Abuse

• Internal threats: Employees
  – Security threats often originate inside an organization
  – Social engineering
    • Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information



System Vulnerability and Abuse

• Software vulnerability
  – Commercial software contains flaws that create security vulnerabilities
    • Hidden bugs (program code defects)
      – Zero defects cannot be achieved because complete testing is not possible with large programs
  – Patches
    • Small pieces of software to repair flaws



Business Value of Security and Control

• Failed computer systems can lead to significant or total loss of business function
• Firms now are more vulnerable than ever
  – Confidential personal and financial data
  – Trade secrets, new products, strategies



Business Value of Security and Control

• Electronic evidence
  – Evidence for white collar crimes often in digital form
    • Data on computers, e-mail, instant messages, e-commerce transactions
• Computer forensics
  – Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law
  – Includes recovery of hidden data



Organizational Frameworks for Security and Control

• Application controls
  – Specific controls unique to each computerized application, such as payroll or order processing
  – Include both automated and manual procedures
  – Ensure that only authorized data are completely and accurately processed by that application
  – Include
    • Input controls
    • Processing controls
    • Output controls
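Added example (not from the slides or the textbook) showing the three kinds of application control on the payroll case the slide names: an input control that rejects malformed timesheet records, a processing control that compares the batch's record count and hours control total with the separately keyed batch header before any pay is computed, and an output control that checks what was produced before it is released. The employee ids, rates and limits are constructed for this example.

```python
"""Input, processing and output controls for a payroll batch.

Added example, not from the slides. The batch header carries totals keyed in
separately from the records, so a dropped, duplicated, altered or rejected
record makes the totals disagree and stops the run before anyone is paid.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

MAX_HOURS = Decimal("80")        # hypothetical input limit per pay period
MAX_RATE = Decimal("500.00")     # hypothetical hourly-rate ceiling
MAX_GROSS = Decimal("20000.00")  # hypothetical output ceiling per employee

# Constructed sample batch: the header totals come from a separate tally of the timesheets.
BATCH_HEADER = {"record_count": 3, "control_total_hours": Decimal("112.5")}
BATCH_RECORDS = [
    {"employee_id": "E1001", "hours": "40.0", "rate": "25.00"},
    {"employee_id": "E1002", "hours": "32.5", "rate": "30.00"},
    {"employee_id": "E1003", "hours": "40.0", "rate": "22.50"},
]


@dataclass
class PayrollResult:
    gross_pay: dict = field(default_factory=dict)   # employee_id -> gross pay
    rejected: list = field(default_factory=list)    # (record, reason) pairs
    control_ok: bool = False                        # processing control passed
    output_ok: bool = False                         # output control passed


def validate_record(rec: dict):
    """Input control: (True, '') for an acceptable record, else (False, reason)."""
    emp = str(rec.get("employee_id", ""))
    if not (len(emp) == 5 and emp[0] == "E" and emp[1:].isdigit()):
        return False, "bad employee_id"
    try:
        hours, rate = Decimal(str(rec["hours"])), Decimal(str(rec["rate"]))
    except (KeyError, InvalidOperation):
        return False, "non-numeric hours or rate"
    if not Decimal("0") <= hours <= MAX_HOURS:
        return False, "hours out of range"
    if not Decimal("0") < rate <= MAX_RATE:
        return False, "rate out of range"
    return True, ""


def run_payroll(header: dict, records: list) -> PayrollResult:
    result = PayrollResult()
    accepted = []
    for rec in records:
        ok, reason = validate_record(rec)
        if ok:
            accepted.append(rec)
        else:
            result.rejected.append((rec, reason))
    # Processing control: record count and hours must agree with the batch header.
    hours_total = sum((Decimal(r["hours"]) for r in accepted), Decimal("0"))
    result.control_ok = (len(records) == header["record_count"]
                         and hours_total == header["control_total_hours"])
    if not result.control_ok:
        return result                       # nothing is computed for a batch that fails
    result.gross_pay = {r["employee_id"]: Decimal(r["hours"]) * Decimal(r["rate"])
                        for r in accepted}
    # Output control: one pay line per accepted record (a duplicated id collapses
    # into one key and is caught here), no line above the ceiling, and the output
    # total reconciles with the accepted input.
    expected_total = sum((Decimal(r["hours"]) * Decimal(r["rate"]) for r in accepted), Decimal("0"))
    result.output_ok = (len(result.gross_pay) == len(accepted)
                        and all(Decimal("0") <= p <= MAX_GROSS for p in result.gross_pay.values())
                        and sum(result.gross_pay.values(), Decimal("0")) == expected_total)
    return result


if __name__ == "__main__":
    r = run_payroll(BATCH_HEADER, BATCH_RECORDS)
    print("processing control:", r.control_ok, "output control:", r.output_ok)
    for emp, pay in r.gross_pay.items():
        print(emp, pay)
```

The header is the manual side of the control: someone totals the timesheets independently, so the automated check is comparing two sources rather than the same data with itself.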
Organizational Frameworks for Security and Control

• Risk assessment: Determines level of risk to firm if specific activity or process is not properly controlled
  – Types of threat
  – Probability of occurrence during year
  – Potential losses, value of threat
  – Expected annual loss

TYPE OF THREAT    PROBABILITY    LOSS RANGE (AVG)         EXPECTED ANNUAL LOSS
Power failure     30%            $5K–$200K ($102,500)     $30,750
Embezzlement      5%             $1K–$50K ($25,500)       $1,275
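Added example (not from the slides or the textbook) that reproduces the table above from its inputs: the average loss is the midpoint of the loss range and the expected annual loss is probability times average loss, which gives the $30,750 and $1,275 on the slide. The ranking function orders threats by expected annual loss, and the last helper goes one step beyond the slide: it decides whether a control is worth its annual cost by the reduction in expected annual loss it buys. The control cost and reduced probability used in the usage note are constructed.

```python
"""Expected annual loss from a risk-assessment table.

Added example, not from the slides. Threat names and figures are the ones in
the slide's table; the cost/benefit helper at the end goes beyond the slide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float   # chance the threat occurs at least once during the year
    loss_low: float      # dollars, lower end of the loss range
    loss_high: float     # dollars, upper end of the loss range


def average_loss(t: Threat) -> float:
    """The '(AVG)' figure on the slide: midpoint of the loss range."""
    return (t.loss_low + t.loss_high) / 2


def expected_annual_loss(t: Threat) -> float:
    """Probability of occurrence during the year times the average loss."""
    return round(t.probability * average_loss(t), 2)


def rank_threats(threats):
    """Rows of (name, average loss, expected annual loss), highest expected
    annual loss first, which is the order in which controls should be considered."""
    rows = [(t.name, average_loss(t), expected_annual_loss(t)) for t in threats]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def control_is_worthwhile(t: Threat, annual_control_cost: float,
                          probability_with_control: float) -> bool:
    """Beyond the slide: a control pays for itself when the reduction in expected
    annual loss it brings is at least its own annual cost."""
    with_control = Threat(t.name, probability_with_control, t.loss_low, t.loss_high)
    saving = expected_annual_loss(t) - expected_annual_loss(with_control)
    return saving >= annual_control_cost


# The slide's table
THREATS = [
    Threat("Power failure", 0.30, 5_000, 200_000),
    Threat("Embezzlement", 0.05, 1_000, 50_000),
]

if __name__ == "__main__":
    print(f"{'TYPE OF THREAT':16} {'AVG LOSS':>12} {'EXPECTED ANNUAL LOSS':>22}")
    for name, avg, eal in rank_threats(THREATS):
        print(f"{name:16} {avg:>12,.0f} {eal:>22,.0f}")
    # Constructed decision: a $10,000/year UPS contract expected to cut power-failure
    # probability from 30% to 10%.
    print("UPS worthwhile:", control_is_worthwhile(THREATS[0], 10_000, 0.10))
```

Note that the ranking is by expected annual loss, not by probability: embezzlement is rarer but a control that halves its probability saves far less per year than one that trims power-failure risk, which is what the last helper makes explicit.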



Organizational Frameworks for Security and Control

• Identity management
  – Business processes and tools to identify valid users of system and control access
    • Identifies and authorizes different categories of users
    • Specifies which portion of system users can access
    • Authenticates users and protects identities



FIGURE 8-3 SECURITY PROFILES FOR A PERSONNEL SYSTEM

These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.
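Added example (not from the slides and not the textbook's Figure 8-3) of how two security profiles for a personnel system can be expressed and enforced: each profile lists, per data field, the operations a category of user may perform, plus a scope that limits which records the rules apply to, and anything not granted is denied. The profile names, fields, users and records are constructed for the example.

```python
"""Security profiles for a personnel system.

Added example, not the textbook's figure. A profile grants operations per data
field and sets how far the user's reach extends (all records or only the
user's own division). Everything not granted is denied.
"""
from dataclasses import dataclass, field

# Constructed profiles. "scope" limits which records the field rules apply to.
PROFILES = {
    "personnel_clerk": {            # maintains the fields a clerk needs, sees nothing else
        "scope": "all",
        "fields": {"name": {"read", "update"}, "address": {"read", "update"},
                   "salary": set(), "medical_history": set()},
    },
    "division_manager": {           # views own division's records, changes nothing
        "scope": "own_division",
        "fields": {"name": {"read"}, "address": {"read"}, "salary": {"read"},
                   "medical_history": set()},
    },
}


@dataclass(frozen=True)
class User:
    user_id: str
    profile: str
    division: str


@dataclass
class EmployeeRecord:
    employee_id: str
    division: str
    data: dict = field(default_factory=dict)


def is_permitted(user: User, record: EmployeeRecord, field_name: str, operation: str) -> bool:
    """Default deny: an unknown profile, an unknown field, an ungranted operation or
    a record outside the user's scope all return False."""
    profile = PROFILES.get(user.profile)
    if profile is None:
        return False
    if profile["scope"] == "own_division" and record.division != user.division:
        return False
    return operation in profile["fields"].get(field_name, set())


def read_field(user: User, record: EmployeeRecord, field_name: str):
    if not is_permitted(user, record, field_name, "read"):
        raise PermissionError(f"{user.user_id} ({user.profile}) may not read {field_name}")
    return record.data[field_name]


def update_field(user: User, record: EmployeeRecord, field_name: str, value):
    if not is_permitted(user, record, field_name, "update"):
        raise PermissionError(f"{user.user_id} ({user.profile}) may not update {field_name}")
    record.data[field_name] = value
    return value


def visible_fields(user: User, record: EmployeeRecord) -> list:
    """The portion of a record this user can see at all (sorted field names)."""
    return sorted(f for f in record.data if is_permitted(user, record, f, "read"))


# Constructed sample record and users
EMPLOYEE = EmployeeRecord("E1001", "sales", {"name": "A. Example", "address": "1 Main St",
                                             "salary": 52000, "medical_history": "private"})
CLERK = User("u-clerk", "personnel_clerk", "hr")
SALES_MANAGER = User("u-sales-mgr", "division_manager", "sales")
OPS_MANAGER = User("u-ops-mgr", "division_manager", "operations")

if __name__ == "__main__":
    for u in (CLERK, SALES_MANAGER, OPS_MANAGER):
        print(u.user_id, "sees", visible_fields(u, EMPLOYEE))
```

The check is centralised in is_permitted so that every read and update path answers the same question the same way; the medical_history field is granted to no profile, which is the default-deny case made visible.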



Organizational Frameworks for Security and Control

• Disaster recovery planning: Devises plans for restoration of disrupted services
• Business continuity planning: Focuses on restoring business operations after disaster



Organizational Frameworks for Security and Control

• Information systems audit
  – Reviews technologies, procedures, documentation, training, and personnel
  – Lists and ranks all control weaknesses and estimates probability of their occurrence, and assesses financial and organizational impact of each threat
