MIS Chapter 5

Uploaded by Getaneh Techan
CHAPTER FIVE
Information System Security

Introduction

Information System Security

Threats – IS Security
- Definition of IS Security
- Dimensions of IS Security
- Definition of IS Security Threats

Factors Contributing to Threat
- Inadvertent act
- Deliberate SW attack
- Virus, hacking, identity theft, cyber-harassment, war, crime
- Natural disaster
- Technical failure
- Management failure

Managing IS Security
- Goals
- Strategy
- Policy
- Authentication
- Access control
- Encryption
- Backup
- Firewall
- IDS
- Physical security
MAJOR THREATS TO INFORMATION SYSTEM SECURITY
Definition of Information System Security
- Security is defined as “the quality/state of being secured – to be secured from danger”
- Information security – the practice of defending digital information from unauthorized:
  - Access
  - Use
  - Recording
  - Disruption
  - Modification
  - Destruction
Dimensions of Information Security
- Information is:
  - stored on computer hardware
  - manipulated by software
  - transmitted by communication networks
  - used by people, etc.
- Multiple layers of security:
  - Physical security: physical items/objects/areas
  - Personal security: individuals/groups
  - Operations security: series of activities
  - Communication security: media, technology and content
  - Information security: confidentiality, integrity and accessibility
Information Security Threats
- Security threat: any action or interaction that could cause disclosure, alteration, loss, damage or unavailability of a company’s/individual’s assets
- Three components of a threat:
  - Target: the organization’s assets that might be attacked (information, HW, SW, network services, etc.)
  - Agent: the people/organization originating the threat (intentional/non-intentional)
  - Event: the type of action that poses the threat
FACTORS CONTRIBUTING TO THREAT
Cont.
- INADVERTENT ACTS
  - acts that happen by mistake
  - not deliberate; no malicious intent or ill will
  - examples of inadvertent acts:
    - Acts of human error and failure (inexperience, poor training)
    - Deviation from service quality
    - Communication error
Cont.
- DELIBERATE SOFTWARE ATTACKS
  - Deliberate action aimed at violating/compromising a system’s security through the use of software:
    - Use of malware
    - Password cracking
    - DoS and DDoS
    - Spoofing
    - Sniffing
Cont.
- NATURAL DISASTER
  - dangerous – unexpected, occurs with very little warning, causes damage to information
- TECHNICAL FAILURE
  - Two types: technical hardware failure, technical software failure
- MANAGEMENT FAILURE
  - Managers must update and develop a proper plan for good protection of the information, and be committed to upgrading
Computer Crime
- What is computer crime?
  - Using a computer to commit an illegal act
  - Targeting a computer while committing an offense
    - Unauthorized access to a server to destroy data
  - Using a computer to:
    - commit an offense: to embezzle funds
    - support criminal activity: illegal gambling
Cont.
- Who commits a crime?
  - Current or former employees; insider threat
  - People with technical knowledge who commit business or information sabotage for personal gain
  - Career criminals who use computers to assist in crimes
  - Outside crackers — commit millions of intrusions per year
Types of Computer Crimes
- Hacking & Cracking
- Identity Theft
- Computer Viruses
- Cyber harassment, Cyberstalking, Cyberbullying
- Piracy
Hackers & Crackers
- Hackers
  - Anyone who can gain unauthorized access to computers
  - White hat hackers don’t intend to do harm
- Crackers
  - Individuals who break into computer systems with the intent to commit crime or do damage
  - Also called black hat hackers
- Hacktivists:
  - Crackers who are motivated by political or ideological goals and who use cracking to promote their interests
Computer Viruses
- perverse software that causes malicious activity (spreads destructive program routines), hindering the execution of other programs
  - modification or complete destruction of data
  - destroying the contents of memory, hard disks, and other storage devices
  - sabotaging the operating system
- Types: Virus, Worms, Trojan Horses, Bombs
Cont.
- Reasons for perverse activity:
  - For gaining publicity
  - Revenge on a company/person
  - In-born natural desire to tease other people
  - Act of a maniac
Spyware, Spam, and Cookies
- Spyware: software that monitors computer use, such as the Web sites visited or even the keystrokes of the user
- Spam: Bulk unsolicited e-mail sent to millions of users at extremely low cost, typically seeking to sell a product, distribute malware, or conduct a phishing attack
- Cookies: A small file Web sites place on a user’s computer; can be legitimate (to capture items in a shopping cart) but can be abused (to track individuals’ browsing habits) and can contain sensitive information (like credit card numbers) and pose a security risk
Denial-of-Service (DoS)
- A denial-of-service attack seeks to overload servers, typically using a network of hacked computers that are controlled remotely, by sending too many requests or messages to the server for it to handle.
- When a server has too many requests to handle, it becomes overloaded and unable to serve the requests of legitimate users.
Sniffing
- Use of a program or device that can monitor data traveling over a network
- Unauthorized sniffers – sniff/extract critical information; can’t be detected
Identity Theft
- Stealing Social Security, credit card, bank account numbers and information
  - thieves even withdraw money directly from victims’ bank accounts
  - organizations keep information about individuals in accessible databases
- One of the fastest growing information crimes
- Possible solutions
  - Government and private sector working together to change practices
  - Use of biometrics and encryption
Software Piracy
- Unauthorized copying of computer programs, which are intellectual property protected by copyright law.
- Using software that isn’t properly licensed and paid for, such as by purchasing one copy of a product and then using it on multiple computers.
- Huge profit loss for software publishers.

Region               Piracy Level   Dollar Loss (in US$ millions)
North America        19%            10,958
Western Europe       32%            13,749
Asia/Pacific         60%            20,998
Latin America        61%            7,459
Middle East/Africa   58%            4,159
Eastern Europe       62%            6,133
Worldwide            42%            63,456
Managing Information System Security
Goals of Information Security
- Availability
  - Ensuring that legitimate users can access the system
- Integrity
  - Preventing unauthorized manipulation of data and systems
- Confidentiality
  - Protecting data from unauthorized access
- Accountability
  - Ensuring that actions can be traced
Developing IS Security Strategy
- Options for addressing information security risks
  - Risk Reduction
    - Actively installing countermeasures
  - Risk Acceptance
    - Accepting any losses that occur
  - Risk Transference
    - Having someone else absorb the risk (insurance, outsourcing)
  - Risk Avoidance
    - Using alternative means, avoiding risky tasks
Cont.
- A strategy is developed detailing the information security controls
- Types of Controls
  - Preventive: stopping a negative event from occurring (e.g. keeping intruders out)
  - Detective: recognizing incidents when they happen (e.g. unauthorized access attempts)
  - Corrective: mitigating the impact of an incident
- Principles of least permissions and least privileges
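As an added illustration of a detective control (this code is not from the slides), the Python below parses authentication log lines and flags any source address that produces repeated failed logins inside a short time window, which is the "unauthorized access attempts" a detective control is meant to recognize. The log format, the sample lines, the addresses and the threshold are all constructed for this example; a real deployment would read its own log format and tune the window.

```python
"""Detective control: flag bursts of failed logins from one source.

Added example for the 'Types of Controls' slide. The log format, sample
lines, addresses and thresholds are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGIN FAIL user=alice src=10.0.0.5
2024-03-01T09:00:03 LOGIN FAIL user=alice src=10.0.0.5
2024-03-01T09:00:04 LOGIN FAIL user=admin src=10.0.0.5
2024-03-01T09:00:06 LOGIN FAIL user=root src=10.0.0.5
2024-03-01T09:00:07 LOGIN FAIL user=bob src=10.0.0.5
2024-03-01T09:00:20 LOGIN OK user=alice src=10.0.0.5
2024-03-01T09:05:00 LOGIN FAIL user=carol src=10.0.0.9
2024-03-01T10:30:00 LOGIN FAIL user=carol src=10.0.0.9
2024-03-01T11:00:00 LOGIN OK user=carol src=10.0.0.9
"""

# Assumed line layout: "<ISO timestamp> LOGIN <OK|FAIL> user=<name> src=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # a detector should not crash on an odd line
        events.append({
            "ts": datetime.fromisoformat(match["ts"]),
            "result": match["result"],
            "user": match["user"],
            "src": match["src"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source that has >= threshold failures within `window`.

    A sliding window over the time-sorted failures of each source catches a
    burst even when successful logins are interleaved with it.
    """
    failures = defaultdict(list)
    for event in events:
        if event["result"] == "FAIL":
            failures[event["src"]].append(event)

    alerts = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({
                    "src": src,
                    "count": count,
                    "users": sorted({e["user"] for e in evs[start:end + 1]}),
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                })
                break  # one alert per source is enough for this demo
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert['src']}: {alert['count']} failed logins "
              f"against {alert['users']} between {alert['first']} and {alert['last']}")
```

In the sample, 10.0.0.5 trips the detector (five failures against four different accounts in six seconds) while 10.0.0.9 does not, because its two failures are more than a minute apart. The alert is the detective output; pairing it with a preventive control such as a temporary lockout, and a corrective one such as forcing a password reset, covers all three control types from the slide.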
Cont.
- IS Security Mechanisms:
  - Developing an information system security policy
  - Use of an authentication mechanism
  - Access control
  - Back-ups
  - Firewalls
  - Intrusion detection system
  - Physical security
IS Security Policy & Procedure
- Policies and procedures include:
  - Information policy: handling, storage, transmission, and destruction
  - Security policy: access limitations, audit-control software, firewalls, etc.
  - Use policy: proper use
  - Backup policy: requirements for critical data
  - Account management policy: adding & removing users
  - Incident handling procedures: list the procedures to follow when handling a security breach
  - Disaster recovery plan: restore computer operations in case of a natural or deliberate disaster
Authentication Mechanism
- Use of passwords: secret alphanumeric text used for authentication
  - can be compromised if it is weak
- Use of keys or smart cards:
  - can be easily stolen/lost
- Use of physical characteristics
  - Biometric: identification via fingerprints, retinal patterns in the eye, facial features, or other bodily characteristics
Access Control
- Determines which users are authorized to read, write, modify, add or delete after logging in with a password
- Only those with such capabilities are allowed to perform those functions
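The following Python ties the authentication and access-control slides together as an added example; it is not code from the slides or from any product. A user enrols with a password that is rejected if weak, the password is stored as a salted PBKDF2 hash rather than as plain text, and after a successful login every requested operation is checked against an explicit permission table where anything not listed is denied (least privilege). The user names, passwords, resources and permission table are constructed, and the PBKDF2 round count is an assumption for the demo.

```python
"""Authenticate (salted password hash) and then authorize (default-deny table).

Added example for the 'Authentication Mechanism' and 'Access Control' slides.
Names, passwords, resources and the permission table are constructed.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption for this demo; production values are higher


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_weak_password(password):
    """A deliberately small weakness check: too short, or on a constructed blocklist."""
    blocklist = {"password", "123456", "qwerty", "letmein"}
    return len(password) < 12 or password.lower() in blocklist


class UserStore:
    """Holds only salts and digests; plain-text passwords are never stored."""

    def __init__(self):
        self._users = {}

    def enrol(self, username, password):
        if is_weak_password(password):
            raise ValueError("weak password rejected")
        self._users[username] = hash_password(password)

    def authenticate(self, username, password):
        record = self._users.get(username)
        if record is None:
            hash_password(password)  # same cost for unknown users, so timing leaks nothing
            return False
        salt, stored = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(stored, candidate)  # constant-time comparison


# Constructed permission table: (user, resource) -> allowed operations.
# Anything not listed here is denied, which is the least-privilege default.
PERMISSIONS = {
    ("alice", "payroll"): {"read", "write", "modify"},
    ("bob", "payroll"): {"read"},
    ("carol", "inventory"): {"read", "add", "delete"},
}
OPERATIONS = {"read", "write", "modify", "add", "delete"}


def is_authorized(username, resource, operation):
    """True only if the table explicitly grants this operation on this resource."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    return operation in PERMISSIONS.get((username, resource), set())


def access(store, username, password, resource, operation):
    """Login first, then check authorization; returns 'ok', 'login failed' or 'denied'."""
    if not store.authenticate(username, password):
        return "login failed"
    if not is_authorized(username, resource, operation):
        return "denied"
    return "ok"


def demo_store():
    """Build a store with two constructed users for the demo."""
    store = UserStore()
    store.enrol("alice", "correct horse battery")
    store.enrol("bob", "a-long-enough-pass-phrase")
    return store


if __name__ == "__main__":
    store = demo_store()
    print(access(store, "alice", "correct horse battery", "payroll", "write"))   # ok
    print(access(store, "bob", "a-long-enough-pass-phrase", "payroll", "write"))  # denied
    print(access(store, "bob", "wrong guess", "payroll", "read"))                 # login failed
```

Two design points are worth noting: authentication failure and authorization failure are reported separately to the caller but both refuse the operation, and the permission check looks up an explicit grant rather than searching for a prohibition, so a user absent from the table gets nothing by default.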
Physical Security
- Locked doors
- Physical intrusion detection
- Security cameras
- Secured equipment – e.g. hard disks kept locked
- Environmental monitoring
  - monitoring temperature, humidity and airflow for servers and other high-value equipment
- Employee training – how to secure
Antivirus
- Used to prevent, detect and remove malware
- It runs in the background at all times.
- It should be kept updated.
- It runs computer disk scans periodically.
- E.g. McAfee, Norton, Kaspersky.
