
Security of Information Systems

Computer Crime
The Association of Information Technology Professionals (AITP) definition includes:
The unauthorized use, access, modification, and destruction of hardware, software, data, or network resources
Unauthorized release of information
Unauthorized copying of software
Denying an end user his/her own hardware, software, data, or network resources
Using computer or network resources to illegally obtain information or tangible property

Hacking
The obsessive use of computers, or the unauthorized access and use of networked computer systems

Unauthorized use at work
Also called time and resource theft
May range from doing private consulting or personal finances, to playing video games, to unauthorized use of the Internet on company networks

Software Piracy
Unauthorized copying of software
Software is intellectual property protected by copyright law and user licensing agreements

Piracy of intellectual property
Other forms of intellectual property covered by copyright law include music, videos, images, articles, books, and other written works

Computer viruses and worms
Virus
A program that cannot work without being inserted into another program
Can destroy programs or data, clog computer memory, generate an unnecessary payload, etc.

Worm
A distinct program that can run unaided
Copies itself from one computer to other computers over the network

Trojan horse
Does not replicate, but serves as a way for other viruses to enter the computer system

Spoofing
Hiding the hacker's true identity or email address, or redirecting a Web link to a different web site that benefits the hacker

Sniffer
An eavesdropping program that monitors network information and can enable hackers to steal proprietary information transmitted over the network

Denial of service (DoS) attacks
Flooding a network or server with thousands of false communications to crash or disrupt the network
A DoS attacker uses thousands of zombie (slave) PCs without their owners' knowledge; hackers build these botnets by taking control of other people's computers

Identity theft
In identity theft, a fraudster obtains key pieces of personal information in order to obtain credit, merchandise, or false credentials

Phishing
Setting up fake web sites and sending emails that look like legitimate business e-mails, asking for bank and credit card information and other confidential data

Evil twins
Wireless networks that look identical to a legitimate public network, set up to capture personal information from users who log on to them

Security Management

Tools of Security Management
Goal
Minimize errors, fraud, and losses in the e-business systems that interconnect businesses with their customers, suppliers, and other stakeholders

Internetworked Security Defenses

Encryption
Passwords, messages, files, and other data are transmitted in scrambled form and unscrambled for authorized users
Involves using special mathematical algorithms to transform digital data into scrambled code
The most widely used method uses a pair of public and private keys unique to each individual

Public Key Encryption
A digital signature is a digital code attached to an electronically transmitted message that is used to verify the origin and contents of the message
Digital certificates are data files used to establish the identity of users and electronic assets for the protection of online transactions
A digital certificate system uses a trusted third party known as a certificate authority (CA) to validate a user's identity
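The signature and certificate flow described above, as an added example in Go that is not part of the original slides. Ed25519 from the Go standard library plays the role of the public/private key pair; the party names, the message text, and the toy certificate layout (subject name plus public key, signed by the CA) are assumptions made for this illustration, not a real certificate format. The demo checks that a genuine message verifies, and that a tampered message, a signature from the wrong key, and a certificate the CA never issued are all rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Party holds one participant's key pair. The private key never leaves the
// party; the public key is what a certificate distributes to everyone else.
type Party struct {
	Name    string
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewParty generates a fresh Ed25519 key pair for the named participant.
func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Public: pub, private: priv}, nil
}

// Sign produces the digital code that is attached to a message.
func (p *Party) Sign(msg []byte) []byte {
	return ed25519.Sign(p.private, msg)
}

// Certificate binds a subject name to a public key; the CA's signature over
// that binding is what lets a stranger trust the key. Toy layout for this
// example (assumption): real certificates use X.509 encoding.
type Certificate struct {
	Subject string
	Public  ed25519.PublicKey
	CASig   []byte
}

// certBody is the byte string the CA signs: name and key together, so that
// neither can be swapped without invalidating the CA's signature.
func certBody(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// Issue lets the CA vouch for a party's identity.
func (ca *Party) Issue(subject *Party) Certificate {
	return Certificate{Subject: subject.Name, Public: subject.Public,
		CASig: ca.Sign(certBody(subject.Name, subject.Public))}
}

// VerifyCert checks the CA's signature on the name/key binding.
func VerifyCert(caPub ed25519.PublicKey, c Certificate) bool {
	return ed25519.Verify(caPub, certBody(c.Subject, c.Public), c.CASig)
}

// VerifyMessage is what the relying party runs: trust the certificate via the
// CA, then check the message signature with the key the certificate carries.
func VerifyMessage(caPub ed25519.PublicKey, c Certificate, msg, sig []byte) bool {
	return VerifyCert(caPub, c) && ed25519.Verify(c.Public, msg, sig)
}

// DemoResult reports the outcome of the four verification checks.
type DemoResult struct {
	Genuine, Tampered, WrongKey, ForgedCert bool
}

// Demo runs the exchange between a CA, a legitimate sender and an impostor.
func Demo() (DemoResult, error) {
	var r DemoResult
	ca, err := NewParty("Example CA")
	if err != nil {
		return r, err
	}
	alice, err := NewParty("alice")
	if err != nil {
		return r, err
	}
	eve, err := NewParty("eve")
	if err != nil {
		return r, err
	}
	cert := ca.Issue(alice)
	msg := []byte("Pay 100 to account 42") // constructed message
	sig := alice.Sign(msg)

	r.Genuine = VerifyMessage(ca.Public, cert, msg, sig)
	// Contents changed in transit: the original signature no longer matches.
	r.Tampered = VerifyMessage(ca.Public, cert, []byte("Pay 900 to account 42"), sig)
	// Origin forged: eve signs the message with her own key, not alice's.
	r.WrongKey = VerifyMessage(ca.Public, cert, msg, eve.Sign(msg))
	// Identity forged: a certificate for "alice" that the CA never signed.
	forged := Certificate{Subject: "alice", Public: eve.Public,
		CASig: eve.Sign(certBody("alice", eve.Public))}
	r.ForgedCert = VerifyMessage(ca.Public, forged, msg, eve.Sign(msg))
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r) // {Genuine:true Tampered:false WrongKey:false ForgedCert:false}
}
```

The two-step check in VerifyMessage is the point of the slide: the CA's signature establishes whose key it is, and the sender's signature establishes that the contents are unchanged; either check failing on its own is enough to reject the message.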

Firewalls
A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic
Serves as a gatekeeper system that protects a company's intranets and other computer networks from intrusion
Provides a filter and safe transfer point
Screens all network traffic for proper passwords or other security codes
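A first-match, default-deny packet filter of the kind the slide describes, as an added Go example that is not taken from the slides. The rule set, the addresses and the ports are constructed for illustration (203.0.113.0/24 is a documentation range and 10.0.0.0/8 a private one); a real firewall would also track connection state, but the filtering decision shown here is the gatekeeper behaviour the slide refers to.

```go
package main

import (
	"fmt"
	"net"
)

// Direction says whether a packet is entering or leaving the protected network.
type Direction int

const (
	Inbound Direction = iota
	Outbound
)

func (d Direction) String() string {
	if d == Inbound {
		return "in"
	}
	return "out"
}

// Packet is the minimum a packet filter looks at for each flow.
type Packet struct {
	Dir     Direction
	Src     net.IP
	Proto   string // "tcp" or "udp"
	DstPort int
}

// Rule matches packets; zero-valued fields (nil network, empty proto, port 0) mean "any".
type Rule struct {
	Dir     Direction
	SrcNet  *net.IPNet
	Proto   string
	DstPort int
	Allow   bool
	Comment string
}

type Firewall struct{ Rules []Rule }

// Decide walks the rules in order; the first match wins. A packet that matches
// nothing is dropped: default deny is what makes the firewall a gatekeeper
// rather than a sieve. The index of the matching rule is returned for logging.
func (f *Firewall) Decide(p Packet) (allow bool, rule int) {
	for i, r := range f.Rules {
		if r.Dir != p.Dir {
			continue
		}
		if r.SrcNet != nil && !r.SrcNet.Contains(p.Src) {
			continue
		}
		if r.Proto != "" && r.Proto != p.Proto {
			continue
		}
		if r.DstPort != 0 && r.DstPort != p.DstPort {
			continue
		}
		return r.Allow, i
	}
	return false, -1
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// NewCorporateFirewall builds an illustrative rule set (constructed for this
// example): the public web service is reachable from anywhere, remote
// administration only from the intranet, and outbound traffic is limited to
// web and DNS.
func NewCorporateFirewall() *Firewall {
	return &Firewall{Rules: []Rule{
		{Dir: Inbound, SrcNet: mustCIDR("10.0.0.0/8"), Proto: "tcp", DstPort: 22, Allow: true, Comment: "SSH from intranet"},
		{Dir: Inbound, Proto: "tcp", DstPort: 443, Allow: true, Comment: "HTTPS from anywhere"},
		{Dir: Inbound, Proto: "tcp", DstPort: 22, Allow: false, Comment: "SSH from elsewhere: explicit deny"},
		{Dir: Outbound, Proto: "tcp", DstPort: 443, Allow: true, Comment: "web browsing"},
		{Dir: Outbound, Proto: "udp", DstPort: 53, Allow: true, Comment: "DNS"},
	}}
}

func main() {
	fw := NewCorporateFirewall()
	samples := []Packet{ // constructed traffic
		{Inbound, net.ParseIP("203.0.113.5"), "tcp", 443},
		{Inbound, net.ParseIP("203.0.113.5"), "tcp", 22},
		{Inbound, net.ParseIP("10.1.2.3"), "tcp", 22},
		{Inbound, net.ParseIP("203.0.113.5"), "tcp", 3389},
		{Outbound, net.ParseIP("10.1.2.3"), "tcp", 25},
	}
	for _, p := range samples {
		allow, rule := fw.Decide(p)
		fmt.Printf("%-4v %-14s %s/%-5d allow=%-5t rule=%d\n", p.Dir, p.Src, p.Proto, p.DstPort, allow, rule)
	}
}
```

Rule order matters: the intranet SSH rule sits above the general SSH deny, so the same port is allowed or refused depending on where the packet comes from, and anything the list does not mention (RDP inbound, SMTP outbound) is refused by the default at the end.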

Intrusion Detection Systems
Protect against suspicious network traffic and attempts to access files
Placed at the most vulnerable points of a corporate network
Generate alarms for computer attacks

Denial of Service Defenses
These assaults depend on three layers of networked computer systems:
The victim's website
The victim's ISP
The sites of zombie or slave computers
Defensive measures and security precautions must be taken at all three levels
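An added Go example, not from the slides, that serves both the intrusion detection slide and the denial-of-service defense slide: it runs simple detection logic over a constructed connection and file-access log, raising an alarm when one host receives more connections within a sliding window than a threshold allows (the flood pattern, reporting the number of distinct sources as an indicator that zombie machines are involved) and when one user is repeatedly denied access to files. The log format, the thresholds and every address and user name are invented for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Alert is what the IDS raises for the operator.
type Alert struct {
	Kind    string // "FLOOD" (many connections to one host) or "FILE_ACCESS" (repeated denied access)
	Subject string // the target host or the user concerned
	Detail  string
}

// Config holds the thresholds; the values are small so the sample log trips them.
type Config struct {
	Window          time.Duration // sliding window for counting connections
	FloodThreshold  int           // connections to one host within Window that count as a flood
	DeniedThreshold int           // denied file accesses by one user that count as probing
}

var DefaultConfig = Config{Window: 10 * time.Second, FloodThreshold: 5, DeniedThreshold: 3}

// SampleLog is a constructed log in a "<time> <EVENT> k=v ..." format invented here.
var SampleLog = []string{
	"2024-05-01T10:00:00Z CONN src=198.51.100.11 dst=10.0.0.5 dport=80",
	"2024-05-01T10:00:01Z CONN src=198.51.100.12 dst=10.0.0.5 dport=80",
	"2024-05-01T10:00:01Z CONN src=198.51.100.13 dst=10.0.0.5 dport=80",
	"2024-05-01T10:00:02Z CONN src=192.0.2.9 dst=10.0.0.6 dport=443",
	"2024-05-01T10:00:02Z CONN src=198.51.100.14 dst=10.0.0.5 dport=80",
	"2024-05-01T10:00:03Z CONN src=198.51.100.11 dst=10.0.0.5 dport=80",
	"2024-05-01T10:00:04Z FILE user=guest path=/finance/payroll.xls result=DENIED",
	"2024-05-01T10:00:05Z FILE user=alice path=/finance/payroll.xls result=OK",
	"2024-05-01T10:00:06Z FILE user=guest path=/hr/salaries.csv result=DENIED",
	"2024-05-01T10:00:07Z FILE user=guest path=/finance/ledger.db result=DENIED",
}

// parseLine splits "<RFC3339 time> <EVENT> k=v k=v ..." into its parts.
func parseLine(line string) (ts time.Time, kind string, kv map[string]string, ok bool) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return
	}
	kv = map[string]string{}
	for _, field := range f[2:] {
		if pair := strings.SplitN(field, "=", 2); len(pair) == 2 {
			kv[pair[0]] = pair[1]
		}
	}
	return ts, f[1], kv, true
}

// Analyze replays the log in order and returns one alert per host or user the
// first time it crosses a threshold.
func Analyze(lines []string, cfg Config) []Alert {
	var alerts []Alert
	conns := map[string][]time.Time{}       // dst -> connection times still inside the window
	sources := map[string]map[string]bool{} // dst -> distinct source addresses seen
	flooded := map[string]bool{}
	denied := map[string]int{}
	reported := map[string]bool{}
	for _, line := range lines {
		ts, kind, kv, ok := parseLine(line)
		if !ok {
			continue
		}
		switch kind {
		case "CONN":
			dst := kv["dst"]
			keep := conns[dst][:0] // drop timestamps that have aged out of the window
			for _, t := range conns[dst] {
				if ts.Sub(t) < cfg.Window {
					keep = append(keep, t)
				}
			}
			conns[dst] = append(keep, ts)
			if sources[dst] == nil {
				sources[dst] = map[string]bool{}
			}
			sources[dst][kv["src"]] = true
			if len(conns[dst]) >= cfg.FloodThreshold && !flooded[dst] {
				flooded[dst] = true
				alerts = append(alerts, Alert{"FLOOD", dst, fmt.Sprintf(
					"%d connections within %s from %d distinct sources", len(conns[dst]), cfg.Window, len(sources[dst]))})
			}
		case "FILE":
			if kv["result"] != "DENIED" {
				continue
			}
			user := kv["user"]
			denied[user]++
			if denied[user] >= cfg.DeniedThreshold && !reported[user] {
				reported[user] = true
				alerts = append(alerts, Alert{"FILE_ACCESS", user, fmt.Sprintf("%d denied file accesses", denied[user])})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Analyze(SampleLog, DefaultConfig) {
		fmt.Printf("ALARM %-11s %-10s %s\n", a.Kind, a.Subject, a.Detail)
	}
}
```

Both detectors are stateful counters over a stream, which is why the slide says the sensor belongs at the network's most vulnerable points: it only sees the traffic that passes the point where it is placed. The distinct-source count in the flood alert is what distinguishes a botnet flood from a single misbehaving client.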

E-mail Monitoring
Systematic monitoring of corporate e-mail traffic using content-monitoring software that scans for troublesome words that might compromise corporate security

Virus Defenses
Protection may be accomplished through:
Centralized distribution and updating of antivirus software
Outsourcing the virus protection responsibility to ISPs or to telecommunications or security management companies

Other Security Measures

Biometric Security
Measures physical traits that make each individual unique: voice, fingerprints, hand geometry, signature dynamics, keystroke analysis, retina scanning, face recognition

Ensuring system availability

Computer Failure Controls
Preventive maintenance of hardware and management of software updates
Backup computer systems
Carefully scheduled hardware or software changes
Highly trained data center personnel

Fault Tolerant Systems
Computer systems that have redundant processors, peripherals, and software
Detect hardware failures and switch to a backup device
The objective is to minimize downtime and ensure business continuity

Disaster Recovery Planning
Plans for the restoration of the system after it has been disrupted by an event such as an earthquake, flood, or terrorist attack

Business Continuity Planning
Identifies critical business processes and plans for handling those functions

Security Policy
Consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals

Risk Assessment
Determines the level of risk to the firm if a specific activity or process is not properly controlled
Business managers and information systems specialists determine the value of information assets, points of vulnerability, the likely frequency of a problem, and the potential for damage

Exposure          Probability    Loss       Expected annual loss
Power failure     30%            102,500    30,750
Embezzlement      5%             25,500     1,275
User error        98%            20,100     19,698

Expected annual loss is the probability of the exposure multiplied by the loss from one occurrence. Concentrate on the control points with the greatest vulnerability and potential for loss in order to minimize overall cost and maximize defenses.
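Worked computation of the table above as an added Go example (not from the slides): it computes the expected annual loss for each exposure, ranks the exposures so the control points with the greatest potential for loss come first, and adds a cost/benefit check for a candidate control. The probabilities and losses are the slide's figures; the UPS cost and the reduced probability used in the cost/benefit check are constructed assumptions, as is the cost/benefit step itself, which the slide only implies.

```go
package main

import (
	"fmt"
	"sort"
)

// Exposure is one row of a risk assessment: how likely a loss event is in a
// year and what one occurrence costs.
type Exposure struct {
	Name        string
	Probability float64 // annual likelihood, 0..1
	Loss        float64 // loss per occurrence, in currency units
}

// ExpectedAnnualLoss is probability times loss, the figure the table reports.
func (e Exposure) ExpectedAnnualLoss() float64 {
	return e.Probability * e.Loss
}

// Rank orders exposures by expected annual loss, largest first, so the control
// points worth the most attention come out on top.
func Rank(exposures []Exposure) []Exposure {
	ranked := append([]Exposure(nil), exposures...)
	sort.SliceStable(ranked, func(i, j int) bool {
		return ranked[i].ExpectedAnnualLoss() > ranked[j].ExpectedAnnualLoss()
	})
	return ranked
}

// Total sums the expected annual loss over all exposures.
func Total(exposures []Exposure) float64 {
	sum := 0.0
	for _, e := range exposures {
		sum += e.ExpectedAnnualLoss()
	}
	return sum
}

// ControlBenefit estimates the net annual value of a control that lowers an
// exposure's probability to newProbability at annualCost. This cost/benefit
// step is an assumption added for illustration; the slide states only the goal
// of minimising overall cost.
func ControlBenefit(e Exposure, newProbability, annualCost float64) (net float64, worthwhile bool) {
	reduced := Exposure{e.Name, newProbability, e.Loss}
	net = e.ExpectedAnnualLoss() - reduced.ExpectedAnnualLoss() - annualCost
	return net, net > 0
}

// SlideExposures reproduces the three rows of the slide's table.
var SlideExposures = []Exposure{
	{"Power failure", 0.30, 102500},
	{"Embezzlement", 0.05, 25500},
	{"User error", 0.98, 20100},
}

func main() {
	fmt.Printf("%-14s %11s %10s %20s\n", "Exposure", "Probability", "Loss", "Expected annual loss")
	for _, e := range Rank(SlideExposures) {
		fmt.Printf("%-14s %10.0f%% %10.0f %20.0f\n", e.Name, e.Probability*100, e.Loss, e.ExpectedAnnualLoss())
	}
	fmt.Printf("total expected annual loss: %.0f\n", Total(SlideExposures))
	// Constructed figures: a UPS that cuts power-failure probability to 5% for 8,000 a year.
	net, ok := ControlBenefit(SlideExposures[0], 0.05, 8000)
	fmt.Printf("UPS net annual benefit: %.0f (worthwhile: %t)\n", net, ok)
}
```

Ranking by expected annual loss rather than by probability alone is what the slide's advice amounts to: user error is almost certain but cheap per incident, while power failure is less likely but costs the most, so it is the first control point to spend on.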

System Controls and Audits

Information System Controls
Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities
Designed to monitor and maintain the quality and security of input, processing, and storage activities

Auditing Business Systems
Reviews and evaluates whether proper and adequate security measures and management policies have been developed and implemented
Reviews technologies, procedures, documentation, training, and personnel
