Transcript Week 9

COIS11011 WEEK 9

Chapter 6: Securing Information Systems

“66 percent of all Webroot-scanned personal computers are infected with at least 25 spyware programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet


Primary Threats to Information Systems Security

• Accidents and natural disasters
o Power outages, cats walking across keyboards
• Employees and consultants
• Links to outside business contacts
o Travel between business affiliates
• Outsiders
• Viruses

Unauthorized Access

• Unauthorized people
o Look through electronic data
o Peek at monitors
o Intercept electronic communication
• Theft of computers or storage media
• Determined hackers gain administrator status

Gaining Access to a Password

• Brute force
o Try combinations until a match is found
• Protection:
o Wait time requirements after unsuccessful login attempt
o CAPTCHA
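As an added example (not from the slides or the textbook), a login throttle that enforces the wait-time requirement after unsuccessful attempts, plus a simulation that counts how many password checks the throttle lets through against one account in an hour. The parameters (three free attempts, a wait that starts at 1 s and doubles, capped at 15 minutes) are assumptions chosen to show the effect.

```python
"""Added example: wait-time requirement after unsuccessful login attempts.

Not from the slides; the parameter values are assumptions, not textbook figures.
"""
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive unsuccessful attempts
    locked_until: float = 0.0  # clock time before which further attempts are refused


class LoginThrottle:
    """Refuses attempts on an account until a wait time has elapsed.

    The first `free_attempts` failures cost nothing (typos happen); after that the
    wait doubles with every further failure, up to `max_wait` seconds.
    """

    def __init__(self, base_wait=1.0, max_wait=900.0, free_attempts=3):
        self.base_wait = base_wait
        self.max_wait = max_wait
        self.free_attempts = free_attempts
        self.state = {}  # user -> AccountState

    def wait_for(self, failures):
        """Seconds to wait after `failures` consecutive unsuccessful attempts."""
        over = failures - self.free_attempts
        if over <= 0:
            return 0.0
        return min(self.base_wait * 2 ** (over - 1), self.max_wait)

    def attempt(self, user, password, now, check_password):
        """Return "WAIT", "OK" or "FAIL".

        `now` is the caller's clock in seconds; `check_password(user, password)`
        is the real credential check (a stand-in callable in this example).
        """
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "WAIT"  # refused without even checking the password
        if check_password(user, password):
            st.failures = 0
            return "OK"
        st.failures += 1
        st.locked_until = now + self.wait_for(st.failures)
        return "FAIL"


def guesses_in_window(throttle, user, window_seconds):
    """Worst case for the defender: every attempt is wrong and the next one is made
    the instant the wait ends. Counts how many password checks fit in the window."""
    now = 0.0
    count = 0
    while True:
        st = throttle.state.get(user)
        if st is not None and now < st.locked_until:
            now = st.locked_until  # earliest moment the next attempt is accepted
        if now >= window_seconds:
            return count
        throttle.attempt(user, "wrong-guess", now, lambda u, p: False)
        count += 1


if __name__ == "__main__":
    def ok(user, password):
        return password == "correct horse"

    t = LoginThrottle()
    for _ in range(4):
        t.attempt("alice", "wrong", 0.0, ok)
    print(t.attempt("alice", "correct horse", 0.5, ok))  # WAIT: inside the 1 s wait
    print(t.attempt("alice", "correct horse", 1.0, ok))  # OK
    print(guesses_in_window(LoginThrottle(), "bob", 3600))  # checks per hour per account
```

The throttle is per account, so it bounds guessing against one account but not a slow spread of guesses across many accounts; that case needs the CAPTCHA or a source-based limit as well.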

Information Modification

• User accesses electronic information
• User changes information
o Employee gives himself a raise

Denial of Service Attack

• Attackers prevent legitimate users from accessing services
• Zombie computers
o Created by viruses or worms
o Attack Web sites

Computer Viruses

• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a computer
• Worms
o Variation of a virus
o Replicate endlessly across the Internet
o Servers crash
• MyDoom attack on Microsoft’s Web site

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes
• Eats up computer’s memory and network bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization

Spam

• Electronic junk mail
• Advertisements of products and services
• Eats up storage space
• Compromises network bandwidth
• Spim
o Spam over IM

Protection Against Spam

• Barracuda Spam Firewall 600
o Filters spam and other e-mail threats
o Decreases amount of spam processed by the central e-mail server
o Handles 3,000 – 10,000 active e-mail users
o Spam messages blocked or quarantined

Phishing

• Attempts to trick users into giving away credit card numbers
• Phony messages
• Duplicates of legitimate Web sites
o E.g., eBay, PayPal have been used

Cookies

• Messages passed to a Web browser from a Web server
• Used for Web site customization
• Cookies may contain sensitive information
• Cookie management and cookie killer software
• Internet Explorer Web browser settings

Other Threats to IS Security

1. Employees writing passwords on paper
2. No installation of antivirus software
3. Use of default network passwords
4. Letting outsiders view monitors

Other Threats to IS Security (II)

5. Organizations fail to limit access to some files
6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful


Safeguarding Information Systems Resources

• Information systems audits
o Risk analysis
• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party

Technological Safeguards

• Physical access restrictions
o Authentication
  • Use of passwords
  • Photo ID cards, smart cards
  • Keys to unlock a computer
  • Combination
• Authentication limited to
o Something you have
o Something you know
o Something you are

Biometrics

• Form of authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.
• Fast authentication
• High security

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

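As an added example (not from the slides or the textbook), an access-control check that combines the three controls listed above: access only to the files a person needs for their work, read-only permission, and allowed time periods. The users, file paths and hours in the policy are constructed for illustration.

```python
"""Added example: access-control check with least privilege, read-only access
and allowed time periods. Policy below is constructed, not real."""
from datetime import datetime

# Each rule grants one user a set of operations on one file, valid only within
# [start_hour, end_hour) local time. Anything not granted here is denied, so a
# user can reach only the files required for their work.
POLICY = [
    # user            file                   operations         hours
    ("payroll_clerk", "/hr/payroll.xlsx",    {"read", "write"}, (8, 18)),
    ("auditor",       "/hr/payroll.xlsx",    {"read"},          (8, 18)),  # read-only
    ("auditor",       "/finance/ledger.csv", {"read"},          (0, 24)),
    ("backup_svc",    "/hr/payroll.xlsx",    {"read"},          (1, 3)),   # nightly window only
]


def check_access(user, path, op, when, policy=POLICY):
    """Return (allowed, reason). Default deny: only an explicit rule can allow."""
    rules = [r for r in policy if r[0] == user and r[1] == path]
    if not rules:
        return False, "no access to this file"
    with_op = [r for r in rules if op in r[2]]
    if not with_op:
        return False, f"{op} not permitted"          # e.g. write on a read-only grant
    in_hours = [r for r in with_op if r[3][0] <= when.hour < r[3][1]]
    if not in_hours:
        return False, "outside allowed time period"
    return True, "allowed"


def review_requests(requests, policy=POLICY):
    """Evaluate (user, path, op, when) requests; return the denied ones with reasons."""
    denied = []
    for user, path, op, when in requests:
        allowed, reason = check_access(user, path, op, when, policy)
        if not allowed:
            denied.append((user, path, op, reason))
    return denied


def at(hour, minute=0):
    """Helper: a fixed (constructed) date at the given local time."""
    return datetime(2024, 3, 4, hour, minute)


if __name__ == "__main__":
    sample = [
        ("payroll_clerk", "/hr/payroll.xlsx", "write", at(10)),   # allowed
        ("auditor", "/hr/payroll.xlsx", "write", at(10)),         # read-only grant
        ("auditor", "/hr/payroll.xlsx", "read", at(20)),          # after hours
        ("intern", "/hr/payroll.xlsx", "read", at(10)),           # not needed for work
        ("backup_svc", "/hr/payroll.xlsx", "read", at(2)),        # inside backup window
    ]
    for d in review_requests(sample):
        print(d)
```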

Wireless LAN Control

• Wireless LAN cheap and easy to install
• Use on the rise
• Signal transmitted through the air
o Susceptible to being intercepted
o Drive-by hacking

Virtual Private Networks

• Connection constructed dynamically within an existing network
• Secure tunnel
o Encrypted information

Firewalls

• System designed to detect intrusion and prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for certain applications
o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all messages; Network Address Translation
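As an added example (not from the slides or the textbook), a small packet filter of the kind the first approach describes: every packet is examined against an ordered rule list, the first match decides, and anything unmatched is denied. The addresses, ports and rules are constructed (documentation address ranges, not real hosts).

```python
"""Added example: packet-filter firewall that examines each packet against ordered
rules with a default deny. Rule set and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, p):
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Rules for the Internet-facing side of a small public segment. Order matters:
# the first matching rule wins, so the spoofing check comes before any allow.
RULES = [
    Rule("deny", src="10.0.0.0/8"),                                # private source seen from outside
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),  # public web server, HTTPS
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=80),   # and HTTP
    Rule("allow", dst="203.0.113.20/32", proto="udp", dport=53),   # public DNS
]


def filter_packet(p, rules=RULES):
    """Examine one packet; return the action of the first matching rule, else deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"  # default deny: anything not explicitly allowed is dropped


def filter_many(packets, rules=RULES):
    """Return [(packet, action), ...] for a batch of packets."""
    return [(p, filter_packet(p, rules)) for p in packets]


if __name__ == "__main__":
    for p, action in filter_many([
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),  # allow
        Packet("198.51.100.7", "203.0.113.10", "tcp", 23),   # deny: telnet not opened
        Packet("10.1.2.3", "203.0.113.10", "tcp", 443),      # deny: spoofed source
        Packet("198.51.100.7", "203.0.113.20", "tcp", 53),   # deny: only UDP DNS allowed
    ]):
        print(action, p)
```

A filter like this examines each packet on its own, so it cannot tell a reply to an inside connection from an unsolicited packet; that distinction is what the circuit-level (connection-based) approach on the slide adds.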

Firewall Architecture

a) Basic software firewall for a home network
b) Firewall router
  • Home office
  • Small office

Firewall Architecture: Larger Organization

Encryption

• Message encoded before sending
• Message decoded when received
• Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system
  • Sender and recipient use the same key
  • Cons: Management problems
o Public key technology
  • Asymmetric key system
  • Each individual has a pair of keys
    o Public key – freely distributed
    o Private key – kept secret

How Encryption Works (Asymmetric)

Encryption for Websites

• Certificate Authority
o Third party – trusted middleman
  • Verifies trustworthiness of a Web site
  • Checks for identity of a computer
  • Provides public keys
• Secure Sockets Layer (SSL)
o Developed by Netscape
o Popular public-key encryption method

Other Encryption Approaches

• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology
  • Limited use by organizations
• 1991 – Pretty Good Privacy
o Versatile encryption program
o Global favorite
• 1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs


Recommended Virus Precautions

• Purchase and install antivirus software
o Update frequently
• Do not download data from unknown sources
o Flash drives, disks, Web sites
• Delete (without opening) e-mail from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail
o Record of users
o Record of activities
• IT department needs to monitor this activity
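As an added example (not from the slides or the textbook), an audit-trail review that reads a record of users and their activities and spots the kinds of suspicious action the slide has in mind: activity on an account that should be disabled, activity outside business hours, and a burst of failed logins followed by a success. The log lines, the disabled-account list and the thresholds are constructed for illustration.

```python
"""Added example: audit-trail review that flags suspicious actions.
Sample log, account list and thresholds are constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail. Fields: timestamp, user, action, object ("-" if none), outcome.
AUDIT_LOG = """\
2024-03-04T09:02:11 alice   LOGIN - SUCCESS
2024-03-04T09:05:40 alice   READ  /hr/payroll.xlsx SUCCESS
2024-03-04T12:10:03 mallory LOGIN - FAILURE
2024-03-04T12:10:09 mallory LOGIN - FAILURE
2024-03-04T12:10:15 mallory LOGIN - FAILURE
2024-03-04T12:10:21 mallory LOGIN - FAILURE
2024-03-04T12:10:27 mallory LOGIN - FAILURE
2024-03-04T12:11:00 mallory LOGIN - SUCCESS
2024-03-04T23:48:52 bob     LOGIN - SUCCESS
2024-03-04T23:49:30 bob     WRITE /finance/ledger.csv SUCCESS
2024-03-05T08:30:00 carol   LOGIN - SUCCESS
"""

DISABLED_ACCOUNTS = {"bob"}         # assumed: bob has left; any activity is suspicious
BUSINESS_HOURS = (7, 20)            # assumed: routine activity expected 07:00-19:59 local
FAIL_THRESHOLD = 4                  # this many failures inside FAIL_WINDOW is a burst
FAIL_WINDOW = timedelta(minutes=5)


def parse_audit_log(text):
    """Turn the text trail into event dicts (the record of users and activities)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj, "outcome": outcome})
    return events


def review(events):
    """Return findings as (kind, user, timestamp) tuples, in log order."""
    findings = []
    recent_failures = defaultdict(list)  # user -> failure timestamps inside the window
    for e in events:
        user, ts = e["user"], e["ts"]
        if user in DISABLED_ACCOUNTS:
            findings.append(("disabled-account-activity", user, ts))
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(("off-hours-activity", user, ts))
        # slide the failure window forward before looking at this event
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW]
        if e["outcome"] == "FAILURE":
            recent_failures[user].append(ts)
            if len(recent_failures[user]) == FAIL_THRESHOLD:  # report once per burst
                findings.append(("failure-burst", user, ts))
        elif e["action"] == "LOGIN" and len(recent_failures[user]) >= FAIL_THRESHOLD:
            findings.append(("success-after-burst", user, ts))  # guessing may have worked
    return findings


def findings_by_user(findings):
    """Summarise findings as {user: sorted list of finding kinds}."""
    by_user = defaultdict(set)
    for kind, user, _ in findings:
        by_user[user].add(kind)
    return {u: sorted(k) for u, k in by_user.items()}


if __name__ == "__main__":
    for kind, user, ts in review(parse_audit_log(AUDIT_LOG)):
        print(f"{ts.isoformat()} {user:8} {kind}")
```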

Other Technological Safeguards

• Backups
o Secondary storage devices
o Regular intervals
• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording
• Uninterruptible power supply (UPS)
o Protection against power surges

Human Safeguards

• Use of federal and state laws as well as ethics


Managing Information Systems Security

• Non-technical safeguards
o Management of people’s use of IS
• Acceptable use policies
o Trustworthy employees
o Well-treated employees

Developing an Information Systems Security Plan

Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

Security Plan: Step 2

2. Policies and procedures – actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding new users
f. Incident handling procedures – handling security breach
g. Disaster recovery plan – restoration of computer operations

Security Plan: Remaining Steps

3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department
4. Training – organization’s personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT)
o Started after Morris worm disabled 10% of all computers connected to the Internet
• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT planning, implementation, management and operation

The State of Systems Security Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement
  • Fear of falling stock prices
o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important
  • Majority said they do not do enough training

Use of Security Technologies

• CSI/FBI computer crime and security survey respondents (2006)

End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60-80% of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
o Driving around densely populated areas
• “War spamming”
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
o FakeAP
• Network scanners distinguish between real and fake APs
o Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate spyware
• Webroot company data
o 66% of scanned PCs infected with at least 25 spyware programs
o Incidents of spyware slightly decreasing

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies
• Web browsers can protect against accepting cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available
• National Security Agency (NSA)

Is Big Brother Watching You

• Employers can use equipment to
o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees
• RFID and GPS
• Companies have rights to collect almost any information about employees while on the job

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines
• 675,000 incidents in 1 year
o Infrastructure information publicly available
o Most of Internet communication goes through cables buried along major highways and railroads
• Only two major routes across US for Internet traffic


Slide 2

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 3

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes
• Eats up computer’s memory and network bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization

6-11

Spam

• Electronic junk mail
• Advertisements of products and services
• Eats up storage space
• Compromises network bandwidth
• Spim
o Spam over IM

6-12

Protection Against Spam

• Barracuda Spam Firewall 600
o Filters spam and other email threats
o Decreases amount of spam processed by the central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantined

6-13

Phishing

• Attempts to trick users into giving away credit card numbers
• Phony messages
• Duplicates of legitimate Web sites
o E.g., eBay, PayPal have been used

6-14

Cookies

• Messages passed to a Web browser from a Web server
• Used for Web site customization
• Cookies may contain sensitive information
• Cookie management and cookie killer software
• Internet Explorer Web browser settings

6-15

Other Threats to IS Security

1. Employees writing passwords on paper
2. No installation of antivirus software
3. Use of default network passwords
4. Letting outsiders view monitors

6-16

Other Threats to IS Security (II)

5. Organizations fail to limit access to some files
6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful

6-17

Learning Objectives


6-18

Safeguarding Information Systems Resources

• Information systems audits
o Risk analysis – process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party

6-19

Technological Safeguards

• Physical access restrictions
o Authentication – use of passwords; photo ID cards, smart cards; keys to unlock a computer; combination
• Authentication limited to
o Something you have
o Something you know
o Something you are

6-20

Biometrics

• Form of authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.
• Fast authentication
• High security

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities


6-22
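
The three restrictions on the slide above (only the files required for work, read-only access, and allowed time periods) combined into one access decision, as an added example that is not code from the textbook or any product. The user, grants, paths and timestamps are constructed; the check also normalizes ".." in a requested path so a request cannot step out of a granted directory.

```python
"""Access-control decision for the three restrictions on the slide: access only
to files required for work, read-only access, and allowed time periods.

Added example; not code from the textbook or any product. The users, grants,
paths and timestamps are constructed for the demonstration.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Tuple

WEEKDAYS = frozenset(range(5))  # Monday..Friday


@dataclass(frozen=True)
class Grant:
    """One permission: a file or directory (trailing "/"), the access level
    and the period during which it may be used."""
    path: str
    read_only: bool = True
    hours: Optional[Tuple[time, time]] = None   # None = any time of day
    days: FrozenSet[int] = WEEKDAYS


def normalize(path: str) -> str:
    # Collapse "." and ".." so a request cannot step out of a granted directory.
    return posixpath.normpath(path)


def covers(grant_path: str, requested: str) -> bool:
    """True if the (normalized) requested path lies within the grant."""
    requested = normalize(requested)
    if grant_path.endswith("/"):
        return requested.startswith(grant_path)
    return requested == normalize(grant_path)


class AccessPolicy:
    def __init__(self, grants: Dict[str, List[Grant]]) -> None:
        self._grants = grants  # username -> grants

    def decide(self, user: str, path: str, op: str, when: datetime) -> Tuple[bool, str]:
        """Returns (allowed, reason). Anything not explicitly granted is denied."""
        for g in self._grants.get(user, []):
            if not covers(g.path, path):
                continue
            if op == "write" and g.read_only:
                return False, "read-only"
            if when.weekday() not in g.days:
                return False, "outside allowed days"
            if g.hours is not None and not (g.hours[0] <= when.time() <= g.hours[1]):
                return False, "outside allowed hours"
            return True, "allowed"
        return False, "no grant for this file"


if __name__ == "__main__":
    # Constructed: alice may read finance reports on weekdays, 08:00-18:00.
    policy = AccessPolicy({"alice": [Grant("/finance/reports/", hours=(time(8), time(18)))]})
    monday = datetime(2024, 1, 8, 10, 0)
    for req in ["/finance/reports/q1.xlsx", "/finance/reports/../payroll/salaries.xlsx"]:
        print(req, "->", policy.decide("alice", req, "read", monday))
```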

Wireless LAN Control

• Wireless LAN cheap and easy to install
• Use on the rise
• Signal transmitted through the air
o Susceptible to being intercepted
o Drive-by hacking

6-23

Virtual Private Networks

• Connection constructed dynamically within an existing network
• Secure tunnel
o Encrypted information

6-24

Firewalls

• System designed to detect intrusion and prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for certain applications
o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all messages; Network Address Translation

6-25
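
The packet-filter approach from the slide above ("each packet examined"), as an added example that is not code from the textbook or any firewall product: an ordered rule list, first match wins, and anything unmatched is dropped. The rule set and packets are constructed (addresses from the RFC 5737 documentation ranges), and the shadow check at the end is a configuration review a practitioner would run to catch a rule placed after a broader one that already covers it.

```python
"""First-match packet filter with a default-deny policy, the "packet filter"
approach on the Firewalls slide: every packet is compared with an ordered rule
list and the first rule that matches decides.

Added example, not code from the textbook or any firewall product. Addresses
come from the RFC 5737 documentation ranges; the rule set and packets are
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Returns (action, index of the deciding rule); ("deny", None) if nothing matched."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Configuration check: (j, i) pairs where rule j can never fire because an
    earlier rule i already matches everything rule j would match. Partial
    overlaps are not reported."""
    out = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if (ip_network(earlier.src).supernet_of(ip_network(later.src))
                    and ip_network(earlier.dst).supernet_of(ip_network(later.dst))
                    and (earlier.proto is None or earlier.proto == later.proto)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append((j, i))
                break
    return out


# Constructed rule set for a small office: one blocked partner host, the partner
# network allowed to the remote-desktop host, the public web server open on 80/443.
RULES = [
    Rule("deny", src="198.51.100.77/32"),                       # must precede the partner allow
    Rule("allow", src="198.51.100.0/24", dst="192.0.2.20/32", proto="tcp", dport=3389),
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),
]


if __name__ == "__main__":
    for pkt in [Packet("203.0.113.5", "192.0.2.10", "tcp", 443),
                Packet("198.51.100.77", "192.0.2.20", "tcp", 3389),
                Packet("203.0.113.5", "192.0.2.10", "tcp", 22)]:
        print(pkt, "->", filter_packet(RULES, pkt))
    print("shadowed:", shadowed_rules(RULES))
```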

Firewall Architecture

a) Basic software firewall for a home network
b) Firewall router
• Home office
• Small office

6-26

Firewall Architecture
Larger Organization


6-27

Encryption

• Message encoded before sending
• Message decoded when received
• Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature

6-28

The Encryption Process

• Key – code that scrambles the message
• Symmetric secret key system
o Sender and recipient use the same key
o Cons: Management problems
• Public key technology
o Asymmetric key system
o Each individual has a pair of keys: public key – freely distributed; private key – kept secret

6-29

How Encryption Works (Asymmetric)


6-30
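
The asymmetric process that slides 6-28 to 6-30 describe, carried through in textbook RSA with deliberately tiny numbers so the arithmetic is visible; this is an added example, not code from the textbook. Encrypting with the recipient's public key gives the confidentiality property, and signing with the sender's private key gives the integrity and nonrepudiation properties listed on the Encryption slide; the prime pairs and messages are constructed, and the hash-reduction shortcut is a simplification noted in the code.

```python
"""Textbook RSA with tiny numbers, showing what the asymmetric-key figure on the
slide describes: one key pair per person, public key handed out, private key
kept secret; encrypt with the recipient's public key (confidentiality), sign
with the sender's private key (integrity and nonrepudiation).

Added example, not code from the textbook. The primes are deliberately small
so the arithmetic is visible; real deployments use 2048-bit or larger keys
with padding (OAEP, PSS) from a vetted library, never this code.
"""
import hashlib
from math import gcd
from typing import Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def generate_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Key generation from two primes: n = p*q, d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public: PublicKey, m: int) -> int:
    """Anyone holding the public key can produce c = m^e mod n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(private: PrivateKey, c: int) -> int:
    """Only the private key holder recovers m = c^d mod n."""
    n, d = private
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Hash the message and reduce it below n. With toy-sized n this throws away
    # most of the hash; real RSA signatures use a full-size n and padding.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private: PrivateKey, message: bytes) -> int:
    """Signature = hash^d mod n; only the private key holder can produce it."""
    n, d = private
    return pow(_digest_mod_n(message, n), d, n)


def verify(public: PublicKey, message: bytes, signature: int) -> bool:
    """Anyone with the public key checks signature^e mod n == hash; a changed
    message or a forged signature fails, which is what gives nonrepudiation."""
    n, e = public
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    # The classic small example: p=61, q=53 gives n=3233, phi=3120, e=17, d=2753.
    pub, priv = generate_keypair(61, 53, e=17)
    c = encrypt(pub, 65)
    print(f"public={pub} private={priv} 65 -> {c} -> {decrypt(priv, c)}")
    # Signing needs a larger (still toy) modulus so the reduced hash is meaningful.
    pub2, priv2 = generate_keypair(104729, 104723)
    sig = sign(priv2, b"approve transfer 1000")
    print("valid:", verify(pub2, b"approve transfer 1000", sig),
          "tampered:", verify(pub2, b"approve transfer 9000", sig))
```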

Encryption for Websites

• Certificate Authority
o Third party – trusted middleman
o Verifies trustworthiness of a Web site
o Checks for identity of a computer
o Provides public keys
• Secure Sockets Layer (SSL)
o Developed by Netscape
o Popular public-key encryption method

6-31

Other Encryption Approaches

• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology
o Limited use by organizations
• 1991 – Pretty Good Privacy
o Versatile encryption program
o Global favorite
• 1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs


6-33

Recommended Virus Precautions

• Purchase and install antivirus software
o Update frequently
• Do not download data from unknown sources
o Flash drives, disks, Web sites
• Delete (without opening) e-mail from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail
o Record of users
o Record of activities
• IT department needs to monitor this activity

6-35
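
An audit-trail review of the kind the slide above calls for, run over a constructed log and flagging the information modification case from slide 6-8 (an employee giving himself a raise); this is an added example, not code from the textbook. The log format, the log lines, the payroll role list, the business-hours window and the raise threshold are all constructed assumptions.

```python
"""Audit-trail review over a constructed audit log (the "record of users" and
"record of activities" on the Audit Control Software slide), flagging the kind
of information modification shown earlier in the chapter: an employee editing
their own salary record.

Added example, not code from the textbook. The log format, the log lines, the
payroll role list and the thresholds are all constructed for the demonstration.
"""
from __future__ import annotations

from datetime import datetime
from typing import Dict, List, Tuple

# Constructed audit log: timestamp followed by key=value fields.
AUDIT_LOG = """\
2024-03-04T09:12:33 user=hr_amy action=UPDATE table=payroll record=jsmith field=salary old=52000 new=54000
2024-03-04T21:47:10 user=jsmith action=UPDATE table=payroll record=jsmith field=salary old=54000 new=91000
2024-03-05T10:02:45 user=jsmith action=READ table=payroll record=jsmith field=salary
2024-03-05T10:15:00 user=hr_amy action=UPDATE table=payroll record=kwong field=salary old=61000 new=63000
"""

PAYROLL_EDITORS = {"hr_amy"}      # accounts whose job includes payroll changes
BUSINESS_HOURS = (8, 18)          # changes expected between 08:00 and 17:59
RAISE_THRESHOLD = 0.25            # single-step increases above 25% get a second look


def parse_line(line: str) -> Dict[str, str]:
    """Splits one log line into a dict; the timestamp is kept under "ts"."""
    ts, *fields = line.split()
    record = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def review(log: str) -> List[Tuple[int, str]]:
    """Returns (line number, finding) pairs for payroll updates that need review."""
    findings = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        if not line.strip():
            continue
        r = parse_line(line)
        if r.get("action") != "UPDATE" or r.get("table") != "payroll":
            continue
        when = datetime.fromisoformat(r["ts"])
        if r["user"] == r.get("record"):
            findings.append((lineno, "user modified their own payroll record"))
        if r["user"] not in PAYROLL_EDITORS:
            findings.append((lineno, "payroll change by a user outside the payroll role"))
        if not BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]:
            findings.append((lineno, "payroll change outside business hours"))
        if r.get("field") == "salary":
            old, new = int(r["old"]), int(r["new"])
            if new > old * (1 + RAISE_THRESHOLD):
                pct = 100 * (new - old) / old
                findings.append((lineno, f"salary increase of {pct:.0f}% exceeds threshold"))
    return findings


if __name__ == "__main__":
    for lineno, finding in review(AUDIT_LOG):
        print(f"line {lineno}: {finding}")
```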

Other Technological Safeguards

• Backups
o Secondary storage devices
o Regular intervals
• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording
• Uninterruptible power supply (UPS)
o Protection against power surges

6-36

Human Safeguards

• Use of federal and state laws as well as ethics


6-37

Learning Objectives


6-38

Managing Information Systems Security

• Non-technical safeguards
o Management of people’s use of IS
• Acceptable use policies
o Trustworthy employees
o Well-treated employees

6-39

Developing an Information Systems Security Plan

Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

6-40

Security Plan: Step 2

2. Policies and procedures – actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding new users
f. Incident handling procedures – handling security breach
g. Disaster recovery plan – restoration of computer operations

6-41

Security Plan: Remaining Steps

3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department
4. Training – organization’s personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT)
o Started after Morris worm disabled 10% of all computers connected to the Internet
• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT planning, implementation, management and operation

6-43

The State of Systems Security Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement (fear of falling stock prices)
o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important, but the majority said they do not do enough training

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)


6-45

End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60-80% of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
o Driving around densely populated areas
• “War spamming”
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
o FakeAP
• Network scanners distinguish between real and fake APs
o Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate spyware
• Webroot company data
o 66% of scanned PCs infected with at least 25 spyware programs
o Incidents of spyware slightly decreasing

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies
• Web browsers can protect against accepting cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available
• National Security Agency (NSA)

6-49

Is Big Brother Watching You

• Employers can use equipment to
o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees
• RFID and GPS
• Companies have rights to collect almost any information about employees while on the job

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines
• 675,000 incidents in 1 year
o Infrastructure information publicly available
o Most of Internet communication goes through cables buried along major highways and railroads
• Only two major routes across US for Internet traffic

6-51


Slide 4

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 5

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication
• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination
• Authentication limited to
o Something you have
o Something you know
o Something you are

6-20

Biometrics

• Form of authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.
• Fast authentication
• High security

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

6-22
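The three restrictions on this slide (only the files a job needs, read-only where writing is not needed, and access only during certain hours) combine into one policy check. The code below is an added example, not the textbook's or any product's code: a role-based policy table with per-file permitted actions and an allowed time window, evaluated with default deny. The roles, file paths and requests are constructed.

```python
from datetime import datetime, time

# Policy: role -> { file path: (permitted actions, (start, end) of allowed hours) }.
# Constructed for this example; a real deployment loads it from the application's
# built-in access-control configuration.
POLICY = {
    "payroll_clerk": {
        "/hr/payroll.xlsx":  ({"read", "write"}, (time(8, 0), time(18, 0))),
        "/hr/employees.csv": ({"read"},          (time(8, 0), time(18, 0))),
    },
    "auditor": {
        "/hr/payroll.xlsx":  ({"read"},          (time(0, 0), time(23, 59, 59))),
    },
}


def within_window(window, when: datetime) -> bool:
    start, end = window
    return start <= when.time() <= end


def check_access(role: str, path: str, action: str, when: datetime):
    """Return (allowed, reason). Default deny: only an explicit grant succeeds."""
    grant = POLICY.get(role, {}).get(path)
    if grant is None:
        return False, "file not required for this role"
    actions, window = grant
    if action not in actions:
        return False, "read-only access" if actions == {"read"} else f"{action} not permitted"
    if not within_window(window, when):
        return False, "outside allowed time period"
    return True, "granted"


# Constructed access requests: (role, path, action, time of request).
REQUESTS = [
    ("payroll_clerk", "/hr/payroll.xlsx",  "write", datetime(2024, 3, 4, 10, 30)),
    ("payroll_clerk", "/hr/employees.csv", "write", datetime(2024, 3, 4, 10, 30)),
    ("payroll_clerk", "/hr/payroll.xlsx",  "write", datetime(2024, 3, 4, 22, 0)),
    ("auditor",       "/hr/employees.csv", "read",  datetime(2024, 3, 4, 10, 30)),
    ("auditor",       "/hr/payroll.xlsx",  "read",  datetime(2024, 3, 4, 2, 0)),
]


def evaluate(requests=REQUESTS) -> list:
    return [check_access(*req) for req in requests]


if __name__ == "__main__":
    for req, (ok, why) in zip(REQUESTS, evaluate()):
        print(req[:3], req[3].strftime("%H:%M"), "->", "ALLOW" if ok else "DENY", f"({why})")
```

Each deny carries its reason so the decision can be logged; the audit-trail slide later in the chapter depends on exactly that record.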

Wireless LAN Control

• Wireless LAN cheap and easy to install
• Use on the rise
• Signal transmitted through the air
o Susceptible to being intercepted
o Drive-by hacking

6-23

Virtual Private Networks

• Connection constructed dynamically within an existing network
• Secure tunnel
o Encrypted information

6-24

Firewalls

• System designed to detect intrusion and prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for certain applications
o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all messages; Network Address Translation

6-25
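"Packet filter – each packet examined" is the simplest of the approaches listed. The following added example (not from the textbook) implements such a filter: an ordered rule list matched on source, destination, protocol and port, first match wins, and a default deny when nothing matches. The internal network, the servers and the packets are constructed; the outside addresses come from the reserved documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port (tcp/udp only)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    comment: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every field the rule specifies must match; unspecified fields match anything."""
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


INTERNAL = "192.168.1.0/24"   # constructed internal network

# Rules for traffic arriving from the outside, evaluated top to bottom.
RULES = [
    Rule("deny", "anti-spoofing: internal source address arriving from outside", src=INTERNAL),
    Rule("allow", "public web server", dst="192.168.1.10", proto="tcp", dport=443),
    Rule("allow", "inbound mail to the mail server", dst="192.168.1.20", proto="tcp", dport=25),
    Rule("deny", "telnet never allowed in (clear-text passwords)", proto="tcp", dport=23),
]


def filter_packet(p: Packet, rules=RULES):
    """Return (action, comment) of the first matching rule, or default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "default deny: no rule matched"


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.168.1.10", "tcp", 443),
        Packet("203.0.113.5", "192.168.1.10", "tcp", 22),
        Packet("192.168.1.77", "192.168.1.10", "tcp", 443),
        Packet("198.51.100.9", "192.168.1.30", "tcp", 23),
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(pkt))
```

Because each packet is judged on its own, this filter cannot tell a reply to a connection the inside opened from a fresh attempt from outside; tracking that per-connection state is what the slide's circuit-level control adds.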

Firewall Architecture

a) Basic software firewall for a home network
b) Firewall router
• Home office
• Small office

6-26

Firewall Architecture
Larger Organization

6-27

Encryption

• Message encoded before sending
• Message decoded when received
• Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system
• Sender and recipient use the same key
• Cons: Management problems
o Public key technology
• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

6-29
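The Encryption and Encryption Process slides above list what a key pair buys you: confidentiality (encrypt with the recipient's public key), and authentication, integrity and nonrepudiation (sign with the sender's private key, verify with the public key). The block below is an added example, not from the textbook, that shows both uses with textbook RSA on deliberately tiny, constructed primes, plus the key-count arithmetic behind the "management problems" of shared secret keys. Real deployments use 2048-bit or larger moduli and padding schemes; this is for reading, not for protecting anything.

```python
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Return ((e, n), (d, n)) for primes p and q. Toy-sized on purpose."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message: bytes, public_key) -> list:
    """Confidentiality: each byte m becomes the block c = m^e mod n."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(blocks: list, private_key) -> bytes:
    """Only the holder of d recovers m = c^d mod n."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Sign a hash of the message rather than the message itself, as real schemes do.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Authentication and nonrepudiation: only the private key can produce this value."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Integrity: any change to the message changes the digest, so the check fails."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def symmetric_keys_needed(users: int) -> int:
    """One shared secret per pair of users: n(n-1)/2 keys to generate, distribute and rotate."""
    return users * (users - 1) // 2


def asymmetric_keys_needed(users: int) -> int:
    """One key pair per user; the public half needs no secrecy, only authenticity."""
    return 2 * users


# Constructed toy keys (primes chosen small enough to read, far too small to be safe).
ALICE_PUB, ALICE_PRIV = make_keypair(104729, 1299709)
BOB_PUB, BOB_PRIV = make_keypair(61, 53)

if __name__ == "__main__":
    msg = b"pay 100"
    ciphertext = encrypt(msg, BOB_PUB)            # Alice encrypts for Bob
    print("Bob decrypts:", decrypt(ciphertext, BOB_PRIV))
    sig = sign(msg, ALICE_PRIV)                   # Alice signs; anyone verifies with ALICE_PUB
    print("signature valid:", verify(msg, sig, ALICE_PUB))
    print("altered message valid:", verify(b"pay 900", sig, ALICE_PUB))
    print("keys for 100 users: symmetric", symmetric_keys_needed(100),
          "asymmetric", asymmetric_keys_needed(100))
```

The slide's phrase "Cons: management problems" is the last two functions: a hundred staff need 4,950 pairwise secrets under a symmetric scheme, but only 100 published public keys and 100 private keys each person keeps to themselves under an asymmetric one.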

How Encryption Works (Asymmetric)

6-30

Encryption for Websites

• Certificate Authority
o Third party – trusted middleman
• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys
• Secure Sockets Layer (SSL)
o Developed by Netscape
o Popular public-key encryption method

6-31

Other Encryption Approaches

• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology
• Limited use by organizations
• 1991 – Pretty Good Privacy
o Versatile encryption program
o Global favorite
• 1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform
• Encryption for cellular phones
• Encryption for PDAs

6-33

Recommended Virus Precautions

• Purchase and install antivirus software
o Update frequently
• Do not download data from unknown sources
o Flash drives, disks, Web sites
• Delete (without opening) e-mail from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail
o Record of users
o Record of activities
• IT department needs to monitor this activity

6-35
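"Spots suspicious action" only happens if someone, or something, actually reads the audit trail. The block below is an added example, not the textbook's or any product's code: it parses a constructed activity log (who, when, what action, which resource, with what result) and raises the findings an IT department would want to see first: a burst of failed logins, a successful login right after such a burst, activity outside business hours, and any use of an account that should already have been disabled. The log lines, the terminated-account list, the hours and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: timestamp, user, action, resource, result (not from the slides).
AUDIT_LOG = """\
2024-03-04T08:02:11 alice LOGIN - OK
2024-03-04T08:05:40 alice READ /hr/employees.csv OK
2024-03-04T12:14:03 bob LOGIN - FAIL
2024-03-04T12:14:09 bob LOGIN - FAIL
2024-03-04T12:14:15 bob LOGIN - FAIL
2024-03-04T12:14:22 bob LOGIN - FAIL
2024-03-04T12:14:30 bob LOGIN - FAIL
2024-03-04T12:14:41 bob LOGIN - OK
2024-03-04T23:47:05 carol LOGIN - OK
2024-03-04T23:48:12 carol WRITE /hr/payroll.xlsx OK
2024-03-05T09:30:00 dave READ /finance/ledger.db OK
"""

TERMINATED_ACCOUNTS = {"dave"}       # assumed: has left the company, account should be disabled
BUSINESS_HOURS = (8, 18)             # assumed: 08:00 to 18:00
FAIL_THRESHOLD = 5                   # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window count as a burst


def parse_audit_log(text: str) -> list:
    """One dict per non-empty line of the space-separated log."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "result": result})
    return events


def review(events: list) -> list:
    """Return (finding, user, timestamp) triples for activity the IT department should look at."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of failed logins still in the window
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if user in TERMINATED_ACCOUNTS:
            findings.append(("terminated_account_active", user, ts))
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours_activity", user, ts))
        if ev["action"] == "LOGIN":
            window = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW]
            if ev["result"] == "FAIL":
                window.append(ts)
                if len(window) == FAIL_THRESHOLD:   # report once, when the burst is reached
                    findings.append(("failed_login_burst", user, ts))
            elif len(window) >= FAIL_THRESHOLD:      # a success right after a burst of failures
                findings.append(("login_success_after_burst", user, ts))
            recent_failures[user] = window
    return findings


if __name__ == "__main__":
    for finding, user, ts in review(parse_audit_log(AUDIT_LOG)):
        print(f"{ts.isoformat()}  {user:6s}  {finding}")
```

The last finding type ties this slide to two others in the chapter: an account that is still active after its owner was fired is both the "resentful employee" threat and a failure of the account management policy in the security plan.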

Other Technological Safeguards

• Backups
o Secondary storage devices
o Regular intervals
• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording
• Uninterruptible power supply (UPS)
o Protection against power surges

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

6-37

Learning Objectives

6-38

Managing Information Systems Security

• Non-technical safeguards
o Management of people’s use of IS
• Acceptable use policies
o Trustworthy employees
o Well-treated employees

6-39

Developing an Information Systems Security Plan

Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

6-40

Security Plan: Step 2

2. Policies and procedures – actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding new users
f. Incident handling procedures – handling a security breach
g. Disaster recovery plan – restoration of computer operations

6-41

Security Plan: Remaining Steps

3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department
4. Training – organization’s personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT)
o Started after Morris worm disabled 10% of all computers connected to the Internet
• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT planning, implementation, management and operation

6-43

The State of Systems Security Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement
• Fear of falling stock prices
o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important
• Majority said they do not do enough training

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey respondents (2006)

6-45

End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60 – 80% of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
o Driving around densely populated areas
• “War spamming”
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
o FakeAP
• Network scanners distinguish between real and fake APs
o Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate spyware
• Webroot company data
o 66% of scanned PCs infected with at least 25 spyware programs
o Incidents of spyware slightly decreasing

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies
• Web browsers can protect against accepting cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available
• National Security Agency (NSA)

6-49

Is Big Brother Watching You

• Employers can use equipment to
o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees
• RFID and GPS
• Companies have rights to collect almost any information about employees while on the job

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines
• 675,000 incidents in 1 year
o Infrastructure information publicly available
o Most of Internet communication goes through cables buried along major highways and railroads
• Only two major routes across US for Internet traffic

6-51



Slide 7

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – the secret value that, together with the algorithm, scrambles the message
o Symmetric secret key system
• Sender and recipient use the same key
• Cons: key management problems – every pair of parties needs its own shared
secret, and it has to be delivered to both sides securely
o Public key technology
• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

6-29

How Encryption Works (Asymmetric)


6-30

Encryption for Websites

• Certificate Authority (CA)
o Third party – trusted middleman
• Verifies that whoever requests a certificate actually controls the Web site's
name; it does not vouch for the site's honesty
• Binds an identity to a public key by signing a certificate
• Distributes public keys in those certificates
• Secure Sockets Layer (SSL), since succeeded by TLS
o Developed by Netscape
o Uses public-key cryptography to authenticate the server and agree on a session
key; the session data itself is then encrypted with a fast symmetric cipher

6-31
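The asymmetric signing, key-pair and certificate-authority ideas from the last four slides, worked through as one added Python example (not code from the textbook, the slides or any real CA). It implements textbook RSA on deliberately small 160-bit primes so the whole process is visible; the site name "shop.example", the message and the certificate format are assumptions made for the example. Real systems use vetted libraries, padding schemes and 2048-bit or larger keys.

```python
"""Toy public-key walkthrough: RSA sign/verify, then a certificate authority
that binds a name to a public key so a client that trusts only the CA can
decide which key belongs to the Web site. Teaching code: textbook RSA with
small keys and no padding is not safe for real use."""
import hashlib
import random


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # top and low bits set
        if is_probable_prime(cand):
            return cand


def keygen(bits: int = 160):
    """Return (public, private) as (n, e), (n, d). Two 160-bit primes give a
    modulus above 2^318, so a 256-bit SHA-256 digest always lies below n."""
    e = 65537
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(digest(msg), d, n)          # only the private key can do this


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(msg)   # anyone with the public key can check


# --- certificate authority: signs the binding "subject -> public key" ---
def cert_bytes(subject: str, pub) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_cert(ca_priv, subject: str, pub) -> dict:
    return {"subject": subject, "pub": pub, "sig": sign(ca_priv, cert_bytes(subject, pub))}


def client_verifies(ca_pub, cert: dict, expected_subject: str, msg: bytes, sig: int) -> bool:
    """The client trusts only ca_pub. It accepts the message only if the CA
    vouches for (subject, key) and the message was signed by that key."""
    if cert["subject"] != expected_subject:
        return False
    if not verify(ca_pub, cert_bytes(cert["subject"], cert["pub"]), cert["sig"]):
        return False
    return verify(cert["pub"], msg, sig)


def demo() -> dict:
    ca_pub, ca_priv = keygen()
    site_pub, site_priv = keygen()
    cert = issue_cert(ca_priv, "shop.example", site_pub)   # hypothetical site name
    msg = b"order 42: total 19.99"
    sig = sign(site_priv, msg)
    fake_pub, fake_priv = keygen()                         # impostor with no CA-issued cert
    fake_cert = {"subject": "shop.example", "pub": fake_pub, "sig": 0}
    return {
        "genuine": client_verifies(ca_pub, cert, "shop.example", msg, sig),
        "tampered": client_verifies(ca_pub, cert, "shop.example", b"order 42: total 0.01", sig),
        "impostor": client_verifies(ca_pub, fake_cert, "shop.example", msg, sign(fake_priv, msg)),
        "wrong_name": client_verifies(ca_pub, cert, "bank.example", msg, sig),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:11s} accepted={accepted}")
```

Note what the CA does and does not give you: the impostor's message is rejected not because its signature is bad (it verifies fine under the impostor's own key) but because no trusted CA has bound that key to the name the client expected.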

Other Encryption Approaches
• 1976 – Public/private key cryptography proposed (Diffie and Hellman)
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting strong encryption technology
• Limited use by organizations
• 1991 – Pretty Good Privacy (PGP)
o Versatile encryption program
o Global favorite
• 1993 – Clipper chip
o Government-designed encryption chip whose keys were to be held in escrow so
law enforcement could decrypt traffic
o Scrapped before it became reality

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform
• Encryption for cellular phones
• Encryption for PDAs

6-33

Recommended Virus Precautions

• Purchase and install antivirus software
o Update it frequently (signatures and the scanning engine)
• Do not download data from unknown sources
o Flash drives, disks, Web sites
• Delete (without opening) e-mail from unknown sources
• Warn people if you get a virus
o Your department
o People on your e-mail list

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail
o Record of users
o Record of activities
• IT department needs to review this activity regularly; a trail nobody reads
detects nothing

6-35
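What "spots suspicious action" looks like in practice, as an added Python example that is not from the page: a small review pass over an audit trail that flags bursts of failed logins, access to sensitive paths outside business hours, and a user touching files outside the area their role is expected to use. The log format, the users, the role-to-path mapping and the thresholds are all constructed for the example.

```python
"""Review a constructed audit trail for three patterns worth a look: bursts of
failed logins, sensitive-file access outside business hours, and access to
paths a user's role is not expected to touch."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real logs): timestamp|user|action|object|result
AUDIT_TRAIL = """\
2024-03-04T08:55:10|alice|login|workstation-12|success
2024-03-04T09:02:31|alice|read|/finance/payroll/march.xlsx|success
2024-03-04T12:10:05|bob|login|workstation-07|failure
2024-03-04T12:10:09|bob|login|workstation-07|failure
2024-03-04T12:10:14|bob|login|workstation-07|failure
2024-03-04T12:10:20|bob|login|workstation-07|failure
2024-03-04T12:10:27|bob|login|workstation-07|failure
2024-03-04T12:10:31|bob|login|workstation-07|success
2024-03-04T23:41:02|carol|write|/finance/payroll/march.xlsx|success
2024-03-04T14:15:44|dave|read|/hr/reviews/2024.docx|success
"""

# Hypothetical role-to-path mapping, assumed for this example. A user with no
# entry matches nothing, so every access is flagged until the mapping is fixed.
EXPECTED_PATHS = {
    "alice": ("/finance/",),
    "bob": ("/it/",),
    "carol": ("/finance/",),
    "dave": ("/engineering/",),
}
SENSITIVE = ("/finance/", "/hr/")
BUSINESS_HOURS = (7, 19)                       # 07:00 up to (not including) 19:00
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)


def parse(trail: str):
    """Yield (timestamp, user, action, object, result) per line."""
    for line in trail.splitlines():
        ts, user, action, obj, result = line.split("|")
        yield datetime.fromisoformat(ts), user, action, obj, result


def review(trail: str) -> list:
    """Return (finding, user, detail) tuples in the order they are detected."""
    findings = []
    failures = defaultdict(list)               # user -> recent failed-login times
    for ts, user, action, obj, result in parse(trail):
        if action == "login" and result == "failure":
            # keep only failures inside the sliding window, then add this one
            window = [t for t in failures[user] if ts - t <= FAIL_WINDOW] + [ts]
            failures[user] = window
            if len(window) == FAIL_THRESHOLD:  # fire once, when the threshold is hit
                findings.append(("failed-login-burst", user, ts))
        if action in ("read", "write") and result == "success":
            off_hours = not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]
            if obj.startswith(SENSITIVE) and off_hours:
                findings.append(("off-hours-sensitive-access", user, obj))
            if not obj.startswith(EXPECTED_PATHS.get(user, ())):
                findings.append(("access-outside-role", user, obj))
    return findings


if __name__ == "__main__":
    for kind, who, detail in review(AUDIT_TRAIL):
        print(f"{kind:28s} {who:6s} {detail}")
```

Note that bob's eventual successful login is exactly why the burst matters: five failures followed by a success is the signature of a guessed password, and only the audit trail, not the access control, can show it.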

Other Technological Safeguards

• Backups
o Secondary storage devices
o Taken at regular intervals
• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording
• Uninterruptible power supply (UPS)
o Keeps systems running through power outages and protects against surges

6-36

Human Safeguards

• Use of federal and state laws as well as ethics


6-37

Learning Objectives


6-38

Managing Information Systems Security

• Non-technical safeguards
o Management of people's use of IS
• Acceptable use policies
o Trustworthy employees
o Well-treated employees

6-39

Developing an Information Systems Security Plan
Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

6-40

Security Plan: Step 2
2. Policies and procedures – rules for normal operation plus the actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding, changing and removing users
f. Incident handling procedures – handling a security breach
g. Disaster recovery plan – restoration of computer operations

6-41

Security Plan: Remaining Steps
3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department
4. Training – organization's personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT), the CERT Coordination Center
at Carnegie Mellon University
o Started after the Morris worm disabled about 10% of all computers connected
to the Internet
• Computer Security Division (CSD) of the U.S. National Institute of Standards
and Technology (NIST)
o Raising awareness of IT risks
o Research and advice about IT vulnerabilities
o Development of standards
o Development of guidelines for secure IT planning, implementation, management
and operation

6-43

The State of Systems Security Management

• Financial losses from cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations use cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement
o Fear of falling stock prices discourages reporting
• Most organizations do not outsource security activities
• 90% of organizations conduct routine security audits
• Most organizations agree security training is important
o The majority said they do not do enough training

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)


6-45

End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60-80% of corporate wireless networks do not use security
• "War driving" – a new hacker tactic
o Driving around densely populated areas looking for open wireless networks
• "War spamming"
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
o FakeAP
• Network scanners distinguish between real and fake APs
o Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan for and eliminate spyware
• Webroot company data
o 66% of scanned PCs infected with at least 25 spyware programs
o Incidence of spyware slightly decreasing

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies
• Web browsers can be set to refuse cookies, at a cost
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available
• National Security Agency (NSA)

6-49

Is Big Brother Watching You

• Employers can use equipment to
o Read your e-mail
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees
• RFID and GPS
• Companies have rights to collect almost any information about employees
while on the job

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines
• 675,000 incidents in 1 year
o Infrastructure information publicly available
o Most Internet communication goes through cables buried along major highways
and railroads
• Only two major routes across the US for Internet traffic

6-51



Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a computer
• Worms
o Variation of a virus that spreads by itself over the network, with no host
file and no user action needed
o Replicate endlessly across the Internet
o Servers crash under the load
• MyDoom attack on Microsoft's Web site

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes
• Eats up the computer's memory and network bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization

6-11

Spam

• Electronic junk mail
• Advertisements of products and services
• Eats up storage space
• Compromises network bandwidth
• Spim
o Spam over IM

6-12

Protection Against Spam

• Barracuda Spam Firewall 600
o Filters spam and other e-mail threats
o Decreases amount of spam processed by the central e-mail server
o Handles 3,000 – 10,000 active e-mail users
o Spam messages blocked or quarantined

6-13

Phishing

• Attempts to trick users into giving away credit card numbers (and login credentials)
• Phony messages
• Duplicates of legitimate Web sites
• E.g., eBay, PayPal have been used

6-14

Cookies

• Messages passed to a Web browser from a Web server
• Used for Web site customization
• Cookies may contain sensitive information
• Cookie management and cookie killer software
• Internet Explorer Web browser settings

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software
3. Use of default network passwords
4. Letting outsiders view monitors

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to some files
6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful

6-17

Learning Objectives


6-18

Safeguarding Information Systems Resources

• Information systems audits
o Risk analysis
• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party (e.g., insurance)

6-19
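The "cost of loss vs. cost of protection" comparison on this slide, and the risk-analysis step of the security plan (value of information, threats, recommended changes), carried through as an added Python example that is not from the textbook. It computes an annualized loss expectancy per threat and then prices the three treatments the slide names (reduce, accept, transfer). Every figure in the register is hypothetical and constructed for the example; real estimates come from incident history and asset inventories.

```python
"""Quantitative risk analysis: annualized loss expectancy (ALE) for each
threat, then the cheapest way to treat it: reduce (buy a control), accept
(carry the loss) or transfer (insure)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Threat:
    name: str
    asset_value: float      # value of the information or system at risk
    exposure: float         # fraction of that value lost per incident (0..1)
    frequency: float        # expected incidents per year


@dataclass
class Control:
    name: str
    yearly_cost: float
    frequency_factor: float = 1.0   # share of incidents that still occur with the control
    exposure_factor: float = 1.0    # share of per-incident loss that still occurs


def ale(t: Threat) -> float:
    """ALE = single loss expectancy (asset_value x exposure) x yearly frequency."""
    return t.asset_value * t.exposure * t.frequency


def residual_ale(t: Threat, c: Control) -> float:
    """Loss still expected per year after the control is in place."""
    return ale(t) * c.frequency_factor * c.exposure_factor


def treat(t: Threat, controls: list, premium: Optional[float] = None,
          insured_fraction: float = 0.0) -> dict:
    """Yearly cost of each option; the decision is the cheapest one."""
    options = {"accept": ale(t)}
    for c in controls:
        options["reduce:" + c.name] = c.yearly_cost + residual_ale(t, c)
    if premium is not None:
        options["transfer"] = premium + ale(t) * (1 - insured_fraction)
    decision = min(options, key=options.get)
    return {"threat": t.name, "ale": ale(t), "options": options, "decision": decision}


def demo() -> list:
    """Constructed risk register (all figures hypothetical); one result per threat."""
    return [
        treat(Threat("ransomware on file server", 500_000, 0.4, 0.5),
              [Control("offline backups", 15_000, exposure_factor=0.1),
               Control("endpoint protection", 40_000, frequency_factor=0.3)],
              premium=30_000, insured_fraction=0.8),
        treat(Threat("laptop theft", 20_000, 1.0, 2.0),
              [Control("full-disk encryption", 5_000, exposure_factor=0.2)]),
        treat(Threat("web site defacement", 10_000, 0.1, 1.0),
              [Control("web application firewall", 8_000, frequency_factor=0.2)]),
    ]


if __name__ == "__main__":
    for r in demo():
        costs = ", ".join(f"{k}={v:,.0f}" for k, v in r["options"].items())
        print(f"{r['threat']}: ALE={r['ale']:,.0f}; {costs}; decision={r['decision']}")
```

The third row is the one that usually gets argued about: a control that costs more per year than the loss it prevents is not a safeguard but a worse bet than accepting the risk, and the arithmetic makes that visible before the purchase order is signed.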

Technological Safeguards

• Physical access restrictions
o Authentication
• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination of the above
• Authentication is based on one or more of
o Something you have
o Something you know
o Something you are

6-20

Biometrics

• Form of authentication ("something you are")
o Fingerprints
o Retinal patterns
o Body weight
o Etc.
• Fast authentication
• High security, with one caveat: a compromised biometric cannot be changed
the way a password can

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 9

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics


Learning Objectives


Managing Information Systems
Security

• Non-technical safeguards
o Management of people's use of IS

• Acceptable use policies
o Trustworthy employees
o Well-treated employees

Developing an Information Systems
Security Plan
Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

Security Plan: Step 2
2. Policies and procedures – rules for everyday use of systems and actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding (and removing) users
f. Incident handling procedures – handling a security breach
g. Disaster recovery plan – restoration of computer operations

Security Plan: Remaining Steps
3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4. Training – organization's personnel

5. Auditing
a. Assessment of policy adherence
b. Penetration tests

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT) founded at Carnegie Mellon University
o Started after the Morris worm disabled about 10% of all computers connected to the Internet

• Computer Security Division (CSD) of the U.S. National Institute of Standards and Technology (NIST)
o Raising awareness of IT risks
o Research and advice about IT vulnerabilities
o Development of standards
o Development of guidelines for secure IT planning, implementation, management and operation

The State of Systems Security
Management

• Financial losses from cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations use cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement, partly from fear of falling stock prices

• Security practices
o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important, but a majority say they do not do enough of it

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)


End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking

• 60 - 80 % of corporate wireless networks do not use security
• "War driving" – a new hacker tactic
o Driving around densely populated areas looking for open wireless networks

• "War spamming"
o Attackers link to an e-mail server through an open wireless network and send out millions of spam messages
o Companies pay millions in bandwidth fees

• Businesses fight back using bogus access points
o FakeAP

• Network scanners distinguish between real and fake APs
o Netstumbler

• Fast Packet Keying – to fix shortcomings of WEP
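The case ends with "Fast Packet Keying" as a fix for WEP without saying what was broken. The following is an added example (not from the slides or the textbook) of one documented WEP shortcoming: each frame's RC4 key is the 24-bit IV, sent in the clear, followed by the shared key, so IVs repeat on a busy network and two frames with the same IV share a keystream. XORing the two ciphertexts then gives the XOR of the two plaintexts with no knowledge of the key, and one known plaintext reveals the other. Per-packet keying schemes, including the later TKIP, derive a fresh RC4 key per frame from the shared key and a much larger packet counter. The shared key, IVs and plaintexts below are constructed; the random choice of IVs in the last function is a modelling assumption (some real implementations reset the IV to zero at start-up and counted up, which guaranteed repeats).

```python
"""Why WEP needed per-packet keying: RC4 keystream reuse. Added example, not
from the slides or the textbook. Key, IVs and plaintexts are constructed."""
import random
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then the output generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame: 3-byte IV in the clear, then RC4(IV || key) XOR data.
    (The real frame also carries a CRC-32 integrity value; omitted here.)"""
    assert len(iv) == 3
    return iv + xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """Eavesdropper's step: if two frames carry the same IV, C_a XOR C_b equals
    P_a XOR P_b, without the shared key. Returns None if the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[3:], frame_b[3:])


def recover_with_known_plaintext(leak: bytes, known_plaintext: bytes) -> bytes:
    """Knowing one plaintext (e.g. a predictable protocol header) yields the other."""
    return xor(leak, known_plaintext)


def frames_until_iv_repeat(seed: int, iv_bits: int = 24, limit: int = 200_000) -> Optional[int]:
    """Frames a station sends before reusing an IV, if IVs are drawn at random
    (modelling assumption). With 24 bits the birthday bound puts the first repeat
    near 5,000 frames, i.e. seconds on a busy network; with a 48-bit counter, as in
    TKIP, no repeat occurs within `limit` and None is returned."""
    rng = random.Random(seed)
    seen = set()
    for n in range(1, limit + 1):
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return n
        seen.add(iv)
    return None


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"  # constructed 40-bit WEP key
    a = wep_encrypt(key, b"\x00\x00\x01", b"GET /index.html ")
    b = wep_encrypt(key, b"\x00\x00\x01", b"password=hunter2")
    leak = keystream_reuse_leak(a, b)
    print(recover_with_known_plaintext(leak, b"GET /index.html "))
    print(frames_until_iv_repeat(seed=1))
```

Note that a larger per-packet key by itself is not the fix; what stops this attack is that the keystream never repeats for the lifetime of the key, which is why the replacement schemes pair per-packet key derivation with a counter that is too large to wrap.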

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can be set to refuse cookies, but blocking them has drawbacks
o Constant pop-ups (prompts)
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)


Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic


Slide 11

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Survey findings (CSI/FBI computer crime and security survey)
o Financial losses from cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations use cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement

• Fear of falling stock prices (negative publicity) is the main reason
intrusions go unreported

• Security practices
o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important, but the
majority said they do not do enough of it

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)


6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking

• 60 - 80 % of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
o Driving around densely populated areas looking for unsecured
wireless networks

• “War spamming”
o Attackers link to an e-mail server through an open wireless network
and send out millions of spam messages
o Companies pay millions in bandwidth fees

• Businesses fight back using bogus access points
o FakeAP – broadcasts beacons for thousands of fabricated access points
to hide the real one in the crowd

• Network scanners can distinguish between real and fake APs
o Netstumbler

• Fast Packet Keying – to fix shortcomings of WEP
o A per-packet key-mixing scheme, later carried into WPA’s TKIP; WEP
itself is now considered broken and has been superseded by WPA2/WPA3
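The slide says that scanners can tell real access points from FakeAP decoys but not how. The Python below is an added example, not code from the page and not from the NetStumbler or FakeAP projects; it applies the property that makes the decoys recognisable: FakeAP fabricates a fresh random BSSID and SSID for each decoy beacon, so a decoy rarely recurs from one scan round to the next, while a genuine access point keeps one BSSID, SSID and channel and its signal strength varies only modestly. The scan records and the two thresholds are constructed assumptions, and a site that deliberately pins FakeAP to a fixed list of decoys would defeat the persistence test, so this is a heuristic rather than a proof.

```python
"""Separating real access points from FakeAP decoys in scan data.

Added example, not from the page and not code from the NetStumbler or FakeAP
projects. It relies on the observation that FakeAP, by default, fabricates a
fresh random BSSID and SSID per decoy beacon, so decoys rarely recur across
scan rounds, whereas a genuine AP keeps one BSSID, SSID and channel and varies
only modestly in signal strength. Scan records and thresholds are constructed
assumptions.
"""
from collections import defaultdict

MIN_ROUNDS = 3          # assumption: seen in at least this many scan rounds
MAX_RSSI_SPREAD = 15    # assumption: dBm; larger swings for one BSSID look synthetic


def classify(beacons, total_rounds):
    """beacons: iterable of (round_no, bssid, ssid, channel, rssi_dbm).
    Returns {bssid: "real" | "decoy"}."""
    obs = defaultdict(list)
    for rnd, bssid, ssid, chan, rssi in beacons:
        obs[bssid.lower()].append((rnd, ssid, chan, rssi))
    needed = min(MIN_ROUNDS, total_rounds)   # never demand more rounds than were run
    verdict = {}
    for bssid, rows in obs.items():
        rounds = {r[0] for r in rows}
        ssids = {r[1] for r in rows}
        chans = {r[2] for r in rows}
        rssis = [r[3] for r in rows]
        persistent = len(rounds) >= needed
        consistent = (len(ssids) == 1 and len(chans) == 1
                      and max(rssis) - min(rssis) <= MAX_RSSI_SPREAD)
        verdict[bssid] = "real" if persistent and consistent else "decoy"
    return verdict


def real_access_points(beacons, total_rounds):
    """Sorted BSSIDs judged genuine."""
    return sorted(b for b, v in classify(beacons, total_rounds).items() if v == "real")


# Constructed four-round scan (assumption). Two genuine APs recur every round;
# the decoys each appear once with a random BSSID/SSID, and the one decoy that
# happens to recur changes its SSID and channel.
SCAN = [
    (1, "00:0c:41:aa:bb:01", "corp-wifi", 6, -61), (1, "00:0c:41:aa:bb:02", "guest", 11, -70),
    (1, "7a:13:9f:0c:22:31", "linksys", 1, -55),  (1, "d6:08:4e:99:01:aa", "default", 6, -54),
    (2, "00:0c:41:aa:bb:01", "corp-wifi", 6, -58), (2, "00:0c:41:aa:bb:02", "guest", 11, -73),
    (2, "3e:5b:c1:77:de:02", "NETGEAR", 3, -56),   (2, "d6:08:4e:99:01:aa", "wireless", 9, -55),
    (3, "00:0c:41:aa:bb:01", "corp-wifi", 6, -63), (3, "00:0c:41:aa:bb:02", "guest", 11, -69),
    (3, "92:f0:11:4d:a0:ee", "tsunami", 1, -57),
    (4, "00:0c:41:aa:bb:01", "corp-wifi", 6, -60), (4, "00:0c:41:aa:bb:02", "guest", 11, -71),
    (4, "1a:2b:3c:4d:5e:6f", "home", 11, -53),
]

if __name__ == "__main__":
    for bssid, v in sorted(classify(SCAN, 4).items()):
        print(f"{bssid}  {v}")
```

Run over the constructed scan, the two corporate BSSIDs are the only ones seen in three or more rounds with an unchanged SSID and channel, and the five one-off or shape-shifting BSSIDs are marked as decoys. A war driver’s scanner needs only to keep the observations across a few passes to reach the same result, which is why decoy flooding alone is a weak defence compared with actually enabling link-layer encryption.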

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing

6-48

To Cookie or Not to Cookie

• Cookies set by companies to collect data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can be set to refuse cookies, at a cost
o Constant pop-ups asking whether to accept each cookie
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)


6-49

Is Big Brother Watching You

• Employers can use equipment to
o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS – used to track employees’ physical location

• Companies have rights to collect almost any information about
employees while on the job

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable to accidental damage
during excavation
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines

• 675,000 incidents of damage to buried infrastructure in one year
o Infrastructure information is publicly available
o Most Internet communication goes through cables buried along major
highways and railroads

• Only two major routes across the US for Internet traffic

6-51




Slide 16

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of products and services
• Eats up storage space
• Compromises network bandwidth
• Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantined

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick users into giving away credit card numbers
• Phony messages
• Duplicates of legitimate Web sites
• E.g., eBay, PayPal have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast authentication
• High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities
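The three controls on this slide (only the files required for the job, read-only where writing is not needed, and allowed time periods) written as one default-deny check. This is an added example, not the textbook's or any product's code; the roles, paths, users and hours are constructed for illustration.

```python
import posixpath
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Rule:
    """One access-control entry: which role may do what, to which files, and when."""
    role: str
    path_prefix: str      # files covered, e.g. "/finance/payroll/"
    actions: frozenset    # subset of {"read", "write"}; read-only = {"read"}
    start: time           # allowed window start (inclusive)
    end: time             # allowed window end (exclusive)

# Constructed sample policy (not a real organization's):
POLICY = [
    Rule("payroll",  "/finance/payroll/", frozenset({"read", "write"}), time(8, 0), time(18, 0)),
    Rule("auditor",  "/finance/",         frozenset({"read"}),          time(0, 0), time(23, 59)),
    Rule("engineer", "/projects/",        frozenset({"read", "write"}), time(0, 0), time(23, 59)),
]
USER_ROLES = {"dana": "payroll", "eli": "auditor", "fay": "engineer"}

def is_allowed(user: str, action: str, path: str, when: time,
               policy=POLICY, roles=USER_ROLES) -> bool:
    """Default-deny check: grant only if some rule for the user's role covers the
    file, permits the action, and is in force at the given time of day."""
    role = roles.get(user)
    if role is None:
        return False                    # unknown user: nothing is granted
    path = posixpath.normpath(path)     # resolve "..", so /a/../b is judged as /b
    for rule in policy:
        if (rule.role == role
                and path.startswith(rule.path_prefix)
                and action in rule.actions
                and rule.start <= when < rule.end):
            return True
    return False
```

The path is normalised before the prefix test; without that step a request for `/finance/payroll/../../projects/x` would pass the payroll prefix check while actually reaching a different directory. In practice this decision lives in the operating system's or application's built-in access control rather than in application code, but the logic it must implement is the same.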

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap and easy to install
• Use on the rise
• Signal transmitted through the air
o Susceptible to being intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for certain applications
o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all messages; Network Address Translation
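A packet filter of the kind the first approach describes, each packet examined against an ordered rule list, as an added example that is not from the textbook or any firewall product. The addresses are documentation and private ranges and the rule set is constructed; it protects a public web server in a DMZ and an internal LAN.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port; 0 for protocols without ports

@dataclass(frozen=True)
class FilterRule:
    action: str          # "allow" or "deny"
    src_net: str         # CIDR; "0.0.0.0/0" matches any source
    dst_net: str
    proto: str           # protocol name or "any"
    dports: frozenset    # empty set = any port

    def matches(self, p: Packet) -> bool:
        """A rule matches when every field it constrains agrees with the packet."""
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("any", p.proto)
                and (not self.dports or p.dport in self.dports))

# Constructed rule set: a public web server at 203.0.113.10 and an internal
# LAN 10.0.0.0/8 (documentation / private ranges, not real hosts).
# Rules are checked in order and the first match decides; the last rule makes
# the policy default-deny, so anything not explicitly allowed is dropped.
RULESET = [
    FilterRule("allow", "0.0.0.0/0",  "203.0.113.10/32", "tcp", frozenset({80, 443})),
    FilterRule("allow", "10.0.0.0/8", "0.0.0.0/0",       "any", frozenset()),  # LAN may initiate outbound
    FilterRule("deny",  "0.0.0.0/0",  "10.0.0.0/8",      "any", frozenset()),  # nothing inbound to LAN
    FilterRule("deny",  "0.0.0.0/0",  "0.0.0.0/0",       "any", frozenset()),  # default deny
]

def filter_packet(p: Packet, rules=RULESET) -> str:
    """Examine one packet against the rule list; returns "allow" or "deny"."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"
```

The limitation of this approach is visible in the rule set: a reply coming back from the Internet to a LAN host looks exactly like an unsolicited inbound packet and hits the "nothing inbound" rule, because a stateless filter has no memory of which connections the LAN opened. That gap is what the circuit-level (connection-based) control on the same slide fills.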
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received
• Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)
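The asymmetric process from the last three slides worked through in code: a key pair per person, the public key freely distributed and the private key kept secret, encryption with the recipient's public key for confidentiality, and a digital signature with the sender's private key for authentication, integrity and nonrepudiation. This is an added example using textbook RSA with toy-sized primes, not the textbook's own material and not a usable cipher: it has no padding, encrypts one byte at a time and shrinks the hash to fit the small modulus, all of which real implementations avoid. The prime values and messages are constructed.

```python
import hashlib
from math import gcd

def keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Textbook RSA key generation from two primes p and q.
    Returns ((n, e), (n, d)): (n, e) is the public key, handed out freely;
    d is the private exponent and stays secret. Real keys are 2048+ bits."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def encrypt(public_key: tuple, message: bytes) -> list:
    """Confidentiality: anyone holding the recipient's public key can encrypt,
    only the private key holder can decrypt. One byte per block, no padding."""
    n, e = public_key
    return [pow(b, e, n) for b in message]

def decrypt(private_key: tuple, ciphertext: list) -> bytes:
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext)

def sign(private_key: tuple, message: bytes) -> int:
    """Authentication, integrity and nonrepudiation: the sender raises a hash
    of the message to the private exponent. Only the private key can produce
    the value, and any change to the message changes the hash."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)

def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """The verifier recomputes the hash and compares it with the signature
    raised to the public exponent."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h

if __name__ == "__main__":
    # Constructed demo: Bob encrypts to Alice's public key and signs with his
    # own private key; Alice decrypts and checks Bob's signature.
    alice_pub, alice_priv = keygen(61, 53)          # n = 3233, the classic textbook pair
    bob_pub, bob_priv = keygen(104723, 104729)      # larger primes so hash collisions are unlikely
    msg = b"Approve payroll run 2024-03"
    ct = encrypt(alice_pub, msg)
    sig = sign(bob_priv, msg)
    assert decrypt(alice_priv, ct) == msg           # only Alice can read it
    assert verify(bob_pub, msg, sig)                # anyone can check Bob sent exactly this
    assert not verify(bob_pub, msg + b"!", sig)     # tampering breaks verification
    print("round trip and signature check OK")
```

The two halves map onto the slide's list: encrypting with the receiver's public key gives privacy/confidentiality, while a signature made with the sender's private key gives authentication and nonrepudiation, and because it is computed over a hash of the message it also gives integrity. Note that nothing here ties a public key to a person; that binding is what the Certificate Authority on the next slide provides.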

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology
• Limited use by organizations

• 1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

• 1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail
o Record of users
o Record of activities
• IT department needs to monitor this activity
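An audit-trail review of the kind this slide describes, added as an example that is not from the textbook: it parses a record of users and their activities and flags three kinds of suspicious action, including activity by an account that should already have been disabled (the resentful fired employee from the earlier "Other Threats" list). The log format, account names, business hours and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# Assumed log format (constructed for this example): one record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"file=(?P<file>\S+) result=(?P<result>ok|denied)$"
)

SAMPLE_LOG = """\
2024-03-04T09:12:01 user=dana action=read file=/finance/payroll/march.csv result=ok
2024-03-04T09:15:44 user=dana action=write file=/finance/payroll/march.csv result=ok
2024-03-04T10:02:10 user=fay action=read file=/finance/payroll/march.csv result=denied
2024-03-04T10:02:31 user=fay action=read file=/finance/payroll/bonus.csv result=denied
2024-03-04T10:03:05 user=fay action=read file=/finance/payroll/2023.csv result=denied
2024-03-04T23:41:09 user=gus action=read file=/finance/payroll/march.csv result=ok
garbage line
""".splitlines()

DISABLED_ACCOUNTS = {"gus"}   # e.g. a terminated employee whose account was not removed

def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def review_audit_trail(lines, disabled_accounts, business_hours=(8, 18), deny_threshold=3):
    """Walk the trail once and return (kind, user, detail) findings:
    - disabled-account: any activity by an account that should be inactive
    - after-hours: successful access outside business hours
    - repeated-denials: a user refused deny_threshold or more times
    - unparseable: a line that does not fit the format (a tampered or
      truncated trail is itself worth a look)
    """
    findings = []
    denies = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", None, line.strip()))
            continue
        if rec["user"] in disabled_accounts:
            findings.append(("disabled-account", rec["user"], rec["file"]))
        in_hours = business_hours[0] <= rec["ts"].hour < business_hours[1]
        if rec["result"] == "ok" and not in_hours:
            findings.append(("after-hours", rec["user"], rec["file"]))
        if rec["result"] == "denied":
            denies[rec["user"]] += 1
    for user, n in denies.items():
        if n >= deny_threshold:
            findings.append(("repeated-denials", user, str(n)))
    return findings
```

Denied attempts are as informative as successful ones: the access-control software stopped `fay`, but a run of refusals against payroll files is exactly the pattern the IT department needs someone to look at, which is why the trail has to be reviewed and not merely kept.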
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures – handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4. Training – organization’s personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement
• Fear of falling stock prices
o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important
• Majority said they do not do enough training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking

• 60-80% of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
o Driving around densely populated areas
• “War spamming”
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
o FakeAP
• Network scanners distinguish between real and fake APs
o Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 17


Slide 18

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are


6-20

Biometrics

• Form of authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.
• Fast authentication
• High security

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

6-22

Wireless LAN Control

• Wireless LAN cheap and easy to install
• Use on the rise
• Signal transmitted through the air
o Susceptible to being intercepted
o Drive-by hacking

6-23

Virtual Private Networks

• Connection constructed dynamically within an existing network
• Secure tunnel
o Encrypted information

6-24

Firewalls

• System designed to detect intrusion and prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for certain applications
o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all messages; Network Address Translation

6-25

Firewall Architecture
a) Basic software firewall for a home network
b) Firewall router
• Home office
• Small office

6-26

Firewall Architecture
Larger Organization


6-27

Encryption
• Message encoded before sending
• Message decoded when received
• Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system
• Sender and recipient use the same key
• Cons: Management problems
o Public key technology
• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

6-29

How Encryption Works (Asymmetric)


6-30

Encryption for Websites

• Certificate Authority
o Third party – trusted middleman
• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys
• Secure Sockets Layer (SSL)
o Developed by Netscape
o Popular public-key encryption method

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology
• Limited use by organizations
• 1991 – Pretty good privacy
o Versatile encryption program
o Global favorite
• 1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform
• Encryption for cellular phones
• Encryption for PDAs

6-33

Recommended Virus Precautions

• Purchase and install antivirus software
o Update frequently
• Do not download data from unknown sources
o Flash drives, disks, Web sites
• Delete (without opening) e-mail from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail
o Record of users
o Record of activities
• IT department needs to monitor this activity

6-35
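The access-control software slide (files required for work, read-only access, allowed time periods) and the audit trail above come together in this added example, written for these notes rather than taken from the textbook or any product: a constructed policy is replayed over a constructed audit trail to spot the suspicious actions the IT department should review. The log format, users, files and times are all assumptions.

```python
"""Access-control policy check replayed over an audit trail.
Example code for these notes (not textbook or vendor code); the policy,
log format and log lines are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List


@dataclass(frozen=True)
class Permission:
    mode: str    # "ro" (read-only) or "rw"
    start: time  # beginning of the allowed daily time window
    end: time    # end of the allowed daily time window


# Constructed policy: who may touch which file, how, and when.
POLICY: Dict[str, Dict[str, Permission]] = {
    "alice": {"payroll.xlsx": Permission("rw", time(8, 0), time(18, 0))},
    "bob": {"payroll.xlsx": Permission("ro", time(8, 0), time(18, 0)),
            "schedule.doc": Permission("rw", time(0, 0), time(23, 59))},
}


def check_access(user: str, path: str, action: str, when: datetime) -> str:
    """Return "allow" or a short reason for denial. Anything not explicitly
    granted is denied, and the result names which check failed."""
    perm = POLICY.get(user, {}).get(path)
    if perm is None:
        return "deny: file not required for this user's work"
    if action == "write" and perm.mode == "ro":
        return "deny: read-only access"
    if not (perm.start <= when.time() <= perm.end):
        return "deny: outside allowed time period"
    return "allow"


@dataclass(frozen=True)
class AuditRecord:
    when: datetime
    user: str
    action: str
    path: str
    result: str


def parse_audit_line(line: str) -> AuditRecord:
    """Audit trail format assumed here (constructed, not a real product's):
    '<ISO timestamp> <user> <read|write> <path> <allow|deny>'."""
    ts, user, action, path, result = line.split()
    return AuditRecord(datetime.fromisoformat(ts), user, action, path, result)


def suspicious_actions(lines: List[str], deny_threshold: int = 3) -> List[str]:
    """Replay the trail against the policy and flag two kinds of suspicious
    activity: a logged 'allow' the policy would not grant (a control was
    bypassed or misconfigured), and a user with repeated denials."""
    findings: List[str] = []
    denials: Dict[str, int] = {}
    for rec in map(parse_audit_line, lines):
        verdict = check_access(rec.user, rec.path, rec.action, rec.when)
        if rec.result == "allow" and verdict != "allow":
            findings.append(f"{rec.when.isoformat()} {rec.user} {rec.action} "
                            f"{rec.path}: allowed but policy says {verdict}")
        if rec.result == "deny":
            denials[rec.user] = denials.get(rec.user, 0) + 1
    for user, count in denials.items():
        if count >= deny_threshold:
            findings.append(f"{user}: {count} denied attempts")
    return findings


# Constructed audit trail (record of users and their activities).
AUDIT_TRAIL = [
    "2006-03-01T09:15:00 alice write payroll.xlsx allow",
    "2006-03-01T09:20:00 bob read payroll.xlsx allow",
    "2006-03-01T23:40:00 bob write payroll.xlsx allow",  # read-only user, after hours
    "2006-03-02T02:05:00 bob write payroll.xlsx deny",
    "2006-03-02T02:06:00 bob write payroll.xlsx deny",
    "2006-03-02T02:07:00 bob read secrets.txt deny",
]

if __name__ == "__main__":
    for finding in suspicious_actions(AUDIT_TRAIL):
        print(finding)
```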

Other Technological Safeguards

• Backups
o Secondary storage devices
o Regular intervals
• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording
• Uninterruptible power supply (UPS)
o Protection against power surges

6-36

Human Safeguards

• Use of federal and state laws as well as ethics


6-37

Learning Objectives


6-38

Managing Information Systems
Security

• Non-technical safeguards
o Management of people’s use of IS
• Acceptable use policies
o Trustworthy employees
o Well-treated employees

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process
1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding new users
f. Incident handling procedures – handling security breach
g. Disaster recovery plan – restoration of computer operations

6-41

Security Plan: Remaining Steps
3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department
4. Training – organization’s personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT)
o Started after Morris worm disabled 10% of all computers connected to the Internet
• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT planning, implementation, management and operation

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement
• Fear of falling stock prices
o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important
• Majority said they do not do enough training

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)


6-45

End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60 - 80 % of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
o Driving around densely populated areas
• “War spamming”
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
o FakeAP
• Network scanners distinguish between real and fake APs
o Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate spyware
• Webroot company data
o 66% of scanned PCs infected with at least 25 spyware programs
o Incidents of spyware slightly decreasing

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies
• Web browsers can protect against accepting cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available
• National Security Agency (NSA)

6-49

Is Big Brother Watching You

• Employers can use equipment to
o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees
• RFID and GPS
• Companies have rights to collect almost any information about employees while on the job

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines
• 675,000 incidents in 1 year
o Infrastructure information publicly available
o Most of Internet communication goes through cables buried along major highways and railroads
• Only two major routes across US for Internet traffic

6-51


Slide 20

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system
  • Sender and recipient use the same key
  • Cons: key management problems – the key must be shared in advance over some other secure channel, and every pair of communicating parties needs its own key
o Public key technology
  • Asymmetric key system
  • Each individual has a pair of keys
    o Public key – freely distributed; anyone can use it to encrypt a message to the owner or to verify the owner's signature
    o Private key – kept secret; only it can decrypt those messages or produce that signature


6-29

How Encryption Works (Asymmetric)


6-30
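The figure this slide refers to is not in the transcript. As an added example for this transcript, not code from the slides or the textbook, the asymmetric flow it illustrates (encrypt with the recipient's public key and decrypt with the private key; sign with the private key and verify with the public key) is carried out below in textbook RSA on deliberately tiny primes. The numbers are chosen to be readable, not secure, and the names are the example's own; real deployments use 2048-bit or larger moduli, randomised padding and a vetted library. The last line of the demonstration shows why that padding exists.

```python
"""Added example, not code from the slides or the textbook: the asymmetric
key flow in textbook RSA on deliberately tiny primes. The numbers are chosen
to be readable, not secure: real deployments use 2048-bit or larger moduli,
randomized padding (OAEP for encryption, PSS for signatures) and a vetted
library. Names are this example's own."""
import hashlib
from math import gcd


def keygen(p: int, q: int, e: int = 17):
    """Return ((n, e) public, (n, d) private). p and q must be distinct primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)


def digest(message: bytes, n: int) -> int:
    """Sign a hash of the message, reduced into the modulus, not the message itself."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    n, d = private
    return pow(digest(message, n), d, n)                # only the private key can do this


def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(message, n)   # anyone with the public key can check


def demo() -> dict:
    bob_pub, bob_priv = keygen(61, 53)         # Bob publishes bob_pub and keeps bob_priv
    alice_pub, alice_priv = keygen(101, 113)
    c = encrypt(bob_pub, 65)                   # Alice encrypts a message for Bob
    s = sign(alice_priv, b"pay Bob 100")       # Alice signs; Bob checks with alice_pub
    n_alice = alice_pub[0]
    return {
        "ciphertext": c,
        "recovered": decrypt(bob_priv, c),
        "signature_ok": verify(alice_pub, b"pay Bob 100", s),
        "altered_signature_ok": verify(alice_pub, b"pay Bob 100", (s + 1) % n_alice),
        # Unpadded RSA is malleable: E(a) * E(b) == E(a * b), so an attacker can
        # combine ciphertexts without the key. Padding schemes exist to stop this.
        "malleable": (encrypt(bob_pub, 2) * encrypt(bob_pub, 5)) % bob_pub[0] == encrypt(bob_pub, 10),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With p = 61, q = 53 and e = 17 the public modulus is 3233 and the message 65 encrypts to 2790, the same worked figures that appear in most introductions to RSA; the private exponent is found with Python's modular inverse, `pow(e, -1, phi)`.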

Encryption for Websites

• Certificate Authority
o Third party – trusted middleman
• Vouches, by signing a certificate, that a given public key belongs to a given Web site (its domain name)
• Checks the identity of the site's operator before signing; this says nothing about whether the site itself is honest
• Browsers ship with a list of CAs whose signatures they accept, and a site presents its certificate (containing its public key) to the browser
• Secure Sockets Layer (SSL)
o Developed by Netscape
o Protocol that uses public-key cryptography and the server's certificate to authenticate the server and agree on a session key, then symmetric encryption for the data itself
o Superseded by Transport Layer Security (TLS); the original SSL versions are now considered insecure and should be disabled


6-31

Other Encryption Approaches
• 1976 – Public/private key (Diffie and Hellman)
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law treated strong encryption as a munition and restricted its export
• Limited use by organizations
• 1991 – Pretty Good Privacy (PGP)
o Versatile encryption program for e-mail and files
o Global favorite
• 1993 – Clipper chip
o Government-designed chip with a classified cipher and a key-escrow scheme that kept a copy of each key with government agencies
o Scrapped before it became reality, after public opposition and a published weakness in the escrow mechanism


6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs


6-33

Recommended Virus Precautions

• Purchase and install antivirus software
o Update frequently
• Do not download data from unknown sources
o Flash drives, disks, Web sites
• Delete (without opening) e-mail from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail
o Record of users
o Record of activities
o Who did what, when and from where, so that an incident can be reconstructed afterwards
• IT department needs to monitor this activity – a trail that nobody reads detects nothing

6-35
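"Spots suspicious action" is the part of this slide that needs actual logic. The following is an added example for this transcript, not code from the slides or the textbook: three checks an audit-control tool can run over an audit trail, applied to a constructed sample log. The log format, user names, addresses and thresholds are assumptions made for the example.

```python
"""Added example, not code from the slides or the textbook: three checks an
audit-control tool can run over an audit trail, applied to a constructed
sample log (not real data). The log format, user names, addresses and
thresholds are this example's own assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: one event per line, timestamp then key=value fields.
SAMPLE_LOG = """\
2006-03-14T09:02:11 user=jsmith src=10.0.0.5 action=login result=ok
2006-03-14T09:05:40 user=jsmith src=10.0.0.5 action=read file=/payroll/march.xls result=ok
2006-03-14T23:41:02 user=jsmith src=10.0.0.5 action=login result=ok
2006-03-14T23:42:15 user=jsmith src=10.0.0.5 action=write file=/payroll/march.xls result=ok
2006-03-15T03:10:01 user=admin src=198.51.100.7 action=login result=fail
2006-03-15T03:10:02 user=admin src=198.51.100.7 action=login result=fail
2006-03-15T03:10:03 user=admin src=198.51.100.7 action=login result=fail
2006-03-15T03:10:04 user=admin src=198.51.100.7 action=login result=fail
2006-03-15T03:10:05 user=admin src=198.51.100.7 action=login result=fail
2006-03-15T03:10:09 user=admin src=198.51.100.7 action=login result=ok
"""

WORK_HOURS = range(8, 18)              # logins outside this window are unusual
READ_ONLY_USERS = {"jsmith"}           # accounts that should never write
FAIL_THRESHOLD = 5                     # this many failures ...
FAIL_WINDOW = timedelta(minutes=1)     # ... within this window looks like password guessing


def parse(line: str) -> dict:
    """'2006-03-14T09:02:11 k=v k=v ...' -> dict of fields, with a datetime under 'ts'."""
    stamp, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(stamp)
    return event


def detect(log_text: str) -> list:
    """Return (alert type, user, detail) tuples in the order the trail triggers them."""
    alerts = []
    recent_fails = defaultdict(list)   # (user, src) -> timestamps of recent failed logins
    for line in log_text.splitlines():
        ev = parse(line)
        key = (ev["user"], ev["src"])
        login = ev["action"] == "login"
        if login and ev["result"] == "fail":
            window = recent_fails[key]
            window.append(ev["ts"])
            window[:] = [t for t in window if ev["ts"] - t <= FAIL_WINDOW]
            if len(window) == FAIL_THRESHOLD:          # alert once, when the threshold is first crossed
                alerts.append(("brute_force", ev["user"], ev["src"]))
        if login and ev["result"] == "ok":
            if ev["ts"].hour not in WORK_HOURS:
                alerts.append(("off_hours_login", ev["user"], ev["src"]))
            if recent_fails.get(key):                  # a success right after a burst of failures
                alerts.append(("success_after_failures", ev["user"], ev["src"]))
        if ev["action"] == "write" and ev["user"] in READ_ONLY_USERS:
            alerts.append(("write_by_read_only_user", ev["user"], ev.get("file")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The guessing check keeps a sliding one-minute window per (user, source) pair rather than a lifetime count, so five failures spread over a month do not trigger it; the success that follows the burst is flagged separately, because that is the event worth waking someone up for.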

Other Technological Safeguards

• Backups
o Secondary storage devices, kept separate from the systems they protect
o Regular intervals
o Restores tested regularly – a backup that has never been restored is not known to work
• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording
• Uninterruptible power supply (UPS)
o Protection against power outages and surges: a battery keeps systems running long enough for an orderly shutdown or for a generator to start


6-36

Human Safeguards

• Use of federal and state laws as well as ethics


6-37

Learning Objectives


6-38

Managing Information Systems Security

• Non-technical safeguards
o Management of people's use of IS
• Acceptable use policies
• Trustworthy employees
• Well-treated employees (resentful staff are a leading insider threat)

6-39

Developing an Information Systems Security Plan
Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

6-40

Security Plan: Step 2
2. Policies and procedures – rules for everyday use of the systems and the actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding new users (and for removing access when people leave or change roles)
f. Incident handling procedures – handling a security breach
g. Disaster recovery plan – restoration of computer operations

6-41

Security Plan: Remaining Steps
3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department
4. Training – organization's personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT)
o Started after the Morris worm disabled about 10% of all computers connected to the Internet
• Computer Security Division (CSD) of the U.S. National Institute of Standards and Technology (NIST)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT planning, implementation, management and operation

6-43

The State of Systems Security Management

• Financial losses from cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement
• Reason given for not reporting: fear of falling stock prices
• Most organizations do not outsource security activities
• 90% of organizations conduct routine security audits
• Most organizations agree security training is important
o Majority said they do not do enough training

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)


6-45

End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60 - 80 % of corporate wireless networks do not use security
• "War driving" – a new hacker tactic
o Driving around densely populated areas looking for open or weakly protected wireless networks
• "War spamming"
o Attackers link to an e-mail server through an open wireless network and send out millions of spam messages
o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
o FakeAP – floods the air with beacon frames for access points that do not exist, hiding the real one among them
• Network scanners distinguish between real and fake APs
o Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP (an interim repair; WEP itself was later replaced by WPA and WPA2)

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies
• Web browsers can be set to refuse cookies, at a cost
o Constant pop-ups asking whether to accept each cookie
o Some sites will not work properly
o Customized information will not be available
• National Security Agency (NSA)


6-49

Is Big Brother Watching You

• Employers can use equipment to
o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees (RFID and GPS)
• Companies have rights to collect almost any information about employees while on the job

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines
• 675,000 incidents in 1 year
o Infrastructure information publicly available
o Most of Internet communication goes through cables buried along major highways and railroads
• Only two major routes across US for Internet traffic

6-51


Slide 21

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 22

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

6-37

Learning Objectives

6-38

Managing Information Systems Security

• Non-technical safeguards
o Management of people’s use of IS
• Acceptable use policies
o Trustworthy employees
o Well-treated employees

6-39

Developing an Information Systems Security Plan
Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding new users
f. Incident handling procedures – handling a security breach
g. Disaster recovery plan – restoration of computer operations

6-41

Security Plan: Remaining Steps
3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department
4. Training – organization’s personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
6-43

The State of Systems Security Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement
• Fear of falling stock prices
o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important
• Majority said they do not do enough training

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

6-45

End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60-80% of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
o Driving around densely populated areas
• “War spamming”
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
o FakeAP
• Network scanners distinguish between real and fake APs
o Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate spyware
• Webroot company data
o 66% of scanned PCs infected with at least 25 spyware programs
o Incidents of spyware slightly decreasing

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies
• Web browsers can protect against accepting cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available
• National Security Agency (NSA)

6-49

Is Big Brother Watching You?

• Employers can use equipment to
o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees
• RFID and GPS
• Companies have rights to collect almost any information about employees while on the job

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines
• 675,000 incidents in 1 year
o Infrastructure information publicly available
o Most of Internet communication goes through cables buried along major highways and railroads
• Only two major routes across US for Internet traffic

6-51




• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 27

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 28

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 29

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses

• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a computer
• Worms
o Variation of a virus
o Replicate endlessly across the Internet
o Servers crash
• MyDoom attack on Microsoft’s Web site

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes
• Eats up computer’s memory and network bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization

6-11

Spam

• Electronic junk mail
• Advertisements of products and services
• Eats up storage space
• Compromises network bandwidth
• Spim
o Spam over IM

6-12

Protection Against Spam

• Barracuda Spam Firewall 600
o Filters spam and other email threats
o Decreases amount of spam processed by the central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantined

6-13

Phishing

• Attempts to trick users into giving away credit card numbers
• Phony messages
• Duplicates of legitimate Web sites
o E.g., eBay, PayPal have been used

6-14

Cookies

• Messages passed to a Web browser from a Web server
• Used for Web site customization
• Cookies may contain sensitive information
• Cookie management and cookie killer software
• Internet Explorer Web browser settings

6-15

Other Threats to IS Security

1. Employees writing passwords on paper
2. No installation of antivirus software
3. Use of default network passwords
4. Letting outsiders view monitors

6-16

Other Threats to IS Security (II)

5. Organizations fail to limit access to some files
6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful

6-17

Learning Objectives

6-18

Safeguarding Information Systems Resources

• Information systems audits
o Risk analysis
• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party

6-19

Technological Safeguards

• Physical access restrictions
o Authentication
• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination
• Authentication limited to
o Something you have
o Something you know
o Something you are

6-20

Biometrics

• Form of authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.
• Fast authentication
• High security

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

6-22
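An added example (not from the slides or the textbook) of the three controls this slide lists: access only to the files needed for the job, read-only rights, and allowed time periods. The Grant structure, the is_authorized function and the sample policy are this example's own assumptions. It also handles one edge case the slide does not mention: a requested path containing ".." is normalised before it is compared with the grant, so it cannot escape the granted directory.

```python
import posixpath
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """One access-control entry: who may do what, where, and when."""
    user: str
    path: str                           # a file, or a directory covering everything below it
    rights: FrozenSet[str]              # subset of {"read", "write"}
    hours: Optional[Tuple[time, time]]  # (start, end) local time of day; None = any time


def _covers(grant_path: str, requested: str) -> bool:
    """True if `requested` is the granted file or lies under the granted directory.
    Both sides are normalised so '..' segments cannot walk out of the grant."""
    g = posixpath.normpath(grant_path)
    r = posixpath.normpath(requested)
    return r == g or r.startswith(g.rstrip("/") + "/")


def _in_hours(hours: Tuple[time, time], t: time) -> bool:
    start, end = hours
    if start <= end:                 # e.g. 08:00-18:00
        return start <= t < end
    return t >= start or t < end     # overnight window, e.g. 22:00-06:00


def is_authorized(policy, user: str, path: str, action: str, when: datetime):
    """Default deny: the request is allowed only if some grant for this user
    covers the path, includes the action, and is in force at `when`.
    Returns (decision, reason) so the reason can be written to the audit trail."""
    reasons = []
    for g in policy:
        if g.user != user or not _covers(g.path, path):
            continue
        if action not in g.rights:
            reasons.append(f"{g.path}: '{action}' not granted (rights: {sorted(g.rights)})")
            continue
        if g.hours is not None and not _in_hours(g.hours, when.time()):
            reasons.append(f"{g.path}: outside allowed hours")
            continue
        return True, f"allowed by grant on {g.path}"
    return False, "; ".join(reasons) or "no matching grant"


# Constructed sample policy: Bob reads finance reports during office hours
# and may edit only the draft folder; the ops account reads logs at any time.
OFFICE_HOURS = (time(8, 0), time(18, 0))
POLICY = [
    Grant("bob", "/finance/reports", frozenset({"read"}), OFFICE_HOURS),
    Grant("bob", "/finance/reports/draft", frozenset({"read", "write"}), OFFICE_HOURS),
    Grant("ops", "/var/log", frozenset({"read"}), None),
]

if __name__ == "__main__":
    noon = datetime(2024, 3, 4, 12, 0)
    late = datetime(2024, 3, 4, 23, 0)
    for req in [("bob", "/finance/reports/q3.xlsx", "read", noon),
                ("bob", "/finance/reports/q3.xlsx", "write", noon),
                ("bob", "/finance/reports/draft/q4.xlsx", "write", noon),
                ("bob", "/finance/reports/q3.xlsx", "read", late),
                ("bob", "/finance/reports/../../etc/shadow", "read", noon)]:
        print(req[:3], req[3].time(), "->", is_authorized(POLICY, *req))
```

Returning the reason alongside the decision matters for the audit-trail slide later in the deck: a denied request is only useful to the IT department if the log says which rule denied it and why.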

Wireless LAN Control

• Wireless LAN cheap and easy to install
• Use on the rise
• Signal transmitted through the air
o Susceptible to being intercepted
o Drive-by hacking

6-23

Virtual Private Networks

• Connection constructed dynamically within an existing network
• Secure tunnel
o Encrypted information

6-24

Firewalls

• System designed to detect intrusion and prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for certain applications
o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all messages; Network Address Translation

6-25
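The "packet filter – each packet examined" approach from this slide, as an added example; it is not code from the slides, the textbook or any firewall product. The Packet and Rule types, the first-match-wins ordering with an implicit default deny, and the sample rule set are this example's own assumptions; the addresses are RFC 5737 documentation ranges and a constructed private network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless packet filter looks at (constructed, not captured)."""
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None = any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


def filter_packet(rules, p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; anything unmatched is dropped (default deny).
    Returns (action, index of the deciding rule, or None for the default)."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


# Constructed rule set for traffic arriving on the outside interface of a
# small-office firewall whose internal network is 192.168.10.0/24.
INBOUND_RULES = [
    Rule("deny", src="192.168.10.0/24",
         comment="anti-spoofing: an internal source address cannot arrive from outside"),
    Rule("allow", proto="tcp", dst="192.168.10.5/32", dport=443, comment="public web server, HTTPS"),
    Rule("allow", proto="tcp", dst="192.168.10.5/32", dport=80, comment="public web server, HTTP"),
    Rule("allow", proto="tcp", src="198.51.100.0/24", dst="192.168.10.20/32", dport=22,
         comment="SSH to the admin host only from the partner's address range"),
    # everything else falls through to the implicit default deny
]

if __name__ == "__main__":
    for p in [Packet("tcp", "203.0.113.7", "192.168.10.5", 443),
              Packet("tcp", "203.0.113.7", "192.168.10.5", 22),
              Packet("tcp", "192.168.10.9", "192.168.10.5", 443),
              Packet("tcp", "198.51.100.4", "192.168.10.20", 22),
              Packet("tcp", "203.0.113.7", "192.168.10.20", 22),
              Packet("icmp", "203.0.113.7", "192.168.10.5")]:
        action, idx = filter_packet(INBOUND_RULES, p)
        why = INBOUND_RULES[idx].comment if idx is not None else "default deny"
        print(f"{p.proto:4} {p.src:>14} -> {p.dst}:{p.dport}  {action:5}  ({why})")
```

A filter of this kind sees only headers. It can reject a spoofed internal source address or an unexpected port, but it cannot tell a legitimate HTTPS request from a malicious one on port 443; that is the gap the slide's application-level control and proxy server fill.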

Firewall Architecture

a) Basic software firewall for a home network
b) Firewall router
• Home office
• Small office

6-26

Firewall Architecture
Larger Organization

6-27

Encryption

• Message encoded before sending
• Message decoded when received
• Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system
• Sender and recipient use the same key
• Cons: Management problems
o Public key technology
• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

6-29

How Encryption Works (Asymmetric)

6-30
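An added example (not from the slides or the textbook) tying the three encryption slides together: a textbook RSA key pair with a freely distributed public key and a secret private key, used for the properties listed under "Encryption allows for". The function names, the toy-sized primes and the wrap_symmetric_key helper are this example's own assumptions.

```python
import hashlib
import math
import secrets


def generate_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two distinct primes p and q.
    Returns (public_key, private_key) as (n, e) and (n, d)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Confidentiality: anyone holding the public key can encrypt for its owner."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the private key recovers the message."""
    n, d = private_key
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Sign a hash of the message rather than the message itself.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Nonrepudiation: only the holder of the private key can produce this value."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Integrity and authentication, checked with the freely distributed public key."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def wrap_symmetric_key(recipient_public_key):
    """Hybrid use: pick a random symmetric key and send it under the recipient's
    public key, which removes the shared-secret management problem the slide
    lists against symmetric systems. Returns (key, wrapped_key)."""
    n, _ = recipient_public_key
    k = secrets.randbelow(n - 2) + 2
    return k, encrypt(recipient_public_key, k)


# Toy-sized primes so the numbers stay readable. Real RSA keys use primes of
# a thousand bits or more and padding schemes (OAEP, PSS) instead of raw pow().
ALICE_PUB, ALICE_PRIV = generate_keypair(1000003, 999983)
BOB_PUB, BOB_PRIV = generate_keypair(104729, 104723)

if __name__ == "__main__":
    k, wrapped = wrap_symmetric_key(BOB_PUB)
    print("Bob recovers the session key:", decrypt(BOB_PRIV, wrapped) == k)
    msg = b"Transfer 100 to account 42"
    sig = sign(ALICE_PRIV, msg)
    print("Alice's signature verifies:  ", verify(ALICE_PUB, msg, sig))
    print("Tampered message verifies:   ", verify(ALICE_PUB, msg + b"0", sig))
    print("Verifies under Bob's key:    ", verify(BOB_PUB, msg, sig))
```

The last two checks are the point of the slide's "Integrity" and "Nonrepudiation" bullets: changing a single byte of the message breaks the signature, and the signature verifies only under the public key that pairs with the private key that made it. With primes this small the modulus can be factored instantly, so the scheme is an illustration of the mechanism, not a usable cipher.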

Encryption for Websites

• Certificate Authority
o Third party – trusted middleman
• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys
• Secure Sockets Layer (SSL)
o Developed by Netscape
o Popular public-key encryption method

6-31

Other Encryption Approaches

• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology
• Limited use by organizations
• 1991 – Pretty Good Privacy
o Versatile encryption program
o Global favorite
• 1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

6-33

Recommended Virus Precautions

• Purchase and install antivirus software
o Update frequently
• Do not download data from unknown sources
o Flash drives, disks, Web sites
• Delete (without opening) e-mail from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail
o Record of users
o Record of activities
• IT department needs to monitor this activity

6-35
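An added example (not from the slides or the textbook) of what "spots suspicious action" can mean when the IT department reviews an audit trail. The log format, the three detection rules and the thresholds are this example's own assumptions, and the trail itself is constructed sample data. The rules flag a burst of failed logins (the brute force of slide 6-7), a successful login outside business hours, and a read of a sensitive file by a user not on its access list.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit trail (not real log data): who did what, when, from where.
SAMPLE_AUDIT_TRAIL = """\
2024-03-04T09:00:12 user=alice action=login result=ok src=192.168.10.21
2024-03-04T09:01:40 user=alice action=read path=/finance/reports/q3.xlsx src=192.168.10.21
2024-03-04T02:10:00 user=bob action=login result=fail src=203.0.113.7
2024-03-04T02:10:03 user=bob action=login result=fail src=203.0.113.7
2024-03-04T02:10:05 user=bob action=login result=fail src=203.0.113.7
2024-03-04T02:10:08 user=bob action=login result=fail src=203.0.113.7
2024-03-04T02:10:10 user=bob action=login result=fail src=203.0.113.7
2024-03-04T02:11:30 user=bob action=login result=ok src=203.0.113.7
2024-03-04T02:12:00 user=bob action=read path=/hr/salaries.csv src=203.0.113.7
2024-03-04T14:00:00 user=carol action=read path=/hr/salaries.csv src=192.168.10.30
"""

FIELD = re.compile(r"(\w+)=(\S+)")
BUSINESS_HOURS = range(8, 18)                 # 08:00 to 17:59 counts as normal
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(seconds=60)
SENSITIVE = {"/hr/salaries.csv": {"carol"}}   # path -> users allowed to touch it


def parse_line(line: str) -> dict:
    """'<iso timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(FIELD.findall(rest))
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect(events):
    """Walks the trail in time order and returns (kind, user, detail) alerts."""
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, action = ev.get("user", "?"), ev.get("action")
        if action == "login" and ev.get("result") == "fail":
            window = recent_fails[user]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()        # forget failures older than the window
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("repeated_login_failures", user, len(window)))
                window.clear()          # report each burst once
        elif action == "login" and ev.get("result") == "ok":
            if ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_login", user, ev["ts"].isoformat()))
        elif action in ("read", "write") and ev.get("path") in SENSITIVE:
            if user not in SENSITIVE[ev["path"]]:
                alerts.append(("sensitive_access_by_unlisted_user", user, ev["path"]))
    return alerts


def analyze(trail: str):
    return detect(parse_line(l) for l in trail.splitlines() if l.strip())


if __name__ == "__main__":
    for kind, user, detail in analyze(SAMPLE_AUDIT_TRAIL):
        print(f"{kind:36} {user:6} {detail}")
```

Note the order of events in the sample: five failures in ten seconds, then a success, then a read of a file the account has no business with. Seen one at a time each line is unremarkable; it is the audit trail, sorted by time and reviewed together, that turns them into a single incident worth the IT department's attention.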

Other Technological Safeguards

• Backups
o Secondary storage devices
o Regular intervals
• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording
• Uninterruptible power supply (UPS)
o Protection against power surges

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

6-37

Learning Objectives

6-38

Managing Information Systems Security

• Non-technical safeguards
o Management of people’s use of IS
• Acceptable use policies
o Trustworthy employees
o Well-treated employees

6-39

Developing an Information Systems Security Plan

Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

6-40

Security Plan: Step 2

2. Policies and procedures – actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding new users
f. Incident handling procedures – handling security breach
g. Disaster recovery plan – restoration of computer operations

6-41

Security Plan: Remaining Steps

3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department
4. Training – organization’s personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT)
o Started after Morris worm disabled 10% of all computers connected to the Internet
• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT planning, implementation, management and operation

6-43

The State of Systems Security Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement
• Fear of falling stock prices
o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important
• Majority said they do not do enough training

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey respondents (2006)

6-45

End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60–80% of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
o Driving around densely populated areas
• “War spamming”
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
o FakeAP
• Network scanners distinguish between real and fake APs
o Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate spyware
• Webroot company data
o 66% of scanned PCs infected with at least 25 spyware programs
o Incidents of spyware slightly decreasing

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies
• Web browsers can protect against accepting cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available
• National Security Agency (NSA)

6-49

Is Big Brother Watching You

• Employers can use equipment to
o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees
• RFID and GPS
• Companies have rights to collect almost any information about employees while on the job

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines
• 675,000 incidents in 1 year
o Infrastructure information publicly available
o Most of Internet communication goes through cables buried along major highways and railroads
• Only two major routes across US for Internet traffic

6-51
6-51


Slide 31

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party

6-19
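As an added worked example (not from the textbook or the slides), the risk analysis above carried out in code with the usual quantitative method: single loss expectancy (SLE) is asset value times exposure factor, annualized loss expectancy (ALE) is SLE times the annualized rate of occurrence (ARO), and the cheapest expected annual cost decides between risk reduction, risk acceptance and risk transfer. The SLE/ALE terms are an assumption beyond the slide, which only says "cost of loss vs. cost of protection"; the assets, values, control costs and insurance premiums are constructed figures.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float              # business / replacement value of the asset
    exposure_factor: float    # fraction of the value lost in one incident (0..1)
    aro: float                # annualized rate of occurrence (incidents per year)


@dataclass(frozen=True)
class Options:
    control_cost: float       # annual cost of the protective measure (risk reduction)
    aro_with_control: float   # ARO that remains once the control is in place
    transfer_premium: float   # annual insurance premium (risk transfer)


def annualized_loss(asset: Asset, aro: Optional[float] = None) -> float:
    """ALE = SLE x ARO, where SLE = asset value x exposure factor."""
    sle = asset.value * asset.exposure_factor
    return sle * (asset.aro if aro is None else aro)


def choose_treatment(asset: Asset, opt: Options) -> Tuple[str, Dict[str, float]]:
    """Expected annual cost of each treatment; the cheapest one is recommended."""
    costs = {
        # pay for the control and still carry the residual loss
        "reduce": opt.control_cost + annualized_loss(asset, opt.aro_with_control),
        # do nothing and absorb the expected loss
        "accept": annualized_loss(asset),
        # pay a third party to absorb the loss
        "transfer": opt.transfer_premium,
    }
    best = min(costs, key=costs.get)
    return best, costs


# Constructed figures for three assets (illustrative only).
PORTFOLIO = {
    "customer database": (Asset("customer database", 500_000, 0.4, 0.5),
                          Options(control_cost=30_000, aro_with_control=0.05, transfer_premium=60_000)),
    "lobby kiosk":       (Asset("lobby kiosk", 2_000, 1.0, 1.0),
                          Options(control_cost=5_000, aro_with_control=0.1, transfer_premium=3_000)),
    "warehouse servers": (Asset("warehouse servers", 300_000, 0.8, 0.05),
                          Options(control_cost=40_000, aro_with_control=0.01, transfer_premium=8_000)),
}


def plan_portfolio(portfolio=PORTFOLIO) -> Dict[str, str]:
    """Recommended treatment per asset: reduce, accept or transfer."""
    return {name: choose_treatment(a, o)[0] for name, (a, o) in portfolio.items()}
```

With these numbers the database is worth protecting (40,000 a year with the control against 100,000 expected loss), the kiosk is not (a 5,000 control for a 2,000 loss), and the low-frequency flood risk to the warehouse is cheapest to insure.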

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are


6-20

Biometrics

• Form of authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.
• Fast authentication
• High security

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities


6-22
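As an added example (not code from the textbook or any product it names), the three access-control conditions listed above combined into one default-deny check: a user may touch only the files the job requires, only with the operations granted to the role (read-only for most), and only during the allowed time period. The roles, users, file paths and hours are constructed for the illustration.

```python
from datetime import datetime, time
from typing import Dict, Tuple

# Constructed policy (assumed, not from any real product): for each role, the
# files the job requires, the operations permitted, and the hours access is allowed.
ROLE_POLICY: Dict[str, dict] = {
    "payroll_clerk":   {"files": {"/hr/payroll.xls"},
                        "ops": {"read"},                        # read-only access
                        "hours": (time(8, 0), time(18, 0))},    # business hours only
    "payroll_manager": {"files": {"/hr/payroll.xls", "/hr/policies.doc"},
                        "ops": {"read", "write"},
                        "hours": (time(7, 0), time(20, 0))},
    "auditor":         {"files": {"/hr/payroll.xls", "/logs/audit.log"},
                        "ops": {"read"},
                        "hours": (time(0, 0), time(23, 59, 59))},
}

USER_ROLES: Dict[str, str] = {"alice": "payroll_clerk", "bob": "payroll_manager", "carol": "auditor"}


def check_access(user: str, path: str, op: str, when: datetime) -> Tuple[bool, str]:
    """Default deny: every condition must pass, otherwise the request is refused
    with the reason, which is also what the audit trail should record."""
    role = USER_ROLES.get(user)
    if role is None:
        return False, "unknown user"
    policy = ROLE_POLICY[role]
    if path not in policy["files"]:
        return False, f"{path} is not required for role {role}"
    if op not in policy["ops"]:
        return False, f"{op} not permitted for role {role}; allowed: {sorted(policy['ops'])}"
    start, end = policy["hours"]
    if not (start <= when.time() <= end):
        return False, f"access not allowed at {when.time().strftime('%H:%M')} for role {role}"
    return True, "allowed"
```

Note that the clerk in this policy can read payroll but never write it, which is exactly the control that stops the "employee gives himself a raise" modification from the earlier slide.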

Wireless LAN Control

• Wireless LAN cheap and easy to install
• Use on the rise
• Signal transmitted through the air
o Susceptible to being intercepted
o Drive-by hacking

6-23

Virtual Private Networks

• Connection constructed dynamically within an existing network
• Secure tunnel
o Encrypted information

6-24

Firewalls

• System designed to detect intrusion and prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for certain applications
o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all messages; Network Address Translation

6-25

Firewall Architecture
a) Basic software firewall for a home network
b) Firewall router
• Home office
• Small office

6-26

Firewall Architecture
Larger Organization


6-27

Encryption
• Message encoded before sending
• Message decoded when received
• Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret


6-29

How Encryption Works (Asymmetric)


6-30
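As an added example for the three encryption slides above (not code from the textbook), a textbook RSA key pair with deliberately tiny primes shows the asymmetric process end to end: the public key is handed out and encrypts, the private key stays secret and decrypts, and signing a message digest with the private key gives the nonrepudiation the "Encryption" slide lists, because only the holder of the private key could have produced it. A keyed hash with one shared key is included as the symmetric contrast: it proves integrity but cannot tell sender from recipient, which is the management problem the slide notes. The primes, key values, message and shared key are constructed; RSA at this size, without padding, is for illustration only.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed toy parameters (tiny primes so the arithmetic is visible; real keys
# are thousands of bits and use padding). Public key (e, n), private key (d, n).
P, Q, E = 61, 53, 17


def make_keypair(p: int = P, q: int = Q, e: int = E) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # d is the modular inverse of e: e*d = 1 (mod phi)
    return (e, n), (d, n)


def rsa_encrypt(plaintext: bytes, public_key: Tuple[int, int]) -> List[int]:
    """Anyone with the public key can encrypt (one byte per block in this toy)."""
    e, n = public_key
    return [pow(b, e, n) for b in plaintext]


def rsa_decrypt(ciphertext: List[int], private_key: Tuple[int, int]) -> bytes:
    """Only the private-key holder can decrypt."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(message: bytes, private_key: Tuple[int, int]) -> int:
    """Digital signature: the digest is transformed with the PRIVATE key."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def rsa_verify(message: bytes, signature: int, public_key: Tuple[int, int]) -> bool:
    """Anyone can check the signature with the PUBLIC key."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def symmetric_tag(message: bytes, shared_key: bytes) -> str:
    """Symmetric alternative: integrity via HMAC with a key both sides share."""
    return hmac.new(shared_key, message, "sha256").hexdigest()


def symmetric_verify(message: bytes, tag: str, shared_key: bytes) -> bool:
    return hmac.compare_digest(symmetric_tag(message, shared_key), tag)
```

The symmetric tag verifies just as well, but since the recipient holds the same key, the recipient could have forged it; a third party cannot tell who made it, so it offers no nonrepudiation.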

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method


6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology
• Limited use by organizations
• 1991 – Pretty good privacy
o Versatile encryption program
o Global favorite
• 1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs


6-33

Recommended Virus Precautions

• Purchase and install antivirus software
o Update frequently
• Do not download data from unknown sources
o Flash drives, disks, Web sites
• Delete (without opening) e-mail from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail
o Record of users
o Record of activities
• IT department needs to monitor this activity

6-35
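As an added example (not from the textbook), the "spots suspicious action" part of audit control software run over a constructed audit trail: the log lines are parsed into events, and two simple rules raise alerts, one for a burst of failed logins on one account and one for records being modified outside business hours. The log format, user names, addresses and thresholds are all assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed audit-trail lines (not real logs): who did what, when, with what result.
SAMPLE_AUDIT_TRAIL = """\
2006-03-14T09:02:11 user=alice action=login result=success src=10.1.1.5
2006-03-14T09:05:40 user=alice action=read file=/hr/policies.doc
2006-03-14T22:41:02 user=bob action=login result=fail src=203.0.113.9
2006-03-14T22:41:15 user=bob action=login result=fail src=203.0.113.9
2006-03-14T22:41:29 user=bob action=login result=fail src=203.0.113.9
2006-03-14T22:41:44 user=bob action=login result=success src=203.0.113.9
2006-03-14T22:43:10 user=bob action=modify file=/hr/payroll.xls
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_audit_trail(text: str) -> List[Dict[str, object]]:
    """Turn each 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip blank or malformed lines
        event: Dict[str, object] = dict(KV_RE.findall(m["fields"]))
        event["ts"] = datetime.fromisoformat(m["ts"])
        events.append(event)
    return events


def find_suspicious(events: List[Dict[str, object]], fail_threshold: int = 3,
                    window: timedelta = timedelta(minutes=5),
                    business_hours=(8, 18)) -> List[str]:
    """Rule 1: fail_threshold failed logins on one account within the window.
    Rule 2: a 'modify' action outside business hours (start inclusive, end exclusive)."""
    alerts: List[str] = []
    recent_fails: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        user, ts = ev.get("user", "?"), ev["ts"]
        if ev.get("action") == "login" and ev.get("result") == "fail":
            # keep only failures still inside the sliding window, then add this one
            fails = [t for t in recent_fails[user] if ts - t <= window] + [ts]
            if len(fails) >= fail_threshold:
                alerts.append(f"{user}: {len(fails)} failed logins within {window} from {ev.get('src')}")
                fails = []                # one alert per burst
            recent_fails[user] = fails
        elif ev.get("action") == "modify" and not (business_hours[0] <= ts.hour < business_hours[1]):
            alerts.append(f"{user}: modified {ev.get('file')} outside business hours at {ts.isoformat()}")
    return alerts
```

Neither rule proves misuse on its own; the point of the audit trail is that the IT department has the record of users and activities to follow up, here a late-night payroll change right after a run of failed logins from an outside address.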

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges


6-36

Human Safeguards

• Use of federal and state laws as well as ethics


6-37

Learning Objectives


6-38

Managing Information Systems
Security

• Non-technical safeguards
o Management of people’s use of IS
• Acceptable use policies
o Trustworthy employees
o Well-treated employees

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding new users
f. Incident handling procedures – handling security breach
g. Disaster recovery plan – restoration of computer operations

6-41

Security Plan: Remaining Steps
3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department
4. Training – organization’s personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT)
o Started after Morris worm disabled 10% of all computers connected to the Internet
• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT planning, implementation, management and operation

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement
• Fear of falling stock prices
o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important
• Majority said they do not do enough training

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)


6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking

• 60 - 80 % of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
o Driving around densely populated areas
• “War spamming”
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
o FakeAP
• Network scanners distinguish between real and fake APs
o Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)


6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic

6-51


Slide 32

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 33

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded (encrypted) by the sender so that only a holder of the right key can decode it
• Message decoded (decrypted) when received
• Cryptography allows for
o Authentication – proving one's identity
o Privacy/confidentiality – only intended recipient can read a message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature, so the sender cannot later deny having sent the message
o Note: encryption by itself gives confidentiality; authentication, integrity and nonrepudiation come from digital signatures and message authentication codes built on the same keys

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system
• Sender and recipient use the same key
• Cons: key management problems – the key must be delivered secretly to every partner, and every pair of parties needs its own key
o Public key technology
• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed; others use it to encrypt messages to the owner and to verify the owner's signatures
o Private key – kept secret; the owner uses it to decrypt and to sign

How Encryption Works (Asymmetric)

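The asymmetric scheme sketched on the Encryption and Encryption Process slides and in this figure, carried through in working code (it is also the RSA of 1977 listed on the next slide). This is an added example, not material from the textbook: textbook RSA with the toy primes 61 and 53 so the numbers can be checked by hand, two larger toy primes for the signature demo, and no padding, so it illustrates how the key pair gives confidentiality, integrity and nonrepudiation rather than protecting anything real.

```python
"""Textbook RSA with small numbers: public-key encryption and digital signature.

Added example for the encryption slides, not code from the textbook. It uses
the classic toy primes p=61, q=53 so every value can be checked by hand. Real
systems use 2048-bit or larger keys, random padding and a vetted library;
this unpadded version is for understanding the key pair, not for protecting
anything.
"""
from hashlib import sha256
from math import gcd


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return ((e, n), (d, n)) from two distinct primes p and q.

    n = p*q is public; d is the inverse of e modulo (p-1)(q-1) and is the
    private key. Only someone who knows p and q can compute d.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(m: int, public_key) -> int:
    """Anyone with the public key can encrypt: c = m^e mod n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """Only the private-key holder can decrypt: m = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message and reduce it below n so it can be signed as a number."""
    return int.from_bytes(sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Signing applies the private key to the message hash (nonrepudiation)."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone can verify with the public key; any change to the message fails (integrity)."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    public, private = generate_keypair(61, 53, e=17)   # n = 3233, d = 2753
    c = encrypt(65, public)
    print("ciphertext of 65:", c, "-> decrypts to", decrypt(c, private))

    # Signature demo with larger (still toy) Mersenne primes so the hash is
    # not squeezed into a tiny range where forgeries become likely.
    public2, private2 = generate_keypair(2**31 - 1, 2**61 - 1)
    order = b"pay alice $100"
    sig = sign(order, private2)
    print("valid signature verifies:", verify(order, sig, public2))
    print("tampered message verifies:", verify(b"pay alice $900", sig, public2))
```

With the small key, 65 encrypts to 2790 and 2790 decrypts back to 65; anyone can run encrypt with (17, 3233), but only the holder of d = 2753 can reverse it. The signature half uses the same pair the other way round, which is why one key pair can serve both confidentiality and nonrepudiation.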

Encryption for Websites

• Certificate Authority
o Third party – trusted middleman
• Vouches for the identity behind a Web site by signing its certificate; it does not vouch for the site's honesty or security
• Checks the identity of the party requesting the certificate
• Binds public keys to names, so a browser can check a site's key against the CA's signature
• Secure Sockets Layer (SSL)
o Developed by Netscape
o Protocol that uses public-key encryption to authenticate the server and agree on a session key, then symmetric encryption for the data itself
o Superseded by Transport Layer Security (TLS); the SSL versions themselves are obsolete and should be disabled

Other Encryption Approaches
• 1976 – Public/private key (Diffie and Hellman)
• 1977 – RSA (Rivest, Shamir and Adleman)
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting strong encryption technology
• Limited use by organizations
• 1991 – Pretty Good Privacy (PGP)
o Versatile encryption program
o Global favorite
• 1993 – Clipper chip
o Encryption chip whose keys were to be held in escrow by the U.S. government so that law enforcement could decrypt traffic; "uncrackable" never applied against the key holder
o Scrapped before it became reality

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs


Recommended Virus Precautions

• Purchase and install antivirus software
o Update frequently
• Do not download data from unknown sources
o Flash drives, disks, Web sites
• Delete (without opening) e-mail from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail
o Record of users
o Record of activities
• IT department needs to monitor this activity: a log nobody reads detects nothing, and the log itself must be protected from the people it records
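What "spots suspicious action" looks like when run over an audit trail. This is an added example, not code from the textbook: the log format, the eight sample lines and the two rules (a burst of failed logins by one user, and successful activity outside working hours) are all constructed for illustration.

```python
"""Scan an audit trail for two kinds of suspicious action.

Added example for the audit-control slide, not code from the textbook. The log
lines and the two rules are constructed for illustration: (1) repeated failed
logins by one user inside a short window, and (2) successful activity outside
working hours. Real audit software runs rules like these continuously and
keeps the log itself write-once so an intruder cannot edit their own trail.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample audit trail: timestamp, user, action, optional file, result, source.
SAMPLE_LOG = """\
2024-03-04T09:02:11 user=alice action=login result=ok src=10.0.0.5
2024-03-04T09:05:40 user=alice action=read file=/finance/budget.xlsx result=ok src=10.0.0.5
2024-03-04T22:41:03 user=bob action=login result=fail src=203.0.113.7
2024-03-04T22:41:15 user=bob action=login result=fail src=203.0.113.7
2024-03-04T22:41:29 user=bob action=login result=fail src=203.0.113.7
2024-03-04T22:41:44 user=bob action=login result=ok src=203.0.113.7
2024-03-04T22:43:10 user=bob action=write file=/hr/salaries.xlsx result=ok src=203.0.113.7
2024-03-05T10:15:00 user=carol action=login result=fail src=10.0.0.8
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: file=(?P<file>\S+))? result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(line: str):
    """Turn one log line into a dict, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def analyze(lines, fail_threshold=3, window=timedelta(minutes=5),
            work_start=time(8, 0), work_end=time(18, 0)):
    """Return a list of (alert_kind, user, timestamp) tuples in log order."""
    alerts = []
    recent_failures = defaultdict(deque)    # user -> timestamps of recent failed logins
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["action"] == "login" and ev["result"] == "fail":
            q = recent_failures[ev["user"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append(("repeated_login_failure", ev["user"], ev["ts"]))
                q.clear()                            # report each burst once
        if ev["result"] == "ok" and not (work_start <= ev["ts"].time() < work_end):
            alerts.append(("after_hours_activity", ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:24s} user={user}")
```

On the sample trail the two rules together tell a story a single line never would: three failures, a success on the fourth try, then a write to a salary file at 22:43 from an outside address. The one failed login by carol stays below the threshold and raises nothing.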

Other Technological Safeguards

• Backups
o Secondary storage devices
o Regular intervals
o Keep at least one copy offline or off-site and test restores; a backup that is writable from the compromised system can be destroyed along with the original
• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording
• Uninterruptible power supply (UPS)
o Battery power that keeps systems running through an outage long enough to shut down cleanly; most units also filter power surges

Human Safeguards

• Use of federal and state laws as well as ethics


Learning Objectives


Managing Information Systems Security

• Non-technical safeguards
o Management of people's use of IS
• Acceptable use policies
o Trustworthy employees
o Well-treated employees

Developing an Information Systems Security Plan

Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

Security Plan: Step 2
2. Policies and procedures – rules for everyday use of the systems and the actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding new users (and for removing access when people leave or change roles)
f. Incident handling procedures – handling a security breach
g. Disaster recovery plan – restoration of computer operations

Security Plan: Remaining Steps
3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department
4. Training – organization's personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT)
o Started after the Morris worm disabled about 10% of all computers connected to the Internet
• Computer Security Division (CSD) of the U.S. National Institute of Standards and Technology (NIST)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT planning, implementation, management and operation

The State of Systems Security Management

• Financial losses from cybercrime are decreasing (CSI/FBI survey respondents, 2006)
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement, largely out of fear of falling stock prices
o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important
• Majority said they do not do enough training

Use of Security Technologies

• CSI/FBI computer crime and security survey respondents (2006) – chart of technologies in use, not reproduced in this transcript

End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60 - 80 % of corporate wireless networks do not use security
• "War driving" – a new hacker tactic
o Driving around densely populated areas looking for open wireless networks
• "War spamming"
o Attackers link to an e-mail server over the open network and send out millions of spam messages
o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
o FakeAP
• Network scanners distinguish between real and fake APs
o Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP
o WEP's encryption was broken in practice; the lasting fix was the replacement standards WPA2 and WPA3, not patches to WEP

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate spyware
• Webroot company data
o 66% of scanned PCs infected with at least 25 spyware programs
o Incidents of spyware slightly decreasing

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies
• Web browsers can be set to refuse cookies, at a cost
o Constant pop-ups asking whether to accept each cookie
o Some sites will not work properly
o Customized information will not be available
• National Security Agency (NSA)

Is Big Brother Watching You

• Employers can use equipment to
o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees (RFID and GPS)
• Companies have rights to collect almost any information about employees while on the job

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines
o 675,000 incidents in 1 year
• Infrastructure information publicly available
• Most of Internet communication goes through cables buried along major highways and railroads
• Only two major routes across US for Internet traffic


Slide 34

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 35

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups
  o Secondary storage devices
  o Regular intervals

• Closed-circuit television (CCTV)
  o Monitoring for physical intruders
  o Video cameras display and record all activity
  o Digital video recording

• Uninterruptible power supply (UPS)
  o Protection against power surges

Human Safeguards

• Use of federal and state laws as well as ethics

Learning Objectives

Managing Information Systems Security

• Non-technical safeguards
  o Management of people’s use of IS

• Acceptable use policies
  o Trustworthy employees
  o Well-treated employees

Developing an Information Systems Security Plan

Ongoing five-step process

1. Risk analysis
   a. Determine value of electronic information
   b. Assess threats to confidentiality, integrity and availability of information
   c. Identify most vulnerable computer operations
   d. Assess current security policies
   e. Recommend changes to existing practices to improve computer security

Security Plan: Step 2

2. Policies and procedures – actions to be taken if security is breached
   a. Information policy – handling of sensitive information
   b. Security policy – technical controls on organizational computers
   c. Use policy – appropriate use of in-house IS
   d. Backup policy
   e. Account management policy – procedures for adding new users
   f. Incident handling procedures – handling a security breach
   g. Disaster recovery plan – restoration of computer operations

Security Plan: Remaining Steps

3. Implementation
   a. Implementation of network security hardware and software
   b. Dissemination of IDs and smart cards
   c. Responsibilities of the IS department
4. Training – organization’s personnel
5. Auditing
   a. Assessment of policy adherence
   b. Penetration tests

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT)
  o Started after the Morris worm disabled 10% of all computers connected to the Internet

• Computer Security Division (CSD)
  o Raising awareness of IT risks
  o Research and advising about IT vulnerabilities
  o Development of standards
  o Development of guidelines to increase secure IT planning, implementation, management and operation

The State of Systems Security Management

• Financial losses from cybercrime are decreasing
  o Computer virus attacks result in the greatest financial losses
  o Only about 25% of organizations use cyberinsurance
  o Only about 20% of organizations report intrusions to law enforcement
    • Fear of falling stock prices

• Most organizations do not outsource security activities
• 90% of organizations conduct routine security audits
• Most organizations agree security training is important
  o The majority said they do not do enough training

Use of Security Technologies

• CSI/FBI computer crime and security survey respondents (2006)

End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60–80% of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
  o Driving around densely populated areas
• “War spamming”
  o Attackers link to an e-mail server and send out millions of spam messages
  o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
  o FakeAP
• Network scanners distinguish between real and fake APs
  o Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP

Spyware Lurks on Most PCs

• Webroot
  o Producer of software to scan for and eliminate spyware

• Webroot company data
  o 66% of scanned PCs infected with at least 25 spyware programs
  o Incidents of spyware slightly decreasing

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
  o Footprints that marketers can trace
  o Sometimes sold to other companies

• Web browsers can protect against accepting cookies
  o Constant pop-ups
  o Some sites will not work properly
  o Customized information will not be available

• National Security Agency (NSA)

Is Big Brother Watching You?

• Employers can use equipment to
  o Read your e-mail
  o Monitor Web-surfing behavior
  o Collect keystrokes
  o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost any information about employees while on the job

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
  o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines

• 675,000 incidents in 1 year
  o Infrastructure information publicly available
  o Most Internet communication goes through cables buried along major highways and railroads

• Only two major routes across the US for Internet traffic


Slide 36

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 37

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security Management

• Financial losses from cybercrime are decreasing (self-reported survey figures; see the CSI/FBI survey on the next slide)
  o Computer virus attacks result in the greatest financial losses
  o Only about 25% of organizations use cyberinsurance
  o Only about 20% of organizations report intrusions to law enforcement, mainly out of fear of falling stock prices
• Most organizations do not outsource security activities
• 90% of organizations conduct routine security audits
• Most organizations agree that security training is important, yet the majority say they do not do enough of it

Use of Security Technologies

• Chart of the security technologies in use, as reported by respondents to the CSI/FBI Computer Crime and Security Survey (2006); the chart itself is not reproduced in this transcript


End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60 - 80 % of corporate wireless networks do not use any security (not even WEP encryption)
• "War driving" – a new hacker tactic
  o Driving around densely populated areas with a laptop and wireless card, looking for access points that can be joined
• "War spamming"
  o Attackers connect through an open wireless network to the company's e-mail server and send out millions of spam messages
  o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
  o FakeAP – generates thousands of counterfeit access-point beacons so that the real one is hidden among them
• Network scanners distinguish between real and fake APs
  o Netstumbler
• Fast Packet Keying – to fix the shortcomings of WEP, whose per-frame RC4 key is just a 24-bit IV sent in the clear plus the shared secret; WEP is now considered broken, and current practice is WPA2 or WPA3
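The WEP shortcoming that Fast Packet Keying set out to fix, as an added example (it is not part of the case or the textbook): WEP builds each frame's RC4 key from a 24-bit IV sent in the clear plus the shared secret, so any two frames that carry the same IV are encrypted with the same keystream. The key, IV and frame contents are constructed, and WEP's CRC-32 integrity check is left out because it plays no part in the key-reuse problem shown.

```python
"""Why WEP needed per-packet keying: constructed demonstration, not from
the textbook. Assumes 64-bit WEP (24-bit IV + 40-bit shared key) and the
RC4 cipher WEP uses; the CRC-32 integrity check value is omitted.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP runs it with key = IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP: the 3-byte IV is prepended to the RC4 key and sent in the clear."""
    assert len(iv) == 3 and len(shared_key) == 5
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def leak_from_iv_reuse(c1: bytes, c2: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so c1 ^ c2 == p1 ^ p2:
    an attacker who knows or can guess one plaintext reads the other."""
    return xor(c1, c2)


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known plaintext (e.g. a predictable ARP or DHCP frame) yields the
    keystream for that IV, which then decrypts every other frame using it."""
    return xor(known_plaintext, ciphertext)


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: with random IVs a repeat is expected after roughly
    sqrt(pi/2 * 2^iv_bits) frames, a few thousand for WEP's 24-bit IV, i.e.
    minutes on a busy LAN. Cards that restart the IV at 0 on power-up repeat
    even sooner. Per-packet key mixing plus a longer IV (the Fast Packet
    Keying idea, carried into TKIP) is what removes this flaw."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# Constructed frames: no real key or captured traffic.
SHARED_KEY = b"\x01\x23\x45\x67\x89"
IV = b"\x00\x00\x2a"
P1 = b"ARP request, who-has 10.0.0.1?  "   # the frame the attacker can guess
P2 = b"POST /login user=bob&pw=hunter2 "   # the frame the attacker wants


def demo():
    c1 = wep_encrypt(SHARED_KEY, IV, P1)
    c2 = wep_encrypt(SHARED_KEY, IV, P2)          # same IV reused
    leaked_xor = leak_from_iv_reuse(c1, c2)       # equals P1 ^ P2
    keystream = recover_keystream(P1, c1)         # attacker knows P1
    return {"p1_xor_p2": leaked_xor, "p2_recovered": xor(keystream, c2)}


if __name__ == "__main__":
    print(demo()["p2_recovered"])
    print(round(expected_frames_until_iv_repeat()))
```

The point is not RC4 itself but key management: the 24-bit IV is far too small, so keystream reuse is guaranteed within a few thousand frames, and a single known plaintext under a reused IV exposes every other frame sent with it.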

Spyware Lurks on Most PCs

• Webroot
  o Producer of software that scans for and removes spyware
• Webroot company data (2005)
  o 66% of scanned PCs were infected with at least 25 spyware programs
  o Incidence of spyware slightly decreasing
  o Note that this is a vendor's own figure, gathered from PCs whose owners chose to run its scanner, so it is not a random sample of all PCs

To Cookie or Not to Cookie

• Cookies are collected by companies to gather data about customers
  o Footprints that marketers can trace
  o Sometimes sold to other companies
• Web browsers can be set to refuse cookies, at a cost
  o Constant pop-up prompts
  o Some sites will not work properly
  o Customized content will not be available
• National Security Agency (NSA) – in 2005 its public website was found to be setting persistent cookies with expiry dates decades away, contrary to U.S. federal policy for government sites; the agency said this was a mistake after a software upgrade and removed them
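An added example, not part of the case: auditing the cookies set during one page load for the two things the case warns about, cookies set by a company other than the site being visited (the marketer's traceable footprints) and cookies that persist for years (the NSA's case). The hosts, headers, the one-year limit and the two-label domain rule are all assumptions.

```python
"""Cookie audit over constructed Set-Cookie headers; added example, not
from the textbook. Assumptions: a cookie is "third-party" when the host
that set it is not under the page's registrable domain (approximated as
the last two labels, which is naive: browsers use the public suffix list),
and anything living longer than MAX_DAYS is flagged as a tracking cookie.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from typing import Optional

MAX_DAYS = 365   # assumed policy limit for persistent cookies


def registrable_domain(host: str) -> str:
    """Naive: last two DNS labels (see module docstring)."""
    return ".".join(host.lower().split(".")[-2:])


def cookie_lifetime(morsel, now: datetime) -> Optional[timedelta]:
    """None for a session cookie; Max-Age wins over Expires (RFC 6265)."""
    if morsel["max-age"]:
        return timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) - now
    return None


def classify(page_host: str, response_host: str, header: str, now: datetime):
    """Parse one Set-Cookie header and describe each cookie it sets."""
    jar = SimpleCookie()
    jar.load(header)
    same_site = registrable_domain(response_host) == registrable_domain(page_host)
    records = []
    for name, morsel in jar.items():
        life = cookie_lifetime(morsel, now)
        flags = []
        if not same_site:
            flags.append("set by another company: traceable across sites")
        if life is not None and life.days > MAX_DAYS:
            flags.append(f"persistent for {life.days} days")
        records.append({
            "host": response_host,
            "name": name,
            "party": "first-party" if same_site else "third-party",
            "lifetime_days": None if life is None else life.days,
            "flags": flags,
        })
    return records


def audit(page_host, responses, now):
    """responses: (responding host, Set-Cookie header) pairs seen during a page load."""
    out = []
    for host, header in responses:
        out.extend(classify(page_host, host, header, now))
    return out


# Constructed traffic for one page load (hosts and values made up).
PAGE = "www.shop.example"
NOW = datetime(2006, 1, 1, tzinfo=timezone.utc)
RESPONSES = [
    ("www.shop.example", "session=abc123; Path=/; HttpOnly"),
    ("www.shop.example", "prefs=dark; Max-Age=2592000; Path=/"),
    ("ads.tracker.example",
     "uid=7f3a; Expires=Mon, 01 Jan 2035 00:00:00 GMT; Domain=.tracker.example; Path=/"),
]


def run_audit():
    return audit(PAGE, RESPONSES, NOW)


if __name__ == "__main__":
    for rec in run_audit():
        print(rec)
```

The session cookie and the 30-day preference cookie pass; the advertiser's cookie is flagged twice, once for coming from another company and once for its 29-year lifetime, which is the pattern a browser's "block third-party cookies" setting removes without breaking the site's own login.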


Is Big Brother Watching You?

• Employers can use equipment to
  o Read your e-mail
  o Monitor Web-surfing behavior
  o Collect keystrokes
  o Follow the movement of employees (RFID and GPS)
• Companies have the right to collect almost any information about employees while they are on the job

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable to physical damage
  o Excavation accidents damage telephone lines, fiber-optic cables, water lines and gas pipelines
  o 675,000 such incidents in one year
• Infrastructure information is publicly available
• Most Internet communication goes through cables buried along major highways and railroads
• Only two major routes carry Internet traffic across the US


Slide 39

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable to physical damage
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines
o 675,000 incidents in 1 year

• Infrastructure information is publicly available
• Most Internet communication goes through cables buried along major highways and railroads
• Only two major routes across the US for Internet traffic
6-51


Slide 40

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 41

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 42

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a computer
• Worms
o Variation of a virus that spreads by itself over the network, without needing a host file or user action
o Replicate endlessly across the Internet
o Servers crash under the load
o MyDoom attack on Microsoft's Web site

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization

6-11

Spam

• Electronic junk mail
• Advertisements of products and services
• Eats up storage space
• Compromises network bandwidth
• Spim
o Spam over IM

6-12

Protection Against Spam

• Barracuda Spam Firewall 600
o Filters spam and other email threats
o Decreases amount of spam processed by the central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantined

6-13

Phishing

• Attempts to trick users into giving away credit card numbers
• Phony messages
• Duplicates of legitimate Web sites
o E.g., eBay, PayPal have been used

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software
3. Use of default network passwords
4. Letting outsiders view monitors

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to some files
6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful

6-17

Learning Objectives


6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis – process of assessing the value of protected assets
o Cost of loss vs. cost of protection decides which safeguards are worth paying for
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party (e.g., cyberinsurance)

6-19

Technological Safeguards

• Physical access restrictions
o Authentication
• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination of the above
• Authentication factors
o Something you have
o Something you know
o Something you are

6-20

Biometrics

• Form of authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.
• Fast authentication
• High security
o Caveat: unlike a password, a biometric cannot be changed or reissued if the stored template leaks, so it is best combined with another factor

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities


6-22
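The three restrictions on the Access-Control Software slide (only the files needed for the job, read-only where writing is not required, access only during certain hours), as an added example that is not part of the slides or the textbook. It also covers the "employee gives himself a raise" case from the Information Modification slide: an analyst cannot write to payroll at all. The roles, paths, users and office hours are made-up sample data; the `normalize` step closes the usual hole in prefix-based file checks, where `..` segments or a sibling directory name (`/payroll-archive`) would otherwise match.

```python
"""Added example (not from the textbook slides): a default-deny file access
check with least-privilege paths, read-only rules and time windows.
Roles, paths, users and hours are hypothetical sample data."""
import posixpath
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet


@dataclass(frozen=True)
class Rule:
    role: str
    path_prefix: str            # directory (or single file) the rule covers
    actions: FrozenSet[str]     # frozenset({"read"}) gives read-only access
    start: time                 # allowed window start (inclusive)
    end: time                   # allowed window end (exclusive)
    weekdays: FrozenSet[int] = frozenset(range(5))   # Mon-Fri by default


OFFICE = (time(8, 0), time(18, 0))

# Hypothetical policy: analysts read finance reports in office hours, HR edits
# payroll in office hours, the backup service reads everything at night.
POLICY = (
    Rule("analyst", "/finance/reports", frozenset({"read"}), *OFFICE),
    Rule("hr", "/payroll", frozenset({"read", "write"}), *OFFICE),
    Rule("backup", "/", frozenset({"read"}), time(0, 0), time(5, 0), frozenset(range(7))),
)
USER_ROLES = {"bob": {"analyst"}, "dana": {"hr"}, "svc-backup": {"backup"}}


def normalize(path: str) -> str:
    """Collapse '..' and '.' so '/finance/../payroll/x' cannot slip past a
    prefix check; the result is always a single absolute path."""
    return posixpath.normpath("/" + path.lstrip("/"))


def under(path: str, prefix: str) -> bool:
    """True if path is the prefix itself or lies inside that directory
    ('/payroll' must not match '/payroll-archive/...')."""
    prefix = normalize(prefix)
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def is_allowed(user: str, action: str, path: str, when: datetime) -> bool:
    """Default deny: access is granted only if some rule for one of the user's
    roles explicitly permits this action, on this path, at this moment."""
    path = normalize(path)
    for role in USER_ROLES.get(user, ()):
        for rule in POLICY:
            if (rule.role == role
                    and action in rule.actions
                    and under(path, rule.path_prefix)
                    and when.weekday() in rule.weekdays
                    and rule.start <= when.time() < rule.end):
                return True
    return False


if __name__ == "__main__":
    monday_10am = datetime(2024, 1, 8, 10, 0)
    print("bob reads report:", is_allowed("bob", "read", "/finance/reports/q1.xlsx", monday_10am))
    print("bob writes own salary:", is_allowed("bob", "write", "/payroll/salaries.csv", monday_10am))
    print("dana writes salary:", is_allowed("dana", "write", "/payroll/salaries.csv", monday_10am))
```

Business applications with built-in access control (the slide's last bullet) implement the same idea inside the application, where "path" becomes a record or a transaction type; the default-deny shape and the separate check for write versus read carry over unchanged.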

Wireless LAN Control

• Wireless LAN cheap and easy to install
• Use on the rise
• Signal transmitted through the air
o Susceptible to being intercepted
o Drive-by hacking

6-23

Virtual Private Networks

• Connection constructed dynamically within an existing network
• Secure tunnel
o Encrypted information

6-24

Firewalls

• System that controls traffic between networks to prevent unauthorized access (detecting intrusions that get through is the job of a separate intrusion detection system)
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined against rules on addresses, ports and protocol
o Application-level control – security measures only for certain applications
o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all messages; Network Address Translation hides the internal addresses

6-25
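The "packet filter – each packet examined" approach from the slide, as an added example that is not part of the slides or the textbook. Rules are evaluated top to bottom and the first match decides, so the order matters: an anti-spoofing deny must come before the allow rules, and a catch-all deny closes the list. The addresses, the web server and the rule set are made up for the example.

```python
"""Added example (not from the textbook slides): a stateless packet filter
with first-match rule evaluation and a default deny.
Addresses, the web server and the rule set are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0   # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR block the source must fall in
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


WEB_SERVER = "203.0.113.10/32"
INTERNAL = "10.0.0.0/8"

# Hypothetical rules for traffic arriving on the Internet-facing interface.
INBOUND_RULES = (
    Rule("deny", src=INTERNAL),                       # anti-spoofing: internal addresses never arrive from outside
    Rule("allow", "tcp", dst=WEB_SERVER, dport=443),  # HTTPS to the public web server
    Rule("allow", "tcp", dst=WEB_SERVER, dport=80),   # HTTP to the public web server
    Rule("deny"),                                     # everything else: default deny
)


def filter_packet(p: Packet, rules: Sequence[Rule] = INBOUND_RULES) -> str:
    """Return the action of the first rule that matches the packet."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"   # reached only if the rule set has no catch-all


def audit(packets, rules: Sequence[Rule] = INBOUND_RULES):
    """Decision for every packet, for log review."""
    return [(p, filter_packet(p, rules)) for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("tcp", "198.51.100.5", "203.0.113.10", 443),   # normal HTTPS visitor
        Packet("tcp", "198.51.100.5", "203.0.113.10", 23),    # telnet probe
        Packet("tcp", "10.1.2.3", "203.0.113.10", 443),       # spoofed internal source
        Packet("icmp", "198.51.100.5", "203.0.113.10"),       # ping
    ]
    for packet, decision in audit(sample):
        print(decision, packet)
```

A stateless filter like this cannot tell a reply packet from an unsolicited one; production firewalls track connection state so that return traffic for outbound connections is admitted without a blanket allow rule.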

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office


6-26

Firewall Architecture
Larger Organization


6-27

Encryption
• Message encoded before sending
• Message decoded when received
• Encryption allows for
o Authentication – proving one's identity
o Privacy/confidentiality – only intended recipient can read a message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system
• Sender and recipient use the same key
• Cons: key management problems (the secret key must first be shared over some other secure channel, and one key is needed per pair of correspondents)
o Public key technology
• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

6-29

How Encryption Works (Asymmetric)


6-30

Encryption for Websites

• Certificate Authority
o Third party – trusted middleman
• Verifies the identity of a Web site's operator before issuing a certificate
• Certificate binds the site's public key to that identity; the browser checks the CA's signature on it
• Secure Sockets Layer (SSL)
o Developed by Netscape
o Popular protocol that uses public-key encryption to authenticate the server and agree on a session key, then symmetric encryption for the traffic itself

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology
• Limited use by organizations
• 1991 – Pretty Good Privacy (PGP)
o Versatile encryption program
o Global favorite
• 1993 – Clipper chip
o Government-backed encryption chip whose keys were escrowed so that law enforcement could decrypt traffic
o Scrapped before it became reality

6-32
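The asymmetric process described on the Encryption, Encryption Process and Other Encryption Approaches slides, worked through with the RSA algorithm named on the 1977 line, as an added example that is not part of the slides or the textbook. Bob's public key encrypts a message that only Bob's private key can decrypt (confidentiality); Alice's private key signs a hash of the order, which anyone holding her public key can verify (integrity and nonrepudiation). This is textbook RSA, using fixed and publicly known Mersenne primes in place of secret random primes and no padding, purely to show the mechanics; a real deployment uses large secret primes, OAEP or PSS padding, and a symmetric cipher for the bulk data.

```python
"""Added example (not from the textbook slides): RSA encryption and digital
signature with Python's built-in big integers. Demo only: the primes are
fixed public Mersenne primes and there is no padding, both of which a real
implementation must never do."""
import hashlib

E = 65537  # conventional public exponent

# Stand-ins for secret random primes (demo only): 2^127-1, 2^89-1, 2^107-1, 2^61-1
ALICE_PRIMES = ((1 << 127) - 1, (1 << 89) - 1)
BOB_PRIMES = ((1 << 107) - 1, (1 << 61) - 1)


def make_keypair(p: int, q: int, e: int = E):
    """Return (public_key, private_key), each an (n, exponent) tuple."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Confidentiality: only the matching private key can undo this."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key (demo has no padding or hybrid mode)")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    # Leading zero bytes of the original message are lost here; a real
    # encoding scheme carries the length explicitly.
    return m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")


def _message_digest(message: bytes, n: int) -> int:
    """Sign a hash of the message, not the message. Truncated to 160 bits so
    the value is below n for the demo keys (real schemes use PKCS#1 or PSS)."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest[:20], "big") % n


def sign(private_key, message: bytes) -> int:
    """Nonrepudiation: only the private key holder can produce this value."""
    n, d = private_key
    return pow(_message_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Integrity: any change to the message changes the digest and fails."""
    n, e = public_key
    return pow(signature, e, n) == _message_digest(message, n)


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(*ALICE_PRIMES)
    bob_pub, bob_priv = make_keypair(*BOB_PRIMES)
    order = b"pay 100 to carol"
    sig = sign(alice_priv, order)          # Alice commits to the order
    c = encrypt(bob_pub, order)            # only Bob can read it in transit
    assert decrypt(bob_priv, c) == order
    print("Bob verifies Alice's signature:", verify(alice_pub, order, sig))
    print("Tampered order verifies:", verify(alice_pub, b"pay 999 to carol", sig))
```

Two properties of the raw algorithm are worth noticing, because they are exactly what padding standards fix: the same plaintext always gives the same ciphertext, and a message longer than the modulus cannot be encrypted at all. Real systems therefore encrypt a random symmetric session key with RSA and the data with the symmetric cipher, which is also how the SSL slide's handshake works.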

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs


6-33

Recommended Virus Precautions

• Purchase and install antivirus software
o Update frequently
• Do not download data from unknown sources
o Flash drives, disks, Web sites
• Delete (without opening) e-mail from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail
o Record of users
o Record of activities
• IT department needs to monitor this activity

6-35

Other Technological Safeguards

• Backups
o Secondary storage devices
o Regular intervals
• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording
• Uninterruptible power supply (UPS)
o Battery keeps systems running through an outage long enough for an orderly shutdown; most units also filter power surges

6-36

Human Safeguards

• Use of federal and state laws as well as ethics


6-37

Learning Objectives


6-38

Managing Information Systems
Security

• Non-technical safeguards
o Management of people's use of IS
• Acceptable use policies
o Trustworthy employees
o Well-treated employees

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

6-40

Security Plan: Step 2
2. Policies and procedures – rules for everyday use of the systems and the actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding new users and removing departing ones (see "fired employees who are resentful" above)
f. Incident handling procedures – handling a security breach
g. Disaster recovery plan – restoration of computer operations

6-41

Security Plan: Remaining Steps
3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department
4. Training – organization's personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT)
o Started after the Morris worm disabled about 10% of all computers connected to the Internet
• Computer Security Division (CSD) of NIST
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT planning, implementation, management and operation

6-43

The State of Systems Security
Management

• Financial losses from cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement, mainly for fear of falling stock prices
• Most organizations do not outsource security activities
• 90% of organizations conduct routine security audits
• Most organizations agree security training is important
o Majority said they do not do enough training

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)


6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking

• 60 - 80 % of corporate wireless networks do not use security
• "War driving" – a new hacker tactic
o Driving around densely populated areas
• "War spamming"
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
o FakeAP
• Network scanners distinguish between real and fake APs
o NetStumbler
• Fast Packet Keying – to fix shortcomings of WEP

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)


6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic

6-51


Slide 43



Slide 44

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast authentication
• High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities
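A worked example of the three rules on this slide, added here by the editor and not taken from the slides or the textbook: a small Python policy check in which each grant names the user, the file, whether the grant is read-only, and the hours during which it applies, with every request that no grant covers refused by default. The users, file paths and hours are made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Grant:
    """One access-control entry: who may do what to which file, and when."""
    user: str
    path: str
    actions: frozenset   # {"read"} for a read-only grant, {"read", "write"} otherwise
    start: time          # allowed period: start inclusive, end exclusive
    end: time


# Constructed policy (hypothetical users and files). Anything not listed is
# refused, so each user reaches only the files their work requires.
POLICY = (
    Grant("alice", "/finance/ledger.xlsx", frozenset({"read", "write"}), time(8, 0), time(18, 0)),
    Grant("bob",   "/finance/ledger.xlsx", frozenset({"read"}),          time(8, 0), time(18, 0)),
    Grant("bob",   "/hr/policies.pdf",     frozenset({"read"}),          time(0, 0), time(23, 59)),
)


def check_access(user: str, path: str, action: str, when: datetime, policy=POLICY):
    """Evaluate one request against the policy; returns (allowed, reason)."""
    for g in policy:
        if g.user != user or g.path != path:
            continue                                   # grant is for another user or file
        if action not in g.actions:
            return False, "denied: grant is " + "/".join(sorted(g.actions)) + " only"
        if not (g.start <= when.time() < g.end):
            return False, f"denied: outside allowed hours {g.start:%H:%M}-{g.end:%H:%M}"
        return True, "allowed"
    return False, "denied: no grant for this user and file"   # default deny


if __name__ == "__main__":
    # Constructed requests; the date is arbitrary.
    for req in [("alice", "/finance/ledger.xlsx", "write", datetime(2024, 1, 15, 10, 0)),
                ("bob",   "/finance/ledger.xlsx", "write", datetime(2024, 1, 15, 10, 0)),
                ("bob",   "/finance/ledger.xlsx", "read",  datetime(2024, 1, 15, 20, 0)),
                ("carol", "/finance/ledger.xlsx", "read",  datetime(2024, 1, 15, 10, 0))]:
        print(req[:3], check_access(*req))
```

The reason string matters as much as the boolean: an access-control product that logs why a request was refused feeds directly into the audit trail discussed later in the chapter.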

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap and easy to install
• Use on the rise
• Signal transmitted through the air
o Susceptible to being intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection constructed dynamically within an existing network

• Secure tunnel
o Encrypted information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for certain applications
o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all messages; Network Address Translation
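The packet-filter approach, as an added Python example that is not the textbook's own code: each packet is examined against an ordered rule list, the first matching rule decides, and a final catch-all denies whatever no earlier rule allowed. The addresses, ports and rules are constructed for the example. The filter is stateless, which is what separates it from the circuit-level approach above: it never asks whether a packet belongs to a connection it has already seen.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed ruleset for a small office's Internet-facing filter. First match
# wins; the last rule denies everything no earlier rule allowed (default deny).
RULES = (
    Rule("deny",  src="10.0.0.0/8"),                             # internal addresses must not arrive from outside
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),  # public web server, HTTPS
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),   # public web server, HTTP
    Rule("allow", dst="192.0.2.25/32", proto="tcp", dport=25),   # mail server
    Rule("deny"),                                                # everything else
)


def filter_packet(p: Packet, rules=RULES):
    """Examine one packet; return (action, index of the rule that decided it)."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return "deny", -1   # only reached if the ruleset has no catch-all


def filter_all(packets, rules=RULES):
    return [filter_packet(p, rules)[0] for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic (documentation address ranges, not real hosts).
    sample = [Packet("203.0.113.5", "192.0.2.10", "tcp", 443),
              Packet("203.0.113.5", "192.0.2.10", "tcp", 22),
              Packet("10.1.2.3", "192.0.2.10", "tcp", 443),
              Packet("198.51.100.7", "192.0.2.25", "tcp", 25)]
    for p in sample:
        print(p, "->", filter_packet(p))
```

Reading the decisions back against the rule index is the everyday check a firewall administrator performs: a packet that is allowed by rule 1 rather than by the rule you expected usually means the rules are in the wrong order.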
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software firewall for a home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received
• Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology
• Limited use by organizations

• 1991 – Pretty Good Privacy
o Versatile encryption program
o Global favorite

• 1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus software
o Update frequently

• Do not download data from unknown sources
o Flash drives, disks, Web sites

• Delete (without opening) e-mail from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail
o Record of users
o Record of activities
• IT department needs to monitor this activity
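An added Python example, not from the slides, of what an audit trail gives the IT department to monitor: a handful of constructed audit log lines are parsed into a record of users and their activities, then scanned for two suspicious patterns, repeated failed logins within a short window and successful activity outside working hours. The log format, users, hours and thresholds are invented for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail lines (not real data): timestamp, then key=value fields.
AUDIT_LOG = """\
2024-03-04T09:02:11 user=alice action=login result=ok
2024-03-04T09:05:40 user=alice action=read file=/finance/ledger.xlsx result=ok
2024-03-04T22:41:03 user=bob action=login result=fail
2024-03-04T22:41:19 user=bob action=login result=fail
2024-03-04T22:41:35 user=bob action=login result=fail
2024-03-04T22:42:01 user=bob action=login result=ok
2024-03-04T22:43:10 user=bob action=write file=/finance/ledger.xlsx result=ok
2024-03-05T10:15:00 user=carol action=login result=ok
"""


def parse_line(line: str) -> dict:
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def activity_by_user(records) -> dict:
    """The audit trail's two views: which users were active, and what each did."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r["user"]][r["action"]] += 1
    return {u: dict(c) for u, c in summary.items()}


def find_suspicious(records, max_failures=3, window=timedelta(minutes=5), work_hours=(8, 18)):
    """Return (time, user, description) for each suspicious event, in log order."""
    alerts = []
    recent_failures = defaultdict(list)        # user -> timestamps of recent failed logins
    for r in records:
        if r.get("action") == "login" and r.get("result") == "fail":
            q = recent_failures[r["user"]]
            q.append(r["ts"])
            q[:] = [t for t in q if r["ts"] - t <= window]   # drop failures older than the window
            if len(q) >= max_failures:
                alerts.append((r["ts"], r["user"], f"{len(q)} failed logins within {window}"))
        if r.get("result") == "ok" and not (work_hours[0] <= r["ts"].hour < work_hours[1]):
            alerts.append((r["ts"], r["user"], f"{r['action']} outside working hours"))
    return alerts


if __name__ == "__main__":
    records = parse_log(AUDIT_LOG)
    for user, actions in activity_by_user(records).items():
        print(user, actions)
    for ts, user, what in find_suspicious(records):
        print(ts, user, what)
```

The sliding window keeps the failed-login rule from firing on a single typo while still catching a burst of guesses; the off-hours rule is only useful if the audit trail records successes as well as failures, which is why the slide lists both users and activities.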
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical safeguards
o Management of people’s use of IS

• Acceptable use policies
o Trustworthy employees
o Well-treated employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding new users
f. Incident handling procedures – handling a security breach
g. Disaster recovery plan – restoration of computer operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4. Training – organization’s personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT)
o Started after Morris worm disabled 10% of all computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT planning, implementation, management and operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement

• Fear of falling stock prices
o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





• 60–80% of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
o Driving around densely populated areas

• “War spamming”
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees

• Businesses fight back using bogus access points
o FakeAP

• Network scanners distinguish between real and fake APs
o Netstumbler

• Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate spyware

• Webroot company data
o 66% of scanned PCs infected with at least 25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines

• 675,000 incidents in 1 year
o Infrastructure information publicly available
o Most of Internet communication goes through cables buried along major highways and railroads

• Only two major routes across US for Internet traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 46

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption

• Message encoded before sending
• Message decoded when received
• Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system
  • Sender and recipient use the same key
  • Cons: Management problems
o Public key technology
  • Asymmetric key system
  • Each individual has a pair of keys
    o Public key – freely distributed
    o Private key – kept secret

6-29

How Encryption Works (Asymmetric)


6-30

Encryption for Websites

• Certificate Authority
o Third party – trusted middleman
  • Verifies trustworthiness of a Web site
  • Checks for identity of a computer
  • Provides public keys

• Secure Sockets Layer (SSL)
o Developed by Netscape
o Popular public-key encryption method

6-31
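The asymmetric scheme of the last three slides worked through in code: a key pair per party, the four properties from the Encryption slide, and a certificate authority vouching for a site's public key as on the Encryption for Websites slide. This is an added example, not code from the slides or the textbook; the keys are toy-sized and there is no padding, so it illustrates the mechanics only, and the site names are constructed.

```python
# Toy RSA key pair, encryption, signature and certificate check.
# Added example for this page; not code from the slides or the textbook.
# Tiny keys and no padding: shows the mechanics only, never use for real data.
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n > 1
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so the modulus has a known size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 256, e: int = 65537) -> tuple:
    """Return (public_key, private_key) as ((e, n), (d, n))."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e (a prime) must not divide phi
            return (e, p * q), (pow(e, -1, phi), p * q)  # d = e^-1 mod phi

def encrypt(public_key: tuple, message: bytes) -> int:
    """Confidentiality: anyone holding the public key can encrypt."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(private_key: tuple, ciphertext: int) -> bytes:
    """Only the private key holder recovers the plaintext."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key: tuple, message: bytes) -> int:
    """Integrity, authentication and nonrepudiation: signing needs the private key."""
    d, n = private_key
    return pow(_digest(message, n), d, n)

def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    e, n = public_key
    return pow(signature, e, n) == _digest(message, n)

def issue_certificate(ca_private: tuple, site: str, site_public: tuple) -> dict:
    """Toy certificate authority: binds a site name to its public key."""
    e, n = site_public
    return {"site": site, "public_key": site_public,
            "ca_signature": sign(ca_private, f"{site}|{e}|{n}".encode())}

def verify_certificate(ca_public: tuple, cert: dict, expected_site: str) -> bool:
    """A client trusts the CA's public key and checks the name-to-key binding."""
    e, n = cert["public_key"]
    record = f"{cert['site']}|{e}|{n}".encode()
    return cert["site"] == expected_site and verify(ca_public, record, cert["ca_signature"])

def demo() -> dict:
    """Exercise each property once; every value should be True."""
    ca_pub, ca_priv = generate_keypair()
    site_pub, site_priv = generate_keypair()
    _, rogue_priv = generate_keypair()
    msg = b"transfer 100 to account 42"
    sig = sign(site_priv, msg)
    cert = issue_certificate(ca_priv, "shop.example", site_pub)
    rogue_cert = issue_certificate(rogue_priv, "shop.example", site_pub)
    return {
        "roundtrip": decrypt(site_priv, encrypt(site_pub, msg)) == msg,
        "signature_ok": verify(site_pub, msg, sig),
        "tamper_detected": not verify(site_pub, b"transfer 900 to account 42", sig),
        "forgery_detected": not verify(site_pub, msg, sign(rogue_priv, msg)),
        "cert_ok": verify_certificate(ca_pub, cert, "shop.example"),
        "wrong_site_rejected": not verify_certificate(ca_pub, cert, "bank.example"),
        "rogue_ca_rejected": not verify_certificate(ca_pub, rogue_cert, "shop.example"),
    }
```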

Other Encryption Approaches

• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology
  • Limited use by organizations
• 1991 – Pretty Good Privacy
o Versatile encryption program
o Global favorite
• 1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs


6-33

Recommended Virus Precautions

• Purchase and install antivirus software
o Update frequently

• Do not download data from unknown sources
o Flash drives, disks, Web sites

• Delete (without opening) e-mail from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail
o Record of users
o Record of activities
• IT department needs to monitor this activity

6-35
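An added example (not code from the slides or the textbook) that ties the Access-Control Software and Audit Control Software slides together: a policy that grants only the files needed for the job, read-only where appropriate and only during allowed hours, with every decision written to an audit trail that is then reviewed for users with repeated denials. The users, files, hours and events are constructed.

```python
# Access-control policy with an audit trail and a review pass over it.
# Added example for this page; not code from the slides or the textbook.
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed policy: for each user, the files their work requires (with "r" or
# "rw" permission) and the hours (24h clock, start inclusive, end exclusive)
# during which access is allowed.
POLICY: Dict[str, dict] = {
    "alice": {"files": {"/payroll/2024.xlsx": "rw", "/hr/handbook.pdf": "r"},
              "hours": (8, 18)},
    "bob": {"files": {"/hr/handbook.pdf": "r"}, "hours": (9, 17)},
}


def decide(user: str, path: str, op: str, when: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason); every denial carries a reason for the audit trail."""
    if op not in ("read", "write"):
        return False, "unsupported operation"
    entry = POLICY.get(user)
    if entry is None:
        return False, "unknown user"
    start, end = entry["hours"]
    if not start <= when.hour < end:
        return False, "outside allowed hours"
    perm = entry["files"].get(path)
    if perm is None:
        return False, "file not required for this user's work"
    if op == "write" and "w" not in perm:
        return False, "read-only access"
    return True, "ok"


def process(events: List[Tuple[str, str, str, str]]) -> List[dict]:
    """Evaluate (user, path, op, ISO timestamp) events and return the audit trail."""
    trail = []
    for user, path, op, stamp in events:
        allowed, reason = decide(user, path, op, datetime.fromisoformat(stamp))
        trail.append({"time": stamp, "user": user, "path": path, "op": op,
                      "allowed": allowed, "reason": reason})
    return trail


def suspicious_users(trail: List[dict], threshold: int = 3) -> List[str]:
    """Users with at least `threshold` denied attempts, most denials first."""
    denials = Counter(r["user"] for r in trail if not r["allowed"])
    return [user for user, count in denials.most_common() if count >= threshold]


# Constructed sample activity for one working day.
SAMPLE_EVENTS = [
    ("alice", "/payroll/2024.xlsx", "write", "2024-03-04T10:15:00"),
    ("alice", "/hr/handbook.pdf", "write", "2024-03-04T10:20:00"),     # read-only file
    ("bob", "/hr/handbook.pdf", "read", "2024-03-04T11:00:00"),
    ("bob", "/payroll/2024.xlsx", "read", "2024-03-04T11:05:00"),      # not bob's job
    ("bob", "/payroll/2024.xlsx", "read", "2024-03-04T11:06:00"),      # tried again
    ("bob", "/hr/handbook.pdf", "read", "2024-03-04T23:30:00"),        # outside hours
    ("mallory", "/payroll/2024.xlsx", "read", "2024-03-04T12:00:00"),  # unknown user
]

if __name__ == "__main__":
    trail = process(SAMPLE_EVENTS)
    for record in trail:
        verdict = "ALLOW" if record["allowed"] else "DENY "
        print(f"{record['time']} {verdict} {record['user']:<8}{record['op']:<6}"
              f"{record['path']}  ({record['reason']})")
    print("review:", suspicious_users(trail))
```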

Other Technological Safeguards

• Backups
o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

6-36

Human Safeguards

• Use of federal and state laws as well as ethics


6-37

Learning Objectives


6-38

Managing Information Systems Security

• Non-technical safeguards
o Management of people’s use of IS

• Acceptable use policies
o Trustworthy employees
o Well-treated employees

6-39

Developing an Information Systems Security Plan
Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

6-40

Security Plan: Step 2

2. Policies and procedures – actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding new users
f. Incident handling procedures – handling a security breach
g. Disaster recovery plan – restoration of computer operations

6-41

Security Plan: Remaining Steps

3. Implementation
a. Implementation of network security hardware and software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department
4. Training – organization’s personnel
5. Auditing
a. Assessment of policy adherence
b. Penetration tests

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation

6-43

The State of Systems Security Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement
  • Fear of falling stock prices
o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important
  • Majority said they do not do enough training

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)


6-45

End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60-80% of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
o Driving around densely populated areas

• “War spamming”
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees

• Businesses fight back using bogus access points
o FakeAP

• Network scanners distinguish between real and fake APs
o NetStumbler

• Fast Packet Keying – to fix shortcomings of WEP

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate spyware

• Webroot company data
o 66% of scanned PCs infected with at least 25 spyware programs
o Incidents of spyware slightly decreasing

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

6-49

Is Big Brother Watching You

• Employers can use equipment to
o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost any information about employees while on the job

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines

• 675,000 incidents in 1 year
o Infrastructure information publicly available
o Most of Internet communication goes through cables buried along major highways and railroads

• Only two major routes across US for Internet traffic

6-51


Slide 47

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 48

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups
o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

6-37

Learning Objectives

6-38

Managing Information Systems Security

• Non-technical safeguards
o Management of people’s use of IS

• Acceptable use policies
o Trustworthy employees
o Well-treated employees

6-39

Developing an Information Systems Security Plan

Ongoing five-step process

1. Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to improve computer security

6-40
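Step 1 lists what a risk analysis must produce. As an added example (not the textbook's), this Python script carries sub-steps a, b, c and e through for three constructed operations: it values each operation's information, scores the confidentiality, integrity and availability threats against it as an expected yearly loss, ranks the most exposed operations, and then compares that loss with the cost of a proposed safeguard or of insurance to recommend whether to reduce, accept or transfer each risk, the three responses the chapter names when it discusses safeguarding IS resources. Every figure, operation name and the scoring scale is an assumption made for the illustration.

```python
"""Risk analysis worked through for constructed operations.  Added example,
not from the textbook; every figure below is made up for illustration."""
from dataclasses import dataclass, field


@dataclass
class Operation:
    name: str
    asset_value: float                 # step a: value of the electronic information ($)
    # step b: per property, (yearly likelihood 0..1, share of value lost 0..1)
    threats: dict = field(default_factory=dict)
    control_cost: float = 0.0          # yearly cost of the proposed safeguard ($)
    control_effect: float = 0.0        # fraction of expected loss the safeguard removes
    insurance_cost: float = 0.0        # yearly premium if the risk is transferred ($)


def expected_loss(op):
    """Annual expected loss summed over the C, I and A threats (step b)."""
    return sum(p * impact * op.asset_value for p, impact in op.threats.values())


def most_vulnerable(ops, top=1):
    """Step c: rank operations by exposure, highest first."""
    return sorted(ops, key=expected_loss, reverse=True)[:top]


def recommend(op):
    """Step e: choose the cheapest response.  Reduce if the safeguard pays for
    itself, transfer if insurance is cheaper than the loss, otherwise accept."""
    loss = expected_loss(op)
    options = {"accept": loss}
    if op.control_cost > 0:
        options["reduce"] = op.control_cost + loss * (1 - op.control_effect)
    if op.insurance_cost > 0:
        options["transfer"] = op.insurance_cost
    choice = min(options, key=options.get)
    return choice, round(options[choice], 2)


def risk_register(ops):
    """Full step 1 output: one row per operation, ranked by exposure."""
    rows = []
    for op in most_vulnerable(ops, top=len(ops)):
        action, yearly_cost = recommend(op)
        rows.append({"operation": op.name,
                     "expected_loss": round(expected_loss(op), 2),
                     "action": action, "yearly_cost": yearly_cost})
    return rows


# Constructed sample: three operations with assumed values and threat estimates.
OPERATIONS = [
    Operation("payroll database", 500_000,
              {"confidentiality": (0.10, 0.4), "integrity": (0.05, 0.6),
               "availability": (0.20, 0.1)},
              control_cost=15_000, control_effect=0.8, insurance_cost=40_000),
    Operation("public Web site", 80_000,
              {"availability": (0.50, 0.3), "integrity": (0.10, 0.5)},
              control_cost=20_000, control_effect=0.7),
    Operation("internal wiki", 10_000,
              {"confidentiality": (0.30, 0.2)},
              control_cost=5_000, control_effect=0.9),
]

if __name__ == "__main__":
    for row in risk_register(OPERATIONS):
        print(row)
```

With these assumed figures the payroll database tops the register at an expected loss of $45,000 a year and the $15,000 safeguard is recommended, while the Web site's $20,000 safeguard costs more than the $16,000 loss it would cut and so the risk is accepted.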

Security Plan: Step 2

2. Policies and procedures – actions to be taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational computers
c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding new users
f. Incident handling procedures – handling of a security breach
g. Disaster recovery plan – restoration of computer operations

6-41

Security Plan: Remaining Steps

3. Implementation
a. Implementation of network security hardware and software
b. Dissemination of IDs and smart cards
c. Responsibilities of the IS department

4. Training – organization’s personnel

5. Auditing
a. Assessment of policy adherence
b. Penetration tests

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team (CERT)
o Started after the Morris worm disabled 10% of all computers connected to the Internet

• Computer Security Division (CSD)
o Raising awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT planning, implementation, management and operation

6-43

The State of Systems Security Management

• Financial losses from cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement, for fear of falling stock prices

• Most organizations do not outsource security activities
• 90% of organizations conduct routine security audits
• Most organizations agree security training is important
o The majority said they do not do enough training

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey respondents (2006)

6-45

End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60–80% of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
o Driving around densely populated areas

• “War spamming”
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees

• Businesses fight back using bogus access points
o FakeAP

• Network scanners distinguish between real and fake APs
o Netstumbler

• Fast Packet Keying – to fix shortcomings of WEP

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan for and eliminate spyware

• Webroot company data
o 66% of scanned PCs infected with at least 25 spyware programs
o Incidents of spyware slightly decreasing

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

6-49

Is Big Brother Watching You?

• Employers can use equipment to
o Read your e-mail
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost any information about employees while on the job

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines

• 675,000 incidents in 1 year
o Infrastructure information publicly available
o Most Internet communication goes through cables buried along major highways and railroads

• Only two major routes across the US for Internet traffic

6-51


Slide 49

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security
Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial
losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to the
law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough of training
Information Systems Today: Managing in the Digital World

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey
respondents (2006)

Information Systems Today: Managing in the Digital World

6-45

End of Chapter Content

Opening Case: Managing in the
Digital World: Drive-by-Hacking





60 - 80 % of corporate wireless networks do not use
security
“War driving” – a new hacker tactic
o Driving around densely populated areas

“War spamming”
o Attackers link to an e-mail server and send out millions of spam





messages
o Companies pay millions in bandwidth fees

Businesses fight back using bogus access points
o FakeAP

Network scanners distinguish between real and fake APs
o Netstumbler

Fast Packet Keying – to fix shortcomings of WEP
Information Systems Today: Managing in the Digital World

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate
spyware

• Webroot company data
o 66% of scanned PCs infected with at least
25 spyware programs
o Incidents of spyware slightly decreasing
Information Systems Today: Managing in the Digital World

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data
about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting
cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)

Information Systems Today: Managing in the Digital World

6-49

Is Big Brother Watching You

• Employers can use equipment to

o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost
any information about employees while
on the job
Information Systems Today: Managing in the Digital World

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is
vulnerable
o Damage to telephone lines, fiber-optic
cables, water lines, gas pipelines

• 675,000 incidents in 1 year

o Infrastructure information publicly available
o Most of Internet communication goes through
cables buried along major highways and
railroads

• Only two major routes across US for Internet
traffic
Information Systems Today: Managing in the Digital World

6-51


Slide 50

6

COIS11011 WEEK 9

Chapter

Securing Information Systems

“66 percent of all Webroot-scanned personal
computers are infected with at least 25 spyware
programs.”
Webroot (2005)
Information Systems Today: Managing in the Digital World

6-1

Learning Objectives

Information Systems Today: Managing in the Digital World

6-2

Learning Objectives

Information Systems Today: Managing in the Digital World

6-3

Information Systems Security

• All systems connected to a network are at risk
o Internal threats
o External threats

• Information systems security
o Precautions to keep IS safe from unauthorized
access and use

• Increased need for good computer security
with increased use of the Internet

Information Systems Today: Managing in the Digital World

6-4

Primary Threats to Information
Systems Security



Accidents and natural
disasters
o Power outages, cats




walking across keyboards

Employees and
consultants
Links to outside business
contacts
o Travel between business




affiliates

Outsiders
Viruses
Information Systems Today: Managing in the Digital World

6-5

Unauthorized Access

• Unauthorized people
o Look through
electronic data
o Peek at monitors
o Intercept electronic
communication

• Theft of computers or
storage media
• Determined hackers
gain administrator
status

Information Systems Today: Managing in the Digital World

6-6

Gaining Access to a Password

• Brute force
o Try combinations
until a match is
found

• Protection:
o Wait time

requirements after
unsuccessful login
attempt
o CAPTCHA
Information Systems Today: Managing in the Digital World

6-7

Information Modification

• User accesses


electronic
information
User changes
information
o Employee gives
himself a raise

Information Systems Today: Managing in the Digital World

6-8

Denial of Service Attack

• Attackers prevent


legitimate users
from accessing
services
Zombie
computers
o Created by
viruses or worms
o Attack Web sites
Information Systems Today: Managing in the Digital World

6-9

Computer Viruses
• Corrupt and destroy data
• Destructive code can
o Erase a hard drive
o Seize control of a



computer

Worms
o Variation of a virus
o Replicate endlessly across



the Internet
o Servers crash

MyDoom attack on
Microsoft’s Web site
Information Systems Today: Managing in the Digital World

6-10

Spyware

• Within freeware or shareware
• Within a Web site
• Gathers information about a user
o Credit card information
o Behavior tracking for marketing purposes

• Eats up computer’s memory and network
bandwidth
• Adware – special kind of spyware
o Collects information for banner ad customization
Information Systems Today: Managing in the Digital World

6-11

Spam

• Electronic junk mail
• Advertisements of




products and
services
Eats up storage
space
Compromises
network bandwidth
Spim
o Spam over IM

Information Systems Today: Managing in the Digital World

6-12

Protection Against Spam

• Barracuda Spam Firewall 600

o Filters spam and other email threats
o Decreases amount of spam processed by the
central e-mail server
o Handles 3,000 – 10,000 active email users
o Spam messages blocked or quarantines

Information Systems Today: Managing in the Digital World

6-13

Phishing

• Attempts to trick




users into giving away
credit card numbers
Phony messages
Duplicates of
legitimate Web sites
E.g., eBay, PayPal
have been used
Information Systems Today: Managing in the Digital World

6-14

Cookies

• Messages passed to a Web browser
from a Web server
• Used for Web site customization
• Cookies may contain sensitive
information
• Cookie management and cookie killer
software
• Internet Explorer Web browser settings
Information Systems Today: Managing in the Digital World

6-15

Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software

3. Use of default network passwords
4. Letting outsiders view monitors

Information Systems Today: Managing in the Digital World

6-16

Other Threats to IS Security (II)
5. Organizations fail to limit access to
some files

6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful
Information Systems Today: Managing in the Digital World

6-17

Learning Objectives

Information Systems Today: Managing in the Digital World

6-18

Safeguarding Information Systems
Resources

• Information systems audits
o Risk analysis

• Process of assessing the value of protected assets
o Cost of loss vs. cost of protection
• Risk reduction
o Measures taken to protect the system
• Risk acceptance
o Measures taken to absorb the damages
• Risk transfer
o Transferring the absorption of risk to a third party
Information Systems Today: Managing in the Digital World

6-19

Technological Safeguards

• Physical access restrictions
o Authentication

• Use of passwords
• Photo ID cards, smart cards
• Keys to unlock a computer
• Combination

• Authentication limited to
o Something you have
o Something you know
o Something you are

Information Systems Today: Managing in the Digital World

6-20

Biometrics

• Form of
authentication
o Fingerprints
o Retinal patterns
o Body weight
o Etc.

• Fast


authentication
High security
Information Systems Today: Managing in the Digital World

6-21

Access-Control Software

• Access only to files required for work
• Read-only access
• Certain time periods for allowed access
• Business systems applications
o Built-in access control capabilities

Information Systems Today: Managing in the Digital World

6-22

Wireless LAN Control

• Wireless LAN cheap




and easy to install
Use on the rise
Signal transmitted
through the air
o Susceptible to being
intercepted
o Drive-by hacking

Information Systems Today: Managing in the Digital World

6-23

Virtual Private Networks

• Connection
constructed
dynamically within
an existing network

• Secure tunnel
o Encrypted
information

Information Systems Today: Managing in the Digital World

6-24

Firewalls

• System designed to detect intrusion and
prevent unauthorized access
• Implementation
o Hardware, software, mixed
• Approaches
o Packet filter – each packet examined
o Application-level control – security measures only for
certain applications

o Circuit-level control – based on certain type of connection
o Proxy server – firewall acts as the server and intercepts all
messages; Network Address Translation
Information Systems Today: Managing in the Digital World

6-25

Firewall Architecture
a) Basic software
firewall for a
home network
b) Firewall router
• Home office
• Small office

Information Systems Today: Managing in the Digital World

6-26

Firewall Architecture
Larger Organization

Information Systems Today: Managing in the Digital World

6-27

Encryption
• Message encoded before sending
• Message decoded when received



Encryption allows for
o Authentication – proving one’s identity
o Privacy/confidentiality – only intended recipient can read a
message
o Integrity – assurance of unaltered message
o Nonrepudiation – use of digital signature
Information Systems Today: Managing in the Digital World

6-28

The Encryption Process

• Key – code that scrambles the message
o Symmetric secret key system

• Sender and recipient use the same key
• Cons: Management problems

o Public key technology

• Asymmetric key system
• Each individual has a pair of keys
o Public key – freely distributed
o Private key – kept secret

Information Systems Today: Managing in the Digital World

6-29

How Encryption Works (Asymmetric)

Information Systems Today: Managing in the Digital World

6-30

Encryption for Websites

• Certificate Authority

o Third party – trusted middleman

• Verifies trustworthiness of a Web site
• Checks for identity of a computer
• Provides public keys

• Secure Sockets Layer (SSL)

o Developed by Netscape
o Popular public-key encryption method

Information Systems Today: Managing in the Digital World

6-31

Other Encryption Approaches
• 1976 – Public/private key
• 1977 – RSA
o Technology licensed to Lotus and Microsoft
o Federal law prohibited exporting encryption technology





• Limited use by organizations

1991 – Pretty good privacy
o Versatile encryption program
o Global favorite

1993 – Clipper chip
o Chip generating uncrackable codes
o Scrapped before it became reality

Information Systems Today: Managing in the Digital World

6-32

The Evolution of Encryption

• Future encryption programs will provide
o Strong security
o High speed
o Usability on any platform

• Encryption for cellular phones
• Encryption for PDAs

Information Systems Today: Managing in the Digital World

6-33

Recommended Virus Precautions

• Purchase and install antivirus
software

o Update frequently

• Do not download data from
unknown sources

o Flash drives, disks, Web sites

• Delete (without opening) e-mail
from unknown sources
• Warn people if you get a virus
o Your department
o People on e-mail list
Information Systems Today: Managing in the Digital World

6-34

Audit Control Software

• Keeps track of computer activity
• Spots suspicious action
• Audit trail


o Record of users
o Record of activities
IT department needs to monitor this
activity
Information Systems Today: Managing in the Digital World

6-35

Other Technological Safeguards

• Backups

o Secondary storage devices
o Regular intervals

• Closed-circuit television (CCTV)
o Monitoring for physical intruders
o Video cameras display and record all activity
o Digital video recording

• Uninterruptible power supply (UPS)
o Protection against power surges

Information Systems Today: Managing in the Digital World

6-36

Human Safeguards

• Use of federal and state laws as well as ethics

Information Systems Today: Managing in the Digital World

6-37

Learning Objectives

Information Systems Today: Managing in the Digital World

6-38

Managing Information Systems
Security

• Non-technical
safeguards
o Management of
people’s use of IS

• Acceptable use policies

o Trustworthy
employees
o Well-treated
employees
Information Systems Today: Managing in the Digital World

6-39

Developing an Information Systems
Security Plan
Ongoing five-step process

1.

Risk analysis
a. Determine value of electronic information
b. Assess threats to confidentiality, integrity and
availability of information
c. Identify most vulnerable computer operations
d. Assess current security policies
e. Recommend changes to existing practices to
improve computer security
Information Systems Today: Managing in the Digital World

6-40

Security Plan: Step 2
2. Policies and procedures – actions to be
taken if security is breached
a. Information policy – handling of sensitive information
b. Security policy – technical controls on organizational
computers

c. Use policy – appropriate use of in-house IS
d. Backup policy
e. Account management policy – procedures for adding
new users

f. Incident handling procedures –handling security breach
g. Disaster recovery plan – restoration of computer
operations
Information Systems Today: Managing in the Digital World

6-41

Security Plan: Remaining Steps
3.

Implementation
a. Implementation of network security hardware and
software
b. IDs and smart cards dissemination
c. Responsibilities of the IS department

4.
5.

Training – organization’s personnel
Auditing
a. Assessment of policy adherence
b. Penetration tests
Information Systems Today: Managing in the Digital World

6-42

Responding to a Security Breach

• 1988 – Computer Emergency Response Team
(CERT)
o Started after Morris worm disabled 10% of all
computers connected to the Internet

• Computer Security Division (CSD)
o Raising of awareness of IT risks
o Research and advising about IT vulnerabilities
o Development of standards
o Development of guidelines to increase secure IT
planning, implementation, management and
operation
Information Systems Today: Managing in the Digital World

6-43

The State of Systems Security Management

• Financial losses of cybercrime are decreasing
o Computer virus attacks result in the greatest financial losses
o Only about 25% of organizations utilize cyberinsurance
o Only about 20% of organizations report intrusions to law enforcement

• Fear of falling stock prices

o Most organizations do not outsource security activities
o 90% of organizations conduct routine security audits
o Most organizations agree security training is important

• Majority said they do not do enough training

6-44

Use of Security Technologies

• CSI/FBI computer crime and security survey respondents (2006)


6-45

End of Chapter Content

Opening Case: Managing in the Digital World: Drive-by-Hacking

• 60–80% of corporate wireless networks do not use security
• “War driving” – a new hacker tactic
o Driving around densely populated areas
• “War spamming”
o Attackers link to an e-mail server and send out millions of spam messages
o Companies pay millions in bandwidth fees
• Businesses fight back using bogus access points
o FakeAP
• Network scanners distinguish between real and fake APs
o Netstumbler
• Fast Packet Keying – to fix shortcomings of WEP

6-47

Spyware Lurks on Most PCs

• Webroot
o Producer of software to scan and eliminate spyware

• Webroot company data
o 66% of scanned PCs infected with at least 25 spyware programs
o Incidents of spyware slightly decreasing

6-48

To Cookie or Not to Cookie

• Cookies collected by companies to get data about customers
o Footprints that marketers can trace
o Sometimes sold to other companies

• Web browsers can protect against accepting cookies
o Constant pop-ups
o Some sites will not work properly
o Customized information will not be available

• National Security Agency (NSA)


6-49

Is Big Brother Watching You

• Employers can use equipment to
o Read your email
o Monitor Web-surfing behavior
o Collect keystrokes
o Follow the movement of employees

• RFID and GPS

• Companies have rights to collect almost any information about employees while on the job

6-50

Backhoe Cyber Threat

• Telecommunications infrastructure is vulnerable
o Damage to telephone lines, fiber-optic cables, water lines, gas pipelines

• 675,000 incidents in 1 year
o Infrastructure information publicly available
o Most of Internet communication goes through cables buried along major highways and railroads

• Only two major routes across US for Internet traffic

6-51


Slide 51
