
IT effective auditing in MIS and prevention

This article explores the primary goals of information security, types of risks to information systems, various types of attacks on networked systems, controls required for data integrity and uninterrupted e-commerce, and security measures to protect data and ISs. It also outlines the principles of developing a recovery plan and explains the economic aspects of information security.


Presentation Transcript


  1. IT effective auditing in MIS and prevention Risks, Security and Disaster Recovery www.cengage.co.uk/oz

  2. Objectives • Describe the primary goals of information security • Enumerate the main types of risks to information systems • List the various types of attacks on networked systems • Describe the types of controls required to ensure the integrity of data entry and processing and uninterrupted e-commerce

  3. Objectives (continued) • Describe the various kinds of security measures that can be taken to protect data and ISs • Outline the principles of developing a recovery plan • Explain the economic aspects of information security

  4. Goals of Information Security • Protecting IT resources is a primary concern • Securing corporate ISs increasingly challenging • Major goals of information security • Reduce risk of systems ceasing operation • Maintain information confidentiality • Ensure integrity of data resources • Ensure uninterrupted availability of resources • Ensure compliance with policies

  5. Risks to Information Systems • Downtime: time when IS is not available • Extremely expensive • Pan-European survey by data centre provider, Global Switch, found IT downtime cost businesses €400,000 per hour

  6. Risks to Hardware • Major causes of damage to machine • Natural disasters • Fire • Flood • Storms • Blackouts and brownouts • Blackout: total loss of electricity • Brownout: partial loss of electricity • Uninterruptible power supply (UPS): backup power • Vandalism • Deliberate destruction

  7. Risks to Data and Applications • Data primary concern because unique • Susceptible to • Disruption • Damage • Theft • Keystroke logging: record individual keystrokes • Social engineering: con artists pretending to be service people • Identity theft: pretending to be another person

  8. Risks to Data and Applications (continued) • Risk to data • Alteration • Destruction • Web defacement • Deliberate alteration or destruction is a prank • Target may be Web site • Honeytoken: bogus record in networked database • Used to combat hackers

  9. Risks to Data and Applications (continued) • Honeypot: server containing mirrored copy of database • Educates security officers about vulnerable points • Virus: spread from computer to computer • Worm: spread in network without human intervention • Antivirus software: protect against viruses • Trojan horse: virus disguised as legitimate software

  10. Risks to Data and Applications (continued) • Logic bomb: cause damage at specific time • Unintentional damage • Human error • Lack of adherence to backup procedures • Poor training • Unauthorized downloading may cause damage

  11. Risks to Online Operations • Many hackers try to interrupt business daily • Attacks • Unauthorized access • Data theft • Defacing of Web pages • Denial-of-service • Hijacking

  12. Denial of Service • Denial of service (DoS): launch large number of information requests • Slow down legitimate traffic to site • Distributed denial-of-service (DDoS): launch DoS attack from multiple computers • No definitive cure • Can filter illegitimate traffic
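Filtering illegitimate traffic, as an added example that is not part of the slides: a per-source request-rate filter run over a constructed access log, letting a source through until it exceeds a request budget inside a sliding window. The log format, addresses and threshold values are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample access log, one request per line: "<seconds> <source ip> <request>".
# 203.0.113.5 floods the site within a few seconds; 198.51.100.7 is an ordinary shopper.
SAMPLE_LOG = """\
100 203.0.113.5 GET /
100 203.0.113.5 GET /
101 198.51.100.7 GET /cart
101 203.0.113.5 GET /
102 203.0.113.5 GET /
102 203.0.113.5 GET /
103 203.0.113.5 GET /
103 203.0.113.5 GET /
104 203.0.113.5 GET /
105 198.51.100.7 GET /checkout
120 203.0.113.5 GET /
"""

def rate_filter(log_text, window_s=10, max_requests=5):
    """Pass each request through unless its source has already been served
    max_requests times within the last window_s seconds.

    Returns (allowed_lines, dropped_per_source). Only served requests are
    counted, so a source regains service once its window has expired."""
    recent = defaultdict(deque)     # source -> timestamps of its served requests
    dropped = defaultdict(int)
    allowed = []
    for line in log_text.splitlines():
        ts_text, src, _request = line.split(" ", 2)
        ts = int(ts_text)
        window = recent[src]
        while window and ts - window[0] >= window_s:   # expire entries outside the window
            window.popleft()
        if len(window) >= max_requests:
            dropped[src] += 1          # burst over budget: filtered out
            continue
        window.append(ts)
        allowed.append(line)
    return allowed, dict(dropped)

# Caveat from the slide: a distributed attack spreads requests over many
# sources, so each one may stay under the limit and pass this filter.
if __name__ == "__main__":
    passed, blocked = rate_filter(SAMPLE_LOG)
    print(f"{len(passed)} requests served, blocked per source: {blocked}")
```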

  13. Computer Hijacking • Hijacking: linking computer to public network without consent • Done for DDoS • Done by installing bot on computer • Hijackers usually send spam • Bot planted by exploiting security holes • Install e-mail forwarding software

  14. Controls • Controls: constraints on user or system • Can secure against risks • Ensure nonsensical data is not entered • Can reduce damage

  15. Controls (continued)

  16. Program Robustness and Data Entry Controls • Computer free of bugs is robust • Handle situations well • Resist inappropriate usage • Provide clear messages • Translate business policies into system features

  17. Backup • Backup: duplication of all data • Redundant Arrays of Independent Disks (RAID): set of disks programmed to replicate stored data • Data must be routinely transported off-site • Some companies specialize in data backup

  18. Access Controls • Access controls: require authorized access • Physical locks • Software locks • Three types of access controls • What you know • User ID and password • What you have • Require special devices • What you are • Physical characteristics

  19. Access Controls (continued) • Passwords stored in OS or database • Security card more secure than password • Allows two-factor access • Biometric: unique physical characteristic • Fingerprints • Retinal pictures • Voiceprints • Many people forget passwords

  20. Atomic Transactions • Atomic transaction: set of indivisible transactions • All executed or none • Ensure only full entry occurs • Control against malfunction and fraud

  21. Atomic Transactions (continued)

  22. Audit Trail • Audit trail: documented facts that help detect who recorded transactions • Sometimes automatically created • Certain policies on audit trail controls required in some countries • Information systems auditor: find and investigate fraudulent cases
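Slides 20 and 22 together, as an added illustration that is not part of the presentation: an account transfer in SQLite executed as one atomic transaction, with the audit-trail record written inside the same transaction, so a failed transfer leaves neither a half-applied ledger nor an orphaned audit entry. Table names, account names and balances are constructed.

```python
import sqlite3

def setup() -> sqlite3.Connection:
    """In-memory ledger with an audit-trail table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY,"
                 " balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.execute("CREATE TABLE audit_trail (seq INTEGER PRIMARY KEY,"
                 " actor TEXT, action TEXT, detail TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    conn.commit()
    return conn

def transfer(conn, actor, src, dst, amount) -> bool:
    """Debit, credit and audit record are one indivisible unit:
    all three are committed, or none of them is."""
    try:
        with conn:  # sqlite3 commits on normal exit, rolls back on an exception
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                         (amount, src))              # CHECK fails here on overdraft
            cur = conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                               (amount, dst))
            if cur.rowcount != 1:
                # debit already applied; raising makes the rollback undo it
                raise LookupError(f"unknown account {dst}")
            conn.execute("INSERT INTO audit_trail (actor, action, detail)"
                         " VALUES (?, 'transfer', ?)", (actor, f"{src}->{dst}:{amount}"))
        return True
    except (sqlite3.IntegrityError, LookupError):
        return False    # nothing from this transfer reached the database

def balances(conn) -> dict:
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))

def audit_entries(conn) -> list:
    """The documented facts an auditor reads to see who recorded what."""
    return conn.execute("SELECT actor, action, detail FROM audit_trail ORDER BY seq").fetchall()

if __name__ == "__main__":
    c = setup()
    print(transfer(c, "teller1", "alice", "bob", 30), balances(c))       # True
    print(transfer(c, "teller1", "alice", "mallory", 20), balances(c))   # False, balances unchanged
    print(audit_entries(c))
```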

  23. Security Measures • Organizations can protect against attacks • Firewalls • Authentication • Encryption • Digital signatures • Digital certificates

  24. Firewalls and Proxy Servers • Firewall: best defense • Hardware and software • Blocks access to computing resources • Routinely integrated into routers • DMZ: demilitarized zone approach • One end of network connected to trusted network, other end to public network • Proxy server: represents another server • Employs firewall

  25. Firewalls and Proxy Servers (continued)

  26. Authentication and Encryption • Encrypt and authenticate messages to ensure security • Message may not be text • Image • Sound • Authentication: process of ensuring sender is valid • Encryption: coding message to unreadable form

  27. Authentication and Encryption (continued)

  28. Authentication and Encryption (continued) • Encryption programs • Plaintext: original message • Ciphertext: coded message • Uses mathematical algorithm and key • Key is combination of bits that deciphers ciphertext • Symmetric encryption: sender and recipient use same key • Asymmetric encryption: public and private key used

  29. Authentication and Encryption (continued)

  30. Authentication and Encryption (continued) • Transport Layer Security (TLS): protocol for transactions on Web • Uses combination of public and symmetric key encryption • HTTPS: secure version of HTTP • Digital signature: way to authenticate online messages • Message digest: unique fingerprint of file
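An added example, not from the slides, of how a message digest and an asymmetric key pair combine into a digital signature: a toy RSA key pair signs the SHA-256 digest of a message, and anyone holding only the public key can verify it. The key values are constructed and far too small for real use.

```python
import hashlib

# Constructed toy RSA key pair. The primes are tiny so the arithmetic is
# easy to follow; real keys use primes of a thousand bits or more.
P, Q = 61, 53
N = P * Q                  # public modulus, 3233
PHI = (P - 1) * (Q - 1)    # 3120
E = 17                     # public exponent, shared with everyone
D = pow(E, -1, PHI)        # private exponent, 2753, kept secret by the signer

def message_digest(message: bytes) -> int:
    """The message's fingerprint: a SHA-256 hash, reduced mod N only so it
    fits this toy modulus (a real scheme pads the full digest instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, private_key=(D, N)) -> int:
    """Signer: apply the private key to the digest."""
    d, n = private_key
    return pow(message_digest(message), d, n)

def verify(message: bytes, signature: int, public_key=(E, N)) -> bool:
    """Recipient: undo the signature with the public key and compare it with a
    freshly computed digest of the message actually received."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message)

if __name__ == "__main__":
    order = b"Ship 100 units to Bob"
    sig = sign(order)
    print("genuine:", verify(order, sig))                      # True
    print("altered signature:", verify(order, (sig + 1) % N))  # False
    # False unless the two digests happen to collide mod the tiny N
    print("altered message:", verify(b"Ship 900 units to Bob", sig))
```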

  31. Authentication and Encryption (continued)

  32. Authentication and Encryption (continued) • Digital certificates: bind an identity to a public key • Issued by certificate authority • Certificate authority (CA): trusted third party • Contains • Name • Serial number • Expiration dates • Copy of holder’s public key

  33. Authentication and Encryption (continued)

  34. The Downside of Security Measures • Single sign-on (SSO): user name/password entered only once • Saves time • Encryption slows down communication • IT specialists must clearly explain implications of security measures

  35. Recovery Measures • Uncontrolled disasters need recovery measures • Redundancy may be used • Expensive • Alternatives must be taken

  36. The Business Recovery Plan • Business recovery plans: plan to recover from disaster • Nine steps • Obtain management’s commitment • Establish planning committee • Perform risk assessment and impact analysis • Prioritize recovery needs • Select recovery plan • Select vendors • Develop and implement plan • Test plan • Continually test and evaluate

  37. Recovery Planning and Hot Site Providers • Can outsource recovery plans • Hot sites: alternative sites • Backup sites to continue operation

  38. The Economics of Information Security • Security analogous to insurance • Spending should be proportional to potential damage • Assess minimum rate of system downtime

  39. How Much Security Is Enough Security? • Two costs to consider • Cost of potential damage • Cost of implementing preventative measure • Companies try to find optimal point • Need to define what needs to be protected • Never exceed value of protected system

  40. How Much Security Is Enough Security? (continued)

  41. Calculating Downtime • Try to minimize downtime • Mission-critical systems must be connected to alternative source of power • More ISs interfaced with other systems • Interdependent systems have greater downtime • Redundancy reduces downtime
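An added illustration, not from the slides, that puts numbers on the two claims above (interdependent systems have more downtime, redundancy has less). It assumes independent failures, a constructed 99% availability per system, and the €400,000-per-hour downtime cost quoted on slide 5.

```python
HOURS_PER_YEAR = 24 * 365          # 8760
COST_PER_HOUR_EUR = 400_000        # downtime cost figure quoted on slide 5

def availability_interdependent(availabilities):
    """Chain of systems that must all be up (e.g. shop -> payment -> stock).
    With independent failures the chain is up only when every link is, so the
    availabilities multiply and downtime grows with each added dependency."""
    total = 1.0
    for a in availabilities:
        total *= a
    return total

def availability_redundant(a, copies):
    """`copies` identical systems where any one keeps service running:
    the service is down only when all copies fail at the same time."""
    return 1.0 - (1.0 - a) ** copies

def downtime_hours_per_year(availability):
    return (1.0 - availability) * HOURS_PER_YEAR

def downtime_cost_per_year(availability, cost_per_hour=COST_PER_HOUR_EUR):
    return downtime_hours_per_year(availability) * cost_per_hour

def report(label, availability):
    hours = downtime_hours_per_year(availability)
    cost = downtime_cost_per_year(availability)
    print(f"{label:<36} {availability:.6f}  {hours:8.2f} h/yr  EUR {cost:,.0f}")

if __name__ == "__main__":
    a = 0.99                      # constructed: each system up 99% of the time
    report("single system", a)
    report("three interdependent systems", availability_interdependent([a] * 3))
    duplicated = availability_redundant(a, 2)
    report("same three, each duplicated", availability_interdependent([duplicated] * 3))
```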

  42. Summary • Purpose of controls and security measures is to maintain functionality of ISs • Risks to IS include risks to hardware, data, and networks, and natural disaster and vandalism • Risks to data include theft, data alteration, data destruction, defacement of Web sites, and viruses • Risk to online systems include denial of service and hijacking

  43. Summary (continued) • Controls used to minimize disruption • Access controls require information to be entered before resources are made available • Atomic transactions ensure data integrity • Firewalls protect against Internet attacks • Encryption schemes protect messaging on Internet

  44. Summary (continued) • TLS and HTTPS are encryption standards designed for Web • Keys and digital certificates purchased from certificate authority • Many organizations have business recovery plans which may be outsourced • Careful evaluation of amount spent on security measures is necessary • Government is obliged to protect citizens against crime and terrorism
