Security
Topics: Security • What are the threats that affect information security? • For each threat, identify controls that can be used to mitigate risks.
Security Concerns • Information systems are subject to many threats • Continue to apply the Risk Assessment Framework • What is the threat? • What is the likelihood that the threat will occur? • What is the potential damage from the threat? • What controls can be used to minimize damage? • What is the cost of implementing the control?
Goals of Information Security • Reduce the risk of systems and organizations ceasing operations • Maintain information confidentiality • Ensure the integrity and reliability of data resources • Ensure compliance with national security laws and privacy policies and laws
Security Threats • Three major types: • Natural Forces • Human • Technical (System)
Security Threats • Natural forces • Fire • Water • Energy (surges, brownouts, etc.) • Structural damage (earthquake) • Pollution • How to prevent/minimize damage?
Security Threats - cont • Human • Unintentional mistakes • Unauthorized intrusion • Sabotage • Hackers • Viruses and worms
Human Security Threats (cont.) • Unintentional mistakes • Over 90% of errors • How to prevent/minimize them?
Risks to Information Systems • Risks to Applications and Data • Theft of information • Data alteration and data destruction • Computer viruses • Unauthorized remote control programs • Nonmalicious mishaps • Unintentional mistakes
Human Security Threats (cont.) • Risks to Network Operations • Denial of Service • Spoofing • Deception for the purpose of gaining access • Deceiving users by redirecting them to a different web site
Security Threats - cont • Technical • Inadequate testing of modifications • Hardware failure
Controls • Controls: Constraints imposed on a user or a system to secure systems against risks. • Types • Prevent • Detect • Correct
Control Types – cont’d • Preventative • Program Robustness and Data Entry Controls • Provide a clear and sound interface with the user • Menus and limits • Access Controls • Ensure that only authorized people can gain access to systems and files • Access codes, passwords, biometric • Atomic Transactions • Ensures that transaction data are recorded properly in all the pertinent files to ensure integrity
Control Types – cont’d Preventative Controls – cont’d • Segregation of Duties • Different people in charge of different activities, allowing checks and balances and minimizing possibility of criminal behavior. • Separation of duties during systems development prevents installation of trapdoors. • Separation of duties while using the system minimizes abuse, especially in electronic fund transfer.
Control Types – cont’d Preventative Controls – cont’d Network • Callback • Remote user’s telephone number verified before access allowed • Encryption • Messages scrambled on sending end; descrambled to plain text on receiving end • Symmetric: Both users use a private, secret key • Asymmetric: Parties use a combination of a public and a private key
Control Types – cont’d Preventative Controls – cont’d • Web encryption standards • Secure Sockets Layer (SSL) • The most common protocol used • Its main capability is that the SSL in your computer’s browser encrypts messages automatically before they are sent over the Internet • Secure Hypertext Transport Protocol (SHTTP) • Works only along with HTTP • Secure Electronic Transaction (SET) • Developed by MasterCard and VISA in 1997 to provide protection from electronic payment fraud • Proposed standard incorporating digital signatures, encryption, certification, and agreed-upon payment gateways
Control Types – cont’d Preventative Controls – cont’d • Firewalls • Software that separates users from computing resources • Allows retrieval and viewing of certain material but blocks changes and access to other resources on the same computer
Control Types – cont’d • Detective • Audit Trails • Built into an IS so that transactions can be traced to people, times, and authorization information • Network Logs • Internet Logs
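Three of the controls on these slides, atomic transactions and segregation of duties (preventive, earlier slides) and audit trails (detective, this slide), can be shown working together in one piece of code. The following is an added example and not code from the slides: a funds transfer against an in-memory SQLite ledger with constructed sample accounts. The credit, the debit and the audit row are written inside one database transaction, so they either all commit or all roll back, and the initiator of a transfer may not also be its approver. The account ids, balances and user names are all made up for the demo.

```python
import sqlite3
from datetime import datetime, timezone


def open_ledger() -> sqlite3.Connection:
    """In-memory ledger with two constructed sample accounts (demo data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " id TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"  # overdraft rejected by the database
    )
    conn.execute(
        "CREATE TABLE audit_log ("
        " seq INTEGER PRIMARY KEY AUTOINCREMENT,"
        " at TEXT NOT NULL, actor TEXT NOT NULL, approver TEXT NOT NULL,"
        " action TEXT NOT NULL, src TEXT, dst TEXT, amount INTEGER)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("ACC-1001", 500), ("ACC-1002", 100)])
    conn.commit()
    return conn


def transfer(conn, src, dst, amount, actor, approver) -> bool:
    """Move `amount` from src to dst. Returns False, changing nothing, on insufficient funds."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    # Segregation of duties: the person initiating a transfer may not approve it.
    if actor == approver:
        raise PermissionError("initiator may not approve their own transfer")
    try:
        # `with conn` opens a transaction: commit on success, rollback on any exception.
        with conn:
            # Credit first, so a failing debit proves the rollback really undoes the credit.
            if conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                            (amount, dst)).rowcount != 1:
                raise LookupError(f"unknown account {dst}")
            if conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                            (amount, src)).rowcount != 1:
                raise LookupError(f"unknown account {src}")
            # Audit trail: who acted, when, who authorized it and what was done,
            # recorded in the same transaction as the data change it describes.
            conn.execute(
                "INSERT INTO audit_log (at, actor, approver, action, src, dst, amount)"
                " VALUES (?, ?, ?, 'transfer', ?, ?, ?)",
                (datetime.now(timezone.utc).isoformat(), actor, approver, src, dst, amount))
    except sqlite3.IntegrityError:
        # CHECK (balance >= 0) fired: the debit would overdraw. The credit was rolled back too.
        return False
    return True


def balance(conn, account_id) -> int:
    row = conn.execute("SELECT balance FROM accounts WHERE id = ?", (account_id,)).fetchone()
    if row is None:
        raise LookupError(f"unknown account {account_id}")
    return row[0]


def audit_rows(conn) -> list:
    return conn.execute("SELECT actor, approver, action, src, dst, amount"
                        " FROM audit_log ORDER BY seq").fetchall()


if __name__ == "__main__":
    ledger = open_ledger()
    print("ok:", transfer(ledger, "ACC-1001", "ACC-1002", 200, "alice", "bob"))
    print("overdraft:", transfer(ledger, "ACC-1001", "ACC-1002", 1000, "alice", "bob"))
    print(balance(ledger, "ACC-1001"), balance(ledger, "ACC-1002"), audit_rows(ledger))
```

The point of crediting before debiting is to make the atomicity visible: when the overdraft check rejects the debit, the already-applied credit disappears with the rollback, and no audit row is written for a transfer that never happened.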
Control Types – cont’d • Corrective • Backup and Recovery • Periodic duplication of all data
Electronic Commerce Security • The security features needed to conduct commerce were not in place when the ban on public use of the Internet was lifted • Major issues • Authorization • Authentication • Integrity • Privacy • Fraud/theft • Sabotage
Electronic Commerce Security • Authorization • Does user have permission to access? • Solution: • Access control mechanisms • Passwords • Problem with solution • Administrative overhead • How control access to e-commerce site?
Electronic Commerce Security • Authorization – Cont’d • Digital Certificate • Equivalent of a physical ID card • Electronic Signature • Electronic symbol or process associated with a contract • Digital Signature • Encrypted text sent along with message that verifies that message was not altered (equivalent to a signed envelope)
Electronic Commerce Security • Authentication - assurance regarding the identity of the parties who are involved in the deal • Solution • Encrypted password devices • System sends a 5-digit number • User enters it into a handheld device, which displays a different 5-digit number • User enters that number back into the system as the password • Digital Certificate • Similar principle – owner’s public key stored on third-party site
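The "encrypted password device" on this slide is a challenge-response token. The following is an added example, not from the slides, simulating both sides: the server issues a fresh 5-digit challenge, the handheld device computes a 5-digit response from the challenge and a secret it shares with the server, and the server checks the response and discards the challenge so it cannot be reused. The per-user secret and user names are constructed for the demo; the use of HMAC-SHA256 to derive the response is this example's choice, since the slide does not say how the device computes its number.

```python
import hashlib
import hmac
import secrets

RESPONSE_DIGITS = 5  # the slide's 5-digit code


class HandheldToken:
    """Simulated handheld device holding the secret provisioned at enrollment (constructed)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: str) -> str:
        # HMAC ties the response to this secret and this challenge; truncate to 5 digits.
        mac = hmac.new(self._secret, challenge.encode(), hashlib.sha256).digest()
        code = int.from_bytes(mac[:4], "big") % 10 ** RESPONSE_DIGITS
        return f"{code:0{RESPONSE_DIGITS}d}"


class AuthServer:
    """Server side: knows each user's token secret and the challenge it last issued."""

    def __init__(self) -> None:
        self._secrets = {}   # user -> token secret
        self._pending = {}   # user -> outstanding challenge

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret

    def issue_challenge(self, user: str) -> str:
        # A fresh random challenge every time, so a response seen once is useless later.
        challenge = f"{secrets.randbelow(10 ** RESPONSE_DIGITS):0{RESPONSE_DIGITS}d}"
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # Single use: the challenge is consumed whether or not the response is right.
        challenge = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = HandheldToken(secret).respond(challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = AuthServer()
    demo_secret = b"constructed-demo-secret"          # constructed, not a real key
    server.enroll("alice", demo_secret)
    device = HandheldToken(demo_secret)
    challenge = server.issue_challenge("alice")
    answer = device.respond(challenge)
    print("challenge", challenge, "response", answer, "accepted", server.verify("alice", answer))
    print("replay accepted", server.verify("alice", answer))   # False: challenge already used
```

Because every login gets a new challenge and each challenge is consumed on first use, a response captured in transit does not help later. A 5-digit response space is small, so a server using this scheme also needs to limit how many challenges a user may attempt in a given period.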
Electronic Commerce Security • Integrity - assurance that data and information (orders, reply to queries, and payment authorization) are not accidentally or maliciously altered or destroyed during transmission • Solution • Digital signature • Digital code attached to message that verifies origin and contents • Problems • Not everyone has digital signatures
Electronic Commerce Security • Privacy – How to prevent eavesdropping? • Solution • Encryption • Based on the mathematical difficulty of factoring a product into its two prime factors • If the prime numbers are large, supposedly difficult to crack • 56-bit DES encrypted message was decrypted in little over 22 hours by a network of volunteers and a special purpose computer called “Deep Crack”. • Standards: • Secure Sockets Layer (SSL) • Secure HTTP (S-HTTP) • Secure Electronic Transactions (SET)
Electronic Commerce Security • Fraud/Theft – How do you know if something is “stolen”? • Solution • Internet logs • “Electronic tags” on files, etc. • Problems • Cannot prevent people from saving page, images, etc. • If saved as images – almost impossible to determine if someone else has them.
Electronic Commerce Security • Sabotage – Can someone enter internal information system and access private information or destroy/alter information? • What do intruders do? • Scan/explore system (15%) • Change documents/files (15%) • e.g., credit rating, stealing • Plant a virus (11%) • Steal trade secrets (10%)
Hackers • Who are they? • People who gain unauthorized access for profit, criminal mischief or personal pleasure • “Training” manuals on WWW • Examples of tactics • “War dialing” – denial of service • Sniffers • Password crackers • Viruses
Viruses • First occurrence on the internet in 1988 by Robert Morris, CS student at Cornell • Went out of control; as it spread, it tied up memory and storage space • Hundreds of computer centers in research institutes and universities had to shut down • A virus intended to cause no harm cost over $100 million in lost access and direct labor costs • Anti-viral software
Sabotage – cont’d • Solution • Firewall • Sits between the internet and the internal network • Can be a router, or can use a third-party host for the web site • Firebreak – submit sensitive information over telephone or VAN – not over the internet • Problem • Only prevents inexperienced hackers
CERT • Computer Emergency Response Team • Helps determine who is breaking into sites, and publishes solutions to the method used for the breakin
Discussion Questions • Crime • Bank robbery: average loss is $3400, 85% chance of being caught • White collar: average loss is $23,000 • Computer fraud: average loss is $600,000, extremely hard to catch culprit • Why?
Discussion Questions cont’d • Computer fraud typically performed by insiders. • What measures can be used to minimize fraud? • Why doesn’t everyone use biometric access controls? • Should companies use firewalls to block employee access to outside web sites? • To track pages downloaded to PC? • Why don’t companies report computer fraud?
Network Security: Need combination to Minimize Risk • Authorization management • Firewall • Encryption • Advisory organization and consultants • e.g., CERT, ex-hackers OR • Disconnect from internet