1 / 28

Chapter 17

Chapter 17. Risks, Controls and Security Measures. Learning Objectives. When you finish this chapter, you will: Be able to identify the main types of risks to information systems. List various types of attacks on networked systems

margot
Download Presentation

Chapter 17

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 17 Risks, Controls and Security Measures

  2. Learning Objectives • When you finish this chapter, you will: • Be able to identify the main types of risks to information systems. • List various types of attacks on networked systems • Identify types of controls required to ensure the integrity of data entry and processing and uninterrupted e-commerce.

  3. Learning Objectives • Know the principles of how organizations develop recovery plans. • Be able to explain the economic aspects of pursuing information security.

  4. Nearly 20,000 digital attacks* occurred in January 2003 At this rate, we could see 180,000 attacks resulting in $80-100 billion in damages *mi2g Ltd., a digital risk management firm. Why do we care?

  5. Goals of Information Security • Reduce the risk of systems and organizations ceasing operations • Maintain information confidentiality • Ensure the integrity and reliability of data resources • Ensure uninterrupted availability of data resources and online operations • Ensure compliance with national security laws and privacy policies and laws

  6. Risks to Information Systems • Causes of systems downtime • Number-one is hardware failure • Fire and theft are the next two contributors • Risks to Hardware • Natural disasters • Blackouts and brownouts • Vandalism

  7. Risks to Information Systems • Risks to Applications and Data • Theft of information • Data alteration, data destruction, and defacement • Computer viruses and Logic Bombs • Nonmalicious mishaps

  8. Figure 17.2 Frequency of security breaches in a 12-month period based on a survey of 745 professionals Risks to Information Systems

  9. Risks to Online Operations • Denial of Service (DoS) • Too many requests are received to log on to a Web site’s pages • If perpetrated from multiple computers it is called distributed denial of service (DDoS) • Spoofing • Deception of users to make them think they are logged on at one site while they actually are on another

  10. Figure 17.3 Common controls to protect systems from risk Controlling Information System Risks • Controls: Constraints imposed on a user or a system to secure systems against risks.

  11. Controlling Information System Risks • Program Robustness and Data Entry Controls • Provide a clear and sound interface with the user • Menus and limits / data input constraints • Backup • Periodic duplication of all data • Access Controls • Ensure that only authorized people can gain access to systems and files • Access codes and passwords • Biometric • An access control unique in physical, measurable characteristic of a human being that is used to identify a person

  12. Controlling Information System Risks • Atomic Transactions • Ensures that transaction data are recorded properly in all the pertinent files to ensure integrity

  13. Controlling Information System Risks • Audit Trails • Built into an IS so that transactions can be traced to people, times, and authorization information

  14. Encryption • Authentication • Process of ensuring that the sender and receiver of a message is indeed that person • Original message – plaintext • Coded message – ciphertext • Messages scrambled on sending end; descramble to plain text on receiving end

  15. Figure 17.6 Estimated time needed to break encryption keys, using $100,000 worth of computer equipment Encryption Strength

  16. Encryption • Distribution Restrictions • Public Key encryption • Symmetric • Both sender and recipient use same key • Key is referred to as secret key • Asymmetric (also called public key encryption) • Sender is able to communicate key to recipient before message is sent

  17. Encryption

  18. Encryption • Secure Sockets Layer and Secure Hypertext Transport Protocol ensure online transactions are secure • Pretty Good Privacy – Network Associates product that allows individuals to register for public and private keys

  19. Digital signatures and Digital Certificates • Electronic Signatures • Digital Signatures • Different each time you send a message • Digital Certificates • Computer files that serve as the equivalent of ID cards

  20. Firewalls • Software whose purpose is to manage access to computing resources • Early firewalls used combination of hardware and software • While firewalls are used to keep unauthorized users out, they are also used to keep unauthorized software or instructions away • Computer viruses and other rogue software • Proxy Servers act as a buffer between internal and external networks

  21. Security Standards • The Orange Book (DOD)- Four security levels • Decision A: Verify Protection • Decision B: Mandatory Protection • Decision C: Discretionary Protection • Decision D: Minimal Protection or No Protection • The ISO Standard • Common set of requirements for IT product security functions and for assurance measures during security evaluation • Permits comparability between results of independent security tests

  22. The Downside of Security Controls • Security measures slow data communications and require discipline that is not easy to maintain • Passwords • Encryption • Firewalls • Drains personnel resources as well…

  23. Chief Security Officers

  24. Recovery Measures • The Business Recovery Plan – Nine steps proposed for development • Obtain management’s commitment to the plan • Establish a planning committee • Perform risk assessment and impact analysis • Prioritize recovery needs • Select a recovery plan • Select vendors • Develop and implement the plan • Test the plan • Continually test and evaluate

  25. Recovery Measures • Outsourcing the Recovery Plan • Some companies may choose not to develop their own recovery plan • Small companies may not be able to afford an expensive recovery plan • May opt for a Web-based service

  26. Median Amounts of IT Security Budgets by Industry

  27. The Economic Aspect of Security Measures • Two types of costs to consider when determining how much to spend on data security: • The cost of potential damage • The cost of implementing a preventive measure

  28. Figure 17.12 The total cost to the enterprise is lowest at “Optimum.” No less, and no more, should be spent on information security measures. The Economic Aspect of Security Measures

More Related