Securing Information Systems


Management Information System Chapter 8


SECURING INFORMATION SYSTEMS

ATHICHA SOOTHIPHAN 54104001-0

KHAJEEPAN CHAIWANG 54104002-8

NATTAWAN RANGKAEW 54107004-1

PATTADON KAEWINTRA 54103001-1

JAKKRIT PHUWASET 54104020-0

UGYEN DORJI 54103005-2

TSHERING YANGKI 54107017-3

PHUNTSHOK LHAMO 54104024-2

NIKESH MUDBHARY 54104011-9

ABHINAY SWAR 55104020-7

ITTIMA TANGSAHAMAITRI 54104019-2

BENJAPORN NANTAJAI 53104030-1

RAMITA PRODKHORNBURI 52107014-4

SYSTEM VULNERABILITY AND ABUSE

WHY SYSTEMS ARE VULNERABLE?

Accessibility of networks
Hardware problems
Software problems
Loss of portable devices
Use of networks outside of the firm's control
Disasters
Internet vulnerabilities
Wireless security challenges

INTERNET VULNERABILITIES

Network open to anyone
Enormously widespread impact
Creates fixed targets for hackers
Unencrypted VOIP (Voice over Internet Protocol)
Widespread use of e-mail, P2P (peer-to-peer) and IM (instant messaging)

WIRELESS SECURITY CHALLENGES

Radio frequency bands are easy to scan
SSIDs (Service Set Identifiers)

INTERNAL THREATS: EMPLOYEES

Security threats often originate inside an organization
Inside knowledge
Sloppy security procedures
Social engineering

MALWARE

Computer viruses
Worms
Trojan horses
SQL injection attacks
Spyware

HACKERS AND COMPUTER CRIME

Sniffer
Cyberterrorism and cyberwarfare
Click fraud
Pharming
Evil twins
Phishing
Identity theft
Computer crime
DDoS (distributed denial-of-service) attacks
DoS (denial-of-service) attacks

SOFTWARE VULNERABILITY

A weakness in software that could allow an attacker to compromise the integrity, availability, or confidentiality of that software.

HIDDEN BUG

A hidden bug, or defect in the program code, is a mistake in the program that allows a hacker to compromise the software.

Cause of hidden bugs: made accidentally

PATCHES

Software that fixes the hidden bug (usually created after exploits have already happened).

Created by the software developer.

BUSINESS VALUE OF SECURITY AND CONTROL

LEGAL AND REGULATORY REQUIREMENTS FOR ELECTRONIC RECORDS MANAGEMENT AND PRIVACY PROTECTION

HIPAA: Medical security and privacy rules and procedures

Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security and confidentiality of customer data

Sarbanes-Oxley Act: Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally

ELECTRONIC EVIDENCE

Evidence for white-collar crimes is often in digital form. Proper control of data can save time and money when responding to legal discovery requests.

COMPUTER FORENSICS

The scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law.

Includes recovery of ambient and hidden data.

ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROLS

Protection of information resources requires a well-designed set of controls. Computer systems are controlled by a combination of general controls and application controls. General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization’s information technology infrastructure.

Types of Information Systems Controls

GENERAL CONTROLS

General controls include software controls, physical hardware controls, computer operations controls, data security controls, controls over the systems implementation process, and administrative controls.

APPLICATION CONTROLS

Application controls include both automated and manual procedures that ensure that only authorized data are completely and accurately processed by that application. Application controls can be classified as (1) input controls, (2) processing controls, and (3) output controls.
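As an added example that is not part of the original slides, the following Python shows the three classes of application controls applied to a constructed payroll-style batch: input controls reject incomplete, mistyped or unreasonable rows before processing; processing controls compare the record count and a control total (sum of hours) fixed at input time with what was actually processed, so a lost or altered record is detected; output controls reconcile the printed report with the processing results before release. The field names, the 80-hour limit and the sample rows are assumptions made for this illustration.

```python
"""Added example (not from the slides): input, processing and output controls
applied to a constructed payroll batch. All field names, limits and sample
data are assumptions made for illustration."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed batch of rows as submitted by a hypothetical timesheet system.
RAW_BATCH = [
    {"emp_id": "E001", "hours": "40", "rate": "25.00"},
    {"emp_id": "E002", "hours": "38.5", "rate": "30.00"},
    {"emp_id": "", "hours": "40", "rate": "25.00"},         # completeness check fails
    {"emp_id": "E004", "hours": "-5", "rate": "25.00"},     # reasonableness check fails
    {"emp_id": "E005", "hours": "forty", "rate": "25.00"},  # data type check fails
]

MAX_HOURS = Decimal("80")   # assumed reasonableness limit for one pay period


@dataclass(frozen=True)
class Record:
    emp_id: str
    hours: Decimal
    rate: Decimal


def input_controls(raw_rows):
    """Edit checks on each submitted row: completeness, data type, reasonableness.
    Returns (accepted records, list of (row, reason) rejections)."""
    accepted, rejected = [], []
    for row in raw_rows:
        if not row.get("emp_id"):
            rejected.append((row, "missing emp_id"))
            continue
        try:
            hours, rate = Decimal(row["hours"]), Decimal(row["rate"])
        except InvalidOperation:
            rejected.append((row, "non-numeric hours or rate"))
            continue
        if not Decimal("0") <= hours <= MAX_HOURS:
            rejected.append((row, f"hours outside 0..{MAX_HOURS}"))
            continue
        accepted.append(Record(row["emp_id"], hours, rate))
    return accepted, rejected


def control_totals(records):
    """Record count plus a control total (sum of hours), fixed at input time."""
    return len(records), sum((r.hours for r in records), Decimal("0"))


def process_payroll(records, expected_count, expected_hours):
    """Compute gross pay while tallying what was actually processed, then compare
    the tally with the totals established at input time (processing control)."""
    pay, seen_count, seen_hours = [], 0, Decimal("0")
    for r in records:
        pay.append((r.emp_id, r.hours * r.rate))
        seen_count += 1
        seen_hours += r.hours
    if (seen_count, seen_hours) != (expected_count, expected_hours):
        raise RuntimeError("processing control failed: batch incomplete or altered")
    return pay


def build_report(pay):
    """Output stage: per-employee lines and the grand total as it would be printed."""
    return {"lines": list(pay), "total": sum(amount for _, amount in pay)}


def output_controls(report, pay):
    """Reconcile the report's line count and printed total with the processing
    results before the report is released (output control)."""
    return len(report["lines"]) == len(pay) and report["total"] == sum(a for _, a in pay)


def run_batch(raw_rows):
    """Run a batch through all three control layers; returns (report, rejections)."""
    accepted, rejected = input_controls(raw_rows)
    count_in, hours_in = control_totals(accepted)
    pay = process_payroll(accepted, count_in, hours_in)
    report = build_report(pay)
    if not output_controls(report, pay):
        raise RuntimeError("output control failed: report does not reconcile")
    return report, rejected


if __name__ == "__main__":
    report, rejected = run_batch(RAW_BATCH)
    for emp_id, amount in report["lines"]:
        print(f"{emp_id}: {amount}")
    print(f"total: {report['total']}, rejected rows: {len(rejected)}")
    for row, reason in rejected:
        print(f"rejected {row['emp_id'] or '<blank>'}: {reason}")
```

Of the five constructed rows, two pass the edit checks and three are rejected with a stated reason; the control totals make a record silently dropped between input and processing visible as a failed processing control rather than a short payroll run.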

ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL

SECURITY POLICY

Acceptable use policy (AUP)
Authorization policies

RISK ASSESSMENT

EXPOSURE        PROBABILITY   LOSS RANGE (AVG)         EXPECTED ANNUAL LOSS
Power failure   30%           $5K–$200K ($102,500)     $30,750
Embezzlement    5%            $1K–$50K ($25,500)       $1,275
User error      98%           $200–$40K ($20,100)      $19,698

Exposure: type of threat
Probability: probability of occurrence during the year
Loss range (avg): potential losses, value of the threat
Expected annual loss: probability multiplied by the average loss (for example, 30% × $102,500 = $30,750)
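As an added example that is not part of the original slides, the following Python reproduces the expected annual loss column for the three exposures in the table above from the probability and the loss range, and ranks the exposures by expected loss so the ones that matter most for control spending come first. The parser for the slide's "$5K–$200K" range notation and the use of Decimal arithmetic are my own assumptions.

```python
"""Added example (not from the slides): expected annual loss from a risk
assessment table. The loss-range notation parser is constructed here for the
"$5K–$200K" style used in the table."""
import re
from decimal import Decimal

# Matches "$5K–$200K", "$200–$40K", "1.5M-3M"; en dash or hyphen between bounds.
LOSS_RANGE = re.compile(
    r"^\$?(\d+(?:\.\d+)?)(K|M)?\s*[–-]\s*\$?(\d+(?:\.\d+)?)(K|M)?$"
)
MULTIPLIER = {None: 1, "K": 1_000, "M": 1_000_000}


def parse_loss_range(text):
    """Return (low, high) as Decimals from a range string such as "$5K–$200K"."""
    m = LOSS_RANGE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised loss range: {text!r}")
    low = Decimal(m.group(1)) * MULTIPLIER[m.group(2)]
    high = Decimal(m.group(3)) * MULTIPLIER[m.group(4)]
    if low > high:
        raise ValueError(f"loss range lower bound exceeds upper bound: {text!r}")
    return low, high


def average_loss(low, high):
    """Midpoint of the loss range, the figure shown in parentheses in the table."""
    return (low + high) / 2


def expected_annual_loss(probability, low, high):
    """Expected annual loss = probability of occurrence in a year x average loss."""
    return probability * average_loss(low, high)


def assess(exposures):
    """Build the risk assessment rows and rank them by expected annual loss.
    `exposures` is a list of (name, probability as Decimal fraction, range string)."""
    rows = []
    for name, probability, range_text in exposures:
        low, high = parse_loss_range(range_text)
        rows.append({
            "exposure": name,
            "probability": probability,
            "average_loss": average_loss(low, high),
            "expected_annual_loss": expected_annual_loss(probability, low, high),
        })
    rows.sort(key=lambda r: r["expected_annual_loss"], reverse=True)
    return rows


# The three exposures from the slide's risk assessment table.
TABLE = [
    ("Power failure", Decimal("0.30"), "$5K–$200K"),
    ("Embezzlement", Decimal("0.05"), "$1K–$50K"),
    ("User error", Decimal("0.98"), "$200–$40K"),
]

if __name__ == "__main__":
    for row in assess(TABLE):
        print(f"{row['exposure']:<14} {row['probability']:>5.0%}  "
              f"avg ${row['average_loss']:>9,.0f}  EAL ${row['expected_annual_loss']:>9,.0f}")
```

Ranking by expected annual loss puts user error (98% probability, modest average loss) close behind power failure, while embezzlement, despite a large maximum loss, carries a small expected loss; this is the ordering the table supports and the reason probability and loss are assessed together rather than either alone.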

IDENTITY MANAGEMENT

An identity management system:
Identifies and authorizes different categories of users
Specifies which portions of the system users can access
Authenticates users and protects identities
Captures access rules for different levels of users

Disaster Recovery Planning

Business Continuity Planning

Identify the firm's most critical systems
Determine the impact of an outage
Determine which systems are restored first

MIS Audit

Identifies all the controls that govern individual information systems and assesses their effectiveness.

TECHNOLOGIES & TOOLS FOR PROTECTING INFORMATION RESOURCES

Identity Management Software

Authentication

Firewalls, Intrusion Detection System, Antivirus and Antispyware

Unified Threat Management System

Ensuring System Availability

Fault-Tolerant Computer System

High-Availability computing

Deep packet inspection (DPI)

Recovery-oriented computing

Managed security service provider

Encryption

Cipher text

DIGITAL CERTIFICATE

Public key infrastructure (PKI)

SECURITY ISSUES

Securing wireless networks
Security in the cloud
Securing mobile platforms
