MIS 2000 Class 22: System Security (Update: Winter 2015)

Outline

Security threats concept
Sniffing
Encryption defense
Malware
Data theft
Intrusion detection system, password & firewall defenses
Internet threats and defenses
Internal threats & defenses
Summary


Information Systems’ Vulnerability

Network-related challenges:

Access to local and wide area networks (Internet) brings risks.

Anyone from inside/outside the organization can attempt to infiltrate information systems. The risks of unauthorized access to data, stealing and destruction are greater than with paper, which exists in one original form and can be securely locked.

Digital data can also be changed without the fraud being easily detected, one of its disadvantages in comparison with paper.*

Security Threats - External

Data theft
Malware (virus, worm…)
False identity (spoofing/phishing)
Power failure, natural disaster
Sniffing


Sniffing

Sniffing refers to an uninvited party listening to a communication channel.

Sniffing is a version of unauthorized access.

Conversations on cell phones can easily be sniffed.*

WiFi channels are also vulnerable.

Defense: Encryption of the data transferred. The content is scrambled into an illegible format by a programming method.

Example: “Hi, how are you?” can be encrypted into something like “xy&*z-&8w4}”. See next slide.


Encryption

Encryption = scrambling of a message to prevent unauthorized parties from reading it.

Encryption is a defense against sniffing of a communication channel.

Single key encryption – Sender and receiver use the same private key for encryption and decryption.

Double key encryption – Sender and receiver use a combination of a public and a private key:

Encrypt with recipient’s public key
Decrypt with recipient’s private key

Digital Certificate - public key and a proof of its validity issued by a certificate authority (e.g., VeriSign); licensed annually. Critical for e-commerce; important in other Internet communications.

[Diagram: Certificate Authority, Digital Certificate; a Digital Signature can be applied]
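The double key scheme on this slide, worked through as an added example that is not part of the original slides: the sender encrypts with the recipient's public key, only the recipient's private key decrypts, and a digital signature made with the sender's private key is checked with the sender's public key. It uses textbook RSA with constructed Mersenne-prime keys and illustrative function names; these keys are far too weak for real use, where a vetted library with padding and 2048-bit or larger keys is required.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Build keys from two primes: public = (E, n), private = (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)   # d is the inverse of E modulo phi

def encrypt(message, recipient_public):
    """Sender: scramble the message with the recipient's PUBLIC key."""
    e, n = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key size")
    return pow(m, e, n)

def decrypt(ciphertext, recipient_private):
    """Recipient: only the matching PRIVATE key recovers the message."""
    d, n = recipient_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message, n):
    """SHA-256 of the message, reduced to fit the (small) teaching modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, signer_private):
    """Signer: transform the message digest with the signer's PRIVATE key."""
    d, n = signer_private
    return pow(_digest(message, n), d, n)

def verify(message, signature, signer_public):
    """Anyone: check the signature with the signer's PUBLIC key."""
    e, n = signer_public
    return pow(signature, e, n) == _digest(message, n)

# Constructed teaching keys (assumption): Mersenne primes are easy to guess,
# so these keys offer no real protection.
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
SENDER_PUB, SENDER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    msg = b"Hi, how are you?"
    wire = encrypt(msg, RECIPIENT_PUB)        # what a sniffer would capture
    print("on the wire:", hex(wire))
    print("recipient reads:", decrypt(wire, RECIPIENT_PRIV))
    print("signature valid:", verify(msg, sign(msg, SENDER_PRIV), SENDER_PUB))
```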

Malware

Malware = malicious software that can harm data and/or computer software, and even hardware.

Virus (a legend about their origin) – destructive to data & software

Worm – replicates itself, taking computing resources and impairing computer functioning (e.g., reduced speed and screen freezes).

Trojan – blocks system security functions, thus opening doors for other malware.

Adware – presents unwanted ads in pop-up or pop-under windows.

Spyware – observes the user's activities and reports them to an external party.

Defenses:

Anti-virus software. Automatically and continuously updated online by the vendor. Critical for Internet.*

Firewall (see later slide)


Data Theft

Data theft is the stealing of data by hackers. It is also an internal threat in organizations, when an unauthorized person accesses data.

Also, data storage devices or mobile tech. can be stolen or lost.

Defenses:

Firewall: a whole security-tasked IS for guarding access

More Defenses from Data Theft

Intrusion Detection System (IDS). Automatically detects suspicious network traffic.

• Supports firewall
• Rules defining suspicious moves
• Monitoring internal traffic as well

Passwords for access

Physical: Locking up computers and storage devices.

Mobile tech. methods: Combining passwords, storage encryption*, locks, remote data wipes.


False Identity

Also called spoofing, phishing, social engineering…*

A malevolent party pretends to be a company or a person they really are not, and tries to get personal data (credit card numbers etc.).

Defense: Vigilance and caution!

Never go to Web sites you are invited to via email or on social media, unless you are absolutely sure the site/invitation is real.**

Never engage in “money transfer” schemes unknown persons offer you via email or texting.


Internal Security Threats & Defenses

Within organizations. Threats are bigger as people are closer to technologies and data storage.

Unauthorized access, change and copying of data; also, stealing data storage.

Unauthorized access to data: when a user does not have a particular privilege (read, write, change, delete) but gets it somehow.

Human errors: leaving data unprotected, poor & lost passwords, not locking data/hardware/software.

Defenses:

Physical securing; passwords; biometric methods (fingertip readers).

Managing access to data (system administrators)

Training, supervision


Power failure & Natural disasters

Power failure can be an internal or external threat.

Defense: Have backup electricity generators ready to take over.

Natural disasters belong to external threats.

Defense:

Have disaster management plans

Extra computing facilities off-site (can be rented).

Keep backup data off-site.

Run regular checks to assess preparedness.

Summary

Security threats are external and internal, and include malware, false identity, sniffing, data theft, and unauthorized access to and changing of data (tampering).

Mobile phones and devices and wireless channels are very vulnerable.

Internet increases security risks.

Defenses include data encryption, intrusion detection systems, passwords, firewalls, physical means, and managing system access.
