Control and Information Security (IS342)
Lecture 12
Abdisalam Issa-Salwe
Taibah University
Information Systems
College of Computer Science & Engineering
Abdisalam Issa-Salwe, Taibah University, College of Computer Science & Engineering
Topic list
• About control
• Security/threats and risk
• Intrusion prevention
• Contingency planning
• Building control into an information system
• Privacy and data protection
• Internal vs external threat
About control
• Control is the process through which standards for the performance of people and processes are set, communicated, and applied.
• Effective control systems use mechanisms to monitor activities and take corrective action if necessary.
About control (cont…)
• The control process is a continuous flow between measuring, comparing and acting. The steps in the control process are, for example:
  - establishing performance standards,
  - measuring actual performance,
  - comparing measured performance against established standards, and
  - taking corrective action.
About control (cont…)
• Security controls are the set of organizational structures, policies, standards, procedures, and technologies which support the business functions of the enterprise while reducing risk exposure and protecting information.
• By purpose:
  - Preventative: designed to keep errors or irregularities from occurring
  - Detective: designed to detect errors and irregularities which have already occurred and to report them to appropriate personnel
  - Responsive: designed to respond to errors or irregularities, restore operations and prevent future issues
• By type:
  - Administrative: processes and procedures
  - Technical: software and hardware technologies
  - Physical: facility and environmental security
Why Information Security? (cont…)
• Security in the information management context means the protection of data from accidental or deliberate threats which might cause:
  - unauthorised modification,
  - disclosure or destruction of data, and
  - the protection of the information system from the degradation or non-availability of services
Control/Security
• Information security is the protection of information to prevent loss, unauthorized access or misuse.
• It is also the process of assessing threats and risks to information and the procedures and controls to preserve:
  - Confidentiality: access to data is limited to authorized entities
  - Integrity: assurance that the data is accurate and complete
  - Availability: data is accessible, when required, by those who are authorized to access it
Data management (cont…)
• Security protection of personal information starts with strong data management practices
• Database management:
  - User access controls
  - Database administrator access controls
  - Restrictions on view, update, modification, or deletion of data
  - Appropriate usage guidelines for data
  - Use of real personal information in development and test environments
Data management (cont…)
• The disaster recovery plan allows an organization to respond to an interruption in services by restoring critical business functions and data
• Backups
  - Backup media should be secure
  - Backups should be reliable for recovery purposes
  - Backup and restore processes should be controlled to avoid errors and unauthorized access
  - Backup media should be tested regularly to ensure integrity
• Recovery
  - Recovery plans should be documented and tested
  - Data recovery is usually integrated with disaster recovery and business continuity plans
Intrusion Prevention
Prevention is the best possible cure
• Firewalls
• Anti-virus
• Content scanning
• Security patches
• Emerging intrusion prevention systems
• User awareness
Contingency planning
• Risk is a function of the likelihood of a threat exploiting a security vulnerability with a resulting impact
• Potential threats
  - Emergency situations or natural events
  - Organized or deliberate malicious actions
  - Internal accidents, carelessness, or ignorance
  - Malicious code (viruses, worms, spyware, malware)
  - Loss of utilities or services
  - Equipment or systems failure
  - Serious information security events
• Security vulnerabilities
  - Unsecured accounts
  - Unpatched systems
  - Insecure configurations
  - Network perimeter weaknesses
  - Inappropriate trust models
  - Untrained users and administrators
Why Information Security?
• IT and computers have brought the ‘Information Age’
• The spread of the Internet and the relative ease of access have made ‘information breach’ easier:
  - Unauthorised reading of data
  - Unauthorised modification of data
  - Unauthorised destruction of data
Why Information Security? (cont…)
• Your future is not secure if your information is not secure
• Information resources need to be guarded, protected and controlled
Internal vs External Threat
• The external threats: the organisation’s connection to the Internet
Phishing: a high-tech scam that uses email or websites to deceive you into disclosing your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information
Mobile Code: Automatically runs hostile programs on your computer without your knowledge simply because you visited a web site
To ensure your system does not get infected by viruses you should perform all of the following:
• Scan all email attachments
• Ensure your anti-virus software scans your system daily
• Turn off the option for your email to automatically download attachments
Physical access control
• Personal identification numbers (PINs)
• Door locks
• Card entry systems
• Computer theft
Building control into an information system
• Control can be classified into:
  - Security control: the protection of data from accidental or deliberate threats
  - Integrity control: in the context of security, integrity is preserved when data is the same as in the source documents and has not been accidentally or intentionally altered, destroyed or disclosed
  - System integrity: the system operates in conformance with its design specification despite attempts (deliberate or accidental) to make it behave incorrectly
  - Contingency controls: a contingency is an unscheduled interruption of computing services that requires measures outside the day-to-day routine operating procedures
Building control into an information system (cont…)
• Data will maintain its integrity if it is complete and not corrupt. This means that:
  - the original input of the data must be controlled
  - any processing and storage should be set up so that they are complete and correct
Building control into an information system (cont…)
• Input control should ensure the accuracy, completeness and validity of data:
  - Data verification involves ensuring that the data entered matches the source documents
  - Data validation involves ensuring that the data entered is not incomplete or unreasonable. Various checks are used:
    - Check digits
    - Control totals
    - Hash totals
    - Range checks
    - Limit checks
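The validation checks listed above, applied to one constructed batch of payment records (an added example, not code from the lecture notes): the batch layout, the field names and the use of a Luhn mod-10 check digit on account numbers are assumptions, and the header totals, accounts and amounts are constructed sample input.

```python
def luhn_valid(number: str) -> bool:
    """Check digit (assumed Luhn mod-10): catches a single mis-keyed digit and most adjacent transpositions."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Account numbers as they appear on the source documents (constructed values).
SOURCE_ACCOUNTS = ["79927398713", "4539578763621486", "1234567812345670"]

# Batch header: totals computed from the source documents before keying. The hash total
# (sum of account numbers) has no business meaning, but it changes whenever an account
# is mis-keyed, dropped or duplicated; the control total is the sum of the amounts.
BATCH_HEADER = {
    "record_count": 3,
    "control_total": 1250.00,
    "hash_total": sum(int(a) for a in SOURCE_ACCOUNTS),
}

# What was actually keyed in: the second account has its last two digits transposed.
KEYED_RECORDS = [
    {"account": "79927398713", "amount": 500.00},
    {"account": "4539578763621468", "amount": 250.00},
    {"account": "1234567812345670", "amount": 500.00},
]

def validate_batch(header, records, amount_range=(0.01, 10000.00), batch_limit=100000.00):
    """Apply the input controls to one batch; returns a list of findings (empty = pass)."""
    findings = []
    if len(records) != header["record_count"]:
        findings.append(f"record count {len(records)} != {header['record_count']}")
    hash_total = sum(int(r["account"]) for r in records if r["account"].isdigit())
    if hash_total != header["hash_total"]:
        findings.append("hash total mismatch: an account was mis-keyed, dropped or duplicated")
    control_total = round(sum(r["amount"] for r in records), 2)
    if control_total != header["control_total"]:
        findings.append(f"control total {control_total} != {header['control_total']}")
    if control_total > batch_limit:      # limit check: ceiling on the whole batch
        findings.append(f"batch total {control_total} exceeds limit {batch_limit}")
    lo, hi = amount_range
    for i, r in enumerate(records):
        if not luhn_valid(r["account"]):
            findings.append(f"record {i}: account {r['account']} fails check digit")
        if not lo <= r["amount"] <= hi:  # range check: per-record amount must be plausible
            findings.append(f"record {i}: amount {r['amount']} outside {lo}-{hi}")
    return findings
```

Running validate_batch(BATCH_HEADER, KEYED_RECORDS) reports both the hash-total mismatch and the failed check digit on the transposed account, while the same records with the correct account pass cleanly.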
Privacy and data protection
• Privacy:
  - The right of the individual to control the use of information about him or her, including information on financial status, health and lifestyle (i.e. to prevent unauthorised disclosure).
Data protection principles
• Personal data is information about a living individual, including expressions of opinion about him or her. Data about an organisation is not personal data
• Data users are organisations or individuals who control personal data and the use of personal data
• A data subject is an individual who is the subject of personal data
Internet security issues
• Establishing organisational links to the Internet brings numerous security dangers
• Corruptions such as viruses on a single computer can spread through the network to all the organisation's computers
• Hacking: attempting to gain unauthorised access to a computer system
About viruses
• A virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.
• Viruses can also replicate themselves. All computer viruses are manmade.
• A simple virus that can make a copy of itself over and over again is relatively easy to produce.
• Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt.
• An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.
Types of virus/program
• File virus: file viruses infect program files
• Boot sector or ‘stealth’ virus: the boot sector is a part of every hard disk and diskette. A stealth virus hides from virus detection programs by concealing itself in boot records or files.
• Trojan: a small program that performs an unexpected function. It hides itself inside a ‘valid’ program.
• Logic bomb: a program that is executed when a specific act is performed.
Types of virus/program (cont…)
• Time bomb: a program that is activated at a certain time or date, such as Friday the 13th or April 1st
• Worm: a type of virus that can replicate (copy) itself and use memory, but cannot attach itself to other programs
• Dropper: a program that installs a virus while performing another function
Types of virus/program (cont…)
• Macro virus: a piece of self-replicating code written in an application’s ‘macro’ language. For example, Melissa was a well-publicised macro virus
Tutorial Question
Information system management and security on the Internet
Discuss