
Lecture12(IS342)(Control&Security)


Control and Information Security (IS342)

Lecture 12

Abdisalam Issa-Salwe

Taibah University

Information Systems

College of Computer Science & Engineering

Abdisalam Issa-Salwe, Taibah University, College of Computer Science & Engineering

Topic list

• About control
• Security/threats and risk
• Intrusion prevention
• Contingency planning
• Building control into an information system
• Privacy and data protection
• Internal vs external threat


About control

• Control is the process through which standards for the performance of people and processes are set, communicated and applied.
• Effective control systems use mechanisms to monitor activities and take corrective action if necessary.


About control (cont…)

• The control process is a continuous cycle of measuring, comparing and acting. The steps in the control process are, for example:
  • Establishing performance standards
  • Measuring actual performance
  • Comparing measured performance against the established standards
  • Taking corrective action


About control (cont…)

• Security controls are the organisational structures, policies, standards, procedures and technologies that support the business functions of the enterprise while reducing risk exposure and protecting information. Classified by purpose they are:
  • Preventative: designed to keep errors or irregularities from occurring
  • Detective: designed to detect errors and irregularities that have already occurred and to report them to the appropriate personnel
  • Responsive: designed to respond to errors or irregularities, restore operations and prevent recurrence
• Classified by the means of implementation they are:
  • Administrative: processes and procedures
  • Technical: software and hardware technologies
  • Physical: facility and environmental security


Why Information Security? (cont…)

• Security, in the information management context, means:
  • the protection of data from accidental or deliberate threats that might cause unauthorised modification, disclosure or destruction of data, and
  • the protection of the information system from degradation or non-availability of its services


Control/Security

• Information security is the protection of information to prevent loss, unauthorised access or misuse.
• It is also the process of assessing threats and risks to information, and the procedures and controls that preserve:
  • Confidentiality: access to data is limited to authorised entities
  • Integrity: assurance that the data is accurate and complete
  • Availability: data is accessible, when required, by those who are authorised to access it


Data management (cont…)

• Security protection of personal information starts with strong data management practices
• Database management
  • User access controls
  • Database administrator access controls
  • Restrictions on viewing, updating, modifying or deleting data
  • Appropriate usage guidelines for data
  • Use of real personal information in development and test environments
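The last point above is the one most often got wrong in practice: a copy of the production database is handed to developers or testers, and the personal data in it is now outside every control that protects production. The block below is an added example, not code from the lecture, showing one way to make that copy safe. It replaces the direct identifiers with keyed pseudonyms (HMAC-SHA256) so that rows still join up for testing but the real values cannot be recovered, and it includes a release gate that refuses a copy in which any real identifier survives. The table layout, the records, the key and the field names are all constructed for the example.

```python
"""Added example (not from the lecture): build a development/test copy of a
customer table in which the direct identifiers are replaced by keyed
pseudonyms, so real personal information never leaves production.
The table layout, the key and the records are constructed for the example."""
import hashlib
import hmac
from typing import Dict, List

# Constructed production records (fictitious people). Rows 1 and 3 belong to
# the same person, so the copy can show that joins still work afterwards.
PRODUCTION_ROWS: List[Dict[str, str]] = [
    {"customer_id": "1001", "name": "Amina Yusuf", "email": "amina@example.com", "balance": "250.00"},
    {"customer_id": "1002", "name": "Omar Haji", "email": "omar@example.org", "balance": "-12.50"},
    {"customer_id": "1003", "name": "Amina Yusuf", "email": "amina@example.com", "balance": "999.99"},
]

# Fields that identify a living individual; these must not reach test systems.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(key: bytes, value: str, length: int = 12) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 of the normalised value,
    truncated to `length` hex characters. Equal inputs give equal tokens, so
    relationships between rows survive, but without the key the token cannot
    be reversed, and a dictionary attack on a plain hash does not apply."""
    mac = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudonymise_rows(key: bytes, rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return a copy of `rows` with every direct identifier replaced. E-mail
    addresses keep a valid shape under the reserved .test TLD so that the
    application's own input validation still accepts the test data."""
    out = []
    for row in rows:
        copy = dict(row)
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(key, row[field])
            copy[field] = f"{token}@example.test" if field == "email" else token
        out.append(copy)
    return out


def leaks_real_identifier(candidate: List[Dict[str, str]], production: List[Dict[str, str]]) -> bool:
    """Release gate: True if any direct identifier from production survives
    verbatim in the candidate copy. Run it before the copy leaves production."""
    real = {row[f].strip().lower() for row in production for f in DIRECT_IDENTIFIERS}
    return any(row[f].strip().lower() in real for row in candidate for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = b"kept-in-production-secret-store"  # constructed; never shipped with the copy
    test_copy = pseudonymise_rows(key, PRODUCTION_ROWS)
    for row in test_copy:
        print(row)
    print("safe to release:", not leaks_real_identifier(test_copy, PRODUCTION_ROWS))
```

The key stays in production: if it travelled with the test copy, anyone holding the copy could confirm guesses ("is this token Amina Yusuf?") by recomputing the HMAC. Non-identifying fields such as the balance are left untouched so that the test data still exercises the same business logic as production.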


Data management (cont…)

• A disaster recovery plan allows an organisation to respond to an interruption in services by restoring critical business functions and data.
• Backups
  • Backup media should be kept secure
  • Backups should be reliable for recovery purposes
  • Backup and restore processes should be controlled to avoid errors and unauthorised access
  • Backup media should be tested regularly, by actually restoring from it, to ensure integrity
• Recovery
  • Recovery plans should be documented and tested
  • Data recovery is usually integrated with the disaster recovery and business continuity plans
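"Backup media should be tested regularly to ensure integrity" needs something to test against. The block below is an added example, not code from the lecture: when the backup is written, a manifest records the size and SHA-256 of every file, and the manifest is sealed with an HMAC under a key held by the backup operators rather than stored on the media. At restore-test time the manifest is verified first and then every file is checked against it, so corruption, a missing file, an extra file or a rewritten backup are all reported before the media is trusted. File names, contents and the key are constructed for the example.

```python
"""Added example (not from the lecture): a sealed manifest for a backup set,
so a regular restore test can tell whether the media still holds exactly
what was written. File names, contents and the key are constructed here."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Record each file's size and SHA-256 at backup time, as canonical JSON."""
    entries = {name: {"size": len(data), "sha256": sha256_hex(data)}
               for name, data in files.items()}
    return json.dumps(entries, sort_keys=True, separators=(",", ":"))


def seal_manifest(key: bytes, manifest: str) -> str:
    """HMAC over the manifest. The key lives with the backup operators, not on
    the media, so someone who can rewrite the backup cannot also forge the
    manifest that vouches for it."""
    return hmac.new(key, manifest.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_backup(key: bytes, manifest: str, tag: str,
                  files: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Restore-time check. Returns (ok, problems); problems names every file
    that is missing, altered or not accounted for by the manifest."""
    if not hmac.compare_digest(seal_manifest(key, manifest), tag):
        return False, ["manifest tag does not verify"]
    expected = json.loads(manifest)
    problems: List[str] = []
    for name, meta in expected.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif len(files[name]) != meta["size"] or sha256_hex(files[name]) != meta["sha256"]:
            problems.append(f"changed: {name}")
    for name in files:
        if name not in expected:
            problems.append(f"unexpected: {name}")
    return (not problems), problems


# Constructed backup set standing in for the files written to backup media.
BACKUP_SET: Dict[str, bytes] = {
    "customers.csv": b"id,name\n1,Amina\n2,Omar\n",
    "orders.csv": b"id,customer\n10,1\n11,2\n",
}
OPERATOR_KEY = b"constructed-operator-key"
MANIFEST = build_manifest(BACKUP_SET)
TAG = seal_manifest(OPERATOR_KEY, MANIFEST)


if __name__ == "__main__":
    print("fresh backup:", verify_backup(OPERATOR_KEY, MANIFEST, TAG, BACKUP_SET))
    damaged = dict(BACKUP_SET)
    damaged["orders.csv"] = damaged["orders.csv"].replace(b"11,2", b"11,9")
    print("bit-rot or tampering:", verify_backup(OPERATOR_KEY, MANIFEST, TAG, damaged))
```

The manifest check answers "is the media intact?"; it does not answer "can we rebuild the service from it?", which is why the recovery plan itself still has to be exercised end to end.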


Intrusion Prevention

Prevention is the best possible cure:

• Firewalls
• Anti-virus
• Content scanning
• Security patches
• Emerging intrusion prevention systems
• User awareness


Contingency planning

• Risk is a function of the likelihood of a threat exploiting a security vulnerability and the resulting impact
• Potential threats
  • Emergency situations or natural events
  • Organised or deliberate malicious actions
  • Internal accidents, carelessness or ignorance
  • Malicious code (viruses, worms, spyware, malware)
  • Loss of utilities or services
  • Equipment or systems failure
  • Serious information security events
• Security vulnerabilities
  • Unsecured accounts
  • Unpatched systems
  • Insecure configurations
  • Network perimeter weaknesses
  • Inappropriate trust models
  • Untrained users and administrators


Why information Security?

• IT and computers have brought the 'Information Age'
• The spread of the Internet and the relative ease of access have made 'information breach' easier:
  • Unauthorised reading of data
  • Unauthorised modification of data
  • Unauthorised destruction of data


Why Information Security? (cont…)

• Your future is not secure if your information is not secure
• Information resources need to be guarded, protected and controlled


Internal vs External Threat

• The external threat: the organisation's connection to the Internet


• Phishing: a high-tech scam that uses email or websites to deceive you into disclosing your credit card numbers, bank account information, Social Security number, passwords or other sensitive information
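The deception in a phishing email is usually carried by its links: the visible text names the real organisation while the href goes somewhere else. The block below is an added example, not code from the lecture, that parses the links out of a constructed HTML message and flags the common signs: a link host outside the claimed sender's domain (assumed known here as "bank.example"), visible URL text that disagrees with the real destination, a raw IP address, and user-info before the "@" that makes "bank.example@..." look legitimate. The message, the sender domain and the heuristics are the example's own.

```python
"""Added example (not from the lecture): a detector for the link tricks that
phishing e-mails rely on, run over a constructed HTML message. It assumes the
mail's claimed sender domain is known (here "bank.example")."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Good enough for the example; a real
    filter would use the public suffix list (co.uk and the like)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def suspicious_links(html: str, sender_domain: str) -> List[Tuple[str, List[str]]]:
    """Return [(href, reasons)] for every link that shows a phishing sign."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = url.hostname or ""
        if not host:
            continue  # mailto: or relative links: nothing to judge here
        reasons: List[str] = []
        if IPV4.match(host):
            reasons.append("link points at a raw IP address")
        if "@" in url.netloc:
            reasons.append("user-info before the host hides the real destination")
        if registrable_domain(host) != sender_domain:
            reasons.append(f"link host {host} is not under the sender domain {sender_domain}")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"visible text says {shown.group(1)} but the link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed message claiming to come from bank.example.
SAMPLE_MAIL = """
<p>Dear customer, your account has been locked.</p>
<p><a href="https://www.bank.example/help">Contact us</a> or
<a href="http://bank.example.login-verify.net/secure">https://bank.example/secure</a>
to restore access, or <a href="http://bank.example@192.0.2.10/">verify now</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_MAIL, "bank.example"):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Only the first link, whose host sits under bank.example and whose text makes no competing claim, passes; the other two are reported with every reason that applies. The same checks are what a user is told to do by hand ("hover over the link and compare"), which is why user awareness sits beside technical controls in the intrusion prevention list.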


• Mobile code: hostile programs that run automatically on your computer, without your knowledge, simply because you visited a web site


To reduce the risk of your system being infected by viruses you should do all of the following:
• Scan all email attachments
• Ensure your anti-virus software scans your system daily
• Turn off the option for your email client to download attachments automatically


Physical access control

• Personal identification numbers (PINs)
• Door locks
• Card entry systems
• Measures against computer theft


Building control into an information system

• Control can be classified into:
  • Security control: the protection of data from accidental or deliberate threats
  • Integrity control: in the security context, integrity is preserved when data is the same as in the source documents and has not been accidentally or intentionally altered, destroyed or disclosed
  • System integrity: the system operates in conformance with its design specification despite attempts (deliberate or accidental) to make it behave incorrectly
  • Contingency controls: a contingency is an unscheduled interruption of computing services that requires measures outside the day-to-day routine operating procedures; contingency controls are the measures prepared in advance for such an interruption


Building control into an information system (cont)…

• Data will maintain its integrity if it is complete and not corrupt. This means that:
  • The original input of the data must be controlled
  • Any processing and storage should be set up so that they are complete and correct


Building control into an information system (cont)…

• Input controls should ensure the accuracy, completeness and validity of the data entered:
  • Data verification involves ensuring that the data entered matches the source documents
  • Data validation involves ensuring that the data entered is not incomplete or unreasonable. Various checks:
    • Check digits
    • Control totals
    • Hash totals
    • Range checks
    • Limit checks
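The five validation checks listed above are easiest to see working together on one batch. The block below is an added example, not code from the lecture: a constructed payroll batch whose employee numbers carry a Luhn (mod-10) check digit and whose header carries the originator's record count, control total (sum of the amounts, which has business meaning) and hash total (sum of the employee numbers, which has none but changes if a record is lost, duplicated or mis-keyed). Hours are range-checked and the line amount is limit-checked. The field names, limits and records are the example's own assumptions.

```python
"""Added example (not from the lecture): the input controls named above
applied to a constructed payroll batch. Employee numbers carry a Luhn
(mod-10) check digit; the batch header carries the originator's record
count, control total and hash total. Field names, limits and records are
constructed for the example."""
from dataclasses import dataclass
from typing import List


def luhn_valid(number: str) -> bool:
    """Check digit: the rightmost digit is computed from the others (Luhn
    mod-10), so a single mistyped digit or an adjacent transposition (other
    than 09/90) makes the check fail."""
    if len(number) < 2 or not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class PayLine:
    employee_no: str
    hours: float
    rate: float
    amount: float


@dataclass
class BatchHeader:
    record_count: int
    control_total: float  # sum of amount, computed when the batch was prepared
    hash_total: int       # sum of employee numbers: no meaning in itself, but it
                          # changes if a record is lost, duplicated or mis-keyed


HOURS_RANGE = (0.0, 80.0)  # range check: plausible hours for one pay period
AMOUNT_LIMIT = 10_000.0    # limit check: a single line above this is referred back


def validate_batch(header: BatchHeader, lines: List[PayLine]) -> List[str]:
    """Return the list of control failures; an empty list means the batch may be posted."""
    errors: List[str] = []
    for line in lines:
        if not luhn_valid(line.employee_no):
            errors.append(f"check digit: employee {line.employee_no}")
        if not HOURS_RANGE[0] <= line.hours <= HOURS_RANGE[1]:
            errors.append(f"range: {line.hours} hours for employee {line.employee_no}")
        if line.amount > AMOUNT_LIMIT:
            errors.append(f"limit: amount {line.amount} for employee {line.employee_no}")
        if abs(line.hours * line.rate - line.amount) > 0.005:
            errors.append(f"reasonableness: amount != hours * rate for employee {line.employee_no}")
    if len(lines) != header.record_count:
        errors.append(f"record count: {len(lines)} != {header.record_count}")
    if abs(sum(l.amount for l in lines) - header.control_total) > 0.005:
        errors.append("control total mismatch")
    if sum(int(l.employee_no) for l in lines if l.employee_no.isdigit()) != header.hash_total:
        errors.append("hash total mismatch")
    return errors


# Constructed batch as it left the originating department.
GOOD_LINES = [PayLine("1008", 40.0, 25.0, 1000.0),
              PayLine("2006", 38.0, 30.0, 1140.0),
              PayLine("3004", 45.0, 20.0, 900.0)]
GOOD_HEADER = BatchHeader(record_count=3, control_total=3040.0, hash_total=1008 + 2006 + 3004)

# The same batch after two keying errors: the last two digits of one employee
# number transposed, and hours for another entered as 95 instead of 45.
BAD_LINES = [PayLine("1008", 40.0, 25.0, 1000.0),
             PayLine("2060", 38.0, 30.0, 1140.0),
             PayLine("3004", 95.0, 20.0, 1900.0)]

if __name__ == "__main__":
    print(validate_batch(GOOD_HEADER, GOOD_LINES))  # []
    for error in validate_batch(GOOD_HEADER, BAD_LINES):
        print(error)
```

Each error is caught by a different control: the transposition fails the check digit and shifts the hash total, the 95 hours fails the range check and, through the amount, the control total. A limit check is different from a range check in that it bounds one side only; an amount of 12,000 would be referred back even though the arithmetic is consistent.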


Privacy and data protection

• Privacy: the right of the individual to control the use of information about him or her, including information on financial status, health and lifestyle (i.e. to prevent unauthorised disclosure).


Data protection principles

• Personal data is information about a living individual, including any expression of opinion about him or her. Data about an organisation is not personal data
• Data users are organisations or individuals who control personal data and its use
• A data subject is an individual who is the subject of personal data


Internet security issue

• Establishing an organisation's links to the Internet brings numerous security dangers
• Corruption such as a virus on a single computer can spread through the network to all of the organisation's computers
• Hacking: attempting to gain unauthorised access to a computer system


About virus

• A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.
• Viruses can also replicate themselves. All computer viruses are man-made.
• A simple virus that makes a copy of itself over and over again is relatively easy to produce.
• Even such a simple virus is dangerous because it can quickly use up all available memory and bring the system to a halt.
• An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.


Type of virus/program

• File virus: infects program files
• Boot sector virus: infects the boot sector, the part of every hard disk and diskette that is read when the machine starts. A 'stealth' virus is one that hides from virus detection programs, for example by concealing the changes it has made to boot records or files.
• Trojan: a small program that performs an unexpected function. It hides itself inside a 'valid' program.
• Logic bomb: a program that is executed when a specific act is performed.


Type of virus/program (cont…)

• Time bomb: a program that is activated at a certain time or date, such as Friday the 13th or April 1st
• Worm: a self-replicating program that copies itself (typically across a network) and uses memory, but, unlike a virus, does not attach itself to other programs
• Dropper: a program that installs a virus while performing another function


Type of virus/program (cont…)

• Macro virus: a piece of self-replicating code written in an application's 'macro' language. Melissa, for example, was a well publicised macro virus


Tutorial Question

Information system management and security on the Internet

Discuss


Reference

• Barbara C. McNurlin and Ralph H. Sprague (2003): Information Systems Management in Practice, 6th edition, Prentice Hall.
• Kioskea, IT Security - Introduction to IT Security, http://en.kioskea.net/contents/secu/secuintro.php3, accessed 15/03/2010.
• Abdisalam Issa-Salwe, Taibah University Lecture Notes, 2010.
• Rackspace (2010): Securing an IT Infrastructure: A Decision Maker's Guide to Securing an IT Infrastructure, Rackspace White Paper.