View
1.179
Download
4
Tags:
Embed Size (px)
DESCRIPTION
Citation preview
Prepared by: Jan Wong
ManagementInformation
Systemsin Organizations
MANAGINGSYSTEM SECURITY
The Learning Outcomes
At the end of this session you should be able to:
the vulnerability of IS and the possible damage from malfunctions
the security issues of the Web and E-Commerce
EXAMINE
DISCUSS
the major methods in defending information systems
DESCRIBE
security auditingDESCRIBE
Computer Systems Management
• Encompasses all activities related to the: • Planning• Organizing, Acquiring• Maintaining• Securing• Controlling of IT resources
CASE: DOS ATTACK
• On Feb. 6, 2000 - the biggest EC sites were hit by cyber crime• The attacker used a method called denial of service (DOS)
• By hammering a Web site’s equipment with too many requests for information, an attacker can effectively clog a system
• The total damage worldwide was estimated at $5 -10 billion (U.S.)• The alleged attacker, from the Philippines, was not prosecuted because he did not break any law in the Philippines
MORE CASES• An American computer programmer planted a virus to be activated two days after his name was deleted from the payroll file. The virus eliminated 168,000 payroll records which resulted in a one-month delay in processing payroll cheques. Donald Burleston was found guilty of a third degree felony and fined $5,000
•A group installed an ATM in a busy shopping center in Hartford, Connecticut. Customers using the m/c were shown the message “sorry, no transactions possible” after inserting their cards and entering the pin numbers. Using counterfeit cards made from the information given the group netted around $100,000.
MORE CASES• The U.S. Social Security Service discovered an error in the program used to calculate retirement benefits. The error had been in the system for over 20 years. It had shortchanged 700,000 people of over $850 million and took more than three years to fix the problem.
Lessons Learnt from the Cases
• Information resources that include computers, networks, programs, and data are vulnerable to unforeseen attacks.
• Many countries do not have sufficient laws to deal with computer criminals.
• Protection of networked systems can be a complex issue.
• Attackers can zero on a single company, or can attack many companies, without discrimination.
• Attackers use different attack methods.
• Although variations of the attack methods are known, the defense against them is difficult and/or expensive.
Security Threats
SecurityProblems
• IS physical resources, data, software, procedures and other resources may be at risk at any time
• Hundreds of potential threats exist
• Computing resources may be distributed across many locations – Intranets, Extranets
• Computer networks can be outside the organization and difficult to protect
• Many individuals control information assets
“Defending information systems is not a simple or inexpensive task”
SecurityProblems
• Rapid technological changes make some controls obsolete as soon as they are installed
• Many computer crimes are undetected for a long period of time.
• People tend to violate security procedures because they are inconvenient
• e.g. Windows Vista
“Defending information systems is not a simple or inexpensive task”
Risks in Information Systems
1. Human errors In the design of
hardware and information systems
Programming, testing, authorization
These errors contribute to the vast majority of control and security related problems.
2. Environmental hazards Earthquakes, hurricanes,
floods, lightning strikes etc.
Fire, defective air-conditioning, radio-active fallout, water-cooling systems failures.
Smoke, heat and water damage resulting from the other environmental hazards.
5“Human errors, environmental hazards, computer system failures, cyber crime & intentional threats”
Risks in Information Systems
3. Computer systems failures
• Poor design• Use of defective material• Lack of proper quality
control• Inadequate specification
of hardware by the buyer
4. Cyber Crime• Hackers
• outsiders who penetrate a computer system or by
• insiders who are authorized to use the computer system but are misusing their authorization.
5“Human errors, environmental hazards, computer system failures, cyber crime & intentional threats”
Risks in Information Systems
4. Cyber Crime (cont’)
• According to the FBI• an average white-collar
crime involves $23,000; but
• an average computer crime involves about $600,000
• 2 Basic Types of Attack:• Data tampering
• False, fabricated or fraudulent data
• Changing or deleting data• Examples –
• Wages clerk and the extra employee
• Stock clerk and the damaged stock
• Shift supervisor and the extra overtime
5“Human errors, environmental hazards, computer system failures, cyber crime & intentional threats”
Risks in Information Systems
4. Cyber Crime (cont’)
• Programming fraud, e.g. Viruses• Programming
techniques used to modify a computer program• Virus• Worm• Trojan Horse• Spoofing
5“Human errors, environmental hazards, computer system failures, cyber crime & intentional threats”
Risks in Information Systems
5. Intentional threats• Theft of data,
inappropriate use of data• Theft of computer time,
equipment and programs• Deliberate manipulation
of data and programs• Strikes, riots, sabotage • Malicious damage
including terrorist attacks• Destruction from virus
attacks• Miscellaneous computer
abuses and crimes• Fraud and crimes related
to the use of the internet
5“Human errors, environmental hazards, computer system failures, cyber crime & intentional threats”
Objectives of Defense Strategies
The following are the major objectives of defense strategies:
1. Prevention & deterrence
To prevent future attacks
2. Detection For early detection
3. Recovery Fixing damaged IS
4. Correction To eliminate problem
Preventive Control Systems• Access control • Transaction logs and audit trails • Encryption • Archiving • Virus protection / Firewall• Documentation
• Computer operation Manual• Systems Administration Manual
• Separation of Functions• Personnel Control• IS Audit
IT Auditing
• Involves a periodical examination and check of financial and accounting records and PROCEDURES. – the system audit
• Two types of auditors (and audits): Internal External
IT Auditing
Auditors attempt to answer questions such as:
1. Are there sufficient controls in the system?
2. Which areas are not covered by controls?
3. Which controls are not necessary?
4. Are the controls implemented properly?
5. Are the controls effective; do they check the output of the system?
IT Auditing
6. Is there a clear separation of duties of employees?
7. Are there procedures to ensure compliance with the controls?
8. Are there procedures to ensure reporting and corrective actions in case of violations of controls?
How is Auditing Executed?
• IT auditing procedures can be classified into three categories:
1. Auditing around the computer - verifying processing by checking for known outputs using specific inputs.
2. Auditing through the computer - inputs, outputs, and processing are checked.
3. Auditing with the computer - using a combination of client data, auditor software, and client and auditor hardware.
THINGS TO TAKE NOTE OFF
• 5 risks in information systems
• Security threats
• Defense strategies against threats
• What are preventive control systems?
• IT Audit
M a n a g i n g S y s t e m S e c u r i t y
IT’S TIME FOR SOME DISCUSSIONS!
• Describe prevention, deterrence, detection, recovery, and correction.
• Discuss the terms controls, threats, vulnerability, and backup.
• What is the difference between authorized and authenticated users?
• Describe auditing of information systems.
IT’S TIME FOR ANIN-CLASS ACTIVITY!
• Get into groups of 5-6 members
• Identify 3 risks that your Information System is susceptible to
• Provide solutions to the risks identified
C o m i n g s o o n … n e x t c l a s sManagementInformation
Systemsin Organizations
DISASTERRECOVERY PLAN
What is a disaster recovery plan? How does it minimize risk?