SECURITY CHALLENGES OF INFORMATION TECHNOLOGY

Unit v


Page 2: Unit v

SECURITY REQUIREMENTS FOR E-COMMERCE

• Privacy – about who can see and who should not
• Authenticity – to know the identities of communicating parties
• Integrity – assurance that stored or transmitted information is unaltered
• Reliability – assurance that systems will be available when needed and will perform consistently.
• Blocking – ability to block unwanted information or intrusions

Page 4: Unit v

INFORMATION SYSTEM CONTROLS

Page 5: Unit v

• Input controls
  - Security codes
  - Encryption
  - Data entry screens
  - Error signals
  - Control totals (record count, batch totals)
• Processing controls
  - Software controls – check that data is processed correctly
  - Hardware controls – malfunction detection circuitry, redundant components, special-purpose microprocessors and associated circuitry
  - Firewalls
  - Checkpoints

Page 6: Unit v

• Output controls
  - Security codes – ensure that information products are complete and are available to authorized users in a timely manner.
  - Encryption
  - Control totals – reconciled against the input and processing control totals
  - Control listings – provide hard copy evidence of all output produced.
  - End user feedback
• Storage controls – how can we protect our data resources?
  - Security codes
  - Encryption
  - Backup files
  - Library procedures
  - Database administration
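The control totals named in the input and output control lists above, worked as an added example (not from the slides): a constructed batch of time records carries the record count and batch total the data-entry operator keyed, and the receiving step recomputes both and raises an error signal if either differs. The record layout and batch values are constructed for illustration.

```python
# Added example (not from the slides): batch control totals as an input
# control. A constructed batch of time records carries the record count and
# batch total the data-entry operator keyed; the receiving step recomputes
# both and reports an error signal if either differs, so a dropped or
# mistyped record is caught before processing.
from typing import List, Tuple

Record = Tuple[str, float]  # (employee id, hours worked) - constructed layout


def compute_control_totals(records: List[Record]) -> Tuple[int, float]:
    """Record count and batch total over the hours field."""
    return len(records), round(sum(hours for _, hours in records), 2)


def validate_batch(records: List[Record], control_count: int,
                   control_total: float) -> Tuple[bool, str]:
    """Compare recomputed totals with the control totals supplied with the
    batch. Returns (accepted, message); a mismatch is an error signal."""
    count, total = compute_control_totals(records)
    if count != control_count:
        return False, f"record count {count} != control count {control_count}"
    if abs(total - control_total) > 0.005:
        return False, f"batch total {total} != control total {control_total}"
    return True, "batch accepted"


# Constructed batch: the operator keyed three records totalling 112.5 hours.
BATCH: List[Record] = [("E001", 40.0), ("E002", 37.5), ("E003", 35.0)]
CONTROL_COUNT, CONTROL_TOTAL = 3, 112.5

if __name__ == "__main__":
    print(validate_batch(BATCH, CONTROL_COUNT, CONTROL_TOTAL))
    # A record lost in transit changes the count; a keying error (37.5 keyed
    # as 73.5) keeps the count but changes the batch total.
    print(validate_batch(BATCH[:2], CONTROL_COUNT, CONTROL_TOTAL))
    print(validate_batch([("E001", 40.0), ("E002", 73.5), ("E003", 35.0)],
                         CONTROL_COUNT, CONTROL_TOTAL))
```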

Page 9: Unit v

FACILITY CONTROLS

• Methods that protect an organization's computing and network facilities and their contents from loss or destruction.
• Network security – may be provided by specialized system software packages called system security monitors.
  - Protect against unauthorized use, fraud and destruction (identification codes and passwords).
  - Also restrict the use of computers, programs and data files.
  - Record attempts at improper use.

Page 10: Unit v

FACILITY CONTROLS

1. Encryption – scrambling the data using mathematical algorithms, or keys.
   • Software encryption standards are RSA Data Security and PGP (Pretty Good Privacy)

Page 11: Unit v

FACILITY CONTROLS

2. Firewalls
   • External firewall keeps out unauthorized internet users.
   • Internal firewall prevents users from accessing sensitive human resources and financial data.
   • Passwords and browser security features control access to specific intranet resources.

Page 12: Unit v

FACILITY CONTROLS

3. Physical Protection Controls –
   • Identification badges
   • Electronic door locks
   • Burglar alarms
   • Security police
   • CCTV, etc.
   • Fire detection and extinguishing systems
   • Fireproof storage vaults
   • Emergency power controls
   • Humidity controls
   • Dust controls

Page 13: Unit v

FACILITY CONTROLS

4. Biometric Controls – devices use special sensors to measure and digitize a biometric profile
   • Voice verification
   • Fingerprints
   • Hand geometry
   • Signature dynamics
   • Keystroke analysis
   • Retina scanning
   • Face recognition

Page 14: Unit v

FACILITY CONTROLS

5. Failure Controls – reasons for system failure are:
   • Power failure
   • Electronic circuitry malfunctions
   • Telecommunications network problems
   • Hidden programming errors
   • Computer viruses
   • Computer operator errors
   • Electronic damage

Page 16: Unit v

PROCEDURAL CONTROLS

1. Standard Procedures and Documentation – an IS organization develops and follows standard procedures for its operations
   • This promotes quality and minimizes errors and fraud
   • Documentation helps in the maintenance of the system and must be kept up to date

Page 17: Unit v

PROCEDURAL CONTROLS

2. Authorization Requirements –
   • Requests for systems development and program changes need review before authorization
   • Conversion to new hardware, software and network components, and their installation, requires a formal notification

Page 18: Unit v

PROCEDURAL CONTROLS

3. Disaster Recovery – damage can be caused by:
   • Hurricanes
   • Earthquakes
   • Fire
   • Floods
   • Criminal and terrorist acts
   • Human error

   Organizations make disaster recovery plans, which specify:
   • Which employees will participate in disaster recovery and what their duties will be
   • What hardware, software and facilities will be used
   • The priority of applications that will be processed.

Page 19: Unit v

PROCEDURAL CONTROLS

4. Controls for End User Computing – this includes:
   • Methods for testing user-developed systems for compliance with company policies and work procedures
   • Methods for notifying other users when changes are planned
   • Thorough documentation of user-developed systems
   • Training several people in the operation and maintenance of a system
   • Formal backup and recovery procedures
   • Security controls

Page 20: Unit v

AUDITING INFORMATION SYSTEMS

• Information systems should be audited periodically.
• Review and evaluate whether proper and adequate system, procedural, facility and managerial controls have been developed and implemented.
• 2 types:
  - Auditing around the computer system – verifying the accuracy and suitability of input data and output produced
  - Auditing through the computer system – verifying the accuracy and integrity of software.
  - Auditors develop test programs to test the data.

Page 21: Unit v

Audit Trail

• Presence of documentation that allows a transaction to be traced through all stages of its information processing.
• Electronic audit trail / control logs – automatically record all network activity on magnetic disk or tape devices

Page 22: Unit v

Denial of Service Attacks

• Denial of service attacks depend on three layers of networked computer systems
  - The victim's website
  - The victim's Internet service provider
  - Zombie or slave computers that have been commandeered by the cybercriminals

Page 23: Unit v

Defending Against Denial of Service

• At zombie machines
  - Set and enforce security policies
  - Scan for vulnerabilities
• At the ISP
  - Monitor and block traffic spikes
• At the victim's website
  - Create backup servers and network connections

Page 25: Unit v

4 ETHICAL DIMENSIONS

• Egoism – what is best for a given individual is right
• Natural – promote health and life, propagate, pursue knowledge of world and God, have close relationships with other people.
• Utilitarianism – those actions are right that produce the greatest good for the greatest number of people.
• Respect for persons –

Page 26: Unit v

WESTERN AND NON-WESTERN VALUES

Non-western                                                         | Western                 | Common Values
--------------------------------------------------------------------|-------------------------|--------------------------
Kyosei (Japanese): living and working together for the common good  | Individual liberty      | Respect for human dignity
Dharma (Hindu): the fulfillment of inherited duty                   | Political participation | Respect for basic rights
Zakat (Muslim): the duty to give alms to the Muslim poor            | Human rights            | Good citizenship

Page 27: Unit v

MODEL OF ETHICAL DECISION MAKING

Page 31: Unit v

SPOOFING

• To fool. In networking, the term is used to describe a variety of ways in which hardware and software can be fooled. IP spoofing, for example, involves trickery that makes a message appear as if it came from an authorized IP address.
• E.g. a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.

Page 32: Unit v

OUTSOURCING

• A phrase used to describe the practice of seeking resources (or subcontracting) outside of an organizational structure for all or part of an IT (Information Technology) function.
• Outsourcing covers functions ranging from infrastructure to software development, maintenance and support.
• For example, an enterprise might outsource its IT management because it is cheaper to contract a third party to do so than it would be to build its own in-house IT management team. Or a company might outsource all of its data storage needs because it does not want to buy and maintain its own data storage devices. Most large organizations only outsource a portion of any given IT function.

Page 33: Unit v

Information Protection - Why?

• Information is an important strategic and operational asset for any organization.
• Damage to and misuse of information affect not only a single user or an application; they may have disastrous consequences for the entire organization.
• Additionally, the advent of the Internet as well as networking capabilities has made access to information much easier.

Page 34: Unit v

Information Security: Main Requirements

[Figure: the three main requirements of information security – Confidentiality, Integrity, Availability]

Page 35: Unit v

Information Security: Examples

• Consider a payroll database in a corporation; it must be ensured that:
  - salaries of individual employees are not disclosed to arbitrary users of the database
  - salaries are modified only by those individuals that are properly authorized
  - pay-checks are printed on time at the end of each pay period

Page 36: Unit v

Information Security: Examples

• In a military environment, it is important that:
  - the target of a missile is not given to an unauthorized user
  - the target is not arbitrarily modified
  - the missile is launched when it is fired

Page 37: Unit v

Information Security - main requirements

• Confidentiality - refers to protecting information from unauthorized read operations
  - the term privacy is often used when the data to be protected refer to individuals
• Integrity - refers to protecting information from modifications; it involves several goals:
  - assuring the integrity of information with respect to the original information (relevant especially in the web environment) - often referred to as authenticity
  - protecting information from unauthorized modifications
  - protecting information from incorrect modifications - referred to as semantic integrity
• Availability - ensures that access to information is not denied to authorized subjects

Page 38: Unit v

Information Security -

additional requirements

• Information Quality - not traditionally considered part of information security, but very relevant
• Completeness - refers to ensuring that subjects receive all the information they are entitled to access, according to the stated security policies

Page 39: Unit v

Classes of Threats

• Disclosure
  - Snooping (interfering), Trojan horses
• Deception
  - Modification, spoofing (fooling), repudiation (denial) of origin, denial of receipt
• Disruption
  - Modification
• Usurpation
  - Modification, spoofing, delay, denial of service

Page 40: Unit v

Goals of Security

• Prevention
  - Prevent attackers from violating the security policy
• Detection
  - Detect attackers' violations of the security policy
• Recovery
  - Stop the attack, assess and repair damage
  - Continue to function correctly even if the attack succeeds

Page 41: Unit v

Information Security - How?

• Information must be protected at various levels:
  - The operating system
  - The network
  - The data management system
  - Physical protection is also important

Page 42: Unit v

Information Security - Mechanisms

• Confidentiality is enforced by the access control mechanism
• Integrity is enforced by the access control mechanism and by the integrity constraints
• Availability is enforced by the recovery mechanism and by detection techniques.
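The payroll example from the earlier slide, worked with the mechanisms listed here, as an added example that is not part of the original slides: access control enforces who may read a salary (confidentiality) and who may change it (integrity), an integrity constraint rejects semantically wrong values, and an audit trail records every decision so a change can be traced. The roles, users and salary bounds are constructed for illustration.

```python
# Added example (not from the slides): a toy payroll store showing the
# mechanisms slide applied to the payroll slide. Access control enforces
# confidentiality (who may read a salary) and integrity (who may change it);
# an integrity constraint rejects semantically wrong values; every decision
# is written to an audit trail so a change can be traced. Roles, users and
# salary bounds are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed role table: operations each role is permitted on any record.
PERMISSIONS = {"payroll_clerk": {"read", "update"}, "manager": {"read"},
               "employee": set()}
MIN_SALARY, MAX_SALARY = 0, 500_000  # constructed semantic-integrity bounds


@dataclass
class PayrollDB:
    salaries: Dict[str, int] = field(default_factory=dict)
    audit_trail: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def _log(self, user: str, op: str, emp: str, outcome: str) -> None:
        self.audit_trail.append((user, op, emp, outcome))

    def _authorize(self, user: str, role: str, op: str, emp: str) -> None:
        if op not in PERMISSIONS.get(role, set()):
            self._log(user, op, emp, "denied")
            raise PermissionError(f"{user} ({role}) may not {op} {emp}")

    def read_salary(self, user: str, role: str, emp: str) -> int:
        # Confidentiality: employees see only their own record; other roles
        # are checked against the permission table.
        if role == "employee" and user == emp:
            self._log(user, "read", emp, "allowed (own record)")
        else:
            self._authorize(user, role, "read", emp)
            self._log(user, "read", emp, "allowed")
        return self.salaries[emp]

    def update_salary(self, user: str, role: str, emp: str, new: int) -> None:
        # Integrity: access control decides who may modify ...
        self._authorize(user, role, "update", emp)
        # ... and the integrity constraint rejects incorrect modifications.
        if not MIN_SALARY <= new <= MAX_SALARY:
            self._log(user, "update", emp, f"rejected by constraint ({new})")
            raise ValueError(f"salary {new} outside [{MIN_SALARY}, {MAX_SALARY}]")
        old = self.salaries[emp]
        self.salaries[emp] = new
        self._log(user, "update", emp, f"allowed ({old} -> {new})")
```

Availability is not modelled here; the recovery and detection mechanisms the slide names would sit around this store (backups of `salaries`, monitoring of the denied entries in `audit_trail`).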

Page 43: Unit v

Information Security - How?

Additional mechanisms

• User authentication - to verify the identity of subjects wishing to access the information
• Information authentication - to ensure information authenticity - it is supported by signature mechanisms
• Encryption - to protect information when being transmitted across systems and when being stored on secondary storage
• Intrusion detection - to protect against impersonation of legitimate users and also against insider threats