Upload
bharatnaruka90
View
160
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Citation preview
SECURITY CHALLENGES OF
INFORMATION TECHNOLOGY
SECURITY REQUIREMENTS FOR E-
COMMERCE
� Privacy – about who can see and who should not
� Authenticity – to know the identities of
communicating parties
� Integrity – assurance that stored or transmitted information is unaltered
� Reliability – assurance that systems will be available when needed and will perform
consistently.
� Blocking – ability to block unwanted information or
intrusions
INFORMATION SYSTEM CONTROLS
� Input controls
� Security codes
� Encryption
� Data entry screens
� Error signals
� Control totals (record count, batch totals)
� Processing Controls
� Software controls – checks right data processing
� Hardware controls – malfunction detection circuitry, redundant
components, special-purpose microprocessors and associated
circuitry
� Fire walls
� Checkpoints
� Output Controls
� Security Codes – ensures that information products are
complete and are available to authorized users in timely manner.
� Encryption
� Control totals = input + processing controls
� Control listings – provides hard copy evidence of all output
produced.
� End user feedback
� Storage controls – how can we protect our data resources?
� Security Codes
� Encryption
� Backup files
� Library procedures
� Database administration
FACILITY CONTROLS
� Methods that protect an organizations computing and network facilities and their contents from loss
or destruction.
� Network security – may be provided by specialized system software packages called system security
monitors.
� Protects from unauthorized use, fraud and destruction
(identification codes and passwords).
� Also restricts the use of computer, programs and data
files.
� Collects attempts of improper use.
FACILITY CONTROLS
1. Encryption –scrambling the data
using mathematical
algorithms, or keys.
� Software encryption
standards are RSA data security & PGP
(Pretty Good Privacy)
FACILITY CONTROLS
2. Firewalls
� External firewall keeps out unauthorized internet
users.
� Internal firewall prevents users from accessing sensitive human resources and financial data.
� Passwords and browser security features control access to specific intranet resources.
FACILITY CONTROLS3. Physical Protection Controls –
� Identification badges
� Electronic door locks
� Burglar alarms
� Security police
� CCTV, etc
� Fire detection and extinguishing systems
� Fireproof storage vaults
� Emergency power controls
� Humidity
� Dust controls
FACILITY CONTROLS
4. Biometric Controls – devices use special
sensors to measure and digitize a biometric
profile
�Voice verification
�Finger prints
�Hand geometry
�Signature dynamics
�Keystroke analysis
�Retina scanning
�Face recognition
FACILITY CONTROLS
5. Failure Controls – reasons of system failure
are:
�Power failure
�Electronic circuitry malfunctions
�Telecommunications network problems
�Hidden programming errors
�Computer viruses
�Computer operator errors
�Electronic damage
PROCEDURAL CONTROLS
1. Standard Procedures and documentation – an IS organization develops and follows standard procedures for its operations
� This promotes quality and minimizes
errors and fraud
� Documentation helps in the maintenance
of the system and must be kept up to
date
PROCEDURAL CONTROLS
2. Authorization requirements –
� requests for systems development and program changes need review before
authorization
� Conversion to new hardware, software,
network components and installation requires a formal notification
PROCEDURAL CONTROLS
3. Disaster Recovery – damage can be caused by:� Hurricanes
� Earthquakes
� Fire
� Floods
� Criminal and terrorists acts
� Human error
� Disaster recovery plans are made by organizations which specifies –� Which employee will participate in disaster recovery
and what will be their duties
� What hardware, software and facilities will be used
� Priority of applications that will be processed.
PROCEDURAL CONTROLS
4. Controls for End User Computing – this includes –� Methods for testing user-developed systems for
compliance with company policies and work procedures
� Methods for notifying other users when changes are planned
� Thorough documentation of user-developed systems
� Training several people in the operation and maintenance of a system
� Formal backup and recovery procedures
� Security controls
AUDITING INFORMATION SYSTEMS
� Information system should be audited periodically.
� Review and evaluate whether proper and
adequate system, procedural, facility and
managerial controls have been developed and implemented.
� 2 types
� Auditing around the computer system – verifying
the accuracy and Suitability of input data and output produced
� Auditing through the computer system –verifying the accuracy and integrity of software.
� Auditors develop test programs to test the
data.
Audit Trial
� Presence of documentation that allows a transaction to be
traced through all stages of its information processing.
� Electronic audit trial / Control logs – automatically
records all network activity on magnetic disk or tape
devices
Denial of Service Attacks
� Denial of service attacks depend on three layers of networked computer systems
� The victim’s website
� The victim’s Internet service provider
� Zombie or slave computers that have been commandeered by
the cybercriminals
22
Defending Against Denial of Service
� At Zombie Machines
� Set and enforce security policies
� Scan for vulnerabilities
� At the ISP
� Monitor and block traffic spikes
� At the Victim’s Website
� Create backup servers and network connections
23
4 ETHICAL DIMENSIONS
� Egoism – what is best for a given individual is right
� Natural – promote health and life, propagate,
pursue knowledge of world and God, have close
relationships with other people.
� Utilitarianism – those actions are right that produce
the greatest good for the greatest number of people.
� Respect for persons –
WESTERN AND NON-WESTERN VALUES
Non-western Western Common Values
Kyosei (Japanese):
Living and working
together for the
common good
Individual liberty Respect for human
dignity
Dharma (Hindu): the
Fulfillment of inherited
duty
Political participation Respect for basic
rights
Zakat (Muslim): the
duty to give alms to
the Muslim poor
Human rights Good citizenship
MODEL OF ETHICAL DECISION
MAKING
SPOOFING
� To fool. In networking, the term is used to describe a variety
of ways in which hardware and software can be fooled. IP
spoofing, for example, involves trickery that makes a
message appear as if it came from an authorized IP address
� E.g. - A technique used to gain unauthorized access to
computers, whereby the intruder sends messages to a
computer with an IP address indicating that the message is
coming from a trusted host. To engage in IP spoofing,
a hacker must first use a variety of techniques to find an IP
address of a trusted host and then modify the packet headers
so that it appears that the packets are coming from that host.
OUTSOURCING
� Is a phrase used to describe the practice of seeking resources -
- or subcontracting -- outside of an organizational structure for
all or part of an IT (Information Technology) function.
� Outsourcing for functions ranging from infrastructure
to software development, maintenance and support.
� For example, an enterprise might outsource its IT
management because it is cheaper to contract a third-party to
do so than it would be to build its own in-house IT
management team. Or a company might outsource all of
its data storage needs because it does not want to buy and
maintain its own data storage devices. Most large
organizations only outsource a portion of any given IT
function.
Information Protection - Why?
• Information are an important strategic and operational
asset for any organization.
• Damages and misuses of information affect not only a
single user or an application; they may have disastrous
consequences on the entire organization
• Additionally, the advent of the Internet as well as
networking capabilities has made the access to
information much easier
Information Security: Main Requirements
Confidentiality Information
SecurityIntegrity
Availability
Information Security: Examples
• Consider a payroll database in a
corporation, it must be ensured that:
- salaries of individual employees are not
disclosed to arbitrary users of the database
- salaries are modified by only those
individuals that are properly authorized
- pay-checks are printed on time at the end of
each pay period
Information Security: Examples
• In a military environment, it is important
that:
- the target of a missile is not given to an
unauthorized user
- the target is not arbitrarily modified
- the missile is launched when it is fired
Information Security - main requirements
• Confidentiality - it refers to information protection fromunauthorized read operations
- the term privacy is often used when data to be protectedrefer to individuals
• Integrity - it refers to information protection frommodifications; it involves several goals:- Assuring the integrity of information with respect to the original
information (relevant especially in web environment) - often referredto as authenticity
- Protecting information from unauthorized modifications
- Protecting information from incorrect modifications - referred to assemantic integrity
• Availability - it ensures that access to information is notdenied to authorized subjects
Information Security -
additional requirements
• Information Quality - it is not considered
traditionally as part of information security but
it is very relevant
• Completeness - it refers to ensure that subjects
receive all information they are entitled to
access, according to the stated security policies
Classes of Threats
• Disclosure
- Snooping (Interfering), Trojan Horses
• Deception
-Modification, spoofing (fooling), repudiation (denial) of origDenial of receipt
• Disruption
- Modification
• Usurpation
- Modification, spoofing, delay, denial of service
Goals of Security
• Prevention
- Prevent attackers from violating securitypolicy
• Detection
- Detect attackers’ violation of security policy
• Recovery
- Stop attack, assess and repair damage
- Continue to function correctly even if attacksucceeds
Information Security - How?
• Information must be protected at various
levels:
- The operating system
- The network
- The data management system
- Physical protection is also important
Information Security - Mechanisms
• Confidentiality is enforced by the access control
mechanism
• Integrity is enforced by the access control mechanism
and by the integrity constraints
• Availability is enforced by the recovery mechanism and
by detection techniques.
Information Security - How?
Additional mechanisms
• User authentication - to verify the identity of subjectswishing to access the information
• Information authentication - to ensure informationauthenticity - it is supported by signature mechanisms
• Encryption - to protect information when beingtransmitted across systems and when being stored onsecondary storage
• Intrusion detection - to protect against impersonation oflegitimate users and also against insider threats