Chapter 16.ppt

Uploader: deputyduring120. Document ID: 379609. Uploaded: 2018-10-09. Format: PPT. Pages: 44. Size: 440KB.

Slide 1: Chapter 16
Information Technology For Management, 6th Edition. Turban, Leidner, McLean, Wetherbe. Lecture Slides by L. Beaubien, Providence College. John Wiley & Sons, Inc.
Managing Information Resources and Security

Slide 2: Learning Objectives
- Recognize the business value of security and control.
- Understand the role of the IS department and its relationships with end users.
- Discuss the role of the chief privacy officer.
- Recognize information systems vulnerability, threats, attack methods, and the possible symptoms of attack.

Slide 3: Learning Objectives (Continued)
- Describe the major methods of defending information systems.
- Describe internal control and fraud.
- Describe the security issues of the Web and electronic commerce.
- Describe business continuity and disaster recovery planning.
- Understand the role of computer forensics in investigating and deterring security incidents.

Slide 4: Security & the Enterprise

Slide 5: IS Vulnerability

Slide 6: How a Virus Works

Slide 7: Threats to Information Security
- A threat to an information resource is any danger to which a system may be exposed.
- The exposure of an information resource is the harm, loss or damage that can result if a threat compromises that resource.
- A system's vulnerability is the possibility that the system will suffer harm from a threat.
- Risk is the likelihood that a threat will occur.
- Information system controls are the procedures, devices, or software aimed at preventing a compromise of the system.

Slide 8: Unintentional Threats
- Human errors can occur in the design of the hardware and/or information system. They can also occur in programming, testing, data collection, data entry, authorization and procedures.
- Human errors contribute to more than 50% of control and security-related problems in organizations.

Slide 9: Unintentional Threats (Continued)
- Environmental hazards include earthquakes, severe storms, floods, power failures or strong fluctuations, fires (the most common hazard), explosions, etc.
- Computer system failures can occur as the result of poor manufacturing or defective materials.

Slide 10: Intentional Threats
- Typically criminal in nature.
- Cybercrimes are fraudulent activities committed using computers and communications networks, particularly the Internet.
- The average cybercrime involves about $600,000, according to the FBI.

Slide 11: Intentional Threats (Continued)
- Hacker. An outside person who has penetrated a computer system, usually with no criminal intent.
- Cracker. A malicious hacker.
- Social engineering. Computer criminals or corporate spies get around security systems by building an inappropriate trust relationship with insiders.

Slide 12: Espionage or Trespass
- The act of an unauthorized individual gaining access to the information an organization is trying to protect.
- Industrial espionage occurs in areas where researching information about the competition goes beyond the legal limits.
- Governments practice industrial espionage against companies in other countries.
- Shoulder surfing is looking at a computer monitor or ATM screen over another person's shoulder.

Slide 13: System Vulnerability
- A universal vulnerability is a state in a computing system which either: allows an attacker to execute commands as another user; allows an attacker to access data contrary to the access restrictions for that data; allows an attacker to pose as another entity; or allows an attacker to conduct a denial of service.
- An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either: allows an attacker to conduct information gathering activities; allows an attacker to hide activities; includes a capability that behaves as expected but can be easily compromised; is a primary point of entry that an attacker may attempt to use to gain access to the system or data; and is considered a problem according to some reasonable security policy.

Slide 14: Protecting Privacy
- Privacy. The right to be left alone and to be free of unreasonable personal intrusions.
- Two rules have been followed fairly closely in past court decisions in many countries: the right of privacy is not absolute, and privacy must be balanced against the needs of society; the public's right to know is superior to the individual's right of privacy.
- Electronic surveillance. The tracking of people's activities, online or offline, with the aid of computers.
- Personal information in databases. Information about individuals is kept in many databases: banks, utility companies, government agencies, etc.; the most visible locations are credit-reporting agencies.

Slide 15: Protecting Privacy (Continued)
- Information on Internet bulletin boards and newsgroups. Electronic discussions such as chat rooms and similar sites appear on the Internet, within corporate intranets, and on blogs. A blog (Weblog) is an informal, personal journal that is frequently updated and intended for general public reading.
- Privacy codes and policies. An organization's guidelines with respect to protecting the privacy of customers, clients, and employees.
- International aspects of privacy. Privacy issues that international organizations and governments face when information spans countries and jurisdictions.

Slide 16: Information Extortion
- When an attacker or formerly trusted employee steals information from a computer system and then demands compensation for its return or an agreement not to disclose it.

Slide 17: Sabotage or Vandalism
- A popular type of online vandalism is hacktivist or cyberactivist activity. Hacktivists or cyberactivists use technology for high-tech civil disobedience to protest the operations, policies, or actions of an individual, an organization, or a government agency.

Slide 18: Sabotage or Vandalism (Continued)
- Cyberterrorism is a premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents.
- Cyberwar. War in which a country's information systems could be paralyzed by a massive attack with destructive software.
- Theft is the illegal taking of property that belongs to another individual or organization.

Slide 19: Identity Theft
- Crime in which someone uses the personal information of others, usually obtained from the Internet, to create a false identity and then commits fraud.
- The fastest growing white-collar crime.
- The biggest problem is restoring the victim's damaged credit rating.

Slide 20: Software Attacks
- Malicious software (malware) is designed to damage, destroy, or deny service to the targeted systems.
- The most common types of software attacks are viruses, worms, Trojan horses, logic bombs, back doors, denial-of-service, alien software, phishing and pharming.

Slide 21: Software Attacks (Continued)
- Viruses. Segments of computer code that perform unintended actions ranging from merely annoying to destructive.
- Worms. Destructive programs that replicate themselves without requiring another program to provide a safe environment for replication.
- Trojan horses. Software programs that hide in other computer programs and reveal their designed behavior only when they are activated.

Slide 22: Software Attacks (Continued)
- Logic bombs. Designed to activate and perform a destructive action at a certain time.
- Back doors or trap doors. Typically a password, known only to the attacker, that allows access to the system without having to go through any security.
- Denial-of-service. An attacker sends so many information requests to a target system that the target cannot handle them successfully, which can crash the entire system.

Slide 23: Alien Software
- Pestware. Clandestine software that uses up valuable system resources and can report on your Web surfing habits and other personal information.
- Adware. Designed to make pop-up advertisements appear on your screen.
- Spyware. Software that gathers user information through the user's Internet connection without their knowledge (e.g. keyloggers, password capture).

Slide 24: Alien Software (Continued)
- Spamware. Designed to use your computer as a launch pad for spammers.
- Spam. Unsolicited e-mail, usually for purposes of advertising.
- Cookies. Small amounts of information that Web sites store on your computer, temporarily or more or less permanently.

Slide 25: Alien Software (Continued)
- Web bugs. Small, usually invisible, graphic images that are added to a Web page or e-mail.
- Phishing. Uses deception, disguised as an official-looking e-mail, to fraudulently acquire sensitive personal information such as account numbers and passwords.
- Pharming. Fraudulently acquires the domain name for a company's Web site, so that when people type in the Web site URL they are redirected to a fake Web site.

Slide 26: Compromises to Intellectual Property
- Intellectual property. Property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.
- Trade secret. Intellectual work, such as a business plan, that is a company secret and is not based on public information.
- Patent. Document that grants the holder exclusive rights on an invention or process for 20 years.

Slide 27: Compromises to Intellectual Property (Continued)
- Copyright. Statutory grant that provides creators of intellectual property with ownership of the property for the life of the creator plus 70 years.
- Piracy. Copying a software program without making payment to the owner.

Slide 28: Corporate Security Plan - Protecting

Slide 29: Defense Strategy - Controls

Slide 30: Controls
- Controls evaluation. Identifies security deficiencies and calculates the costs of implementing adequate control measures.
- General controls. Established to protect the system regardless of the application.
- Physical controls. Physical protection of computer facilities and resources.
- Access controls. Restriction of unauthorized user access to computer resources; use biometrics and password controls for user identification.

Slide 31: Controls (Continued)
- Communications (network) controls. Protect the movement of data across networks and include border security controls, authentication and authorization.
- Firewalls. A system that enforces an access-control policy between two networks.
- Encryption. The process of converting an original message into a form that cannot be read by anyone except the intended receiver.

Slide 32: Controls (Continued)
- All encryption systems use a key.
- Symmetric encryption. Sender and recipient use the same key.
- Public-key encryption. Uses two different keys: a public key and a private key.
- Certificate authority. Asserts that each computer is identified accurately and provides the public keys to each computer.

Slide 33: Controls (Continued)
- Virtual private networking. Uses the Internet to carry information within a company and among business partners, but with increased security through the use of encryption, authentication and access control.
- Application controls. Controls that protect specific applications and include input, processing and output controls.

Slide 34: Controls (Continued)
- Information systems auditing. The task of independent or unbiased observers to ensure that information systems work properly.
- Types of auditors and audits: Internal. Performed by corporate internal auditors. External. Reviews the internal audit as well as the inputs, processing and outputs of information systems. Audit. Examination of information systems, their inputs, outputs and processing.

Slide 35: IS Auditing Procedure
- Auditing around the computer means verifying processing by checking for known outputs from specific inputs.
- Auditing through the computer means inputs, outputs and processing are all checked.
- Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware.

Slide 36: Auditing
Implementing controls in an organization can be very complicated and difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an auditing task.
There are two types of auditors: an internal auditor is usually a corporate employee who is not a member of the ISD; an external auditor is a corporate outsider who reviews the findings of the internal audit. There are two types of audits: the operational audit determines whether the ISD is working properly; the compliance audit determines whether controls have been implemented properly and are adequate.

Slide 37: Protecting Information Resources
- Risk. The probability that a threat will impact an information resource.
- Risk management. To identify, control and minimize the impact of threats.
- Risk analysis. To assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable cost of it being compromised with the cost of protecting it.

Slide 38: Protecting Information Resources (Continued)
- Risk mitigation is when the organization takes concrete actions against risk. It has two functions: (1) implementing controls to prevent identified threats from occurring, and (2) developing a means of recovery should the threat become a reality.

Slide 39: Risk Mitigation Strategies
- Risk acceptance. Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
- Risk limitation. Limit the risk by implementing controls that minimize the impact of the threat.
- Risk transference. Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.

Slide 40: Disaster Recovery Planning
- Disaster recovery. The chain of events linking planning to protection to recovery; the disaster recovery plan.
- Disaster avoidance. Oriented towards prevention, e.g. an uninterruptible power supply (UPS).
- Hot sites. An external data center that is fully configured and has copies of the organization's data and programs.

Slide 41: Business Continuity
An important element in any security system is the business continuity plan, also known as the disaster recovery plan. Such a plan outlines the process by which businesses should recover from a major disaster.
The purpose of a business continuity plan is to keep the business running after a disaster occurs. Recovery planning is part of asset protection. Planning should focus on recovery from a total loss of all capabilities. Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current. All critical applications must be identified and their recovery procedures addressed. The plan should be written so that it will be effective in case of disaster.

Slide 42: Managerial Issues
- What is the business value of IT security and control?
- Why are these legal obligations?
- How important is IT security to management?
- IT security and internal control must be implemented top-down.
- Acceptable use policies.
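The risk analysis of slide 37 and the three mitigation strategies of slide 39, worked as an added example that is not from the slides or the textbook: each asset's probable cost of compromise (its value times the estimated probability of compromise) is compared with the cost of protecting it, and acceptance, limitation and transference are ranked by total expected annual cost. The asset values, probabilities, control costs and insurance terms are constructed sample figures.

```python
"""Risk analysis per the slides: value each asset, estimate its probability of
compromise, compare the probable cost of compromise with the cost of protecting
it, and rank the three mitigation strategies by total expected annual cost."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float        # loss if the asset is compromised (constructed sample)
    probability: float  # estimated annual probability of compromise


@dataclass
class Control:
    name: str
    annual_cost: float           # yearly cost of operating the control
    residual_probability: float  # probability of compromise with the control in place


def expected_loss(value: float, probability: float) -> float:
    return value * probability  # probable cost of compromise


def evaluate_strategies(asset, control, premium, deductible):
    """Expected annual cost of each mitigation strategy for one asset."""
    # Risk acceptance: no controls, the organization absorbs every loss.
    accept = expected_loss(asset.value, asset.probability)
    # Risk limitation: pay for the control, absorb only the residual loss.
    limit = control.annual_cost + expected_loss(asset.value, control.residual_probability)
    # Risk transference: pay the premium; the insurer covers losses above the
    # deductible, so only the deductible (capped at asset value) stays at risk.
    transfer = premium + expected_loss(min(deductible, asset.value), asset.probability)
    return {"accept": accept, "limit": limit, "transfer": transfer}


def recommend(asset, control, premium, deductible):
    """Return (cheapest strategy, cost table); ties go to the first listed."""
    costs = evaluate_strategies(asset, control, premium, deductible)
    return min(costs, key=costs.get), costs


if __name__ == "__main__":
    # Constructed sample figures, not data from the slides.
    database = Asset("customer database", 500_000, 0.10)
    controls = Control("encryption and access controls", 20_000, 0.02)
    print(recommend(database, controls, premium=25_000, deductible=100_000))
    brochure = Asset("brochure web server", 5_000, 0.30)
    waf = Control("web application firewall", 2_000, 0.05)
    print(recommend(brochure, waf, premium=1_000, deductible=5_000))
```

For the high-value database the control pays for itself (limitation is cheapest), while for the low-value server every control and policy costs more than the expected loss, so acceptance wins.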
