Chapter 6 - Information Systems Security
Info Security Life Cycle
• Systems Planning – Tone at top
• System Analysis - Analyze system vulnerabilities (threats & loss exposure)
• Systems Design – Design security measures & contingency plans
• Systems Implementation – Implement security measures & contingency plans
• Systems Operation, Evaluation & Control - Operate system & assess effectiveness & efficiency. Make changes as needed
Analyzing Vulnerabilities & Threats
• Quantitative Approach
• Qualitative Approach
consider......
– business interruption
– loss of software or hardware
– loss of data
– loss of facilities
– loss of personnel
– loss of customers / negative publicity!!!!!!!
• Vulnerability - weakness in a system
• Threat - potential exploitation of a vulnerability
– Active Threats - Fraud and Computer Sabotage
– Passive Threats -
• System Faults (component equipment failures (disk failures, power outages))
• Natural Disasters (earthquakes, floods, fires, hurricanes)
This is serious.....
• Computer-based crimes are part of the general problem of white collar crime
– fraud and embezzlement exceed losses from bribery, burglary, and shoplifting
Who to watch out for....it could be anyone!!!
• Computer systems personnel
– Computer maintenance personnel
– Programmers
– Network Operators
– Information Systems Management
– Data Control Clerks
• Users
• Intruders & Hackers (unnoticed intruders, wiretappers, piggy backers, impersonating intruders, eavesdroppers)
Control Environment (the foundation for overall control)
• Mgt Philosophy & Operating Style
• Org. Structure
• Board of Directors and Committee
• Mgt Control Activities
• Internal Audit Function
• Personnel Policies & Practices
• External Influences
What are Active Threats?
• Input Manipulation - the easiest & most common
• Program Alteration (trap door)
• Direct File Alteration
• Data Theft
• Sabotage
– Logic bomb
– Trojan horse
– Virus program
– Worm
• Misappropriation /Theft of Info Resources
Computer Virus
• A computer program that alters the performance of the system or its computer files
– Computer virus detection programs are one guard against this
Controls for Active Threats
• Use the layered look (layered approach to access control)
• 1st - classify data (according to importance & vulnerability)
• Site Access Controls (badges, biometric hardware authentication)
• System Access Controls (User ID & Passwords)
• File Access Controls (data & program files)
AUTHENTICATE
• Make sure something is what it claims to be - confirm that potential users are valid
• Biometrics – fingerprints, retina eye patterns, signatures, voice recognition.
• PINs
• ID or plastic cards
PASSWORDS
• 1st line of defense!
• Easy to remember but hard to guess
• Combines Alpha & Numeric
• Which of the following would be most common? Now which is best?
– CATDOG
– 12345678
– BUSTER
– GGGG1234
– GR1267JE
• Typical Passwords – are static (stay the same – at least for 30 days or so)
• TOKEN “Smart” cards – dynamic password – one-time only (strongest protection against unauthorized access to a network)
Controls for Passive Threats
• Fault-Tolerant Systems
– monitoring & redundancy
• Network communications (dup. communication paths)
• CPU processors (watchdog processor)
• DASDs (read-after-write checks, bad-sector lockouts, disk mirroring or shadowing)
• Power supply (uninterruptible power supply (UPS))
• Individual transactions (rollback processing / database shadowing)
• Correcting Faults: File Back-ups
– (Over 50% of individuals do not properly back-up their files)
– Full back up, incremental or differential back up
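Added example (not part of the original notes): what each of the three back-up types copies on a given night, and which back-up sets must still be readable to restore. It assumes a full back-up on night 0 and the standard definitions (incremental = changed since the last back-up of any kind, differential = changed since the last full back-up); file names and set labels are constructed.

```python
def nightly_sets(all_files, daily_changes):
    """Files copied each night (night 1, 2, ...) under each back-up type."""
    plan = {"full": [], "incremental": [], "differential": []}
    changed_since_full = set()
    for changed_today in daily_changes:
        changed_since_full |= changed_today
        plan["full"].append(set(all_files))                   # everything, every night
        plan["incremental"].append(set(changed_today))        # since last back-up
        plan["differential"].append(set(changed_since_full))  # since last full
    return plan

def restore_chain(scheme, night):
    """Back-up sets needed to restore the state as of `night` (1-based)."""
    if scheme == "full":
        return [f"full@{night}"]
    if scheme == "incremental":
        return ["full@0"] + [f"incr@{n}" for n in range(1, night + 1)]
    if scheme == "differential":
        return ["full@0", f"diff@{night}"]
    raise ValueError(f"unknown back-up type: {scheme}")

def restorable(scheme, night, unreadable):
    """False if any set in the restore chain is damaged or missing."""
    return not any(s in unreadable for s in restore_chain(scheme, night))

# Constructed sample: four files, three days of changes after the night-0 full back-up.
FILES = {"ledger.db", "payroll.db", "ar.db", "config.ini"}
CHANGES = [{"ledger.db"}, {"payroll.db"}, {"ledger.db", "ar.db"}]

def summary():
    """Files copied per night for each type: smaller nightly copies, longer chains."""
    plan = nightly_sets(FILES, CHANGES)
    return {scheme: [len(s) for s in nights] for scheme, nights in plan.items()}

if __name__ == "__main__":
    print(summary())
    # One bad incremental tape breaks every later restore; a differential does not.
    print(restorable("incremental", 3, {"incr@2"}))
    print(restorable("differential", 3, {"diff@2"}))
```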
Internet Security
• Intranets
• Firewalls
• Reject incoming packets of data that do not originate from pre-approved IP addresses
• Encryption
Encryption
• Encryption is the transformation of input data (referred to as plain text or cleartext) into cipher text using a cryptographic technique
• Secret-Key Encryption - A single private key is used for both encryption and decryption. The DES (data encryption standard) is probably the most widely used private-key encryption algorithm
• Public Key Encryption - 2 keys -- a public key that everyone knows, and a private key that only one person knows. Each key unlocks the code that the other makes. RSA is a well-known public-key encryption algorithm
• Double-Key Encryption - Uses elements of both private-key & public-key encryption
Disaster Risk Management
• Preventing Disasters
• Contingency Planning
– Disaster Recovery & Business Resumption
– Assess Critical Needs
• List Priorities for Recovery
Recovery Strategies & Procedures
• Emergency Response Center
• Escalation Procedures
• Alternate Processing Arrangements
– hot site (dedicated contingency facility)
– warm site
– cold site (empty shell)
– service bureau (may be good for small companies) - Comdisco
– Shared contingency agreement / reciprocal disaster agreement
• Personnel Relocation / Replacement
• Salvage Plan
• Testing & Maintaining the System
Seg. of Duties in Data Processing
• Systems Analysts
• Database Administrators
• Programmers
• Computer Operators
• Librarian
• Data Control Group
• Most critical – separate developing applications from those operating apps – WHY???