INFORMATION SYSTEMS @ X

Managing IT Security

INFO420: Managing the IT Function

Objectives

• Information Security
  - The Threats
  - Scope of Security Management
  - Security's Five Pillars
  - Tools for Computer Security
• Business Continuity

Information Security

• Information security is more than just protecting hardware and software from being crashed
• It's about protecting the information resources that keep the company operating
• Goals are to ensure:
  - Data integrity, availability and confidentiality
  - Business continuity

Threats from outside

Common Attacks - Corporate

• Virus/Worm: A computer program that appears to perform a legitimate task, but is hidden malware
  > E.g., wipe out a hard drive; send out an unauthorized email, etc.
  > Samy
• Sniffing: Interception and reading of electronic messages as they travel over the Internet
  > E.g., copy passwords, or credit card information
• Denial of Service: Attacks from coordinated computers that flood a site with so many requests that the site crashes
  > Thousands of page requests/minute on an ecommerce site (virus as well)

Common Attacks - Personal

• Spoofing: Masquerade as a legitimate web site and redirect traffic to a fraudulent site
• Con artists: Calling to offer a credit card account to obtain info about email, SSN, etc.
• Phishing or Fishing: Fraudulent email attempt to obtain sensitive information
  > E.g., an email notifying a bank account owner that his/her account had a security breach, and requesting the owner to log in to a fraudulent website to reset the password

Threats from inside


• Employee illegally accesses email accounts
• Angry / misguided technical personnel:
  - Deletes sensitive data
  - Rewrites a program so data is corrupted/company can't operate
  - Leaves a cyber "bomb" that detonates in the event he/she is fired
• Employee steals sensitive data (customer) and sells it to a competitor

Many dimensions of security

• Data security
• Application and OS security
• Network security
• Facility security
• Egress security should be enforced

Catch me if you can

• Why are criminals able to carry out identity theft?
• What can credit card companies do to prevent this?
• Individuals?

Security's Five Pillars

• Authentication: Verifying the authenticity of users, ensuring people are who they say they are.
  > ID/Password, biometric, questions
• Identification: Identifying users to grant them appropriate access
  > Allowing the system to know who someone is to give appropriate access rights
• Privacy: Protecting information from being seen
  > E.g., against spyware installed on a computer without consent to collect information

Security's Five Pillars

• Integrity: Keeping information in its original form
  > Ensuring data is not altered in any way
• Non-repudiation: Preventing parties from denying actions they have taken
  > Ensuring that the parties in a transaction are who they say they are and cannot deny that the transaction took place

Technical Countermeasures

• Firewalls: hardware/software to control access between networks / blocking unwanted access
  > Windows Vista
• Encryption/decryption: Using an algorithm (cipher) to make plain text unreadable to anyone who does not have a key
  > SSL

Technical Countermeasures

• Virtual Private Networks (VPNs)
  - Allow strong protection for data communications
  - Cheaper than private networks, but do not provide 100% end-to-end security

Encryption / SSL

• An SSL Certificate enables encryption of sensitive information during online transactions.
• Each SSL Certificate contains unique, authenticated information about the certificate owner.
• A Certificate Authority verifies the identity of the certificate owner when it is issued.
• Each SSL Certificate consists of a public key and a private key. Public key: scramble; Private Key: unscramble
• Secure Sockets Layer handshake authenticates the server (Web site) and the client (Web browser).
• Unique session key established and secure transmission can begin.
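
A toy model of the steps on this slide, added here as an illustration and not part of the original deck: a CA signs the owner's name and public key, the browser checks that signature, then scrambles a random secret with the public key so only the private-key holder can recover it and both sides derive the same session key. It uses unpadded textbook RSA on small constructed primes and authenticates only the server; the function names and `shop.example.test` are assumptions.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent

def keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public n, private d)."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))

def digest(owner, server_n, modulus):
    """Hash the certificate body (owner name + public key) into an integer."""
    body = f"{owner}|{server_n}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % modulus

def issue_certificate(owner, server_n, ca_n, ca_d):
    """CA side: sign the binding between the owner's name and public key."""
    sig = pow(digest(owner, server_n, ca_n), ca_d, ca_n)
    return {"owner": owner, "public_key": server_n, "signature": sig}

def certificate_is_valid(cert, expected_owner, ca_n):
    """Browser side: the name must match the site and the CA signature must verify."""
    expected = digest(cert["owner"], cert["public_key"], ca_n)
    signed_by_ca = pow(cert["signature"], E, ca_n) == expected
    return cert["owner"] == expected_owner and signed_by_ca

def handshake(cert, expected_owner, ca_n, server_d):
    """Return (client_key, server_key), or None if the certificate is rejected."""
    if not certificate_is_valid(cert, expected_owner, ca_n):
        return None
    server_n = cert["public_key"]
    secret = secrets.randbelow(server_n - 2) + 2     # client's random secret
    scrambled = pow(secret, E, server_n)             # public key: scramble
    recovered = pow(scrambled, server_d, server_n)   # private key: unscramble
    derive = lambda s: hashlib.sha256(str(s).encode()).hexdigest()
    return derive(secret), derive(recovered)

# Constructed demo values: Mersenne primes, far too small for real use.
CA_N, CA_D = keypair(2**61 - 1, 2**127 - 1)
SRV_N, SRV_D = keypair(2**89 - 1, 2**107 - 1)
CERT = issue_certificate("shop.example.test", SRV_N, CA_N, CA_D)

if __name__ == "__main__":
    client_key, server_key = handshake(CERT, "shop.example.test", CA_N, SRV_D)
    print("session keys match:", client_key == server_key)
    # A certificate whose public key was swapped no longer matches the CA signature.
    forged = dict(CERT, public_key=keypair(2**31 - 1, 2**61 - 1)[0])
    print("forged accepted:", certificate_is_valid(forged, "shop.example.test", CA_N))
```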

Business Continuity

• Earlier: technical disaster recovery
• 9/11 and Katrina: business continuity
• Alternate workspace for people with working computers and communications
• Backup IT sites (business programs and data)
• Backup mobile devices with corporate information
• Up-to-date evacuation plans and drills
• Disaster recovery support (emergency procedures, etc.)
