
Chapter 8

Securing Information Systems

2009 Pearson Education Canada


Management Information Systems


LEARNING OBJECTIVES

Analyze why information systems need special protection from destruction, error, and abuse.
Assess the business value of security and control.
Design an organizational framework for security and control.
Evaluate the most important tools and technologies for safeguarding information resources.



SYSTEM VULNERABILITY AND ABUSE

Definitions
Security: the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems
Controls: methods to ensure the safety of assets, the reliability of records and adherence to standards


Contemporary Security Challenges and Vulnerabilities

The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.

Figure 8-1



Internet vulnerabilities
Vulnerable to outside attacks
Abuses can have widespread impact
E-mail increases system vulnerability

Wireless security challenges


The service set identifiers (SSIDs) identifying the access points are broadcast repeatedly and can be picked up by intruders
WEP is not always effective


Malicious Software Programs (Malware)


Computer viruses: Rogue software programs that attach to other programs in order to be executed, usually without user knowledge or permission
Deliver a payload
Can spread by email attachments


Malicious Software Programs (Malware) (continued)

Worms: Programs that copy themselves from one computer to another over networks
Can destroy data and programs, and halt the operation of computer networks


Malicious Software Programs (Malware) (continued)


Trojan Horse: A software program that appears to be benign, but then does something unexpected
Often transports a virus into a computer system
Name is based on the Greek ruse during the Trojan War


Hackers and Cybervandalism


Hackers: individuals who attempt to gain unauthorized access to a computer system
Cracker: a hacker with criminal intent
Cybervandalism: intentional disruption, defacement, or destruction of a Web site or system


Spoofing
masquerading as someone else, or redirecting a Web link to an unintended address

Sniffing
an eavesdropping program that monitors information travelling over a network


Denial of Service (DoS) Attacks


Hackers flood a server with false communications in order to crash the system
Botnets may be used


Computer Crime: violation of criminal law that involves a knowledge of technology for perpetration, investigation, or prosecution

Identity theft
A crime in which the imposter obtains key pieces of personal information

Phishing
Setting up fake Web sites or sending email messages that look legitimate, and using them to ask for confidential data

Computer Crime (continued)


Click fraud: Bogus clicks to drive up pay-per-click charges
Cyberterrorism and Cyberwarfare: Exploitation of systems by terrorists
Internal Threats: Employees
Software vulnerability



Business Value of Security and Control

Inadequate security and control may create serious legal liability.
Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly litigation for data exposure or theft.
A sound security and control framework that protects business information assets can thus produce a high return on investment.



Establishing a Framework for Security and Control

Risk Assessment
Determine level of risk to the firm in the case of improper controls

Security policy
Chief Security Officer (CSO)
Acceptable Use Policy (AUP)
Authorization policies
Authorization management systems

Ensuring business continuity
Fault-tolerant computer systems
High-availability computing
Recovery-oriented computing
Disaster recovery planning and business continuity planning
Security outsourcing
The role of auditing



TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL

Access controls: Consist of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders
Authentication: the ability to know that a person is who she or he claims to be
Passwords, tokens, biometric authentication
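Password authentication is the most common of the three methods listed, and the practical question is how to check a password without keeping a copy of it. The following is an added example (not from the textbook): the stored record holds only a per-user random salt and a slow PBKDF2-HMAC-SHA256 hash, the check recomputes the hash with the stored parameters, and the comparison is done in constant time so response timing does not leak how many bytes matched. The iteration count is an assumption chosen for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 300_000  # assumption: PBKDF2-HMAC-SHA256 work factor chosen for this example


def create_password_record(password: str) -> dict:
    """Store a salted, deliberately slow hash instead of the password itself."""
    salt = os.urandom(16)  # fresh random salt per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2_sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    record = create_password_record("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "Tr0ub4dor&3"))                   # False
```

Storing the algorithm name and iteration count alongside the hash is what lets the work factor be raised later: old records keep verifying with their own parameters and can be re-hashed at the next successful login.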


Firewalls, Intrusion Detection Systems, and Antivirus Software

Firewalls: Hardware and software controlling the flow of incoming and outgoing network traffic
Packet filtering examines selected fields in the headers of data packets flowing back and forth between the network and the Internet
Stateful inspection provides additional security by determining whether packets are part of an ongoing dialogue between a sender and receiver
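The difference between the two firewall techniques is easiest to see on concrete packets. Below is an added example (not from the textbook) that models both: `packet_filter` decides from header fields alone, so the only way it can let web replies back in is a rule of the form "source port 80/443 with ACK set", and any inbound packet shaped that way passes; `StatefulFirewall` records each connection opened from inside and admits inbound traffic only when it is the reverse of a recorded conversation. The addresses, ports and the `Packet` class are constructed for the example.

```python
from dataclasses import dataclass, field

INTERNAL_PREFIX = "10.0.0."  # constructed: the corporate LAN
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN"} or {"ACK"}


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def packet_filter(pkt: Packet) -> str:
    """Stateless packet filter: every decision is made from this packet's header alone."""
    # Rule 1: internal hosts may open web connections to the Internet.
    if is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip) and pkt.dst_port in WEB_PORTS:
        return "allow"
    # Rule 2: replies from web servers arrive with source port 80/443 and ACK set.
    # Having no memory of connections, the filter can only recognise replies by their
    # shape, so an unrelated inbound packet with the same shape is admitted as well.
    if not is_internal(pkt.src_ip) and pkt.src_port in WEB_PORTS and "ACK" in pkt.flags:
        return "allow"
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remembers conversations started from inside, admits only their replies."""

    def __init__(self) -> None:
        self.connections = set()  # (src_ip, src_port, dst_ip, dst_port) of outbound sessions

    def inspect(self, pkt: Packet) -> str:
        if is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip) and pkt.dst_port in WEB_PORTS:
            if "SYN" in pkt.flags:  # a new outbound connection: record it
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound traffic is allowed only as the reverse direction of a recorded conversation.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if reverse in self.connections else "deny"


# Constructed traffic: one genuine web session, plus an inbound packet that merely looks like a reply.
OUTBOUND_SYN = Packet("10.0.0.5", 51000, "203.0.113.10", 443, frozenset({"SYN"}))
GENUINE_REPLY = Packet("203.0.113.10", 443, "10.0.0.5", 51000, frozenset({"SYN", "ACK"}))
LOOKS_LIKE_REPLY = Packet("198.51.100.7", 80, "10.0.0.5", 8080, frozenset({"ACK"}))


def compare_filters() -> dict:
    """Run the same packets, in order, through both filters and return each verdict."""
    stateful = StatefulFirewall()
    results = {}
    for name, pkt in (("outbound_syn", OUTBOUND_SYN),
                      ("genuine_reply", GENUINE_REPLY),
                      ("looks_like_reply", LOOKS_LIKE_REPLY)):
        results[name] = {"stateless": packet_filter(pkt), "stateful": stateful.inspect(pkt)}
    return results


if __name__ == "__main__":
    for name, verdicts in compare_filters().items():
        print(f"{name:18} stateless={verdicts['stateless']:5}  stateful={verdicts['stateful']}")
```

Both filters pass the outbound connection and its genuine reply; only the stateful one denies the third packet, because no inside host ever opened a session to 198.51.100.7. Real stateful firewalls also expire table entries and track TCP state transitions, which this model omits.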


Intrusion Detection Systems


Full-time monitoring tools placed at the most vulnerable points of the corporate networks to detect and deter intruders

Antivirus and Antispyware


Checks computer systems for viruses


Encryption

Coding and scrambling of messages to prevent unauthorized access to, or understanding of, the data being transmitted


Encryption (continued)

Public key encryption:


Uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key


Public Key Encryption

A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient's public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.

Figure 8-7

Public Key Infrastructure

Public Key Infrastructure (PKI): Use of public key cryptography working with a certificate authority



MANAGEMENT OPPORTUNITIES, CHALLENGES, AND SOLUTIONS

Solution Guidelines:
Security and control must become a more visible and explicit priority and area of information systems investment
Support and commitment from top management is required to show that security is indeed a corporate priority and vital to all aspects of the business
Security and control should be the responsibility of everyone in the organization
