尊敬的 微信汇率:1円 ≈ 0.046166 元 支付宝汇率:1円 ≈ 0.046257元 [退出登录]
SlideShare a Scribd company logo

9 - Security

Download as PPTX, PDF
Raymond Gao
Raymond Gao

This document discusses information security and vulnerabilities in information systems. It covers why security is important, common threats like hacking, and security strategies. Specific vulnerabilities discussed include issues with networks, wireless access, malware, social engineering, software vulnerabilities, and insider threats. Frameworks for establishing security controls are also summarized, including general and application controls.

Education
1 of 56
Management Information Systems BCO-216 Fall 2014 (Security) Raymond Gao, MBA
Agenda • (1st half) – Why is Security so important? – Different Threats: Hacking and Penetrations – Security Strategies • (2nd half) – 101 China’s Cyber Warriors
A Day in the Life of IT Security
Learning Objectives • Explain why information systems are vulnerable to destruction, error, and abuse. • Describe the business value of security and control. • Describe the components of an organizational framework for security and control. • Describe the tools and technologies used for safeguarding information resources.
• Security: System Vulnerability and Abuse – Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems • Controls: – Methods, policies, and organizational procedures that ensure safety of organization’s assets; accuracy and reliability of its accounting records; and operational adherence to management standards
• Why systems are vulnerable – Accessibility of networks System Vulnerability and Abuse – Hardware problems (breakdowns, configuration errors, damage from improper use or crime) – Software problems (programming errors, installation errors, unauthorized changes) – Disasters – Use of networks/computers outside of firm’s control – Loss and theft of portable devices
CONTEMPORARY SECURITY CHALLENGES AND VULNERABILITIES The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network. FIGURE 8-1
• Internet vulnerabilities System Vulnerability and Abuse – Network open to anyone – Size of Internet means abuses can have wide impact – Use of fixed Internet addresses with cable / DSL modems creates fixed targets for hackers – Unencrypted VOIP – E-mail, P2P, IM • Interception • Attachments with malicious software • Transmitting trade secrets
• Wireless security challenges System Vulnerability and Abuse – Radio frequency bands easy to scan – SSIDs (service set identifiers) • Identify access points • Broadcast multiple times • Can be identified by sniffer programs • War driving – Eavesdroppers drive by buildings and try to detect SSID and gain access to network and resources • Once access point is breached, intruder can use OS to access networked drives and files
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization. FIGURE 8-2 WI-FI SECURITY CHALLENGES
• Malware (malicious software)* – Viruses* System Vulnerability and Abuse • Rogue software program that attaches itself to other software programs or data files in order to be executed – Worms* • Independent programs that copy themselves from one computer to other computers over a network. – Worms and viruses spread by • Downloads (drive-by downloads) • E-mail, IM attachments • Downloads on Web sites and social networks
• Malware (cont.) – Smartphones as vulnerable as computers • Study finds 13,000 types of smartphone malware – Trojan horses • Software that appears benign but does something other than expected – SQL injection attacks (Website / Corp relevant) • Hackers submit data to Web forms that exploits site’s unprotected software and sends rogue SQL query to database System Vulnerability and Abuse
• Malware (cont.) – Spyware System Vulnerability and Abuse • Small programs install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising • Key loggers – Record every keystroke on computer to steal serial numbers, passwords, launch Internet attacks • Other types: – Reset browser home page – Redirect search requests – Slow computer performance by taking up memory
• Hackers and computer crime – Hackers vs. crackers – Activities include: • System intrusion • System damage • Cybervandalism System Vulnerability and Abuse – Intentional disruption, defacement, destruction of Web site or corporate information system
• Spoofing* System Vulnerability and Abuse* – Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else – Redirecting Web link to address different from intended one, with site masquerading as intended destination • Sniffer* – Eavesdropping program that monitors information traveling over network – Enables hackers to steal proprietary information such as e-mail, company files, and so on
System Vulnerability and Abuse • Denial-of-service attacks (DoS)* – Flooding server with thousands of false requests to crash the network • Distributed denial-of-service attacks (DDoS)* – Use of numerous computers to launch a DoS – Botnets • Networks of “zombie” PCs infiltrated by bot malware • Deliver 90% of world spam, 80% of world malware • Grum botnet: controlled 560K to 840K computers
• Computer crime System Vulnerability and Abuse – Defined as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution” – Computer may be target of crime, for example: • Breaching confidentiality of protected computerized data • Accessing a computer system without authority – Computer may be instrument of crime, for example: • Theft of trade secrets • Using e-mail for threats or harassment
• Identity theft* System Vulnerability and Abuse – Theft of personal Information (social security ID, driver’s license, or credit card numbers) to impersonate someone else • Phishing* – Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data. • Evil twins – Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
• Pharming System Vulnerability and Abuse – Redirects users to a bogus Web page, even when individual types correct Web page address into his or her browser • Click fraud – Occurs when individual or computer program fraudulently clicks on online ad without any intention of learning more about the advertiser or making a purchase • Cyberterrorism and Cyberwarfare
Stuxnet and the Changing Face of Cyberwarfare • Is cyberwarfare a serious problem? Why or why not? • Assess the management, organization, and technology factors that have created this problem. • What makes Stuxnet different from other cyberwarfare attacks? How serious a threat is this technology? • What solutions have been proposed for this problem? Do you think they will be effective? Why or why not?
• Internal threats: Employees System Vulnerability and Abuse – Security threats often originate inside an organization – Inside knowledge – Sloppy security procedures • User lack of knowledge – Social engineering: • Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
• Software vulnerability System Vulnerability and Abuse – Commercial software contains flaws that create security vulnerabilities • Hidden bugs (program code defects) – Zero defects cannot be achieved because complete testing is not possible with large programs • Flaws can open networks to intruders – Patches • Small pieces of software to repair flaws • Exploits often created faster than patches can be released and implemented
Business Value of Security and Control • Failed computer systems can lead to significant or total loss of business function. • Firms now are more vulnerable than ever. – Confidential personal and financial data – Trade secrets, new products, strategies • A security breach may cut into a firm’s market value almost immediately. • Inadequate security and controls also bring forth issues of liability.
Business Value of Security and Control • Legal and regulatory requirements for electronic records management and privacy protection – HIPAA: Medical security and privacy rules and procedures – Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security and confidentiality of customer data – Sarbanes-Oxley Act: Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
• Electronic evidence Business Value of Security and Control – Evidence for white collar crimes often in digital form • Data on computers, e-mail, instant messages, e-commerce transactions – Proper control of data can save time and money when responding to legal discovery request • Computer forensics: – Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law – Includes recovery of ambient and hidden data
Establishing a Framework for Security and Control • Information systems controls – Manual and automated controls – General and application controls • General controls – Govern design, security, and use of computer programs and security of data files in general throughout organization’s information technology infrastructure – Apply to all computerized applications – Combination of hardware, software, and manual procedures to create overall control environment
Establishing a Framework for Security and Control • Types of general controls* – Software controls – Hardware controls – Computer operations controls – Data security controls – Implementation controls – Administrative controls
Establishing a Framework for Security and Control • Application controls – Specific controls unique to each computerized application, such as payroll or order processing – Include both automated and manual procedures – Ensure that only authorized data are completely and accurately processed by that application – Include: • Input controls • Processing controls • Output controls
Establishing a Framework for Security and Control • Risk assessment: Determines level of risk to firm if specific activity or process is not properly controlled • Types of threat • Probability of occurrence during year • Potential losses, value of threat • Expected annual loss EXPOSURE PROBABILITY LOSS RANGE (AVG) EXPECTED ANNUAL LOSS Power failure 30% $5K–$200K ($102,500) $30,750 Embezzlement 5% $1K–$50K ($25,500) $1,275 User error 98% $200–$40K ($20,100) $19,698
• Security policy Establishing a Framework for Security and Control – Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals – Drives other policies • Acceptable use policy (AUP) – Defines acceptable uses of firm’s information resources and computing equipment • Authorization policies – Determine differing levels of user access to information assets
Establishing a Framework for Security and Control • Identity management – Business processes and tools to identify valid users of system and control access • Identifies and authorizes different categories of users • Specifies which portion of system users can access • Authenticating users and protects identities – Identity management systems • Captures access rules for different levels of users
These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization. FIGURE 8-3 SECURITY PROFILES FOR A PERSONNEL SYSTEM
Establishing a Framework for Security and Control • Disaster recovery (DR) planning*: Devises plans for restoration of disrupted services • Business continuity planning: Focuses on restoring business operations after disaster – Both types of plans needed to identify firm’s most critical systems – Business impact analysis to determine impact of an outage – Management must determine which systems restored first
• MIS audit Establishing a Framework for Security and Control – Examines firm’s overall security environment as well as controls governing individual information systems – Reviews technologies, procedures, documentation, training, and personnel. – May even simulate disaster to test response of technology, IS staff, other employees – Lists and ranks all control weaknesses and estimates probability of their occurrence – Assesses financial and organizational impact of each threat
SAMPLE AUDITOR’S LIST OF CONTROL WEAKNESSES This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.
Technologies and Tools for Protecting Information Resources • Identity management software – Automates keeping track of all users and privileges – Authenticates users, protecting identities, controlling access • Authentication – Password systems – Tokens – Smart cards – Biometric authentication
Technologies and Tools for Protecting Information Resources • Firewall: – Combination of hardware and software that prevents unauthorized users from accessing private networks – Technologies include: • Static packet filtering • Stateful inspection • Network address translation (NAT) • Application proxy filtering
The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against unauthorized traffic. FIGURE 8-5 A CORPORATE FIREWALL
Technologies and Tools for Protecting Information Resources • Intrusion detection systems: – Monitors hot spots on corporate networks to detect and deter intruders – Examines events as they are happening to discover attacks in progress • Antivirus and antispyware software: – Checks computers for presence of malware and can often eliminate it as well – Requires continual updating • Unified threat management (UTM) systems
Technologies and Tools for Protecting Information Resources • Securing wireless networks – WEP security can provide some security by: • Assigning unique name to network’s SSID and not broadcasting SSID • Using it with VPN technology – Wi-Fi Alliance finalized WAP2 specification, replacing WEP with stronger standards • Continually changing keys • Encrypted authentication system with central server
Technologies and Tools for Protecting Information Resources • Encryption: – Transforming text or data into cipher text that cannot be read by unintended recipients – Two methods for encryption on networks • Secure Sockets Layer (SSL) and successor Transport Layer Security (TLS) • Secure Hypertext Transfer Protocol (S-HTTP)
Technologies and Tools for Protecting Information Resources • Two methods of encryption – Symmetric key encryption • Sender and receiver use single, shared key – Public key encryption • Uses two, mathematically related keys: Public key and private key • Sender encrypts message with recipient’s public key • Recipient decrypts with private key
A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient’s public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message. FIGURE 8-6 PUBLIC KEY ENCRYPTION
Technologies and Tools for Protecting Information Resources • Digital certificate: – Data file used to establish the identity of users and electronic assets for protection of online transactions – Uses a trusted third party, certification authority (CA)*, to validate a user’s identity – CA verifies user’s identity, stores information in CA server, which generates encrypted digital certificate containing owner ID information and copy of owner’s public key • Public key infrastructure (PKI)* – Use of public key cryptography working with certificate authority – Widely used in e-commerce
Digital certificates help establish the identity of people or electronic assets. They protect online transactions by providing secure, encrypted, online communication. FIGURE 8-7 DIGITAL CERTIFICATES
Technologies and Tools for Protecting Information Resources • Ensuring system availability – Online transaction processing requires 100% availability, no downtime • Fault-tolerant computer systems – For continuous availability, for example, stock markets – Contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service • High-availability computing – Helps recover quickly from crash – Minimizes, does not eliminate, downtime
Technologies and Tools for Protecting Information Resources • Recovery-oriented computing – Designing systems that recover quickly with capabilities to help operators pinpoint and correct faults in multi-component systems • Controlling network traffic – Deep packet inspection (DPI) • Video and music blocking • Security outsourcing – Managed security service providers (MSSPs)
Technologies and Tools for Protecting Information Resources • Security in the cloud – Responsibility for security resides with company owning the data – Firms must ensure providers provides adequate protection: • Where data are stored • Meeting corporate requirements, legal privacy laws • Segregation of data from other clients • Audits and security certifications – Service level agreements (SLAs)*
Technologies and Tools for Protecting Information Resources • Securing mobile platforms – Security policies should include and cover any special requirements for mobile devices • Guidelines for use of platforms and applications – Mobile device management tools • Authorization • Inventory records • Control updates • Lock down/erase lost devices • Encryption – Software for segregating corporate data on devices
How Secure Is Your Smartphone? • It has been said that a smartphone is a microcomputer in your hand. Discuss the security implications of this statement. • What management, organizational, and technology issues must be addressed by smartphone security? • What problems do smartphone security weaknesses cause for businesses? • What steps can individuals and businesses take to make their smartphones more secure?
Technologies and Tools for Protecting Information Resources • Ensuring software quality – Software metrics: Objective assessments of system in form of quantified measurements • Number of transactions • Online response time • Payroll checks printed per hour • Known bugs per hundred lines of code – Early and regular testing – Walkthrough: Review of specification or design document by small group of qualified people – Debugging: Process by which errors are eliminated
2nd Half China’s Cyber Warriors
China’s Cyber Warriors
THANK YOU! email: raymond.gao@euruni.edu Twitter: @raygao
Miscellaneous
The NSA

Recommended

System vulnerability and abuse
System vulnerability and abuseSystem vulnerability and abuse
System vulnerability and abuse
Prakash Raval
 
System Vulnerability and Abuse
System Vulnerability and AbuseSystem Vulnerability and Abuse
System Vulnerability and Abuse
Albrecht Jones
 
Security Basics
Security BasicsSecurity Basics
Security Basics
Rishi Prasath
 
Basic practices for information & computer security
Basic practices for information & computer securityBasic practices for information & computer security
Basic practices for information & computer security
PrajktaGN
 
Computer security and
Computer security andComputer security and
Computer security and
Rana Usman Sattar
 
Basic concepts in computer security
Basic concepts in computer securityBasic concepts in computer security
Basic concepts in computer security
Arzath Areeff
 
Phishing, Pharming, and the latest potholes on the Information Highway
Phishing, Pharming, and the latest potholes on the Information HighwayPhishing, Pharming, and the latest potholes on the Information Highway
Phishing, Pharming, and the latest potholes on the Information Highway
Kevin Lim
 
Threats to information security
Threats to information securityThreats to information security
Threats to information security
swapneel07
 

Recommended

System vulnerability and abuse
System vulnerability and abuseSystem vulnerability and abuse
System vulnerability and abuse
Prakash Raval
 
System Vulnerability and Abuse
System Vulnerability and AbuseSystem Vulnerability and Abuse
System Vulnerability and Abuse
Albrecht Jones
 
Security Basics
Security BasicsSecurity Basics
Security Basics
Rishi Prasath
 
Basic practices for information & computer security
Basic practices for information & computer securityBasic practices for information & computer security
Basic practices for information & computer security
PrajktaGN
 
Computer security and
Computer security andComputer security and
Computer security and
Rana Usman Sattar
 
Basic concepts in computer security
Basic concepts in computer securityBasic concepts in computer security
Basic concepts in computer security
Arzath Areeff
 
Phishing, Pharming, and the latest potholes on the Information Highway
Phishing, Pharming, and the latest potholes on the Information HighwayPhishing, Pharming, and the latest potholes on the Information Highway
Phishing, Pharming, and the latest potholes on the Information Highway
Kevin Lim
 
Threats to information security
Threats to information securityThreats to information security
Threats to information security
swapneel07
 
Computer Security risks Shelly
Computer Security risks ShellyComputer Security risks Shelly
Computer Security risks Shelly
Adeel Khurram
 
BASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESSBASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESS
Md Abu Syeem Dipu
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basics
anandraje
 
06. security concept
06. security concept06. security concept
06. security concept
Muhammad Ahad
 
Basic Security Concepts of Computer
Basic Security Concepts of ComputerBasic Security Concepts of Computer
Basic Security Concepts of Computer
Faizan Janjua
 
Threats to information security
Threats to information securityThreats to information security
Threats to information security
arun alfie
 
Computer security risks
Computer security risksComputer security risks
Computer security risks
Aasim Mushtaq
 
4.2.1 computer security risks
4.2.1 computer security risks4.2.1 computer security risks
4.2.1 computer security risks
hazirma
 
CH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and PrivacyCH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and Privacy
malik1972
 
5 Security Tips to Protect Your Login Credentials and More
5 Security Tips to Protect Your Login Credentials and More5 Security Tips to Protect Your Login Credentials and More
5 Security Tips to Protect Your Login Credentials and More
Community IT Innovators
 
Viruses (Lecture) IT Slides # 3
Viruses (Lecture) IT Slides # 3Viruses (Lecture) IT Slides # 3
Viruses (Lecture) IT Slides # 3
Muhammad Talha Zaroon
 
Computer Security and Ethics
Computer Security and EthicsComputer Security and Ethics
Computer Security and Ethics
Mohsin Riaz
 
Unauthorized access and use
Unauthorized access and useUnauthorized access and use
Unauthorized access and use
chrispaul8676
 
Basic Security Computere
Basic Security ComputereBasic Security Computere
Basic Security Computere
rashmi1234
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
Vibrant Event
 
Security concepts
Security conceptsSecurity concepts
Security concepts
artisriva
 
Computer Security 101
Computer Security 101Computer Security 101
Computer Security 101
Progressive Integrations
 
Managing and securing the enterprise
Managing and securing the enterpriseManaging and securing the enterprise
Managing and securing the enterprise
Abha Damani
 
11 Computer Privacy
11 Computer Privacy11 Computer Privacy
11 Computer Privacy
Saqib Raza
 
Application of security computer
Application of security computerApplication of security computer
Application of security computer
ibrahimzubairu2003
 
Chapter-2 (1).pptx
Chapter-2 (1).pptxChapter-2 (1).pptx
Chapter-2 (1).pptx
PaulaRodalynMateo1
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
Mohamed Madar
 

More Related Content

What's hot

Computer Security risks Shelly
Computer Security risks ShellyComputer Security risks Shelly
Computer Security risks Shelly
Adeel Khurram
 
BASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESSBASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESS
Md Abu Syeem Dipu
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basics
anandraje
 
06. security concept
06. security concept06. security concept
06. security concept
Muhammad Ahad
 
Basic Security Concepts of Computer
Basic Security Concepts of ComputerBasic Security Concepts of Computer
Basic Security Concepts of Computer
Faizan Janjua
 
Threats to information security
Threats to information securityThreats to information security
Threats to information security
arun alfie
 
Computer security risks
Computer security risksComputer security risks
Computer security risks
Aasim Mushtaq
 
4.2.1 computer security risks
4.2.1 computer security risks4.2.1 computer security risks
4.2.1 computer security risks
hazirma
 
CH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and PrivacyCH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and Privacy
malik1972
 
5 Security Tips to Protect Your Login Credentials and More
5 Security Tips to Protect Your Login Credentials and More5 Security Tips to Protect Your Login Credentials and More
5 Security Tips to Protect Your Login Credentials and More
Community IT Innovators
 
Viruses (Lecture) IT Slides # 3
Viruses (Lecture) IT Slides # 3Viruses (Lecture) IT Slides # 3
Viruses (Lecture) IT Slides # 3
Muhammad Talha Zaroon
 
Computer Security and Ethics
Computer Security and EthicsComputer Security and Ethics
Computer Security and Ethics
Mohsin Riaz
 
Unauthorized access and use
Unauthorized access and useUnauthorized access and use
Unauthorized access and use
chrispaul8676
 
Basic Security Computere
Basic Security ComputereBasic Security Computere
Basic Security Computere
rashmi1234
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
Vibrant Event
 
Security concepts
Security conceptsSecurity concepts
Security concepts
artisriva
 
Computer Security 101
Computer Security 101Computer Security 101
Computer Security 101
Progressive Integrations
 
Managing and securing the enterprise
Managing and securing the enterpriseManaging and securing the enterprise
Managing and securing the enterprise
Abha Damani
 
11 Computer Privacy
11 Computer Privacy11 Computer Privacy
11 Computer Privacy
Saqib Raza
 
Application of security computer
Application of security computerApplication of security computer
Application of security computer
ibrahimzubairu2003
 

What's hot (20)

Computer Security risks Shelly
Computer Security risks ShellyComputer Security risks Shelly
Computer Security risks Shelly
 
BASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESSBASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESS
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basics
 
06. security concept
06. security concept06. security concept
06. security concept
 
Basic Security Concepts of Computer
Basic Security Concepts of ComputerBasic Security Concepts of Computer
Basic Security Concepts of Computer
 
Threats to information security
Threats to information securityThreats to information security
Threats to information security
 
Computer security risks
Computer security risksComputer security risks
Computer security risks
 
4.2.1 computer security risks
4.2.1 computer security risks4.2.1 computer security risks
4.2.1 computer security risks
 
CH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and PrivacyCH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and Privacy
 
5 Security Tips to Protect Your Login Credentials and More
5 Security Tips to Protect Your Login Credentials and More5 Security Tips to Protect Your Login Credentials and More
5 Security Tips to Protect Your Login Credentials and More
 
Viruses (Lecture) IT Slides # 3
Viruses (Lecture) IT Slides # 3Viruses (Lecture) IT Slides # 3
Viruses (Lecture) IT Slides # 3
 
Computer Security and Ethics
Computer Security and EthicsComputer Security and Ethics
Computer Security and Ethics
 
Unauthorized access and use
Unauthorized access and useUnauthorized access and use
Unauthorized access and use
 
Basic Security Computere
Basic Security ComputereBasic Security Computere
Basic Security Computere
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 
Security concepts
Security conceptsSecurity concepts
Security concepts
 
Computer Security 101
Computer Security 101Computer Security 101
Computer Security 101
 
Managing and securing the enterprise
Managing and securing the enterpriseManaging and securing the enterprise
Managing and securing the enterprise
 
11 Computer Privacy
11 Computer Privacy11 Computer Privacy
11 Computer Privacy
 
Application of security computer
Application of security computerApplication of security computer
Application of security computer
 

Similar to 9 - Security

Chapter-2 (1).pptx
Chapter-2 (1).pptxChapter-2 (1).pptx
Chapter-2 (1).pptx
PaulaRodalynMateo1
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
Mohamed Madar
 
Ethics,security and privacy control
Ethics,security and privacy controlEthics,security and privacy control
Ethics,security and privacy control
Sifat Hossain
 
Session 7 - Management challenges in Information security.ppt
Session 7 - Management challenges in Information security.pptSession 7 - Management challenges in Information security.ppt
Session 7 - Management challenges in Information security.ppt
ENRIQUE EGLESIAS
 
Security and Control.ppt
Security and Control.pptSecurity and Control.ppt
Security and Control.ppt
AfricaRealInformatic
 
Chapter 5 MIS
Chapter 5 MISChapter 5 MIS
Chapter 5 MIS
Amirul Shafiq Ahmad Zuperi
 
Security and control in mis
Security and control in misSecurity and control in mis
Security and control in mis
Gurjit
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for business
Daniel Thomas
 
Enterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurityEnterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurity
Venkat Alagarsamy
 
Week nine- Securing info systems lecture
Week nine- Securing info systems lectureWeek nine- Securing info systems lecture
Week nine- Securing info systems lecture
Aiman Niazi
 
Security & control in management information system
Security & control in management information systemSecurity & control in management information system
Security & control in management information system
Online
 
Security (IM).ppt
Security (IM).pptSecurity (IM).ppt
Security (IM).ppt
GooglePay16
 
Security Architectures and Models.pptx
Security Architectures and Models.pptxSecurity Architectures and Models.pptx
Security Architectures and Models.pptx
RushikeshChikane2
 
Cyber security slideshare_oct_2020
Cyber security slideshare_oct_2020Cyber security slideshare_oct_2020
Cyber security slideshare_oct_2020
Arun Velayudhan
 
Intrusion detection 2001
Intrusion detection 2001Intrusion detection 2001
Intrusion detection 2001
eaiti
 
Network security and firewalls
Network security and firewallsNetwork security and firewalls
Network security and firewalls
Murali Mohan
 
Lecture 5.1.pptx
Lecture 5.1.pptxLecture 5.1.pptx
Lecture 5.1.pptx
Dibyesh1
 
Chapter 13 security and ethical challenges
Chapter 13 security and ethical challengesChapter 13 security and ethical challenges
Chapter 13 security and ethical challenges
Advance Saraswati Prakashan Pvt Ltd
 
css ppt.ppt
css ppt.pptcss ppt.ppt
css ppt.ppt
ShivaTyagi26
 
Chap11
Chap11Chap11
Chap11
Aman Sharma
 

Similar to 9 - Security (20)

Chapter-2 (1).pptx
Chapter-2 (1).pptxChapter-2 (1).pptx
Chapter-2 (1).pptx
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
 
Ethics,security and privacy control
Ethics,security and privacy controlEthics,security and privacy control
Ethics,security and privacy control
 
Session 7 - Management challenges in Information security.ppt
Session 7 - Management challenges in Information security.pptSession 7 - Management challenges in Information security.ppt
Session 7 - Management challenges in Information security.ppt
 
Security and Control.ppt
Security and Control.pptSecurity and Control.ppt
Security and Control.ppt
 
Chapter 5 MIS
Chapter 5 MISChapter 5 MIS
Chapter 5 MIS
 
Security and control in mis
Security and control in misSecurity and control in mis
Security and control in mis
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for business
 
Enterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurityEnterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurity
 
Week nine- Securing info systems lecture
Week nine- Securing info systems lectureWeek nine- Securing info systems lecture
Week nine- Securing info systems lecture
 
Security & control in management information system
Security & control in management information systemSecurity & control in management information system
Security & control in management information system
 
Security (IM).ppt
Security (IM).pptSecurity (IM).ppt
Security (IM).ppt
 
Security Architectures and Models.pptx
Security Architectures and Models.pptxSecurity Architectures and Models.pptx
Security Architectures and Models.pptx
 
Cyber security slideshare_oct_2020
Cyber security slideshare_oct_2020Cyber security slideshare_oct_2020
Cyber security slideshare_oct_2020
 
Intrusion detection 2001
Intrusion detection 2001Intrusion detection 2001
Intrusion detection 2001
 
Network security and firewalls
Network security and firewallsNetwork security and firewalls
Network security and firewalls
 
Lecture 5.1.pptx
Lecture 5.1.pptxLecture 5.1.pptx
Lecture 5.1.pptx
 
Chapter 13 security and ethical challenges
Chapter 13 security and ethical challengesChapter 13 security and ethical challenges
Chapter 13 security and ethical challenges
 
css ppt.ppt
css ppt.pptcss ppt.ppt
css ppt.ppt
 
Chap11
Chap11Chap11
Chap11
 

More from Raymond Gao

System modeling and design
System modeling and designSystem modeling and design
System modeling and design
Raymond Gao
 
2020 Enterprise IT Outlook
2020 Enterprise IT Outlook2020 Enterprise IT Outlook
2020 Enterprise IT Outlook
Raymond Gao
 
Student Presentation - Social Media & E-Commerce (Groupon) / BCO-216
Student Presentation - Social Media & E-Commerce (Groupon) / BCO-216Student Presentation - Social Media & E-Commerce (Groupon) / BCO-216
Student Presentation - Social Media & E-Commerce (Groupon) / BCO-216
Raymond Gao
 
Student Presentation on Cloud Computing (MCO-205)
Student Presentation on Cloud Computing (MCO-205)Student Presentation on Cloud Computing (MCO-205)
Student Presentation on Cloud Computing (MCO-205)
Raymond Gao
 
10 - Project Management
10 - Project Management10 - Project Management
10 - Project Management
Raymond Gao
 
8 E-Commerce
8 E-Commerce8 E-Commerce
8 E-Commerce
Raymond Gao
 
7 - Enterprise IT in Action
7 - Enterprise IT in Action7 - Enterprise IT in Action
7 - Enterprise IT in Action
Raymond Gao
 
5 - Infrastructure and Cloud Computing
5 - Infrastructure and Cloud Computing5 - Infrastructure and Cloud Computing
5 - Infrastructure and Cloud Computing
Raymond Gao
 
4 - Mobiility & Impacts
4 - Mobiility & Impacts4 - Mobiility & Impacts
4 - Mobiility & Impacts
Raymond Gao
 
3 - Social Media and Enterprise
3 - Social Media and Enterprise3 - Social Media and Enterprise
3 - Social Media and Enterprise
Raymond Gao
 
2 - Value Chain & Porter's 5 Forces
2 - Value Chain & Porter's 5 Forces2 - Value Chain & Porter's 5 Forces
2 - Value Chain & Porter's 5 Forces
Raymond Gao
 
1-Intro to MIS
1-Intro to MIS1-Intro to MIS
1-Intro to MIS
Raymond Gao
 
IUT presentation - English
IUT presentation - EnglishIUT presentation - English
IUT presentation - English
Raymond Gao
 
2nd iut presentation - French
2nd iut presentation - French2nd iut presentation - French
2nd iut presentation - French
Raymond Gao
 
5 facets of cloud computing - Presentation to AGBC
5 facets of cloud computing - Presentation to AGBC5 facets of cloud computing - Presentation to AGBC
5 facets of cloud computing - Presentation to AGBC
Raymond Gao
 
Salesforce & SAP Integration
Salesforce & SAP IntegrationSalesforce & SAP Integration
Salesforce & SAP Integration
Raymond Gao
 
Lean Start & Cloud Computing Methodology in French
Lean Start & Cloud Computing Methodology in FrenchLean Start & Cloud Computing Methodology in French
Lean Start & Cloud Computing Methodology in French
Raymond Gao
 
What is CloudSpokes?
What is CloudSpokes?What is CloudSpokes?
What is CloudSpokes?
Raymond Gao
 
Building Social Enterprise with Ruby and Salesforce
Building Social Enterprise with Ruby and SalesforceBuilding Social Enterprise with Ruby and Salesforce
Building Social Enterprise with Ruby and Salesforce
Raymond Gao
 

More from Raymond Gao (19)

System modeling and design
System modeling and designSystem modeling and design
System modeling and design
 
2020 Enterprise IT Outlook
2020 Enterprise IT Outlook2020 Enterprise IT Outlook
2020 Enterprise IT Outlook
 
Student Presentation - Social Media & E-Commerce (Groupon) / BCO-216
Student Presentation - Social Media & E-Commerce (Groupon) / BCO-216Student Presentation - Social Media & E-Commerce (Groupon) / BCO-216
Student Presentation - Social Media & E-Commerce (Groupon) / BCO-216
 
Student Presentation on Cloud Computing (MCO-205)
Student Presentation on Cloud Computing (MCO-205)Student Presentation on Cloud Computing (MCO-205)
Student Presentation on Cloud Computing (MCO-205)
 
10 - Project Management
10 - Project Management10 - Project Management
10 - Project Management
 
8 E-Commerce
8 E-Commerce8 E-Commerce
8 E-Commerce
 
7 - Enterprise IT in Action
7 - Enterprise IT in Action7 - Enterprise IT in Action
7 - Enterprise IT in Action
 
5 - Infrastructure and Cloud Computing
5 - Infrastructure and Cloud Computing5 - Infrastructure and Cloud Computing
5 - Infrastructure and Cloud Computing
 
4 - Mobiility & Impacts
4 - Mobiility & Impacts4 - Mobiility & Impacts
4 - Mobiility & Impacts
 
3 - Social Media and Enterprise
3 - Social Media and Enterprise3 - Social Media and Enterprise
3 - Social Media and Enterprise
 
2 - Value Chain & Porter's 5 Forces
2 - Value Chain & Porter's 5 Forces2 - Value Chain & Porter's 5 Forces
2 - Value Chain & Porter's 5 Forces
 
1-Intro to MIS
1-Intro to MIS1-Intro to MIS
1-Intro to MIS
 
IUT presentation - English
IUT presentation - EnglishIUT presentation - English
IUT presentation - English
 
2nd iut presentation - French
2nd iut presentation - French2nd iut presentation - French
2nd iut presentation - French
 
5 facets of cloud computing - Presentation to AGBC
5 facets of cloud computing - Presentation to AGBC5 facets of cloud computing - Presentation to AGBC
5 facets of cloud computing - Presentation to AGBC
 
Salesforce & SAP Integration
Salesforce & SAP IntegrationSalesforce & SAP Integration
Salesforce & SAP Integration
 
Lean Start & Cloud Computing Methodology in French
Lean Start & Cloud Computing Methodology in FrenchLean Start & Cloud Computing Methodology in French
Lean Start & Cloud Computing Methodology in French
 
What is CloudSpokes?
What is CloudSpokes?What is CloudSpokes?
What is CloudSpokes?
 
Building Social Enterprise with Ruby and Salesforce
Building Social Enterprise with Ruby and SalesforceBuilding Social Enterprise with Ruby and Salesforce
Building Social Enterprise with Ruby and Salesforce
 

Recently uploaded

Contiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptxContiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptx
Kalna College
 
How to Create User Notification in Odoo 17
How to Create User Notification in Odoo 17How to Create User Notification in Odoo 17
How to Create User Notification in Odoo 17
Celine George
 
A Quiz on Drug Abuse Awareness by Quizzito
A Quiz on Drug Abuse Awareness by QuizzitoA Quiz on Drug Abuse Awareness by Quizzito
A Quiz on Drug Abuse Awareness by Quizzito
Quizzito The Quiz Society of Gargi College
 
Interprofessional Education Platform Introduction.pdf
Interprofessional Education Platform Introduction.pdfInterprofessional Education Platform Introduction.pdf
Interprofessional Education Platform Introduction.pdf
Ben Aldrich
 
Decolonizing Universal Design for Learning
Decolonizing Universal Design for LearningDecolonizing Universal Design for Learning
Decolonizing Universal Design for Learning
Frederic Fovet
 
Diversity Quiz Prelims by Quiz Club, IIT Kanpur
Diversity Quiz Prelims by Quiz Club, IIT KanpurDiversity Quiz Prelims by Quiz Club, IIT Kanpur
Diversity Quiz Prelims by Quiz Club, IIT Kanpur
Quiz Club IIT Kanpur
 
220711130082 Srabanti Bag Internet Resources For Natural Science
220711130082 Srabanti Bag Internet Resources For Natural Science220711130082 Srabanti Bag Internet Resources For Natural Science
220711130082 Srabanti Bag Internet Resources For Natural Science
Kalna College
 
Library news letter Kitengesa Uganda June 2024
Library news letter Kitengesa Uganda June 2024Library news letter Kitengesa Uganda June 2024
Library news letter Kitengesa Uganda June 2024
Friends of African Village Libraries
 
INTRODUCTION TO HOSPITALS & AND ITS ORGANIZATION
INTRODUCTION TO HOSPITALS & AND ITS ORGANIZATION INTRODUCTION TO HOSPITALS & AND ITS ORGANIZATION
INTRODUCTION TO HOSPITALS & AND ITS ORGANIZATION
ShwetaGawande8
 
Post init hook in the odoo 17 ERP Module
Post init hook in the odoo 17 ERP ModulePost init hook in the odoo 17 ERP Module
Post init hook in the odoo 17 ERP Module
Celine George
 
Accounting for Restricted Grants When and How To Record Properly
Accounting for Restricted Grants When and How To Record ProperlyAccounting for Restricted Grants When and How To Record Properly
Accounting for Restricted Grants When and How To Record Properly
TechSoup
 
bryophytes.pptx bsc botany honours second semester
bryophytes.pptx bsc botany honours second semesterbryophytes.pptx bsc botany honours second semester
bryophytes.pptx bsc botany honours second semester
Sarojini38
 
Slides Peluncuran Amalan Pemakanan Sihat.pptx
Slides Peluncuran Amalan Pemakanan Sihat.pptxSlides Peluncuran Amalan Pemakanan Sihat.pptx
Slides Peluncuran Amalan Pemakanan Sihat.pptx
shabeluno
 
Non-Verbal Communication for Tech Professionals
Non-Verbal Communication for Tech ProfessionalsNon-Verbal Communication for Tech Professionals
Non-Verbal Communication for Tech Professionals
MattVassar1
 
220711130088 Sumi Basak Virtual University EPC 3.pptx
220711130088 Sumi Basak Virtual University EPC 3.pptx220711130088 Sumi Basak Virtual University EPC 3.pptx
220711130088 Sumi Basak Virtual University EPC 3.pptx
Kalna College
 
Talking Tech through Compelling Visual Aids
Talking Tech through Compelling Visual AidsTalking Tech through Compelling Visual Aids
Talking Tech through Compelling Visual Aids
MattVassar1
 
nutrition in plants chapter 1 class 7...
nutrition in plants chapter 1 class 7...nutrition in plants chapter 1 class 7...
nutrition in plants chapter 1 class 7...
chaudharyreet2244
 
The basics of sentences session 8pptx.pptx
The basics of sentences session 8pptx.pptxThe basics of sentences session 8pptx.pptx
The basics of sentences session 8pptx.pptx
heathfieldcps1
 
8+8+8 Rule Of Time Management For Better Productivity
8+8+8 Rule Of Time Management For Better Productivity8+8+8 Rule Of Time Management For Better Productivity
8+8+8 Rule Of Time Management For Better Productivity
RuchiRathor2
 
220711130095 Tanu Pandey message currency, communication speed & control EPC ...
220711130095 Tanu Pandey message currency, communication speed & control EPC ...220711130095 Tanu Pandey message currency, communication speed & control EPC ...
220711130095 Tanu Pandey message currency, communication speed & control EPC ...
Kalna College
 

Recently uploaded (20)

Contiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptxContiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptx
 
How to Create User Notification in Odoo 17
How to Create User Notification in Odoo 17How to Create User Notification in Odoo 17
How to Create User Notification in Odoo 17
 
A Quiz on Drug Abuse Awareness by Quizzito
A Quiz on Drug Abuse Awareness by QuizzitoA Quiz on Drug Abuse Awareness by Quizzito
A Quiz on Drug Abuse Awareness by Quizzito
 
Interprofessional Education Platform Introduction.pdf
Interprofessional Education Platform Introduction.pdfInterprofessional Education Platform Introduction.pdf
Interprofessional Education Platform Introduction.pdf
 
Decolonizing Universal Design for Learning
Decolonizing Universal Design for LearningDecolonizing Universal Design for Learning
Decolonizing Universal Design for Learning
 
Diversity Quiz Prelims by Quiz Club, IIT Kanpur
Diversity Quiz Prelims by Quiz Club, IIT KanpurDiversity Quiz Prelims by Quiz Club, IIT Kanpur
Diversity Quiz Prelims by Quiz Club, IIT Kanpur
 
220711130082 Srabanti Bag Internet Resources For Natural Science
220711130082 Srabanti Bag Internet Resources For Natural Science220711130082 Srabanti Bag Internet Resources For Natural Science
220711130082 Srabanti Bag Internet Resources For Natural Science
 
Library news letter Kitengesa Uganda June 2024
Library news letter Kitengesa Uganda June 2024Library news letter Kitengesa Uganda June 2024
Library news letter Kitengesa Uganda June 2024
 
INTRODUCTION TO HOSPITALS & AND ITS ORGANIZATION
INTRODUCTION TO HOSPITALS & AND ITS ORGANIZATION INTRODUCTION TO HOSPITALS & AND ITS ORGANIZATION
INTRODUCTION TO HOSPITALS & AND ITS ORGANIZATION
 
Post init hook in the odoo 17 ERP Module
Post init hook in the odoo 17 ERP ModulePost init hook in the odoo 17 ERP Module
Post init hook in the odoo 17 ERP Module
 
Accounting for Restricted Grants When and How To Record Properly
Accounting for Restricted Grants When and How To Record ProperlyAccounting for Restricted Grants When and How To Record Properly
Accounting for Restricted Grants When and How To Record Properly
 
bryophytes.pptx bsc botany honours second semester
bryophytes.pptx bsc botany honours second semesterbryophytes.pptx bsc botany honours second semester
bryophytes.pptx bsc botany honours second semester
 
Slides Peluncuran Amalan Pemakanan Sihat.pptx
Slides Peluncuran Amalan Pemakanan Sihat.pptxSlides Peluncuran Amalan Pemakanan Sihat.pptx
Slides Peluncuran Amalan Pemakanan Sihat.pptx
 
Non-Verbal Communication for Tech Professionals
Non-Verbal Communication for Tech ProfessionalsNon-Verbal Communication for Tech Professionals
Non-Verbal Communication for Tech Professionals
 
220711130088 Sumi Basak Virtual University EPC 3.pptx
220711130088 Sumi Basak Virtual University EPC 3.pptx220711130088 Sumi Basak Virtual University EPC 3.pptx
220711130088 Sumi Basak Virtual University EPC 3.pptx
 
Talking Tech through Compelling Visual Aids
Talking Tech through Compelling Visual AidsTalking Tech through Compelling Visual Aids
Talking Tech through Compelling Visual Aids
 
nutrition in plants chapter 1 class 7...
nutrition in plants chapter 1 class 7...nutrition in plants chapter 1 class 7...
nutrition in plants chapter 1 class 7...
 
The basics of sentences session 8pptx.pptx
The basics of sentences session 8pptx.pptxThe basics of sentences session 8pptx.pptx
The basics of sentences session 8pptx.pptx
 
8+8+8 Rule Of Time Management For Better Productivity
8+8+8 Rule Of Time Management For Better Productivity8+8+8 Rule Of Time Management For Better Productivity
8+8+8 Rule Of Time Management For Better Productivity
 
220711130095 Tanu Pandey message currency, communication speed & control EPC ...
220711130095 Tanu Pandey message currency, communication speed & control EPC ...220711130095 Tanu Pandey message currency, communication speed & control EPC ...
220711130095 Tanu Pandey message currency, communication speed & control EPC ...
 

9 - Security

  • 1. Management Information Systems BCO-216 Fall 2014 (Security) Raymond Gao, MBA
  • 2. Agenda • (1st half) – Why is Security so important? – Different Threats: Hacking and Penetrations – Security Strategies • (2nd half) – 101 China’s Cyber Warriors
  • 3. A Day in the Life of IT Security
  • 4. Learning Objectives • Explain why information systems are vulnerable to destruction, error, and abuse. • Describe the business value of security and control. • Describe the components of an organizational framework for security and control. • Describe the tools and technologies used for safeguarding information resources.
  • 5. • Security: System Vulnerability and Abuse – Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems • Controls: – Methods, policies, and organizational procedures that ensure safety of organization’s assets; accuracy and reliability of its accounting records; and operational adherence to management standards
  • 6. • Why systems are vulnerable – Accessibility of networks System Vulnerability and Abuse – Hardware problems (breakdowns, configuration errors, damage from improper use or crime) – Software problems (programming errors, installation errors, unauthorized changes) – Disasters – Use of networks/computers outside of firm’s control – Loss and theft of portable devices
  • 7. CONTEMPORARY SECURITY CHALLENGES AND VULNERABILITIES The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network. FIGURE 8-1
  • 8. • Internet vulnerabilities System Vulnerability and Abuse – Network open to anyone – Size of Internet means abuses can have wide impact – Use of fixed Internet addresses with cable / DSL modems creates fixed targets for hackers – Unencrypted VOIP – E-mail, P2P, IM • Interception • Attachments with malicious software • Transmitting trade secrets
  • 9. • Wireless security challenges System Vulnerability and Abuse – Radio frequency bands easy to scan – SSIDs (service set identifiers) • Identify access points • Broadcast multiple times • Can be identified by sniffer programs • War driving – Eavesdroppers drive by buildings and try to detect SSID and gain access to network and resources • Once access point is breached, intruder can use OS to access networked drives and files
  • 10. Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization. FIGURE 8-2 WI-FI SECURITY CHALLENGES
  • 11. • Malware (malicious software)* – Viruses* System Vulnerability and Abuse • Rogue software program that attaches itself to other software programs or data files in order to be executed – Worms* • Independent programs that copy themselves from one computer to other computers over a network. – Worms and viruses spread by • Downloads (drive-by downloads) • E-mail, IM attachments • Downloads on Web sites and social networks
  • 12. • Malware (cont.) – Smartphones as vulnerable as computers • Study finds 13,000 types of smartphone malware – Trojan horses • Software that appears benign but does something other than expected – SQL injection attacks (Website / Corp relevant) • Hackers submit data to Web forms that exploits site’s unprotected software and sends rogue SQL query to database System Vulnerability and Abuse
  • 13. • Malware (cont.) – Spyware System Vulnerability and Abuse • Small programs install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising • Key loggers – Record every keystroke on computer to steal serial numbers, passwords, launch Internet attacks • Other types: – Reset browser home page – Redirect search requests – Slow computer performance by taking up memory
  • 14. • Hackers and computer crime – Hackers vs. crackers – Activities include: • System intrusion • System damage • Cybervandalism System Vulnerability and Abuse – Intentional disruption, defacement, destruction of Web site or corporate information system
  • 15. • Spoofing* System Vulnerability and Abuse* – Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else – Redirecting Web link to address different from intended one, with site masquerading as intended destination • Sniffer* – Eavesdropping program that monitors information traveling over network – Enables hackers to steal proprietary information such as e-mail, company files, and so on
  • 16. System Vulnerability and Abuse • Denial-of-service attacks (DoS)* – Flooding server with thousands of false requests to crash the network • Distributed denial-of-service attacks (DDoS)* – Use of numerous computers to launch a DoS – Botnets • Networks of “zombie” PCs infiltrated by bot malware • Deliver 90% of world spam, 80% of world malware • Grum botnet: controlled 560K to 840K computers
  • 17. • Computer crime System Vulnerability and Abuse – Defined as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution” – Computer may be target of crime, for example: • Breaching confidentiality of protected computerized data • Accessing a computer system without authority – Computer may be instrument of crime, for example: • Theft of trade secrets • Using e-mail for threats or harassment
  • 18. • Identity theft* System Vulnerability and Abuse – Theft of personal Information (social security ID, driver’s license, or credit card numbers) to impersonate someone else • Phishing* – Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data. • Evil twins – Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
  • 19. • Pharming System Vulnerability and Abuse – Redirects users to a bogus Web page, even when individual types correct Web page address into his or her browser • Click fraud – Occurs when individual or computer program fraudulently clicks on online ad without any intention of learning more about the advertiser or making a purchase • Cyberterrorism and Cyberwarfare
  • 20. Stuxnet and the Changing Face of Cyberwarfare • Is cyberwarfare a serious problem? Why or why not? • Assess the management, organization, and technology factors that have created this problem. • What makes Stuxnet different from other cyberwarfare attacks? How serious a threat is this technology? • What solutions have been proposed for this problem? Do you think they will be effective? Why or why not?
  • 21. • Internal threats: Employees System Vulnerability and Abuse – Security threats often originate inside an organization – Inside knowledge – Sloppy security procedures • User lack of knowledge – Social engineering: • Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
  • 22. • Software vulnerability System Vulnerability and Abuse – Commercial software contains flaws that create security vulnerabilities • Hidden bugs (program code defects) – Zero defects cannot be achieved because complete testing is not possible with large programs • Flaws can open networks to intruders – Patches • Small pieces of software to repair flaws • Exploits often created faster than patches can be released and implemented
  • 23. Business Value of Security and Control • Failed computer systems can lead to significant or total loss of business function. • Firms now are more vulnerable than ever. – Confidential personal and financial data – Trade secrets, new products, strategies • A security breach may cut into a firm’s market value almost immediately. • Inadequate security and controls also bring forth issues of liability.
  • 24. Business Value of Security and Control • Legal and regulatory requirements for electronic records management and privacy protection – HIPAA: Medical security and privacy rules and procedures – Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security and confidentiality of customer data – Sarbanes-Oxley Act: Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
  • 25. • Electronic evidence Business Value of Security and Control – Evidence for white collar crimes often in digital form • Data on computers, e-mail, instant messages, e-commerce transactions – Proper control of data can save time and money when responding to legal discovery request • Computer forensics: – Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law – Includes recovery of ambient and hidden data
  • 26. Establishing a Framework for Security and Control • Information systems controls – Manual and automated controls – General and application controls • General controls – Govern design, security, and use of computer programs and security of data files in general throughout organization’s information technology infrastructure – Apply to all computerized applications – Combination of hardware, software, and manual procedures to create overall control environment
  • 27. Establishing a Framework for Security and Control • Types of general controls* – Software controls – Hardware controls – Computer operations controls – Data security controls – Implementation controls – Administrative controls
  • 28. Establishing a Framework for Security and Control • Application controls – Specific controls unique to each computerized application, such as payroll or order processing – Include both automated and manual procedures – Ensure that only authorized data are completely and accurately processed by that application – Include: • Input controls • Processing controls • Output controls
  • 29. Establishing a Framework for Security and Control • Risk assessment: Determines level of risk to firm if specific activity or process is not properly controlled • Types of threat • Probability of occurrence during year • Potential losses, value of threat • Expected annual loss EXPOSURE PROBABILITY LOSS RANGE (AVG) EXPECTED ANNUAL LOSS Power failure 30% $5K–$200K ($102,500) $30,750 Embezzlement 5% $1K–$50K ($25,500) $1,275 User error 98% $200–$40K ($20,100) $19,698
  • 30. • Security policy Establishing a Framework for Security and Control – Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals – Drives other policies • Acceptable use policy (AUP) – Defines acceptable uses of firm’s information resources and computing equipment • Authorization policies – Determine differing levels of user access to information assets
  • 31. Establishing a Framework for Security and Control • Identity management – Business processes and tools to identify valid users of system and control access • Identifies and authorizes different categories of users • Specifies which portion of system users can access • Authenticating users and protects identities – Identity management systems • Captures access rules for different levels of users
  • 32. These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization. FIGURE 8-3 SECURITY PROFILES FOR A PERSONNEL SYSTEM
  • 33. Establishing a Framework for Security and Control • Disaster recovery (DR) planning*: Devises plans for restoration of disrupted services • Business continuity planning: Focuses on restoring business operations after disaster – Both types of plans needed to identify firm’s most critical systems – Business impact analysis to determine impact of an outage – Management must determine which systems restored first
  • 34. • MIS audit Establishing a Framework for Security and Control – Examines firm’s overall security environment as well as controls governing individual information systems – Reviews technologies, procedures, documentation, training, and personnel. – May even simulate disaster to test response of technology, IS staff, other employees – Lists and ranks all control weaknesses and estimates probability of their occurrence – Assesses financial and organizational impact of each threat
  • 35. SAMPLE AUDITOR’S LIST OF CONTROL WEAKNESSES This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.
  • 36. Technologies and Tools for Protecting Information Resources • Identity management software – Automates keeping track of all users and privileges – Authenticates users, protecting identities, controlling access • Authentication – Password systems – Tokens – Smart cards – Biometric authentication
  • 37. Technologies and Tools for Protecting Information Resources • Firewall: – Combination of hardware and software that prevents unauthorized users from accessing private networks – Technologies include: • Static packet filtering • Stateful inspection • Network address translation (NAT) • Application proxy filtering
  • 38. The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against unauthorized traffic. FIGURE 8-5 A CORPORATE FIREWALL
  • 39. Technologies and Tools for Protecting Information Resources • Intrusion detection systems: – Monitors hot spots on corporate networks to detect and deter intruders – Examines events as they are happening to discover attacks in progress • Antivirus and antispyware software: – Checks computers for presence of malware and can often eliminate it as well – Requires continual updating • Unified threat management (UTM) systems
  • 40. Technologies and Tools for Protecting Information Resources • Securing wireless networks – WEP security can provide some security by: • Assigning unique name to network’s SSID and not broadcasting SSID • Using it with VPN technology – Wi-Fi Alliance finalized WAP2 specification, replacing WEP with stronger standards • Continually changing keys • Encrypted authentication system with central server
  • 41. Technologies and Tools for Protecting Information Resources • Encryption: – Transforming text or data into cipher text that cannot be read by unintended recipients – Two methods for encryption on networks • Secure Sockets Layer (SSL) and successor Transport Layer Security (TLS) • Secure Hypertext Transfer Protocol (S-HTTP)
  • 42. Technologies and Tools for Protecting Information Resources • Two methods of encryption – Symmetric key encryption • Sender and receiver use single, shared key – Public key encryption • Uses two, mathematically related keys: Public key and private key • Sender encrypts message with recipient’s public key • Recipient decrypts with private key
  • 43. A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient’s public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message. FIGURE 8-6 PUBLIC KEY ENCRYPTION
  • 44. Technologies and Tools for Protecting Information Resources • Digital certificate: – Data file used to establish the identity of users and electronic assets for protection of online transactions – Uses a trusted third party, certification authority (CA)*, to validate a user’s identity – CA verifies user’s identity, stores information in CA server, which generates encrypted digital certificate containing owner ID information and copy of owner’s public key • Public key infrastructure (PKI)* – Use of public key cryptography working with certificate authority – Widely used in e-commerce
  • 45. Digital certificates help establish the identity of people or electronic assets. They protect online transactions by providing secure, encrypted, online communication. FIGURE 8-7 DIGITAL CERTIFICATES
  • 46. Technologies and Tools for Protecting Information Resources • Ensuring system availability – Online transaction processing requires 100% availability, no downtime • Fault-tolerant computer systems – For continuous availability, for example, stock markets – Contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service • High-availability computing – Helps recover quickly from crash – Minimizes, does not eliminate, downtime
  • 47. Technologies and Tools for Protecting Information Resources • Recovery-oriented computing – Designing systems that recover quickly with capabilities to help operators pinpoint and correct faults in multi-component systems • Controlling network traffic – Deep packet inspection (DPI) • Video and music blocking • Security outsourcing – Managed security service providers (MSSPs)
  • 48. Technologies and Tools for Protecting Information Resources • Security in the cloud – Responsibility for security resides with company owning the data – Firms must ensure providers provides adequate protection: • Where data are stored • Meeting corporate requirements, legal privacy laws • Segregation of data from other clients • Audits and security certifications – Service level agreements (SLAs)*
  • 49. Technologies and Tools for Protecting Information Resources • Securing mobile platforms – Security policies should include and cover any special requirements for mobile devices • Guidelines for use of platforms and applications – Mobile device management tools • Authorization • Inventory records • Control updates • Lock down/erase lost devices • Encryption – Software for segregating corporate data on devices
  • 50. How Secure Is Your Smartphone? • It has been said that a smartphone is a microcomputer in your hand. Discuss the security implications of this statement. • What management, organizational, and technology issues must be addressed by smartphone security? • What problems do smartphone security weaknesses cause for businesses? • What steps can individuals and businesses take to make their smartphones more secure?
  • 51. Technologies and Tools for Protecting Information Resources • Ensuring software quality – Software metrics: Objective assessments of system in form of quantified measurements • Number of transactions • Online response time • Payroll checks printed per hour • Known bugs per hundred lines of code – Early and regular testing – Walkthrough: Review of specification or design document by small group of qualified people – Debugging: Process by which errors are eliminated
  • 52. 2nd Half China’s Cyber Warriors
  • 54. THANK YOU! email: raymond.gao@euruni.edu Twitter: @raygao
  翻译: