4/15: Security & Controls in IS
• Systems Vulnerabilities
• Controls: what to use to guard against vulnerabilities
  – General controls
  – Application controls
• Internet & eCommerce controls
  – Firewalls
  – Encryption
  – Authentication
• Assessments & Audits
Systems Vulnerabilities
• Ex: DDoS attacks in February 2000
• Why worry? The financial impact of downtime is staggering:

Type of loss            Brokerage site (8 hrs)   Auction site (22 hrs)
Direct revenue loss     $204,000                 $341,652
Compensatory loss       $0                       $943,521
Lost future revenues    $4,810,320               $1,024,955
Worker downtime loss    $117,729                 $46,097
Delay-to-market         $60,000                  $358,734
Total impact            $5,220,159               $2,773,416

(The rows shown do not add up to the totals on the slide: they sum to $5,192,049 and $2,714,959 respectively, so the totals include cost items not listed here.)
How are systems vulnerable?
• If destroyed:
  – Systems cannot be replicated manually
  – Systems are not easily understood or audited
  – Systems' records can be permanently lost
• Hardware: fire, earthquake, etc.
• Software: electrical problems, bugs
• Personnel actions: user errors, maliciousness
• Access: program changes, data changes
• Data & services: telecommunication failures
So what if it's vulnerable?
• Use a risk assessment to decide whether the cost of protecting against the vulnerability outweighs the expected loss from it. Expected annual loss = probability of occurrence × average loss (the midpoint of the loss range).
• Ex: Online Order Processing Risk Assessment

Exposure        Prob. (%)   Loss range ($)     Avg. loss ($)   Expected annual loss ($)
Power failure   30          5,000 – 200,000    102,500         30,750
Embezzlement    5           1,000 – 50,000     25,500          1,275
User error      98          200 – 40,000       20,100          19,698
Example of vulnerabilities: hackers
• Hackers
  – "A person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure."
  – Write computer viruses, launch DDoS attacks, etc.
Examples of vulnerabilities: viruses
• "Rogue software programs that are difficult to detect and spread rapidly, destroying data or disrupting processing & memory systems."
• Chernobyl (CIH) virus
• Badtrans.B virus
• Nimda virus
• Antivirus software is a necessity.
  – Virus definitions MUST BE
Assessments & Audits
• Use an MIS audit.
  – "Identifies all the controls that govern individual information systems and assesses their effectiveness."
• The audit:
  – Lists and ranks all the control weaknesses,
  – Estimates the probability of occurrence, and
  – Assesses the financial & organizational impact of each.
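The arithmetic behind the Online Order Processing risk assessment and the ranking step the MIS audit calls for, as an added Python example (this is not code from the slides). The exposure figures are the ones in the risk-assessment table; the control candidates, their annual costs and the residual probabilities used in the cost/benefit check are constructed assumptions for illustration.

```python
"""Expected-annual-loss risk assessment and control ranking (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    probability: float  # probability the exposure occurs in a given year (0..1)
    loss_min: float     # lowest plausible loss per occurrence, in $
    loss_max: float     # highest plausible loss per occurrence, in $

    @property
    def avg_loss(self) -> float:
        """The slide's 'avg.' column: the midpoint of the loss range."""
        return (self.loss_min + self.loss_max) / 2

    @property
    def expected_annual_loss(self) -> float:
        """The slide's 'Exp. ann. loss' column: probability x average loss."""
        return self.probability * self.avg_loss


# Figures taken from the slide's Online Order Processing risk assessment.
EXPOSURES = [
    Exposure("Power failure", 0.30, 5_000, 200_000),
    Exposure("Embezzlement", 0.05, 1_000, 50_000),
    Exposure("User error", 0.98, 200, 40_000),
]


def rank_exposures(exposures):
    """Rank weaknesses by expected annual loss, worst first.

    This is the ranking step the MIS audit describes: each weakness gets a
    probability and an impact estimate, and the list is sorted by expected
    loss so the costliest exposures are dealt with first.
    Returns (name, avg_loss, expected_annual_loss) tuples.
    """
    rows = [(e.name, e.avg_loss, e.expected_annual_loss) for e in exposures]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def control_is_justified(exposure, annual_control_cost, residual_probability):
    """Apply the slide's decision rule: protect only if protection costs less
    than the expected loss it prevents.

    residual_probability is the probability that remains once the control is
    in place (an estimate the assessor supplies). Returns (justified,
    net_benefit), where net_benefit = yearly risk reduction minus the
    control's yearly cost.
    """
    loss_after = residual_probability * exposure.avg_loss
    risk_reduction = exposure.expected_annual_loss - loss_after
    net_benefit = risk_reduction - annual_control_cost
    return net_benefit > 0, net_benefit


if __name__ == "__main__":
    print(f"{'Exposure':<14}{'Avg loss':>12}{'Exp. annual loss':>18}")
    for name, avg, eal in rank_exposures(EXPOSURES):
        print(f"{name:<14}{avg:>12,.0f}{eal:>18,.0f}")

    # Constructed control candidates (assumptions, not from the slide):
    # a UPS for $12,000/yr that cuts power-failure probability to 2%, and a
    # $5,000/yr segregation-of-duties review that cuts embezzlement to 1%.
    for exp, cost, residual in ((EXPOSURES[0], 12_000, 0.02),
                                (EXPOSURES[1], 5_000, 0.01)):
        ok, net = control_is_justified(exp, cost, residual)
        verdict = "justified" if ok else "not justified"
        print(f"{exp.name}: control at ${cost:,}/yr is {verdict} "
              f"(net ${net:,.0f}/yr)")
```

Running the script reproduces the three expected-annual-loss figures from the table, ranks power failure above user error and embezzlement, and shows the decision rule cutting both ways: the assumed UPS removes far more expected loss than it costs, while the assumed embezzlement control costs more per year than the $1,275 exposure it guards against.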