ISM Session 6

Apr 07, 2018

Tisha Mehrotra
Transcript
  • 8/4/2019 ISM Session 6

    Slide 1: Information Systems Security

  • Slide 2: System vulnerability & abuse

    Why systems are vulnerable

    Hackers & viruses

    Concerns for builders & users

    System quality problems

  • Slide 3: Threats to information systems

    Hardware failure

    Fire

    Software failure

    Electrical problems

    Personnel actions

    User errors

    Access penetration, program changes

    Theft of data, services, equipment

    Telecommunications problems

  • Slide 4: Why systems are vulnerable

    System complexity

    Computerized procedures not always read or audited

    Extensive effect of disaster

    Unauthorized access possible

  • Slide 5: VULNERABILITIES

    RADIATION: Allows recorders, bugs to tap system

    CROSSTALK: Can garble data

    HARDWARE: Improper connections, failure of protection circuits

    SOFTWARE: Failure of protection features, access control, bounds control

    FILES: Subject to theft, copying, unauthorized access

  • Slide 6: VULNERABILITIES

    USER: Identification, authentication, subtle software modification

    PROGRAMMER: Disables protective features; reveals protective measures

    MAINTENANCE STAFF: Disables hardware devices; uses stand-alone utilities

    OPERATOR: Doesn't notify supervisor, reveals protective measures

  • Slide 7: HACKERS & COMPUTER VIRUSES

    HACKER: Person gains access to computer for profit, criminal mischief, personal pleasure

    COMPUTER VIRUS: Rogue program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memory

  • Slide 8: Common computer viruses

    Concept, Melissa: Word documents, e-mail. Deletes files

    Form: Makes clicking sound, corrupts data

    Explore.exe: Attached to e-mail, tries to e-mail to others, destroys files

    Monkey: Windows won't run

    Chernobyl: Erases hard drive, ROM BIOS

    JUNKIE: Infects files, boot sector, memory conflicts

  • Slide 9: Antivirus software

    Software to detect, eliminate viruses

    Advanced versions run in memory to protect processing, guard against viruses on disks, and on incoming network files

  • Slide 10: Concerns for builders & users

    Disaster

    Breach of security

    Errors

  • Slide 11: Disaster

    Loss of hardware, software, data by fire, power failure, flood or other calamity

    Fault-tolerant computer systems: Backup systems to prevent system failure (particularly on-line transaction processing)

  • Slide 12: SECURITY

    Policies, procedures, technical measures to prevent unauthorized access, alteration, theft, physical damage to information systems

  • Slide 13: WHERE ERRORS OCCUR

    DATA PREPARATION

    TRANSMISSION

    CONVERSION

    FORM COMPLETION

    ON-LINE DATA ENTRY

    KEYPUNCHING; SCANNING; OTHER INPUTS

  • Slide 14: WHERE ERRORS OCCUR

    Validation

    Processing / file maintenance

    Output

    Transmission

    Distribution

  • Slide 15: System quality problems

    Software & data

    Bugs: Program code defects or errors

    Maintenance: Modifying a system in production use; can take up to 50% of analysts' time

    Data quality problems: Finding, correcting errors; costly; tedious

  • Slide 16: CREATING A CONTROL ENVIRONMENT

    Controls: Methods, policies, procedures to protect assets; accuracy & reliability of records; adherence to management standards

    General controls

    Application controls

  • Slide 17: General controls

    Implementation: Audit system development to assure proper control, management

    Software: Ensure security, reliability of software

    Physical hardware: Ensure physical security, performance of computer hardware

  • Slide 18: General controls

    Computer operations: Ensure procedures consistently, correctly applied to data storage, processing

    Data security: Ensure data disks, tapes protected from wrongful access, change, destruction

    Administrative: Ensure controls properly executed, enforced

    Segregation of functions: Divide responsibility from tasks

  • Slide 19: APPLICATION CONTROLS

    INPUT

    PROCESSING

    OUTPUT

  • Slide 20: Input controls

    Input authorization: Record, monitor source documents

    Data conversion: Transcribe data properly from one form to another

    Batch control totals: Count transactions prior to and after processing

    Edit checks: Verify input data, correct errors

  • Slide 21: Processing controls

    Establish that data is complete, accurate during processing

    RUN CONTROL TOTALS: Generate control totals before & after processing

    COMPUTER MATCHING: Match input data to master files

  • Slide 22: Output controls

    Establish that results are accurate, complete, properly distributed

    Balance input, processing, output totals

    Review processing logs

    Ensure only authorized recipients get results
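The input, processing and output controls of the three preceding slides (batch control totals, edit checks, computer matching, run control totals before and after processing, and balancing input against output) fit together in one worked example. This is an added example and not part of the session slides: the transaction batch, the master account file, the source-document totals and the field rules are all constructed for illustration.

```python
"""Batch control totals, edit checks, computer matching and run-to-run
balancing over a constructed batch. Added example, not from the session slides:
the transaction records, master account file, source-document totals and the
field rules below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlTotals:
    record_count: int   # how many transactions
    amount_total: int   # financial total, in cents
    hash_total: int     # sum of account numbers: meaningless as a number, useful for balancing


def control_totals(records):
    """Compute the three classic control totals over a list of records."""
    return ControlTotals(
        record_count=len(records),
        amount_total=sum(r["amount_cents"] for r in records),
        hash_total=sum(int(r["account"]) for r in records if r["account"].isdigit()),
    )


def edit_check(record):
    """Edit checks on one record; returns the reasons it fails (empty list if it passes)."""
    errors = []
    account = record["account"]
    if not (account.isdigit() and len(account) == 5):
        errors.append("account must be exactly 5 digits")
    amount = record["amount_cents"]
    if not isinstance(amount, int) or amount <= 0:
        errors.append("amount must be a positive whole number of cents")
    return errors


def run_batch(batch, master_accounts, source_totals):
    """Process one batch: totals before, edit checks and master-file matching,
    totals after, then balance input against posted plus rejected."""
    before = control_totals(batch)                 # run control totals before processing
    posted, rejected = [], []
    for record in batch:
        errors = edit_check(record)
        if not errors and record["account"] not in master_accounts:
            errors.append("account not on master file")   # computer matching
        (rejected if errors else posted).append({**record, "errors": errors})
    after_posted = control_totals(posted)          # run control totals after processing
    after_rejected = control_totals(rejected)
    # Output control: input totals must equal posted plus rejected on every measure,
    # so no transaction can silently vanish or be invented during processing.
    balanced = all(
        getattr(before, f) == getattr(after_posted, f) + getattr(after_rejected, f)
        for f in ("record_count", "amount_total", "hash_total")
    )
    return {
        "input": before,
        "posted": after_posted,
        "rejected": after_rejected,
        "rejected_ids": [r["txn_id"] for r in rejected],
        "balanced": balanced,
        "matches_source": before == source_totals,   # batch control total from the source document
    }


# Constructed sample batch, master file, and the totals written on the batch's source document.
BATCH = [
    {"txn_id": "T001", "account": "10001", "amount_cents": 12500},
    {"txn_id": "T002", "account": "10002", "amount_cents": 4999},
    {"txn_id": "T003", "account": "10003", "amount_cents": -250},   # fails edit check
    {"txn_id": "T004", "account": "1000",  "amount_cents": 700},    # fails edit check
    {"txn_id": "T005", "account": "10005", "amount_cents": 30000},  # not on master file
]
MASTER_ACCOUNTS = {"10001", "10002", "10003", "10004"}
SOURCE_TOTALS = ControlTotals(record_count=5, amount_total=47949, hash_total=41011)

if __name__ == "__main__":
    for key, value in run_batch(BATCH, MASTER_ACCOUNTS, SOURCE_TOTALS).items():
        print(f"{key}: {value}")
```

The hash total is deliberately a sum of a non-financial field: it catches a record whose amount is right but whose account was transcribed wrongly during data conversion, which an amount total alone would miss. Dropping one record from the batch makes `matches_source` false, which is the batch-level check; an internal bug that lost a record between the edit checks and posting would instead show up as `balanced` being false.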

  • Slide 23: SECURITY AND THE INTERNET

    ENCRYPTION: Coding & scrambling messages to deny unauthorized access

    AUTHENTICATION: Ability to identify another party

    MESSAGE INTEGRITY

    DIGITAL SIGNATURE

    DIGITAL CERTIFICATE

  • Slide 24: SECURITY AND THE INTERNET: PUBLIC KEY ENCRYPTION

    Diagram: SENDER --(encrypt with public key)--> SCRAMBLED MESSAGE --(decrypt with private key)--> RECIPIENT

  • Slide 25: Security and the Internet

    DIGITAL WALLET: Software stores credit card, electronic cash, owner ID, address for e-commerce transactions

    SECURE ELECTRONIC TRANSACTION: Standard for securing credit card transactions on internet

  • Slide 26: ELECTRONIC PAYMENT SYSTEMS

    CREDIT CARD: SET protocol for payment security

    ELECTRONIC CASH: Digital currency

    ELECTRONIC CHECK: Encrypted digital signature

    SMART CARD: Chip stores e-cash

    ELECTRONIC BILL PAYMENT: Electronic funds transfer

  • Slide 27: DEVELOPING A CONTROL STRUCTURE

    COSTS: Can be expensive to build; complicated to use

    BENEFITS: Reduces expensive errors, loss of time, resources, good will

    RISK ASSESSMENT: Determine frequency of occurrence of problem, cost, damage if it were to occur

  • Slide 28: MIS AUDIT

    IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS

    SOFTWARE METRICS: Objective measurements to assess system

    TESTING: Early, regular controlled efforts to detect, reduce errors

    WALKTHROUGH

    DEBUGGING

    DATA QUALITY AUDIT: Survey samples of files for accuracy, completeness

  • Slide 29: Auditing Information Systems

    These audits review and evaluate whether proper and adequate information system controls, procedural controls, facility controls and other managerial controls have been developed and implemented

    There are two basic approaches to auditing information systems:

    - Auditing around the computer

    - Auditing through the computer

  • Slide 30: Ways of protecting digital firms

    Online transaction processing: Transactions entered online are immediately processed by computer

    Fault-tolerant computer systems: Contain extra hardware, software, and power supply components to provide continuous uninterrupted service

  • Slide 31: Contd.

    High-availability computing: Tools and technologies enabling system to recover quickly from a crash

    Disaster recovery plan: Runs business in event of computer outage

    Load balancing: Distributes large number of requests for access among multiple servers

  • Slide 32: Contd.

    Mirroring: Duplicating all processes and transactions of server on backup server to prevent any interruption in service

    Clustering: Linking two computers together so that a second computer can act as a backup to the primary computer or speed up processing

  • Slide 33: Security while using Internet

    Firewalls: Prevent unauthorized users from accessing private networks. Two types: proxies and stateful inspection

    Intrusion Detection System: Monitors vulnerable points in network to detect and deter unauthorized intruders
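The slide names stateful inspection without saying what the state buys you, so the example below puts a stateless packet filter beside a stateful one over the same packet trace, and has the stateful filter record every unsolicited inbound packet it drops, which is the kind of event an intrusion detection system monitors. This is an added example and not from the session slides: the private network prefix, the hosts, the ports and the packet trace are constructed for illustration, and the TCP handling is reduced to the SYN and ACK flags.

```python
"""Stateless packet filtering versus stateful inspection, with dropped
unsolicited packets logged as an intrusion detection system would flag them.
Added example, not from the session slides: the network prefix, hosts, ports
and the packet trace are constructed for illustration."""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # constructed: addresses with this prefix are the private network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> str:
    """Packet-by-packet rules with no memory. The inbound rule can only guess that a
    packet with ACK set belongs to a connection the inside opened; it cannot check."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "allow"                      # outbound traffic is permitted
    if is_internal(pkt.dst) and pkt.ack:
        return "allow"                      # 'established' guess based on the flag alone
    return "drop"


class StatefulFirewall:
    """Remembers connections the private network opened and admits only their replies."""

    def __init__(self):
        self.connections = set()   # (internal ip, internal port, external ip, external port)
        self.alerts = []           # IDS-style records of unsolicited inbound packets

    def inspect(self, pkt: Packet) -> str:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if pkt.syn and not pkt.ack:     # new outbound connection: create state
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if is_internal(pkt.dst) and not is_internal(pkt.src):
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
                return "allow"              # reply to a connection we saw opened
            self.alerts.append(
                f"unsolicited inbound {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                f"(syn={pkt.syn}, ack={pkt.ack})"
            )
            return "drop"
        return "drop"                       # neither side internal: not our traffic


# Constructed packet trace: one legitimate outbound connection, then two unsolicited packets.
TRACE = [
    Packet("10.0.0.5", 51000, "203.0.113.5", 443, syn=True),            # inside host opens HTTPS
    Packet("203.0.113.5", 443, "10.0.0.5", 51000, syn=True, ack=True),  # server's SYN-ACK reply
    Packet("10.0.0.5", 51000, "203.0.113.5", 443, ack=True),            # handshake completes
    Packet("198.51.100.9", 443, "10.0.0.7", 3389, ack=True),            # unsolicited, ACK flag set
    Packet("198.51.100.9", 40000, "10.0.0.7", 22, syn=True),            # unsolicited connection attempt
]


def run_trace(trace=TRACE):
    """Run both filters over the trace; return their decisions and the stateful alerts."""
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_filter(p) for p in trace],
        "stateful": [fw.inspect(p) for p in trace],
        "alerts": fw.alerts,
    }


if __name__ == "__main__":
    for name, result in run_trace().items():
        print(f"{name}: {result}")
```

The fourth packet is the point of the comparison: it carries the ACK flag, so the stateless rule admits it as if it were part of an existing session, while the stateful firewall finds no matching entry in its connection table, drops it and records an alert. The alert list is what a monitoring function would consume; the firewall's own job ends at the drop.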

  • Slide 34: (image-only slide; no text extracted)

  • Slide 35: Security aspects related to e-commerce

    Encryption: Coding and scrambling of messages to prevent their access without authorization

    Authentication: Ability of each party in a transaction to ascertain identity of other party

    Message integrity: Ability to ascertain that transmitted message has not been copied or altered

  • Slide 36: Contd.

    Digital signature: Digital code attached to electronically transmitted message to uniquely identify contents and sender

    Digital certificate: Attachment to electronic message to verify the sender and to provide receiver with means to encode reply
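The public-key diagram of slide 24 (sender encrypts with the public key, recipient decrypts with the private key) and the message-integrity and digital-signature definitions of slides 35 and 36 can be shown with one small key pair. The example below is added here and is not from the session slides: it uses textbook RSA on constructed primes p=61 and q=53, a constructed order message, and SHA-256 from the Python standard library; the key is tiny and there is no padding, so it illustrates the mechanism only and is not a usable cryptosystem. The digital certificate (which binds a public key to an identity) is not modelled.

```python
"""Public-key encryption, digital signature and message-integrity check with
textbook RSA on small fixed primes. Added example, not from the session slides:
the primes, key pair and messages are constructed, and the parameters are kept
tiny so the arithmetic can be followed (real deployments use 2048-bit or larger
keys with OAEP/PSS padding; this toy has neither)."""
import hashlib

# Constructed key pair: p=61, q=53 give n=3233 and phi=3120; e=17, d=2753.
P, Q = 61, 53
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 17
D = pow(E, -1, PHI)          # modular inverse of e (Python 3.8+); equals 2753
PUBLIC_KEY = (E, N)          # published to anyone who wants to send to us or verify us
PRIVATE_KEY = (D, N)         # never leaves its owner


def encrypt(message: bytes, public_key) -> list:
    """Sender scrambles with the recipient's PUBLIC key, one block per byte (each byte < n)."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(blocks, private_key) -> bytes:
    """Recipient unscrambles with the PRIVATE key; nobody without d can do this."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def sign(message: bytes, private_key) -> list:
    """Digital signature: hash the message, then apply the PRIVATE key to each digest byte."""
    d, n = private_key
    return [pow(b, d, n) for b in hashlib.sha256(message).digest()]


def verify(message: bytes, signature, public_key) -> bool:
    """Anyone holding the PUBLIC key recovers the digest from the signature and compares
    it with a fresh hash of the received message: a mismatch means the contents were
    altered or the signature was not made with the matching private key."""
    e, n = public_key
    recovered = bytes(pow(s, e, n) for s in signature)
    return recovered == hashlib.sha256(message).digest()


def demo():
    """Round-trip a constructed order, then show a tampered copy failing the integrity check."""
    order = b"PAY 100 TO ACCT 10001"
    scrambled = encrypt(order, PUBLIC_KEY)
    signature = sign(order, PRIVATE_KEY)
    tampered = b"PAY 900 TO ACCT 10001"        # altered in transit; the signature is unchanged
    return {
        "decrypted": decrypt(scrambled, PRIVATE_KEY),
        "ciphertext_is_not_plaintext": scrambled != list(order),
        "signature_valid": verify(order, signature, PUBLIC_KEY),
        "tampered_valid": verify(tampered, signature, PUBLIC_KEY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Encryption and signing use the two keys in opposite directions, which is the whole of the slide-24 diagram: the public key is applied by whoever wants to send confidentially or to check a signature, and the private key by the one party who may read or sign. Signing the hash rather than the message keeps the signature a fixed size and makes the integrity check a comparison of digests.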

  • Slide 37: Security Management of E-Business

    Encryption

    Denial of Service Defenses

    Fire Walls

    Monitor E-mail

    Virus Defenses

  • Slide 38: Other E-Business Security Measures

    Security Codes

    Security Monitors

    Backup Files

    Biometric Security Controls

  • Slide 39: E-Business System Controls and Audits

    Diagram labels: Processing Controls (Firewalls, Software, Hardware, Checkpoints); Storage Controls; Input Controls; Output Controls; Security Codes, Encryption, Error Signals; Security Codes, Encryption, Backup Files; Security Codes, Encryption, Control Totals; User Feedback

  • Slide 40: Computer System Failure Controls

    Layer          Threat                            Fault tolerant methods
    Applications   Environmental, HW and SW faults   Application redundancy, checkpoints
    Systems        Outages                           System isolation, data security
    Databases      Data errors                       Transaction histories, backup files
    Networks       Transmission errors               Alternate routing, error-correcting routines
    Processes      HW and SW faults                  Checkpoints
    Files          Media errors                      Replication of data
    Processors     HW faults                         Instruction retry

  • Slide 41: Disaster Recovery

    Who will participate?

    What will be their duties?

    What hardware and software will be used?

    Priority of applications to be run?

    What alternative facilities will be used?

    Where will databases be stored?