8/4/2019 ISM Session 6
1/41
1
Information Systems Security
System vulnerability & abuse
- Why systems are vulnerable
- Hackers & viruses
- Concerns for builders & users
- System quality problems
Threats to information systems
- Hardware failure
- Fire
- Software failure
- Electrical problems
- Personnel actions
- User errors
- Access penetration, program changes
- Theft of data, services, equipment
- Telecommunications problems
Why systems are vulnerable
- System complexity
- Computerized procedures not always read or audited
- Extensive effect of disaster
- Unauthorized access possible
VULNERABILITIES
RADIATION: Allows recorders, bugs to tap system
CROSSTALK: Can garble data
HARDWARE: Improper connections, failure of protection circuits
SOFTWARE: Failure of protection features, access control, bounds control
FILES: Subject to theft, copying, unauthorized access
VULNERABILITIES
USER: Identification, authentication, subtle software modification
PROGRAMMER: Disables protective features; reveals protective measures
MAINTENANCE STAFF: Disables hardware devices; uses stand-alone utilities
OPERATOR: Doesn't notify supervisor; reveals protective measures
HACKERS & COMPUTER VIRUSES
HACKER: Person who gains access to a computer for profit, criminal mischief or personal pleasure
COMPUTER VIRUS: Rogue program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memory
Common computer viruses
Concept, Melissa: Word documents, e-mail; deletes files
Form: Makes clicking sound, corrupts data
Explore.exe: Attached to e-mail, tries to e-mail itself to others, destroys files
Monkey: Windows won't run
Chernobyl: Erases hard drive, ROM BIOS
JUNKIE: Infects files, boot sector; memory conflicts
Antivirus software
Software to detect and eliminate viruses
Advanced versions run in memory to protect processing and guard against viruses on disks and on incoming network files
Concerns for builders & users
Disaster
Breach of security
Errors
Disaster
Loss of hardware, software, data by fire, power failure, flood or other calamity
Fault-tolerant computer systems: Backup systems to prevent system failure (particularly on-line transaction processing)
SECURITY
Policies, procedures, technical measures to prevent unauthorized access, alteration, theft, physical damage to information systems
WHERE ERRORS OCCUR
DATA PREPARATION
TRANSMISSION
CONVERSION
FORM COMPLETION
ON-LINE DATA ENTRY
KEYPUNCHING; SCANNING; OTHER INPUTS
WHERE ERRORS OCCUR
Validation
Processing / file maintenance
Output
Transmission
Distribution
System quality problems
Software & data
Bugs:
Program code defects or errors
Maintenance:
Modifying a system in production use; can take up to 50% of analysts' time
Data quality problems:
Finding, correcting errors; costly; tedious
CREATING A CONTROL ENVIRONMENT
Controls: Methods, policies, procedures to protect assets; accuracy & reliability of records; adherence to management standards
General controls
Application controls
General controls
Implementation: Audit system development to assure proper control, management
Software: Ensure security, reliability of software
Physical hardware: Ensure physical security, performance of computer hardware
General controls
Computer operations: Ensure procedures consistently, correctly applied to data storage, processing
Data security: Ensure data disks, tapes protected from wrongful access, change, destruction
Administrative: Ensure controls properly executed, enforced
Segregation of functions: Divide responsibility from tasks
APPLICATION CONTROLS
INPUT
PROCESSING
OUTPUT
Input controls
Input authorization:
Record, monitor source documents
Data conversion:
Transcribe data properly from one form to
another
Batch control totals:
Count transactions prior to and after processing
Edit checks:
Verify input data, correct errors
Processing controls
Establish that data is complete, accurate during processing
RUN CONTROL TOTALS: Generate control totals before & after processing
COMPUTER MATCHING: Match input data to master files
Output controls
Establish that results are accurate,
complete, properly distributed
Balance input, processing, output totals
Review processing logs
Ensure only authorized recipients get
results
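As an added example (not code from the slides), the input, processing and output controls from the last three slides applied to a constructed batch of payment transactions; the master file, batch header, record layout and all sample values are assumptions:

```python
# Added example (not from the slides): the input, processing and output
# controls the slides list, run over a constructed batch of payment
# transactions. Record layouts, field names and all sample values are assumed.

# Constructed master file: accounts the batch is allowed to post to.
MASTER_FILE = {"A100": "Alice", "A200": "Bob", "A300": "Carol"}

# Constructed batch header: totals the preparer took from the source documents.
BATCH_HEADER = {"record_count": 4, "hash_total": 475}

# Constructed batch: two good records, one unknown account, one bad amount.
BATCH = [
    {"account": "A100", "amount": 150},
    {"account": "A200", "amount": 275},
    {"account": "A999", "amount": 100},  # no master-file record
    {"account": "A300", "amount": -50},  # negative amount fails the edit check
]

def batch_control_check(batch, header):
    """Input control: recount the batch and compare with the header totals.
    A record lost or altered in transmission changes the count or hash total."""
    count = len(batch)
    total = sum(t["amount"] for t in batch)
    ok = count == header["record_count"] and total == header["hash_total"]
    return ok, {"record_count": count, "hash_total": total}

def edit_check(txn):
    """Input control: account must be present and amount a positive integer."""
    amount = txn.get("amount")
    return bool(txn.get("account")) and isinstance(amount, int) and amount > 0

def process_batch(batch, master):
    """Processing control: computer matching of each record against the master
    file. Every record lands in exactly one list so none silently disappears."""
    result = {"posted": [], "rejected": [], "errors": []}
    for txn in batch:
        if not edit_check(txn):
            result["errors"].append(txn)
        elif txn["account"] not in master:
            result["rejected"].append(txn)
        else:
            result["posted"].append(txn)
    return result

def output_balance(batch, result):
    """Output control: input total must equal posted + rejected + error totals."""
    in_total = sum(t["amount"] for t in batch)
    out_total = sum(t["amount"] for lst in result.values() for t in lst)
    return in_total == out_total
```

Dropping a record from the batch (for instance a lost transmission) makes batch_control_check fail before anything is posted, while the per-record controls reject only the offending records and the output balance proves the run accounted for every input amount.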
SECURITY AND THE INTERNET
ENCRYPTION: Coding & scrambling messages to deny unauthorized access
AUTHENTICATION: Ability to identify another party
MESSAGE INTEGRITY
DIGITAL SIGNATURE
DIGITAL CERTIFICATE
SECURITY AND THE INTERNET
PUBLIC KEY ENCRYPTION (diagram): SENDER -> encrypt with public key -> SCRAMBLED MESSAGE -> decrypt with private key -> RECIPIENT
Security and the Internet
DIGITAL WALLET: Software stores credit card, electronic cash, owner ID, address for e-commerce transactions
SECURE ELECTRONIC TRANSACTION: Standard for securing credit card transactions on the internet
ELECTRONIC PAYMENT SYSTEMS
CREDIT CARD - SET: Protocol for payment security
ELECTRONIC CASH: Digital currency
ELECTRONIC CHECK: Encrypted digital signature
SMART CARD: Chip stores e-cash
ELECTRONIC BILL PAYMENT: Electronic funds transfer
DEVELOPING A CONTROL STRUCTURE
COSTS: Can be expensive to build; complicated to use
BENEFITS: Reduces expensive errors, loss of time, resources, good will
RISK ASSESSMENT: Determine frequency of occurrence of problem, cost, damage if it were to occur
MIS AUDIT
IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS
SOFTWARE METRICS: Objective measurements to assess system
TESTING: Early, regular controlled efforts to detect, reduce errors
WALKTHROUGH
DEBUGGING
DATA QUALITY AUDIT: Survey samples of files for accuracy, completeness
Auditing Information Systems
These audits review and evaluate whether proper and adequate information system controls, procedural controls, facility controls and other managerial controls have been developed and implemented.
There are two basic approaches to auditing information systems:
- Auditing around the computer
- Auditing through the computer
Ways of protecting digital firms
Online transaction processing: Transactions entered online are immediately processed by computer
Fault-tolerant computer systems: Contain extra hardware, software, and power supply components to provide continuous uninterrupted service
Contd.
High-availability computing: Tools and technologies enabling system to recover quickly from a crash
Disaster recovery plan: Runs business in event of computer outage
Load balancing: Distributes large number of requests for access among multiple servers
Contd.
Mirroring: Duplicating all processes and transactions of server on backup server to prevent any interruption in service
Clustering: Linking two computers together so that a second computer can act as a backup to the primary computer or speed up processing
Security while using Internet
Firewalls: Prevent unauthorized users from accessing private networks. Two types: proxies and stateful inspection
Intrusion Detection System: Monitors vulnerable points in network to detect and deter unauthorized intruders
Security aspects related to e-commerce
Encryption: Coding and scrambling of messages to prevent their access without authorization
Authentication: Ability of each party in a transaction to ascertain identity of other party
Message integrity: Ability to ascertain that transmitted message has not been copied or altered
Contd.
Digital signature: Digital code attached to electronically transmitted message to uniquely identify contents and sender
Digital certificate: Attachment to electronic message to verify the sender and to provide receiver with means to encode reply
Security Management of E-Business
Encryption
Denial of Service Defenses
Firewalls
Monitor E-mail
Virus Defenses
Other E-Business Security Measures
Security Codes
Security Monitors
Backup Files
Biometric Security Controls
E-Business System Controls and Audits (diagram)
Control groups shown: Input Controls, Processing Controls, Storage Controls, Output Controls
Control methods named in the diagram: security codes, encryption, error signals, control totals, backup files, user feedback, firewalls, software and hardware controls, checkpoints
Computer System Failure Controls

Layer        | Threat                          | Fault Tolerant Methods
Applications | Environmental, HW and SW faults | Application redundancy, checkpoints
Systems      | Outages                         | System isolation, data security
Databases    | Data errors                     | Transaction histories, backup files
Networks     | Transmission errors             | Alternate routing, error correcting routines
Processes    | HW and SW faults                | Checkpoints
Files        | Media errors                    | Replication of data
Processors   | HW faults                       | Instruction retry
Disaster Recovery
- Who will participate?
- What will be their duties?
- What hardware and software will be used?
- Priority of applications to be run?
- What alternative facilities will be used?
- Where will databases be stored?