MANAGING SYSTEM SECURITY
MANAGING INFORMATION SYSTEMS IN ORGANIZATIONS
Prepared by: Jan Wong
Download at: www.slideshare.net/janwong
WHY IS IT IMPORTANT TO MANAGE SYSTEM SECURITY?
DEFENDING IS NOT A SIMPLE OR INEXPENSIVE TASK.
• Cost of investment.
• Hundreds of potential threats exist.
• All resources, data, software and processes can be at risk at any time.
• Computing resources may be distributed.
• Networks and architectures may span outside the organization.
• Many individuals are involved in managing data assets.
• Rapid technological change causes security controls to become obsolete.
• Computer crimes can go undetected for long periods of time.
• People tend to violate security procedures.
WHAT ARE THE OBJECTIVES OF DEFENSE STRATEGIES?
1. PREVENTION & DETERRENCE • To prevent future attacks
2. DETECTION • For early realisation / alert
3. RECOVERY • To fix damaged systems
4. CORRECTION • To eliminate the problem
CASE STUDY: DOS ATTACK
Case: The biggest eCommerce sites were hit by an attacker using a method called a Denial-of-Service (DOS) attack.
Damage: Estimated at about USD 5-10 billion.
Results: The alleged attacker, from the Philippines, was not prosecuted as he had not broken any law in that country.
Date: 6 Feb 2000
What Is It: A DOS attack “hammers” a website with too many requests for information and ultimately clogs the system, causing it to fail.
CASE STUDY: VIRUS ATTACK
Case: An American programmer planted a virus set to activate automatically two days after his name was deleted from the payroll file (HR records).
Damage: The virus eliminated 168,000 payroll records, resulting in a one-month delay in processing payroll cheques.
Results: Donald Burleson was found guilty of a third-degree felony and was fined USD 5,000.
Date: Unknown
What Is It: Viruses are programs created to harm the integrity of a system.
CASE STUDY: HUMAN ERROR
Case: The U.S. Social Security Service discovered an error in the program used to calculate retirement benefits. The error had been in the system for over 20 years.
Damage: The system shortchanged 700,000 people by over USD 850 million.
Results: It took three years to fix the problem.
Date: Unknown
What Is It: A mistake caused by human negligence or oversight.
CASE STUDY: PHISHING
Case: A group installed an ATM in a busy shopping mall in Hartford, Connecticut. Customers using the machine were shown the message “Sorry, no transactions possible” after inserting their cards and entering their PINs.
Damage: Using counterfeit cards, the group netted about USD 100,000.
Results: N/A
Date: Unknown
What Is It: A method that disguises itself as the “real thing” to “fish” for data.
LESSONS TO LEARN FROM THE CASE STUDIES
• All information resources are vulnerable to attacks, not just the server.
• Many countries do not have sufficient cyberlaws.
• Protection of networked systems is complex.
• Attackers can zero in on a single individual or on multiple companies without discrimination.
• Attackers use multiple methods.
• Even though these attacks are common, it is still difficult and expensive to defend against them.
RISKS IN INFORMATION SYSTEMS
THE COMMON CATEGORIES TO BE AWARE OF

1. HUMAN ERRORS
• Design of hardware or systems.
• Negligence or oversight during programming, testing or authorisation.
• Lack of knowledge or experience.
• Greed.
2. ENVIRONMENTAL HAZARDS
• Earthquakes, floods, fire, lightning strikes and any natural disaster.
• Also includes defective air conditioning, cooling systems, radioactive fallout, etc.
• Smoke, heat and water damage resulting from environmental changes and hazards.
3. COMPUTER SYSTEM FAILURES
• Poor design.
• Use of defective materials.
• Lack of quality control.
• Inadequate specification by the buyer.
4. CYBER CRIME
• Attackers are typically known as hackers: outsiders who penetrate the system without permission, or insiders who misuse their authorization.
• Data tampering - inserting false data (e.g. wages, stock count, etc.).
• DOS attack - hammering a website with more requests than it can handle.
• Programming fraud - programming techniques used to modify a computer program (virus, worm, trojan horse, spoofing, phishing).
5. INTENTIONAL THREATS
• Targeted theft of data.
• Deliberate manipulation of data and systems.
• Strikes, riots, sabotage and terrorist attacks.
• Destruction from virus attacks.
• Computer abuses and crimes.
HOW TO CONTROL & SECURE INFORMATION SYSTEMS?
ALSO KNOWN AS SECURITY MEASURES
• Physical access control
• Power generator
• Uninterruptible power supply (UPS)
• Surge protector
• Humidity control
• Temperature control
• Water detector
• Raised floors
• Fire extinguisher
• Alarm systems
• CCTV
• Transaction logs
• Audit trails (around, through, with the computer)
• Encryption
• Archiving
• Anti-virus
• Firewall
• Documentation / user manuals
• Separation of functions
Questions, anyone?