Securing Information Systems

Introduction to Security

  • Security: Refers to the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to Information Systems.

  • Control: Methods, policies, and organizational procedures that ensure the safety of the organization’s assets; the accuracy and reliability of its records; and operational adherence to management standards.

Vulnerabilities

  • Vulnerability: A weakness within the system that can potentially lead to loss or harm.
      - Examples of vulnerabilities: Threat of natural disasters, erroneous programs.

Threats to Computerized Information Systems

  • Common threats include:
      - Hardware failure
      - Software failure
      - Personnel actions
      - Terminal access penetration
      - Theft of data, services, equipment
      - Fire and electrical problems
      - User errors
      - Unauthorized program changes
      - Telecommunication problems

Internet Security Challenges and Vulnerabilities

  • Client to Server Challenges:
      - Computer Viruses: Malicious software that can corrupt or affect system operations.
      - Line taps & Sniffing: Techniques used to intercept communication.
      - Theft and Fraud: Hacking, data theft, alteration of data, etc.
      - Denial of Service Attacks: Overloading a network to make it unavailable.

Telecommunications Networks Vulnerabilities

  • Vulnerabilities in communication systems relate to:
      - Radiation/Noise
      - Crosstalk: Interference from other communications.
      - Access Issues:
        - Improper connections
        - Unauthorized access to sensitive data

  • User identification and Authentication Issues: Problems in verifying user identity can lead to vulnerabilities.

Computer Crime

  • Definition (U.S. Department of Justice): Any violations of criminal law that involve knowledge of computer technology for perpetration, investigation, or prosecution.

  • Includes:
      - Unauthorized use, access, or modification of hardware, software, and data.
      - Unauthorized release or copying of information.
      - Denying users access to their own resources.
      - Illegally obtaining information or assets through computer resources.
      - Breaching confidentiality of protected data.
      - Committing fraud by accessing protected computers.

Cybercrime Protection Measures

  • Security Technologies Used:
      - Antivirus: 96%
      - Virtual Private Networks (VPNs): 86%
      - Intrusion Detection Systems: 85%
      - Content Filtering/Monitoring: 77%
      - Public-key Infrastructure: 45%
      - Smart Cards: 43%
      - Biometrics: 19%

  • Security Management:
      - Security budgets constitute 6-8% of IT budgets.
      - 63% plan to establish the role of a Chief Security Officer.
      - 39% acknowledged having compromised systems in the past year.
      - 24% have cyber risk insurance.

Malicious Software (Malware)

  • Malware: Includes computer viruses, worms, and Trojan horses.
      - Computer Virus: Software that attaches to other programs or files and executes without user permission.
      - Worms: Standalone programs that replicate themselves across networks.
      - Trojan Horse: Programs that deceive users by performing unexpected actions.

Hackers

  • Definition: An individual aiming to gain unauthorized access to a computer system.

  • Spoofing: Misrepresenting oneself to trick users into revealing critical information.

  • Sniffer: An eavesdropping program that monitors information traveling over a network, looking for sensitive data.

Denial-of-Service Attacks

  • Hackers bombard servers with numerous false communication requests, causing the network to become unavailable for legitimate users. This can lead to:
      - System slowdowns or crashes.

Computer Forensics

  • Definition: The scientific collection, examination, authentication, preservation, and analysis of data to be used as evidence.
      - Includes data recovery, secure storage, and court presentation protocols.

Information System Controls

  • IS Controls: Comprise both manual and automated controls.
      - General Controls: Govern design, security, and usage of programs and data, applicable across all applications.

  • Classification of Controls:
      - General Controls: Software, hardware, operations, security, and administrative controls.
      - Application Controls: Unique to specific applications ensuring only authorized data processing.
        - Types: Input, processing, and output controls.

Protecting the Digital Firm

  • Includes high-availability computing, fault-tolerance, disaster recovery, and load balancing strategies.

  • Business Continuity Planning: Focuses on restoring operations post-disaster, while disaster recovery planning deals with service restoration.

Technologies and Tools for Protecting Information Resources

  • Access Control: Policies preventing unauthorized access, requiring authentication.
      - Authentication: Verifying the identity of users accessing the system.

  • Biometric Authentication: Measures unique traits (e.g., fingerprints) for access control.

Firewalls

  • Definition: Combination of hardware and software that controls network traffic flow, providing a barrier against unauthorized access.
      - Types of screening technologies: Static packet filtering, stateful inspection, network address translation, and application proxy filtering.

Intrusion Detection Systems (IDS)

  • Purpose: Continuous monitoring of networks for suspicious activity, triggering alarms for suspicious events.

Antivirus and Antispyware Software

  • Function: Scans systems for viruses; major vendors include McAfee and Symantec.

Encryption

  • Definition: Process of converting plaintext into ciphertext, reversible via decryption with a specific key.
      - Used to secure data in transit and stored information from unauthorized access.

  • Methods:
      - Symmetric Key Encryption: Uses a single key to encrypt and decrypt messages.
      - Public Key Encryption: Utilizes a pair of keys (public and private) for secure communication.

Public Key Encryption Process

  1. Creating Keys: Generate public/private key pairs.

  2. Encrypt messages with recipient's public key.

  3. Recipient uses private key for decryption, ensuring confidentiality.

Security Measures

  • Security Codes: Encrypted passwords and multilevel systems.

  • Backup Files: Duplicate data to prevent loss.

  • Security Monitors: Prevent unauthorized use and fraud.

  • Biometrics Systems: Assess unique physical traits for user access.

Confidentiality, Integrity, and Availability

  • Organizations must achieve:
      - Confidentiality: Protect sensitive information from unauthorized access.
      - Integrity: Ensure data accuracy and reliability.
      - Availability: Guarantee access to information for legitimate users at all times.