MIS Tunis Business School Summaries


Securing Information Systems


Why Systems are Vulnerable
- Accessibility of networks.
- Hardware problems: breakdowns, config errors, damage from improper use...
- Software problems: programming errors, installation errors, unauthorized changes.
- Use of networks/computers outside of the firm's control.
- Loss and theft of portable devices.

Internet Vulnerabilities
- Network open to anyone.
- Size of the Internet means abuses can have a wide impact.
- Use of fixed Internet addresses with cable/DSL modems creates fixed targets for hackers.
- Unencrypted VoIP.
- Interception.
- Attachments with malicious software.

Wireless Security Challenges
- Radio frequency bands are easy to scan.
- SSIDs (service set identifiers): Identify access points, are broadcast multiple times, and can be identified by sniffer programs.
- War driving: Eavesdroppers drive by buildings and try to detect SSIDs and gain access to the network and its resources.
⇒ Once an access point is breached, the intruder can gain access to networked drives and files.
- Rogue access points.

Malicious Software
Malware: Programs exploiting computing system vulnerabilities.
⇒ We differentiate between software threats that:
- Do not replicate: activated by a trigger (e.g., logic bombs, viruses).
- Do replicate/propagate themselves (e.g., bots and worms).

Malware Terminology
- Virus: A piece of code that inserts itself into a host program (infects it). It cannot run independently; it requires that its host program be run to activate it.
- Worm: A program that can run independently and can propagate a complete working version of itself onto other hosts on a network.
- Logic bomb: A program inserted into software by an intruder. It executes on a specific condition (trigger).
⇒ Triggers for logic bombs can include a change in a file, a particular series of keystrokes, or a specific time or date.
- Trojan horse: Programs that appear to have one (useful) function but actually perform another (malicious) function, without the user's knowledge.
- Backdoor (trapdoor): Any mechanism that bypasses a normal security check, e.g. code that recognizes some special sequence of input.

Hackers and Computer Crime
- Activities include: System intrusion // System damage // Cybervandalism (intentional disruption, defacement or destruction of a website or corporate information).
- Denial-of-service attacks (DoS).
- Distributed denial-of-service attacks (DDoS).
- Botnets.
- Spam.
- Computer crime: Computers may be targets of crime or instruments of crime.

Software Vulnerability:
Commercial software contains flaws that create security vulnerabilities:
- Bugs (program code defects).
- Zero defects cannot be achieved.
- Flaws can open networks to intruders.
Patches: Small pieces of software to repair flaws.

What is the Business Value of Security and Control?
- Failed computer systems can lead to significant or total loss of business function.
- Firms now are more vulnerable than ever.
- A security breach may cut into a firm's market value almost immediately.
- Inadequate security and controls also bring forth issues of liability.

Risk Assessment:
Determines the level of risk to the firm if a specific activity or process is not properly controlled:
- Types of threat.
- Probability of occurrence during the year.
- Potential losses, value of threat.
- Expected annual loss.

Security Policy:
Ranks information risks, identifies security goals and mechanisms for achieving these goals, and drives other policies.
- Acceptable use policy (AUP): Defines acceptable uses of the firm's information resources and computing equipment.
- Identity management:
● Identifying valid users.
● Controlling access.

The Role of Auditing
- Information systems audit:
● Examines the firm's overall security environment as well as the controls governing individual information systems.
- Security audits:
● Review technology, procedures, documentation, training, and personnel.
● May even simulate a disaster to test responses.

Tools and Technologies for Safeguarding IS:
- Identity management software:
● Automates keeping track of all users and privileges.
● Authenticates users, protecting identities, controlling access.
- Authentication: Password systems // Tokens // Smart cards // Biometric authentication // Two-factor authentication.
- Firewall: Combination of hardware and software that prevents unauthorized users from accessing private networks:
● Packet filtering.

● Stateful inspection.
● Network address translation (NAT).
● Application proxy filtering.
- Intrusion detection system: Monitors hot spots on corporate networks to detect and deter intruders.
- Antivirus and antispyware software:
● Checks computers for the presence of malware and can often eliminate it as well.
● Requires continual updating.
- Unified threat management (UTM) systems.
- WEP security:
● Static encryption keys are relatively easy to crack.
● Improved if used in conjunction with a VPN.
● WPA2 specification: Replaces WEP with stronger standards.
● Continually changing, longer encryption keys.
Encryption and Public Key Infrastructure:
Encryption: Transforming text or data into cipher text that cannot be read by unintended recipients:
- Methods for encryption on networks:
● Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS).
● Secure Hypertext Transfer Protocol (S-HTTP).
- Symmetric key encryption:
● Sender and receiver use a single, shared key.
- Public key encryption: Uses two mathematically related keys: a public key and a private key.
● Sender encrypts the message with the recipient's public key.
● Recipient decrypts with the private key.
- Digital certificate: Data file used to establish the identity of users and electronic assets for the protection of online transactions.
● Uses a trusted third party, a certification authority (CA), to validate a user's identity.
● CA verifies the user's identity, stores information in the CA server, which generates an encrypted digital certificate containing owner ID information and a copy of the owner's public key.
- Public key infrastructure (PKI): Use of public key cryptography working with a certificate authority.

Security Issues for Cloud Computing and the Mobile Digital Platform:
Security in the cloud: Responsibility for security resides with the company owning the data.
- Firms must ensure providers provide adequate protection: Where data are stored // Meeting corporate requirements, legal and privacy laws // Segregation of data from other clients // Audits and security certifications.
- Service level agreements (SLAs).
Securing mobile platforms:
- Security policies should include and cover any special requirements for mobile devices.
- Mobile device management tools: Authorization // Inventory records // Control updates // Lockdown/erase lost devices // Encryption.
