
VINEET SHARMA (11800378)
MUNISH KUMAR (11800601)
HARPREET KAUR (11800488)
• Why are information systems vulnerable to destruction, error, and abuse?
• What is the business value of security and control?
• What are the components of an organizational framework for security and control?
• What are the most important tools and technologies for safeguarding information resources?
Security:
Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Controls:
Methods, policies and organizational procedures that ensure the safety of the organization’s assets, the accuracy and reliability of its records, and operational adherence to management standards.
• Hardware problems include breakdowns, configuration errors, and damage from improper use or crime.
• Software problems include programming errors, installation errors, and unauthorized changes.

Environmental Factors
• Floods, fire, power failures, electrical problems and natural disasters.

Organizational Factors
• Use of networks/computers outside of the firm’s control
• Loss and theft of portable devices
• Viruses
  Rogue software programs that attach themselves to other software programs or data files in order to be executed. They spread from computer to computer when users take an action.
• Worms
  Independent computer programs that copy themselves from one computer to other computers over a network.
• Trojan horses
  A software program that appears to be benign but then does something other than expected. It is not itself a virus, as it does not replicate, but it is often a way for viruses or other malicious code to be introduced into a computer system, e.g. DSNX-05.
• Spyware
  Small programs that install themselves surreptitiously on computers to monitor users’ Web surfing activity and serve up advertising, with the possibility of invading privacy.
• Key loggers
  Record every keystroke on a computer to steal serial numbers and passwords or to launch Internet attacks.
• Hackers vs. crackers
  A hacker is an individual who intends to gain unauthorized access to a computer system.
  “Cracker” is typically used to denote a hacker with criminal intent.
• Spoofing
  Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else.
• Sniffer
  An eavesdropping program that monitors information travelling over a network.
  Enables hackers to steal proprietary information such as e-mail, company files, etc.
  Can also be used legitimately to help identify potential network trouble spots or criminal activity on networks.
• Denial-of-service attacks (DoS)
  Flooding a server with thousands of false requests to crash the network.
• Distributed denial-of-service attacks (DDoS)
  Use of numerous computers to launch a DoS attack and thus overwhelm the network from various launch points.
  DoS attacks do not destroy information or access restricted areas, but they often cause a website to shut down, making it impossible for legitimate users to access the site.
• Computer crime is defined as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution”.
• Identity theft
  Theft of personal information (social security ID, driver’s license or credit card numbers) to impersonate someone else.
  The fastest growing crime, off or on the Internet, is identity theft.
  Even though identity theft is most likely to occur in an offline environment, once your personal information has been stolen it is easy to use it in an online environment.
• Phishing
  Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data.
  Two phishing techniques are evil twins and pharming.
• Pharming
  Redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser.
• Click fraud
  Occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase.
• Cyberterrorism and cyber warfare
  The concern is that terrorists or foreign intelligence services could exploit network or Internet vulnerabilities to commit cyber terrorism or cyber warfare and cripple networks controlling essential services such as electrical grids and air traffic control systems.
• Security threats often originate inside an organization.
• Employees have access to privileged knowledge, and sloppy security procedures make this risky.
• Users’ lack of knowledge

• Social engineering:
  Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information.
• Chief Security Officer (CSO) functions
  Head of the security function.
  Educates and trains users.
  Keeps management aware of security threats and breakdowns.
  Maintains tools to implement security.
  Responsible for enforcing the firm’s security policy.
Risk assessment
Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals.

• What are the firm’s most important information assets?
• Who generates this information?
• Is an existing security policy in place?
• What is the level of acceptable risk for each?
• What is the cost to achieve this level?
• Online transaction processing: immediate processing, multitudinous changes each instant.
• Fault-tolerant computer system: redundant hardware, software and power supply components for uninterrupted services (self-checking logic).
• High availability computing: recovers quickly from a system crash; a must for e-commerce processing and high dependence on digital networks.
• Recovery-oriented computing: recovers even more quickly and pinpoints the source of faults.
• Examines the firm’s overall security environment as well as the controls governing individual information systems.
• Reviews technologies, procedures, documentation, training, and personnel.
• May even simulate a disaster to test the response of technology, IS staff and other employees.
• Lists and ranks all control weaknesses and estimates the probability of their occurrence.
• Assesses the financial and organizational impact of each threat.
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL

Access Control

Access control: Consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders.

Authentication: The ability of each party in a transaction to ascertain the identity of the other party.
• Passwords
• Smart cards
• Biometric authentication
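Password authentication is the first item in the list above, and the way a password is stored decides how much damage a stolen user table does. The following is an added example, not part of the slides: it stores each password as a salted PBKDF2 hash rather than in clear text, verifies with a constant-time comparison, and treats an unknown user and a wrong password the same way. The in-memory user store, the iteration count and the usernames are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed PBKDF2 work factor for the example; raise it as hardware gets faster.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def register(store: Dict[str, str], username: str, password: str) -> None:
    """Store only the salted hash; the clear-text password is never kept."""
    store[username] = hash_password(password)


def authenticate(store: Dict[str, str], username: str, password: str) -> bool:
    """Unknown users and wrong passwords both fail without revealing which."""
    record = store.get(username)
    if record is None:
        # Do the same amount of work as a real check so response time
        # does not reveal which usernames exist.
        hash_password(password)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    # Constructed in-memory user store standing in for the firm's user database.
    users: Dict[str, str] = {}
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "correct horse battery staple")
    print(users["alice"] != users["bob"])  # same password, different stored records
    print(authenticate(users, "alice", "correct horse battery staple"))  # True
    print(authenticate(users, "alice", "wrong password"))  # False
    print(authenticate(users, "mallory", "anything"))  # False
```

Because every user gets a different salt, two accounts with the same password produce different records, so an attacker who obtains the table cannot crack them in one pass or spot shared passwords.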
• Firewall:
  A combination of hardware and software that prevents unauthorized users from accessing private networks.
The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against unauthorized traffic.

A CORPORATE FIREWALL
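To make the placement in the figure concrete, here is an added example (not from the slides) of the decision a simple stateless packet filter makes at that boundary: packets are classified as inbound or outbound relative to the private network, rules are tried in order, and anything no rule allows is denied. The address plan (10.0.0.0/8 as the private network, 10.0.0.5 as a public web server) and the sample addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address plan for the example: the firm's private network is 10.0.0.0/8
# and 10.0.0.5 is its public-facing web server.
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "inbound" or "outbound"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    note: str = ""


def direction_of(pkt: Packet) -> str:
    """Classify a packet by which side of the firewall it comes from and goes to."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src not in PRIVATE_NET and dst in PRIVATE_NET:
        return "inbound"
    if src in PRIVATE_NET and dst not in PRIVATE_NET:
        return "outbound"
    return "other"  # internal-to-internal or transit: matches no rule here


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == direction_of(pkt)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(pkt: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.note
    return "deny", "default deny: no rule matched"


# Constructed policy: expose only the web server's HTTPS port, let staff
# browse and resolve names, and block everything else in both directions.
POLICY = [
    Rule("allow", "inbound", dst_net="10.0.0.5/32", proto="tcp", dport=443, note="public web server"),
    Rule("allow", "outbound", proto="tcp", dport=443, note="staff HTTPS"),
    Rule("allow", "outbound", proto="tcp", dport=80, note="staff HTTP"),
    Rule("allow", "outbound", proto="udp", dport=53, note="DNS"),
]

if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "10.0.0.5", "tcp", 443),    # allowed: public web server
        Packet("198.51.100.7", "10.0.0.5", "tcp", 22),     # denied: SSH not exposed
        Packet("198.51.100.7", "10.0.0.9", "tcp", 443),    # denied: not the web server
        Packet("10.0.0.23", "203.0.113.80", "tcp", 443),   # allowed: staff browsing
        Packet("10.0.0.23", "203.0.113.80", "tcp", 6667),  # denied: unexpected egress
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt, POLICY))
```

The default-deny rule at the end of `evaluate` is what makes the firewall protective: forgetting to write a rule closes a port rather than opening one, and the outbound rules limit what a compromised internal host can reach.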
• Intrusion detection systems:
  Monitor hot spots on corporate networks to detect and deter intruders.
  Examine events as they are happening to discover attacks in progress.
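The two bullets above describe an intrusion detection system examining events as they happen; the denial-of-service slide earlier describes flooding a server with thousands of false requests. This added example (not from the slides) joins the two: it reads web-server access log lines in order, keeps a sliding window of request times per source address, and raises one alert for any source whose requests in the window exceed a threshold. The log format, the sample addresses and the window and threshold values are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterator, List, Tuple

# Assumed log line format: "<timestamp> <source-ip> <method> <path> <status>"
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def build_sample_log() -> List[str]:
    """Constructed access log: two normal clients and one flooding source."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    events = []
    for i in range(30):   # 198.51.100.20 browses normally: one request every 2 s
        events.append((base + timedelta(seconds=2 * i), "198.51.100.20", f"/page/{i}"))
    for i in range(5):    # 192.0.2.44 polls a status page every 15 s
        events.append((base + timedelta(seconds=60 + 15 * i), "192.0.2.44", "/status"))
    for i in range(120):  # 203.0.113.9 sends 20 requests per second for 6 s
        events.append((base + timedelta(seconds=20, milliseconds=50 * i), "203.0.113.9", "/"))
    events.sort(key=lambda e: e[0])
    return [f"{ts.strftime(TS_FMT)} {ip} GET {path} 200" for ts, ip, path in events]


def _window_counts(lines: List[str], window_seconds: int) -> Iterator[Tuple[str, str, int]]:
    """Yield (source, timestamp, requests from that source in the last window) per line.

    The window is (t - window_seconds, t]: timestamps at or before t - window drop out.
    """
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real system would count and report these too
        ts_str, src = m.group(1), m.group(2)
        ts = datetime.strptime(ts_str, TS_FMT)
        dq = recent[src]
        dq.append(ts)
        while ts - dq[0] >= window:
            dq.popleft()
        yield src, ts_str, len(dq)


def detect_floods(lines: List[str], window_seconds: int = 10,
                  threshold: int = 50) -> List[Tuple[str, str, int]]:
    """Report each source once, at the first request that pushes it over the threshold."""
    alerts: List[Tuple[str, str, int]] = []
    alerted = set()
    for src, ts_str, count in _window_counts(lines, window_seconds):
        if count > threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts_str, count))
    return alerts


def peak_rates(lines: List[str], window_seconds: int = 10) -> Dict[str, int]:
    """Highest in-window request count seen for each source, useful for tuning the threshold."""
    peaks: Dict[str, int] = {}
    for src, _, count in _window_counts(lines, window_seconds):
        peaks[src] = max(peaks.get(src, 0), count)
    return peaks


if __name__ == "__main__":
    log = build_sample_log()
    for src, ts_str, count in detect_floods(log):
        print(f"ALERT {ts_str} {src}: {count} requests within 10 s")
    print(peak_rates(log))
```

The threshold has to be set from the peak rates of normal traffic (here the ordinary client never exceeds 5 requests in any 10-second window), otherwise the detector either misses a slow flood or pages the operator about a busy legitimate user.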
• Antivirus and antispyware software:
  Checks computers for the presence of malware and can often eliminate it as well.
  Requires continual updating.
• Encryption:
  Encryption is the coding of messages to prevent unauthorized access to or understanding of the data being transmitted.
• Recovery-oriented computing
  Designing systems that recover quickly, with capabilities to help operators pinpoint and correct faults in multi-component systems.
• Security in the cloud
  Responsibility for security resides with the company owning the data.
  Firms must ensure providers provide adequate protection.
  Service level agreements (SLAs)
• Securing mobile platforms
  Security policies should include and cover any special requirements for mobile devices,
  e.g. updating smart phones with the latest security patches.
GO CONFIDENTLY IN THE DIRECTION OF YOUR DREAMS.
LIVE THE LIFE YOU HAVE IMAGINED.
