The document discusses security issues related to information systems. It covers areas like vulnerabilities in information systems from malware and hacking, tools to safeguard information like firewalls and encryption, and the importance of security and controls for businesses. Specific topics covered include types of malware, hacking methods, security controls at different levels, and the value of computer forensics for legal purposes.
BMC511S Lesson 4 – Securing Information Systems, Ethical & Social Issues in Information Systems
03 May 2021
Faculty of Computing and Informatics
Security of information systems
1. An introduction to the security of information systems
2. Areas of vulnerabilities in information systems
3. Hackers and computer crime
4. Information systems controls
5. Tools and technologies for safeguarding information resources
6. The business value of security and control in IS
An introduction to the security of information systems
• Security – the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems
• Controls – the methods, policies and organisational procedures that ensure the safety of an organisation’s assets, the accuracy and reliability of its records and operational adherence to management standards
Areas of vulnerabilities in IS – malicious software
• Malware – malicious software programs, e.g. computer viruses, worms, Trojan horses
• Computer virus – rogue software that attaches itself to other software programs or data files in order to be executed, e.g. to display a message, destroy data or clog the computer
• Worms – computer programs that copy themselves from one computer to other computers over the network. They don’t attack other programs, but destroy data and programs to halt operations
• Trojan horse – a software program that does not replicate like a virus but opens the way for malicious code to be introduced, e.g. to steal login details
Other areas of vulnerabilities in information systems
• Internet vulnerability – hackers can intercept conversations and flood servers with bogus traffic
• Wireless security challenges – e.g. radio frequency bands are easy to scan; hackers use tools to detect and monitor unprotected networks
• SQL injection attacks – take advantage of vulnerabilities in poorly-coded web application software to introduce malicious programs
• Ransomware – takes control of computers; users have to pay to regain access
• Spyware – software that installs itself on computers to monitor web surfing activity
• Keyloggers – record every keystroke made on a computer to steal passwords, personal information, etc.
Hackers and computer crime
• A hacker is an individual who intends to gain unauthorized access to a computer system by finding weaknesses in the security of the system
• Spoofing: hackers hide their true identity by using fake email addresses or masquerading as someone else, e.g. to direct customers to fake web sites
• Sniffer: a type of eavesdropping program that monitors information travelling over a network
• Denial-of-service attacks: hackers flood a server with requests for services/email that crash the network
• Computer crime – any violation of criminal law that involves a knowledge of computer technology for perpetration, investigation or prosecution
Hackers and computer crime
• Identity theft: an impostor obtains key pieces of personal information such as ID, driver’s license or credit card details
• Phishing: a form of spoofing involving setting up websites or sending email messages that look like those of legitimate businesses to ask users for confidential personal data
• Evil twins: wireless networks that pretend to offer trustworthy WiFi connections to the internet, e.g. in airport lounges or hotels, to capture passwords
• Pharming: redirects users to a bogus web page, even when the individual types the correct web page address into their web browser
Hackers and computer crime
• Click fraud: when you click on an ad on a search engine, the click directs the potential buyer to a company website, and the company then pays the search engine for the service. When the click occurs but the customer is not directed to the company’s website, the company pays the search engine for nothing
• Cyber warfare: a state-sponsored activity designed to cripple another state or nation by penetrating its computers or networks for the purpose of causing damage and disruption
• Internal threats from employees: employees have access to privileged information; employees forget passwords or allow co-workers to use them
Information systems controls
• General controls – govern the design, security and use of computer programs and the security of data files throughout an organisation’s IT infrastructure
• Software controls – monitor the use of systems software and prevent unauthorised access to software programs, systems software and computer programs
• Hardware controls – ensure computer hardware is physically secure and check for equipment malfunction
• Computer operations controls – ensure that programmed procedures are consistently and correctly applied to the storage and processing of data, e.g. backup and recovery procedures
Information systems controls
• Data security controls: ensure that valuable business data files are not subject to unauthorized access, change or destruction while they are in use or in storage
• Implementation controls: audit the systems development process at various points to ensure that the process is properly controlled and managed
• Administrative controls: formalise standards, rules, procedures and control disciplines to ensure that the organisation’s general and application controls are properly executed and enforced
Information systems controls – application controls
• Application controls are specific controls that are unique to each computerized application
• Input controls – check data for accuracy and completeness when they enter the system
• Processing controls – establish that the data are complete and accurate during updating
• Output controls – ensure that the results of computer processing are accurate, complete and properly distributed
Tools and technologies for safeguarding information resources
• Identity management and authentication – the process of keeping track of all users and their system privileges, assigning each user a unique digital identity for accessing each system, e.g. password, biometric identification, smart card
• Firewalls – prevent unauthorized users from accessing private networks. A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic
• Intrusion detection systems – full-time monitoring tools placed at the most vulnerable points of networks to detect and deter intruders; the system sends an alarm if it finds a suspicious event
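As an added illustration (not from the slides) of an intrusion detection system raising an alarm on a suspicious event, the Python below counts requests per source address over a sliding time window in a constructed access log and alarms when a single source floods the server, the denial-of-service pattern described on the hackers slide. The log format, threshold, window size and all names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log: ISO timestamp, source address, request path.
# 203.0.113.5 sends six requests within two seconds, then goes quiet.
SAMPLE_LOG = """\
2021-05-03T10:00:00 203.0.113.5 /index.html
2021-05-03T10:00:01 198.51.100.7 /login
2021-05-03T10:00:01 203.0.113.5 /login
2021-05-03T10:00:01 203.0.113.5 /login
2021-05-03T10:00:02 203.0.113.5 /login
2021-05-03T10:00:02 203.0.113.5 /login
2021-05-03T10:00:02 203.0.113.5 /login
2021-05-03T10:00:03 198.51.100.7 /about
2021-05-03T10:00:40 203.0.113.5 /index.html
"""

def parse_line(line: str):
    """Split one log line into (datetime, source, path)."""
    ts, src, path = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), src, path

def detect_floods(log_text: str, threshold: int = 5, window_s: int = 10) -> list:
    """Return one (time, source, count) alarm for each source whose request count
    in any sliding window of `window_s` seconds exceeds `threshold`. A source is
    alarmed once per burst; the alarm re-arms after its window cools off."""
    recent = defaultdict(deque)   # source -> timestamps inside the current window
    alarmed = set()
    alarms = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _ = parse_line(line)
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop expired entries
            q.popleft()
        if len(q) > threshold and src not in alarmed:
            alarmed.add(src)
            alarms.append((ts.isoformat(), src, len(q)))
        elif len(q) <= threshold:
            alarmed.discard(src)   # burst is over; a later burst may alarm again
    return alarms
```

A real IDS would apply many such rules (and signature matches) at once; the window-and-threshold logic here is the core of a simple rate-based one.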
Tools and technologies for safeguarding information resources
• Anti-virus and anti-spyware software – prevents, detects and removes malware, including viruses, worms, Trojan horses and spyware
• Unified Threat Management (UTM) – a single appliance combining various security tools, including firewalls, virtual private networks (VPNs), intrusion-detection systems, web filtering and anti-spam software
• Encryption – transforming text or data into cipher text that cannot be read by anyone other than the sender and receiver. Data is encrypted using an encryption key
The business value of security and control in IS
• There are valuable information assets to protect, e.g. confidential information about taxes, medical records and financial assets
• Inadequate security and control may result in serious legal liability and costly litigation
• Computer forensics is the scientific collection, examination, authentication, preservation and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law

13 Storch Street, Private Bag 13388, Windhoek, NAMIBIA. T: +264 61 207 2258, F: +264 61 207 9258, E: fci@nust.na, W: www.nust.na