Published in: Business, Technology
  • If interested, have an academic article on cyber crime that is used in CSM&A
1. MANAGING SYSTEM SECURITY

2. LEARNING OBJECTIVES
  • Examine information systems’ vulnerability and the possible damage from malfunctions.
  • Describe the major methods of defending information systems.
  • Describe the security issues of the Web and electronic commerce.
  • Describe security auditing.

3. COMPUTER SYSTEMS MANAGEMENT
  • Encompasses all activities related to the:
      • planning
      • organizing, acquiring
      • maintaining
      • securing
      • controlling of IT resources.

4. CASE: CYBER CRIME
  • On Feb. 6, 2000, the biggest EC sites were hit by cyber crime.
  • The attacker used a method called denial of service (DoS).
      • By hammering a Web site’s equipment with too many requests for information, an attacker can effectively clog a system.
  • The total damage worldwide was estimated at $5-10 billion (U.S.).
      • The alleged attacker, from the Philippines, was not prosecuted because he did not break any law in the Philippines.

5. MORE EXAMPLES
  • An American computer programmer planted a virus to be activated two days after his name was deleted from the payroll file. The virus eliminated 168,000 payroll records, which resulted in a one-month delay in processing payroll cheques. Donald Burleson was found guilty of a third-degree felony and fined $5,000.
  • A fire disabled a Bell switching exchange in the U.S. The effect disabled voice and data telecommunications for a period ranging from two days to three weeks. The business cost to the community was estimated at $300 million.

6. MORE EXAMPLES
  • A group installed an ATM in a busy shopping center in Hartford, Connecticut. Customers using the machine were shown the message “sorry, no transactions possible” after inserting their cards and entering their PINs. Using counterfeit cards made from the information captured, the group netted around $100,000.
  • A teenager was arrested on suspicion of hacking into the Pentagon and over 700 other sensitive computer sites worldwide. The teenager became an instant folk hero and received many highly paid security assignments as a result.

7. MORE EXAMPLES
  • The U.S. Social Security Service discovered an error in the program used to calculate retirement benefits. The error had been in the system for over 20 years. It had shortchanged 700,000 people by over $850 million, and the problem took more than three years to fix.

8. LESSONS LEARNED FROM THE CASES
  • Information resources, which include computers, networks, programs, and data, are vulnerable to unforeseen attacks.
  • Many countries do not have sufficient laws to deal with computer criminals.
  • Protection of networked systems can be a complex issue.

9. LESSONS LEARNED FROM THE CASES
  • Attackers can zero in on a single company, or can attack many companies without discrimination.
  • Attackers use different attack methods.
  • Although variations of the attack methods are known, the defence against them is difficult and/or expensive.

10. SECURITY THREATS

11. SECURITY PROBLEMS
  • Defending information systems is not a simple or inexpensive task, for the following reasons:
      • IS physical resources, data, software, procedures and other resources may be at risk at any time.
      • Hundreds of potential threats exist.
      • Computing resources may be distributed across many locations (intranets, extranets).

12. SECURITY PROBLEMS
  • Computer networks can extend outside the organization and be difficult to protect.
  • Many individuals control information assets.
  • Rapid technological changes make some controls obsolete as soon as they are installed.
  • Many computer crimes go undetected for a long period of time.
  • People tend to violate security procedures because they are inconvenient.

13. INFORMATION SYSTEM RISK
  Risks to the organisation’s information resources include the following:
  • Human errors
  • Environmental hazards
  • Computer systems failures
  • Intentional threats
  • Cyber crime

14. HUMAN ERRORS
  • In the design of hardware and information systems
  • In programming, testing and authorisation
  • These errors contribute to the vast majority of control and security related problems.

15. ENVIRONMENTAL HAZARDS
  • Earthquakes, hurricanes, floods, lightning strikes, etc.
  • Fire, defective air-conditioning, radioactive fallout, water-cooling system failures.
  • Smoke, heat and water damage resulting from the other environmental hazards.

16. COMPUTER SYSTEMS FAILURES
  • Poor design
  • Use of defective material
  • Lack of proper quality control
  • Inadequate specification of hardware by the buyer

17. INTENTIONAL THREATS
  • Theft of data, inappropriate use of data
  • Theft of computer time, equipment and programs
  • Deliberate manipulation of data and programs
  • Strikes, riots, sabotage

18. INTENTIONAL THREATS
  • Malicious damage, including terrorist attacks
  • Destruction from virus attacks
  • Miscellaneous computer abuses and crimes
  • Fraud and crimes related to the use of the internet

19. CYBER CRIME
  • Crimes can be performed by hackers:
      • outsiders who penetrate a computer system, or
      • insiders who are authorised to use the computer system but are misusing their authorization.

20. CYBER CRIME
  • According to the FBI:
      • an average white-collar crime involves $23,000; but
      • an average computer crime involves about $600,000.

21. CYBER CRIME
  • Two basic methods of attack are used in deliberate attacks on computer systems:
  • 1. Data tampering
      • False, fabricated or fraudulent data
      • Changing or deleting data
      • Examples:
          • Wages clerk and the extra employee
          • Stock clerk and the damaged stock
          • Shift supervisor and the extra overtime

22. CYBER CRIME
  • 2. Programming fraud, e.g. viruses
      • Programming techniques used to modify a computer program:
          • Virus
          • Worm
          • Trojan horse
          • Spoofing

23. DEFENSE STRATEGIES
  • The following are the major objectives of defence strategies:
      • Prevention and deterrence
      • Detection
      • Limitation
      • Recovery
      • Correction

24. PREVENTIVE CONTROL SYSTEMS
  • Access control
  • Transaction logs and audit trails
  • Encryption
  • Archiving
  • Virus protection
  • Firewall

25. PREVENTIVE CONTROL SYSTEMS
  • Documentation
      • Computer operation manual
      • Systems administration manual
  • Separation of functions
  • Personnel control
  • IS audit

26. IT AUDITING
  • Involves a periodic examination and check of financial and accounting records and procedures (the system audit).
  • Two types of auditors (and audits):
      • Internal
      • External

27. IT AUDITING
  • Auditors attempt to answer questions such as:
      • Are there sufficient controls in the system?
      • Which areas are not covered by controls?
      • Which controls are not necessary?
      • Are the controls implemented properly?
      • Are the controls effective; do they check the output of the system?

28. IT AUDITING
  • Is there a clear separation of duties of employees?
  • Are there procedures to ensure compliance with the controls?
  • Are there procedures to ensure reporting and corrective actions in case of violations of controls?

29. HOW IS AUDITING EXECUTED?
  • IT auditing procedures can be classified into three categories:
      • Auditing around the computer: verifying processing by checking for known outputs using specific inputs.
      • Auditing through the computer: inputs, outputs, and processing are checked.
      • Auditing with the computer: using a combination of client data, auditor software, and client and auditor hardware.
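The data-tampering case on slide 21 (the wages clerk and the extra employee), the "transaction logs and audit trails" control on slide 24 and "auditing around the computer" on slide 29 fit together in code. This is an added example, not material from the slides: a hash-chained transaction log serves as the audit trail, and the audit replays that known history against the live payroll file to find records that never went through the logged change procedure. Employee ids and wages are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash that anchors the chain before the first entry

def entry_hash(prev_hash, entry):
    """Hash of one log entry, bound to the hash of the entry before it."""
    payload = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append(log, entry):
    """Record a payroll change; every legitimate change must go through here."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "hash": entry_hash(prev, entry)})

def verify_chain(log):
    """False if any entry was edited, removed or reordered after being logged."""
    prev = GENESIS
    for rec in log:
        if rec["hash"] != entry_hash(prev, rec["entry"]):
            return False
        prev = rec["hash"]
    return True

def replay(log):
    """Rebuild the payroll file that an honest history of changes would produce."""
    payroll = {}
    for rec in log:
        e = rec["entry"]
        if e["op"] == "add":
            payroll[e["emp"]] = e["wage"]
        elif e["op"] == "remove":
            payroll.pop(e["emp"], None)
    return payroll

def audit(log, live_payroll):
    """Audit around the computer: known inputs (the log) vs. observed output (the file)."""
    findings = [] if verify_chain(log) else ["audit trail altered"]
    expected = replay(log)
    for emp in sorted(set(expected) | set(live_payroll)):
        if expected.get(emp) != live_payroll.get(emp):
            findings.append(f"{emp}: log says {expected.get(emp)}, file has {live_payroll.get(emp)}")
    return findings

# Constructed sample: two logged hires, then ghost employee E999 written straight into the file.
LOG = []
append(LOG, {"op": "add", "emp": "E100", "wage": 2500})
append(LOG, {"op": "add", "emp": "E101", "wage": 2700})
PAYROLL = {"E100": 2500, "E101": 2700, "E999": 3100}
```

Calling audit(LOG, PAYROLL) reports the ghost employee; editing a wage inside an already-logged entry makes verify_chain return False, so a clerk cannot quietly rewrite the trail to match a tampered file.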
30. IN SUMMARY
  • Risk
  • Threats
  • Defense strategies
  • Controls
  • IT audit