SECURITY CHALLENGES OF INFORMATION TECHNOLOGY

SECURITY REQUIREMENTS FOR E-COMMERCE
• Privacy – control over who can see information and who must not
• Authenticity – knowing the identities of the communicating parties
• Integrity – assurance that stored or transmitted information is unaltered
• Reliability – assurance that systems will be available when needed and will perform consistently
• Blocking – ability to block unwanted information or intrusions
INFORMATION SYSTEM CONTROLS
Input controls
• Security codes
• Encryption
• Data entry screens
• Error signals
• Control totals (record counts, batch totals)
Processing controls
• Software controls – check that data is processed correctly
• Hardware controls – malfunction detection circuitry, redundant components, special-purpose microprocessors and associated circuitry
• Firewalls
• Checkpoints
Output controls
• Security codes – ensure that information products are complete and are available to authorized users in a timely manner
• Encryption
• Control totals – output totals are reconciled against the input and processing control totals
• Control listings – provide hard-copy evidence of all output produced
• End user feedback
Storage controls – how can we protect our data resources?
• Security codes
• Encryption
• Backup files
• Library procedures
• Database administration
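The control totals that appear under input, processing and output controls above are easiest to see in code. The following is an added example, not from the original slides: it computes the three classic control totals over a constructed batch (record count, batch total over the amount field, and a hash total over the account-number field) and reconciles them against the totals the originating department declared, showing which kind of error each total catches. The batch layout, field names and sample records are assumptions made for the example.

```python
"""Batch control totals: the same three totals are computed at input,
after processing and at output, and reconciled at each hand-off.

Added example, not from the original slides. The batch layout
(account,amount per line) and the sample records are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int     # how many records the batch should contain
    batch_total: Decimal  # sum of the monetary field
    hash_total: int       # sum of a non-monetary field (account numbers);
                          # meaningless as a number, but it catches a wrong account


def parse_batch(text):
    """Parse the constructed batch format: one 'account,amount' record per line."""
    records = []
    for line in text.strip().splitlines():
        account, amount = (field.strip() for field in line.split(","))
        records.append({"account": account, "amount": Decimal(amount)})
    return records


def compute_totals(records):
    """Compute record count, batch total and hash total over a batch."""
    return ControlTotals(
        record_count=len(records),
        batch_total=sum((r["amount"] for r in records), Decimal("0")),
        hash_total=sum(int(r["account"]) for r in records),
    )


def reconcile(declared, computed):
    """Compare declared totals with recomputed ones; an empty list means they agree."""
    problems = []
    for name in ("record_count", "batch_total", "hash_total"):
        want, got = getattr(declared, name), getattr(computed, name)
        if want != got:
            problems.append(f"{name}: declared {want}, computed {got}")
    return problems


def check_batch(text, declared):
    """Full input control: parse, total, and reconcile against the declared totals."""
    return reconcile(declared, compute_totals(parse_batch(text)))


# Constructed batch and the totals the originating department computed by hand.
DECLARED = ControlTotals(record_count=3, batch_total=Decimal("1549.95"), hash_total=3006)
GOOD_BATCH = "1001,250.00\n1002,99.95\n1003,1200.00\n"
# Transposition error in the amount of the last record: only the batch total differs.
BAD_AMOUNT_BATCH = "1001,250.00\n1002,99.95\n1003,2100.00\n"
# Account number mistyped: batch total still agrees, only the hash total differs.
BAD_ACCOUNT_BATCH = "1001,250.00\n1002,99.95\n1033,1200.00\n"
# One record dropped: all three totals differ.
DROPPED_BATCH = "1001,250.00\n1003,1200.00\n"

if __name__ == "__main__":
    for label, batch in [("good", GOOD_BATCH), ("bad amount", BAD_AMOUNT_BATCH),
                         ("bad account", BAD_ACCOUNT_BATCH), ("dropped", DROPPED_BATCH)]:
        print(label, check_batch(batch, DECLARED) or "reconciles")
```

The same `compute_totals` is run again on the processed file and on the printed output, so a record lost between stages shows up as a count mismatch and a corrupted amount as a batch-total mismatch; the hash total is the one that catches a posting to the wrong account, which the money totals cannot see.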
FACILITY CONTROLS
• Methods that protect an organization's computing and network facilities and their contents from loss or destruction.
• Network security – may be provided by specialized system software packages called system security monitors, which:
  - protect against unauthorized use, fraud and destruction (identification codes and passwords)
  - restrict the use of computers, programs and data files
  - record attempts at improper use
FACILITY CONTROLS
1. Encryption – scrambling data with a mathematical algorithm and a key, so that only holders of the matching key can read it. Widely used examples are RSA (from RSA Data Security) and PGP (Pretty Good Privacy).
FACILITY CONTROLS
2. Firewalls
  - An external firewall keeps unauthorized Internet users out.
  - An internal firewall prevents users from accessing sensitive human resources and financial data.
  - Passwords and browser security features control access to specific intranet resources.
FACILITY CONTROLS
3. Physical Protection Controls
  - Identification badges
  - Electronic door locks
  - Burglar alarms
  - Security guards
  - CCTV
  - Fire detection and extinguishing systems
  - Fireproof storage vaults
  - Emergency power controls
  - Humidity controls
  - Dust controls
FACILITY CONTROLS
4. Biometric Controls – devices use special sensors to measure and digitize a biometric profile
  - Voice verification
  - Fingerprints
  - Hand geometry
  - Signature dynamics
  - Keystroke analysis
  - Retina scanning
  - Face recognition
FACILITY CONTROLS
5. Failure Controls – common causes of system failure are:
  - Power failure
  - Electronic circuitry malfunctions
  - Telecommunications network problems
  - Hidden programming errors
  - Computer viruses
  - Computer operator errors
  - Electronic damage
PROCEDURAL CONTROLS
1. Standard Procedures and Documentation – an IS organization develops and follows standard procedures for its operations.
  - This promotes quality and minimizes errors and fraud.
  - Documentation helps in the maintenance of the system and must be kept up to date.
PROCEDURAL CONTROLS
2. Authorization Requirements
  - Requests for systems development and program changes need review before they are authorized.
  - Conversion to new hardware, software or network components, and their installation, requires formal notification.
PROCEDURAL CONTROLS
3. Disaster Recovery – damage can be caused by:
  - Hurricanes
  - Earthquakes
  - Fire
  - Floods
  - Criminal and terrorist acts
  - Human error
  Organizations make disaster recovery plans that specify:
  - which employees will participate in disaster recovery and what their duties will be
  - what hardware, software and facilities will be used
  - the priority order in which applications will be processed
PROCEDURAL CONTROLS
4. Controls for End User Computing – these include:
  - Methods for testing user-developed systems for compliance with company policies and work procedures
  - Methods for notifying other users when changes are planned
  - Thorough documentation of user-developed systems
  - Training several people in the operation and maintenance of a system
  - Formal backup and recovery procedures
  - Security controls
AUDITING INFORMATION SYSTEMS
• Information systems should be audited periodically.
• An audit reviews and evaluates whether proper and adequate system, procedural, facility and managerial controls have been developed and implemented.
• Two types:
  - Auditing around the computer system – verifying the accuracy and suitability of the input data and of the output produced, without examining the processing itself.
  - Auditing through the computer system – verifying the accuracy and integrity of the software that does the processing. Auditors develop test data and test programs to exercise it.
Audit Trail
• The presence of documentation that allows a transaction to be traced through all stages of its information processing.
• Electronic audit trail / control logs – automatically record all network activity on magnetic disk or tape devices.
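An added example, not from the original slides, of the electronic audit trail described above: each processing stage of a transaction is appended to a hash-chained log, so a transaction can be traced through input, validation, processing and output, and any later alteration or deletion of an entry breaks the chain. The transaction IDs, stage names and actors are constructed.

```python
"""Electronic audit trail: every stage a transaction passes through is
logged, each entry is hash-chained to the previous one, and the whole
trail can be verified so that an altered or deleted entry is detected.

Added example, not from the original slides. The transaction, stages and
actors below are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64


def _digest(body):
    """Canonical JSON so the same entry always hashes to the same value."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, txn_id, stage, actor, detail):
        """Append one entry, chained to the hash of the entry before it."""
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "txn_id": txn_id, "stage": stage,
                "actor": actor, "detail": detail, "prev_hash": prev_hash}
        body["entry_hash"] = _digest(body)
        self.entries.append(body)
        return body["entry_hash"]

    def trace(self, txn_id):
        """Follow one transaction through every stage it was logged at."""
        return [(e["stage"], e["actor"], e["detail"])
                for e in self.entries if e["txn_id"] == txn_id]

    def verify(self):
        """Recompute the chain. Return -1 if intact, else the index of the
        first entry whose content or linkage no longer matches."""
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("seq") != i or body.get("prev_hash") != prev_hash:
                return i
            if _digest(body) != entry["entry_hash"]:
                return i
            prev_hash = entry["entry_hash"]
        return -1


def build_sample_trail():
    """Constructed trail for one payment moving through input, processing and output."""
    trail = AuditTrail()
    trail.record("PAY-0001", "input", "clerk01", "batch B17 keyed, amount 1200.00")
    trail.record("PAY-0001", "validation", "edit-program", "control totals reconciled")
    trail.record("PAY-0002", "input", "clerk02", "batch B18 keyed, amount 99.95")
    trail.record("PAY-0001", "processing", "payroll-run", "posted to GL account 5100")
    trail.record("PAY-0001", "output", "print-spooler", "cheque 44821 printed")
    return trail


def tamper(trail, index, new_detail):
    """Simulate an after-the-fact edit of one log entry; return verify()'s result."""
    trail.entries[index]["detail"] = new_detail
    return trail.verify()


def delete_entry(trail, index):
    """Simulate removal of one entry; return verify()'s result."""
    del trail.entries[index]
    return trail.verify()


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify() == -1)
    for stage, actor, detail in trail.trace("PAY-0001"):
        print(f"  {stage:<11} {actor:<14} {detail}")
```

One caveat the code makes visible: deleting entries from the tail leaves a chain that still verifies, so the latest entry hash has to be anchored somewhere the log writer cannot change (printed on the control listing, or written to write-once media) for the trail to be complete as well as unaltered.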
Denial of Service Attacks
• Denial of service attacks depend on three layers of networked computer systems:
  - The victim's website
  - The victim's Internet service provider
  - Zombie or slave computers that have been commandeered by the cybercriminals
Defending Against Denial of Service
• At the zombie machines
  - Set and enforce security policies
  - Scan for vulnerabilities
• At the ISP
  - Monitor and block traffic spikes
• At the victim's website
  - Create backup servers and network connections
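As an added example (not from the original slides) of the ISP-layer defence, "monitor and block traffic spikes": the code below counts new flows per second toward each destination from a constructed flow log, keeps a rolling baseline from recent normal seconds, and raises an alert when the rate jumps. It also reports how many distinct source addresses are involved, which is what distinguishes a distributed attack from a single misbehaving client. The log format and the traffic are constructed.

```python
"""Traffic-spike detection of the kind an ISP (or the victim's own edge)
can run: count new flows per second toward each destination, compare
against a rolling baseline of recent normal seconds, and flag seconds
where the rate jumps and the traffic comes from many distinct sources.

Added example, not from the original slides. The flow-log format
("<second> <src_ip> <dst_ip>") and the traffic below are constructed.
"""
from collections import Counter, defaultdict, deque


def constructed_flow_log():
    lines = []
    # Ten seconds of normal traffic: 5 flows/s from 3 legitimate clients.
    for sec in range(10):
        for i in range(5):
            lines.append(f"{sec} 192.0.2.{i % 3 + 1} 203.0.113.10")
    # Three seconds of flood: 60 flows/s from 60 distinct zombie addresses.
    for sec in range(10, 13):
        for i in range(60):
            lines.append(f"{sec} 198.51.100.{i + 1} 203.0.113.10")
    return "\n".join(lines)


def detect_spikes(log_text, window=5, factor=4.0, min_rate=20):
    """Return one alert per (second, destination) whose flow rate exceeds
    factor * rolling baseline and is at least min_rate flows/s."""
    per_second = defaultdict(Counter)   # second -> Counter{dst: flows}
    sources = defaultdict(set)          # (second, dst) -> distinct src addresses
    for line in log_text.splitlines():
        sec, src, dst = line.split()
        per_second[int(sec)][dst] += 1
        sources[(int(sec), dst)].add(src)

    history = defaultdict(lambda: deque(maxlen=window))  # dst -> recent normal rates
    alerts = []
    for sec in sorted(per_second):
        for dst, rate in per_second[sec].items():
            recent = history[dst]
            baseline = sum(recent) / len(recent) if recent else 0.0
            spike = rate >= min_rate and (not recent or rate > factor * baseline)
            if spike:
                alerts.append({"second": sec, "dst": dst, "rate": rate,
                               "baseline": baseline,
                               "distinct_sources": len(sources[(sec, dst)])})
            else:
                recent.append(rate)   # only normal seconds feed the baseline
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(constructed_flow_log()):
        print(alert)
```

A high `distinct_sources` count tells the operator that blocking individual sources is pointless and that the response has to be rate-limiting or null-routing traffic toward the victim's address, which is why the slide places the "security policies" and "scan for vulnerabilities" controls at the zombie layer: the only place the distributed part of the problem can be fixed.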
4 ETHICAL DIMENSIONS
• Egoism – what is best for a given individual is right
• Natural law – promote health and life, propagate, pursue knowledge of the world and God, have close relationships with other people
• Utilitarianism – those actions are right that produce the greatest good for the greatest number of people
• Respect for persons –
WESTERN AND NON-WESTERN VALUES
Non-western                                                        | Western                 | Common values
Kyosei (Japanese): living and working together for the common good | Individual liberty      | Respect for human dignity
Dharma (Hindu): the fulfillment of inherited duty                   | Political participation | Respect for basic rights
Zakat (Muslim): the duty to give alms to the Muslim poor            | Human rights            | Good citizenship
MODEL OF ETHICAL DECISION MAKING
SPOOFING
To fool. In networking, the term describes a variety of ways in which hardware and software can be fooled. IP spoofing, for example, involves trickery that makes a message appear to come from an authorized IP address.

E.g. a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with a source IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, an attacker must first use a variety of techniques to find the IP address of a trusted host and then modify the packet headers so that the packets appear to come from that host. The attack only works where the target grants trust on the basis of a source address alone, which is why access decisions should rest on authentication rather than on the IP header.
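One way to stop the attack described above at the network edge, as an added example that is not from the original slides: ingress and egress address filtering of the kind standardized as BCP 38. Inbound packets whose source address belongs to the protected network (or to private address space) are dropped, and outbound packets whose source is not ours are dropped so the site's own hosts cannot be used to spoof others. The prefixes, sample packets and the trusted-host set are constructed for the example.

```python
"""Ingress and egress address filtering against IP spoofing (the approach
standardized as BCP 38). A packet arriving from the Internet that claims a
source address inside our own prefixes is lying about its origin and is
dropped; a packet leaving our network with a source address that is not
ours is dropped so that our hosts cannot spoof others.

Added example, not from the original slides. The prefixes, sample packets
and the TRUSTED_HOSTS set (an application that trusts a peer by IP
address alone) are constructed.
"""
import ipaddress

OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
# Address space that should never appear as a source on the Internet side.
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
           "192.168.0.0/16", "169.254.0.0/16")]
TRUSTED_HOSTS = {ipaddress.ip_address("192.0.2.10")}


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def edge_decision(direction, src, dst):
    """Decide ACCEPT/DROP for one packet at the border router.
    direction is 'inbound' (from the Internet) or 'outbound' (to the Internet)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "inbound":
        if _in_any(src, OUR_PREFIXES):
            return "DROP", "inbound packet claims an internal source address (spoofed)"
        if _in_any(src, BOGONS):
            return "DROP", "inbound packet from bogon/private source"
        return "ACCEPT", ""
    if direction == "outbound":
        if not _in_any(src, OUR_PREFIXES):
            return "DROP", "outbound packet with a source address we do not own"
        return "ACCEPT", ""
    raise ValueError(f"unknown direction {direction!r}")


def app_trusts(src):
    """What the spoofing attack exploits: trust granted on source address alone.
    The border filter above is what keeps this check from being bypassed by an
    outside packet claiming 192.0.2.10."""
    return ipaddress.ip_address(src) in TRUSTED_HOSTS


# Constructed packets: (direction, src, dst)
SAMPLE_PACKETS = [
    ("inbound", "198.51.100.7", "192.0.2.50"),    # ordinary Internet client
    ("inbound", "192.0.2.10", "192.0.2.50"),      # forged: claims our trusted host
    ("inbound", "10.4.4.4", "192.0.2.50"),        # forged private source
    ("outbound", "192.0.2.50", "198.51.100.7"),   # legitimate reply
    ("outbound", "203.0.113.9", "198.51.100.7"),  # our host spoofing someone else
]


def filter_packets(packets=SAMPLE_PACKETS):
    """Apply edge_decision to each packet; returns (packet, verdict, reason)."""
    return [(pkt, *edge_decision(*pkt)) for pkt in packets]


if __name__ == "__main__":
    for pkt, verdict, reason in filter_packets():
        print(f"{verdict:<6} {pkt}  {reason}")
```

The filter cannot tell whether an inbound packet claiming some other external address is genuine, so it protects only addresses on the inside; trust that rests on a source address, like `app_trusts` above, has to be replaced by authentication for anything that matters.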
OUTSOURCING

Outsourcing is the practice of seeking resources, or subcontracting, outside the organizational structure for all or part of an IT (Information Technology) function. Outsourced functions range from infrastructure to software development, maintenance and support.
For example, an enterprise might outsource its IT management because contracting a third party is cheaper than building its own in-house IT management team. Or a company might outsource all of its data storage because it does not want to buy and maintain its own storage devices. Most large organizations outsource only a portion of any given IT function. Outsourcing moves the work but not the accountability: the controls described above still have to be specified for, and audited at, the provider.
Information Protection - Why?
• Information is an important strategic and operational asset for any organization.
• Damage to and misuse of information affect not only a single user or application; they may have disastrous consequences for the entire organization.
• Additionally, the advent of the Internet and of networking capabilities has made access to information much easier.
Information Security: Main Requirements

(Diagram: Confidentiality, Integrity and Availability arranged around Information Security as its three main requirements)
Information Security: Examples

• Consider a payroll database in a corporation. It must be ensured that:
  - salaries of individual employees are not disclosed to arbitrary users of the database (confidentiality)
  - salaries are modified only by individuals who are properly authorized (integrity)
  - pay-checks are printed on time at the end of each pay period (availability)
Information Security: Examples

• In a military environment, it is important that:
  - the target of a missile is not given to an unauthorized user (confidentiality)
  - the target is not arbitrarily modified (integrity)
  - the missile is launched when the fire command is given (availability)
Information Security - main requirements

• Confidentiality - protection of information from unauthorized read operations
  - the term privacy is often used when the data to be protected refer to individuals
• Integrity - protection of information from modification; it involves several goals:
  - assuring the integrity of information with respect to the original information (relevant especially in the web environment), often referred to as authenticity
  - protecting information from unauthorized modifications
  - protecting information from incorrect modifications, referred to as semantic integrity
• Availability - ensuring that access to information is not denied to authorized subjects
Information Security - additional requirements
• Information Quality - not traditionally considered part of information security, but very relevant
• Completeness - ensuring that subjects receive all the information they are entitled to access, according to the stated security policies
Classes of Threats

• Disclosure - unauthorized access to information
  - Snooping (passive interception), Trojan horses
• Deception - acceptance of false data
  - Modification, spoofing (fooling), repudiation of origin, denial of receipt
• Disruption - interruption or prevention of correct operation
  - Modification
• Usurpation - unauthorized control of some part of a system
  - Modification, spoofing, delay, denial of service
Goals of Security

• Prevention
  - Prevent attackers from violating security
  policy
• Detection
  - Detect attackers’ violation of security policy
• Recovery
  - Stop attack, assess and repair damage
  - Continue to function correctly even if attack
  succeeds
Information Security - How?

• Information must be protected at various
levels:
  - The operating system
  - The network
  - The data management system
  - Physical protection is also important
Information Security - Mechanisms

• Confidentiality is enforced by the access control
   mechanism

• Integrity is enforced by the access control mechanism
   and by the integrity constraints

• Availability is enforced by the recovery mechanism and
   by detection techniques.
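An added example, not from the original slides, that ties the payroll example above to the mechanisms listed here: an access control check that enforces who may read and who may modify salaries (confidentiality and integrity), plus integrity constraints that refuse an update which is authorized but semantically wrong. The roles, users, salaries and the 50% change limit are constructed.

```python
"""Access control plus integrity constraints for the payroll example:
salary reads restricted to HR, auditors and the employee concerned;
salary writes restricted to HR; and semantic integrity constraints on the
new value so that an authorized but incorrect update is also refused.

Added example, not from the original slides. The roles, users, salaries
and the change limit are constructed.
"""
from decimal import Decimal


class PermissionDenied(Exception):
    pass


class IntegrityViolation(Exception):
    pass


class PayrollDB:
    READ_ROLES = {"hr_manager", "auditor"}
    WRITE_ROLES = {"hr_manager"}

    def __init__(self, roles, salaries, max_change=Decimal("0.5")):
        self.roles = dict(roles)                                   # subject -> role
        self.salaries = {k: Decimal(v) for k, v in salaries.items()}
        self.max_change = max_change   # largest fraction a salary may move in one update

    # --- access control mechanism (confidentiality and integrity) ---
    def may_read(self, subject, employee):
        return subject == employee or self.roles.get(subject) in self.READ_ROLES

    def may_write(self, subject):
        return self.roles.get(subject) in self.WRITE_ROLES

    def read_salary(self, subject, employee):
        if not self.may_read(subject, employee):
            raise PermissionDenied(f"{subject} may not read {employee}'s salary")
        return self.salaries[employee]

    # --- integrity constraints (semantic integrity) ---
    def _check_constraints(self, employee, new_value):
        if new_value <= 0:
            raise IntegrityViolation("salary must be positive")
        old = self.salaries[employee]
        if abs(new_value - old) > old * self.max_change:
            raise IntegrityViolation(
                f"change from {old} to {new_value} exceeds the limit of "
                f"{self.max_change} of the current salary; needs separate approval")

    def set_salary(self, subject, employee, new_value):
        if not self.may_write(subject):
            raise PermissionDenied(f"{subject} may not modify salaries")
        new_value = Decimal(new_value)
        self._check_constraints(employee, new_value)
        self.salaries[employee] = new_value
        return new_value


def attempt(fn, *args):
    """Run one operation and summarise the outcome as a tag the caller can compare."""
    try:
        return "ok", str(fn(*args))
    except PermissionDenied as exc:
        return "denied", str(exc)
    except IntegrityViolation as exc:
        return "integrity", str(exc)


def sample_db():
    """Constructed payroll with one HR manager, two employees and an auditor."""
    return PayrollDB(roles={"alice": "hr_manager", "bob": "employee",
                            "carol": "employee", "dave": "auditor"},
                     salaries={"bob": "4000", "carol": "5200"})


if __name__ == "__main__":
    db = sample_db()
    print(attempt(db.read_salary, "bob", "bob"))        # own salary: ok
    print(attempt(db.read_salary, "bob", "carol"))      # someone else's: denied
    print(attempt(db.set_salary, "bob", "bob", "9000")) # not HR: denied
    print(attempt(db.set_salary, "alice", "carol", "20000"))  # HR, but fails the constraint
    print(attempt(db.set_salary, "alice", "bob", "4200"))     # HR, within limits: ok
```

The order of the checks matters: authorization is decided before the value is looked at, so an unauthorized caller learns nothing about the current salary from the constraint error message.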
Information Security - How?
        Additional mechanisms
• User authentication - to verify the identity of subjects
  wishing to access the information

• Information authentication - to ensure information
   authenticity - it is supported by signature mechanisms

• Encryption - to protect information when being
   transmitted across systems and when being stored on
   secondary storage

• Intrusion detection - to protect against impersonation of
   legitimate users and also against insider threats
