Various Security Issues in Using MIS

Submitted to: Prof. Sumeet Gupta
Submitted by: Rohit Garg, 12PGP091
Management Information System
Indian Institute of Management, Raipur
2012 – 2013

IIM Raipur 1 | Page
Abstract: This report describes common sources of security threats, defines the major elements of an organizational security policy, and presents the most common types of technical, data, and human security safeguards. The primary focus is on management's responsibility for the organization's security policy and for implementing human security safeguards.

1. Concerns for Personal Security: Identity Theft

Identity theft is the manipulation of, or improper access to, another person's identifying information, such as a social security number, mother's maiden name, or personal identification number (rather than an account number), in order to fraudulently establish credit or take over a deposit, credit, or other financial account for benefit. Thieves gain access to personal data via:
  • A stolen wallet or purse
  • Stealing or diverting mail
  • Rummaging through trash
  • Fraudulently obtaining a credit report
  • Personal information on the Internet
  • A business, by conning or bribing an employee who has access to confidential data

2. Threats to Information Security: Sources

Security threats arise from three sources:
  • Human error and mistakes
  • Malicious human activity
  • Natural events and disasters

Human error stems from employees and non-employees:
  • They may misunderstand operating procedures and inadvertently cause data to be deleted.
  • Poorly written application programs and poorly designed procedures may allow employees to enter data incorrectly or misuse the system.
  • Employees may make physical mistakes, like unplugging a piece of hardware, that cause the system to crash.

Malicious human activity results from employees, former employees, and hackers who intentionally destroy data or system components:
  • Breaking into systems with the intent of stealing or destroying data.
  • Introducing viruses and worms into a system.
  • Acts of terrorism.
  • White-hat hackers are hired by organizations to test security systems.

Natural events and disasters pose problems stemming not just from the initial loss of capability and service but also from problems a company may experience as it recovers from the initial problem.

  • Pretexting is the practice of obtaining your information under false pretences.
  • Phishing is a similar technique that uses pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data.
  • Spoofing is another term for pretexting: someone pretending to be someone else.
  • Sniffing is a technique for intercepting computer communications.
  • Hacking is the act of breaking into a computer system.
3. Senior Management's Security Role

Risk assessment factors:
  • Assets
  • Threats
  • Safeguards
  • Vulnerability
  • Consequences
  • Likelihood
  • Probable loss

Senior managers should ensure their organization has an effective security policy that includes these elements:
  • A general statement of the organization's security program
  • Issue-specific policies, like personal use of email and the Internet
  • System-specific policies that ensure the company is complying with laws and regulations

Senior managers must also manage the risks associated with information systems security. Risk is the likelihood of an adverse occurrence.

Effective security requires balanced attention to all five components: hardware, software, data, procedures, and people.

4. Safeguards Available: Identification and Authentication

Every information system today should require users to sign in with a user name and password. The user name identifies the user, and the password authenticates the user. There are three types of authentication methods:
  • What you know; e.g., a password
  • What you have; e.g., a smart card loaded with identifying data
  • What you are; e.g., biometric authentication

Encryption: Senders use a key to encrypt a plaintext message and then send the encrypted message to a recipient, who uses a key to decrypt it. Both sender and recipient must keep the key secret, which becomes a problem when too many people use the same key.

Digital Certificate: An electronic file that is the equivalent of an "online passport" and can be appended to a message to ensure the identity of the sender. The certificate is issued by a trusted third party known as a certification authority. It also contains the digital signature of the certificate-issuing authority and of the recipient.

Firewall: A firewall is a computing device that prevents unauthorized network access. It can be a special-purpose computer or a program on a general-purpose computer or on a router. Organizations normally use multiple firewalls.
  • A perimeter firewall sits outside the organization's network. It is the first device that Internet traffic encounters.
  • Internal firewalls are inside the organizational network, in addition to the perimeter firewall.
  • A packet-filtering firewall examines each packet and determines whether to let the packet pass. It can also disallow traffic from particular sites, such as known hacker addresses.
  • Firewalls can filter outbound traffic as well.
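The packet-filtering behaviour described above, as an added example that is not part of the original report: an ordered rule list evaluated first-match with an implicit deny, a blocked-source list applied before the allow rules, and separate inbound and outbound rules. The rule set, the internal address range, and the "known hostile" range are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from the internal network)
    src: str
    dst: str
    dport: int
    proto: str       # "TCP" or "UDP"


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str = "*"        # "in", "out" or "*" for either
    src: str = "0.0.0.0/0"      # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"      # CIDR the destination address must fall in
    dport: Optional[int] = None # None means any destination port
    proto: str = "*"

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule accepts the packet."""
        return (self.direction in ("*", pkt.direction)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and self.proto in ("*", pkt.proto))


# Constructed values: the organization's internal range and a range the
# administrator has chosen to block outright (the "known hacker addresses").
INTERNAL = "10.0.0.0/8"
BLOCKED_SOURCES = ["198.51.100.0/24"]

# Deny rules for blocked sources come first so they win regardless of port.
PERIMETER_RULES: List[Rule] = (
    [Rule("deny", "in", src=net) for net in BLOCKED_SOURCES]
    + [
        # Inbound: only HTTPS to the one published web server.
        Rule("allow", "in", dst="10.0.0.8/32", dport=443, proto="TCP"),
        # Outbound: internal hosts may browse (HTTPS) and resolve names (DNS).
        Rule("allow", "out", src=INTERNAL, dport=443, proto="TCP"),
        Rule("allow", "out", src=INTERNAL, dport=53, proto="UDP"),
    ]
)


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; anything unmatched is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        Packet("in", "203.0.113.5", "10.0.0.8", 443, "TCP"),    # allow
        Packet("in", "198.51.100.7", "10.0.0.8", 443, "TCP"),   # deny: blocked source
        Packet("in", "203.0.113.5", "10.0.0.5", 22, "TCP"),     # deny: no rule
        Packet("out", "10.0.0.21", "192.0.2.10", 443, "TCP"),   # allow
        Packet("out", "10.0.0.21", "192.0.2.10", 25, "TCP"),    # deny: outbound filtered
    ]
    for p in samples:
        print(f"{p.direction:3} {p.src:>14} -> {p.dst}:{p.dport}/{p.proto}  {filter_packet(PERIMETER_RULES, p)}")
```

Rule order matters: placing the deny entries first is what makes the blocked range lose even on a port the allow rules would otherwise admit, and the trailing implicit deny is what turns "nothing matched" into a drop rather than a pass.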
Malware: Malicious software seeks to disrupt or damage a computer system.
  • A computer virus is a program that replicates itself.
  • A Trojan horse is a virus masquerading as a useful program or file.
  • A worm is a virus that propagates itself using the Internet or another computer network.
  • Spyware: Software that is installed on the user's computer without the user's knowledge. It resides in the background and, unknown to the user, observes the user's actions and keystrokes, monitors computer activity, and reports the user's activities to sponsoring organizations.
  • Adware: Similar to spyware in that it is installed without the user's permission, resides in the background, and observes user behaviour.
  • Most adware is benign in that it does not perform malicious acts or steal data.
  • Adware produces pop-up ads and can also change the user's default window or modify search results and switch the user's search engine.

5. Human Safeguards Available: Employee / Non-Employee

Effective human safeguards begin with definitions of job tasks and responsibilities. User accounts should be defined to give users the least possible privilege needed to perform their jobs. Employees need to be made aware of the security policies, procedures, and responsibilities they will have. The security sensitivity should be documented for each position. Security considerations should be part of the hiring process; when hiring for highly sensitive positions, extensive screening interviews, references, and in-depth background investigations are appropriate. Employee security training begins during new-employee training with the explanation of general security policies and procedures.

Monitoring functions are activity log analyses, security testing, and investigating and learning from security incidents. An important security function is to analyze activity logs for threats, successful and unsuccessful attacks, and evidence of security vulnerabilities.
  • Many information system programs produce activity logs.
  • Firewalls produce logs of their activities, including lists of all dropped packets, infiltration attempts, and unauthorized access attempts.
  • DBMS products produce logs of successful and failed log-ins.
  • Web servers produce voluminous logs of Web activities.
  • The operating systems in personal computers can produce logs of log-ins and firewall activities.

To protect databases and other data sources, an organization should follow various safeguards, which include the following:
  • Determine data rights and responsibilities
  • Enforce rights by user accounts and passwords
  • Encrypt sensitive data
  • Establish backup and recovery procedures
  • Establish physical security

Remember, data and the information derived from it are among the most important resources an organization has.
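The activity-log analysis the monitoring section calls for, as an added example that is not part of the original report: it parses a firewall log of dropped packets and a DBMS log of successful and failed log-ins, flags sources that probed several ports and hosts that failed to log in repeatedly within a short window, and then correlates the two. Both log formats and every address, user name and timestamp are constructed for this illustration, not taken from any real product.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

# Constructed sample logs in a simple made-up format (not a real product's output).
FIREWALL_LOG = """\
2013-02-11 09:14:02 DROP src=198.51.100.7 dst=10.0.0.5 dport=22 proto=TCP
2013-02-11 09:14:03 DROP src=198.51.100.7 dst=10.0.0.5 dport=23 proto=TCP
2013-02-11 09:14:03 DROP src=198.51.100.7 dst=10.0.0.5 dport=445 proto=TCP
2013-02-11 09:14:04 DROP src=198.51.100.7 dst=10.0.0.5 dport=3389 proto=TCP
2013-02-11 09:20:15 ALLOW src=192.0.2.10 dst=10.0.0.8 dport=443 proto=TCP
2013-02-11 09:21:40 DROP src=203.0.113.9 dst=10.0.0.5 dport=80 proto=TCP
"""

DBMS_LOG = """\
2013-02-11 09:30:01 LOGIN FAILED user=sa host=198.51.100.7
2013-02-11 09:30:02 LOGIN FAILED user=sa host=198.51.100.7
2013-02-11 09:30:02 LOGIN FAILED user=admin host=198.51.100.7
2013-02-11 09:30:03 LOGIN FAILED user=root host=198.51.100.7
2013-02-11 09:30:04 LOGIN FAILED user=sa host=198.51.100.7
2013-02-11 09:30:09 LOGIN OK user=rgarg host=10.0.0.21
2013-02-11 09:31:00 LOGIN FAILED user=rgarg host=10.0.0.21
2013-02-11 09:31:05 LOGIN OK user=rgarg host=10.0.0.21
"""

FW_RE = re.compile(r"^(\S+ \S+) (DROP|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)")
DB_RE = re.compile(r"^(\S+ \S+) LOGIN (OK|FAILED) user=(\S+) host=(\S+)")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_firewall(text: str) -> Iterator[Tuple[datetime, str, str, str, int]]:
    """Yield (timestamp, action, src, dst, dport); malformed lines are skipped."""
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, dport = m.groups()
            yield datetime.strptime(ts, TS_FMT), action, src, dst, int(dport)


def parse_dbms(text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, result, user, host) for each well-formed login record."""
    for line in text.splitlines():
        m = DB_RE.match(line)
        if m:
            ts, result, user, host = m.groups()
            yield datetime.strptime(ts, TS_FMT), result, user, host


def port_scan_suspects(text: str, min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources whose dropped packets hit at least min_ports distinct ports."""
    ports = defaultdict(set)
    for _, action, src, _, dport in parse_firewall(text):
        if action == "DROP":
            ports[src].add(dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def failed_login_suspects(text: str, max_failures: int = 3,
                          window_seconds: int = 60) -> Dict[str, int]:
    """Hosts with more than max_failures failed logins inside one sliding window.

    Returns the failure count at the moment the threshold was first exceeded.
    """
    events = defaultdict(list)
    for ts, result, _, host in parse_dbms(text):
        if result == "FAILED":
            events[host].append(ts)
    suspects = {}
    for host, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_failures:
                suspects[host] = end - start + 1
                break
    return suspects


def correlate(fw_text: str, db_text: str) -> List[str]:
    """Addresses seen both probing the perimeter and failing database logins."""
    return sorted(set(port_scan_suspects(fw_text)) & set(failed_login_suspects(db_text)))


if __name__ == "__main__":
    print("port probes:", port_scan_suspects(FIREWALL_LOG))
    print("login failures:", failed_login_suspects(DBMS_LOG))
    print("seen in both logs:", correlate(FIREWALL_LOG, DBMS_LOG))
```

The single failed login from 10.0.0.21 followed by a success is the ordinary mistyped-password case and is not flagged; only the burst of failures within the window is, and cross-checking that host against the firewall's dropped-packet list is what separates a curious scan from a source that went on to attempt access.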
6. Organizations' Response to Incidents: Disaster Preparedness

No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems:
  • Locate infrastructure in a safe location
  • Identify mission-critical systems
  • Identify the resources needed to run those systems
  • Prepare remote backup facilities:
      • Hot sites provide remote processing centres run by commercial disaster-recovery services.
      • Cold sites provide office space, but customers themselves provide and install the equipment needed to continue operations.

7. Extent of Computer Crimes

Computer crimes are illegal acts committed through the use of a computer or against a computer system. Computer crimes are on the increase. Computer abuse consists of unethical acts that are not necessarily illegal.