The document discusses various threats to information systems and the need for controls to protect systems. It describes common threats like accidents, natural disasters, sabotage, theft, and unauthorized access. It then discusses different strategies for information security controls, including containment, deterrence, obfuscation, and recovery. It also outlines specific types of controls like physical, biometric, telecommunications, failure, and auditing controls. Finally, it discusses techniques for controlling information systems, such as security policies, passwords, encryption, procedures, user validation, and backup protocols.

1. Chapter 15 Managing information security

2. Topics The need for controls Control strategies Types of controls Techniques for controlling IS Threats related to Internet services

3. The need for controls Controls upon information systems are based upon two underlying principles: The need to ensure the accuracy of the data held by the organization The need to protect against loss or damage

4. The need for controls (Continued) The most common threats faced by organizational information systems can be placed into the following categories: Accidents Natural Disasters Sabotage (Industrial and Individual) Vandalism Theft Unauthorised Use (Hacking) Computer Viruses (to be discussed later)

5. The need for controls (Continued) Accidents – due to human error Ways in which human errors can occur include: Inaccurate data entry Attempts to carry out tasks beyond the ability of the employee Failure to comply with procedures for the use of the organizational information systems Failure to carry out backup procedures or verify data backups.

6. The need for controls (Continued) Natural disasters All information systems are susceptible to damage caused by natural phenomena such as storms, lightning strikes, floods and earthquakes. Sabotage With regard to information systems, sabotage may be deliberate or unintentional and carried out on an individual basis or as an act of industrial sabotage.

7. The need for controls (Continued) Vandalism Deliberate damage caused to hardware, software and data is considered a serious threat to information systems security. Theft As with vandalism, the loss of important hardware, software or data can have significant effects on an organization’s effectiveness. Theft can be divided into two basic categories: physical theft and data theft.

8. The need for controls (Continued) Physical theft involves the theft of hardware and software. Data theft involves stealing sensitive information or making unauthorized changes to computer records. Unauthorized use One of the most common security risks in relation to computerized information systems is the danger of unauthorized access to confidential data.

9. The need for controls (Continued) A hacker is a person who attempts to gain unauthorized access to a computer-based information system, usually via a telecommunications link. A cracker is a person who gains access to an information systems for malicious reasons.

10. The need for controls (Continued) Hackers can be considered to fall into one of three categories: Those who wish to demonstrate their computer skills by outwitting the designers of a particular system. Those who wish to gain some form of benefit *usually financial) by stealing, altering or deleting confidential information. Those who wish to cause malicious damage to an information system, perhaps as an act of revenge against a former employer.

11. Topics The need for controls Control strategies Types of controls Techniques for controlling IS Threats related to Internet services

12. Control strategies Strategies for reducing threats to information systems are discussed. There are four major approaches that can be taken to ensure the integrity of information systems. These are Containment Deterrence Obfuscation Recovery

13. Control strategies (Continued) Containment The strategy of containment attempts to control access to an information system. There are 3 approaches. Making potential targets as unattractive as possible. This could be done by creating the impression that the target IS contains data of little or no value. Creating an effective series of defences against potential threats . If the expense, time and effort required to gain access to the information system is grater than any benefits derived from gaining access, then intrusion becomes less likely.

14. Control strategies (Continued) 3. Removing the target information system from potential threats. Typical ways in which this might be achieved include distributing asses across a large geographical area, distributing important data across the entire organization or isolating important systems.

15. Control strategies (Continued) Deterrence A strategy based upon deterrence uses the threat of punishment to discourage potential intruders. The overall approach is one of anticipating and countering the motives of those most likely to threaten the security of the system. Constantly advertising and reinforcing the penalties for unauthorized access. Attempting to detect potential threats as early as possible, e.g. by monitoring patterns of IS usage and investigating all anomalies. Predicting likely areas of attack and then implementing appropriate defences or countermeasures.

16. Control strategies (Continued) Obfuscation concerns itself with hiding or distributing assets so that any damage caused can be limited. Monitoring all of the organization’s activities, not just those related to the use of its IS. Carrying out regular audits of data, hardware, software and security measures.

17. Control strategies (Continued) Recovery A strategy based upon recovery recognizes that, no matter how well defended, a breach in the security of an IS will eventually occur. Such a strategy is largely concerned with ensuring that the normal operation of the IS is restored as quickly as possible, with as little disruption to the organization as possible. In anticipating damage or loss, a great deal of emphasis is placed upon backup procedures and recovery measures. In large organizations, a backup site might be created, so that data processing can be switched to a secondary site immediately in the event of an emergency.

18. Topics The need for controls Control strategies Types of controls Techniques for controlling IS Threats related to Internet services

19. Types of controls There are five major categories of controls that can be applied to IS. These are: Physical protection Biometric controls Telecommunications controls Failure controls Auditing

20. Types of controls (Continued) Physical protection Involves the use of physical barriers intended to protect against theft and unauthorized access. Biometric controls These controls make use of the unique characteristics of individuals in order to restrict access to sensitive information or equipment. Scanners that check fingerprints, voice prints or even retinal patterns are examples of biometric controls.

21. Types of controls (Continued) Telecommunications controls These controls help to verify the identity of a particular user. Common types include passwords and user validation routines. Failure controls These controls attempt to limit or avoid damage caused by the failure of an information system. Typical examples include recovery procedures and regular backups of data.

22. Types of controls (Continued) Auditing Auditing involves taking stock of procedures, hardware, software and data at regular intervals. Audits can be carried out automatically with an appropriate program. Auditing software works by scanning the hard disk drives of any computers, terminals and servers attached to a network system.

23. Topics The need for controls Control strategies Types of controls Techniques for controlling IS Threats related to Internet services

24. Techniques for controlling IS Common techniques are: Formal security policies Passwords Encryption Organizational procedures governing the use of IS User validation techniques Backup procedures

25. Techniques for controlling IS 1. Formal security policy The simplest and most effective control is the formulation of a comprehensive policy on security. Once the policy has been formulated, it must be publicized in order for it to become effective. The support of management is essential in order to ensure that employees adhere to the guidelines contained within the policy.

26. Techniques for controlling IS 2. Passwords The password represents one of the most common forms of protection. Passwords provide a number of benefits. It provides a simple, inexpensive means of restricting access to equipment and sensitive data. Access to the system can be divided into levels by issuing different passwords to employees based on their positions and the work they carry out. The actions of an employee can be regulated and supervised by monitoring the use of their password. If a password is discovered or stolen by an external party, it should be possible to limit any damage arising as a result. The use of passwords can encourage employees to take some of the responsibility for the overall security of the system.

27. Techniques for controlling IS (Continued) 3. Encryption An addition layer of protection for sensitive data can be provided by making use of encryption techniques. Modern encryption methods rely upon the use of one or more keys. Without the correct key, any encrypted data is meaningless – and therefore of no value – to a potential thief.

28. Techniques for controlling IS (Continued) 4. Procedures Under normal circumstances, a set of procedures for the use of an IS will arise from the creation of a formal security policy. Such procedures describe in detail the correct operation of the system and responsibilities of users. The procedures should highlight issues related to security, should explain some of the reasoning behind them and should also describe the penalties for failing to comply with instructions.

29. Techniques for controlling IS (Continued) 5. User validation It involves checks made to ensure the user is permitted access to a system. It involves user names and passwords and can also include biometric techniques.

30. Techniques for controlling IS (Continued) 6. Backup procedures One of the most common methods of protecting valuable data is to use the “ grandfather, father, son ” technique. A rotating set of backup disks or tapes are used so that three different versions of the same data are held at any one time. Table 15.2 illustrates the operation of the “grandfather, father, son” method.

31. Table 15.2 The “grandfather, father, son” backup method Disk 2 Son Disk 1 Son Disk 3 Son Disk 1 Father Disk 3 Father Disk 2 Father Disk 3 Grandfather Disk 2 Grandfather Disk 1 Grandfather Day 3 Day 2 Day 1

32. Malware The term “malware” (Malicious software) is a generic term for software intended to gather confidential information from a computer system, or cause harm to valuable data. In general, malware can be broken down into a number of categories: Computer viruses Trojans and key loggers Spyware

33. Computer viruses A computer virus is a computer program that is capable of self-replication, allowing it to spread from one ‘infected’ machine to another. All viruses should be considered to be harmful. Even if a virus program does nothing more than reproduce itself, it may still cause system crashes and data loss.

34. Types of viruses (Continued) Two other kinds of programs are related to computer viruses: worms and Trojans. A worm is a small program that moves through a computer system randomly changing or overwriting pieces of data as it moves. A Trojan appears as a legitimate program in order to gain access to a computer system. Trojans are often used as delivery systems for computer viruses. They appeared to be a genuine good program but was actually delivering destructive computer virus.

35. Spyware Spyware represents a new type of threat for business and home users. Spyware describes a category of software designed to capture and record confidential information without a user’s knowledge or consent. Example: A software called key loggers record every key pressed by a user. This software can be used to collect passwords and other information such as the contents of documents and email messages over a period of time.

36. Spyware (Continued) Spyware is also produced and disseminated as adware (advertising-supported software). Adware describes a type of software that contains spyware intended to monitor a user’s online activities, usually so that advertising can be targeted more accurately. Adware monitor how people use their computers and the Internet. It collects information such as details of any websites visited, and reports back to a central server.

37. Topics The need for controls Control strategies Types of controls Techniques for controlling IS Threats related to Internet services

38. Threats related to Internet services Denial of service (DoS) This is a form of attack on company information systems that involves flooding the company’s Internet servers with huge amounts of traffic. Such attacks effectively halt all of the company’s Internet activities. Identity theft and brand abuse Identity theft involves using another person’s identity to carry out acts that range from sending libelous email to make fraudulent purchases.

39. Threats related to Internet services (Continued) Extortion Various approaches can be used to extort money from companies. Cybersquatting involves registering an Internet domain that a company or celebrity is likely to want to own. A more common form of extortion usually occurs after a security breach in which sensitive company information has been obtained. Often, the threat involves making the information available to competitors or the public unless payment is made.

40. Threats related to Internet services (Continued) Abuse of resources Organizations have always needed to ensure that employees do not take advantage of company resources for personal reasons. Whilst certain acts, such as sending the occasional personal emails, are tolerated by most companies, the increased availability of Internet access and email facilities increases the risk that such facilities may be abused.

41. Threats related to Internet services (Continued) Other risks Cyber-terrorism describes attacks made on information systems that are motivated by political or religious beliefs. Online stock fraud -- Most online stock fraud involves posting false information to the Internet in order to increase or decrease the values of stocks. Social engineering – This involves tricking people into providing information that can be used to gain access to a computer system. Phishing – A relatively new development, phishing involves attempting to gather confidential information through taking email message web websites.

42. Managing threats to Internet services Recently, a range of speciali z ed software applications have appeared that help individuals and companies maintain the security of their systems. Examples include: Firewalls . Firewalls act as a barrier between an information system and the Internet. The software attempts to monitor and control all incoming and outgoing traffic in an attempt to prevent outsiders gaining access to the information system. Firewall is a specialized software application mounted on a server at the point the company is connected to the Internet to prevent unauthorized access into the company from outsiders.

43. Managing threats to Internet services (Continued) Intrusion detection software . This type of software monitors activity on a network in order to identify intruders. Typically, the software will look for characteristic patterns of behaviour that might identify the fact that someone has gained access to the network. AI software . Many organi z ations have begun to develop applications that use artificial intelligence in order to detect intrusion attempts or unusual activity that might indicate a breach in security.