MIS Chapter 5

for students

Uploaded by

Michael Melak

CHAPTER FIVE

Information System Security


Outline
 Introduction
 Major Threats To Information System Security
 Factors Contributing To Threat
 Computer Crime
 Managing Information System Security

2
Chapter IV
Information System Security (overview)

Introduction
➢ Definition of IS Security
➢ Dimensions of IS Security
➢ Definition of IS Security Threats

Threats – IS Security

Factors Contributing to Threat
➢ Inadvertent act
➢ Deliberate SW attack
✓ Virus, Hacking, identity theft, cyber-harassment, war, crime
➢ Natural Disaster
➢ Technical Failure
➢ Management failure

Managing IS Security
➢ Goals
➢ Strategy
✓ Policy
✓ Authentication
✓ Access control
✓ Encryption
✓ Backup
✓ Firewall
✓ IDS
✓ Physical security
3

MAJOR THREATS TO INFORMATION SYSTEM SECURITY

4
Definition of Information System Security
 Security is defined as “the quality/state of being secured – to be secured from danger”
 Information security – practice of defending digital information from unauthorized:
➢ Access
➢ Use
➢ Recording
➢ Disruption
➢ Modification
➢ Destruction

5
Dimensions of Information Security
 Information is:
➢ stored on computer hardware
➢ manipulated by software
➢ transmitted by communication network
➢ used by people, etc.

 Multiple layers of security:
➢ Physical security: physical items/objects/areas
➢ Personal security: individuals/groups
➢ Operations security: series of activities
➢ Communication security: media, technology and content
➢ Information security: confidentiality, integrity and accessibility
6
Information Security Threats

 Security Threat: any action or interaction that could cause disclosure, alteration, loss, damage or unavailability of a company’s/individual’s assets

 Three components of threat:
➢ Target: organization’s assets that might be attacked (information, HW, SW, network service, etc.)
➢ Agent: people/organization originating the threat (intentional/non-intentional)
➢ Events: type of action that poses the threat

7

FACTORS CONTRIBUTING TO THREAT

8
Cont.
 INADVERTENT ACTS
➢ acts that happen by mistake
➢ not deliberate, with no malicious intent or ill will
➢ examples of inadvertent acts:
✓ Acts of human error and failure (inexperienced, poor training)
✓ Deviation from service quality
✓ Communication error

9
Cont.
 DELIBERATE SOFTWARE ATTACKS
➢ Deliberate action aimed to violate/compromise a system’s security through the use of software:
✓ Use of malware
✓ Password cracking
✓ DoS and DDoS
✓ Spoofing
✓ Sniffing

10
Cont.
 NATURAL DISASTER
➢ dangerous: unexpected, occurs with very little warning, and causes damage to information
 TECHNICAL FAILURE
➢ Two types:
✓ Technical hardware failure
✓ Technical software failure
 MANAGEMENT FAILURE
➢ Managers:
✓ Update and develop a proper plan for good protection of the information; be committed to upgrading
11
Computer Crime
 What is computer crime?
➢ Using a computer to commit an illegal act
✓ Targeting a computer while committing an offense
❖ Unauthorized access of a server to destroy data
➢ Using a computer to:
✓ commit an offense: to embezzle funds
✓ support criminal activity: illegal gambling

12
Cont.
 Who commits a crime?
➢ Current or former employees; insider threat
➢ People with technical knowledge who commit business or
information sabotage for personal gain

➢ Career criminals who use computers to assist in crimes


➢ Outside crackers — commit millions of intrusions per year

13
Types of Computer Crimes
 Identity Theft
 Hacking & Cracking
 Computer Viruses
 Cyber harassment, Cyberstalking, Cyberbullying
 Piracy

14
Hackers & Crackers
 Hackers
➢ Anyone who can gain unauthorized access to computers

➢ White hat hackers don’t intend to do harm

 Crackers
➢ Individuals who break into computer systems with the
intent to commit crime or do damage
➢ Also called black hat hackers

 Hacktivists:
➢ Crackers who are motivated by political or ideological
goals and who use cracking to promote their interests

15
Computer Viruses
 perverse software that causes malicious activity (spreads destructive program routines):
➢ hindering execution of other programs
➢ modification or complete destruction of data
✓ destroy the contents of memory, hard disks, and other storage devices
➢ sabotaging the operating system

 Types: Virus, Worms, Trojan Horses, Bombs

16
Cont.

 Reasons for perverse activity:
➢ For gaining publicity
➢ Revenge on company/person
➢ In-born natural desire to tease other people
➢ Act of a maniac

17
Spyware, Spam, and Cookies

 Spyware: software that monitors the computer use, such as the Web sites visited or even the keystrokes of the user

 Spam: Bulk unsolicited e-mail sent to millions of users at extremely low cost, typically seeking to sell a product, distribute malware, or conduct a phishing attack

 Cookies: A small file Web sites place on a user’s computer; can be legitimate (to capture items in a shopping cart) but can be abused (to track individuals’ browsing habits) and can contain sensitive information (like credit card numbers) and pose a security risk
18
Denial-of-Service (DoS)
 A denial-of-service attack seeks to overload servers, typically using a network of hacked computers that are controlled remotely, by sending too many requests or messages to the server for it to handle.

 When a server has too many requests to handle, it becomes overloaded and unable to serve the requests of legitimate users.

19
Sniffing
 use of a program or device that can monitor data traveling over a network

 Unauthorized sniffers – sniff/extract critical information; can’t be detected

20
Identity Theft
 Stealing Social Security, credit card, bank account numbers and information
➢ thieves even withdraw money directly from victims’ bank accounts
➢ organizations keep information about individuals in accessible databases

 One of the fastest growing information crimes

 Possible solutions
➢ Government and private sector working together to change practices
➢ Use of biometrics and encryption
21
Software Piracy
 Unauthorized copying of computer programs, which are intellectual property protected by copyright law.

 Using software that isn’t properly licensed and paid for, such as by purchasing one copy of a product and then using it on multiple computers.

 Huge profit loss for software publishers.

Region              Piracy Level   Dollar Loss (in US$ millions)
North America       19%            10,958
Western Europe      32%            13,749
Asia/Pacific        60%            20,998
Latin America       61%            7,459
Middle East/Africa  58%            4,159
Eastern Europe      62%            6,133
Worldwide           42%            63,456
22

Managing Information System Security

23
Goals of Information Security

 Availability:
➢ Ensuring that legitimate users can access the system

 Integrity
➢ Preventing unauthorized manipulations of data and systems

 Confidentiality
➢ Protecting data from unauthorized access

 Accountability
➢ Ensuring that actions can be traced

24
Developing IS Security Strategy
 Options for addressing information security risks

➢ Risk Reduction
✓ Actively installing countermeasures
➢ Risk Acceptance
✓ Accepting any losses that occur
➢ Risk Transference
✓ Have someone else absorb the risk (insurance, outsourcing)
➢ Risk Avoidance
✓ Using alternative means, avoiding risky tasks

25
Cont.
 A strategy is developed detailing the information security controls
 Types of Controls
➢ Preventive:
✓ stop a negative event from occurring, e.g. keeping intruders out
➢ Detective
✓ recognizing incidents when they happen, e.g. unauthorized access attempts
➢ Corrective
✓ mitigating the impact of an incident after it has occurred

 Principles of least permissions and least privileges

26
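A detective control in code, as an added example that is not part of the slides: it reads constructed authentication log lines (assumed SSH-style format, not from the deck) and flags a source that produces repeated failed logins within a short window, the kind of "unauthorized access attempt" an intrusion detection system is meant to recognize.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the slides): one burst of failures from
# 198.51.100.7, one legitimate login, and two slow, unrelated failures from 203.0.113.9.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:04 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:06 sshd: Failed password for root from 198.51.100.7
2024-03-01T09:00:09 sshd: Failed password for admin from 198.51.100.7
2024-03-01T09:00:11 sshd: Failed password for bob from 198.51.100.7
2024-03-01T09:05:30 sshd: Accepted password for carol from 203.0.113.5
2024-03-01T09:20:00 sshd: Failed password for dave from 203.0.113.9
2024-03-01T09:45:00 sshd: Failed password for dave from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_events(text):
    """Turn raw log lines into (timestamp, result, user, source) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Detective control: alert when one source logs `threshold` failed logins inside `window`.
    A sliding window per source means a slow trickle of failures does not trip the rule."""
    failures = defaultdict(list)   # source -> timestamps of recent failures
    alerts = []
    for ts, result, user, src in sorted(events):
        if result != "Failed":
            continue
        recent = [t for t in failures[src] if ts - t <= window]
        recent.append(ts)
        failures[src] = recent
        if len(recent) >= threshold:
            alerts.append({"source": src, "count": len(recent), "first": recent[0], "last": ts})
            failures[src] = []   # reset so one burst produces one alert
    return alerts

if __name__ == "__main__":
    for a in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {a['count']} failed logins from {a['source']} between {a['first']} and {a['last']}")
```

The threshold and window are the tuning knobs: too tight and normal typos alert, too loose and a patient attacker stays under the line, which is why the example keeps both as parameters.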
Cont.

 IS Security Mechanisms:
➢ Developing Information System Security Policy
➢ Use of authentication mechanism
➢ Access control
➢ Back-ups
➢ Firewalls
➢ Intrusion detection system
➢ Physical Security
27
IS Security Policy & Procedure

 Policies and procedures include:
➢ Information policy: handling, storage, transmission, and destroying
➢ Security policy: access limitations, audit-control software, firewalls, etc.
➢ Use policy: proper use
➢ Backup policy: requirements – critical data
➢ Account management policy: adding & removing users
➢ Incident handling procedures: list procedures to follow when handling a security breach
➢ Disaster recovery plan: restore computer operations in case of a natural or deliberate disaster

28
Authentication Mechanism

 Use of passwords: secret alphanumeric text used for authentication
➢ can be compromised if it is weak
 Use of keys or smart cards:
➢ can be easily stolen/lost
 Use of physical characteristics
➢ Biometric: identification via fingerprints, retinal patterns in the eye, facial features, or other bodily characteristics
29
Access Control
 Determines which users are authorized to read, write, modify, add or delete data after they have logged in (e.g. with a password)

 Only those granted such capabilities are allowed to perform those functions

30
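An added example (not from the slides) covering the Access Control slide above and the earlier "least permissions and least privileges" principle: a default-deny authorization check over the read/write/modify/add/delete operations, an audit log so each decision is traceable (the Accountability goal), and a helper that reports permissions a role holds beyond what its job needs. The role names, resources and policy are constructed assumptions.

```python
from dataclasses import dataclass, field

OPERATIONS = frozenset({"read", "write", "modify", "add", "delete"})

# Constructed sample policy (not from the slides): role -> resource -> granted operations.
# Anything not listed is denied, so a role holds only what the policy explicitly grants.
POLICY = {
    "clerk":   {"orders": {"read", "add"}},
    "manager": {"orders": {"read", "add", "modify"}, "reports": {"read", "write"}},
    "admin":   {"orders": set(OPERATIONS), "reports": set(OPERATIONS)},
}

@dataclass
class Session:
    user: str
    role: str
    authenticated: bool = False   # set only after the login/authentication step succeeds

@dataclass
class AccessController:
    policy: dict
    audit_log: list = field(default_factory=list)   # accountability: every decision is recorded

    def is_authorized(self, session, resource, operation):
        """Default deny: allow only a logged-in user whose role explicitly grants the operation."""
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation {operation!r}")
        granted = self.policy.get(session.role, {}).get(resource, set())
        allowed = session.authenticated and operation in granted
        self.audit_log.append((session.user, session.role, resource, operation,
                               "ALLOW" if allowed else "DENY"))
        return allowed

def excess_privileges(policy, required):
    """Least-privilege review: operations a role holds that its job (per `required`) does not need."""
    excess = {}
    for role, resources in policy.items():
        for resource, ops in resources.items():
            extra = set(ops) - set(required.get(role, {}).get(resource, set()))
            if extra:
                excess[(role, resource)] = extra
    return excess

if __name__ == "__main__":
    ac = AccessController(POLICY)
    print(ac.is_authorized(Session("alice", "clerk", True), "orders", "delete"))   # False
    print(excess_privileges(POLICY, {"manager": {"reports": {"read"}}}))
```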
Chapter V

Physical Security
 Locked doors

 Physical intrusion detection
➢ Security cameras

 Secured equipment – e.g. hard disc – locked

 Environmental monitoring
➢ monitoring temperature, humidity, airflow → for servers and other high value equipment

 Employee training – how to secure

31

Antivirus
 used to prevent, detect and remove malware

 It runs in the background at all times.

 It should be kept updated.

 It runs computer disk scans periodically.

 E.g. McAfee, Norton, Kaspersky.

32
Thank you !!!!

33
