SECURING INFORMATION SYSTEMS
ATHICHA SOOTHIPHAN 54104001-0
KHAJEEPAN CHAIWANG 54104002-8
NATTAWAN RANGKAEW 54107004-1
PATTADON KAEWINTRA 54103001-1
JAKKRIT PHUWASET 54104020-0
UGYEN DORJI 54103005-2
TSHERING YANGKI 54107017-3
PHUNTSHOK LHAMO 54104024-2
NIKESH MUDBHARY 54104011-9
ABHINAY SWAR 55104020-7
ITTIMA TANGSAHAMAITRI 54104019-2
BENJAPORN NANTAJAI 53104030-1
RAMITA PRODKHORNBURI 52107014-4
SYSTEM VULNERABILITY AND ABUSE
WHY SYSTEMS ARE VULNERABLE?
Accessibility of networks
Hardware problems
Software problems
Loss of portable devices
Use of networks outside of the firm's control
Disasters
Internet vulnerabilities
Wireless security challenges
INTERNET VULNERABILITIES
Network open to anyone
Enormously widespread impact
Creates fixed targets for hackers
Unencrypted VoIP (Voice over Internet Protocol)
Widespread use of e-mail, P2P (peer-to-peer) and IM (instant messaging)
WIRELESS SECURITY CHALLENGES
Radio frequency band easy to scan
SSIDs (Service Set Identifiers)
INTERNAL THREATS: EMPLOYEES
Security threats often originate inside an organization
Inside knowledge
Sloppy security procedures
Social engineering
MALWARE
Computer viruses
Worms
Trojan horses
SQL injection attacks
Spyware
HACKERS AND COMPUTER CRIME
Sniffer
Cyberterrorism and cyberwarfare
Click fraud
Pharming
Evil twins
Phishing
Identity theft
Computer crime
DDoS (distributed denial-of-service attacks)
DoS (denial-of-service attacks)
SOFTWARE VULNERABILITY
A weakness in software that could allow an attacker to compromise the integrity, availability, or confidentiality of that software.
HIDDEN BUG
A hidden bug, or defect in program code, is a mistake in the program's code that can allow a hacker to compromise the software.
Cause of hidden bugs: made by accident
PATCHES
Software that fixes a hidden bug (usually created after an exploit has already happened)
Created by the software developer
BUSINESS VALUE OF SECURITY AND CONTROL
LEGAL AND REGULATORY REQUIREMENTS FOR ELECTRONIC RECORDS MANAGEMENT AND PRIVACY PROTECTION
HIPAA: Medical security and privacy rules and procedures
Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security and confidentiality of customer data
Sarbanes-Oxley Act: Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
ELECTRONIC EVIDENCE
Evidence for white-collar crimes is often in digital form
Proper control of data can save time and money when responding to a legal discovery request
COMPUTER FORENSICS
The scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law.
Includes recovery of ambient and hidden data
ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROLS
Protection of information resources requires a well-designed set of controls. Computer systems are controlled by a combination of general controls and application controls. General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization’s information technology infrastructure.
Types of Information Systems Controls
GENERAL CONTROLS
General controls include software controls, physical hardware controls, computer operations controls, data security controls, controls over the systems implementation process, and administrative controls.
APPLICATION CONTROLS
Application controls include both automated and manual procedures that ensure that only authorized data are completely and accurately processed by that application. Application controls can be classified as (1) input controls, (2) processing controls, and (3) output controls.
ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL
SECURITY POLICY
Acceptable use policy (AUP)
Authorization policies
RISK ASSESSMENT
EXPOSURE        PROBABILITY   LOSS RANGE (AVG)        EXPECTED ANNUAL LOSS
Power failure   30%           $5K–$200K ($102,500)    $30,750
Embezzlement    5%            $1K–$50K ($25,500)      $1,275
User error      98%           $200–$40K ($20,100)     $19,698
Exposure: type of threat
Probability: probability of occurrence during the year
Loss range (avg): potential losses, value of threat
Expected annual loss
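The expected annual loss in the table above is the probability of occurrence during the year multiplied by the average loss, with the average taken as the midpoint of the loss range; that rule reproduces all three figures on the slide. The following Python is an added example, not code from the original slides; the names Exposure, parse_loss_range, rank_by_expected_loss and total_expected_loss are chosen here.

```python
# Added example (not from the original slides): reproduce the RISK ASSESSMENT
# table. Average loss = midpoint of the loss range (the "(AVG)" column);
# expected annual loss (EAL) = probability of occurrence in the year x average loss.
import re
from dataclasses import dataclass

def parse_loss_range(text: str) -> tuple[int, int]:
    """Parse a slide-style range such as "$5K–$200K" or "$200–$40K" into dollars."""
    def dollars(token: str) -> int:
        token = token.strip().lstrip("$").replace(",", "")
        multiplier = 1000 if token[-1] in "Kk" else 1
        return int(float(token.rstrip("Kk")) * multiplier)
    low, high = re.split(r"\s*[–-]\s*", text, maxsplit=1)
    return dollars(low), dollars(high)

@dataclass(frozen=True)
class Exposure:
    name: str
    probability: float  # chance the threat occurs during the year, 0..1
    loss_low: int       # lower end of the loss range, in dollars
    loss_high: int      # upper end of the loss range, in dollars

    @property
    def average_loss(self) -> float:
        return (self.loss_low + self.loss_high) / 2

    @property
    def expected_annual_loss(self) -> float:
        return self.probability * self.average_loss

# Rows copied from the slide's table (constructed as Python literals).
ROWS = [
    ("Power failure", "30%", "$5K–$200K"),
    ("Embezzlement", "5%", "$1K–$50K"),
    ("User error", "98%", "$200–$40K"),
]
TABLE = [Exposure(name, float(p.rstrip("%")) / 100, *parse_loss_range(r))
         for name, p, r in ROWS]

def rank_by_expected_loss(exposures: list[Exposure]) -> list[tuple[str, int]]:
    """(name, EAL in whole dollars), largest first: the order in which the
    exposures deserve control spending."""
    ranked = [(e.name, round(e.expected_annual_loss)) for e in exposures]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)

def total_expected_loss(exposures: list[Exposure]) -> int:
    """Sum of the EALs: the yearly loss to expect across all listed exposures."""
    return round(sum(e.expected_annual_loss for e in exposures))
```

Ranking the exposures this way puts power failure first even though user error is far more likely, which is the point of weighting probability by loss.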
IDENTITY MANAGEMENT
IDENTITY MANAGEMENT SYSTEM
Identifies and authorizes different categories of users
Specifies which portion of the system users can access
Authenticates users and protects identities
Captures access rules for different levels of users
Disaster Recovery Planning
Business Continuity Planning
Identify the firm's most critical systems
Determine the impact of an outage
Determine which systems are restored first
MIS Audit
Identifies all the controls that govern individual information systems and assesses their effectiveness.
TECHNOLOGIES & TOOLS FOR PROTECTING INFORMATION RESOURCES
Identity Management Software
Authentication
Firewalls, Intrusion Detection System, Antivirus and Antispyware
Unified Threat Management System
Ensuring System Availability
Fault-Tolerant Computer System
High-Availability computing
Deep packet inspection (DPI)
Recovery-oriented computing
Managed security service provider
Encryption
Ciphertext
DIGITAL CERTIFICATE
Public key infrastructure (PKI)
Security Issues
Securing wireless networks
Security in the cloud
Securing mobile platforms