INFORMATION SECURITY
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
It is the process of ensuring that business systems and information assets are protected, secure and available.
WHY IT IS IMPORTANT
Information security achieves important business objectives by protecting:
- Information assets
- Mission-critical applications and systems
- Productivity: daily activities and operations
- The privacy of individuals and their confidential information
- The legal position of the organization, by complying with laws and contracts
With the migration toward an Internet-based world, it becomes more critical to protect Internet-based applications: web applications, e-commerce, Voice over IP (VoIP), etc.
Figure: the security properties (integrity, availability) applied to communications and to information.
A key aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for it. Not all information is equal, so not all information requires the same degree of protection.
Figure (reconstructed from the slide): threats at different points of a networked system.
Threats to communications: 1. Tapping 2. Sniffing 3. Message alteration 4. Theft & fraud
Threats at the access point: 1. Unauthorized access 2. Errors
Threats to servers: 1. Hacking 2. Viruses 3. Theft & fraud 4. Vandalism 5. Denial of service attacks
Threats to databases: 1. Theft of data 2. Copying data 3. Alteration of data 4. Hardware failure 5. Software failure
TYPES OF VULNERABILITIES
- Internet vulnerabilities
- Wireless security challenges
- Malicious software: viruses, worms, Trojan horses and spyware
- Hackers (intruders)
- Computer crime and cyber terrorism
- Internal threats: employees
- Software vulnerabilities
HACKER MOTIVATIONS
- Attack the "Evil Empire" (Microsoft)
- Display of dominance
- Showing off, revenge
- Misdirected creativity
- Embezzlement, greed
- Who knows what evil lurks in the hearts of men?
THREATS: MALWARE
Malware is malicious software deliberately created and specifically designed to damage, disrupt or destroy network services, computer data and software. There are several types.
MALWARE TYPES
Viruses: conceal themselves, infect computer systems by attaching to a host program or file, replicate themselves, and deliver a payload.
Worms: programs that are capable of independently propagating throughout a computer network, with no host program and no user action required. They replicate fast and consume large amounts of the host computer's memory and of network bandwidth.
Trojan horses: programs that contain hidden functionality that can harm the host computer and the data it contains. Trojan horses do not replicate on their own; computer users inadvertently set them off by running what looks like legitimate software.
Software bombs: time bombs are triggered by a specific time or date; logic bombs are triggered by a specific event. Both are planted some time in advance, lie dormant, and damage the host system when the trigger fires.
SECURITY AND CONTROL
- Security and control have become a critical, although perhaps unappreciated, area of information systems investment.
- The longer computer systems are down, the more serious the consequences for the firm.
- Computers hold very valuable information assets that must be protected.
Types of information systems controls: general controls; application controls (input controls, processing controls, output controls).
Related topics: risk assessment, security policy, ensuring business continuity, security outsourcing.
FIREWALLS
A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. It is placed between the organization's private internal networks and untrusted external networks such as the Internet, and it permits or blocks each connection according to a set of policy rules.
Figure: a firewall sitting between the Internet and the internal network (database servers), enforcing its policy rules on traffic in both directions.
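To make the "policy rules" concrete, here is an added example (not from the original slides or any product) of a minimal stateless packet filter: rules are evaluated top to bottom, the first match decides, and traffic that matches nothing is denied. The addresses, the INTERNAL range and the DMZ_WEB host are assumptions chosen for the illustration.

```python
"""Tiny stateless packet-filter model: first matching rule wins, default deny.
Added illustration of firewall policy rules; not a real product's code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # CIDR, or "any"
    dst: str                # CIDR, or "any"
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return (self._net_ok(self.src, p.src)
                and self._net_ok(self.dst, p.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

    @staticmethod
    def _net_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec)


INTERNAL = "10.0.0.0/8"        # assumed private address range
DMZ_WEB = "192.0.2.10/32"      # hypothetical public web server (TEST-NET-1 address)

# Order matters: a broad "allow" placed above a narrow "deny" would silently override it.
POLICY = [
    Rule("deny",  "any",    "any",    "any", 23),     # never allow telnet anywhere
    Rule("allow", "any",    DMZ_WEB,  "tcp", 443),    # public HTTPS to the web server only
    Rule("allow", INTERNAL, "any",    "tcp", None),   # internal hosts may initiate TCP outbound
    Rule("deny",  "any",    INTERNAL, "any", None),   # nothing from outside reaches internal hosts
]


def evaluate(policy, packet: Packet, default: str = "deny"):
    """Return (action, index of the deciding rule); index is None when the default applies."""
    for i, rule in enumerate(policy):
        if rule.matches(packet):
            return rule.action, i
    return default, None


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", "192.0.2.10", "tcp", 443),
                Packet("203.0.113.5", "192.0.2.10", "udp", 53),
                Packet("203.0.113.5", "10.1.2.3", "tcp", 22)):
        print(pkt, "->", evaluate(POLICY, pkt))
```

The last packet in the demo shows why a default-deny posture matters: an external UDP probe to the web server matches no rule at all, and without the default it would have been forwarded.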
Intrusion Detection Systems
Full-time monitoring tools placed at the most vulnerable points, or "hot spots", of corporate networks to detect and deter intruders continually. The system generates an alarm if it finds a suspicious or anomalous event. It can also be customized to shut down a particularly sensitive part of a network if it receives unauthorized traffic; a system that blocks traffic rather than only alerting is usually called an intrusion prevention system, and a badly tuned rule there can cut off legitimate users as well as attackers.
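As an added example of the alarm-generating logic described above (not code from the original slides or from any IDS product), the following host-side detector parses constructed sshd-style log lines and raises an alert when one source address fails to log in five times within a minute, and a second, higher-priority alert if that same address then succeeds. The log format, threshold and window are assumptions for the illustration.

```python
"""Threshold-based login-failure detector over sample log lines.
Added illustration of IDS alerting; the log lines below are constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an sshd-like format (not captured from a real host).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for invalid user admin from 198.51.100.23
2024-03-01T10:00:02 sshd: Failed password for root from 198.51.100.23
2024-03-01T10:00:03 sshd: Failed password for root from 198.51.100.23
2024-03-01T10:00:04 sshd: Failed password for root from 198.51.100.23
2024-03-01T10:00:05 sshd: Failed password for root from 198.51.100.23
2024-03-01T10:00:06 sshd: Accepted password for root from 198.51.100.23
2024-03-01T10:07:00 sshd: Failed password for alice from 10.0.0.5
2024-03-01T10:15:00 sshd: Accepted publickey for alice from 10.0.0.5
2024-03-01T10:20:00 sshd: Failed password for bob from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Turn raw lines into (timestamp, result, user, ip); lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect(events, threshold=5, window=timedelta(minutes=1)):
    """Rule 1: >= threshold failures from one IP inside a sliding window -> BRUTE_FORCE.
    Rule 2: a later success from an IP that already tripped rule 1 -> SUCCESS_AFTER_BRUTE_FORCE."""
    alerts = []
    recent_failures = defaultdict(list)   # ip -> failure timestamps still inside the window
    flagged = set()
    for ts, result, user, ip in events:
        if result == "Failed":
            recent_failures[ip] = [t for t in recent_failures[ip] if ts - t <= window] + [ts]
            if len(recent_failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip, ts.isoformat()))
        elif result == "Accepted" and ip in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print("ALERT", *alert)
```

The sliding window is what keeps the single failed attempts from alice and bob from ever accumulating into an alarm; raising the threshold or widening the window is the usual tuning knob when a detector of this kind is too noisy.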
Antivirus Software
Antivirus software is designed to check computer systems and drives for the presence of computer viruses and other malware, and it can remove a detected virus from the infected area. However, most antivirus software relies on signatures, so it is effective only against malware already known when the signature database was built. To remain effective, the antivirus software and its signatures must be continually updated.
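The limitation just described is easy to see in code. The following added example (not from the original slides or from any antivirus product) scans constructed byte strings against a signature database: the shipped database holds only an exact hash of the sample that was known at build time, so a variant with a few changed bytes goes undetected until an updated database adds a byte-pattern signature for the family. The "files", hashes and signature names are all assumptions for the illustration.

```python
"""Signature-based scanner: exact-hash signatures miss variants, updates fix that.
Added illustration; the 'files' below are constructed byte strings, not real malware."""
import hashlib

# Constructed samples: the known malicious file, a lightly modified variant, and a clean file.
KNOWN_MALWARE = b"MZ\x90\x00...payload:DROP_SHELL:0xdeadbeef"
VARIANT = b"MZ\x90\x00...payload:DROP_SHELL:0xfeedface"       # only the trailing bytes differ
CLEAN_FILE = b"MZ\x90\x00...hello from a harmless program"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Database as shipped: one exact-hash signature for the one sample analysts had seen.
SIGNATURES_V1 = {
    "hashes": {sha256(KNOWN_MALWARE): "Trojan.Example.A"},
    "patterns": {},
}

# Updated database: same hash, plus a byte pattern shared by the whole family.
SIGNATURES_V2 = {
    "hashes": dict(SIGNATURES_V1["hashes"]),
    "patterns": {"Trojan.Example.gen": b"payload:DROP_SHELL:"},
}


def scan(data: bytes, sigdb) -> "str | None":
    """Return the signature name that matched, or None if the file looks clean."""
    h = sha256(data)
    if h in sigdb["hashes"]:                       # cheapest check first: exact file hash
        return sigdb["hashes"][h]
    for name, pattern in sigdb["patterns"].items():  # then substring signatures
        if pattern in data:
            return name
    return None


def scan_all(files, sigdb):
    """Scan a mapping of name -> bytes and report name -> verdict."""
    return {name: scan(data, sigdb) for name, data in files.items()}


if __name__ == "__main__":
    files = {"known": KNOWN_MALWARE, "variant": VARIANT, "clean": CLEAN_FILE}
    print("v1:", scan_all(files, SIGNATURES_V1))
    print("v2:", scan_all(files, SIGNATURES_V2))
```

Real scanners add heuristics and behavioural monitoring on top of this, but the dependency on an up-to-date signature set is the same: the v1 database is not wrong, it is simply out of date the moment a variant appears.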
PUBLIC KEY ENCRYPTION
Figure: the sender encrypts the message with the recipient's public key, producing a scrambled message; the recipient decrypts it with the matching private key. The public key can be shared openly, and only the holder of the private key can recover the message.
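To show the two key roles from the figure in running code, here is an added example (not from the original slides) using textbook RSA with tiny fixed primes and per-byte encryption. It is deliberately insecure and only demonstrates that whatever is encrypted with the public key can be reversed only with the private key of the same pair; the primes, exponent and message are assumptions for the illustration, and real systems use a vetted library with large keys and padding.

```python
"""Toy textbook RSA to illustrate public-key encrypt / private-key decrypt.
Added example; insecure on purpose (tiny primes, no padding, one byte per block)."""


def keygen(p: int, q: int, e: int = 17):
    """Build a key pair from two primes (assumed: the caller supplies real primes)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)        # public key, private key


def encrypt(msg: bytes, pub):
    """Sender side: scramble each byte with the recipient's PUBLIC key."""
    n, e = pub
    return [pow(b, e, n) for b in msg]


def decrypt(cipher, priv) -> bytes:
    """Recipient side: recover each byte with the PRIVATE key."""
    n, d = priv
    plain = [pow(c, d, n) for c in cipher]
    if any(b > 255 for b in plain):
        raise ValueError("decryption did not yield bytes: wrong private key?")
    return bytes(plain)


def demo():
    """Returns (round trip with the right key succeeded, round trip with a wrong key succeeded)."""
    recipient_pub, recipient_priv = keygen(61, 53)   # classic textbook primes, n = 3233
    other_pub, other_priv = keygen(67, 71)           # an unrelated key pair
    message = b"attack at dawn"

    scrambled = encrypt(message, recipient_pub)      # sender needs only the public key
    right_key_ok = decrypt(scrambled, recipient_priv) == message
    try:
        wrong_key_ok = decrypt(scrambled, other_priv) == message
    except ValueError:
        wrong_key_ok = False
    return right_key_ok, wrong_key_ok


if __name__ == "__main__":
    print("right key recovers message, wrong key recovers message:", demo())
```

Because each byte is encrypted independently, identical plaintext bytes give identical ciphertext blocks, which is one of several reasons textbook RSA must never be used as-is; the point of the block is only the asymmetry of the two keys.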
DISASTER RECOVERY
a) Natural disasters: tsunami, earthquakes, fires, floods
b) Man-made disasters: criminal and terrorist acts
Objectives of controls: maintaining security in web-based transactions (privacy, authentication, integrity); motivating efficient and effective operation; auditing information systems.
TYPES OF CONTROLS
Administrative: corporate security policy, password policy, hiring policy and disciplinary policy
Logical: passwords, network- and host-based firewalls, network intrusion detection systems, access control lists
Physical: doors, locks, heating, fencing, security guards, air conditioning, smoke and fire alarms, fire suppression systems, cameras, etc.
AUDIT PROCESS
1. Audit planning and preparation
2. Establishing audit objectives
3. Performing the review: data centre personnel, equipment, policies and procedures, physical security and environmental controls, backup procedures