SlideShare ist ein Scribd-Unternehmen logo

Chapter 8 securing information systems MIS

Als DOCX, PDF herunterladen
Amirul Shafiq Ahmad Zuperi
Amirul Shafiq Ahmad Zuperi

MIS

Bildung
1 von 7
DDC3013/3473 TOPIK 5 HSH Page 1 CHAPTER 8 : SECURING INFORMATION SYSTEMS 8.1 SYSTEM VULNERABILITYAND ABUSE Security-refers to the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. Controls are methods, policies, an organizational procedures that ensure the safety of the organization'sassets;the accuracyand reliability of itsrecords;andoperational adherence to management standards. 8.1.1 Why Systems Are Vulnerable  Whenlarge amountof data are storedin electronic form, they are vulnerable to many more kinds of threats than when they exists in manual form.  Most common threats against contemporary information systems are from technical, organizational, and environmental factors compounded by poor management decisions. 8.1.1.1 Internet Vulnerabilities  Large publicnetworks,suchasinternetare more vulnerable thaninternal networks because they are virtually open to anyone.  Vulnerability also increased from widespread use of e-mail, instant messaging (IM), and peer-to-peer file-sharing programs. 8.1.2 MaliciousSoftware: Viruses,Worms,Trojan Horses and Spyware  Malicioussoftware programsare referred to as malware and include a variety of threats, such as computer viruses, worms and Trojan Horses. a) A computer virus is a rogue software program that attaches itself to other software programs or files in order to be executed, usually without user knowledge or permission. b) Worms are independentcomputerprogramsthatcopythemselvesfromone computer to other computers over a network. Worms destroy data and programsas well asdisruptor evenhaltthe operationof computernetworks. c) Trojan Horse is a software program that appears to be benign but then do something other than expected. d) SQL injection attacks are the largest malware threat. SQL injection attacks take advantage of vulnerabilities in poorly coded Web application software to introduce malicious program code into a company’s systems and networks.
DDC3013/3473 TOPIK 5 HSH Page 2 e) Spyware install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising.  Keyloggers record every keystroke made on a computer steal serial numbersforsoftware,tolaunchInternetattacks, to gain access to e- mail accounts, to obtain passwords to protected computer systems, or to pick up personal information such as credit card numbers. 8.1.3 Hackers and Computer Crime  A hackers is an individual who intends to gain unauthorized access to a computer system.  Cracker – hacker with criminal intent.  Hackers and crackers gain unauthorized access by finding weaknesses in the security protectionsemployedbyWebsitesandcomputersystems,oftentakingadvantage of various features of the internet that make it an open system that is easy to use.  Cybevandalism-hackeractivitieshave broadenedbeyondmere systeminstruction to include theft of goods and information, as well as system damage and cybervandalism, the intentional disruption, defacement, or web destruction of a Web site or corporate information system. a) Spoofing and Sniffing o Spoofing involve redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination. o A snifferisatype of eavesdroppingprogramthatmonitorsinformation traveling over a network. Sniffers enable hackers to steal proprietary information from anywhere on a network, including e-mail messages, company files, and confidential reports. b) Denial-of-service (DoS) Attacks  In a denial-of-service attack, hackers flood a network server or Web Server with many thousands of false communications or requests for services to crash the networks. The network receives so many queries that it cannot keep up with them and is thus unavailable to service legitimate requests. c) Computer Crime  U.S Departmentof Justice define computer crime as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution”.  The most economically damaging kinds of computer crime are DoS attacks, introducing viruses, theft of services, and disruption of computer systems.
DDC3013/3473 TOPIK 5 HSH Page 3 d) Identity Theft  With the growth of the Internet and electronic commerce, identity theft has become especially troubling. Identity theft is a crime in which an imposter obtains key pieces of personal information, such as social security numbers, to impersonate someone else.  The information may be used to obtain credit, merchandise, or services in the name of the victim or to provide the thief with false credentials.  Phishing- involves setting up fake Web sites or sending e-mail or text messages that looklike those of legitimate businessestoaskusersforconfidentialpersonal data. The message instructrecipientsto update or confirm records by providing social securitynumbers,bankandcreditcard information,andotherconfidential data eitherbyrespondingtothe e-mail message,byenteringthe information at a bogus Web site, or by calling a telephone number.  Newphishingtechniquescalledeviltwinsandpharmingare hardertodetect.Evil twinsare wirelessnetworksthatpretendto offer trustworthy Wi-Fi connections to the Internet, such as those in airport lounges, hotels, or coffee shops.  Pharming redirects users to a bogus web page, even when the individual types the correct Web page address into his or her browser. e) Click Fraud  Clickfraudoccurs whenan individual orcomputerprogramfraudulentlyclicks on an online ad without any intention of learning more about the advertiser or makingpurchase.Clickfraudhasbecome a serious problem at Google and other Web sites that feature pay-per-click online advertising. f) Global Threats: Cyberterrorism and Cyberwarfare  The vulnerabilitiesof the internetor other networks make digital networks easy to targets for digital attacks by terrorists, foreign intelligence service, or other groups seeking to create widespread disruption and harm. 8.1.4 Internal Threats : Employees  Employeeshave accesstoprivileged information, and in the presence of sloppy internal security procedures, they are often able to roam throughout an organization’s systems without leaving a trace. 8.1.5 Software Vulnerability  A majorproblemwith software is the presence of hidden bugs or program code defects.
DDC3013/3473 TOPIK 5 HSH Page 4 8.2 BUSINESS VALUE OFSECURITYAND CONTROL  Companies have very valuable information assets to protect. Systems often house confidentialinformationaboutindividual’staxes,financial assets, medical records, and job performance reviews. They also can contain information on corporate operations, including trade secrets, new product development plans, and marketing strategies.  Governmentsystemsmaystore informationonweaponssystems, intelligence operations, and military targets.  These informationassetshave tremendousvalue,andthe repercussionscanbe devastating if theyare lost, destroyed, or placed in the wrong hands. Inadequate security and control may result in serious legal liability. 8.2.1 Legal And Regulatory Requirements For Electronic Records Management a. HIPAA (Health Insurance Portability and Accounting Act).  HIPAA of 1996, outlines medical security and privacy rules and procedures for simplifying the administration of health care billing and automating the transfer of health care data between health care providers, payers, and plans. It requires members of the health care industry to retain patient information for six years and ensure the confidentiality of those records.  Those whobreach the medical privacyanddisclosure patient records will be providing with penalties. b. Gamm-Leach_Bliley Act  Also known as Financial Services Modernization Act of 1999.  For firm providing financial services.  This act requires financial institutions to ensure the security and confidentiality of customer data. c. Sarbanes-Oxley Act  For those who work in publicity traded company.  Also known as the Public Company Accounting Reform and Investor Protection Act of 2002.  This act was designed to protect investors after the financial scandals at Enron, WorldCom, and other public companies.  It imposesresponsibility on companies and their management to safeguard the accuracy andintegrityof financial informationthat is used internally and releases externally.
DDC3013/3473 TOPIK 5 HSH Page 5 8.2.2 Electronic Evidence And Computer Forensics  Legal cases today increasing rely on evidence represented as digital data stored on portable floppydisks,CDs,andcomputerharddiskdrives,aswell asine-mail,instant messages, and e-commerce transactions over the internet.  Email is currently the most common type of electronic evidence.  Computer Forensics is the scientific collection, examination, authentication, preservation,andanalysisof dataheldonor retrievedfromcomputerstorage media in such a way that the information can be used as evidence in a court of law. 8.3 ESTABLISHINGAFRAMEWORK FOR SECURITYANDCONTROL A firmneedtoknowwhere the companyisat riskand what controls they must have in place to protecttheir information systems. They must also need to develop a security policy and plans for keeping their business running if their information systems aren’t operating. 8.3.1 Information Systems Controls  Information systems controls are both manual and automated and consists of both general controls and application controls.  General controls govern the design security and use of computer programs and the securityof data filesingeneral throughoutthe organization’sinformationtechnology infrastructure. It consist of a combination of hardware, software, and manual procedures that create an overall environment.  Application controls are specific controls unique to each computerized application, such as payroll ororder processing.Applicationcontrolscanbe classified as (1) input controls, (2) processing controls, and (3) output controls. 8.3.2 Risk Assessment A riskassessmentdeterminesthe levelof riskothe firm if a specific activity or process is not properlycontrolled. Notall riskscanbe anticipatedandmeasured,but most businesses will be able to acquire some understanding of the risks they face. 8.3.3 SecurityPolicy  A security policy consists of statements ranking information risks, identifying acceptable securitygoals,andidentifyingthe mechanisms for achieving these goals.  The security policy drives policies determining acceptable use of the firm’s information resources and which members of the company have access to its information assets.  An acceptable use policy (AUP) defines acceptable uses of the firm’s information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet. The policy should clarify company policyregardingprivacy,userresponsibility, andpersonal use of companyequipment and networks.
DDC3013/3473 TOPIK 5 HSH Page 6  Security policy also includes provisions for identity management. Identity management consists of business processes and software tools for identifying the valid users of a system and controlling their access to system resources. 8.3.4 Disaster recovery planning and business continuity planning  Disaster recovery planning devices plans for the restoration of computing and communicationsservicesaftertheyhave beendisrupted. It is focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems o disaster recovery.  For example, MasterCard maintains a duplicate computer centre in Kansas City, Missouri, to serve as an emergency backup to its primary computer centre in St. Louis.  Business continuity planning focuses on how the company can restore business operations after the disaster strikes. 8.3.5 The Role of auditing  An MIS audit examines the firm’s overall security environment as well as controls governing individual information systems. 8.4 TECHNOLOGIES AND TOOLS FOR PROTECTING ONFORMATION RESOURCES 8.4.1 Identity Management and Authentications  Identitymanagementsoftwareautomatesthe processof keeping track of all these users and their system privileges, assigning each user a unique digital identity for accessing each system. It also includes tools for authenticating users, protecting user identities, and controlling access to system resources.  Authentication refers to the ability to know that a person is who he or she claims to be. Authenticationisoftenestablished by using passwords known only to authorized users. An enduseruses password to log on to a computer system and may also use passwords for accessing specific systems and files. However, users often forget passwords, share them, or choose poor passwords that are easy to guess, which compromises security.  New authentication technologies, such as tokens, smart cards, and biometric authentication, overcome some of these problems. a) A tokenisa physical device,similartoan identificationcardthat isdesigned to prove the identity of a single user. Tokens are small gadgets hat typically fit on key rings and display passcodes that change frequently.
DDC3013/3473 TOPIK 5 HSH Page 7 b) A smart card isa device aboutthe size of a credit card that contains a chip formatted with access permission and other data. c) Biometricauthenticationusessystemsthatreadadinterpretindividualhumantraits, such as fingerprints,irises, and voices, in order to grant or deny access. It compares a person’s unique characteristics, such as the fingerprints, face, or retinal image, againsta storedprofile of these characteristics to determine whether there are any differences between these characteristics and the stored profile. 8.4.2 Firewalls, Intrusion Detection Systems, and Antivirus Software a. Firewall  Firewallspreventunauthorizedusersfromaccessingprivatenetworks. A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. It is generally placed between the organization’s private internal networks and distrusted external networks, such as the Internet.  The firewall actslike gate keeperwhoexamineseachuser’scredentialsbefore access isgrantedto a network. The firewallidentifiesnames,IPaddresses,applications,and other characteristics of incoming traffic. b. Intrusion Detection Systems  Intrusion detection systems feature full-time monitoring tools placed at the most vulnerablypointsor“hotspots” of corporate networksto detect and deter intruders continually.  The systems generates an alarm if it finds a suspicious or anomalous event. c. Antivirus and Antispyware Software  Antivirus software is designed to check computer systems and drives for the presence of computer viruses. Often the software eliminates the virus from the infected area.

Empfohlen

Chapter 5 MIS
Chapter 5 MISChapter 5 MIS
Chapter 5 MIS
Amirul Shafiq Ahmad Zuperi
 
MIS-CH08: Securing Information Systems
MIS-CH08: Securing Information SystemsMIS-CH08: Securing Information Systems
MIS-CH08: Securing Information Systems
Sukanya Ben
 
MIS-CH10: e-Commerce: Digital Markets, Digital Goods
MIS-CH10: e-Commerce: Digital Markets, Digital GoodsMIS-CH10: e-Commerce: Digital Markets, Digital Goods
MIS-CH10: e-Commerce: Digital Markets, Digital Goods
Sukanya Ben
 
MIS-CH15: Managing Global Systems
MIS-CH15: Managing Global SystemsMIS-CH15: Managing Global Systems
MIS-CH15: Managing Global Systems
Sukanya Ben
 
MIS-CH02: Global e-Business and Collaboration
MIS-CH02: Global e-Business and CollaborationMIS-CH02: Global e-Business and Collaboration
MIS-CH02: Global e-Business and Collaboration
Sukanya Ben
 
Chap13 Security and Ethical Challenges
Chap13 Security and Ethical ChallengesChap13 Security and Ethical Challenges
Chap13 Security and Ethical Challenges
Aqib Syed
 
Chapter 6 MIS
Chapter 6 MISChapter 6 MIS
Chapter 6 MIS
Amirul Shafiq Ahmad Zuperi
 
MIS-CH6: Foundation of BUsiness Intelligence: Databases & IS
MIS-CH6: Foundation of BUsiness Intelligence: Databases & ISMIS-CH6: Foundation of BUsiness Intelligence: Databases & IS
MIS-CH6: Foundation of BUsiness Intelligence: Databases & IS
Sukanya Ben
 

Empfohlen

Chapter 5 MIS
Chapter 5 MISChapter 5 MIS
Chapter 5 MIS
Amirul Shafiq Ahmad Zuperi
 
MIS-CH08: Securing Information Systems
MIS-CH08: Securing Information SystemsMIS-CH08: Securing Information Systems
MIS-CH08: Securing Information Systems
Sukanya Ben
 
MIS-CH10: e-Commerce: Digital Markets, Digital Goods
MIS-CH10: e-Commerce: Digital Markets, Digital GoodsMIS-CH10: e-Commerce: Digital Markets, Digital Goods
MIS-CH10: e-Commerce: Digital Markets, Digital Goods
Sukanya Ben
 
MIS-CH15: Managing Global Systems
MIS-CH15: Managing Global SystemsMIS-CH15: Managing Global Systems
MIS-CH15: Managing Global Systems
Sukanya Ben
 
MIS-CH02: Global e-Business and Collaboration
MIS-CH02: Global e-Business and CollaborationMIS-CH02: Global e-Business and Collaboration
MIS-CH02: Global e-Business and Collaboration
Sukanya Ben
 
Chap13 Security and Ethical Challenges
Chap13 Security and Ethical ChallengesChap13 Security and Ethical Challenges
Chap13 Security and Ethical Challenges
Aqib Syed
 
Chapter 6 MIS
Chapter 6 MISChapter 6 MIS
Chapter 6 MIS
Amirul Shafiq Ahmad Zuperi
 
MIS-CH6: Foundation of BUsiness Intelligence: Databases & IS
MIS-CH6: Foundation of BUsiness Intelligence: Databases & ISMIS-CH6: Foundation of BUsiness Intelligence: Databases & IS
MIS-CH6: Foundation of BUsiness Intelligence: Databases & IS
Sukanya Ben
 
MIS-CH05: IT Infrastructure and Emerging Technologies
MIS-CH05: IT Infrastructure and Emerging TechnologiesMIS-CH05: IT Infrastructure and Emerging Technologies
MIS-CH05: IT Infrastructure and Emerging Technologies
Sukanya Ben
 
Chapter 8 securing information systems
Chapter 8 securing information systemsChapter 8 securing information systems
Chapter 8 securing information systems
Van Chau
 
MIS-CH04: Ethical and Social Issues in INformation Systems
MIS-CH04: Ethical and Social Issues in INformation SystemsMIS-CH04: Ethical and Social Issues in INformation Systems
MIS-CH04: Ethical and Social Issues in INformation Systems
Sukanya Ben
 
MIS-CH9: Achieving Operational Excellence and Customer Intimacy
MIS-CH9: Achieving Operational Excellence and Customer IntimacyMIS-CH9: Achieving Operational Excellence and Customer Intimacy
MIS-CH9: Achieving Operational Excellence and Customer Intimacy
Sukanya Ben
 
MIS Chapter 3
MIS Chapter 3MIS Chapter 3
MIS Chapter 3
Dr. Muath Asmar
 
Securing information systems
Securing information systemsSecuring information systems
Securing information systems
Prof. Othman Alsalloum
 
Chapter 3 MIS
Chapter 3 MISChapter 3 MIS
Chapter 3 MIS
Amirul Shafiq Ahmad Zuperi
 
MIS-CH01: IS in Business Today
MIS-CH01: IS in Business TodayMIS-CH01: IS in Business Today
MIS-CH01: IS in Business Today
Sukanya Ben
 
Information Systems in Global Business Today
Information Systems in Global Business TodayInformation Systems in Global Business Today
Information Systems in Global Business Today
tvto1381
 
The Moral Dimensions of Information Systems
The Moral Dimensions of Information SystemsThe Moral Dimensions of Information Systems
The Moral Dimensions of Information Systems
Albrecht Jones
 
Laudon mis14 ch01
Laudon mis14 ch01Laudon mis14 ch01
Laudon mis14 ch01
Rizwanah Parwin
 
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
Biswajit Bhattacharjee
 
Social and Ethical Issues in Information System
Social and Ethical Issues in Information SystemSocial and Ethical Issues in Information System
Social and Ethical Issues in Information System
university of education,Lahore
 
Information system ethics
Information system ethicsInformation system ethics
Information system ethics
Kriscila Yumul
 
lecture 1 information systems and business strategy
lecture 1 information systems and business strategylecture 1 information systems and business strategy
lecture 1 information systems and business strategy
Norazila Mat
 
MIS-CH11: Managing Knowledge
MIS-CH11: Managing KnowledgeMIS-CH11: Managing Knowledge
MIS-CH11: Managing Knowledge
Sukanya Ben
 
MIS-CH12: Enhancing Decision Making
MIS-CH12: Enhancing Decision MakingMIS-CH12: Enhancing Decision Making
MIS-CH12: Enhancing Decision Making
Sukanya Ben
 
Laudon Ch10
Laudon Ch10Laudon Ch10
Laudon Ch10
Riju Nair
 
Chapter 12 enhancing decision making
Chapter 12 enhancing decision makingChapter 12 enhancing decision making
Chapter 12 enhancing decision making
Van Chau
 
Chapter 9 MIS
Chapter 9 MISChapter 9 MIS
Chapter 9 MIS
Amirul Shafiq Ahmad Zuperi
 
Management information system
Management information systemManagement information system
Management information system
Praveenkumar Aivalli
 
Management information system (MIS)
Management information system (MIS)Management information system (MIS)
Management information system (MIS)
Pawel Gautam
 

Weitere ähnliche Inhalte

Was ist angesagt?

The Moral Dimensions of Information Systems
The Moral Dimensions of Information SystemsThe Moral Dimensions of Information Systems
The Moral Dimensions of Information Systems
Albrecht Jones
 
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
Biswajit Bhattacharjee
 
lecture 1 information systems and business strategy
lecture 1 information systems and business strategylecture 1 information systems and business strategy
lecture 1 information systems and business strategy
Norazila Mat
 

Was ist angesagt? (20)

MIS-CH05: IT Infrastructure and Emerging Technologies
MIS-CH05: IT Infrastructure and Emerging TechnologiesMIS-CH05: IT Infrastructure and Emerging Technologies
MIS-CH05: IT Infrastructure and Emerging Technologies
 
Chapter 8 securing information systems
Chapter 8 securing information systemsChapter 8 securing information systems
Chapter 8 securing information systems
 
MIS-CH04: Ethical and Social Issues in INformation Systems
MIS-CH04: Ethical and Social Issues in INformation SystemsMIS-CH04: Ethical and Social Issues in INformation Systems
MIS-CH04: Ethical and Social Issues in INformation Systems
 
MIS-CH9: Achieving Operational Excellence and Customer Intimacy
MIS-CH9: Achieving Operational Excellence and Customer IntimacyMIS-CH9: Achieving Operational Excellence and Customer Intimacy
MIS-CH9: Achieving Operational Excellence and Customer Intimacy
 
MIS Chapter 3
MIS Chapter 3MIS Chapter 3
MIS Chapter 3
 
Securing information systems
Securing information systemsSecuring information systems
Securing information systems
 
Chapter 3 MIS
Chapter 3 MISChapter 3 MIS
Chapter 3 MIS
 
MIS-CH01: IS in Business Today
MIS-CH01: IS in Business TodayMIS-CH01: IS in Business Today
MIS-CH01: IS in Business Today
 
Information Systems in Global Business Today
Information Systems in Global Business TodayInformation Systems in Global Business Today
Information Systems in Global Business Today
 
The Moral Dimensions of Information Systems
The Moral Dimensions of Information SystemsThe Moral Dimensions of Information Systems
The Moral Dimensions of Information Systems
 
Laudon mis14 ch01
Laudon mis14 ch01Laudon mis14 ch01
Laudon mis14 ch01
 
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
 
Social and Ethical Issues in Information System
Social and Ethical Issues in Information SystemSocial and Ethical Issues in Information System
Social and Ethical Issues in Information System
 
Information system ethics
Information system ethicsInformation system ethics
Information system ethics
 
lecture 1 information systems and business strategy
lecture 1 information systems and business strategylecture 1 information systems and business strategy
lecture 1 information systems and business strategy
 
MIS-CH11: Managing Knowledge
MIS-CH11: Managing KnowledgeMIS-CH11: Managing Knowledge
MIS-CH11: Managing Knowledge
 
MIS-CH12: Enhancing Decision Making
MIS-CH12: Enhancing Decision MakingMIS-CH12: Enhancing Decision Making
MIS-CH12: Enhancing Decision Making
 
Laudon Ch10
Laudon Ch10Laudon Ch10
Laudon Ch10
 
Chapter 12 enhancing decision making
Chapter 12 enhancing decision makingChapter 12 enhancing decision making
Chapter 12 enhancing decision making
 
Chapter 9 MIS
Chapter 9 MISChapter 9 MIS
Chapter 9 MIS
 

Andere mochten auch

Andere mochten auch (8)

Management information system
Management information systemManagement information system
Management information system
 
Management information system (MIS)
Management information system (MIS)Management information system (MIS)
Management information system (MIS)
 
Management Information System
Management Information SystemManagement Information System
Management Information System
 
Management information system
Management information system Management information system
Management information system
 
Management Information System
Management Information SystemManagement Information System
Management Information System
 
MIS Chapter 1
MIS Chapter 1MIS Chapter 1
MIS Chapter 1
 
Management Information System (Full Notes)
Management Information System (Full Notes)Management Information System (Full Notes)
Management Information System (Full Notes)
 
Management information system
Management information systemManagement information system
Management information system
 

Ähnlich wie Chapter 8 securing information systems MIS

Data Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisData Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network Analysis
IJERD Editor
 
Mis security system threads
Mis security system threadsMis security system threads
Mis security system threads
Leena Reddy
 
Information Security
Information SecurityInformation Security
Information Security
steffiann88
 

Ähnlich wie Chapter 8 securing information systems MIS (20)

Task 3
Task 3Task 3
Task 3
 
American Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsAmerican Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standards
 
C018131821
C018131821C018131821
C018131821
 
Data Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisData Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network Analysis
 
Computer-Security.pptx
Computer-Security.pptxComputer-Security.pptx
Computer-Security.pptx
 
Mis security system threads
Mis security system threadsMis security system threads
Mis security system threads
 
Shailendra Pandey.ppt
Shailendra Pandey.pptShailendra Pandey.ppt
Shailendra Pandey.ppt
 
Managing System Security
Managing System SecurityManaging System Security
Managing System Security
 
Information Security
Information SecurityInformation Security
Information Security
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage Devices
 
Cyber security
Cyber securityCyber security
Cyber security
 
Top 5 Cybersecurity Threats in Retail Industry
Top 5 Cybersecurity Threats in Retail IndustryTop 5 Cybersecurity Threats in Retail Industry
Top 5 Cybersecurity Threats in Retail Industry
 
Axxera End Point Security Protection
Axxera End Point Security ProtectionAxxera End Point Security Protection
Axxera End Point Security Protection
 
Information security
Information securityInformation security
Information security
 
Cybercrime
CybercrimeCybercrime
Cybercrime
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
unit-1-is1.pptx
unit-1-is1.pptxunit-1-is1.pptx
unit-1-is1.pptx
 
E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Sci...
E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Sci...E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Sci...
E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Sci...
 
Shailendra Pandey.ppt
Shailendra Pandey.pptShailendra Pandey.ppt
Shailendra Pandey.ppt
 
E-COMMERCE SECURITY, FRAUD ISSUES AND PROTECTIONS
E-COMMERCE SECURITY, FRAUD ISSUES AND PROTECTIONSE-COMMERCE SECURITY, FRAUD ISSUES AND PROTECTIONS
E-COMMERCE SECURITY, FRAUD ISSUES AND PROTECTIONS
 

Mehr von Amirul Shafiq Ahmad Zuperi

Institusi islam - Perbezaan Ekonomi Islam dan Barat
Institusi islam - Perbezaan Ekonomi Islam dan BaratInstitusi islam - Perbezaan Ekonomi Islam dan Barat
Institusi islam - Perbezaan Ekonomi Islam dan Barat
Amirul Shafiq Ahmad Zuperi
 

Mehr von Amirul Shafiq Ahmad Zuperi (20)

Chapter 15 managing global systems MIS
Chapter 15 managing global systems MISChapter 15 managing global systems MIS
Chapter 15 managing global systems MIS
 
Chapter 14 managing projects MIS
Chapter 14 managing projects MISChapter 14 managing projects MIS
Chapter 14 managing projects MIS
 
Chapter 13 building information system MIS
Chapter 13 building information system MISChapter 13 building information system MIS
Chapter 13 building information system MIS
 
Chapter 11 managing knowledge MIS
Chapter 11 managing knowledge MISChapter 11 managing knowledge MIS
Chapter 11 managing knowledge MIS
 
Chapter 9 achieving operation excellenct MIS
Chapter 9 achieving operation excellenct MISChapter 9 achieving operation excellenct MIS
Chapter 9 achieving operation excellenct MIS
 
Chapter 3 organization and information systems MIS
Chapter 3 organization and information systems MISChapter 3 organization and information systems MIS
Chapter 3 organization and information systems MIS
 
Chapter 2 global e business and collaboration MIS
Chapter 2 global e business and collaboration MISChapter 2 global e business and collaboration MIS
Chapter 2 global e business and collaboration MIS
 
Chapter 1 sistem maklumat dalam dunia global MIS
Chapter 1 sistem maklumat dalam dunia global MISChapter 1 sistem maklumat dalam dunia global MIS
Chapter 1 sistem maklumat dalam dunia global MIS
 
Project MIS
Project MISProject MIS
Project MIS
 
Chapter 11 MIS
Chapter 11 MISChapter 11 MIS
Chapter 11 MIS
 
Chapter 10 MIS
Chapter 10 MISChapter 10 MIS
Chapter 10 MIS
 
Chapter 7 MIS
Chapter 7 MISChapter 7 MIS
Chapter 7 MIS
 
Chapter 4 MIS
Chapter 4 MISChapter 4 MIS
Chapter 4 MIS
 
Chapter 2 MIS
Chapter 2 MISChapter 2 MIS
Chapter 2 MIS
 
Chapter 1 MIS
Chapter 1 MISChapter 1 MIS
Chapter 1 MIS
 
Silibus MIS
Silibus MISSilibus MIS
Silibus MIS
 
Krja kursus
Krja kursusKrja kursus
Krja kursus
 
Institusi islam - Perbezaan Ekonomi Islam dan Barat
Institusi islam - Perbezaan Ekonomi Islam dan BaratInstitusi islam - Perbezaan Ekonomi Islam dan Barat
Institusi islam - Perbezaan Ekonomi Islam dan Barat
 
Skrip in bi Its All About Money
Skrip in bi Its All About MoneySkrip in bi Its All About Money
Skrip in bi Its All About Money
 
Skrip Drama Pendek Its All About Money
Skrip Drama Pendek Its All About MoneySkrip Drama Pendek Its All About Money
Skrip Drama Pendek Its All About Money
 

Kürzlich hochgeladen

Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 

Kürzlich hochgeladen (20)

Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptx
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & Systems
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Tatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsTatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf arts
 

Chapter 8 securing information systems MIS

  • 1. DDC3013/3473 TOPIK 5 HSH Page 1 CHAPTER 8 : SECURING INFORMATION SYSTEMS 8.1 SYSTEM VULNERABILITYAND ABUSE Security-refers to the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. Controls are methods, policies, an organizational procedures that ensure the safety of the organization'sassets;the accuracyand reliability of itsrecords;andoperational adherence to management standards. 8.1.1 Why Systems Are Vulnerable  Whenlarge amountof data are storedin electronic form, they are vulnerable to many more kinds of threats than when they exists in manual form.  Most common threats against contemporary information systems are from technical, organizational, and environmental factors compounded by poor management decisions. 8.1.1.1 Internet Vulnerabilities  Large publicnetworks,suchasinternetare more vulnerable thaninternal networks because they are virtually open to anyone.  Vulnerability also increased from widespread use of e-mail, instant messaging (IM), and peer-to-peer file-sharing programs. 8.1.2 MaliciousSoftware: Viruses,Worms,Trojan Horses and Spyware  Malicioussoftware programsare referred to as malware and include a variety of threats, such as computer viruses, worms and Trojan Horses. a) A computer virus is a rogue software program that attaches itself to other software programs or files in order to be executed, usually without user knowledge or permission. b) Worms are independentcomputerprogramsthatcopythemselvesfromone computer to other computers over a network. Worms destroy data and programsas well asdisruptor evenhaltthe operationof computernetworks. c) Trojan Horse is a software program that appears to be benign but then do something other than expected. d) SQL injection attacks are the largest malware threat. SQL injection attacks take advantage of vulnerabilities in poorly coded Web application software to introduce malicious program code into a company’s systems and networks.
  • 2. DDC3013/3473 TOPIK 5 HSH Page 2 e) Spyware install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising.  Keyloggers record every keystroke made on a computer steal serial numbersforsoftware,tolaunchInternetattacks, to gain access to e- mail accounts, to obtain passwords to protected computer systems, or to pick up personal information such as credit card numbers. 8.1.3 Hackers and Computer Crime  A hackers is an individual who intends to gain unauthorized access to a computer system.  Cracker – hacker with criminal intent.  Hackers and crackers gain unauthorized access by finding weaknesses in the security protectionsemployedbyWebsitesandcomputersystems,oftentakingadvantage of various features of the internet that make it an open system that is easy to use.  Cybevandalism-hackeractivitieshave broadenedbeyondmere systeminstruction to include theft of goods and information, as well as system damage and cybervandalism, the intentional disruption, defacement, or web destruction of a Web site or corporate information system. a) Spoofing and Sniffing o Spoofing involve redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination. o A snifferisatype of eavesdroppingprogramthatmonitorsinformation traveling over a network. Sniffers enable hackers to steal proprietary information from anywhere on a network, including e-mail messages, company files, and confidential reports. b) Denial-of-service (DoS) Attacks  In a denial-of-service attack, hackers flood a network server or Web Server with many thousands of false communications or requests for services to crash the networks. The network receives so many queries that it cannot keep up with them and is thus unavailable to service legitimate requests. c) Computer Crime  U.S Departmentof Justice define computer crime as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution”.  The most economically damaging kinds of computer crime are DoS attacks, introducing viruses, theft of services, and disruption of computer systems.
  • 3. DDC3013/3473 TOPIK 5 HSH Page 3 d) Identity Theft  With the growth of the Internet and electronic commerce, identity theft has become especially troubling. Identity theft is a crime in which an imposter obtains key pieces of personal information, such as social security numbers, to impersonate someone else.  The information may be used to obtain credit, merchandise, or services in the name of the victim or to provide the thief with false credentials.  Phishing- involves setting up fake Web sites or sending e-mail or text messages that looklike those of legitimate businessestoaskusersforconfidentialpersonal data. The message instructrecipientsto update or confirm records by providing social securitynumbers,bankandcreditcard information,andotherconfidential data eitherbyrespondingtothe e-mail message,byenteringthe information at a bogus Web site, or by calling a telephone number.  Newphishingtechniquescalledeviltwinsandpharmingare hardertodetect.Evil twinsare wirelessnetworksthatpretendto offer trustworthy Wi-Fi connections to the Internet, such as those in airport lounges, hotels, or coffee shops.  Pharming redirects users to a bogus web page, even when the individual types the correct Web page address into his or her browser. e) Click Fraud  Clickfraudoccurs whenan individual orcomputerprogramfraudulentlyclicks on an online ad without any intention of learning more about the advertiser or makingpurchase.Clickfraudhasbecome a serious problem at Google and other Web sites that feature pay-per-click online advertising. f) Global Threats: Cyberterrorism and Cyberwarfare  The vulnerabilitiesof the internetor other networks make digital networks easy to targets for digital attacks by terrorists, foreign intelligence service, or other groups seeking to create widespread disruption and harm. 8.1.4 Internal Threats : Employees  Employeeshave accesstoprivileged information, and in the presence of sloppy internal security procedures, they are often able to roam throughout an organization’s systems without leaving a trace. 8.1.5 Software Vulnerability  A majorproblemwith software is the presence of hidden bugs or program code defects.
  • 4. DDC3013/3473 TOPIK 5 HSH Page 4 8.2 BUSINESS VALUE OFSECURITYAND CONTROL  Companies have very valuable information assets to protect. Systems often house confidentialinformationaboutindividual’staxes,financial assets, medical records, and job performance reviews. They also can contain information on corporate operations, including trade secrets, new product development plans, and marketing strategies.  Governmentsystemsmaystore informationonweaponssystems, intelligence operations, and military targets.  These informationassetshave tremendousvalue,andthe repercussionscanbe devastating if theyare lost, destroyed, or placed in the wrong hands. Inadequate security and control may result in serious legal liability. 8.2.1 Legal And Regulatory Requirements For Electronic Records Management a. HIPAA (Health Insurance Portability and Accounting Act).  HIPAA of 1996, outlines medical security and privacy rules and procedures for simplifying the administration of health care billing and automating the transfer of health care data between health care providers, payers, and plans. It requires members of the health care industry to retain patient information for six years and ensure the confidentiality of those records.  Those whobreach the medical privacyanddisclosure patient records will be providing with penalties. b. Gamm-Leach_Bliley Act  Also known as Financial Services Modernization Act of 1999.  For firm providing financial services.  This act requires financial institutions to ensure the security and confidentiality of customer data. c. Sarbanes-Oxley Act  For those who work in publicity traded company.  Also known as the Public Company Accounting Reform and Investor Protection Act of 2002.  This act was designed to protect investors after the financial scandals at Enron, WorldCom, and other public companies.  It imposesresponsibility on companies and their management to safeguard the accuracy andintegrityof financial informationthat is used internally and releases externally.
  • 5. DDC3013/3473 TOPIK 5 HSH Page 5 8.2.2 Electronic Evidence And Computer Forensics  Legal cases today increasing rely on evidence represented as digital data stored on portable floppydisks,CDs,andcomputerharddiskdrives,aswell asine-mail,instant messages, and e-commerce transactions over the internet.  Email is currently the most common type of electronic evidence.  Computer Forensics is the scientific collection, examination, authentication, preservation,andanalysisof dataheldonor retrievedfromcomputerstorage media in such a way that the information can be used as evidence in a court of law. 8.3 ESTABLISHINGAFRAMEWORK FOR SECURITYANDCONTROL A firmneedtoknowwhere the companyisat riskand what controls they must have in place to protecttheir information systems. They must also need to develop a security policy and plans for keeping their business running if their information systems aren’t operating. 8.3.1 Information Systems Controls  Information systems controls are both manual and automated and consists of both general controls and application controls.  General controls govern the design security and use of computer programs and the securityof data filesingeneral throughoutthe organization’sinformationtechnology infrastructure. It consist of a combination of hardware, software, and manual procedures that create an overall environment.  Application controls are specific controls unique to each computerized application, such as payroll ororder processing.Applicationcontrolscanbe classified as (1) input controls, (2) processing controls, and (3) output controls. 8.3.2 Risk Assessment A riskassessmentdeterminesthe levelof riskothe firm if a specific activity or process is not properlycontrolled. Notall riskscanbe anticipatedandmeasured,but most businesses will be able to acquire some understanding of the risks they face. 8.3.3 SecurityPolicy  A security policy consists of statements ranking information risks, identifying acceptable securitygoals,andidentifyingthe mechanisms for achieving these goals.  The security policy drives policies determining acceptable use of the firm’s information resources and which members of the company have access to its information assets.  An acceptable use policy (AUP) defines acceptable uses of the firm’s information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet. The policy should clarify company policyregardingprivacy,userresponsibility, andpersonal use of companyequipment and networks.
  • 6. DDC3013/3473 TOPIK 5 HSH Page 6  Security policy also includes provisions for identity management. Identity management consists of business processes and software tools for identifying the valid users of a system and controlling their access to system resources. 8.3.4 Disaster recovery planning and business continuity planning  Disaster recovery planning devices plans for the restoration of computing and communicationsservicesaftertheyhave beendisrupted. It is focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems o disaster recovery.  For example, MasterCard maintains a duplicate computer centre in Kansas City, Missouri, to serve as an emergency backup to its primary computer centre in St. Louis.  Business continuity planning focuses on how the company can restore business operations after the disaster strikes. 8.3.5 The Role of auditing  An MIS audit examines the firm’s overall security environment as well as controls governing individual information systems. 8.4 TECHNOLOGIES AND TOOLS FOR PROTECTING ONFORMATION RESOURCES 8.4.1 Identity Management and Authentications  Identitymanagementsoftwareautomatesthe processof keeping track of all these users and their system privileges, assigning each user a unique digital identity for accessing each system. It also includes tools for authenticating users, protecting user identities, and controlling access to system resources.  Authentication refers to the ability to know that a person is who he or she claims to be. Authenticationisoftenestablished by using passwords known only to authorized users. An enduseruses password to log on to a computer system and may also use passwords for accessing specific systems and files. However, users often forget passwords, share them, or choose poor passwords that are easy to guess, which compromises security.  New authentication technologies, such as tokens, smart cards, and biometric authentication, overcome some of these problems. a) A tokenisa physical device,similartoan identificationcardthat isdesigned to prove the identity of a single user. Tokens are small gadgets hat typically fit on key rings and display passcodes that change frequently.
  • 7. DDC3013/3473 TOPIK 5 HSH Page 7 b) A smart card isa device aboutthe size of a credit card that contains a chip formatted with access permission and other data. c) Biometricauthenticationusessystemsthatreadadinterpretindividualhumantraits, such as fingerprints,irises, and voices, in order to grant or deny access. It compares a person’s unique characteristics, such as the fingerprints, face, or retinal image, againsta storedprofile of these characteristics to determine whether there are any differences between these characteristics and the stored profile. 8.4.2 Firewalls, Intrusion Detection Systems, and Antivirus Software a. Firewall  Firewallspreventunauthorizedusersfromaccessingprivatenetworks. A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. It is generally placed between the organization’s private internal networks and distrusted external networks, such as the Internet.  The firewall actslike gate keeperwhoexamineseachuser’scredentialsbefore access isgrantedto a network. The firewallidentifiesnames,IPaddresses,applications,and other characteristics of incoming traffic. b. Intrusion Detection Systems  Intrusion detection systems feature full-time monitoring tools placed at the most vulnerablypointsor“hotspots” of corporate networksto detect and deter intruders continually.  The systems generates an alarm if it finds a suspicious or anomalous event. c. Antivirus and Antispyware Software  Antivirus software is designed to check computer systems and drives for the presence of computer viruses. Often the software eliminates the virus from the infected area.