Information Systems Security

System vulnerability & abuse

Why systems are vulnerable Hackers & viruses Concerns for builders & users System quality problems

Threats to information systems

Hardware failure, Fire Software failure, Electrical problems Personnel actions, User errors Access penetration, program changes Theft of data, services, equipment Telecommunications problems
3

Why systems are vulnerable

System complexity Computerized procedures not always read or audited Extensive effect of disaster Unauthorized access possible

VULNERABILITIES
RADIATION: Allows recorders, bugs to tap system CROSSTALK: Can garble data HARDWARE: Improper connections, failure of protection circuits SOFTWARE: Failure of protection features, access control, bounds control FILES: Subject to theft, copying, unauthorized access
5

VULNERABILITIES
USER: Identification, authentication, subtle software modification PROGRAMMER: Disables protective features; reveals protective measures MAINTENANCE STAFF: Disables hardware devices; uses stand-alone utilities OPERATOR: Doesnt notify supervisor, reveals protective 6 measures

HACKERS & COMPUTER VIRUSES HACKER:

Person gains access to computer for profit, criminal mischief, personal pleasure

COMPUTER VIRUS:
Rogue program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memory

Common computer viruses

Concept, Melissa: Word documents, e-mail. Deletes files Form: Makes clicking sound, corrupts data Explore.exe: Attached to e-mail, tries to e-mail to others, destroys files Monkey: Windows wont run Chernobyl: Erases hard drive, ROM bios JUNKIE:
Infects files, boot sector, memory conflicts
8

Antivirus software
Software to detect Eliminate viruses Advanced versions run in memory to protect processing, guard against viruses on disks, and on incoming network files

Concerns for builders & users

Disaster Breach of security Errors

10

Disaster
Loss of hardware, software, data by fire, power failure, flood or other calamity Fault-tolerant computer systems:
Backup systems to prevent system failure
(particularly on-line transaction processing)

11

SECURITY Policies, procedures, technical measures to prevent

Unauthorized access, alteration, theft, physical damage to information systems

12

WHERE ERRORS OCCUR

DATA PREPARATION TRANSMISSION CONVERSION FORM COMPLETION ON-LINE DATA ENTRY KEYPUNCHING; SCANNING; OTHER INPUTS
13

WHERE ERRORS OCCUR

Validation Processing / file maintenance Output Transmission Distribution

14

System quality problems

Software & data Bugs:
Program code defects or errors

Maintenance:
Modifying a system in production use; can take up to 50% of analysts time

Data quality problems:

Finding, correcting errors; costly; tedious
15

CREATING A CONTROL ENVIRONMENT

Controls:
Methods, policies, procedures to protect assets; accuracy & reliability of records; adherence to management standards

General controls Application controls

16

General controls
Implementation:
Audit system development to assure proper control, management

Software:
Ensure security, reliability of software

Physical hardware:
Ensure physical security, performance of computer hardware
17

General controls
Computer operations:
Ensure procedures consistently, correctly applied to data storage, processing

Data security:
Ensure data disks, tapes protected from wrongful access, change, destruction

Administrative:
Ensure controls properly executed, enforced
Segregation of functions:
Divide responsibility from tasks

18

APPLICATION CONTROLS
INPUT PROCESSING OUTPUT

19

Input controls
Input authorization:
Record, monitor source documents

Data conversion:
Transcribe data properly from one form to another

Batch control totals:

Count transactions prior to and after processing

Edit checks:
Verify input data, correct errors
20

Processing controls
Establish that data is complete, accurate during processing RUN CONTROL TOTALS: Generate control totals before & after processing COMPUTER MATCHING: Match input data to master files

21

Output controls
Establish that results are accurate, complete, properly distributed Balance input, processing, output totals Review processing logs Ensure only authorized recipients get results

22

SECURITY AND THE INTERNET

ENCRYPTION:
Coding & scrambling messages to deny unauthorized access

AUTHENTICATION: Ability to identify another party

MESSAGE INTEGRITY DIGITAL SIGNATURE DIGITAL CERTIFICATE

23

SECURITY AND THE INTERNET

PUBLIC KEY ENCRYPTION

SENDER

SCRAMBLED MESSAGE

RECIPIENT

Encrypt with public key

Decrypt with private key

24

Security and the Internet

DIGITAL WALLET Software stores credit card, electronic cash, owner ID, address for e-commerce transactions SECURE ELECTRONIC TRANSACTION Standard for securing credit card transactions on internet

25

ELECTRONIC PAYMENT SYSTEMS

CREDIT CARD-SET
Protocol for payment security

ELECTRONIC CASH
Digital currency

ELECTRONIC CHECK
Encrypted digital signature

SMART CARD
Chip stores e-cash

ELECTRONIC BILL PAYMENT

Electronic funds transfer
26

DEVELOPING A CONTROL STRUCTURE

COSTS
Can be expensive to build; complicated to use

BENEFITS
Reduces expensive errors, loss of time, resources, good will

RISK ASSESSMENT
Determine frequency of occurrence of problem, cost, damage if it were to occur

27

MIS AUDIT
IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS

SOFTWARE METRICS:
Objective measurements to assess system

TESTING:
Early, regular controlled efforts to detect, reduce errors WALKTHROUGH DEBUGGING

DATA QUALITY AUDIT:

Survey samples of files for accuracy, completeness
28

Auditing Information Systems

These audits review and evaluate whether proper and adequate information system controls, procedural controls, facility controls and other managerial controls have been developed and implemented There are following two basic approaches for auditing information systems: - Auditing around the computer - Auditing through the computer
29

Ways of protecting digital firms

Online transaction processing:
Transactions entered online are immediately processed by computer

Fault-tolerant computer systems:

Contain extra hardware, software, and power supply components to provide continuous uninterrupted service

30

Contd.
High-availability computing:
Tools and technologies enabling system to recover quickly from a crash

Disaster recovery plan:

Runs business in event of computer outage

Load balancing:
Distributes large number of requests for access among multiple servers

31

Contd.
Mirroring:
Duplicating all processes and transactions of server on backup server to prevent any interruption in service

Clustering:
Linking two computers together so that a second computer can act as a backup to the primary computer or speed up processing

32

Security while using Internet

Firewalls Prevent unauthorized users from accessing private networks Two types: proxies and stateful inspection Intrusion Detection System Monitors vulnerable points in network to detect and deter unauthorized intruders

33

34

Security aspects related to e-commerce

Encryption:
Coding and scrambling of messages to prevent their access without authorization

Authentication:
Ability of each party in a transaction to ascertain identity of other party

Message integrity:
Ability to ascertain that transmitted message has not been copied or altered
35

Contd.
Digital signature:
Digital code attached to electronically transmitted message to uniquely identify contents and sender

Digital certificate:
Attachment to electronic message to verify the sender and to provide receiver with means to encode reply
36

Security Management of E-Business

Encryption

Fire Walls

Virus Defenses

Denial of Service Defenses

Monitor E-mail
37

Other E-Business Security Measures

Security Codes Backup Files

Security Monitors

Biometric Security Controls

38

E-Business System Controls and Audits

Input Controls
Processing Controls Output Controls

Fire walls
Software Hardware Checkpoints Security Codes Encryption Error Signals Storage Controls Security Codes Encryption Control Totals User Feedback Security Codes Encryption Backup Files
39

Computer System Failure Controls

Layer
Applications

Threat
Environmental, HW and SW Faults Outages

Fault Tolerant Methods

Application redundancy, Checkpoints System isolation Data security Transaction histories, backup files Alternate routing, error correcting routines Checkpoints

Systems

Databases

Data errors

Networks

Transmission errors

Processes

HW and SW faults

Files

Media Errors

Replication of data
40

Processors

HW Faults

Instruction retry

Disaster Recovery
Who will participate? What will be their duties? What hardware and software will be used? Priority of applications to be run? What alternative facilities will be used? Where will databases be stored?
41