Chapter 17 Risks, Controls and Security Measures
Post on 20-Jan-2016
Chapter 17
Risks, Controls and Security Measures
Learning Objectives
When you finish this chapter, you will:
Be able to identify the main types of risks to information systems.
List various types of attacks on networked systems.
Identify types of controls required to ensure the integrity of data entry and processing and uninterrupted e-commerce.
Learning Objectives
Know the principles of how organizations develop recovery plans.
Be able to explain the economic aspects of pursuing information security.
Why do we care?
Nearly 20,000 digital attacks* occurred in January 2003
At this rate, we could see 180,000 attacks resulting in $80-100 billion in damages
*mi2g Ltd., a digital risk management firm.
Goals of Information Security
Reduce the risk of systems and organizations ceasing operations
Maintain information confidentiality
Ensure the integrity and reliability of data resources
Ensure uninterrupted availability of data resources and online operations
Ensure compliance with national security laws and privacy policies and laws
Risks to Information Systems
Causes of systems downtime: hardware failure is number one; fire and theft are the next two contributors
Risks to hardware: natural disasters, blackouts and brownouts, vandalism
Risks to Information Systems
Risks to applications and data: theft of information; data alteration, data destruction and defacement; computer viruses and logic bombs; nonmalicious mishaps
Risks to Information Systems
Figure 17.2 Frequency of security breaches in a 12-month period based on a survey of 745 professionals
Risks to Online Operations
Denial of Service (DoS): an attacker floods a Web site with more requests than it can serve, so legitimate users cannot reach its pages
If the flood is sent from many computers at once it is called distributed denial of service (DDoS); blocking any single source then does not stop it
Spoofing: deceiving users into believing they are logged on at one site when they are actually on another, typically a look-alike site under the attacker's control
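The DoS/DDoS distinction above matters for detection: a threshold on requests per source catches a single flooding host but says nothing about thousands of hosts sending one request each. The following is an added example, not material from the chapter, that runs both checks over constructed Web-server log lines (the log format is Apache/NGINX combined style; the addresses, thresholds and window size are this example's own choices).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined-format access log: source IP, timestamp in brackets, quoted request, status.
WEB_SERVER_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into (source IP, timestamp); None if malformed."""
    m = WEB_SERVER_LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def detect_floods(lines, window_s=10, per_ip_limit=50, total_limit=200):
    """Count requests in fixed windows of window_s seconds.

    A source that alone reaches per_ip_limit in a window is reported as a
    single-source flood ("dos"). If the remaining sources together still reach
    total_limit, with no single one dominant, the window is reported as a
    distributed flood ("ddos"): the case a per-address threshold misses.
    """
    buckets = defaultdict(Counter)  # window index -> requests per source IP
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage rather than crash the detector
        ip, ts = parsed
        buckets[int(ts.timestamp()) // window_s][ip] += 1

    alerts = []
    for idx in sorted(buckets):
        counts = buckets[idx]
        start = datetime.fromtimestamp(idx * window_s, tz=timezone.utc).isoformat()
        heavy = {ip: n for ip, n in counts.items() if n >= per_ip_limit}
        for ip, n in sorted(heavy.items()):
            alerts.append(("dos", start, ip, n))
        remaining = sum(counts.values()) - sum(heavy.values())
        if remaining >= total_limit:
            alerts.append(("ddos", start, f"{len(counts) - len(heavy)} sources", remaining))
    return alerts


def build_sample_log():
    """Constructed traffic: ordinary users, then a single-source flood, then a distributed one."""
    base = datetime(2016, 1, 20, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path="/login"):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for i in range(5):                       # seconds 0-9: five ordinary users, three requests each
        lines += [line(f"198.51.100.{i + 1}", j * 3) for j in range(3)]
    for j in range(120):                     # seconds 10-19: one host sends 120 requests
        lines.append(line("203.0.113.7", 10 + j % 10))
    for j in range(300):                     # seconds 20-29: 300 distinct hosts, one request each
        lines.append(line(f"10.0.{j // 250}.{j % 250 + 1}", 20 + j % 10))
    lines.append("this line is not a log entry")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(*alert)
```

Running it reports one "dos" alert for 203.0.113.7 in the second window and one "ddos" alert for the 300 sources in the third, while the ordinary traffic in the first window produces nothing. Fixed windows are simple but an attacker who straddles a boundary halves the observed rate; a sliding window or exponentially decaying counter closes that gap at the cost of more state.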
Controlling Information System Risks
Controls: Constraints imposed on a user or a system to secure systems against risks.
Figure 17.3 Common controls to protect systems from risk
Controlling Information System Risks
Program Robustness and Data Entry Controls: provide a clear and sound interface with the user; menus and limits / data input constraints so that only valid values can be entered
Backup: periodic duplication of all data
Access Controls: ensure that only authorized people can gain access to systems and files
Access codes and passwords
Biometrics: an access control based on a unique, measurable physical characteristic of a human being that is used to identify a person
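Passwords are only a control if the stored form cannot be turned back into the password and guessing is made expensive. The following is an added example, not code from the chapter: it stores passwords as salted PBKDF2-HMAC-SHA256 digests, verifies them in constant time, and locks an account after repeated failures. The record format, the UserStore class and the iteration count are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Kept low so the example runs quickly;
# current OWASP guidance is in the hundreds of thousands of iterations.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return a record 'pbkdf2_sha256$<iterations>$<salt>$<digest>' (this example's own format).
    A fresh random salt per user means two users with the same password get different records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # malformed record (binascii.Error is a ValueError subclass)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                                    dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


# A record for a password nobody knows, so that a login attempt against an unknown
# username costs the same time as one against a real account.
_DUMMY_RECORD = hash_password(base64.b64encode(os.urandom(24)).decode("ascii"))


class UserStore:
    """In-memory user table with per-account lockout after repeated failures."""

    MAX_FAILURES = 5

    def __init__(self):
        self._records = {}
        self._failures = {}

    def add_user(self, username, password):
        self._records[username] = hash_password(password)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'. Unknown users take the same path as wrong passwords."""
        if self._failures.get(username, 0) >= self.MAX_FAILURES:
            return "locked"
        record = self._records.get(username, _DUMMY_RECORD)
        # verify_password always runs, so timing does not reveal whether the user exists
        if verify_password(password, record) and username in self._records:
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "denied"


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))  # ok
    print(store.login("alice", "wrong"))                         # denied
```

Per-account lockout has a downside the chapter's "Downside of Security Controls" slide would recognise: anyone who knows a username can lock its owner out by guessing wrong five times, so real deployments pair it with a timed unlock and per-source rate limiting.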
Controlling Information System Risks
Atomic Transactions: ensure that transaction data are recorded properly in all the pertinent files, or in none of them, so that the files never disagree with each other; this preserves integrity when a transaction is interrupted partway through
Controlling Information System Risks
Audit Trails: built into an IS so that every transaction can be traced to the person who made it, when it was made, and the authorization it was made under
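Atomic transactions and audit trails work best together: if the audit record is written inside the same transaction as the data change, the trail can never show a transfer that was rolled back, nor miss one that committed. The following is an added example, not code from the chapter, using SQLite from Python's standard library; the account table, the teller name and the amounts are constructed for the demonstration.

```python
import sqlite3


def setup_db():
    """In-memory database with constructed sample accounts (not from the chapter)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.execute(
        "CREATE TABLE audit_log (seq INTEGER PRIMARY KEY, actor TEXT, action TEXT, "
        "detail TEXT, ts TEXT DEFAULT CURRENT_TIMESTAMP)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    conn.commit()
    return conn


def _update_one(conn, sql, params):
    """Run an UPDATE that must touch exactly one row; otherwise abort the transaction."""
    cur = conn.execute(sql, params)
    if cur.rowcount != 1:
        raise ValueError("expected exactly one row, got %d" % cur.rowcount)


def transfer(conn, actor, src, dst, amount):
    """Move `amount` from src to dst. Either both balance changes and the audit
    record are committed, or none of them are."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    try:
        with conn:  # implicit BEGIN; COMMIT on success, ROLLBACK if an exception escapes
            _update_one(conn, "UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
            _update_one(conn, "UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
            conn.execute(
                "INSERT INTO audit_log (actor, action, detail) VALUES (?, ?, ?)",
                (actor, "transfer", f"{src}->{dst}:{amount}"),
            )
        return True
    except (sqlite3.IntegrityError, ValueError) as exc:
        # Everything above was rolled back. Record the failed attempt in its own committed
        # write so the trail still names who tried what, without implying it took place.
        with conn:
            conn.execute(
                "INSERT INTO audit_log (actor, action, detail) VALUES (?, ?, ?)",
                (actor, "transfer_failed", f"{src}->{dst}:{amount} ({exc})"),
            )
        return False


def balance(conn, account):
    return conn.execute("SELECT balance FROM accounts WHERE id = ?", (account,)).fetchone()[0]


def audit_actions(conn):
    return [row[0] for row in conn.execute("SELECT action FROM audit_log ORDER BY seq")]


if __name__ == "__main__":
    db = setup_db()
    print(transfer(db, "teller7", "alice", "bob", 30))    # True
    print(transfer(db, "teller7", "alice", "carol", 40))  # False: no such account, debit rolled back
    print(transfer(db, "teller7", "bob", "alice", 500))   # False: CHECK(balance >= 0) rejects overdraft
    print(balance(db, "alice"), balance(db, "bob"))       # 70 80
    print(audit_actions(db))
```

The second call is the interesting one: alice's debit succeeds, the credit to the nonexistent "carol" touches zero rows, and the rollback restores alice's balance. The audit log then holds one "transfer" and two "transfer_failed" rows, each with the actor and a timestamp supplied by the database rather than by the caller.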
Encryption
Authentication: the process of ensuring that the sender and the receiver of a message are indeed who they claim to be
Original message: plaintext
Coded message: ciphertext
Messages are scrambled (encrypted) on the sending end and descrambled (decrypted) back to plaintext on the receiving end
Encryption Strength
Figure 17.6 Estimated time needed to break encryption keys, using $100,000 worth of computer equipment
Encryption
Distribution restrictions and public key encryption
Symmetric: both sender and recipient use the same key, referred to as the secret key; the sender must get that key to the recipient over some secure channel before the message is sent, which is the key distribution problem
Asymmetric (also called public key encryption): each party has a pair of keys; the public key can be published openly and is used to encrypt, and only the matching private key, which is never shared, can decrypt, so no secret has to be exchanged before the message is sent
Encryption
Secure Sockets Layer (SSL, since superseded by Transport Layer Security, TLS) and Secure Hypertext Transport Protocol (S-HTTP, now obsolete) were designed to protect online transactions in transit: the traffic between browser and server is encrypted and the browser can verify the server's certificate, but neither protects data once it is stored at either end
Pretty Good Privacy (PGP): a Network Associates product at the time of writing that lets individuals generate their own public and private key pairs and use them to encrypt and sign messages
Digital signatures and digital certificates
Electronic signatures
Digital signatures: computed from the message with the signer's private key, so the signature is different for each message and any alteration of the message invalidates it
Digital certificates: computer files, issued by a certificate authority, that bind a public key to its owner and serve as the equivalent of ID cards
Firewalls
Software whose purpose is to manage access to computing resources; early firewalls used a combination of hardware and software
While firewalls are used to keep unauthorized users out, they are also used to keep unauthorized software or instructions away, such as computer viruses and other rogue software
Proxy servers act as a buffer between internal and external networks: outside hosts talk only to the proxy, never directly to the internal machines
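What "manage access" means in practice is a rule list evaluated against each packet, first match wins, and a packet that matches nothing is dropped. The following is an added example, not code from the chapter or from any firewall product: a small packet-filter evaluator with its own one-line rule syntax, applied to a constructed policy for a hypothetical site (public web server 192.0.2.10, administrators on 203.0.113.0/24).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str          # "in" (toward the internal network) or "out"
    proto: str              # "tcp", "udp", "icmp" or "any"
    src: object             # ipaddress network
    dst: object             # ipaddress network
    dport: Optional[range]  # None means any destination port


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _network(text):
    return ipaddress.ip_network("0.0.0.0/0") if text == "any" else ipaddress.ip_network(text)


def parse_rule(text):
    """Parse 'action direction proto src dst port' (this example's own syntax), e.g.
    'allow in tcp any 192.0.2.10 443' or 'allow in tcp 203.0.113.0/24 192.0.2.0/24 22'."""
    action, direction, proto, src, dst, port = text.split()
    if (action not in ("allow", "deny") or direction not in ("in", "out")
            or proto not in ("tcp", "udp", "icmp", "any")):
        raise ValueError("bad rule: " + text)
    if port == "any":
        ports = None
    else:
        lo, _, hi = port.partition("-")
        ports = range(int(lo), int(hi or lo) + 1)
    return Rule(action, direction, proto, _network(src), _network(dst), ports)


def matches(rule, pkt):
    """An IPv6 packet never falls inside an IPv4 network, so it reaches the default deny."""
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dport is None
                 or (pkt.dport is not None and pkt.dport in rule.dport)))


def evaluate(rules, pkt):
    """First matching rule decides. A packet no rule matches is dropped: default deny,
    so a forgotten rule fails closed rather than open."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed policy for the hypothetical site described in the lead-in.
POLICY = [parse_rule(line) for line in (
    "allow in  tcp any            192.0.2.10   443",
    "allow in  tcp 203.0.113.0/24 192.0.2.0/24 22",
    "allow out any 192.0.2.0/24   any          any",
)]


if __name__ == "__main__":
    probes = [
        Packet("in", "tcp", "198.51.100.5", "192.0.2.10", 443),   # public HTTPS: allow
        Packet("in", "tcp", "198.51.100.5", "192.0.2.10", 22),    # SSH from the Internet: deny
        Packet("in", "tcp", "203.0.113.9", "192.0.2.10", 22),     # SSH from the admin net: allow
        Packet("in", "udp", "198.51.100.5", "192.0.2.10", 443),   # wrong protocol: deny
    ]
    for pkt in probes:
        print(pkt, "->", evaluate(POLICY, pkt))
```

Rule order is part of the policy: prepending "deny in any any any any" to the list would silently shadow both allow rules, which is why firewall reviews check the order of rules and not just their presence.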
Security Standards
The Orange Book (the DOD Trusted Computer System Evaluation Criteria, TCSEC): four security divisions
Division A: Verified Protection
Division B: Mandatory Protection
Division C: Discretionary Protection
Division D: Minimal Protection or No Protection
The ISO Standard (ISO/IEC 15408, the Common Criteria): a common set of requirements for IT product security functions and for assurance measures during security evaluation
Permits comparability between the results of independent security evaluations
The Downside of Security Controls
Security measures slow data communications and require discipline that is not easy to maintain: passwords, encryption, firewalls
They drain personnel resources as well
Chief Security Officers
Recovery Measures
The Business Recovery Plan: nine steps proposed for development
1. Obtain management's commitment to the plan
2. Establish a planning committee
3. Perform risk assessment and impact analysis
4. Prioritize recovery needs
5. Select a recovery plan
6. Select vendors
7. Develop and implement the plan
8. Test the plan
9. Continually test and evaluate
Recovery Measures
Outsourcing the recovery plan: some companies may choose not to develop their own recovery plan
Small companies may not be able to afford an expensive recovery plan and may opt for a Web-based service
Median Amounts of IT Security Budgets by Industry
The Economic Aspect of Security Measures
Two types of costs to consider when determining how much to spend on data security: the cost of potential damage and the cost of implementing a preventive measure
The Economic Aspect of Security Measures
Figure 17.12 The total cost to the enterprise is lowest at “Optimum.” No less, and no more, should be spent on information security measures.