Security of Information Systems

MIS 2000
Class 22
System Security
Update: Winter 2015
1
Outline
Security threats concept
Sniffing
Encryption defense
Malware
Data theft
Intrusion detection system, password & firewall defenses
Internet threats and defenses
Internal threats & defenses
Summary
2
Information Systems’ Vulnerability
Network-related challenges:
Access to local and wide area networks (Internet) brings risks.
Anyone from inside/outside the organization can attempt to
infiltrate information systems. The risk of unauthorized access
to data, theft and destruction is greater than with paper, which
exists in one original form and can be securely locked.
Digital data can also be changed without the fraud being easily
detected, which is one of its disadvantages in comparison with paper.*
3
Security Threats - External
Sniffing
False identity
(spoofing/phishing)
Data theft
Malware
(virus, worm…)
4
Sniffing
Sniffing refers to an uninvited party listening to a
communication channel.
Sniffing is a form of unauthorized access.
Conversations on cell phones can easily be sniffed.*
WiFi channels are also vulnerable.
Defense: Encryption of the data transferred. The content is
scrambled into an illegible format by using some programming
method.
Example: “Hi, how are you?” can be encrypted
into something like “xy&*z-&8w4}”. See next slide.
5
Encryption
Encryption = Scrambling of a message to prevent unauthorized parties from
reading it.
Encryption is a defense against sniffing of a communication channel.
Single key encryption – Sender and receiver use the same private key for
encryption and decryption.
Double key encryption – Sender and receiver use a combination of a public and a
private key:
[Diagram: Encrypt with Recipient’s Public Key -> Decrypt with Recipient’s
Private Key. Digital Signature can be applied. Certificate Authority.]
Digital Certificate - public key and a proof of its validity issued by a
certificate authority (e.g., VeriSign); licensed annually.
Critical for e-commerce; important in other Internet communications
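The double key scheme on this slide, as an added example that is not part of the original slides: textbook RSA in standard-library Python, with a toy key pair constructed from two known primes and no padding, so it shows the mechanics only. The function names are this example's own, and one key pair plays both the recipient's and the signer's role for brevity.

```python
import hashlib

# Toy key pair, constructed for this example from two known Mersenne primes.
# Real keys are 2048+ bits and real RSA uses padding (OAEP/PSS) from a vetted library.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (needs Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)


def encrypt(message: bytes, public_key) -> int:
    """Anyone may do this: it needs only the recipient's public key."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the recipient can do this: it needs the private key."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes, n: int) -> int:
    # SHA-256 of the message, reduced to fit the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Digital signature: the message hash transformed with the signer's private key."""
    d, n = private_key
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the signer's public key can check the signature."""
    e, n = public_key
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    msg = b"Hi, how are you?"                # the sample message from the sniffing slide
    c = encrypt(msg, PUBLIC_KEY)
    print("on the wire:", hex(c))            # what a sniffer would capture
    print("recipient reads:", decrypt(c, PRIVATE_KEY))
    sig = sign(msg, PRIVATE_KEY)
    print(verify(msg, sig, PUBLIC_KEY), verify(b"Hi, how are you!", sig, PUBLIC_KEY))
```

A message changed in transit fails `verify`, which is the property the digital signature adds on top of confidentiality.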
6
Malware
Malware = malicious software that can harm data, and/or computer software
and even hardware.
Virus (a legend about their origin) – destructive to data & software
Worm – replicates itself, taking computing resources and impairing computer
functioning (e.g., speed, and screen freeze).
Trojan – blocks system security functions, thereby opening doors for other malware.
Adware – presents unwanted ads in pop-up or pop-under windows.
Spyware – observes user's activities and reports them to an external party.
Defenses:
Anti-virus software. Automatic and continuously updated online by vendor.
Critical for Internet. *
Firewall (see later slide)
7
Data Theft
Data theft is the stealing of data by hackers. It is also an internal threat
in organizations, when an unauthorized person accesses data.
Also, data storage devices or mobile tech. can be stolen or lost.
Defenses:
Firewall: a whole security-tasked IS for guarding access
8
More Defenses Against Data Theft
Intrusion Detection System (IDS). Automatically
detects suspicious network traffic.
• Supports Firewall
• Rules defining suspicious moves
• Monitoring internal traffic as well
Passwords for access
Physical: Locking up computers and storage devices.
Mobile tech. methods: Combining passwords,
storage encryption*, locks, remote data wipes.
9
False Identity
Also called spoofing, phishing, social engineering…*
A malevolent party pretends to be a company or a person they
really are not, and tries to get personal data (credit card numbers
etc.).
Defense: Vigilance and caution!
Never go to Web sites you are invited to via email or on
social media, unless you are absolutely sure the site/invitation
is real.**
Never engage in “money transfer” schemes unknown persons
offer you via email or texting.
10
Internal Security Threats &
Defenses
Within organizations. Threats are bigger as people are closer to
technologies and data storage.
Unauthorized access, change and copying of data; also, stealing data
storage.
Unauthorized access to data: when a user does not have a particular
privilege (read, write, change, delete) but gets it somehow.
Human errors: leaving data unprotected, poor & lost passwords, not
locking data/hardware/software.
Defenses:
Physical securing; passwords; biometric methods (fingertip readers).
Managing access to data (system administrators)
Training, supervision
11
Power failure & Natural disasters
Power failure can be an internal or external threat.
Defense: Have backup electricity generators ready to take over.
Natural disasters belong to external threats.
Defense:
Have disaster management plans
Extra computing facilities off-site (can be rented).
Keep backup data off-site.
Run regular checks to assess preparedness.
12
Summary
Security threats are external and internal, and include malware,
false identity, sniffing, data theft, and unauthorized access to and
change of data (tampering).
Mobile phones and devices and wireless channels are very
vulnerable.
Internet increases security risks.
Defenses include data encryption, intrusion detection systems,
passwords, firewalls, physical means, and managing system
access.
13