版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
SecuringInformationSystemsSTUDENTLEARNINGOBJECTIVESEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsWhyareinformationsystemsvulnerabletodestruction,error,andabuse?Whatisthebusinessvalueofsecurityandcontrol?Whatarethecomponentsofanorganizationalframeworkforsecurityandcontrol?Evaluatethemostimportanttoolsandtechnologiesforsafeguardinginformationresources.STUDENTLEARNINGOBJECTIVESEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsLearningTracksTheBoomingJobMarketinITSecurityTheSarbanesOxleyActComputerForensicsGeneralandApplicationControlsforInformationSystemsManagementChallengesofSecurityandControlSoftwareVulnerabilityandReliabilityVideoCasesCase1:StuxnetandCyberwarfareCase2:IBMZoneTrustedInformationChannel(ZTIC)InstructionalVideo1:SonyPlayStationHacked;DataStolenfrom77MillionUsersInstructionalVideo2:ZapposWorkingtoCorrectOnlineSecurityBreachInstructionalVideo3:MeettheHackers:AnonymousStatementonHackingSONYYou’reonLinkedIn?WatchOut!LinkedIn:Oneoftheworld’slargestsocialnetworkswithmorethan225millionusersTargetforhackersaswidelyused“social”siteOutdatedsecurityprocessesProblem
Securitybreachresultsinexposureof6.5millionpasswordsReputationaldamageMultimilliondollarlawsuitEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsAlthoughLinkedIn’s
securitypolicieswereadequatesomeyearsago,in2012theywereveryinadequateMissing:ChiefsecurityofficerEvenminimalpasswordprotectionandencryptionPasswordsaltingtechniquesIllustrates:LackofliabilityforcompaniesinsocialtechnologyservicesDemonstrates:NeedforupdatingsecuritypoliciescontinuouslyEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsYou’reonLinkedIn?WatchOut!EssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsYou’reonLinkedIn?WatchOut!SystemVulnerabilityandAbuseAnunprotectedcomputerconnectedtoInternetmaybedisabledwithinsecondsSecurity:Policies,procedures,andtechnicalmeasuresusedtopreventunauthorizedaccess,alteration,theft,orphysicaldamagetoinformationsystemsControls:Methods,policies,andorganizationalproceduresthatensuresafetyoforganization’sassets;accuracyandreliabilityofitsaccountingrecords;andoperationaladherencetomanagementstandardsEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsWhySystemsAreVulnerableHardwareproblemsBreakdowns,configurationerrors,damagefromimproperuseorcrimeSoftwareproblemsProgrammingerrors,installationerrors,unauthorizedchangesDisastersPowerfailures,flood,fires,andsoonUseofnetworks,computersoutsideoffirm’scontrolDomesticoroffshoreoutsourcingvendorsMobiledevicesSystemVulnerabilityandAbuseEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsContemporarySecurityChallengesandVulnerabilitiesThearchitectureofaWeb-basedapplicationtypicallyincludesaWebclient,aserver,andcorporateinformationsystemslinkedtodatabases.Eachofthesecomponentspresentssecuritychallengesandvulnerabilities.Floods,fires,powerfailures,andotherelectricalproblemscancausedisruptionsatanypointinthenetwork.SystemVulnerabilityandAbuseEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsFigure8-1InternetvulnerabilitiesNetworkopentoanyoneSizeofInternetmeansabusescanhavewideimpactUseoffixedInternetaddresseswithpermanentconnectionstoInterneteasesidentificationbyhackersE-mailattachments,filedownloading,andsharingE-mailusedfortransmittingtradesecretsIMmessageslacksecurity,canbeeasilyinterceptedSystemVulnerabilityandAbuseEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsWirelesssecuritychallengesRadiofrequencybandseasytoscanSSIDs(servicesetidentifiers)Identifyaccesspoints.Broadcastmultipletimes.WardrivingEavesdroppersdrivebybuildingsandtrytointerceptnetworktrafficWithaccesstoSSID,hasaccesstonetwork’sresourcesRogueaccesspointsSystemVulnerabilityandAbuseEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsWi-FiSecurityChallengesFigure8-2ManyWi-Finetworkscanbepenetratedeasilybyintrudersusingsnifferprogramstoobtainanaddresstoaccesstheresourcesofanetworkwithoutauthorization.SystemVulnerabilityandAbuseEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsMaliciousSoftware:Viruses,Worms,TrojanHorses,andSpywareMalwareVirusesRoguesoftwareprogramthatattachesitselftoothersoftwareprogramsordatafilesinordertobeexecutedWormsIndependentcomputerprogramsthatcopythemselvesfromonecomputertoothercomputersoveranetworkTrojanhorsesSoftwareprogramthatappearstobebenignbutthendoessomethingotherthanexpected.SystemVulnerabilityandAbuseEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsMaliciousSoftware:Viruses,Worms,TrojanHorses,andSpywareSQLinjectionattacksSpywareSmallprogramsinstallthemselvessurreptitiouslyoncomputerstomonitoruserWebsurfingactivityandserveupadvertisingKeyloggersRecordeverykeystrokeoncomputertostealserialnumbers,passwords,launchInternetattacksSystemVulnerabilityandAbuseEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsHackersandComputerCrimeSystemVulnerabilityandAbuseHackersversuscrackersActivitiesinclude:SystemintrusionTheftofgoodsandservicesSystemdamageCybervandalism—Intentionaldisruption,defacement,destructionofWebsiteorcorporateinformationsystemEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsHackersandComputerCrimeSystemVulnerabilityandAbuseSpoofingMisrepresentingoneselfbyusingfakee-mailaddressesormasqueradingassomeoneelseRedirectingWeblinktoaddressdifferentfromintendedone,withsitemasqueradingasintendeddestinationSnifferEavesdroppingprogramthatmonitorsinformationtravelingovernetworkEnableshackerstostealproprietaryinformationsuchase-mail,companyfiles,andsoonEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsHackersandComputerCrimeSystemVulnerabilityandAbuseDenial-of-serviceattacks(DoS)Floodingserverwiththousandsoffalserequeststocrashthenetwork.Distributeddenial-of-serviceattacks(DDoS)UseofnumerouscomputerstolaunchaDoSBotnetsNetworksof“zombie”PCsinfiltratedbybotmalwareEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsHackersandComputerCrimeSystemVulnerabilityandAbuseComputercrimeAnyviolationsofcriminallawthatinvolveaknowledgeofcomputertechnologyfortheirperpetration,investigation,orprosecutionComputermaybetargetofcrime:BreachingconfidentialityofprotectedcomputerizeddataAccessingacomputersystemwithoutauthorityComputermaybeinstrumentofcrime:TheftoftradesecretsUsinge-mailforthreatsorharassmentEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsReadtheInteractiveSessionandthendiscussthefollowingquestions:Describethesecurityvulnerabilitiesexploitedbythehackers.Whatpeople,organizational,andtechnologyfactorscontributedtotheseproblems?Whatsolutionsareavailableforthisproblem?Howdifficultaretheytoimplement?Why?InteractiveSession:OrganizationsThe21stCenturyBankHeistSystemVulnerabilityandAbuseEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsHackersandComputerCrimeSystemVulnerabilityandAbuseIdentitytheftTheftofpersonalinformation(socialsecurityID,driver’slicense,orcreditcardnumbers)toimpersonatesomeoneelsePhishingSettingupfakeWebsitesorsendinge-mailmessagesthatlooklikelegitimatebusinessestoaskusersforconfidentialpersonaldataEviltwinsWirelessnetworksthatpretendtooffertrustworthyWi-FiconnectionstotheInternetEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsHackersandComputerCrimeSystemVulnerabilityandAbusePharmingRedirectsuserstoabogusWebpage,evenwhenindividualtypescorrectWebpageaddressintohisorherbrowserClickfraudFraudulentclicksononlineadsGlobalthreatsCyberterrorismCyberwarfareEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsInternalThreats:EmployeesSecuritythreatsoftenoriginateinsideanorganization.InsideknowledgeSloppysecurityproceduresUserlackofknowledgeSocialengineering:TrickingemployeesintorevealingtheirpasswordsbypretendingtobelegitimatemembersofthecompanyinneedofinformationSystemVulnerabilityandAbuseEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsSoftwareVulnerabilitySystemVulnerabilityandAbuseCommercialsoftwarecontainsflawsthatcreatesecurityvulnerabilities.Hiddenbugs(programcodedefects)ZerodefectscannotbeachievedbecausecompletetestingisnotpossiblewithlargeprogramsFlawscanopennetworkstointrudersPatches:SmallpiecesofsoftwaretorepairflawsreleasedbyvendorsHowever,amountofsoftwareinusecanmeanexploitscreatedfasterthanpatchescanbereleasedEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsFailedcomputersystemscanleadtosignificantortotallossofbusinessfunction.Firmsnowmorevulnerablethanever.Asecuritybreachmaycutintofirm’smarketvaluealmostimmediately.Inadequatesecurityandcontrolsalsobringforthissuesofliability.BusinessValueofSecurityandControlEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsLegalandRegulatoryRequirementsforElectronicRecordsManagementBusinessValueofSecurityandControlFirmsfacenewlegalobligationsfortheretentionandstorageofelectronicrecordsaswellasforprivacyprotectionHIPAA:medicalsecurityandprivacyrulesandproceduresGramm-Leach-BlileyAct:requiresfinancialinstitutionstoensurethesecurityandconfidentialityofcustomerdataSarbanes-OxleyAct:imposesresponsibilityoncompaniesandtheirmanagementtosafeguardtheaccuracyandintegrityoffinancialinformationthatisusedinternallyandreleasedexternallyEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsElectronicEvidenceandComputerForensicsEvidenceforwhitecollarcrimesoftenfoundindigitalformDatastoredoncomputerdevices,e-mail,instantmessages,e-commercetransactionsPropercontrolofdatacansavetime,moneywhenrespondingtolegaldiscoveryrequestComputerforensics:Scientificcollection,examination,authentication,preservation,andanalysisofdatafromcomputerstoragemediaforuseasevidenceincourtoflawIncludesrecoveryofambientandhiddendataBusinessValueofSecurityandControlEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsEstablishingaFrameworkforSecurityandControlInformationsystemscontrolsGeneralcontrolsGoverndesign,security,anduseofcomputerprogramsandsecurityofdatafilesingeneralthroughoutorganization’sinformationtechnologyinfrastructure.Applytoallcomputerizedapplications.Combinationofhardware,software,andmanualprocedurestocreateoverallcontrolenvironment.EssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsEstablishingaFrameworkforSecurityandControlTypesofgeneralcontrolsSoftwarecontrolsHardwarecontrolsComputeroperationscontrolsDatasecuritycontrolsImplementationcontrolsAdministrativecontrolsEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsEstablishingaFrameworkforSecurityandControlApplicationcontrolsSpecificcontrolsuniquetoeachcomputerizedapplication,suchaspayrollororderprocessing.Includebothautomatedandmanualprocedures.Ensurethatonlyauthorizeddataarecompletelyandaccuratelyprocessedbythatapplication.Include:InputcontrolsProcessingcontrolsOutputcontrolsEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsEstablishingaFrameworkforSecurityandControlRiskassessmentDetermineslevelofrisktofirmifspecificactivityorprocessisnotproperlycontrolledTypesofthreatProbabilityofoccurrenceduringyearPotentiallosses,valueofthreatExpectedannuallossEXPOSUREPROBABILITYLOSSRANGEEXPECTEDANNUALLOSSPowerfailure30%$5K–$200K$30,750Embezzlement5%$1K–$50K$1,275Usererror98%$200–$40K$19,698EssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsEstablishingaFrameworkforSecurityandControlSecuritypolicyRanksinformationrisksIdentifiesacceptablesecuritygoalsIdentifiesmechanismsforachievingthesegoalsDrivesotherpoliciesAcceptableusepolicy(AUP)AuthorizationpoliciesProvisionsforidentitymanagementEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsEstablishingaFrameworkforSecurityandControlIdentitymanagementBusinessprocessandtechnologiesforidentifyingvalidusersofsystemCreatesdifferentlevelsorrolesofsystemuserandaccessAllowseachuseraccessonlytothoseportionsofsystemunderthatuserroleEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsSecurityProfilesforaPersonnelSystemFigure8-3Thesetwoexamplesrepresenttwosecurityprofilesordatasecuritypatternsthatmightbefoundinapersonnelsystem.Dependingonthesecurityprofile,auserwouldhavecertainrestrictionsonaccesstovarioussystems,locations,ordatainanorganization.EssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsEstablishingaFrameworkforSecurityandControlEstablishingaFrameworkforSecurityandControlDisasterrecoveryplanning:DevisesplansforrestorationofdisruptedservicesBusinesscontinuityplanning:FocusesonrestoringbusinessoperationsafterdisasterBothtypesofplansneededtoidentifyfirm’smostcriticalsystemsBusinessimpactanalysistodetermineimpactofanoutageManagementmustdeterminewhichsystemsrestoredfirstDisasterRecoveryPlanningandBusinessContinuityPlanningEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsEstablishingaFrameworkforSecurityandControlTheRoleofAuditingMISauditExaminesfirm’soverallsecurityenvironmentaswellascontrolsgoverningindividualinformationsystemsReviewstechnologies,procedures,documentation,training,andpersonnelMayevensimulatedisastertotestresponseoftechnology,ISstaff,otheremployeesListsandranksallcontrolweaknessesandestimatesprobabilityoftheiroccurrence.AssessesfinancialandorganizationalimpactofeachthreatEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsSampleAuditor’sListofControlWeaknessesFigure8-4Thischartisasamplepagefromalistofcontrolweaknessesthatanauditormightfindinaloansysteminalocalcommercialbank.Thisformhelpsauditorsrecordandevaluatecontrolweaknessesandshowstheresultsofdiscussingthoseweaknesseswithmanagement,aswellasanycorrectiveactionstakenbymanagement.EssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsEstablishingaFrameworkforSecurityandControlIdentityManagementandAuthenticationTechnologiesandToolsforProtectingInformationResourcesAuthenticationPasswordsystemsTokensSmartcardsBiometricauthenticationFingerprints,irises,voicesEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsFirewall:CombinationofhardwareandsoftwarethatpreventsunauthorizedaccesstonetworkTechnologiesinclude:PacketfilteringStatefulinspectionNetworkaddresstranslation(NAT)ApplicationproxyfilteringFirewalls,IntrusionDetectionSystems,andAntivirusSoftwareEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsTechnologiesandToolsforProtectingInformationResourcesACorporateFirewallFigure8-5Thefirewallisplacedbetweenthefirm’sprivatenetworkandthepublicInternetoranotherdistrustednetworktoprotectagainstunauthorizedtraffic.EssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsTechnologiesandToolsforProtectingInformationResourcesIntrusiondetectionsystems:Monitorhotspotsoncorporatenetworkstodetectanddeterintruders.Examineeventsastheyarehappeningtodiscoverattacksinprogress.Antivirusandantispywaresoftware:Checkcomputersforpresenceofmalwareandcanofteneliminateitaswell.Requirecontinualupdating.UnifiedThreatManagement(UTM)systemsEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsTechnologiesandToolsforProtectingInformationResourcesWEPsecuritycanbeimproved:ActivatingitAssigninguniquenametonetwork’sSSIDUsingitwithVPNtechnologyWi-FiAlliancefinalizedWPA2specification,replacingWEPwithstrongerstandardsContinuallychangingkeysEncryptedauthenticationsystemwithcentralserverSecuringWirelessNetworksEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsTechnologiesandToolsforProtectingInformationResourcesEncryption:TransformingtextordataintociphertextthatcannotbereadbyunintendedrecipientsTwomethodsforencryptiononnetworksSecureSocketsLayer(SSL)andsuccessorTransportLayerSecurity(TLS)SecureHypertextTransferProtocol(S-HTTP)EncryptionandPublicKeyInfrastructureEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsTechnologiesandToolsforProtectingInformationResourcesTwomethodsofencryptionSymmetrickeyencryptionSenderandreceiverusesingle,sharedkeyPublickeyencryptionUsestwo,mathematicallyrelatedkeys:publickeyandprivatekeySenderencryptsmessagewithrecipient’spublickeyRecipientdecryptswithprivatekeyEncryptionandPublicKeyInfrastructureEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsTechnologiesandToolsforProtectingInformationResourcesPublicKeyEncryptionFigure8-6Apublickeyencryptionsystemcanbeviewedasaseriesofpublicandprivatekeysthatlockdatawhentheyaretransmittedandunlockthedatawhentheyarereceived.Thesenderlocatestherecipient’spublickeyinadirectoryandusesittoencryptamessage.ThemessageissentinencryptedformovertheInternetoraprivatenetwork.Whentheencryptedmessagearrives,therecipientuseshisorherprivatekeytodecryptthedataandreadthemessage.EssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsTechnologiesandToolsforProtectingInformationResourcesDigitalcertificate:DatafileusedtoestablishtheidentityofusersandelectronicassetsforprotectionofonlinetransactionsUsescertificationauthority(CA)tovalidateauser’sidentityCAverifiesuser’sidentity,storesinformationinCAserver,whichgeneratesencrypteddigitalcertificatecontainingownerIDinformationandcopyofowner’spublickeyPublickeyinfrastructure(PKI)UseofpublickeycryptographyworkingwithcertificateauthorityWidelyusedine-commerceEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsTechnologiesandToolsforProtectingInformationResourcesDigitalCertificatesFigure8-7Digitalcertificateshelpestablishtheidentityofpeopleorelectronicassets.Theyprotectonlinetransactionsbyprovidingsecure,encrypted,onlinecommunication.EssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsTechnologiesandToolsforProtectingInformationResourcesOnlinetransactionprocessingrequires100percentavailability,nodowntime.Fault-tolerantcomputersystemsForcontinuousavailability,forexample,stockmarketsContainredundanthardware,software,andpowersupplycomponentsthatcreateanenvironmentthatprovidescontinuous,uninterruptedserviceHigh-availabilitycomputingHelpsrecoverquicklyfromcrashMinimizes,doesnoteliminate,downtimeEnsuringSystemAvailabilityEssentialsofManagementInformationSystemsChapter8SecuringInformationSystemsTechnologiesandToolsforProtectingInformationResourcesRecovery-orientedcomputingDesigningsystemsthatrecoverquicklywithcapabilitiestohelpoperatorspinpointandcorrectfault
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 二零二五年度残障人士职业康复服务合同2篇
- 温州职业技术学院《BM概论与实训》2023-2024学年第一学期期末试卷
- 2025年度智能设备租赁服务与技术支持合同2篇
- 二零二五年度金融资产证券化股份质押交易合同3篇
- 2025年度学校窗帘更换及节能环保合同3篇
- 个人财产质押借款协议书(2024年修订)版
- 个人房产抵押贷款协议范本(2024版)版B版
- 渭南师范学院《乐理视唱二》2023-2024学年第一学期期末试卷
- 2024版简易自愿离婚合同书范例一
- 二零二五年度新能源汽车采购合同质量监控与配送管理细则3篇
- DB33T 2570-2023 营商环境无感监测规范 指标体系
- 上海市2024年中考英语试题及答案
- 房屋市政工程生产安全重大事故隐患判定标准(2024版)宣传海报
- 房屋市政工程生产安全重大事故隐患判定标准(2024版)宣传画册
- 垃圾车驾驶员聘用合同
- 2025年道路运输企业客运驾驶员安全教育培训计划
- 南京工业大学浦江学院《线性代数(理工)》2022-2023学年第一学期期末试卷
- 2024版机床维护保养服务合同3篇
- 《论拒不执行判决、裁定罪“执行能力”之认定》
- 工程融资分红合同范例
- 2024年贵州省公务员录用考试《行测》真题及答案解析
评论
0/150
提交评论