IS, Chapter 4 notes
These 4-page class notes were uploaded by Daria Trikolenko on Friday, September 16, 2016. They belong to CIS 2010 at Georgia State University, taught by Jim Senn in Fall 2016. Since upload they have received 20 views.
Date Created: 09/16/16
Chapter 4. Introduction to information security

Security can be defined as the degree of protection against criminal activity, danger, damage and loss. Information security: all of the processes and policies designed to protect an organization's information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

1) Organizations collect information and run information systems that are subject to myriad threats (a threat is any danger to which a system may be exposed).
2) The exposure of an information resource is the harm, loss or damage that can result if a threat compromises that resource.
3) An information resource's vulnerability is the possibility that the system will be harmed by a threat.

Five key factors contributing to the increasing vulnerability of information resources:
- Today's interconnected, interdependent, wirelessly networked business environment;
- Smaller, faster, cheaper computers and storage devices;
- Decreasing skills necessary to be a computer hacker;
- International organized crime taking over cybercrime;
- Lack of management support.

Unintentional threats to IS: acts performed without malicious intent that nevertheless represent a serious threat to information security.

Human errors:
- The higher the level of the employee, the greater the threat he poses to information security;
- Employees in two areas of the organization pose a significant threat to information security: human resources and IS;
- Errors are typically the result of laziness, carelessness, or lack of awareness concerning information security.

Social engineering: an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords. Two social engineering techniques:
1) Tailgating: lets the perpetrator enter restricted areas that are controlled with locks or card entry by following an authorized person through;
2) Shoulder surfing: the perpetrator watches an employee's computer screen over the employee's shoulder.
Deliberate threats to IS:

Espionage or trespass: an unauthorized individual attempts to gain illegal access to organizational information.
- Competitive intelligence: legal information-gathering techniques, such as studying a company's web site and press releases.
- Industrial espionage: crosses the legal boundary.

Information extortion: an attacker either threatens to steal or actually steals information from a company.

Sabotage or vandalism: deliberate acts that involve defacing an organization's web site, potentially damaging the organization's image and causing its customers to lose faith.

Theft of equipment or information: small devices (cell phones) are easier to steal, together with the information they hold. Dumpster diving involves rummaging through commercial or residential trash to find discarded information (papers, files, letters, IDs).

Identity theft: the deliberate assumption of another person's identity, to gain access to his financial information or to frame him for a crime.

Compromises to intellectual property: property created by individuals or corporations that is protected under trade secret, patent, and copyright laws.
- Trade secret: intellectual work that is a company secret and is not based on public information.
- Patent: an official document that grants the holder exclusive rights to an invention or a process for a specified period of time (20 years).
- Copyright: a statutory grant that provides the creator or owner of intellectual property with ownership for a designated period (+70 years).
- Piracy: a major problem for software vendors.

Software attacks:
- Malware attacks, typically via the Web, to make money;
- Remote attacks requiring user action (virus, worm, phishing attack);
- Remote attacks needing no user action (denial-of-service attack, distributed denial-of-service attack);
- Attacks by a programmer developing a system (Trojan horse, back door, logic bomb).

Alien software: clandestine software that is installed on your computer through duplicitous methods:
- adware (pop-up ads);
- spyware;
- spamware;
- cookies.
Supervisory control and data acquisition (SCADA) attacks: attacks on large-scale, distributed measurement and control systems used to monitor or control chemical, physical, and transport processes (e.g., oil refineries).

Cyberterrorism and cyberwarfare: malicious acts in which attackers use a target's computer systems, particularly via the internet, to cause physical, real-world harm or severe disruption, often to carry out a political agenda.

What organizations are doing to protect information resources

Difficulties in protecting information resources:
- Hundreds of potential threats;
- Resources may be situated in many locations;
- Networks are located outside of the organization;
- The online commerce industry is not willing to install safeguards;
- It is difficult to catch perpetrators.

Risk: the probability that a threat will impact an information resource. The goal of risk management is to identify, control and minimize the impact of threats, reducing risk to acceptable levels.

Risk analysis:
1) Assessing the value of each asset being protected;
2) Estimating the probability that each asset will be compromised;
3) Comparing the probable costs of the asset's being compromised with the cost of protecting that asset.

Risk mitigation: taking concrete actions against risks:
1) Implementing controls to prevent identified threats from occurring;
2) Developing a means of recovery if the threat becomes a reality.

Most common risk mitigation strategies:
- Risk acceptance
- Risk limitation
- Risk transference

Control evaluation: examines the cost of implementing adequate control measures against the value of those control measures.

Information security controls

Controls are designed to protect all of the components of an IS, including data and networks.

Physical controls: prevent unauthorized individuals from gaining access to the company's facilities (walls, doors, fencing, gates, pressure sensors, motion detectors). Organizations also implement physical security measures that limit computer users to acceptable login times and locations.
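The three risk analysis steps and the three mitigation strategies above are easier to see with numbers. The following is an added worked example, not part of the class notes or the textbook: each constructed asset carries a value, an estimated yearly probability of compromise, and the cost of a control; the script computes the expected annual loss (value times probability) and then goes one step beyond the notes by pricing acceptance, limitation and transference side by side and picking the cheapest. The asset names, figures and the optional insurance premium are all assumptions made for the illustration.

```python
"""Worked risk-analysis example (added illustration, not from the notes).

Step 1: value of each asset.  Step 2: probability it is compromised in a
year.  Step 3: compare the probable cost of compromise with the cost of
protection.  Expected annual loss = value * probability.  The example also
prices the three common strategies from the notes and picks the cheapest.
All figures are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    value: float                  # loss if the asset is fully compromised
    probability: float            # estimated yearly probability of compromise
    control_cost: float           # yearly cost of the protective control
    control_effectiveness: float  # fraction of the expected loss the control removes
    transfer_premium: Optional[float] = None  # yearly insurance premium, if offered


def expected_loss(asset: Asset) -> float:
    """Steps 1 and 2 combined: asset value times probability of compromise."""
    return asset.value * asset.probability


def strategy_costs(asset: Asset) -> dict:
    """Step 3: yearly cost of each risk strategy for this asset."""
    loss = expected_loss(asset)
    costs = {
        # Risk acceptance: do nothing and carry the expected loss.
        "acceptance": loss,
        # Risk limitation: pay for the control, carry the residual loss.
        "limitation": asset.control_cost + loss * (1 - asset.control_effectiveness),
    }
    if asset.transfer_premium is not None:
        # Risk transference: pay a third party (e.g. an insurer) to carry the loss.
        costs["transference"] = asset.transfer_premium
    return costs


def recommend(asset: Asset):
    """Return (strategy, yearly_cost) for the cheapest strategy."""
    costs = strategy_costs(asset)
    best = min(costs, key=costs.get)
    return best, costs[best]


# Constructed sample assets (hypothetical names and figures).
ASSETS = [
    Asset("customer database", 500_000, 0.10, 20_000, 0.9, 45_000),
    Asset("lobby kiosk", 2_000, 0.50, 1_500, 1.0, 900),
    Asset("old printer", 300, 0.20, 400, 1.0),
]


def risk_register(assets=ASSETS) -> dict:
    """Map each asset name to its recommended strategy."""
    return {a.name: recommend(a)[0] for a in assets}


if __name__ == "__main__":
    for a in ASSETS:
        strategy, cost = recommend(a)
        print(f"{a.name:18s} expected loss {expected_loss(a):>9,.0f}"
              f"  -> {strategy} ({cost:,.0f}/yr)")
```

The control on the customer database pays for itself (it removes most of a 50,000 expected loss for 20,000), the kiosk is cheaper to insure than to protect, and the printer's control costs more than the loss it prevents, so that risk is simply accepted.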
Access controls: restrict unauthorized individuals from using information resources.
- Authentication: confirms the identity of the person requiring access;
- Authorization: determines which actions, rights or privileges that person has.

Communications (network) controls: secure the movement of data across networks. They consist of:
1) Firewalls: systems that prevent a specific type of information from moving between untrusted networks and private networks.
2) Anti-malware systems (antivirus): software packages that attempt to identify and eliminate viruses, worms, and other malicious software. They filter traffic according to a database of specific problems.
3) Whitelisting: a process in which a company identifies the software that it will allow to run on its computers. Blacklisting allows everything to run unless it is on the blacklist.
4) Encryption: the process of converting an original message into a form that cannot be read by anyone except the intended receiver. Public-key encryption uses two different keys: a public key and a private key.
5) Virtual private networking: a private network that uses a public network to connect users.
- Allows remote users to access the company network;
- Provides flexibility;
- Organizations can impose their security policies through VPNs.
6) Transport layer security: an encryption standard used for secure transactions such as credit card purchases and online banking.
7) Employee monitoring systems: scrutinize employees' computers, e-mail activities, and internet surfing activities.

Business continuity planning: a chain of events linking planning to protection and to recovery. It provides guidance to the people who keep the business operating after a disaster occurs.

Information system auditing: an examination of information systems, their inputs, outputs, and processing.
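The difference between whitelisting and blacklisting in item 3 is the default decision for software nobody has looked at yet. The following added example (not code from the notes or the textbook) models both policies; programs are identified by the SHA-256 of their contents rather than by file name, so renaming a file does not change the decision. The "executables" are constructed byte strings and the class and function names are assumptions made for the illustration.

```python
"""Whitelist (allow-list) vs blacklist (deny-list) application control.
Added illustration, not from the notes.  Programs are matched by the
SHA-256 of their contents; the sample programs are constructed byte
strings standing in for real executables."""
import hashlib


def fingerprint(contents: bytes) -> str:
    """Content hash used to identify a program regardless of its file name."""
    return hashlib.sha256(contents).hexdigest()


class ApplicationControl:
    """mode='whitelist': run only listed programs (default deny).
    mode='blacklist': run everything except listed programs (default allow)."""

    def __init__(self, mode: str, listed):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.mode = mode
        self.listed = {fingerprint(p) for p in listed}

    def allows(self, contents: bytes) -> bool:
        known = fingerprint(contents) in self.listed
        # Whitelist: allowed only if known.  Blacklist: allowed unless known.
        return known if self.mode == "whitelist" else not known


# Constructed sample programs (byte strings stand in for executables).
APPROVED_EDITOR = b"approved text editor v1"
KNOWN_BAD = b"known malicious tool"
UNKNOWN_NEW_TOOL = b"program nobody has assessed yet"

WHITELIST = ApplicationControl("whitelist", [APPROVED_EDITOR])
BLACKLIST = ApplicationControl("blacklist", [KNOWN_BAD])


def decisions(program: bytes) -> dict:
    """What each policy decides for one program."""
    return {"whitelist": WHITELIST.allows(program),
            "blacklist": BLACKLIST.allows(program)}


if __name__ == "__main__":
    samples = [("approved editor", APPROVED_EDITOR),
               ("known bad tool", KNOWN_BAD),
               ("unknown new tool", UNKNOWN_NEW_TOOL)]
    for name, program in samples:
        print(f"{name:18s} {decisions(program)}")
```

The unknown program is the interesting row: the whitelist blocks it until someone approves it, while the blacklist lets it run because nothing is yet known about it. That is why whitelisting is the stronger control and also why it needs an approval process to keep the list current.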
Auditors:
- internal (corporate);
- external (reviews the findings of the internal audits).

Audits:
- internal;
- external (part of the overall external auditing performed by a CPA).

How is auditing executed?
- Auditing around the computer: verifying processing by checking for known outputs using specific inputs;
- Auditing through the computer: checking inputs, outputs, and processing;
- Auditing with the computer: using a combination of client data, auditor software, and client and auditor hardware.