W9C8: Securing Information Systems, Benjamin - Coggle Diagram
System Vulnerability and Abuse
Why Systems Are Vulnerable
Security
Controls
Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
Software problems (programming errors, installation errors, unauthorized changes)
Disaster
Use of networks/computers outside of firm’s control
Loss and theft of portable devices
Internet Vulnerabilities
Network open to anyone
Use of fixed Internet addresses with cable/DSL modems creates fixed targets for hackers
Unencrypted VoIP
Wireless Security Challenges
Radio frequency bands easy to scan
SSIDs (service set identifiers)
War driving
Rogue access points
Malicious Software (Malware)
Viruses
Worms
Trojan horse
SQL injection attacks
Ransomware
Spyware
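The SQL injection item above names the attack without showing the mechanism. The following is an added example (not from the original diagram or its textbook): a login check written two ways against an in-memory SQLite table with constructed sample users. The vulnerable version splices user input into the statement text; the safe version passes the same input as bound parameters, so the input can never alter the statement's structure. Table and column names, the sample users and the payload are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
# Passwords are stored in plain text here only to keep the example short;
# a real system stores salted password hashes.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: attacker-controlled input
    becomes part of the SQL statement itself (deliberately vulnerable)."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver sends the statement and the values
    separately, so the input is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions with a legitimate login and with a tautology payload.

    The payload closes the password string and appends OR '1'='1', so the
    concatenated WHERE clause becomes true for every row and the vulnerable
    version logs the attacker in as the first user in the table."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_attack": login_vulnerable(conn, "nobody", payload),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
        "safe_attack": login_safe(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With the payload, `login_vulnerable` returns "alice" without knowing any password, while `login_safe` returns None because the quote characters are part of the compared value, not of the SQL.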
Hackers and Computer Crime
Activities
System intrusion
System damage
Cybervandalism
Hackers vs. crackers
Spoofing and sniffing
Denial-of-service attacks (DoS)
Distributed denial-of-service attacks (DDoS)
Botnets
Spam
Computer may be the target of crime or the instrument of crime
Identity theft
Phishing
Evil twins
Pharming
Click fraud
Cyberterrorism
Cyberwarfare
Internal Threats: Employees
Security threats often originate inside an organization
Sloppy security procedures
Both end users and information systems specialists are sources of risk
Software Vulnerability
Commercial software contains flaws that create security vulnerabilities
Bugs
Zero defects cannot be achieved
Flaws can open networks to intruders
Zero-day vulnerabilities
Patches
Business Value of Security and Control
Firms now are more vulnerable than ever
Confidential personal and financial data
Trade secrets, new products, strategies
Legal and Regulatory Requirements for Electronic Records Management
HIPAA
Gramm-Leach-Bliley Act
Sarbanes-Oxley Act
Electronic evidence
Computer forensics
Establishing a Framework for Security and Control
Information Systems Control
May be automated or manual
General controls
Application controls
Risk Assessment
Types of threat
Probability of occurrence during year
Potential loss per occurrence (value at risk)
Expected annual loss (probability of occurrence × potential loss per occurrence)
Security Policy
Ranks information risks, identifies security goals and mechanisms for achieving these goals
Drives other policies
Acceptable use policy (AUP)
Identity management
Disaster Recovery Planning
Devises plans for restoration of disrupted services
Business Continuity Planning
Focuses on restoring business operations after disaster
The Role of Auditing
Information systems audit
Security audits
List and rank control weaknesses and the probability of occurrence
Assess financial and organizational impact of each threat
Technologies and Tools for Protecting Information Resources
Identity Management and Authentication
Identity management software
Authentication
Password systems
Tokens
Smart cards
Biometric authentication
Two-factor authentication
Firewall
Combination of hardware and software that controls traffic between networks according to a rule set, blocking unauthorized users from accessing private networks
Intrusion detection system
Antivirus and antispyware software
Unified threat management (UTM) systems
Securing Wireless Networks
WEP security (deprecated; keys can be recovered from captured traffic in minutes, so it offers no real protection)
WPA2 specification (the current baseline; WPA3 is its successor)
Encryption and Public Key Infrastructure
Encryption
Transforming text or data into cipher text that cannot be read by unintended recipients
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS); SSL itself is deprecated, and current deployments use TLS 1.2 or later
Secure Hypertext Transfer Protocol (S-HTTP), an early alternative that saw little adoption; in practice web traffic is protected by HTTPS, i.e. HTTP over TLS
Symmetric key encryption
Public key encryption
Digital certificate
Public key infrastructure (PKI)
Securing Transactions with Blockchain
Distributed ledger of transactions
Cryptographic hashes and digital signatures verify users and transactions (the records themselves are usually not encrypted)
Decentralized
Records are tamper-evident: each block includes the hash of the previous block, so changing an earlier record invalidates every later block
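The "records cannot be changed" property above comes from hash chaining, which the following added example (not from the original diagram) makes concrete. It builds a small chain over constructed sample transactions, then shows two tampering attempts: editing a record in place breaks that block's own hash, and re-hashing the edited block only moves the break to the next block, whose stored "previous hash" no longer matches. This toy covers only the chaining; a real blockchain adds signatures on transactions and a consensus protocol across the decentralized copies, which is what stops an attacker from simply rewriting every later block on their own node.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(index: int, prev_hash: str, data: dict) -> str:
    """SHA-256 over the block's contents, including the previous block's
    hash; this inclusion is what links the records into a chain."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(records):
    """Append each record as a block whose hash covers its predecessor's hash."""
    chain = []
    prev = GENESIS_PREV
    for i, data in enumerate(records):
        h = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return the index of the first inconsistent block, or None if the
    chain is intact. A block is inconsistent if its stored hash does not
    match its contents or its `prev` does not match the previous block."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev:
            return block["index"]
        if block_hash(block["index"], block["prev"], block["data"]) != block["hash"]:
            return block["index"]
        prev = block["hash"]
    return None


def tamper_demo():
    """Build a chain from constructed sample transactions, then tamper with it."""
    chain = build_chain([
        {"from": "alice", "to": "bob", "amount": 10},
        {"from": "bob", "to": "carol", "amount": 4},
        {"from": "carol", "to": "alice", "amount": 1},
    ])
    results = {"intact": verify_chain(chain)}

    # Attacker edits an earlier record in place: block 1's hash no longer
    # matches its contents.
    chain[1]["data"]["amount"] = 400
    results["edited"] = verify_chain(chain)

    # Attacker also recomputes block 1's hash: block 2 still points at the
    # old hash, so the break moves forward instead of disappearing.
    chain[1]["hash"] = block_hash(1, chain[1]["prev"], chain[1]["data"])
    results["rehashed"] = verify_chain(chain)
    return results


if __name__ == "__main__":
    print(tamper_demo())
```

Hiding the edit would require rewriting every block after the edited one, and, in a decentralized system, getting the other participants to accept the rewritten history.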
Ensuring System Availability
Fault-tolerant computer systems
Deep packet inspection
Security outsourcing
Managed security service providers (MSSPs)
Security Issues for Cloud Computing and the Mobile Digital Platform
Security in the cloud
Securing mobile platforms
Ensuring Software Quality
Software metrics: Objective assessments of system in form of quantified measurements
Early and regular testing
Walkthrough
Debugging