Information Systems
LECTURE 10:
Spyware
Phishing
Hoaxes
It has become imperative that organisations have
different types of controls depending on the sensitivity of
information, volume of transactions and size of the
organisation.
Viruses: Rogue software program that attaches itself to other
software programs or data files in order to be executed
SPAM
Junk e-mail
Avoid spam: Separate e-mail account
Spam filters
Antispam practices
TYPES OF CONTROL
Physical control can be implemented by restricting access to a certain
compound to authorised users only
Software controls through:
access privileges depending on their roles
password protection & authentication
anti-virus software,
Firewalls
intrusion detection systems
encryption
Virtual Private Networks (VPNs).
Surge protectors can be used for power surges and Uninterruptible
Power Supply (UPS) can be used for power outages
Proper backups and disaster recovery plans have to be designed
through program backup and data backup.
Clean-up services of computer hardware are also available, which
include cleaning keyboards, CPUs, mice, servers and joysticks
Why Systems Are Vulnerable
Hardware problems
Breakdowns, configuration errors, damage from improper use
or crime
Software problems
Programming errors, installation errors, unauthorized
changes
Disasters
Power failures, flood, fires, etc.
Use of networks and computers outside of the firm's control
E.g. with domestic or offshore outsourcing vendors
Hackers and Computer Crime
Hacking activities include
System intrusion
System damage
Cybervandalism
Intentional disruption, defacement,
destruction of Web site or corporate
information system
INTERNAL THREATS: EMPLOYEES
Security threats often originate inside an
organization
Inside knowledge
Social engineering:
Patches
Vendors release small pieces of software to repair flaws
INFORMATION SECURITY
Sniffer
Eavesdropping program that monitors information traveling
over network
Denial-of-service attacks (DoS)
Flooding server with thousands of false requests to
crash the network.
Botnets
Phishing
Setting up fake Web sites or sending e-mail messages
that look like legitimate businesses to ask users for
confidential personal data.
Evil twins
Wireless networks that pretend to offer trustworthy
Wi-Fi connections to the Internet
Pharming
Redirects users to a bogus Web page, even when
individual types correct Web page address into his
or her browser
Click fraud
Occurs when individual or computer program
fraudulently clicks on online ad without any
intention of learning more about the advertiser or
making a purchase
Computer crime
Defined as any violations of criminal law that involve
a knowledge of computer technology for their
perpetration, investigation, or prosecution
General controls
Govern design, security, and use of computer programs
and security of data files in general throughout
TYPES OF GENERAL CONTROLS
Software controls
Hardware controls
Computer operations controls
Data security controls
Implementation controls
Administrative controls
Security is defined as
Controls refer to
IS AND CONTROLS AUDIT
IS Audit
Securing IS
Firewall:
Combination of hardware and software that prevents unauthorized
users from accessing private networks
Technologies include:
Static packet filtering
Network address translation (NAT)
Application proxy filtering
Intrusion detection systems:
Monitor hot spots on corporate networks to detect and deter intruders
Examines events as they are happening to discover attacks in progress
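The two mechanisms just listed can be shown side by side. The following is an added example, not code from the lecture or from any firewall or IDS product: a static packet filter that evaluates an ordered rule list (first match wins, default deny) and a simple rate-based detector that raises an alert when one source sends more packets in a time window than a threshold allows, which is the pattern a flood-style denial-of-service attempt leaves in traffic. The rule table, the packet records and the addresses (10.0.0.5, 203.0.113.9, 198.51.100.7, 10.1.2.3) are all constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict, deque

# Static packet filter rules, evaluated in order. Each field is either a
# concrete value (an address or prefix, a port, a protocol) or None meaning
# "any". The last rule is the default deny. All values are constructed.
RULES = [
    # action, protocol, src prefix, dst prefix, dst port
    ("allow", "tcp", None,         "10.0.0.5", 443),  # public HTTPS to the web server
    ("allow", "tcp", "10.0.0.0/8", None,       22),   # SSH only from the internal network
    ("deny",  None,  None,         None,       None), # default deny
]


def _match_prefix(ip, prefix):
    """True if the address is inside the prefix (a bare address acts as a /32)."""
    return prefix is None or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def filter_packet(pkt, rules=RULES):
    """Return 'allow' or 'deny' for a packet dict by first-match rule evaluation."""
    for action, proto, src, dst, dport in rules:
        if proto is not None and pkt["proto"] != proto:
            continue
        if not _match_prefix(pkt["src"], src) or not _match_prefix(pkt["dst"], dst):
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        return action
    return "deny"  # reached only if the caller supplied a rule list without a default


class FloodDetector:
    """Sliding-window counter: alert when one source exceeds `threshold`
    packets within `window` seconds. This is the simplest form of the
    'examine events as they happen' monitoring an IDS performs."""

    def __init__(self, threshold=100, window=1.0):
        self.threshold, self.window = threshold, window
        self.history = defaultdict(deque)  # src -> timestamps in the window

    def observe(self, pkt):
        q = self.history[pkt["src"]]
        q.append(pkt["ts"])
        while q and pkt["ts"] - q[0] > self.window:
            q.popleft()  # drop timestamps that fell out of the window
        return len(q) > self.threshold  # True means raise an alert


def sample_traffic():
    """Constructed traffic: three ordinary packets, then a 150-packet burst
    from one source inside half a second."""
    pkts = [
        {"ts": 0.00, "proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.5", "dport": 443},
        {"ts": 0.01, "proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.5", "dport": 22},
        {"ts": 0.02, "proto": "tcp", "src": "10.1.2.3",    "dst": "10.0.0.5", "dport": 22},
    ]
    pkts += [
        {"ts": 1.0 + i * 0.003, "proto": "tcp", "src": "198.51.100.7",
         "dst": "10.0.0.5", "dport": 443}
        for i in range(150)
    ]
    return pkts


def run(pkts, threshold=100, window=1.0):
    """Pass every packet through the filter and the detector.
    Returns (list of filter decisions, set of sources that triggered an alert)."""
    detector = FloodDetector(threshold, window)
    decisions, alerts = [], set()
    for pkt in pkts:
        decisions.append(filter_packet(pkt))
        if detector.observe(pkt):
            alerts.add(pkt["src"])
    return decisions, alerts


if __name__ == "__main__":
    decisions, alerts = run(sample_traffic())
    print("allowed:", decisions.count("allow"), "denied:", decisions.count("deny"))
    print("flood alerts from:", sorted(alerts))
```

Note that the filter still allows the burst, because each packet on its own matches the HTTPS rule; only the detector, which looks at the sequence of events rather than one packet at a time, sees the problem. That is the division of labour between the two controls.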
Antivirus and antispyware software:
Checks computers for presence of malware and can often eliminate it as
well
Require continual updating
Encryption
Digital certificate:
Data file used to establish the identity of users and
electronic assets for protection of online transactions
Uses a trusted third party, a certification authority (CA),
to validate a user's identity
CA verifies the user's identity, stores the information on the CA
server, which generates an encrypted digital certificate
containing the owner's ID information and a copy of the owner's
public key
Public key infrastructure (PKI)
Use of public key cryptography working with a certificate
authority
Access Control
Access control is the basis for security against
threats by unauthorized persons.
Access control three-step process includes:
User identification.
User authentication.
User authorization.
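The three steps can be implemented as three separate functions, which keeps each decision auditable. The following is an added example, not code from the lecture: identification looks the claimed user name up in a user store, authentication checks the password against a salted PBKDF2 hash with a constant-time comparison, and authorization checks the action against the privileges of the user's role (the "access privileges depending on their roles" listed under software controls). The user accounts, roles, actions and passwords are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt):
    """Salted, iterated hash; only this value is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(role, password):
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user store; in a real system this is a directory or database.
USERS = {
    "alice": make_user("accountant", "correct horse battery staple"),
    "bob": make_user("clerk", "hunter2"),
}

# Constructed role-to-privilege mapping.
ROLE_PRIVILEGES = {
    "accountant": {"view_ledger", "post_journal"},
    "clerk": {"view_ledger"},
}


def identify(username):
    """Step 1, identification: map the claimed name to a known account (or None)."""
    return USERS.get(username)


def authenticate(username, password):
    """Step 2, authentication: prove the claimed identity with the password."""
    account = identify(username)
    if account is None:
        # Do the same amount of hashing work so that an unknown user name is
        # not distinguishable from a wrong password by response time.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, account["salt"])
    return hmac.compare_digest(candidate, account["hash"])  # constant-time compare


def authorize(username, action):
    """Step 3, authorization: may this (already authenticated) user do the action?"""
    role = USERS[username]["role"]
    return action in ROLE_PRIVILEGES.get(role, set())


def access(username, password, action):
    """Run the three steps in order. Returns (granted, reason)."""
    if not authenticate(username, password):
        return (False, "authentication failed")
    if not authorize(username, action):
        return (False, "not authorized for " + action)
    return (True, "granted")


if __name__ == "__main__":
    for args in [("alice", "correct horse battery staple", "post_journal"),
                 ("bob", "hunter2", "post_journal"),
                 ("bob", "wrong", "view_ledger")]:
        print(args[0], args[2], "->", access(*args))
```

Note that authorization is only reached after authentication succeeds, and that a wrong password and an unknown user name produce the same reason string and the same amount of work, so the response does not leak which accounts exist.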
INFORMAL CONTROLS
Education.
Training programs.
Management development programs.
Intended to ensure the firm's employees both
understand and support the security program.
Good business practice is not to spend more for a
control than the expected cost of the risk that it
addresses.
Establish controls at the proper level.
AUDIT TRAILS
CLASS DISCUSSION QUESTIONS