Post on 18-Dec-2015
transcript
4/15: Security & Controls in IS
• Systems Vulnerabilities
• Controls: what to use to guard against vulnerabilities
– General controls
– Application controls
• Internet & eCommerce controls
– Firewalls
– Encryption
– Authentication
• Assessments & Audits
Systems Vulnerabilities
• Ex: DDoS attacks in February 2000
• Why worry?
– Financial impact of downtime is staggering:

Type of Loss            Brokerage site (8 hrs)   Auction site (22 hrs)
Direct revenues loss    $204,000                 $341,652
Compensatory loss       $0                       $943,521
Lost future revenues    $4,810,320               $1,024,955
Worker downtime loss    $117,729                 $46,097
Delay-to-market         $60,000                  $358,734
Total impact            $5,220,159               $2,773,416
How are systems vulnerable?
• If destroyed
– Systems cannot be replicated manually
– Systems are not easily understood or audited
– Systems’ records can be permanently lost
• Hardware: fire, earthquake, etc.
• Software: electrical problems, bugs
• Personnel actions: user errors, maliciousness
• Access: program changes, data changes
• Data & services: telecommunication failures
So what if it’s vulnerable?
• Use a risk assessment to decide if the costs of protecting against the vulnerability outweigh the potential losses from it.
• Ex. Online Order Processing Risk Assessment

Exposure        Prob. (%)   Loss range ($)      Avg. loss ($)   Exp. ann. loss ($)
Power failure   30%         5,000 – 200,000     102,500         30,750
Embezzlement    5%          1,000 – 50,000      25,500          1,275
User error      98%         200 – 40,000        20,100          19,698
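The table above is produced by one rule: expected annual loss equals the probability of the exposure times its average loss, where the average is the midpoint of the loss range (true for all three rows). The following is an added example, not part of the lecture, that reproduces the table from those inputs, ranks the exposures by expected loss, and extends the idea to the slide's cost/benefit question: a control is worth buying when the expected loss it removes exceeds its annual cost. The UPS scenario (cost, residual probability) is a constructed assumption.

```python
# Added example (not from the lecture): expected-annual-loss risk assessment
# using the lecture's figures, extended with a cost/benefit decision for a
# proposed control. Control cost and residual probability are constructed.
from dataclasses import dataclass

@dataclass
class Exposure:
    name: str
    probability: float        # annual probability of occurrence (0..1)
    loss_min: float           # low end of the loss range ($)
    loss_max: float           # high end of the loss range ($)

    @property
    def avg_loss(self) -> float:
        # The lecture's "avg." column is the midpoint of the loss range.
        return (self.loss_min + self.loss_max) / 2

    @property
    def expected_annual_loss(self) -> float:
        # Exp. ann. loss = probability x average loss
        return self.probability * self.avg_loss

# Figures from the lecture's Online Order Processing example.
EXPOSURES = [
    Exposure("Power failure", 0.30, 5_000, 200_000),
    Exposure("Embezzlement", 0.05, 1_000, 50_000),
    Exposure("User error", 0.98, 200, 40_000),
]

def rank_by_expected_loss(exposures):
    """Return (name, expected annual loss) pairs, largest first, so the
    exposures that deserve controls first come out on top."""
    return sorted(((e.name, e.expected_annual_loss) for e in exposures),
                  key=lambda pair: pair[1], reverse=True)

def control_is_worthwhile(exposure, annual_control_cost, residual_probability):
    """Decide whether a control pays for itself: the reduction in expected
    annual loss it buys must exceed what it costs per year.
    residual_probability is the assumed probability after the control is in place.
    Returns (decision, annual benefit)."""
    reduced = Exposure(exposure.name, residual_probability,
                       exposure.loss_min, exposure.loss_max)
    benefit = exposure.expected_annual_loss - reduced.expected_annual_loss
    return benefit > annual_control_cost, benefit

if __name__ == "__main__":
    for name, eal in rank_by_expected_loss(EXPOSURES):
        print(f"{name:<14} expected annual loss ${eal:,.0f}")
    # Constructed scenario: a UPS costing $8,000/yr cuts the power-failure
    # probability from 30% to 5%.
    ok, benefit = control_is_worthwhile(EXPOSURES[0], 8_000, 0.05)
    print(f"UPS worthwhile? {ok} (benefit ${benefit:,.0f}/yr)")
```

Ranking shows why the slide's "so what" matters: user error, with a modest average loss, still outranks embezzlement because it is almost certain to happen in a given year.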
Example of vulnerabilities: hackers
• Hackers
– “A person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure.”
– Create computer viruses, DDoS attacks, etc.
Examples of vulnerabilities: viruses
• “Rogue software programs that are difficult to detect and spread rapidly, destroying data or disrupting processing & memory systems.”
• Chernobyl (CIH) virus
• Badtrans.B virus
• Nimda virus
• Antivirus software is a necessity.
– Virus definitions MUST BE UPDATED FREQUENTLY (min. every 2 weeks).
Concerns for systems builders
• Disaster
– Build backup facilities
– Build fault-tolerant systems
  • Have extra hardware, software, power, processing capability in case something fails
– Contract with a disaster recovery firm
• Security
– “Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to IS.”
• Errors: prevention
Systems quality issues: software
• Software bugs
– “Program code defects or errors.”
– Main sources: decision code, poor design specs.
• Maintenance
– 50% of ITS staff time is spent “maintaining” existing systems.
– Why?
  • Organizational changes
  • Software complexity
  • Faulty systems analysis discovered too late
Systems quality issue: data quality
• Most common source of IS failure
• “Bad data”:
– Input improperly or incorrectly
– Faulty processing or database design
• FBI’s computerized criminal-records system
– Estimated that 54% of records are wrong, incomplete, or ambiguous.
Controls: Guards against Errors
• “All of the methods, policies, and procedures that ensure protection of the organization’s assets, accuracy and reliability of its records, and operational adherence to management standards.”
• Two types of IS controls:
– General controls
– Application controls
General controls
• “Overall controls that establish a framework for controlling the design, security, and use of computer programs in the organization.”
• Implementation controls
• Software controls
• Hardware controls
• Computer operations controls
• Data security controls
• Administrative controls
General controls
• Implementation controls
– “The audit of the systems development process at various points to make sure that it is properly controlled and managed.”
– Controlling the systems development process
General controls
• Software controls
– “Controls to ensure the security and reliability of software.”
– Control access to and use of computer programs.
General controls
• Hardware controls
– “Controls to ensure the physical security and correct performance of computer hardware.”
– Physical security:
  • Locking doors to computer rooms
  • Ensuring correct humidity & temperature of computer rooms
  • Etc.
General controls
• Computer operations controls
– “Procedures to ensure that programmed procedures are consistently and correctly applied to data storage and processing.”
– Examples:
  • Backing up and recovering files
  • Controlling setup of computer processing jobs
  • Etc.
General controls
• Data security controls
– “Controls to ensure that data files on either disk or tape are not subject to unauthorized access, change, or destruction.”
– Keeping data safe & secure:
  • Restricting physical access to terminals to authorized users
  • System passwords
  • Additional password sets for specific data or applications
General controls
• Administrative controls
– “Formalized standards, rules, procedures, and disciplines to ensure that the organization’s controls are properly executed and enforced.”
– Making sure that people do what they’re supposed to do.
– Examples:
  • Segregation of functions: no one position has total access to, responsibility for, or control of data
  • Written policies & procedures for controlling IS operations
Application controls
• “Specific controls within each separate computer application, such as payroll or order processing.”
• Input controls
– Check data coming into the system.
– Control totals count the number of transactions or fields before processing.
– Edit checks can fix errors in inputs before processing.
• Processing controls
– Establish that data are complete & accurate during processing.
– Run control totals reconcile the input control totals with the totals of items that have updated a file.
– Computer matching highlights unmatched items between what was input and what was processed.
– Edit checks can highlight errors before processing is finalized.
• Output controls
– Ensure that results of processing are accurate, complete, and properly distributed.
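The input and processing controls above are easiest to see on a concrete batch. The following is an added example, not from the lecture, that runs a constructed batch of order transactions through input control totals (record count and hash total of the amount field), edit checks, posting to a customer master file, run control totals reconciled against the input totals, and computer matching to list the items that were input but never posted. The record layout, the batch header values and the edit rules are assumptions made for illustration.

```python
# Added example (not from the lecture): input controls (control totals, edit
# checks) and processing controls (run control totals, computer matching) over
# a constructed batch of order transactions. The record layout, the batch
# header and the edit rules are assumptions made for illustration.
from decimal import Decimal, InvalidOperation

# Constructed batch as keyed in by data entry: (order id, customer id, amount).
INPUT_BATCH = [
    ("1001", "C17", "120.50"),
    ("1002", "C42", "75.00"),
    ("1003", "",    "310.25"),   # missing customer: an edit check should catch it
    ("1004", "C17", "-15.00"),   # negative amount: likewise
    ("1005", "C09", "48.75"),
]
# Batch header recorded by hand before processing (constructed): record count
# and hash total of the amount field.
DECLARED_COUNT = 5
DECLARED_HASH_TOTAL = Decimal("539.50")

def control_totals(records):
    """Count the transactions and total the amount field."""
    return len(records), sum((Decimal(r[2]) for r in records), Decimal("0"))

def edit_check(record):
    """Return the list of problems with one record; empty means it passes."""
    _order_id, customer, amount = record
    problems = []
    if not customer:
        problems.append("missing customer")
    try:
        if Decimal(amount) <= 0:
            problems.append("amount must be positive")
    except InvalidOperation:
        problems.append("amount not numeric")
    return problems

def validate_input(records, declared_count, declared_hash_total):
    """Input controls. Returns (accepted records, rejected (id, problems),
    whether the computed control totals agree with the batch header)."""
    count, hash_total = control_totals(records)
    totals_agree = count == declared_count and hash_total == declared_hash_total
    accepted, rejected = [], []
    for record in records:
        problems = edit_check(record)
        if problems:
            rejected.append((record[0], problems))
        else:
            accepted.append(record)
    return accepted, rejected, totals_agree

def post_to_master(records, master):
    """Processing step: apply each accepted order to the customer master file.
    Returns the ids actually posted and the run control totals."""
    posted = []
    for order_id, customer, amount in records:
        master[customer] = master.get(customer, Decimal("0")) + Decimal(amount)
        posted.append(order_id)
    return posted, control_totals(records)

def reconcile(input_totals, run_totals):
    """Processing control: run control totals must equal the input control totals."""
    return input_totals == run_totals

def computer_matching(input_ids, posted_ids):
    """Processing control: items input but never applied to the file."""
    return sorted(set(input_ids) - set(posted_ids))

if __name__ == "__main__":
    accepted, rejected, totals_agree = validate_input(INPUT_BATCH, DECLARED_COUNT, DECLARED_HASH_TOTAL)
    print("batch header agrees with control totals:", totals_agree)
    for order_id, problems in rejected:
        print("rejected", order_id, "->", "; ".join(problems))
    master = {}
    posted, run_totals = post_to_master(accepted, master)
    print("run totals reconcile:", reconcile(control_totals(accepted), run_totals))
    print("unmatched items:", computer_matching([r[0] for r in INPUT_BATCH], posted))
```

Amounts are handled as Decimal rather than float so that control totals compare exactly; a hash total that is off by a rounding error would otherwise look like a lost or altered transaction.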
Internet & eCommerce controls
• Threats are greater because of greater access to systems by anonymous outsiders.
• Firewalls: proxy & stateful inspection
• Encryption
• Authentication: digital signatures, digital certificates
Internet controls: Firewalls
• Prevent access by unauthorized users to a private network from the outside, usually the Internet.
• Proxy firewalls
– Accept data from outside, then pass a copy (not the original files) along to the internal destination.
– Can work similarly going from inside to outside.
• Stateful inspection firewalls
– Check each type of packet that comes in, and let it pass if it is an approved type.
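What "approved type" means for a stateful inspection firewall is clearer with a small model. The following is an added example, not from the lecture, of a minimal stateful filter: connections opened from the private network to approved services are recorded in a table, only replies on those recorded connections are let back in, and any other inbound packet (including a fresh connection attempt that merely looks like a reply) is dropped. The packet layout, rule set and sample traffic are constructed for illustration; a real firewall also tracks TCP state transitions, timeouts and much more.

```python
# Added example (not from the lecture): a minimal stateful inspection filter.
# Packet layout, the rule set and the sample traffic are constructed for
# illustration; a real firewall also tracks timeouts, TCP state and more.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the Internet, "out" = leaving the private network
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: a brand-new connection attempt

# Approved packet types: services hosts on the private network may reach outbound.
OUTBOUND_RULES = {("tcp", 80), ("tcp", 443), ("udp", 53)}

class StatefulFirewall:
    """Keeps a table of connections opened from the inside so that only their
    replies are let back in; everything else from the outside is dropped."""

    def __init__(self):
        self.connections = set()   # (proto, inside ip, inside port, outside ip, outside port)

    def filter(self, pkt: Packet) -> str:
        """Return "accept" or "drop" for one packet."""
        if pkt.direction == "out":
            if (pkt.proto, pkt.dport) in OUTBOUND_RULES:
                self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "accept"
            return "drop"
        # Inbound: accept only a reply on a known connection, never a new SYN.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections and not pkt.syn:
            return "accept"
        return "drop"

def simulate(packets):
    """Run a fresh firewall over a packet sequence; returns one decision per packet."""
    fw = StatefulFirewall()
    return [fw.filter(p) for p in packets]

# Constructed traffic (RFC 5737 documentation addresses).
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", "192.0.2.10", 40000, "198.51.100.5", 443, syn=True),  # inside host opens HTTPS
    Packet("in",  "tcp", "198.51.100.5", 443, "192.0.2.10", 40000),            # server's reply
    Packet("in",  "tcp", "203.0.113.9", 5555, "192.0.2.10", 22, syn=True),     # unsolicited inbound SSH
    Packet("out", "tcp", "192.0.2.10", 40001, "203.0.113.9", 23),              # telnet out: not approved
    Packet("in",  "tcp", "198.51.100.5", 443, "192.0.2.10", 40000, syn=True),  # new SYN dressed as a reply
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, simulate(SAMPLE_TRAFFIC)):
        print(f"{verdict:>6}  {pkt.direction:<3} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The last packet is the point of "stateful": it matches a recorded connection on every address and port, yet it carries a SYN, so it is a new connection attempt rather than a reply and is dropped.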
Internet controls: Encryption
• Coding and scrambling of messages to prevent unauthorized access to or understanding of the data being transmitted.
• Public key encryption: uses two “keys”, one public, one private.
[Diagram: Sender (public key) → scrambled message → Recipient (private key)]
Internet controls: Authentication
• Digital signatures
– Not fully developed yet; some governmental approval
– Unique digital code attached to a message to identify the user, like a signature
• Digital certificates
– Use a third party (ex. Verisign) to guarantee the identity of the user
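The encryption slide (two keys, one public and one private) and the authentication slide (signatures and third-party certificates) are the same mathematics used in different directions. The following is an added example, not from the lecture, using textbook RSA with tiny hand-picked primes: the sender scrambles with the recipient's public key and only the private key unscrambles; the signer uses the private key and anyone with the public key can verify; and a third party vouches for a public key by signing a certificate that binds a name to it. The primes, messages and subject name are constructed; there is no padding and the modulus is far too small for real use, so this illustrates the mechanism only.

```python
# Added example (not from the lecture): textbook RSA with tiny hand-picked
# primes, to show (1) the two-key idea from the encryption slide, (2) signing
# with a private key and verifying with the public key, and (3) a third party
# vouching for a public key by signing a certificate. Toy parameters and no
# padding: illustration only, never for real use.
import hashlib

def generate_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) from two primes.
    Real keys use large random primes; these are chosen by hand."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)

def encrypt(public_key, message: int) -> int:
    """Sender scrambles with the recipient's PUBLIC key."""
    n, e = public_key
    return pow(message, e, n)

def decrypt(private_key, ciphertext: int) -> int:
    """Only the holder of the matching PRIVATE key can unscramble."""
    n, d = private_key
    return pow(ciphertext, d, n)

def _digest_mod_n(message: bytes, n: int) -> int:
    # Hash the message and reduce it into the range the toy modulus allows.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message: bytes) -> int:
    """Digital signature: a code only the private-key holder could have produced."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)

def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature against the message."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)

def issue_certificate(ca_private_key, subject: str, subject_public_key) -> dict:
    """A trusted third party binds a name to a public key by signing both."""
    n, e = subject_public_key
    body = f"{subject}:{n}:{e}".encode()
    return {"subject": subject, "public_key": subject_public_key,
            "signature": sign(ca_private_key, body)}

def check_certificate(ca_public_key, cert: dict) -> bool:
    """The relying party trusts the CA's public key, so it can trust the binding."""
    n, e = cert["public_key"]
    body = f"{cert['subject']}:{n}:{e}".encode()
    return verify(ca_public_key, body, cert["signature"])

if __name__ == "__main__":
    recipient_pub, recipient_priv = generate_keypair(61, 53)    # n = 3233
    scrambled = encrypt(recipient_pub, 65)
    print("scrambled:", scrambled, "-> recovered:", decrypt(recipient_priv, scrambled))

    order = b"ship 10 units to customer C17"
    sig = sign(recipient_priv, order)
    print("signature verifies:", verify(recipient_pub, order, sig))
    print("tampered message verifies:", verify(recipient_pub, order + b"0", sig))

    ca_pub, ca_priv = generate_keypair(89, 97)                  # the third party's keys
    cert = issue_certificate(ca_priv, "alice", recipient_pub)
    print("certificate checks out:", check_certificate(ca_pub, cert))
```

The certificate step is what the slide's "third party" buys you: a relying party that has never met the subject needs only the CA's public key to decide whether the public key it was handed really belongs to that name.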
Do your controls work well?
• Use an MIS audit.
– “Identifies all the controls that govern individual information systems and assesses their effectiveness.”
• The audit:
– Lists and ranks all the control weaknesses,
– Estimates the probability of occurrence, and
– Assesses the financial & organizational impact of each threat.