Risks, Security, and Disaster RecoveryDr. Franklin Asamoa-Baah

ObjectivesDescribe the primary goals of information security and types of risks to ISList the various types of attacks on networked systems and controls required to ensure integrityDescribe the various kinds of security measures that can be taken to protect data and ISOutline the principles of developing a recovery planExplain the economic aspects of information security

Goals of Information SecurityProtecting IT resources is a primary concernSecuring corporate ISs increasingly challengingMajor goals of information securityReduce risk of systems ceasing operationMaintain information confidentialityEnsure integrity of data resourcesEnsure uninterrupted availability of resourcesEnsure compliance with policies

Risks to Information SystemsDowntime: time when IS is not availableExtremely expensive$4 billion lost annually in U.S.

Risks to HardwareMajor causes of damage to machineNatural disastersFireFlood StormsBlackouts and brownoutsBlackout: total loss of electricityBrownout: partial loss of electricityUninterruptible power supply (UPS): backup powerVandalismDeliberate destruction

Risks to Data and ApplicationsData primary concern because uniqueSusceptible toDisruptionDamageTheft

Identity theft: pretending to be another person

Risks to Data and Applications (continued)Risk to dataAlterationDestructionWeb defacementDeliberate alteration or destruction is a prankTarget may be Web site

Risks to Data and Applications (continued)Honeypot: server containing mirrored copy of databaseVirus: spread from computer to computerWorm: spread in network without human interventionTrojan horse: virus disguised as legitimate softwareLogic bomb: cause damage at specific time

Risks to Online OperationsMany hackers try to interrupt business dailyAttacksUnauthorized accessData theftDefacing of Web pagesDenial-of-serviceHijacking

Computer HijackingHijacking: linking computer to public network without consentDone for DDoSDone by installing bot on computerHijackers usually send SPAMBot planted by exploiting security holesInstall e-mail forwarding software

ControlsControls: constraints on user or systemCan secure against risksEnsure nonsensical data is not enteredCan reduce damage

Controls (continued)Figure 14.1: Common controls to protect systems from risks

BackupBackup: duplication of all dataRedundant Arrays of Independent Disks (RAID): set of disks programmed to replicate stored dataData must be routinely transported off-site

Access ControlsAccess controls: require authorized accessPhysical locksSoftware locksThree types of access controlsWhat you knowUser ID and passwordWhat you haveRequire special devicesWhat you arePhysical characteristics

Access Controls (continued)Passwords stored in OS or databaseSecurity card more secure than passwordAllows two-factor accessBiometric: unique physical characteristicFingerprintsRetinal picturesVoiceprints

Atomic TransactionsAtomic transaction: set of indivisible transactions. Either all files are updated or none is updated, and if not, control produces error reportsAll executed or noneEnsure only full entry occursControl against malfunction and fraud

Atomic Transactions (continued)Figure14.2: Atomic transactions ensure updating of all appropriate files.Either all files are updated, or none are updated and the control produces an error message

Audit TrailAudit trail: documented facts that help detect who recorded transactionsSometimes automatically created

Security MeasuresOrganizations can protect against attacksFirewallsAuthenticationEncryptionDigital signaturesDigital certificates

Firewalls and Proxy ServersFirewall: best defenseHardware and softwareBlocks access to computing resourcesRoutinely integrated into routersDMZ: demilitarized zone approachOne end of network connected to trusted network other end to public networkProxy server: represent another serverEmploys firewall

Authentication and EncryptionEncrypt and authenticate messages to ensure securityMessage may not be textImageSoundAuthentication: process of ensuring sender is validEncryption: coding message to unreadable form

Authentication and Encryption (continued)Figure 14.4: Encrypting communications increases security

Authentication and Encryption (continued)Encryption programsPlaintext: original messageCiphertext: coded messageUses mathematical algorithm and keyKey is combination of bits that deciphers ciphertextSymmetric encryption: sender and recipient use same keyAsymmetric encryption: public and private key used

The Downside of Security MeasuresSingle sign-on (SSO): user name/password entered only onceSaves timeEncryption slows down communicationIT specialists must clearly explain implications of security measures

The Business Recovery PlanBusiness recovery plans: plan to recover from disasterNine stepsObtain managements commitmentEstablish planning committeePerform risk assessment and impact analysisPrioritize recovery needsSelect recovery planSelect vendorsDevelop and implement planTest planContinually test and evaluate

The Economics of Information SecuritySecurity analogous to insuranceSpending should be proportional to potential damageAccess minimum rate of system downtime

How Much Security Is Enough Security?Two costs to considerCost of potential damageCost of implementing preventative measureCompanies try to find optimal pointNeed to define what needs to be protectedNever exceed value of protected system

Calculating DowntimeTry to minimize downtimeMission-critical systems must be connected to alternative source of powerMore ISs interfaced with other systemsInterdependent systems have greater downtime

SummaryPurpose of controls and security measures is to maintain functionality of ISsRisks to IS include risks to hardware, data, and networks, and natural disaster and vandalismRisks to data include theft, data alteration, data destruction, defacement of Web sites, and virusesRisk to online systems include denial of service and hijacking

Summary (continued)Controls used to minimize disruptionAccess controls require information to be entered before resources are made availableAtomic transactions ensures data integrityFirewalls protect against Internet attacksEncryption schemes protect messaging on Internet

******************************