Information Systems Security and Control - PowerPoint PPT Presentation

About This Presentation
Title:

Information Systems Security and Control

Description:

1. Information Systems Security and Control. 8/25/09. 2. LEARNING OBJECTIVES ... SMART CARD: Chip stores e-cash. ELECTRONIC BILL PAYMENT: Electronic funds transfer ... – PowerPoint PPT presentation

Slides: 62
Provided by: cmpeBo

Transcript and Presenter's Notes

Title: Information Systems Security and Control


1
Information Systems Security and Control
2
LEARNING OBJECTIVES
  • DEMONSTRATE WHY INFO SYSTEMS ARE VULNERABLE TO
    DESTRUCTION, ERROR, ABUSE, QUALITY CONTROL
    PROBLEMS
  • COMPARE GENERAL AND APPLICATION CONTROLS

3
LEARNING OBJECTIVES
  • DESCRIBE MEASURES TO ENSURE RELIABILITY,
    AVAILABILITY, SECURITY OF E-COMMERCE, DIGITAL
    BUSINESS PROCESSES, SECURITY AND THE INTERNET

4
LEARNING OBJECTIVES
  • DESCRIBE IMPORTANT SOFTWARE QUALITY-ASSURANCE
    TECHNIQUES
  • DEMONSTRATE IMPORTANCE OF AUDITING INFO SYSTEMS
    & SAFEGUARDING DATA QUALITY

5
MANAGEMENT CHALLENGES
  • SYSTEM VULNERABILITY & ABUSE
  • CREATING A CONTROL ENVIRONMENT
  • ENSURING SYSTEM QUALITY

6
SYSTEM VULNERABILITY & ABUSE
  • WHY SYSTEMS ARE VULNERABLE
  • HACKERS & VIRUSES
  • CONCERNS FOR BUILDERS & USERS
  • SYSTEM QUALITY PROBLEMS

7
THREATS TO INFORMATION SYSTEMS
  • HARDWARE FAILURE, FIRE
  • SOFTWARE FAILURE, ELECTRICAL PROBLEMS
  • PERSONNEL ACTIONS, USER ERRORS
  • ACCESS PENETRATION, PROGRAM CHANGES
  • THEFT OF DATA, SERVICES, EQUIPMENT;
    TELECOMMUNICATIONS PROBLEMS

8
WHY SYSTEMS ARE VULNERABLE
  • SYSTEM COMPLEXITY
  • COMPUTERIZED PROCEDURES NOT ALWAYS READ OR
    AUDITED
  • EXTENSIVE EFFECT OF DISASTER
  • UNAUTHORIZED ACCESS POSSIBLE

9
VULNERABILITIES
  • RADIATION: Allows recorders, bugs to tap system
  • CROSSTALK: Can garble data
  • HARDWARE: Improper connections, failure of
    protection circuits
  • SOFTWARE: Failure of protection features, access
    control, bounds control
  • FILES: Subject to theft, copying, unauthorized
    access

10
VULNERABILITIES
  • USER: Identification, authentication, subtle
    software modification
  • PROGRAMMER: Disables protective features; reveals
    protective measures
  • MAINTENANCE STAFF: Disables hardware devices;
    uses stand-alone utilities
  • OPERATOR: Doesn't notify supervisor, reveals
    protective measures

11
HACKERS & COMPUTER VIRUSES
  • HACKER: Person gains access to computer for
    profit, criminal mischief, personal pleasure
  • COMPUTER VIRUS: Rogue program; difficult to
    detect; spreads rapidly; destroys data; disrupts
    processing & memory

12
Who are hackers?
  • DISGRUNTLED EMPLOYEES
  • Teenage hackers
  • Industrial spies
  • Foreign governments
  • Adventurous network users

13
Hacker Tactics
  • Tap into phone lines
  • Eavesdropping (on wireless LANs)
  • Changing packets
  • Capturing and distorting information

14
COMMON COMPUTER VIRUSES
  • CONCEPT, MELISSA: Word documents, e-mail.
    Deletes files
  • FORM: Makes clicking sound, corrupts data
  • EXPLORE.EXE: Attached to e-mail, tries to e-mail
    to others, destroys files
  • MONKEY: Windows won't run
  • CHERNOBYL: Erases hard drive, ROM BIOS
  • JUNKIE: Infects files, boot sector, memory
    conflicts

15
ANTIVIRUS SOFTWARE
  • SOFTWARE TO DETECT & ELIMINATE VIRUSES
  • ADVANCED VERSIONS RUN IN MEMORY TO PROTECT
    PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND
    ON INCOMING NETWORK FILES

16
CONCERNS FOR BUILDERS & USERS
  • DISASTER
  • BREACH OF SECURITY
  • ERRORS

17
DISASTER
  • LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE,
    POWER FAILURE, FLOOD OR OTHER CALAMITY
  • FAULT-TOLERANT COMPUTER SYSTEMS: Backup systems
    to prevent system failure (particularly On-line
    Transaction Processing)

18
SECURITY
  • POLICIES, PROCEDURES, TECHNICAL MEASURES TO
    PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT,
    PHYSICAL DAMAGE TO INFORMATION SYSTEMS

19
Network Security
  • A secure network must be able to prevent
    unauthorized users or intruders from accessing,
    corrupting or changing information.
  • Source: Process Software Corporation,
    http://www.process.com/news/whitesec.htp

20
WHERE ERRORS OCCUR
  • DATA PREPARATION
  • TRANSMISSION
  • CONVERSION
  • FORM COMPLETION
  • ON-LINE DATA ENTRY
  • KEYPUNCHING, SCANNING, OTHER INPUTS

21
WHERE ERRORS OCCUR
  • VALIDATION
  • PROCESSING / FILE MAINTENANCE
  • OUTPUT
  • TRANSMISSION
  • DISTRIBUTION

22
SYSTEM QUALITY PROBLEMS
  • SOFTWARE & DATA
  • BUGS: Program code defects or errors
  • MAINTENANCE: Modifying a system in production
    use can take up to 50% of analysts' time
  • DATA QUALITY PROBLEMS: Finding, correcting
    errors; costly & tedious

23
COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE
24
CREATING A CONTROL ENVIRONMENT
  • CONTROLS: Methods, policies, procedures to
    protect assets; accuracy & reliability of
    records; adherence to management standards
  • GENERAL CONTROLS
  • APPLICATION CONTROLS

25
GENERAL CONTROLS
  • IMPLEMENTATION: Audit system development to
    assure proper control, management
  • SOFTWARE: Ensure security, reliability of
    software
  • PHYSICAL HARDWARE: Ensure physical security,
    performance of computer hardware

26
GENERAL CONTROLS
  • COMPUTER OPERATIONS: Ensure procedures
    consistently, correctly applied to data storage,
    processing
  • DATA SECURITY: Ensure data disks, tapes protected
    from wrongful access, change, destruction
  • ADMINISTRATIVE: Ensure controls properly
    executed, enforced
  • SEGREGATION OF FUNCTIONS: Divide responsibility
    from tasks

27
APPLICATION CONTROLS
  • INPUT
  • PROCESSING
  • OUTPUT

28
INPUT CONTROLS
  • INPUT AUTHORIZATION: Record, monitor source
    documents
  • DATA CONVERSION: Transcribe data properly from
    one form to another
  • BATCH CONTROL TOTALS: Count transactions prior to
    and after processing
  • EDIT CHECKS: Verify input data, correct errors

29
PROCESSING CONTROLS
  • ESTABLISH THAT DATA IS COMPLETE, ACCURATE
    DURING PROCESSING
  • RUN CONTROL TOTALS: Generate control totals
    before & after processing
  • COMPUTER MATCHING: Match input data to master
    files

30
OUTPUT CONTROLS
  • ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE,
    PROPERLY DISTRIBUTED
  • BALANCE INPUT, PROCESSING, OUTPUT TOTALS
  • REVIEW PROCESSING LOGS
  • ENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTS
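
Added example (not part of the original slides): a Python sketch of the edit checks, batch/run control totals and input/output balancing listed on slides 28-30. The record fields `account` and `amount` and the sample batch are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

def edit_check(txn):
    """Input control: return the list of edit-check failures for one record."""
    errors = []
    if not str(txn.get("account", "")).isdigit():
        errors.append("account not numeric")
    try:
        if Decimal(txn["amount"]) <= 0:
            errors.append("amount not positive")
    except (InvalidOperation, KeyError, TypeError):
        errors.append("amount not a number")
    return errors

def control_totals(batch):
    """Record count, amount total and hash total for a batch that passed edit checks."""
    return {
        "record_count": len(batch),
        "amount_total": sum((Decimal(t["amount"]) for t in batch), Decimal("0")),
        # Hash total: sum of a non-monetary field. Meaningless as a number, but
        # it changes when a record is swapped for one with the same amount.
        "hash_total": sum(int(t["account"]) for t in batch),
    }

def reconcile(before, after):
    """Output control: names of the totals that no longer balance."""
    return [name for name in before if before[name] != after[name]]

# Constructed sample batch, as captured at data entry.
INPUT_BATCH = [
    {"account": "1001", "amount": "250.00"},
    {"account": "1002", "amount": "75.50"},
    {"account": "1003", "amount": "120.00"},
]

if __name__ == "__main__":
    before = control_totals(INPUT_BATCH)
    dropped = INPUT_BATCH[:2]  # a record lost during processing
    redirected = INPUT_BATCH[:2] + [{"account": "1009", "amount": "120.00"}]
    print("dropped record  ->", reconcile(before, control_totals(dropped)))
    print("changed account ->", reconcile(before, control_totals(redirected)))
    print("bad input       ->", edit_check({"account": "10A3", "amount": "-5"}))
```

The redirected record keeps the count and amount totals balanced, so only the hash total exposes it.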

31
SECURITY AND THE INTERNET
  • ENCRYPTION: Coding & scrambling messages to deny
    unauthorized access
  • AUTHENTICATION: Ability to identify another party
  • MESSAGE INTEGRITY
  • DIGITAL SIGNATURE
  • DIGITAL CERTIFICATE

32
SECURITY AND THE INTERNET
PUBLIC KEY ENCRYPTION
33
SECURITY AND THE INTERNET
  • DIGITAL WALLET: Software stores credit card,
    electronic cash, owner ID, address for e-commerce
    transactions
  • SECURE ELECTRONIC TRANSACTION: Standard for
    securing credit card transactions on Internet

34
SECURITY AND THE INTERNET
ELECTRONIC PAYMENT SYSTEMS
  • CREDIT CARD-SET: Protocol for payment security
  • ELECTRONIC CASH: Digital currency
  • ELECTRONIC CHECK: Encrypted digital signature
  • SMART CARD: Chip stores e-cash
  • ELECTRONIC BILL PAYMENT: Electronic funds
    transfer

35
Internet firewalls
  • Firewall: fireproof wall that prevents the
    spread of fire
  • Computer analogy: serves as a gateway to block
    the transmission of certain types of traffic
    (Software based)
  • Creates a single access point between internal
    and external network

36
DEVELOPING A CONTROL STRUCTURE
  • COSTS: Can be expensive to build; complicated to
    use
  • BENEFITS: Reduces expensive errors, loss of time,
    resources, good will
  • RISK ASSESSMENT: Determine frequency of
    occurrence of problem, cost, damage if it were to
    occur

37
MIS AUDIT
  • IDENTIFIES CONTROLS OF INFORMATION SYSTEMS,
    ASSESSES THEIR EFFECTIVENESS
  • TESTING: Early, regular controlled efforts to
    detect, reduce errors
  • WALKTHROUGH
  • DEBUGGING
  • DATA QUALITY AUDIT: Survey samples of files for
    accuracy, completeness

38
Basic Security Principles
  • Authentication
  • Access Control
  • Privacy
  • Integrity
  • Non-repudiation

39
Authentication
  • Validate user ID
  • Prove that you are who you say you are
  • Three methods:
      • PIN
      • Token
      • Biometrics

40
Access Control
  • Once a user has been authenticated, electronic
    credentials are issued which provide
    application-level privileges to the user
  • Access privileges are determined by security
    policy
  • BENCHMARK: Single sign-on

41
Privacy
  • Guarantee confidentiality of information sent
    between trusted parties
  • Implemented primarily through encryption
    techniques

42
Integrity
  • Ensures that the message or data has not been
    modified since its origination
  • Also enabled through specific form of encryption:
      • Digital Signature

43
Non-repudiation
  • System provides (hopefully legally binding) proof
    that the transaction occurred, to prevent any
    party to the transaction from later denying
    participation.
  • 3 levels necessary:
      • Origin
      • Submission
      • Receipt

44
Encryption 101
  • Symmetric encryption (1-key)
      • Shared Secret
  • Asymmetric encryption (2-keys)
      • Public Key
      • Private Key

45
Asymmetric Encryption
1. Generate public and private key pair
2. Publish public key to repository
3. Retrieve public key from repository
4. Encrypt message using public key
5. Send encrypted message over non-secure channels
6. Decrypt message using private key
46
Digital Certificate
  • Adds an additional level of security to public
    key cryptography
  • A digital certificate is an encrypted file that
    links an identity to a given public key
  • Issued by trusted third parties called
    Certificate Authorities

47
Digital Signature
  • Ensures that the document:
      • Originated as represented
      • Has not been altered from its original form
  • Plays an important role in non-repudiation

48
Symmetric Encryption
  • or conventional / private-key / single-key
  • sender and recipient share a common key
  • all classical encryption algorithms are
    private-key
  • was only type prior to invention of public-key in
    1970s

49
Basic Terminology
  • plaintext - the original message
  • ciphertext - the coded message
  • cipher - algorithm for transforming plaintext to
    ciphertext
  • key - info used in cipher known only to
    sender/receiver
  • encipher (encrypt) - converting plaintext to
    ciphertext
  • decipher (decrypt) - recovering plaintext from
    ciphertext
  • cryptography - study of encryption
    principles/methods
  • cryptanalysis (codebreaking) - the study of
    principles/methods of deciphering ciphertext
    without knowing key
  • cryptology - the field of both cryptography and
    cryptanalysis

50
Symmetric Cipher Model
51
Private-Key Cryptography
  • traditional private/secret/single key
    cryptography uses one key
  • shared by both sender and receiver
  • if this key is disclosed, communications are
    compromised
  • also is symmetric, parties are equal
  • hence does not protect sender from receiver
    forging a message and claiming it was sent by sender

52
Public-Key Cryptography
  • probably most significant advance in the 3000-year
    history of cryptography
  • uses two keys: a public & a private key
  • asymmetric since parties are not equal
  • uses clever application of number theoretic
    concepts to function
  • complements rather than replaces private key
    crypto

53
Public-Key Cryptography
  • public-key/two-key/asymmetric cryptography
    involves the use of two keys
  • a public-key, which may be known by anybody, and
    can be used to encrypt messages, and verify
    signatures
  • a private-key, known only to the recipient, used
    to decrypt messages, and sign (create) signatures
  • is asymmetric because those who encrypt messages
    or verify signatures cannot decrypt messages or
    create signatures

54
Public Key Infrastructure (PKI)
  • consists of protocols, services, and standards
    supporting interoperable applications of public
    key cryptography
  • Source: A Guide to Security Technologies: A
    Primer for IT Professionals. RSA Security, Inc.,
    Bedford, MA.

55
Public-Key Cryptography
56
Why Public-Key Cryptography?
  • developed to address two key issues:
      • key distribution: how to have secure
        communications in general without having to trust
        a KDC with your key
      • digital signatures: how to verify a message
        comes intact from the claimed sender
  • public invention due to Whitfield Diffie & Martin
    Hellman at Stanford Uni in 1976
      • known earlier in classified community

57
Public-Key Cryptosystems
58
Public-Key Applications
  • can classify uses into 3 categories:
      • encryption/decryption (provide secrecy)
      • digital signatures (provide authentication)
      • key exchange (of session keys)
  • some algorithms are suitable for all uses, others
    are specific to one

59
Security of Public Key Schemes
  • like private key schemes, brute force exhaustive
    search attack is always theoretically possible
  • but keys used are too large (>512 bits)
  • security relies on a large enough difference in
    difficulty between easy (en/decrypt) and hard
    (cryptanalyse) problems
  • more generally the hard problem is known, it's
    just made too hard to do in practice
  • requires the use of very large numbers
  • hence is slow compared to private key schemes

60
RSA
  • by Rivest, Shamir & Adleman of MIT in 1977
  • best known & widely used public-key scheme
  • based on exponentiation in a finite (Galois)
    field over integers modulo a prime
  • nb. exponentiation takes O((log n)^3) operations
    (easy)
  • uses large integers (eg. 1024 bits)
  • security due to cost of factoring large numbers
  • nb. factorization takes O(e^(log n log log n))
    operations (hard)
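
Added example (not part of the original slides): the key-pair steps from slide 45 and the encrypt/decrypt and sign/verify roles from slide 53, written as textbook RSA in Python with modulus n = p·q. It uses no padding and fixed, publicly known primes chosen here for illustration, so it shows the arithmetic only and is not a usable key.

```python
import hashlib

# Constructed toy parameters (assumption): two publicly known Mersenne primes.
# A modulus with known factors has no security; it only exposes the arithmetic.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537

def generate_keypair(p=P, q=Q, e=E):
    """Step 1: return (public, private) keys as (exponent, modulus) pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # ValueError if e has no inverse modulo phi
    return (e, n), (d, n)

def encrypt(m, public):
    """Step 4: anyone holding the public key can encrypt an integer m < n."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def decrypt(c, private):
    """Step 6: only the private-key holder can recover m."""
    d, n = private
    return pow(c, d, n)

def digest(message, n):
    """SHA-256 of the message bytes, reduced into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    """Signature creation uses the private key."""
    d, n = private
    return pow(digest(message, n), d, n)

def verify(message, signature, public):
    """Signature verification needs only the public key."""
    e, n = public
    return pow(signature, e, n) == digest(message, n)

if __name__ == "__main__":
    public, private = generate_keypair()
    m = int.from_bytes(b"session key", "big")
    print("round trip ok:", decrypt(encrypt(m, public), private) == m)
    sig = sign(b"pay 100 to Bob", private)
    print("valid:", verify(b"pay 100 to Bob", sig, public))
    print("tampered:", verify(b"pay 900 to Bob", sig, public))
```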

61
References
  • Understanding Public Key Infrastructure (PKI),
    Technology White Paper. RSA Security, Bedford,
    MA.
  • Digital Signature Overview, presentation by
    Keren Cummins, Digital Signature Trust Co.
  • Access Certificates for Electronic Services,
    presentation by Mr. Daniel Turissini, Operational
    Research Consultants
    (http://hydra.gsa.gov/aces/forum/3turissini.ppt)
  • A Guide to Security Technologies: A Primer for
    IT Professionals. RSA Security, Bedford, MA.
  • Cryptography and Network Security, William
    Stallings, Third Edition.