Topic 5: Information Systems Security
ISIT224 Management Information Systems
Lecture Outline
- Identify the factors that contribute to the increasing vulnerability of information systems
- Discuss the common types of security threats
- Risk management process
- Identify the types of security controls
  - Physical controls
  - Access controls
  - Communication (network) controls
Security Threats
Internet Security Challenges
- Network open to anyone
- Size of Internet means abuses can have wide impact
  - E.g., the use of fixed Internet addresses with cable/DSL modems creates fixed targets for hackers
  - E.g., unencrypted VoIP creates targets for interception by hackers
  - E.g., e-mail, P2P, IM
    - Attachments with malicious software
    - Interception when transmitting trade secrets
Wireless Security Challenges
Figure: The service set identifiers (SSIDs) identifying the access points in a Wi-Fi network are broadcast multiple times (as illustrated by the orange sphere) and can be picked up fairly easily by intruders' sniffer programs.
Wireless Security Challenges
- War driving
  - Eavesdroppers drive by buildings and try to detect the SSID and gain access to the network and its resources
  - Once an access point is breached, the intruder can gain access to networked drives and files
- Rogue access points
  - A wireless access point installed on a wired enterprise network without authorization from the network administrator
  - Experiment at the RSA Conference 2017 in San Francisco
  - → Implement a Wireless Intrusion Prevention System (WIPS) with automatic prevention turned on
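The detection half of a WIPS comes down to comparing every beacon a sensor hears against an inventory of the access points the administrator actually installed. The following Python is an added example written for this lecture, not code from the slides or from any WIPS product; the inventory, the BSSIDs, the signal-strength threshold and the category names are constructed assumptions. It flags an unknown radio that advertises a corporate SSID (an "evil twin"), an unknown radio heard strongly enough to be inside the building (a likely rogue AP), and a known radio broadcasting the wrong SSID (misconfiguration):

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory of authorised access points: BSSID -> SSID it should
# broadcast. Assumption: the network administrator maintains such a list.
AUTHORISED_APS = {
    "aa:bb:cc:00:00:01": "CorpWiFi",
    "aa:bb:cc:00:00:02": "CorpWiFi",
    "aa:bb:cc:00:00:03": "CorpGuest",
}
CORPORATE_SSIDS = set(AUTHORISED_APS.values())

# Beacons heard at least this strongly (dBm) are treated as inside the
# building rather than from a neighbouring network. Constructed threshold;
# a real deployment would calibrate it per sensor location.
ON_PREMISES_RSSI = -70


@dataclass(frozen=True)
class Beacon:
    """One beacon frame as a monitoring sensor would record it."""
    ssid: str      # broadcast network name ("" for a hidden SSID)
    bssid: str     # MAC address of the radio sending the beacon
    channel: int
    rssi: int      # received signal strength in dBm


def classify(beacon: Beacon) -> str:
    """Return the category a WIPS would assign to a single beacon."""
    expected_ssid = AUTHORISED_APS.get(beacon.bssid.lower())
    if expected_ssid is not None:
        # Known radio: make sure it advertises the network it was configured for.
        return "authorised" if beacon.ssid == expected_ssid else "misconfigured"
    if beacon.ssid in CORPORATE_SSIDS:
        # Unknown radio impersonating a corporate network: an "evil twin".
        return "evil_twin"
    if beacon.rssi >= ON_PREMISES_RSSI:
        # Unknown radio that is physically close: probably a rogue AP
        # plugged into the wired network without authorisation.
        return "rogue"
    return "neighbour"


def scan_report(beacons):
    """Group a scan by category so the alerts are easy to act on."""
    report = defaultdict(list)
    for b in beacons:
        report[classify(b)].append(b.bssid)
    return dict(report)


# Constructed scan result illustrating each category.
SAMPLE_SCAN = [
    Beacon("CorpWiFi", "aa:bb:cc:00:00:01", 6, -50),
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 6, -45),    # twin of the corporate SSID
    Beacon("CorpGuest", "aa:bb:cc:00:00:02", 11, -60),  # known radio, wrong SSID
    Beacon("Linksys", "de:ad:be:ef:00:02", 1, -40),     # strong, unknown radio
    Beacon("Cafe_Free", "de:ad:be:ef:00:03", 1, -85),   # weak, unknown radio
]

if __name__ == "__main__":
    for category, bssids in sorted(scan_report(SAMPLE_SCAN).items()):
        print(f"{category:13s} {', '.join(bssids)}")
```

Signal strength alone only suggests that an unknown radio is on the premises; a production WIPS confirms a rogue by correlating the wireless client's traffic with what the wired switches see before it blocks anything, which is the "automatic prevention" step the slide refers to.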
Software Attacks
- Worm: replicates, or spreads, by itself (without requiring another computer program)
  - Has network awareness: uses shared drives and shared folders to propagate from one machine to another
  - Once on a machine, it uses up all the CPU cycles, memory, and bandwidth, and thereby slows down the machine and the networks on which that machine is operating
- Trojan horse: carries a hidden intent to open backdoors
  - Appears as something desirable (e.g., a beautiful screensaver that you want to download); once on your machine, it deletes files and opens up a backdoor for hackers to take administrative control of your machine
  - Typically cannot self-replicate; relies on tricking users
Software Attacks
- Botnets: a network of computers infected by worms or Trojan horses, which can then be used to launch simultaneous attacks
  - Users are first tricked into installing some form of worm, which helps the malware propagate to other machines on the network
  - The Trojan horse opens up a backdoor for the attacker to control these machines
  - Often employed by attackers to spread spam and to launch distributed denial of service (DDoS) attacks on a target machine
Identity Theft
- Phishing
  - An attempt to trick you into giving up your personal information by pretending to be someone you know
- Spear Phishing
  - Targets a specific person or organization by personalizing the message
  - E.g., using information about ourselves disclosed online through Facebook or through e-commerce sites
Identity Theft
91% of cyber attacks in 2017 started with a phishing email.
Password Cracks
- How to crack a password: try out all possible combinations of characters and words
  - Brute-Force Attack
    - Repeated guessing
    - Prevention: limit attempts per period
  - Dictionary Attack
    - Uses dictionary words
    - Prevention: use non-words, digits, special characters
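Both preventions on this slide can be shown in a few dozen lines: a per-account limit on failed attempts within a time window defeats repeated guessing, and a strength check at enrolment rejects the dictionary words a wordlist attack would try first. The Python below is an added example for this lecture, not code from the slides; the `LoginThrottle` and `password_weaknesses` names, the limits (5 attempts per 300 seconds, 12-character minimum) and the tiny word list are constructed assumptions. Passwords are stored as salted PBKDF2 hashes so the example also reflects how a real login store should look:

```python
import hashlib
import hmac
import os
import time
from collections import deque

# Constructed mini dictionary; a real check would use a large wordlist.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "football", "qwerty"}


class FakeClock:
    """Controllable clock so the demonstration is deterministic (test aid)."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Limit failed login attempts per account within a sliding time window."""
    def __init__(self, max_attempts=5, window_seconds=300, clock=None):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock or time.monotonic
        self._failures = {}   # account -> deque of failure timestamps

    def _recent_failures(self, account):
        now = self.clock()
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window:
            q.popleft()            # forget failures outside the window
        return q

    def is_locked(self, account):
        return len(self._recent_failures(account)) >= self.max_attempts

    def record_failure(self, account):
        self._recent_failures(account).append(self.clock())

    def record_success(self, account):
        self._failures.pop(account, None)


def make_record(password):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify(record, password):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def attempt_login(throttle, users, account, password):
    """Return 'locked', 'ok' or 'wrong'. Unknown accounts count like wrong passwords."""
    if throttle.is_locked(account):
        return "locked"          # refuse without even checking the password
    record = users.get(account)
    if record is not None and verify(record, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "wrong"


def password_weaknesses(password):
    """List the reasons a password is easy to guess (empty list = passes the checks)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    users = {"alice": make_record("Tr0ub4dor&3xyz")}   # constructed account
    for guess in ["password", "welcome", "letmein", "dragon", "football", "Tr0ub4dor&3xyz"]:
        print(guess, "->", attempt_login(throttle, users, "alice", guess))
    clock.advance(301)   # window has passed, the real user can log in again
    print("after window:", attempt_login(throttle, users, "alice", "Tr0ub4dor&3xyz"))
    print("weaknesses of 'password':", password_weaknesses("password"))
```

While the account is locked the correct password is refused as well, so a guesser learns nothing from the sixth attempt; the trade-off is that an attacker can deliberately lock a victim out, which is why real systems pair the per-account limit with a per-source-address limit and a short, automatically expiring window rather than a permanent lock.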
Click Fraud
- Occurs when an individual or computer program fraudulently clicks an online ad without any intention of learning more about the advertiser or making a purchase.
- Pay-per-click online advertising
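Because the advertiser pays per click, the defence is to find clicks that were never going to become customers before they are billed. The Python below is an added example for this lecture, not code from the slides or from any ad platform; the log format, the IP addresses, the campaign id and the thresholds (five or more clicks within two minutes from one source with no conversion) are constructed assumptions. It parses a small click log, measures the densest burst of clicks per source and campaign, and flags sources that click repeatedly but never convert:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed click log: timestamp, client IP, campaign id, converted (1/0).
CLICK_LOG = """\
2024-03-01T10:00:01 203.0.113.7 42 0
2024-03-01T10:00:09 203.0.113.7 42 0
2024-03-01T10:00:15 198.51.100.23 42 0
2024-03-01T10:00:20 203.0.113.7 42 0
2024-03-01T10:00:31 203.0.113.7 42 0
2024-03-01T10:00:44 192.0.2.5 42 0
2024-03-01T10:00:52 203.0.113.7 42 0
2024-03-01T10:01:03 203.0.113.7 42 0
2024-03-01T10:05:40 198.51.100.23 42 1
"""


def parse_log(text):
    """Turn the log into (timestamp, ip, campaign, converted) tuples."""
    clicks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, campaign, conv = line.split()
        clicks.append((datetime.fromisoformat(ts), ip, campaign, conv == "1"))
    return clicks


def burst_size(times, window):
    """Largest number of clicks that fall inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1             # slide the window forward
        best = max(best, end - start + 1)
    return best


def find_click_fraud(clicks, max_clicks=5, window=timedelta(minutes=2)):
    """Return {(ip, campaign): burst} for sources that click in bursts but never convert."""
    by_source = defaultdict(list)
    converted = set()
    for ts, ip, campaign, conv in clicks:
        by_source[(ip, campaign)].append(ts)
        if conv:
            converted.add((ip, campaign))
    flagged = {}
    for source, times in by_source.items():
        burst = burst_size(times, window)
        if burst >= max_clicks and source not in converted:
            flagged[source] = burst
    return flagged


def billable_clicks(clicks, flagged):
    """Clicks the advertiser should actually be charged for."""
    return sum(1 for _, ip, campaign, _ in clicks if (ip, campaign) not in flagged)


if __name__ == "__main__":
    clicks = parse_log(CLICK_LOG)
    flagged = find_click_fraud(clicks)
    for (ip, campaign), burst in flagged.items():
        print(f"campaign {campaign}: {ip} clicked {burst} times in 2 min, no conversion")
    print("billable clicks:", billable_clicks(clicks, flagged), "of", len(clicks))
```

A single shared address (a university or corporate NAT) can legitimately produce bursts, so a production filter would also weigh user-agent diversity, session behaviour and known data-centre address ranges rather than the click count alone.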
Protection Mechanisms
Security Risk Management
- Goal of risk management
  - To identify, control, and minimize the impact of threats
  - To reduce risk to acceptable levels
- Security risk
  - The probability that a security threat will impact an information system
- Risk management process
  - Risk analysis
  - Risk mitigation
  - Controls evaluation
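The three steps of the process can be carried through on one threat. The Python below is an added example for this lecture, not code from the slides; it assumes the common quantitative model in which risk is expressed as likelihood of occurrence times loss per occurrence, and the threat, the controls, their costs and their effect on likelihood or impact are constructed figures. Risk analysis computes the expected annual loss, risk mitigation adds the control with the best reduction per unit of cost until the residual risk is at or below the acceptable level, and controls evaluation checks that the chosen controls both reach that level and cost less than the loss they avoid:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float   # estimated probability the threat materialises in a year (0..1)
    impact: float       # estimated loss if it does, in currency units


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                     # annual cost of operating the control
    likelihood_factor: float = 1.0  # multiplies the threat's likelihood (1.0 = no effect)
    impact_factor: float = 1.0      # multiplies the threat's impact (1.0 = no effect)


def risk(threat, controls=()):
    """Risk analysis: expected annual loss = likelihood x impact after the given controls."""
    likelihood, impact = threat.likelihood, threat.impact
    for c in controls:
        likelihood *= c.likelihood_factor
        impact *= c.impact_factor
    return likelihood * impact


def mitigate(threat, candidates, acceptable):
    """Risk mitigation: greedily add the control with the best reduction per unit cost
    until the residual risk is at or below `acceptable` (or no control helps any more)."""
    chosen, remaining = [], list(candidates)
    while risk(threat, chosen) > acceptable and remaining:
        current = risk(threat, chosen)
        best = max(remaining, key=lambda c: (current - risk(threat, chosen + [c])) / c.cost)
        if risk(threat, chosen + [best]) >= current:
            break                 # nothing left that actually reduces the risk
        chosen.append(best)
        remaining.remove(best)
    return chosen, risk(threat, chosen)


def evaluate_controls(threat, chosen, acceptable):
    """Controls evaluation: is the residual risk acceptable, and is the
    control set cheaper than the loss it avoids?"""
    residual = risk(threat, chosen)
    avoided = risk(threat) - residual
    total_cost = sum(c.cost for c in chosen)
    return {
        "residual": residual,
        "acceptable": residual <= acceptable,
        "cost": total_cost,
        "cost_effective": avoided > total_cost,
    }


# Constructed threat, controls and risk appetite for the demonstration.
PHISHING = Threat("Phishing leading to credential theft", likelihood=0.6, impact=50_000)
CONTROLS = [
    Control("Staff awareness training", cost=5_000, likelihood_factor=0.6),
    Control("Multi-factor authentication", cost=8_000, impact_factor=0.2),
    Control("E-mail filtering", cost=4_000, likelihood_factor=0.5),
]
ACCEPTABLE_RISK = 5_000

if __name__ == "__main__":
    print(f"initial risk: {risk(PHISHING):,.0f}")
    chosen, residual = mitigate(PHISHING, CONTROLS, ACCEPTABLE_RISK)
    for c in chosen:
        print(f"  add {c.name} (cost {c.cost:,.0f})")
    print(f"residual risk: {residual:,.0f}")
    print(evaluate_controls(PHISHING, chosen, ACCEPTABLE_RISK))
```

With these figures the greedy pass picks e-mail filtering first and multi-factor authentication second, leaving awareness training out because the residual is already acceptable; changing the risk appetite or the cost estimates changes the selection, which is the point of keeping the three steps as separate functions that management can re-run as assumptions change.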