CHAPTER OUTLINE Ethical Issues in Information Systems Threats to Information Security Protecting Information Resources 2 Ethical Issues in Information Systems Issues and standards of conduct pertaining to the use of information systems ID: 644601
Download Presentation The PPT/PDF document "CHAPTER 3 Information Privacy and Securi..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
CHAPTER 3
Information Privacy and SecuritySlide2
CHAPTER OUTLINE
Ethical Issues in Information Systems
Threats to Information Security
Protecting Information Resources
2Slide3
Ethical Issues in Information Systems
Issues and standards of conduct pertaining to the use of information systems
1986 – Richard O. Mason article
3Slide4
Threats to Information Privacy
Data aggregators and digital dossiers (linking personal information in multiple databases)
Could this happen to you?
Electronic Surveillance
4
Information on Internet Bulletin Boards, Blog Sites, and Social Networking SitesSlide5
Threats to Information Security
Issues:
Confidentiality, Integrity, Availability (CIA)
Natural causes vs. human causes
Outsider threats vs. insider threats
e.g., the Gucci case, the FDA case
Protection vs. convenience
5Slide6
Major Categories of IS Security Threats
Accidents and natural disasters
Unauthorized Access
Thefts, eavesdropping, masquerading, etc.
Computer Malware
Viruses, worms, Trojan horses, spyware, adware, etc.
Spamming and phishing
Cyber warfare
Denial of service (
DoS
) attacks, online vandalism, etc.
6Slide7
Example: Password Security
Calculated guessing
Brute force attacks
Exhaustive search until a match is found
How long
would it take?
Shoulder surfing
Social engineering
7Slide8
Example: Denial of Service (DoS) Attacks
Attackers prevent legitimate users from accessing services
Targets include servers and communication circuits
The Estonian Attack
Distributed DoS attacks
Use compromised computers (zombies or botnets) to launch massive attacks
8Slide9
Protecting Information Resources
IS Security Audits (Risk Analysis)
Indentify information assets
Prioritize assets to be protected
9
There is always risk!
And then there
is
real risk
!Slide10
Risk Mitigation Strategies
Risk limitation – Implement countermeasures (controls)
Risk acceptance – Prepared to absorb damages
Risk transfer – Transfer risks to a third partySlide11
Sample Risk Limitation Worksheet
1. Disaster recovery plan
2. Halon fire system/sprinklers
3. Not on or below ground level
4. UPS on servers
5. Contract guarantees from IXCs
6. Extra backbone fiber laid between servers
7. Virus checking software present
8. Extensive user training on viruses
9. Strong password software
10. Extensive user training on security
11. Application Layer firewall
Threats
Assets (w/ priority)
Disruption and Disaster
Fire Flood Power Circuit Virus
Loss Failure
Unauthorized Access
External Internal Eavesdrop
Intruder Intruder
(92) Mail Server
1,2 1,3 4 5, 6 7, 8
9, 10, 11 9, 10
(90) Web Server
1,2 1,3 4 5, 6 7, 8
9, 10, 11 9, 10
(90) DNS Server
1,2 1,3 4 5, 6 7, 8
9, 10, 11 9, 10
(50) Computers on 6
th
floor
1,2 1,3 7, 8
10, 11 10
(50) 6
th
floor LAN circuits
1,2 1,3
(80) Building A Backbone
1,2 1,3 6
(100) Database Server
9 9
… … …
… … …
… … …
Countermeasures
1,2 1,3 4 5, 6 7, 8
11Slide12
Access Control Mechanisms
Physical Controls
Chain and locks
Network Controls
Firewalls
Virtual Private Networks (VPNs)
Employee monitoring systems
Authentication and Encryption techniques
12Slide13
Firewall Architecture for Large Organizations
13Slide14
Virtual Private Network and Tunneling
14Slide15
Employee Monitoring System
15Slide16
Authentication Techniques
Something you know
Strong password
CAPTCHASomething you haveSmart cards / keys
Hardware authentication
Something you are or you do
Biometrics
16Slide17
Encryption Techniques
Mathematical manipulation of digital data to provide
Confidentiality
– only intended recipient can read a message
Authentication
– proving one’s identity
Information Integrity
– assurance of unaltered message
Nonrepudiation
– using digital signatures to prevent disputes between parties exchanging messages
17Slide18
Every encryption method has two parts: a mathematical procedure and a key
Example procedure — shift in alphabetical order by
N
letters
Example key —
N
= 4
Plaintext
Encryption
Ciphertext
Decryption
Plaintext
“TAKEOVER”
“XEOISZIV”
“TAKEOVER”
Procedure +
Key
Procedure +
Key
Transmitted
The Encryption Concept
18Slide19
Encryption: Key Length
The key is a value that may be “guessed” by exhaustive search (brute force attacks)
A large key makes exhaustive search very difficult or virtually impossible
If key length is n bits, 2n tries may be needed
Weak key: up to 56 bits
Strong key: 128 bits or longer
Key size
(bits)
Number of
Alternative Keys
Time Required at
10
6
tries/sec
Time Required at 10
12
tries/sec
56
2
56
= 7.2 x 10
16
1,142 years
10 hours
128
2
128
= 3.4 x 10
38
5.4 x 10
24
years
5.4 x 10
18
years
19Slide20
Common Encryption Techniques
Symmetric (private) key encryption system
Sender and recipient use the same key
Key distribution and management problems
Asymmetric (public) key encryption system
Each individual has a pair of keys
Public key – freely distributed
Private key – kept secret
20Slide21
How Public Key Encryption Works
21
Decrypt
EncryptSlide22
E-Commerce Security
Certificate Authority
Third party – trusted middleman
Verifies trustworthiness of a Web site
Checks for identity of a computer
Provides public keys
Secure Sockets Layer (SSL)
Developed by Netscape
Standard technique for secure e-commerce transactions (
https
)
22