Q1: What is the goal of information systems security?
The major elements of IS security start with the threat: a person or organization that seeks to obtain data or other assets illegally, without the owner’s permission and often without the owner’s knowledge. A vulnerability is an opportunity for threats to gain access to individual or organizational assets; for example, when you buy online, you provide your credit card data, and as that data is transmitted over the Internet, it is vulnerable to threats. A safeguard is a measure individuals or organizations take to block a threat from obtaining an asset; safeguards are not always effective, and some threats achieve their goal in spite of them. The target is the asset desired by the threat.

Sources of security threats include the following. Human error examples: (1) an employee misunderstands operating procedures and accidentally deletes customer records; (2) an employee inadvertently installs an old database on top of the current one while doing a backup; (3) physical accidents, such as driving a forklift through the wall of a computer room. Computer crime is the intentional destruction or theft of data or other system components. Natural disasters are fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature; this includes the initial loss of capability and service, and the costs of recovering from those losses.

Unauthorized data disclosure has common threats associated with it. Faulty service covers problems caused by incorrect system operation. Usurpation occurs when computer criminals invade a computer system and replace legitimate programs with their own unauthorized ones that shut down legitimate applications and substitute their own processing to spy, steal and manipulate data, or for other purposes. Denial of service takes two forms: first, a malicious hacker intentionally floods a Web server with millions of bogus service requests; second, a user unintentionally shuts down a Web server or corporate gateway router by starting a computationally intensive application.

The goal of information systems security is to find an appropriate trade-off between the risk of loss and the cost of implementing safeguards. In addition, make appropriate trade-offs to protect yourself and your business.
Q2: How big is the computer security problem?
Right now malicious insiders are an increasing problem. Many
computer crime studies are based on dubious sampling techniques, and some seem
to be written to promote a particular safeguard product.
Q3: How should you respond to security threats?
Computer security professionals run intrusion detection systems to detect attacks. An intrusion detection system (IDS) is a computer program that senses when another computer is attempting to scan or access a computer or network. IDS logs can record thousands of attempts each day, which is an encouragement for companies to fix product vulnerabilities. Serve as an educational forum for hackers, developers, manufacturers, and government agencies. Or, as Dan recommends, the right to be forgotten: “the right under certain conditions to ask search engines to remove links with personal information about them.”
Q4: How should organizations respond to security threats?
Senior management creates company-wide policies and manages risks: What sensitive data will be stored? How will data be processed? Will data be shared with other organizations? How can employees and others obtain copies of data stored about them? How can employees and others request changes to inaccurate data? The specifics of a policy depend on whether the organization is governmental or nongovernmental, publicly held or private, the organization’s industry, the relationship of management to employees, and other factors. An easy way to remember information systems safeguards is to arrange them according to the five components of an information system. Understand the legal requirements, ethical considerations, and business consequences of data acquisition, storage, and dissemination. Use the knowledge of this class to demonstrate two possible ways that data could be stolen at a coffee shop. Then formulate personal principles with regard to data acquisition, storage, and dissemination. In addition, large, reputable organizations are likely to endorse an ethical privacy policy and to have strong and effective safeguards to support that policy. But individuals and small organizations might not.
Q5: How can technical safeguards protect against security threats?
Technical safeguards involve the hardware and software components of an information system, or single sign-on for multiple systems.

Summary of how SSL/TLS works when you communicate securely with a Web site: (1) your computer obtains the public key of the Web site to which it will connect; (2) your computer generates a key for symmetric encryption; (3) your computer encodes that key using the Web site’s public key, then sends the encrypted symmetric key to the Web site; (4) the Web site decodes the symmetric key using its private key; (5) your computer and the Web site communicate using symmetric encryption. With asymmetric encryption, two keys are used; one key encodes the message, and the other key decodes the message. Symmetric encryption is simpler and much faster than asymmetric encryption.

Organizations normally use multiple firewalls. A perimeter firewall sits outside the organizational network; it is the first device that Internet traffic encounters. A packet-filtering firewall examines each part of a message and determines whether to let that part pass. To make this decision, it examines the source address, destination address(es), and other data. Packet-filtering firewalls can prohibit outsiders from starting a session with any user behind the firewall, prohibit traffic from legitimate, but unwanted, addresses, such as competitors’ computers, and filter outbound traffic. No computer should connect to the Internet without firewall protection. Many ISPs provide firewalls for their customers. By nature, these firewalls are generic. Large organizations supplement such generic firewalls with their own. Most home routers include firewalls, and Microsoft Windows has a built-in firewall as well. Third parties also license firewall products.

A payload is program code that causes unwanted activity. It can delete programs or data, or modify data in undetected ways. Spyware programs are installed on the user’s computer without the user’s knowledge or permission. They reside in the background and, unknown to the user, observe the user’s actions and keystrokes, monitor computer activity, and report the user’s activities to sponsoring organizations. Some malicious spyware, called key loggers, captures keystrokes to obtain usernames, passwords, account numbers, and other sensitive information. Other spyware supports marketing analyses such as observing what users do, Web sites visited, products examined and purchased, and so forth. Most adware is benign in that it does not perform malicious acts or steal data. It does, however, watch user activity and produce pop-up ads. Adware can also change the user’s default window or modify search results and switch the user’s search engine.

PRIDE, with security in mind, will store users’ privacy settings in a database, and it will develop all applications to first read the privacy settings before revealing any data in exercise reports. Most likely, PRIDE will design its programs so that privacy data is processed by programs on servers, which means data need be transmitted over the Internet only when it is created or modified. In an SQL injection attack, SQL code becomes part of the database commands issued, and improper data disclosure, data damage, and loss are possible.
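The SSL/TLS key exchange summarized above, traced from both sides as an added example (not code from the original page). It is not real TLS: the constructed Mersenne-prime key pair, textbook unpadded RSA, and the SHA-256 keystream cipher are toy stand-ins chosen so the sketch runs with the Python standard library only, and all function names are assumptions.

```python
import hashlib
import secrets

# Constructed toy key pair for the Web site: two Mersenne primes, far too
# small for real use, with textbook (unpadded) RSA as the asymmetric step.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
SITE_PUBLIC = (P * Q, E)                                # handed to any client
SITE_PRIVATE = (P * Q, pow(E, -1, (P - 1) * (Q - 1)))   # never leaves the site

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    The same key and the same call both encode and decode."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def client_key_exchange(public_key):
    """Client: generate a symmetric key and encode it with the site's public key."""
    n, e = public_key
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return session_key, wrapped        # only `wrapped` is sent over the Internet

def site_unwrap(private_key, wrapped: int) -> bytes:
    """Web site: decode the symmetric key with the private key."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(16, "big")

def handshake_and_send(message: bytes):
    """Run the exchange, then carry one message under symmetric encryption."""
    client_key, wrapped = client_key_exchange(SITE_PUBLIC)
    site_key = site_unwrap(SITE_PRIVATE, wrapped)
    ciphertext = keystream_xor(client_key, message)      # what an observer sees
    return wrapped, ciphertext, keystream_xor(site_key, ciphertext)

if __name__ == "__main__":
    wrapped, ciphertext, received = handshake_and_send(b"card=0000 (constructed)")
    print(hex(wrapped), ciphertext.hex(), received)
```

The slow asymmetric operation runs once, on 16 bytes of key; every message after that uses the fast symmetric cipher, which is the reason for combining the two.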
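The SQL injection sentence and the PRIDE privacy-settings design above, combined in one added example (not PRIDE's code or code from the original page): an exercise-report lookup that reads the privacy setting first, written once with string concatenation and once with a bound parameter. The table names, column names, sample rows and input string are constructed assumptions.

```python
import sqlite3

# Constructed input of the classic form that turns user data into SQL.
INJECTED = "x' OR '1'='1"

def make_db():
    # Constructed sample data: bob has not agreed to share his reports.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE privacy (user TEXT PRIMARY KEY, share_reports INTEGER);
        CREATE TABLE reports (user TEXT, workout TEXT);
        INSERT INTO privacy VALUES ('ann', 1), ('bob', 0);
        INSERT INTO reports VALUES ('ann', 'run 5k'), ('bob', 'cardiac rehab walk');
    """)
    return db

def reports_vulnerable(db, user):
    # The input is pasted into the command, so SQL inside it becomes part of
    # the query and the OR clause overrides the privacy check.
    sql = ("SELECT r.workout FROM reports r JOIN privacy p ON p.user = r.user "
           "WHERE p.share_reports = 1 AND r.user = '" + user + "'")
    return [row[0] for row in db.execute(sql)]

def reports_safe(db, user):
    # The ? placeholder keeps the input as data, so the privacy check
    # applies no matter what the input contains.
    sql = ("SELECT r.workout FROM reports r JOIN privacy p ON p.user = r.user "
           "WHERE p.share_reports = 1 AND r.user = ?")
    return [row[0] for row in db.execute(sql, (user,))]

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", reports_vulnerable(db, INJECTED))
    print("parameterized:", reports_safe(db, INJECTED))
```

With the concatenated query the constructed input discloses bob's report despite his privacy setting; with the bound parameter the same input is just a user name that matches no rows.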
Q6: How can data safeguards protect against security threats?
Data safeguards protect databases and other organizational
data. Two organizational units are responsible for data safeguards. Data
administration refers to an organization-wide function that is in charge of
developing data policies and enforcing data standards. When organizations store
databases in the cloud, all of the safeguards should be part of the service
contract. Or a trusted party should have a copy of the encryption key (key escrow).
Q7: How can human safeguards protect against security threats?
The first thing is to separate duties and authorities, determine least privileges, or document position sensitivity. Then develop human safeguards for employees, who need to be made aware of the security policies, procedures, and responsibilities they will have. Companies must establish security policies and procedures for the termination of employees. For public users, Web sites and other openly accessible information systems must have safeguards. Hardening refers to special versions of the operating system that lock down or eliminate operating system features and functions not required by the application. Protect such users from internal company security problems. Account management is the creation of new user accounts, the modification of existing account permissions, and the removal of unneeded accounts. Improve your relationship with IS personnel by providing early and timely notification of needed account changes. Password management is where users should change passwords every 3 months or less. Help desk management helps set policy for means of authenticating a user. The definition and use of standardized procedures reduces the likelihood of computer crime and other malicious activity by insiders. It also ensures the system’s security policy is enforced. Security monitoring: server activity logs or firewall logs of Web activities, and honeypots for computer criminals to attack.
Q8: How should organizations respond to security incidents?
Every organization should have an incident-response plan as
part of the security program. No organization should wait until some asset has
been lost or compromised before deciding what to do. The plan should include
how employees are to respond to security problems, whom they should contact,
the reports to make, and steps to reduce further loss. Finally, identify
critical personnel and their off-hours contact information.
Q9: 2026?
In 2026, APTs will be more common, so concern about the balance of national security and data privacy could be high. Security on devices will be improved, so the skill level of activity increases substantially. In addition, there will be improved security at large organizations and big local “electronic” authorities.