This document discusses managing system security for information systems in organizations. It notes that defending against hundreds of potential threats is not a simple or inexpensive task due to factors like distributed computing resources, networks spanning outside the organization, rapid technological changes, and people sometimes violating security procedures. The objectives of defense strategies are outlined as prevention and deterrence of future attacks, early detection of attacks, recovery from damage, and correcting underlying problems. Several case studies on denial-of-service attacks, viruses, human error, and phishing are presented to illustrate lessons like all information being vulnerable and attackers using multiple methods. Risks to information systems are categorized as human errors, environmental hazards, computer system failures, cybercrime, and intentional threats. Finally, security
2. • Cost of investment.
• Hundreds of potential threats exists.
• All resource, data, software, processes can be at
risk at any time.
WHY IS IT
IMPORTANT TO
MANAGE SYSTEM
SECURITY?
DEFENDING IS NOT A SIMPLE OR INEXPENSIVE TASK.
3. • Cost of investment.
• Hundreds of potential threats exists.
• All resource, data, software, processes can be at
risk at any time.
• Computing resources may be distributed.
• Networks and architectures may span outside the
organization.
• Many individuals involved in managing data assets.
• Rapid technological changes cause security
controls to be obsolete.
• Computer crimes can be undetected for long
periods of time.
• People tend to violate security procedures.
4. WHAT ARE THE OBJECTIVES OF
DEFENSE STRATEGIES?
4
1. PREVENTION & DETERRENCE
• To prevent future attacks
2. DETECTION
• For early realisation / alert
3. RECOVERY
• To fix damaged systems
4. CORRECTION
• To eliminate the problem
5. CASE STUDY: DOS ATTACK
Case: The biggest eCommerce sites were hit by DOS
attacks from an attacker using a method called Denial-
of-Service (DOS) attack.
Damage: Estimated to be about USD 5-10 billion.
Results: The alleged attacker from the Philippines, was
not prosecuted as he did not break any law in the
country.
Date: 6 Feb 2000
What Is It: DOS attack “hammers” a website with too
many requests for information and ultimately clogs the
system; causing it to fail.
6. CASE STUDY: VIRUS ATTACK
Case: An American programmer planted a virus to be
automatically activated two days after his name was
deleted from the payroll file (HR records).
Damage: The virus eliminated 168,000 payroll records
which resulted in a one-month delay in processing
payroll cheques.
Results: Donald Burleston was found guilty of a third
degree felony and was fined USD5,000.
Date: Unknown
What Is It: Virus are programs created to harm the
integrity of a system.
7. CASE STUDY: HUMAN ERROR
Case: The U.S. Social Security Service discovered an
error in the program used to calculate retirement
benefits. This error had been in the system for over 20
years.
Damage: The system shortchanged 700,000 people of
over USD850 million.
Results: It took three years to fix the problem.
Date: Unknown
What Is It: A mistake caused by human’s negligence or
oversight.
8. CASE STUDY: PHISHING
Case: A group installed an ATM in a busy shopping mall
in Hartford, Connecticut. Customers using the machine
were shown the message “Sorry, no transactions
possible” after inserting their cards and pin no.
Damage: Using counterfeit cards, the group netted
about USD100,000.
Results: N/A
Date: Unknown
What Is It: A method to disguise itself as the “real thing”
to “fish” for data.
10. LESSONS TO LEARN
FROM THE CASE STUDIES,
• All information resources are vulnerable to
attacks, not just the server.
• Many countries do not have sufficient cyberlaws.
• Protection of networked systems are complex.
• Attackers can zero-in to a single individual or
multiple companies without discrimination.
• Attackers use multiple methods.
• Even though these attacks are common, it’s still
difficult and expensive to defend.
12. HUMAN ERRORS
• Design of hardware or systems.
• Negligence or oversight during
programming, testing or
authorisation.
• Lack of knowledge or experience.
• Greed.
1
13. ENVIRONMENTAL
HAZARDS
• Earthquakes, floods, fire, lightning strikes
and any natural disaster.
• Also includes defective aircond, cooling
systems, radioactive fallout and etc.
• Smoke, heat and water damage resulting
from environmental changes and hazards.
2
14. COMPUTER SYSTEM
FAILURES
• Poor design.
• Use of defective materials.
• Lack of quality control.
• Inadequate specification by the buyer.
3
15. CYBER CRIME
• Attackers are typically known as hackers;
outsiders that penetrates the system without
permission, or, insiders that misuse their
authorization.
• Data tampering - inserts false data (e.g.
wages, stock count, etc).
• DOS attack - hammering a website with
more requests than it can handle.
• Programming fraud - programming
techniques used to modify a computer
program (virus, worm, trojan horse, spoofing,
phishing).
4
16. INTENTIONAL
THREATS
• Targeted theft of data.
• Deliberate manipulation of data
and systems.
• Strikes, riots, sabotage and
terrorist attacks.
• Destruction from virus attacks.
• Computer abuses and crimes.
5
17. HOW TO CONTROL &
SECURE
INFORMATION
SYSTEMS?
ALSO KNOWN AS SECURITY MEASURES
18. HOW TO CONTROL & SECURE
INFORMATION SYSTEMS?
ALSO KNOWN AS SECURITY MEASURES
• Physical access control
• Power generator
• Uninterruptible power
supply (UPS)
• Surge protector
• Humidity control
• Temperature control
• Water detector
• Raised floors
• Fire extinguisher
• Alarm systems
• CCTV
• Transaction logs
• Audit Trails (around, through,
with the computer)
• Encryption
• Archiving
• Anti-Virus
• Firewall
• Documentation / User
Manuals
• Separation of Functions