topicviii_is_security_management.pdf

Upload: rohan-sivaramakrishnan-iyer

Post on 03-Apr-2018


  • 7/29/2019 TopicVIII_IS_Security_Management.pdf

    1/36

    MIS 601: Information Systems Management

    Security and Ethical Challenges

    Topic # 8

    2/36

    Contents:-

    Ethical and Security impacts on Society

    Ethical responsibilities of Business Professionals

    Computer Crime

    Internet abuses at work place

    Hacking

    Software Piracy issues

    Computer Viruses and Worms

    Cyber Theft

    3/36

    Ethical and Security impacts on Society

    The use of IT in business presents major security challenges, poses serious ethical questions and affects society in significant ways.

    But it is important to note that business/IT has had beneficial results as well as detrimental effects on society and people in each of these areas.

    4/36

    Security and Ethical Challenges

    (Diagram) Security, Ethics and Society; areas affected: Employment, Education, Health, Individuality, Crime, Working Conditions.

    5/36

    Computer Crime

    It is a growing threat to society, caused by the criminal or irresponsible actions of individuals who take advantage of the widespread use and vulnerability of computers, the Internet and other networks.

    6/36

    AITP definition of Computer Crime:

    Unauthorized use, access, modification and destruction of hardware, software, data or network resources.

    Unauthorized release of information.

    Unauthorized copying of software.

    Denying an end user access to his/her own hardware, software, data or network resources.

    Using or conspiring to use computer or network resources to illegally obtain information or tangible property.


    7/36

    Types of Computer Crimes

    8/36

    Cyber Theft

    Many computer crimes involve the theft of money. Most cyber thefts involve an insider from the organisation.

    Example: Russian hacker Vladimir Levin, Citibank, 11 million.

    9/36

    Software Piracy

    This is the major form of software theft.

    The Software Publishers Association is an industry association of software developers used in major corporations in the States.

    NASSCOM in India.

    Software packages are protected by the Computer Software Piracy and Counterfeiting Amendment Law in the USA.

    10/36

    Case Example: RIAA vs NAPSTER

    Recording Industry Association of America (RIAA)

    It won its suit against Napster in 2002.

    Napster went out of business in the USA in 2002.

    Peer-to-peer music sharing

    11/36

    Computer Viruses and Worms

    These are the most destructive example of computer crime.

    Virus: a program code that cannot work without being inserted into another program.

    Worm: a distinct program that can run unaided.


    12/36

    Computer Viruses and Worms

    13/36

    Computer Viruses

    Resident Virus: these viruses reside in the boot sector of the computer hard disk. They can be copied from there to any other floppy disk etc. inserted into the infected computer.

    .Exe Virus: these viruses come attached to files such as a Word document (with macro) or any other EXE file.

    14/36

    Security Management of IT

    List of Contents:-

    Need for Security Management?

    Properties of Secure Communications.

    Security management Techniques:-

    Encryption

    Symmetric Encryption

    Asymmetric Encryption

    Firewalls

    Virus Defenses

    15/36

    Security Management of IT

    The goal of security management is the accuracy, integrity and safety of all information system processes and resources.

    The objectives of security management are to:-

    Reduce Errors

    Reduce Frauds

    Minimize Losses in Information Systems

    16/36

    Network and Internet Security:

    Following are the desirable properties of secure communications:-

    Confidentiality

    Authentication

    Message Integrity and Non-Repudiation

    Availability and Access Control

    17/36

    Security Management Techniques

    (Diagram) Encryption, Firewalls, Virus Defenses

    18/36

    Encryption:

    Encryption has become an important way to protect data.

    Passwords, messages, files etc. are transmitted in scrambled format and unscrambled by the computer at the receiving end.

    Encryption involves using special mathematical algorithms or keys to transform digital data into a scrambled code before it is transmitted, and to decode the data when it is received at the other end.

    19/36

    Encryption:

    20/36

    Symmetric Encryption Algorithm

    This is also called conventional encryption or single-key encryption.

    This was first used by Julius Caesar.

    The algorithm has five ingredients:-

    1. Plaintext

    2. Encryption Algorithm

    3. Secret Key

    4. Ciphertext

    5. Decryption algorithm

    21/36

    INS 601 ISM, 8th June 2011, Vishwesh Akre

    Symmetric Encryption Algorithm

    22/36

    Symmetric Encryption Algorithm

    The symmetric algorithm remains the more popular and widely used of the two algorithms.

    It has two requirements:-

    A strong encryption algorithm.

    Sender and receiver must have obtained the keys in a secure manner.

    Example of Algorithm

    DES (Digital Encryption Standard), 1977 (56-bit key)
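As an added example (not code from the slides or the lecturer), the five ingredients of slide 20 mapped onto the Caesar shift that the slides credit to Julius Caesar, followed by the reason such a cipher fails the "strong encryption algorithm" requirement of slide 22: with only 26 possible keys, anyone holding the ciphertext and a guess at one plaintext word can simply try every key. The sample message, the key value 3 and the comparison with the 56-bit DES key are constructed for the illustration.

```python
"""Added example, not from the slides: the five ingredients of a symmetric
(single-key) cipher shown with the Caesar shift, plus the key-space check
that shows why a 26-key cipher is not a 'strong encryption algorithm'."""
import math
import string
from typing import Optional

ALPHABET = string.ascii_uppercase  # the cipher works on the 26 capital letters


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Ingredients 1-4: plaintext + encryption algorithm + secret key -> ciphertext.
    Each letter is shifted forward by `key` positions; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Ingredient 5: the decryption algorithm. Same secret key, shift reversed,
    which is exactly what makes the scheme 'symmetric'."""
    return caesar_encrypt(ciphertext, -key)


def recover_key_by_exhaustion(ciphertext: str, known_word: str) -> Optional[int]:
    """Why the key space matters: with 26 keys, whoever holds the ciphertext and
    knows (or guesses) one word of the plaintext tries every key and keeps the
    one that produces that word. Returns the recovered key, or None if none fits."""
    for candidate in range(len(ALPHABET)):
        if known_word.upper() in caesar_decrypt(ciphertext, candidate):
            return candidate
    return None


def key_space_bits(number_of_keys: int) -> float:
    """Express a key space as equivalent key bits so it can be compared with
    the 56-bit DES key mentioned on slide 22 (2**56 keys = 56 bits)."""
    return math.log2(number_of_keys)


if __name__ == "__main__":
    secret_key = 3                       # constructed: the key only sender and receiver hold
    plaintext = "ATTACK AT DAWN"         # constructed sample message
    ciphertext = caesar_encrypt(plaintext, secret_key)
    print("ciphertext:", ciphertext)
    print("decrypted :", caesar_decrypt(ciphertext, secret_key))
    print("key recovered without the secret:", recover_key_by_exhaustion(ciphertext, "DAWN"))
    print(f"Caesar key space: {key_space_bits(26):.1f} bits; DES: {key_space_bits(2**56):.0f} bits")
```

The second requirement on slide 22, secure key distribution, is the part the code cannot show: however the shift is chosen, sender and receiver still have to agree on it over a channel the attacker cannot read, which is the problem the asymmetric schemes on the following slides address.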

    23/36

    Asymmetric Encryption Algorithm

    Also called Public Key Encryption. It was proposed by Diffie and Hellman (1976).

    It is called an asymmetric encryption algorithm because different keys are used for encryption and decryption.

    Example: the RSA public key encryption algorithm, developed by Ron Rivest, Adi Shamir and Len Adleman at MIT in 1978.

    24/36

    Asymmetric Encryption Algorithm

    Six ingredients of a public key algorithm:

    Plaintext

    Encryption Algorithm

    Public Key

    Private Key

    Ciphertext

    Decryption Algorithm

    25/36

    Asymmetric Encryption Algorithm

    Essential Steps:

    1. Each user generates a pair of keys to be used for encryption and decryption of messages.

    2. Each user places one of the two keys in a public register. This is the Public Key. The other key is kept secret. That is called the Private Key.

    3. If one user wants to send a message to another user, he encrypts the message using the public key of the intended recipient.

    4. The recipient decrypts the message using his private key.

    26/36

    Asymmetric Encryption Algorithm

    27/36

    Asymmetric Encryption Algorithm

    Important Characteristics:

    It is computationally infeasible to determine the decryption key given only knowledge of the cryptographic algorithm and the encryption key.

    For most public key schemes, either of the two related keys can be used for encryption, and the other can then be used for decryption.
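As an added example (not code from the slides or the lecturer), the four essential steps of slide 25 and the two characteristics of slide 27 walked through with a toy RSA key pair in pure Python. The primes 61 and 53, the public exponent 17, the user name "bob" and the message 65 are constructed so that every number can be checked by hand; the last function shows, as a caveat, that the "computationally infeasible" characteristic only holds once the modulus is far too large to factor, which is why real keys use primes of hundreds of digits.

```python
"""Added example, not from the slides: the four 'essential steps' of public key
encryption with a toy RSA key pair, plus the two characteristics of slide 27.
Tiny primes keep the arithmetic visible; they give no security at all."""
from math import gcd
from typing import Dict, Tuple

Key = Tuple[int, int]  # (exponent, modulus)

# Step 2: the public register. Only public halves ever go in here.
PUBLIC_REGISTER: Dict[str, Key] = {}


def generate_key_pair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Step 1: a user derives a (public, private) pair from two primes.
    n = p*q is published; d is e's inverse modulo phi(n) and stays secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def publish(owner: str, public_key: Key) -> None:
    """Step 2: place the public key in the register; the private key never leaves its owner."""
    PUBLIC_REGISTER[owner] = public_key


def encrypt_for(recipient: str, message: int) -> int:
    """Step 3: the sender looks up the recipient's public key and encrypts with it."""
    e, n = PUBLIC_REGISTER[recipient]
    if not 0 <= message < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(message, e, n)


def decrypt(private_key: Key, ciphertext: int) -> int:
    """Step 4: only the holder of the matching private key can undo step 3."""
    d, n = private_key
    return pow(ciphertext, d, n)


def sign(private_key: Key, message: int) -> int:
    """Slide 27, second characteristic: the roles of the keys can be swapped.
    Transforming with the private key yields a signature anyone can check with
    the public key, giving the message integrity and non-repudiation of slide 16."""
    d, n = private_key
    return pow(message, d, n)


def verify(public_key: Key, message: int, signature: int) -> bool:
    e, n = public_key
    return pow(signature, e, n) == message


def recover_private_key(public_key: Key) -> Key:
    """Slide 27, first characteristic, seen from the other side: with a toy
    modulus, trial division finds p and q and therefore d in microseconds.
    'Computationally infeasible' only holds once n is far too large to factor."""
    e, n = public_key
    p = next(x for x in range(2, n) if n % x == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    bob_public, bob_private = generate_key_pair(61, 53)   # constructed toy primes
    publish("bob", bob_public)
    c = encrypt_for("bob", 65)                             # constructed message
    print("ciphertext:", c, "-> decrypted:", decrypt(bob_private, c))
    s = sign(bob_private, 65)
    print("signature verifies:", verify(bob_public, 65, s))
    print("toy private key recovered from public key:", recover_private_key(bob_public))
```

With these primes the public key is (17, 3233), the private key (2753, 3233), and the message 65 encrypts to 2790. Note that this is textbook RSA on a bare integer; a deployed system pads the message and signs a hash of it rather than the raw value, which this illustration leaves out.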

    28/36

    Firewalls

    A network firewall can be a communication processor (like a router) or a dedicated server running firewall software.

    A firewall serves as a gatekeeper system that protects a company's intranets and other computer networks from intrusion by providing a filter and a safe transfer point for access to and from the Internet and other networks.

    It screens all network traffic for proper passwords or other security codes and allows only authorized transmissions in and out of the network.

    29/36

    Firewalls

    (Diagram) Company PCs, internal company data servers and the Internet, separated by an internal firewall and an external firewall. The external firewall examines each packet and discards some types of requests; the internal firewall prevents users from accessing sensitive data.

    30/36

    Firewall types

    External firewalls keep out unauthorized Internet users. Internal firewalls prevent users from accessing sensitive Human Resources or Firewall Data.

    Passwords and browser security features control access to specific intranet resources.

    Intranet server features provide authentication and encryption where applicable.

    Network interface software is carefully crafted to avoid creating security holes to back-end resources.


    31/36

    Types of Firewalls

    32/36

    TCP/IP: The Internet Backbone. Protocol architecture (diagram):

    SMTP, HTTP, FTP, TFTP, TELNET

    TCP, UDP

    IP, ICMP, ARP, RARP

    Network Access Protocols

    33/36

    Packet Filtering Firewall

    Packet filters operate by first parsing packet headers and then applying filtering rules from an administrator-specified set of rules to determine whether:-

    To drop the data packet?

    To let the data packet pass?

    Filtering decisions are based on:-

    IP source or destination address

    TCP or UDP source and destination port

    ICMP message types
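As an added example (not code from the slides or the lecturer), a packet-filtering firewall of the kind slide 33 describes: it parses a packet header, then walks an ordered, administrator-specified rule list in which the first matching rule decides, and any packet no rule matches is dropped. The three decision inputs are exactly the ones the slide lists: IP source and destination address, TCP/UDP destination port, and ICMP message type. The "key=value" header format, the rule set, the 203.0.113.0/24 server range and the sample packets are all constructed for the illustration.

```python
"""Added example, not from the slides: a packet-filtering firewall that parses
packet headers and applies an ordered, administrator-specified rule list
(first match wins, implicit final drop). All addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class PacketHeader:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None      # TCP/UDP only
    dport: Optional[int] = None      # TCP/UDP only
    icmp_type: Optional[int] = None  # ICMP only


def parse_header(line: str) -> PacketHeader:
    """Parse a constructed 'key=value' header summary such as
    'src=198.51.100.7 dst=203.0.113.10 proto=tcp sport=51515 dport=443'."""
    fields = dict(item.split("=", 1) for item in line.split())
    return PacketHeader(
        src=fields["src"],
        dst=fields["dst"],
        proto=fields["proto"].lower(),
        sport=int(fields["sport"]) if "sport" in fields else None,
        dport=int(fields["dport"]) if "dport" in fields else None,
        icmp_type=int(fields["icmp_type"]) if "icmp_type" in fields else None,
    )


@dataclass(frozen=True)
class Rule:
    """One administrator rule. A field left at its default matches every packet."""
    action: str                       # "pass" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: PacketHeader) -> bool:
        return (
            ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.icmp_type is None or self.icmp_type == pkt.icmp_type)
        )


def decide(rules: List[Rule], pkt: PacketHeader) -> str:
    """First-match evaluation with an implicit final 'drop' (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


# Constructed rule set for an external firewall in front of 203.0.113.0/24.
EXTERNAL_RULES = [
    # Anti-spoofing: traffic arriving from the Internet must not claim an internal source.
    Rule("drop", src="10.0.0.0/8"),
    # Public web server: HTTPS only.
    Rule("pass", dst="203.0.113.10/32", proto="tcp", dport=443),
    # Mail server: SMTP only.
    Rule("pass", dst="203.0.113.25/32", proto="tcp", dport=25),
    # Replies to our own pings (echo reply, type 0) may come back; outside echo requests may not.
    Rule("pass", dst="203.0.113.0/24", proto="icmp", icmp_type=0),
    # Everything else falls through to the implicit drop.
]


def filter_log(lines: List[str], rules: List[Rule] = EXTERNAL_RULES) -> List[str]:
    """Run each header line through the rule set and prefix it with the decision."""
    return [f"{decide(rules, parse_header(line))} {line}" for line in lines]


if __name__ == "__main__":
    sample = [  # constructed header summaries, not captured traffic
        "src=198.51.100.7 dst=203.0.113.10 proto=tcp sport=51515 dport=443",
        "src=198.51.100.7 dst=203.0.113.10 proto=tcp sport=51516 dport=22",
        "src=10.1.2.3 dst=203.0.113.10 proto=tcp sport=4444 dport=443",
        "src=198.51.100.9 dst=203.0.113.25 proto=icmp icmp_type=8",
        "src=198.51.100.9 dst=203.0.113.25 proto=icmp icmp_type=0",
    ]
    print("\n".join(filter_log(sample)))
```

Two design points worth noticing: the anti-spoofing rule sits first so that it wins regardless of port, and there is no trailing "pass everything" rule, so a packet the administrator never thought about is dropped rather than admitted. Because a packet filter sees only headers, it cannot tell whether the bytes on port 443 are actually HTTPS; that inspection is what the application gateway on the next slide provides.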

    34/36

    Application Gateway (Firewall)

    An application firewall is an application-specific server through which all application data (inbound and outbound) must pass.

    Multiple application gateways may run on the same host, but each gateway is a separate server with its own processes.

    Organisations may often have multiple application firewalls:-

    Firewall Gateway for HTTP

    Firewall Gateway for FTP

    Firewall Gateway for Email

    35/36

    Virus Defenses

    Many companies are building defenses against the spread of viruses by centralising the distribution and updating of antivirus software as responsibilities of IS departments.

    Other companies are outsourcing virus protection responsibilities to ISPs or security management companies.

    36/36

    Virus Defenses

    Some Virus Security Products:

    Trend Micro (PC-cillin)

    McAfee (VirusScan)

    Symantec (Norton Antivirus)

    Security Suites:

    These are software packages which integrate virus protection with firewalls, web security and content blocking features.

    ZoneAlarm Security Suite 2005

    Norton Internet Security 2004