
- Ethical & Social Implications
- Overview
- What is Security?
- Slide 4
- Slide 5
- Slide 6
- Industry with most threats
- Most vulnerable industries:
- Top Vulnerabilities That Affect All Systems
- Types of security breaches
- Types of Security Breaches
- Computer viruses
- Types of Threats
- Human threats are caused by:
- Example: Theft and distribution to unauthorized persons
- Example: Intentional corruption
- Example: Disgruntled Employee
- Example: “Melissa” creator
- Example: Program corruption
- Software issues: Buffer overflow
- Application Security
- Top 10 application security defects:
- Solutions for application security
- Solutions for security:
- Vulnerability testing
- Track changes
- Security Policy
- Security Infrastructure investment
- Protect against internal threats
- Control physical access to your server room
- Government resources
- Closing Remarks

Ethical & Social Implications
Information Security

Overview
The security environment in which the information systems will operate includes assets, threats, and security measures. There are four basic categories of corporate assets: physical, intellectual (software), personnel, transactions and services.

What is Security?
Authentication
- Is someone who he or she says he or she is?
- Is some object (such as a program) what it says it is?
- Does a message come from where it says it comes from?
- Can someone deny something he or she did (nonrepudiation)?

What is Security?
Authorization
- What is a specific person or group of people allowed to do?
- What is a specific program allowed to do?

What is Security?
Encryption
- Who is allowed to see what information?

What is Security?
System Protection
- Virus protection
- Firewalls and proxies
- DOS
- Minimize accidental failures

Industry with most threats
Database software developers in the banking and finance industries reported more security breaches than database developers in any other industry polled in a recent survey.

Most vulnerable industries:
- 27 percent of the developers surveyed in the banking and financial services industries said they had experienced a security breach in the past year.
- 18 percent of database developers in the medical and health care industry and in telecommunications said they had experienced a security breach.
- 12 percent in electronic commerce and other internet companies experienced breaches.
- 9 percent in the government and military sector.

Top Vulnerabilities That Affect All Systems
- Default installs of operating systems and applications
- Accounts with No Passwords or Weak Passwords
- Non-existent or Incomplete Backups
- Large number of open ports
- Not filtering packets for correct incoming and outgoing addresses
- Non-existent or incomplete logging

Types of security breaches
Security breaches are classified under three general definitions: a computer virus, a human error, or an unauthorized break-in.

Types of Security Breaches
- Theft of assets
- Improper use of assets
- Use of assets for other than business purposes
- Unauthorized disclosure of information
- Intentional corruption of intellectual assets

Computer viruses
Computer viruses cost companies an average of $61,729 last year, according to the Computer Security Institute. Denial of service attacks cost companies an average of $108,717. The total annual loss last year for all forms of computer crime? More than $265 million.

Types of Threats
- Internal
- Intentional
- Unintentional
- External
Most people believe that the origin of security events and loss comes from evil hackers, but by far the largest number and impact of security-related events originate within the organization.

Human threats are caused by:
- careless people who leave the password to peer or use easy-to-crack passwords, or insert incorrect data into a database or programs
- dishonest people who insert false, incorrect information into the information system and computer programs, take advantage of flaws in manual or computerized procedures, take advantage of access to privileged information, or infect the information infrastructure with viruses
- disgruntled employees who destroy computer programs, pass user passwords to strangers, or corrupt system information
- hackers who read sensitive information through remote access to information, replicate and disseminate sensitive information, intercept sensitive information and infect information with viruses

Example: Theft and distribution to unauthorized persons
According to court documents, Turner and Williams each admitted that while employed by Chase Financial Corporation they knowingly and with the intent to further a scheme to defraud Chase Manhattan Bank and Chase Financial Corporation, accessed one or more computer systems without authorization or in excess of their authorized access on said computer systems, thereby obtaining credit card account numbers and other customer account information pertaining to approximately 68 accounts, which they were not authorized to access in connection with their duties at Chase Financial Corporation. They admitted that the aggregate credit limits for the targeted accounts totaled approximately $580,700.00.
They further admitted that after fraudulently obtaining said information, they distributed and transmitted it to one or more individuals via facsimile transmission, who, in turn, used the credit card accounts and other financial information to fraudulently obtain goods and services valued at approximately $99,636.08, without the knowledge or consent of the account holders, Chase Manhattan Bank or Chase Financial Corporation.

Example: Intentional corruption
On February 1, 2002, EITELBERG stopped working at MP. On April 11, 2002, an MP employee accessed the MP database containing customer orders, and found that the records of all of MP's orders had disappeared. The computer records at MP allegedly indicated that an individual accessed the MP computer system using a password from at or about 9:21 P.M. until at or about 9:46 P.M. on April 10, 2002, and that orders in the database were deleted during this computer session. Phone records indicated that between February 27, 2002, more than three weeks after EITELBERG stopped work at MP, and April 10, 2002, the phone line registered to the wife of EITELBERG, and located at the EITELBERG residence, was used to call MP's modem connection approximately 13 times, including the call made at or about 9:24 P.M. on April 10, 2002.

Example: Disgruntled Employee
As CTO, BLUM had access to all computer system passwords and information necessary to operate Askit's computer networks.



UNF CIS 4328 - Ethical and Social Implications
