System Security and Disaster Recovery Guide


Chapter 7: System Security, Disaster Recovery Planning and Ethics in System Development

Silas Gebretsadik
MU-MIT

System Security

Security: Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
Controls: Methods, policies, and organizational procedures that ensure the safety of the organization’s assets, the accuracy and reliability of its records, and operational adherence to management standards.

Basic Principles of Information Systems Security

Confidentiality
This principle is applied to information by enforcing rules about who is allowed to know it. Preserving personal privacy is one of the major objectives of confidentiality. It prevents the unauthorized disclosure of information and restricts data access to only those who are authorized.
Integrity
In any business organization with an information system, the correctness of the data values stored and manipulated, such as maintaining the correct signs and symbols, is an important concern. This concern is referred to as integrity: the prevention of unauthorized modification.

Availability
Availability refers to information being accessible, in usable form, when and where it is required. It is sometimes also explained as the prevention of unauthorized withholding of data or resources. Within any organization today, availability of resources and data is an important concern, since system failure is an organizational security issue.

Why systems are vulnerable

Accessibility of networks
Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
Software problems (programming errors, installation errors, unauthorized changes)
Disasters
Use of networks/computers outside of firm’s control
Loss and theft of portable devices

Internet vulnerabilities

Network open to anyone
Size of Internet means abuses can have wide impact
Use of fixed Internet addresses with cable or DSL modems creates fixed targets for hackers
Unencrypted VoIP
E-mail, P2P, IM
Interception
Attachments with malicious software
Transmitting trade secrets

Wireless security challenges

Radio frequency bands easy to scan
SSIDs (service set identifiers)
- access points
- Eavesdroppers drive by buildings and try to detect SSID and gain access to network and resources
WEP (Wired Equivalent Privacy): a security algorithm for IEEE 802.11 wireless networks
- Security standard for 802.11; use is optional
- Uses shared password for both users and access point
- Users often fail to implement WEP or stronger systems

Malware (malicious software)

Programs exploiting system vulnerabilities, known as malicious software or malware
- Program fragments that need a host program, e.g. viruses, logic bombs, and backdoors
- Independent self-contained programs, e.g. worms, bots
- Replicating or not
Sophisticated threat to computer systems
Malware Terminology
Virus
Worm
Logic bomb
Trojan horse
Backdoor (trapdoor)
Mobile code
Auto-rooter Kit (virus generator)
Spammer and Flooder programs
Keyloggers
Rootkit
Zombie, bot

Viruses
- Piece of software that infects programs
  - modifying them to include a copy of the virus
  - so it executes secretly when host program is run
- specific to operating system and hardware
  - taking advantage of their details and weaknesses
- a typical virus goes through phases of:
  - dormant
  - propagation
  - triggering
  - execution
- components:
  - infection mechanism - enables replication
  - trigger - event that makes payload activate
  - payload - what it does, malicious or benign
- prepended / postpended / embedded

Worms
- replicating program that propagates over net
  - using email, remote exec, remote login
- has phases like a virus:
  - dormant, propagation, triggering, execution
  - propagation phase: searches for other systems, connects to them, copies itself to them and runs
- may disguise itself as a system process

Morris Worm
- one of the known worms
- released by Robert Morris in 1988
- various attacks on UNIX systems
  - cracking password file to use login/password to log on to other systems

Bot
- "Bot" is derived from the word "robot" and is an automated process that interacts with other network services.
- Bots often automate tasks and provide information or services that would otherwise be conducted by a human being.
- Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or "botnet." With a botnet, attackers can launch broad-based, "remote-control," flood-type attacks against their target(s).
  - hard to trace attacks
- characteristics:
  - remote control facility
    - via IRC (Internet Relay Chat)/HTTP etc.
  - spreading mechanism
    - attack software, vulnerability, scanning strategy

Trojan horses
Software program that appears to be benign but then does something other than expected.
SQL injection attacks
Hackers submit data to Web forms that exploit a site’s unprotected software and send a rogue SQL query to the database.
Spyware
Small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising.
Key loggers
Record every keystroke on a computer to steal serial numbers, passwords, launch Internet attacks.
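
The SQL injection item above, shown as an added example that is not part of the original slides: the same lookup built by pasting form input into the query text, and with the input bound as a parameter. The table, column names, rows and the form value are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "clerk"), ("bob", "admin")])
    return db

def lookup_unsafe(db, login):
    # Unprotected: form input is pasted into the SQL text, so quote
    # characters in the input change the structure of the query.
    sql = "SELECT login, role FROM users WHERE login = '" + login + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, login):
    # Protected: the input is bound as a parameter and is only ever
    # compared as a value; it cannot add SQL syntax.
    sql = "SELECT login, role FROM users WHERE login = ?"
    return db.execute(sql, (login,)).fetchall()

FORM_INPUT = "nobody' OR '1'='1"   # constructed form value

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, FORM_INPUT))  # every row is returned
    print("safe:  ", lookup_safe(db, FORM_INPUT))    # no such login, no rows
```
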

General controls
Identification and Authentication

User Authentication
- fundamental security building block
  - basis of access control & user accountability
- is the process of verifying an identity claimed by or for a system entity
- has two steps:
  - identification - specify identifier
  - verification - bind entity (person) and identifier
- distinct from message authentication

Means of User Authentication
- four means of authenticating user’s identity
  - password, PIN
  - key, token, smartcard
  - static biometrics - e.g. fingerprint, retina
  - dynamic biometrics - e.g. voice, sign
- can use alone or combined, all can provide user authentication

Password Authentication
- widely used user authentication method
  - user provides name/login and password
  - system compares password with that saved for specified login
- authenticates ID of user logging in and
  - that the user is authorized to access system
  - determines the user’s privileges

Passwords
- Sequence of characters
  - Examples: 10 digits, a string of letters, etc.
  - Generated randomly, by user, by computer with user input
- Sequence of words
  - Examples: pass-phrases
- Algorithms
  - Examples: challenge-response, one-time passwords

Passwords: Dictionary attack

Token Authentication
- Object user possesses to authenticate, e.g.
  - embossed card
  - magnetic stripe card
  - memory card
  - smartcard

Biometric Authentication
- authenticate user based on one of their physical characteristics
- Automated measurement of biological, behavioral features that identify a person
- Fingerprints: optical or electrical techniques
  - Maps fingerprint into a graph, then compares with database
  - Measurements imprecise, so approximate matching algorithms used
- Voices: speaker verification or recognition
  - Verification: uses statistical techniques to test hypothesis that speaker is who is claimed (speaker dependent)
  - Recognition: checks content of answers (speaker independent)


Can use several other characteristics
- Eyes: patterns in irises unique
  - Measure patterns, determine if differences are random; or correlate images using statistical tests
- Faces: image, or specific characteristics like distance from nose to chin
  - Lighting, view of face, other noise can hinder this
- Keystroke dynamics: believed to be unique
  - Keystroke intervals, pressure, duration of stroke, where key is struck
  - Statistical tests used
Administrative controls
Ensure organizational policies, procedures and standards are enforced
Segregation of functions to reduce errors and fraud
Supervision of personnel to ensure policies and procedures are being adhered to

Application controls
Unique to each computerized application
Include input, processing, and output controls

Input controls
- Data is accurate and consistent on entry
- Direct keying of data, double entry or automated input
- Data conversion, editing and error handling
- Field validation on entry
- Input authorization and auditing
- Checks on totals to catch errors

Processing controls
- Data is accurate and complete on processing
- Checks on totals to catch errors
- Compare to master records to catch errors
- Field validation on update
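
The input and processing controls listed above, as an added example that is not part of the original slides: field validation per record, comparison against master records, and a record count plus control total for the batch. The record layout, header fields, account numbers and sample batches are constructed assumptions; the altered batch shows a change that passes field validation and is caught only by the control total.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: master file, batch header and two batches.
MASTER_ACCOUNTS = {"1001", "1002", "1003"}
HEADER = {"record_count": 3, "control_total": "350.00"}
GOOD = [{"account": "1001", "amount": "100.00"},
        {"account": "1002", "amount": "200.00"},
        {"account": "1003", "amount": "50.00"}]
ALTERED = [GOOD[0], {"account": "1002", "amount": "2000.00"}, GOOD[2]]

def validate_record(rec):
    """Field validation on entry; returns a list of error strings."""
    errors = []
    if rec.get("account") not in MASTER_ACCOUNTS:   # compare to master records
        errors.append("unknown account")
    try:
        amount = Decimal(str(rec.get("amount", "")))
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            errors.append("amount out of range")
    except InvalidOperation:
        errors.append("amount not a valid number")
    return errors

def check_batch(header, records):
    """Field validation per record, then record count and control total."""
    problems, total = [], Decimal("0")
    for line_no, rec in enumerate(records, start=1):
        errs = validate_record(rec)
        if errs:
            problems.append((line_no, errs))
        else:
            total += Decimal(str(rec["amount"]))
    if len(records) != header["record_count"]:
        problems.append(("batch", ["record count mismatch"]))
    if total != Decimal(header["control_total"]):
        problems.append(("batch", ["control total mismatch"]))
    return problems

if __name__ == "__main__":
    print(check_batch(HEADER, GOOD))      # clean batch, no problems
    print(check_batch(HEADER, ALTERED))   # valid fields, wrong total
```
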

Output controls

Disaster recovery plan
- Runs business in event of computer outage
- Load balancing: Distributes a large number of requests for access among multiple servers.
- Mirroring: Duplicating all processes and transactions of a server on a backup server to prevent any interruption in service.
- Clustering: Linking two computers together so that a second computer can act as a backup to the primary computer or speed up processing.

Firewalls
- Prevent unauthorized users from accessing private networks
- Two types: proxies and stateful inspection

Intrusion Detection System
- Monitors vulnerable points in network to detect and deter unauthorized intruders

Ethics in System Development

Treat the money like it’s your own
- If you make financial decisions as if it were your own money, you’ll always make the best decisions you can for your client.

Care for your community
- Your project affects a diverse range of stakeholders. Know who they are and how you will change their lives. And know how you will explain your project to your families and friends.

Account for the full product life cycle
- Today’s new product is tomorrow’s landfill. Understand the true cost of ownership by full lifecycle costing, from sourcing materials to disposal.

Do the best you can
- When you turn up for work, remind yourself that you are there to do the best job you can. Be active, creative and efficient.

Deal fairly with your suppliers

Honesty all the time
- Never lie by omission.
- Never lie by vagueness.
- Never lie by delaying.
- Never lie by clutter.
- Never lie by jargon.
- Never lie!!

Help others along
- Projects are not just delivered by teams. They are delivered by communities, workforces and professions. You have a place in these groups; there is always someone to learn from and someone to help along. Share what you know and receive help when you need it.

Don’t waste resources


The End of The course!!!
Thanks for your attention
Do you have any questions?
