• Risk management
  • Risk identification
    • List and classify assets and analyze possible threats
    • Identify vulnerabilities and how they might be exploited
  • Risk assessment
    • Risks need to be calculated and prioritized
  • Risk control
    • Strategies: avoidance, mitigation, transference, and acceptance

• System security involves six separated but interrelated levels

• Physical security
  • Operations center security
    • Each entrance must be equipped with a suitable security device
  • Servers and desktop computers
    • Install locks on server racks to avoid unauthorized placement of keystroke loggers
    • Tamper evident cases and BIOS-level passwords can be used

• Portable computers
  • Select an operating system with strong protection
  • Mark case with company name and address
  • Consider devices that have a built-in fingerprint reader, facial recognition, and use the Universal Security Slot (USS)
  • Back up all vital data before using the computer outside the office and link the system to a tracking software
  • Use location services
  • alert to high-risk situations while traveling
  • Establish stringent password protection policies

• Network security
  • Encrypt network traffic: private key encryption and public key encryption
  • Wireless networks: WPA2 strengthens the level of wireless protection
  • Private networks can be used when speed is necessary
  • Virtual Private Networks (VPN) establish secure connections for a large number of computers

FIGURE 12-22: In a DoS attack, an attacker sends numerous authentication requests with false return addresses. The server tries unsuccessfully to send out authentication approval and is eventually disabled by the floor of requests. More sophisticated DoS attacks are distributed (DDoS), as shown in this figure. Instead of a single computer, the attacker uses an army of botnets (computers unknowingly infected with malware that are difficult to trace) to attack the target.

• Application security
  • Services that are not needed must be disabled
  • Unnecessary or improperly configured service could create a security hole
  • Hardening removes unnecessary accounts, services, and features
  • Application permissions: must be configured to be run by users who have specific rights
  • Input validation helps safeguard data integrity and security

• Patches and updates are used to repair security holes, reduce vulnerabilities, and update the system
• Software logs document all events and help understand past attacks and prevent future intrusions

• File security
  • Encryption: scrambles the contents of a file or document to protect it from unauthorized access
  • Permissions: describe the rights a user has to a particular file or directory on a server
  • User groups: administrators can create user groups and assign file permissions

• User security
  • Identity management: controls and procedures necessary to identify legitimate users and system components
  • Password protection: policies need to specify a set minimum length, complexity, and a limit on invalid attempts
  • Social engineering: intruder uses social interaction to gain unauthorized access to a computer system

• Procedural security (operational security)
  • Policies and controls that ensure secure operations
  • Defines how particular tasks are to be performed
  • Includes safeguarding procedures that would be valuable to an attacker
  • Organization must explain procedures and issue reminders that will make security issues a priority

• Backup policies
  • Backup media: includes tape, hard drives optical and online storage
    • Offsiting: storing backup away from main location
    • Cloud-based storage is growing rapidly
  • Backup types: full, differential, incremental, and continuous
  • Retention periods: backups are stored for a specific time beyond which they are either destroyed or reused

• Business continuity issues
  • disaster recovery plan should be created along with a test plan
    • Often part of a business continuity plan (BCP): defines how critical business functions can continue during a major disruption

• Factors
  • Maintenance increasing steadily
  • Operational costs or times increasing rapidly
  • Software package provides the same or additional services more efficiently
  • New technology offers a way to perform the same or additional functions more efficiently
  • Maintenance changes or additions are difficult and expensive to perform
  • Users request significant new features

• Trends and predictions
  • Cybercrime will increase significantly
  • Smartphones and tablets will become the dominant computing platform
  • Software-as-a-Service will become the norm
  • Cloud computing will become the principal computing infrastructure
  • Insourcing will increase
  • Large enterprises may require suppliers to certify green credentials and sourcing policies

• Cyberethics
  • computers permeate more and more of our lives, the decisions made by IT professionals can have serious implications
  • Situations may arise involving ethical considerations that are not easy to resolve
  • Ethical, social, and legal aspects of IT are topics that today’s systems analyst should be prepared to address