SPIM: Understanding Unwanted Instant Messages - Ethics, Security, and Privacy - Prof. Fais

Information Security – 1: Laying the groundwork for discussion

SPIM: Ethics, security, & privacy all in one
• What is SPIM?
• How is it different from SPAM?
• Who is most likely to receive SPIM?
• How can you defend against it?
• What are the costs of SPIM?
General and Application Controls for Protecting Information Systems

Type of Control: Description of Purpose

General Controls

Physical controls: Physical protection of computer facilities and resources.
Access controls: Restriction of unauthorized user access to computer resources; concerned with user identification.
Data security controls: Protecting data from accidental or intentional disclosure to unauthorized persons, or from unauthorized modification or destruction.
Administrative controls: Issuing and monitoring security guidelines.
Communications (network) controls:
  Border security: Major objective is access control.
  Firewalls: System that enforces access-control policy between two networks.
  Virus controls: Antivirus software (see www.trendmicro.com, www.cert.org, www.pgp.com, www.symantec.com, www.rsasecurity.com, www.mcafee.com, and www.iss.net).
  Intrusion detection: Major objective is to detect unauthorized access to network.
  Virtual private networking: Uses the Internet to carry information within a company and among business partners but with increased security by use of encryption, authentication, and access control.
  Authentication: Major objective is proof of identity.
  Authorization: Permission issued to individuals and groups to do certain activities with information resources, based on verified identity.

Application Controls

Input controls: Prevent data alteration or loss.
Processing controls: Ensure that data are complete, valid, and accurate when being processed and that programs have properly executed.
Output controls: Ensure that the results of computer processing are accurate, valid, complete, and consistent.
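The table defines a firewall as a system that enforces an access-control policy between two networks and gives intrusion detection the objective of spotting unauthorized access. The following constructed Python example, added here and not taken from the lecture notes, shows both ideas in miniature: a first-match rule list with a default-deny fallback, and a small watcher that flags sources whose traffic keeps being denied. The networks (10.0.0.0/8 as internal, a single host 192.0.2.10 as a DMZ web server), the policy rules and the packets are all assumptions made up for the example.

```python
"""Added example: first-match firewall policy between two networks with
default deny, plus a detection hook that counts denied packets per source.
All addresses, rules and packets below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    proto: str           # "tcp", "udp" or "any"
    dports: frozenset    # permitted destination ports; empty means any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


INTERNAL = "10.0.0.0/8"      # assumed internal network
DMZ_WEB = "192.0.2.10/32"    # assumed DMZ web server
ANY = "0.0.0.0/0"

# Assumed policy: internal hosts may reach the DMZ web server on 443 and
# resolve DNS anywhere; nothing from outside may initiate into the internal
# network. Anything not matched falls through to DEFAULT_ACTION.
POLICY = [
    Rule("allow", INTERNAL, DMZ_WEB, "tcp", frozenset({443})),
    Rule("allow", INTERNAL, ANY, "udp", frozenset({53})),
    Rule("deny", ANY, INTERNAL, "any", frozenset()),
]
DEFAULT_ACTION = "deny"


def matches(rule, pkt):
    """True when every field of the packet satisfies the rule."""
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(policy, pkt):
    """First matching rule wins; returns (action, rule index or None)."""
    for index, rule in enumerate(policy):
        if matches(rule, pkt):
            return rule.action, index
    return DEFAULT_ACTION, None


class DenyWatcher:
    """Intrusion-detection style hook: flag sources with repeated denials."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.denied = Counter()

    def observe(self, pkt, action):
        if action == "deny":
            self.denied[pkt.src] += 1
        return self.denied[pkt.src] >= self.threshold

    def flagged(self):
        return sorted(s for s, n in self.denied.items() if n >= self.threshold)


# Constructed sample traffic: one legitimate session, one internal host
# trying an unpermitted port, and an outside host probing an internal host.
SAMPLE_PACKETS = [
    Packet("10.1.2.3", "192.0.2.10", "tcp", 443),
    Packet("10.1.2.3", "192.0.2.10", "tcp", 22),
    Packet("10.1.2.3", "8.8.8.8", "udp", 53),
    Packet("203.0.113.5", "10.1.2.3", "tcp", 3389),
    Packet("203.0.113.5", "10.1.2.3", "tcp", 445),
    Packet("203.0.113.5", "10.1.2.3", "tcp", 22),
]


def run_sample(packets=SAMPLE_PACKETS, policy=POLICY):
    """Evaluate each packet and return the decisions plus flagged sources."""
    watcher = DenyWatcher(threshold=3)
    decisions = []
    for pkt in packets:
        action, index = evaluate(policy, pkt)
        watcher.observe(pkt, action)
        decisions.append((pkt.src, pkt.dst, pkt.dport, action, index))
    return decisions, watcher.flagged()


if __name__ == "__main__":
    for row in run_sample()[0]:
        print(row)
    print("flagged sources:", run_sample()[1])
```

The default-deny fallthrough is the part worth noticing: the internal host's attempt on port 22 is not rejected by any explicit rule, it simply fails to match an allow rule, which is the safe direction for a border control to fail in.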
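The three application-control rows (input, processing, output) are easiest to understand on an actual batch run. The constructed Python example below, added here and not part of the original notes, pushes a small batch of postings through all three stages: input controls reject malformed, duplicate and out-of-range records and reconcile the survivors against a declared batch control record; processing controls check that every record was posted and that the posted total equals the input total; output controls reconcile the rendered report's record count, amount total and account hash total. The batch format, the control record and the MAX_AMOUNT limit are assumptions made up for the example.

```python
"""Added example: input, processing and output controls on a constructed
batch of postings. The data and format are invented for illustration."""
from decimal import Decimal, InvalidOperation

# Constructed batch. The first line is the control record a submitter attaches:
# the record count and amount total they believe the batch carries.
BATCH_LINES = [
    "CONTROL,count=5,total=2500.00",
    "T1,1001,500.00",
    "T2,1002,250.00",
    "T3,1003,25O.00",   # letter O instead of zero: malformed amount
    "T2,1004,750.00",   # duplicate transaction id
    "T4,1005,750.00",
]
MAX_AMOUNT = Decimal("10000.00")   # assumed per-record ceiling


def parse_control(line):
    """Read the declared record count and control total."""
    parts = line.split(",")
    if parts[0] != "CONTROL":
        raise ValueError("batch must start with a CONTROL record")
    fields = dict(p.split("=", 1) for p in parts[1:])
    return int(fields["count"]), Decimal(fields["total"])


def input_control(lines):
    """Input controls: accept only well-formed, unique, in-range records and
    reconcile the accepted set against the declared count and total."""
    declared_count, declared_total = parse_control(lines[0])
    accepted, rejected, seen = [], [], set()
    for line in lines[1:]:
        parts = line.split(",")
        if len(parts) != 3:
            rejected.append((line, "wrong field count"))
            continue
        rid, account, amount = parts
        if rid in seen:
            rejected.append((line, "duplicate transaction id"))
            continue
        if not account.isdigit():
            rejected.append((line, "non-numeric account"))
            continue
        try:
            amt = Decimal(amount)
        except InvalidOperation:
            rejected.append((line, "malformed amount"))
            continue
        if not (Decimal("0") < amt <= MAX_AMOUNT):
            rejected.append((line, "amount out of range"))
            continue
        seen.add(rid)
        accepted.append((rid, int(account), amt))
    reconciled = (len(accepted) == declared_count
                  and sum(a for _, _, a in accepted) == declared_total)
    return accepted, rejected, reconciled


def process(records):
    """Processing controls: post amounts as integer cents, then verify that
    every record was posted and the posted total matches the input total."""
    postings, posted_cents = [], 0
    for rid, account, amt in records:
        cents = int(amt * 100)
        postings.append((rid, account, cents))
        posted_cents += cents
    input_cents = int(sum(a for _, _, a in records) * 100)
    ok = len(postings) == len(records) and posted_cents == input_cents
    return postings, ok


def output_control(postings, records):
    """Output controls: render the report and reconcile its record count,
    amount total and account hash total against the processed data."""
    report = [f"{rid},{account},{cents // 100}.{cents % 100:02d}"
              for rid, account, cents in postings]
    report_total = sum(Decimal(line.split(",")[2]) for line in report)
    report_hash = sum(int(line.split(",")[1]) for line in report)
    ok = (len(report) == len(records)
          and report_total == sum(a for _, _, a in records)
          and report_hash == sum(acct for _, acct, _ in records))
    return report, ok


def run_batch(lines=BATCH_LINES):
    """Run all three stages and return a summary of what each control found."""
    accepted, rejected, reconciled = input_control(lines)
    postings, processing_ok = process(accepted)
    report, output_ok = output_control(postings, accepted)
    return {
        "accepted": len(accepted),
        "rejected": [reason for _, reason in rejected],
        "input_reconciled": reconciled,
        "processing_ok": processing_ok,
        "output_ok": output_ok,
        "report": report,
    }


if __name__ == "__main__":
    for key, value in run_batch().items():
        print(f"{key}: {value}")
```

On the constructed batch the input stage rejects two records, so the accepted set no longer matches the submitter's declared count and total; the mismatch is reported rather than hidden, while processing and output controls confirm that the records that were accepted went through intact.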
The Difficulties in Protecting Information Resources
• Hundreds of potential threats exist.
• Computing resources may be situated in many locations.
• Many individuals control information assets.
• Computer networks can be outside the organization and difficult to protect.
• Rapid technological changes make some controls obsolete as soon as they are installed.
• Many computer crimes are undetected for a long period of time, so it is difficult to learn from experience.
• People tend to violate security procedures because the procedures are inconvenient.
• Many computer criminals who are caught go unpunished, so there is no deterrent effect.
• The amount of computer knowledge necessary to commit computer crimes is usually minimal. As a matter of fact, one can learn hacking, for free, on the Internet.
• The cost of preventing hazards can be very high. Therefore, most organizations simply cannot afford to protect against all possible hazards.
• It is difficult to conduct a cost-benefit justification for controls before an attack occurs because it is difficult to assess the value of a hypothetical attack.
Summary
• Security is about risk.
• Risk
  • Accept
  • Limit
  • Transfer