CSE1IS Information Systems Week 12 Lecture 2 Systems Control and Security

S.C.&R. Chapter 10, pp. 494-504

SDLC: Phase 5: Systems Operation and Support

1. Overview:

• Systems Operation, Support, and Security is the final phase in the systems development life cycle (SDLC)
• You will be supporting a functioning information system
• You continuously will assess and improve the system, and you will be alert to any signs of obsolescence
• You will also address multi-level security issues
• Generally, things that require attention include:
  • altering of data
  • destruction or unauthorised changing of programs
  • illegal copying of software
  • theft of computer time and resources
  • illegal accessing of confidential data
  • theft by altering computer records

2. Security:

Taken very seriously. See: AusCERT (the national Computer Emergency Response Team for Australia), in particular:

2006 Australia Computer Crime and Security Survey

The design of appropriate security features for an information system is an important part of any IS development project. You should be concerned with :  

• Physical Security i.e. the security of the equipment
• Logical Security i.e. the security of the `software'
• Behavioral Security i.e. the work practices associated with system use

• people (accidental or otherwise)
• nature (fire, flood and other natural disasters)
• software (threats for software viruses)

2.1 Physical Security:

Physical security involves the physical protection of the system, particularly the hardware on which it runs.

• Computer Room:
  • controlling access to a computer facility i.e. identity cards, sign-in sign-out procedures
  • installation of warning devices (i.e. smoke  detectors, close circuit TV monitors etc.) and an appropriate disaster plan
  • the provision of backup power facilities,  in case of power failure.
  • the availability of an alternative site in case of a disaster.
• Servers and Desktops:
  • keystroke logger
  • passwords
  • tamper-evident cases
• Notebook Computers:
  • engraved labels
  • ensure logon password is required
  • physical precautions whilst travelling
  • backup the data regularly .

The extent to which these are implemented depends on the potential risk, workplace requirements and the importance of the facility to the organisation.

2.2 Network Security:

• computers require a network interface card (NIC)
• encrypt data, especially passwords (may default to plain text)
• online E-Commerce applications especially need to use secure pages for credit card details
• eg. Public Key Encryption
  • Public Key is used to encrypt data
  • Private Key, only held at the server, is used to decrypt the data
• eg. Internet browsers
  • Secure Sockets Layer (SSL2 and SSL3) is an encrypted protocol for transferring data between the client and server.
  Transport Layer Security (TLS) is a newer protocol
  • Certificates can be created or purchased containing different encryption/decryption methods
• Wireless Networks:
  • often shipped with open access
• use Wi-Fi Protected Access (WPA-best) or Wired Equivalent Privacy (WEP) to set a password for access to the wireless network
  - set password in receiver
  - then client must provide the password to access the network
• encryption important on all data
• Private Network:
  • connection between computers with no outside access
• Virtual Private Networks (VPN):
  • uses public network, usually the Internet
  • using encryption and network keys so that only computers on the VPN can be seen and accessed
  • secure connections
• Proxy Server:
  • a server that sits between a client, or LAN, and the Internet
    eg. between the La Trobe LAN and the Internet
  • can be used to filter in/out network traffic
  • can provide a cache for the LAN ==> improves performance
  • can collate statistics of usage by users on the LAN
• Firewalls:
  • filter network traffic according to a set of rules
  • i.e. only allows connections to certain ports and IP addresses
  • installed in proxy servers, web servers and client computers
  • can detect Denial of Service attacks
    - then ignore the attacking computer
• Guard against Viruses and Worms (definitions from webopedia.com):
  • Virus: A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are manmade. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.
  • Worm: A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.
  • Update virus protection and install operating system updates regularly

2.3 Application Security:

• Web Server or even clients connected to the Internet
  • Security holes, say using ftp protocol/ports
• Access to application:
  • Username and password
  • Administrator – super-user
  • Permissions
• Input validation
• Patches and updates for third-party software
  • Patches
  • Third-party software
  • Automatic update servic

2.4 File Security:

• only those requiring access should be able to access a file
  • including programmers during development
• special requirements for web servers
• use standard operating system permissions
  • individual user access
  • group access
• Virus checking

2.5 User Security:

• Identification:
  • usually username and password
• password compromise
  - secure passwords have minimum length and must contain chars + numbers
• periodic changing of passwords
• includes employees during development
• separation of duties
  • sensitive program modules should be developed in pieces by different employees
  • rotation of employees
• user resentment
• guard against software theft

3. General Controls:

Logical security and software controls are concerned with the protection of the software and stored data from accidental and deliberate corruption. They include:

• the design controls to access the software (systems) such as passwords or authorization codes.
• the provision concurrency controls for database protection.
• the encryption of sensitive data during data communication.
• the prevention of  unauthorized copying of software.
• the protection of software and hardware from computer `viruses'
• the monitoring of  user sessions.
• the establishment of audit trails. In other words the ability to `track' transactions as they are processed.
• prevent outsiders from accessing an organization's private data resources and for controlling what outside resources its own users have access to (`firewall')

4. Behavioural Security

Behavioural security ensures that the work practices associated with system use are not a security threat. The following issues may be important.

• You may need to implement security clearances for new employees.
• You may need to ensure that operational and security policies are updated and distributed on a regular basis
• You might consider conducting random checks to ensure that the correct procedures are being strictly adhered to.
• You might need to implement strict procedures regarding the shredding and disposal of sensitive documents.
• Investigation of employees whose lifestyle appears to have altered

5. Disaster Planning:

• A breach of security (deliberately, by mistake or by natural disaster) is inevitable. Senior management and systems designer need to design and implement a policy to minimise loss during a breach.
• Tested backup facilities are essential in the event of computer system shutdown.
  • eg. Bendigo Bank's Data Recovery Centre
• Possible causes of system failure due to physical dangers and prevention methods include ...
  • Fire and smoke damage prevention - sprinkler system.
  • Protection against water accumulating in the computer facility (flood) - wires and equipment (electrical) should be elevated and sealed.
  • Loss of data and program backups
  • Air-conditioning malfunction (allowing temperature and/or humidity increase, dusty atmosphere) - backups?
• All procedures associated with a computerised information system should be documented. (System, program, operation and user, disaster plan).
• All documentation should be updated each time a change is made. A library of previous document versions should be kept for ensuring current versions are being used.
• What if your network uses the public telephone system and the part you are using goes down?

6. Database Security:

• securing a database from system failures involves designing:-
  • error recovery,
  • backup and system access procedures to safeguard data
• error recovery procedures address how to recover from an abnormal program termination or hardware failure that could corrupt the database
• unauthorised access is prevented by defining access authorisations in the database definition and by designing system log-on procedures
  • database access requires separate username/password
• a good Database Mangement System (DBMS) package provides these controls

References:

• Shelly, Cashman & Rosenblatt, Systems Analysis and Design, 6th Edition,  Course Technology, 2006.

NOTE: this webpage has not been brought up to WCAG 1.0 standard nor does it contain validated HTML