Information Security Management
Using MIS 4e
Chapter 12

Study Questions
Q1 What are the threats to information security?
Q2 What is senior management's security role?
Q3 What technical safeguards are available?
Q4 What data safeguards are available?
Q5 What human safeguards are available?
Q6 How should organizations respond to security incidents?
Q7 What is the extent of computer crime?
Q8 2021?
Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall
Q1: What Are the Threats to Information Security?
Security threats arise from three sources:
• Human errors and mistakes
• Malicious human activity
• Natural events and disasters
Human Errors and Mistakes
• Accidental problems caused by both employees and nonemployees
  • An employee misunderstands operating procedures and accidentally deletes customer records
  • An employee, while backing up a database, inadvertently installs an old database on top of the current one
• Poorly written application programs and poorly designed procedures
• Physical accidents, such as driving a forklift through a computer room wall
Malicious Human Activity
• Employees and former employees who intentionally destroy data or other system components
• Hackers who break into a system; virus and worm writers who infect computer systems
• Outside criminals who break into a system to steal for financial gain
• Terrorism
Natural Events and Disasters
• Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature
• Includes the initial loss of capability and service, and losses stemming from actions taken to recover
What Are the Types of Security Problems?
Safeguards
Q3: What Technical Safeguards Are Available?
Identification and Authentication
Authentication methods:
• Password
• Smart card
• Biometric
Smart cards:
• Microchip embedded with identifying data
• Authentication by PIN
Biometric authentication:
• Fingerprints, face scans, retina scans
• See http://searchsecurity.techtarget.com
Single sign-on for multiple systems:
• Authenticate once to the network and other servers
Single Sign-on for Multiple Systems
The operating system authenticates you to networks and other servers. You sign on to your local computer and provide authentication data; from that point on, the operating system authenticates you to other networks or servers.
Kerberos: a network authentication protocol that authenticates users without sending passwords across the computer network. It uses a system of "tickets", issued by a trusted server, to let users obtain services from networks and other servers. Windows, Linux, Unix, and other operating systems employ Kerberos to authenticate user requests across networks of computers running a mixture of operating systems.
Single sign-on also concentrates risk: one stolen password or ticket opens every system the user can reach, so the workstation and the credential need correspondingly stronger protection.
Always protect your passwords!
Wireless Access
• Drive-by sniffers: walk or drive around a business or residential area with a wireless computer and locate dozens, or even hundreds, of wireless networks.
• VPNs and special security servers: sophisticated communications equipment using elaborate techniques that require the support of highly trained communications specialists.
• IEEE 802.11 Committee: developed a wireless security standard called Wired Equivalent Privacy (WEP). Unfortunately, WEP has serious flaws; its keys can be recovered from captured traffic in minutes, so a WEP network should be treated as an open one.
• Wi-Fi Protected Access (WPA) and WPA2: developed and improved wireless security standards that newer wireless devices use. WPA2 with a strong passphrase (or enterprise authentication) is the minimum to require; WPA3 has since been published and supersedes it.
Encryption
Essence of HTTPS (SSL or TLS)
Digital Signatures
Most messages, such as email, are sent over the Internet as plaintext.
• "Please deliver shipment 1000 to our Oakdale facility." It is possible for a third party to intercept the email, remove "our Oakdale facility", substitute its own address, and send the message on to its destination.
Digital signatures are a technique for ensuring that plaintext messages are received without alteration, and that they came from the claimed sender.
• The plaintext message is first hashed. (Hashing is a method of mathematically creating a string of bits, the message digest, that characterizes the message; changing even one character of the message changes the digest.) Under one popular standard, SHA-1, message digests are 160 bits long. SHA-1 is now considered too weak for signatures; SHA-256, with a 256-bit digest, is the usual choice.
• The sender then encrypts the digest with its private key; that encrypted digest is the signature. The receiver recomputes the digest from the message it received and decrypts the signature with the sender's public key. If the two digests match, the message is unaltered and came from the holder of the private key.
Using Digital Signatures
Digital Certificates: How Does the Receiver Obtain the True Party's Public Key?
Certificate authorities (CAs): trusted, independent third-party companies that supply public keys.
• The browser requests the public key for Bank of America.
• The CA responds with a digital certificate: "Bank of America" (key), signed with the CA key.
A digital certificate is plaintext, so it could be intercepted and someone could substitute its own public key for Bank of America's. To prevent that, the CA signs the digital certificate with its digital signature. The browser checks that signature with the CA's public key, which it already holds, before trusting the key inside, and also confirms that the name in the certificate is the party it meant to reach.
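The two slides above describe hash-then-sign and CA-signed certificates. The following is an added worked example, not code from the textbook, using only the Python standard library. It uses raw, unpadded textbook RSA over four constructed Mersenne primes so that the modulus exceeds a SHA-256 digest; those primes, the key names and the "Bank of America" certificate body are assumptions for illustration and provide no real security (a real system uses a vetted library, 2048-bit or larger keys or an elliptic-curve scheme, and a padding scheme such as PSS).

```python
import hashlib
import json
from math import gcd

# Constructed toy primes (Mersenne primes 2^521-1, 2^607-1, 2^1279-1, 2^2203-1).
# They are public and instantly recognisable, so these keys offer no security;
# they only make n larger than a 256-bit digest without a prime generator.
P1, P2, P3, P4 = (1 << 521) - 1, (1 << 607) - 1, (1 << 1279) - 1, (1 << 2203) - 1


def make_keypair(p, q, e=65537):
    """Textbook RSA: public (n, e), private (n, d). No padding; toy only."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))


def digest(message: bytes) -> int:
    """Hash first: the signature covers the fixed-size digest, not the text."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """Sender 'encrypts' the digest with its private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Receiver recomputes the digest and compares it with the decrypted signature."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def _encode(body: dict) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """CA signs the binding 'subject name -> public key'."""
    body = {"subject": subject, "n": subject_public[0], "e": subject_public[1]}
    return {"body": body, "ca_signature": sign(ca_private, _encode(body))}


def key_from_certificate(cert: dict, ca_public, expected_subject: str):
    """Return the subject's public key only if name and CA signature check out."""
    body = cert["body"]
    if body["subject"] != expected_subject:
        return None
    if not verify(ca_public, _encode(body), cert["ca_signature"]):
        return None
    return (body["n"], body["e"])


def demo() -> dict:
    """Chapter scenario: signed shipment message, tampering, CA-issued certificate."""
    bank_pub, bank_priv = make_keypair(P1, P2)   # "Bank of America" (assumed toy key)
    ca_pub, ca_priv = make_keypair(P3, P4)       # certificate authority (assumed toy key)

    msg = b"Please deliver shipment 1000 to our Oakdale facility."
    sig = sign(bank_priv, msg)
    tampered = msg.replace(b"our Oakdale facility", b"the attacker's warehouse")

    cert = issue_certificate(ca_priv, "Bank of America", bank_pub)
    # Interceptor swaps in its own key but cannot re-sign the body as the CA.
    mallory_pub, _ = make_keypair(P1, P3)
    forged = {"body": {**cert["body"], "n": mallory_pub[0], "e": mallory_pub[1]},
              "ca_signature": cert["ca_signature"]}

    return {
        "genuine_verifies": verify(bank_pub, msg, sig),
        "tampered_verifies": verify(bank_pub, tampered, sig),
        "cert_yields_bank_key": key_from_certificate(cert, ca_pub, "Bank of America") == bank_pub,
        "forged_cert_rejected": key_from_certificate(forged, ca_pub, "Bank of America") is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two points the slides leave implicit show up in the code: the signature is computed over the digest, so any edit to the text (the "Oakdale" substitution) fails verification even though the signature bytes are untouched; and the certificate check is only as good as the CA public key the browser already holds, which is why trusting a new CA is a security decision, not a convenience.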
Firewalls
A computing device that prevents unauthorized network access. It may be a special-purpose computer or a program on a general-purpose computer.
Organizations may have multiple firewalls:
• Perimeter firewalls outside the network
• Internal firewalls inside the network
• Packet-filtering firewalls examine the header of each packet (source and destination IP address, port, protocol), not the message contents; they may filter both incoming and outgoing messages
• Encoded rules state which IP addresses (and ports) are allowed into or out of the network; anything no rule explicitly permits should be dropped by default
Do not connect to the Internet without firewall protection.
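As an added illustration of packet filtering (example code, not from the textbook), the following Python simulates a rule set evaluated against constructed packets. The rule format, the internal network 10.0.0.0/8, the web server address 10.1.1.10 and the sample packets are all invented for this example; real firewalls express the same ideas in their own syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at; no payload."""
    direction: str  # "in" = arriving from the Internet, "out" = leaving
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0  # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"    # CIDR; 0.0.0.0/0 = any address
    dst: str = "0.0.0.0/0"
    dports: tuple = ()        # () = any port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (not self.dports or pkt.dport in self.dports))


def evaluate(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything no rule mentions gets the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed perimeter policy (assumed addresses): internal network
# 10.0.0.0/8 with a public web server at 10.1.1.10.
INTERNAL = "10.0.0.0/8"
WEB_SERVER = "10.1.1.10/32"
PERIMETER_RULES = [
    # Anti-spoofing: nothing from the Internet may claim an internal source.
    Rule("deny", direction="in", src=INTERNAL),
    # Inbound: only web traffic, only to the web server.
    Rule("allow", direction="in", proto="tcp", dst=WEB_SERVER, dports=(80, 443)),
    # Outbound: browsing and DNS from inside; no direct SMTP (stops spam bots).
    Rule("allow", direction="out", proto="tcp", src=INTERNAL, dports=(80, 443)),
    Rule("allow", direction="out", proto="udp", src=INTERNAL, dports=(53,)),
]

# Constructed test traffic (documentation TEST-NET addresses stand in for the Internet).
SAMPLE_PACKETS = [
    Packet("in", "tcp", "198.51.100.7", "10.1.1.10", 443),   # customer browsing
    Packet("in", "tcp", "198.51.100.7", "10.1.1.10", 22),    # SSH probe
    Packet("in", "tcp", "10.0.0.5", "10.1.1.10", 443),       # spoofed internal source
    Packet("out", "tcp", "10.0.0.5", "198.51.100.7", 443),   # employee browsing
    Packet("out", "tcp", "10.0.0.5", "198.51.100.7", 25),    # direct SMTP from a desktop
    Packet("out", "udp", "10.0.0.5", "198.51.100.53", 53),   # DNS lookup
]


def audit(rules=PERIMETER_RULES, packets=SAMPLE_PACKETS):
    """Return the decision for each packet, in order."""
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_PACKETS, audit()):
        print(f"{decision:5}  {pkt.direction:3} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
```

Two caveats a practitioner would add: a stateless filter like this one also needs rules (or connection tracking) for the reply packets of permitted connections, and because it never inspects payloads it cannot tell a web request from an attack carried inside one; that is the job of the secure-application and malware safeguards that follow.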
Malware Protection

Type | Problems
Malware | Viruses, worms, Trojan horses, spyware, and adware
Virus | Computer program that replicates itself and takes unwanted and harmful actions
Macro virus | Attaches itself to Word, Excel, or other types of document; the virus infects every file that the application creates or processes
Worm | Self-replicating malware that propagates using the Internet or another computer network without needing a host program; can choke a network
Spyware | Some capture keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Other spyware supports marketing analyses.
Adware | Can slow computer performance
Symptoms of Adware and Spyware
Malware Safeguards
• Install antivirus and antispyware programs on your computer
• Set up your anti-malware programs to scan your computer frequently
• Update malware definitions
• Open email attachments only from known sources
• Promptly install software updates from legitimate sources
• Browse only in reputable Internet neighborhoods
Bots, Botnets, and Bot Herders
• Bot: a computer program surreptitiously installed that takes actions unknown to and uncontrolled by the computer's owner or administrator. Some steal credit card data, banking data, and e-mail addresses; launch denial-of-service attacks; or generate pop-ups.
• Botnet: a network of bots created and managed by an individual or organization.
• Bot herder: the individual or organization that controls the botnet.
AOL and the National Cyber Security Alliance Malware Study

Question | User Response | Actual
Do you have a virus on your computer? | Yes: 6%; Did not know: 50% | 18%
Average (maximum) number on infected computer | | 2.4 (213)
How often do you update your antivirus software? | Last week: 71%; Last month: 2%; More than 6 mos.: 12% | Last week: 33%; Last month: 34%; More than 6 mos.: 12%
Do you think you have adware or spyware on your computer? | Yes: 53% | Yes: 80%
Average (maximum) number of spyware/adware found on computer | | 93 (1,059)
Did you give permission to install these on your computer? | Yes: 5%; No: 95% |
Phishing Examples
Design Secure Applications
You should ensure that any information system developed for you and your department includes security as a requirement.
Q4: What Data Safeguards Are Available?
Data Safeguards
Q5: What Human Safeguards Are Available?
• Position definitions: least privilege possible
• Hiring and screening employees: extensive interviews and background checks for high-sensitivity positions
• Dissemination and enforcement: make employees aware of security policies and procedures
• Termination: establish security policies and procedures for employee termination; the HR dept. gives IS early notification
Security Policy for In-House Staff
Human Safeguards for Nonemployee Personnel
• Nonemployee personnel: temporary personnel, vendors, business partner personnel, and the public. Provide accounts and passwords with least privilege and remove accounts as soon as possible.
• Contract: require vendors and partners to perform appropriate screening and security training; specify the security responsibilities particular to the work.
• Public safeguard: harden the site to reduce the system's vulnerability. Use special, minimal versions of the operating system; lock down or eliminate operating-system features and functions that are not required.
What Are the Components of an Organization's Security Program?
Components of a security program:
1. Senior-management involvement
2. Safeguards of various kinds
3. Incident response
Critical security functions for senior management:
1. Establish a security policy to set the stage for the organization's response to security threats.
2. Manage risk by balancing the costs and benefits of the security program.
Account Administration
Administration of user accounts, passwords, and help-desk policies and procedures.
• Account management: creation of new user accounts, modification of existing account permissions, removal of unneeded accounts. Improve your relationship with IS personnel by providing early and timely notification of the need for account changes.
• Password management: the text's advice is that users should change passwords every 3 months or perhaps more frequently. Current NIST guidance (SP 800-63B) reverses this: do not force periodic changes, which push users toward predictable variations, but require an immediate change when there is evidence of compromise, and screen new passwords against lists of common and previously breached passwords.
National Institute of Standards and Technology (NIST) Recommendation
User signs a statement like this (figure).
Help Desk Policies
• Means of authenticating a user: user's birthplace, mother's maiden name, or last four digits of an important account number. Treat these as weak secrets: they are often discoverable from public records or social media, so they should not be the only check before a password reset.
If you ever receive notification that your password was reset when you did not request such a reset, immediately contact IS security. Someone has compromised your account.
Systems Procedures
Q2: What Is Senior Management's Security Role?
Management sets security policy, and only management can balance the costs of a security system against the risk of security threats.
Elements of Information Systems Security: NIST Handbook
What Are the Elements of a Security Policy?
• General statement of the organization's security program:
  • Management specifies the goals of the security program and the assets to be protected.
  • The statement designates a department for managing the security program and its documents.
  • It specifies how enforcement of security programs and policies will be ensured.
• Issue-specific policy: personal use of computers at work and email privacy.
• System-specific policy:
  • What customer data from the order-entry system will be sold or shared with other organizations?
  • What policies govern the design and operation of systems that process employee data?
  • Addressing such policies is part of the standard systems development process.
How Is Risk Managed?
Risk: the likelihood of an adverse occurrence.
• Threats are not managed directly, but their security consequences can be limited, for example by creating a backup processing facility at a remote location.
• Safeguards can reduce risks, but at a cost. It is management's responsibility to decide how much to spend, or how much risk to assume.
Uncertainty: lack of knowledge, especially about the chance of occurrence or the risk of an outcome or event.
• An earthquake could devastate a corporate data center built on a fault that no one knew about.
• An employee finds a way to steal inventory using a vulnerability in the corporate website that no expert knew existed.
Risk Assessment Factors
Assets, threats, safeguards, vulnerability, likelihood, consequences, probable loss (figure: probable loss combines the likelihood that a threat exploits a vulnerability with the consequences if it does).
Risk-Management Decisions
• Given the probable loss from risk assessment, senior management must decide what to do.
• Some assets can be protected by inexpensive and easily implemented safeguards.
• Some vulnerabilities are expensive to eliminate, and management must determine whether the cost of the safeguard is worth the benefit of the probable loss reduction.
Ethics Guide: Security Privacy
Legal requirements to protect customer data:
• Gramm-Leach-Bliley (GLB) Act (1999) protects consumer financial data stored by financial institutions.
• Privacy Act of 1974 provides protections to individuals regarding records maintained by the U.S. government.
• Health Insurance Portability and Accountability Act (HIPAA) (1996) gives individuals the right to access health data created by doctors and other health-care providers. HIPAA sets rules and limits on who can read and receive your health information.
• Privacy Principles of the Australian Privacy Act of 1988 cover government, health-care data, and records maintained by businesses with revenues in excess of AU$3 million.
Ethics Guide: Security Privacy (cont'd)
Do Dell, Amazon.com, the airlines, and other e-commerce businesses have a legal requirement to protect their customers' credit card data? Apparently not, at least not in the United States (the card brands impose the PCI DSS standard on merchants by contract rather than by statute).
However, online retailers have an ethical requirement to protect a customer's credit card and other data.
Retailers also have a strong business reason to protect customer data. A substantial loss of credit card data would have detrimental effects on sales and brand reputation.
No federal law prohibits the U.S. Government from buying information from data accumulators.
Ethics Guide: Security Privacy (cont'd)
What requirements does your university have on data it maintains about you?
• State law or university policy may govern records, but no federal law does. Most universities consider it their responsibility to provide public access to graduation records. Anyone can determine when you graduated, your degree and major. (In fact the federal FERPA statute does govern education records at institutions receiving federal funds; it permits release of "directory information" such as degree and dates of attendance unless the student opts out.)
• What about your class work? What about papers you write, answers you give on exams? What about email you send to your professor? They are not protected by federal law, and probably not protected by state law.
• If your professor cites your work in research, it is subject to copyright law, but not privacy law. What you write is no longer your personal data; it belongs to the academic community.
Security Monitoring Functions
• Activity log analyses: firewall logs, DBMS log-in records, web server logs
• Security testing: in-house and external security professionals
• Investigation of incidents: how did the problem occur?
• Learn from incidents: indication of potential vulnerability and needed corrective actions
Review and update security and safeguard policies.
Security Monitoring
• Activity log analyses:
  • Firewalls produce logs of their activities, including lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall.
  • DBMS products produce logs of successful and failed log-ins.
  • Web servers produce logs of web activities.
  • Operating systems on personal computers can produce logs of log-ins and firewall activities.
  Logs only help if someone, or some program, actually reads them: collect them centrally, keep them where an intruder on the monitored host cannot edit them, and look for patterns across lines rather than at single entries.
• Security testing: use in-house personnel and outside security consultants to conduct testing.
• Investigating and learning from security incidents.
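The activity-log analysis described above, as an added example that is not part of the textbook: a Python pass over two constructed logs, one of firewall drops and one of DBMS log-in records. The line formats, addresses, timestamps and account names are invented for this example and are not any product's real format; the two detections (one source probing many blocked ports, and repeated failed log-ins to one account inside a short window) are the kind of pattern the slide's log review is meant to surface.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (invented formats). A source at 198.51.100.7 probes
# twelve ports on the web server, then hammers the DBMS 'sa' account until it
# gets in; 10.0.0.5 is an employee who mistypes a password twice.
FIREWALL_LOG = "\n".join(
    [f"2012-03-01T10:00:{i:02d} DROP in tcp 198.51.100.7 -> 10.1.1.10:{port}"
     for i, port in enumerate([21, 22, 23, 25, 110, 135, 139, 143, 445, 1433, 3306, 3389])]
    + ["2012-03-01T10:02:15 DROP in tcp 203.0.113.5 -> 10.1.1.10:3389"]
)

DBMS_LOG = "\n".join(
    [f"2012-03-01T10:05:{5 * i:02d} LOGIN FAILED user=sa from=198.51.100.7" for i in range(6)]
    + [
        "2012-03-01T10:05:31 LOGIN OK user=sa from=198.51.100.7",
        "2012-03-01T10:07:00 LOGIN FAILED user=alice from=10.0.0.5",
        "2012-03-01T10:07:09 LOGIN FAILED user=alice from=10.0.0.5",
        "2012-03-01T10:07:20 LOGIN OK user=alice from=10.0.0.5",
    ]
)

FW_RE = re.compile(r"^(\S+) DROP (\w+) (\w+) (\S+) -> (\S+):(\d+)$")
DB_RE = re.compile(r"^(\S+) LOGIN (OK|FAILED) user=(\S+) from=(\S+)$")


def parse_firewall(text):
    """Yield (timestamp, src, dst, dport) for each dropped packet."""
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, _direction, _proto, src, dst, port = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(port)


def parse_dbms(text):
    """Yield (timestamp, outcome, user, src) for each log-in record."""
    for line in text.splitlines():
        m = DB_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            yield datetime.fromisoformat(ts), outcome, user, src


def port_scans(fw_events, min_ports=10):
    """Sources whose dropped packets touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for _ts, src, _dst, dport in fw_events:
        ports[src].add(dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def brute_force(db_events, threshold=5, window=timedelta(seconds=60)):
    """(src, user) pairs with >= threshold failures inside any sliding window."""
    failures = defaultdict(list)
    for ts, outcome, user, src in db_events:
        if outcome == "FAILED":
            failures[(src, user)].append(ts)
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits


def review_logs(fw_text=FIREWALL_LOG, db_text=DBMS_LOG):
    """One monitoring pass: both detections plus the incident to investigate."""
    scans = port_scans(parse_firewall(fw_text))
    bf = brute_force(parse_dbms(db_text))
    # A brute-forced account that then logged in OK is the incident to investigate.
    compromised = {
        (src, user) for _ts, outcome, user, src in parse_dbms(db_text)
        if outcome == "OK" and (src, user) in bf
    }
    return {"port_scans": scans, "brute_force": bf, "compromised": compromised}


if __name__ == "__main__":
    for name, finding in review_logs().items():
        print(f"{name}: {finding}")
```

The correlation at the end is the part worth copying: neither log alone says "compromise", but a burst of failures followed by a success from the same source does, and that is the line a reviewer should take to the incident-investigation step.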
Q6: How Should Organizations Respond to Security Incidents?
• Backup processing centers in a geographically removed site
• Create backups for critical resources
• Contract with a "backup site" provider
  • Hot site provides all equipment needed to continue operations there
  • Cold site provides space, but you must set up and install the equipment yourself
  • www.ragingwire.com/managed_services?=recovery
• Periodically train and rehearse cutover of operations; a backup or cutover plan that has never been exercised should be assumed not to work
Disaster-Recovery Backup Sites
• Disaster: substantial loss of infrastructure caused by acts of nature, crime, or terrorism
Incident-Response Plan
Appropriate location:
• Fire-resistant buildings
• Avoid places prone to floods, earthquakes, tornadoes, hurricanes, avalanches, car/truck accidents
• Unobtrusive buildings, basements, backrooms, physical perimeter
Q7: What Is the Extent of Computer Crime?
Computer Security Institute survey (2009), http://gocsi.com (registration required)
• Only 144 of 522 responding organizations provided cost-of-loss data (2009)
• Financial fraud had the highest average incident cost, $463,100, and losses due to bots averaged $345,600
• Some losses are difficult to quantify. What is the loss from a denial-of-service attack on a website? If the website is unavailable for 24 hours, what potential sales, prospects, or employees have been lost? What reputation problem was created for the organization?
Percentage of Security Incidents (Figure 12-16)
Security Incident Trends
• The number of virus attacks steadily decreased, indicating the success of antivirus programs.
• Financial fraud remained relatively stable, affecting approximately 12% of respondents.
• Laptop theft declined from around 70% in 1999 to 44% in 2008.
• Financial fraud had the highest average incident cost, $463,100, and losses due to bots averaged $345,600.
Q8: 2021?
• The skill level of the cat-and-mouse activity is likely to increase substantially.
• Increased security in operating systems and other software, improved security procedures, and employee training will make it harder and harder for a lone hacker to find some vulnerability to exploit.
Q8: 2021? (cont'd)
• The next challenges are likely to be iPhones, iPads, and other mobile devices. Security on these needs to be improved.
• Organized criminals, primarily bot herders, terrorists, or elements of renegade governments, inflicting a new type of cyber warfare on other nations
• A Trojan horse called Zeus v3 emptied the accounts of thousands of British bank customers
• Cyber warfare among nations
• The number of computer security jobs is expected to increase by 27% by 2016
Guide: Security Assurance, Hah!
• Employees who never change their password or use some simpleton word like "Sesame" or "MyDogSpot" or something equally absurd.
• Notes with passwords in the top drawer of desks.
• If you enter a system with a readily available password, is that even breaking in? Or is it more like opening a door with a key you were given? (Legally it is still unauthorized access; a weak lock does not grant permission. But the point stands: a guessable password gives a real attacker the same easy entry.)
• Management should stop talking about security risk assurance and start talking about and enforcing real security.
Guide: The Final, Final Word
• Stay alert to new technology-based opportunities
• Watch for "second wave" opportunities
• Enroll in a database class, a systems development class, or a security class, even if you're not an IS major
• Look for novel applications of IS technology in the emerging business environment
Active Review
Q1 What are the threats to information security?
Q2 What is senior management's security role?
Q3 What technical safeguards are available?
Q4 What data safeguards are available?
Q5 What human safeguards are available?
Q6 How should organizations respond to security incidents?
Q7 What is the extent of computer crime?
Q8 2021?