Using MIS 4e

collarlimabeans
Security

23 Feb. 2014 (3 years and 8 months ago)

Information Security Management

Using MIS 4e
Chapter 12

Study Questions

Q1: What are the threats to information security?
Q2: What is senior management’s security role?
Q3: What technical safeguards are available?
Q4: What data safeguards are available?
Q5: What human safeguards are available?
Q6: How should organizations respond to security incidents?
Q7: What is the extent of computer crime?
Q8: 2021?

Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall



Q1: What Are the Threats to Information Security?

Security threats arise from three sources:
- Human error and mistakes
- Malicious human activity
- Natural events and disasters


Human Errors and Mistakes

Human errors and mistakes: accidental problems caused by both employees and nonemployees
- Employee misunderstands operating procedures and accidentally deletes customer records
- Employee, while backing up a database, inadvertently installs an old database on top of the current one
- Poorly written application programs and poorly designed procedures
- Physical accidents, such as driving a forklift through a computer room wall

Malicious Human Activity

- Employees and former employees who intentionally destroy data or other system components
- Hackers who break into a system; virus and worm writers who infect computer systems
- Outside criminals who break into a system to steal for financial gain
- Terrorism

Natural Events and Disasters

- Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature
- Includes initial loss of capability and service, and losses stemming from actions to recover

What Are the Types of Security Problems?

Safeguards

Q2: What Technical Safeguards Are Available?


Identification and Authentication

Authentication methods:
- Password
- Smart card
- Biometric

Smart cards:
- Microchip embedded with identifying data
- Authentication by PIN

Biometric authentication:
- Fingerprints, face scans, retina scans
- See http://searchsecurity.techtarget.com

Single sign-on for multiple systems:
- Authenticate to network and other servers

Single Sign-on for Multiple Systems

The operating system authenticates you to networks and other servers. You sign on to your local computer and provide authentication data; from that point on, the operating system authenticates you to other networks or servers.

Kerberos: a system protocol that authenticates users without sending passwords across the computer network.
- Uses a complicated system of “tickets” to enable users to obtain services from networks and other servers. Windows, Linux, Unix, and other operating systems employ Kerberos to authenticate user requests across networks of computers using a mixture of operating systems.

Always protect your passwords!
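To make the single sign-on idea concrete, here is an added example (not from the textbook or its slides) of a ticket-based sign-on in which the password never crosses the network. It is a simplified illustration, not the real Kerberos protocol: the client proves knowledge of a password-derived key by answering a random challenge with an HMAC, and the authentication server then issues a ticket (claims plus a MAC) that any service sharing the server's secret can verify on its own. The user, password, salt and secrets are constructed values; the function names are this example's own.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed user store: the authentication server keeps only a password-derived
# key, never the plaintext password.  Salt and iteration count are choices for this toy.
SALT = b"constructed-salt"            # constructed; real systems use a random per-user salt
KDC_SECRET = b"constructed-kdc-key"   # constructed; shared with the services that accept tickets


def derive_key(password: str, salt: bytes = SALT) -> bytes:
    """Turn a password into a fixed-length key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice": derive_key("correct horse battery staple")}  # constructed account


def kdc_challenge() -> bytes:
    """Step 1: the authentication server sends the client a fresh random nonce."""
    return secrets.token_bytes(16)


def client_response(password: str, nonce: bytes) -> bytes:
    """Step 2: the client keys an HMAC over the nonce with the password-derived key.
    Only this MAC crosses the network; the password itself never does."""
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


def _ticket_mac(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(KDC_SECRET, body, hashlib.sha256).hexdigest()


def kdc_issue_ticket(user: str, nonce: bytes, response: bytes, ttl: int = 3600) -> Optional[dict]:
    """Step 3: the server recomputes the expected MAC from its stored key.  On a match
    it issues a ticket: a set of claims plus a MAC under the server secret."""
    stored = USERS.get(user)
    if stored is None:
        return None
    expected = hmac.new(stored, nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return None
    claims = {"user": user, "exp": int(time.time()) + ttl}
    return {"claims": claims, "mac": _ticket_mac(claims)}


def service_accepts(ticket: dict, now: Optional[int] = None) -> bool:
    """Step 4: any service sharing KDC_SECRET verifies the ticket's MAC and expiry.
    It never sees the password, and a tampered or expired ticket is rejected."""
    now = int(time.time()) if now is None else now
    ok_mac = hmac.compare_digest(_ticket_mac(ticket["claims"]), ticket["mac"])
    return ok_mac and ticket["claims"]["exp"] > now


def sign_on(user: str, password: str) -> Optional[dict]:
    """The whole exchange: one successful authentication yields a ticket that can be
    presented to many services (single sign-on)."""
    nonce = kdc_challenge()
    return kdc_issue_ticket(user, nonce, client_response(password, nonce))
```

The nonce makes each response single-use, so a captured response cannot be replayed, and the ticket's MAC means a service can trust the claims without contacting the authentication server. Real Kerberos additionally encrypts tickets for the specific service and separates the ticket-granting step; this example keeps only the core property the slide states.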


Wireless Access

Drive-by sniffers: walk or drive around a business or residential area with a wireless computer and locate dozens, or even hundreds, of wireless networks.

VPNs and special security servers: sophisticated communications equipment uses elaborate techniques that require the support of highly trained communications specialists.

IEEE 802.11 Committee: developed a wireless security standard called Wired Equivalent Privacy (WEP). Unfortunately, WEP has serious flaws.

Wi-Fi Protected Access (WPA) and WPA2: developed and improved wireless security standards that newer wireless devices use.

Encryption

Essence of HTTPS (SSL or TLS)

Digital Signatures

Most messages, such as email, are sent over the Internet as plaintext.

“Please deliver shipment 1000 to our Oakdale facility.” It is possible for a third party to intercept the email, remove “our Oakdale facility” and substitute its own address, and send the message on to its destination.

Digital signatures are a technique for ensuring plaintext messages are received without alteration.

The plaintext message is first hashed. (Hashing is a method of mathematically creating a string of bits (message digest) that characterizes the message.) In one popular standard, message digests are 160 bits long.

Using Digital Signatures

Digital Certificates: How Does Receiver Obtain True Party’s Public Key?

Certificate authorities (CAs): trusted, independent third-party companies that supply public keys.

Browser requests public key for Bank of America; CA responds with a digital certificate (“Bank of America” (key), signed with the CA key).

A digital certificate is plaintext and can be intercepted, and someone could substitute its own public key for BOA’s. To prevent that, the CA signs the digital certificate with its digital signature.
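The two preceding slides (Digital Signatures, and Digital Certificates) describe one mechanism used twice: hash the data, sign the digest with a private key, and let anyone holding the public key check it. The following added example (not from the textbook or Pearson) carries both through in one place with a toy RSA signer: first the Oakdale shipment message, signed and then altered in transit; then a certificate in which the CA signs the binding of the name "Bank of America" to a public key, and an interceptor swaps in its own key. The key generator, primes, seeds and the `name|n|e` certificate layout are this example's own assumptions, chosen so the code runs offline with the standard library; SHA-256 is used for the digest, so digests are 256 bits rather than the 160-bit figure the slide gives for SHA-1.

```python
import hashlib
import math
import random

# Toy RSA for illustration only: 256-bit primes from a seeded RNG, so keys are
# reproducible and far too small to be secure.  Real systems use a vetted library.


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top and low bits
        if _is_probable_prime(cand, rng):
            return cand


def make_keypair(seed: int, bits: int = 256):
    """Return ((n, e) public key, (n, d) private key)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits, rng), _gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def digest(message: bytes) -> int:
    """Hash first: the signature covers the fixed-size digest, not the message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Recover the signed digest with the public key and compare it to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """The CA binds a name to a public key and signs that binding."""
    n, e = subject_public
    return {"subject": subject, "public_key": subject_public,
            "ca_signature": sign(ca_private, f"{subject}|{n}|{e}".encode())}


def verify_certificate(ca_public, cert: dict) -> bool:
    """A browser holding only the CA's public key checks the binding before trusting the key."""
    n, e = cert["public_key"]
    return verify(ca_public, f"{cert['subject']}|{n}|{e}".encode(), cert["ca_signature"])


def demo() -> dict:
    """A signed message verifies only if unaltered; a substituted key in a certificate is caught."""
    ca_pub, ca_priv = make_keypair(seed=1)
    bank_pub, bank_priv = make_keypair(seed=2)
    msg = b"Please deliver shipment 1000 to our Oakdale facility."
    sig = sign(bank_priv, msg)
    altered = msg.replace(b"our Oakdale facility", b"123 Elsewhere Street")
    cert = issue_certificate(ca_priv, "Bank of America", bank_pub)
    impostor_pub, _ = make_keypair(seed=3)
    swapped = dict(cert, public_key=impostor_pub)   # interceptor substitutes its own key
    return {"genuine": verify(bank_pub, msg, sig), "altered": verify(bank_pub, altered, sig),
            "cert": verify_certificate(ca_pub, cert), "swapped_cert": verify_certificate(ca_pub, swapped)}
```

Two things the slides state become visible here: the signature is computed over the digest, so any change to the message changes the digest and the check fails; and the certificate itself is plaintext, so its protection comes entirely from the CA's signature over the name-to-key binding, which the browser can check because it already trusts the CA's public key.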

Firewalls

- Computing device that prevents unauthorized network access
- May be a special-purpose computer or a program on a general-purpose computer
- Organizations may have multiple firewalls
  - Perimeter firewalls outside the network
  - Internal firewalls inside the network
- Packet-filtering firewalls examine each part of a message
  - May filter both incoming and outgoing messages
  - Encoded rules stating IP addresses allowed into or out of the network
- Do not connect to the Internet without firewall protection
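The "encoded rules" a packet-filtering firewall applies are easiest to understand as an ordered list evaluated against each packet's header. The following added example (not from the textbook) implements that evaluation in Python: first matching rule wins, and anything no rule mentions is dropped. The addresses, the ruleset and the `Packet`/`Rule` names are constructed for the example; the internal network 10.0.0.0/8 and the web server 203.0.113.10 are placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter inspects (constructed, simplified)."""
    direction: str      # "in" (from the Internet) or "out" (to the Internet)
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One encoded rule: which addresses/ports are allowed into or out of the network."""
    action: str                     # "allow" or "deny"
    direction: str                  # "in", "out" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None  # None matches any port
    proto: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and self.proto in ("any", pkt.proto))


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet no rule mentions is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed perimeter ruleset for a site whose internal network is 10.0.0.0/8
# and whose public web server is 203.0.113.10.  Order matters: the anti-spoofing
# rule comes first so an inbound packet claiming an internal source never reaches
# the web-server allow rule.
PERIMETER_RULES = [
    Rule("deny", "in", src="10.0.0.0/8"),                      # internal addresses cannot arrive from outside
    Rule("allow", "in", dst="203.0.113.10/32", dst_port=443),  # HTTPS to the public web server
    Rule("allow", "out", src="10.0.0.0/8", dst_port=443),      # staff browsing over HTTPS
    Rule("deny", "out", src="10.0.0.0/8", dst_port=25),        # no direct outbound mail from workstations
]


def audit(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Apply the ruleset to a batch of packets and return the decisions, as a log line would record them."""
    return [f"{filter_packet(rules, p).upper()} {p.direction} {p.src}->{p.dst}:{p.dst_port}"
            for p in packets]
```

The default-deny fallthrough is the property to check in any real ruleset: a filter that ends in an implicit allow lets through everything its author forgot to mention. The `audit` output is the kind of dropped-packet record the Security Monitoring slides later describe.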

Malware Protection

Type: Problems
- Malware: viruses, worms, Trojan horses, spyware, and adware
- Virus: computer program that replicates itself and takes unwanted and harmful actions.
- Macro virus: attaches itself to Word, Excel, or other types of document; the virus infects every file that the application creates or processes
- Worm: virus that propagates using the Internet or other computer network; can choke a network
- Spyware: some capture keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Other spyware supports marketing analyses.
- Adware: can slow computer performance

Symptoms of Adware and Spyware

Malware Safeguards

- Install antivirus and antispyware programs on your computer
- Set up your anti-malware programs to scan your computer frequently
- Update malware definitions
- Open email attachments only from known sources
- Promptly install software updates from legitimate sources
- Browse only in reputable Internet neighborhoods


Bots, Botnets, and Bot Herders

Bot:
- Computer program surreptitiously installed that takes actions unknown to and uncontrolled by the computer’s owner or administrator
- Some steal credit card data, banking data, and e-mail addresses; cause denial-of-service attacks; pop-ups

Botnet: network of bots created and managed by an individual or organization

Bot herder: organization that controls the botnet

AOL and the National Cyber Security Alliance Malware Study

Question: Do you have a virus on your computer?
  User response: Yes: 6%; Did not know: 50%
  Actual: 18%

Question: Average (maximum) number on infected computer
  Actual: 2.4 (213)

Question: How often do you update your antivirus software?
  User response: Last week: 71%; Last month: 2%; More than 6 mos.: 12%
  Actual: Last week: 33%; Last month: 34%; More than 6 mos.: 12%

Question: Do you think you have adware or spyware on your computer?
  User response: Yes: 53%
  Actual: Yes: 80%

Question: Average (maximum) number of spyware/adware found on computer
  Actual: 93 (1,059)

Question: Did you give permission to install these on your computer?
  User response: Yes: 5%; No: 95%

Phishing Examples

Design Secure Applications

You should ensure that any information system developed for you and your department includes security as a requirement.

Q4: What Data Safeguards Are Available?

Data Safeguards


Q5: What Human Safeguards Are Available?

Position definitions:
- Least privilege possible

Hiring and screening employees:
- Extensive interviews and background checks for high-sensitivity positions

Dissemination and enforcement:
- Make employees aware of security policies and procedures

Termination:
- Establish security policies and procedures for employee termination.
- HR dept. giving IS early notification

Security Policy for In-House Staff


Human Safeguards for Nonemployee Personnel

Nonemployee personnel:
- Temporary personnel, vendors, business partner personnel, and public
- Provide accounts and passwords with least privilege and remove accounts as soon as possible

Contract:
- Require vendors and partners to perform appropriate screening and security training
- Specify security responsibilities particular to the work

Public safeguard:
- Hardening the site to reduce a system’s vulnerability
- Use special versions of the operating system; lock down or eliminate operating system features and functions not required

What Are the Components of an Organization’s Security Program?

Components of a security program:
1. Senior-management involvement
2. Safeguards of various kinds
3. Incident response

Critical security functions for senior management:
1. Establish security policy to set the stage for the organization’s response to security threats.
2. Manage risk by balancing costs and benefits of the security program.

Account Administration

Account management:
- Administration of user accounts, passwords, and help-desk policies and procedures
- Creation of new user accounts, modification of existing account permissions, removal of unneeded accounts
- Improve your relationship with IS personnel by providing early and timely notification of the need for account changes

Password management:
- Users should change passwords every 3 months or perhaps more frequently

National Institute of Standards and Technology (NIST) Recommendation

User signs a statement like this


Help Desk Policies

Means of authenticating a user:
- User’s birthplace, mother’s maiden name, or last four digits of an important account number

If you ever receive notification that your password was reset when you did not request such a reset, immediately contact IS security. Someone has compromised your account.

Systems Procedures

Q2: What Is Senior Management’s Security Role?

Management sets security policy, and only management can balance the costs of a security system against the risk of security threats.

Elements of Information Systems Security

NIST Handbook


What Are the Elements of a Security Policy?

General statement of the organization’s security program:
- Management specifies the goals of the security program and the assets to be protected.
- The statement designates a department for managing the security program and documents.
- Specifies how enforcement of security programs and policies will be ensured.

Issue-specific policy:
- Personal use of computers at work and email privacy.

System-specific policy:
- What customer data from the order-entry system will be sold or shared with other organizations?
- What policies govern the design and operation of systems that process employee data?
- Addressing such policies is part of the standard systems development process.

How Is Risk Managed?

Risk: likelihood of an adverse occurrence
- Threats are not managed directly, but security consequences can be limited by creating a backup processing facility at a remote location.
- Risks can be reduced, but at a cost. It is management’s responsibility to decide how much to spend, or how much risk to assume.

Uncertainty: lack of knowledge, especially about the chance of occurrence or risk of an outcome or event
- An earthquake could devastate a corporate data center built on a fault that no one knew about.
- An employee finds a way to steal inventory using a vulnerability in the corporate website that no expert knew existed.

Risk Assessment Factors

(figure labels: Assets, Consequences, Threats, Likelihood, Safeguards, Probable loss, Vulnerability)

Risk-Management Decisions

- Given the probable loss from the risk assessment, senior management must decide what to do
- Some assets can be protected by inexpensive and easily implemented safeguards
- Some vulnerabilities are expensive to eliminate, and management must determine if the cost of the safeguard is worth the benefit of the probable loss reduction
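The risk-management decision the preceding slides describe (compare a safeguard's cost with the probable loss it removes) can be written down as a small model. The following added example is not from the textbook; it assumes probable loss is consequence per occurrence times expected occurrences per year, which is one common way to quantify the factors the Risk Assessment slide lists, not a formula the slides give. The asset, dollar figures and safeguard names are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Risk:
    """One line of a risk assessment.  Probable loss is modelled here as consequence
    per occurrence times expected occurrences per year (an assumption of this
    example; the slides list the factors but give no formula)."""
    asset: str
    consequence: float   # dollars lost per occurrence
    likelihood: float    # expected occurrences per year

    def probable_loss(self) -> float:
        return self.consequence * self.likelihood


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    likelihood_reduction: float   # fraction of the likelihood it removes, 0..1


def loss_reduction(risk: Risk, sg: Safeguard) -> float:
    """How much probable loss the safeguard removes per year."""
    return risk.probable_loss() * sg.likelihood_reduction


def net_benefit(risk: Risk, sg: Safeguard) -> float:
    """Benefit of the probable-loss reduction minus the safeguard's own cost."""
    return loss_reduction(risk, sg) - sg.annual_cost


def decide(risk: Risk, options: List[Safeguard]) -> Tuple[str, float]:
    """Pick the safeguard with the largest positive net benefit; if none pays for
    itself, the decision is to assume the risk."""
    best = max(options, key=lambda sg: net_benefit(risk, sg), default=None)
    if best is None or net_benefit(risk, best) <= 0:
        return ("assume risk", 0.0)
    return (best.name, net_benefit(risk, best))


# Constructed figures for illustration
CUSTOMER_DB = Risk("customer database", consequence=200_000.0, likelihood=0.10)
OPTIONS = [
    Safeguard("encrypted offsite backups", annual_cost=2_000.0, likelihood_reduction=0.50),
    Safeguard("full data-loss-prevention suite", annual_cost=50_000.0, likelihood_reduction=0.90),
]
```

With these constructed numbers the probable loss is $20,000 a year; the cheap safeguard removes half of it for $2,000 (net benefit $8,000), while the expensive one removes more loss than it costs to run only if the consequence or likelihood were much higher, which is the "expensive to eliminate" case the slide mentions.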

Ethics Guide: Security Privacy

Legal requirements to protect customer data:
- Gramm-Leach-Bliley (GLB) Act (1999) protects consumer financial data stored by financial institutions.
- Privacy Act of 1974 provides protections to individuals regarding records maintained by the U.S. government.
- Health Insurance Portability and Accountability Act (HIPAA) (1996) gives individuals the right to access health data created by doctors and other health-care providers. HIPAA sets rules and limits on who can read and receive your health information.
- Privacy Principles of the Australian Privacy Act of 1988 cover government, health-care data, and records maintained by businesses with revenues in excess of AU$3 million.

Ethics Guide: Security Privacy

Do Dell, Amazon.com, the airlines, and other e-commerce businesses have a legal requirement to protect their customers’ credit card data? Apparently not, at least not in the United States.

However, online retailers have an ethical requirement to protect a customer’s credit card and other data.

Retailers have a strong business reason to protect customer data. A substantial loss of credit card data would have detrimental effects on sales and brand reputation.

No federal law prohibits the U.S. Government from buying information from data accumulators.


Ethics Guide: Security Privacy

What requirements does your university have on data it maintains about you?
- State law or university policy may govern records, but no federal law does. Most universities consider it their responsibility to provide public access to graduation records. Anyone can determine when you graduated, your degree and major.
- What about your class work? What about papers you write, answers you give on exams? What about email you send to your professor? They are not protected by federal law, and probably not protected by state law.
- If your professor cites your work in research, it is subject to copyright law, but not privacy law. What you write is no longer your personal data; it belongs to the academic community.


Security Monitoring Functions

Activity log analyses:
- Firewall logs
- DBMS log-in records
- Web server logs

Security testing:
- In-house and external security professionals

Investigation of incidents:
- How did the problem occur?

Learn from incidents:
- Indication of potential vulnerability and needed corrective actions

Review and update security and safeguard policies


Security Monitoring

Activity log analyses:
- Firewalls produce logs of their activities, including lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall.
- DBMS products produce logs of successful and failed log-ins.
- Web servers produce logs of web activities.
- Operating systems in personal computers can produce logs of log-ins and firewall activities.

Security testing:
- Use in-house personnel and outside security consultants to conduct testing

Investigating and learning from security incidents
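The activity-log analysis these two slides describe is a matter of parsing what the firewall and the DBMS record and looking for patterns: one outside source probing many ports, a burst of failed log-ins followed by a success, and an inside host that appears in both logs. The following added example (not from the textbook) does exactly that over a few constructed log lines. The syslog-like line format, the addresses and the user names are assumptions of this example, not the output of any particular firewall or DBMS product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines.  The syslog-like layout is an assumption of this
# example, not the format of any particular firewall or DBMS product.
FIREWALL_LOG = """\
2014-02-23T08:00:01 fw DROP IN src=198.51.100.7 dst=203.0.113.10 dport=22
2014-02-23T08:00:02 fw DROP IN src=198.51.100.7 dst=203.0.113.10 dport=23
2014-02-23T08:00:03 fw DROP IN src=198.51.100.7 dst=203.0.113.10 dport=3389
2014-02-23T08:05:00 fw DROP OUT src=10.1.2.3 dst=198.51.100.9 dport=25
"""
DBMS_LOG = """\
2014-02-23T09:10:00 db LOGIN FAILED user=sa from=10.1.2.3
2014-02-23T09:10:05 db LOGIN FAILED user=sa from=10.1.2.3
2014-02-23T09:10:09 db LOGIN FAILED user=sa from=10.1.2.3
2014-02-23T09:10:12 db LOGIN OK user=sa from=10.1.2.3
2014-02-23T09:30:00 db LOGIN FAILED user=jsmith from=10.1.2.8
2014-02-23T11:00:00 db LOGIN OK user=jsmith from=10.1.2.8
"""

FW_RE = re.compile(r"^(\S+) fw DROP (IN|OUT) src=(\S+) dst=(\S+) dport=(\d+)$")
DB_RE = re.compile(r"^(\S+) db LOGIN (OK|FAILED) user=(\S+) from=(\S+)$")


def dropped_by_source(log: str) -> Dict[Tuple[str, str], List[int]]:
    """Firewall log: for each (source, direction), the ports whose packets were dropped.
    Many distinct ports from one outside source is a probe; an OUT entry is a host
    inside the firewall trying something the policy forbids."""
    ports = defaultdict(set)
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m:
            _ts, direction, src, _dst, dport = m.groups()
            ports[(src, direction)].add(int(dport))
    return {key: sorted(v) for key, v in ports.items()}


def failed_login_bursts(log: str, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, int, bool]]:
    """DBMS log: (source, user, failures, success_followed) for every source/user pair
    with at least `threshold` failed log-ins inside `window`.  A burst of failures
    followed by a success is the pattern most worth investigating."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = DB_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events[(src, user)].append((datetime.fromisoformat(ts), outcome))
    findings = []
    for (src, user), evs in events.items():
        evs.sort()
        fails = [t for t, outcome in evs if outcome == "FAILED"]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if t - start <= window]
            if len(burst) >= threshold:
                later_ok = any(outcome == "OK" and t >= burst[-1] for t, outcome in evs)
                findings.append((src, user, len(burst), later_ok))
                break
    return findings


def hosts_in_both(fw_log: str, db_log: str) -> List[str]:
    """Correlate the two sources: internal hosts that both had outbound packets
    dropped and produced a burst of failed DBMS log-ins."""
    fw_hosts = {src for (src, direction) in dropped_by_source(fw_log) if direction == "OUT"}
    db_hosts = {src for src, _user, _n, _ok in failed_login_bursts(db_log)}
    return sorted(fw_hosts & db_hosts)
```

On the constructed lines, the outside host 198.51.100.7 is dropped on three different ports in three seconds, and the internal host 10.1.2.3 fails the `sa` log-in three times in twelve seconds, succeeds, and is separately blocked sending outbound mail; the correlation step is what turns two routine log entries into one incident to investigate.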


Q6: How Should Organizations Respond to Security Incidents?

- Backup processing centers in a geographically removed site
- Create backups for critical resources
- Contract with a “backup site” provider
  - Hot site provides all equipment needed to continue operations there
  - Cold site provides space but you have to set up and install equipment
  - www.ragingwire.com/managed_services?=recovery
- Periodically train and rehearse cutover of operations

Disaster-Recovery Backup Sites

Disaster: substantial loss of infrastructure caused by acts of nature, crime, or terrorism

Incident-Response Plan

Appropriate location:
- Fire-resistant buildings
- Avoid places prone to floods, earthquakes, tornadoes, hurricanes, avalanches, car/truck accidents
- Unobtrusive buildings, basements, backrooms, physical perimeter

Q7: What Is the Extent of Computer Crime?

Computer Security Institute survey (2009), http://gocsi.com (registration required)
- Only 144 of 522 responding organizations provided cost of loss data (2009)
- Financial fraud had the highest average incident cost of $463,100, and losses due to bots averaged $345,600
- Some losses are difficult to quantify.
- What is the loss of a denial of service attack on a website? If the website is unavailable for 24 hours, what potential sales, prospects, or employees have been lost? What reputation problem was created for the organization?

Percentage of Security Incidents

Insert Figure 12-16 here (new)

Security Incident Trends

- Number of virus attacks steadily decreased, indicating success of antivirus programs.
- Financial fraud remained relatively stable, affecting approximately 12% of respondents.
- Laptop theft declined from around 70% in 1999 to 44% in 2008.
- Financial fraud had the highest average incident cost, $463,100, and losses due to bots averaged $345,600.

Q8: 2021?

- Skill level of cat-and-mouse activity is likely to increase substantially.
- Increased security in operating systems and other software, improved security procedures and employee training will make it harder and harder for a lone hacker to find some vulnerability to exploit.

Q8: 2021? (cont’d)

- Next challenges likely to be iPhones, iPads, and other mobile devices. Security on these needs to be improved.
- Organized criminals, primarily bot herders, terrorists or elements of renegade governments, inflicting a new type of cyber warfare on other nations
  - Trojan horse called Zeus v3 emptied accounts of thousands of British bank customers
- Cyber warfare among nations
- Number of computer security jobs to increase by 27% by 2016

Guide: Security Assurance, Hah!

- Employees who never change their password or use some simpleton word like “Sesame” or “MyDogSpot” or something equally absurd.
- Notes with passwords in the top drawer of desks.
- If you enter a system with a readily available password, is that even breaking in? Or is it more like opening a door with a key you were given?
- Management should stop talking about security risk assurance and start talking about and enforcing real security.

Guide: The Final, Final Word

- Stay alert to new technology-based opportunities
- Watch for “second wave” opportunities
- Enroll in a database class or systems development class, security class, even if you’re not an IS major
- Look for novel applications of IS technology in the emerging business environment

Active Review

Q1: What are the threats to information security?
Q2: What is senior management’s security role?
Q3: What technical safeguards are available?
Q4: What data safeguards are available?
Q5: What human safeguards are available?
Q6: How should organizations respond to security incidents?
Q7: What is the extent of computer crime?
Q8: 2021?