ch12_summerx - Gonzaga Student Web Server

23 Feb. 2014 (3 years and 5 months ago)

Dr. Chen, Management Information Systems

Chapter 12: Information Security Management

Jason C. H. Chen, Ph.D.
Professor of MIS
School of Business Administration
Gonzaga University
Spokane, WA 99258
chen@jepson.gonzaga.edu

Could Someone Be Getting To Our Data?

- Stealing only from weddings of club members
- Knowledge: how to access the system and database, and SQL
- Access: passwords on yellow stickies; many copies of the key to the server building
- Suspect: the greenskeeper guy's "a techno-whiz," created a report for Anne, knows SQL and how to access the database

Chapter Preview

- This chapter describes common sources of security threats and explains management's role in addressing those threats. It defines the major elements of an organizational security policy. It presents the most common types of technical, data, and human security safeguards. We then discuss how organizations should respond to security incidents and, finally, examine common types of computer crime.
- The primary focus is on management's responsibility for the organization's security policy and for implementing human security safeguards.
- We approach this topic from the standpoint of a major organization that has professional staff, in order to learn the tasks that need to be accomplished. Both MRV and FlexTime need to adapt the full-scale security program to their smaller requirements and more limited budget.

Study Questions

Q1: What is the goal of information systems security?
Q2: How should you respond to security threats?
Q3: How should organizations respond to security threats?
Q4: What technical safeguards are available?
Q5: What data safeguards are available?
Q6: What human safeguards are available?
Q7: 2022?

Q1: What Is the Goal of Information Systems Security?

The IS Security Threat/Loss Scenario

- Threat: a person or organization that seeks to obtain data or other assets illegally, without the owner's permission and often without the owner's knowledge.
- Vulnerability: an opportunity for threats to gain access to individual or organizational assets.
- Safeguard: some measure that individuals or organizations take to block the threat from obtaining the asset.
- Target: the asset that is desired by the threat.

Fig 12-1 Threat/Loss Scenario

Safeguards

Fig 12-extra Security Safeguards as They Relate to the Five Components

There are three components of a sound organizational security program:
1. Senior management must establish a security policy and manage risks.
2. Safeguards of various kinds must be established for all five components of an IS, as the figure below demonstrates.
3. The organization must plan its incident response before any problems occur.

Examples of Threat/Loss

Fig 12-2 Examples of Threat/Loss

What Are the Sources of Threats?

Security threats arise from three sources:
1. Human error and mistakes,
2. Computer crime, and
3. Natural events and disasters.

Human Errors and Mistakes

Human errors and mistakes include:
- Accidental problems caused by both employees and nonemployees.
  - An employee misunderstands operating procedures and accidentally deletes customer records.
  - An employee, while backing up a database, inadvertently installs an old database on top of the current one.
- The category also includes poorly written application programs and poorly designed procedures.
- Physical accidents, such as driving a forklift through the wall of a computer room.


Computer Crime

- Employees and former employees who intentionally destroy data or other system components
- Hackers who break into a system; virus and worm writers who infect computer systems
- Outside criminals who break into a system to steal for financial gain
- Terrorism

Q/A

Which of the following is most likely to be the result of hacking?
A) certain Web sites being blocked from viewing for security reasons
B) small amounts of spam in your inbox
C) an unexplained reduction in your account balance
D) pop-up ads appearing frequently

Answer: C

Natural Events and Disasters

- Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature
- Includes the initial loss of capability and service, and losses stemming from actions to recover from the initial problem

Fig 12-3 Security Problems and Sources

What Types of Security Loss Exist?

Unauthorized Data Disclosure
- Pretexting
- Phishing
- Spoofing
  - IP spoofing
  - Email spoofing
- Drive-by sniffers
- Hacking
- Natural disasters

Incorrect Data Modification

- Procedures not followed or incorrectly designed procedures
  - Increasing a customer's discount or incorrectly modifying an employee's salary
  - Placing incorrect data on the company Web site
- Improper internal controls on systems
- System errors
- Faulty recovery actions after a disaster

Faulty Service

- Incorrect data modification
- Systems working incorrectly
- Procedural mistakes
- Programming errors
- IT installation errors
- Usurpation
- Denial of service (unintentional)
- Denial-of-service attacks (intentional)

Loss of Infrastructure

- Human accidents
- Theft and terrorist events
- Disgruntled or terminated employees
- Natural disasters

How Big Is the Computer Security Problem?

Fig 12-4 Sample Arrests and Convictions Reported by the US Department of Justice

Percent of Security Incidents

Fig 12-5 Percent of Security Incidents

Goal of Information Systems Security

- Threats can be stopped, or at least threat loss reduced
- Safeguards are expensive and reduce work efficiency
- Find the trade-off between risk of loss and cost of safeguards

Q2: How Should You Respond to Security Threats?

Fig 12-6 Personal Security Safeguards

Q/A

Cookies enable one to access Web sites without having to sign in every time.

Answer: TRUE

Q3: How Should Organizations Respond to Security Threats?

NIST Handbook of Security Elements

Fig 12-7 Management Guidelines for IS Security

What Are the Elements of a Security Policy?

Elements of Security Policy
1. General statement of the organization's security program
2. Issue-specific policy
3. System-specific policy

Managing Risks
- Risk: threats and consequences we know about
- Uncertainty: things we do not know that we do not know

What Are the Elements of a Security Policy?

Security policy has three elements:
1. A general statement of the organization's security program. This statement becomes the foundation for more specific security measures. Management specifies the goals of the security program and the assets to be protected. The statement designates a department for managing the security program and documents. In general terms, it specifies how the organization will ensure enforcement of security programs and policies.
2. Issue-specific policy. Personal use of computers at work and email privacy.
3. System-specific policy. What customer data from the order-entry system will be sold or shared with other organizations? Or, what policies govern the design and operation of systems that process employee data? Addressing such policies is part of the standard systems development process.


Q/A

Which of the following is an example of a system-specific security policy?
A) limiting the personal use of an organization's computer systems
B) deciding what customer data from the order-entry system will be shared with other organizations
C) designating a department for managing an organization's IS security
D) inspecting an employee's personal email for compliance with company policy

Answer: B

How Is Risk Managed?

- Risk: likelihood of an adverse occurrence
  - Management cannot manage threats directly, but can limit security consequences by creating a backup processing facility at a remote location.
  - Companies can reduce risks, but always at a cost. It is management's responsibility to decide how much to spend, or, stated differently, how much risk to assume.
- Uncertainty refers to lack of knowledge, especially about the chance of occurrence or risk of an outcome or event.
  - An earthquake could devastate a corporate data center built on a fault that no one knew about.
  - An employee finds a way to steal inventory using a hole in the corporate Web site that no expert knew existed.

Risk Assessment and Management

Risk Assessment
- Tangible consequences
- Intangible consequences
- Likelihood
- Probable loss

Risk-Management Decisions
- Given probable loss, what to protect?
- Which safeguards are inexpensive and easy?
- Which vulnerabilities are expensive to eliminate?
- How to balance the cost of safeguards with the benefits of probable loss reduction?

Factors to Consider in Risk Assessment and Risk Management Decisions

Fig 12-Extra Risk Assessment Factors

- When you're assessing risks to an information system you must first determine:
  - What the threats are.
  - How likely they are to occur.
  - The consequences if they occur.
- The figure below lists the factors you should include in a risk assessment.
- Once you've assessed the risks to your information system, you must make decisions about how much security you want to pay for. Each risk-management decision carries consequences.
  - Some risk is easy and inexpensive.
  - Some risk is expensive and difficult.
- Managers have a fiduciary responsibility to the organization to adequately manage risk.

Factors to Consider in Risk Assessment: Brief Summary

- Safeguard is any action, device, procedure, technique, or other measure that reduces a system's vulnerability to a threat.
  - No safeguard is ironclad; there is always a residual risk that it will not protect the assets in all circumstances.
- Vulnerability is an opening or a weakness in the security system. Some vulnerabilities exist because there are no safeguards or because existing safeguards are ineffective.
- Consequences are damages that occur when an asset is compromised. Consequences can be tangible or intangible.
  - Tangible consequences: those whose financial impact can be measured.
  - Intangible consequences, such as the loss of customer goodwill due to an outage, cannot be measured.

Factors to Consider in Risk Assessment: Brief Summary (Final Two Factors in Risk Assessment)

- Likelihood is the probability that a given asset will be compromised by a given threat, despite the safeguards.
- Probable loss is the "bottom line" of risk assessment.
  - To obtain a measure of probable loss, companies multiply likelihood by the cost of the consequences. Probable loss also includes a statement of intangible consequences.
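The risk-assessment factors above (likelihood, tangible and intangible consequences, probable loss) and the risk-management decision of weighing a safeguard's cost against the probable-loss reduction it buys can be carried through on a small risk register. The following is an added example, not code from the slides or the textbook: the risks, the safeguard names and their costs and effects are constructed for illustration (the hot-site cost of $250,000 per month is taken from the disaster-recovery slide later in the chapter; the `likelihood_factor` and `cost_factor` multipliers are this example's own way of expressing that a safeguard may lower the chance of compromise, limit the consequences, or both).

```python
"""Probable loss and risk-management decisions.

Added illustration (not from the slides): probable loss is computed as
likelihood x tangible cost of the consequences, and each candidate
safeguard is judged by the probable-loss reduction it buys minus its
own annual cost. Every figure here is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: float     # yearly probability the asset is compromised by this threat, despite current safeguards
    tangible_cost: float  # measurable financial impact if it happens
    intangible: str = ""  # stated alongside the number, never multiplied: it cannot be measured

    def probable_loss(self) -> float:
        """The 'bottom line' of risk assessment: likelihood x cost of consequences."""
        return round(self.likelihood * self.tangible_cost, 2)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    likelihood_factor: float  # multiplier on likelihood once in place (1.0 = threat unchanged)
    cost_factor: float        # multiplier on tangible cost (e.g. a backup site limits the consequence)


def probable_loss_with(risk: Risk, s: Safeguard) -> float:
    """Residual probable loss with the safeguard in place (no safeguard is ironclad)."""
    return round(risk.likelihood * s.likelihood_factor * risk.tangible_cost * s.cost_factor, 2)


def net_benefit(risk: Risk, s: Safeguard) -> float:
    """Probable-loss reduction bought by the safeguard, minus what the safeguard costs per year."""
    return round(risk.probable_loss() - probable_loss_with(risk, s) - s.annual_cost, 2)


def recommend(risk: Risk, options: List[Safeguard]) -> Tuple[str, float]:
    """Choose the option with the highest positive net benefit; otherwise accept the risk."""
    best_name, best_value = "accept risk", 0.0
    for s in options:
        value = net_benefit(risk, s)
        if value > best_value:
            best_name, best_value = s.name, value
    return best_name, best_value


def risk_report(risk: Risk, options: List[Safeguard]) -> str:
    """One line per risk: probable loss, the decision, and any intangible consequence."""
    decision, value = recommend(risk, options)
    line = (f"{risk.asset} / {risk.threat}: probable loss {risk.probable_loss():,.0f}/yr"
            f" -> {decision} (net benefit {value:,.0f})")
    if risk.intangible:
        line += f"; intangible: {risk.intangible}"
    return line


# Constructed sample risk register and candidate safeguards (not real data).
RISKS = [
    Risk("customer database", "unauthorized disclosure", 0.10, 500_000, "loss of customer goodwill"),
    Risk("order-entry server", "denial of service", 0.30, 40_000),
    Risk("data center", "earthquake", 0.05, 2_000_000),
]
OPTIONS = {
    "customer database": [
        Safeguard("encrypt at rest with key escrow", 15_000, 0.2, 1.0),
        Safeguard("24x7 monitoring service", 120_000, 0.1, 1.0),
    ],
    "order-entry server": [Safeguard("DDoS scrubbing service", 20_000, 1.0, 0.1)],
    "data center": [
        # an earthquake cannot be prevented, so both sites leave likelihood alone and cut the consequence
        Safeguard("hot site", 12 * 250_000, 1.0, 0.05),
        Safeguard("cold site", 30_000, 1.0, 0.5),
    ],
}

if __name__ == "__main__":
    for r in RISKS:
        print(risk_report(r, OPTIONS[r.asset]))
```

Running it shows the three outcomes the slides describe: a cheap safeguard that pays for itself (encrypting the customer database), a safeguard whose cost exceeds the loss it prevents so management accepts the risk (DDoS scrubbing for a low-value server), and a hot site that is far too expensive for this asset while a cold site is not.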

Q/A

Which of the following is an example of an intangible consequence?
A) a dip in sales because supplies were not replenished
B) a loss of customer goodwill due to an outage
C) a drop in production due to plant maintenance
D) a financial loss due to high input costs

Answer: B

Q4: What Technical Safeguards Are Available?

Fig 12-8 Technical Safeguards

List of Primary Technical Safeguards

You can establish five technical safeguards for the hardware and software components of an information system, as Figure 12-8 shows.

1. Identification and authentication includes
  (1) passwords (what you know),
  (2) smart cards (what you have), and
  (3) biometric authentication (what you are).
  (4) Single sign-on for multiple systems (Kerberos)
    - Since users must access many different systems, it's often more secure, and easier, to establish it.
    - Authenticates users without sending passwords across the network.
    - "Tickets" enable users to obtain services from multiple networks and servers.
    - Windows, Linux, and Unix employ Kerberos.

List of Primary Technical Safeguards (cont.)

Identification and authentication (cont.)
  (5) Wireless systems pose additional threats.
    - VPNs and special security servers
    - Wired Equivalent Privacy (WEP): first developed
    - Wi-Fi Protected Access (WPA): more secure
    - Wi-Fi Protected Access (WPA2): newest and most secure

Note: (4) and (5) are system access protocols.

Q/A

T/F: A magnetic strip holds far more data than a microchip.

Answer: FALSE

2. Encryption

Fig 12-9 Basic Encryption Techniques

Encryption is the second safeguard you can establish for an IS. The chart below and on the next slide describe each of them.

T/F: Asymmetric encryption is simpler and much faster than symmetric encryption.

Answer: FALSE

Essence of HTTPS (SSL or TLS)

Fig 12-10 The Essence of HTTPS (SSL or TLS)

Q/A

Which of the following observations concerning Secure Socket Layer (SSL) is true?
A) It uses only asymmetric encryption.
B) It is a useful hybrid of symmetric and asymmetric encryption techniques.
C) It works between Levels 2 and 3 of the TCP-OSI architecture.
D) It is a stronger version of HTTPS.

Answer: B

You are transferring funds online through the Web site of a reputed bank. Which of the following displayed in your browser's address bar will let you know that the bank is using the SSL protocol?
A) http
B) www
C) https
D) .com

Answer: C

3. Firewalls

- Firewalls, the third technical safeguard, are computing devices that prevent unauthorized network access. They should be installed and used with every computer that's connected to any network, especially the Internet.
- The diagram shows how perimeter and internal firewalls are special devices that help protect a network.
- Packet-filtering firewalls are programs on general-purpose computers or on routers that examine each packet entering the network.

Fig (extra) Use of Multiple Firewalls
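The packet-filtering idea and the perimeter/internal split in the figure can be shown with a small first-match rule evaluator. This is an added example, not code from the slides or the textbook: the rule format, the network layout (a public web server in a DMZ at 203.0.113.10, a database server on the internal LAN at 10.0.5.20, addresses from the RFC 5737 documentation ranges) and the sample packets are all constructed here.

```python
"""A minimal packet-filtering firewall with perimeter and internal rule sets.

Added illustration, not part of the slides: each rule names an action,
a protocol, source and destination networks and optional destination
ports; the first matching rule decides, and a packet that matches no
rule is denied. The network layout is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: str                      # source network in CIDR notation
    dst: str                      # destination network in CIDR notation
    dports: Tuple[int, ...] = ()  # empty tuple = any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule covers the packet."""
        return (
            self.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (not self.dports or pkt.dport in self.dports)
        )


def filter_packet(pkt: Packet, rules: List[Rule], default: str = "deny") -> str:
    """First-match evaluation; a packet that matches no rule gets the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Perimeter firewall (Internet -> DMZ): only the public web server's HTTP and
# HTTPS ports are reachable from outside; nothing from the Internet may reach
# the internal LAN directly. Everything else falls through to the default deny.
PERIMETER = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", (80, 443)),
    Rule("deny", "any", "0.0.0.0/0", "10.0.0.0/8"),
]

# Internal firewall (DMZ -> LAN): the web server may talk to the database
# server on its database port only; any other DMZ-to-LAN packet is dropped,
# so a compromised DMZ host cannot roam the internal network.
INTERNAL = [
    Rule("allow", "tcp", "203.0.113.10/32", "10.0.5.20/32", (5432,)),
    Rule("deny", "any", "203.0.113.0/24", "10.0.0.0/8"),
]

if __name__ == "__main__":
    # Constructed sample traffic: a browser on the Internet, then the web server talking inward.
    samples = [
        (PERIMETER, Packet("tcp", "198.51.100.7", "203.0.113.10", 443)),   # allow
        (PERIMETER, Packet("tcp", "198.51.100.7", "203.0.113.10", 22)),    # deny (no rule)
        (PERIMETER, Packet("tcp", "198.51.100.7", "10.0.5.20", 5432)),     # deny (LAN blocked)
        (INTERNAL, Packet("tcp", "203.0.113.10", "10.0.5.20", 5432)),      # allow
        (INTERNAL, Packet("tcp", "203.0.113.10", "10.0.5.20", 22)),        # deny
    ]
    for rules, pkt in samples:
        print(pkt, "->", filter_packet(pkt, rules))
```

The default-deny at the end of `filter_packet` is the part that matters in practice: the rule lists only say what is permitted, so any packet nobody thought about (a new service, a typo in an address) is dropped rather than let through.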

Symptoms of Adware and Spyware

Fig 12-8 Spyware & Adware Symptoms

- Malware protection is the fourth technical safeguard. We'll concentrate on spyware and adware here.
- Spyware is a program that may be installed on your computer without your knowledge or permission.
- Adware is a benign program that's also installed without your permission. It resides in your computer's background and observes your behavior.
- If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer.

(This slide is for lecture.)

4. Malware Protection

Malware Protection (fourth technical safeguard):
- Spyware: resides in the background, unknown to the user; observes the user's actions and keystrokes, monitors computer activity, and reports the user's activities to sponsoring organizations. Some capture keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Some support marketing analyses, observing what users do, Web sites visited, products examined and purchased, and so forth.
- Adware: does not perform malicious acts or steal data. It watches user activity and produces pop-up ads. Adware can change the user's default window or modify search results and switch the user's search engine.
- Beacons: tiny files that gather demographic information (e.g., gender, age, income). The information is refreshed in real time and sold to other companies.

4. Malware Types and Spyware and Adware Symptoms (cont.)

- Viruses
- Payload
- Trojan horses
- Worms
- Beacons

Spyware & Adware Symptoms

Fig 12-11 Spyware & Adware Symptoms

If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer.

Malware Safeguards

1. Antivirus and antispyware programs
2. Scan frequently
3. Update malware definitions
4. Open email attachments only from known sources
5. Install software updates
6. Browse only reputable Internet neighborhoods

Bots, Botnets, and Bot Herders

- Bot
  - Surreptitiously installed, takes actions unknown and uncontrolled by the user or administrator
  - Some very malicious, others annoying
- Botnet
  - A network of bots created and managed by an individual or organization that infects networks with a bot program
- Bot herder
  - Individual or organization that controls the botnet
- Serious problems for commerce and national security
  - It is believed that a unit of the North Korean Army served as a bot herder for a botnet that caused denial of service attacks on Web servers in South Korea and in the United States in July, 2009.

5. Design Secure Applications

- Designing secure applications is the last (fifth) technical safeguard.
- You should ensure that any information system developed for you and your department includes security as one of the application requirements.

Q5: What Data Safeguards Are Available?

Fig 12-12 Data Safeguards

- Data safeguards are measures used to protect databases and other organizational data.
- An organization should follow the safeguards listed in this figure.
- Remember, data and the information from it are one of the most important resources an organization has.

Some Important Data Safeguards

- Should protect sensitive data by storing it in encrypted form
  - When data are encrypted, a trusted party should have a copy of the encryption key. This safety procedure is called key escrow.
- Periodically create backup copies of database contents
- DBMS and all devices that store database data should reside in locked, controlled-access facilities
  - Physical security was a problem that MRV had when it lost its data.
- Organizations may contract with other companies to manage their databases, inspect their premises, and interview their personnel to make sure they practice proper data protections.

Q6: Human Safeguards for Employees

- Human safeguards for employees are some of the most important safeguards an organization can deploy.
- They should be coupled with effective procedures to help protect information systems.
- This figure shows the safeguards for in-house employees.

Fig 12-13 Human Safeguards for Employees (In-house Staff)

Human Safeguards for Nonemployee Personnel

- Nonemployee personnel
  - Least privileged accounts
- Contract personnel
  - Specify security responsibilities
- Public users
  - Hardening site
- Require vendors and partners to perform appropriate screening and security training
- Specify security responsibilities for work to be performed

Account Administration

- Account management
  - Standards for new user accounts, modification of account permissions, removal of unneeded accounts
- Password management
  - Users should change passwords frequently
- Help desk policies

Account Administration

- Account management (administration) is the third type of human safeguard and has three components: account management, password management, and help-desk policies.
- Account management focuses on
  - Standards for new user accounts, modification of account permissions, removal of unneeded accounts
- Password management requires that users
  - Immediately change newly created passwords
  - Change passwords periodically
- Help desk policies

Fig 12-14 Sample Account Acknowledgement Form
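The account-management and password-management rules above (remove unneeded accounts, change newly created passwords immediately, change passwords periodically) are the kind of thing an administrator checks on a schedule rather than remembers. The following is an added example, not code from the slides or the textbook: it reviews a constructed list of accounts against a constructed policy (90-day maximum password age, 60 days without a login counts as dormant) and lists the findings per account. The usernames, dates and thresholds are all made up for the illustration.

```python
"""Account-administration review against a simple policy.

Added illustration, not from the slides: given a list of user accounts,
flag the ones that violate the account-management and password-management
rules (remove accounts whose owner has left, initial passwords that were
never changed, passwords past their maximum age, dormant accounts).
The accounts and the policy thresholds are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    employed: bool              # owner still with the organization
    created: date
    last_login: Optional[date]  # None = never logged in
    password_set: date          # when the current password was set
    initial_password: bool      # still the password issued when the account was created


# Constructed policy thresholds (assumed values, not from the slides).
POLICY = {"max_password_age_days": 90, "dormant_after_days": 60}


def review_account(acct: Account, today: date, policy: Dict[str, int] = POLICY) -> List[str]:
    """Return the policy findings for one account (empty list = no action needed)."""
    findings = []
    if not acct.employed:
        findings.append("remove: owner no longer employed")
    if acct.initial_password:
        findings.append("initial password never changed")
    if (today - acct.password_set).days > policy["max_password_age_days"]:
        findings.append("password older than policy maximum")
    # an account that has never logged in is measured from its creation date
    last_activity = acct.last_login or acct.created
    if (today - last_activity).days > policy["dormant_after_days"]:
        findings.append("dormant: no login within policy window")
    return findings


def review_all(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each account that needs attention to its findings; clean accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample: review date and four accounts with different histories.
TODAY = date(2014, 2, 23)
ACCOUNTS = [
    Account("anne", True, date(2012, 1, 10), date(2014, 2, 21), date(2014, 1, 15), False),
    Account("greenskeeper", True, date(2013, 11, 1), date(2014, 2, 22), date(2013, 11, 1), True),
    Account("contractor7", False, date(2013, 6, 1), date(2013, 12, 1), date(2013, 6, 1), False),
    Account("svc_backup", True, date(2013, 10, 1), None, date(2013, 10, 1), False),
]

if __name__ == "__main__":
    for user, findings in review_all(ACCOUNTS, TODAY).items():
        print(user)
        for f in findings:
            print("  -", f)
```

The terminated contractor's account is the one the slides single out as "removal of unneeded accounts"; the service account that has never logged in is the case that is easy to miss by hand, because nobody owns it day to day.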

Systems Procedures

- Effective system procedures can help increase security and reduce the likelihood of computer crime. As this figure shows, procedures should exist for both system users and operations personnel that cover normal, backup, and recovery procedures.

Fig 12-15 Systems Procedures

- Security monitoring is the last human safeguard. It includes:
  - Activity log analyses
  - Security testing
  - Investigating and learning from security incidents.

Security Monitoring Functions

- Activity log analyses
  - Firewall, DBMS, Web server
- In-house and external security testing
- Investigation of incidents
- Create "honeypots"
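"Activity log analyses" of a Web server log is concrete enough to show as code. The following is an added example, not code from the slides or the textbook: it reads constructed Web-server access-log lines in the common log format, keeps a sliding window of failed login attempts per client address, and raises an alert when the failures exceed a threshold and again if a login from that address then succeeds (the pattern a security team would investigate as a possible compromised account). The log lines, the 120-second window and the threshold of five failures are all assumptions of the example; the `/login` path and the 401 status for a failed login are likewise constructed.

```python
"""Failed-login burst detection over Web server access-log lines.

Added illustration, not from the slides: parse common-log-format lines,
track failed POST /login attempts per client IP inside a sliding time
window, and emit alerts for a burst of failures and for a success that
follows one. The log lines and thresholds are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# client - - [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \d+')


def parse(line: str) -> Optional[Dict]:
    """Turn one access-log line into a dict; None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(status),
    }


def analyze(lines: List[str], window: timedelta = timedelta(seconds=120),
            threshold: int = 5) -> List[Tuple[str, str, datetime]]:
    """Return (ip, alert, time) tuples for login-failure bursts and successes after them."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    flagged = set()                # ips currently over the threshold
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != "/login":
            continue
        q = failures[ev["ip"]]
        # drop failures that fell out of the sliding window
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if not q:
            flagged.discard(ev["ip"])
        if ev["status"] in (401, 403):
            q.append(ev["time"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append((ev["ip"], "repeated login failures", ev["time"]))
        elif ev["status"] == 200 and ev["ip"] in flagged:
            alerts.append((ev["ip"], "login success after repeated failures", ev["time"]))
    return alerts


# Constructed sample log: one client fails five times then succeeds; another
# client mistypes once and then logs in normally.
SAMPLE_LOG = """\
198.51.100.7 - - [23/Feb/2014:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [23/Feb/2014:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [23/Feb/2014:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [23/Feb/2014:10:00:07 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [23/Feb/2014:10:00:09 +0000] "POST /login HTTP/1.1" 200 2048
198.51.100.7 - - [23/Feb/2014:10:00:10 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [23/Feb/2014:10:00:13 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [23/Feb/2014:10:00:16 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.7 - - [23/Feb/2014:10:00:20 +0000] "POST /login HTTP/1.1" 200 2048
""".splitlines()

if __name__ == "__main__":
    for ip, what, when in analyze(SAMPLE_LOG):
        print(f"{when.isoformat()} {ip}: {what}")
```

The second alert is the one worth prioritising in an incident queue: a burst of failures alone may be a forgotten password, but a success right after a burst from the same address is what "investigating and learning from security incidents" should start from.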

Responding to Security Incidents

- Human error and computer crimes
- Procedures for how to respond to security problems, whom to contact, data to gather, and steps to reduce further loss
- Centralized reporting of all security incidents
- Incident-response plan (see next slide)
- Emergency procedures

Incident-Response Plan

Along with disaster preparedness plans, every organization should think about how it will respond to security incidents that may occur, before they actually happen. The figure below lists the major factors that should be included in any incident response.

Fig 12 (extra) Factors in Incident Response

Major Disaster-Preparedness Tasks

No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems. This figure describes disaster preparedness tasks for every organization, large and small. The last item, which suggests an organization train and rehearse its disaster preparedness plans, is very important.

Fig 12-16 Disaster Preparedness Tasks

Disaster-Recovery Backup Sites

- Hot site
  - Utility company that can take over another company's processing with no forewarning.
  - Hot sites are expensive; organizations pay $250,000 or more per month for such services.
- Cold sites
  - Provide computers and office space. They are cheaper to lease, but customers install and manage systems themselves.
  - The total cost of a cold site, including all customer labor and other expenses, might not necessarily be less than the cost of a hot site.

Q7: 2022?

- Challenges likely to be iOS and other intelligent portable devices
- Harder for the lone hacker to find a vulnerability to exploit
- Continued investment in safeguards
- Continued problem of electronically porous national borders

End of Chapter 12