
Using MIS 4e Chapter 12

Information Security Management

“Could Someone Be Getting to Our Data?”

Someone’s stealing wedding presents, but only from weddings of club members.

Knowledge: Knows how to access the system and database, and maybe knows some SQL.

Access: Mike has yellow stickies with passwords on his monitor; many copies of the key to the server building exist.

Knowledge: The greenskeeper guy, “a techno-whiz,” created a report for Anne. He knows how to query the database, and is known to have accessed it before Anne’s project (Chapter 9).

(Scenario video)

Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall 12-2

Study Questions

Q1 What are the threats to information security?

Q2 What is senior management’s security role?

Q3 What technical safeguards are available?

Q4 What data safeguards are available?

Q5 What human safeguards are available?

Q6 How should organizations respond to security incidents?

Q7 What is the extent of computer crime?

Q8 2021?


Q1: What Are the Threats to Information Security?

Security threats arise from three sources:

• Human error and mistakes
• Malicious human activity
• Natural events and disasters

(Tutorial video)


Human Errors and Mistakes

Human errors and mistakes include:

• Accidental problems caused by both employees and nonemployees
   - Employee misunderstands operating procedures and accidentally deletes customer records
   - Employee, while backing up a database, inadvertently installs an old database on top of the current one
• Poorly written application programs and poorly designed procedures
• Physical accidents, such as driving a forklift through a computer room wall

Malicious Human Activity

• Employees and former employees who intentionally destroy data or other system components
• Hackers who break into a system; virus and worm writers who infect computer systems
• Outside criminals who break into a system to steal for financial gain
• Terrorism

Natural Events and Disasters

• Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature
• Includes the initial loss of capability and service, and losses stemming from actions taken to recover

What Are the Types of Security Problems?


What Are the Components of an Organization’s Security Program?

Three Components of a Security Program
1. Senior-management involvement
2. Safeguards of various kinds
3. Incident response

Critical Security Functions for Senior Management
1. Establish security policy to set the stage for the organization’s response to security threats.
2. Manage risk by balancing the costs and benefits of the security program.

Safeguards


Phishing Examples


Q2: What Is Senior Management’s Security Role?

Management sets security policy, and only management can balance costs of a security system against the risk of security threats.


Elements of Information Systems Security— NIST Handbook


What Are the Elements of a Security Policy?

General statement of the organization’s security program
• Management specifies the goals of the security program and the assets to be protected.
• The statement designates a department for managing the security program and its documents.
• It specifies how enforcement of security programs and policies will be ensured.

Issue-specific policy
• Personal use of computers at work and email privacy.

System-specific policy
• What customer data from the order-entry system will be sold or shared with other organizations?
• What policies govern the design and operation of systems that process employee data?
• Addressing such policies is part of the standard systems development process.


How Is Risk Managed?

Risk—the likelihood of an adverse occurrence.
• Threats themselves usually cannot be managed directly (no one can prevent an earthquake); instead their security consequences are limited, for example by creating a backup processing facility at a remote location.
• Safeguards can reduce risk, but at a cost. It is management’s responsibility to decide how much to spend, or how much risk to assume.

Uncertainty—lack of knowledge, especially about the chance of occurrence or the risk of an outcome or event.
• An earthquake could devastate a corporate data center built on a fault that no one knew about.
• An employee finds a way to steal inventory using a vulnerability in the corporate website that no expert knew existed.


Risk Assessment Factors

• Assets
• Threats
• Safeguards
• Vulnerability
• Consequences
• Likelihood
• Probable loss

Risk Assessment Factors (cont’d)

Assets
• What are the assets that are to be protected?
• Computer facilities, programs, and sensitive data
• Phishing threatens customers, company trademark, and brand
• Employee privacy

Threats
• Assess threat exposure

Risk Assessment Factors (cont’d)

Safeguard
• Any action, device, procedure, technique, or other measure that reduces a system’s vulnerability
• There is always a residual risk that it will not protect assets in all circumstances

Vulnerability
• An opening or a weakness in the security system
• Some vulnerabilities exist because there are no safeguards or the existing safeguards are ineffective

Consequences
• Damages when an asset is compromised
• Tangible consequences—direct financial impact
• Intangible consequences—indirect financial impact

Risk Assessment Factors (cont’d)

Likelihood
• Probability that a given asset will be compromised by a given threat, despite safeguards

Probable loss
• The “bottom line” of risk assessment
• Multiply Likelihood by Cost of Consequences
• Probable loss also includes a statement of intangible consequences

Risk-Management Decisions

• Given the probable loss from the risk assessment, senior management must decide what to do
• Some assets can be protected by inexpensive and easily implemented safeguards
• Some vulnerabilities are expensive to eliminate, and management must determine whether the cost of the safeguard is worth the benefit of the probable-loss reduction
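The arithmetic of the last few slides carried through on a small risk register, as an added example that is not from the textbook: every asset, threat, probability and dollar figure in REGISTER is an illustrative assumption for the club scenario, and the decision rule is the slide’s own, adopt a safeguard when its annual cost is less than the probable loss it removes.

```python
from dataclasses import dataclass

# Added example (not from the textbook). All assets, threats, probabilities and
# dollar figures below are constructed for illustration.


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: float      # annual probability the asset is compromised by this threat, despite current safeguards
    consequence: float     # tangible (direct financial) loss in dollars if it happens
    intangible: str = ""   # intangible consequences are stated in words, not multiplied


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    residual_likelihood: float    # likelihood once the safeguard is in place
    residual_consequence: float   # consequence once it is in place (some safeguards shrink the loss, not the odds)


def probable_loss(likelihood, consequence):
    """The slide's 'bottom line': likelihood multiplied by the cost of consequences."""
    return likelihood * consequence


def evaluate(risk, option):
    """Compare a safeguard's annual cost with the probable-loss reduction it buys."""
    before = probable_loss(risk.likelihood, risk.consequence)
    after = probable_loss(option.residual_likelihood, option.residual_consequence)
    net = (before - after) - option.annual_cost
    return {
        "asset": risk.asset,
        "threat": risk.threat,
        "safeguard": option.name,
        "probable_loss_before": before,
        "probable_loss_after": after,
        "net_benefit": net,
        "decision": "adopt" if net > 0 else "accept the risk or find a cheaper safeguard",
        "intangible": risk.intangible,
    }


def rank_decisions(register):
    """Rank candidate safeguards by net benefit so management sees the best buys first."""
    return sorted((evaluate(r, s) for r, s in register), key=lambda d: d["net_benefit"], reverse=True)


# Constructed register for the club scenario (illustrative numbers only).
REGISTER = [
    (Risk("member database", "SQL query by an insider using a sticky-note password", 0.30, 200_000, "loss of member trust"),
     Safeguard("per-user database accounts with least privilege", 15_000, 0.05, 200_000)),
    (Risk("data center", "earthquake", 0.01, 5_000_000, "weeks of downtime"),
     Safeguard("remote backup processing facility", 120_000, 0.01, 1_000_000)),
    (Risk("staff laptops", "theft", 0.50, 20_000, "possible member data exposure"),
     Safeguard("full-disk encryption", 2_000, 0.50, 2_000)),
]

if __name__ == "__main__":
    for d in rank_decisions(REGISTER):
        print(f"{d['asset']:16} {d['safeguard'][:45]:45} net {d['net_benefit']:>10,.0f}  -> {d['decision']}")
```

The ranking makes the slide’s point concrete: the cheap laptop safeguard and the database fix both pay for themselves, while the backup facility costs more per year than the earthquake risk it removes, so management either accepts that risk or looks for a cheaper option.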

Ethics Guide: Security Privacy

Legal requirements to protect customer data. Gramm-Leach-Bliley (GLB) Act (1999) protects consumer financial data stored by financial institutions.

Privacy Act of 1974 provides protections to individuals regarding records maintained by U.S. government.

Health Insurance Portability and Accountability Act (HIPAA) (1996) gives individuals right to access health data created by doctors and other health-care providers. HIPAA sets rules and limits on who can read and receive your health information.

The Privacy Principles of the Australian Privacy Act of 1988 cover government, health-care data, and records maintained by businesses with revenues in excess of AU$3 million.


Ethics Guide: Security Privacy

Do Dell, Amazon.com, the airlines, and other e-commerce businesses have a legal requirement to protect their customers’ credit card data? Apparently not—at least not by federal statute in the United States. (The PCI Data Security Standard does require merchants to protect cardholder data, but it is imposed contractually by the card brands and acquiring banks rather than by law, and state breach-notification laws apply once data is lost.)

However, online retailers have an ethical requirement to protect a customer’s credit card and other data. Retailers also have a strong business reason to protect customer data: a substantial loss of credit card data would have detrimental effects on sales and brand reputation.

No federal law prohibits the U.S. Government from buying information from data accumulators.


Ethics Guide: Security Privacy

What requirements does your university have on data it maintains about you?
• State law or university policy may govern records. At the federal level, FERPA (the Family Educational Rights and Privacy Act of 1974) restricts how institutions that receive federal funds disclose education records, but it allows release of “directory information” such as graduation date, degree, and major unless the student opts out. Most universities consider it their responsibility to provide public access to graduation records, so anyone can determine when you graduated, your degree, and your major.
• What about your class work? What about papers you write, answers you give on exams? What about email you send to your professor? Beyond FERPA’s limits on what the university may disclose, they are not protected by federal privacy law, and probably not by state law.
• If your professor cites your work in research, it is subject to copyright law, but not privacy law. What you write is no longer your personal data; it belongs to the academic community.


Q3: What Technical Safeguards Are Available?

(Tutorial video)

Identification and Authentication

Authentication methods
• Password
• Smart card
• Biometric

Smart cards
• Microchip embedded with identifying data
• Authentication by PIN

Biometric authentication
• Fingerprints, face scans, retina scans
• See http://searchsecurity.techtarget.com

Single sign-on for multiple systems
• Authenticate to the network and other servers

Single Sign-on for Multiple Systems

The operating system authenticates you to networks and other servers. You sign on to your local computer and provide authentication data; from that point on, the operating system authenticates you to other networks or servers.

Kerberos—a system protocol that authenticates users without sending passwords across the computer network.

• Uses a system of “tickets”, issued by a trusted Key Distribution Center (KDC), to enable users to obtain services from networks and other servers. Windows, Linux, Unix, and other operating systems employ Kerberos to authenticate user requests across networks of computers running a mixture of operating systems.

Always protect your passwords!


Wireless Access

Drive-by sniffers
• Walk or drive around a business or residential area with a wireless computer and locate dozens, or even hundreds, of wireless networks.

VPNs and special security servers
• Sophisticated communications equipment using elaborate techniques that require the support of highly trained communications specialists.

IEEE 802.11 Committee
• Developed a wireless security standard called Wired Equivalent Privacy (WEP). Unfortunately, WEP has serious flaws: its RC4 key can be recovered from captured traffic in minutes, so it should not be used.

Wi-Fi Protected Access (WPA) and WPA2
• Developed and improved wireless security standards that newer wireless devices use. The original WPA (TKIP) is itself now deprecated; use WPA2 with AES-CCMP, or WPA3 where the equipment supports it.

For the latest on wireless network security

Encryption


Essence of HTTPS (SSL or TLS)


Digital Signatures

Most messages, such as email, are sent over the Internet as plaintext.

• “Please deliver shipment 1000 to our Oakdale facility.” It is possible for a third party to intercept the email, remove “our Oakdale facility”, substitute its own address, and send the message on to its destination.

Digital signatures are a technique for ensuring plaintext messages are received without alteration.

• The plaintext message is first hashed. (Hashing is a method of mathematically creating a string of bits, the message digest, that characterizes the message.) In one popular standard, SHA-1, message digests are 160 bits long; SHA-1 is now considered too weak for signatures, and current practice uses SHA-256 or stronger.
• The sender encrypts the digest with its private key to form the signature. The receiver recomputes the digest from the message it received and compares it with the digest recovered from the signature using the sender’s public key; any change to the message changes the digest, so the comparison fails.


Using Digital Signatures


Digital Certificates: How Does Receiver Obtain True Party’s Public Key?

Certificate authorities (CAs)—trusted, independent third-party companies that supply public keys.
• The browser requests the public key for Bank of America.
• The CA responds with a digital certificate: “Bank of America” (key), signed with the CA key.
• A digital certificate is plaintext; it can be intercepted, and someone could substitute its own public key for BOA’s. To prevent that, the CA signs the digital certificate with its digital signature, which the browser checks against the CA public key it already trusts. A swapped key no longer matches the CA’s signature, so the forgery is detected.


Firewalls

A computing device that prevents unauthorized network access. May be a special-purpose computer or a program on a general-purpose computer.

Organizations may have multiple firewalls
• Perimeter firewalls outside the network
• Internal firewalls inside the network
• Packet-filtering firewalls examine each part of a message

May filter both incoming and outgoing messages
• Encoded rules stating which IP addresses are allowed into or out of the network

Do not connect to the Internet without firewall protection.
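A packet-filtering firewall of the kind the slide describes, as an added example that is not from the textbook: a rule list naming which addresses may enter or leave an assumed 10.1.0.0/16 corporate network, evaluated top to bottom with first match winning and default deny. The rule set, addresses and sample packets are constructed, and unlike a real firewall this one does no connection tracking.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the textbook). The network, rules and packets are
# constructed; a stateless filter like this is the slide's "encoded rules
# stating IP addresses allowed into or out of the network", nothing more.

INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")   # assumed corporate network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str                 # "in" (toward INTERNAL_NET) or "out"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any port

    def matches(self, pkt, direction):
        return (self.direction == direction
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def net(cidr):
    return ipaddress.ip_network(cidr)


# Evaluated top to bottom; first match wins; no match means deny.
RULES = [
    Rule("deny",  "in",  net("10.1.0.0/16"), net("0.0.0.0/0")),                  # anti-spoofing: inside addresses never arrive from outside
    Rule("allow", "in",  net("0.0.0.0/0"),   net("10.1.2.10/32"), "tcp", 443),  # public web server, HTTPS only
    Rule("deny",  "in",  net("0.0.0.0/0"),   net("10.1.3.5/32")),               # database server never reachable from outside
    Rule("allow", "out", net("10.1.0.0/16"), net("0.0.0.0/0"),   "tcp", 443),   # staff may browse HTTPS sites
    Rule("allow", "out", net("10.1.0.0/16"), net("0.0.0.0/0"),   "udp", 53),    # and resolve names
]


def direction_of(pkt):
    return "in" if ipaddress.ip_address(pkt.dst) in INTERNAL_NET else "out"


def decide(pkt, rules=RULES):
    """Return (action, index of the matching rule or None). Default deny when nothing matches."""
    direction = direction_of(pkt)
    for index, rule in enumerate(rules):
        if rule.matches(pkt, direction):
            return rule.action, index
    return "deny", None


# Constructed traffic sample.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "10.1.2.10",    "tcp", 443),   # customer reaching the web server
    Packet("203.0.113.7", "10.1.2.10",    "tcp", 22),    # SSH to the web server from outside
    Packet("203.0.113.7", "10.1.3.5",     "tcp", 1433),  # direct hit on the database server
    Packet("10.1.4.20",   "198.51.100.9", "tcp", 443),   # staff browsing
    Packet("10.1.4.20",   "198.51.100.9", "tcp", 25),    # staff sending SMTP straight out
    Packet("10.1.9.9",    "10.1.2.10",    "tcp", 443),   # packet from outside claiming an inside address
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, index = decide(pkt)
        print(f"{pkt.src:>13} -> {pkt.dst:<13} {pkt.proto}/{pkt.dport}: {action} (rule {index})")
```

Note the two packets that are denied without matching any rule: default deny is what makes the filter safe against ports and hosts nobody thought to write a rule for, and the anti-spoofing rule sits first precisely because a later allow would otherwise let a forged inside address through.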

Malware Protection

Malware types and the problems they cause

Malware: Viruses, worms, Trojan horses, spyware, and adware
Virus: Computer program that replicates itself and takes unwanted and harmful actions
Macro virus: Attaches itself to Word, Excel, or other types of document; the virus infects every file that the application creates or processes
Worm: Virus that propagates using the Internet or another computer network; can choke a network
Spyware: Some capture keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Other spyware supports marketing analyses.
Adware: Can slow computer performance

Symptoms of Adware and Spyware

Check out Kaspersky Virus Watch

Malware Safeguards

• Install antivirus and antispyware programs on your computer
• Set up your anti-malware programs to scan your computer frequently
• Update malware definitions
• Open email attachments only from known sources
• Promptly install software updates from legitimate sources
• Browse only in reputable Internet neighborhoods

Bots, Botnets, and Bot Herders

Bot
• Computer program surreptitiously installed that takes actions unknown to and uncontrolled by the computer’s owner or administrator
• Some steal credit card data, banking data, and e-mail addresses; cause denial-of-service attacks; generate pop-ups

Botnet
• Network of bots created and managed by an individual or organization

Bot herder
• Organization that controls the botnet

Botnets and bot herders pose potentially serious problems to commerce and national security

AOL and the National Cyber Security Alliance Malware Study

Question                                                  User response                                           Actual
Do you have a virus on your computer?                     Yes: 6%; Did not know: 50%                              18%
Average (maximum) number on infected computer             n/a                                                     2.4 (213)
How often do you update your antivirus software?          Last week: 71%; Last month: 2%; More than 6 mos.: 12%   Last week: 33%; Last month: 34%; More than 6 mos.: 12%
Do you think you have adware or spyware on your computer? Yes: 53%                                                Yes: 80%
Average (maximum) number of spyware/adware found          n/a                                                     93 (1,059)
Did you give permission to install these on your computer? Yes: 5%; No: 95%                                       n/a

Design Secure Applications

You should ensure that any information system developed for you and your department includes security as a requirement.

Q4: What Data Safeguards Are Available?

Data Safeguards

Q5: What Human Safeguards Are Available?

Position Definitions
• Least privilege possible

Hiring and Screening Employees
• Extensive interviews and background checks for high-sensitivity positions

Dissemination and Enforcement
• Make employees aware of security policies and procedures

Termination
• Establish security policies and procedures for employee termination.
• HR dept. gives IS early notification

Security Policy for In-House Staff


Human Safeguards for Nonemployee Personnel

Nonemployee personnel
• Temporary personnel, vendors, business partner personnel, and the public
• Provide accounts and passwords with least privilege and remove accounts as soon as possible

Contract
• Require vendors and partners to perform appropriate screening and security training
• Specify security responsibilities particular to the work

Public safeguard
• Harden the site to reduce the system’s vulnerability
• Use special versions of the operating system; lock down or eliminate operating system features and functions not required

Account Administration

Administration of user accounts, passwords, and help-desk policies and procedures

Account Management
• Creation of new user accounts, modification of existing account permissions, removal of unneeded accounts
• Improve your relationship with IS personnel by providing early and timely notification of the need for account changes

Password Management
• Users should change passwords every 3 months or perhaps more frequently. (Current NIST guidance, SP 800-63B, drops the forced periodic change: passwords are changed when there is evidence of compromise and screened against lists of known-breached passwords, because forced rotation tends to produce predictable variations of the old password.)

National Institute of Standards and Technology (NIST) Recommendation

User signs statement like this

Help Desk Policies

Means of authenticating a user
• User’s birthplace, mother’s maiden name, or last four digits of an important account number. (These facts are often public or easy to find, so on their own they are weak authenticators; a callback to a phone number on record or a one-time code sent to a registered device is stronger.)

If you ever receive notification that your password was reset when you did not request such a reset, immediately contact IS security. Someone has compromised, or is trying to compromise, your account.


Systems Procedures


Security Monitoring Functions

Activity log analyses
• Firewall logs
• DBMS log-in records
• Web server logs

Security testing
• In-house and external security professionals

Investigation of incidents
• How did the problem occur?

Learn from incidents
• Indication of potential vulnerability and needed corrective actions

Review and update security and safeguard policies

Security Monitoring

Activity log analyses
• Firewalls produce logs of their activities, including lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall.
• DBMS products produce logs of successful and failed log-ins.
• Web servers produce logs of web activities.
• Operating systems on personal computers can produce logs of log-ins and firewall activities.

Security testing
• Use in-house personnel and outside security consultants to conduct testing

Investigating and learning from security incidents
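Activity-log analysis over the DBMS log-in records the slide mentions, as an added example that is not from the textbook. The log format “<ISO timestamp> <FAILED|SUCCESS> user=<name> src=<ip>” and every line in SAMPLE_LOG are constructed for the example, and the threshold and window are assumptions to tune; the two patterns it flags are a burst of failures from one source and a success arriving right after such a burst, which is the sign that password guessing got in.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the textbook). The log format and every line below are
# constructed; adapt LINE_RE to the log your DBMS actually writes.

SAMPLE_LOG = """\
2012-03-01T08:00:01 FAILED user=anne src=10.1.1.7
2012-03-01T08:00:02 FAILED user=anne src=10.1.1.7
2012-03-01T08:00:03 FAILED user=anne src=10.1.1.7
2012-03-01T08:00:04 FAILED user=admin src=10.1.1.7
2012-03-01T08:00:05 FAILED user=admin src=10.1.1.7
2012-03-01T08:00:09 SUCCESS user=admin src=10.1.1.7
2012-03-01T08:01:00 FAILED user=mike src=10.1.1.20
2012-03-01T08:01:10 SUCCESS user=mike src=10.1.1.20
this line is not a login record and is skipped
2012-03-01T09:00:00 FAILED user=bob src=10.1.1.30
2012-03-01T09:30:00 FAILED user=bob src=10.1.1.30
"""

LINE_RE = re.compile(r"^(\S+) (FAILED|SUCCESS) user=(\S+) src=(\S+)$")


def parse(text):
    """Yield (timestamp, status, user, src) for well-formed lines; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect(text, threshold=5, window=timedelta(minutes=5)):
    """Flag a source with >= threshold failures inside the window, and any success
    that follows such a burst from the same source."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> failure timestamps still inside the window
    burst_reported = set()
    for ts, status, user, src in parse(text):
        q = recent_failures[src]
        while q and ts - q[0] > window:     # slide the window forward
            q.popleft()
        if status == "FAILED":
            q.append(ts)
            if len(q) >= threshold and src not in burst_reported:
                alerts.append({"kind": "failed-login-burst", "src": src, "user": user, "at": ts, "failures": len(q)})
                burst_reported.add(src)
        else:
            if len(q) >= threshold:
                alerts.append({"kind": "success-after-burst", "src": src, "user": user, "at": ts, "failures": len(q)})
            q.clear()                       # a successful login ends the current burst
            burst_reported.discard(src)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['at']} {a['kind']:20} src={a['src']} user={a['user']} failures={a['failures']}")
```

On the sample, mike’s single typo and bob’s two failures half an hour apart stay quiet, while 10.1.1.7 trips both alerts: five failures across two accounts in a few seconds, then a successful admin login. Keying the window on the source rather than the user is deliberate; an attacker who rotates through accounts would otherwise stay under a per-user threshold.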

Q6: How Should Organizations Respond to Security Incidents?

Backup processing centers at a geographically removed site
• Create backups for critical resources
• Contract with a “hot site” or “cold site” provider
   - Hot site provides all equipment needed to continue operations there
   - Cold site provides space, but you have to set up and install equipment
   - www.ragingwire.com/managed_services?=recovery
• Periodically train and rehearse cutover of operations

Disaster-Recovery Backup Sites

• Disaster ― Substantial loss of infrastructure caused by acts of nature, crime, or terrorism

Appropriate location
• Fire-resistant buildings
• Avoid places prone to floods, earthquakes, tornadoes, hurricanes, avalanches, car/truck accidents
• Unobtrusive buildings, basements, backrooms, controlled physical perimeter

Disaster-Recovery Backup Sites

Hot site
• A utility company that can take over another company’s processing with no forewarning
• Hot sites are expensive; organizations pay $250,000 or more per month for such services

Cold sites
• Provide computers and office space
• Cheaper to lease, but customers install and manage systems themselves
• Total cost, including all customer labor and other expenses, might not be less than a hot site

Incident-Response Plan


Q7: What Is the Extent of Computer Crime?

Computer Security Institute survey, http://gocsi.com (2009; registration required)

• Only 144 of 522 responding organizations provided cost-of-loss data (2009)
• Financial fraud had the highest average incident cost, $463,100, and losses due to bots averaged $345,600
• Some losses are difficult to quantify.

What is the loss from a denial-of-service attack on a website? If the website is unavailable for 24 hours, what potential sales, prospects, or employees have been lost? What reputation problem was created for the organization?

Percentage of Security Incidents

(Figure 12-16: Percentage of Security Incidents)

Security Incident Trends

Number of virus attacks steadily decreased, indicating success of antivirus programs.

Financial fraud remained relatively stable, affecting approximately 12% of respondents.

Laptop theft declined from around 70% in 1999 to 44% in 2008.

Financial fraud had highest average incident cost— $463,100—and losses due to bots averaged $345,600.


Q8: 2021?

Skill level of cat-and-mouse activity is likely to increase substantially.

Increased security in operating systems and other software, improved security procedures and employee training will make it harder and harder for a lone hacker to find some vulnerability to exploit.


Q8: 2021? (cont’d)

The next challenges are likely to be iPhones, iPads, and other mobile devices. Security on these needs to be improved.

• Organized criminals, primarily bot herders, terrorists, or elements of renegade governments, inflicting a new type of cyber warfare on other nations
   - A Trojan horse called Zeus v3 emptied the accounts of thousands of British bank customers
• Cyber warfare among nations
• Number of computer security jobs to increase by 27% by 2016

Guide: Security Assurance, Hah!

Employees who never change password or use some simpleton word like “Sesame” or “MyDogSpot” or something equally absurd.

Notes with passwords in top drawer of desks.

If you enter a system with a readily available password, is that even breaking in? Or is it more like opening a door with a key you were given?

Management should stop talking about security risk assurance and start talking about and enforcing real security.


Guide: The Final, Final Word

• Stay alert to new technology-based opportunities
• Watch for “second wave” opportunities
• Enroll in a database class or systems development class, or a security class, even if you’re not an IS major
• Look for novel applications of IS technology in the emerging business environment

Active Review

Q1 What are the threats to information security?

Q2 What is senior management’s security role?

Q3 What technical safeguards are available?

Q4 What data safeguards are available?

Q5 What human safeguards are available?

Q6 How should organizations respond to security incidents?

Q7 What is the extent of computer crime?

Q8 2021?
