Information Security Management by David Kroenke


1 Information Security Management by David Kroenke
Using MIS 5e, Chapter 12: Information Security Management, by David Kroenke.
This chapter overviews the major components of information systems security. Threats to data and information systems are increasing in number and in complexity. As a result, demand for security specialists is predicted to increase by more than 50% between 2008 and 2018.

2 Could Someone Be Getting To Our Data?
Stealing only from weddings of club members.
Knowledge: how to access the system and the database, and SQL.
Access: passwords on yellow sticky notes; many copies of the key to the server building.
Suspect: the greenskeeper guy is "a techno-whiz," created the report for Anne, knows SQL and how to access the database.

Goals. Use Fox Lake Country Club to:
Underscore the importance of IT management and protection functions.
Emphasize the importance of professional IT development.
Show the need for background checks on employees who access organizational data.
Show the need for employee-termination safeguards.

Background. This problem started back in Chapter 9, when Anne asked Mike for the BI report about members' daughters who were prospects for wedding events. Mike hired his groundskeepers, Chris and Jason, to prepare the reports. Mike has passwords written on sticky notes on his monitor; if nothing else, students should learn not to do that, no matter how aggravating it is to remember passwords. Numerous mistakes were made that led to this problem. Laura saw it coming when she first started to work with Fox Lake: having servers in an unsecured location where many part-time employees and contractors pass through is an invitation for trouble.
Copyright © 2013 Pearson Education, Inc. Publishing as Prentice Hall

3 Study Questions
Q1: What is the goal of information systems security?
Q2: How should you respond to security threats?
Q3: How should organizations respond to security threats?
Q4: What technical safeguards are available?
Q5: What data safeguards are available?
Q6: What human safeguards are available?
Q7: 2022?
We begin by defining the goals of IS security, then address how individuals respond to personal security threats. In Q3, the discussion focuses on how organizations should handle threats. The next three questions address security safeguards: technical safeguards involving hardware and software components, data safeguards, and human safeguards related to the procedure and people components. The chapter wraps up with predictions about IS security in 2022.

4 Q1: What Is the Goal of Information Systems Security?
The four major elements of IS security are:
Threat: a person or organization that seeks to obtain data or other assets illegally, without the owner's permission and often without the owner's knowledge.
Vulnerability: an opportunity for threats to gain access to individual or organizational assets. For example, when you buy online, you provide your credit card data, and as that data is transmitted over the Internet, it is vulnerable to threats.
Safeguard: a measure that individuals or organizations take to block the threat from obtaining an asset. Safeguards are not always effective; some threats achieve their goal in spite of safeguards.
Target: an asset that is desired by the threat.

5 Examples of Threat/Loss
In the first example, the threat is an Xbox gamer who wants to steal credit card data, and the target is that credit card data. When you provide your credit card data for an online transaction, that data is vulnerable as it transits the Internet. However, using HTTPS provides an effective safeguard to counter that threat. In the second example, when sending credit card data via email, you have no safeguard against someone "sniffing" Internet traffic.

6 Human Error, Computer Crime, and Natural Events
Human Errors and Mistakes: accidental problems caused by both employees and nonemployees.
Computer Crime: intentional or malicious violation against data, software, or hardware.
Natural Events and Disasters: fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature; these include the initial loss of capability and service and the losses incurred while recovering.

7 What Types of Security Loss Exist?
Unauthorized Data Disclosure:
Pretexting
Phishing
Spoofing (IP spoofing, email spoofing)
Drive-by sniffers
Hacking
Natural disasters
These are common threats associated with unauthorized data disclosure.
Pretexting: the act of creating and using an invented scenario (the pretext) to trick a targeted victim into divulging information.
Spoofing: a term for someone pretending to be someone else.

8 Incorrect Data Modification
Procedures not followed, or incorrectly designed procedures
Increasing a customer's discount or incorrectly modifying an employee's salary
Placing incorrect data on the company Web site
Improper internal controls on systems
System errors
Faulty recovery actions after a disaster
Incorrect data modification can occur through human error when employees follow procedures incorrectly or when procedures have been designed incorrectly. For proper internal control of systems that process financial data or that control inventories of assets, companies should have separation of duties and authorities, and oversight and auditing procedures.
System errors: an example is the lost-update problem.

9 Faulty Service
Incorrect data modification
Systems working incorrectly
Procedural mistakes
Programming errors
IT installation errors
Usurpation
Denial of service (unintentional)
Denial-of-service attacks (intentional)
Faulty service: problems caused by incorrect system operation.
Usurpation occurs when computer criminals invade a computer system and replace legitimate programs with their own unauthorized ones, which shut down legitimate applications and substitute their own processing to spy, to steal and manipulate data, or for other purposes.
Denial of service: for example, humans can inadvertently shut down a Web server or corporate gateway router by starting a computationally intensive application. Denial-of-service attacks occur when a malicious hacker floods a Web server, for example, with millions of bogus service requests.

10 Loss of Infrastructure
Human accidents
Theft and terrorist events
Disgruntled or terminated employees
Natural disasters

11 How Big Is the Computer Security Problem?
We do not know the full extent of losses due to computer security threats. In its 2009 report, CSI stated that it had no estimate of the total loss to computer crime experienced by its survey respondents: only 144 of the 522 responding organizations provided cost data on losses to computer crime. Furthermore, some losses are difficult to quantify.
The U.S. Department of Justice publishes a list of computer crime news on its site. Here is a sample of arrests and convictions reported by the U.S. Department of Justice. The Computer Security Institute also publishes its survey results.
An intrusion detection system (IDS) is a computer program that senses when another computer is attempting to scan the disk or otherwise access a computer. A computer on the public Internet can see more than 1,000 such attempts, mostly from foreign countries.

12 Percent of Security Incidents
This chart shows the trend in computer crime incidents over the past 10 years. Note that it shows the percent of companies reporting incidents, not the cost of the loss. For the cost data that CSI did receive, financial fraud had the highest average cost, yet the lowest frequency: financial fraud (12% of respondents) had the highest average incident cost at $463,100, and losses due to bots averaged $345,600. Laptop theft declined from around 70% in 1999 to 44% in 2008.

13 Goal of Information Systems Security
Threats can be stopped, or at least threat loss reduced
Safeguards are expensive and reduce work efficiency
Find the trade-off between risk of loss and cost of safeguards
There is no way to control or eliminate threats from computer criminals, nor can we stop earthquakes or tornadoes. Human error is constant. However, the cost of threat loss can be reduced by creating appropriate safeguards. But safeguards are expensive to create and maintain; they reduce work efficiency by making common tasks more difficult, and they increase labor costs. The goal for individuals and organizations is to find an appropriate trade-off between the risk of loss and the cost of implementing safeguards.

14 Using MIS InClass 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts
In this exercise, you and a group of your fellow students will investigate phishing attacks. Search the Web for phishing, but be aware that your search may bring the attention of an active phisher. Therefore, do not give any data to any site that you visit as part of this exercise!
Goal: to learn the fundamentals of phishing, and some precautionary measures you can take to reduce the potential of being conned by phishing scams.
Lessons:
Never click on hyperlinks within email messages
Use anti-spam filter software
Use anti-virus software
Use a personal firewall
Keep software updated (especially operating systems and browsers)

15 Q2: How Should You Respond to Security Threats?
This slide lists recommended personal security safeguards. With the possible exception of cookie clearing (discussed below), all of them are low cost and easy to implement.

16 Q3: How Should Organizations Respond to Security Threats?
Elements of Information Systems Security (NIST Handbook):
There is no "one size fits all" solution to security problems.
When you manage a department, you have a responsibility for information security in that department.
Computer security should have an appropriate cost-benefit ratio.
Managers should assign specific security tasks to specific people or specific job functions.
Understand that computer system owners have security responsibilities outside their own departments and organizations.
There is no magic bullet for security. No single safeguard, such as a firewall, a virus-protection program, or increased employee training, will provide effective security.
Security programs must be periodically evaluated.
Social limitations: employees resent physical searches; customers do not want their retinas scanned before placing an order. Computer security conflicts with personal privacy, and a balance may be hard to achieve.

17 What Are the Elements of a Security Policy?
Elements of Security Policy:
General statement of the organization's security program
Issue-specific policy
System-specific policy
Managing Risks:
Risk: threats and consequences we know about
Uncertainty: things we do not know that we do not know
The security policy is a general statement of the organization's security program. It becomes the foundation for more specific security measures throughout the organization. It specifies the goals of the security program and the assets to be protected; designates a department for managing the organization's security; defines what it means to be secure for a system; addresses constraints on functions and the flow among them; and establishes constraints on access by external systems and programs and on data access by people.
Issue-specific policy defines, for example, personal use of computers at work and privacy.
System-specific policy identifies, for example: What customer data from the order-entry system will be sold or shared with other organizations? What policies govern the design and operation of systems that process employee data?
Risk: the likelihood of an identifiable possible adverse occurrence; "known unknowns." Threats cannot be managed directly, but security consequences can be limited, for example by creating a backup processing facility at a remote location. Risks can be reduced, but at a cost. Management's responsibility is to decide how much to spend and how much risk to assume.
Uncertainty: "unknown unknowns."

18 Risk Assessment and Management
Tangible consequences
Intangible consequences
Likelihood
Probable loss
Risk-Management Decisions:
Given probable loss, what to protect?
Which safeguards are inexpensive and easy?
Which vulnerabilities are expensive to eliminate?
How to balance the cost of safeguards with the benefits of probable loss reduction?
Companies estimate the costs of tangible consequences and simply list intangible consequences. Given the probable loss from risk assessment, senior management must decide what to do. Some assets can be protected by inexpensive and easily implemented safeguards. Some vulnerabilities can be expensive to eliminate, and management must determine whether the cost of a safeguard is worth the benefit of probable loss reduction.
Tangible consequences are those whose financial impact can be measured. The costs of intangible consequences, such as the loss of customer goodwill due to an outage, cannot be measured. The final two factors in risk assessment are likelihood and probable loss.
Likelihood: the probability that a given asset will be compromised by a given threat, despite the safeguards.
Probable loss: the "bottom line" of risk assessment.
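As an added illustration of the risk-assessment arithmetic this slide describes (example code written for this page, not from the textbook or its slides), the following works the Fox Lake scenario from slide 2 through: probable loss is likelihood times tangible loss, intangible consequences are only listed, and each candidate safeguard is ranked by loss avoided minus its cost. All likelihoods, dollar figures and reduction fractions are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float       # probability per year of compromise, despite current safeguards
    tangible_loss: float    # measurable cost of one occurrence, in dollars
    intangible: list = field(default_factory=list)  # listed only, never costed

    def probable_loss(self):
        """The 'bottom line' of risk assessment: likelihood times tangible loss."""
        return self.likelihood * self.tangible_loss


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    # (asset, threat) -> fraction by which this safeguard reduces that risk's likelihood
    mitigates: dict


def probable_loss_table(risks):
    """Probable loss per (asset, threat) pair, rounded to cents."""
    return {(r.asset, r.threat): round(r.probable_loss(), 2) for r in risks}


def total_probable_loss(risks):
    return round(sum(r.probable_loss() for r in risks), 2)


def safeguard_net_benefit(safeguard, risks):
    """Expected loss avoided per year minus the safeguard's cost. A negative result
    means the vulnerability is more expensive to eliminate than to live with."""
    avoided = sum(r.probable_loss() * safeguard.mitigates.get((r.asset, r.threat), 0.0)
                  for r in risks)
    return round(avoided - safeguard.annual_cost, 2)


def rank_safeguards(safeguards, risks):
    """Management's decision aid: safeguards ordered by net benefit, best first."""
    scored = [(s.name, safeguard_net_benefit(s, risks)) for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed inputs for the Fox Lake scenario (slide 2); every number is an assumption.
RISKS = [
    Risk("member database", "insider using passwords on sticky notes", 0.30, 80_000.0,
         intangible=["loss of member goodwill"]),
    Risk("member database", "drive-by sniffer on club wireless", 0.10, 80_000.0,
         intangible=["reputation damage"]),
    Risk("server building", "theft of server from unsecured location", 0.05, 25_000.0),
]
SAFEGUARDS = [
    Safeguard("password manager, no sticky notes", 1_200.0,
              {("member database", "insider using passwords on sticky notes"): 0.60}),
    Safeguard("WPA2 on club wireless", 500.0,
              {("member database", "drive-by sniffer on club wireless"): 0.90}),
    Safeguard("move servers to a locked room", 3_000.0,
              {("server building", "theft of server from unsecured location"): 0.80}),
    # Illustrates the slide-16 social limitation: effective, but far too costly.
    Safeguard("retina scan for every staff login", 40_000.0,
              {("member database", "insider using passwords on sticky notes"): 0.70}),
]

if __name__ == "__main__":
    for (asset, threat), loss in probable_loss_table(RISKS).items():
        print(f"{asset} / {threat}: probable loss ${loss:,.2f}")
    print(f"total probable loss: ${total_probable_loss(RISKS):,.2f}")
    for name, net in rank_safeguards(SAFEGUARDS, RISKS):
        print(f"{name}: net benefit ${net:,.2f}")
```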

19 Ethics Guide: Security Privacy
Legal requirements to protect customer data:
Gramm-Leach-Bliley (GLB) Act (1999)
Privacy Act of 1974
Health Insurance Portability and Accountability Act (HIPAA) (1996)
Privacy Principles of the Australian Privacy Act of 1988
GOALS: Understand the legal requirements, ethical considerations, and business consequences of data acquisition, storage, and dissemination. Help students formulate personal principles with regard to data acquisition, storage, and dissemination.
The Gramm-Leach-Bliley (GLB) Act (1999) protects consumer financial data stored by financial institutions. The Privacy Act of 1974 provides protections to individuals regarding records maintained by the U.S. government. The Health Insurance Portability and Accountability Act (HIPAA) (1996) gives individuals the right to access health data created by doctors and other health-care providers; HIPAA sets rules and limits on who can read and receive your health information. The Privacy Principles of the Australian Privacy Act of 1988 cover government, health-care data, and records maintained by businesses with revenues in excess of AU$3 million.
BOTTOM LINE: Every business professional has a responsibility for security.

20 Ethics Guide: Security Privacy
What requirements does your university have on data it maintains about you?
No federal law
Responsibility to provide public access to graduation records
Class work, email, and exam answers are not covered under privacy law
Research is covered under copyright law, not privacy law
State law or university policy may govern those records, but no federal law does. Most universities consider it their responsibility to provide public access to graduation records: anyone can determine when you graduated, your degree, and your major. What about your class work? What about papers you write, or your answers on exams? What about email you send to your professor? They are not protected by federal law, and probably not protected by state law. If your professor cites your work in research, it is subject to copyright law, but not privacy law. What you write is no longer your personal data; it belongs to the academic community. Instructors might mention the Family Educational Rights and Privacy Act (FERPA) here, although it is not in the textbook.

21 Q4: What Technical Safeguards Are Available?
Primary technical safeguards include:
Identification and authentication
Smart cards
Biometric authentication
Single sign-on for multiple systems
Firewall: a computing device that prevents unauthorized network access; it can be a special-purpose computer, or a program on a general-purpose computer or router.

22 System Access Protocols
Kerberos: single sign-on for multiple systems; authenticates users without sending passwords across the network; "tickets" enable users to obtain services from multiple networks and servers; Windows, Linux, and Unix employ Kerberos.
Wireless Access: VPNs and special security servers; WEP (Wired Equivalent Privacy); WPA, WPA2 (Wi-Fi Protected Access).
Kerberos authenticates users across a mixture of computer networks without sending their passwords across those networks.
VPNs and special security servers: sophisticated communications equipment uses elaborate techniques that require the support of highly trained communications specialists.
An IEEE committee developed a wireless security standard called Wired Equivalent Privacy (WEP). Unfortunately, WEP has serious flaws. Wi-Fi Protected Access (WPA) and WPA2 are improved wireless security standards used by newer wireless devices.

23 Basic Encryption Techniques
Encryption concepts are summarized in Figure 12-9. A key is a number used to encrypt the data. It is called a key because it unlocks a message, but it is a number used with an encryption algorithm, not a physical thing like the key to your apartment. Encryption is the process of transforming clear text into coded, unintelligible text for secure storage or communication. Considerable research has gone into developing encryption algorithms (procedures for encrypting data) that are difficult to break.

24 Essence of HTTPS (SSL or TLS)
Most secure communication over the Internet uses a protocol called HTTPS. With HTTPS, data are encrypted using a protocol called the Secure Socket Layer (SSL), also known as Transport Layer Security (TLS). SSL/TLS uses a combination of public key/private key and symmetric encryption.

25 Malware Types and Spyware and Adware Symptoms
Spyware and adware symptoms
Viruses
Payload
Trojan horses
Worms
Beacons
The payload is the program code that causes unwanted activity. It can delete programs or data, or modify data in undetected ways. Beacons are tiny files that gather demographic information and use a single code to identify users by age, gender, location, likely income, and online activity. A beacon code can contain your favorite movies, whether you read the online news, your shopping habits, your online dating habits, and what type of research you conduct on the computer.

26 Malware Safeguards
Antivirus and antispyware programs
Scan frequently
Update malware definitions
Open attachments only from known sources
Install software updates
Browse only reputable Internet neighborhoods

27 Bots, Botnets, and Bot Herders
Surreptitiously installed; takes actions unknown to and uncontrolled by the user
Some very malicious, others annoying
Botnet: a network of bots
Bot herder
Serious problems for commerce and national security
Bot: a new catch-all term that refers to any type of virus, worm, Trojan horse, spyware, adware, or other program not installed and controlled by the computer's owner or manager; a computer program, surreptitiously installed, that takes actions unknown to and uncontrolled by the computer's owner or administrator. Some steal credit card data, banking data, and email addresses; some cause denial-of-service attacks or pop-ups and other annoyances.
Botnet: a network of bots created and managed by an individual or organization that infects a network with a bot program. The individual or organization that controls the botnet is called a bot herder. These are potentially serious problems for businesses and national security.

28 Q5: What Data Safeguards Are Available?
Data safeguards are measures used to protect databases and other organizational data. This figure summarizes some important data safeguards.
Key escrow: when data are encrypted, a trusted party should have a copy of the encryption key.
For cloud data storage, organizations need to ensure that the security requirements of the data match the security measures provided by the cloud vendor. Most vendors have public auditors prepare a SAS 70 report, and some vendors have obtained an ISO certification as well.

29 Q6: What Human Safeguards Are Available?
In-house Staff
Human safeguards involve the people and procedure components of information systems. Human safeguards result when authorized users follow appropriate procedures for system use and recovery. Restricting access to authorized users requires effective authentication methods and careful user account management. Appropriate security procedures must be designed into every information system, and users should be trained on the importance and use of those procedures.
Hiring and Screening Employees: extensive interviews and background checks for high-sensitivity positions.
Dissemination and Enforcement: make employees aware of security policies and procedures.
Termination: establish security policies and procedures for employee termination, with the HR department giving IS early notification.

30 Human Safeguards for Nonemployee Personnel
Least-privilege accounts
Contract personnel: specify security responsibilities
Public users: harden the site
Nonemployee personnel are temporary personnel, vendors, business partner personnel, and the public. Provide accounts and passwords with the least privileges, and remove those accounts as soon as possible.
Contract: require vendors and partners to perform appropriate screening and security training; specify security responsibilities that are particular to the work.
Public users: harden the site to reduce the system's vulnerability. Use special versions of the operating system; lock down or eliminate operating system features and functions that are not required.

31 Account Administration
Account Management: standards for new user accounts, modification of account permissions, and removal of unneeded accounts.
Password Management: users should change passwords frequently.
Help Desk Policies
Account management: create new user accounts, modify existing account permissions, remove unneeded accounts. Improve your relationship with IS personnel by providing early and timely notification of needed account changes.
Password management: users should change passwords every 3 months or less.
Help desk management: set policy for the means of authenticating a user.

32 Sample Account Acknowledgment Form
Employees are required to sign statements similar to this one.

33 Systems Procedures
The definition and use of standardized procedures reduces the likelihood of computer crime and other malicious activity by insiders. It also ensures that the system's security policy is enforced.

34 Security Monitoring Functions
Activity log analyses: firewall, DBMS, Web server
Security testing: in-house and external
Investigation of incidents
Create "honeypots"
Activity log analyses: firewall logs, DBMS log-in records, Web server logs.
Security testing: in-house and external security professionals.
Investigation of incidents: learn from incidents; review and update security and safeguard policies.
Honeypots: false targets for computer criminals to attack. A honeypot looks like an unprotected Web site, but has programs that determine the attacker's IP address.
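An added example of the activity-log analysis this slide calls for (written for this page, not from the textbook): it parses constructed Web server and DBMS log-in records, flags source addresses with a burst of failed logins, and correlates the two sources so an address that fails against both the Web login and the DBMS is surfaced first. The log lines, their formats, the `/login` path, and the burst threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Web server log in Apache common log format (not from the page).
WEB_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2012:13:55:38 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2012:13:55:40 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2012:13:55:41 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2012:13:55:43 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2012:13:55:45 +0000] "POST /login HTTP/1.1" 200 2048
198.51.100.20 - - [10/Oct/2012:13:56:02 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.20 - - [10/Oct/2012:14:10:15 +0000] "POST /login HTTP/1.1" 200 2048
192.0.2.44 - - [10/Oct/2012:14:00:01 +0000] "GET /members/report HTTP/1.1" 200 9000
"""

# Constructed sample DBMS log-in records; this one-line-per-attempt format is assumed.
DB_LOG = """\
2012-10-10 13:57:01 LOGIN FAILED user=sa host=203.0.113.7
2012-10-10 13:57:04 LOGIN FAILED user=admin host=203.0.113.7
2012-10-10 14:00:00 LOGIN OK user=reports host=192.0.2.44
"""

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
DB_RE = re.compile(r'^(\S+ \S+) LOGIN (OK|FAILED) user=(\S+) host=(\S+)$')


def parse_web_log(text):
    """Turn common-log-format lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        events.append({
            "ip": ip,
            "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method,
            "path": path,
            "status": int(status),
        })
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: most failed /login POSTs seen inside any `window`} for IPs that
    reach `threshold`. A single stray 401 from a user who mistyped is ignored."""
    failures = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/login" and e["status"] == 401:
            failures[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):           # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def db_failures_by_host(text):
    """Count failed DBMS log-ins per source host."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = DB_RE.match(line)
        if m and m.group(2) == "FAILED":
            counts[m.group(4)] += 1
    return dict(counts)


def correlate(web_bursts, db_failures):
    """Hosts present in both analyses: the first ones an incident investigation should look at."""
    return sorted(ip for ip in web_bursts if ip in db_failures)


if __name__ == "__main__":
    web = failed_login_bursts(parse_web_log(WEB_LOG))
    db = db_failures_by_host(DB_LOG)
    print("web login bursts:", web)
    print("DBMS login failures:", db)
    print("investigate first:", correlate(web, db))
```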

35 Responding to Security Incidents
Human error and computer crimes
Procedures for how to respond to security problems, whom to contact, what data to gather, and what steps to take to reduce further loss
Centralized reporting of all security incidents
Incident-response plan
Emergency procedures
Human error: when users realize they or others have made serious errors, who should be contacted? What data should be gathered?
Computer crime: procedures for how to respond to security problems. Who should be contacted? What data should be gathered? What steps should be taken to reduce further loss?
The incident-response plan should identify critical personnel and their off-hours contact information. Emergency procedures need to be created for the response to natural disasters.

36 Disaster Preparedness Tasks
Create backups for critical resources at a remote processing center. A hot site is a utility company that can take over another company's processing with no forewarning. Hot sites are expensive; organizations pay $250,000 or more per month for such services. Cold sites provide computers and office space where customers install and manage systems themselves.
Train and rehearse the cutover of operations from the primary center to the backup.

37 Q7: 2022?
Challenges likely to be iOS and other intelligent portable devices
Harder for the lone hacker to find a vulnerability to exploit
Continued investment in safeguards
Continued problem of electronically porous national borders
It will become harder and harder for a lone hacker to find some vulnerability to exploit, because of increased security in operating systems and other software, and because of improved security procedures and employee training. Cloud vendors and major organizations will continue to invest in safeguards.

38 Active Review
Q1: What is the goal of information systems security?
Q2: How should you respond to security threats?
Q3: How should organizations respond to security threats?
Q4: What technical safeguards are available?
Q5: What data safeguards are available?
Q6: What human safeguards are available?
Q7: 2022?

39 Guide: Security Assurance, Hah!
Employees who never change their password, or who use some simpleton word like "Sesame" or "MyDogSpot" or something equally absurd
Notes with passwords in the top drawer of desks
Management talks about security risk assurance and should enforce real security
GOALS: Remind students to protect their passwords and to manage their employees to protect passwords as well. Discuss the difference between a contrarian position and a contrarian, and assess the proper role for each.
A contrarian position is a posture on an idea, a concept, a strategy, or a tactic that runs counter to the accepted perception, belief, or line of thinking. Contrarian positions can be right or wrong. The value of a contrarian position is not whether it is right or wrong, but that it causes people to reevaluate their thinking on some topic. A contrarian is someone who always takes the opposing position. Contrarians take a particular joy in conflict and opposition, but are predictable because they choose whatever side no one else seems to be on. They can become a nuisance and tiresome.
WRAP UP: We have considered numerous contrarians and contrarian positions in this text. We have learned a lot from them, and they have helped us focus our thinking.

40 Guide: The Final, Final Word
Routine work will migrate to lower-labor-cost countries
Be a symbolic-analytic worker: abstract thinking, knowing how to experiment, systems thinking, collaboration
GOAL: Inspire students to use their learning from this class to find, create, and manage innovative applications of information systems and technology.
WRAP UP: The best is yet to come! What that best is, what happens next, will be in large measure up to you! We started this book with a firing, and we are ending it, we hope, with a hiring: yours!

41 Case 12: Moore’s Law, One More Time …
Doubling CPU speed helps criminals: it enables more powerful password crackers.
iOS and Android phones and millions of mobile devices increase data communications and create exponential opportunities for computer criminals.
Very cheap storage enables criminals to inexpensively store millions of common passwords and multiple-language dictionary words, and gigabytes of data from snooping.
What can we learn from these seven scenarios?
