Information Security Management by David Kroenke Using MIS 5e Chapter 12.

Presentation transcript:
1 Information Security Management by David Kroenke Using MIS 5e Chapter 12

2 Could Someone Be Getting To Our Data?
- Stealing only from weddings of club members
- Knowledge: how to access the system and the database, and SQL
- Access: passwords on yellow stickies; many copies of the key to the server building
- Suspect: the greenskeeper is "a techno-whiz," created a report for Anne, knows SQL and how to access the database
Chapter 12-2 Copyright © 2013 Pearson Education, Inc. Publishing as Prentice Hall

3 Study Questions
Q1: What is the goal of information systems security?
Q2: How should you respond to security threats?
Q3: How should organizations respond to security threats?
Q4: What technical safeguards are available?
Q5: What data safeguards are available?
Q6: What human safeguards are available?
Q7: 2022?

4 Q1: What Is the Goal of Information Systems Security?

5 Examples of Threat/Loss

6 Human Error

7 What Types of Security Loss Exist?
Unauthorized data disclosure
- Pretexting
- Phishing
- Spoofing
  - IP spoofing
  - Email spoofing
- Drive-by sniffers
- Hacking
- Natural disasters

8 Incorrect Data Modification
- Procedures not followed, or incorrectly designed procedures
  - Increasing a customer's discount or incorrectly modifying an employee's salary
  - Placing incorrect data on the company Web site
- Improper internal controls on systems
- System errors
- Faulty recovery actions after a disaster

9 Faulty Service
- Incorrect data modification
- Systems working incorrectly
  - Procedural mistakes
  - Programming errors
  - IT installation errors
- Usurpation
- Denial of service (unintentional)
- Denial-of-service attacks (intentional)

10 Loss of Infrastructure
- Human accidents
- Theft and terrorist events
- Disgruntled or terminated employees
- Natural disasters

11 How Big Is the Computer Security Problem?

12 Percent of Security Incidents

13 Goal of Information Systems Security
- Threats can be stopped, or at least the loss from them reduced
- Safeguards are expensive and reduce work efficiency
- Find the trade-off between the risk of loss and the cost of safeguards

14 Using MIS InClass 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts
In this exercise, you and a group of your fellow students will investigate phishing attacks. Search the Web for phishing, but be aware that your search may attract the attention of an active phisher. Therefore, do not give any data to any site that you visit as part of this exercise!

15 Q2: How Should You Respond to Security Threats?

16 Q3: How Should Organizations Respond to Security Threats?
NIST Handbook of Security Elements

17 What Are the Elements of a Security Policy?
Elements of a security policy:
1. General statement of the organization's security program
2. Issue-specific policy
3. System-specific policy
Managing risks:
- Risk: threats and consequences we know about
- Uncertainty: things we do not know that we do not know

18 Risk Assessment and Management
Risk assessment
- Tangible consequences
- Intangible consequences
- Likelihood
- Probable loss
Risk-management decisions
- Given the probable loss, what to protect?
- Which safeguards are inexpensive and easy?
- Which vulnerabilities are expensive to eliminate?
- How to balance the cost of safeguards against the benefit of reducing probable loss?
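The arithmetic behind the four risk-management questions on this slide, as an added example that is not from the textbook: each threat's probable loss is its likelihood times its loss per event, and a safeguard is worth buying when the probable loss it removes exceeds what it costs. The threats, likelihoods, loss figures and safeguards below are constructed for a hypothetical club reservation database, and the last function makes the slide's risk-versus-uncertainty point concrete by re-running the decision with the likelihood estimates scaled.

```python
"""Expected-loss arithmetic for the risk-management decisions on this slide.
Added example, not from the textbook: every threat, likelihood, loss figure
and safeguard below is constructed for a hypothetical club database."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    annual_likelihood: float   # expected occurrences per year (an estimate)
    loss_per_event: float      # tangible plus intangible cost of one occurrence

    def probable_loss(self) -> float:
        """Probable (annualised) loss: likelihood x loss per event."""
        return self.annual_likelihood * self.loss_per_event


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    reduction: dict = field(default_factory=dict)  # threat name -> fraction of its loss removed

    def benefit(self, threats) -> float:
        return sum(t.probable_loss() * self.reduction.get(t.name, 0.0) for t in threats)

    def net_benefit(self, threats) -> float:
        """Positive: the safeguard costs less than the loss it prevents."""
        return self.benefit(threats) - self.annual_cost


def rank_safeguards(safeguards, threats):
    """(safeguard, net benefit) pairs, best first; a negative value means the
    safeguard is not worth buying on these numbers."""
    return sorted(((s, s.net_benefit(threats)) for s in safeguards),
                  key=lambda pair: pair[1], reverse=True)


def net_benefit_if_likelihoods_off(safeguard, threats, factor):
    """Likelihoods are estimates, not facts: re-evaluate one safeguard with
    every likelihood scaled by `factor` to see how robust the decision is."""
    scaled = [Threat(t.name, t.annual_likelihood * factor, t.loss_per_event) for t in threats]
    return safeguard.net_benefit(scaled)


THREATS = [
    Threat("insider SQL access", annual_likelihood=0.5, loss_per_event=40_000),
    Threat("phishing of staff", annual_likelihood=2.0, loss_per_event=5_000),
    Threat("server room fire", annual_likelihood=0.02, loss_per_event=250_000),
]
SAFEGUARDS = [
    Safeguard("DBMS audit log + least-privilege accounts", 6_000, {"insider SQL access": 0.6}),
    Safeguard("phishing awareness training", 2_000, {"phishing of staff": 0.5}),
    Safeguard("off-site backups", 3_000, {"server room fire": 0.8}),
    Safeguard("biometric locks on server building", 15_000, {"insider SQL access": 0.2}),
]

if __name__ == "__main__":
    for s, net in rank_safeguards(SAFEGUARDS, THREATS):
        print(f"{net:>10,.0f}  {s.name}")
    # The locks only pay for themselves if insider access is ~4x likelier than estimated:
    print(net_benefit_if_likelihoods_off(SAFEGUARDS[3], THREATS, factor=4))
```

On these constructed numbers the audit log and least-privilege accounts are the cheap, easy safeguard the slide asks for (probable loss of 20,000 reduced by 12,000 for 6,000), while the biometric locks are the expensive vulnerability fix that only breaks even if the likelihood estimate was badly wrong.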

19 Ethics Guide: Security Privacy
Legal requirements to protect customer data:
- Gramm-Leach-Bliley (GLB) Act (1999)
- Privacy Act of 1974
- Health Insurance Portability and Accountability Act (HIPAA) (1996)
- Privacy Principles of the Australian Privacy Act of 1988

20 Ethics Guide: Security Privacy
What requirements does your university have on the data it maintains about you?
- No federal law
- Responsibility to provide public access to graduation records
- Class work, email, and exam answers are not covered under privacy law
- Research is covered under copyright law, not privacy law

21 Q4: What Technical Safeguards Are Available?

22 System Access Protocols
Kerberos
- Single sign-on for multiple systems
- Authenticates users without sending passwords across the network
- "Tickets" enable users to obtain services from multiple networks and servers
- Windows, Linux, and Unix employ Kerberos
Wireless access
- VPNs and special security servers
- WEP (Wired Equivalent Privacy): cryptographically broken and deprecated; listed for history only, never deploy it
- WPA, WPA2 (Wi-Fi Protected Access): use WPA2 or newer with a strong passphrase or enterprise (802.1X) authentication
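The Kerberos property the slide states, authentication without ever sending the password, is easiest to see as an exchange. The following is an added example, not code from the textbook or from any Kerberos implementation: it models the three exchanges (AS, TGS, AP) in a toy KDC with invented principals in a hypothetical realm CLUB.EXAMPLE, and, because real Kerberos uses ASN.1 messages and AES, it substitutes an HMAC-SHA256 based authenticated cipher constructed here so the flow runs on the standard library alone. The password-to-key step is modelled on the Kerberos AES string-to-key (PBKDF2 salted with realm plus principal) with a low iteration count for speed.

```python
"""Toy model of the Kerberos exchange this slide describes. Added example,
not code from the textbook or from any Kerberos implementation: real Kerberos
uses ASN.1 messages and AES; the HMAC-SHA256 authenticated cipher below is a
stand-in constructed so the flow runs on the standard library alone."""
import hashlib, hmac, json, os, time

REALM = "CLUB.EXAMPLE"     # hypothetical realm; the principals used below are invented too
LIFETIME = 8 * 3600        # ticket validity, seconds

def string_to_key(password, principal):
    # Modelled on Kerberos AES enctypes: PBKDF2 over the password, salt = realm+principal
    # (iteration count lowered here for speed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _stream(key, nonce, n):
    return b"".join(hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256") for i in range(n // 32 + 1))

def seal(key, obj):
    """Encrypt-then-MAC of a JSON object (toy cipher, not the real one)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.digest(key, b"tag" + nonce + ct, "sha256")

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, b"tag" + nonce + ct, "sha256")):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def check_ticket(ticket, auth_blob, skew=300):
    """Shared by the TGS and every service: the ticket must be unexpired, and the
    authenticator must decrypt under the ticket's session key, name the same
    client, and be fresh within the allowed clock skew."""
    if ticket["expires"] < time.time():
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["key"]), auth_blob)
    if auth["client"] != ticket["client"] or abs(auth["time"] - time.time()) > skew:
        raise ValueError("authenticator does not match ticket")
    return auth["client"]

def authenticator(session_key, principal):
    return seal(session_key, {"client": principal, "time": time.time()})

class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) in one."""
    def __init__(self, users, services):
        self.keys = {p: string_to_key(pw, p) for p, pw in users.items()}
        self.keys["krbtgt"] = os.urandom(32)
        self.keys.update({s: os.urandom(32) for s in services})

    def as_exchange(self, principal, nonce):
        """AS-REQ/AS-REP. No password arrives here; only the holder of the matching
        key can read the reply, and the TGT is opaque to the client."""
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": principal, "key": session, "expires": time.time() + LIFETIME})
        return seal(self.keys[principal], {"key": session, "nonce": nonce}), tgt

    def tgs_exchange(self, tgt, auth_blob, service):
        """TGS-REQ/TGS-REP: a valid TGT buys a ticket for any registered service."""
        t = unseal(self.keys["krbtgt"], tgt)
        client = check_ticket(t, auth_blob)
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "key": svc_session, "expires": time.time() + LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"key": svc_session, "service": service}), ticket

class Service:
    def __init__(self, name, key):      # in practice the key comes from the service's keytab
        self.name, self.key = name, key

    def ap_exchange(self, ticket, auth_blob):
        """AP-REQ: the service never contacts the KDC; the ticket alone suffices."""
        return check_ticket(unseal(self.key, ticket), auth_blob)

def login_and_use(kdc, service, principal, password):
    """Client side of all three exchanges; the password is used only locally."""
    nonce = int.from_bytes(os.urandom(4), "big")
    reply, tgt = kdc.as_exchange(principal, nonce)
    as_rep = unseal(string_to_key(password, principal), reply)   # wrong password -> ValueError
    if as_rep["nonce"] != nonce:
        raise ValueError("replayed AS reply")
    tgs_key = bytes.fromhex(as_rep["key"])
    rep, ticket = kdc.tgs_exchange(tgt, authenticator(tgs_key, principal), service.name)
    svc_key = bytes.fromhex(unseal(tgs_key, rep)["key"])
    return service.ap_exchange(ticket, authenticator(svc_key, principal))

if __name__ == "__main__":
    kdc = KDC({"anne": "correct horse battery staple"}, ["sql/db.club.example"])
    db = Service("sql/db.club.example", kdc.keys["sql/db.club.example"])
    print(login_and_use(kdc, db, "anne", "correct horse battery staple"))   # anne
```

Two things to notice when reading it: the KDC never receives the password and never checks it, a wrong password simply makes the AS reply undecryptable on the client, and the database service authenticates the user from the ticket alone without talking to the KDC, which is what makes the single sign-on across many servers on the slide possible. The toy cipher has no replay cache, so a real deployment also depends on the service remembering recent authenticators.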

23 Basic Encryption Techniques

24 Essence of HTTPS (SSL or TLS)

25 Malware Types and Spyware and Adware Symptoms
Malware types:
- Viruses
- Payload
- Trojan horses
- Worms
- Beacons
Spyware and adware symptoms

26 Malware Safeguards
1. Antivirus and antispyware programs
2. Scan frequently
3. Update malware definitions
4. Open email attachments only from known sources
5. Install software updates
6. Browse only reputable Internet neighborhoods

27 Bots, Botnets, and Bot Herders
Bot
- Surreptitiously installed; takes actions unknown to and uncontrolled by the user
- Some very malicious, others merely annoying
Botnet
- Network of bots
- Bot herder
- Serious problems for commerce and national security

28 Q5: What Data Safeguards Are Available?

29 Q6: What Human Safeguards Are Available?
In-house staff

30 Human Safeguards for Nonemployee Personnel
- Nonemployee personnel: least-privilege accounts
- Contract personnel: specify security responsibilities
- Public users: harden the site

31 Account Administration
Account management
- Standards for new user accounts, modification of account permissions, and removal of unneeded accounts
Password management
- Users should change passwords frequently (the textbook's 2013 position; current NIST SP 800-63B guidance drops forced periodic rotation in favour of changing a password on evidence of compromise and screening new passwords against breached-password lists)
Help desk policies

32 Sample Account Acknowledgment Form

33 Systems Procedures

34 Security Monitoring Functions
- Activity log analyses: firewall, DBMS, Web server
- In-house and external security testing
- Investigation of incidents
- Creating "honeypots"
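What "activity log analysis" looks like in practice, as an added example that is not from the textbook: a small analyser run over constructed Web-server access-log lines. The addresses (documentation ranges), paths, timestamps and thresholds are all invented for the demonstration, and the three checks are the ones a first pass over a Web server log usually starts with: SQL-injection signatures in request parameters (the kind of access the chapter's opening case worries about), repeated failed logins from one address, and one address probing many non-existent paths.

```python
"""Activity-log analysis of the kind this slide lists, run over constructed
Web-server lines. Added example, not from the textbook; the addresses,
paths, timestamps and thresholds are invented for the demonstration."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined"-style line; these fields are enough for the checks below.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# A few signatures a crafted SQL parameter leaves behind, matched after URL-decoding.
SQLI_RE = re.compile(r"(?i)(union\s+(all\s+)?select|'\s*or\s+'?\w+'?\s*=\s*'?\w+|'\s*--|;\s*(drop|delete)\s)")


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, login_path="/login", fail_threshold=5, notfound_threshold=10):
    """Return (kind, source ip, detail) findings for the three checks."""
    failed_logins = defaultdict(int)
    missing_paths = defaultdict(set)
    findings = []
    for rec in filter(None, map(parse, lines)):
        path = unquote(rec["path"])
        if SQLI_RE.search(path):
            findings.append(("sqli_attempt", rec["ip"], path))
        if path.split("?")[0] == login_path and rec["status"] in ("401", "403"):
            failed_logins[rec["ip"]] += 1
        if rec["status"] == "404":
            missing_paths[rec["ip"]].add(path)
    for ip, n in failed_logins.items():
        if n >= fail_threshold:
            findings.append(("login_bruteforce", ip, f"{n} failed logins"))
    for ip, paths in missing_paths.items():
        if len(paths) >= notfound_threshold:
            findings.append(("path_scan", ip, f"{len(paths)} distinct missing paths"))
    return findings


# Constructed sample log (not real traffic); one timestamp reused for brevity.
_T = "[12/Mar/2013:10:01:02 -0500]"
SAMPLE_LOG = [
    f'203.0.113.9 - - {_T} "GET /members/weddings?id=42 HTTP/1.1" 200 5120',
    f'203.0.113.9 - - {_T} "GET /members/weddings?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 90113',
    f'203.0.113.9 - - {_T} "GET /members/weddings?id=1%20UNION%20SELECT%20name,email%20FROM%20members-- HTTP/1.1" 500 311',
    f'198.51.100.4 - - {_T} "GET /about HTTP/1.1" 200 2048',
    f'198.51.100.4 - - {_T} "POST /login HTTP/1.1" 302 0',
] + [f'192.0.2.77 - - {_T} "POST /login HTTP/1.1" 401 120'] * 6 + [
    f'198.51.100.200 - - {_T} "GET /{p} HTTP/1.1" 404 196'
    for p in ("admin", "phpmyadmin", "wp-login.php", "backup.zip", ".env", ".git/config",
              "config.php", "db.sql", "console", "manager/html", "test", "old")
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

The second injection line is the one to look at: it returned 200 with a 90 KB body where the legitimate request returned 5 KB, which is the tell that the query succeeded and dumped data rather than erroring. The same shape of check (parse, aggregate per source, threshold) applies to the firewall and DBMS logs the slide names; for a DBMS audit log the interesting aggregate is rows returned per user per query, which is how the greenskeeper's report in the opening case would stand out.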

35 Responding to Security Incidents
Human error and computer crimes
- Procedures for how to respond to security problems, whom to contact, what data to gather, and the steps to reduce further loss
- Centralized reporting of all security incidents
- Incident-response plan
- Emergency procedures

36 Disaster Preparedness Tasks

37 Q7: 2022?
- Challenges likely to be iOS and other intelligent portable devices
- Harder for the lone hacker to find a vulnerability to exploit
- Continued investment in safeguards
- Continued problem of electronically porous national borders

38 Active Review
Q1: What is the goal of information systems security?
Q2: How should you respond to security threats?
Q3: How should organizations respond to security threats?
Q4: What technical safeguards are available?
Q5: What data safeguards are available?
Q6: What human safeguards are available?
Q7: 2022?

39 Guide: Security Assurance, Hah!
- Employees who never change their password, or use some simpleton word like "Sesame" or "MyDogSpot" or something equally absurd
- Notes with passwords in the top drawer of desks
- Management talks about security risk assurance and should enforce real security

40 Guide: The Final, Final Word
- Routine work will migrate to lower-labor-cost countries
- Be a symbolic-analytic worker:
  - Abstract thinking
  - How to experiment
  - Systems thinking
  - Collaboration

41 Case 12: Moore's Law, One More Time ...
- Doubling CPU speed helps criminals: it enables more powerful password crackers
- iOS, Android phones, and millions of mobile devices increase data communications and exponentially expand the opportunities for computer criminals
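The "Sesame" and "MyDogSpot" passwords from the Security Assurance guide (slide 39) and the password-cracker point of this case are the same lesson, so one added example covers both. It is not code from the textbook: the leaked credential table is constructed (no real accounts), the hashes are unsalted SHA-256 as the worst case, and the wordlist and mangling rules are a deliberately small version of what real crackers apply first. The last two functions put numbers on the Moore's-law argument: how long exhausting a password space takes when guessing speed doubles every two years, and how many of those doublings a slow password hash with an iteration count cancels out.

```python
"""Why passwords like "Sesame" and "MyDogSpot" fall to a cracker, and what a
doubling of cracking speed buys the attacker. Added example, not from the
textbook; the leaked credential table below is constructed, not real data."""
import hashlib, itertools, math


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed leak: unsalted SHA-256, the worst case for the defender.
LEAKED = {user: sha256_hex(pw) for user, pw in
          [("anne", "Sesame"), ("greenskeeper", "MyDogSpot"), ("dbadmin", "vN9#qL2!xR7w")]}
WORDLIST = ["sesame", "my", "dog", "spot", "password", "club", "wedding", "golf"]


def candidates(wordlist):
    """Dictionary words, 2- and 3-word joins, and the mangling rules crackers
    try first (capitalisation, leet 'o'->'0', common suffixes)."""
    seen = set()
    pieces = [(w,) for w in wordlist]
    pieces += [p for n in (2, 3) for p in itertools.permutations(wordlist, n)]
    for parts in pieces:
        joined = "".join(parts)
        for base in (joined, joined.capitalize(), joined.upper(),
                     "".join(p.capitalize() for p in parts), joined.replace("o", "0")):
            for suffix in ("", "1", "123", "!", "2013"):
                cand = base + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(leaked, wordlist):
    """Against unsalted hashes, one guess is checked against every user at once."""
    by_hash = {h: user for user, h in leaked.items()}
    found, guesses = {}, 0
    for cand in candidates(wordlist):
        guesses += 1
        user = by_hash.get(sha256_hex(cand))
        if user is not None:
            found[user] = cand
            if len(found) == len(leaked):
                break
    return found, guesses


def years_to_exhaust(search_space, guesses_per_second, doubling_years=2.0):
    """Years to try every password in `search_space`: at today's fixed speed, and
    when speed doubles every `doubling_years` (the slide's Moore's-law point).
    Cumulative guesses with doubling after t years: r0*T/ln2 * (2^(t/T) - 1)."""
    per_year = guesses_per_second * 365 * 86400
    fixed = search_space / per_year
    growing = doubling_years * math.log2(1 + search_space * math.log(2) / (per_year * doubling_years))
    return fixed, growing


def doublings_absorbed(kdf_iterations):
    """A slow hash (PBKDF2/bcrypt-style work factor) divides the attacker's guess
    rate by its iteration count, i.e. it cancels log2(n) speed doublings."""
    return math.log2(kdf_iterations)


if __name__ == "__main__":
    found, guesses = crack(LEAKED, WORDLIST)
    print(found, "after", guesses, "guesses")      # dbadmin's random password survives
    print(years_to_exhaust(2 ** 80, 1e9))          # fixed: ~38 million years; doubling: ~47 years
    print(doublings_absorbed(600_000))             # ~19 doublings, ~38 years of Moore's law at 2 per doubling
```

Two points the numbers make: under doubling speed, a space that looks safe for millions of years at today's rate is exhausted in decades, which is why "the key is long enough" is not a stable claim; and salting plus an adaptive hash is the defender's counter, since a salt forces the attacker back to one guess per user and a 600,000-iteration work factor gives back roughly the next forty years of hardware improvement.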

