Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using MIS 2e Chapter 12: Information Security Management David Kroenke This presentation has been modified from the original and should be downloaded from.

Similar presentations


Presentation on theme: "Using MIS 2e Chapter 12: Information Security Management David Kroenke This presentation has been modified from the original and should be downloaded from."— Presentation transcript:

1 Using MIS 2e Chapter 12: Information Security Management David Kroenke This presentation has been modified from the original and should be downloaded from the Course Documents area in Blackboard

2 Study Questions Q0 – What are concerns for personal security? Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime? Chapter 12: Information Security Management 12-2

3 Identity theft is the manipulation of, or improperly accessing, another person’s identifying information, such as social security number, mother’s maiden name, or personal identification number (rather than account number) in order to fraudulently establish credit or take over a deposit, credit or other financial account for benefit. Thieves gain access to personal data via:  A stolen wallet or purse  Stealing or diverting mail  Rummaging through trash  Fraudulently obtaining a credit report  From personal information on the Internet  From a business by conning or bribing an employee who has access to confidential data Q0 – What are concerns for personal security (identity theft)? Chapter 12: Information Security Management 12-3

4 Dear Customer, Our records show that your account has been inactive for more than 3 months. In order to confirm your membership with us and to avoid temporarily suspending your account, we will transfer a random amount between 0.25 USD and 0.99 USD to your debit card. This is a new security measure put in place by our company to protect your account against unauthorized charges cancellation. To complete this process please, follow the link below: Click Here to Validate Your Account Your identity has now been stolen! Thank you for providing me with access to all of your personal records Q0 – What are concerns for personal security (identity theft)? Chapter 12: Information Security Management 12-4

5 Beware of “Innocent” Documents  Q0 – What are concerns for personal security (identity theft)? Chapter 12: Information Security Management 12-5

6 If you are a victim:  Notify Credit Bureaus and review your credit reports.  File a report with your local police or the police in the community where the identity theft took place.  Contact Fraud Department of Creditors.  File a complaint with the FTC.  Close any accounts that have been opened fraudulently There are laws to protect you  Fair Credit Reporting Act (FCRA) Establishes procedures for resolving billing errors on your credit report.  Truth in Lending Act Limits your liability for unauthorized credit card charges to $50 per card.  The Fair Credit Billing Act (FCBA) Establishes procedures for resolving billing errors on your credit card accounts.  Fair Debt Collection Practices Act Prohibits debt collectors from using unfair or deceptive practices to collect overdue bills. Q0 – What are concerns for personal security (identity theft)? Chapter 12: Information Security Management 12-6

7 Q0 – What are concerns for personal security (backup)? It’s not a question of if it will happen, but when; hard disks die, viruses infect a computer, files are lost due to human error, and so on. The essence of a backup strategy is to decide who does the backup, what files to back up and how (incremental versus full backup), when to do the backup and where to keep the backup files; i.e., who, what, how, when, and where. Our strategy is simple –back up anything you cannot afford to lose (i.e., your data), do it every time the data changes, and store the files away offsite from your computer. Chapter 12: Information Security Management 12-7

8 Q1 – What are the threats to information security? Fig 12-1 Security Problems and Sources Chapter 12: Information Security Management 12-8

9 Q1 – What are the threats to information security (sources)? Human error stems from employees and nonemployees.  They may misunderstand operating procedures and inadvertently cause data to be deleted.  Poorly written application programs and poorly designed procedures may allow employees to enter data incorrectly or misuse the system.  Employees may make physical mistakes like unplugging a piece of hardware that causes the system to crash. Malicious human activity results from employees, former employees, and hackers who intentionally destroy data or system components.  Breaking into systems with the intent of stealing or destroying data.  Introducing viruses and worms into a system.  Acts of terrorism.  White-hat hackers are hired by organizations to test security systems Natural events and disasters pose problems stemming not just from the initial loss of capability and service but also problems a company may experience as it recovers from the initial problem. Chapter 12: Information Security Management 12-9

10 Chapter 12: Information Security Management An analyst at a major company searched its servers for documents called "passwords.doc“ and found 40 such documents. Any malcontent employee with a minimal amount of computer know-how could unlock those documents and ravage the company's most sensitive applications. An MCI financial analyst's laptop was stolen from his car, which was parked in his home garage. That laptop contained the names and Social Security numbers of 16,500 current and former employees. A former Morgan Stanley executive, apparently with no more use for his Blackberry, sold the device on eBay for a whopping $ The surprised buyer soon found out that the Blackberry still contained hundreds of confidential Morgan Stanley s. Unsuspecting employees continually give out names, addresses, and other confidential information to outsiders who target well-meaning users over the phone and/or the Internet to obtain private information and/or passwords. Q1 – What are the threats to information security (Human Error)? 12-10

11 Chapter 12: Information Security Management “CIOs can spend millions on firewalls, intrusion detection systems and whatever else their security vendors are selling, but when that VP of marketing decides to sync his work laptop with his unsecured home PC—and there's no policy or training to make him think twice—your million-dollar security efforts become worthless.” Q1 – What are the threats to information security (Malicious Activity)? Pretexting is the practice of getting your information under false pretenses; a common scam involves a telephone caller who pretends to be from a credit card company. Phishing is a similar technique that uses pretexting via ; the phisher pretends to be a legitimate company and sends an requesting confidential data, such as Social Security numbers Spoofing is another term for pretexting; i.e., someone pretending to be someone else. Sniffing is a technique for intercepting computer communications. With wired networks, sniffing requires a physical connection to the network. With wireless networks, no such connection is required; drive-by sniffers simply take computers with wireless connections through an area and search for unprotected wireless networks. Hacking is the act of breaking into a computer system 12-11

12 Q2 – What is senior management’s security role? Senior managers should ensure their organization has an effective security policy that includes these elements:  A general statement of the organization’s security program  Issue-specific policies like personal use of and the Internet  System-specific policies that ensure the company is complying with laws and regulations. Senior managers must also manage risks associated with information systems security.  Risk is the likelihood of an adverse occurrence.  When you’re assessing risks to an information system you must first determine: What the threats are. How likely they are to occur. The consequences if they occur.  You can reduce risk but always at a cost. The amount of money you spend on security influences the amount of risk you must assume. Chapter 12: Information Security Management 12-12

13 Q2 – What is senior management’s security role (Safeguards)? Appropriate safeguards must be established for all five components of an information system Chapter 12: Information Security Management 12-13

14 Q3 – What technical safeguards are available (identification and authentication)? Chapter 12: Information Security Management 12-14

15 Every information system today should require users to sign in with a user name and password.  The user name identifies the user (the process of identification), and the password authenticates the user (the process of authentication) Three types of authentication methods  What you know; e.g. a password such as MwbiJu14  What you have; e.g., a smart card which is a plastic card similar to a credit card, which has a microchip and is loaded with identifying data.  What you are; e.g., biometric authentication which uses personal physical characteristics such as fingerprints, facial features, and retinal scans to authenticate users) Q3 – What technical safeguards are available (identification and authentication)? Chapter 12: Information Security Management 12-15

16 Senders use a key to encrypt a plaintext message and then send the encrypted message to a recipient, who uses a key to decrypt it. Consider a simple encryption scheme where each letter is transposed by a constant (known as the key)  “Go Canes” becomes “Hp Dboft” (using key of 1)  “Go Canes” becomes “Iq Ecpgu” (using key of 2) In this example:  Only 25 keys are possible which is too limited  This a symmetric key system because the same key is used to encrypt and decrypt a message. Both sender and recipient must keep the key secret which becomes a problem when too many people use the same key In practice:  Web browsers use possible keys (39-digit number)  Two different keys are used to encrypt and decrypt a message (an asymmetric key). The public key is freely distributed; the private key is kept secret Q3 – What technical safeguards are available (encryption)? Chapter 12: Information Security Management 12-16

17 Most secure communication over the Internet uses a protocol called HTTPS. With HTTPS, data are encrypted using a protocol called the Secure Socket Layer/Transport Layer Security (SSL/TLS). Q3 What technical safeguards are available? Chapter 12: Information Security Management

18 Q3 – What technical safeguards are available (encryption)? Chapter 12: Information Security Management 12-18

19 Q3 – What technical safeguards are available (Digital Signature)? Digital signatures ensure that plaintext messages are received without alteration. The plaintext message is first hashed; i.e., mathematically converted to a bit string of bits (message digest) that contain the message. Chapter 12: Information Security Management 12-19

20 The message was unaltered, but how are you sure of who sent it? A digital certificate (the electronic file that is the equivalent of an “online passport”) can be appended to the message to ensure the identity of the sender. The certificate is issued by a trusted third party knows as a certification authority (CA) such as The certificate contains the name of the holder, a serial number, expiration dates, a copy of the certificate holder's public key It also contains the digital signature of the certificate- issuing authority so that a recipient can verify that the certificate is real. Q3 – What technical safeguards are available (Digital Certificate)? Chapter 12: Information Security Management 12-20

21 A firewall is a computing device that prevents unauthorized network access. It can be a special-purpose computer or a program on a general-purpose computer or on a router Organizations normally use multiple firewalls. A perimeter firewall sits outside the organization network; it is the first device that Internet traffic encounters.  Some organizations employ internal firewalls inside the organizational network in addition to the perimeter firewall. A packet-filtering firewall examines each packet and determines whether to let the packet pass.  Packet-filtering firewalls can prohibit outsiders from starting a session with any user behind the firewall.  They can also disallow traffic from particular sites, such as known hacker addresses.  They can also prohibit traffic from legitimate, but unwanted addresses, such as competitors’ computers. Firewalls can filter outbound traffic as well. Q3 – What technical safeguards are available (Firewall)? Chapter 12: Information Security Management 12-21

22 Q3 – What technical safeguards are available (Firewall)? Fig 12-8 Use of Multiple Firewalls Chapter 12: Information Security Management 12-22

23 Chapter 12: Information Security Management Malware (malicious software) is software that seeks to disrupt or damage a computer system. Our definition is on the broadest use of the tem and includes viruses, worms, Trojan horses, spyware, and adware.  A computer virus is a program that replicates itself  A Trojan horse is a virus masquerading as a useful program or file  A worm is a virus that propagates itself using the Internet or other computer network Spyware is software that is installed on the user’s computer without the user’s knowledge. It resides in the background and, unknown to the user, observes the user’s actions and keystrokes, monitors computer activity, and reports the user’s activities to sponsoring organizations Q3 – What technical safeguards are available (Malware)? 12-23

24 Chapter 12: Information Security Management Adware is similar to spyware in that it is installed without the user’s permission and resides in the background and observes user behavior.  Most adware is benign in that it does not perform malicious acts or steal data.  Adware produces pop-up ads and can also change the user’s default window or modify search results and switch the user’s search engine. Malware Safeguards  Install antivirus and antispyware programs on your computer.  Scan your computer frequently.  Update malware definitions.  Open attachments only from known sources.  Promptly install software updates from legitimate sources.  Browse only in reputable Internet neighborhoods Q3 – What technical safeguards are available (Malware)? 12-24

25 Chapter 12: Information Security Management AOL/NCSA Online Safety Study, October 204, stayssafeonline.info/news/safety-study-V04.pdf Q3 – What technical safeguards are available (Malware)? 12-25

26 Q4 – What data safeguards are available? To protect databases and other data sources, an organization should follow various safeguards which include the following: Determine data rights and responsibilities Enforce rights by user accounts and passwords Encrypt sensitive data Establish backup and recovery procedures Establish physical security Remember, data and the information from it are one of the most important resources an organization has. Chapter 12: Information Security Management 12-26

27 Chapter 11: Information Security Management 27 Q5 – What human safeguards are available (employee/non-employee)?

28 Position Definitions (employee)  Effective human safeguards begin with definitions of job tasks and responsibilities. User accounts should be defined to give users the least possible privilege needed to perform their jobs.  At least two individuals should be required to authorize disbursements (over a specified amount)  The security sensitivity should be documented for each position.  Security considerations should be part of the hiring process; when hiring for high-sensitive positions, extensive screening interviews, references, and high background investigations are appropriate. Dissemination and Enforcement (employee)  Employees need to be made aware of the security policies, procedures, and responsibilities they will have.  Employee security training begins during new-employee training with the explanation of general security policies and procedures.  Enforcement consists of three interdependent factors: responsibility, accountability, and compliance. Chapter 12: Information Security Management 12-28

29 Chapter 11: Information Security Management 29 Q5 – What human safeguards are available (employee/non-employee)? Termination (employee)  Companies must establish security policies and procedures for the termination of employees.  Standard human resources policies should ensure that system administrators receive notification in advance of the employee’s last day, so that they can remove accounts and passwords.  The need to recover keys for encrypted data and any other security requirements should be part of the employee’s out-processing. Non-employee personnel  Business requirements may necessitate opening information systems to non-employees such as temporary workers, vendors, and/or partner personnel (employees of business partners)  In the case of temporary, vendor, and partner personnel, the contracts that govern the activity should call for security measures appropriate to the sensitivity of the data and IS resource involved.  Companies should require vendors and partners to perform appropriate screening and security training.

30 Q5 – What human safeguards are available (Account administration)? Account administration has three components—account management, password management, and help-desk policies.  Account management focuses on Establishing new accounts Modifying existing accounts Terminating unnecessary accounts.  Password management requires that users Immediately change newly created passwords Change passwords periodically Sign an account acknowledgment form  Help-desks have been a source of problems for account administration because of the inherent nature of their work. It is difficult for the help-desk to determine exactly with whom they’re speaking. Users call up for a new password without the help-desk having a method of definitively identifying who is on the other end of the line. There must be policies in place to provide ways of authenticating users like asking questions only the user would know the answers to. Chapter 12: Information Security Management 12-30

31 Q5 – What human safeguards are available? Effective system procedures can help increase security and reduce the likelihood of computer crime. As this figure shows, procedures should exist for both system users and operations personnel that cover normal, backup, and recovery procedures. Chapter 12: Information Security Management 12-31

32 Chapter 11: Information Security Management 32 Important monitoring functions are activity log analyses, security testing, and investigating and learning from security incidents. Many information system programs produce activity logs.  Firewalls produce logs of their activities, including lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall.  DBMS products produce logs of successful and failed log-ins.  Web servers produce voluminous logs of Web activities.  The operating systems in personal computers can produce logs of log-ins and firewall activities. An important security function is to analyze activity logs for threats patterns, successful and unsuccessful attacks, and evidence of security vulnerabilities; i.e., none of the logs have any value unless they are looked at. Q5 – What human safeguards are available (Security Monitoring)?

33 Q6 – How should organizations respond to incidents (disaster preparedness)? No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems.  Locate infrastructure in safe location  Identify mission-critical systems  Identify resources needed to run those systems  Prepare remote backup facilities Hot sites are remote processing centers run by commercial disaster-recovery services. For a monthly fee, they provide all the equipment needed to continue operations following a disaster. Cold sites provide office space, but customers themselves provide and install the equipment needed to continue operations. A backup facility is very expensive, but the costs of maintaining that facility are a form of insurance. Every organization should think about how it will respond to security incidences that may occur, before they actually happen.  Have plan in place  Centralized reporting  Practice! Chapter 12: Information Security Management 12-33

34 Chapter 12: Information Security Management Computer crime: Commission of illegal acts through the use of a computer or against a computer system is on the increase. Computer abuse: Unethical but not necessarily illegal acts. 82% of unauthorized access incidents came from inside the organization according to a 1998 survey of 1600 companies by PricewaterhouseCoopers Q7 – What is the extent of computer crime? 12-34

35 Q7 – What is the extent of computer crime? The full extent of computer crime is unknown.  There is no national census because many organizations are reluctant to report losses for fear of alienating customers, suppliers, and business partners.  A 2006 survey estimated that the total loss due to computer crime is at least $52.5 billion. This chart shows the top four sources of computer crime and the total dollar loss (2006 FBI/CSI Survey). Chapter 12: Information Security Management 12-35

36 Summary Computer threats come from human error, malicious human activity, and natural disaster. Five types of security problems are unauthorized data disclosure, incorrect data modification, faulty service, denial of service, and loss of infrastructure. Management has three critical security functions: establishing a security policy, educating employees about security, and managing security risk. Security safeguards are classified into technical, data, and human categories. Disaster preparedness safeguards include asset location, identification of mission-critical systems, and the preparation of remote backup facilities. Organizations should prepare for security incidents ahead of time by developing a plan, ensuring centralized reporting, defining responses to specific threats, and practicing the plan. Chapter 12: Information Security Management 12-36

37 Review: Select the appropriate term for each item 1. Combination of hardware and/or software designed to keep unwanted users out of a system Firewall 2. Sending an claiming to be a legitimate enterprise in an attempt to get confidential information Phishing 3. In addition to numbers, upper-, and lower-case letters, one of these should be in every password Special character 4. Software installed on a user’s computer without the user’s knowledge which monitor’s user’s activity Spyware 5. Agency that issues digital certificates Certificate authority 6. Ensures a message has not been altered Digital signature 7. Uses a public key and a private key Asymmetric encryption 8. Pretending to be someone else Spoofing 9. A technique to intercept computer communications Sniffing Phishing – Spyware – Certificate Authority – Asymmetric encryption – Spoofing – Sniffing – Special character – Digital signature – Firewall Chapter 12: Information Security Management 12-37


Download ppt "Using MIS 2e Chapter 12: Information Security Management David Kroenke This presentation has been modified from the original and should be downloaded from."

Similar presentations


Ads by Google