
Risk Management: Information Technology, Infrastructure and Security MBA 8125 Spring 2012 Duane Truex Veda C. Storey Carl Stucke Acknowledgement:: Parts.


1 Risk Management: Information Technology, Infrastructure and Security
MBA 8125, Spring 2012
Duane Truex, Veda C. Storey, Carl Stucke
Acknowledgement: parts of this session are based upon material from Cecil Chua, Deb Dey, Kimball, Dorothy Denning, Ray Panko, Graeme Payne, Ernst & Young, Gartner Group, Arjan Raven, Jessup and Valacich, J. Steten, Forrester.

2 Why Study Security?
– Company: corporate database attacks
– Individual: identity theft; tracking and spyware; privacy
– Country: cyber attacks

3 What are we willing to accept?

4 Generalized Security Design Model
Targets: 1. Physical (hardware, facilities, people) 2. Software 3. Data 4. Communications
Threats: 1. Destruction 2. Modification 3. Disclosure
Sources: 1. People 2. Mother nature
Controls: 1. Avoidance 2. Tolerance 3. Mitigation

6 Risk: (Cost) Benefit Analysis Model
$E_C = P_i \cdot \sum C_i$
$E_v = B_i - E_C$
Overall utility of scenarios: $B_i = \sum_j (b_{i,j} \times W_j)$, where $B_i$ is the expected benefit assigned to strategy $i$ given its effect $b_{i,j}$ on each scenario $j$, and $W_j$ is the weighting given to scenario $j$.
Q: What is an inherent weakness in this formulation?
Q: Are traditional investment decision metrics adequate?
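A worked evaluation of the slide's model, added here as an example and not part of the deck: the three strategies, the scenario weights W_j and all cost and benefit figures are constructed, and it is assumed that P_i and C_i denote the residual event probability and loss components under strategy i.

```python
"""Worked evaluation of the slide's cost-benefit model (added example, constructed numbers)."""
from dataclasses import dataclass


@dataclass
class Strategy:
    name: str
    p_event: float   # P_i: residual probability of the loss event under this strategy (assumption)
    costs: list      # C_i: loss components if the event occurs (constructed, in k$)
    benefits: dict   # b_{i,j}: benefit of the strategy in scenario j (constructed, in k$)


# Scenario weights W_j; they must sum to 1 so that B_i is a weighted average over scenarios.
WEIGHTS = {"breach": 0.5, "outage": 0.3, "insider": 0.2}

STRATEGIES = [
    Strategy("Accept", 0.30, [200, 50, 100], {}),
    Strategy("Mitigate", 0.05, [200, 50, 100], {"breach": 120, "outage": 20, "insider": 60}),
    Strategy("Transfer", 0.30, [50, 30], {"breach": 90, "outage": 10}),
]


def expected_cost(s: Strategy) -> float:
    """E_C = P_i * sum(C_i)"""
    return s.p_event * sum(s.costs)


def expected_benefit(s: Strategy, weights: dict) -> float:
    """B_i = sum_j b_{i,j} * W_j; a scenario the strategy does not address contributes 0."""
    return sum(s.benefits.get(j, 0.0) * w_j for j, w_j in weights.items())


def expected_value(s: Strategy, weights: dict) -> float:
    """E_v = B_i - E_C"""
    return expected_benefit(s, weights) - expected_cost(s)


def rank(strategies: list, weights: dict) -> list:
    """Return (E_v, name) pairs, best first; reject weights that do not sum to 1."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"scenario weights sum to {total:.3f}, expected 1.0")
    return sorted(((expected_value(s, weights), s.name) for s in strategies), reverse=True)


if __name__ == "__main__":
    for ev, name in rank(STRATEGIES, WEIGHTS):
        print(f"{name:9s} E_v = {ev:7.1f}")
```

With these numbers the ranking is Mitigate, Transfer, Accept; changing the weights alone can reorder it, which is one way to approach the slide's first question.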

7 The Big Picture: Technology Emergence, Impact, Dependency
"By eliminating time and distance, the Internet makes it possible to perform business in ways not previously imaginable." Ref: Baltzan and Phillips, 2011
Disruptive technology: new way of doing things; does not meet needs of existing customers; opens new markets / destroys old ones; starts in the low end and evolves toward high-end competitors.
Sustaining technology: produces an improved customer product; better / faster / cheaper.

8 Agenda
Item 1: Information Technology Infrastructure
Item 2: Data Set: Sources, Storage, and Challenges
Item 3: Risk Management: organizational perspectives; risk management life cycle; business impact analysis; the digital firm: where are the risks?
Item 4: Information Security: framework; unauthorized access and human error; four factors: 1. what you know, 2. what you are, 3. what you have, 4. where you are; communication line access; corporate server protection

9 Agenda (cont'd)
Item 5: Attacks: why so many attacks? attacks via social engineering
Item 6: Attackers: who are they? spamming
Item 7: Management Issues: disasters and business continuity planning; security levels; business value of security; takeaways

10 Item 1: Information Technology Infrastructure
Information systems infrastructure components: hardware; software; communication and collaboration; data and knowledge; facilities; services; human resources. (Jessup & Valacich, 2008)

11 The Data Set: Data Sources and Storage
What? If you were in charge of protecting your data assets, where would you start from a risk management point of view?
[Diagram: data sources, database, storage]

12 Item 2: Data Set Challenges
[Diagram: business strategy, rules, processes]

13 Agenda Item 3: Risk Management

14 Risk Management
Cost of doing business; risk avoidance; ROI.
"Risk management is based on the notion that history repeats itself, but not quite." Peter Bernstein


16 Risk Management Life Cycle: Mitigation and Risk Abatement
– Start/update risk planning
– Identify risks: who, what, where, when, why, how?
– Inventory assets: who, what, what value, what priority?
– Analyze/assess/measure: how much, how often, how related, what business impact?
– Mitigate: eliminate, avoid, reduce
– Transfer: contractual, risk financing, insurance
– Accept
– Create/implement BCP
– Monitor results / initiate update
Adapted from

17 Risk Management: Business Impact Analysis (BIA)
Cost to business: cash flow; competition; lost sales; interest expense; shareholder confidence; legal/contractual obligations; penalties; company viability; customer service; canceled orders; insurance issues; regulatory requirements; productivity.

18 Risk Management: The Digital Firm: Where Are the Risks? (Source: Laudon & Laudon)
Multiple failure points: human error; performance / capacity; outsourced service providers; natural disasters; downtime (planned/unplanned); security incidents; links to third parties.

19 Agenda Item 4: Information Security
Information security framework; unauthorized access and human error; four factors: what you know, what you are, what you have, where you are; communication line access; corporate server protection.

20 Information Security
Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. (Source: Laudon & Laudon)
Primary issues: confidentiality (no "data spills"); integrity; availability.
Sample question: Why is "availability" considered a primary issue of information security?

21 Information Security: Framework for Understanding Challenges in Organizations (Source: Laudon & Laudon)
Question: What is the major use of this framework?

22 Unauthorized Access & Human Error
– Strong passwords; change frequently
– Use additional authentication: something you know, you have, you are, where you are
– Encrypt data
– Install anti-virus, anti-spyware, and firewall
– Minimize data stored on client
– Limit data access to a need-to-know basis
– Software bugs: updates and patches
– Input mistakes: application controls
– SPAM and phish

23 Factor One: What You Know
Attacks against a weak link: passwords
– Brute force attack: try every combination possible; defeated by long passwords
– Default password attack: check whether the user never changed the password from the default; defeated by changing the password
– Dictionary attack: dictionary of common passwords (names, common words, famous people, domain-specific terms)
Good passwords:
– Minimum length: 8 characters
– Passwords should use lowercase, uppercase, numbers, and special characters such as !@#$%^&*(){}[]
– Example: my favorite song is "Sing to the Wind". Password: "mFSI!19202023"
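An added example, not from the deck, of how a defender would enforce the slide's password rules and see why length defeats brute force: it checks the four character classes and the 8-character minimum, rejects entries found in a (constructed) common-password or vendor-default list, and sizes the search space an exhaustive attack would have to cover.

```python
"""Check a password against the slide's rules and size its brute-force search space
(added example; the dictionary lists below are constructed stand-ins)."""
import math
import string

MIN_LENGTH = 8
# Constructed stand-ins for a dictionary of common passwords and for vendor defaults.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "football"}
DEFAULT_PASSWORDS = {"admin", "changeme", "default", "password"}
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation)}


def character_classes(pw: str) -> set:
    """Which of the slide's four character classes the password draws from."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def policy_failures(pw: str) -> list:
    """Empty list means the password passes; otherwise each rule it breaks, in a fixed order."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for missing in sorted(set(CLASS_SIZE) - character_classes(pw)):
        failures.append(f"no {missing} characters")
    if pw.lower() in COMMON_PASSWORDS:
        failures.append("in common-password dictionary")
    if pw.lower() in DEFAULT_PASSWORDS:
        failures.append("is a vendor default")
    return failures


def brute_force_bits(pw: str) -> float:
    """log2 of the combinations an exhaustive attack must try, given the length and the
    classes actually used; every extra character multiplies the space by the alphabet size."""
    alphabet = sum(CLASS_SIZE[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0
```

The slide's "mFSI!19202023" passes every rule and sits at roughly 85 bits of search space, while a 16-character all-lowercase string still outranks an 8-character one that uses all four classes.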

24 Factor Two: What You Are
Biometric examples (from Kelly Rainer): fingerprint scan; retinal scan; iris scan; signature recognition; speech recognition; facial recognition.

25 Factor Three: What You Have
Hardware token; smart ID card.

26 Factor Four: Where You Are
GPS.

27 Communications Line Access
– Secure physical communications lines
– Encrypt communications
– Authenticate sender & receiver
– Use digital signatures to prevent alteration and identify the sender

28 Corporate Server Protection
– Limit external access: use firewalls; use anti-virus software; use "patches" for server software; use intrusion detection software
– Limit data/functions on servers
– Encrypt data on servers

29 Agenda: Attacks and Attackers
Item 5: Attacks: why so many attacks? attacks via social engineering; types of attacks: virus, denial of service attacks
Item 6: Attackers: who are they? spamming

30 Why So Many Attacks?
– Today's systems; Internet growth
– Attackers organized: teach each other and novices; exchange tools and information
– Attackers develop better tools: build on each other's work; build on the work of the security community
– Attacks easy, low risk, hard to trace: investigations difficult, often international
– Lack of security awareness, expertise, or priorities: 0.0025 percent of revenue spent on information security [Forrester]
– Organized crime involved!

31 Attacks via Social Engineering
Acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of an inappropriate trust relationship with insiders.
Manipulation of human beings to obtain information or confidence pertaining to the security of networked computer systems (with malicious intent).
We are the weakest link....
[Photo: Kevin Mitnick, "The World's Most Famous Hacker"]

32 Social Engineering Tactics & Defenses (Sarah Granger, SecurityFocus)
Area of Risk | Hacker Tactic | Combat Strategy
Phone (help desk) | Impersonation and persuasion | Train employees/help desk to never give out passwords or other confidential info by phone
Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present
Office | Shoulder surfing | Don't type in passwords with anyone else present (or if you must, do it quickly!)
Phone (help desk) | Impersonation on help desk calls | All employees should be assigned a PIN specific to help desk support
Office | Wandering through halls looking for open offices | Require all guests to be escorted
Mail room | Insertion of forged memos | Lock & monitor mail room
Machine room / phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep an updated inventory of equipment
Phone & PBX | Stealing phone toll access | Control overseas & long-distance calls, trace calls, refuse transfers
Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media
Intranet / Internet | Creation & insertion of mock software on intranet or internet to snarf passwords | Continual awareness of system and network changes, training on password use
Office | Stealing sensitive documents | Mark documents as confidential & require those documents to be locked
General (psychological) | Impersonation & persuasion | Keep employees on their toes through continued awareness and training programs

33 Attacks
– Virus: piece of code embedded in an e-mail attachment
– Denial of service: generate a large number of useless service requests; overload and system crash

34 Attackers: Who are they?

35 Attackers: Who are they?
Kid down the street? Professional, working for your competitors? Foreign intelligence agency? Ex-employee? Disgruntled co-worker? "Professional" funded by organized crime?
"It's really just a bunch of really smart kids trying to prove themselves. I know I was." – Splurge, sm0ked crew
"It's power at your fingertips. You can control all these computers from the government, from the military, from large corporations. … That's power; it's a power trip." – anonymous
"You do get a rush from doing it – definitely."
"I'm like your nosy neighbor on steroids, basically." – Raphael Gray (aka Curador) [stole and posted 26,000 credit card numbers]
Source: Dorothy Denning

36 Spammers Are Winning: And It's Not Even Close
Size of problem: approximately 150 billion messages/day; approximately 2 million email messages/second; approximately 78% spam.
Mobile spam.
Defense: software; CAN-SPAM Act 2003 [forbids "deceptive subject lines, headers, return addresses, etc." as well as the harvesting of email addresses from websites; it requires businesses that send spam to maintain a do-not-spam list and to include a postal mailing address in that message].

37 Agenda: Management Issues
Item 7: Management Issues: disasters and business continuity planning; developing security service levels; business value of security.
Takeaways: management concerns; strategic alignment and business priorities; components for a successful information security program; management responsibilities.

38 Management Challenges: Disasters (Can and Cannots)
Cannot: prevent natural disaster; prevent all human-initiated disaster.
Can: create business continuity / disaster recovery plans; choose where people, process, and technology are located.
Examples: power outages, fires, floods.

39 Disaster Recovery and Business Continuity Planning
Question: What is a disaster?
– 10 users out of service for 1 hour is not a disaster (unless one is the CEO …)
– 1,000,000 users out of service for 24 hours is a disaster
Source: A.P. Snow
Disaster recovery: levels of backup
– Hot backup: backup of the complete system at another site; data, operating components of hardware and software
– Cold backup: backup of data only; no transaction can be processed during downtime
– Warm backup: somewhere in the middle; smaller system with full backup of data; transactions processed, but more slowly
Pros/cons of each …

40 Distribute IS Architectures and Distribute Organizations to Become Resilient
– Remove single points of failure so risk is spread out geographically
– Depends on the redundancy of the human capital necessary to run, OR the ability to transition to a backup site
– False security if personnel are lost in the outage, or if transportation or communication systems for the transfer of operations are lost
– Reliability demands for telecommunication services increase dramatically
– Redundancy requirements shift to network services
Ref. A. Snow

41 Management Issues: Attack Challenges and Trends
Growing number of attacks (and attackers!)
Attacks: fast, propagate over the network; random; growing power / sophistication; automated; malicious.
Human / social behavior: always connected; widespread use of e-mail and instant messaging; wireless access.

42 Again, why is this happening?
Information systems: complex; interact with each other; bugs.
Integrated systems of the digital enterprise are very, very difficult to secure.
Humans are imperfect…

43 Management Issues: Delivering a Security Service Level
– Attack resistance: What % of known attacks are we vulnerable to? When did we last check?
– Process improvement: How many machines are involved in each virus incident? How many weeks pass between a critical patch being issued and implemented?
– Efficiency/effectiveness: What is our security spending as a % of revenue? What % of downtime is due to security incidents?
– Internal crunchiness: What % of our software, people and suppliers have been reviewed for security? What % of critical data is "strongly" protected?
Source: Gartner

44 Management Issues: Business Value of Security
Cost of inadequate security: legal liability.
Value of security: protect own information assets; protect assets of customers, employees, business partners; assure business continuity.

45 Takeaway: Management Concerns
What should you be concerned about?
Topic | Specific concerns
Security and privacy | Can you ensure secure operations? Who has access to my data, and how is it stored and communicated? What data do you collect about me, and how is it used?
Compliance | Can you help me achieve compliance? What about laws and regulations that impact operation? Is my data subject to any local regulations?
Legal | Who is responsible (liability) when things go wrong? Intellectual property issue: ownership and rights to use. How is the data used and stored? For how long?
Entire contents © 2009 Forrester Research, Inc. All rights reserved.

46 Takeaway: Information Security Management: Strategic Alignment and Business Priorities
Inputs: strategic objectives; business environment; tactical issues; business priorities (cost, time); viewed across process, technology, and organization.
Information Security Architecture Methodology: Step 1, business requirements analysis; Step 2, assessment of current as-is and to-be architecture; Step 3, information security roadmap development.

47 Takeaway: 10 Essential Components for a Successful Information Security Program
1. Make sure the CEO "owns" the information security program.
2. Assign senior-level staff with responsibility for information security.
3. Establish a cross-functional information security governance board.
4. Establish metrics to manage the program.
5. Implement an ongoing security improvement plan.
6. Conduct an independent review of the information security program.
7. Layer security at gateway, server, and client.
8. Separate your computing environment into "zones."
9. Start with basics and then improve the program.
10. Consider information security an essential investment for your business.

48 Takeaway: Management Responsibilities (based on Kimball)
– Policies and procedures
– Education and training: strong authentication (e.g., 8-character password); social engineering (recognize, handle)
– Techniques: access control (need to know) / authentication (multi-factor: know, have, am, location); filtering (firewall); intrusion detection; data encryption (encode data transmitted over a link or stored); anti-virus software
– Process: continuous evaluation / investment; business continuity planning
– Vulnerability assessment & audit: third-party consultant; standards (ISO 17799, ISO 27001, COBIT, PCI, …)

49 Conclusion
– Risk management: essential aspect of successful business operation
– Security problems: real and growing; plan for tomorrow's threat environment
– Security measures: multiple protection measures; ongoing update and evaluation; people are the greatest risk (and greatest asset)
– Hope for the future: increased security awareness / priority; growing number of security experts; laws to facilitate investigations; international cooperation to fight cyber crime

50 Appendices

51 Other Resources
– CERT podcasts
– CyberCIEGE movies
– The Executive Guide to Information Security: Threats, Challenges, and Solutions (Symantec Press)

52 Sample Firewall Configuration
[Diagram: web client sends an HTTP request (cleartext or SSL) through the firewall to the web server running the web app in the DMZ; the web server queries the SQL database (DB); the HTTP reply (HTML, JavaScript, etc.) returns to the client]

53 Intrusion Detection Systems
[Diagram: Internet, corporate office, business partner, remote users, DMZ servers, data center]
– Intranet/internal protection: protects data centers and critical systems from internal threats
– Internet protection: complements FW and VPN by monitoring traffic for malicious activity
– Extranet protection: monitors partner traffic where "trust" is implied but not assured
– Remote access protection: hardens perimeter control by monitoring remote users
– Server farm protection: protects e-business servers from attack and compromise

54 High-availability facilities feature sturdy construction, air conditioning, backup generators, fire suppression systems, access control, and intrusion detection systems.
Source:
