© Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management If you don’t do security right, nothing else matters. David Kroenke.

© Pearson Prentice Hall 2009 12-2 Is security relevant? 32% of small and medium businesses in the United States and Canada have been attacked more than four times by cybercriminals in the last three years, 2005-2007. 26% of those attacked took at least a week to recover, a devastating length of time to be offline for small businesses who conduct business and sales via the Web.

© Pearson Prentice Hall 2009 12-3 Is security relevant for small businesses? The Internet safety site Get Safe Online commissioned a report on Internet security and small business. Researchers contacted 1,008 businesses with 1-9 employees and questioned them about their experiences over the last two years. The results are interesting and alarming.Get Safe Online 60% of small businesses would grind to a halt if their PCs were taken down by cyber crime or IT related issues. 44% of small businesses surveyed have been a victim of cyber crime, including internet scams, identity fraud, phishing and data theft. 36% of micro-businesses have suffered from a computer virus. 18% have been victims of phishing, spyware or hackers in the last two years. 19% said they lost revenue as a result of downtime 32% of small and medium businesses in the United States and Canada have been attacked more than four times by cybercriminals in the last three years, 2005-2007. 26% of those attacked took at least a week to recover, a devastating length of time to be offline for small businesses who conduct business and sales via the Web.

© Pearson Prentice Hall 2009 12-4 Is security relevant for small businesses? 66% of businesses surveyed store vital documents on their PCs. 69% also store their customer details on IT equipment. 32% consider themselves to be fully up to date with current PC/internet security issues. Only 5% of small businesses have access to dedicated IT support, internally or externally. 60% of those surveyed said their businesses would grind to a halt if their IT system failed. 49% of small businesses are unable to track who is accessing what information on their PCs. 25% of businesses surveyed did not have measurements in place to safeguard their IT systems. The message of the report is that small businesses are under-prepared and extremely vulnerable to data loss and cyber crime.

© Pearson Prentice Hall 2009 12-5 Is security relevant for large businesses? A new report on computer crime and security reveals that 85% of large US businesses and government agencies detected computer security breaches in the past 12 months. Among just 186 respondents, cybercrime accounted for losses of $378 million. The report came from the Computer Security Institute (CSI), based in San Francisco, which each year produces its "Computer Crime and Security Survey” with the participation of the FBI. It was based on responses from 538 computer security practitioners in US corporations, government agencies, financial institutions, medical institutions and universities. The main findings were: 64% acknowledged financial losses due to computer breaches. 35% percent (186 respondents) were willing and/or able to quantify their financial losses. These 186 respondents reported $378 million in financial losses.

© Pearson Prentice Hall 2009 12-6 Is security relevant for large businesses? As in previous years, the most serious financial losses occurred through theft of proprietary information (34 respondents reported $151 million) and financial fraud (21 respondents reported $93 million). For the fourth year in a row, more respondents (70%) cited their internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (31%). 36% reported the intrusions to law enforcement authorities; a significant increase from 2000, when only 25% reported them. 40% of respondents detected system penetration from the outside. 38% of respondents detected denial of service attacks. 91% detected employee abuse of internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems). 94% detected computer viruses.

© Pearson Prentice Hall 2009 12-7 Study Questions Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime?

© Pearson Prentice Hall 2009 12-8 Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime?

© Pearson Prentice Hall 2009 12-9 Q1 – What are the threats to information security? In order to adequately protect information resources, managers must be aware of  the sources of threats to those resources,  the types of security problems the threats present  how to safeguard against the threats and their problems, and  the consequences of the threats. The three most common sources of threats are:  Human error and mistakes  Malicious human activity  Natural events and disasters.

© Pearson Prentice Hall 2009 12-10 Q1 – What are the threats to information security? The first source of threats to information security are human error and mistakes which stem from the ignorance, negligence, or incompetence of employees and nonemployees. Remember Murphy’s Law: what can go wrong will go wrong - be paranoid about errors and mistakes. They should not happen. You do not expect them to happen. But they do. You try to prevent the following errors and mistakes with training and oversight.  Employees may misunderstand operating procedures and inadvertently cause data to be deleted or processed incorrectly.  Poorly written application programs and poorly designed procedures may allow employees to enter data incorrectly or misuse the system because the system is error-prone.  Employees may make physical mistakes (e.g., cutting electrical power causing a system to crash, not securing data or hardware, leaving passwords on notes).

© Pearson Prentice Hall 2009 12-11 Q1 – What are the threats to information security? The second source of threats to information security are malicious human acts by employees, former employees, and hackers who intentionally destroy data or system components. These malicious human acts include:  Breaking into systems with the intent of stealing, altering or destroying data.  Introducing viruses and worms into a system.  Acts of terrorism.

© Pearson Prentice Hall 2009 12-12 Q1 – What are the threats to information security? The last source of threats to information security are those caused by natural events and disasters. These threats pose problems stemming not just from the initial loss of capability and service but also problems a company may experience as it recovers from the initial problem. The simple solution is to have redundant installations so remote that the following types of natural disasters will not affect both sites.  Fires  Floods  Tornadoes  Hurricanes  Earthquakes

© Pearson Prentice Hall 2009 12-13 Q1 – What are the threats to information security? Fig 12-1 Security Problems and Sources This chart shows some of the security problems a company may experience and the possible sources of the problems.

© Pearson Prentice Hall 2009 12-14 Q1 – What are the threats to information security? Types of malicious activities include:  Pretexting, Spoofing – pretending to be someone else.  Phishing, Email Spoofing – obtaining unauthorized data using pretexting via email.  IP Spoofing – using another site’s IP address as if you were that other site.  Sniffing – intercepting computer communications. With wired networks you need a physical connection. With wireless networks you use drive-by sniffers and search for unprotected wireless networks.  Spyware and adware are sniffing techniques on your PC.  Usurpation – unauthorized programs invade a computer system and replace legitimate programs.  DOS – denial of service attacks which flood a server with fake requests so legitimate traffic cannot get through.  Viruses, Worms, Trojan Horses – software used in spoofing, sniffing, usurpation, and DOS.

© Pearson Prentice Hall 2009 12-15 Q1 – What are the threats to information security? There are three components of a sound organizational security program:  Senior management must establish a security policy and manage risk by balancing costs versus benefits.  Safeguards of various kinds must be established for all five components of an IS plus disaster-recovery.  The organization must plan its incident response before any problems occur by using scenario analyses and brainstorming.

© Pearson Prentice Hall 2009 12-18 Q2 – What is senior management’s security role? Fig 12-3 Elements of Computer Security The NIST Handbook of Security Elements lists the necessary elements of an effective security program, as this figure shows.

© Pearson Prentice Hall 2009 12-19 Q2 – What is senior management’s security role? Senior managers should ensure their organization has an effective security policy that includes these elements:  A general statement of the organization’s security program specifying the goals, the assets, the department responsible, documents, and how enforcement is assured.  Issue-specific policies that ensure the company is complying with laws and regulations.  System-specific policies (e.g., personal use of email and the Internet).

© Pearson Prentice Hall 2009 12-20 Q2 – What is senior management’s security role? Senior managers must also manage risks associated with information systems security.  Risk, in this context, is the likelihood of an adverse occurrence. In IS security, risk refers to the likelihood of threats and consequences we know about.  Management cannot eliminate most known threats directly, but it can reduce the likelihood that known threats will be successful with safeguards.  You can reduce risk, but always at a cost. The amount of risk you must assume, the magnitude of likelihood, varies inversely with the amount of money you spend on security.  Uncertainty refers to the things we do not know that we do not know. Because of uncertainty, risk management will not protect against the unknown threats. This is why we need to brainstorm about threats, use scenario analyses, and be paranoid (i.e., Murphy’s Law).

© Pearson Prentice Hall 2009 12-21 Q2 – What is senior management’s security role? When you’re assessing risks to an information system you must first determine:  What the threats are.  The likelihood of the threats.  The consequences (tangible costs and intangible losses) if they occur. These are the factors you should include in a risk assessment. No safeguard is 100% effective. You always have residual vulnerability. Your probable loss = likelihood x (tangible costs + intangible losses) Fig 12-4 Risk Assessment Factors

© Pearson Prentice Hall 2009 12-22 Q2 – What is senior management’s security role? Safeguard effectiveness is seldom known. Probable loss is uncertain because we do not know what we do not know. In a catastrophe, damage control is not damage elimination. All models will not anticipate surprise events. Decide which risks you can afford to reduce. Each decision carries consequences.  Some risk is easy and inexpensive.  Some risk is expensive and difficult.  Managers have a fiduciary responsibility to the organization to adequately manage risk.

© Pearson Prentice Hall 2009 12-24 Q3 – What technical safeguards are available? Fig 12-5 Technical Safeguards You can establish five technical safeguards for the hardware and software components of an information system, as this figure shows.

© Pearson Prentice Hall 2009 12-25 Q3 – What technical safeguards are available?  The first technical safeguard, identification and authentication includes passwords and PINs (what you know), smart cards (what you have), and biometric authentication (what you are).  Since users must access many different systems, it’s often more secure, and easier, to establish a single sign-on for multiple systems. Kerberos authenticates users using a single sign-on without sending their passwords across the network or internet by using a system of “tickets.”  Wireless systems pose additional threats. Wired Equivalent Privacy (WEP)-first developed Wi-Fi Protected Access (WPA)-more secure Wi-Fi Protected Access (WPA2)-newest and most secure

© Pearson Prentice Hall 2009 12-26 Q3 – What technical safeguards are available? Encryption is the second technical safeguard you can establish for an IS. Senders use a key to encrypt a plaintext message, send the encrypted message, and the recipient uses a key to decrypt the message. You have 5 basic encryption techniques. Fig 12-6 Basic Encryption Techniques

© Pearson Prentice Hall 2009 12-27 Q3 – What technical safeguards are available? You know you are using SSL/TLS when you see “https:// “ in your browser’s address bar. Never send any sensitive data over the Internet unless you see the “s” after “http.” The client verifies that it is communicating with the true Web site, and not with a site that is spoofing the true Web site. The opposite is seldom done where the client is verified by the Web site.

© Pearson Prentice Hall 2009 12-29 Q3 – What technical safeguards are available? Fig 12-7 Digital Signatures for Message Authentication This diagram describes how digital signatures, encrypted message digests, are used to authenticate messages and ensure they aren’t altered during transmission. Hashing is a one-way process of mathematically manipulating the plaintext and puts the result in a bit string in a message digest. You cannot reproduce the message from the message digest. Digital certificates are used in conjunction with digital signatures to prevent spoofing. Certificate Authorities are independent third-party companies that supply public keys used with digital certificates. Browsers contain the public keys for the common CAs in the browser’s program code.

© Pearson Prentice Hall 2009 12-30 Q3 – What technical safeguards are available? Firewalls, are special-purpose programs, on general-purpose computers or on routers, that prevent unauthorized network access.  The diagram shows how perimeter and internal firewalls are special devices that help protect a network.  Packet-filtering firewalls examine each packet entering the network. Firewalls can provide other types of filtering.  Access control lists (ACLs) are used in conjunction with firewalls. ACLs determine which packets can enter a network. The ACLs also control which Web sites users can access. Fig 12-8 Use of Multiple Firewalls

© Pearson Prentice Hall 2009 12-31 Q3 – What technical safeguards are available? Examples of malware include viruses, worms, Trojan horses, spyware, and adware.  Spyware is a program that may be installed on your computer, without your knowledge or permission, to transparently record and report your keystrokes to another computer.  Adware is a benign program that’s also installed without your permission. It resides in your computer’s background, observes your behavior, produces pop-up ads, modifies default settings, modifies search results, and switches the search engine.  If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer. Fig 12-9 Spyware & Adware Symptoms

© Pearson Prentice Hall 2009 12-32 Q3 – What technical safeguards are available? Here are a few ways you can safeguard your computer against malware:  Install antivirus and antispyware programs.  Scan your computer frequently for malware.  Update malware definitions often or use an automatic update process.  Open email attachments only from known, trusted sources and even then be wary. About 90% of all viruses are spread by email attachments because properly configured firewalls only allow email to reach your computer.  Promptly install software updates from legitimate sources like Microsoft for your operating system or McAfee for your spyware programs.  Browse only in reputable Internet neighborhoods. Malware is often associated with rogue Web sites.

© Pearson Prentice Hall 2009 12-33 Q3 – What technical safeguards are available? Fig 12-10 Malware Survey Results The survey results in this chart show how serious the malware problem is and yet how unaware most people are about the effects. You should understand the malware problem, realize how frequently it occurs, and follow safeguards to protect your computer and system from it. The last safeguard is designing secure applications with as few bugs as possible.

© Pearson Prentice Hall 2009 12-35 Q4 – What data safeguards are available? Fig 12-11 Data Safeguards Data safeguards are measures used to protect databases and other data sources. Encrypt sensitive data in the database. Processing encrypted data takes longer. When data are encrypted, a key escrow should have a copy of the encryption key. Always backup data when you cannot recreate the data. Always store the backups at another site where the same disaster cannot hit both sites. Always practice recovery procedures and systematically verify that the backups contain the expected data. Always keep logs showing who did what, when, and why. If data management is outsourced, always physically audit the contractor.

© Pearson Prentice Hall 2009 12-37 Q5 – What human safeguards are available? Human safeguards concern the people and procedure components of an IS. Human safeguards should be coupled with effective procedures to help protect information systems. This figure shows the safeguards for in-house employees. Management attitude about security is crucial. Management must walk the talk. Fig 12-12 Security Policy for In-house Staff

© Pearson Prentice Hall 2009 12-38 Q5 – What human safeguards are available? An organization needs human safeguards for nonemployees whether they are temporary employees, vendors, business partners, or the public. Here are a few suggestions:  Ensure any contracts between the organization and other workers include security policies. Temporary employees should be screened and trained in, at least, an abbreviated manner. Vendor and partner employees and public users cannot be screened, trained, or submitted to compliance testing by the firm. However, contracts can require vendors and partners to perform appropriate screening and security training.  Web sites and physical facilities used by third-party employees and the public should be hardened against misuse or abuse. Hardening is a technical safeguard restricting access and features.  Protect outside users from internal security problems. Your employees should not be able to damage public users or business partners. For example, if your system gets infected with a virus, you should have safeguards in place to stop it from being transmitted to others. If you don’t protect outside users from internal security problems, you will be the defendant in a lawsuit.

© Pearson Prentice Hall 2009 12-39 Q5 – What human safeguards are available? Account administration is the third type of human safeguard and has three components - account management, password management, and help-desk policies.  Account management is performed by IS administrators but account users should notify administrators of the need for these actions. Establishing new accounts Modifying existing accounts Terminating unnecessary accounts.  Password management requires that users Immediately change newly created passwords Change passwords periodically Sign an account acknowledgment form like the one in this figure. Fig 12-13 Sample Account Acknowledgement Form

© Pearson Prentice Hall 2009 12-40 Q5 – What human safeguards are available?  Help-desks have been a source of problems for account administration because of the inherent nature of their work. It is difficult for the help-desk to determine exactly with whom they’re speaking. For example, users call up for a new password without the help-desk having a method for physically identifying who is on the other end of the line. There must be policies in place to provide ways of authenticating users like asking questions which have answers only the user would know. Users have a responsibility to assist the help-desk by responsibly controlling their passwords.

© Pearson Prentice Hall 2009 12-41 Q5 – What human safeguards are available? Effective system procedures can help increase security and reduce the likelihood of computer crime. As this figure shows, procedures should exist for both system users and operations personnel that cover normal, backup, and recovery procedures. System recovery procedure should answer these questions.  How do we proceed/operate when a critical system is not available?  How do we recover/resume when a critical system is restored? Fig 12-14 Systems Procedures Security monitoring is the last human safeguard. It includes:  Activity log analyses  Security testing  Investigating and learning from security incidents

© Pearson Prentice Hall 2009 12-43 Q6 – How should organizations respond to security incidents? Computer disaster – a substantial loss of computing infrastructure caused by acts of users, nature, crime, or terrorist activity. No system is fail-proof. The best way to solve a problem is not to have it. The best safeguard against a disaster is appropriate location. Every organization must have an effective plan for dealing with a loss of computing systems. This figure describes disaster preparedness tasks for every organization, large and small. The last item is very important: an organization should train and rehearse its disaster preparedness plans. Fig 12-15 Disaster Preparedness Tasks You can use hot sites (continuously mirroring operations) or cold sites (must be started upon a failure) as backup and recovery installations.

© Pearson Prentice Hall 2009 12-44 Q6 – How should organizations respond to security incidents? Along with disaster preparedness plans, every organization should think about how it will respond to security incidents that may occur, before they actually happen. You can brainstorm and use scenario analyses to identify potential security incidents. Be paranoid – if it can go wrong, it will go wrong. The figure below lists the major factors that should be included in any incident response plan. Fig 12-16 Factors in Incident Response

© Pearson Prentice Hall 2009 12-46 Q7 – What is the extent of computer crime? The full extent of computer crime is unknown. There is no national census because many organizations are reluctant to report losses for fear of alienating customers, suppliers, and business partners, and losing their confidence and business. Being the object of a computer crime is a symptom of management failure. A 2006 survey estimated that the total annual loss due to computer crime is at least $52.5 billion. This chart shows the dollar loss from the top four sources of computer crime. Fig 12-17 Computer Crime, 2006 FBI/CSI Survey

© Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management If you don’t do security right, nothing else matters. David Kroenke.

Similar presentations

Presentation on theme: "© Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management If you don’t do security right, nothing else matters. David Kroenke."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

© Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management If you don’t do security right, nothing else matters. David Kroenke.

Similar presentations

Presentation on theme: "© Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management If you don’t do security right, nothing else matters. David Kroenke."— Presentation transcript:

Similar presentations

About project

Feedback