1 Information Security Management Chapter 12

2 12-2 “We Have to Design It for Privacy and Security.”
Tension between Maggie and Ajit regarding the terminology to use with Dr. Flores
Common problem for techies when talking with business professionals
–Use too much technical language
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

3 12-3 PRIDE Design for Security

4 12-4 Study Guide
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2023?

5 12-5 Q1: What Is the Goal of Information Systems Security?

6 12-6 Examples of Threat/Loss

7 12-7 What Are the Sources of Threats?

8 12-8 What Types of Security Loss Exist?
Unauthorized Data Disclosure
–Pretexting
–Phishing
–Spoofing
  - IP spoofing
  - Email spoofing
–Drive-by sniffers
–Hacking
–Natural disasters

9 12-9 Incorrect Data Modification
Procedures not followed or incorrectly designed
–Increasing a customer’s discount or incorrectly modifying an employee’s salary
–Placing incorrect data on the company Web site
Improper internal controls on systems
System errors
Faulty recovery actions after a disaster

10 12-10 Faulty Service
Incorrect data modification
Systems working incorrectly
Procedural mistakes
Programming errors
IT installation errors
Usurpation
Denial of service (unintentional)
Denial-of-service attacks (intentional)

11 12-11 Loss of Infrastructure
Human accidents
Theft and terrorist events
Disgruntled or terminated employee
Natural disasters
Advanced Persistent Threat (APT) or cyberwarfare

12 12-12 Q2: How Big Is the Computer Security Problem?

13 12-13 Verizon–Secret Service Findings 2011
Data-loss security incidents reached an all-time high, but the number of data records lost fell dramatically for the second year in a row.
Data theft is most successful at small and medium-sized businesses.

14 12-14 Verizon–Secret Service Findings 2011 (cont'd)
Four most frequent computer crimes:
1.Criminal activity against servers
2.Viruses
3.Code insertion
4.Data loss on user computer

15 12-15 Types of Attacks Experienced (figure)

16 12-16 Intrusion Detection System (IDS)
A computer program that senses when another computer is attempting to scan a disk or otherwise access the computer. An IDS detects and reports such attempts; blocking them is the job of a firewall or an intrusion prevention system (IPS).
“When I run an IDS on a computer on the public Internet,... I get more than 1,000 attempts, mostly from foreign countries. There is nothing you can do about it except use reasonable safeguards.”

17 12-17 Q3: How Should You Respond to Security Threats?

18 12-18 InClass 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts
In this exercise, you and a group of your fellow students will investigate phishing attacks. Search the Web for phishing, but be aware that your search may get the attention of an active phisher. Therefore, do not give any data to any site you visit as part of this exercise!

19 12-19 Ethics Guide: Securing Privacy
“The best way to solve a problem is not to have it.”
–Resist providing sensitive data.
–Don’t collect data you don’t need.

20 12-20 Q4: How Should Organizations Respond to Security Threats?
Establish a company-wide security policy. It should stipulate:
–What sensitive data to store
–How it will process that data
–Whether data will be shared with other organizations
–How employees and others can obtain copies of data stored about them
–How employees and others can request changes to inaccurate data
–What employees can do with their own mobile devices at work
–What non-organizational activities employees can undertake with employee-owned equipment

21 12-21 Security Safeguards as They Relate to the Five IS Components (figure)

22 12-22 Q5: How Can Technical Safeguards Protect Against Security Threats?

23 12-23 Essence of HTTPS (SSL or TLS) (figure; the SSL protocol versions are deprecated, and current HTTPS uses TLS)

24 12-24 Firewalls (figure)

25 12-25 Malware Types and Spyware and Adware Symptoms
Viruses
–Payload
Trojan horses
Worms
Beacons
Spyware & Adware Symptoms (figure)

26 12-26 Malware Safeguards
1.Use antivirus and antispyware programs.
2.Scan frequently.
3.Update malware definitions.
4.Open attachments only from known sources (and remember that a sender address can be spoofed, so an unexpected attachment from a known source still deserves suspicion).
5.Install software updates.
6.Browse only reputable Internet neighborhoods.

27 12-27 Design for Secure Applications
SQL injection attack
–User enters an SQL fragment into a form instead of a name or other data.
–An improperly designed application pastes that text into the database command it issues, so the user's input becomes part of the command.
–Result: improper data disclosure, and data damage and loss, are possible.
–Properly designed applications make injections ineffective: they pass user input to the database as bound parameters instead of building the command by string concatenation.
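The attack on this slide beside the parameterized fix, as an added example that is not from the textbook. It uses Python's sqlite3 module against a constructed in-memory customers table (the names, discounts and masked card numbers are made up); the two payloads are the standard tautology and UNION forms, and the discount-changing write path ties back to the "increasing a customer's discount" loss on slide 12-9.

```python
"""SQL injection: form input pasted into SQL text, beside the parameterized fix.

Added example, not from the textbook. Table, rows and payloads are constructed.
"""
import sqlite3


def make_db():
    """In-memory SQLite table with made-up customer data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, discount INTEGER, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        ("alice", 5, "4111-xxxx-1111"),
        ("bob", 10, "5500-xxxx-0004"),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # The "improperly designed form": the user's text becomes part of the command.
    sql = f"SELECT name, discount FROM customers WHERE name = '{name}' ORDER BY name"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Bound parameter: the value travels separately from the statement text, so
    # it is compared as a string and never parsed as SQL.
    sql = "SELECT name, discount FROM customers WHERE name = ? ORDER BY name"
    return conn.execute(sql, (name,)).fetchall()


def set_discount_vulnerable(conn, name, pct):
    # Same flaw on a write path: a tautology in `name` changes every row.
    conn.execute(f"UPDATE customers SET discount = {int(pct)} WHERE name = '{name}'")
    conn.commit()
    return conn.execute("SELECT name, discount FROM customers ORDER BY name").fetchall()


def set_discount_safe(conn, name, pct):
    conn.execute("UPDATE customers SET discount = ? WHERE name = ?", (int(pct), name))
    conn.commit()
    return conn.execute("SELECT name, discount FROM customers ORDER BY name").fetchall()


# Disclosure payload: closes the quoted string and ORs in a tautology.
DUMP_ALL = "x' OR '1'='1"
# UNION payload: appends the card column to the result; "--" comments out the rest.
UNION = "x' UNION SELECT card, 0 FROM customers --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal    :", lookup_vulnerable(conn, "alice"))
    print("vulnerable, tautology :", lookup_vulnerable(conn, DUMP_ALL))
    print("vulnerable, union     :", lookup_vulnerable(conn, UNION))
    print("safe, same payloads   :", lookup_safe(conn, DUMP_ALL), lookup_safe(conn, UNION))
    print("safe update           :", set_discount_safe(conn, DUMP_ALL, 0))
    print("vulnerable update     :", set_discount_vulnerable(conn, DUMP_ALL, 50))
```

The safe variants do no input filtering at all; they are safe because the database never sees the input as part of a statement. Escaping or blacklisting characters is a weaker substitute that has to be right for every database and every quoting context, whereas binding is right by construction.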

28 12-28 Q6: How Can Data Safeguards Protect Against Security Threats?

29 12-29 Q7: How Can Human Safeguards Protect Against Security Threats?

30 12-30 Account Administration
Account Management
–Standards for new user accounts, modification of account permissions, removal of unneeded accounts
Password Management
–Users should change passwords frequently (note that current NIST guidance, SP 800-63B, advises against forcing periodic changes and recommends changing a password when there is evidence it has been compromised)
Help Desk Policies
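The "removal of unneeded accounts" standard above is only as good as the check that finds them. As an added example that is not from the textbook, the reconciliation below compares an account directory against the HR roster to list accounts whose owner is no longer employed and accounts that have gone dormant, handling privileged accounts first. The roster, the accounts, the 90-day dormancy threshold and the privileged flag are all assumptions; the data is constructed.

```python
"""Account reconciliation: find orphaned and dormant accounts.

Added example, not from the textbook. Roster, accounts, the 90-day
dormancy threshold and the privileged flag are assumptions.
"""
from datetime import date, timedelta

TODAY = date(2014, 3, 1)  # constructed "run date"

# Constructed HR roster: user IDs of current employees only.
ACTIVE_EMPLOYEES = {"maggie", "ajit", "flores"}

# Constructed account directory: account -> (owner, privileged?, last_login or None).
ACCOUNTS = {
    "maggie":     ("maggie", False, date(2014, 2, 27)),
    "ajit":       ("ajit",   True,  date(2014, 2, 28)),
    "flores":     ("flores", False, date(2013, 10, 1)),   # no login in months
    "jsmith":     ("jsmith", True,  date(2014, 1, 15)),   # owner has left the company
    "svc_report": ("ajit",   True,  None),                # service account, never used
}


def reconcile(accounts, active_employees, today, dormant_after=timedelta(days=90)):
    """Return (orphaned, dormant) lists of account names, each sorted.

    orphaned: owner is not on the active roster -> remove the account.
    dormant : no login within dormant_after, or never -> review and disable.
    An orphaned account is reported once, as orphaned, even if also dormant.
    """
    orphaned, dormant = [], []
    for acct, (owner, _privileged, last_login) in sorted(accounts.items()):
        if owner not in active_employees:
            orphaned.append(acct)
            continue
        if last_login is None or today - last_login > dormant_after:
            dormant.append(acct)
    return orphaned, dormant


def privileged_first(accounts, names):
    """Order a worklist so privileged accounts are dealt with before the rest."""
    return sorted(names, key=lambda a: (not accounts[a][1], a))


def run_check(today=TODAY):
    """Produce the two worklists an account administrator would act on."""
    orphaned, dormant = reconcile(ACCOUNTS, ACTIVE_EMPLOYEES, today)
    return {
        "remove": privileged_first(ACCOUNTS, orphaned),
        "review": privileged_first(ACCOUNTS, dormant),
    }


if __name__ == "__main__":
    for action, names in run_check().items():
        print(f"{action}: {names}")
```

Service accounts are the usual blind spot: they have a human owner on paper but no human login, so a last-login rule flags them on every run. That is intentional here; the review list is where an administrator records why such an account still exists.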

31 12-31 Sample Account Acknowledgment Form (figure)

32 12-32 Systems Procedures (figure)

33 12-33 Q8: How Should Organizations Respond to Security Incidents?

34 12-34 Q9: 2023
APTs more common, inflicting serious damage
Security of mobile devices improved
Improved security procedures and employee training
Criminals focus on less protected mid-sized and smaller organizations, and on individuals
Electronic lawlessness by organized gangs
Electronic sheriffs patrol electronic borders

35 12-35 Guide: Metasecurity
What are the security problems?
What are the managers’ responsibilities for controls over the security system?

36 12-36 Guide: The Final, Final Word
Routine work will migrate to low labor-cost countries.
Be a symbolic-analytic worker
–Abstract thinking
–How to experiment
–Systems thinking
–Collaboration

37 12-37 Active Review
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2023?

38 12-38 Case 12: Moore’s Law, One More Time …
Doubling CPU speed helps criminals
–Enables more powerful password crackers
iOS and Android phones, and millions of other mobile devices, increase data communications and create exponentially more opportunities for computer criminals.
