Information Security Management


1 Information Security Management
Chapter 12 Information Security Management

2 This Could Happen to You: “Could Someone Be Getting to Our Data?”
- Someone is stealing wedding presents, but only from weddings of club members.
- The thief knew how to access the system and the database, and maybe some SQL.
- Access: Mike has yellow stickies with passwords on his monitor and copies of the key to the server building.
- Knowledge: the greenskeeper, "a techno-whiz," created a report for Anne. He knows how to query the database and was known to access it before Anne's project (ch. 9).
Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall

3 Study Questions
Q1: What are the sources and types of security threats?
Q2: What are the elements of a security program?
Q3: How can technical safeguards protect against security threats?
Q4: How can data safeguards protect against security threats?
Q5: How can human safeguards protect against security threats?
Q6: What is necessary for disaster preparedness?
Q7: How should organizations respond to security incidents?
How does the knowledge in this chapter help Fox Lake and you?

4 Q1: What Are the Sources and Types of Security Threats

5 Unauthorized Data Disclosure
- Unauthorized data disclosure: inadvertent release of data in violation of policy
- Pretexting: pretending to be someone else, for example over the phone
- Phishing: pretexting using email
- Spoofing: disguising as a different IP address or a different sender
- IP spoofing: impersonating another computing system
- Email spoofing: synonym for phishing
- Sniffing: intercepting computer communications

6 Incorrect Data Modifications
- Human error: incorrect entries and information; procedural problems
- Systems errors: for example the lost-update problem, where two overlapping updates to the same record leave one of them silently lost
- Hacking: unauthorized system access
- Faulty recovery actions: human procedural mistakes; errors in installation of hardware, software programs, or data
- Usurpation: unauthorized programs invade the computer system and replace legitimate programs
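An added illustration (not from the textbook or the slide deck) of the lost-update problem listed under systems errors: two sessions read the same record, each computes a new value, and the later write silently discards the earlier one. The record store, the two sessions and the numbers are constructed for this example; the second function shows the usual fix, a version check on write (optimistic locking), which turns the silent loss into a detectable conflict that is retried.

```python
"""Lost-update problem, constructed example: an in-memory record with a
version counter, updated by two interleaved sessions."""


class Conflict(Exception):
    """Raised when a write is based on a read that is no longer current."""


class RecordStore:
    """One record (e.g. an account balance) plus a version number."""

    def __init__(self, value):
        self.value = value
        self.version = 0

    def read(self):
        return self.value, self.version

    def write_unchecked(self, new_value):
        # Blind write: nothing verifies that the value read earlier is still current.
        self.value = new_value
        self.version += 1

    def write_checked(self, new_value, expected_version):
        # Optimistic lock: refuse the write if another session wrote in between.
        if self.version != expected_version:
            raise Conflict(f"record is at version {self.version}, "
                           f"write expected version {expected_version}")
        self.value = new_value
        self.version += 1


def lost_update(start, delta_a, delta_b):
    """Two sessions interleave without any check; session A's update is lost.
    Returns the final stored value."""
    store = RecordStore(start)
    a_val, _ = store.read()                 # session A reads
    b_val, _ = store.read()                 # session B reads the same value
    store.write_unchecked(a_val + delta_a)  # A writes its result
    store.write_unchecked(b_val + delta_b)  # B overwrites A's result
    return store.value


def checked_update(start, delta_a, delta_b):
    """Same interleaving with version checks; B's stale write is rejected and
    recomputed from a fresh read. Returns (final value, number of conflicts)."""
    store = RecordStore(start)
    conflicts = 0
    a_val, a_ver = store.read()
    b_val, b_ver = store.read()
    store.write_checked(a_val + delta_a, a_ver)   # A wins the race
    while True:
        try:
            store.write_checked(b_val + delta_b, b_ver)
            break
        except Conflict:
            conflicts += 1
            b_val, b_ver = store.read()           # re-read, recompute, retry
    return store.value, conflicts


if __name__ == "__main__":
    print("unchecked:", lost_update(100, 50, 30))   # 130, the +50 is lost
    print("checked:  ", checked_update(100, 50, 30))  # (180, 1)
```

With a starting balance of 100 and two deposits of 50 and 30, the unchecked version ends at 130 and no error is ever raised; the checked version ends at the correct 180 after one detected conflict, which is exactly the difference between a silent incorrect modification and a recoverable one.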

7 Denial of Service (DOS)
- Human error: inadvertently shutting down a web server or gateway router with a computationally intensive application (example: an OLAP application that uses the operational DBMS blocks order-entry transactions)
- Malicious attacks: flooding a web server with millions of requests for web pages
- Computer worms
- Natural disasters

8 Loss of Infrastructure
- Accidental: a bulldozer cutting a fiber-optic cable, a floor buffer banging into the web server, a water line break or fire damaging hardware
- Theft and terrorists: a disgruntled employee steals equipment or damages the computer center
- Natural disasters: floods, tornadoes, hurricanes, fire, earthquakes

9 Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts
In this exercise, you and a group of your fellow students will be asked to investigate phishing attacks. If you search the web for phishing, be aware that your search may bring the attention of an active phisher. Therefore, do not give any data to any site that you visit as part of this exercise!

10 Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts (cont'd)
1. To learn the fundamentals of phishing, visit the following site:
To see recent examples of phishing attacks, visit:
- Using examples from these web sites, describe how phishing works.
- Explain why a link that appears to be legitimate, such as may, in fact, be a link to a phisher's site.
- List five indicators of a phishing attack.
- Write an email that you could send to a friend or relative who is not well versed in technical matters that explains what phishing is and how your friend or relative can avoid it.

11 Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts (cont'd)
2. Suppose you received the email in Figure 1 and mistakenly clicked See more details here. When you did so, you were taken to the web page shown in Figure 2. List every phishing symptom that you find in these two figures and explain why it is a symptom.
3. Suppose you work for an organization that is being phished.
- How would you learn that your organization is being attacked?
- What steps should your organization take in response to the attack?
- What liability, if any, do you think your organization has for damages to customers that result from a phishing attack that carries your brand and trademarks?

12 Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts (cont'd)
4. Summarize why phishing is a serious problem to commerce today.
5. Describe actions that industry organizations, companies, governments, or individuals can take to help reduce phishing.

13 Q2: What Are the Elements of a Security Program?
- Senior management involvement: must establish a security policy and manage risk, balancing the costs and benefits of security measures
- Safeguards: protections against security threats
- Incident response: a priority plan for security incidents

14 Security Safeguards as They Relate to the Five Components
Effective security programs balance safeguards across all five components.

15 Q3: How Can Technical Safeguards Protect Against Security Threats?

16 Identification and Authentication
Authentication methods:
- Password
- Smart card: microchip embedded with identifying data; authentication by PIN
- Biometric authentication: fingerprints, face scans, retina scans
Single sign-on for multiple systems: authenticate once to the network and other servers

17 Encryption Terminology
- Encryption algorithms
- Key: a number used to encrypt the data
- Symmetric encryption
- Asymmetric encryption: public/private key
- HTTPS: Secure Sockets Layer (SSL), Transport Layer Security (TLS)

18 Encryption—SSL/TLS Figure 12-4

19 Firewalls
- Computing device that prevents unauthorized network access
- May be a special-purpose computer or a program on a general-purpose computer
- Organizations may have multiple firewalls: perimeter firewalls outside the network, internal firewalls inside the network
- Packet-filtering firewalls examine each part of a message and may filter both incoming and outgoing messages
- Encoded rules state which IP addresses are allowed in or out of the network
- Do not connect to the Internet without firewall protection!
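An added example (not from the textbook or the slide deck) of the encoded rules a packet-filtering firewall evaluates: each rule names a direction, a range of addresses on the Internet side, and optionally a destination port. Rules are checked in order, the first match decides, and a packet that matches nothing is denied. The rule set, the addresses (from the documentation ranges) and the sample packets are constructed for this example.

```python
"""Packet-filtering rule evaluation, constructed example: first match wins,
default deny for anything no rule allows."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str              # "in" (from the Internet) or "out" (to the Internet)
    remote: str                 # CIDR range of the host on the Internet side
    port: Optional[int] = None  # destination port; None matches any port

    def matches(self, direction: str, remote_ip: str, dport: int) -> bool:
        if self.direction != direction:
            return False
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.remote):
            return False
        return self.port is None or self.port == dport


# Constructed perimeter rule set: block one abusive range outright, expose only
# HTTPS on the public web server, and let internal hosts reach web sites and DNS.
PERIMETER_RULES: List[Rule] = [
    Rule("deny",  "in",  "203.0.113.0/24"),   # known-bad range, drop everything
    Rule("allow", "in",  "0.0.0.0/0", 443),   # HTTPS to the web server
    Rule("allow", "out", "0.0.0.0/0", 443),   # browsing from inside
    Rule("allow", "out", "0.0.0.0/0", 53),    # DNS lookups
]

Packet = Tuple[str, str, int]   # (direction, remote_ip, destination port)


def decide(rules: List[Rule], direction: str, remote_ip: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one packet; the first matching rule wins."""
    for rule in rules:
        if rule.matches(direction, remote_ip, dport):
            return rule.action
    return "deny"   # default deny: anything not explicitly allowed is dropped


def filter_packets(rules: List[Rule], packets: List[Packet]):
    """Apply the rule set to a list of packets, returning (packet, verdict) pairs."""
    return [(p, decide(rules, *p)) for p in packets]


# Constructed sample traffic seen at the perimeter.
SAMPLE_PACKETS: List[Packet] = [
    ("in",  "198.51.100.7", 443),   # visitor fetching the web site
    ("in",  "198.51.100.7", 3389),  # remote desktop attempt from outside
    ("in",  "203.0.113.9",  443),   # HTTPS from the blocked range
    ("out", "192.0.2.10",   53),    # internal host doing a DNS lookup
    ("out", "192.0.2.10",   25),    # outbound SMTP, not on the allow list
]

if __name__ == "__main__":
    for packet, verdict in filter_packets(PERIMETER_RULES, SAMPLE_PACKETS):
        print(f"{verdict:5s} {packet}")
```

The ordering matters: the deny for 203.0.113.0/24 sits above the general HTTPS allow, so a request on port 443 from that range is still dropped. Swapping those two rules would let it through, which is why rule order is reviewed along with the rules themselves.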

20 Use of Multiple Firewalls

21 Malware Protection
- Spyware programs
- Adware: similar to spyware but without malicious intent; watches the user's activity, produces pop-up ads, changes windows, modifies search results; can slow computer performance
- Remove with anti-spyware and anti-adware programs
- Click for latest viruses, malware threats; More on threats

22 Malware Protection
Type: Problems
- Malware: viruses, worms, Trojan horses, spyware, and adware
- Virus: computer program that replicates itself and takes unwanted and harmful actions
- Macro virus: attaches itself to Word, Excel, or other types of documents; the virus infects every file the application creates or processes
- Worm: virus that propagates using the Internet or another computer network; can choke a network
- Spyware: some capture keystrokes to obtain user names, passwords, account numbers, and other sensitive information; other spyware supports marketing analyses
- Adware: can slow computer performance
Click for latest viruses, malware threats

23 Spyware and Adware Symptoms

24 Malware Safeguards
- Install antivirus and anti-spyware programs on your computer
- Set up your anti-malware programs to scan your computer frequently
- Update malware definitions
- Open attachments only from known sources
- Promptly install software updates from legitimate sources
- Browse only in reputable Internet neighborhoods

25 Q4: How Can Data Safeguards Protect Against Security Threats?

26 Q5: How Can Human Safeguards Protect Against Security Threats?
- Position definitions: least privilege possible
- Hiring and screening employees: extensive interviews and background checks for high-sensitivity positions
- Dissemination and enforcement: make employees aware of security policies and procedures
- Termination: establish security policies and procedures for employee termination; the HR dept. gives IS early notification

27 How Can Human Safeguards Protect Against Security Threats? (cont’d)

28 How Can Human Safeguards Protect Against Security Threats? (cont’d)

29 Account Administration
Administration of user accounts, passwords, and help-desk policies and procedures
- Account management: creation of new user accounts, modification of existing account permissions, removal of unneeded accounts. Improve your relationship with IS personnel by providing early and timely notification of the need for account changes.
- Password management: users should change passwords every three months or more frequently.

30 National Institute of Standards and Technology (NIST) Recommendation
The user signs a statement like this.

31 Systems Procedures

32 Security Monitoring Functions
- Activity log analyses: firewall logs, DBMS log-in records, web server logs
- Security testing: in-house and external security professionals
- Investigation of incidents: how did the problem occur? Indication of potential vulnerability and needed corrective actions
- Learn from incidents: review and update security and safeguard policies
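An added example (not from the textbook or the slide deck) of activity log analysis over DBMS log-in records, one of the monitoring sources the slide lists. The record format and every line in it are constructed for this example. Three checks run over the records: a burst of failed logins from one source address (password guessing), a successful login outside business hours, and a success from a source that was already flagged for a failure burst, which is the case that should go to the top of the incident investigation queue.

```python
"""Activity log analysis over constructed DBMS log-in records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DBMS log-in records: timestamp, user, source address, result.
DBMS_LOGIN_LOG = """\
2012-03-04T02:10:01 user=anne src=10.0.0.7 result=FAIL
2012-03-04T02:10:05 user=anne src=10.0.0.7 result=FAIL
2012-03-04T02:10:12 user=anne src=10.0.0.7 result=FAIL
2012-03-04T02:10:20 user=anne src=10.0.0.7 result=FAIL
2012-03-04T02:10:31 user=anne src=10.0.0.7 result=FAIL
2012-03-04T02:10:45 user=anne src=10.0.0.7 result=OK
2012-03-04T09:00:02 user=mike src=10.0.0.21 result=OK
2012-03-04T09:05:40 user=jeff src=10.0.0.9 result=FAIL
2012-03-04T09:05:55 user=jeff src=10.0.0.9 result=OK
"""


def parse_log(text):
    """Turn each record into a dict with ts/user/src/result; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:])
        events.append({"ts": datetime.fromisoformat(parts[0]), **fields})
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Source addresses with at least `threshold` FAIL results inside any `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e["ts"])
    flagged = []
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return flagged


def off_hours_logins(events, open_hour=7, close_hour=19):
    """Successful logins outside the business day, as (user, src, timestamp)."""
    return [(e["user"], e["src"], e["ts"].isoformat())
            for e in events
            if e["result"] == "OK" and not open_hour <= e["ts"].hour < close_hour]


def successes_after_burst(events):
    """Successful logins from a source already flagged for a failure burst:
    the guessing may have worked, so these accounts are checked first."""
    bursts = set(failed_login_bursts(events))
    return sorted({(e["user"], e["src"]) for e in events
                   if e["result"] == "OK" and e["src"] in bursts})


if __name__ == "__main__":
    evs = parse_log(DBMS_LOGIN_LOG)
    print("failure bursts from:", failed_login_bursts(evs))
    print("off-hours logins:", off_hours_logins(evs))
    print("successes after a burst:", successes_after_burst(evs))
```

On the constructed records, jeff's single mistyped password at 09:05 is noise and is not flagged, while anne's account shows five failures in thirty seconds at 02:10 followed by a success from the same address outside business hours: three independent indicators pointing at one account, which is what turns a log entry into an incident to investigate.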

33 Q6: What Is Necessary for Disaster Preparedness?
Substantial loss of infrastructure caused by acts of nature, crime, or terrorism
Appropriate location:
- Avoid places prone to floods, earthquakes, tornadoes, hurricanes, avalanches, car/truck accidents
- Not in unobtrusive buildings, basements, backrooms, physical perimeter
- Fire-resistant buildings

34 Q6: What Is Necessary for Disaster Preparedness? (cont’d)
- Backup processing centers in a geographically removed site
- Create backups for critical resources
- Contract with a "hot site" or "cold site" provider: a hot site provides all equipment needed to continue operations there; a cold site provides space, but you set up and install the equipment
- Periodically train and rehearse cutover of operations

35 Q7: How Should Organizations Respond to Security Incidents?

36 How Does the Knowledge in This Chapter Help Fox Lake and You?
Knowledge in Chapter 11 and Chapter 12 could help Jeff and Mike better protect the Fox Lake computing infrastructure. Mike would have known to protect his passwords better, and would have known the dangers of having someone like Jason producing reports for Anne. If you work in a small business, take the Fox Lake example to heart. Remembering these problems, you can do a better job of protecting your computing assets.

37 Active Review
Q1: What are the sources and types of security threats?
Q2: What are the elements of a security program?
Q3: How can technical safeguards protect against security threats?
Q4: How can data safeguards protect against security threats?
Q5: How can human safeguards protect against security threats?
Q6: What is necessary for disaster preparedness?
Q7: How should organizations respond to security incidents?
How does the knowledge in this chapter help Fox Lake and you?

38 Ethics Guide: Metasecurity
Securing the security system:
- Accounting controls
- Storage of file accounts & passwords
- Use temporary keys
- Encourage reporting of flaws
- Encryption and keys
- Using "white hats," experts, consultants: do you trust them? What do you do with them when they've completed their check of the system?
- Source code control

39 Guide: The Final, Final Word
Future business professionals must be able to assess, evaluate, and apply emerging information technology to business. You need to know how to innovate in the use of technology and how to collaborate, reason abstractly, think in terms of systems, and be willing to experiment. Take time to do the exercises at the end of this piece and use those answers in your job interviews! Use what you've learned in this class to obtain the job you truly want!

40 Case Study 12: The ChoicePoint Attack
ChoicePoint provides motor vehicle reports, claim histories, and similar data to the automobile insurance industry, general business, and government agencies. It offers data for volunteer and job-applicant screening and data to assist in locating missing children. ChoicePoint has over 4,000 employees, and its 2007 revenue was $982 million. ChoicePoint was the victim of a spoofing attack in which unauthorized individuals posed as legitimate customers and obtained personal data on more than 145,000 individuals. This is an example of an authentication failure, not a network break-in.

41 ChoicePoint Attack (cont’d)
If ChoicePoint had quietly shut down data access for the illegitimate businesses, no one would have known. However . . . the 145,000 customers whose identities were compromised would have been unknowing victims of identity theft, and the thefts could have been traced back to ChoicePoint.

42 ChoicePoint Attack (cont’d)
- Firewalls and other safeguards were not overcome.
- Criminals spoofed legitimate businesses by obtaining valid California business licenses.
- The attack went undetected for months, until unusual processing activity was noticed.
- ChoicePoint contacted the police and cooperated in the attempt to apprehend the criminals.
- The result was a public relations nightmare, considerable expense, a class-action lawsuit, a Senate investigation, and a 20% drop in share price.

43 Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America. Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall

