Information Security Management Chapter 11 Information Security Management

Agenda Security Threats Security Program Sources Problems Senior Management’s Security Role Technical Safeguard Data Safeguard Human Safeguard Disaster Preparedness Incident Response

Sources of Security Threats Human error and mistakes Employees and non-employees Accidental problems Poorly written application programs Poorly designed procedures Malicious human activity Employees, former employees, hackers, and outside criminals Intentionally destroy data or other systems components Steal for financial gain Terrorism Natural events and disasters Acts of nature Loss of capability, service, and recovery

Problems of Security Threats Unauthorized data disclosure Incorrect data modification Faulty service Denial of service Loss of infrastructure

Unauthorized Data Disclosure Pretexting: someone pretending to be someone else Phishing: someone pretending a legitimate company and obtaining confidential data by email Spoofing: IP spoofing and Email spoofing Sniffing: intercepting computer communication Drive-by sniffers: intercepting unprotected wireless network

Incorrect Data Modification Human error employees follow procedures incorrectly procedures have been incorrectly designed Hacking

Faulty Service Incorrect system operation Usurpation Human procedure mistake Usurpation Unauthorized program in a computer system

Denial of Service Human error Malicious hacker Natural disasters

Loss of Infrastructure Human accidents Theft and terrorist events Natural disasters

Security Program Senior management involvement Security policy Cost and benefit analysis Safeguards of various kinds Technical protection: hardware and software Data protection: data Human protection: people and procedure Incident response Program response to security incident

Security Elements By National Institute of Standards and Technology (NIST) Support the mission of the organization An integral element of sound management Cost effective Explicit security responsibilities and accountability Comprehensive and integrated approach Periodically reassessing Constrained by social factor

Senior Management Role Security policy General policy: goals and assets Issue-specific policy: computer and email usage System-specific policy: specific information systems Risk management and assessment Assets and vulnerability Threats Likelihood of an adverse occurrence Consequences Safeguard and cost Probable loss

Technical Safeguard Identification and authentication Encryption Digital signature Firewall Malware protection Design secure application

Identification and Authentication User name Authentication Pass word (what you know) Smart card (what you have) Biometric authentication: fingerprints, facial features, retinal scans (what you are) Single sign-on for multiple systems (Kerberos) Wireless: WPA (Wi-Fi Protected Access) and WPA2

Encryption Symmetric encryption: one key Asymmetric encryption: public key and private key Secure Socket Layer (SSL) and Transport Layer Security (TLS): only client verify true Web site Digital signature Hashing Message digest (check digits) Digital certificate and certificate authorities

Firewall Definition Device Type A computing device to prevent unauthorized network access Device A special-purpose computer A program on a general-purpose computer or on a router Type Perimeter firewall Internal firewall Packet-filtering firewall Access control list (ACL)

Use of Multiple Firewalls

Malware Malware: viruses, worms, Trojan horses, spyware, and adware Spyware: programs installed without the user’s knowledge for spying Adware: installed without the user’s permission for observing user behavior and popping up ads

Spyware and Adware Symptoms Slow system start up Sluggish system performance Many pop-up ads Browser homepage changes, taskbar, and other interfaces Unusual hard disk activity

Malware Safeguard Install antivirus and antispyware programs Scan computer frequently Update malware definitions Open email attachments only from known sources Promptly install software updates from legitimate sources Browse only in reputable Internet neighborhoods

Data Safeguard Specifying user rights and responsibilities User account and password Store sensitive data in encrypted form Regular backup and practice recovery Backup copy at remote location Reside in locked, controlled-access facilities

Human Safeguard for Employee Position definition Job tasks and responsibilities Least possible privilege Documenting security sensitivity for each position Hiring and Screening Interviews, references, and background investigations Dissemination and enforcement Security policies, procedures, and responsibilities awareness Training Security responsibility, accountability, and compliance Termination Termination policies and procedures Remove accounts and passwords Recover keys for encrypted data

Human Safeguard for Non Employee Temporary personnel, vendors, partner personnel, and the public Require vendors and partners to perform appropriate screening and security training Harden (extraordinary measures to reduce a system’s vulnerability) the Web site or other facility against attack

Account Administration User accounts Creation of new user accounts, modification of existing account permissions, and removal of unneeded accounts Password Change password Use proper password Help-desk policies and procedures for user’s forgetting password

Systems Procedures Users and operations personnel Procedures for normal, backup, and recovery operations

Systems Monitoring Log analysis Security testing Investigating and learning from security incident In-house IT personal and outside security consultants Updating security: new technology and requirement

Disaster Preparedness Locate infrastructure in safe location Identify mission-critical systems Identify resources needed to run those systems Prepare remote backup facility Hot sites: providing remote processing centers run by commercial disaster-recovery services Cold site: providing office space, but customers themselves provide and install the equipment needed to continue operations Train and rehearse

Incident Response Have a plan Critical personnel and off-hours contact information Centralized reporting Prepare specific response for speed Practice

Discussion Ethic guide (343a-b) Problem solving (351a-b) Address the proper ethic issues of a online retailer related to its customer’s information. Problem solving (351a-b) Address the security issues of hiring a white hat hacker. Security guide (357a-b) Address the meta security issues of any organization. Reflection guide (361a-b) Address the future of IT and IS five years latter.

Case Study Case 11-1 Antiphishing Tactics (365-366): 2 only

Points to Remember Security Threats Security Program Sources Problems Senior Management’s Security Role Technical Safeguard Data Safeguard Human Safeguard Disaster Preparedness Incident Response