Information Security Management


Chapter 12: Information Security Management

This Could Happen to You: “Could Someone Be Getting to Our Data?”
- Someone is stealing wedding presents, but only from weddings of club members.
- The thief knew how to access the system and the database, and maybe some SQL.
- Access: Mike has yellow stickies with passwords on his monitor and copies of the key to the server building.
- Knowledge: the greenskeeper, “a techno-whiz,” created a report for Anne. He knows how to query the database and is known to have accessed it before Anne’s project (ch. 9).
- Scenario video
Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall

Study Questions
- Q1: What are the sources and types of security threats?
- Q2: What are the elements of a security program?
- Q3: How can technical safeguards protect against security threats?
- Q4: How can data safeguards protect against security threats?
- Q5: How can human safeguards protect against security threats?
- Q6: What is necessary for disaster preparedness?
- Q7: How should organizations respond to security incidents?
- How does the knowledge in this chapter help Fox Lake and you?

Q1: What Are the Sources and Types of Security Threats?

Unauthorized Data Disclosure
- Unauthorized data disclosure—inadvertent release of data in violation of policy
- Pretexting—pretending to be someone else via phone call
- Phishing—pretexting using email
- Spoofing—disguising as a different IP address or a different email sender
  - IP spoofing—impersonating another computing system
  - Email spoofing—synonym for phishing
- Sniffing—intercepting computer communications

Incorrect Data Modifications
- Human errors
  - Incorrect entries and information
  - Procedural problems
- Systems errors (lost-update problem)
- Hacking
  - Unauthorized system access
- Faulty recovery actions
  - Human procedural mistakes
  - Errors in installation of hardware, software programs, or data
- Usurpation
  - Unauthorized programs invade the computer system and replace legitimate programs
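
The lost-update problem the slide lists under systems errors is easy to reproduce and easy to prevent. The following is an added example, not code from the textbook or its publisher: it runs two "clerks" against an in-memory SQLite table, first with the naive read-modify-write pattern that loses an update, then with optimistic concurrency (a version column that makes a stale write fail). The table, its columns and the quantities are constructed for the demo.

```python
# Added example, not from the textbook slides: the "lost-update problem" the
# slide lists under systems errors, reproduced against an in-memory SQLite
# table, next to the usual fix, optimistic concurrency with a version column.
# The table, columns and quantities are constructed for this demo.
import sqlite3


def make_db():
    """Create an in-memory inventory table holding one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE item (id INTEGER PRIMARY KEY, qty INTEGER, version INTEGER)"
    )
    conn.execute("INSERT INTO item VALUES (1, 100, 0)")
    conn.commit()
    return conn


def read_item(conn):
    """Return (qty, version) for the single demo row."""
    return conn.execute("SELECT qty, version FROM item WHERE id = 1").fetchone()


def lost_update_demo():
    """Two clerks both read qty=100, compute their own result, and blindly write it.

    Clerk A ships 30 units and writes 70; clerk B ships 20 and writes 80.
    B's write silently overwrites A's, so 30 units vanish from the books.
    """
    conn = make_db()
    a_qty, _ = read_item(conn)      # A reads 100
    b_qty, _ = read_item(conn)      # B reads 100 too (A has not written yet)
    conn.execute("UPDATE item SET qty = ? WHERE id = 1", (a_qty - 30,))  # A writes 70
    conn.execute("UPDATE item SET qty = ? WHERE id = 1", (b_qty - 20,))  # B writes 80
    conn.commit()
    return read_item(conn)[0]       # 80, although the correct answer is 50


def guarded_decrement(conn, amount, expected_version):
    """Apply the decrement only if the row is still at the version the caller read.

    Returns True on success; False means another writer got there first and the
    caller must re-read the row and retry (or report a conflict to the user).
    """
    cur = conn.execute(
        "UPDATE item SET qty = qty - ?, version = version + 1 "
        "WHERE id = 1 AND version = ?",
        (amount, expected_version),
    )
    conn.commit()
    return cur.rowcount == 1


def guarded_demo():
    """Same two clerks, but each write is guarded by the version it was based on."""
    conn = make_db()
    _, a_ver = read_item(conn)      # A reads version 0
    _, b_ver = read_item(conn)      # B reads version 0
    a_ok = guarded_decrement(conn, 30, a_ver)          # succeeds, row is now version 1
    b_first_try = guarded_decrement(conn, 20, b_ver)   # rejected: version 0 is stale
    b_ok = b_first_try
    if not b_ok:
        _, fresh_ver = read_item(conn)                 # retry against the current row
        b_ok = guarded_decrement(conn, 20, fresh_ver)
    return a_ok, b_first_try, b_ok, read_item(conn)[0]  # (True, False, True, 50)


if __name__ == "__main__":
    print("naive:", lost_update_demo())
    print("guarded:", guarded_demo())
```

The guarded version is the same pattern a DBMS applies internally with locks; doing it explicitly in the application is what makes the conflict visible instead of silently losing one clerk's work.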

Denial of Service (DoS)
- Human error
  - Inadvertently shut down web server or gateway router with a computationally intensive application
  - Example: OLAP application that uses the operational DBMS blocks order-entry transactions
- Malicious attacks
  - Flood web server with millions of requests for web pages
  - Computer worms
- Natural disasters

Loss of Infrastructure
- Accidental
  - Bulldozer cutting fiber-optic cable; floor buffer bangs web server
  - Water line breaks or fire damages hardware
- Theft and terrorists
  - Disgruntled employee steals equipment
  - Damages computer center
- Natural disasters
  - Floods, tornadoes, hurricanes, fire, earthquakes

Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts
In this exercise, you and a group of your fellow students will be asked to investigate phishing attacks. If you search the web for phishing, be aware that your search may bring the attention of an active phisher. Therefore, do not give any data to any site that you visit as part of this exercise!

1. To learn the fundamentals of phishing, visit www.microsoft.com/protect/fraud/phishing/symptoms.aspx. To see recent examples of phishing attacks, visit www.fraudwatchinternational.com/phishing/. Using examples from these web sites:
   - Describe how phishing works.
   - Explain why a link that appears to be legitimate, such as www.microsoft.mysite.com, may in fact be a link to a phisher’s site.
   - List five indicators of a phishing attack.
   - Write an email that you could send to a friend or relative who is not well versed in technical matters that explains what phishing is and how your friend or relative can avoid it.
2. Suppose you received the email in Figure 1 and mistakenly clicked See more details here. When you did so, you were taken to the web page shown in Figure 2. List every phishing symptom that you find in these two figures and explain why it is a symptom.
3. Suppose you work for an organization that is being phished.
   - How would you learn that your organization is being attacked?
   - What steps should your organization take in response to the attack?
   - What liability, if any, do you think your organization has for damages to customers that result from a phishing attack that carries your brand and trademarks?
4. Summarize why phishing is a serious problem to commerce today.
5. Describe actions that industry organizations, companies, governments, or individuals can take to help reduce phishing.
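
Step 1 asks why a link such as www.microsoft.mysite.com is not what it appears to be. The checker below is an added example, not part of the textbook exercise or Pearson's material: it tests a URL for a few link-level indicators (plain http, a brand name that sits only in a subdomain label, a raw IP address as host, user-info before the host). Its notion of a "registrable domain" (the last two DNS labels) is a deliberate simplification; real checks consult the Public Suffix List. The brand domain and the sample URLs are constructed.

```python
# Added example, not part of the textbook exercise: a small checker for a few of
# the link-level phishing indicators the exercise asks students to list. The
# "registrable domain" rule here (last two DNS labels) is a deliberate
# simplification; production code consults the Public Suffix List. The brand
# domain and the sample URLs are constructed for the demo.
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host):
    """Simplified: the last two labels are what someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_indicators(url, brand_domain="microsoft.com"):
    """Return the names of the indicators that apply to url ([] means none found)."""
    found = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    if parts.scheme != "https":
        found.append("not https")             # a login page should never be plain http

    if "@" in parts.netloc:
        found.append("userinfo before host")  # the browser goes to whatever follows '@'

    try:
        ipaddress.ip_address(host)
        found.append("ip-literal host")       # brands link to names, not raw addresses
        return found                          # no domain name left to compare below
    except ValueError:
        pass

    brand_label = brand_domain.split(".")[0]
    if brand_label in host and registrable_domain(host) != brand_domain:
        # www.microsoft.mysite.com: "microsoft" is only a subdomain label;
        # whoever registered mysite.com decides where that name resolves.
        found.append("brand name outside registrable domain")

    return found


if __name__ == "__main__":
    for sample in ("http://www.microsoft.mysite.com/login", "https://www.microsoft.com/"):
        print(sample, "->", link_indicators(sample))
```

Reading the output for the exercise's own example, the point is that the browser only cares about the rightmost labels: mysite.com is the name that was registered, and everything to its left is whatever its owner chose.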

Q2: What Are the Elements of a Security Program?
- Security policy: must establish a security policy
- Risk management: balancing costs and benefits of security measures; senior management involvement
- Safeguards: protections against security threats
- Incident response: priority plan for security incidents

Security Safeguards as They Relate to the Five Components (figure)
Effective security programs balance safeguards.

Q3: How Can Technical Safeguards Protect Against Security Threats?

Identification and Authentication
- Authentication methods: password, smart card, biometric
- Smart cards: microchip embedded with identifying data; authentication by PIN
- Biometric authentication: fingerprints, face scans, retina scans (see http://searchsecurity.techtarget.com)
- Single sign-on for multiple systems: authenticate to the network and other servers

Encryption Terminology
- Encryption algorithms
- Key—a number used to encrypt the data
- Symmetric encryption
- Asymmetric encryption—public/private key
- HTTPS
  - Secure Sockets Layer (SSL)
  - Transport Layer Security (TLS)
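
The HTTPS bullet hides most of the work in the client's TLS settings. As an added example, not code from the textbook, the block below builds two client contexts with Python's standard ssl module: the strict one, which verifies the server's certificate chain and host name and refuses protocol versions older than TLS 1.2, and the weak one, which still encrypts but accepts any certificate from anyone, so a spoofed server passes unchallenged. No network connection is made; the review check at the end is the kind of assertion a code reviewer would run over application configuration.

```python
# Added example, not from the textbook: a strict TLS client context beside the
# weak configuration that quietly disables server authentication. Both are
# constructed for this demo; nothing connects to the network.
import ssl


def strict_client_context():
    """Verify the server certificate chain and host name; refuse pre-TLS 1.2 protocols."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # SSL 3.0, TLS 1.0 and 1.1 are off
    return ctx


def weak_client_context():
    """The anti-pattern: encrypts, but accepts any certificate from anyone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be off before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # a spoofed server passes unchallenged
    return ctx


def context_is_safe(ctx):
    """Review check: does this context actually authenticate the server?"""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    print("strict:", context_is_safe(strict_client_context()))   # True
    print("weak:", context_is_safe(weak_client_context()))       # False
```

Encryption alone is not the point of TLS; without certificate and host-name verification the client has no idea who it is encrypting to, which is exactly the spoofing scenario the chapter opened with.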

Encryption—SSL/TLS (Figure 12-4)

Firewalls
- Computing device that prevents unauthorized network access
- May be a special-purpose computer or a program on a general-purpose computer
- Organizations may have multiple firewalls
  - Perimeter firewalls outside the network
  - Internal firewalls inside the network
- Packet-filtering firewalls examine each part of a message
  - May filter both incoming and outgoing messages
  - Encoded rules stating IP addresses allowed in or out of the network
- Do not connect to the Internet without firewall protection!
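
The "encoded rules stating IP addresses allowed in or out of network" bullet is concrete enough to implement. The block below is an added example, not code from the textbook or any firewall product: a minimal packet filter that evaluates an ordered rule list, first match wins, with an implicit deny for anything no rule covers. Addresses come from the RFC 5737 documentation ranges; the rule set, the web server address and the packets are constructed for the demo.

```python
# Added example, not from the textbook: a minimal packet-filtering firewall of
# the kind the slide describes. Rules are evaluated first match wins, with an
# implicit deny at the end. Addresses are from the RFC 5737 documentation
# ranges; the rule set and packets are constructed for the demo.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (toward the Internet)
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in", "out" or "any"
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every port


INTERNAL_NET = "192.0.2.0/24"   # constructed: the organization's LAN
WEB_SERVER = "192.0.2.10/32"    # constructed: the public web server

RULES = [
    # Anyone may reach the web server, but only on HTTPS.
    Rule("allow", "in", "0.0.0.0/0", WEB_SERVER, "tcp", 443),
    # Internal hosts may start outbound TCP sessions, except to the SMB port.
    Rule("deny", "out", INTERNAL_NET, "0.0.0.0/0", "tcp", 445),
    Rule("allow", "out", INTERNAL_NET, "0.0.0.0/0", "tcp"),
    # Everything else falls through to the implicit deny in decide().
]


def matches(rule, pkt):
    """True when every field of the rule covers the packet."""
    return (
        rule.direction in ("any", pkt.direction)
        and rule.proto in ("any", pkt.proto)
        and (rule.dport is None or rule.dport == pkt.dport)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
    )


def decide(pkt, rules=RULES):
    """First matching rule decides; a packet no rule covers is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def filter_batch(packets, rules=RULES):
    """Evaluate a batch and return (decision, packet) pairs, as a firewall log would."""
    return [(decide(p, rules), p) for p in packets]


if __name__ == "__main__":
    for decision, p in filter_batch([
        Packet("in", "198.51.100.7", "192.0.2.10", "tcp", 443),
        Packet("in", "198.51.100.7", "192.0.2.10", "tcp", 22),
    ]):
        print(decision, p)
```

Note that rule order matters: the specific outbound deny for port 445 sits above the general outbound allow, and swapping them would silently open the port. That ordering dependency is why firewall rule changes deserve the same review as code changes.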

Use of Multiple Firewalls (figure)

Malware Protection: Spyware and Adware
- Spyware programs
- Adware
  - Similar to spyware without malicious intent
  - Watches user’s activity, produces pop-up ads, changes window, modifies search results
  - Can slow computer performance
  - Remove with anti-spyware and anti-adware programs
- More on threats: latest viruses and malware threats (link)

Malware Protection: Types and Problems
- Malware: viruses, worms, Trojan horses, spyware, and adware
- Virus: computer program that replicates itself; takes unwanted and harmful actions
- Macro virus: attaches itself to Word, Excel, or other types of document; the virus infects every file an application creates or processes
- Worm: virus that propagates using the Internet or another computer network; can choke a network
- Spyware: some capture keystrokes to obtain user names, passwords, account numbers, and other sensitive information; other spyware supports marketing analyses
- Adware: can slow computer performance

Spyware and Adware Symptoms (figure)

Malware Safeguards
- Install antivirus and anti-spyware programs on your computer
- Set up your anti-malware programs to scan your computer frequently
- Update malware definitions
- Open email attachments only from known sources
- Promptly install software updates from legitimate sources
- Browse only in reputable Internet neighborhoods

Q4: How Can Data Safeguards Protect Against Security Threats?

Q5: How Can Human Safeguards Protect Against Security Threats?
- Position definitions: least privilege possible
- Hiring and screening employees: extensive interviews and background checks for high-sensitivity positions
- Dissemination and enforcement: make employees aware of security policies and procedures
- Termination: establish security policies and procedures for employee termination; HR department gives IS early notification

How Can Human Safeguards Protect Against Security Threats? (cont’d; figures)

Account Administration
- Administration of user accounts, passwords, and help-desk policies and procedures
- Account management: creation of new user accounts, modification of existing account permissions, removal of unneeded accounts. Improve your relationship with IS personnel by providing early and timely notification of the need for account changes.
- Password management: users should change passwords every three months or more frequently.
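
The human safeguards under Q5 (least-privilege position definitions, early HR notification of terminations) and the account-administration bullets above (removal of unneeded accounts, the three-month password change) become enforceable once they are written as a review that IS can run on a schedule. The block below is an added example, not code from the textbook: it compares an account table against an HR roster and a per-position entitlement list and reports what the help desk should act on. The roster, accounts, group names and dates are all constructed.

```python
# Added example, not from the textbook: an account-administration review that
# turns the slides' human safeguards into checks against an account table and
# an HR roster. Roster, accounts, group names and dates are all constructed.
from datetime import date

# Constructed: which groups each position is entitled to (least privilege).
POSITION_GROUPS = {
    "accountant": {"finance_ro"},
    "dba": {"finance_ro", "db_admin"},
    "groundskeeper": set(),
}

# Constructed HR roster.
HR_ROSTER = {
    "alice": {"position": "accountant", "status": "active"},
    "bob":   {"position": "dba", "status": "active"},
    "carol": {"position": "groundskeeper", "status": "terminated"},
}

# Constructed IS account table.
ACCOUNTS = [
    {"user": "alice",      "groups": {"finance_ro"},             "last_pw_change": date(2012, 1, 15)},
    {"user": "bob",        "groups": {"finance_ro", "db_admin"}, "last_pw_change": date(2011, 9, 1)},
    {"user": "carol",      "groups": {"db_admin"},               "last_pw_change": date(2012, 2, 1)},
    {"user": "svc_report", "groups": {"finance_ro"},             "last_pw_change": date(2012, 2, 20)},
]


def review_accounts(accounts, roster, today, max_pw_age_days=90):
    """Return a sorted list of (user, finding) pairs the help desk should act on."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # No HR record: nobody owns this account, so nobody will ask to close it.
            findings.append((user, "no HR record: orphan account, confirm owner or remove"))
        else:
            if person["status"] == "terminated":
                findings.append((user, "owner terminated: disable account"))
            # Least privilege: groups beyond what the position definition grants.
            allowed = POSITION_GROUPS.get(person["position"], set())
            extra = acct["groups"] - allowed
            if extra:
                findings.append((user, f"groups exceed position definition: {sorted(extra)}"))
        # The slide's three-month rule, expressed as a 90-day maximum age.
        age = (today - acct["last_pw_change"]).days
        if age > max_pw_age_days:
            findings.append((user, f"password is {age} days old (limit {max_pw_age_days})"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, HR_ROSTER, date(2012, 3, 1)):
        print(f"{user}: {finding}")
```

The review is only as good as the HR feed: the terminated-owner finding depends entirely on HR telling IS, which is the "early notification" point the slides make. The orphan-account check catches the case where no one ever told IS at all.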

National Institute of Standards and Technology (NIST) Recommendation (figure): the user signs a statement like this.

Systems Procedures (figure)

Security Monitoring Functions
- Activity log analyses: firewall logs, DBMS log-in records, web server logs
- Security testing: in-house and external security professionals
- Investigation of incidents: How did the problem occur? Indication of potential vulnerability and needed corrective actions
- Learn from incidents: review and update security and safeguard policies
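
"Activity log analyses" of DBMS log-in records is the monitoring function that would have surfaced the chapter's opening scenario. The block below is an added example, not code from the textbook: it parses a constructed sample of DBMS log-in records and flags any source address that accumulates many failed log-ins inside a short sliding window, which is what password guessing against several accounts looks like in the log. The log format, the addresses (RFC 5737 documentation ranges), the thresholds and the timestamps are all constructed.

```python
# Added example, not from the textbook: the "activity log analyses" function on
# the slide, run over constructed DBMS log-in records. Log format, addresses
# (RFC 5737 ranges), thresholds and timestamps are all constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of DBMS log-in records.
SAMPLE_LOG = """\
2012-03-01 09:00:01 LOGIN OK user=anne src=192.0.2.15
2012-03-01 09:00:12 LOGIN FAIL user=mike src=192.0.2.20
2012-03-01 09:00:40 LOGIN OK user=mike src=192.0.2.20
2012-03-01 09:01:00 LOGIN FAIL user=anne src=198.51.100.7
2012-03-01 09:01:03 LOGIN FAIL user=mike src=198.51.100.7
2012-03-01 09:01:06 LOGIN FAIL user=jeff src=198.51.100.7
2012-03-01 09:01:09 LOGIN FAIL user=admin src=198.51.100.7
2012-03-01 09:01:12 LOGIN FAIL user=sa src=198.51.100.7
2012-03-01 09:01:15 LOGIN FAIL user=root src=198.51.100.7
2012-03-01 09:30:00 LOGIN FAIL user=mike src=192.0.2.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, src) tuples; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failures inside one sliding window.

    Returns {src: {"failures": peak count in a window, "users": sorted targets}}.
    """
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    targets = defaultdict(set)    # src -> user names that saw a failed attempt
    alerts = {}
    for ts, result, user, src in sorted(events):
        if result != "FAIL":
            continue                       # a typo by a real user is not a burst
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:          # drop failures that fell out of the window
            q.popleft()
        targets[src].add(user)
        if len(q) >= threshold:
            peak = max(len(q), alerts.get(src, {}).get("failures", 0))
            alerts[src] = {"failures": peak, "users": sorted(targets[src])}
    return alerts


def analyze(text=SAMPLE_LOG, threshold=5, window=timedelta(minutes=5)):
    """Parse and evaluate a log text in one call."""
    return failed_login_bursts(parse_log(text), threshold, window)


if __name__ == "__main__":
    for src, info in analyze().items():
        print(f"{src}: {info['failures']} failures against {info['users']}")
```

The single failed log-in from 192.0.2.20 followed by a success is ordinary user behaviour and is not reported; six failures in fifteen seconds against six different accounts from one address is the pattern worth an investigation ticket. Threshold and window are the knobs a monitoring team tunes against its own baseline.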

Q6: What Is Necessary for Disaster Preparedness?
- Substantial loss of infrastructure caused by acts of nature, crime, or terrorism
- Appropriate location
  - Avoid places prone to floods, earthquakes, tornadoes, hurricanes, avalanches, car/truck accidents
  - Not in unobtrusive buildings, basements, backrooms, physical perimeter
  - Fire-resistant buildings

Q6: What Is Necessary for Disaster Preparedness? (cont’d)
- Backup processing centers in a geographically removed site
- Create backups for critical resources
- Contract with a “hot site” or “cold site” provider
  - Hot site provides all equipment needed to continue operations there
  - Cold site provides space, but you set up and install the equipment
  - www.ragingwire.com/managed_services?=recovery
- Periodically train and rehearse cutover of operations

Q7: How Should Organizations Respond to Security Incidents?

How Does the Knowledge in This Chapter Help Fox Lake and You?
- Knowledge in Chapter 11 and Chapter 12 could help Jeff and Mike better protect the Fox Lake computing infrastructure.
- Mike would have known to protect his passwords better.
- He would have known the dangers of having someone like Jason produce reports for Anne.
- If you work in a small business, take the Fox Lake example to heart. Remembering these problems, you can do a better job of protecting your computing assets.

Active Review
- Q1: What are the sources and types of security threats?
- Q2: What are the elements of a security program?
- Q3: How can technical safeguards protect against security threats?
- Q4: How can data safeguards protect against security threats?
- Q5: How can human safeguards protect against security threats?
- Q6: What is necessary for disaster preparedness?
- Q7: How should organizations respond to security incidents?
- How does the knowledge in this chapter help Fox Lake and you?

Ethics Guide: Metasecurity
- Securing the security system
- Accounting controls
- Storage of file accounts and passwords
- Encryption and keys: use temporary keys
- Using “white hats,” experts, consultants: Do you trust them? What do you do with them when they’ve completed their check of the system?
- Encourage reporting of flaws
- Source code control

Guide: The Final, Final Word
- Future business professionals must be able to assess, evaluate, and apply emerging information technology to business.
- You need to know how to innovate in the use of technology and how to collaborate, reason abstractly, think in terms of systems, and be willing to experiment.
- Take time to do the exercises at the end of this piece and use those answers in your job interviews!
- Use what you’ve learned in this class to obtain the job you truly want!

Case Study 12: The ChoicePoint Attack
- ChoicePoint provides motor vehicle reports, claim histories, and similar data to the automobile insurance industry, general business, and government agencies.
- Offers data for volunteer and job-applicant screening and data to assist in the location of missing children.
- ChoicePoint has over 4,000 employees, and its 2007 revenue was $982 million.
- ChoicePoint was the victim of a spoofing attack in which unauthorized individuals posed as legitimate customers and obtained personal data on more than 145,000 individuals.
- Example of an authentication failure, not a network break-in.

ChoicePoint Attack (cont’d)
- If ChoicePoint had quietly shut down data access for the illegitimate businesses, no one would have known.
- However, the 145,000 customers whose identities were compromised would have been unknowing victims of identity theft, but the thefts could have been tracked back to ChoicePoint.

ChoicePoint Attack (cont’d)
- Firewalls and other safeguards were not overcome.
- Criminals spoofed legitimate businesses by obtaining valid California business licenses.
- Undetected for months, until unusual processing activity was detected.
- ChoicePoint contacted police and cooperated in the attempt to apprehend the criminals.
- Resulted in a public relations nightmare, considerable expense, a class-action lawsuit, a Senate investigation, and a 20% drop in share price.

Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.