Published by Teodor Kaczmarczyk. Modified over 6 years ago.
IT Security, Crime, Compliance, and Continuity
Part II. Data and Network Infrastructure Chapter 5 IT Security, Crime, Compliance, and Continuity
5.1 Protecting Data and Business Operations
IT security: the protection of data, systems, networks, and operations. Technology defenses are necessary, but they are not sufficient, because protecting data and business operations also involves:
- Implementing and enforcing acceptable use policies (AUPs).
- Complying with government regulations and laws.
- Making data available 24x7 while restricting access.
- Promoting secure and legal sharing of information.
acceptable use policy (AUP)
An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to in order to be given access to a corporate network or the Internet. Many businesses and educational facilities require that employees or students sign an acceptable use policy before being granted a network ID. When you sign up with an Internet service provider (ISP), you will usually be presented with an AUP, which states that you agree to adhere to stipulations such as:
- Not using the service as part of violating any law
- Not attempting to break the security of any computer network or user
- Not posting commercial messages to Usenet groups without prior permission
- Not attempting to send junk or spam to anyone who doesn't want to receive it
- Not attempting to mail bomb a site with mass amounts of e-mail in order to flood their server
Users also typically agree to report any attempt to break into their accounts.
IT Security Principles
Know Your Enemy and Your Risks
IT security risks are business risks. Threats range from high-tech exploits to gain access to a company's networks to non-tech tactics such as stealing laptops or items of value. Common examples:
- Malware (malicious software): viruses, worms, trojan horses, spyware, and disruptive or destructive programs
- Insider error or action, either intentional or unintentional
- Fraud
- Fire, flood, or other natural disasters
IT at Work 5.1 $100 Million Data Breach
May 2006: a laptop and external hard drive belonging to the U.S. Dept of Veterans Affairs (VA) were stolen during a home burglary. Data on 26.5 million veterans and spouses had been stored in plaintext. VA Secretary Jim Nicholson testified before Congress that it would cost at least $10 million just to inform veterans of the security breach. Total cost of data breach: $100 million.
Risks:
- Cloud computing
- Social networks
- Phishing
- Search engine manipulation
Misuses:
- Money laundering
- Organized crime
- Terrorist financing
IT Security Defense-in-Depth Model
5.2 IS Vulnerabilities and Threats
Unintentional:
- human error
- environmental hazards
- computer system failure
Intentional:
- hacking
- malware
- manipulation
Figure 5.4 How a computer virus can spread
Malware and Botnet Defenses
- Anti-virus software
- Firewalls
- Intrusion detection systems (IDS)
- Intrusion prevention systems (IPS)
Top 10 Anti-virus software
5.3 Fraud, Crimes, and Violations
Two categories of crime:
- Violent
- Nonviolent
Fraud is a nonviolent crime because, instead of a gun or knife, fraudsters use deception, confidence, and trickery. Occupational fraud refers to the deliberate misuse of the assets of one's employer for personal gain.
Internal Fraud Prevention and Detection
IT has a key role to play in demonstrating effective corporate governance and fraud prevention. Internal fraud prevention measures are based on the same controls used to prevent external intrusions: perimeter defense technologies such as firewalls, scanners, and biometric access. Fraud detection can be handled by intelligent analysis engines using advanced data warehousing and analytics techniques.
5.4 IT and Network Security
Objectives of a defense strategy:
- Prevention and deterrence
- Detection
- Containment
- Recovery
- Correction
- Awareness and compliance
Figure 5.6 Major defense controls
Major categories of general controls
- physical controls
- access controls
- biometric controls
- communication network controls
- administrative controls
- application controls
- endpoint security and control
Figure 5.7 Intelligent agents
Figure 5.8 Three layers of network security measures
PKI (Public Key Infrastructure)
A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and to manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential e-mail. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.
Tokens
Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something. Some may store cryptographic keys, such as a digital signature, or biometric data, such as fingerprint details. So
Figure 5.9 Where IT security mechanisms are located
Authentication
Questions to help authenticate a person:
1. Who are you? Is this person an employee, a partner, or a customer? Different levels of authentication would be set up for different types of people.
2. Where are you? For example, an employee who has already used a badge to access the building is less of a risk than an employee logging on from a remote site.
3. What do you want? Is this person accessing sensitive or proprietary information or simply gaining access to benign data?
5.6 Internal Control and Compliance
Internal control (IC) is a process designed to achieve:
- reliability of financial reporting
- operational efficiency
- compliance with laws, regulations and policies
- safeguarding of assets
Symptoms of Fraud That Can Be Detected by Internal Controls
- Missing documents
- Delayed bank deposits
- Numerous outstanding checks or bills
- Employees who do not take vacations
- A large drop in profits
- A major increase in business with one particular customer
- Customers complaining about double billing
- Repeated duplicate payments
- Employees with the same address or phone number as a vendor
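Three of the symptoms above (repeated duplicate payments, double billing, and employees sharing an address or phone with a vendor) can be checked mechanically against the payables and master-data records. The script below is an added example, not from the slides; all records in it are constructed.

```python
"""Flag fraud symptoms from the slide's list in constructed finance records:
repeated duplicate payments, customers billed twice for one invoice, and
employees whose address or phone number matches a vendor's."""
from collections import Counter

# Constructed sample data; not taken from any real ledger.
PAYMENTS = [
    {"id": 1, "vendor": "Acme Supply", "invoice": "INV-100", "amount": 4200.00},
    {"id": 2, "vendor": "Acme Supply", "invoice": "INV-100", "amount": 4200.00},  # repeat
    {"id": 3, "vendor": "Northwind", "invoice": "NW-7", "amount": 980.50},
    {"id": 4, "vendor": "Acme Supply", "invoice": "INV-100", "amount": 4200.00},  # repeat
]
BILLINGS = [
    {"customer": "C-01", "invoice": "B-1", "amount": 300.0},
    {"customer": "C-01", "invoice": "B-1", "amount": 300.0},  # double billing
    {"customer": "C-02", "invoice": "B-2", "amount": 150.0},
]
EMPLOYEES = [
    {"name": "J. Doe", "address": "12 High St", "phone": "555-0100"},
    {"name": "A. Smith", "address": "9 Elm Rd", "phone": "555-0199"},
]
VENDORS = [
    {"name": "Acme Supply", "address": "12 High St", "phone": "555-0100"},
    {"name": "Northwind", "address": "1 Bay Ave", "phone": "555-0150"},
]


def duplicate_payments(payments):
    """(vendor, invoice, amount) combinations that were paid more than once."""
    counts = Counter((p["vendor"], p["invoice"], p["amount"]) for p in payments)
    return sorted(key for key, n in counts.items() if n > 1)


def double_billings(billings):
    """(customer, invoice) pairs that appear more than once in the billing run."""
    counts = Counter((b["customer"], b["invoice"]) for b in billings)
    return sorted(key for key, n in counts.items() if n > 1)


def employee_vendor_matches(employees, vendors):
    """Employees whose address or phone also appears in the vendor master file."""
    by_addr = {v["address"]: v["name"] for v in vendors}
    by_phone = {v["phone"]: v["name"] for v in vendors}
    hits = []
    for e in employees:
        if e["address"] in by_addr:
            hits.append((e["name"], by_addr[e["address"]], "address"))
        if e["phone"] in by_phone:
            hits.append((e["name"], by_phone[e["phone"]], "phone"))
    return hits
```

Each hit is a lead for the internal-control reviewer, not proof of fraud: legitimate re-issued invoices and family businesses produce the same patterns.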
5.7 Business Continuity and Auditing
An important element in any security system is the business continuity plan, also known as the disaster recovery plan. The plan outlines the process by which businesses should recover from a major disaster. The purpose of a business continuity plan is to keep the business running after a disaster occurs. Each business function should have a valid recovery capability plan. The plan should be written so that it will be effective in case of disaster, not just in order to satisfy the auditors.
Risk-Management Analysis
Expected loss = P1 × P2 × L, where:
P1 = probability of attack
P2 = probability of the attack being successful
L = loss occurring if the attack is successful
Example: P1 = 0.02, P2 = 0.10, L = $1,000,000
Expected loss from this particular attack is P1 × P2 × L = 0.02 × 0.1 × $1,000,000 = $2,000
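The formula above, as an added example (not from the slides), applied to several attack scenarios so they can be ranked by expected loss, plus the usual next step in risk-management analysis, which the slide does not show: comparing the expected loss a control removes with what the control costs. The first scenario is the slide's own figures; the other scenarios and the control cost are constructed.

```python
"""Expected loss = P1 * P2 * L, generalised to rank several scenarios and
to test whether a countermeasure that lowers P2 is worth its cost."""


def expected_loss(p1, p2, loss):
    """P1 = probability of attack, P2 = probability it succeeds, L = loss."""
    for p in (p1, p2):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    return p1 * p2 * loss


def rank_scenarios(scenarios):
    """Return (name, expected_loss) pairs, largest expected loss first."""
    ranked = [(s["name"], expected_loss(s["p1"], s["p2"], s["loss"]))
              for s in scenarios]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def control_is_worthwhile(p1, p2_before, p2_after, loss, control_cost):
    """Cost-benefit step (hypothetical extension of the slide's formula):
    a control pays off when the expected loss it removes exceeds its cost.
    Returns (worthwhile, expected_loss_saved)."""
    saved = expected_loss(p1, p2_before, loss) - expected_loss(p1, p2_after, loss)
    return saved > control_cost, saved


# First entry is the slide's example; the other two are constructed.
SCENARIOS = [
    {"name": "slide example", "p1": 0.02, "p2": 0.10, "loss": 1_000_000},
    {"name": "stolen laptop with plaintext data", "p1": 0.05, "p2": 0.80, "loss": 250_000},
    {"name": "phishing of one employee", "p1": 0.50, "p2": 0.05, "loss": 40_000},
]

if __name__ == "__main__":
    for name, value in rank_scenarios(SCENARIOS):
        print(f"{name}: ${value:,.0f}")
    ok, saved = control_is_worthwhile(0.02, 0.10, 0.01, 1_000_000, control_cost=1500)
    print(f"control saves ${saved:,.0f} per period; worthwhile: {ok}")
```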
Ethical issues
Implementing security programs raises many ethical issues. Handling the privacy versus security dilemma is tough. Ethical and legal obligations may require companies to "invade the privacy" of employees and monitor their actions. Under the doctrine of duty of care, senior managers and directors should protect the company's business operations.