Chapter 12 Information Security Management

Chapter 12 Information Security Management Jason C. H. Chen, Ph.D. Professor of MIS School of Business Administration Gonzaga University Spokane, WA 99258 chen@jepson.gonzaga.edu

Could Someone Be Getting To Our Data? Stealing only from weddings of club members Knowledge: How to access system and database and SQL Access: Passwords on yellow stickies; many copies of key to server building Suspect: Greens keeper guy’s “a techno-whiz,” created report for Anne, knows SQL and how to access database

Chapter Preview This chapter describes common sources of security threats and explains management’s role in addressing those threats. It defines the major elements of an organizational security policy. It presents the most common types of technical, data, and human security safeguards. We then discuss how organizations should respond to security incidents, and, finally, examine common types of computer crime. The primary focus is on management’s responsibility for the organization’s security policy and for implementing human security safeguards. We approach this topic from the standpoint of a major organization that has professional staff in order to learn the tasks that need to be accomplished. Both MRV and FlexTime need to adapt the full-scale security program to their smaller requirements and more limited budget.

Study Questions Q1: What is the goal of information systems security? Q2: How should you respond to security threats? Q3: How should organizations respond to security threats? Q4: What technical safeguards are available? Q5: What data safeguards are available? Q6: What human safeguards are available? Q7: 2022?

Q1: What Is the Goal of Information Systems Security?

Q1: What Is the Goal of Information Systems Security? The IS Security Threat/Loss Scenario: A threat is a person or organization that seeks to obtain data or another asset illegally, without the owner’s permission and often without the owner’s knowledge. A vulnerability is an opportunity for threats to gain access to individual or organizational assets. A safeguard is some measure that individuals or organizations take to block the threat from obtaining the asset. The target is the asset that is desired by the threat.

Fig 12-1 Threat/Loss Scenario

Safeguards There are three components of a sound organizational security program: Senior management must establish a security policy and manage risks. Safeguards of various kinds must be established for all five components of an IS as the figure below demonstrates. The organization must plan its incident response before any problems occur. Fig 12-extra Security Safeguards as They Relate to the Five Components

Examples of Threat/Loss Fig 12-2 Examples of Threat/Loss

What Are the Sources of Threats? Security threats arise from three sources: Human error and mistakes, Computer crime, and Natural events and disasters.

Human Errors and Mistakes Human errors and mistakes include: Accidental problems caused by both employees and nonemployees. An employee misunderstands operating procedures and accidentally deletes customer records. An employee, while backing up a database, inadvertently installs an old database on top of the current one. Category also includes poorly written application programs and poorly designed procedures. Physical accidents, such as driving a forklift through the wall of a computer room.

Computer Crime Employees and former employees who intentionally destroy data or other system components Hackers who break into a system; virus and worm writers who infect computer systems Outside criminals who break into a system to steal for financial gain Terrorism

Q/A Which of the following is most likely to be the result of hacking? A) certain Web sites being blocked from viewing for security reasons B) small amounts of spam in your inbox C) an unexplained reduction in your account balance D) pop-up ads appearing frequently Answer: _____ C

Natural Events and Disasters Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature Includes the initial loss of capability and service, and losses stemming from actions to recover from the initial problem

Fig 12-3 Security Problems and Sources

What Types of Security Loss Exist? Unauthorized data disclosure: pretexting, phishing, spoofing (IP spoofing, email spoofing), drive-by sniffers, hacking, natural disasters.

Incorrect Data Modification Procedures not followed or incorrectly designed procedures Increasing a customer’s discount or incorrectly modifying employee’s salary Placing incorrect data on company Web site Improper internal controls on systems System errors Faulty recovery actions after a disaster

Faulty Service Incorrect data modification Systems working incorrectly Procedural mistakes Programming errors IT installation errors Usurpation Denial of service (unintentional) Denial-of-service attacks (intentional)

Loss of Infrastructure Human accidents Theft and terrorist events Disgruntled or terminated employees Natural disasters

How Big Is the Computer Security Problem? Fig 12-4 Sample Arrests and Convictions Reported by the US Department of Justice

Percent of Security Incidents Fig 12-5 Percent of Security Incidents

Goal of Information Systems Security Threats can be stopped, or at least threat loss reduced Safeguards are expensive and reduce work efficiency Find trade-off between risk of loss and cost of safeguards

Q2: How Should You Respond to Security Threats? Fig 12-6 Personal Security Safeguards

Q/A T/F Cookies enable one to access Web sites without having to sign in every time. Answer: ____ TRUE

Q3. How Should Organizations Respond to Security Threats? NIST Handbook of Security Elements Fig 12-7 Management Guidelines for IS Security

What Are the Elements of a Security Policy? Elements of Security Policy Managing Risks General statement of organization’s security program Issue-specific policy System-specific policy Risk — threats & consequences we know about Uncertainty — things we do not know that we do not know

What Are the Elements of a Security Policy? A security policy has three elements: A general statement of the organization’s security program. This statement becomes the foundation for more specific security measures. Management specifies the goals of the security program and the assets to be protected. The statement designates a department for managing the security program and its documents. In general terms, it specifies how the organization will ensure enforcement of security programs and policies. Issue-specific policy. Personal use of computers at work and email privacy. System-specific policy. What customer data from the order-entry system will be sold or shared with other organizations? Or, what policies govern the design and operation of systems that process employee data? Addressing such policies is part of the standard systems development process.

Q/A Which of the following is an example of a system-specific security policy? A) limiting the personal use of an organization's computer systems B) deciding what customer data from the order-entry system will be shared with other organizations C) designating a department for managing an organization's IS security D) inspecting an employee's personal email for compliance with company policy Answer: ____ B

How Is Risk Managed? Risk—likelihood of an adverse occurrence. Management cannot manage threats directly, but can limit security consequences by creating a backup processing facility at a remote location. Companies can reduce risks, but always at a cost. It is management’s responsibility to decide how much to spend, or stated differently, how much risk to assume. Uncertainty refers to lack of knowledge, especially about the chance of occurrence or risk of an outcome or event. An earthquake could devastate a corporate data center built on a fault that no one knew about. An employee finds a way to steal inventory using a hole in the corporate Web site that no expert knew existed.

Risk Assessment and Management Tangible consequences Intangible consequences Likelihood Probable loss Risk-Management Decisions Given probable loss, what to protect? Which safeguards inexpensive and easy? Which vulnerabilities expensive to eliminate? How to balance cost of safeguards with benefits of probable loss reduction? 

Factors to Consider in Risk Assessment and Risk Management Decisions When you’re assessing risks to an information system you must first determine: What the threats are. How likely they are to occur. The consequences if they occur. The figure below lists the factors you should include in a risk assessment. Once you’ve assessed the risks to your information system, you must make decisions about how much security you want to pay for. Each risk-management decision carries consequences. Some risks are easy and inexpensive to manage; some are expensive and difficult. Managers have a fiduciary responsibility to the organization to adequately manage risk. Fig 12-Extra Risk Assessment Factors

Factors to Consider in Risk Assessment: Brief Summary A safeguard is any action, device, procedure, technique, or other measure that reduces a system’s vulnerability to a threat. No safeguard is ironclad; there is always a residual risk that it will not protect the assets in all circumstances. A vulnerability is an opening or a weakness in a security system. Some vulnerabilities exist because there are no safeguards or because existing safeguards are ineffective. Consequences are the damages that occur when an asset is compromised. Consequences can be tangible or intangible. Tangible consequences are those whose financial impact can be measured. Intangible consequences, such as the loss of customer goodwill due to an outage, cannot be measured.

Factors to Consider in Risk Assessment: Brief Summary (Final Two Factors in Risk Assessment) Likelihood is the probability that a given asset will be compromised by a given threat, despite the safeguards. Probable loss is the “bottom line” of risk assessment. To obtain a measure of probable loss, companies multiply likelihood by cost of the consequences. Probable loss also includes a statement of intangible consequences.
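The probable-loss calculation and the risk-management decisions from the preceding slides, worked through on a small risk register. This is an added example, not the textbook's material; the assets, likelihoods, costs and safeguards (including the residual likelihoods, since no safeguard is ironclad) are constructed, hypothetical values.

```python
"""Risk assessment in the chapter's terms: probable loss = likelihood x cost of the
consequences, then compare each safeguard's reduction in probable loss against its cost."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float           # chance per year the asset is compromised by this threat
    tangible_cost: float        # measurable dollar consequence if it happens
    intangible: str = ""        # consequences that cannot be measured; stated, not priced


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    threat: str                 # the threat this safeguard addresses
    residual_likelihood: float  # likelihood that remains: no safeguard is ironclad


def probable_loss(risk: Risk) -> float:
    """The 'bottom line' of risk assessment: likelihood times cost of consequences."""
    return round(risk.likelihood * risk.tangible_cost, 2)


def loss_reduction(risk: Risk, safeguard: Safeguard) -> float:
    """Probable loss the safeguard removes for this risk (0 if it does not apply)."""
    if safeguard.threat != risk.threat:
        return 0.0
    return round((risk.likelihood - safeguard.residual_likelihood) * risk.tangible_cost, 2)


def net_benefit(risks, safeguard: Safeguard) -> float:
    """Probable-loss reduction across all risks minus the safeguard's own cost."""
    reduction = sum(loss_reduction(r, safeguard) for r in risks)
    return round(reduction - safeguard.annual_cost, 2)


def recommend(risks, safeguards):
    """Safeguards worth paying for (positive net benefit), best first. A negative net
    benefit means the safeguard costs more than the loss it prevents: management is
    then deciding to assume that risk."""
    scored = [(net_benefit(risks, s), s.name) for s in safeguards]
    return [name for benefit, name in sorted(scored, reverse=True) if benefit > 0]


# Constructed register modelled on the chapter's examples; every value is hypothetical.
RISKS = [
    Risk("Customer database", "accidental deletion by employee", 0.20, 50_000),
    Risk("Server building", "unauthorized physical access", 0.10, 300_000,
         "loss of member trust"),
    Risk("Data center", "flood", 0.02, 2_000_000, "loss of customer goodwill during outage"),
]
SAFEGUARDS = [
    Safeguard("Daily database backups", 6_000, "accidental deletion by employee", 0.02),
    Safeguard("Locked, controlled-access server room", 4_000, "unauthorized physical access", 0.02),
    Safeguard("Hot site ($250,000/month)", 3_000_000, "flood", 0.005),
    Safeguard("Cold site", 60_000, "flood", 0.01),
]


def report(risks=RISKS, safeguards=SAFEGUARDS) -> str:
    """Probable loss per risk (with intangibles stated) and net benefit per safeguard."""
    lines = [f"{r.asset} / {r.threat}: probable loss ${probable_loss(r):,.2f}"
             + (f" (+ intangible: {r.intangible})" if r.intangible else "") for r in risks]
    lines += [f"{s.name}: net benefit ${net_benefit(risks, s):,.2f}" for s in safeguards]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    print("Recommended:", recommend(RISKS, SAFEGUARDS))
```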

Q/A Which of the following is an example of an intangible consequence? A) a dip in sales because supplies were not replenished B) a loss of customer goodwill due to an outage C) a drop in production due to plant maintenance D) a financial loss due to high input costs Answer: ____ B

Q4: What Technical Safeguards Are Available? Fig 12-8 Technical Safeguards

List of Primary Technical Safeguards You can establish five technical safeguards for the hardware and software components of an information system, as Figure 12-8 shows. 1. Identification and authentication includes (1) passwords (what you know), (2) smart cards (what you have), and (3) biometric authentication (what you are). (4) Single sign-on for multiple systems (Kerberos): since users must access many different systems, it’s often more secure, and easier, to establish single sign-on. Kerberos authenticates users without sending passwords across the network. “Tickets” enable users to obtain services from multiple networks and servers. Windows, Linux, and Unix employ Kerberos.

List of Primary Technical Safeguards (cont.) Identification and authentication (cont.) (5) Wireless systems pose additional threats: VPNs and special security servers; Wired Equivalent Privacy (WEP), first developed; Wi-Fi Protected Access (WPA), more secure; Wi-Fi Protected Access (WPA2), newest and most secure. Note: 4 & 5 are for system access protocols.

Q/A T/F A magnetic strip holds far more data than a microchip. Answer: _______ FALSE

2. Encryption Encryption is the second safeguard you can establish for an IS. The chart below and on the next slide describes the basic techniques. Q/A T/F Asymmetric encryption is simpler and much faster than symmetric encryption. Answer: FALSE Fig 12-9 Basic Encryption Techniques

Essence of HTTPS (SSL or TLS) Fig 12-10 The Essence of HTTPS (SSL or TLS)

Which of the following observations concerning Secure Socket Layer (SSL) is true? A) It uses only asymmetric encryption. B) It is a useful hybrid of symmetric and asymmetric encryption techniques. C) It works between Levels 2 and 3 of the TCP-OSI architecture. D) It is a stronger version of HTTPS. Answer:____ B You are transferring funds online through the Web site of a reputed bank. Which of the following displayed in your browser's address bar will let you know that the bank is using the SSL protocol? A) http B) www C) https D) .com Answer: ____ C
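The hybrid in Fig 12-10 and the first question above, walked through in code: the server's public key is used once to hand over a symmetric session key, and the fast symmetric cipher does all the work afterwards. This is an added teaching example, not material from the textbook; it stands in textbook RSA (no padding, fixed primes) and a SHA-256 keystream for the real SSL/TLS algorithms, so it illustrates the exchange but is not usable cryptography.

```python
"""The essence of HTTPS (SSL/TLS): asymmetric encryption to agree on a key,
symmetric encryption for the session. Toy algorithms, illustration only."""
import hashlib
import secrets

# --- Asymmetric part: textbook RSA (educational, not secure as written) -----------
# Two known Mersenne primes give a modulus large enough to hold a 128-bit session key.
P = 2**127 - 1
Q = 2**89 - 1


def rsa_keypair(p=P, q=Q, e=65537):
    """Return (public_key, private_key) as (e, n) and (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(public_key, message_int: int) -> int:
    e, n = public_key
    return pow(message_int, e, n)


def rsa_decrypt(private_key, cipher_int: int) -> int:
    d, n = private_key
    return pow(cipher_int, d, n)


# --- Symmetric part: SHA-256 counter-mode keystream XOR (educational only) ---------
def keystream(key: bytes, length: int) -> bytes:
    """Expand the session key into `length` pseudo-random bytes."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# --- The exchange of Fig 12-10 -----------------------------------------------------
def https_session(client_request: bytes) -> dict:
    """Walk through the handshake and one encrypted request; return the pieces."""
    # 1. The server holds a long-lived key pair and sends its PUBLIC key to the client.
    server_public, server_private = rsa_keypair()
    # 2. The client generates a fresh 128-bit symmetric session key ...
    session_key = secrets.token_bytes(16)
    # 3. ... encrypts it with the server's public key and sends it over.
    wrapped_key = rsa_encrypt(server_public, int.from_bytes(session_key, "big"))
    # 4. Only the server's PRIVATE key can unwrap the session key.
    server_session_key = rsa_decrypt(server_private, wrapped_key).to_bytes(16, "big")
    # 5. From here on both sides use the fast symmetric key for the whole session.
    ciphertext = symmetric_crypt(session_key, client_request)
    recovered = symmetric_crypt(server_session_key, ciphertext)
    return {
        "keys_match": session_key == server_session_key,
        "ciphertext": ciphertext,
        "recovered": recovered,
    }


if __name__ == "__main__":
    result = https_session(b"GET /account/balance HTTP/1.1")
    print("session keys match:", result["keys_match"])
    print("server read back:", result["recovered"])
```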

3. Firewalls Firewalls, the third technical safeguard, are computing devices that prevent unauthorized network access. They should be installed and used with every computer that’s connected to any network, especially the Internet. The diagram shows how perimeter and internal firewalls are special devices that help protect a network. Packet-filtering firewalls are programs on general-purpose computers or on routers that examine each packet entering the network. Fig (extra) Use of Multiple Firewalls

Symptoms of Adware and Spyware This slide is for lecture. Malware protection is the fourth technical safeguard. We’ll concentrate on spyware and adware here. Spyware consists of programs that may be installed on your computer without your knowledge or permission. Adware is a benign program that’s also installed without your permission. It resides in your computer’s background and observes your behavior. If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer. Fig 12-8 Spyware & Adware Symptoms

4. Malware Protection Malware protection (fourth technical safeguard): Spyware - resides in the background, unknown to the user; observes the user’s actions and keystrokes, monitors computer activity, and reports the user’s activities to sponsoring organizations. Some capture keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Some support marketing analyses, observing what users do, Web sites visited, products examined and purchased, and so forth. Adware - does not perform malicious acts or steal data. It watches user activity and produces pop-up ads. Adware can change the user’s default window or modify search results and switch the user’s search engine. Beacons – tiny files that gather demographic information (e.g., gender, age, income). The information is refreshed in real time and sold to other companies.

4. Malware Types and Spyware and Adware Symptoms (cont.) Spyware & Adware Symptoms Viruses Payload Trojan horses Worms Beacons If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer. Fig 12-11 Spyware & Adware Symptoms

Malware Safeguards Antivirus and antispyware programs Scan frequently Update malware definitions Open email attachments only from known sources Install software updates Browse only reputable Internet neighborhoods

Bots, Botnets, and Bot Herders A bot is surreptitiously installed and takes actions unknown to and uncontrolled by the user or administrator. Some are very malicious, others merely annoying. A botnet is a network of bots created and managed by an individual or organization that infects networks with a bot program. A bot herder is the individual or organization that controls the botnet. Botnets are serious problems for commerce and national security. It is believed that a unit of the North Korean Army served as a bot herder for a botnet that caused denial-of-service attacks on Web servers in South Korea and in the United States in July 2009.

5. Design Secure Applications Designing secure applications is the last (fifth) technical safeguard. You should ensure that any information system developed for you and your department includes security as one of the application requirements.

Q5: What Data Safeguards Are Available? Data safeguards are measures used to protect databases and other organizational data. An organization should follow the safeguards listed in this figure. Remember, data and the information from it are one of the most important resources an organization has. Fig 12-12 Data Safeguards

Some Important Data Safeguards Sensitive data should be protected by storing it in encrypted form. When data are encrypted, a trusted party should have a copy of the encryption key; this safety procedure is called key escrow. Periodically create backup copies of database contents. The DBMS and all devices that store database data should reside in locked, controlled-access facilities. Physical security was a problem that MRV had when it lost its data. Organizations may contract with other companies to manage their databases, inspect their premises, and interview their personnel to make sure they practice proper data protections.

Q6: Human Safeguards for Employees Human safeguards for employees are some of the most important safeguards an organization can deploy. They should be coupled with effective procedures to help protect information systems. This figure shows the safeguards for in-house employees. Fig 12-13 Human Safeguards for Employees (In-house Staff)

Human Safeguards for Nonemployee Personnel Least privileged accounts Contract personnel Specify security responsibilities Public Users Hardening site Require vendors and partners to perform appropriate screening and security training Specify security responsibilities for work to be performed

Account Administration Account Management Standards for new user accounts, modification of account permissions, removal of unneeded accounts. Password Management Users should change passwords frequently Help Desk Policies

Account Administration Account management (administration) is the third type of human safeguard and has three components—account management, password management, and help-desk policies. Account management focuses on Standards for new user accounts, modification of account permissions, removal of unneeded accounts Password management requires that users Immediately change newly created passwords Change passwords periodically Help Desk Policies Fig 12-14 Sample Account Acknowledgement Form

Systems Procedures Effective system procedures can help increase security and reduce the likelihood of computer crime. As this figure shows, procedures should exist for both system users and operations personnel that cover normal, backup, and recovery procedures. Security monitoring is the last human safeguard. It includes: Activity log analyses Security testing Investigating and learning from security incidents. Fig 12-15 Systems Procedures

Security Monitoring Functions Activity log analyses Firewall, DBMS, Web server In-house and external Security testing Investigation of incidents Create “honeypots”

Responding to Security Incidents Human error & Computer crimes Procedures for how to respond to security problems, whom to contact, data to gather, and steps to reduce further loss Centralized reporting of all security incidents Incident-response plan (see next slide) Emergency procedures

Incident-Response Plan Along with disaster preparedness plans, every organization should think about how it will respond to security incidences that may occur, before they actually happen. The figure below lists the major factors that should be included in any incident response. Fig 12 (extra) Factors in Incident Response

Major Disaster-Preparedness Tasks No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems. This figure describes disaster preparedness tasks for every organization, large and small. The last item that suggests an organization train and rehearse its disaster preparedness plans is very important. Fig 12-16 Disaster Preparedness Tasks

Disaster-Recovery Backup Sites Hot site: a utility company that can take over another company’s processing with no forewarning. Hot sites are expensive; organizations pay $250,000 or more per month for such services. Cold sites provide computers and office space. They are cheaper to lease, but customers install and manage systems themselves. The total cost of a cold site, including all customer labor and other expenses, might not necessarily be less than the cost of a hot site.

Q7: 2022? Challenges likely to be iOS and other intelligent portable devices. Harder for the lone hacker to find a vulnerability to exploit. Continued investment in safeguards. Continued problem of electronically porous national borders.

End of Chapter 12