Security. If I get 7.5% interest on $5,349.44, how much do I get in a month? (.075/12) = .00625; .00625 * 5,349.44 = $33.434. What happens to the .004? .004 + .004 + .004 = .012

Security

Standard Example

If I get 7.5% interest on $5,349.44, how much do I get in a month? (.075/12) = .00625; .00625 * 5,349.44 = $33.434. What happens to the .004? .004 * 1,000,000 customers * 12 months = $48,000!!!!! Nice income supplement.
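The "standard example" above is the classic salami-slicing fraud: the sub-cent remainder of every interest posting is real money, and an insider who can choose where it goes can collect it. The control is to account for the remainder explicitly and reconcile it. The following is an added example, not part of the original slides: it computes the posting with exact decimal arithmetic, carries the remainder separately, and checks that the aggregate residue shows up as a posting to a rounding-suspense account. The function names and the one-million-customer portfolio are constructed for the illustration.

```python
from decimal import Decimal, ROUND_DOWN

CENT = Decimal("0.01")


def monthly_interest(balance, annual_rate):
    """Exact, unrounded interest accrued on a balance for one month.
    Amounts are passed as Decimal or as strings ("5349.44"), never as floats."""
    return Decimal(balance) * (Decimal(annual_rate) / Decimal(12))


def post_interest(balance, annual_rate, rounding=ROUND_DOWN):
    """Return (cents credited to the customer, sub-cent remainder).

    The remainder is the slide's ".004": real money the bank owes, so it
    must be carried in a controlled rounding-suspense account rather than
    dropped on the floor or quietly swept into someone's own account.
    """
    exact = monthly_interest(balance, annual_rate)
    credited = exact.quantize(CENT, rounding=rounding)
    return credited, exact - credited


def reconcile(portfolio, annual_rate, months=12):
    """portfolio maps a balance to the number of accounts holding it
    (constructed input; a real run would walk the account ledger).

    Returns (total credited, total accrued, residue). Accrued minus
    credited is the rounding residue the general ledger must explain.
    """
    credited = accrued = Decimal(0)
    for balance, n_accounts in portfolio.items():
        c, r = post_interest(balance, annual_rate)
        credited += c * n_accounts * months
        accrued += (c + r) * n_accounts * months
    return credited, accrued, accrued - credited


def residue_accounted_for(residue, suspense_posting):
    """Control check: the residue must appear, to the cent, as a posting to
    the rounding-suspense account. Any shortfall means cents are leaking."""
    return Decimal(residue).quantize(CENT) == Decimal(suspense_posting).quantize(CENT)


if __name__ == "__main__":
    # Constructed portfolio: the slide's one million customers, each holding $5,349.44.
    portfolio = {"5349.44": 1_000_000}
    credited, accrued, residue = reconcile(portfolio, "0.075")
    print(f"credited {credited}  accrued {accrued}  residue {residue}")
    print(residue_accounted_for(residue, "48000.00"))  # True: the $48,000 sits in suspense
    print(residue_accounted_for(residue, "0.00"))      # False: the $48,000 went somewhere else
```

Per account the posting is $33.43 with $0.004 left over; across the constructed portfolio the residue is exactly the slide's $48,000 a year, which is why a rounding-suspense account and a periodic reconciliation are standard controls.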

Computer Crime

- Computer crime losses estimated between $15-$300 Billion annually.
- “The playground bullies are learning how to type” -- Forbes Magazine.

BUT, crime is not the only security area!

- Three main concerns:
  - evil (crime)
  - system limitations
  - Carelessness / Stupidity

The First Line of Defense - People

- Organizations must enable employees, customers, and partners to access information electronically
- The biggest issue surrounding information security is not a technical issue, but a people issue
- 33% of security incidents originate within the organization
  - Insiders – legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident

The First Line of Defense - People

- The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
  - Information security policies – identify the rules required to maintain information security
  - Information security plan – details how an organization will implement the information security policies

The First Line of Defense - People

- Five steps to creating an information security plan:
  1. Develop the information security policies
  2. Communicate the information security policies
  3. Identify critical information assets and risks
     - Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network
     - Intrusion detection software (IDS) – searches out patterns in network traffic to indicate attacks and quickly respond to prevent harm
  4. Test and reevaluate risks
  5. Obtain stakeholder support

The First Line of Defense - People

- Hackers frequently use “social engineering” to obtain passwords
  - Social engineering – using one’s social skills to trick people into revealing access credentials or other information valuable to the attacker

The Second Line of Defense - Technology

- Three primary information security areas:
  1. Authentication and authorization
  2. Prevention and resistance
  3. Detection and response

AUTHENTICATION AND AUTHORIZATION

- Authentication – a method for confirming users’ identities
- The most secure type of authentication involves a combination of the following:
  1. Something the user knows such as a user ID and password
  2. Something the user has such as a smart card or token
  3. Something that is part of the user such as a fingerprint or voice signature

Something the User Knows such as a User ID and Password

- This is the most common way to identify individual users and typically contains a user ID and a password
- This is also the most ineffective form of authentication
- Over 50 percent of help-desk calls are password related

Something the User Has such as a Smart Card or Token

- Smart cards and tokens are more effective than a user ID and a password
  - Tokens – small electronic devices that change user passwords automatically
  - Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing

Something That Is Part of the User such as a Fingerprint or Voice Signature

- This is by far the best and most effective way to manage authentication
  - Biometrics – the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting
- Unfortunately, this method can be costly and intrusive
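The three authentication slides above describe combining "something the user knows" with "something the user has", and describe a token as a device whose password changes automatically. The block below is an added example, not code from the original slides: it stores the knowledge factor only as a salted PBKDF2 hash, implements a time-based one-time password in the style of RFC 6238 for the possession factor, and accepts a login only when both factors pass. The function names, the user record layout and the sample password are constructed; the 20-byte secret is the RFC 6238 test-vector secret so the codes it produces can be checked against the RFC.

```python
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Store 'something the user knows' only as a salted PBKDF2-SHA256 hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238 on top of HOTP, HMAC-SHA1).

    The token device and the server share `secret`; the code is derived from
    the current 30-second time slot, so it changes by itself, which is what
    the slide means by a token that changes the password automatically."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1):
    """Accept the current slot or one slot either side to absorb clock drift."""
    for delta in range(-window, window + 1):
        expected = totp(secret, unix_time + delta * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(user, password, code, unix_time=None):
    """Two-factor login: the knowledge factor AND the possession factor must both pass.
    Both checks are always evaluated so the response time does not reveal which failed."""
    unix_time = int(time.time()) if unix_time is None else unix_time
    knows = check_password(password, user["salt"], user["pw_hash"])
    has = verify_totp(user["totp_secret"], code, unix_time)
    return knows and has


def make_user(password, totp_secret):
    """Constructed user record, laid out as a server would store it."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


if __name__ == "__main__":
    user = make_user("correct horse battery", b"12345678901234567890")
    print(totp(user["totp_secret"], 59))                              # 287082
    print(authenticate(user, "correct horse battery", "287082", 59))  # True
    print(authenticate(user, "wrong password", "287082", 59))         # False
    print(authenticate(user, "correct horse battery", "000000", 59))  # False
```

A stolen password alone fails the second check, and a stolen code is only good for about a minute and a half, which is the practical reason the slides rate the combination above either factor on its own.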

PREVENTION AND RESISTANCE

- Downtime can cost an organization anywhere from $100 to $1 million per hour
- Technologies available to help prevent and build resistance to attacks include:
  1. Content filtering
  2. Encryption
  3. Firewalls

Content Filtering

- Organizations can use content filtering technologies to filter and prevent e-mails containing sensitive information from transmitting and stop spam and viruses from spreading.
  - Content filtering – occurs when organizations use software that filters content to prevent the transmission of unauthorized information
  - Spam – a form of unsolicited

ENCRYPTION

- If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
  - Encryption – scrambles information into an alternative form that requires a key or password to decrypt the information

SECURITY AND THE INTERNET

[Figure: Public key encryption – the sender encrypts with the public key, producing a scrambled message; the recipient decrypts with the private key.]

FIREWALLS

- One of the most common defenses for preventing a security breach is a firewall
  - Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network

FIREWALLS

- Sample firewall architecture connecting systems located in Chicago, New York, and Boston
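The two FIREWALLS slides define a firewall as software that analyzes traffic leaving and entering a private network and sketch an architecture linking Chicago, New York and Boston. The block below is an added example, not code from the original slides: a first-match packet filter with a default deny, evaluated over constructed packets. The three office networks, the web server and mail relay addresses, and the Packet/Rule names are all invented for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = entering the private network, "out" = leaving it
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "in", "out" or "any"
    src: str = ANY
    dst: str = ANY
    proto: str = "any"
    dport: int = 0       # 0 = any destination port
    note: str = ""

    def matches(self, pkt):
        return (self.direction in ("any", pkt.direction)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (0, pkt.dport))


def evaluate(rules, pkt, default="deny"):
    """First matching rule wins, as in most packet filters. Returns
    (action, rule) so every decision can be logged with its reason; an
    unmatched packet gets the default, which should always be deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule
    return default, None


# Constructed policy for the Chicago site (10.1.0.0/16) with sister offices
# in New York (10.2.0.0/16) and Boston (10.3.0.0/16); every address is made up.
CHICAGO = "10.1.0.0/16"
RULES = [
    Rule("allow", "in", src="10.2.0.0/16", dst=CHICAGO, note="New York office"),
    Rule("allow", "in", src="10.3.0.0/16", dst=CHICAGO, note="Boston office"),
    Rule("allow", "in", dst="10.1.5.10/32", proto="tcp", dport=443, note="public web server"),
    Rule("deny", "in", dst="10.1.5.10/32", note="nothing else reaches the web server"),
    Rule("allow", "out", src=CHICAGO, proto="tcp", dport=443, note="staff HTTPS"),
    Rule("allow", "out", src=CHICAGO, proto="tcp", dport=80, note="staff HTTP"),
    Rule("allow", "out", src="10.1.5.20/32", proto="tcp", dport=25, note="only the mail relay sends mail"),
    # anything not listed above falls through to the default deny
]


if __name__ == "__main__":
    samples = [
        Packet("in", "203.0.113.7", "10.1.5.10", "tcp", 443),   # allow: public web
        Packet("in", "203.0.113.7", "10.1.5.10", "tcp", 22),    # deny
        Packet("in", "10.2.4.4", "10.1.9.9", "tcp", 445),       # allow: New York office
        Packet("out", "10.1.7.7", "198.51.100.5", "tcp", 443),  # allow
        Packet("out", "10.1.7.7", "198.51.100.5", "tcp", 25),   # deny: a workstation speaking SMTP directly
        Packet("out", "10.1.5.20", "198.51.100.5", "tcp", 25),  # allow: the relay
    ]
    for pkt in samples:
        action, rule = evaluate(RULES, pkt)
        why = rule.note if rule else "default"
        print(f"{action:5} {pkt.direction:3} {pkt.src} -> {pkt.dst}:{pkt.dport} ({why})")
```

The outbound rules matter as much as the inbound ones: a workstation that suddenly speaks SMTP to the internet is a classic sign of malware, and the filter blocks it because the slide's definition covers information leaving the network, not only entering it.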

DETECTION AND RESPONSE

- If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
- Antivirus software is the most common type of detection and response technology

DETECTION AND RESPONSE

- Some of the most damaging forms of security threats to e-business sites include:
  - Malicious code – includes a variety of threats such as viruses, worms, and Trojan horses
  - Hoaxes – attack computer systems by transmitting a virus hoax, with a real virus attached
  - Spoofing – the forging of the return address on an e-mail so that the message appears to come from someone other than the actual sender
  - Sniffer – a program or device that can monitor data traveling over a network
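Step 3 of the security-plan slide defines intrusion detection software as something that "searches out patterns in network traffic to indicate attacks", and the DETECTION AND RESPONSE slides above are about acting on such patterns. The following is an added example, not code from the original slides: a small detector that reads constructed flow records and flags a source that probes many distinct ports on one host inside a short window, the signature of a port scan. The log format, the addresses and the thresholds are all invented for the illustration.

```python
from collections import Counter, defaultdict

# Constructed flow records: "<unix time> <src ip> <dst ip> <dst port> <tcp flags>".
# 203.0.113.9 walks a dozen ports in six seconds; 10.2.4.4 is an ordinary client
# reusing one port; 198.51.100.5 touches three ports over ten minutes; the "SA"
# line is a server reply, which is not a connection attempt and is ignored.
SAMPLE_FLOWS = """\
1700000000 203.0.113.9 10.1.5.10 21 S
1700000001 203.0.113.9 10.1.5.10 22 S
1700000001 203.0.113.9 10.1.5.10 23 S
1700000002 203.0.113.9 10.1.5.10 25 S
1700000002 203.0.113.9 10.1.5.10 53 S
1700000003 203.0.113.9 10.1.5.10 80 S
1700000003 203.0.113.9 10.1.5.10 110 S
1700000004 203.0.113.9 10.1.5.10 143 S
1700000004 203.0.113.9 10.1.5.10 443 S
1700000005 203.0.113.9 10.1.5.10 445 S
1700000005 203.0.113.9 10.1.5.10 3389 S
1700000006 203.0.113.9 10.1.5.10 8080 S
1700000000 10.2.4.4 10.1.5.10 443 S
1700000000 10.1.5.10 10.2.4.4 51514 SA
1700000030 10.2.4.4 10.1.5.10 443 S
1700000060 10.2.4.4 10.1.5.10 443 S
1700000000 198.51.100.5 10.1.5.10 80 S
1700000200 198.51.100.5 10.1.5.10 443 S
1700000400 198.51.100.5 10.1.5.10 22 S
"""


def parse_flow(line):
    ts, src, dst, port, flags = line.split()
    return int(ts), src, dst, int(port), flags


def detect_port_scans(lines, window=60, threshold=10):
    """Flag a source that attempts connections to at least `threshold` distinct
    ports on one host within any `window`-second span. Only SYNs count, so
    replies and established traffic cannot trigger an alert."""
    attempts = defaultdict(list)
    for ts, src, dst, port, flags in map(parse_flow, lines):
        if "S" in flags and "A" not in flags:
            attempts[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), events in attempts.items():
        events.sort()
        ports_in_window = Counter()
        start = 0
        for ts, port in events:
            ports_in_window[port] += 1
            # slide the window: forget attempts older than `window` seconds
            while events[start][0] < ts - window:
                old_port = events[start][1]
                ports_in_window[old_port] -= 1
                if ports_in_window[old_port] == 0:
                    del ports_in_window[old_port]
                start += 1
            if len(ports_in_window) >= threshold:
                alerts.append({"src": src, "dst": dst, "at": ts,
                               "distinct_ports": sorted(ports_in_window)})
                break  # one alert per (src, dst) pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_FLOWS.splitlines()):
        print(f"port scan: {alert['src']} -> {alert['dst']} at {alert['at']}, "
              f"{len(alert['distinct_ports'])} ports: {alert['distinct_ports']}")
```

The detector raises on the tenth distinct port, while the busy legitimate client and the slow three-port visitor stay quiet; the "response" half of the slide is whatever the operator wires to the alert list, typically a block rule on the firewall in front of the host.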

Providing Security - Procedural

- Keep an electronic audit trail
- Separate duties.
- Never allow too much power to one individual. In ES, don’t allow the expert to update the knowledge base.
- Continually assess threats, risks, exposures, and vulnerabilities.
- Have standard procedures and documentation.
- Strict authorization requirements.

Providing Security - Procedural

- Outside audits.
- “Security is everybody’s business” -- give awards, etc.
- Have a disaster recovery plan. Lacked by 60% of all businesses!
- Use intelligent systems capability of firm to flag problems.
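The procedural slides above ask for an electronic audit trail, separated duties and no single individual with too much power. The block below is an added example, not code from the original slides, showing how those three points fit together in one mechanism: a hash-chained audit log in which each entry commits to the one before it, plus a seal keyed by the outside auditor so that the people who can write the log cannot also rewrite it unnoticed. The record layout, the knowledge-base workflow in the sample records and the names AuditTrail, seal and rebuild are constructed for the illustration.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # the "previous hash" of the very first entry


def entry_hash(prev_hash, record):
    """Hash of one entry, bound to the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditTrail:
    """Append-only log where every entry commits to its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})
        return self.entries[-1]["hash"]

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def first_broken_link(self):
        """Index of the first entry whose chain does not verify, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or entry_hash(prev, e["record"]) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def seal(trail, auditor_key):
    """Separation of duties: the outside auditor, not the system that writes
    the log, holds this key. Whoever can rewrite the log cannot forge the seal."""
    return hmac.new(auditor_key, trail.head().encode(), hashlib.sha256).hexdigest()


def seal_is_valid(trail, auditor_key, sealed_value):
    return trail.first_broken_link() is None and hmac.compare_digest(seal(trail, auditor_key), sealed_value)


def rebuild(records):
    """Regenerate a fully self-consistent chain from records alone. This is why
    the chain by itself is not enough: someone with write access could do it."""
    rebuilt = AuditTrail()
    for record in records:
        rebuilt.append(record)
    return rebuilt


def with_edited_record(trail, index, **changes):
    """Copy of the trail with one record edited in place, hashes left untouched."""
    edited = AuditTrail()
    edited.entries = copy.deepcopy(trail.entries)
    edited.entries[index]["record"].update(changes)
    return edited


def constructed_trail():
    """Constructed sample: the slide's rule that the expert proposes a
    knowledge-base change but someone else approves and applies it."""
    trail = AuditTrail()
    trail.append({"seq": 1, "user": "alice", "action": "propose_rule", "rule": "R-17"})
    trail.append({"seq": 2, "user": "bob", "action": "approve_rule", "rule": "R-17"})
    trail.append({"seq": 3, "user": "system", "action": "apply_rule", "rule": "R-17"})
    return trail


if __name__ == "__main__":
    key = b"constructed auditor key"
    trail = constructed_trail()
    sealed = seal(trail, key)
    print(trail.first_broken_link())                              # None: intact
    tampered = with_edited_record(trail, 1, user="alice")         # expert approves own change
    print(tampered.first_broken_link())                           # 1: chain catches a crude edit
    rewritten = rebuild([e["record"] for e in tampered.entries])  # hashes recomputed to match
    print(rewritten.first_broken_link())                          # None: chain alone is fooled
    print(seal_is_valid(rewritten, key, sealed))                  # False: the auditor's seal is not
```

The chain makes an in-place edit visible to anyone; the seal makes a wholesale rewrite visible to the auditor, which is the "outside audits" item on the slide turned into a concrete check.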

Providing Security - Physical

- All hard drives will eventually crash. This fact should be your first to consider. Everything else doesn’t count if you’ve forgotten this.
- Secure systems physically.
- Separate systems physically.
- Have off-site storage.
- Backups - files more than programs.
- Fault tolerance - UPS.
- Don’t let your corporate knowledge get lost. This is WAY more important for DSS than TPS… should figure 2:1 on physical security procedures.