
Chapter 7 Information Security. Chapter Outline 7.1 Introduction to Information Security 7.2 Unintentional Threats to Information Systems 7.3 Deliberate.


1 Chapter 7 Information Security

2 Chapter Outline
   7.1 Introduction to Information Security
   7.2 Unintentional Threats to Information Systems
   7.3 Deliberate Threats to Information Systems
   7.4 What Organizations Are Doing to Protect Information Resources
   7.5 Information Security Controls

3 Learning Objectives
   1. Give one specific example of each of the five factors that are contributing to the increasing vulnerability of information resources.
   2. Compare and contrast human mistakes and social engineering by way of specific examples.
   3. Describe negative consequences that might result from at least three different kinds of deliberate attacks on information systems.
   4. Assess how you might employ each of the three risk mitigation strategies in the context of your owning a home.
   5. Identify the three major types of controls that organizations can use to protect their information resources.

4 Introduction
   Opening Case: Small Businesses in Danger
   Which one do you think is more secure?
   - Data stored on a personal computer and wireless devices
   - Data stored on corporate computers and servers
   Which one causes more damage if its security is compromised?
   © Stockbroker xtra/Age Fotostock America, Inc.

5 7.1 Introduction to Information Security
   Security: The degree of protection against criminal activity, danger, damage, and/or loss
   Information security: Protecting an organization’s information resources from unauthorized access, use, disclosure, disruption, modification, or destruction
   Threat (to an information resource): Any danger to which a system may be exposed
   Exposure (of an information resource): The harm, loss, or damage that can result if a threat compromises that resource
   Vulnerability (of an information resource): The possibility that the system will be harmed by a threat

6 Five Factors Increasing the Vulnerability of Information Resources
   1. Networked business environment
   2. Smaller, faster, cheaper computers and storage devices
   3. Decreasing skills necessary to be a hacker
      - New and easier tools make it very easy to attack the network
      - Attacks are becoming increasingly sophisticated
   4. Organized crime taking over cybercrime
   5. Lack of management support
   Hacktivist groups: Anonymous (and LulzSec)
   © Sven Taubert/Age Fotostock America, Inc.

7 7.2 Unintentional Threats to Information Systems
   Human errors
   - Which department is “the most dangerous”? Why?
   - Carelessness with laptops and portable computing devices
   - Opening questionable e-mails
   - Careless Internet surfing
   - Poor password selection and use
   - Etc. (see Table 7.1)
   Social engineering
   - Attacker uses social skills to trick a legitimate employee into providing confidential company information such as passwords
   - Typically unintentional human error on the part of an employee, but it is the result of a deliberate action on the part of an attacker
   - Techniques: Tailgating, shoulder surfing
   - Interview with Kevin Mitnick

8 Figure 7.1 Security Threats

9 7.3 Deliberate Threats to Information Systems
   - Espionage or trespass
   - Information extortion
   - Sabotage or vandalism
   - Theft of equipment or information
   - Identity theft
   - Compromises to intellectual property
   - Software attacks
   - Alien software (or pestware)
   - Supervisory control and data acquisition (SCADA) attacks
   - Cyberterrorism and cyberwarfare
   © Diego Cervo/Age Fotostock America, Inc.

10 Deliberate Threats
   Espionage or trespass
   - Individual attempts to gain illegal access to organizational information
   - Competitive intelligence: Legal information gathering
   - Industrial espionage: Crosses the legal boundary
   Information extortion
   - An attacker demands payment for not stealing the information, for returning stolen information, or for not disclosing information already stolen from a company
   Sabotage or vandalism
   - Defacing an organization’s Web site
   - Example: Hacking John McCain's MySpace page
   - 2600 Hacked sites archives

11 Deliberate Threats
   Theft of equipment or information
   - Smaller equipment is easier to steal
   - Larger storage means more information lost
   - Dumpster diving: Rummaging through trash to find discarded information
   Identity theft
   - Deliberate assumption of another person’s identity to access financial information or to frame a person for a crime
   - Carried out through: Dumpster diving; stealing from databases; phishing (impersonating a trusted organization in an electronic communication)

12 Deliberate Threats
   Compromises to intellectual property
   - Intellectual property: The property created by individuals or corporations
   - Trade secret: Company secret, not public information
   - Patent: Protects an invention or process for 20 years
   - Copyright: Protects ownership of the property for the life of the creator plus 70 years
   Give examples of intellectual properties protected under each category.
   - Bangkok pirated games
   - Software piracy
   © Creasource/Corbis

13 Deliberate Threats
   Software attacks
   Remote attack needing user action
   - Virus: Attaches to a host computer
   - Worm: Can spread by itself
   - Phishing attack: Phishing Quiz
   - Spear phishing attack: Phishing attack on a specific target
   Remote attack needing no user action
   - Denial-of-service (DoS) attack: Bombarding and crashing a target computer with bogus requests
   - Distributed DoS attack: Using hacked computers (zombies) to perform a DoS attack (e.g., botnet)
   Attacks by programmers
   - Trojan horse: Disguised as an innocent program
   - Back door or trap door: Allows unauthorized access to the program or system, bypassing security measures
   - Logic bomb: Dormant until activated at a certain date and time
   © Stephen Zabel/iStockphoto

14 Deliberate Threats
   Alien software (or pestware)
   - Programs installed on a computer without the user’s consent or knowledge
   - Uses valuable system resources and may report user activities back to the creator
   - Adware: Displays pop-up advertisements on computer screens
   - Spyware: Collects personal information about users without their consent
   - Keystroke logger: Records keystrokes and Web browsing history
      - Use CAPTCHA to authenticate human users
   - Screen scraper: Records a continuous “movie” of activities on a screen
   - Spamware: Creates a launchpad for sending out spam e-mails
   - Cookies: Small files stored on a computer containing information about visited Web sites
   © Manfred Grafweg/Age Fotostock America, Inc.

15 Deliberate Threats
   Supervisory control and data acquisition (SCADA) attacks
   - SCADA systems control chemical, physical, or transport processes
   - For example: Oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants
   Cyberterrorism and cyberwarfare
   - Attack via the Internet using a target’s computer systems to cause physical, real-world harm
   - Usually employed to carry out a political agenda
   - Stuxnet worm

16 7.4 What Organizations Are Doing to Protect Information Resources
   - The difficulties in protecting information resources (Table 7.3)
   - Risk management
   © Youri van der Schalk/Age Fotostock America, Inc.

17 Table 7.3 The Difficulties in Protecting Information Resources

18 Risk Management
   Risk: The probability that a threat will impact an information resource
   Risk management: Identify, control, and minimize the impact of threats
   Risk analysis
   - Prioritize assets (probability x value)
   - Compare cost of security breach vs. cost of control
   Risk mitigation
   - Organization takes concrete actions against risk
   - Implement controls and develop a recovery plan
   - Three strategies:
      1. Risk acceptance: Accept the potential risk, continue operating with no controls, and absorb any damages that occur
      2. Risk limitation: Limit the risk by implementing controls that minimize the impact of the threat
      3. Risk transference: Transfer the risk by using other means to compensate for the loss, such as purchasing insurance
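The slide's risk analysis (prioritize by probability x value, then compare the cost of a breach with the cost of a control) and its three mitigation strategies, carried through as an added worked example. This is illustration code written for this page, not material from the textbook or the slides. It assumes a simple model that the slides do not spell out: a control lowers the probability of compromise to a residual value, and insurance is modelled as an annual premium plus a covered fraction of the loss. The asset figures are constructed.

```python
"""Risk analysis and mitigation-strategy selection for a small asset inventory.

Model assumptions (not stated on the slides): a control reduces the yearly
probability of compromise to a residual probability; insurance reimburses a
fixed fraction of the loss in exchange for a yearly premium.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # loss if the threat fully compromises the asset
    probability: float  # chance the threat compromises it within one year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_probability: float  # probability of compromise with the control in place


@dataclass(frozen=True)
class Insurance:
    annual_premium: float
    coverage: float  # fraction of the loss reimbursed, 0..1


def expected_loss(asset: Asset) -> float:
    """The slide's prioritisation metric: probability x value."""
    return asset.probability * asset.value


def prioritize(assets):
    """Highest expected loss first: the order in which the analysis should treat assets."""
    return sorted(assets, key=expected_loss, reverse=True)


def choose_strategy(asset: Asset, control: Control, insurance: Insurance) -> dict:
    """Cost each strategy for one year and pick the cheapest.

    acceptance:   no controls, absorb the expected loss
    limitation:   pay for the control, absorb the smaller residual expected loss
    transference: pay the premium, absorb only the uncovered share of the expected loss
    """
    accept = expected_loss(asset)
    limit = control.annual_cost + control.residual_probability * asset.value
    transfer = insurance.annual_premium + (1.0 - insurance.coverage) * expected_loss(asset)
    costs = {
        "acceptance": round(accept, 2),
        "limitation": round(limit, 2),
        "transference": round(transfer, 2),
    }
    best = min(costs, key=costs.get)
    return {"asset": asset.name, "costs": costs, "strategy": best}


# Constructed sample inventory: three assets, each with one candidate control
# and one insurance quote. The numbers are invented for illustration.
SAMPLE_ASSETS = [
    Asset("lobby_kiosk", value=2_000, probability=0.30),
    Asset("customer_db", value=500_000, probability=0.10),
    Asset("backup_tapes", value=80_000, probability=0.05),
]
SAMPLE_CONTROLS = {
    "lobby_kiosk": Control("kiosk lockdown image", annual_cost=1_500, residual_probability=0.05),
    "customer_db": Control("encryption + access review", annual_cost=15_000, residual_probability=0.02),
    "backup_tapes": Control("offsite vault service", annual_cost=6_000, residual_probability=0.01),
}
SAMPLE_INSURANCE = {
    "lobby_kiosk": Insurance(annual_premium=400, coverage=0.5),
    "customer_db": Insurance(annual_premium=20_000, coverage=0.8),
    "backup_tapes": Insurance(annual_premium=1_000, coverage=0.9),
}


def run_analysis(assets=SAMPLE_ASSETS, controls=SAMPLE_CONTROLS, insurance=SAMPLE_INSURANCE):
    """Prioritise the inventory, then recommend a strategy per asset in priority order."""
    return [choose_strategy(a, controls[a.name], insurance[a.name]) for a in prioritize(assets)]


if __name__ == "__main__":
    for row in run_analysis():
        print(f"{row['asset']:<13} {row['strategy']:<13} {row['costs']}")
```

With the constructed figures the three assets land on three different answers: the customer database is worth protecting with a control, the backup tapes are cheapest to insure, and the kiosk's expected loss is lower than either the control or the premium, so accepting it is the rational choice. The comparison only holds for the yearly horizon and the probabilities you feed in, which is why the prioritisation step matters: the estimates for the top assets deserve the most scrutiny.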

19 7.5 Information Security Controls
   Defense mechanisms to protect information assets
   The three major types:
   1. Physical controls
   2. Access controls
   3. Communications controls
   Frederic Lucano/Stone/Getty Images, Inc.

20 Figure 7.2 Location of Defense Mechanisms

21 Physical Controls
   - Prevent unauthorized individuals from gaining access to a company’s facilities
   - Examples: Walls, doors, fencing, gates, locks, badges, security guards, alarm systems; pressure sensors, temperature sensors, motion detectors
   - Physical controls can be inconvenient to employees
   What are examples of physical controls implemented at your work or university?

22 Access Controls
   - Restrict unauthorized user access to computer resources
   Authentication: Proof of identity. Uses something the user…
   - Is: Biometrics (a person’s innate physical characteristics)
   - Has: ID cards, smart ID cards, and tokens
   - Does: Voice, signature, and gait recognition
   - Knows: Password and passphrase
   Authorization: Permission to do certain activities

23 Communications Controls
   - Protect the movement of data across networks
   Firewalls
   - Enforce access-control policy to prevent certain information from moving between untrusted and private networks
   Anti-malware systems (AV)
   - Identify and eliminate malicious software
   Whitelisting and blacklisting
   - Whitelisting: Allows acceptable software to run
   - Blacklisting: Allows everything to run unless it is on the blacklist
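The difference between the two list types on this slide is a difference in default: a whitelist denies anything it has not seen, a blacklist permits anything it has not seen. The following added example (written for this page, not from the textbook) makes that concrete by identifying programs by the SHA-256 hash of their content rather than by file name, which is how application-control products avoid being fooled by a rename. The program contents, list entries and names are all constructed.

```python
"""Whitelist (default deny) versus blacklist (default allow) execution policy.

Programs are identified by a SHA-256 fingerprint of their bytes. The list
contents and the sample programs are constructed for this illustration.
"""
import hashlib


def fingerprint(program_bytes: bytes) -> str:
    """Content hash used as the program's identity in both lists."""
    return hashlib.sha256(program_bytes).hexdigest()


# Constructed sample programs: what the operating system is asked to execute.
KNOWN_GOOD = b"#!/bin/sh\necho 'approved text editor'\n"
KNOWN_BAD = b"#!/bin/sh\necho 'software the organisation has banned'\n"
NEVER_SEEN = b"#!/bin/sh\necho 'brand-new utility nobody has reviewed'\n"

APPROVED_HASHES = {fingerprint(KNOWN_GOOD)}   # the whitelist
BANNED_HASHES = {fingerprint(KNOWN_BAD)}      # the blacklist


def whitelist_allows(program_bytes: bytes) -> bool:
    """Whitelisting: only software on the approved list may run."""
    return fingerprint(program_bytes) in APPROVED_HASHES


def blacklist_allows(program_bytes: bytes) -> bool:
    """Blacklisting: everything runs unless it is on the banned list."""
    return fingerprint(program_bytes) not in BANNED_HASHES


def compare_policies(samples=None) -> dict:
    """Run each sample through both policies; returns {name: (whitelist, blacklist)}."""
    if samples is None:
        samples = {"known_good": KNOWN_GOOD, "known_bad": KNOWN_BAD, "never_seen": NEVER_SEEN}
    return {name: (whitelist_allows(b), blacklist_allows(b)) for name, b in samples.items()}


if __name__ == "__main__":
    print(f"{'program':<12} whitelist  blacklist")
    for name, (wl, bl) in compare_policies().items():
        print(f"{name:<12} {'allow' if wl else 'deny':<10} {'allow' if bl else 'deny'}")
```

Both policies agree on software they have already classified; they disagree only on the never-seen program, and that disagreement is the whole trade-off. The whitelist is safer against new malware but requires someone to approve every legitimate program before it can run, which is the operational cost organisations weigh when choosing between the two.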

24 Figure 7.3 Firewalls
   (a) Basic firewall for home computer
   (b) Organization with two firewalls and demilitarized zone
   © Dmitry Rukhlenko-Fotolia.com

25 Communications Controls
   Encryption
   - Converting an original message into a form that can only be read by the intended receiver
   - Public key encryption (asymmetric encryption; Figure 7.4)
   - Digital certificate (Figure 7.5)
   Virtual private networking (VPN)
   - Use logins and encryption to establish a secure, private connection on a public network like the Internet (Figure 7.6)
   Secure socket layer (Transport layer security [TLS])
   - An encryption standard for secure transactions such as credit card purchases and online banking
   - VeriSign
   Employee monitoring systems
   - Monitor employees’ computers, e-mail, and Internet activities
   - Examples: SpectorSoft, Websense

26 Figure 7.4 How Public Key Encryption Works (Omnisec AG.) Courtesy of Brad Prince

27 Figure 7.5 How Digital Certificates Work Sony and Dell, business partners, use a digital certificate from VeriSign for authentication

28 Figure 7.6 Virtual Private Network and Tunneling
   - “Virtual” network due to lack of separate physical existence
   - Tunneling encrypts each data packet to be sent and places each encrypted packet inside another packet

29 Business Continuity Planning
   - Provides guidance on how to keep the business operating after a disaster occurs
   Three possible strategies:
   1. Hot site: A fully configured computer facility, with all services, communications links, and physical plant operations
   2. Warm site: Has similar services and options as the hot site; may not include the actual applications the company runs; may include servers but not user workstations
   3. Cold site: Provides physical location and utilities without computer hardware or user workstations
   What factors should organizations consider when selecting from these strategies?

30 Information Systems Auditing
   - Examination of information systems, including inputs, outputs, and processing, to ensure that they work properly
   Types of auditors and audits
   - Internal auditors: Part of accounting internal auditing
   - External auditors: Review internal audit results and perform an independent information systems audit
   - ISACA.org

31 Information Systems Auditing
   How is auditing executed?
   Auditing around the computer
   - Verify processing by checking for known outputs or specific inputs
   - Best used in systems with limited outputs
   Auditing through the computer
   - Inputs, outputs, and processing are checked
   - Auditors review program logic and test data
   Auditing with the computer
   - Use a combination of client data, auditor software, and client and auditor hardware

32 What’s in IT for ME?
   - Accounting: Accountants are professionally responsible for reducing risk, ensuring compliance, eliminating fraud, and increasing transaction transparency
   - Finance: Sarbanes-Oxley requires the CFO to ensure the accuracy and security of information and information systems
   - Marketing: Marketing managers must protect customers’ data or risk upsetting customers and causing public relations problems
   - Production/Operations Management: IT security breaches, both locally and at business partners, could disrupt operations
   - Human Resources Management: HR managers must secure confidential employee data
   - MIS: MIS provides the security infrastructure to protect information assets

33 Closing Case 1: Compliance
   The Problem
   The Solutions
   The Results
   Questions
   - Describe the GRC problem that all organizations face.
   - What is the relationship between information technology and the GRC problem? Provide specific examples of this relationship.
   - In the examples in this case, all the organizations used external vendors to help them achieve GRC compliance. Why did these organizations use external vendors? Why didn’t they manage the GRC problem in house? Support your answer with examples.

34 Closing Case 2: Computer Espionage
   The Problem
   Possible Solutions
   The Results
   Questions
   - If the security experts are correct and organizations have no way to fully protect their information assets, then what should an organization do to protect those assets?
   - Go to Wikipedia (www.wikipedia.org) and look up “mutually assured destruction.” Apply what you learn there to this case. That is, does cyberwarfare fit in the “mutually assured destruction” category? Why or why not?

