
CHAPTER 13 Information Security and Controls


1 CHAPTER 13 Information Security and Controls

2 CHAPTER 13: Information Security and Controls
13.1 Introduction to Information Security
13.2 Unintentional Threats to Information Systems
13.3 Deliberate Threats to Information Systems
13.4 What Organizations Are Doing to Protect Information Resources
13.5 Information Security Controls
Copyright John Wiley & Sons Canada

3 LEARNING OBJECTIVES
- Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one.
- Compare and contrast human mistakes and social engineering, and provide a specific example of each one.
- Discuss the 10 types of deliberate software attacks.

4 LEARNING OBJECTIVES (CONTINUED)
- Define the three risk mitigation strategies and provide an example of each one in the context of owning a home.
- Identify the three major types of controls that organizations can use to protect their information resources and provide an example of each one.

5 OPENING CASE: CYBER-CRIMINALS USE SOCIAL NETWORKS FOR TARGETED ATTACKS
CASE 13.1 Cyber-Criminals Use Social Networks for Targeted Attacks
The Problem
Each infected personal computer in a corporate network represents a potential point of access to valuable intellectual property, such as customer information, patents, and strategic documents. Cybercriminals aggressively take advantage of an unanticipated gap in corporate defences: the use of social networks in corporate settings. Attackers increasingly use the personal information that individuals post on social networks such as Facebook and Twitter. A phishing attack acquires sensitive information by masquerading as an authentic e-mail. Phishing attacks are now so precisely targeted at particular individuals that they have a new name: spear phishing. In addition to copying or stealing sensitive personal and corporate information, attackers combine many compromised ("zombie") computers into botnets, which can contain millions of computers, and then use these botnets to execute cybercrimes.

6 OPENING CASE The (Attempted) Solution
Facebook, the dominant social network and therefore the biggest target, is partnering with Microsoft and security firm McAfee to help filter malicious programs. A Facebook spokesperson claimed that this process should keep compromised accounts to a minimum. He added that Facebook is “constantly working to improve complex systems that quickly detect and block suspicious activity, delete malicious links, and help people restore access to their accounts.”

7 OPENING CASE The Results
Unfortunately, attackers continue to exploit vulnerabilities in social networking Web sites. Many owners of infected zombie computers do not know that their computers are compromised. The best solution to this problem is for all users of social networks to be extremely careful about what information they post on their pages. Further, all computer users should be very careful when clicking on any link in an e-mail; if they do decide to click on a link, its source should be one that they can trust, and the address the link actually points to should match the address it appears to show.
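The advice above ("be careful when clicking on any link in an e-mail") can be partly automated. The following is an added example, not code from the textbook or from Facebook, that pulls every link out of an HTML e-mail and flags the two patterns behind most spear-phishing lures: anchor text that names one domain while the href goes to another, and any target outside a set of domains the organization trusts. The trusted-domain set and the sample message are constructed for the demonstration, and the "last two labels" domain rule is a stand-in for a real public-suffix lookup.

```python
"""Check the links in an e-mail before anyone clicks them: flag anchors whose
visible text names one domain while the href goes to another, plus any
target outside the recipient's trusted domains.
Added example, not from the textbook; the trusted-domain set and the
sample message are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only domains this organization expects e-mail links to point at.
TRUSTED_DOMAINS = {"example-bank.ca", "example.com"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML e-mail."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (toy stand-in for a public-suffix lookup);
    bare IP addresses are returned unchanged."""
    host = host.lower().strip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_of(text):
    """Registrable domain named by a URL or a URL-looking piece of text, else None."""
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return registrable_domain(host) if host else None


def suspicious_links(html):
    """Return (text, href, reason) for every link a user should not trust."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    findings = []
    for text, href in parser.links:
        target = domain_of(href)
        # Only treat the anchor text as a domain claim if it looks like one.
        shown = domain_of(text) if re.search(r"\w\.\w", text) else None
        if target is None:
            findings.append((text, href, "link has no host"))
        elif shown and shown != target:
            findings.append((text, href, f"text says {shown} but link goes to {target}"))
        elif target not in TRUSTED_DOMAINS:
            findings.append((text, href, f"{target} is not a trusted domain"))
    return findings


# Constructed sample message, modelled on the lure described in the case.
SAMPLE_EMAIL = """
<p>Your account has been locked. Log in at
<a href="http://example-bank.ca.secure-login.example.net/verify">www.example-bank.ca</a>
within 24 hours.</p>
<p>The <a href="https://example.com/reports/q3">quarterly report</a> is attached.</p>
<p>Unsubscribe: <a href="http://203.0.113.7/u?id=42">click here</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}: {reason}")
```

Run against the constructed message, the first link is flagged because the text claims example-bank.ca while the href lands on example.net, and the "click here" link is flagged because a bare IP address is not a trusted domain; the report link passes. A mail gateway would run the same check on the way in and rewrite or quarantine the message rather than rely on the recipient noticing.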

8 OPENING CASE Discussion
- Do social networking sites show due diligence in protecting sensitive, classified information?
- Are security breaches of social networking sites caused by members’ carelessness, by the sites’ poor security, or by some combination of these factors?
- How should social networks protect their members more effectively? Does better protection on social networking sites involve technology, policy, or both?
- Is it possible to secure the Internet?

9 OPENING CASE What We Learned From This Case
Information security is closely related to information technology, and it raises many significant questions. For example, do social networking sites show due diligence in protecting sensitive, classified information? Keep in mind that the issues involved in information security affect individuals and small organizations as well as large companies. It’s About Business 13.1 shows how a lack of data backup affects a small business. A solid backup plan is critical to information availability. A duplicate backup is easy to keep, but you have to be diligent about backing up your essential files. For a small business this process is even more important, because any loss of data could mean lost customers and lost revenue.

10 IT’S ABOUT BUSINESS 13.1 Thomas Tax Service
Dwight, the owner of Thomas Tax Service, relied completely on the QuickBooks program to maintain all of his customers’ financial information. One morning the computer motherboard failed, and there was no backup. After this incident, he put a backup plan in place. Each of his three employees received a USB drive on which to back up their QuickBooks files; the drives are stored in a fireproof safe. When the employees back up each Friday, QuickBooks erases the oldest backup and creates a new one, so two earlier backups remain accessible if there is a problem while the new backup is being created.

11 IT’S ABOUT BUSINESS 13.1 Discussion
- Why did Dwight restore his data manually by himself?
- What are the advantages and disadvantages of Dwight’s backup plan?

12 13.1 INTRODUCTION TO INFORMATION SECURITY
Information security refers to all of the processes and policies designed to protect an organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction. A threat to an information resource is any danger to which a system may be exposed. An information resource’s vulnerability is the possibility that the system will be harmed by a threat; a threat with no matching vulnerability does no damage, which is why controls aim at reducing vulnerabilities.

13 INFORMATION SECURITY
Five key factors affect the vulnerability and security of organizational information resources:
- Today’s interconnected, interdependent, wirelessly networked business environment
- Smaller, faster, cheaper computers and storage devices
- Decreasing skills necessary to be a computer hacker
- International organized crime taking over cybercrime
- Lack of management support
The first factor is the evolution of the IT resource from mainframe-only to today’s highly complex, interconnected, interdependent, wirelessly networked business environment. The second factor reflects the fact that modern computers and storage devices (e.g., thumb drives or flash drives) continue to become smaller, faster, cheaper, and more portable, with greater storage capacity. The third factor is that the computing skills necessary to be a hacker are decreasing. The fourth factor is that international organized crime is taking over cybercrime. The fifth, and final, factor is lack of management support: for the entire organization to take security policies and procedures seriously, senior managers must set the tone.

14 13.2 UNINTENTIONAL THREATS TO INFORMATION SYSTEMS
Information systems are vulnerable to many potential hazards and threats. There are two major categories of threats:
- unintentional threats
- deliberate threats
Unintentional threats are acts performed without malicious intent that nevertheless represent a serious threat to information security. A major category of unintentional threats is human error.

15 SECURITY THREATS
Figure 13.1 Security threats.

16 HUMAN ERRORS
There are two important points to be made about employees. First, the higher the level of employee, the greater the threat he or she poses to information security, because higher-level employees have broader access to corporate data and hold greater privileges. Second, employees in two areas of the organization pose especially significant threats to information security: human resources and information systems (IS). Other personnel who must be counted as employees for this purpose include contract labour, consultants, janitors, and guards. Human errors or mistakes by employees pose a large problem as the result of laziness, carelessness, or a lack of awareness concerning information security. This lack of awareness comes from poor education and training efforts by the organization.

17 HUMAN ERRORS (CONTINUED)
Human mistakes manifest themselves in many different ways:
- Carelessness with computing devices
- Opening questionable e-mails
- Careless Internet surfing
- Poor password selection and use
- Carelessness with one’s office
- Carelessness using unmanaged devices
- Carelessness with discarded equipment
- Careless monitoring of environmental hazards

18 SOCIAL ENGINEERING
Social engineering techniques:
- Impersonation
- Tailgating
- Shoulder surfing
Social engineering is an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information such as passwords. The most common example of social engineering occurs when the attacker impersonates someone else on the telephone, such as a company manager or an information systems employee. Tailgating is a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry, typically by following an authorized person through the door before it closes. Shoulder surfing occurs when a perpetrator watches an employee’s computer screen over the employee’s shoulder.

19 13.3 DELIBERATE THREATS TO INFORMATION SYSTEMS
- Espionage or trespass
- Information extortion
- Sabotage or vandalism
- Theft of equipment or information
- Identity theft
- Compromises to intellectual property
- Software attacks
- Alien software
- Supervisory control and data acquisition (SCADA) attacks
- Cyberterrorism and cyberwarfare
Information extortion occurs when an attacker either threatens to steal, or actually steals, information from a company and demands payment for not disclosing it. Sabotage and vandalism are deliberate acts that involve defacing an organization’s Web site, possibly damaging the organization’s image and causing its customers to lose faith in the organization.

20 ESPIONAGE OR TRESPASS
Competitive intelligence uses legal information-gathering techniques. Example: studying a company’s Web site.
Industrial espionage crosses the legal boundary. Example: theft of confidential data.
Espionage or trespass occurs when an unauthorized individual attempts to gain illegal access to organizational information.

21 THEFT OF EQUIPMENT OR INFORMATION
Small, powerful devices with increased storage, such as laptops, BlackBerry® units, personal digital assistants, smart phones, digital cameras, thumb drives, and iPods, are becoming easier to steal and easier for attackers to use to steal information. A related technique is dumpster diving, the practice of rummaging through commercial or residential trash to find information that has been discarded.

22 IDENTITY THEFT
Identity theft techniques:
- stealing mail or dumpster diving;
- stealing personal information from computer databases;
- infiltrating organizations that store large amounts of personal information (e.g., data aggregators such as Acxiom);
- impersonating a trusted organization in an electronic communication (phishing).
The Office of the Privacy Commissioner of Canada publishes instructions for businesses and individuals to help reduce their risk of identity theft.

23 COMPROMISES TO INTELLECTUAL PROPERTY
Intellectual property is property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.
- Trade secret: intellectual work that is a company secret and is not based on public information.
- Patent: grants the holder exclusive rights on an invention or process for 20 years.
- Copyright: provides creators of intellectual property with ownership of the property for the life of the creator plus 70 years.
- Piracy: copying a software program without making payment to the owner.

24 SOFTWARE ATTACKS
- Remote attacks requiring user action: virus, worm, phishing attack, spear phishing attack
- Remote attacks needing no user action: denial-of-service attack, distributed denial-of-service attack
- Attacks by a programmer developing a system: Trojan horse, back door, logic bomb
See Table 13.2 in the textbook for descriptions of each type of software attack.

25 IT’S ABOUT BUSINESS 13.2 Virus Attack Hits the University of Exeter
In January 2010, the University of Exeter, in England, became the target of a massive virus attack. The virus attack, which exploited computers running Microsoft Windows® Vista Service Pack 2, caused the university to temporarily take its entire network offline. The interactive teaching boards in all classrooms became inoperable, so professors could not use PowerPoint presentations or access the Internet in class. Perhaps the most serious problem was that they lost access to the university’s Virtual Learning Environment (VLE). It took three days to clean infected computers and bring the network back into operation. As of May 2011, no one had identified the perpetrators or determined how they managed to infect the university network.

26 IT’S ABOUT BUSINESS 13.2 Discussion
- What other actions could the university have taken to prevent the attack?
- What actions should the university now perform to prevent future attacks?

27 ALIEN SOFTWARE
Alien software (or pestware) is clandestine software that is installed on your computer through duplicitous methods.
- Adware: software that causes pop-up advertisements to appear on your screen.
- Spyware: collects personal information about users without their consent. Two common kinds are keystroke loggers (keyloggers) and screen scrapers (screen grabbers).
- Spamware: pestware that turns your computer into a relay for spam, which is unsolicited e-mail, usually advertising for products and services.
- Cookies: small amounts of information that Web sites store on your computer, temporarily or more or less permanently.
Keystroke loggers, also called keyloggers, record both your individual keystrokes and your Internet Web browsing history. Screen scrapers, or screen grabbers, record a continuous “movie” of a screen’s contents rather than simply recording keystrokes.

28 EXAMPLE OF CAPTCHA
Companies have attempted to counter keyloggers and other automated attacks by switching to other forms of identifying users. For example, at some point all of us have been forced to look at wavy, distorted letters and type them correctly into a box. That string of letters is called a CAPTCHA, and it is a test: the point of a CAPTCHA is that computers cannot (yet) accurately read those distorted letters, so passing it separates a human at the keyboard from an automated program. Note that a CAPTCHA does not protect what the human then types; a keylogger on the same machine still records the password.

29 SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) ATTACKS
SCADA systems are used to monitor or to control chemical, physical, and transport processes used in:
- oil refineries
- water and sewage treatment plants
- electrical generators
- nuclear power plants
SCADA refers to a large-scale, distributed measurement and control system. Essentially, SCADA systems provide a link between the physical world and the electronic world, which is why an attack on them can cause physical damage rather than only data loss.

30 IT’S ABOUT BUSINESS 13.3 The Stuxnet Worm
Stuxnet, discovered in July 2010, is a worm that targets SCADA systems. In particular, Stuxnet targets Siemens SCADA systems that are configured to control and monitor specific industrial processes. The worm fakes the sensor signals that control industrial processes so that an infected system does not shut down when it behaves abnormally. Stuxnet heralds a frightening new era in cyberwarfare. Experts studying Stuxnet have concluded that the worm is so complex that only a nation state would have the capabilities to produce it.
Cyberterrorism and cyberwarfare refer to malicious acts in which attackers use a target’s computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, usually to carry out a political agenda.

31 IT’S ABOUT BUSINESS 13.3 Discussion
- Describe the implications of the precisely targeted nature of the Stuxnet attack.
- Analyze the statement: “Nations use malware such as the Stuxnet worm when their only alternative is to go to war.”

32 13.4 WHAT ORGANIZATIONS ARE DOING TO PROTECT INFORMATION RESOURCES
Companies are developing software and services that deliver early warnings of trouble on the Internet. Early-warning systems are proactive, scanning the Web for new viruses and alerting companies to the danger.

33 DIFFICULTIES IN PROTECTING INFORMATION RESOURCES
- Hundreds of threats
- Many locations of computing resources
- Access to information assets
- Difficult to protect remote networks
- Rapid technological changes
- Crimes go undetected for long periods of time
- Violation of security procedures
- Minimal knowledge needed to commit crimes
- High costs of prevention
- Difficult to conduct a cost-benefit justification
See Table 13.3 for full descriptions of the difficulties in protecting information resources.

34 RISK MANAGEMENT
Risk management consists of three processes:
- risk analysis
- risk mitigation
- controls evaluation
Organizations spend a great deal of time and money protecting their information resources through the process of risk management. A risk is the probability that a threat will impact an information resource. The goal of risk management is to identify, control, and minimize the impact of threats.

35 RISK ANALYSIS
Risk analysis involves three steps:
- assessing the value of each asset being protected
- estimating the probability that each asset will be compromised
- comparing the probable costs of the asset’s being compromised with the costs of protecting that asset

36 RISK MITIGATION
The three most common risk mitigation strategies:
- Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur.
- Risk limitation: limit the risk by implementing controls that minimize the impact of the threat.
- Risk transference: transfer the risk by using other means to compensate for the loss, such as by purchasing insurance.
Risk mitigation has two functions: (1) implementing controls to prevent identified threats from occurring, and (2) developing a means of recovery should the threat become a reality.

37 CONTROLS EVALUATION
In controls evaluation, the organization identifies security deficiencies and calculates the cost of implementing adequate control measures. If the costs of implementing a control are greater than the value of the asset being protected, the control is not cost effective.
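The three risk-analysis steps, the controls-evaluation test, and the choice among the three mitigation strategies can be carried through as one procedure. The following is an added example with constructed figures, not from the textbook. The slide compares control cost with asset value; the code uses the usual refinement, expected annual loss = value x exposure x yearly probability of compromise, so a control is judged against the loss it actually avoids, and the strategy names ("accept", "limit", "transfer") are the slide's three strategies.

```python
"""Risk analysis (asset value, probability of compromise, cost of protection)
and controls evaluation, then the choice among accept / limit / transfer.
Added example with constructed figures, not from the textbook."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Asset:
    name: str
    value: float            # step 1: dollar value of the asset
    p_compromise: float     # step 2: probability of compromise in a year
    exposure: float = 1.0   # fraction of the value lost in one incident


@dataclass
class Control:
    name: str
    annual_cost: float      # step 3: cost of protecting the asset
    p_reduction: float      # fraction by which it lowers p_compromise


def expected_annual_loss(asset: Asset) -> float:
    """Single-incident loss (value x exposure) times yearly probability."""
    return asset.value * asset.exposure * asset.p_compromise


def control_benefit(asset: Asset, control: Control) -> float:
    """Loss avoided per year if the control is applied to this asset."""
    return expected_annual_loss(asset) * control.p_reduction


def is_cost_effective(asset: Asset, control: Control) -> bool:
    """Controls evaluation: the control pays only if it avoids more loss than it costs."""
    return control_benefit(asset, control) > control.annual_cost


def recommend(asset: Asset, control: Control,
              insurance_premium: Optional[float] = None) -> str:
    """One of the three mitigation strategies: 'limit' if the control is
    cost-effective, else 'transfer' if insurance is cheaper than the expected
    loss, else 'accept'."""
    if is_cost_effective(asset, control):
        return "limit"
    if insurance_premium is not None and insurance_premium < expected_annual_loss(asset):
        return "transfer"
    return "accept"


# Constructed portfolio: (asset, candidate control, insurance premium or None).
PORTFOLIO = [
    (Asset("customer database", value=500_000, p_compromise=0.10),
     Control("encrypt at rest + access logging", annual_cost=12_000, p_reduction=0.6),
     None),
    (Asset("lobby kiosk PC", value=3_000, p_compromise=0.20),
     Control("dedicated hardened image", annual_cost=2_500, p_reduction=0.9),
     400.0),
    (Asset("legacy print server", value=800, p_compromise=0.05),
     Control("network isolation", annual_cost=500, p_reduction=0.9),
     None),
]


def plan(portfolio=PORTFOLIO) -> Dict[str, str]:
    """Mitigation strategy per asset name."""
    return {asset.name: recommend(asset, control, premium)
            for asset, control, premium in portfolio}


if __name__ == "__main__":
    for asset, control, premium in PORTFOLIO:
        print(f"{asset.name:22} EAL={expected_annual_loss(asset):>9.2f} "
              f"benefit={control_benefit(asset, control):>9.2f} "
              f"cost={control.annual_cost:>8.2f} -> {recommend(asset, control, premium)}")
```

With these numbers the customer database gets the control (it avoids $30,000 of expected loss for $12,000), the kiosk is insured (a $2,500 control against $600 of expected loss fails the test, but a $400 premium beats it), and the print server's $40 expected loss is simply accepted. The probabilities are the weak point of any such analysis; they should come from incident history or vendor data, not be tuned until the preferred answer appears.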

38 13.5 INFORMATION SECURITY CONTROLS
General controls apply to more than one functional area. Example: passwords.
Application controls are specific to one application. Example: approval of payroll wage rates.
Purpose of controls: safeguard assets, optimize the use of the organization’s resources, and prevent or detect errors or fraud. Controls that protect information assets are called defence mechanisms or countermeasures. Security controls are designed to protect all of the components of an information system, including data, software, hardware, and networks.

39 13.5 INFORMATION SECURITY CONTROLS (CONTINUED)
Figure 13.2 Where defence mechanisms are located. Figure 13.2 illustrates the three categories of general controls: physical controls, access controls, and communications controls.

40 CATEGORIES OF GENERAL CONTROLS
- Physical controls: walls, doors, fencing, gates, locks, badges, guards, alarm systems, pressure sensors, and motion detectors.
- Access controls: can be physical or logical.
- Communications controls: firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks (VPNs), secure sockets layer (SSL), and employee monitoring systems.
Physical controls prevent unauthorized individuals from gaining access to a company’s facilities. Access controls restrict unauthorized individuals from using information resources; they involve two major functions, authentication and authorization. Logical controls are implemented by software; for example, they can limit users to acceptable login times. Communications controls (also called network controls) secure the movement of data across networks.

41 AUTHENTICATION
To authenticate authorized personnel, an organization can use one or more of the following types of methods:
- something the user is (biometrics)
- something the user has
- something the user does
- something the user knows
Authentication confirms the identity of the person requiring access: identification is the claim of who you are, authentication is the proof. After the person is authenticated, the next step is authorization.
Something the user is: also known as biometrics, these access controls examine a user’s innate physical characteristics.
Something the user has: these access controls include regular ID cards, smart cards, and tokens.
Something the user does: these access controls include voice and signature recognition.
Something the user knows: these access controls include passwords and passphrases. A password is a private combination of characters that only the user should know. A passphrase is a series of characters that is longer than a password but can be memorized easily.

42 BASIC GUIDELINES FOR CREATING STRONG PASSWORDS
- Difficult to guess
- Long rather than short
- Uppercase letters, lowercase letters, numbers, and special characters
- Do not use recognizable words
- Do not use the name of anything or anyone familiar (family names or names of pets)
- Do not use a recognizable string of numbers (Social Insurance Number or a birthday)
A passphrase is a series of characters that is longer than a password but is still easy to memorize. To identify authorized users more efficiently and effectively, organizations frequently implement more than one type of authentication, a strategy known as multifactor authentication. Single-factor authentication, which is notoriously weak, commonly consists simply of a password. Two-factor authentication combines a password with a second factor of a different type, such as a token the user has or a fingerprint; two passwords are still one factor. Three-factor authentication is any combination of three different authentication methods. In most cases, the more factors the system utilizes, the more reliable it is.
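The guidelines above and the two-factor login they feed into, as an added example that is not the textbook's code: a checker that applies each rule on the slide (length, character classes, recognizable words, familiar names, recognizable digit strings), a salted slow hash for storing the result, and a time-based one-time code (TOTP, RFC 6238) as the "something the user has" factor. The word list, the familiar-names list, the user record and the TOTP secret are constructed stand-ins (the secret is the RFC 6238 test-vector key, so the codes can be checked against the RFC). One caveat a practitioner would add: current guidance (NIST SP 800-63B) weighs length and checks against breached-password lists above composition rules, so treat the character-class rule as the textbook's, not as best practice.

```python
"""Password guideline check plus a second factor: a password that passes the
rules on the slide, and a time-based one-time code (TOTP, RFC 6238) from
something the user has. Added example, not from the textbook; the word
list, the familiar-names list, the user record and the shared secret are
constructed stand-ins."""
import hashlib
import hmac
import os
import re
import struct
import time
from typing import List, Optional

COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "hockey"}   # constructed
FAMILIAR_NAMES = {"dwight", "thomas", "rover"}                           # constructed


def recognizable_digits(run: str) -> bool:
    """A SIN or birthday (6+ digits), or a repeating / stepping run like 1111 or 1234."""
    if len(run) >= 6:
        return True
    steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
    return steps in ({0}, {1}, {-1})


def password_problems(pw: str) -> List[str]:
    """Guideline violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")):
        problems.append("needs upper, lower, digit and special characters")
    low = pw.lower()
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains a recognizable word")
    if any(n in low for n in FAMILIAR_NAMES):
        problems.append("contains a familiar name")
    if any(recognizable_digits(run) for run in re.findall(r"\d{4,}", pw)):
        problems.append("contains a recognizable string of numbers")
    return problems


def hash_password(pw: str, salt: bytes) -> bytes:
    """Store a salted, slow hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code and one step either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * 30), code)
               for k in range(-window, window + 1))


# Constructed user record; enrolment already ran the guideline check on the password.
SALT = os.urandom(16)
USER = {"name": "dwight",
        "pw_hash": hash_password("Tr0ub4dor&3xample!", SALT),
        "totp_secret": b"12345678901234567890"}   # RFC 6238 test-vector secret


def login(user: dict, pw: str, code: str, at: Optional[int] = None) -> bool:
    """Two-factor login: something the user knows AND something the user has."""
    at = int(time.time()) if at is None else at
    pw_ok = hmac.compare_digest(hash_password(pw, SALT), user["pw_hash"])
    # Check the second factor even when the password fails, so response time
    # does not reveal which factor was wrong.
    code_ok = verify_totp(user["totp_secret"], code, at)
    return pw_ok and code_ok
```

With the RFC secret, `totp(secret, 59)` gives 287082 and `totp(secret, 1111111109)` gives 081804, the last six digits of the RFC 6238 SHA-1 vectors. The window of one step means a code stays valid for roughly 90 seconds; production systems also record the last accepted counter so the same code cannot be replayed inside that window.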

43 AUTHORIZATION
Authorization determines which actions, rights, or privileges the person has, based on his or her verified identity.
- Privilege
- Least privilege
A privilege (also known as a user profile) is a collection of related computer system operations that a user is authorized to perform. Companies typically base authorization policies on the principle of least privilege, which posits that users be granted the privilege for an activity only if there is a justifiable need for them to perform that activity, and that the grant be removed when the need ends.
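Least privilege as code, as an added example that is not from the textbook: privilege profiles are named sets of operations, a user gets nothing unless a granted profile explicitly includes the operation, every grant must carry a stated business need, and a periodic review revokes profiles whose need has lapsed. The profiles, operations and user are constructed; the payroll operations echo the application-control example earlier in the chapter (approval of payroll wage rates).

```python
"""Authorization by privilege profile with deny-by-default and a documented
need for every grant, following the least-privilege rule on the slide.
Added example, not from the textbook; profiles, operations and users are
constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A privilege (user profile) is a named collection of operations.
PRIVILEGES: Dict[str, Set[str]] = {
    "payroll_clerk":   {"payroll:view", "payroll:enter_hours"},
    "payroll_manager": {"payroll:view", "payroll:enter_hours", "payroll:approve_rates"},
    "helpdesk":        {"user:view", "user:reset_password"},
}


@dataclass
class User:
    name: str
    profiles: Set[str] = field(default_factory=set)
    # Why each profile was granted; inspected during review().
    justification: Dict[str, str] = field(default_factory=dict)


class AccessPolicy:
    def __init__(self, privileges: Dict[str, Set[str]]):
        self.privileges = privileges
        self.audit: List[Tuple[str, str, str]] = []

    def permitted_ops(self, user: User) -> Set[str]:
        ops: Set[str] = set()
        for profile in user.profiles:
            ops |= self.privileges.get(profile, set())
        return ops

    def authorize(self, user: User, op: str) -> bool:
        """Deny unless a granted profile explicitly includes the operation."""
        allowed = op in self.permitted_ops(user)
        self.audit.append((user.name, op, "ALLOW" if allowed else "DENY"))
        return allowed

    def grant(self, user: User, profile: str, justification: str) -> None:
        """Grant only a known profile, and only with a stated business need."""
        if profile not in self.privileges:
            raise ValueError(f"unknown profile: {profile}")
        if not justification.strip():
            raise ValueError("least privilege: a grant needs a documented need")
        user.profiles.add(profile)
        user.justification[profile] = justification

    def review(self, user: User, still_needed: Set[str]) -> Set[str]:
        """Access review: revoke every profile whose need has lapsed."""
        for profile in list(user.profiles):
            if profile not in still_needed:
                user.profiles.discard(profile)
                user.justification.pop(profile, None)
        return set(user.profiles)


def demo() -> Dict[str, bool]:
    """Walk a clerk through grant, use and review; returns the decisions."""
    policy = AccessPolicy(PRIVILEGES)
    pat = User("pat")
    policy.grant(pat, "payroll_clerk", "enters hours for the Ottawa office")
    before = policy.authorize(pat, "payroll:approve_rates")     # denied: not in profile
    policy.grant(pat, "payroll_manager", "acting manager, Q3 only")
    during = policy.authorize(pat, "payroll:approve_rates")     # allowed for now
    policy.review(pat, still_needed={"payroll_clerk"})          # Q3 over: revoke
    after = policy.authorize(pat, "payroll:approve_rates")
    return {"before": before, "during": during, "after": after,
            "never_granted": policy.authorize(pat, "user:reset_password")}


if __name__ == "__main__":
    print(demo())
```

The audit list records every decision, including denials, which is what an investigator wants later; the justification dictionary is what the access review reads. Separation of duties (the person who enters hours should not be the one who approves rates) would be a further check in `grant`, refusing conflicting profiles on one user.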

44 IT’S ABOUT BUSINESS 13.4 Information Security at City National Bank and Trust
City National Bank and Trust’s rapid growth in branches and customer service offerings, coupled with the global increase in malicious software, placed the bank’s networks and its employees at much greater risk. The bank selected M86 Security for its strong content-filtering capabilities and its capability to dynamically set and modify security policies. It quickly applied policy-based standards throughout its network, which included configuring the system to block messages with attached batch, executable, and .zip files and preventing employees from downloading potentially dangerous files and accessing offensive Web sites. With this level of control, the IT group can apply basic security policies to all employees and feel secure that employees cannot accidentally download malware.

45 IT’S ABOUT BUSINESS 13.4 Discussion
- Why is it so important for organizations to establish enterprise-wide security policies?
- Are the bank’s policies too stringent? Why or why not? Support your answer.

46 COMMUNICATIONS CONTROLS
- Firewalls
- Anti-malware systems
- Whitelisting and blacklisting
- Encryption
- Virtual private networks (VPNs)
- Secure sockets layer (SSL)
- Employee monitoring systems
Communications controls (also called network controls) secure the movement of data across networks. Anti-malware systems, also called antivirus or AV software, are software packages that attempt to identify and eliminate viruses, worms, and other malicious software (malware). Whitelisting permits acceptable software to run and either prevents any other software from running or lets new software run in a quarantined environment until the company can verify its validity. Blacklisting states the types of software that are not allowed to run in the company environment. Secure sockets layer (SSL), since superseded by transport layer security (TLS), is an encryption protocol used for secure transactions such as credit card purchases and online banking.

47 COMMUNICATIONS CONTROLS (CONTINUED)
A firewall is a system that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company’s network. Figure 13.3a illustrates a basic firewall for a home computer. In this case, the firewall is implemented as software on the home computer. Figure 13.3b shows an organization that has implemented an external firewall, which faces the Internet, and an internal firewall, which faces the company network. A demilitarized zone (DMZ) is located between the two firewalls.
Figure 13.3 (a) Basic firewall for home computer. (b) Organization with two firewalls and demilitarized zone.
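The two-firewall layout of Figure 13.3b, as an added example that is not from the textbook: a small first-match packet filter with one rule table for the external firewall and one for the internal firewall, and a function that passes a packet through whichever firewalls lie between its source zone and destination zone. The addresses (documentation ranges), rule tables and sample packets are constructed, and the model is stateless: replies are not tracked, which a real firewall does.

```python
"""A stateless first-match packet filter modelling the two-firewall layout
of Figure 13.3b: external firewall in front of the DMZ, internal firewall
between the DMZ and the company LAN. Added example, not from the textbook;
addresses, rule tables and packets are constructed, and replies are not
modelled (a real firewall tracks connection state)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

DMZ = ip_network("192.0.2.0/24")
LAN = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src: str         # CIDR
    dst: str         # CIDR
    proto: str       # "tcp", "udp" or "any"
    dport: object    # port number or "any"

    def matches(self, pkt: Dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in ("any", pkt["dport"]))


def decide(rules: List[Rule], pkt: Dict) -> str:
    """First matching rule wins; no match means deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# External firewall: faces the Internet, admits only the published services.
EXTERNAL = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),   # public web server
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),
    Rule("allow", "0.0.0.0/0", "192.0.2.25/32", "tcp", 25),    # inbound mail relay
    # Nothing from outside goes straight to the LAN, whatever the port.
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "any", "any"),
]

# Internal firewall: the DMZ is treated as semi-trusted at best.
INTERNAL = [
    Rule("allow", "192.0.2.10/32", "10.0.5.20/32", "tcp", 5432),  # web -> database only
    Rule("allow", "10.0.0.0/8", "192.0.2.0/24", "any", "any"),    # LAN may manage the DMZ
    Rule("deny", "192.0.2.0/24", "10.0.0.0/8", "any", "any"),     # everything else DMZ -> LAN
]


def zone(addr: str) -> str:
    ip = ip_address(addr)
    return "lan" if ip in LAN else "dmz" if ip in DMZ else "internet"


# Which firewalls a packet crosses for each (source zone, destination zone).
PATH = {
    ("internet", "dmz"): [EXTERNAL],
    ("internet", "lan"): [EXTERNAL, INTERNAL],
    ("dmz", "lan"): [INTERNAL],
    ("lan", "dmz"): [INTERNAL],
}


def path_decision(pkt: Dict) -> str:
    """Allow only if every firewall on the path allows the packet."""
    hops = PATH.get((zone(pkt["src"]), zone(pkt["dst"])))
    if hops is None:
        return "not modelled"
    return "allow" if all(decide(fw, pkt) == "allow" for fw in hops) else "deny"


def packet(src: str, dst: str, dport: int, proto: str = "tcp") -> Dict:
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


if __name__ == "__main__":
    for p in (packet("198.51.100.9", "192.0.2.10", 443),
              packet("198.51.100.9", "10.0.5.20", 5432),
              packet("192.0.2.25", "10.0.5.20", 5432)):
        print(p, "->", path_decision(p))
```

The point of the DMZ shows in the last two sample packets: an Internet host cannot reach the database even on its service port, and a compromised mail relay in the DMZ cannot reach it either, because only the web server's address is allowed through the internal firewall, and only to one port.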

48 COMMUNICATIONS CONTROLS (CONTINUED)
Figure 13.4 The power of encryption.
Encryption is the process of converting an original message into a form that cannot be read by anyone except the intended receiver. Public-key encryption, also known as asymmetric encryption, uses two different keys: a public key, which can be distributed openly, and a private key, which the owner keeps secret. A digital certificate is an electronic document attached to a file that certifies that the file is from the organization it claims to be from and has not been modified from its original format.

49 COMMUNICATIONS CONTROLS (CONTINUED)
Organizations doing business over the Internet require a more complex system. In such cases, a third party, called a certificate authority, acts as a trusted intermediary between companies. The certificate authority issues digital certificates and verifies the integrity of the certificates.
Figure 13.5 How digital certificates work. Sony and Dell, business partners, use a digital certificate from VeriSign for authentication.
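The two slides above (public-key encryption, and a certificate authority vouching for each partner's key, as in Figure 13.5) can be run end to end in one small model. This is an added example, not code from the textbook, VeriSign, Dell or Sony: it is textbook RSA on Mersenne primes with no padding, so it is a teaching toy and not usable cryptography. The CA signs each partner's name and public key; a partner trusts the key inside a certificate only after the CA's signature checks, then Dell encrypts an order with Sony's public key and signs it with its own private key. The partner names follow the slide and the keys are constructed.

```python
"""Public-key encryption, digital signatures and a certificate authority in
one runnable model of Figure 13.5. Added example, not from the textbook or
any real CA: textbook RSA on Mersenne primes, no padding, teaching toy only."""
import hashlib
from typing import Dict, Tuple

Key = Tuple[int, int]   # (modulus n, exponent)
E = 65537


def keygen(p: int, q: int, e: int = E) -> Tuple[Key, Key]:
    """Return (public, private) = ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub: Key, message: bytes) -> int:
    n, e = pub
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(priv: Key, ciphertext: int) -> bytes:
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")   # drops leading zero bytes


def digest(data: bytes) -> int:
    """SHA-256, truncated to 160 bits so the value sits below every toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def sign(priv: Key, data: bytes) -> int:
    n, d = priv
    return pow(digest(data), d, n)


def verify(pub: Key, data: bytes, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == digest(data)


def cert_body(subject: str, pub: Key) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_certificate(ca_priv: Key, subject: str, subject_pub: Key) -> Dict:
    """The CA binds a name to a public key by signing the pair."""
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(ca_priv, cert_body(subject, subject_pub))}


def check_certificate(ca_pub: Key, cert: Dict) -> bool:
    """Anyone holding the CA's public key can confirm the binding is intact."""
    return verify(ca_pub, cert_body(cert["subject"], cert["pub"]), cert["sig"])


# Distinct Mersenne primes per party so no two keys share a modulus (constructed).
CA_PUB, CA_PRIV = keygen(2**89 - 1, 2**107 - 1)
DELL_PUB, DELL_PRIV = keygen(2**127 - 1, 2**61 - 1)
SONY_PUB, SONY_PRIV = keygen(2**521 - 1, 2**31 - 1)


def exchange(order: bytes = b"PO-4471: 500 units") -> Dict[str, object]:
    """Dell sends Sony a signed, encrypted order using CA-issued certificates."""
    sony_cert = issue_certificate(CA_PRIV, "Sony", SONY_PUB)
    dell_cert = issue_certificate(CA_PRIV, "Dell", DELL_PUB)
    # Dell: trust Sony's key only after the CA's signature on it checks out.
    if not check_certificate(CA_PUB, sony_cert):
        raise ValueError("Sony certificate rejected")
    ciphertext = encrypt(sony_cert["pub"], order)
    signature = sign(DELL_PRIV, order)
    # Sony: decrypt, then verify Dell's signature with the key from Dell's certificate.
    received = decrypt(SONY_PRIV, ciphertext)
    authentic = check_certificate(CA_PUB, dell_cert) and verify(dell_cert["pub"], received, signature)
    # A certificate whose subject name was altered no longer verifies.
    tampered = dict(sony_cert, subject="Mallory")
    return {"received": received, "authentic": authentic,
            "tampered_accepted": check_certificate(CA_PUB, tampered)}


if __name__ == "__main__":
    print(exchange())
```

What the model leaves out is exactly what real certificates add: an expiry date, a revocation mechanism, a chain of intermediate CAs, and padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) without which raw RSA is malleable. The structure, though, is the one in Figure 13.5: the only key each party must already trust is the CA's.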

50 COMMUNICATIONS CONTROLS (CONTINUED)
A virtual private network (VPN) is a private network that uses a public network (usually the Internet) to connect users. VPNs have several advantages:
- they allow remote users to access the company network
- they provide flexibility
- organizations can impose their security policies through VPNs
Tunneling encrypts each data packet to be sent and places each encrypted packet inside another packet, so the public network carries only the outer packet.
Figure 13.6 Virtual private network and tunneling.

51 EMPLOYEE MONITORING SYSTEMS
Examples of employee monitoring systems: SpectorSoft, Websense.
Employee monitoring systems monitor employees’ computers, e-mail activities, and Internet surfing activities.

52 BUSINESS CONTINUITY PLANNING, BACKUP, AND RECOVERY
In the event of a major disaster, organizations can employ several strategies for business continuity, including:
- hot sites
- warm sites
- cold sites
- off-site data storage
The purpose of the business continuity plan is to keep the business operating after a disaster occurs. A hot site is a fully configured computer facility, with all services, communications links, and physical plant operations, that duplicates computing resources, peripherals, telephone systems, applications, and workstations. A warm site provides many of the same services and options as the hot site but typically does not include the actual applications the company needs. A cold site provides only rudimentary services and facilities, such as a building or room with heating, air conditioning, and humidity control. Off-site data storage is a service that allows companies to store valuable data in a secure location geographically distant from the company’s data centre.

53 INFORMATION SYSTEMS AUDITING
Types and examples of auditors:
- External: public accounting firm
- Government: Canada Revenue Agency
- Internal: work for specific organizations
- Specialist: IS auditors
In an IS environment, an audit is an examination of information systems, their inputs, outputs, and processing. External auditors, also referred to as independent auditors, work at a public accounting firm, auditing primarily financial statements. Government auditors work for the provincial or federal auditors general offices. Internal auditors work for specific organizations, and may have the Certified Internal Auditor (CIA) designation. Specialist auditors can be from a variety of fields. Information systems auditors, for example, may work for any of the above organizations, and may have a Certified Information Systems Auditor (CISA) designation.

54 CHAPTER CLOSING
There are five factors that contribute to the increasing vulnerability of information resources, such as smaller, faster, cheaper computers and storage devices. Human mistakes are unintentional errors. Social engineering is an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information.

55 CHAPTER CLOSING (CONTINUED)
There are ten types of deliberate attacks on information systems, such as espionage. The three risk mitigation strategies are risk acceptance, risk limitation, and risk transference. Information systems are protected with a wide variety of controls, such as security procedures, physical guards, and detection software.

56 CLOSING CASE
CASE 13.2 Passwords Are No Longer Enough. The Problem: We bank online, track our finances online, do our taxes online, and store our photos, our documents, and our data online. Further, we typically link our online accounts, with our e-mail addresses acting as universal user names, a problem that becomes worse as the number of our online accounts increases. Companies want the creation of an account to appear both private and simple. The problem with this scenario is that it makes security impossible. No matter how unique or complex you make them, passwords can no longer protect you.

57 CLOSING CASE
The Solution(s): Common actions people take to prevent hackers from discovering their passwords include creating strong passwords, multifactor authentication, and biometric systems (fingerprint readers and iris scanners). Unfortunately, no matter how strong your password is or how secure your multifactor authentication is, they can still be compromised. Furthermore, biometric systems have very little (if any) infrastructure support, and fingerprints and iris scans can be stolen.

58 CLOSING CASE
The Result: The ultimate problem with passwords is that they are a single point of failure, open to many types of attack. In the future, online identity verification will no longer be a password-based system; instead, the password will be only one part of a multifactor process. Biometrics will undoubtedly have an important role to play in future authentication systems; in fact, some devices might require a biometric confirmation just to use them. Fortunately, we don't have to wait until the future to protect ourselves. There are actions you can take; for example: using two-factor authentication whenever it's available; providing totally false answers to your security questions; cleaning up your online presence; and creating a unique, secure e-mail address that you never use for communications and use only for password recoveries.

59 CLOSING CASE
Discussion: Examine the strength of the passwords that you use. How vulnerable are your passwords to guessing? To brute-force hacking? Does the security burden fall primarily on the user? On the company that the user is doing business with? On both? Support your answer. Is it possible to ever have complete security in your online transactions? Why or why not? Explain your answer.
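To give the first discussion question something concrete to work with, the following Python is an added example (not from the textbook) that separates the two attacks the question names. Guessing is modelled as a lookup in a wordlist after undoing the substitutions cracking tools undo (case, leetspeak, trailing digits and punctuation); brute force is modelled as exhaustive search of the character set at an assumed guess rate. The wordlist, the leetspeak table and the two guess rates are constructed assumptions for the example, and the passphrase function shows why character-counting overstates strength against an attacker who knows how the password was built.

```python
import math
import string

# Constructed, tiny stand-in for an attacker's wordlist. Real lists built from
# breach dumps hold hundreds of millions of entries, so a miss here proves little.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                    "iloveyou", "monkey", "dragon", "football"}

# Substitutions a cracking rule set reverses before comparing ("P@ssw0rd" -> "password").
_LEET = str.maketrans("@$0135", "asoies")

ONLINE_RATE = 10.0      # assumed: guesses/s against a rate-limited login form
OFFLINE_RATE = 1e10     # assumed: guesses/s against a stolen database of fast hashes
SECONDS_PER_YEAR = 31_557_600


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it was probably derived from."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(_LEET)


def guessable(password: str) -> bool:
    """Guessing attack: does the password collapse to a wordlist entry?"""
    return normalize(password) in COMMON_PASSWORDS


def charset_size(password: str) -> int:
    """Alphabet an attacker must assume for a blind brute-force search."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on strength: bits needed to enumerate the whole keyspace."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Strength of a passphrase against an attacker who knows it is `word_count`
    words drawn from a list of `wordlist_size` (e.g. 4 words from a 7776-word
    diceware list). This is the honest figure; entropy_bits() on the same
    string counts characters and is far too optimistic."""
    return word_count * math.log2(wordlist_size)


def brute_force_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace (expected time is half of this)."""
    return charset_size(password) ** len(password) / guesses_per_second


def assess(password: str) -> dict:
    """Summary a user could read off for one of their own passwords."""
    return {
        "guessable": guessable(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "online_years": brute_force_seconds(password, ONLINE_RATE) / SECONDS_PER_YEAR,
        "offline_days": brute_force_seconds(password, OFFLINE_RATE) / 86_400,
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "L3tM31n", "correcthorsebatterystaple"):
        print(pw, assess(pw))
```

The instructive pair is `P@ssw0rd123!` and `correcthorsebatterystaple`: the first uses all four character classes and looks strong by the usual checklist, yet `guessable()` flags it immediately because it normalizes to `password`; the second is lowercase only but has a keyspace that no brute-force rate in the table exhausts, and its realistic strength is the roughly 52 bits from `passphrase_entropy_bits(4, 7776)`, not the 117 bits a character count suggests. This is the brute-force/guessing distinction the question asks about: the attacker picks the cheaper of the two, so the password has to resist both.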
