IT Security, Crime, Compliance, and Continuity

1 IT Security, Crime, Compliance, and Continuity
Part II. Data and Network Infrastructure Chapter 5 IT Security, Crime, Compliance, and Continuity

2 Chapter 5 Outline
5.1 Protecting Data and Business Operations
5.2 IS Vulnerabilities and Threats
5.3 Fraud, Crimes, and Violations
5.4 Information Assurance and Risk Management
5.5 Network Security
5.6 Internal Control and Compliance
5.7 Business Continuity and Auditing

3 5.1 Protecting Data and Business Operations
IT security: the protection of data, systems, networks, and operations. Technology defenses are necessary, but they are not sufficient, because protecting data and business operations also involves:
Implementing and enforcing acceptable use policies (AUPs).
Complying with government regulations and laws.
Making data available 24x7 while restricting access.
Promoting secure and legal sharing of information.

4 acceptable use policy (AUP)
An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the Internet. Many businesses and educational facilities require that employees or students sign an acceptable use policy before being granted a network ID. When you sign up with an Internet service provider (ISP), you will usually be presented with an AUP, which states that you agree to adhere to stipulations such as:
Not using the service as part of violating any law
Not attempting to break the security of any computer network or user
Not posting commercial messages to Usenet groups without prior permission
Not attempting to send junk or spam to anyone who doesn't want to receive it
Not attempting to mail bomb a site with mass amounts of e-mail in order to flood their server
Users also typically agree to report any attempt to break into their accounts.

5 IT Security Principles

6 Know Your Enemy and Your Risks
IT security risks are business risks. Threats range from high-tech exploits used to gain access to a company's networks to non-tech tactics such as stealing laptops or items of value. Common examples:
Malware (malicious software): viruses, worms, trojan horses, spyware, and disruptive or destructive programs
Insider error or action, either intentional or unintentional
Fraud
Fire, flood, or other natural disasters

7 IT at Work 5.1 $100 Million Data Breach
May 2006: a laptop and external hard drive belonging to the U.S. Dept of Veterans Affairs (VA) were stolen during a home burglary. Data on 26.5 million veterans and spouses had been stored in plaintext. VA Secretary Jim Nicholson testified before Congress that it would cost at least $10 million just to inform veterans of the security breach. Total cost of data breach: $100 million

8 Risks and Misuses
Risks: Cloud computing, Social networks, Phishing, Search engine manipulation
Misuses: Money laundering, Organized crime, Terrorist financing

9 IT Security Defense-in-Depth Model

10 5.2 IS Vulnerabilities and Threats
Unintentional: human error, environmental hazards, computer system failure
Intentional: hacking, malware, manipulation

11 Figure 5.4 How a computer virus can spread

12 Malware and Botnet Defenses
Anti-virus software
Firewalls
Intrusion detection systems (IDS)
Intrusion prevention systems (IPS)

13 Top 10 Anti-virus software

14 5.3 Fraud, Crimes, and Violations
Two categories of crime: violent and nonviolent. Fraud is a nonviolent crime because, instead of a gun or knife, fraudsters use deception, confidence, and trickery. Occupational fraud refers to the deliberate misuse of the assets of one's employer for personal gain.

15 Internal Fraud Prevention and Detection
IT has a key role to play in demonstrating effective corporate governance and fraud prevention. Internal fraud prevention measures are based on the same controls used to prevent external intrusions—perimeter defense technologies such as firewalls, scanners, and biometric access. Fraud detection can be handled by intelligent analysis engines using advanced data warehousing and analytics techniques.

16 5.4 IT and Network Security
Objectives of a defense strategy:
Prevention and deterrence
Detection
Containment
Recovery
Correction
Awareness and compliance

17 Figure 5.6 Major defense controls
Copyright 2012 John Wiley & Sons, Inc.

18 Major categories of general controls
Physical controls
Access controls
Biometric controls
Communication network controls
Administrative controls
Application controls
Endpoint security and control

19 Figure 5.7 Intelligent agents

20 Figure 5.8 Three layers of network security measures

21 PKI (Public Key Infrastructure)
A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and to manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential e-mail. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.

22 Tokens
Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something. Some may store cryptographic keys, such as a digital signature, or biometric data, such as fingerprint details. So

23 Figure 5.9 Where IT security mechanisms are located

24 Authentication
Questions to help authenticate a person:
1. Who are you? Is this person an employee, a partner, or a customer? Different levels of authentication would be set up for different types of people.
2. Where are you? For example, an employee who has already used a badge to access the building is less of a risk than an employee logging on from a remote site.
3. What do you want? Is this person accessing sensitive or proprietary information or simply gaining access to benign data?

25 5.6 Internal Control and Compliance
Internal control (IC) is a process designed to achieve:
Reliability of financial reporting
Operational efficiency
Compliance with laws, regulations, and policies
Safeguarding of assets

26 Symptoms of Fraud That Can Be Detected by Internal Controls
Missing documents
Delayed bank deposits
Numerous outstanding checks or bills
Employees who do not take vacations
A large drop in profits
A major increase in business with one particular customer
Customers complaining about double billing
Repeated duplicate payments
Employees with the same address or phone number as a vendor
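Several of the symptoms above (duplicate payments, employees sharing contact details with a vendor, employees who never take vacation) are exactly the kind of red flags the analysis engines mentioned under Internal Fraud Prevention can pick out of accounting data. The script below is an added example, not part of the slides: it runs those three checks over constructed sample records, and the data, field names and thresholds are assumptions for illustration.

```python
# Added example: simple internal-control fraud checks over constructed records.
from collections import Counter

# Constructed sample data (not real employees, vendors or payments).
EMPLOYEES = [
    {"id": "E1", "phone": "555-0101", "address": "12 Elm St", "vacation_days": 10},
    {"id": "E2", "phone": "555-0202", "address": "7 Oak Ave", "vacation_days": 0},
    {"id": "E3", "phone": "555-0303", "address": "3 Pine Rd", "vacation_days": 8},
]
VENDORS = [
    {"id": "V1", "phone": "555-0909", "address": "1 Main St"},
    {"id": "V2", "phone": "555-0202", "address": "7 Oak Ave"},  # same as E2
]
PAYMENTS = [
    {"vendor": "V1", "invoice": "INV-100", "amount": 1200.00},
    {"vendor": "V2", "invoice": "INV-200", "amount": 4500.00},
    {"vendor": "V2", "invoice": "INV-200", "amount": 4500.00},  # paid twice
    {"vendor": "V1", "invoice": "INV-101", "amount": 300.00},
]


def duplicate_payments(payments):
    """Repeated duplicate payments: same vendor, invoice and amount paid more than once."""
    counts = Counter((p["vendor"], p["invoice"], p["amount"]) for p in payments)
    return sorted(key for key, n in counts.items() if n > 1)


def employee_vendor_overlap(employees, vendors):
    """Employees whose phone number or address matches a vendor's (possible shell vendor)."""
    by_phone = {v["phone"]: v["id"] for v in vendors}
    by_addr = {v["address"].strip().lower(): v["id"] for v in vendors}
    hits = []
    for e in employees:
        if e["phone"] in by_phone:
            hits.append((e["id"], by_phone[e["phone"]], "phone"))
        addr = e["address"].strip().lower()
        if addr in by_addr:
            hits.append((e["id"], by_addr[addr], "address"))
    return hits


def no_vacation(employees, min_days=1):
    """Employees who took less than min_days of vacation (assumed threshold)."""
    return [e["id"] for e in employees if e["vacation_days"] < min_days]


def run_checks(employees, vendors, payments):
    """Collect all findings in one report for review by internal audit."""
    return {
        "duplicate_payments": duplicate_payments(payments),
        "employee_vendor_overlap": employee_vendor_overlap(employees, vendors),
        "no_vacation": no_vacation(employees),
    }
```

Each finding is a lead for an auditor to verify, not proof of fraud; a shared address may be a legitimate family-run supplier, so the checks feed a review queue rather than trigger action on their own.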

27 5.7 Business Continuity and Auditing
An important element in any security system is the business continuity plan, also known as the disaster recovery plan. The plan outlines the process by which businesses should recover from a major disaster. The purpose of a business continuity plan is to keep the business running after a disaster occurs. Each business function should have a valid recovery capability plan. The plan should be written so that it will be effective in case of disaster, not just in order to satisfy the auditors.

28 Risk-Management Analysis
Expected loss = P1 × P2 × L
where:
P1 = probability of attack
P2 = probability of the attack being successful
L = loss occurring if the attack is successful
Example: P1 = 0.02, P2 = 0.10, L = $1,000,000
Expected loss from this particular attack is P1 × P2 × L = 0.02 × 0.1 × $1,000,000 = $2,000

29 Ethical issues
Implementing security programs raises many ethical issues. Handling the privacy versus security dilemma is tough. Ethical and legal obligations may require companies to "invade the privacy" of employees and monitor their actions. Under the doctrine of duty of care, senior managers and directors should protect the company's business operations.
