1. Information Security Management Chapter 12

2. 12-2 “We Have to Design It for Privacy and Security.” Tension between Maggie and Ajit regarding terminology to use with Dr. Flores Common problem for techies when talking with business professionals –Use too much technical language

3. 12-3 PRIDE Design for Security

4. 12-4 Study Questions Q1: What is the goal of information systems security? Q2: How big is the computer security problem? Q3: How should you respond to security threats? Q4: How should organizations respond to security threats? Q5: How can technical safeguards protect against security threats? Q6: How can data safeguards protect against security threats? Q7: How can human safeguards protect against security threats? Q8: How should organizations respond to security incidents?

5. 12-5 Q1:What Is the Goal of Information Systems Security?

6. 12-6 Examples of Threat/Loss

7. 12-7 What Are the Sources of Threats?

8. Unauthorized data disclosureUnauthorized data disclosure—inadvertent release of data in violation of policy PretextingPretexting—pretending to be someone else via phone call PhishingPhishing—pretexting using email; email spoofing SpoofingSpoofing—disguising as a different IP address or different email sender, web spoofing IP spoofingIP spoofing—impersonating another computing system Email spoofingEmail spoofing—synonym for phishing Drive-by SniffingDrive-by Sniffing—intercepting computer communications Unauthorized Data Disclosure 12-8 Hacking, natural disasters, etc.

9. 12-9 Incorrect Data Modification Procedures not followed or incorrectly designed procedures Increasing a customer’s discount or incorrectly modifying employee’s salary Placing incorrect data on company Web site Improper internal controls on systems System errors Faulty recovery actions after a disaster

10. 12-10 Faulty Service Incorrect data modification Systems working incorrectly Procedural mistakes Programming errors IT installation errors Usurpation Denial of service (unintentional) Denial-of-service attacks (intentional)

11. 12-11 Loss of Infrastructure Human accidents Theft and terrorist events Disgruntled or terminated employee Natural disasters Advanced Persistent Threat (APT) or cyberwarfare

12. 155% increase in mobile malware apps from 2010 to 2011 Apps for snooping – track location, record phone calls, save and display chats and messages. “jailbreak” targeted at App Store of iPhone Sniffer programs to access Wi-Fi networks unauthorized. Kaspersky, Lookout, DroidSecurity, Sandboxing Performing a remote wipe of offending apps Mobile Security 12-12

13. 12-13 Q2: How Big Is the Computer Security Problem?

14. 12-14 Verizon–Secret Service Findings 2011 Number of data-loss security incidents reached all-time high, but number of data records lost fell dramatically for second year in a row Data theft most successful at small and medium-sized businesses

15. 12-15 Verizon–Secret Service Findings 2011 (cont'd) Four most frequent computer crimes 1.Criminal activity against servers 2.Viruses 3.Code insertion 4.Data loss on user computer

16. 12-16 Types of Attacks Experienced

17. 12-17 Intrusion Detection System (IDS) Computer program that senses when another computer is attempting to scan disk or otherwise access a computer “When I run an IDS on a computer on the public Internet,... I get more than 1,000 attempts, mostly from foreign countries. There is nothing you can do about it except use reasonable safeguards.”

18. 12-18 Q3: How Should You Respond to Security Threats?

19. 12-19 Q4: How Should Organizations Respond to Security Threats? Establish a company-wide security policy –What sensitive data to store –How it will process that data –Will data be shared with other organizations –How employees and others can obtain copies of data stored about them

20. 12-20 Q4: How Should Organizations Respond to Security Threats? (cont'd) –How employees and others can request changes to inaccurate data –What employees can do with their own mobile devices at work –What non-organizational activities employees can take with employee-owned equipment

21. 12-21 Security Safeguards as They Relate to the Five IS Components

22. 12-22 Q5: How Can Technical Safeguards Protect Against Security Threats?

23. Password Smart card Biometric Authentication methods Microchip embedded with identifying data Authentication by PIN Smart cards Fingerprints, face scans, retina scans See http://searchsecurity.techtarget.comhttp://searchsecurity.techtarget.com Biometric authentication Authenticate to network and other servers Single sign-on for multiple systems Identification and Authentication (Access) 12-23

24. Encryption algorithmsEncryption algorithms ( DES, 3DES, AES, blowfish, idea) Key—a number used to encrypt the data Symmetric encryption Asymmetric encryptionAsymmetric encryption—public/private key HTTPSHTTPS (HTTP + SSL/TLS) Secure Sock Layer (SSLSecure Sock Layer (SSL) (Predecessor of TLS) Transport Layer Security (TLS)Transport Layer Security (TLS) (DC, Privacy, PKE) Encryption Terminology 12-24

25. 12-25 Encryption: Essence of HTTPS (SSL or TLS)

26. 12-26 Firewalls

27. 12-27 Malware Types and Spyware and Adware Symptoms Viruses  Payload  Trojan horses  Worms  Beacons Spyware & Adware Symptoms

28. 12-28 Malware Safeguards 1.Install antivirus and antispyware programs 2.Scan frequently 3.Update malware definitions 4.Open email attachments only from known sources 5.Install software updates from legitimate sources 6.Browse only reputable Internet neighborhoods

29. 12-29 Design for Secure Applications SQL injection attack –Occurs when user enters SQL statement into a form instead of a name or other data –Accepted code becomes part of database commands issued –Improper data disclosure, data damage and loss possible –Well designed applications make injections ineffective

30. 12-30 InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts In this exercise, you and a group of your fellow students will investigate phishing attacks. Search the Web for phishing, be aware that your search may bring the attention of an active phisher. Therefore, do not give any data to any site that you visit as part of this exercise!

31. 12-31 Q6: How Can Data Safeguards Protect Against Security Threats?

32. 12-32 Q7: How can Human Safeguards Protect Against Security Threats?

33. 12-33 Account Administration Account Management  Standards for new user accounts, modification of account permissions, removal of unneeded accounts Password Management  Users should change passwords frequently Help Desk Policies

34. 12-34 Sample Account Acknowledgment Form

35. 12-35 Systems Procedures Data recovery; online recovery - the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally.

36. Firewall logs DBMS log-in records Web server logs Activity log analyses In-house and external security professionals Security testing How did the problem occur? Investigation of incidents Indication of potential vulnerability and needed corrective actions Learn from incidences Review and update security and safeguard policies Security Monitoring Functions 12-36

37. 12-37 What Is Necessary for Disaster Preparedness? Disaster ―Substantial loss of infrastructure caused by acts of nature, crime, or terrorism Appropriate location ―Avoid places prone to floods, earthquakes, tornadoes, hurricanes, avalanches, car/truck accidents ―Not in unobtrusive buildings, basements, backrooms, physical perimeter ―Fire-resistant buildings

38. 12-38 Hamina Data Center http://www.google.co m/about/datacenters /locations/hamina/ http://www.google.co m/about/datacenters /locations/hamina/ http://www.youtube.c om/watch?v=VChOEv KicQQ http://www.youtube.c om/watch?v=VChOEv KicQQ High-tech cooling system Google’s Data Center in Finland

39. What Is Necessary for Disaster preparedness? (cont’d) 12-39 Backup processing centers in geographically removed site Create backups for critical resources Contract with “hot site” or “cold site” provider Hot site provides all equipment needed to continue operations there Cold site provides space but you set up and install equipment www.ragingwire.com/managed_services?=recovery Periodically train and rehearse cutover of operations Cloud Backup: a service that provides users with a system for the backup and storage of computer files. A form of cloud computing backupcomputer files

40. 12-40 Q8: How Should Organizations Respond to Security Incidents?

41. 12-41 How Does the Knowledge in this Chapter Help You? Aware of threats to computer security as an individual, business professional and employee Know trade-offs of loss risks and cost of safeguards Ways to protect your computing devices and data Understand technical, data, and human safeguards Understand how organizations should respond to security incidents

42. 12-42 Guide: Metasecurity What are the security problems? What are the managers’ responsibilities for controls over the security system?

43. 12-43 Guide: The Final, Final Word Routine work will migrate to lower-labor-cost countries Be a symbolic-analytic worker  Abstract thinking  How to experiment  Systems thinking  Collaboration