Download presentation
Presentation is loading. Please wait.
Published byAugustus Jordan Modified over 9 years ago
1
© 2007 Prentice Hall, Inc.1 Using Management Information Systems David Kroenke Information Security Management
2
© 2007 Prentice Hall, Inc.2 Learning Objectives Know the sources of security threats. Understand management’s role for developing a security program. Understand the importance and elements of an organizational security policy. Understand the purpose and operation of technical safeguards.
3
© 2007 Prentice Hall, Inc.3 Learning Objectives (Continued) Understand the purpose and operation of data safeguards. Understand the purpose and operation of human safeguards. Learn techniques for disaster preparedness. Recognize the need for a security incidence- response plan.
4
© 2007 Prentice Hall, Inc.4 Sources of Threats Three sources of security problems are: human error and mistakes, malicious human activity, and natural events and disasters. Human errors and mistakes include accidental problems caused by both employees and nonemployees. An example is an employee who misunderstands operating procedures and accidentally deletes customer records. This category also includes poorly written application programs and poorly designed procedures.
5
© 2007 Prentice Hall, Inc.5 Sources of Threats (Continued) The second source of security problems is malicious human activity. This category includes employees and former employees who intentionally destroy data or other systems components. It also includes hackers who break into a system and virus and worm writers who infect computer systems. Malicious human activity also includes outside criminals who break into a system to steal for financial gain; it also includes terrorism.
6
© 2007 Prentice Hall, Inc.6 Sources of Threats (Continued) Natural events and disasters are the third source of security problems. This category includes fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature. Problems in this category include not only the initial loss of capability and service, but also losses stemming from actions to recover from the initial problem.
7
© 2007 Prentice Hall, Inc.7 Problem Types Five types of security problems are: Unauthorized data disclosure Incorrect data modification Faulty service Denial of service Loss of infrastructure
8
© 2007 Prentice Hall, Inc.8 Figure 11-1 Security Problems and Sources
9
© 2007 Prentice Hall, Inc.9 Unauthorized Data Disclosure Unauthorized data disclosure can occur by human error when someone inadvertently releases data in violation of a policy. An example at a university would be a new department administrator who posts student names, numbers, and grades in a public place. The popularity and efficacy of search engines has created another source of inadvertent disclosure. Employees who place restricted data on Web sites that can be reached by search engines may mistakenly publish proprietary or restricted data over the Web.
10
© 2007 Prentice Hall, Inc.10 Unauthorized Data Disclosure (Continued) Pretexting occurs when someone deceives by pretending to be someone else. A common scam involves a telephone caller who pretends to be from a credit card company and claims to be checking the validity of credit card numbers. Phishing is a similar technique for obtaining unauthorized data that uses pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, Social Security numbers, account passwords, and so forth.
11
© 2007 Prentice Hall, Inc.11 Unauthorized Data Disclosure (Continued) Spoofing is another term for someone pretending to be someone else. If you pretend to be your professor, you are spoofing your professor. IP spoofing occurs when an intruder uses another site’s IP address as if it were that other site. Email spoofing is a synonym for phishing.
12
© 2007 Prentice Hall, Inc.12 Unauthorized Data Disclosure (Continued) Sniffing is a technique for intercepting computer communications. With wired networks, sniffing requires a physical connection to the network. With wireless networks, no such connection is required. Drive-by sniffers simply take computers with wireless connections through an area and search for unprotected wireless networks. Even protected wireless networks are vulnerable. Other forms of computer crime include breaking into networks to steal data such as customer lists, product inventory data, employee data, and other proprietary and confidential data.
13
© 2007 Prentice Hall, Inc.13 Incorrect Data Modification Incorrect data modification can occur through human error when employees follow procedures incorrectly or when procedures have been incorrectly designed. Examples include incorrectly increasing a customer’s discount or incorrectly modifying an employee’s salary. Hacking occurs when a person gains unauthorized access to a computer system. Examples include reducing account balances or causing the shipment of goods to unauthorized locations and customers.
14
© 2007 Prentice Hall, Inc.14 Faulty Service Faulty service includes problems that result because of incorrect system operation. Faulty service could include incorrect data modification, as previously described. It also could include systems that work incorrectly, by sending the wrong goods to the customer or the ordered goods to the wrong customer, incorrectly billing customers, or sending the wrong information to employees.
15
© 2007 Prentice Hall, Inc.15 Faulty Service (Continued) Usurpation occurs when unauthorized programs invade a computer system and replace legitimate programs. Faulty service can also result from mistakes made during the recovery from natural disasters.
16
© 2007 Prentice Hall, Inc.16 Denial of Service Human error in following procedures or a lack of procedures can result in denial of service. For example, humans can inadvertently shut down a Web server or corporate gateway router by starting a computationally intensive application. Denial-of-service attacks can be launched maliciously. A malicious hacker can flood a Web server, for example, with of millions of bogus services requests that so occupy the server that it cannot service legitimate requests. Natural disasters may cause systems to fail, resulting in denial of service.
17
© 2007 Prentice Hall, Inc.17 Loss of Infrastructure Human accidents can cause loss of infrastructure. Examples are a bulldozer cutting a conduit of fiber-optic cables and the floor buffer crashing into a rack of Web servers. Theft and terrorist events also cause loss of infrastructure. A disgruntled, terminated employee can walk off with corporate data servers, routers, or other crucial equipment. Natural disasters present the largest risk for infrastructure loss. A fire, flood, earthquake, or similar event can destroy data centers and all they contain.
18
© 2007 Prentice Hall, Inc.18 The Security Program A security has three components: Senior management involvement: Senior management must establish the security policy This policy sets the stage for the organization to respond to threats. Senior management must manage risk by balancing the costs and benefits of the security program. Safeguards of various kinds. Safeguards are protections against security threats. Safeguards involve computer hardware and software, data, procedures and people.
19
© 2007 Prentice Hall, Inc.19 The Security Program (Continued) A security has three components: (continued) Incident response A security program consists of the organization’s planned response to security incidents.
20
© 2007 Prentice Hall, Inc.20 Figure 11-2 Security Safeguards as They Relate to the Five Components
21
© 2007 Prentice Hall, Inc.21 The NIST Handbook of Security Elements When you manage a department, you have the responsibility for information security in that department, even if no one tells you that you do. Security can be expensive. Computer security should have an appropriate cost- benefit ratio. Cost can be direct, such as labor costs; and they can be intangible, such as employee or customer frustration Managers should assign specific tasks to specific people or specific job functions.
22
© 2007 Prentice Hall, Inc.22 The NIST Handbook of Security Elements (Continued) There is no magic bullet for security. Security is a continuing need, and every company must periodically evaluate its security program. Social factors put some limits on security programs.
23
© 2007 Prentice Hall, Inc.23 Figure 11-3 Elements of Computer Security Source: National Institute of Standards and Technology, Introduction to Computer Security; The NIST Handbook, Publication 800-12, p.9.
24
© 2007 Prentice Hall, Inc.24 Security Policy A security policy has three elements: A general statement of the organization’s security program. Management specifies the goals of the security program and the assets to be protected. A department is designated for managing the organization’s security program and documents. Issue-specific policy For example, management might formulate a policy on personal use of computers at work and email privacy.
25
© 2007 Prentice Hall, Inc.25 Security Policy (Continued) A security policy has three elements: (continued) System-specific policy is concerned with specific information systems. For example, what customer data from the order entry system will be sold or shared with other organizations?
26
© 2007 Prentice Hall, Inc.26 Risk Management Risk is the likelihood of an adverse occurrence. Management cannot manage threats directly, but it can manage the likelihood that threats will be successful. Companies can reduce risks, but always at a cost. Uncertainty refers to the things we don’t know that we don’t know.
27
© 2007 Prentice Hall, Inc.27 Figure 11-4 Risk Assessment
28
© 2007 Prentice Hall, Inc.28 Risk-Management Decisions After reviewing the risk assessment, senior management must decide what to do. Companies can protect some assets by use of inexpensive and easily implemented safeguards. Installing virus protection software is an example. Some vulnerability is expensive to eliminate, and management must determine if the costs of the safeguard are worth the benefit of probable loss reduction.
29
© 2007 Prentice Hall, Inc.29 Figure 11-5 Technical Safeguards
30
© 2007 Prentice Hall, Inc.30 Identification and Authentication Every information system today should require users to sign in with a user name and password. The user name identifies the user (the process of identification), and the password authenticates the user (the process of authentication)
31
© 2007 Prentice Hall, Inc.31 Smart Cards A smart card is a plastic card similar to a credit card, which has a microchip. The microchip is loaded with identifying data.
32
© 2007 Prentice Hall, Inc.32 Biometric Authentication Biometric authentication uses personal physical characteristics such as fingerprints, facial features, and retinal scans to authenticate users. Biometric authentication provides strong authentication, but the required equipment is expensive. Biometric authentication is in the early stages of adoption.
33
© 2007 Prentice Hall, Inc.33 Single Sign-on for Multiple Systems Today’s operating systems have the capability to authenticate you to networks and other servers. You sign on to your local computer and provide authentication data; from that point on, your operating system authenticates you to another network or server, which can authenticate you to yet another network and server, and so forth. A system called Kerberos authenticates users without sending their passwords across the computer network.
34
© 2007 Prentice Hall, Inc.34 Wireless Access Drive-by sniffers can walk or drive around business or residential neighborhoods with a wireless computer and locate dozens, or even hundreds, of wireless networks. The IEEE 802.11 Committee, the group that develops and maintains wireless standards, first developed a wireless security standard called Wired Equivalent Privacy (WEP).
35
© 2007 Prentice Hall, Inc.35 Wireless Access (Continued) Unfortunately, WEP was insufficiently tested before it was deployed, and it has serious flaws. The IEEE 802.11 committee developed improved wireless security standards known as WPA (Wi-Fi Protected Access) and a newer, better version, called WPA2. Only newer wireless devices can use these techniques.
36
© 2007 Prentice Hall, Inc.36 Encryption Senders use a key to encrypt a plaintext message and then send the encrypted message to a recipient, who then uses a key to decrypt the message. With symmetric encryption, both parties use the same key. With asymmetric encryption, the parties use two keys, one that is public and one that is private.
37
© 2007 Prentice Hall, Inc.37 Encryption (Continued) Secure Socket Layer (SSL) is a protocol that uses both asymmetric and symmetric encryption. With SSL, asymmetric encryption transmits a symmetric key. Both parties then use that key for symmetric encryption for the balance of that session. SSL version 1.0 had problems, most of which were removed in version 3.0, which is the version Microsoft endorsed. A later version, with more problems fixed, was renamed Transport Layer Security (TLS).
38
© 2007 Prentice Hall, Inc.38 Figure 11-6 Basic Encryption Techniques
39
© 2007 Prentice Hall, Inc.39 Digital Signatures Digital signatures ensure that plaintext messages are received without alterations. The plaintext message is first hashed. Hashing is a method of mathematically manipulating the message to create a string of bits that characterize the message. The bit string, called the message digest, has a specified, fixed length, regardless of the length of the plaintext. Hashing is a one-way process. Hashing techniques are designed so that if someone changes any part of a message, rehashing the changed message will create a different message digest.
40
© 2007 Prentice Hall, Inc.40 Digital Signatures (Continued) Authentication programs use message digests to ensure that plaintext messages have not been altered. The idea is to create a message digest for the original message and send the message and the message digest to the receiver. The receiver hashes the message it received and compares the resulting message digest to the message digest that was sent with the message. If the two message digests are the same, then the receiver knows that the message was not altered.
41
© 2007 Prentice Hall, Inc.41 Figure 11-7 Digital Signatures for Message Authentication Source: Ray Panko, Corporate Computer and Network Security, 1 st Edition, © 2004. Reprinted by permission of Pearson Education, Inc., Upper Saddle River, NJ
42
© 2007 Prentice Hall, Inc.42 Digital Certificates When using public keys, a message recipient must know that it has the true party’s public key. To solve this problem, trusted, independent third- party companies, called certificate authorities (CAs), supply public keys Thus, for your browser to obtain the public key for Bank of America, either to conduct a secure session using SSL/TLS or to authenticate a digital signature, your browser will obtain Bank of America’s public key from a certificate authority.
43
© 2007 Prentice Hall, Inc.43 Digital Certificates (Continued) Your browser will receive a digital certificate from the CA that contains among other data, the name of Bank America and Bank of America’s public key. Your browser will verify the name and then use that public key. The CA signs the digital certificate with its digital signature.
44
© 2007 Prentice Hall, Inc.44 Firewalls A firewall is a computing device that prevents unauthorized network access. It can be a special- purpose computer or a program on a general- purpose computer or on a router Organizations normally use multiple firewalls. A perimeter firewall sits outside the organization network; it is the first device that Internet traffic encounters. Some organizations employ internal firewalls inside the organizational network in addition to the perimeter firewall.
45
© 2007 Prentice Hall, Inc.45 Firewalls (Continued) A packet-filtering firewall examines each packet and determines whether to let the packet pass. Packet-filtering firewalls can prohibit outsiders from starting a session with any user behind the firewall. They can also disallow traffic from particular sites, such as known hacker addresses. They can also prohibit traffic from legitimate, but unwanted addresses, such as competitors’ computers. Firewalls can filter outbound traffic as well.
46
© 2007 Prentice Hall, Inc.46 Firewalls (Continued) A firewall has an access control list (ACL), which encodes the rules stating which packets are to be allowed and which are to be prohibited. No computer should connect to the Internet without firewall protection. Many ISPs provide firewalls for their customers.
47
© 2007 Prentice Hall, Inc.47 Figure 11-8 Use of Multiple Firewalls
48
© 2007 Prentice Hall, Inc.48 Malware Protection The term malware has several definitions. Our focus will be on the broadest one: malware is viruses, worms, Trojan horses, spyware, and adware.
49
© 2007 Prentice Hall, Inc.49 Spyware and Adware Spyware programs are installed on the user’s computer without the user’s knowledge. Spyware resides in the background and, unknown to the user, observes the user’s actions and keystrokes, monitors computer activity, and reports the user’s activities to sponsoring organizations.
50
© 2007 Prentice Hall, Inc.50 Spyware and Adware (Continued) Adware is similar to spyware in that it is installed without the user’s permission and resides in the background and observes user behavior. Most adware is benign in that it does not perform malicious acts or steal data. Adware produces pop-up ads and can also change the user’s default window or modify search results and switch the user’s search engine.
51
© 2007 Prentice Hall, Inc.51 Figure 11-9 Spyware and Adware Symptoms
52
© 2007 Prentice Hall, Inc.52 Malware Safeguards Install antivirus and antispyware programs on your computer. Set up your anti-malware programs to scan your computer frequently. Update malware definitions. Open email attachments only from known sources.
53
© 2007 Prentice Hall, Inc.53 Malware Safeguards (Continued) Promptly install software updates from legitimate sources. Browse only in reputable Internet neighborhoods.
54
© 2007 Prentice Hall, Inc.54 Malware Is a Serious Problem America Online (AOL) and the National Cyber Security Alliance conducted a malware study using Internet users in 2004. They asked the users a series of questions and then, with the users permission, they scanned the users computers to determine how accurately the users understood malware problems on their own computers.
55
© 2007 Prentice Hall, Inc.55 Figure 11-10 Malware Survey Results Source: AOL/NCSA Online Safety Study, October 2004, stayssafeonline.info/news/safety-study-V04.pdf (accessed March 2005).
56
© 2007 Prentice Hall, Inc.56 Data Safeguards Data safeguards are measures used to protect databases and other organizational data.. The organization should protect sensitive data by storing it in encrypted form. Such encryption uses one or more keys in ways similar to that described for data communication encryption. Backup copies of the database contents should be made periodically.
57
© 2007 Prentice Hall, Inc.57 Data Safeguards (Continued) The organization should store at least some of the database backup copies off premises, possibly in a remote location. IT personnel should periodically practice recovery, to ensure that the backups are valid and that effective recovery procedures exist. The computers that run the DBMS and all devices that store database data should reside in locked, controlled-access facilities.
58
© 2007 Prentice Hall, Inc.58 Figure 11-11 Data Safeguards
59
© 2007 Prentice Hall, Inc.59 Human Safeguards–Position Definitions Effective human safeguards begin with definitions of job tasks and responsibilities. Given appropriate job descriptions, user accounts should be defined to give users the least possible privilege needed to perform their jobs. The security sensitivity should be documented for each position.
60
© 2007 Prentice Hall, Inc.60 Human Safeguards–Hiring and Screening Security considerations should be part of the hiring process. When hiring for high-sensitive positions, however, extensive screening interviews, references, and high background investigations are appropriate. This also applies to employees who are promoted into sensitive positions.
61
© 2007 Prentice Hall, Inc.61 Human Safeguards–Dissemination and Enforcement Employees need to be made aware of the security policies, procedures, and responsibilities they will have. Employee security training begins during new- employee training with the explanation of general security policies and procedures. Enforcement consists of three interdependent factors: responsibility, accountability, and compliance.
62
© 2007 Prentice Hall, Inc.62 Human Safeguards–Termination Companies must establish security policies and procedures for the termination of employees. Standard human resources policies should ensure that system administrators receive notification in advance of the employee’s last day, so that they can remove accounts and passwords. The need to recover keys for encrypted data and any other special security requirements should be part of the employee’s out-processing.
63
© 2007 Prentice Hall, Inc.63 Figure 11-12 Security Policy for In-House Staff
64
© 2007 Prentice Hall, Inc.64 Human Safeguards for Nonemployee Personnel Business requirements may necessitate opening information systems to nonemployee personnel- temporary personnel, vendors, partner personnel (employees of business partners), and the public. In the case of temporary, vendor, and partner personnel, the contracts that govern the activity should call for security measures appropriate to the sensitivity of the data and IS resource involved.
65
© 2007 Prentice Hall, Inc.65 Human Safeguards for Nonemployee Personnel (Continued) Companies should require vendors and partners to perform appropriate screening and security training. The best safeguard from threats from public users is to harden the Web site or other facility against attack as much as possible. Hardening a site means to take extraordinary measures to reduce a system’s vulnerability.
66
© 2007 Prentice Hall, Inc.66 Human Safeguards for Nonemployee Personnel (Continued) Hardened sites use special versions of the operating system, and they lock down or eliminate operating systems features and functions that are not required by the application.
67
© 2007 Prentice Hall, Inc.67 Account Administration The administration of user accounts, passwords, and help-desk policies and procedures are important components of the security system.
68
© 2007 Prentice Hall, Inc.68 Account Management Account management concerns the creation of new user accounts, the modification of existing account permissions, and the removal of unneeded accounts. Information system administrators perform all of these tasks, but account users have the responsibilities to notify the administrators of the need for these actions.
69
© 2007 Prentice Hall, Inc.69 Password Management Passwords are the primary means of authentication. Passwords are important not just for access to the user’s computer, but also for authentication to other networks and servers to which the user may have access. Because of the importance of passwords, NIST recommends that employees be required to sign statements known as account acknowledgement forms.
70
© 2007 Prentice Hall, Inc.70 Password Management (Continued) When an account is created, users should immediately change the password they are given to a password of their own. Well-constructed systems require the user to change the password on first use. Some systems will require a password change every 3 months or perhaps more frequently.
71
© 2007 Prentice Hall, Inc.71 Figure 11-13 Sample Account Acknowledgment Form Source: National Institute of Standards and Technology, Introduction to Computer Security: The NIST Handbook, Publication 800-12, p. 114.
72
© 2007 Prentice Hall, Inc.72 Help-Desk Policies Many systems give the help-desk representative a means of authenticating the user. Typically, the help-desk information system has answers to questions that only the true user would know such as: User’s birthplace Mother’s maiden name Last four digits of an important account number
73
© 2007 Prentice Hall, Inc.73 Figure 11-14 System Procedures
74
© 2007 Prentice Hall, Inc.74 System Procedures Procedures exist for both users and operations personnel. For each type of user, the company should develop procedures for normal, backup, and recovery operations. Normal-use procedures should provide safeguards appropriate to the sensitivity of the information system.
75
© 2007 Prentice Hall, Inc.75 System Procedures (Continued) Backup procedures concern the creation of backup data to be used in the event of failure. Where as operations personnel have the responsibility for backing up system databases and other systems data, departmental personnel have the need to back up data on their own computers. Systems analysts should develop procedures for system recovery.
76
© 2007 Prentice Hall, Inc.76 System Monitoring Important monitoring functions are activity log analyses, security testing, and investigating and learning from security incidents. Many information system programs produce activity logs. Firewalls produce logs of their activities, including lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall. DBMS products produce logs of successful and failed log- ins.
77
© 2007 Prentice Hall, Inc.77 System Monitoring (Continued) Web servers produce voluminous logs of Web activities. The operating systems in personal computers can produce logs of log-ins and firewall activities. An important security function is to analyze activity logs for threats patterns, successful and unsuccessful attacks, and evidence of security vulnerabilities.
78
© 2007 Prentice Hall, Inc.78 System Monitoring (Continued) Companies should test their security programs. Both in-house personnel and outside security consultants should conduct such testing. Security incidents need to be investigated. New technology changes the security landscape, and new threats arise. Security, like quality, is an ongoing process.
79
© 2007 Prentice Hall, Inc.79 Disaster Preparedness The best safeguard against disaster is appropriate location. If possible, place computing centers, Web farms, and other computer facilities in locations not prone to floods, earthquakes, hurricanes, tornados, or avalanches. Even in these locations, place infrastructure in unobtrusive buildings, basements, backrooms, and similar locations well within the physical perimeter of the organization. Locate computing infrastructure in fire-resistant buildings designed to house expensive and critical equipment.
80
© 2007 Prentice Hall, Inc.80 Disaster Preparedness (Continued) Even at a good location, disasters do occur. Some businesses prepare backup processing centers in locations geographically removed from the primary processing site. Organizations create backups for the critical resources at the remote processing centers.
81
© 2007 Prentice Hall, Inc.81 Disaster Preparedness (Continued) Hot sites are remote processing centers run by commercial disaster-recovery services. For a monthly fee, they provide all the equipment needed to continue operations following a disaster. Cold sites provide office space, but customers themselves provide and install the equipment needed to continue operations. Preparing a backup facility is very expensive; however, the costs of establishing and maintaining that facility are a form of insurance.
82
© 2007 Prentice Hall, Inc.82 Figure 11-15 Disaster Preparedness
83
© 2007 Prentice Hall, Inc.83 Incident Response Every organization should have an incident-response plan as part of the security program. No organization should wait until some asset has been lost or compromised before deciding what to do. The plan should include how employees are to respond to security problems: Whom they should contact The reports they should make The steps they can take to reduce further loss
84
© 2007 Prentice Hall, Inc.84 Incident Response (Continued) The plan should provide centralized reporting of all security incidents. The incident-response plan should identify critical personnel and their off-hours contact information.
85
© 2007 Prentice Hall, Inc.85 Figure 11-16 Factors in incident Response
86
© 2007 Prentice Hall, Inc.86 Summary Computer threats come from human errors and mistakes, malicious human activity, and natural disaster. Five types of security problems are unauthorized data disclosure, incorrect data modification, faulty service, denial of service, and loss of infrastructure. Management has two critical security functions: establishing a security policy and managing security risk.
87
© 2007 Prentice Hall, Inc.87 Summary (Continued) A security policy consists of a program policy statement (why, what, who, and how), an issue- specific policy, and a systems-specific policy. Risk is the likelihood of an adverse occurrence. Management must assess assets, threats, safeguards, vulnerability, consequences, likelihood, and probable loss to decide what security safeguards to implement.
88
© 2007 Prentice Hall, Inc.88 Summary (Continued) Safeguards are classified into technical, data, and human categories. Disaster preparedness safeguards include asset location, identification of mission-critical systems, and the preparation of remote backup facilities. Organizations should prepare for security incidents ahead of time by developing a plan, ensuring centralized reporting, defining responses to specific threats, and practicing the plan.
89
© 2007 Prentice Hall, Inc.89 Key Terms and Concepts Access control list (ACL) Accounting controls Adware Asymmetric encryption Authentication Biometric authentication Certificate authority (CA) Cold site Denial of service Digital certificate Digital signatures Drive-by-sniffer Email spoofing Encryption Firewall Gramm-Leach-Bliley (GLB) Act Hacking Hardening Hashing Health Insurance Portability and Accountability Act (HIPPA) Hot site Identification Internal firewall IP spoofing
90
© 2007 Prentice Hall, Inc.90 Key Terms and Concepts (Continued) Kerberos Key escrow Malware Malware definitions Message digest Packet-filtering firewall Perimeter firewall Personal identification number (PIN) Phishing Pretexting Privacy Act of 1974 Risk Safeguard Secure Socket Layer (SSL) Security policy Security program Smart card Sniffing Spoofing Spyware Symmetric encryption Technical safeguard Technical Layer Security (TLS)
91
© 2007 Prentice Hall, Inc.91 Key Terms and Concepts (Continued) Uncertainty Usurpation Vulnerability White-hat hacker Wi-Fi Protected Access (WPA, WPA2) Wired Equivalent Privacy (WEP)
92
© 2007 Prentice Hall, Inc.92 Problem Solving Guide–Testing Security The combination of bias and dissimilar worldviews means that security systems cannot be tested by the people who build them, or at least not only by the people who built the system. Therefore, many companies hire outsiders to test the security of their systems. White hat hackers are people who break into networks for the purpose of helping the organization that operates the network.
93
© 2007 Prentice Hall, Inc.93 Problem Solving Guide–Testing Security (Continued) White-hat hackers report the problems they find and suggest solutions-or at least they are supposed to. A second problem concerns results: “Never ask a question for which you don’t want the answer” If the problems found are severe and widespread, they may be too expensive to fix Or, they may require more attention than management is able to supply
94
© 2007 Prentice Hall, Inc.94 Security Guide–Metasecurity Metasecurity is security about security “How do we secure the security system?” The accounting profession has dealt with some of these problems for decades and has developed a set of procedures and standards know as accounting controls. In general, these controls involve procedures that provide checks and balances, independent reviews of activity logs, control of critical assets, and so forth. Properly designed and implemented, such controls will catch the help-desk representative performing unauthorized account transfers.
95
© 2007 Prentice Hall, Inc.95 Security Guide–Metasecurity (Continued) Many computer networks threats are new, proper safeguards are under development, and some threats are not yet known. The safeguards for some problems have unexpected consequences. Ironically, the answers for many metasecurity problems lie in openness. Encryption experts generally agree that any encryption algorithm that relies on secrecy is ultimately doomed, because the secret will get out.
96
© 2007 Prentice Hall, Inc.96 Security Guide–Metasecurity (Continued) WEP was unwisely deployed before it was tested, and thousands upon thousands of wireless networks are vulnerable as a result. Hardware and software are only part of the problem. Metasecurity extends to the data, procedures, and people components as well.
97
© 2007 Prentice Hall, Inc.97 Ethics Guide–Security Privacy Some organizations have legal requirements to protect the customer data they collect and store, but the laws may be more limited than you think: Gramm-Leach-Bliley (GLB) Act Privacy Act of 1974 Health Insurance Portability and Accountability Act (HIPAA) Most consumers would say, however, that online retailers have an ethical requirement to protect a customer’s credit card.
98
© 2007 Prentice Hall, Inc.98 Ethics Guide–Security Privacy (Continued) What requirements does your university have on the data it maintains about you? State Law or university policy may govern those records, but no federal law does. What you write is no longer your personal data; it belongs to the academic community. You can ask your professor what she intends to do with your coursework, emails, and office conversations, but none of those data are protected by law.
99
© 2007 Prentice Hall, Inc.99 Ethics Guide–Security Privacy (Continued) The bottom line: Be careful with your personal data. Large, reputable organizations are likely to endorse an ethical privacy policy and to have strong and effective safeguards to effectuate that policy but individuals and small organizations may not. If in doubt, ask.
100
© 2007 Prentice Hall, Inc.100 The managers talk about threats, and safeguards, and risk, and uncertainty, and all the things they want us to do to improve security “Has any manager ever watched people work in this department?” “Walk through the cubicles and watch what is happening” “I’ll bet half the employees have never changed their password” “Or, open the top drawer of any of my coworkers desks and guess what you’ll find” “I’ve mentioned this to Martha several times, but nothing ever happens” “What we need is a good scare. We need someone to break into the system using one of those passwords and do some damage” Opposing Forces Guide–Security Assurance, Hah!
101
© 2007 Prentice Hall, Inc.101 Reflection Guide–The Final, Final Word I believe that, today, computer communications and data storage are free-or so close to free that the cost is not worth mentioning. Free communication and data storage will cause fundamental changes in the business environment.
102
© 2007 Prentice Hall, Inc.102 Reflection Guide–The Final, Final Word (Continued) I suspect the rate of technology development will slow in the next five years. Businesses are still digesting the technology that already exists. Businesses are configuring themselves to take advantage of the new opportunities. Fiber-optic will come to my home (and yours) when telecom companies buy today’s dark fiber for pennies on the dollar and light it up. With fiber-optic cable to my house, goodbye video store! Hello DK Enterprises-Internet broadcaster of my music library and sailing photos
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.