Security and Ethical Challenges


1 Security and Ethical Challenges
Module V – Management Challenges: Security and Ethical Challenges

2 Learning Objectives Identify several ethical issues in how the use of information technologies in business affects employment, individuality, working conditions, privacy, crime, health, and solutions to societal problems. Identify several types of security management strategies and defences, and explain how they can be used to ensure the security of business applications of information technology. Propose several ways that business managers and professionals can help to lessen the harmful effects and increase the beneficial effects of the use of information technology.

3 Security and Ethics Major Security Challenges
Section I: Security and Ethics. Major Security Challenges; Serious Ethical Questions; Threats to Business and Individuals; Real World Case 1: F-Secure, Microsoft, GM, and Verizon: The Business Challenge of Computer Viruses. Section I begins the discussion of security and ethics. The threats to businesses and individuals exposed to risk of this type should be explained.

4 Security and Ethics Business/IT Security, Ethics, and Society Privacy
Business/IT Security, Ethics, and Society: Employment, Privacy, Health, Crime, Individuality, Working Conditions. Use the animated graphic to identify the universe of issues surrounding business/IT security, ethics and society.

5 Social Contract Theory Stakeholder Theory
Security and Ethics Ethical Responsibility Business Ethics Stockholder Theory Social Contract Theory Stakeholder Theory Begin the discussion of business ethics. Compare and contrast the three alternative theories of ethical obligations to the various constituencies in the business world.

6 Security and Ethics Ethical Responsibility
Use the text graphic to explain some of the ethical issues in the corporate world.

7 Security and Ethics Technology Ethics
Use the text graphic to describe the variables in the principles of technology ethics.

8 Security and Ethics Ethical Guidelines
Use the text graphic to describe and explain the AITP standards of professional conduct.

9 Security and Ethics Enron Corporation: Failure in Business Ethics
Drove Stock Prices Higher Never Mentioning Any Weaknesses Promised Much – Delivered Little Finally Admitted Overstated Earnings by $586 Million in 1997 1998 Third Quarter Loss $638 Million – Filed Bankruptcy Greed and Mismanagement Destroyed a Potentially Successful Business Plan The Enron Corporation mini-case, as expected, addresses the massive failure in business ethics that led to the firm's bankruptcy and demise. In summary, greed and mismanagement destroyed what was described as a potentially successful business plan.

10 Security Management Security is 6 to 8% of IT Budget in Developing Countries 63% Have or Plan to Have Position of Chief Privacy or Information Officer in the Next Two Years 40% Have a Chief Privacy Officer and Another 6% Intend One in the Next Two Years 39% Acknowledge that their Systems Have Been Compromised in the Past Year 24% Have Cyber Risk Insurance and 5% Intend to Acquire Such Coverage The detailed points of this slide examine some of the statistics presented in the text regarding firms' dealing with security management issues. Some of the statistics are quite dramatic. This discussion continues on the next slide…

11 Security Management
Security Technology Used: Antivirus 96%; Virtual Private Networks 86%; Intrusion-Detection Systems 85%; Content Filtering/Monitoring 77%; Public-Key Infrastructure 45%; Smart Cards 43%; Biometrics 19%. Use the animated graphic to explain and contrast the security technologies in use today.

12 Security Management PayPal, Inc. Cybercrime on the Internet
Online Payment Processing Company Observed Questionable Accounts Being Opened Froze Accounts Used to Buy Expensive Goods For Purchasers in Russia Used Sniffer Software and Located Users Capturing PayPal IDs and Passwords More than $100,000 in Fraudulent Charges Crooks Arrested by FBI The PayPal Incorporated mini-case cites an example of cybercrime on the Internet. This on-line payment processing company used software to observe the opening of questionable accounts. These accounts were used to buy expensive goods being sent to Russia. The accounts were frozen and PayPal used Sniffer Software to identify the criminals. The individuals believed themselves to be safe since they were in Russia; however, the FBI used a ruse to draw them out and arrested them on more than $100,000 in fraudulent charges.

13 Security Management Hacking Cyber Theft Unauthorized Use of Work
Computer Crime Hacking Cyber Theft Unauthorized Use of Work Piracy of Intellectual Property Computer Viruses and Worms Other forms of computer crime are addressed including hacking, unauthorized use of systems and copyright as well as computer viruses and worms.

14 Security Management Examples of Common Hacking
Use the text graphic to explain the common forms of system hacking.

15 Security Management Recourse Technologies: Insider Computer Crime
Link Between Company Financial Difficulty and Insider Computer Crimes Use of “Honey Pots” Filled with Phony Data to Attract Hackers Software Catches Criminal Activity in Seconds Crime Exposed and Stopped The Recourse Technologies mini-case addresses a discovered link between financial difficulty or hard times in a company and the level of insider crime. They filled their computer with "Honey Pots" filled with phony data designed to attract hackers. Once a hacker reaches the data, software reports the criminal activity in seconds. On many occasions the source of the criminal activity was an insider.

16 Security Management Internet Abuses in the Workplace
Use the text graphic to define and discuss the nature of Internet abuses in the workplace.

17 Security Management Network Monitoring Software
Most firms use network monitoring software now to exert some control over their system use. The screen shot is an example of such network monitoring software.

18 Security Management AGM Container Controls: Stealing Time and Resources The Net Contains Many Productivity Distractions Remedies Include Monitoring Internet Use and Blocking Sites Unrelated to Work Importance of Telling Employees About Monitoring Use of Software Monitoring Provided Rebuttal Answers To Web Use Discussions The AGM Container Controls mini-case examines a setting where the theft of time and resources existed. The net contains many productivity-distracting links. Remedies to the problem include monitoring Internet use and blocking sites unrelated to work. The case emphasized the importance of telling employees that the monitoring was on-going.

19 Security Management Copying Music CDs: Intellectual Property Controversy RIAA Crack Down on Music Piracy Web Sites Fighting Back 140 Million Writable Drives In Use Billions of Blank CDs Sold While Music CD Sales Are Going Down Pirates Reluctant to Go Away The issue of this slide is the copying of music CDs in violation of intellectual property rights. The RIAA crackdown on music piracy is discussed. Many Websites are fighting back, altering techniques to try to avoid being caught. The case states that there are 140 million writable drives in use with billions of blank CDs sold while music CD sales are decreasing.

20 Security Management Facts About Recent Computer Viruses and Worms
Use the text graphic to explain the nature and consequences of the presence of worms and viruses. This discussion continues in a case on the next slide.

21 Security Management University of Chicago: The Nimda Worm
Nimda Worm Launch Sept. 18, 2001 Mass Mailing of Malicious Code Attacking MS-Windows Took Advantage of Back Doors Previously Left Behind In Four Hours the University of Chicago’s Web Servers were Scanned by 7,000 Unique IP Addresses Looking for Weaknesses Many Servers Had to Be Disconnected The University of Chicago mini-case describes their experience with the Nimda Worm launch on Sept. 18, 2001. Within hours many servers were seriously impacted and had to be disconnected.

22 Privacy Issues Privacy on the Internet
Right to Privacy Privacy on the Internet Acxiom, Inc. Challenges to Consumer Privacy Acxiom – 30 Years Amassing Massive Database Sells Data to Subscribers Use by Telemarketers and Credit Firms Introduce the concepts of privacy as it relates to systems and the Internet. Define privacy rights and explain why privacy is so jealously guarded. The Acxiom, Inc. mini-case describes the immense volume of data this company possesses after thirty years of development. They sell their data to a wide variety of entities including telemarketers, credit firms, even government entities. The risk of exposure is quite significant.

23 Privacy Issues Computer Profiling Computer Matching Privacy Laws
Right to Privacy Computer Profiling Computer Matching Privacy Laws Computer Libel and Censorship Spamming Flaming Right to privacy issues should be discussed in view of system usage for profiling, matching and other legitimate uses as well as for negative applications that create enormous nuisance problems.

24 Privacy Issues Employment Challenges Working Conditions
Other Challenges Employment Challenges Working Conditions Individuality Issues Health Issues Other challenges to privacy are discussed in the area of employment, individuality, and health issues.

25 Privacy Issues Ergonomics
Use the text graphic to explain ergonomic issues as they impact the user/operator. Cite examples of each where possible. This discussion continues on the next slide...

26 Privacy Issues Job Stress Cumulative Trauma Disorders (CTDs)
Ergonomics Job Stress Cumulative Trauma Disorders (CTDs) Carpal Tunnel Syndrome Human Factors Engineering Societal Solutions Continue the discussion of ergonomic issues describing each of the physical ailments presented in the text and how society is attempting to address solutions to the problem.

27 Security Management of Information Technology
Section II: Security Management of Information Technology. Business Value of Security Management; Protection for all Vital Business Elements; Real World Case 2: Geisinger Health Systems and Du Pont: Security Management of Data Resources and Process Control Networks. Section II introduces the study of security management of IT. The business value of security management should be described.

28 Security Management of Information Technology
Tools of Security Management Use the text graphic to outline the tools of security management that make up the balance of this chapter.

29 Security Management of Information Technology
Providence Health and Cervalis: Security Management Issues Need for Security Management Caused by Increased Use of Links Between Business Units Greater Openness Means Greater Vulnerabilities Better Use of Identifying, Authenticating Users and Controlling Access to Data Theft Should Be Made as Difficult as Possible The Providence Health and Cervalis mini-case addresses security management issues. The case emphasizes that the demand for increased links between business units creates more vulnerabilities to security risk. The conclusion was that data theft should be made as difficult as possible.

30 Security Management of Information Technology
Internetworked Security Defenses Encryption Public Key Private Key Graphically… Begin the discussion of data encryption using public key/private key techniques. Define the terms. Continue the discussion using the graphic on the next slide…

31 Security Management of Information Technology
Encryption Use the text graphic to conclude the discussion of public key/private key encryption for data security management purposes.

32 Security Management of Information Technology
Firewalls. Diagram labels: External Firewall Blocks Outsiders; Internal Firewall Blocks Restricted Materials; Use of Passwords and Browser Security; Performs Authentication and Encryption; Careful Network Interface Design. Diagram components: Internet, Router, Firewall, Intranet Server, Host System. Use the animated graphic to show how appropriately placed and configured firewalls can protect a system from Internet-based intrusion.

33 Security Management of Information Technology
Barry Nance: Testing PC Firewall Security Worldwide Search for Active IP Addresses Sophisticated Probes Scan Any Home or Work Location Personal Firewalls Help Block Intruders Firewalls Generally Good at Protecting Computers from Most Hacking Efforts The Barry Nance mini-case addresses an attempt to test firewall security. Sophisticated probes scan IP addresses worldwide seeking content worthy of capture. Personal firewalls do a generally good job protecting computers from most hacking efforts.

34 Security Management of Information Technology
MTV Networks: Denial of Service Defenses MTV.com Website Targeted for Distributed Denial of Service (DDOS) Attacks During Fall Peak Periods Some People Try to Crash MTV Sites Parent Viacom Installed Software to Filter out DDOS Attacks Website Downtime Reduced The MTV Network mini-case describes their solution to Denial of Service attacks made on their systems particularly during peak fall periods. MTV parent Viacom installed software to filter out such attacks and Website downtime was significantly reduced.

35 Security Management of Information Technology
Defending Against Denial of Service Attacks Use the text graphic to discuss alternatives for defending against Denial of Service attacks.

36 Security Management of Information Technology
Sonalysts, Inc.: Corporate Monitoring e-Sniff Monitoring Device Searches by Key Word or Records of Web Sites Visited 82% of Businesses Monitor Web Use Close to 100% of Workers Register Some Improper Use The Sonalysts, Inc. mini-case gives an example of corporate monitoring. Their e-Sniff monitoring device searched by key word and also made records of Websites visited. The case states that 82% of businesses monitor Web use. The case reports that close to 100% of workers registered some improper use. It also presented a situation where a particular use that appeared to be improper turned out to be quite legitimate. The summary was: don't jump to conclusions.

37 Security Management of Information Technology
TrueSecure and 724 Inc.: Limitations of Antivirus Software Much Software Was Unable to Stop Nimda Worm Software Alone is Often Not Enough to Clean System Until Better Software is Developed, A Complete System Disconnect and Purge May Be the Only Solution The TrueSecure and 724 Inc. mini-case discussed limitations of anti-virus software. It states that much software was unable to stop the Nimda Worm and that software alone is not enough to clean the system. In many cases a complete system disconnect and purge may be the only solution.

38 Security Management of Information Technology
Example Security Suite Interface The screen shot is an example of Security Suite Interface-McAfee.com. Functions of the suite can be identified from the screen shot.

39 Security Management of Information Technology
Other Security Measures Security Codes Multilevel Password System Smart Cards Backup Files Child, Parent, Grandparent Files System Security Monitors Biometric Security Other security measures are described, including the use of security codes, passwords, smart cards, and biometric applications. Multiple backup redundancy is encouraged. The use of system security monitors provides additional feedback in case of a violation; an example is on the next slide.

40 Security Management of Information Technology
Example Security Monitor The screen shot is an example of a security monitor system used to monitor system usage.

41 Security Management of Information Technology
Evaluation of Biometric Security Use the text graphic to lead a discussion evaluating the effectiveness of biometric techniques.

42 Security Management of Information Technology
Computer Failure Controls Fault Tolerant Systems Fail-Over Fail-Safe Fail-Soft Disaster Recovery Discuss and define the alternative types of computer failure controls presented in the text. Stress the importance of a disaster recovery plan in case of crisis.

43 Security Management of Information Technology
Methods of Fault Tolerance Use the text graphic to describe the methods of fault tolerance. Emphasize the threats to each specific layer and the method used to protect the environment.

44 Security Management of Information Technology
Visa International: Fault Tolerant Systems Only 100% Uptime is Acceptable Only 98 Minutes of Downtime in 12 Years 1 Billion Transactions Worth $2 Trillion in Transactions a Year 4 Global Processing Centers Multiple Layers of Redundancy and Backup Software Testing an Art Form The Visa International mini-case describes their fault tolerance systems where downtime is totally unacceptable. Visa has experienced only 98 minutes of downtime in 12 years. They process billions of transactions representing trillions of dollars worldwide and have implemented massive backup and redundant systems because their data is so vital. They have developed software testing to an art form.

45 Systems Controls and Audits
Information System Controls Garbage-In, Garbage-Out (GIGO) Auditing IT Security Audit Trails Control Logs Introduce the concept of systems controls and audits. Emphasis should be placed on auditing IT security, development of audit trails, and maintenance of control logs for longitudinal consistency.

46 Systems Controls and Audits
Processing Controls: Software Controls, Hardware Controls, Firewalls, Checkpoints. Input Controls: Security Codes, Encryption, Data Entry Screens, Error Signals, Control Totals. Output Controls: Security Codes, Encryption, Control Totals, Control Listings, End User Feedback. Storage Controls: Security Codes, Encryption, Backup Files, Library Procedures, Database Administration. Use the animated graphics to demonstrate where control systems exist and how they relate to each other.

47 Summary Ethical and Societal Dimensions
Ethical Responsibility in Business Security Management

48 KEY TERMS Antivirus software Audit trail Auditing business systems
Backup files Biometric security Business ethics Computer crime Computer matching Computer monitoring Computer virus Denial of service Disaster recovery Encryption Ergonomics Ethical and Societal Impacts of business/IT Employment Health Individuality Societal Solutions Working Conditions Ethical foundations Fault tolerant Firewall Flaming Hacking Information system controls Intellectual property piracy Passwords Privacy issues Responsible professional Security management Software piracy Spamming System security monitor Unauthorized use

49 Optional Case Studies
Real World Case 1: F-Secure – Microsoft GM and Verizon: The Business Challenge of Computer Viruses. Real World Case 2: Geisinger Health Systems and DuPont: Security Management of Data Resources and Process Control Networks. Real World Case 3: Banner Health – Arlington County and Others: Security Management of Windows Software. Real World Case 4: Online Resources – Lehman Brothers and Others: Managing Network Security Systems.

50 Enterprise and Global Management of Information Technology
Next... Enterprise and Global Management of Information Technology Chapter 12

51 Case 1 F-Secure – Microsoft GM and Verizon: The Business Challenge of Computer Viruses 1- What security measures should companies, business professionals, and consumers take to protect their systems from being damaged by computer worms and viruses?

52 Businesses Need Better Procedures for Security Updating
Case 1 F-Secure – Microsoft GM and Verizon: The Business Challenge of Computer Viruses Discussion Points Would Include: Businesses Should “Get Serious” About Cyber Security Stop Relying on Microsoft 's Backbone Businesses Need Better Procedures for Security Updating Businesses Should Update Security Defenses Discussion points would include: Businesses should “get serious” about cyber security. Businesses should stop relying on just one outfit – Microsoft – to provide the backbone of the computing and Internet world. Businesses need to come up with better procedures for frequently updating their computers with the latest security patches to programs and inoculations against new viruses. Businesses should review and update their use of security defenses – encryption of data, use of firewalls, use of denial of service defenses, monitoring, and focusing attention on the issue of security codes.

53 Case 1 F-Secure – Microsoft GM and Verizon: The Business Challenge of Computer Viruses 2- What is the business and ethical responsibility of Microsoft in helping to prevent the spread of computer viruses? Have they met this responsibility? Why or why not?

54 Discussion Points Would Include:
Case 1 F-Secure – Microsoft GM and Verizon: The Business Challenge of Computer Viruses Discussion Points Would Include: Microsoft (95% Market Share) Must Ensure Software is Hostile to Hackers Must Write Better Software Microsoft and Others Must Make Security Higher Priority The Responsibility of Security is the User Not Vendor Discussion points would include: Microsoft with a 95% market share has an obligation to ensure that its software is sufficiently hostile to hackers. Microsoft has an obligation to make more fundamental changes in the way it designs programs – Microsoft has to write better software. Microsoft and other software companies have placed a high priority on getting products out quickly and loading them with features, rather than attending to security. Security is the responsibility of the user and not the vendor such as Microsoft.

55 Case 1 F-Secure – Microsoft GM and Verizon: The Business Challenge of Computer Viruses 3- What are several possible reasons why some companies (like GM) were seriously affected by computer viruses, while others (like Verizon) were not?

56 Reasons Would Include:
Case 1 F-Secure – Microsoft GM and Verizon: The Business Challenge of Computer Viruses Reasons Would Include: Undue Dependence on Microsoft for Quality Software GM Ignored Security until It was Too Late Companies Paid More Attention to Bottom Line than Security Reasons would include: Undue dependence on Microsoft to provide quality software. Some companies such as GM ignored the security issue until it became so big that they could not ignore it any more. Some companies watched their bottom line more than watching security trends – a low priority to spend money to provide frequent updates of security patches and inoculations against new viruses. CONTINUED…

57 Reasons Would Include:
Case 1 F-Secure – Microsoft GM and Verizon: The Business Challenge of Computer Viruses Reasons Would Include: Undue Dependence on Microsoft for Quality Software GM Ignored Security until It was Too Late Companies Paid More Attention to Bottom Line than Security Inadequate Planning for Improving Security Reasons would include: Undue dependence on Microsoft to provide quality software. Some companies such as GM ignored the security issue until it became so big that they could not ignore it any more. Some companies watched their bottom line more than watching security trends – a low priority to spend money to provide frequent updates of security patches and inoculations against new viruses. CONTINUATION… Inadequate planning for improving security features of their system.

58 Case 2 Geisinger Health Systems and DuPont: Security Management of Data Resources and Process Control Networks 1- What are several possible reasons why some companies (like GM) were seriously affected by computer viruses, while others (like Verizon) were not?

59 Key Components of a Security System:
Case 2 Geisinger Health Systems and DuPont: Security Management of Data Resources and Process Control Networks Discussion Points Would Include: Key Components of a Security System: Understanding Workflow Assessing Risk Educating Users MvChart needed Installed on Hardware Separate from EMK system Discussion points would include: Understanding workflow, assessing risk and educating users are all key components of their security system. Security needs dictated that the database that powers MvChart be installed on hardware separate from the EMK system. CONTINUATION…

60 Biometric and Proximity Devices Streamline Secure Network Access
Case 2 Geisinger Health Systems and DuPont: Security Management of Data Resources and Process Control Networks Discussion Points Would Include: Biometric and Proximity Devices Streamline Secure Network Access Requiring Caregivers Access to Patient Information via the Internet Using: Electronic Token Identification A Virtual Private Network Other Encryption Methods Discussion points would include: Understanding workflow, assessing risk and educating users are all key components of their security system. Security needs dictated that the database that powers MvChart be installed on hardware separate from the EMK system. CONTINUED… Evaluating and considering biometric and proximity devices as ways to streamline secure network access. Requiring caregivers accessing patient information via the Internet to use electronic token identification in addition to a virtual private network or other encryption method.

61 Case 2 Geisinger Health Systems and DuPont: Security Management of Data Resources and Process Control Networks 2- What security measures is Du Pont taking to protect their process control networks? Are these measures adequate? Explain your evaluation.

62 Case 2 Geisinger Health Systems and DuPont: Security Management of Data Resources and Process Control Networks Discussion Points Would Include: Du Pont Co.-The Critical Manufacturing Processes, will Isolate Process Systems from Business systems by: Not Connecting our Networks, Or it will Add Firewalls to Control Access Discussion points would include: On all of the critical manufacturing processes, Du Pont Co. is either going to totally isolate the process systems from the business systems by not connecting our networks, or it is going to put in firewalls to control access. CONTINUATION…

63 Discussion Points Would Include:
Case 2 Geisinger Health Systems and DuPont: Security Management of Data Resources and Process Control Networks Discussion Points Would Include: A Team-IT Staffers, Process-Control Engineers, and Manufacturing Employees was Established to: Discern Control Devices Critical to Manufacturing, Safety and Continuity of Production Identify Assets of – Hardware, Data, and Software Applications Testing Fixes and Workarounds for Specific Machines Recognizing Precise Vulnerabilities Differ by Environment Determining how to Separate Networks Discussion points would include: On all of the critical manufacturing processes, Du Pont Co. is either going to totally isolate the process systems from the business systems by not connecting our networks, or it is going to put in firewalls to control access. CONTINUATION… A team comprising three groups of IT staffers, process-control engineers, and manufacturing employees was established to: Discern which control devices are critical to manufacturing, safety and continuity of production. Identify the assets of each – hardware, data, and software applications – then research relevant vulnerabilities. Testing fixes and workarounds to see which ones might work for which machines. Recognizing that precise vulnerabilities differ by environment – water treatment process differs from vessels under high-temperature and high-pressure conditions. Determining how to separate networks and where process-control firewall appliances should go.

64 Case 2 Geisinger Health Systems and DuPont: Security Management of Data Resources and Process Control Networks 3- What are several other steps Geisinger and Du Pont could take to increase the security of their data and network resources? Explain the value of your proposals.

65 Case 2 Geisinger Health Systems and DuPont: Security Management of Data Resources and Process Control Networks Discussion Points Would Include: Include the Concepts Presented in the Chapter Material and Additional Considerations That You Have Located on the Internet Student discussion should include the concepts presented in the chapter material and additional considerations they are able to locate on the Internet.

66 Case 3 Banner Health Arlington County and Others: Security Management of Windows Software 1- What security problems are typically remedied by Microsoft’s security patches for Windows? Why do such problems arise in the first place?

67 Vulnerability to Computer Viruses (Worms)
Case 3 Banner Health Arlington County and Others: Security Management of Windows Software Discussion Points Would Include: Vulnerability to Computer Viruses (Worms) Microsoft’s Push to Deliver New Versions That have not been tested and/or Designed Properly to Reduce Vulnerability Discussion points would include: Vulnerability to computer viruses (worms). Microsoft’s push to deliver to the market new versions that have not been tested and/or designed properly to reduce vulnerability.

68 Case 3 Banner Health Arlington County and Others: Security Management of Windows Software 2- What challenges does the process of applying Windows patches pose for many businesses? What are some limitations of the patching process?

69 Patching Required Companies to Drop Everything with Finite Resources
Case 3 Banner Health Arlington County and Others: Security Management of Windows Software Discussion Points Would Include: Patching Required Companies to Drop Everything with Finite Resources Larger Companies Need Time to Properly Test Companies Faced with Limited Scope for Downtime Discussion points would include: Companies have to drop everything else to go take care of patching with a finite amount of resources to do it. Companies, especially larger and more distributed ones, need time to properly test each patch before they can deploy them since patches haven’t always worked or have broken the applications they were meant to protect. Often companies are faced with a limited scope for downtime in which to deploy patches.

70 Case 3 Banner Health Arlington County and Others: Security Management of Windows Software 3- Does the business value of applying Windows patches outweigh its costs, limitations, and the demands it places on the IT function? Why or why not?

71 Discussion Points Would Include:
Case 3 Banner Health Arlington County and Others: Security Management of Windows Software Discussion Points Would Include: Exploit-Proof Code Patching is Best Strategy Microsoft’s Windows Update Patch Management Program Has a Critical Shortcoming Could Fool Users-They have Been Properly Patched Users are Really Vulnerable-Patch not Fixed Users have Reported Patches don't Always Deploy Properly Discussion points would include: In the absence of completely error- and exploit-proof code, patching is the best strategy. Microsoft’s Windows Update patch management program has a critical shortcoming that, in some cases, could fool users into thinking they have been properly patched against some vulnerabilities when in fact they have not. Some users have reported that patches didn’t always deploy properly. CONTINUED…

72 Discussion Points Would Include:
Case 3 Banner Health Arlington County and Others: Security Management of Windows Software
Discussion Points Would Include: Exploit-Proof Code Patching is Best Strategy; Microsoft’s Windows Update Patch Management Program Has a Critical Shortcoming; Could Fool Users-They have Been Properly Patched; Users are Really Vulnerable-Patch not Fixed; Users have Reported Patches don't Always Deploy Properly; Microsoft Patches have Serious Security Vulnerability
Discussion points would include: In the absence of completely error- and exploit-proof code, patching is the best strategy. Microsoft’s Windows Update patch management program has a critical shortcoming that, in some cases, could fool users into thinking they have been properly patched against some vulnerabilities when in fact they have not. Some users have reported that patches didn’t always deploy properly. There exist some serious security vulnerabilities concerning the Microsoft patches that could easily be spoofed.

73 Case 4 Online Resources – Lehman Brothers and Others: Managing Network Security Systems 1- What is the function of each of the network security tools identified in this case? Visit the websites of security firms Check Point and NetForensics to help you answer.

74 Discussion Points Would Include:
Case 4 Online Resources – Lehman Brothers and Others: Managing Network Security Systems
Discussion Points Would Include: Network Intrusion-Detection Systems; Firewalls; Anti-Virus Tools; Automating the Process; Gathering; Consolidating; Correlating; Prioritizing Data from Security Event; Collecting Data from Individual Security Systems; “Normalizing” Data to Quickly Identify Potential Attacks
Discussion points would include: Network intrusion-detection systems. Firewalls. Anti-virus tools. Automating the process of gathering, consolidating, correlating and prioritizing data from various segments of the security event management suite. Collecting data from individual security systems installed by a business and “normalizing” the data to permit easier and quicker identification of potential attacks on the business and sending out alert messages.

75 Case 4 Online Resources – Lehman Brothers and Others: Managing Network Security Systems 2- What is the value of security information management software to a company? Use the companies in this case as examples.

76 Discussion Points Would Include:
Case 4 Online Resources – Lehman Brothers and Others: Managing Network Security Systems
Discussion Points Would Include: Provides a Single Place To Get Information; Automated Gathering, Consolidating, and Correlating Data Into a Usable Format to Analyze; Used to Establish Priorities; Permits Businesses to React Faster to Activity; Reduces the Number of False Alerts; Allows Companies to Drill Down into Attack Details
Discussion points would include: Provides a single place where the business can go to get the information needed to manage security. Automates the process of gathering, consolidating, and correlating the data into a usable format that can be analyzed and used to establish priorities based upon the severity and the importance of the system that is vulnerable. Permits businesses to react faster to activity that indicates an attack. Reduces the number of false alerts. Allows companies to drill down into the details of an attack and quickly build a composite of events leading up to a security incident.
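The gathering, normalizing, correlating and prioritizing steps named in the discussion points for questions 1 and 2, as an added Python example (not from the presentation or from any vendor's product). The log formats, host names, asset weights and five-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, one format per tool (not real product output).
RAW = [
    ("firewall", "2024-05-01T10:00:05 DENY src=203.0.113.7 dst=db01 port=1433"),
    ("ids",      "2024-05-01 10:00:40|sig=sql-probe|203.0.113.7|db01|prio=2"),
    ("antivirus", "2024-05-01T10:02:10 host=db01 verdict=quarantined level=high"),
    ("firewall", "2024-05-01T10:30:00 DENY src=198.51.100.9 dst=kiosk3 port=23"),
    ("ids",      "2024-05-01 11:45:00|sig=port-scan|198.51.100.9|web02|prio=3"),
]
ASSET_WEIGHT = {"db01": 3, "web02": 2, "kiosk3": 1}  # assumed importance ranking

def normalize(tool, line):
    """Map one tool-specific line onto a common schema with severity 1..3."""
    if tool == "firewall":
        m = re.match(r"(\S+) DENY src=(\S+) dst=(\S+)", line)
        ts, src, host, sev = m[1], m[2], m[3], 1
    elif tool == "ids":
        ts, _sig, src, host, prio = line.split("|")
        ts, sev = ts.replace(" ", "T"), 4 - int(prio.split("=")[1])  # prio 1 is worst
    elif tool == "antivirus":
        m = re.match(r"(\S+) host=(\S+) verdict=\S+ level=(\w+)", line)
        ts, src, host = m[1], None, m[2]
        sev = {"low": 1, "medium": 2, "high": 3}[m[3]]
    else:
        raise ValueError(f"unknown tool {tool!r}")
    return dict(ts=datetime.fromisoformat(ts), tool=tool, src=src, host=host, sev=sev)

def correlate(events, window=timedelta(minutes=5)):
    """Group per host; alert only if 2+ tools report within `window` of the first event."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        burst = [e for e in evs if e["ts"] - evs[0]["ts"] <= window]
        if len({e["tool"] for e in burst}) >= 2:  # a single-tool hit is not escalated
            score = max(e["sev"] for e in burst) * ASSET_WEIGHT.get(host, 1)
            incidents.append({"host": host, "score": score, "timeline": burst})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)

def run():
    return correlate([normalize(t, l) for t, l in RAW])

if __name__ == "__main__":
    for inc in run():
        print(inc["host"], inc["score"], [e["tool"] for e in inc["timeline"]])
```

The isolated firewall and IDS hits on kiosk3 and web02 raise no incident, while the three agreeing sources on db01 produce one prioritized incident whose timeline is the composite of events.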

77 Case 4 Online Resources – Lehman Brothers and Others: Managing Network Security Systems 3- What can smaller firms who cannot afford the cost of such software do to properly manage and use the information about security from their network security systems? Give several examples.

78 Discussion Points Would Include:
Case 4 Online Resources – Lehman Brothers and Others: Managing Network Security Systems
Discussion Points Would Include: Plan for Having Periodic Audits of IT Security; Review/Update Regularly Control Features of IT; Regularly Change Passwords-To Access System; Develop a Backup Plan and Implement
Discussion points would include: Plan for having periodic audits of IT security. Regularly review and update the control features related to IT. Regularly change the passwords that allow access to the system. Develop a backup plan and implement it.

79 Discussion Points Would Include:
Case 4 Online Resources – Lehman Brothers and Others: Managing Network Security Systems
Discussion Points Would Include: Plan for Having Periodic Audits of IT Security; Review/Update Regularly Control Features of IT; Regularly Change Passwords-To Access System; Develop a Backup Plan and Implement; Develop Plan for Disaster Recovery
Discussion points would include: Plan for having periodic audits of IT security. Regularly review and update the control features related to IT. Regularly change the passwords that allow access to the system. Develop a backup plan and implement it. Plan for disaster recovery by developing procedures to be used when a system is attacked.

