
Chapter 12

Information Security Management

We Have to Design It for Privacy and Security.


Tension between Maggie and Ajit regarding the terminology to use with Dr. Flores
Common problem for techies when talking with business professionals: they use too much technical language

Copyright 2014 Pearson Education, Inc. Publishing as Prentice Hall

12-2

PRIDE Design for Security


Study Guide
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2023?


Q1: What Is the Goal of Information Systems Security?


Examples of Threat/Loss


What Are the Sources of Threats?


What Types of Security Loss Exist?


Unauthorized Data Disclosure
  Pretexting
  Phishing
  Spoofing
    IP spoofing
    Email spoofing
  Drive-by sniffers
  Hacking
  Natural disasters


Incorrect Data Modification
  Procedures not followed or incorrectly designed
    Increasing a customer's discount or incorrectly modifying an employee's salary
    Placing incorrect data on the company Web site
  Improper internal controls on systems
  System errors
  Faulty recovery actions after a disaster


Faulty Service
  Incorrect data modification
  Systems working incorrectly
  Procedural mistakes
  Programming errors
  IT installation errors

Usurpation
Denial of service (unintentional)

Denial-of-service attacks (intentional)


Loss of Infrastructure
  Human accidents
  Theft and terrorist events
  Disgruntled or terminated employee
  Natural disasters
  Advanced Persistent Threat (APT) or cyberwarfare


Q2: How Big Is the Computer Security Problem?


Verizon/Secret Service Findings 2011


Data-loss security incidents reached an all-time high, but the number of data records lost fell dramatically for the second year in a row.
Data theft is most successful at small and medium-sized businesses.


Verizon/Secret Service Findings 2011 (cont'd)


Four most frequent computer crimes:
1. Criminal activity against servers
2. Viruses
3. Code insertion
4. Data loss on user computers


Types of Attacks Experienced


Intrusion Detection System (IDS)

A computer program that senses when another computer is attempting to scan the disk or otherwise access the computer.
"When I run an IDS on a computer on the public Internet, ... I get more than 1,000 attempts, mostly from foreign countries. There is nothing you can do about it except use reasonable safeguards."
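Added example, not from the textbook or its slides: the simplest form of the check an IDS performs, run over constructed firewall-style log lines. It flags a source that touches many distinct ports on one destination within a short window, which is what the scanning the slide describes looks like in a log. The log format, the five-port threshold and the ten-second window are assumptions chosen for the demonstration.

```python
"""Minimal intrusion-detection check: flag a source that probes many distinct
ports on one destination within a short window (a port scan).
Added example with constructed log lines; threshold and window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log: timestamp, source, destination, dest port, action.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=22 action=DROP
2024-05-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=23 action=DROP
2024-05-01T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=80 action=ACCEPT
2024-05-01T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=443 action=ACCEPT
2024-05-01T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=3306 action=DROP
2024-05-01T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=3389 action=DROP
2024-05-01T10:00:04 src=203.0.113.7 dst=192.0.2.10 dport=8080 action=DROP
2024-05-01T10:00:05 src=198.51.100.4 dst=192.0.2.10 dport=443 action=ACCEPT
2024-05-01T10:00:09 src=198.51.100.4 dst=192.0.2.10 dport=443 action=ACCEPT
2024-05-01T10:02:00 src=198.51.100.9 dst=192.0.2.10 dport=22 action=DROP
2024-05-01T10:30:00 src=198.51.100.9 dst=192.0.2.10 dport=80 action=ACCEPT
"""

PORT_THRESHOLD = 5              # assumed: this many distinct ports from one source ...
WINDOW = timedelta(seconds=10)  # assumed: ... within this interval is treated as a scan


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"])


def detect_scans(log_text, threshold=PORT_THRESHOLD, window=WINDOW):
    """Return {(src, dst): sorted distinct ports} for every source/destination
    pair that reaches `threshold` distinct ports inside any `window`-long span."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            events[(src, dst)].append((ts, port))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()  # events are now ordered by time
        for i, (start, _) in enumerate(evs):
            # Distinct ports seen from this event until the window closes.
            ports = {p for t, p in evs[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts[pair] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG).items():
        print(f"ALERT possible port scan {src} -> {dst}: ports {ports}")
```

The check is deliberately narrow: a real IDS (Snort or Suricata, for example) also inspects packet contents and rate-limits its alerts. The point here is that a scan is visible as breadth of ports per source over time, which no single dropped packet reveals; the two legitimate hosts in the sample never trip it.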


Q3: How Should You Respond to Security Threats?


In-Class 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts
In this exercise, you and a group of your fellow students will investigate phishing attacks. Search the Web for phishing, but be aware that your search may get the attention of an active phisher. Therefore, do not give any data to any site you visit as part of this exercise!


Ethics Guide: Securing Privacy


The best way to solve a problem is not to have it.
Resist providing sensitive data.
Don't collect data you don't need.


Q4: How Should Organizations Respond to Security Threats?


Establish a company-wide security policy. It should stipulate:
  What sensitive data to store
  How it will process that data
  Whether data will be shared with other organizations
  How employees and others can obtain copies of data stored about them
  How employees and others can request changes to inaccurate data
  What employees can do with their own mobile devices at work
  What non-organizational activities employees can undertake with employee-owned equipment


Security Safeguards as They Relate to the Five IS Components


Q5: How Can Technical Safeguards Protect Against Security Threats?


Essence of HTTPS (SSL or TLS)


Firewalls


Malware Types and Spyware and Adware Symptoms

  Viruses
    Payload
  Trojan horses
  Worms
  Beacons
  Spyware and adware symptoms


Malware Safeguards
1. Use antivirus and antispyware programs.
2. Scan frequently.
3. Update malware definitions.
4. Open email attachments only from known sources.
5. Install software updates.
6. Browse only reputable Internet neighborhoods.


Design for Secure Applications


SQL injection attack
  The user enters an SQL statement into a form instead of a name or other data.
  An improperly designed form accepts this code and makes it part of the database command that it issues.
  Result: improper data disclosure; data damage and loss are also possible.
  Properly designed applications make injections ineffective: user input is passed to the database as a bound parameter and is never concatenated into the SQL text.
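Added example (not the textbook's code): the improperly designed query beside its corrected form, using Python's sqlite3 module with an in-memory database. The customers table, its rows and the injection string are constructed for the demonstration.

```python
"""SQL injection: the improperly designed query beside its parameterized form.
Added example using an in-memory SQLite database; table and rows are constructed."""
import sqlite3


def make_db():
    """Constructed customer table holding the kind of data a form might expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, ssn) VALUES (?, ?)",
        [("Alice Adams", "111-11-1111"), ("Bob Brown", "222-22-2222")],
    )
    conn.commit()
    return conn


def find_customer_vulnerable(conn, name):
    """BAD: the form input is pasted into the SQL text, so it can rewrite the query."""
    sql = f"SELECT name, ssn FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, name):
    """GOOD: the input is bound as a parameter; the statement text is fixed."""
    sql = "SELECT name, ssn FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# What an attacker types into the "name" box instead of a name (constructed).
INJECTION = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("honest lookup:         ", find_customer_safe(conn, "Alice Adams"))
    print("vulnerable + injection:", find_customer_vulnerable(conn, INJECTION))
    print("safe + injection:      ", find_customer_safe(conn, INJECTION))
```

The vulnerable version returns every row: the input closes the quoted string and appends OR '1'='1', so the WHERE clause is always true. In the safe version the same input is a bound value; the database receives statement and value separately, so the value is only ever compared with the name column and is never parsed as SQL. One caveat on the demonstration itself: sqlite3's execute() refuses more than one statement per call, which is why the example uses a tautology rather than a second, destructive statement; that is a property of this driver, not a general protection, and other database APIs will happily run the DROP or UPDATE an attacker appends.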


Q6: How Can Data Safeguards Protect Against Security Threats?


Q7: How Can Human Safeguards Protect Against Security Threats?


Account Administration
  Account Management
    Standards for new user accounts, modification of account permissions, removal of unneeded accounts
  Password Management
    Users should change passwords frequently
  Help Desk Policies
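Added example, not from the textbook: the "removal of unneeded accounts" standard turned into an automated access-review check. It compares a system's account list against the HR roster and flags accounts with no active owner and accounts idle beyond a limit, ordering the findings so that privileged accounts come first. The roster, the account records and the 90-day limit are constructed assumptions.

```python
"""Access review: find accounts that should no longer exist.
Added example; roster, accounts and the idle limit are constructed assumptions."""
from datetime import date, timedelta

# Constructed HR roster: username -> employment status.
ROSTER = {
    "asmith": "active",
    "bjones": "terminated",
    "cwong": "active",
    "dlee": "active",
}

# Constructed account export: (username, role, last login date; None = never logged in).
ACCOUNTS = [
    ("asmith", "user", date(2024, 4, 28)),
    ("bjones", "admin", date(2024, 4, 20)),
    ("cwong", "user", date(2023, 12, 1)),
    ("dlee", "user", date(2024, 4, 30)),
    ("svc_backup", "admin", None),
    ("eold", "user", date(2024, 1, 15)),
]

MAX_IDLE = timedelta(days=90)  # assumed: an account unused this long needs review
ROLE_RANK = {"admin": 0, "user": 1}  # privileged findings are listed first


def review_accounts(accounts, roster, today, max_idle=MAX_IDLE):
    """Return (role, user, reason) findings, admins first, then by user name.
    Two reasons can apply to one account (no owner and idle), and both are kept."""
    findings = []
    for user, role, last_login in accounts:
        status = roster.get(user)
        if status is None:
            findings.append((role, user, "no owner in HR roster"))
        elif status != "active":
            findings.append((role, user, "owner is " + status))
        if last_login is None or today - last_login > max_idle:
            findings.append((role, user, "unused for more than %d days" % max_idle.days))
    return sorted(findings, key=lambda f: (ROLE_RANK.get(f[0], 9), f[1], f[2]))


def accounts_to_disable(findings):
    """Distinct user names that have at least one finding."""
    return sorted({user for _, user, _ in findings})


if __name__ == "__main__":
    for role, user, reason in review_accounts(ACCOUNTS, ROSTER, date(2024, 5, 1)):
        print(f"{role:5s} {user:12s} {reason}")
```

The shared service account with no owner and no login history is the kind of entry such a review exists to surface: nobody in the roster will report it as unneeded, so only the system export can. Run against the real account export, the same check is the evidence an auditor asks for when verifying that the removal standard is actually followed.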


Sample Account Acknowledgment Form


Systems Procedures


Q8: How Should Organizations Respond to Security Incidents?


Q9: 2023
  APTs more common, inflicting serious damage
  Security of mobile devices improved
  Improved security procedures and employee training
  Criminals focus on less protected mid-sized and smaller organizations, and on individuals
  Electronic lawlessness by organized gangs
  Electronic sheriffs patrol electronic borders


Guide: Metasecurity
What are the security problems?
What are the manager's responsibilities for controls over the security system?


Guide: The Final, Final Word


Routine work will migrate to low-labor-cost countries.
Be a symbolic-analytic worker:
  Abstract thinking
  How to experiment
  Systems thinking
  Collaboration


Active Review
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2023?


Case 12: Moore's Law, One More Time

Doubling CPU speed helps criminals: it enables more powerful password crackers.
iOS and Android phones and millions of other mobile devices increase data communications and create exponentially more opportunities for computer criminals.
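Added example, not from the case text: a toy brute-force cracker that shows how the number of guesses per second sets the time to exhaust a keyspace, and how a deliberately slow password hash (PBKDF2 here) takes back what faster hardware gives the attacker. The three-letter keyspace, the fixed salt and the 100,000-iteration work factor are assumptions for the demonstration.

```python
"""Brute-force password cracking and the work factor that resists it.
Added example: keyspace, salt and iteration count are assumptions."""
import hashlib
import itertools
import string
import time

ALPHABET = string.ascii_lowercase
LENGTH = 3                     # assumed toy keyspace: 26**3 = 17,576 candidates
PBKDF2_ITERATIONS = 100_000    # assumed work factor for the slow hash
SALT = b"constructed-salt"     # constructed; real systems use a random per-user salt


def fast_hash(password):
    """Plain SHA-256: one cheap operation per guess, exactly what a cracker wants."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, iterations).hex()


def crack(target, hash_fn, alphabet=ALPHABET, length=LENGTH, limit=None):
    """Try every candidate of the given length until one hashes to `target`.
    Returns (password or None, number of guesses made)."""
    tried = 0
    for chars in itertools.product(alphabet, repeat=length):
        if limit is not None and tried >= limit:
            break
        candidate = "".join(chars)
        tried += 1
        if hash_fn(candidate) == target:
            return candidate, tried
    return None, tried


def guesses_per_second(hash_fn, samples=50):
    """Measure how many guesses this hash function allows per second on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn("guess%05d" % i)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def keyspace_seconds(rate, alphabet=ALPHABET, length=LENGTH):
    """Worst-case time to exhaust the keyspace at `rate` guesses per second."""
    return len(alphabet) ** length / rate


if __name__ == "__main__":
    found, guesses = crack(fast_hash("dog"), fast_hash)
    print(f"fast hash: recovered {found!r} after {guesses} guesses")
    fast_rate = guesses_per_second(fast_hash)
    slow_rate = guesses_per_second(slow_hash)
    print(f"SHA-256: {fast_rate:,.0f} guesses/s, keyspace in {keyspace_seconds(fast_rate):.4f} s")
    print(f"PBKDF2:  {slow_rate:,.0f} guesses/s, keyspace in {keyspace_seconds(slow_rate):.1f} s")
    print(f"slowdown factor: {fast_rate / slow_rate:,.0f}x")
```

guesses_per_second measures Python calling into hashlib on one core; real crackers run optimized code on GPUs, so the absolute numbers mean little, but the ratio is the point. Every doubling of CPU speed halves the attacker's time, and every doubling of the PBKDF2 iteration count doubles it back, which is why the iteration count should be raised over time rather than fixed once. Memory-hard functions such as scrypt or Argon2 are the current recommendation because GPU parallelism helps them less than it helps PBKDF2.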

