Chapter 12
Information Security Management
Someone’s stealing wedding presents, but only from weddings of club members.
The thief knew how to access the system and the database, and maybe some SQL.
Access: Mike has yellow stickies with passwords on his monitor, and copies of the key to the server building.
Knowledge: the greenskeeper, “a techno-whiz,” created a report for Anne. He knows how to query the database and was known to access it before Anne’s project (ch. 9).
Scenario video
This Could Happen to You: “Could Someone Be Getting to Our Data?”
12-2Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall
Study Questions
Q1: What are the sources and types of security threats?
Q2: What are the elements of a security program?
Q3: How can technical safeguards protect against security threats?
Q4: How can data safeguards protect against security threats?
Q5: How can human safeguards protect against security threats?
Q6: What is necessary for disaster preparedness?
Q7: How should organizations respond to security incidents?
How does the knowledge in this chapter help Fox Lake and you?
Q1: What Are the Sources and Types of Security Threats?
Unauthorized Data Disclosure
Incorrect Data Modifications
Human errors:
• Incorrect entries and information
• Procedural problems
Systems errors:
• Lost-update problem
Hacking:
• Unauthorized system access
Faulty recovery actions:
• Human procedural mistakes
• Errors in installation of hardware, software programs, or data
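The lost-update problem named under "Systems errors" is easy to see in code. The following is an added example, not part of the slides: two transactions read the same row, each adds to what it read, and each writes back. With plain writes the second write silently discards the first; a version number checked at write time (optimistic concurrency) turns that into a detectable conflict that the loser re-reads and retries. The `Table`, `Row` and `ConflictError` names are constructed for this illustration.

```python
"""Lost-update problem and an optimistic version check (added example)."""
from dataclasses import dataclass


class ConflictError(Exception):
    """Raised when a write is based on a read that is now stale."""


@dataclass
class Row:
    value: int
    version: int = 0


class Table:
    """Single-row 'table' offering a plain write and a version-checked write."""

    def __init__(self, value: int) -> None:
        self.row = Row(value)

    def read(self) -> Row:
        # Return a snapshot, as a client application would hold one.
        return Row(self.row.value, self.row.version)

    def write_unchecked(self, new_value: int) -> None:
        # What a naive read-modify-write does: overwrite whatever is there.
        self.row.value = new_value
        self.row.version += 1

    def write_checked(self, snapshot: Row, new_value: int) -> None:
        # Refuse the write if the row changed since this client read it.
        if snapshot.version != self.row.version:
            raise ConflictError("row changed since it was read")
        self.row.value = new_value
        self.row.version += 1


def lost_update(start: int, add_a: int, add_b: int) -> int:
    """Interleave two read-modify-write transactions with no checking."""
    t = Table(start)
    a = t.read()                        # A and B both read before either writes
    b = t.read()
    t.write_unchecked(a.value + add_a)  # A writes start + add_a
    t.write_unchecked(b.value + add_b)  # B writes start + add_b: A's update is lost
    return t.row.value


def guarded_update(start: int, add_a: int, add_b: int) -> int:
    """Same interleaving, but B's stale write is rejected and retried."""
    t = Table(start)
    a = t.read()
    b = t.read()
    t.write_checked(a, a.value + add_a)
    try:
        t.write_checked(b, b.value + add_b)
    except ConflictError:
        fresh = t.read()                # re-read the current value and reapply B's change
        t.write_checked(fresh, fresh.value + add_b)
    return t.row.value


if __name__ == "__main__":
    print("unchecked:", lost_update(100, 10, 5))    # 105: the +10 vanished
    print("checked:  ", guarded_update(100, 10, 5)) # 115: both updates kept
```

Real DBMSs solve this with row locks or multiversion concurrency control rather than an application-level version field, but the failure mode and the retry logic are the same ones shown here.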
Denial of Service (DOS)
Usurpation:
• Unauthorized programs invade the computer system and replace legitimate programs
Human error:
• Inadvertently shutting down a web server or gateway router with a computationally intensive application
• Example: an OLAP application that uses the operational DBMS blocks order-entry transactions
Denial of service:
• Malicious attacks flood a web server with millions of requests for web pages
• Computer worms
• Natural disasters
Loss of Infrastructure
Accidental:
• Bulldozer cutting a fiber-optic cable, floor buffer banging a web server
• Water line breaks or fire damaging hardware
Theft and terrorists:
• Disgruntled employee steals equipment
• Damages computer center
Natural disasters:
• Floods, tornadoes, hurricanes, fire, earthquakes
Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts
Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts (cont’d)
2. Suppose you received the email in Figure 1 and mistakenly clicked See more details here. When you did so, you were taken to the web page shown in Figure 2. List every phishing symptom that you find in these two figures and explain why it is a symptom.
3. Suppose you work for an organization that is being phished.
a. How would you learn that your organization is being attacked?
b. What steps should your organization take in response to the attack?
c. What liability, if any, do you think your organization has for damages to customers that result from a phishing attack that carries your brand and trademarks?
Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts (cont’d)
4. Summarize why phishing is a serious problem to commerce today.
5. Describe actions that industry organizations, companies, governments, or individuals can take to help to reduce phishing.
Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts (cont’d)
Q2: What Are the Elements of a Security Program?
Senior management involvement:
• Must establish security policy
• Manage risk: balancing the costs and benefits of security measures
Safeguards:
• Protections against security threats
Incident response:
• Priority plan for security incidents
Effective security programs balance safeguards
Security Safeguards as They Relate to the Five Components
Q3: How Can Technical Safeguards Protect Against Security Threats?
Identification and Authentication
Authentication methods:
• Password
• Smart card
• Biometric
Smart cards:
• Microchip embedded with identifying data
• Authentication by PIN
Biometric authentication:
• Fingerprints, face scans, retina scans
• See http://searchsecurity.techtarget.com
Single sign-on for multiple systems:
• Authenticate to network and other servers
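To make the password and smart-card items concrete, here is an added example (not from the slides or the textbook) of a two-factor check: the password is stored only as a salted PBKDF2 hash and verified with a constant-time comparison, and a constructed `SmartCard` class models a PIN-protected card whose retry counter blocks the card after three wrong PINs. The iteration count, the three-try limit and the function names are assumptions made for this illustration.

```python
"""Password plus smart-card PIN check (added example, constructed model)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumption: tune to the server's CPU budget


def make_password_record(secret: str) -> dict:
    """Hash a password (or PIN) with a fresh random salt; store only the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def verify_secret(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare without timing leaks."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


class SmartCard:
    """Toy model of a PIN-protected card (constructed): the PIN is verified
    against a hash held on the card, and three wrong tries block the card."""

    MAX_TRIES = 3

    def __init__(self, holder: str, pin: str) -> None:
        self.holder = holder
        self._pin_record = make_password_record(pin)
        self.tries_left = self.MAX_TRIES

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left == 0:
            return False                       # blocked until reissued or unblocked
        if verify_secret(self._pin_record, pin):
            self.tries_left = self.MAX_TRIES   # a correct PIN resets the counter
            return True
        self.tries_left -= 1
        return False


def two_factor_login(users: dict, username: str, password: str,
                     card: SmartCard, pin: str) -> bool:
    """Something you know (password) and something you have (card + PIN)."""
    record = users.get(username)
    if record is None or not verify_secret(record, password):
        return False
    # The card must belong to this user, and the PIN is checked on the card.
    return card.holder == username and card.verify_pin(pin)


if __name__ == "__main__":
    users = {"alice": make_password_record("correct horse battery")}
    card = SmartCard("alice", "4821")
    print(two_factor_login(users, "alice", "correct horse battery", card, "4821"))  # True
    print(two_factor_login(users, "alice", "correct horse battery", card, "0000"))  # False
```

One design point worth noting: an unknown username returns early without hashing, which makes a failed lookup measurably faster than a wrong password; a production login routine hashes a dummy record in that branch so both failures take the same time.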
Encryption Terminology
Encryption: SSL/TLS (Figure 12-4)
Firewalls
• A computing device that prevents unauthorized network access; may be a special-purpose computer or a program on a general-purpose computer
• Organizations may have multiple firewalls: perimeter firewalls outside the network and internal firewalls inside the network
• Packet-filtering firewalls examine each part of a message and may filter both incoming and outgoing messages
• Encoded rules state which IP addresses are allowed in or out of the network
• Do not connect to the Internet without firewall protection!
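The "encoded rules stating which IP addresses are allowed in or out" are easiest to understand as an ordered rule list with a default-deny fallthrough. The following is an added example, not from the slides or any firewall product: a small packet-filter evaluator plus two constructed rule sets, one for a perimeter firewall and one for an internal firewall in front of a database server. All addresses, ports and rule names are constructed for the illustration (the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation addresses, not real hosts).

```python
"""Packet-filtering firewall rules with first-match, default-deny (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str                      # "in" (entering the network) or "out"
    network: ipaddress.IPv4Network      # remote addresses this rule covers
    port: Optional[int]                 # destination port, or None for any port
    action: str                         # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    dst_port: int


def rule(direction: str, cidr: str, port: Optional[int], action: str) -> Rule:
    return Rule(direction, ipaddress.ip_network(cidr), port, action)


def decide(rules: List[Rule], packet: Packet) -> str:
    """Return "allow" or "deny" for one packet under an ordered rule list."""
    # For inbound traffic the remote side is the source; for outbound, the destination.
    remote = ipaddress.ip_address(packet.src if packet.direction == "in" else packet.dst)
    for r in rules:
        if r.direction != packet.direction:
            continue
        if remote not in r.network:
            continue
        if r.port is not None and r.port != packet.dst_port:
            continue
        return r.action                 # first matching rule wins
    return "deny"                       # nothing matched: default deny


# Perimeter firewall (constructed): block one known-bad range before the
# general web rule, let the public reach the web server on 443, and let
# staff browse out on 443. Everything else, in or out, is dropped.
PERIMETER = [
    rule("in", "203.0.113.0/24", None, "deny"),
    rule("in", "0.0.0.0/0", 443, "allow"),
    rule("out", "0.0.0.0/0", 443, "allow"),
]

# Internal firewall in front of the database server (constructed): only the
# office subnet may open the SQL Server port; no other inbound traffic passes.
INTERNAL_DB = [
    rule("in", "10.0.1.0/24", 1433, "allow"),
]


if __name__ == "__main__":
    samples = [
        Packet("in", "198.51.100.7", "10.0.0.5", 443),    # public web visitor: allow
        Packet("in", "203.0.113.9", "10.0.0.5", 443),     # blocked range: deny
        Packet("in", "198.51.100.7", "10.0.0.5", 22),     # SSH from outside: deny
        Packet("out", "10.0.1.20", "198.51.100.7", 443),  # staff browsing: allow
    ]
    for p in samples:
        print(p.direction, p.src, "->", p.dst, p.dst_port, decide(PERIMETER, p))
```

Rule order matters: swapping the first two perimeter rules would let the blocked range reach port 443, because the broader allow would match first. Keeping the internal firewall's rule list to a single allow is what stops an outside host that gets past the perimeter from reaching the DBMS directly.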
Use of Multiple Firewalls
Malware Protection
Spyware programs
Adware:
• Similar to spyware without malicious intent
• Watches user activity, produces pop-up ads, changes windows, modifies search results
• Can slow computer performance
• Remove with anti-spyware and anti-adware programs
More on threats:
• Click for latest viruses, malware threats
Malware Protection
Type: Problems
Malware: Viruses, worms, Trojan horses, spyware, and adware
Virus: Computer program that replicates itself and takes unwanted and harmful actions
Macro virus: Attaches itself to Word, Excel, or other types of documents; the virus infects every file the application creates or processes
Worm: Virus that propagates using the Internet or another computer network; can choke a network
Spyware: Some capture keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Other spyware supports marketing analyses.
Adware: Can slow computer performance
Click for latest viruses, malware threats
Spyware and Adware Symptoms
Malware Safeguards
• Install antivirus and anti-spyware programs on your computer
• Set up your anti-malware programs to scan your computer frequently
• Update malware definitions
• Open email attachments only from known sources
• Promptly install software updates from legitimate sources
• Browse only in reputable Internet neighborhoods
Q4: How Can Data Safeguards Protect Against Security Threats?
Data Safeguards
Q5: How Can Human Safeguards Protect Against Security Threats?
Position definitions:
• Least privilege possible
Hiring & screening employees:
• Extensive interviews and background checks for high-sensitivity positions
Dissemination & enforcement:
• Make employees aware of security policies and procedures
Termination:
• Establish security policies and procedures for employee termination
• HR dept. giving IS early notification
How Can Human Safeguards Protect Against Security Threats? (cont’d)
How Can Human Safeguards Protect Against Security Threats? (cont’d)
Account Administration
Account management:
• Administration of user accounts, passwords, and help-desk policies and procedures
• Creation of new user accounts, modification of existing account permissions, removal of unneeded accounts
• Improve your relationship with IS personnel by providing early and timely notification of the need for account changes
Password management:
• Users should change passwords every three months or more frequently
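The human safeguards in Q5 (least privilege against position definitions, early HR notice of terminations) and the account and password management items above are the kind of thing an administrator checks on a schedule. The following is an added example, not from the slides or the textbook: an audit that compares each account's privileges with its position definition, flags passwords older than the three-month limit the slide gives, and flags accounts HR has reported terminated but IS has not yet disabled. The position names, privilege strings, usernames and dates are all constructed; `POSITIONS` plays the role of the position definitions.

```python
"""Account administration audit: least privilege, password age, terminations (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

PASSWORD_MAX_AGE = timedelta(days=90)   # "every three months" from the slide

# Position definitions (constructed): the privileges each job actually needs.
POSITIONS: Dict[str, Set[str]] = {
    "event_manager": {"read_members", "write_events"},
    "greenskeeper": {"read_schedule"},
    "dba": {"read_members", "write_members", "write_events", "admin_db"},
}


@dataclass
class Account:
    username: str
    position: str
    privileges: Set[str]
    password_changed: date
    enabled: bool = True
    hr_status: str = "active"        # "active" or "terminated", from the HR feed


def audit_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, problem) pairs for an administrator to act on."""
    findings = []
    for a in accounts:
        # Termination: HR said the person left, but the account still works.
        if a.hr_status == "terminated" and a.enabled:
            findings.append((a.username, "terminated employee still has an enabled account"))
        # Password management: older than the three-month limit.
        if today - a.password_changed > PASSWORD_MAX_AGE:
            findings.append((a.username, "password older than 90 days"))
        # Least privilege: anything beyond the position definition is excess.
        excess = a.privileges - POSITIONS.get(a.position, set())
        if excess:
            findings.append((a.username, "privileges beyond position definition: "
                             + ", ".join(sorted(excess))))
    return findings


def apply_termination(accounts: List[Account], username: str) -> bool:
    """Disable the account and drop its privileges as soon as HR gives notice."""
    for a in accounts:
        if a.username == username:
            a.hr_status = "terminated"
            a.enabled = False
            a.privileges = set()
            return True
    return False


def sample_accounts() -> List[Account]:
    """Constructed sample data for the audit (not real users)."""
    return [
        Account("alice", "event_manager", {"read_members", "write_events"},
                date(2012, 4, 15)),
        Account("bob", "greenskeeper", {"read_schedule", "read_members", "write_members"},
                date(2012, 1, 10)),
        Account("carol", "dba", {"read_members", "write_members", "write_events", "admin_db"},
                date(2012, 5, 1), hr_status="terminated"),
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    for user, problem in audit_accounts(accounts, date(2012, 6, 1)):
        print(f"{user}: {problem}")
    apply_termination(accounts, "carol")
    print("after termination:", audit_accounts(accounts, date(2012, 6, 1)))
```

The audit reads only the HR status and the account records, so it can run daily without anyone remembering to call IS; the "early and timely notification" point on the slide is what makes the `hr_status` feed exist in the first place.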
National Institute of Standards and Technology (NIST) Recommendation
User signs a statement like this.
Systems Procedures
Security Monitoring Functions
Activity log analyses:
• Firewall logs
• DBMS log-in records
• Web server logs
Security testing:
• In-house and external security professionals
Investigation of incidents:
• How did the problem occur?
Learn from incidents:
• Indication of potential vulnerability and needed corrective actions
Review and update security and safeguard policies
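"Activity log analyses" over the three log sources named above looks, in practice, like the following added example (not from the slides or the textbook). It parses constructed sample lines in three formats, a firewall log, DBMS login records and a web server access log, and raises alerts for a source that is repeatedly denied by the firewall, a database login that succeeds after a run of failures or outside business hours, and a client that keeps receiving 403 responses. The log formats, the 07:00 to 18:59 business-hours window, the alert thresholds and every address and username are assumptions made for the illustration.

```python
"""Activity log analysis over firewall, DBMS and web server records (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import List, Tuple

# Constructed sample records in three formats; not real logs from any system.
FIREWALL_LOG = """\
2012-05-14 02:13:07 DENY in src=203.0.113.9 dst=10.0.2.5 dport=1433
2012-05-14 02:13:09 DENY in src=203.0.113.9 dst=10.0.2.5 dport=3306
2012-05-14 02:13:11 DENY in src=203.0.113.9 dst=10.0.2.5 dport=22
2012-05-14 09:02:30 ALLOW in src=198.51.100.7 dst=10.0.0.5 dport=443
"""

DBMS_LOG = """\
2012-05-14 02:15:41 LOGIN FAILED user=jason host=10.0.3.20
2012-05-14 02:15:55 LOGIN FAILED user=jason host=10.0.3.20
2012-05-14 02:16:10 LOGIN FAILED user=jason host=10.0.3.20
2012-05-14 02:16:30 LOGIN OK user=jason host=10.0.3.20
2012-05-14 10:30:00 LOGIN OK user=anne host=10.0.1.20
"""

WEB_LOG = """\
10.0.3.20 - - [14/May/2012:02:20:01 -0700] "GET /members/export HTTP/1.1" 403
10.0.3.20 - - [14/May/2012:02:20:05 -0700] "GET /members/export HTTP/1.1" 403
198.51.100.7 - - [14/May/2012:09:05:12 -0700] "GET /events HTTP/1.1" 200
"""

FW_RE = re.compile(r"^(\S+ \S+) (ALLOW|DENY) \w+ src=(\S+) dst=\S+ dport=(\d+)$")
DB_RE = re.compile(r"^(\S+ \S+) LOGIN (OK|FAILED) user=(\S+) host=(\S+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3})$')

BUSINESS_HOURS = range(7, 19)   # assumption: 07:00 to 18:59 counts as business hours

Alert = Tuple[str, str, str]    # (source, subject, description)


def analyse(firewall_log: str, dbms_log: str, web_log: str,
            deny_threshold: int = 3, fail_threshold: int = 3,
            forbidden_threshold: int = 2) -> List[Alert]:
    alerts: List[Alert] = []

    # Firewall: one source probing several ports and being denied each time.
    denies: Counter = Counter()
    ports = defaultdict(set)
    for line in firewall_log.splitlines():
        m = FW_RE.match(line)
        if m and m.group(2) == "DENY":
            denies[m.group(3)] += 1
            ports[m.group(3)].add(int(m.group(4)))
    for src, n in denies.items():
        if n >= deny_threshold:
            alerts.append(("firewall", src,
                           f"{n} denied connections to ports {sorted(ports[src])}"))

    # DBMS: a login that succeeds after repeated failures, or outside business hours.
    fails: Counter = Counter()
    for line in dbms_log.splitlines():
        m = DB_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        user, host = m.group(3), m.group(4)
        if m.group(2) == "FAILED":
            fails[user] += 1
            continue
        if fails[user] >= fail_threshold:
            alerts.append(("dbms", user,
                           f"login succeeded after {fails[user]} failures from {host}"))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("dbms", user, f"login outside business hours at {ts:%H:%M}"))

    # Web server: a client repeatedly hitting pages it is forbidden to see.
    forbidden: Counter = Counter()
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if m and m.group(3) == "403":
            forbidden[m.group(1)] += 1
    for ip, n in forbidden.items():
        if n >= forbidden_threshold:
            alerts.append(("web", ip, f"{n} forbidden (403) responses"))
    return alerts


if __name__ == "__main__":
    for source, subject, text in analyse(FIREWALL_LOG, DBMS_LOG, WEB_LOG):
        print(f"[{source}] {subject}: {text}")
```

The three detections are independent, but the sample data shows why analysts read the logs together: the same internal host appears in the DBMS failures and in the web 403s within minutes, which is a stronger signal than either log gives alone.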
Q6: What Is Necessary for Disaster Preparedness?
• Disaster: substantial loss of infrastructure caused by acts of nature, crime, or terrorism
• Appropriate location:
― Avoid places prone to floods, earthquakes, tornadoes, hurricanes, avalanches, car/truck accidents
― Not in unobtrusive buildings, basements, backrooms, physical perimeter
― Fire-resistant buildings
Q6: What Is Necessary for Disaster Preparedness? (cont’d)
• Backup processing centers in a geographically removed site
• Create backups for critical resources
• Contract with a “hot site” or “cold site” provider
― Hot site provides all equipment needed to continue operations there
― Cold site provides space, but you set up and install the equipment
― www.ragingwire.com/managed_services?=recovery
• Periodically train and rehearse cutover of operations
Q7: How Should Organizations Respond to Security Incidents?
How Does the Knowledge in This Chapter Help Fox Lake and You?
The knowledge in Chapter 11 and Chapter 12 could help Jeff and Mike better protect the Fox Lake computing infrastructure.
Mike would have known to protect his passwords better.
They would have known the dangers of having someone like Jason producing reports for Anne. If you work in a small business, take the Fox Lake example to heart. Remembering these problems, you can do a better job of protecting your computing assets.
Case Study 12: The ChoicePoint Attack
ChoicePoint provides motor vehicle reports, claim histories, and similar data to the automobile insurance industry, general business, and government agencies. It offers data for volunteer and job-applicant screening and data to assist in locating missing children.
ChoicePoint has over 4,000 employees, and its 2007 revenue was $982 million. ChoicePoint was the victim of a spoofing attack in which unauthorized individuals posed as legitimate customers and obtained personal data on more than 145,000 individuals. This is an example of an authentication failure, not a network break-in.
ChoicePoint Attack (cont’d)
If ChoicePoint had quietly shut down data access for illegitimate businesses, no one would have known. However . . .
The 145,000 customers whose identities were compromised would have been unknowing victims of identity theft, but the thefts could have been tracked back to ChoicePoint.
ChoicePoint Attack (cont’d)
• Firewalls and other safeguards were not overcome.
• Criminals spoofed legitimate businesses by obtaining valid California business licenses.
• Undetected for months, until unusual processing activity was detected.
• Contacted police and cooperated in the attempt to apprehend the criminals.
• Resulted in a public relations nightmare, considerable expense, a class-action lawsuit, a Senate investigation, and a 20% drop in share price.