Chapter 12 Information Security Management

Chapter 12 Information Security Management. Someone’s stealing wedding presents, but only from weddings of club members. Knew how to access system,access.

Dec 28, 2015

Transcript
Page 1

Chapter 12

Information Security Management

Page 2

Someone’s stealing wedding presents, but only from weddings of club members.

Knew how to access system, access database, and maybe some SQL.

Access: Mike has yellow stickies with passwords on his monitor; copies of key to server building.

Knowledge: Greenskeeper guy, “a techno-whiz,” created report for Anne. Knows how to query database, and known to access it prior to Anne’s project. (ch. 9)

Scenario video

This Could Happen to You: “Could Someone Be Getting to Our Data?”

12-2 Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall

Page 3

Q1: What are the sources and types of security threats?

Q2: What are the elements of a security program?

Q3: How can technical safeguards protect against security threats?

Q4: How can data safeguards protect against security threats?

Q5: How can human safeguards protect against security threats?

Q6: What is necessary for disaster preparedness?

Q7: How should organizations respond to security incidents?

How does the knowledge in this chapter help Fox Lake and you?

Study Questions


Page 4

Q1: What Are the Sources and Types of Security Threats?


Page 5

Unauthorized Data Disclosure


Page 6

Human errors
• Incorrect entries and information
• Procedural problems

Incorrect data modifications
• Systems errors (lost-update problem)

Hacking
• Unauthorized system access

Faulty recovery actions
• Human procedural mistakes
• Errors in installation of hardware, software programs, or data

Incorrect Data Modifications


Usurpation
• Unauthorized programs invade computer system and replace legitimate programs

Page 7

Human error
• Inadvertently shut down web server, gateway router with computationally intensive application
• Example: OLAP application that uses operational DBMS blocks order-entry transaction

Denial of service
• Malicious attacks flood web server with millions of requests for web pages
• Computer worms
• Natural disasters

Denial of Service (DoS)


Page 8

Accidental
• Bulldozer cutting fiber-optic cable, floor buffer bangs web server
• Water line breaks or fire damage hardware

Theft and terrorists
• Disgruntled employee steals equipment
• Damages computer center

Natural disasters
• Floods, tornadoes, hurricanes, fire, earthquakes

Loss of Infrastructure


Page 9

Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts


Page 10

Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts (cont’d)


Page 11

2. Suppose you received the email in Figure 1 and mistakenly clicked See more details here. When you did so, you were taken to the web page shown in Figure 2. List every phishing symptom that you find in these two figures and explain why it is a symptom.

3. Suppose you work for an organization that is being phished.

a. How would you learn that your organization is being attacked?

b. What steps should your organization take in response to the attack?

c. What liability, if any, do you think your organization has for damages to customers that result from a phishing attack that carries your brand and trademarks?

Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts (cont’d)


Page 12

4. Summarize why phishing is a serious problem to commerce today.

5. Describe actions that industry organizations, companies, governments, or individuals can take to help to reduce phishing.

Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts (cont’d)


Page 13

Senior management involvement
• Must establish security policy
• Manage risk: balancing costs and benefits of security measures

Safeguards
• Protections against security threats

Incident response
• Priority plan for security incidents

Q2: What Are the Elements of a Security Program?


Page 14

Effective security programs balance safeguards

Security Safeguards as They Relate to the Five Components


Page 15

Q3: How Can Technical Safeguards Protect Against Security Threats?


Page 16

Authentication methods
• Password
• Smart card
• Biometric

Smart cards
• Microchip embedded with identifying data
• Authentication by PIN

Biometric authentication
• Fingerprints, face scans, retina scans
• See http://searchsecurity.techtarget.com

Single sign-on for multiple systems
• Authenticate to network and other servers

Identification and Authentication


Page 17

Encryption Terminology


Page 18

• Figure 12-4

Encryption—SSL/TLS


Page 19

• Computing device that prevents unauthorized network access
• May be special-purpose computer or program on a general-purpose computer
• Organizations may have multiple firewalls
  • Perimeter firewalls outside network
  • Internal firewalls inside network
  • Packet-filtering firewalls examine each part of a message
• May filter both incoming and outgoing messages
  • Encoded rules stating IP addresses allowed in or out of network
• Do not connect to Internet without firewall protection!

Firewalls
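The slide's "encoded rules stating IP addresses allowed in or out of network" can be made concrete with a small packet-filter evaluator. This is an added example written for this transcript, not code from the textbook or from Pearson: the rule text format, the rule list, the IP addresses and the sample packets are all constructed for illustration, and the first-match, default-deny behaviour is a common firewall convention rather than something the slide specifies.

```python
# Added example: a minimal packet-filtering firewall rule evaluator.
# The rule syntax, the rules below and the sample packets are all constructed
# for illustration; they are not from the textbook.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str                  # "in" = toward the protected network, "out" = leaving it
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    direction: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dst_port: int


def parse_rule(line: str) -> Rule:
    """Parse one rule in the constructed form
    '<in|out> <allow|deny> <src-cidr> -> <dst-cidr> [port <n>]'."""
    parts = line.split()
    if len(parts) not in (5, 7) or parts[3] != "->":
        raise ValueError(f"malformed rule: {line!r}")
    direction, action, src, _, dst = parts[:5]
    if direction not in ("in", "out") or action not in ("allow", "deny"):
        raise ValueError(f"malformed rule: {line!r}")
    port = None
    if len(parts) == 7:
        if parts[5] != "port":
            raise ValueError(f"malformed rule: {line!r}")
        port = int(parts[6])
    return Rule(direction, action, ipaddress.ip_network(src), ipaddress.ip_network(dst), port)


def packet(direction: str, src: str, dst: str, dst_port: int) -> Packet:
    return Packet(direction, ipaddress.ip_address(src), ipaddress.ip_address(dst), dst_port)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and pkt.src in rule.src
            and pkt.dst in rule.dst
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins. A packet no rule mentions is dropped:
    default deny is what makes the filter a safeguard rather than a suggestion."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed perimeter rule set: a public web server in a DMZ (203.0.113.0/24)
# and an office LAN (192.168.10.0/24) behind it. Both directions are filtered,
# as the slide notes: outbound database traffic from the LAN is blocked.
PERIMETER_RULES = [parse_rule(r) for r in [
    "in  allow 0.0.0.0/0       -> 203.0.113.10/32 port 443",
    "in  deny  0.0.0.0/0       -> 203.0.113.0/24",
    "out allow 192.168.10.0/24 -> 0.0.0.0/0       port 443",
    "out deny  192.168.10.0/24 -> 0.0.0.0/0       port 3306",
]]

SAMPLE_PACKETS = [
    packet("in",  "198.51.100.7", "203.0.113.10", 443),   # HTTPS to the web server: allow
    packet("in",  "198.51.100.7", "203.0.113.10", 22),    # SSH from the Internet: deny
    packet("out", "192.168.10.5", "198.51.100.9", 443),   # LAN browsing: allow
    packet("out", "192.168.10.5", "198.51.100.9", 3306),  # LAN to an external MySQL port: deny
    packet("out", "192.168.10.5", "198.51.100.9", 25),    # no rule at all: default deny
]


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [decide(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate(PERIMETER_RULES, SAMPLE_PACKETS)):
        print(f"{pkt.direction:3} {pkt.src} -> {pkt.dst}:{pkt.dst_port}  {verdict}")
```

Rule order matters: the HTTPS allow for the web server sits above the blanket deny for the DMZ, so the SSH attempt to the same host falls through to the deny, and the mail packet in the last sample, which no rule mentions at all, is dropped by the default.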


Page 20

Use of Multiple Firewalls


Page 21

Spyware programs

Adware
• Similar to spyware, without malicious intent
• Watches user's activity, produces pop-up ads, changes window, modifies search results
• Can slow computer performance
• Remove with anti-spyware, anti-adware programs

More on threats
• Click for latest viruses, malware threats

Malware Protection


Page 22

Malware Protection


Type: Problems

Malware: Viruses, worms, Trojan horses, spyware, and adware

Virus: Computer program that replicates itself; takes unwanted and harmful actions

Macro virus: Attaches itself to Word, Excel, or other types of documents; virus infects every file an application creates or processes

Worm: Virus that propagates using the Internet or other computer network; can choke a network

Spyware: Some capture keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Other spyware supports marketing analyses.

Adware: Can slow computer performance

Click for latest viruses, malware threats

Page 23

Spyware and Adware Symptoms


Page 24

Install antivirus and anti-spyware programs on your computer

Set up your anti-malware programs to scan your computer frequently

Update malware definitions

Open email attachments only from known sources

Promptly install software updates from legitimate sources

Browse only in reputable Internet neighborhoods

Malware Safeguards


Page 25

Q4: How Can Data Safeguards Protect Against Security Threats?


Data Safeguards


Page 26

Position definitions
• Least privilege possible

Hiring & screening employees
• Extensive interviews and background checks for high-sensitivity positions

Dissemination & enforcement
• Make employees aware of security policies and procedures

Termination
• Establish security policies and procedures for employee termination
• HR dept. giving IS early notification

Q5: How Can Human Safeguards Protect Against Security Threats?


Page 27

How Can Human Safeguards Protect Against Security Threats? (cont’d)


Page 28

How Can Human Safeguards Protect Against Security Threats? (cont’d)


Page 29

Administration of user accounts, passwords, and help-desk policies and procedures

• Creation of new user accounts, modification of existing account permissions, removal of unneeded accounts.

• Improve your relationship with IS personnel by providing early and timely notification of need for account changes.

Account Management

• Users should change passwords every three months or more frequently.

Password Management

Account Administration
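The account-management and password-management items on this slide, together with the termination item on the human-safeguards slide (HR giving IS early notification), describe a periodic reconciliation of the HR roster against system accounts. The script below is an added example written for this transcript, not code from the textbook or from Pearson: the employee roster, the account list, the user names and the dates are constructed, and the 90-day password age follows the slide's "every three months".

```python
# Added example: reconciling the HR roster with system accounts, as the
# slide's account-management and termination items describe. The roster,
# the account list and the dates are constructed for illustration; the
# 90-day password age follows the slide's "every three months".
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PASSWORD_MAX_AGE = timedelta(days=90)


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    status: str                          # "active" or "terminated"
    termination_date: Optional[date] = None   # set in advance when HR gives early notice


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]                # None for an account with no owner on record
    enabled: bool
    password_changed: date


Finding = Tuple[str, str]                # (username, what needs doing)


def review_accounts(employees: List[Employee], accounts: List[Account], today: date) -> List[Finding]:
    """Flag accounts to remove (no owner, or owner terminated) and passwords past rotation."""
    by_id = {e.emp_id: e for e in employees}
    findings: List[Finding] = []
    for acct in accounts:
        owner = by_id.get(acct.emp_id) if acct.emp_id else None
        if owner is None:
            findings.append((acct.username, "no matching employee record; remove unneeded account"))
        elif owner.status == "terminated" and acct.enabled:
            findings.append((acct.username,
                             f"owner terminated on {owner.termination_date}; disable and remove account"))
        age = today - acct.password_changed
        if acct.enabled and age > PASSWORD_MAX_AGE:
            findings.append((acct.username, f"password is {age.days} days old; rotation is due"))
    return findings


def upcoming_terminations(employees: List[Employee], today: date,
                          notice: timedelta = timedelta(days=14)) -> List[str]:
    """The early-notification list HR hands to IS: departures inside the notice window."""
    return [e.name for e in employees
            if e.termination_date is not None and today <= e.termination_date <= today + notice]


# Constructed sample data (not from the textbook's Fox Lake scenario).
REVIEW_DATE = date(2015, 12, 28)

EMPLOYEES = [
    Employee("E100", "Alice", "active"),
    Employee("E101", "Bob", "terminated", date(2015, 11, 30)),
    Employee("E102", "Carol", "active"),
    Employee("E103", "Dana", "active", date(2016, 1, 8)),     # leaving in 11 days
]

ACCOUNTS = [
    Account("alice", "E100", True, date(2015, 8, 1)),         # password 149 days old
    Account("bob", "E101", True, date(2015, 10, 1)),          # still enabled after termination
    Account("carol", "E102", True, date(2015, 12, 1)),        # nothing to report
    Account("dana", "E103", True, date(2015, 11, 20)),        # nothing to report yet
    Account("tempreports", None, True, date(2015, 6, 1)),     # no owner; 210-day-old password
]


if __name__ == "__main__":
    for username, action in review_accounts(EMPLOYEES, ACCOUNTS, REVIEW_DATE):
        print(f"{username:12} {action}")
    print("notify IS about:", upcoming_terminations(EMPLOYEES, REVIEW_DATE))
```

The orphaned "tempreports" account is the kind of leftover that account administration exists to catch; it produces two findings because it fails both the ownership check and the password-age check.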


Page 30

User signs statement like this.

National Institute of Standards and Technology (NIST) Recommendation


Page 31

Systems Procedures


Page 32

Activity log analyses
• Firewall logs
• DBMS log-in records
• Web server logs

Security testing
• In-house and external security professionals

Investigation of incidents
• How did the problem occur?

Learn from incidents
• Indication of potential vulnerability and needed corrective actions

Review and update security and safeguard policies

Security Monitoring Functions
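"Activity log analyses" over DBMS log-in records is the monitoring function most directly relevant to the chapter's opening scenario, where someone with database access was never noticed. The analyser below is an added example written for this transcript, not code from the textbook or from Pearson: the log line format, the sample lines and the thresholds (three failures within five minutes, 08:00 to 18:00 counted as business hours) are constructed assumptions, not anything the slide specifies.

```python
# Added example: activity-log analysis over DBMS log-in records, one of the
# log sources the slide lists. The log line format, the sample lines and the
# thresholds (3 failures in 5 minutes; 08:00-18:00 business hours) are
# constructed assumptions, not anything the textbook specifies.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) LOGIN (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

Finding = Tuple[str, str]   # (reason, offending log line)


@dataclass(frozen=True)
class Record:
    ts: datetime
    result: str
    user: str
    src: str


def parse_line(line: str) -> Optional[Record]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return Record(datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def analyze(lines: List[str], fail_threshold: int = 3,
            window: timedelta = timedelta(minutes=5),
            business_hours: Tuple[int, int] = (8, 18)) -> List[Finding]:
    """Flag failure bursts per source, a success right after such a burst,
    and successful logins outside business hours. Lines the parser rejects
    are reported too: a log you cannot read is a log you are not monitoring."""
    findings: List[Finding] = []
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed line", line))
            continue
        # keep only this source's failures that fall inside the sliding window
        recent = [t for t in recent_failures[rec.src] if rec.ts - t <= window]
        if rec.result == "FAILED":
            recent.append(rec.ts)
            if len(recent) == fail_threshold:
                findings.append((f"{fail_threshold} failed logins from {rec.src} within {window}", line))
        else:
            if recent:
                findings.append((f"successful login from {rec.src} after {len(recent)} recent failures", line))
            recent = []
            start, end = business_hours
            if not start <= rec.ts.hour < end:
                findings.append(("successful login outside business hours", line))
        recent_failures[rec.src] = recent
    return findings


# Constructed DBMS log-in records (not real log output).
SAMPLE_DBMS_LOG = [
    "2015-12-21T09:00:12 LOGIN OK user=clubdb src=192.168.10.20",
    "2015-12-21T23:41:02 LOGIN FAILED user=clubdb src=10.0.0.45",
    "2015-12-21T23:41:09 LOGIN FAILED user=clubdb src=10.0.0.45",
    "2015-12-21T23:41:15 LOGIN FAILED user=clubdb src=10.0.0.45",
    "2015-12-21T23:41:40 LOGIN OK user=clubdb src=10.0.0.45",
    "2015-12-21T23:42:00 <unparseable entry>",
]


if __name__ == "__main__":
    for reason, line in analyze(SAMPLE_DBMS_LOG):
        print(f"{reason}\n    {line}")
```

The daytime login from the office address produces nothing, while the late-night sequence yields three findings: the burst itself, the success that follows it, and the off-hours timing of that success. Each finding carries the raw line so the investigation step the slide describes ("How did the problem occur?") starts from evidence rather than a summary.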


Page 33


Q6: What Is Necessary for Disaster Preparedness?

• Disaster
― Substantial loss of infrastructure caused by acts of nature, crime, or terrorism

• Appropriate location
― Avoid places prone to floods, earthquakes, tornadoes, hurricanes, avalanches, car/truck accidents
― Not in unobtrusive buildings, basements, backrooms, physical perimeter
― Fire-resistant buildings


Page 34

Q6: What Is Necessary for Disaster Preparedness? (cont’d)


• Backup processing centers in geographically removed site
• Create backups for critical resources
• Contract with “hot site” or “cold site” provider
― Hot site provides all equipment needed to continue operations there
― Cold site provides space but you set up and install equipment
― www.ragingwire.com/managed_services?=recovery
• Periodically train and rehearse cutover of operations

Page 35

Q7: How Should Organizations Respond to Security Incidents?


Page 36

Knowledge in Chapter 11 and Chapter 12 could help Jeff and Mike better protect Fox Lake's computing infrastructure.

Mike would have known to protect his passwords better.

Would have known the dangers of having someone like Jason producing reports for Anne. If you work in a small business, take the Fox Lake example to heart. Remembering these problems, you can do a better job of protecting your computing assets.

How Does the Knowledge in This Chapter Help Fox Lake and You?


Page 37

ChoicePoint provides motor vehicle reports, claim histories, and similar data to the automobile insurance industry, general business, and government agencies. It offers data for volunteer and job-applicant screening and data to assist in locating missing children.

ChoicePoint has over 4,000 employees, and its 2007 revenue was $982 million.

ChoicePoint was the victim of a spoofing attack in which unauthorized individuals posed as legitimate customers and obtained personal data on more than 145,000 individuals. This is an example of an authentication failure, not a network break-in.

Case Study 12: The ChoicePoint Attack


Page 38

If ChoicePoint had quietly shut down data access for illegitimate businesses, no one would have known. However . . .

145,000 customers whose identities were compromised would be unknowing victims of identity theft, but thefts could have been tracked back to ChoicePoint.

ChoicePoint Attack (cont’d)


Page 39

Firewalls and other safeguards were not overcome.

Criminals spoofed legitimate businesses by obtaining valid California business licenses.

Undetected for months until unusual processing activity was detected.

Contacted police and cooperated in attempt to apprehend the criminals.

Resulted in public relations nightmare, considerable expense, class-action lawsuit, Senate investigation, and 20% drop in share price.

ChoicePoint Attack (cont’d)
