
Risk Management: Information Technology, Infrastructure and Security
MBA 8125
Spring 2012
Acknowledgement: Parts of this session are based upon material from Cecil Chua, Deb Dey, Kimball, Dorothy Denning, Ray Panko, Graeme Payne, Ernst & Young, Gartner Group, Arjan Raven, Jessup and Valacich, J. Steten, Forrester
Duane Truex
Veda C. Storey
Carl Stucke
Why Study Security?
• Country: privacy, cyber attacks
• Company: corporate database attacks
• Individual: tracking, spyware, identity theft
What are we willing to accept?
Generalized Security Design Model
• Threats: 1. Destruction, 2. Modification, 3. Disclosure
• Targets: 1. Physical (hardware, facilities, people), 2. Software, 3. Data, 4. Communications
• Controls: 1. Avoidance, 2. Tolerance, 3. Mitigation
• Sources: 1. People, 2. Mother nature
Risk -- (Cost) Benefit Analysis Model
• EC = P_i × Σ C_i
• EV = B_i − EC
• Overall utility of scenarios
– Where B_i = Σ_j (b_ij × W_j)
– Where B_i is the expected benefit assigned to strategy i given its effect on scenario j, and W_j is the weighting given to scenario j
Q: What is an inherent weakness in this formulation?
Q: Are traditional investment decision metrics adequate?
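Worked example of the model above, added here as editor's illustration rather than course material: it computes EC, B_i and EV for two ways of treating one risk, ranks them, and also reports the break-even P_i (B_i / Σ C_i), which shows how much error in the probability estimate each decision can absorb. Strategy names, probabilities, costs, benefits and scenario weights are all constructed, and C_i is read as the costs counted when the loss event occurs.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Strategy:
    name: str
    p_loss: float               # P_i: estimated probability that the loss event occurs
    costs: dict[str, float]     # C_i: cost components counted when it does occur
    benefits: dict[str, float]  # b_ij: benefit of this strategy under each scenario j


def expected_cost(s: Strategy) -> float:
    """EC = P_i * sum(C_i)."""
    return s.p_loss * sum(s.costs.values())


def weighted_benefit(s: Strategy, weights: dict[str, float]) -> float:
    """B_i = sum_j (b_ij * W_j); W_j keyed by scenario name, unlisted scenarios weigh 0."""
    return sum(b * weights.get(j, 0.0) for j, b in s.benefits.items())


def expected_value(s: Strategy, weights: dict[str, float]) -> float:
    """EV = B_i - EC."""
    return weighted_benefit(s, weights) - expected_cost(s)


def breakeven_probability(s: Strategy, weights: dict[str, float]) -> float:
    """The P_i at which EV falls to zero (B_i / sum(C_i)).  Its distance from the
    estimated P_i is the estimation error the decision can tolerate."""
    return weighted_benefit(s, weights) / sum(s.costs.values())


def rank(strategies: list[Strategy], weights: dict[str, float]) -> list[str]:
    """Strategy names from highest to lowest expected value."""
    return [s.name for s in sorted(strategies, key=lambda s: expected_value(s, weights), reverse=True)]


# Constructed sample: two treatments of one risk, three weighted scenarios.
WEIGHTS = {"normal": 0.6, "peak_season": 0.3, "regulatory_audit": 0.1}
COSTS = {"downtime": 300.0, "recovery": 100.0}   # costs incurred if the outage happens
STRATEGIES = [
    Strategy("accept", 0.20, COSTS,
             {"normal": 100.0, "peak_season": 100.0, "regulatory_audit": 100.0}),
    Strategy("mitigate", 0.02, COSTS,   # control spend lowers P_i but eats into the benefit
             {"normal": 85.0, "peak_season": 90.0, "regulatory_audit": 95.0}),
]

if __name__ == "__main__":
    for s in STRATEGIES:
        print(f"{s.name:9s} EC={expected_cost(s):6.1f} B={weighted_benefit(s, WEIGHTS):6.1f} "
              f"EV={expected_value(s, WEIGHTS):6.1f} break-even P={breakeven_probability(s, WEIGHTS):.3f}")
    print("ranking:", rank(STRATEGIES, WEIGHTS))
```

With these inputs "accept" has EV 20 but a break-even P of 0.25 against an estimate of 0.20, so a five-point error in the estimate wipes out its value.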
The Big Picture: Technology Emergence, Impact, Dependency
Disruptive technology
• New way of doing things
• Does not meet needs of existing customers
• Opens new markets / destroys old ones
• Starts in the low end; evolves to high-end competitors
Sustaining technology
• Produces an improved customer product
• Better / faster / cheaper
“By eliminating time and distance, the Internet makes it possible to perform business in ways not previously imaginable.” Ref: Baltzan and Phillips, 2011
Agenda
Item 1: Information Technology Infrastructure
Item 2: Data Set
• Sources, Storage, and Challenges
Item 3: Risk Management
• Organizational Perspectives
• Risk Management Life Cycle
• Business Impact Analysis
• The Digital Firm: Where are the Risks?
Item 4: Information Security
• Framework
• Unauthorized Access and Human Error
• Four Factors: 1. What you know, 2. What you are, 3. What you have, 4. Where you are
• Communication Line Access
• Corporate Server Protection
Agenda (cont’d)
Item 5: Attacks
• Why so many attacks?
• Attacks via Social Engineering
Item 6: Attackers
• Who Are They?
• Spamming
Item 7: Management Issues
• Disasters and business continuity planning
• Security levels
• Business value of security
• Takeaways
Item 1: Information Technology Infrastructure
Components of the information systems infrastructure (Jessup & Valacich, 2008):
• Hardware
• Software
• Communication and collaboration
• Data and knowledge
• Facilities
• Human resources
• Information systems infrastructure services
The Data Set: Data Sources and Storage
• Data sources: what?
• Storage: database
If you were in charge of protecting your data assets, where would you start from a risk management point of view?
Item 2: Data Set Challenges
• Business strategy
• Rules
• Processes
Agenda Item 3: Risk Management
Risk Management
• Risk avoidance
• Cost of doing business
• ROI
“Risk management is based on the notion that history repeats itself, but not quite.” Peter Bernstein
Risk Management: Organizational Perspective
[Diagram: Board of Directors at the top, Risk Management Committee below it and Business Units at the bottom; Regulations on one side and Risk Policies on the other frame three columns of risk: Strategic, Financial and Operational]
Risk categories shown:
• Strategic, Reputation, Revenue, Credit, Market, Fiduciary, Intellectual Property, Risk Financing and Insurance
• IT: Info Security and Availability, Project Management, Capacity and Performance
• Human Capital, Privacy, Physical Security
Copyright © 2002
Risk Management Life Cycle: Mitigation and Risk Abatement
• Start/Update Risk Planning
• Inventory Assets – who, what, what value, what priority?
• Identify Risks – who, what, where, when, why, how?
• Analyze/assess/measure – how much, how often, how related, what business impact?
• Mitigate – eliminate, avoid, reduce
• Accept – create/implement BCP
• Transfer – contractual, risk financing, insurance
• Monitor Results / Initiate Update
Adapted From
Risk Management: Business Impact Analysis (BIA)
Impacts considered: competition, customer service, lost sales, productivity, canceled orders, legal/contractual obligations, penalties, regulatory requirements, insurance issues, cash flow, interest expense, shareholder confidence, company viability
[Chart: cost to business (vertical axis, 0 to 160) rising with outage duration; impacts begin at Day 1 (lost sales), Day 4 (order cancellations), Week 1 (penalties) and Week 2 (interest)]
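The cost-over-time curve in the BIA chart, as an added example (editor's code, not from the course): each impact starts at the outage duration the chart marks and then accrues with every further hour, and a second function turns the curve around to find the longest outage a given loss budget can absorb. The thresholds follow the chart; the hourly rates and one-off amounts are constructed, as are the budget figures.

```python
from __future__ import annotations
from dataclasses import dataclass

HOUR, DAY, WEEK = 1, 24, 7 * 24


@dataclass(frozen=True)
class Impact:
    name: str
    starts_after: int    # outage hours before this impact begins (from the chart)
    one_off: float       # amount incurred once the threshold is crossed (constructed)
    per_hour: float      # amount accrued for each further hour of outage (constructed)


# Constructed BIA inputs: thresholds from the slide's chart, amounts assumed.
IMPACTS = [
    Impact("lost_sales", 1 * DAY, 0.0, 1.0),
    Impact("order_cancellations", 4 * DAY, 20.0, 0.5),
    Impact("penalties", 1 * WEEK, 30.0, 0.0),
    Impact("interest_expense", 2 * WEEK, 0.0, 0.2),
]


def cost_of_outage(hours: int, impacts: list[Impact] = IMPACTS) -> dict[str, float]:
    """Cost to business, broken down by impact, for an outage of the given length."""
    out: dict[str, float] = {}
    for imp in impacts:
        if hours <= imp.starts_after:
            continue                      # this impact has not started yet
        out[imp.name] = imp.one_off + imp.per_hour * (hours - imp.starts_after)
    return out


def total_cost(hours: int, impacts: list[Impact] = IMPACTS) -> float:
    return sum(cost_of_outage(hours, impacts).values())


def max_tolerable_outage(budget: float, impacts: list[Impact] = IMPACTS,
                         limit: int = 4 * WEEK) -> int:
    """Longest outage, in hours, whose total cost stays within the budget.
    Cost never decreases with hours, so a linear scan up to the limit suffices."""
    h = 0
    while h < limit and total_cost(h + 1, impacts) <= budget:
        h += 1
    return h


if __name__ == "__main__":
    for label, hours in [("Day 1", DAY), ("Day 4", 4 * DAY), ("Week 1", WEEK), ("Week 2", 2 * WEEK)]:
        print(f"{label:7s} +1h: total={total_cost(hours + 1):7.1f}  {cost_of_outage(hours + 1)}")
    print("hours tolerable on a budget of 100:", max_tolerable_outage(100.0))
```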
Risk Management
The Digital Firm: Where Are The Risks?
• Multiple failure points
• Human error
• Performance / capacity
• Outsourced service providers
• Natural disasters
• Downtime (planned/unplanned)
• Security incidents
• Links to third parties
Source: Laudon & Laudon
Agenda Item 4: Information Security
• Framework
• Unauthorized Access and Human Error
• Four Factors:
– What you know
– What you are
– What you have
– Where you are
• Communication Line Access
• Corporate Server Protection
Information Security
Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
Source: Laudon & Laudon
Primary Issues
• Confidentiality
– no “data spills”
• Integrity
• Availability
Sample Question: Why is “availability” considered a primary issue of information security?
Information Security:
Framework for Understanding Challenges in Organizations
Source: Laudon & Laudon
Question: What is the major use of this framework?
Unauthorized Access & Human Error
• Strong passwords; change frequently
• Use additional authentication
– something you know, you have, you are, where you are
• Encrypt data
• Install anti-virus, anti-spyware, and firewall
• Minimize data stored on client
• Limit data access to need-to-know basis
• Software bugs
– Updates and patches
• Input mistakes
– Application controls (http://www.sans.org/top20/)
• SPAM and phish
http://images.businessweek.com/ss/05/05/hacker_phishing/index_01.htm
Factor One: What You Know
Attacks against a weak link: passwords
• Brute Force Attack
– Try every combination possible
– Defeated by long passwords
• Default Password Attack
– Check if user never changed password from default
– Defeated by changing password
• Dictionary Attack
– Dictionary of common passwords
– Names, common words, famous people, domain-specific terms
• Good passwords
– Minimum length: 8 characters
– Passwords should use:
• Lowercase
• Uppercase
• Numbers
• Special characters such as !@#$%^&*(){}[]
– My favorite song is “Sing to the Wind”. Password: “mFSI!19202023”
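A checker for the password rules above, added as editor's illustration (not course code): it reports which of the slide's rules a password breaks, flags the default-password and dictionary cases, and sizes the brute-force search space (log2 of alphabet^length) to show why length, not just character mix, defeats exhaustive guessing. The default and dictionary word lists are tiny constructed stand-ins for the real lists a policy check would use.

```python
import math
import string

MIN_LENGTH = 8
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numbers": set(string.digits),
    "special": set("!@#$%^&*(){}[]"),   # the specials the slide lists
}
# Constructed stand-ins for the slide's dictionary sources (names, common words,
# famous people, domain-specific terms) and for vendor default passwords.
DICTIONARY = {"password", "letmein", "atlanta", "einstein", "welcome", "invoice"}
DEFAULTS = {"admin", "changeme", "default"}


def missing_classes(pw: str) -> list:
    """Character classes from the policy that the password does not use."""
    return [name for name, chars in CLASSES.items() if not (set(pw) & chars)]


def weaknesses(pw: str) -> list:
    """Reasons the password fails the slide's policy; an empty list means it passes."""
    out = []
    if len(pw) < MIN_LENGTH:
        out.append("shorter than 8 characters")
    out += [f"no {c} characters" for c in missing_classes(pw)]
    if pw.lower() in DEFAULTS:
        out.append("default password never changed")
    if pw.lower().rstrip(string.digits) in DICTIONARY:   # catches word + trailing digits too
        out.append("dictionary word")
    return out


def brute_force_bits(pw: str) -> float:
    """log2 of the search space an exhaustive attack must cover: alphabet ** length.
    Only the classes actually present count, so length is the dominant factor."""
    alphabet = sum(len(chars) for name, chars in CLASSES.items()
                   if name not in missing_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ("mFSI!19202023", "atlanta1", "admin"):
        print(f"{candidate:15s} {brute_force_bits(candidate):5.1f} bits  {weaknesses(candidate) or 'OK'}")
```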
Factor Two: What You Are
• Facial recognition
• Iris scan
• Signature recognition
• Speech recognition
• Retinal scan
• Fingerprint scan
Biometric examples are from Kelly Rainer.
Factor Three: What You Have
• Smart ID card
• Hardware token
Factor Four: Where You Are
• GPS
Communications Line Access
• Secure physical communications lines
• Encrypt communications (http://computer.howstuffworks.com/vpn.htm)
• Authenticate sender & receiver
• Use digital signatures to prevent alteration and identify sender (http://computer.howstuffworks.com/question571.htm)
Corporate Server Protection
• Limit external access
– use firewalls
– use anti-virus software
– use “patches” for server software
– use intrusion detection software
• Limit data/functions on servers
• Encrypt data on servers
Agenda: Attacks and Attackers
Item 5: Attacks
• Why so many attacks?
• Attacks via Social Engineering
• Types of Attacks
– Virus
– Denial of Service Attacks
Item 6: Attackers
• Who Are They?
• Spamming
Why So Many Attacks?
• Today’s Systems
• Internet Growth
• Attackers Organized
– Teach each other and novices
– Exchange tools and information
• Attackers Develop Better Tools
– Build on each other’s work
– Build on work of security community
• Attacks Easy, Low Risk, Hard to Trace
– Investigations difficult; often international
• Lack of Security Awareness, Expertise, or Priorities
– 0.0025 percent of revenue spent on information security [Forrester]
• Organized Crime involved!
Attacks via Social Engineering
• Acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of an inappropriate trust relationship with insiders.
• Manipulation of human beings to obtain information or confidence pertaining to the security of networked computer systems (with malicious intent)
We are the weakest link….
Kevin Mitnick, “The World’s Most Famous Hacker”: http://www.kevinmitnick.com/
Social Engineering Tactics & Defenses
Sarah Granger, SecurityFocus
Area of Risk | Hacker Tactic | Combat Strategy
Phone (Help Desk) | Impersonation and persuasion | Train employees/help desk to never give out passwords or other confidential info by phone
Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present
Office | Shoulder surfing | Don’t type in passwords with anyone else present (or if you must, do it quickly!)
Phone (Help Desk) | Impersonation on help desk calls | All employees should be assigned a PIN specific to help desk support
Office | Wandering through halls looking for open offices | Require all guests to be escorted
Mail room | Insertion of forged memos | Lock & monitor mail room
Machine room/Phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment
Phone & PBX | Stealing phone toll access | Control overseas & long-distance calls, trace calls, refuse transfers
Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media
Intranet-Internet | Creation & insertion of mock software on intranet or internet to snarf passwords | Continual awareness of system and network changes, training on password use
Office | Stealing sensitive documents | Mark documents as confidential & require those documents to be locked
General-Psychological | Impersonation & persuasion | Keep employees on their toes through continued awareness and training programs
Attacks
• Virus
– Piece of code embedded in e-mail attachment
• Denial of Service
– Generate large number of useless service requests
– Overload and system crash
Attackers: Who are they?
• Kid down the street?
• Professional, working for your competitors?
• Foreign intelligence agency?
• Ex-employee?
• Disgruntled coworker?
• “Professional” funded by organized crime
“It’s really just a bunch of really smart kids trying to prove themselves. I know I was.”
– Splurge, sm0ked crew
“It’s power at your fingertips. You can control all these computers from the government, from the military, from large corporations. … That’s power; it’s a power trip.”
– anonymous
“You do get a rush from doing it – definitely.”
“I’m like your nosy neighbor on steroids, basically.”
– Raphael Gray (aka Curador) [stole and posted 26,000 credit card numbers]
Source: Dorothy Denning
Spammers are winning: And it's not even close
• Size of problem
– Approximately 150 billion messages/day
• Approximately 2 million email messages / second
• Approximately 78% spam
– Mobile spam
• Defense
– Software
– CAN-SPAM Act 2003: [Forbids “deceptive subject lines, headers, return addresses, etc. as well as the harvesting of email addresses from websites. It requires businesses that send spam to maintain a do-not-spam list and to include a posting mailing address in that message.]
http://www.news.com/8301-10784_3-9869269-7.html?part=rss&subj=news&tag=2547-1_3-0-20
Agenda: Management Issues
Item 7: Management Issues
• Disasters and business continuity planning
• Developing security service levels
• Business value of security
• Takeaways
– Management concerns
– Strategic alignment and business priorities
– Components for a successful information security program
– Management responsibilities
Management Challenges: Disasters (Can and Cannots)
Cannot
– prevent natural disaster (power outages, fires, floods)
– prevent all human-initiated disaster
Can
– create business continuity / disaster recovery plans
– choose where people, process, and technology are located
Disaster Recovery and Business Continuity Planning
Question: What is a disaster?
– 10 users out of service for 1 hour is not a disaster (unless one is the CEO …)
– 1,000,000 users out of service for 24 hours is a disaster
Disaster Recovery: Levels of Backup
• Hot backup
– Backup of complete system at another site
– Data, operating components of hardware and software
• Cold backup
– Backup of data only
– No transaction can be processed during downtime
• Warm backup
– Somewhere in the middle
– Smaller system with full backup of data
– Transactions processed, but more slowly
Pros/cons of each …
Source: A.P. Snow
Distribute IS Architectures and Distribute Organizations to become Resilient
[Diagram: one site carrying 100% of operations, marked as a single point of failure, versus operations split 1/5 each across several sites linked by a network]
• Remove single point of failure so risk is spread out geographically
• Depends on
– redundancy of human capital necessary to run, OR
– ability to transition to backup site
• False security if personnel lost in outage, or loss of transportation or communication systems for transfer of operations
• Reliability demands for telecommunication services increase dramatically
• Redundancy requirements shift to network services
Ref. A. Snow
Management Issues: Attack Challenges and Trends
• Growing number of attacks (and attackers!)
• Attacks
– Fast, propagate over network
– Random
– Growing power / sophistication
– Automated
– Malicious
• Human / social behavior
– Always connected
– Widespread use of e-mail and instant messaging
– Wireless access
Again, why is this happening?
• Information systems
– Complex
– Interact with each other
– Bugs
• Integrated systems of the digital enterprise are very, very difficult to secure
• Humans are imperfect…
Management Issues: Delivering a Security Service Level
Process improvement (efficiency/effectiveness):
• How many machines are involved in each virus incident?
• What is our security spending as a % of revenue?
• How many weeks between critical patch issued and implemented?
• What % of downtime is due to security incidents?
Attack resistance:
• What % of known attacks are we vulnerable to?
• When did we last check?
Internal crunchiness:
• What % of our software, people and suppliers have been reviewed for security?
• What % of critical data is “strongly” protected?
Source: Gartner
Management Issues: Business Value of Security
• Cost of inadequate security
– legal liability
• Value of security
– protect own information assets
– protect assets of customers, employees, business partners
– assure business continuity
Takeaway: Management Concerns
What should you be concerned about?
Security and privacy
• Can you ensure secure operations?
• Who has access to my data, and how is it stored and communicated?
• What data do you collect about me, and how is it used?
Compliance
• Can you help me achieve compliance?
• What about laws and regulations that impact operation?
• Is my data subject to any local regulations?
Legal
• Who is responsible (liability) when things go wrong?
• Intellectual property issue: ownership and rights to use
• How is the data used and stored? For how long?
Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Takeaway: Information Security Management: Strategic Alignment and Business Priorities
Information Security Architecture Methodology
• Step 1: Business Requirements Analysis – strategic objectives, business environment, tactical issues
• Step 2: Assessment of Current As-Is and To-Be Architecture – organization, technology, process
• Step 3: Information Security Roadmap Development – cost, time, business priorities
Takeaway: 10 Essential Components for a Successful Information Security Program
1. Make sure the CEO “owns” the information security program.
2. Assign senior-level staff with responsibility for information security.
3. Establish a cross-functional information security governance board.
4. Establish metrics to manage the program.
5. Implement an ongoing security improvement plan.
6. Conduct an independent review of the information security program.
7. Layer security at gateway, server, and client.
8. Separate your computing environment into “zones.”
9. Start with basics and then improve the program.
10. Consider information security an essential investment for your business.
Takeaway: Management Responsibilities
• Policies and procedures
• Education and training
– Strong authentication (e.g., 8-character password)
– Social engineering (recognize, handle)
• Techniques
– Access control (need to know) / authentication (multi-factor: know, have, am, location)
– Filtering (firewall); intrusion detection
– Data encryption (encode data transmitted over a link or stored)
– Anti-virus software
• Process
– Continuous evaluation / investment
– Business continuity planning
• Vulnerability assessment & audit
– Third-party consultant
– Standards (ISO 17799, see http://en.wikipedia.org/wiki/ISO_17799, http://www.iso-17799.com/ and http://www.sans.org/score/checklists/ISO_17799_checklist.pdf; ISO 27001, CoBIT, PCI, …)
Based on Kimball
Conclusion
• Risk management
– Essential aspect of successful business operation
• Security problems
– Real and growing
– Plan for tomorrow’s threat environment
• Security measures
– Multiple protection measures
– Ongoing update and evaluation
– People greatest risk (and greatest asset)
• Hope for the future . . .
– Increased security awareness / priority
– Growing number of security experts
– Laws to facilitate investigations
– International cooperation to fight cyber crime
Appendices
Other Resources
• CERT Podcasts
• CyberCIEGE Movies
• The Executive Guide to Information Security: Threats, Challenges, and Solutions (Symantec Press).
http://www.amazon.com/gp/product/0321304519/sr=1-1/qid=1239277259/ref=olp_product_details?ie=UTF8&me=&qid=1239277259&sr=1-1&seller
Sample Firewall Configuration
[Diagram: a web client sends an HTTP request (cleartext or SSL) through the outer firewall into the DMZ, where the web server and its web apps run; a second firewall separates the DMZ from the SQL database (DB) on the internal network; the HTTP reply (HTML, JavaScript, etc.) returns to the client]
(Also see http://computer.howstuffworks.com/firewall.htm)
Intrusion Detection Systems
Also see http://en.wikipedia.org/wiki/Intrusion_detection_system
[Diagram: IDS placements around an enterprise network: Internet, business partner, remote users, data center, corporate office and DMZ servers]
• Extranet protection: monitors partner traffic where “trust” is implied but not assured
• Internet protection: complements FW and VPN by monitoring traffic for malicious activity
• Intranet/internal protection: protects data centers and critical systems from internal threats
• Remote access protection: hardens perimeter control by monitoring remote users
• Server farm protection: protects e-business servers from attack and compromise
High-availability facilities feature sturdy construction, air conditioning, backup generators, fire suppression systems, access control, and intrusion detection systems.
Source: http://www.fastservers.net/products-services/colocation-data-center.html