Chapter 12 PPT

Chapter 12: Information Security Management
Study Questions
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q1: What Is the Goal of Information Systems Security?
Examples of Threat/Loss
What Are the Sources of Threats?
Unauthorized Data Disclosure
• Unauthorized data disclosure—inadvertent release of data in violation of policy
• Pretexting—pretending to be someone else via phone call
• Phishing—pretexting using email; email spoofing
• Spoofing—disguising as a different IP address or different email sender; web spoofing
• IP spoofing—impersonating another computing system
• Drive-by sniffing—intercepting computer communications
• Email spoofing—synonym for phishing
• Hacking, natural disasters, etc.
Incorrect Data Modification
• Procedures not followed or incorrectly designed procedures
• Increasing a customer’s discount or incorrectly modifying an employee’s salary
• Placing incorrect data on the company Web site
• Improper internal controls on systems
• System errors
• Faulty recovery actions after a disaster
Faulty Service
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)
Loss of Infrastructure
• Human accidents
• Theft and terrorist events
• Disgruntled or terminated employee
• Natural disasters
• Advanced Persistent Threat (APT) or cyberwarfare
Mobile Security
• 155% increase in mobile malware apps from 2010 to 2011
• Apps for snooping – track location, record phone calls, save and display chats and messages
• “Jailbreak” targeted at the iPhone App Store
• Sniffer programs used to access Wi-Fi networks without authorization
• Safeguards: Kaspersky, Lookout, DroidSecurity, sandboxing
• Performing a remote wipe of offending apps
Q2: How Big Is the Computer Security Problem?
Verizon–Secret Service Findings 2011
• Number of data-loss security incidents reached an all-time high, but the number of data records lost fell dramatically for the second year in a row
• Data theft most successful at small and medium-sized businesses
Verizon–Secret Service Findings 2011 (cont'd)
Four most frequent computer crimes:
1. Criminal activity against servers
2. Viruses
3. Code insertion
4. Data loss on user computer
Types of Attacks Experienced
Intrusion Detection System (IDS)
• Computer program that senses when another computer is attempting to scan a disk or otherwise access a computer
• “When I run an IDS on a computer on the public Internet, ... I get more than 1,000 attempts, mostly from foreign countries. There is nothing you can do about it except use reasonable safeguards.”
Q3: How Should You Respond to Security Threats?
Q4: How Should Organizations Respond to Security Threats?
• Establish a company-wide security policy
– What sensitive data to store
– How it will process that data
– Whether data will be shared with other organizations
– How employees and others can obtain copies of data stored about them
– How employees and others can request changes to inaccurate data
– What employees can do with their own mobile devices at work
– What non-organizational activities employees can take with employee-owned equipment
Security Safeguards as They Relate to the Five IS Components
Q5: How Can Technical Safeguards Protect Against Security Threats?
Identification and Authentication (Access)
Authentication methods
• Password
• Smart card
• Biometric
Smart cards
• Microchip embedded with identifying data
• Authentication by PIN
Biometric authentication
• Fingerprints, face scans, retina scans
• See http://searchsecurity.techtarget.com
Single sign-on for multiple systems
• Authenticate once to the network and other servers
Encryption Terminology
• Encryption algorithms (DES, 3DES, AES, Blowfish, IDEA)
• Key—a number used to encrypt the data
• Symmetric encryption—the same key encrypts and decrypts
• Asymmetric encryption—public/private key pair
• HTTPS (HTTP + SSL/TLS)
• Secure Sockets Layer (SSL) (predecessor of TLS)
• Transport Layer Security (TLS) (DC, Privacy, PKE)
Encryption: Essence of HTTPS (SSL or TLS)
Firewalls
Malware Types and Spyware and Adware Symptoms
• Viruses
– Payload
– Trojan horses
– Worms
– Beacons
• Spyware & Adware Symptoms
Malware Safeguards
1. Install antivirus and antispyware programs
2. Scan frequently
3. Update malware definitions
4. Open email attachments only from known sources
5. Install software updates from legitimate sources
6. Browse only reputable Internet neighborhoods
Q6: How Can Data Safeguards Protect Against Security Threats?
Q7: How Can Human Safeguards Protect Against Security Threats?
Account Administration
• Account Management
– Standards for new user accounts, modification of account permissions, removal of unneeded accounts
• Password Management
– Users should change passwords frequently
• Help Desk Policies
Sample Account Acknowledgment Form
Systems Procedures
• Data recovery (online recovery)—the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally
Security Monitoring Functions
• Activity log analyses
– Firewall logs
– DBMS log-in records
– Web server logs
• Security testing
– In-house and external security professionals
• Investigation of incidents
– How did the problem occur?
• Learn from incidents
– Indication of potential vulnerability and needed corrective actions
• Review and update security and safeguard policies
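As an added illustration of the activity log analysis described above (not part of the original slides), the script below correlates denied or failed events across the three log sources the slide names: firewall logs, DBMS log-in records, and web server logs. The log lines and their formats are constructed for the example; real products use their own formats, so the regular expressions are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records, one event per line (not from any real system).
FIREWALL_LOG = """\
2024-05-01T08:00:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=1433
2024-05-01T08:00:02 DENY src=203.0.113.7 dst=10.0.0.5 dport=3306
2024-05-01T08:01:00 ALLOW src=198.51.100.4 dst=10.0.0.8 dport=443
"""
DBMS_LOGIN_LOG = """\
2024-05-01T08:02:10 login FAILED user=sa host=203.0.113.7
2024-05-01T08:02:11 login FAILED user=admin host=203.0.113.7
2024-05-01T08:05:00 login OK user=app host=10.0.0.8
"""
WEB_SERVER_LOG = """\
203.0.113.7 - - [01/May/2024:08:03:00 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [01/May/2024:08:03:05 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [01/May/2024:08:03:07 +0000] "POST /login HTTP/1.1" 401 512
"""

# Assumed line layouts: a firewall DENY, a failed DBMS login, a web 401 response.
FW_RE = re.compile(r"DENY src=(?P<ip>[\d.]+)")
DB_RE = re.compile(r"login FAILED .*host=(?P<ip>[\d.]+)")
WEB_RE = re.compile(r'^(?P<ip>[\d.]+) .* "\w+ [^"]+" 401 ')

def count_failures(log_text, pattern):
    """Return {ip: number of denied/failed events} for one log source."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)

def correlate(firewall, dbms, web, min_sources=2):
    """Merge per-source failure counts and report the IPs that show denied or
    failed activity in at least `min_sources` of the three logs."""
    per_source = {
        "firewall": count_failures(firewall, FW_RE),
        "dbms": count_failures(dbms, DB_RE),
        "web": count_failures(web, WEB_RE),
    }
    merged = defaultdict(dict)
    for source, counts in per_source.items():
        for ip, n in counts.items():
            merged[ip][source] = n
    return {ip: hits for ip, hits in merged.items() if len(hits) >= min_sources}

if __name__ == "__main__":
    for ip, hits in correlate(FIREWALL_LOG, DBMS_LOGIN_LOG, WEB_SERVER_LOG).items():
        print(ip, hits)  # a source seen failing in several logs is worth investigating
```

A single source appearing in all three logs within minutes is exactly the kind of pattern the "Investigation of incidents" step asks about, and the counts give the reviewer a starting point for "how did the problem occur?".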
What Is Necessary for Disaster Preparedness?
• Disaster
― Substantial loss of infrastructure caused by acts of nature, crime, or terrorism
• Appropriate location
― Avoid places prone to floods, earthquakes, tornadoes, hurricanes, avalanches, car/truck accidents
― Not in unobtrusive buildings, basements, backrooms, physical perimeter
― Fire-resistant buildings
Google’s Data Center in Finland
• Hamina Data Center
• http://www.google.com/about/datacenters/locations/hamina/
• http://www.youtube.com/watch?v=VChOEvKicQQ
• High-tech cooling system
What Is Necessary for Disaster Preparedness? (cont’d)
• Backup processing centers in a geographically removed site
• Create backups for critical resources
• Contract with a “hot site” or “cold site” provider
– Hot site provides all equipment needed to continue operations there
– Cold site provides space, but you set up and install the equipment
– www.ragingwire.com/managed_services?=recovery
• Periodically train and rehearse cutover of operations
• Cloud backup: a service that provides users with a system for the backup and storage of computer files; a form of cloud computing
Q8: How Should Organizations Respond to Security Incidents?
How Does the Knowledge in This Chapter Help You?
• Be aware of threats to computer security as an individual, business professional, and employee
• Know the trade-offs between loss risks and the cost of safeguards
• Know ways to protect your computing devices and data
• Understand technical, data, and human safeguards
• Understand how organizations should respond to security incidents