Management of information systems - security challenges
MBA 501 WEEK 7

This week: continuing our look at management issues
• Last week we looked at the operational issue of outsourcing
• This week we will look at another operational issue: that of managing security
• Both of these areas reflect the change in focus of the IS function
  – From managing inwards, to managing outwards
• WHY? WHAT HAS HAPPENED?

Why is security an important management issue?
• Information is a key business asset
  – It needs to be accessible to all who need it
  – It needs to be protected
• Managers need to develop and implement an overall strategy for security
• Managers need to understand the threats
• Managers need to understand specific techniques for protecting systems
• Particularly important as organizations move into eBusiness and open their systems up to outsiders
• Goal is to reduce business risk to an acceptable level (not to eliminate it)
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall

Management issues re security
• Business consequences of poor security can be very serious
  – Damage to IT infrastructure through threats and attacks from outside
  – Loss of data, exposure of customers' private information, loss of profits, loss of opportunity, damaged reputation
  – Consumer impacts (credit cards exposed, viruses, malware, spyware etc.)
• "Chill" effect on eBusiness, on both the buy side and the sell side (B2C)
• Security issues have a high profile in the media

Identifying and managing risk
• Airtight security is not possible
• Risks must be identified and prioritized (in terms of the business context)
• Then resources must be put into guarding against the most serious threats
  – What does "serious" mean? Most likely to happen, or greatest business impact? In practice both: rank threats by likelihood and impact together

Key security issues for both customers and managers
• Organizations must guard their own data and their customers' data, and create a secure and predictable environment for commercial exchange: they must create TRUST
• Basic pillars of security: "PAIN"
  – Privacy (and confidentiality)
  – Authentication and Authorization (identification)
  – Integrity
  – Non-repudiation

PAIN: Privacy and Confidentiality
• One of the major concerns that customers have about eBusiness: the Internet is a public space
• Firms need to ensure that information that is private or sensitive is kept secure and not used for any purpose other than that agreed to, e.g.
  – credit card numbers
  – trade secrets / proprietary information
  – business plans
  – health records
• Confidentiality during transactions is usually ensured by encryption (e.g. TLS for data in transit)

PAIN: Authentication
• When someone submits something to your website, how can you be sure that they are who they claim to be? e.g.
  – using credit cards
  – making a contract or application
  – registering for an email newsletter
• Authentication is the process by which one entity verifies that another entity is who they claim to be
• Authentication requires evidence in the form of credentials, drawn from three factors: "something you know", "something you have" and "something you are" (biometrics); multi-factor authentication combines two or more of these, e.g.
  – username and password (something you know)
  – two-factor authentication (Gmail example: password plus a one-time code)
  – credit card: match the exact billing name and address
  – digital signatures and digital certificates (something you have)

PAIN: Authorization
• Once a person has been authenticated, we need to be satisfied that she is authorized to access or do certain things on our site
• Does the person (or program) have the right to access particular data, programs, or system resources? (Particularly important when protecting a server from hackers)
• Authorization is usually determined by comparing information about the person or program (identity, role, group) with the access control information associated with the resource being accessed (permissions)
• Authentication and authorization are separate checks: a valid login establishes who the user is, not what they may do

PAIN: Integrity
• Integrity is the ability to prevent data from being altered or destroyed in an unauthorized or accidental manner, or at least to detect when it has been. This could include
  – hacking to deface a website
  – altering data held on your website or database
  – intercepting and modifying data in transit (a "man in the middle")
• The parties to a transaction must be assured that all data and documents connected with it cannot be altered without detection

PAIN: Non-repudiation
• The ability to ensure that neither side in a transaction can later claim that they, for instance
  – didn't order something using a credit card
  – or didn't accept an order or offer for something
• Non-repudiation ensures that neither side can back out of a transaction by claiming it never took place
  – A particular problem with credit cards (chargebacks on "I never ordered this")
  – Verified by Visa (the cardholder authenticates with the issuing bank at checkout)
• Non-repudiation is also achieved by using digital signatures, which make it difficult to claim that you weren't involved in an exchange: only the holder of the private key could have produced the signature
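The four pillars just described, authentication, authorization, integrity and non-repudiation, reduced to working code. This is an added example, not material from the lecture or from McNurlin & Sprague; the Order type, the identities alice, bob and mallory, the acl table and the freshly generated key pair are all constructed for illustration. It uses Go's standard-library Ed25519 signatures, an instance of the "digital signatures" credential listed above:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Order is a constructed sample of a transaction a customer submits to a merchant.
type Order struct {
	Customer string
	Item     string
	Amount   int // whole currency units
}

// canonical renders the order as the exact bytes that get signed. Any change to
// any field changes these bytes, so the signature below no longer matches.
func (o Order) canonical() []byte {
	return []byte(fmt.Sprintf("customer=%s;item=%s;amount=%d", o.Customer, o.Item, o.Amount))
}

// SignOrder is what the customer's side does: sign the order with a private
// key that only the customer holds (the "something you have" credential).
func SignOrder(o Order, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, o.canonical())
}

// VerifyOrder is what the merchant does with the customer's public key.
// A true result establishes integrity (the bytes were not altered after
// signing) and gives non-repudiation evidence: nobody without the private key
// could have produced this signature, so the customer cannot credibly deny
// having placed the order. A shared-secret MAC would not do here, because the
// merchant also knows the secret and the customer could claim the merchant forged it.
func VerifyOrder(o Order, sig []byte, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, o.canonical(), sig)
}

// acl is a constructed access-control list: authenticated identity -> actions
// that identity is permitted to perform. Anyone not listed gets nothing.
var acl = map[string]map[string]bool{
	"alice": {"place_order": true, "view_order": true},
	"bob":   {"view_order": true},
}

// Authorize is the separate step that follows authentication: compare the
// identity we have established with the permissions attached to the action.
// Unknown identities and unknown actions both read as false (deny by default).
func Authorize(identity, action string) bool {
	return acl[identity][action]
}

func main() {
	// The merchant would have obtained alice's public key in advance
	// (e.g. from a certificate); here we generate the pair on the spot.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	order := Order{Customer: "alice", Item: "laptop", Amount: 1200}
	sig := SignOrder(order, priv)
	fmt.Println("signed order verifies:  ", VerifyOrder(order, sig, pub))

	// Integrity: someone edits the amount after the customer signed it.
	tampered := order
	tampered.Amount = 12
	fmt.Println("tampered order verifies:", VerifyOrder(tampered, sig, pub))

	// Authorization: authenticated identities with different permitted actions.
	fmt.Println("alice may place_order:  ", Authorize("alice", "place_order"))
	fmt.Println("bob may place_order:    ", Authorize("bob", "place_order"))
	fmt.Println("mallory may view_order: ", Authorize("mallory", "view_order"))
}
```

Two points to carry back to the slides. A signature is checked against the signer's public key, so a valid signature both authenticates the signer and proves the bytes were not altered; a keyed hash with a shared secret would give integrity but not non-repudiation, because the other party could have produced it too. And Authorize takes an identity the signature has already established and still refuses bob's attempt to place an order: knowing who someone is does not decide what they may do.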
Security for e-payments and other transactions: encryption
• The cornerstone for secure online payments and other transactions is encryption
• Messages moving across the network can be encrypted (scrambled) in such a way that it is too difficult, expensive or time consuming for an unauthorized person to unscramble them without the key
• The protocol that ensures this on the web is SSL/TLS (Transport Layer Security; SSL is the older, now deprecated version of the same protocol): an explanation from Google
• Simple explanation of digital encryption using the toolbox and key example

Management problem?
• "Airtight security is not possible because companies have to allow on-line commerce. They have to make trade-offs between absolute information security and efficient flow of information." McNurlin + Sprague
• The management challenge is that of finding the balance
• What is the reality of the threat?
  – What do you think are the most serious and high risk threats to business?

Not all threats are equal for all organizations
• "..the key components for managing a security program are the likelihood and the likely impact of an attack." CSI Computer Crime and Security Survey

What are companies worried about?
• Canadian Cyber Crime research (2013) from the International Cyber Security Protection Alliance: https://www.icspa.org/fileadmin/user_upload/Downloads/ICSPA_Canada_Cyber_Crime_Study_May_2013.pdf

What is the extent of the problem?
• Half the respondents to the CSI survey didn't experience a security incident over the course of the year, but that doesn't mean that they weren't threatened
• (Charts: 2010 CSI Computer Crime and Security Survey)

Types of direct threats and attacks: risks to infrastructure (particularly eBusiness)
• Distributed Denial of Service (DDoS) attacks
  – Wikileaks (2010)
  – 4chan attacks on anti-piracy websites (2011)
• Hacking: web site defacement
  – New York Times (1998)
• DNS hijack
  – Twitter (2009)
• Malicious code: viruses, worms, trojans etc.
  – Skype's network frozen for two days in 2007 (widely reported at the time as an attack; Skype itself attributed the outage to a bug in its software triggered by a surge of restarts after a Windows update)
  – Stuxnet (2010): attacks on nuclear facilities and other industrial control systems

Types of threats and attacks: attacks on data
• Intercepted transmissions (eavesdropping / sniffing)
• Attacks related to insecure passwords: are "strong" passwords and frequent forced changes the answer?
• Social engineering (and how to protect against it)
• Phishing

A new source of threat: BYOD
• Security lax on the part of employees (not even a lock screen is common)
• Sensitive work files stored on personal devices
• Devices on the corporate network without IT knowledge
• Fragmentation of operating systems / support cost increases
• Phone number as a piece of branding / customer connection (what happens when the employee leaves?)

BYOD Policy: security, confidentiality and privacy
• 69% of companies permit some form of BYOD
• 70% have no policy to manage the practice
• While 26% of those with no policy plan to have one in place within one year, 44% said they have no plans to enact one at all
  – IDC Canada Survey 2012
• Software is being developed to create separate "spaces" on phones for work and personal use, e.g. BlackBerry Balance

Creating a Security Policy (including BYOD)
• The CSI Survey identified that only a very small percentage of those surveyed did not have some kind of information security policy
• The policy is aimed at both educating employees and managing (and balancing) the "people risks" we have identified
• What should it address, and why?

Control strategies for managers to ensure the integrity of an IS
• Containment
• Deterrence
• Obfuscation
• Recovery
• Firms must balance these strategies to suit their business requirements

Containment
• Make the target look as unattractive as possible
  – Heavily encrypted data is less attractive
• Focus on controlling access to data resources by erecting barriers
  – Expensive and requires constant vigilance to keep ahead of attackers
• Physically remove the target system from threats
  – Isolating systems from the network
  – Distributing data across an organization or geographic area

Deterrence
• Need to understand and anticipate the motives of those who would breach security
  – Use of threats of prosecution and dismissal (internal), and well publicized barriers
• Monitoring patterns of data usage or access to resources
• Implementation of defenses or countermeasures

Obfuscation
• Involves hiding and/or distributing assets so that any damage caused can be limited
• Often entails monitoring of all an organization's activities, not just those where security threats are perceived (a broader strategy than containment or deterrence)
• Needs a good overview and frequent auditing of hardware, software and network resources
  – e.g. to identify unlicensed software loaded onto employees' machines

Recovery
• Assumes a security breach will occur, and puts in place an action plan and strategy for business recovery
• Requires extensive organizational planning
• Backup systems and redundant systems needed (often outsourced)
• Emergency planning and recovery in place

Two questions to consider
1. Reporting a cybercrime occurs less than 50% of the time. Why is this? Is this a good thing or not? What might you do to encourage a higher percentage of companies to make formal reports?
2. What is your view about the assertion that "Security is as much a human problem as a technical problem"?