IT Security and Privacy
A Presentation for MIS 5800
By: Chad Keeven, Brian Ledford, Hai Lin, Komsun Santiwiwatkul
IT Security & Privacy
1
Session Overview
• Costs of IT Security
• IT Threats – Man-made and Natural
• Role of CSO
• IT Behavior and Access
• Case Study
• Disaster and Recovery
• Conclusions
Why should senior management focus on IT security?

“…Those that have invested in IT security staff get more return on their investment via reduced security breaches and increased concordance among CEOs and other officers on the need for security investments.”
http://www2.cio.com/research/surveyreport.cfm?id=6, viewed on November 26th, 2006
How much do companies spend on IT security?

Companies spend, on average, 36% of their security budget on technology and 7%–8% of their overall IT budget on security (N=276).
http://www2.cio.com/research/surveyreport.cfm?id=6, viewed on November 26th, 2006
Cost of Attacks

While the majority (84%) of survey respondents reported incidents (defined as security breaches or crimes, including viruses and hoaxes, that resulted in damage or loss) in the past 12 months, fewer than half (38%) of the IT professionals surveyed could quantify the damages. (N=276)
http://www2.cio.com/research/surveyreport.cfm?id=6, viewed on November 26th, 2006
“The proliferation in the use of computer and communications technologies over approximately the last 20 years has resulted in significant changes in the types of threats that are posed to the information environment that we have come to rely on. The way in which the threats that are posed to an information environment are measured has not advanced at the same rate as the technology has developed and as a result, has not yet transitioned from being an art to science.”
- Andy Jones, “Identification of the method for the calculation of the capability of threat agent in an information environment”
Kovacich, Gerald L., Information Systems Security Officer’s Guide: Butterworth Heinemann, 2003.
Threats and Vulnerabilities

Today's world of information systems leaves us vulnerable to a plethora of threats:
• Natural threats
• Man-made threats
Vulnerabilities are weaknesses that allow specific threats to cause adverse effects: anything that weakens the security of the systems and the information they handle.
Kovacich, Gerald L., Information Systems Security Officer’s Guide: Butterworth Heinemann, 2003.
Threat Assessment

You can look at threat assessment two ways:
• Qualitative – an “educated best guess” based on the opinions of knowledgeable others, gained through interviews, history, tests, and personal experience
• Quantitative – uses statistical sampling and mathematical computation to determine the probability of an occurrence based on historical data
Kovacich, Gerald L., Information Systems Security Officer’s Guide: Butterworth Heinemann, 2003.
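The quantitative approach above, carried through on a small incident history, as an added example that is not from the slides or from Kovacich. The incident records, the six-year observation window and the control costs are constructed for illustration; the quantities computed (annualized rate of occurrence, single loss expectancy, annualized loss expectancy) are the standard ones a quantitative assessment produces.

```python
import math
from collections import defaultdict

# Constructed incident history (hypothetical values, not taken from the slides).
# Each record: (year, threat category, direct loss in USD)
INCIDENTS = [
    (2001, "virus", 12000), (2001, "virus", 8000),
    (2002, "virus", 15000), (2002, "power outage", 30000),
    (2003, "virus", 9000),
    (2004, "phishing", 20000), (2004, "virus", 11000),
    (2005, "fire", 250000), (2005, "virus", 7000),
    (2006, "phishing", 25000),
]
OBSERVATION_YEARS = 6  # the history above covers 2001-2006 inclusive


def annualized_rates(incidents, years):
    """Per threat: (ARO, SLE, ALE).

    ARO = annualized rate of occurrence (incidents per year),
    SLE = single loss expectancy (mean loss per incident),
    ALE = ARO * SLE, the expected loss per year from this threat.
    """
    counts = defaultdict(int)
    losses = defaultdict(float)
    for _, threat, loss in incidents:
        counts[threat] += 1
        losses[threat] += loss
    rates = {}
    for threat, n in counts.items():
        aro = n / years
        sle = losses[threat] / n
        rates[threat] = (aro, sle, aro * sle)
    return rates


def probability_of_at_least_one(aro):
    """Chance of one or more incidents next year, treating arrivals as Poisson
    with mean `aro`: P(N >= 1) = 1 - exp(-aro)."""
    return 1.0 - math.exp(-aro)


def rank_threats(rates):
    """Threat names ordered by expected annual loss, largest first."""
    return sorted(rates, key=lambda t: rates[t][2], reverse=True)


def control_is_worthwhile(ale_before, ale_after, annual_control_cost):
    """A control pays for itself when the ALE it removes exceeds what it costs."""
    return (ale_before - ale_after) > annual_control_cost


if __name__ == "__main__":
    rates = annualized_rates(INCIDENTS, OBSERVATION_YEARS)
    for threat in rank_threats(rates):
        aro, sle, ale = rates[threat]
        print(f"{threat:13s} ARO={aro:.2f}/yr  SLE=${sle:,.0f}  ALE=${ale:,.0f}  "
              f"P(>=1 next year)={probability_of_at_least_one(aro):.0%}")
```

With this data the rare fire outranks the yearly virus outbreaks on expected loss, which is the point of doing the arithmetic rather than ranking by how often something is noticed. The caveat is the one in the Jones quote above: a six-year sample of one organization is thin evidence, so the numbers guide priorities rather than settle them.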
Natural Threats

Sometimes thought of as “Acts of God,” these problems are random and often thought of as things that cannot be prepared for.
• Fire
• Hurricane
• Earthquake
• Typhoon
• Accidents
Kovacich, Gerald L., Information Systems Security Officer’s Guide: Butterworth Heinemann, 2003.
Can We Prepare for These?
Fire
• Paper data backed up and stored offsite?
• Servers in a fire-retardant room?
• Escape plans for employees?
Earthquake
• Building built properly?
• Data on computers backed up off-site?
• Servers stored in a safe location?
Can We Prepare for These?
• Hurricane?
• Typhoon?
• Accidents?
What are your solutions?
Man-made: what kinds of IT security threats can happen?
• Hackers, spam, and phishing
• Credit card fraud and identity theft
• Terrorism
HACKER

A hacker is someone who creates and modifies computer software and computer hardware, including computer programming, administration, and security-related items. In the incidents below the word is used in its popular sense of someone who breaks into systems.
• August 2006: AT&T computer systems were hacked, and the credit-card numbers and other personal information of about 18,000 to 19,000 customers were stolen.1
• June 2006: the Navy announced that personal data on 28,000 sailors and family members had been found on a civilian web site.2
http://en.wikipedia.org/ viewed November 4, 2006
1 AT&T Discloses Online Theft by Hackers. Wall Street Journal (Eastern edition). New York, N.Y.: Aug 30, 2006. pg. B.2
2 Hack at USDA puts 26,000 at risk. Federal Computer Week; Jun 26, 2006. Vol. 20, Iss. 21; pg. 11, 1 pg
SPAMMING

Spamming is the abuse of electronic messaging systems to send unsolicited, undesired bulk messages.
Source: http://en.wikipedia.org/ viewed November 4, 2006
PHISHING

Phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication.
Source: http://en.wikipedia.org/ viewed November 4, 2006
FROM THE DESK OF MR. HASSAN YERIMA,
EXECUTIVE DIRECTOR,
FOREIGN OPERATIONS DEPARTMENT,
CENTRAL BANK OF NIGERIA,
GARIKI ABUJA
TELL : 234-803-7105651.
IMMEDIATE Release of your contract payment of US$18 million with
contract number #:MAV/NNPC/FGN/MIN/2003.
ATTENTION : THE HONOURABLE CONTRACTOR,
Sir,
From the records of outstanding contractors due for payment with the Federal government of Nigeria, your name
was discovered as next on the list the outstanding contractors who have not received their payment.
I wish to inform you that your payment is being processed and will be released to you as soon as you respond to
this letter. Also note that from the record in my file your outstanding contract payment is US$18,000,000.00 million dollars
(Eighteen million united states dollars) only.
Please re-confirm to me if this is inline with what you have in your record
and also re-confirm to me the following :
1) Your full name and address
2) Phone, fax and mobile #.
3) Company's name, position and address.
4) Profession, age and marital status.
As soon as this information is received, your payment will be made to you by Telegraphic Wire Transfer (KTT) or
Certified Bank Draft from central bank of Nigeria call me on my direct number as soon as you receive this letter for more details.
Thanks,
MR. HASSAN YERIMA.,
EXECUTIVE DIRECTOR,
FOREIGN OPERATIONS DEPARTMENT,
CENTRAL BANK OF NIGERIA
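The advance-fee letter above has the traits the phishing definition names: a request for sensitive details, a lure, pressure to respond, and a sender posing as an institution. The following heuristic scorer, an added example that is not from the slides or from any mail-filtering product, turns those traits into checks and runs them over two constructed messages (a cut-down imitation of the letter and a routine office mail). The sample text, the `.example` domains, the placeholder phone number and the thresholds are all assumptions made for the illustration.

```python
import re

# Constructed sample messages (not real mail; domains use reserved .example names).
# The first mimics the advance-fee letter reproduced on the slide.
SCAM_SAMPLE = """From: Executive Director <director@cenbank-foreign-ops.example>
Reply-To: director.payments@freemail.example
Subject: IMMEDIATE RELEASE OF YOUR CONTRACT PAYMENT

Sir,
From the records of outstanding contractors, your payment of US$18,000,000.00
is being processed. Please re-confirm your full name and address, phone, fax
and mobile number, and call me on my direct number 000-000-0000000 as soon as
you receive this letter.
"""

BENIGN_SAMPLE = """From: HR Team <hr@corp.example>
Subject: March timesheet reminder

Hi team, please submit your timesheets in the portal by Friday. Thanks!
"""

# Indicators drawn from the phishing definition on the slide: a request for
# sensitive details, a lure, pressure to act, and a masquerading sender.
PERSONAL_INFO = re.compile(
    r"\b(full name|address|phone|fax|bank account|password|credit card|marital status)\b", re.I)
MONEY_LURE = re.compile(r"(?:US\$|\$)\s?\d[\d,]*(?:\.\d+)?\s*(?:million|billion)?", re.I)
URGENCY = re.compile(r"\b(immediate(?:ly)?|urgent|as soon as|within \d+ (?:hours|days))\b", re.I)
PHONE = re.compile(r"\b\d{3}[-\s]\d{3}[-\s]\d{4,7}\b")


def parse_message(raw):
    """Split an RFC-822-style text into a header dict and the body."""
    header_text, _, body = raw.partition("\n\n")
    headers = {}
    for line in header_text.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def domain_of(address):
    match = re.search(r"@([\w.-]+)", address)
    return match.group(1).lower() if match else ""


def score_message(raw):
    """Return (score, reasons); each matched indicator adds one point."""
    headers, body = parse_message(raw)
    reasons = []
    if PERSONAL_INFO.search(body):
        reasons.append("asks for personal or financial details")
    if MONEY_LURE.search(body):
        reasons.append("dangles a large sum of money")
    if URGENCY.search(body):
        reasons.append("pressures the reader to act at once")
    if PHONE.search(body):
        reasons.append("steers contact to a phone number outside the mail system")
    from_domain = domain_of(headers.get("from", ""))
    reply_domain = domain_of(headers.get("reply-to", ""))
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    letters = [c for c in headers.get("subject", "") if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.7:
        reasons.append("subject line is mostly capitals")
    return len(reasons), reasons


if __name__ == "__main__":
    for label, msg in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, reasons = score_message(msg)
        print(f"{label}: score {score}", *reasons, sep="\n  ")
```

Keyword heuristics like these catch the crude mass-mailed lure; a targeted message written for one recipient will avoid most of them, which is why the behavioral advice later in the deck (never supply credentials or account details in reply to a mail) matters more than any filter.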
Recent study by Symantec
• Phishing attacks skyrocketed 260% in the 2nd half of 2004
• Virus and worm attacks jumped more than 300% (financial institutions were the number-one target)
• 47% of 229 mid-size and large companies were hit by worms (Mazu Networks)
Symantec conducts the surveys using its "Global Intelligence Network," which consists of more than 40,000 sensors monitoring activity on computers in over 180 countries. The firm also gathers data from over 120 million computer systems that use Symantec's anti-virus products.
Corporate Cyber Attacks on the Rise. Information Management Journal: Jul/Aug 2005, Vol. 39, Iss. 4
Identity Theft
Identity Theft
• The fastest-growing crime in the United States1
• 13.3 persons per minute1
• 799 per hour1
• 19,178 per day1
• Victims spent between 15 and 60 hours resolving their problems.
1 Identity theft toolkit. Vinita M. Ramaswamy. The CPA Journal. New York: Oct 2006. Vol. 76, Iss. 10; pg. 66, 5 pgs
Charts (two slides): Consumer Fraud and Identity Theft Complaint Data January–December 2005, Federal Trade Commission. http://www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf
Cost of Identity Theft per year
• Victims: 9.3 million
• Loss to businesses: $52.6 billion
• Loss to individual victims: $5 billion
• Hours victims spent resolving their problems: 297 million
1 Identity theft toolkit. Vinita M. Ramaswamy. The CPA Journal. New York: Oct 2006. Vol. 76, Iss. 10; pg. 66, 5 pgs
Terrorism

“Bin Laden's operatives use encrypted e-mail to communicate, and . . . the hijackers did as well" (Behar, R. (2001, October 15). Fear along the fire wall. Fortune, 144(7), 145-148.)

"Terrorist watchers suspect al-Qaeda may be hiding its plans on online pornographic sites because there are so many of them, and they're the last place fundamentalist Muslims would be expected to go" (Cohen, A. (2001, November 12). When terror hides online. Time, 158(21), p. 65)
Cybercrime in the United States Criminal Justice System: Cryptography and Steganography as tools of Terrorism. Andrew Schmurr, William Crawley; Journal of security administration; Dec 2003; 26, 2; ABI/INFORM GLOBAL
Terrorism

Cryptography
A code, in the cryptographic sense, is the replacement of a unit of plaintext (i.e., a meaningful word or phrase) with a code word (for example, "apple pie" replaces "attack at dawn"); a cipher, by contrast, transforms the individual letters or bits of the message.
The Ancient Greek scytale, probably much like this modern reconstruction, may have been one of the earliest devices used to implement a cipher.
Source: http://en.wikipedia.org/ viewed November 4, 2006
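The scytale mentioned above is a transposition cipher: the strip is wound around a rod, the message is written along the rod, and unwinding the strip scrambles the letter order. The rod's circumference (letters per turn) is the only key. The implementation below is an added example, not from the slide's source; it models the rod as a columnar transposition and adds the check a practitioner would want, a brute-force over every possible rod size, which shows why a transposition with so small a key space gives no real secrecy. The padding letter and the crib word are assumptions.

```python
# Added example: a scytale as a columnar transposition with the rod's
# circumference (letters per turn) as the key. Not from the slide's source.
PAD = "X"


def scytale_encrypt(plaintext, diameter):
    """Write the message in rows of `diameter` letters along the strip,
    then read it off by columns (unwinding the strip)."""
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    text += PAD * ((-len(text)) % diameter)          # fill the last turn
    rows = [text[i:i + diameter] for i in range(0, len(text), diameter)]
    return "".join(row[col] for col in range(diameter) for row in rows)


def scytale_decrypt(ciphertext, diameter):
    """Rewind the strip on a rod of the same diameter and read along it."""
    if diameter < 1 or len(ciphertext) % diameter:
        raise ValueError("ciphertext length must be a multiple of the diameter")
    turns = len(ciphertext) // diameter
    cols = [ciphertext[i:i + turns] for i in range(0, len(ciphertext), turns)]
    return "".join(col[row] for row in range(turns) for col in cols)


def brute_force(ciphertext, crib):
    """Every rod diameter that yields a plaintext containing `crib`.
    The key space is at most len(ciphertext) values, so the cipher offers
    no real secrecy against a reader who simply tries them all."""
    hits = []
    for diameter in range(2, len(ciphertext)):
        if len(ciphertext) % diameter == 0:
            if crib in scytale_decrypt(ciphertext, diameter):
                hits.append(diameter)
    return hits


if __name__ == "__main__":
    ct = scytale_encrypt("attack at dawn", 4)
    print(ct, scytale_decrypt(ct, 4), brute_force(ct, "DAWN"))
```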
Terrorism

Steganography
The art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message.
Images: an image of a tree, and the image extracted from it. By removing all but the last 2 bits of each color component, an almost completely black image results; making the resulting image 85 times brighter reveals the hidden image.
Source: http://en.wikipedia.org/ viewed November 4, 2006
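The tree image described above is least-significant-bit steganography: the hidden data lives in the two low bits of every color component, where changing them alters each value by at most 3 out of 255. The code below, an added example rather than the slide's or Wikipedia's, embeds and extracts a message that way on a constructed 8x8 gradient standing in for the cover image, and implements the forensic trick the caption describes (keep only the low bits, multiply by 85). The 2-byte length prefix and the gradient are assumptions; no image library is used, so pixels are plain (R, G, B) tuples.

```python
BITS_PER_CHANNEL = 2          # the slide keeps the last 2 bits of each component
MASK = (1 << BITS_PER_CHANNEL) - 1
BRIGHTEN = 255 // MASK        # 85 for two bits, the factor quoted on the slide

# Constructed 8x8 cover "image": a smooth gradient of (R, G, B) tuples, 0-255.
COVER = [((x * 32) % 256, (y * 32) % 256, ((x + y) * 16) % 256)
         for y in range(8) for x in range(8)]


def _to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def _from_bits(bits):
    return bytes(sum(b << (7 - i) for i, b in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


def embed(pixels, message):
    """Hide `message` (bytes) in the low bits of each colour component.
    A 2-byte length prefix lets extract() know where the payload ends."""
    payload = len(message).to_bytes(2, "big") + message
    bits = _to_bits(payload)
    capacity = len(pixels) * 3 * BITS_PER_CHANNEL
    if len(bits) > capacity:
        raise ValueError(f"message needs {len(bits)} bits, cover holds {capacity}")
    bits += [0] * ((-len(bits)) % BITS_PER_CHANNEL)
    out, pos = [], 0
    for px in pixels:
        channels = []
        for value in px:
            if pos < len(bits):
                chunk = 0
                for b in bits[pos:pos + BITS_PER_CHANNEL]:
                    chunk = (chunk << 1) | b
                value = (value & ~MASK) | chunk   # overwrite only the low bits
                pos += BITS_PER_CHANNEL
            channels.append(value)
        out.append(tuple(channels))
    return out


def extract(pixels):
    """Recover the hidden bytes from a stego image produced by embed()."""
    bits = []
    for px in pixels:
        for value in px:
            chunk = value & MASK
            bits.extend((chunk >> i) & 1 for i in range(BITS_PER_CHANNEL - 1, -1, -1))
    length = int.from_bytes(_from_bits(bits[:16]), "big")
    if 16 + 8 * length > len(bits):
        raise ValueError("length prefix exceeds cover capacity; no valid payload")
    return _from_bits(bits[16:16 + 8 * length])


def reveal(pixels):
    """The slide's forensic view: keep only the low bits of each component and
    scale them up so the hidden data becomes visible to the eye."""
    return [tuple((value & MASK) * BRIGHTEN for value in px) for px in pixels]


if __name__ == "__main__":
    stego = embed(COVER, b"attack at dawn")
    print(extract(stego), reveal(stego)[:4])
```

The detection side is the part worth remembering: on a natural photograph the low bits look like noise, so a reviewer who isolates and brightens them sees static, whereas structured content (text, another image) stands out immediately, exactly as the slide's extracted tree does.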
ROLE OF CSO
CSO Job Descriptions
• Oversee a network of security directors and vendors who safeguard the company's assets, intellectual property, and computer systems, along with the physical safety of employees and visitors
• Identify protection goals, objectives, and metrics consistent with corporate strategic plans
• Manage the development and implementation of global security policy, standards, guidelines, and procedures to ensure ongoing maintenance of security
Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.
CSO Job Descriptions (cont.)
• Maintain relationships with local, state, and federal law enforcement and other related government agencies
• Oversee incident response planning as well as the investigation of security breaches
• Work with outside consultants as appropriate for independent security audits
Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.
The role of the CSO within organizations
• 75% of all organizations have some form of integration between physical security and computer security
  • This is up from 53% in 2005 and 29% in 2003
• 40% have the same executive overseeing computer and physical security
  • This is up from 31% in 2005 and 11% in 2003
Vara, Vauhini, Technology (A Special Report); Intruder Alerts: Physical security and information security have a lot in common; But melding the two isn’t always smooth: Wall Street Journal (Eastern edition). New York, October 23, 2006, pp. R. 10
CSO Background
CSOs come from an Information Systems background 63% of the time.
Chart: CSO background by share of respondents (0–35% scale): Audit, Business Operations, Law Enforcement, Military, Corporate Security.
Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.
CSO Qualifications
• An intelligent, articulate and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security-related concepts to a broad range of technical and non-technical staff
• Experience with business continuity planning, auditing and risk management, as well as contract and vendor negotiation
• Strong working knowledge of pertinent law and the law enforcement community
• A solid understanding of information technology and information security
Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.
How many CSOs are there?
• Last year, 16 percent of companies surveyed had created a CISO position while 15 percent had a CSO position.
• This year’s study finds that 20 percent currently employ a CISO and an additional 20 percent have a CSO.
• N = 8,200 from 63 countries
The State of Information Security, 2005, Part Two, CSO research reports, http://www.csoonline.com/csoresearch/report95.html, viewed November 26th, 2006.
IT Security: Behavior & Access
POP QUIZ
IT Security: Behavior & Access
• How many passwords do you have for work?
• How many passwords do you have for your personal business?
• How many of you have passwords written down?
• How many of you have had passwords stolen?
• How many of you know someone else’s passwords (ATM, log-ins, etc.)?
IT Security: Behavior & Access
• Easy passwords are easy to guess or crack
• Written-down passwords defeat the purpose of having a password
• Weak passwords and careless security behaviors are a clear and present danger to your office and your accounts.
IT Security: Behavior & Access
• Strong passwords are a must
• New UMSL requirements:*
Strong Passwords
For security reasons, you must choose a strong password that meets the following requirements.
1. Your password must be 8 or more characters long.
2. Your password must contain at least three out of four of the following categories of characters:
• Uppercase letters (A-Z)
• Lowercase letters (a-z)
• Digits (0-9)
• The following symbols/punctuation: ? . , ! _ - ~ $ % + =
*UMSL My Gateway website https://sso.umsl.edu/perl/reset_pass.pl
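The UMSL rule set above is a composition policy, and it is worth seeing exactly what such a policy does and does not reject. The checker below is an added example, not UMSL's own code; it encodes the two rules as quoted (8+ characters, three of the four categories, with the symbol category limited to the listed punctuation) and then adds the two checks the policy alone misses: a lookup against a common-password list and a crude entropy bound. The common-password list and the entropy formula are assumptions made for the illustration.

```python
import math
import string

# The UMSL rule set quoted on the slide: 8+ characters, at least three of the
# four character categories below.
MIN_LENGTH = 8
ALLOWED_SYMBOLS = set("?.,!_-~$%+=")
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": ALLOWED_SYMBOLS,
}

# Constructed short list standing in for a real breached-password dictionary.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein1", "qwerty123"}


def check_policy(password):
    """Return (passes, problems) against the slide's two rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, chars in CATEGORIES.items()
               if any(c in chars for c in password)]
    if len(present) < 3:
        problems.append(f"only {len(present)} of 4 character categories "
                        f"({', '.join(present) or 'none'})")
    return not problems, problems


def estimate_bits(password):
    """Crude upper bound on guessing difficulty: log2(alphabet ** length), where
    the alphabet is the union of the categories actually used. Real attackers do
    better than brute force, so treat this as optimistic."""
    alphabet = sum(len(chars) for chars in CATEGORIES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def assess(password):
    """Policy verdict plus the checks the policy misses: a dictionary hit and
    the entropy bound."""
    passes, problems = check_policy(password)
    if password.lower() in COMMON_PASSWORDS:
        passes = False
        problems.append("appears in the common-password list")
    return {"passes": passes, "problems": problems,
            "bits": round(estimate_bits(password), 1)}


if __name__ == "__main__":
    for pw in ("Password1", "password", "Short1!", "correct-horse-battery-staple"):
        print(pw, assess(pw))
```

Running it shows the trade-off: "Password1" satisfies every rule on the slide yet sits in any breached-password list, while a long lowercase passphrase with hyphens fails the category rule despite a far larger search space. Composition rules are a floor, not a measure of strength; the dictionary check and length are what actually resist guessing.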
IT Security: Behavior & Access
Some companies are utilizing stronger measures for passwords and log-ins:
IT Security: Behavior & Access
Trusted Platform Module (TPM)
• A security chip on the device that stores cryptographic keys in hardware rather than on disk
• Credential-management software can use those keys to protect a user's stored passwords, so one password (or PIN) unlocks all protected sites
• Eliminates the need to remember or write down dozens of passwords: users need only one, which then becomes the single secret that must be protected
IT Security: Behavior & Access
Biometrics
• Predicted to become the security standard
• Fingerprint access: commonly appearing on phones, laptops, and PDAs
• Optical scan: rare; for high security
• Voice recognition: constantly improving
• Facial recognition: limited use
IT Security: Threats & Remedies
POP QUIZ
IT Security: Threats & Remedies
• How many of your employers restrict downloads?
• How many of your employers disable or remove USB ports on your PC or laptop?
• How many have been affected at work or home by a virus? What was the extent of the damage?
IT Security: Threats & Remedies
Threats to Information Systems
• Hacks
• Denial of Service attacks
• Viruses
• Inadvertent and intentional sabotage by authorized users
IT Security: Threats & Remedies
Remedies
• Virus protection
• Strong passwords
• Active countermeasures and monitoring
• Limited user access to systems and hardware
• Others?
IT Security: Hardware & Software
Telecommuting
• Rising in popularity: 23.5 million currently; 40 million+ by 2010*
• How do you secure your company’s systems with outside users?
* Int’l Telework Association & Council, July 2006
IT Security: Hardware & Software
Virtual Private Network (VPN)
• Secure channel established through the Internet
• Traffic is encrypted between the remote machine and the company network
• Enables remote users to securely access their desktop at work
IT Security: Case Study
Diversified Financial Services, LLC
• Underwriter of commercial and agricultural equipment loans and leases
• $300M in volume; income not disclosed (privately owned)
• 100 employees in St. Louis and Omaha; 20 remote users
IT Security: Procedures
Security is imperative because the firm handles:
• Personal credit bureau reports
• Financial statements
• Credit applications with account numbers
• Data covered by banking and commercial lending laws
IT Security: Procedures
• All remote users must be approved by a Vice President
• Approvals are forwarded to the Chief Operating Officer
• VPN information and setups are given to the employee by the network administrator
• The same passwords and logins are used remotely as in the office
IT Security: Procedures
Other Security Measures:
• Tough password standards; changed monthly
• USB ports disabled
• Network administrator limits access
• No downloads permitted; emailed documents scanned and macros disabled prior to opening
• Virus and network protection
After Disaster Strikes
The Federal Emergency Management Agency (FEMA) states that
• Between 1976 and 2001, a total of 906 major disasters were declared in the United States.
• Of all the businesses damaged by Hurricane Andrew in 1992, 80 percent of those lacking a business continuity plan (BCP) failed within two years of the storm.
A study by Data Pro Research Company found that
• 43 percent of companies hit by severe crises never reopen
• another 29 percent fail within two years.
Virginia Cerullo and Michael J. Cerullo, “Business Continuity Planning: A Comprehensive Approach”, www.ism-journal.com, Summer 2004
What happened in Katrina
• The 2005 hurricane season emerged as the busiest ever recorded. A total of 23 named storms had formed by early November, causing 11 federal disaster declarations. The most storms ever recorded prior to 2005 was 21, in 1933.
• Loss: total damage estimates now place Katrina as the costliest natural disaster to occur in the United States, with an estimated $40 billion in insurance losses.
Janette Ballman, “2005 Hurricane Season: A Recap of the Devastating, Record-Breaking Season”, www.drj.com
Business Continuity Planning vs. Disaster Recovery Management
• Business continuity is all about planning ways to keep the doors open while minimizing the impact of disruptions on customers and business operations.
• Disaster Recovery Management is the series of steps taken to restore the business once a problem occurs.
• Disaster Recovery is a subset of Business Continuity Planning.
John Wylder, “Strategic Information Security”, P153
Types of outages
Natural disasters
• Floods
• Earthquakes
• Fire
• Weather events: tornados, hurricanes, ice, hail & wind
• Landslides, avalanches & other earth movements
Man-made disasters
• Sabotage of property, computer systems, and information
• Terrorist acts
• Strikes
• Protests and other forms of civil unrest
• Denial-of-service attacks on computer networks
• Viruses, worms, and other computer beasts
Subset of natural disasters and man-made events
• Infrastructure failures (utility outages, power outages, etc.)
• Communications failures
• Transportation outages
John Wylder, “Strategic Information Security”, P153
Virginia Cerullo and Michael J. Cerullo, “Business Continuity Planning: A Comprehensive Approach”
Chart: CPM/KPMG Business Continuity Benchmark Survey, based on 624 respondents
Causes of Unavailability
Chart: Causes for Unavailability of Critical Business Systems (Source: Ernst & Young, Global Information Security Survey, 2002)
Virginia Cerullo and Michael J. Cerullo, “Business Continuity Planning: A Comprehensive Approach”, www.ism-journal.com, Summer 2004
Cost of Outage
Published estimates of the costs of systems downtime for company Web sites include the following:
• Downtime is costing major Internet players an estimated $8,000 per hour (Forrester Research).
• Downtime costs $1,400 per minute on average (Oracle).
• Typical medium-sized business downtime costs average $78,000 per hour; these sites typically lose more than $1 million annually due to downtime (IDC).
Chart: Average Hourly Effect on Businesses of Web Site Downtime
Virginia Cerullo and Michael J. Cerullo, “Business Continuity Planning: A Comprehensive Approach”, www.ism-journal.com, Summer 2004
Steps To Develop A Plan
• Acquire executive support
• Select a process owner
• Assemble a cross-functional team
• Conduct a business impact analysis
• Identify and prioritize requirements
• Assess possible business continuity strategies
Rich Schiesser, “IT Systems Management”, P300-306
Steps To Develop A Plan (cont.)
• Develop a request for proposal for outside services
• Evaluate proposals and select the best offering
• Choose participants and clarify their roles on the recovery team
• Document the disaster recovery plan
• Plan and execute regularly scheduled tests of the plan
• Conduct a lessons-learned postmortem after each test
• Continually maintain, update, and improve the plan
Rich Schiesser, “IT Systems Management”, P300-306
Roles and Responsibility
Quiz: Who should be the executive sponsor? CFO, CTO or the Head of Internal Audit?
Roles and Responsibility
Executive sponsor
CTO
• Pro: responsible for critical IT resources
• Con: not responsible for operational resources or for buildings and facilities
• Usually places emphasis on the protection of technology-based assets
Head of internal audit
• Lacks credibility to make decisions about operational issues or non-financial risk management issues
CFO
• Chooses alternatives such as insurance
• Judges the impact of an outage on the financial viability of the business, which is a key part of the Business Impact Analysis
• Assesses regulatory issues and their effect on risk management
• Assesses cost issues and recommends budget and cost guidelines
John Wylder, “Strategic Information Security”, P159-160
Roles and Responsibility
Teams:
Recovery management team
• Execute the disaster recovery plan
• Get the critical functions of the business restored as soon as possible
Salvage team
• Decide what can be salvaged and what needs to be replaced
Operational team
• The people who run things until the business returns to normal
• Usually a subset of the team that runs the same functions under normal circumstances
Communication team
• Design the means of communicating information to employees, customers, and the public in general
Quiz: emergency contact phone list
John Wylder, “Strategic Information Security”, P160-161
Integration of the BCP
Chart: Integration of the BCP (Source: 2002 CPM/KPMG Business Continuity Benchmark Survey, Witter Publishing Corporation, 2002)
The Ernst & Young Survey 2002 found that only 29 percent of responding firms treated BCPs as a business unit expenditure, and 45 percent said it was within the IT budget.
Virginia Cerullo and Michael J. Cerullo, “Business Continuity Planning: A Comprehensive Approach”, www.ism-journal.com, Summer 2004
The Cost
• Increased dependence on e-business would also increase the need for spending on disaster recovery to reduce the risk of short-term interruptions; these costs are estimated to be from an average of 3 percent to 7 percent of data center budgets.
• Tradeoff of cost and service level
A case study……
Virginia Cerullo and Michael J. Cerullo, “Business Continuity Planning: A Comprehensive Approach”, www.ism-journal.com, Summer 2004
Case Study
Company description
• A global power leader that designs, manufactures, sells and services engines and related technology around the world
• Revenues: $9.9 billion
• Employees: 33,500 worldwide
Chart: Structure
Case Study
• Spending on business continuity infrastructure to date is $2.5 million, most of it on data storage and redundant links.
• Data backup: synchronous infrastructure vs. asynchronous infrastructure
  • Synchronous: each record is sent to the recovery site as it is written, and the write is complete only once the copy is there
  • Asynchronous: records are sent in batches of about a dozen, so the copy lags the primary site
  • Cost: synchronous costs 3–4 times as much as asynchronous
• Chargeback system: the daily operating cost is recovered through a chargeback system
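The synchronous-versus-asynchronous choice above is a trade between cost and the amount of data a disaster can take with it. The simulation below is an added example, not the case-study company's system: a toy primary site ships records to a recovery site in each mode, the primary then crashes, and the result shows how many acknowledged records never reached the copy. The dozen-record batch is the figure from the slide; the record names, the crash point and the use of network round trips as a cost proxy are assumptions.

```python
# Added example (not the case-study company's system): a toy primary site
# replicating records to a DR site, crashed after `n_writes`, to show what the
# two strategies on the slide leave behind. The dozen-record batch is the
# slide's figure; everything else is constructed.
BATCH_SIZE = 12


def simulate(n_writes, mode, batch_size=BATCH_SIZE):
    acked = []        # records the application was told are safe
    replica = []      # records that reached the DR site
    pending = []      # async only: buffered on the primary, not yet shipped
    round_trips = 0   # network exchanges with the DR site (a cost proxy)
    for i in range(1, n_writes + 1):
        record = f"rec{i:04d}"
        if mode == "sync":
            replica.append(record)        # ship first...
            round_trips += 1
            acked.append(record)          # ...acknowledge only once it is there
        elif mode == "async":
            acked.append(record)          # acknowledge immediately
            pending.append(record)
            if len(pending) == batch_size:
                replica.extend(pending)   # ship a full batch
                pending.clear()
                round_trips += 1
        else:
            raise ValueError(f"unknown mode {mode!r}")
    # The primary crashes here. Anything still in `pending` dies with it.
    on_replica = set(replica)
    lost = [r for r in acked if r not in on_replica]
    return {
        "acked": len(acked),
        "replicated": len(replica),
        "lost": len(lost),          # the recovery point actually achieved
        "round_trips": round_trips,
    }


if __name__ == "__main__":
    for mode in ("sync", "async"):
        print(mode, simulate(50, mode))
```

Synchronous mode never loses an acknowledged record but pays one round trip per write, which is where the 3–4x cost on the slide comes from; asynchronous mode pays one round trip per batch and loses up to a batch of records on a crash. The business impact analysis earlier in the deck is what decides whether that loss window is acceptable for a given system.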
Business Continuity Summary
• A comprehensive BCP will dramatically increase a company’s defenses and reduce the impact of any business interruption
• A BCP needs executive support
Reference:
Business Continuity Planning: A Comprehensive Approach, Virginia Cerullo and Michael J. Cerullo, www.ism-journal.com, Summer 2004
What does it mean?
There’s no guarantee…
• Despite the growing number of CSO/CISO positions and the implementation of security measures, the threat of attacks on a company’s data remains.
• There are no sure-fire ways to stop attacks, but the better prepared you are, the less damaging they can be.
• Remember, it’s an art, not a science!