Part II. Data and Network Infrastructure
Chapter 5: IT Security, Crime, Compliance, and Continuity
Copyright 2012 John Wiley & Sons, Inc. 5-1

Chapter 5 Outline
5.1 Protecting Data and Business Operations
5.2 IS Vulnerabilities and Threats
5.3 Fraud, Crimes, and Violations
5.4 Information Assurance and Risk Management
5.5 Network Security
5.6 Internal Control and Compliance
5.7 Business Continuity and Auditing

Chapter 5 Learning Objectives
• Understand the objectives, functions, and financial value of IT security.
• Recognize IS vulnerabilities, threats, attack methods, and cybercrime symptoms.
• Understand crimes committed against computers and crimes committed with computers.
• Explain key methods of defending information systems, networks, and wireless devices.
• Understand network security risks and defenses.
• Describe internal control, fraud, and fraud legislation.
• Understand business continuity and disaster recovery planning methods.

5.1 Protecting Data and Business Operations
IT security: the protection of data, systems, networks, and operations.
Technology defenses are necessary, but they are not sufficient, because protecting data and business operations also involves:
• Implementing and enforcing acceptable use policies (AUPs).
• Complying with government regulations and laws.
• Making data available 24x7 while restricting access.
• Promoting secure and legal sharing of information.

IT Security Principles

Know Your Enemy and Your Risks
IT security risks are business risks.
Threats range from high-tech exploits used to gain access to a company’s networks to non-tech tactics such as stealing laptops or items of value.
Common examples:
• Malware (malicious software): viruses, worms, Trojan horses, spyware, and disruptive or destructive programs.
• Insider error or action, either intentional or unintentional.
• Fraud.
• Fire, flood, or other natural disasters.

IT at Work 5.1: $100 Million Data Breach
May 2006: a laptop and external hard drive belonging to the U.S. Department of Veterans Affairs (VA) were stolen during a home burglary. Data on 26.5 million veterans and spouses had been stored in plaintext.
VA Secretary Jim Nicholson testified before Congress that it would cost at least $10 million just to inform veterans of the security breach.
Total cost of the data breach: $100 million.

Risks
• Cloud computing
• Social networks
• Phishing
• Search engine manipulation
• Money laundering
• Organized crime
• Terrorist financing

IT Security Defense-in-Depth Model

5.2 IS Vulnerabilities and Threats
Unintentional:
• human error
• environmental hazards
• computer system failure
Intentional:
• hacking
• malware
• manipulation

Figure 5.4 How a computer virus can spread

Malware and Botnet Defenses
• Anti-virus software
• Firewalls
• Intrusion detection systems (IDS)
• Intrusion prevention systems (IPS)

5.3 Fraud, Crimes, and Violations
Two categories of crime:
• Violent
• Nonviolent
Fraud is a nonviolent crime: instead of a gun or knife, fraudsters use deception, confidence, and trickery.
Occupational fraud refers to the deliberate misuse of the assets of one’s employer for personal gain.

IT at Work 5.4: Madoff Defrauds Investors of $64.8 Billion
Bernard Madoff is in jail after pleading guilty in 2009 to the biggest fraud in Wall Street history.
Fundamentally, Madoff relied on social engineering and the predictability of human nature to generate income for himself.
Figure 5.5 Annual returns on a Madoff investor’s account from 2001 to 2007

Internal Fraud Prevention and Detection
IT has a key role to play in demonstrating effective corporate governance and fraud prevention.
Internal fraud prevention measures are based on the same controls used to prevent external intrusions: perimeter defense technologies such as firewalls, e-mail scanners, and biometric access.
Fraud detection can be handled by intelligent analysis engines using advanced data warehousing and analytics techniques.

5.4 IT and Network Security
Objectives of a defense strategy:
1. Prevention and deterrence
2. Detection
3. Containment
4. Recovery
5. Correction
6. Awareness and compliance

Figure 5.6 Major defense controls

Major categories of general controls
• physical controls
• access controls
• biometric controls
• communication network controls
• administrative controls
• application controls
• endpoint security and control

Figure 5.7 Intelligent agents

5.5 Network Security
Figure 5.8 Three layers of network security measures
Figure 5.9 Where IT security mechanisms are located

Authentication
Questions to help authenticate a person:
1. Who are you? Is this person an employee, a partner, or a customer? Different levels of authentication would be set up for different types of people.
2. Where are you? For example, an employee who has already used a badge to access the building is less of a risk than an employee logging on from a remote site.
3. What do you want?
Is this person accessing sensitive or proprietary information or simply gaining access to benign data?

5.6 Internal Control and Compliance
Internal control (IC) is a process designed to achieve:
• reliability of financial reporting
• operational efficiency
• compliance with laws, regulations, and policies
• safeguarding of assets

Internal Controls Needed for Compliance
The Sarbanes-Oxley Act (SOX) is an antifraud law.
• It requires more accurate business reporting and disclosure of GAAP (generally accepted accounting principles) violations, including fraud.
SOX and the SEC made it clear that if controls can be ignored, there is no control, which is itself a violation of SOX.
If the company shows its employees that it can find out everything that every employee does and use that evidence to prosecute, then the feeling that “I can get away with it” drops drastically.

Symptoms of Fraud That Can Be Detected by Internal Controls
• Missing documents
• Delayed bank deposits
• Numerous outstanding checks or bills
• Employees who do not take vacations
• A large drop in profits
• A major increase in business with one particular customer
• Customers complaining about double billing
• Repeated duplicate payments
• Employees with the same address or phone number as a vendor

5.7 Business Continuity and Auditing
An important element in any security system is the business continuity plan, also known as the disaster recovery plan. The plan outlines the process by which businesses should recover from a major disaster.
The purpose of a business continuity plan is to keep the business running after a disaster occurs.
• Each business function should have a valid recovery capability plan.
• The plan should be written so that it will be effective in case of disaster, not just in order to satisfy the auditors.
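Three of the fraud symptoms on the "Symptoms of Fraud" slide above (repeated duplicate payments, employees sharing an address or phone number with a vendor, and employees who never take vacation) can be checked mechanically over accounts-payable and HR records, which is what an internal control built on "intelligent analysis engines" does in practice. The Python below is an added example, not from the textbook or these slides. The employee, vendor and payment records are constructed for illustration, and the matching rules are my assumptions: phone numbers are compared digits-only, addresses are compared after lowercasing and stripping punctuation, and a duplicate payment means the same vendor, invoice number and amount paid more than once.

```python
import re
from collections import defaultdict


def normalize_phone(phone):
    """Keep digits only, so '(555) 010-0200' and '555.010.0200' compare equal."""
    return re.sub(r"\D", "", phone)


def normalize_address(address):
    """Lowercase, replace punctuation with spaces, collapse whitespace."""
    cleaned = re.sub(r"[^\w\s]", " ", address.lower())
    return " ".join(cleaned.split())


def find_duplicate_payments(payments):
    """Group payments by (vendor, invoice number, amount); flag groups paid more than once.
    A recurring amount on different invoices is not flagged by itself."""
    groups = defaultdict(list)
    for p in payments:
        key = (p["vendor_id"], p["invoice_no"], round(p["amount"], 2))
        groups[key].append(p["payment_id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def find_employee_vendor_matches(employees, vendors):
    """Return (employee_id, vendor_id, reasons) for every employee/vendor pair that shares
    a normalized address or phone number."""
    findings = []
    for e in employees:
        e_addr = normalize_address(e["address"])
        e_phone = normalize_phone(e["phone"])
        for v in vendors:
            reasons = []
            if e_addr == normalize_address(v["address"]):
                reasons.append("address")
            if e_phone == normalize_phone(v["phone"]):
                reasons.append("phone")
            if reasons:
                findings.append((e["id"], v["id"], tuple(reasons)))
    return findings


def find_no_vacation_employees(employees):
    """Employees who took no vacation in the period (a classic symptom of concealment)."""
    return [e["id"] for e in employees if e["vacation_days_taken"] == 0]


def run_fraud_symptom_checks(employees, vendors, payments):
    """Run all three checks and return the findings in one report dictionary."""
    return {
        "duplicate_payments": find_duplicate_payments(payments),
        "employee_vendor_matches": find_employee_vendor_matches(employees, vendors),
        "no_vacation_employees": find_no_vacation_employees(employees),
    }


# Constructed sample records (not real data). E101 shares an address and phone with
# vendor V901 and took no vacation; invoice INV-1001 was paid twice.
EMPLOYEES = [
    {"id": "E100", "name": "A. Smith", "address": "12 Elm St, Springfield",
     "phone": "(555) 010-0100", "vacation_days_taken": 10},
    {"id": "E101", "name": "B. Jones", "address": "40 Oak Ave, Springfield",
     "phone": "555-010-0200", "vacation_days_taken": 0},
    {"id": "E102", "name": "C. Lee", "address": "7 Pine Rd, Shelbyville",
     "phone": "555.010.0300", "vacation_days_taken": 12},
]
VENDORS = [
    {"id": "V900", "name": "Acme Supplies", "address": "900 Industrial Pkwy, Capital City",
     "phone": "555-010-9000"},
    {"id": "V901", "name": "Oak Consulting LLC", "address": "40 Oak Ave., Springfield",
     "phone": "(555) 010 0200"},
]
PAYMENTS = [
    {"payment_id": "P1", "vendor_id": "V900", "invoice_no": "INV-1001", "amount": 1250.00, "date": "2011-03-01"},
    {"payment_id": "P2", "vendor_id": "V901", "invoice_no": "INV-55", "amount": 4800.00, "date": "2011-03-02"},
    {"payment_id": "P3", "vendor_id": "V900", "invoice_no": "INV-1001", "amount": 1250.00, "date": "2011-03-15"},
    {"payment_id": "P4", "vendor_id": "V901", "invoice_no": "INV-56", "amount": 4800.00, "date": "2011-04-02"},
]

if __name__ == "__main__":
    for check, result in run_fraud_symptom_checks(EMPLOYEES, VENDORS, PAYMENTS).items():
        print(f"{check}: {result}")
```

Each finding is a lead for an investigator, not proof of fraud: a legitimate reason may exist for each, which is why the checks report the matching fields so the reviewer can see what triggered them.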
Risk-Management Analysis
Expected loss = P1 × P2 × L
where:
P1 = probability of attack
P2 = probability of the attack being successful
L = loss occurring if the attack is successful
Example: P1 = 0.02, P2 = 0.10, L = $1,000,000
Expected loss from this particular attack = P1 × P2 × L = 0.02 × 0.10 × $1,000,000 = $2,000

Ethical Issues
Implementing security programs raises many ethical issues.
Handling the privacy versus security dilemma is tough.
Companies may have ethical and legal obligations that require them to “invade the privacy” of employees and monitor their actions.
Under the doctrine of duty of care, senior managers and directors have a fiduciary obligation to use reasonable care to protect the company’s business operations.

Chapter 5 Link Library
Information Security Magazine: http://searchsecurity.techtarget.com
CIO Magazine, IT Security: http://cio.com/topic/3089/Security
Computer and Internet Security: http://cnet.com/internet-security
IT Governance Institute: http://itgi.org
U.S. Computer Emergency Readiness Team: http://uscert.gov/cas/tips/
SANS Information Security Reading Room: sans.org/reading_room/
Privacy news from around the world: pogowasright.org/
Government Computer News (GCN): http://gcn.com/
CompTIA: http://comptia.org/
F-Secure: http://f-secure.com/en_US/security/security-center/
Social engineering: http://symantec.com/connect/articles/socialengineering
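The Risk-Management Analysis slide above gives Expected loss = P1 × P2 × L for a single attack. The Python below is an added example, not from the textbook or these slides; it applies the same formula to a small threat register so the threats can be ranked, and goes one step further than the slide by comparing the expected-loss reduction a control delivers against the control's annual cost. That cost-benefit decision rule, the threat register, and the figures for laptop theft, flood and disk encryption are my own constructed assumptions; only the $2,000 case is the slide's.

```python
def expected_loss(p_attack, p_success, loss):
    """Expected loss = P1 x P2 x L as on the slide. Probabilities must lie in [0, 1]."""
    for name, p in (("p_attack", p_attack), ("p_success", p_success)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be a probability in [0, 1], got {p}")
    if loss < 0:
        raise ValueError("loss must be non-negative")
    return round(p_attack * p_success * loss, 2)


def rank_threats(threats):
    """Return (name, expected loss) pairs, largest expected loss first."""
    scored = [(t["name"], expected_loss(t["p_attack"], t["p_success"], t["loss"]))
              for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def control_net_benefit(threat, annual_control_cost, p_attack_after=None, p_success_after=None):
    """Expected-loss reduction minus the control's annual cost (assumed decision rule, not
    from the slide). A control may lower P1, P2 or both; factors left as None are unchanged.
    A positive result means the control pays for itself against this threat alone."""
    before = expected_loss(threat["p_attack"], threat["p_success"], threat["loss"])
    after = expected_loss(
        threat["p_attack"] if p_attack_after is None else p_attack_after,
        threat["p_success"] if p_success_after is None else p_success_after,
        threat["loss"],
    )
    return round(before - after - annual_control_cost, 2)


# Constructed threat register. The first entry is the slide's worked example; the other
# two use illustrative figures, not data from the textbook.
THREATS = [
    {"name": "external network attack", "p_attack": 0.02, "p_success": 0.10, "loss": 1_000_000},
    {"name": "laptop theft", "p_attack": 0.30, "p_success": 0.50, "loss": 100_000},
    {"name": "flood", "p_attack": 0.01, "p_success": 1.00, "loss": 500_000},
]

if __name__ == "__main__":
    for name, el in rank_threats(THREATS):
        print(f"{name:<25} expected annual loss ${el:,.2f}")
    # Assumed control: full-disk encryption on laptops cuts the chance that a stolen
    # laptop yields readable data (P2) from 0.50 to 0.05, at an assumed $4,000 per year.
    laptop = THREATS[1]
    print("disk encryption net benefit:", control_net_benefit(laptop, 4_000, p_success_after=0.05))
```

Separating P1 (will the event happen) from P2 (will it succeed in causing the loss) is what makes the control comparison possible: encryption does nothing to stop a laptop being stolen, but it collapses P2, which is exactly the factor the VA breach on the earlier slide lacked.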