Using MIS 2e Chapter 12: Information Security Management David Kroenke

Using MIS 2e
Chapter 12: Information
Security Management
David Kroenke
This presentation has been
modified from the original and
should be downloaded from the
Course Documents area in
Blackboard
Study Questions

Q0 – What are concerns for personal security?

Q1 – What are the threats to information security?

Q2 – What is senior management’s security role?

Q3 – What technical safeguards are available?

Q4 – What data safeguards are available?

Q5 – What human safeguards are available?

Q6 – How should organizations respond to security incidents?

Q7 – What is the extent of computer crime?
Chapter 12: Information Security Management
12-2
Q0 – What are concerns for personal security (identity theft)?

Identity theft is the manipulation of, or improperly accessing,
another person’s identifying information, such as social
security number, mother’s maiden name, or personal
identification number (rather than account number) in order to
fraudulently establish credit or take over a deposit, credit or
other financial account for benefit.

Thieves gain access to personal data via:






A stolen wallet or purse
Stealing or diverting mail
Rummaging through trash
Fraudulently obtaining a credit report
From personal information on the Internet
From a business by conning or bribing an employee who has
access to confidential data
Chapter 12: Information Security Management
12-3
Q0 – What are concerns for personal security (identity theft)?
Dear Customer,
Our records show that your account has been
inactive for more than 3 months. In order to confirm
your membership with us and to avoid temporarily
suspending
yourhas
account,
we will
transfer
random
Your identity
now been
stolen!
Thanka you
amount
between 0.25
USD
and to
0.99
USD
for providing
me with
access
all of
yourto your
debit card. This personal
is a newrecords
security measure put in
place by our company to protect your account
against unauthorized charges cancellation. To
complete this process please, follow the link below:
Click Here to Validate Your Account
Chapter 12: Information Security Management
12-4
Q0 – What are concerns for personal security (identity theft)?

Beware of “Innocent” Documents
Chapter 12: Information Security Management
12-5
Q0 – What are concerns for personal security (identity theft)?

If you are a victim:






Notify Credit Bureaus and review your credit reports.
File a report with your local police or the police in the community
where the identity theft took place.
Contact Fraud Department of Creditors.
File a complaint with the FTC.
Close any accounts that have been opened fraudulently
There are laws to protect you




Fair Credit Reporting Act (FCRA) Establishes procedures for
resolving billing errors on your credit report.
Truth in Lending Act Limits your liability for unauthorized credit
card charges to $50 per card.
The Fair Credit Billing Act (FCBA) Establishes procedures for
resolving billing errors on your credit card accounts.
Fair Debt Collection Practices Act Prohibits debt collectors from
using unfair or deceptive practices to collect overdue bills.
Chapter 12: Information Security Management
12-6
Q0 – What are concerns for personal security (backup)?



It’s not a question of if it will happen, but when; hard disks
die, viruses infect a computer, files are lost due to human
error, and so on.
The essence of a backup strategy is to decide who does
the backup, what files to back up and how (incremental
versus full backup), when to do the backup and where to
keep the backup files; i.e., who, what, how, when, and
where .
Our strategy is simple –back up anything you cannot
afford to lose (i.e., your data), do it every time the data
changes, and store the files away offsite from your
computer.
Chapter 12: Information Security Management
12-7
Q1 – What are the threats to information security?
Fig 12-1 Security Problems and Sources
Chapter 12: Information Security Management
12-8
Q1 – What are the threats to information security (sources)?

Human error stems from employees and nonemployees.




Malicious human activity results from employees, former employees,
and hackers who intentionally destroy data or system components.





They may misunderstand operating procedures and inadvertently cause
data to be deleted.
Poorly written application programs and poorly designed procedures
may allow employees to enter data incorrectly or misuse the system.
Employees may make physical mistakes like unplugging a piece of
hardware that causes the system to crash.
Breaking into systems with the intent of stealing or destroying data.
Introducing viruses and worms into a system.
Acts of terrorism.
White-hat hackers are hired by organizations to test security systems
Natural events and disasters pose problems stemming not just from
the initial loss of capability and service but also problems a company
may experience as it recovers from the initial problem.
Chapter 12: Information Security Management
12-9
Q1 – What are the threats to information security (Human Error)?




An analyst at a major company searched its servers for documents
called "passwords.doc“ and found 40 such documents. Any
malcontent employee with a minimal amount of computer know-how
could unlock those documents and ravage the company's most
sensitive applications.
An MCI financial analyst's laptop was stolen from his car, which was
parked in his home garage. That laptop contained the names and
Social Security numbers of 16,500 current and former employees.
A former Morgan Stanley executive, apparently with no more use for
his Blackberry, sold the device on eBay for a whopping $15.50. The
surprised buyer soon found out that the Blackberry still contained
hundreds of confidential Morgan Stanley e-mails.
Unsuspecting employees continually give out names, addresses, and
other confidential information to outsiders who target well-meaning
users over the phone and/or the Internet to obtain private information
and/or passwords.
Chapter 12: Information Security Management
12-10
Q1 – What are the threats to information security (Malicious Activity)?
Pretexting is the practice of getting your information under false
pretenses; a common scam involves a telephone caller who
pretends to be from a credit card company.
 Phishing is a similar technique that uses pretexting via email; the
phisher pretends to be a legitimate company and sends an email
“CIOs canconfidential
spend millions
firewalls,
intrusion
detection
requesting
data,on
such
as Social
Security
numbers
andiswhatever
else for
their
security vendors
are selling,
but
systems
Spoofing
another term
pretexting;
i.e., someone
pretending
when
VP of marketing
decides to sync his work laptop with
to bethat
someone
else.
his unsecured home PC—and there's no policy or training to
 Sniffing is a technique for intercepting computer communications.
make
him think twice—your million-dollar security efforts become
 With wired networks, sniffing requires a physical connection to the
worthless.”
www.cio.com/archive/101505/security.html
network.



With wireless networks, no such connection is required; drive-by
sniffers simply take computers with wireless connections through an
area and search for unprotected wireless networks.
Hacking is the act of breaking into a computer system
Chapter 12: Information Security Management
12-11
Q2 – What is senior management’s security role?

Senior managers should ensure their organization has an effective
security policy that includes these elements:




A general statement of the organization’s security program
Issue-specific policies like personal use of email and the Internet
System-specific policies that ensure the company is complying with laws
and regulations.
Senior managers must also manage risks associated with
information systems security.


Risk is the likelihood of an adverse occurrence.
When you’re assessing risks to an information system you must first
determine:




What the threats are.
How likely they are to occur.
The consequences if they occur.
You can reduce risk but always at a cost. The amount of money you
spend on security influences the amount of risk you must assume.
Chapter 12: Information Security Management
12-12
Q2 – What is senior management’s security role (Safeguards)?

Appropriate safeguards must be established for all five components of
an information system
Chapter 12: Information Security Management
12-13
Q3 – What technical safeguards are available (identification and authentication)?
Chapter 12: Information Security Management
12-14
Q3 – What technical safeguards are available (identification and authentication)?

Every information system today should require users to
sign in with a user name and password.


The user name identifies the user (the process of identification), and
the password authenticates the user (the process of authentication)
Three types of authentication methods



What you know; e.g. a password such as MwbiJu14
What you have; e.g., a smart card which is a plastic card similar to a
credit card, which has a microchip and is loaded with identifying
data.
What you are; e.g., biometric authentication which uses personal
physical characteristics such as fingerprints, facial features, and
retinal scans to authenticate users)
Chapter 12: Information Security Management
12-15
Q3 – What technical safeguards are available (encryption)?




Senders use a key to encrypt a plaintext message and then send the
encrypted message to a recipient, who uses a key to decrypt it.
Consider a simple encryption scheme where each letter is transposed
by a constant (known as the key)
 “Go Canes” becomes “Hp Dboft” (using key of 1)
 “Go Canes” becomes “Iq Ecpgu” (using key of 2)
In this example:
 Only 25 keys are possible which is too limited
 This a symmetric key system because the same key is used to
encrypt and decrypt a message. Both sender and recipient must
keep the key secret which becomes a problem when too many
people use the same key
In practice:
 Web browsers use 2128 possible keys (39-digit number)
 Two different keys are used to encrypt and decrypt a message (an
asymmetric key). The public key is freely distributed; the private key
is kept secret
Chapter 12: Information Security Management
12-16
Q3 What technical safeguards are available?
Most secure communication over
the Internet uses a protocol called
HTTPS. With HTTPS, data are
encrypted using a protocol called
the Secure Socket
Layer/Transport Layer Security
(SSL/TLS).
Chapter 12: Information Security Management
12-17
Q3 – What technical safeguards are available (encryption)?
Chapter 12: Information Security Management
12-18
Q3 – What technical safeguards are available (Digital Signature)?
Digital signatures ensure that plaintext
messages are received without
alteration. The plaintext message is first
hashed; i.e., mathematically converted to
a bit string of bits (message digest) that
contain the message.
Chapter 12: Information Security Management
12-19
Q3 – What technical safeguards are available (Digital Certificate)?




The message was unaltered, but how are you sure of
who sent it? A digital certificate (the electronic file that is
the equivalent of an “online passport”) can be appended
to the message to ensure the identity of the sender.
The certificate is issued by a trusted third party knows as
a certification authority (CA) such as www.verisign.com.
The certificate contains the name of the holder, a serial
number, expiration dates, a copy of the certificate
holder's public key
It also contains the digital signature of the certificateissuing authority so that a recipient can verify that the
certificate is real.
Chapter 12: Information Security Management
12-20
Q3 – What technical safeguards are available (Firewall)?



A firewall is a computing device that prevents unauthorized
network access. It can be a special-purpose computer or a
program on a general-purpose computer or on a router
Organizations normally use multiple firewalls.
A perimeter firewall sits outside the organization network; it
is the first device that Internet traffic encounters.


A packet-filtering firewall examines each packet and
determines whether to let the packet pass.




Some organizations employ internal firewalls inside the
organizational network in addition to the perimeter firewall.
Packet-filtering firewalls can prohibit outsiders from starting a
session with any user behind the firewall.
They can also disallow traffic from particular sites, such as known
hacker addresses.
They can also prohibit traffic from legitimate, but unwanted
addresses, such as competitors’ computers.
Firewalls can filter outbound traffic as well.
Chapter 12: Information Security Management
12-21
Q3 – What technical safeguards are available (Firewall)?
Fig 12-8 Use of Multiple Firewalls
Chapter 12: Information Security Management
12-22
Q3 – What technical safeguards are available (Malware)?

Malware (malicious software) is software that seeks to
disrupt or damage a computer system. Our definition is on
the broadest use of the tem and includes viruses, worms,
Trojan horses, spyware, and adware.




A computer virus is a program that replicates itself
A Trojan horse is a virus masquerading as a useful program
or file
A worm is a virus that propagates itself using the Internet or
other computer network
Spyware is software that is installed on the user’s
computer without the user’s knowledge. It resides in the
background and, unknown to the user, observes the user’s
actions and keystrokes, monitors computer activity, and
reports the user’s activities to sponsoring organizations
Chapter 12: Information Security Management
12-23
Q3 – What technical safeguards are available (Malware)?

Adware is similar to spyware in that it is installed without
the user’s permission and resides in the background and
observes user behavior.



Most adware is benign in that it does not perform malicious
acts or steal data.
Adware produces pop-up ads and can also change the user’s
default window or modify search results and switch the user’s
search engine.
Malware Safeguards






Install antivirus and antispyware programs on your computer.
Scan your computer frequently.
Update malware definitions.
Open email attachments only from known sources.
Promptly install software updates from legitimate sources.
Browse only in reputable Internet neighborhoods
Chapter 12: Information Security Management
12-24
Q3 – What technical safeguards are available (Malware)?
AOL/NCSA Online Safety Study, October 204, stayssafeonline.info/news/safety-study-V04.pdf
Chapter 12: Information Security Management
12-25
Q4 – What data safeguards are available?

To protect databases and other data sources, an
organization should follow various safeguards which
include the following:






Determine data rights and responsibilities
Enforce rights by user accounts and passwords
Encrypt sensitive data
Establish backup and recovery procedures
Establish physical security
Remember, data and the information from it are one of
the most important resources an organization has.
Chapter 12: Information Security Management
12-26
Q5 – What human safeguards are available (employee/non-employee)?
Chapter 11: Information Security Management
27
Q5 – What human safeguards are available (employee/non-employee)?


Position Definitions (employee)

Effective human safeguards begin with definitions of job tasks and
responsibilities. User accounts should be defined to give users the
least possible privilege needed to perform their jobs.

At least two individuals should be required to authorize
disbursements (over a specified amount)

The security sensitivity should be documented for each position.

Security considerations should be part of the hiring process; when
hiring for high-sensitive positions, extensive screening interviews,
references, and high background investigations are appropriate.
Dissemination and Enforcement (employee)

Employees need to be made aware of the security policies,
procedures, and responsibilities they will have.

Employee security training begins during new-employee training with
the explanation of general security policies and procedures.

Enforcement consists of three interdependent factors: responsibility,
accountability, and compliance.
Chapter 12: Information Security Management
12-28
Q5 – What human safeguards are available (employee/non-employee)?

Termination (employee)




Companies must establish security policies and procedures for the
termination of employees.
Standard human resources policies should ensure that system
administrators receive notification in advance of the employee’s last day, so
that they can remove accounts and passwords.
The need to recover keys for encrypted data and any other security
requirements should be part of the employee’s out-processing.
Non-employee personnel



Business requirements may necessitate opening information systems to
non-employees such as temporary workers, vendors, and/or partner
personnel (employees of business partners)
In the case of temporary, vendor, and partner personnel, the contracts that
govern the activity should call for security measures appropriate to the
sensitivity of the data and IS resource involved.
Companies should require vendors and partners to perform appropriate
screening and security training.
Chapter 11: Information Security Management
29
Q5 – What human safeguards are available (Account administration)?

Account administration has three components—account
management, password management, and help-desk policies.

Account management focuses on




Password management requires that users




Establishing new accounts
Modifying existing accounts
Terminating unnecessary accounts.
Immediately change newly created passwords
Change passwords periodically
Sign an account acknowledgment form
Help-desks have been a source of problems for account administration
because of the inherent nature of their work.


It is difficult for the help-desk to determine exactly with whom they’re
speaking. Users call up for a new password without the help-desk having a
method of definitively identifying who is on the other end of the line.
There must be policies in place to provide ways of authenticating users like
asking questions only the user would know the answers to.
Chapter 12: Information Security Management
12-30
Q5 – What human safeguards are available?

Effective system procedures can help increase security and reduce
the likelihood of computer crime. As this figure shows, procedures
should exist for both system users and operations personnel that
cover normal, backup, and recovery procedures.
Chapter 12: Information Security Management
12-31
Q5 – What human safeguards are available (Security Monitoring)?



Important monitoring functions are activity log analyses, security
testing, and investigating and learning from security incidents.
Many information system programs produce activity logs.

Firewalls produce logs of their activities, including lists of all dropped
packets, infiltration attempts, and unauthorized access attempts from
within the firewall.

DBMS products produce logs of successful and failed log-ins.

Web servers produce voluminous logs of Web activities.

The operating systems in personal computers can produce logs of log-ins
and firewall activities.
An important security function is to analyze activity logs for threats
patterns, successful and unsuccessful attacks, and evidence of
security vulnerabilities; i.e., none of the logs have any value unless
they are looked at.
Chapter 11: Information Security Management
32
Q6 – How should organizations respond to incidents (disaster preparedness)?

No system is fail-proof. Every organization must have an effective
plan for dealing with a loss of computing systems.




Locate infrastructure in safe location
Identify mission-critical systems
Identify resources needed to run those systems
Prepare remote backup facilities




Hot sites are remote processing centers run by commercial disaster-recovery
services. For a monthly fee, they provide all the equipment needed to
continue operations following a disaster.
Cold sites provide office space, but customers themselves provide and install
the equipment needed to continue operations.
A backup facility is very expensive, but the costs of maintaining that facility
are a form of insurance.
Every organization should think about how it will respond to security
incidences that may occur, before they actually happen.



Have plan in place
Centralized reporting
Practice!
Chapter 12: Information Security Management
12-33
Q7 – What is the extent of computer crime?
Computer crime: Commission of
illegal acts through the use of a
computer or against a computer
system is on the increase.
Computer abuse: Unethical but
not necessarily illegal acts.
82% of unauthorized access
incidents came from inside the
organization according to a 1998
survey of 1600 companies by
PricewaterhouseCoopers
Chapter 12: Information Security Management
12-34
Q7 – What is the extent of computer crime?

The full extent of computer crime is unknown.



There is no national census because many organizations are
reluctant to report losses for fear of alienating customers,
suppliers, and business partners.
A 2006 survey estimated that the total loss due to computer crime
is at least $52.5 billion.
This chart shows the top four sources of computer crime
and the total dollar loss (2006 FBI/CSI Survey).
Chapter 12: Information Security Management
12-35
Summary






Computer threats come from human error, malicious human
activity, and natural disaster.
Five types of security problems are unauthorized data
disclosure, incorrect data modification, faulty service, denial of
service, and loss of infrastructure.
Management has three critical security functions: establishing a
security policy, educating employees about security, and
managing security risk.
Security safeguards are classified into technical, data, and
human categories.
Disaster preparedness safeguards include asset location,
identification of mission-critical systems, and the preparation of
remote backup facilities.
Organizations should prepare for security incidents ahead of
time by developing a plan, ensuring centralized reporting,
defining responses to specific threats, and practicing the plan.
Chapter 12: Information Security Management
12-36
Review: Select the appropriate term for each item
Phishing – Spyware – Certificate Authority – Asymmetric encryption
– Spoofing – Sniffing – Special character – Digital signature – Firewall
1.
2.
3.
4.
5.
6.
7.
8.
9.
Combination of hardware and/or software designed to keep
unwanted users out of a system Firewall
Sending an e-mail claiming to be a legitimate enterprise in an
attempt to get confidential information Phishing
In addition to numbers, upper-, and lower-case letters, one of
these should be in every password Special character
Software installed on a user’s computer without the user’s
knowledge which monitor’s user’s activity Spyware
Agency that issues digital certificates Certificate authority
Ensures a message has not been altered Digital signature
Uses a public key and a private key Asymmetric encryption
Pretending to be someone else Spoofing
A technique to intercept computer communications Sniffing
Chapter 12: Information Security Management
12-37