Chapter 12
Information Security Management
Study Questions
Q1: What are the sources and types of security threats?
Q2: What are the elements of a security program?
Q3: How can technical safeguards protect against security threats?
Q4: How can data safeguards protect against security threats?
Q5: How can human safeguards protect against security threats?
Q6: What is necessary for disaster preparedness?
Q7: How should organizations respond to security incidents?
12-2 Copyright © 2010 Pearson Education, Inc. Publishing as Prentice Hall
Q1: What Are the Sources and Types of Security Threats?
1. Unintentional human errors and mistakes
  – Accidental problems: deletions, copyovers, operating errors
  – Physical accidents: driving forklift through computer room wall
2. Malicious human activity
  – Intentional destruction of programs, hardware, and data by employees
  – Insider attacks from disgruntled employees
  – Hackers, Criminals, Terrorists
3. Natural events and disasters
  – Fires, floods, hurricanes, earthquakes, avalanches, tornados
Unauthorized Data Disclosure
• Human error
  – Posting private information in public place
  – Placing restricted information on searchable Web sites
  – Inadvertent disclosure during recovery
• Malicious release
  – Pretexting = pretending to be someone else via phone call
  – Phishing = pretexting using email
  – Spoofing = disguising as a different IP address or different email sender
  – Sniffing/Drive-by sniffing = searching for unprotected or WEP wireless networks
  – Network Tap = breaking into networks = slicing into cables, using a client on network
Faulty Service
• Usurpation = unauthorized program or update replaces legitimate/approved program
Denial of Service (DOS)
• Human error
  – Inadvertently shut down Web server, gateway router with computationally intensive application
  – Example: OLAP application that uses operational DBMS blocks order-entry transaction
• Malicious denial-of-service attacks
  – Flood Web server with millions of requests for Web pages
  – Computer worms
Q2: What Are the Elements of a Security Program?
• Senior management responsibility
  – Establish a security policy
  – Balancing costs and benefits of security program
• Safeguards
• Incident response
Q3: How Can Technical Safeguards Protect Against Security Threats?
Primary technical safeguards
1. Identification and authentication
2. Encryption (Ch. 6)
3. Firewalls (Ch. 6)
4. Malware protection
5. Design for secure applications
Identification and Authentication
• User names and passwords
  – Identification: user name
  – Authentication: password
• Authentication methods
  1. What you know (password, PIN)
  2. What you have (smart card, ID card, Digital Certificate)
  3. What you are (biometric)
• Single sign-on for multiple systems
  – Authenticate to network and other servers
Malware Protection
• Types of Malware
  – Spyware programs
    • Install without user’s knowledge
    • Reside in background, monitor user actions, keystrokes, etc.
    • Used for marketing analysis
    • Latest viruses, malware threats
  – Adware
    • Similar to spyware without malicious intent
    • Watches user’s activity, produces pop-up ads, changes window, modifies search results
    • Can slow computer performance
    • Remove with anti-spyware, anti-adware programs
Malware Is a Serious Problem
Malware Safeguards
• Install antivirus and anti-spyware programs
• Set anti-malware programs to scan frequently
  – Scan hard drive and email
• Update malware definitions regularly
• Open email attachments only from known sources
  – 90% of all viruses spread by email attachments
• Install updates promptly and only from legitimate sources
• Browse only reputable Internet neighborhoods
  – It is possible for some malware to install itself when you do nothing but open a Web page or download a picture.
Design for Secure Applications
• Design for secure applications
  – Be sure that your company designs and builds systems with security as a requirement
• CERT
Q4: How Can Data Safeguards Protect Against Security Threats?
1. Data administration
  – Organization-wide function
    • Develops data policies
    • Enforces data standards
2. Database administration
  – Ensures procedures exist for orderly multiuser processing
  – Controls changes to database structure
  – Protects the database
Q5: How Can Human Safeguards Protect Against Security Threats?
1. Human Safeguards for employees
  – Position definitions
    • Separation of duties and authorities
    • Grant “least possible privileges”
2. Hiring and screening employees
  – Extensive interviews and background checks for new hires and employees being promoted
3. Dissemination and enforcement (Security Policy)
  – Make employees aware of security policies and procedures
  – Enforcement factors
    1. Responsibility
    2. Accountability
    3. Compliance
Q5: How Can Human Safeguards Protect Against Security Threats? (cont’d)
4. Termination
  – Standard human resources policies for “friendly” terminations
    • Remove accounts, passwords on last work day
    • Recover all keys for encrypted data
    • Recover all door keys and pass cards, ID badges
  – Unfriendly terminations
    • Remove accounts, passwords prior to notifying employee of termination
    • Security officer cleans out person’s desk or watches
    • Accompany person off premises
Account Administration
• Account management procedures
  – Creation of new accounts, modification of existing accounts, removal of terminated accounts
  – Users provide timely notification of account change needs
  – Users and business manager inform IT to remove accounts
• Password management
  – User-signed acknowledgment forms
  – Change passwords frequently
• Help-desk policies
  – Authentication of users who have lost password
  – Password should not be emailed
Information Systems Safety Procedures
• Procedure types
  – Normal operations
  – Backup
  – Recovery
Q6: What Is Necessary for Disaster Preparedness?
• Disaster
  – Substantial loss of infrastructure caused by acts of nature, crime, or terrorism
• Best safeguard is to choose an appropriate location for infrastructure (Common Sense?)
  – Avoid placing where prone to floods, earthquakes, tornadoes, hurricanes, avalanches, car/truck accidents
  – Place in unobtrusive buildings, basements, backrooms
    • NOT physical perimeter
  – Fire-resistant buildings
Q6: What Is Necessary for Disaster Preparedness? (cont’d)
• Create backups for critical resources
  – Contract with “hot site” or “cold site” provider
    • www.ragingwire.com
    • A hot site provides all equipment needed to continue operations there
    • A cold site provides space but you have to set up and install equipment
  – Periodically train and rehearse cutover of operations
Q7: How Should Organizations Respond to Security Incidents?
• Have a plan in place
• Centralize reporting
  – Computer Security Incident Reporting Team (CSIRT)
• Specific responses
  – Speed
  – Preparation pays
  – Don’t make problems worse
• Practice!
Active Review
Q1: What are the sources and types of security threats?
Q2: What are the elements of a security program?
Q3: How can technical safeguards protect against security threats?
Q4: How can data safeguards protect against security threats?
Q5: How can human safeguards protect against security threats?
Q6: What is necessary for disaster preparedness?
Q7: How should organizations respond to security incidents?