Information Security Management Chapter 12

Page 1: Information Security Management Chapter 12. 12-2 “We Have to Design It for Privacy... and Security.” Copyright © 2015 Pearson Education, Inc. Tension

Information Security Management

Chapter 12


“We Have to Design It for Privacy ... and Security.”

Copyright © 2015 Pearson Education, Inc.

• Tension between Maggie and Ajit regarding terminology to use with Dr. Flores.

• Overly technical communication is a common problem for techies when talking with business professionals.

• Maggie and Ajit discuss security design later.


PRIDE Design for Security


Study Questions

Q1: What is the goal of information systems security?

Q2: How big is the computer security problem?

Q3: How should you respond to security threats?

Q4: How should organizations respond to security threats?

Q5: How can technical safeguards protect against security threats?

Q6: How can data safeguards protect against security threats?

Q7: How can human safeguards protect against security threats?

Q8: How should organizations respond to security incidents?

Q9: 2024?


Q1: What Is the Goal of Information Systems Security?


Examples of Threat/Loss


What Are the Sources of Threats?


What Types of Security Loss Exist?

• Unauthorized Data Disclosure

– Pretexting

– Phishing

– Spoofing (IP spoofing, Email spoofing)

• Drive-by sniffers

• Hacking

• Natural disasters


Incorrect Data Modification

• Procedures incorrectly designed or not followed.

• Increasing a customer’s discount or incorrectly modifying employee’s salary.

• Placing incorrect data on the company Web site.

• Improper internal controls on systems.

• System errors.

• Faulty recovery actions after a disaster.


Faulty Service

• Incorrect data modification

• Systems working incorrectly

• Procedural mistakes

• Programming errors

• IT installation errors

• Usurpation

• Denial of service (unintentional)

• Denial-of-service attacks (intentional)


Loss of Infrastructure

• Human accidents.

• Theft and terrorist events.

• Disgruntled or terminated employee.

• Natural disasters.

• Advanced Persistent Threat (APT) – Sophisticated, possibly long-running computer hack perpetrated by large, well-funded organizations.


Goal of Information Systems Security

• Find an appropriate trade-off between the risk of loss and the cost of implementing safeguards.

• Use good antivirus software.

• Delete browser cookies.

• Get in front of the security problem by making appropriate trade-offs for your life and your business.


Q2: How Big Is the Computer Security Problem?

Computer Crime Costs per Organizational Respondent


Average Computer Crime Cost and Percent of Attacks by Type (5 Most Expensive Types)


Ponemon Study Findings (2012)

• It is difficult to estimate the exact cost of a computer crime.

• Cost of computer crime is usually based on surveys.

• Data loss is the single most expensive consequence of computer crime, accounting for 44% of costs in 2012.

• 80% of respondents believe data on mobile devices poses significant risks.


Ponemon 2012 Studies Summary

• Median cost of computer crime increasing.

• Malicious insiders increasingly serious security threat.

• Data loss is principal cost of computer crime.

• Survey respondents believe mobile device data a significant security threat.

• Security safeguards work.


Q3: How Should You Respond to Security Threats?

Personal Security Safeguards


Using MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts

• Assume you and a group of other students will investigate phishing attacks.

• Search the Web for phishing, but beware that your search may bring you to the attention of an active phisher.

• Do not give any data to any site you visit as part of this exercise!


Q4: How Should Organizations Respond to Security Threats?


Security Policy Should Stipulate

• What sensitive data the organization will store.

• How it will process that data.

• Whether data will be shared with other organizations.

• How employees and others can obtain copies of data stored about them.

• How employees and others can request changes to inaccurate data.

• What employees can do with their own mobile devices at work.

As a new hire, seek out your employer’s security policy.


Ethics Guide: Securing Privacy

• “The best way to solve a problem is not to have it.”

– Resist providing sensitive data.

– Don’t collect data you don’t need.

• Gramm-Leach-Bliley (GLB) Act, 1999

• Privacy Act of 1974

• Health Insurance Portability and Accountability Act (HIPAA), 1996

• Australian Privacy Act of 1988 – Government, healthcare data, records maintained by businesses with revenues in excess of AU$3 million.


Ethics Guide: Securing Privacy: Wrap Up

• As a business professional, you have the responsibility to consider legality, ethics, and wisdom when you request, store, or disseminate data.

• Think carefully about emails that you open over public wireless networks.

• Use long and strong passwords.


Q5: How Can Technical Safeguards Protect Against Security Threats?


Essence of https (SSL or TLS)


Use of Multiple Firewalls


Malware Protection

1. Antivirus and antispyware programs.

2. Scan frequently.

3. Update malware definitions.

4. Open email attachments only from known sources.

5. Install software updates.

6. Browse only reputable Internet neighborhoods.


Malware Types and Spyware and Adware Symptoms

• Viruses

• Payload

• Trojan horses

• Worms

• Beacons


Design for Secure Applications

• SQL injection attack

– User enters SQL statement into a form instead of a name or other data.

– Accepted code becomes part of database commands issued.

– Improper data disclosure, data damage, and loss possible.

– Well-designed applications make injections ineffective.
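As an added example (not part of the Pearson slides), the vulnerable pattern the slide describes beside its hardened form, using Python's built-in sqlite3 module on a constructed in-memory customer table: the concatenated query lets a form entry rewrite the WHERE clause, while the parameterized query binds the same entry as a plain value.

```python
import sqlite3

# Constructed sample data (not from the slides): a tiny in-memory customer
# table holding the kind of discount the chapter's data-modification slide mentions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, discount INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", 5), ("bob", 10), ("carol", 15)])
    return conn

def lookup_unsafe(conn, name):
    """The 'before' form: the form field is pasted into the SQL text, so
    whatever the user typed becomes part of the command the database runs."""
    sql = "SELECT name, discount FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """The hardened form: a parameterized query. The driver sends the user's
    text as a bound value, so it can never alter the statement's structure."""
    return conn.execute(
        "SELECT name, discount FROM customers WHERE name = ?", (name,)
    ).fetchall()

# Constructed input: a SQL fragment typed into the "name" field instead of a name.
INJECTED_NAME = "x' OR '1'='1"

def demo():
    """Run both lookups with a normal name and with the injected input."""
    conn = make_db()
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_injected": lookup_unsafe(conn, INJECTED_NAME),  # every row leaks
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_injected": lookup_safe(conn, INJECTED_NAME),      # no such customer
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Input validation (rejecting unusual characters) is a useful extra layer but not a substitute for binding parameters, since legitimate names such as O'Brien contain the quote character the concatenated form mishandles.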


Q6: How Can Data Safeguards Protect Against Security Threats?


Q7: How Can Human Safeguards Protect Against Security Threats?


Account Administration

• Account Management – Standards for new user accounts, modification of account permissions, and removal of accounts that are not needed.

• Password Management – Users should change passwords frequently.

• Help Desk Policies


Sample Account Acknowledgment Form


Systems Procedures


Q8: How Should Organizations Respond to Security Incidents?


Security Wrap Up

• Be aware of threats to computer security as an individual, business professional, or an employee.

• Know trade-offs of loss risks and the cost of safeguards.

• Ways to protect your computing devices and data.

• Understand technical, data, and human safeguards.

• Understand how organizations should respond to security incidents.


Q9: 2024

• APTs more common, inflicting serious damage

• Continued concern about balance of national security and data privacy.

• Computer crimes targeting mobile devices lead to improved operating system security.

• Improved security procedures and employee training.

• Criminals focus on less protected mid-sized and smaller organizations, and individuals.

• Electronic lawlessness by organized gangs.

• Strong local “electronic” sheriffs on the electronic border to enforce existing laws?


Guide: Metasecurity

• What are the security problems?

• What are the managers’ responsibilities for controls over the security system?

• All major software vendors are obvious targets for security attacks against their networks. What do these companies do to prevent this?

• What extra precautions can you take when you hire and manage employees such as white-hat hackers?


Guide: The Final, Final Word

• Routine work will migrate to countries with lower labor costs.

• Be a symbolic-analytic worker

– Abstract thinking

– How to experiment

– Systems thinking

– Collaboration

• The best is yet to come! What you do with it is up to you.


Active Review

Q1: What is the goal of information systems security?

Q2: How big is the computer security problem?

Q3: How should you respond to security threats?

Q4: How should organizations respond to security threats?

Q5: How can technical safeguards protect against security threats?

Q6: How can data safeguards protect against security threats?

Q7: How can human safeguards protect against security threats?

Q8: How should organizations respond to security incidents?

Q9: 2024


Case 12: Will You Trust FIDO?

• One-third of all people record passwords somewhere, whether on a sticky note or in a computer file.

• Malicious code searches for files that include "password" or some variant.

• Many web sites offer to authenticate you using your Facebook or other common credentials.

• Use credentials only at the site where they were created.


Alternatives to Passwords

• Biometric: Fingerprints, retinal scans, keystroke rhythm

• Picture password in Windows 8 – User makes three gestures over a photo.

• Asking user to name people in group photo or provide facts about people in photo.

• One defect: if a user’s authentication is compromised once, it is compromised for all sites where that authentication method is used.


Fast Identity OnLine (FIDO)


Will You Trust FIDO? Probably

• FIDO does not eliminate need to send private data over the Internet, but substantially reduces it.

• Password or PIN never sent over a network.

• Forming open standards and asking the community to find holes and problems long before standard is implemented.

• Support of major, well-funded organizations.
