Risk Management: Information Technology, Infrastructure and Security
MBA 8125, Spring 2012
Duane Truex, Veda C. Storey, Carl Stucke
Acknowledgement: Parts of this session are based upon material from Cecil Chua, Deb Dey, Kimball, Dorothy Denning, Ray Panko, Graeme Payne, Ernst & Young, Gartner Group, Arjan Raven, Jessup and Valacich, J. Steten, Forrester
Why Study Security?
• Individual: identity theft; tracking, spyware; privacy
• Company: corporate database attacks
• Country: cyber attacks
Q: What other types of threats exist?
Generalized Security Design Model
• Targets: 1. Physical (hardware, facilities, people) 2. Software 3. Data 4. Communications
• Threats: 1. Destruction 2. Modification 3. Disclosure
• Sources: 1. People 2. Mother nature
• Controls: 1. Avoidance 2. Tolerance 3. Mitigation
Risk: (Cost) Benefit Analysis Model
• EC = Pi × ∑Ci (expected cost: the probability of incident i times the sum of its cost components Ci)
• Ev = Bi − EC (expected value of strategy i: its benefit less the expected cost)
• Overall utility of scenarios: Bi = ∑j (bi,j × Wj), where Bi is the expected benefit assigned to strategy i, built from its effect bi,j on each scenario j, and Wj is the weighting given to scenario j
Q: What is an inherent weakness in this formulation?
Q: Are traditional investment decision metrics adequate?
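As an added worked example (not part of the slides), the three formulas above applied to three constructed risk treatments; the scenario weights, probabilities and cost figures are made up for illustration, and the break-even probability shows how sensitive the ranking is to the estimate of Pi:

```python
"""Added worked example (not from the slides): the deck's (cost) benefit model,
EC = Pi * sum(Ci), Ev = Bi - EC and Bi = sum_j(b_ij * Wj), applied to three
hypothetical treatments of one risk (accept, mitigate, transfer) across weighted
scenarios. All figures are constructed, in thousands of dollars."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Strategy:
    name: str
    p_incident: float   # Pi: estimated probability the incident still occurs
    costs: dict         # Ci: cost components incurred if the incident does occur
    benefits: dict      # b_ij: benefit of this strategy in scenario j

# Wj: scenario weights (constructed; they sum to 1)
WEIGHTS = {"normal_operations": 0.6, "targeted_attack": 0.3, "regulatory_audit": 0.1}

STRATEGIES = [
    Strategy("accept", 0.30, {"downtime": 200, "recovery": 50, "fines": 100},
             {"normal_operations": 50, "targeted_attack": 0, "regulatory_audit": 0}),
    Strategy("mitigate", 0.05, {"downtime": 200, "recovery": 50, "fines": 100},
             {"normal_operations": 20, "targeted_attack": 300, "regulatory_audit": 150}),
    Strategy("transfer", 0.30, {"downtime": 200, "recovery": 50, "premium": 40},
             {"normal_operations": 0, "targeted_attack": 100, "regulatory_audit": 0}),
]

def expected_cost(s):
    """EC = Pi * sum(Ci)."""
    return s.p_incident * sum(s.costs.values())

def overall_benefit(s, weights):
    """Bi = sum_j (b_ij * Wj); a scenario the strategy says nothing about adds 0."""
    return sum(s.benefits.get(j, 0.0) * w for j, w in weights.items())

def expected_value(s, weights):
    """Ev = Bi - EC."""
    return overall_benefit(s, weights) - expected_cost(s)

def rank(strategies, weights):
    """Strategy names ordered from highest to lowest expected value."""
    ordered = sorted(strategies, key=lambda s: expected_value(s, weights), reverse=True)
    return [s.name for s in ordered]

def breakeven_probability(s, weights):
    """The Pi at which Ev falls to zero (Bi / sum(Ci)). If the true incident
    probability is above it, a strategy that looked positive is a loss: the
    model is only as good as the Pi and Ci estimates fed into it."""
    return overall_benefit(s, weights) / sum(s.costs.values())

if __name__ == "__main__":
    for s in STRATEGIES:
        print(f"{s.name:9s} EC={expected_cost(s):6.1f}  Bi={overall_benefit(s, WEIGHTS):6.1f}  "
              f"Ev={expected_value(s, WEIGHTS):6.1f}  break-even Pi={breakeven_probability(s, WEIGHTS):.2f}")
    print("ranking by Ev:", rank(STRATEGIES, WEIGHTS))
```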
The Big Picture: Technology Emergence, Impact, Dependency
“By eliminating time and distance, the Internet makes it possible to perform business in ways not previously imaginable.” Ref: Baltzan and Phillips, 2011
Disruptive technology:
• New way of doing things
• Does not meet needs of existing customers
• Opens new markets/destroys old ones
• Start in low end; evolve to high-end competitors
Sustaining technology:
• Produces improved customer product
• Better / faster / cheaper
Agenda
Item 1: Information Technology Infrastructure
Item 2: Data Set: Sources, Storage, and Challenges
Item 3: Risk Management
• Organizational Perspectives
• Risk Management Life Cycle
• Business Impact Analysis
• The Digital Firm: Where are the Risks?
Item 4: Information Security
• Framework
• Unauthorized Access and Human Error
• Four Factors: 1. What you know 2. What you are 3. What you have 4. Where you are
• Communication Line Access
• Corporate Server Protection
Agenda (cont’d)
Item 5: Attacks
• Why so many attacks?
• Attacks via Social Engineering
Item 6: Attackers
• Who are they?
• Spamming
Item 7: Management Issues
• Disasters and business continuity planning
• Security levels
• Business value of security
• Takeaways
Item 1: Information Technology Infrastructure
Information Systems Infrastructure components (Jessup & Valacich, 2008): Hardware, Software, Communication and Collaboration, Data and Knowledge, Facilities, Human Resources, Services
Q: If you were in charge of protecting your data assets, where would you start from a risk management point of view?
The Data Set: Data Sources and Storage
[Diagram: data sources feeding a database; storage]
Risk Management
Cost of Doing Business / Risk Avoidance / ROI
“Risk management is based on the notion that history repeats itself, but not quite.” Peter Bernstein
Risk Management: Organizational Perspective
[Diagram (© 2002): Board of Directors, Risk Management Committee and Business Units, governed by regulations and risk policies. Risk categories: Strategic, Financial, Operational. Risks shown: intellectual property, revenue, credit, market, fiduciary, project management, info security and availability, human capital, physical security, IT capacity and performance, risk financing and insurance, reputation, privacy.]
Risk Management Life Cycle: Mitigation and Risk Abatement
• Start/Update Risk Planning
• Inventory Assets: who, what, what value, what priority?
• Identify Risks: who, what, where, when, why, how?
• Analyze/assess/measure: how much, how often, how related, what business impact?
• Mitigate: eliminate, avoid, reduce
• Transfer: contractual, risk financing, insurance
• Accept: create/implement BCP
• Monitor Results / Initiate Update
Adapted from
Risk Management: Business Impact Analysis (BIA)
[Chart: cost to business (0 to 160) against time out of service (Day 1, Day 4, Week 1, Week 2), broken down into lost sales, order cancellations, penalties and interest. Impact areas: cash flow; competition and lost sales; interest expense; shareholder confidence; legal/contractual obligations and penalties; company viability; customer service and canceled orders; insurance issues and regulatory requirements; productivity.]
Risk Management: The Digital Firm: Where Are The Risks? (Source: Laudon & Laudon)
• Multiple failure points
• Human error
• Performance / capacity
• Outsourced service providers
• Natural disasters
• Downtime (planned/unplanned)
• Security incidents
• Links to third parties
Agenda Item 4: Information Security
• Information Security
• Framework
• Unauthorized Access and Human Error
• Four Factors: what you know, what you are, what you have, where you are
• Communication Line Access
• Corporate Server Protection
Information Security
Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. (Source: Laudon & Laudon)
Primary issues:
• Confidentiality: no “data spills”
• Integrity
• Availability
Sample Question: Why is “availability” considered a primary issue of information security?
Information Security: Framework for Understanding Challenges in Organizations (Source: Laudon & Laudon)
Question: What is the major use of this framework?
Unauthorized Access & Human Error
• Strong passwords; change frequently
• Use additional authentication: something you know, you have, you are, where you are
• Encrypt data
• Install anti-virus, anti-spyware, and firewall
• Minimize data stored on client
• Limit data access to need-to-know basis
• Software bugs: updates and patches
• Input mistakes: application controls (http://www.sans.org/top20/)
• SPAM and phish: http://images.businessweek.com/ss/05/05/hacker_phishing/index_01.htm
Factor One: What You Know
Attacks against a weak link: passwords
• Brute force attack: try every combination possible; defeated by long passwords
• Default password attack: check if user never changed password from default; defeated by changing password
• Dictionary attack: dictionary of common passwords (names, common words, famous people, domain-specific terms)
• Good passwords:
– Minimum length: 8 characters
– Passwords should use lowercase, uppercase, numbers, and special characters such as !@#$%^&*(){}[]
– Example: My favorite song is “Sing to the Wind”. Password: “mFSI!19202023”
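Added example, not from the slides: a policy checker that applies the slide's password rules, models the three listed attacks as checks (the default-password and common-word lists are small constructed stand-ins, not real lists), and reports the brute-force keyspace in bits to show why length is the main defence:

```python
"""Added example (not from the slides): checks a candidate password against the
"What You Know" slide's rules (minimum 8 characters; lowercase, uppercase, digits
and special characters) and the three attacks it names. Word lists are constructed
stand-ins for the real default-password and dictionary lists."""
import math
import string

SPECIALS = set("!@#$%^&*(){}[]")   # the slide's special-character set (14 symbols)
MIN_LENGTH = 8                      # the slide's minimum length

# Constructed stand-ins: vendor defaults, and common plus domain-specific words.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "welcome1"}
COMMON_WORDS = {"letmein", "qwerty", "football", "georgia", "truex", "storey"}

def character_classes(pw):
    """Return the set of classes present: lower, upper, digit, special."""
    classes = set()
    for ch in pw:
        if ch.islower(): classes.add("lower")
        elif ch.isupper(): classes.add("upper")
        elif ch.isdigit(): classes.add("digit")
        elif ch in SPECIALS: classes.add("special")
    return classes

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": len(SPECIALS)}

def brute_force_bits(pw):
    """log2 of the keyspace a brute-force attack must cover, assuming the attacker
    already knows the length and which character classes were used (conservative)."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def dictionary_hit(pw):
    """Dictionary attack model: the password, lower-cased and with trailing digits
    stripped ("Truex2012" -> "truex"), is a common or domain-specific word."""
    return pw.lower().rstrip(string.digits) in COMMON_WORDS

def evaluate(pw):
    """Apply the slide's rules and attack checks; return (accepted, reasons)."""
    reasons = []
    if pw.lower() in DEFAULT_PASSWORDS:
        reasons.append("default password (default-password attack)")
    if dictionary_hit(pw):
        reasons.append("common or domain-specific word (dictionary attack)")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters (brute-force attack)")
    missing = {"lower", "upper", "digit", "special"} - character_classes(pw)
    if missing:
        reasons.append("missing character classes: " + ", ".join(sorted(missing)))
    return (not reasons, reasons)

if __name__ == "__main__":
    for pw in ["admin", "Truex2012", "mFSI!19202023"]:
        ok, why = evaluate(pw)
        print(f"{pw!r}: {'accepted' if ok else 'rejected'} "
              f"({brute_force_bits(pw):.0f}-bit keyspace) {why}")
```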
Factor Two: What You Are
Biometric examples (from Kelly Rainer): fingerprint scan, retinal scan, iris scan, signature recognition, speech recognition, facial recognition
Communications Line Access
• Secure physical communications lines
• Encrypt communications (http://computer.howstuffworks.com/vpn.htm)
• Authenticate sender & receiver
• Use digital signatures to prevent alteration and identify sender (http://computer.howstuffworks.com/question571.htm)
Corporate Server Protection
• Limit external access
– use firewalls
– use anti-virus software
– use “patches” for server software
– use intrusion detection software
• Limit data/functions on servers
• Encrypt data on servers
Agenda: Attacks and Attackers
Item 5: Attacks
• Why so many attacks?
• Attacks via Social Engineering
• Types of Attacks: virus; denial of service attacks
Item 6: Attackers
• Who are they?
• Spamming
Why So Many Attacks?
• Today’s systems
• Internet growth
• Attackers organized
– Teach each other and novices
– Exchange tools and information
• Attackers develop better tools
– Build on each other’s work
– Build on work of security community
• Attacks easy, low risk, hard to trace
– Investigations difficult; often international
• Lack of security awareness, expertise, or priorities
– 0.0025 percent of revenue spent on information security [Forrester]
• Organized crime involved!
Attacks via Social Engineering
• Acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of an inappropriate trust relationship with insiders.
• Manipulation of human beings to obtain information or confidence pertaining to the security of networked computer systems (with malicious intent).
We are the weakest link….
Kevin Mitnick, “The World’s Most Famous Hacker”: http://www.kevinmitnick.com/
Social Engineering Tactics & Defenses (Sarah Granger, SecurityFocus)
Area of Risk | Hacker Tactic | Combat Strategy
Phone (help desk) | Impersonation and persuasion | Train employees/help desk to never give out passwords or other confidential info by phone
Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present
Office | Shoulder surfing | Don’t type in passwords with anyone else present (or if you must, do it quickly!)
Phone (help desk) | Impersonation on help desk calls | All employees should be assigned a PIN specific to help desk support
Office | Wandering through halls looking for open offices | Require all guests to be escorted
Mail room | Insertion of forged memos | Lock & monitor mail room
Machine room/phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment
Phone & PBX | Stealing phone toll access | Control overseas & long-distance calls, trace calls, refuse transfers
Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media
Intranet/Internet | Creation & insertion of mock software on intranet or internet to snarf passwords | Continual awareness of system and network changes, training on password use
Office | Stealing sensitive documents | Mark documents as confidential & require those documents to be locked
General/psychological | Impersonation & persuasion | Keep employees on their toes through continued awareness and training programs
Attacks
• Virus: piece of code embedded in e-mail attachment
• Denial of service: generate large number of useless service requests; overload and system crash
Attackers: Who are they? (Source: Dorothy Denning)
• Kid down the street?
• Professional, working for your competitors?
• Foreign intelligence agency?
• Ex-employee?
• Disgruntled co-worker?
• “Professional” funded by organized crime
“It’s really just a bunch of really smart kids trying to prove themselves. I know I was.” – Splurge, sm0ked crew
“It’s power at your fingertips. You can control all these computers from the government, from the military, from large corporations. … That’s power; it’s a power trip.” – anonymous
“You do get a rush from doing it – definitely.”
“I’m like your nosy neighbor on steroids, basically.” – Raphael Gray (aka Curador) [stole and posted 26,000 credit card numbers]
Spammers are winning: And it's not even close
• Size of problem
– Approximately 150 billion messages/day (approximately 2 million email messages / second); approximately 78% spam
– Mobile spam
• Defense
– Software
– CAN-SPAM Act 2003: [Forbids “deceptive subject lines, headers, return addresses, etc. as well as the harvesting of email addresses from websites. It requires businesses that send spam to maintain a do-not-spam list and to include a posting mailing address in that message.]
http://www.news.com/8301-10784_3-9869269-7.html?part=rss&subj=news&tag=2547-1_3-0-20
Agenda: Management Issues
Item 7: Management Issues
• Disasters and business continuity planning
• Developing security service levels
• Business value of security
• Takeaways: management concerns; strategic alignment and business priorities; components for a successful information security program; management responsibilities
Management Challenges: Disasters (Cans and Cannots)
Cannot:
– prevent natural disaster (power outages, fires, floods)
– prevent all human-initiated disaster
Can:
– create business continuity / disaster recovery plans
– choose where people, process, and technology are located
Disaster Recovery and Business Continuity Planning
Question: What is a disaster? (Source: A.P. Snow)
– 10 users out of service for 1 hour is not a disaster (unless one is the CEO …)
– 1,000,000 users out of service for 24 hours is a disaster
Disaster Recovery: Levels of Backup
• Hot backup
– Backup of complete system at another site
– Data, operating components of hardware and software
• Cold backup
– Backup of data only
– No transaction can be processed during downtime
• Warm backup
– Somewhere in the middle
– Smaller system with full backup of data
– Transactions processed, but more slowly
Pros/cons of each …
Distribute IS Architectures and Distribute Organizations to Become Resilient (Ref. A. Snow)
• Remove single point of failure so risk is spread out geographically
• Depends on
– redundancy of human capital necessary to run, OR
– ability to transition to backup site
• False security if personnel are lost in the outage, or transportation or communication systems for transfer of operations are lost
• Reliability demands for telecommunication services increase dramatically
• Redundancy requirements shift to network services
[Diagram: five sites each carrying 1/5 of operations, joined by a network that must now deliver 100% availability]
Management Issues: Attack Challenges and Trends
• Growing number of attacks (and attackers!)
• Attacks
– Fast, propagate over network
– Random
– Growing power / sophistication
– Automated
– Malicious
• Human / social behavior
– Always connected
– Widespread use of e-mail and instant messaging
– Wireless access
Again, why is this happening?
• Information systems
– Complex
– Interact with each other
– Bugs
• Integrated systems of the digital enterprise are very, very difficult to secure
• Humans are imperfect…
Management Issues: Delivering a Security Service Level (Source: Gartner)
Attack resistance:
• What % of known attacks are we vulnerable to?
• When did we last check?
Process improvement:
• How many machines are involved in each virus incident?
• How many weeks between critical patch issued and implemented?
Efficiency/effectiveness:
• What is our security spending as a % of revenue?
• What % of downtime is due to security incidents?
Internal crunchiness:
• What % of our software, people and suppliers have been reviewed for security?
• What % of critical data is “strongly” protected?
Management Issues: Business Value of Security
• Cost of inadequate security
– legal liability
• Value of security
– protect own information assets
– protect assets of customers, employees, business partners
– assure business continuity
Takeaway: Management Concerns: What should you be concerned about?
Topic-specific concerns (Entire contents © 2009 Forrester Research, Inc. All rights reserved.)
• Security and privacy: Can you ensure secure operations? Who has access to my data, and how is it stored and communicated? What data do you collect about me, and how is it used?
• Compliance: Can you help me achieve compliance? What about laws and regulations that impact operation? Is my data subject to any local regulations?
• Legal: Who is responsible (liability) when things go wrong? Intellectual property issue: ownership and rights to use. How is the data used and stored? For how long?
Takeaway: Information Security Management: Strategic Alignment and Business Priorities
[Diagram: Strategic Objectives, Business Environment, Tactical Issues and Business Priorities weighed against Process, Technology, Organization, Cost and Time]
Information Security Architecture Methodology:
• Step 1: Business Requirements Analysis
• Step 2: Assessment of Current As-Is and To-Be Architecture
• Step 3: Information Security Roadmap Development
Takeaway: 10 Essential Components for a Successful Information Security Program
1. Make sure the CEO “owns” the information security program.
2. Assign senior-level staff with responsibility for information security.
3. Establish a cross-functional information security governance board.
4. Establish metrics to manage the program.
5. Implement an ongoing security improvement plan.
6. Conduct an independent review of the information security program.
7. Layer security at gateway, server, and client.
8. Separate your computing environment into “zones.”
9. Start with basics and then improve the program.
10. Consider information security an essential investment for your business.
Takeaway: Management Responsibilities (based on Kimball)
• Policies and procedures
• Education and training
– Strong authentication (e.g., 8 character password)
– Social engineering (recognize, handle)
• Techniques
– Access control (need to know) / authentication (multi-factor: know, have, am, location)
– Filtering (firewall); intrusion detection
– Data encryption (code data transmitted over a link or stored)
– Anti-virus software
• Process
– Continuous evaluation / investment
– Business continuity planning
• Vulnerability assessment & audit
– Third-party consultant
– Standards (ISO 17799, see http://en.wikipedia.org/wiki/ISO_17799, http://www.iso-17799.com/ and http://www.sans.org/score/checklists/ISO_17799_checklist.pdf; ISO 27001; CoBIT; PCI; …)
Conclusion
• Risk management
– Essential aspect of successful business operation
• Security problems
– Real and growing
– Plan for tomorrow’s threat environment
• Security measures
– Multiple protection measures
– Ongoing update and evaluation
– People greatest risk (and greatest asset)
• Hope for future . . .
– Increased security awareness / priority
– Growing number of security experts
– Laws to facilitate investigations
– International cooperation to fight cyber crime
Other Resources
• CERT Podcasts
• CyberCIEGE Movies
• The Executive Guide to Information Security: Threats, Challenges, and Solutions (Symantec Press): http://www.amazon.com/gp/product/0321304519/sr=1-1/qid=1239277259/ref=olp_product_details?ie=UTF8&me=&qid=1239277259&sr=1-1&seller
Sample Firewall Configuration
[Diagram: a web client sends an HTTP request (cleartext or SSL) through an outer firewall into a DMZ of web servers running web apps; the HTTP reply (HTML, Javascript, etc.) returns the same way; an inner firewall separates the DMZ from the SQL database server. Also see http://computer.howstuffworks.com/firewall.htm]
Intrusion Detection Systems
[Diagram: IDS sensors placed between the Internet, corporate office users, a business partner, the DMZ servers and the data center]
• Internet protection: complements FW and VPN by monitoring traffic for malicious activity
• Extranet protection: monitors partner traffic where “trust” is implied but not assured
• Remote access protection: hardens perimeter control by monitoring remote users
• Server farm protection: protects e-Business servers from attack and compromise
• Intranet/internal protection: protects data centers and critical systems from internal threats
Also see http://en.wikipedia.org/wiki/Intrusion_detection_system