Risk Management: Information Technology, Infrastructure and Security

MBA 8125, Spring 2012

Duane Truex, Veda C. Storey, Carl Stucke

Acknowledgement: Parts of this session are based upon material from Cecil Chua, Deb Dey, Kimball, Dorothy Dennings, Ray Panko, Graeme Payne, Ernst & Young, Gartner Group, Arjan Raven, Jessup and Valacich, J. Steten, Forrester

Post on 14-Dec-2015


TRANSCRIPT


Why Study Security?

Who is affected: Company, Individual, Country

• Identity theft
• Corporate database attacks
• Tracking, Spyware
• Privacy
• Cyber attacks

Q: What other types of threats exist?

What are we willing to accept?

Generalized Security Design Model

Targets
1. Physical (hardware, facilities, people)
2. Software
3. Data
4. Communications

Threats
1. Destruction
2. Modification
3. Disclosure

Sources
1. People
2. Mother nature

Controls
1. Avoidance
2. Tolerance
3. Mitigation

Risk -- (Cost) Benefit Analysis Model

• Expected cost: $EC = P_i \times \sum C_i$

• Expected value: $E_v = B_i - EC$

• Overall utility of scenarios: $B_i = \sum_j \left( b_{i,j} \times W_j \right)$, where $B_i$ is the expected benefit assigned to strategy $i$ given its effect $b_{i,j}$ on each scenario $j$, and $W_j$ is the weighting given to scenario $j$

Q: What is an inherent weakness in this formulation?

Q: Are traditional investment decision metrics adequate?
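The three formulas above carried through on constructed numbers, as an added example that is not part of the lecture slides; every strategy name, probability, scenario weight, cost and benefit figure is assumed, and the second ranking only shows how the result moves when the probability estimates P_i change:

```python
"""Worked example of the slide's risk (cost) benefit model.

Added illustration, not part of the lecture material. Strategy names,
scenario weights, probabilities, costs and benefits are constructed
sample values.
  EC  = P_i * sum(C_i)       expected cost of strategy i
  B_i = sum_j(b_ij * W_j)    scenario-weighted benefit of strategy i
  Ev  = B_i - EC             expected value used to compare strategies
"""
from dataclasses import dataclass, field

@dataclass
class Strategy:
    name: str
    p_loss: float   # P_i: probability the loss event occurs under this strategy
    costs: list     # C_i: cost components (control spend, residual loss, ...)
    benefit: dict = field(default_factory=dict)  # b_ij keyed by scenario name

def expected_cost(s: Strategy) -> float:
    """EC = P_i * sum(C_i)."""
    return s.p_loss * sum(s.costs)

def weighted_benefit(s: Strategy, weights: dict) -> float:
    """B_i = sum_j(b_ij * W_j); a scenario absent from b_ij contributes 0."""
    return sum(s.benefit.get(j, 0.0) * w for j, w in weights.items())

def expected_value(s: Strategy, weights: dict) -> float:
    """Ev = B_i - EC."""
    return weighted_benefit(s, weights) - expected_cost(s)

def rank(strategies, weights):
    """(name, Ev) pairs, best first; Ev rounded to cents."""
    scored = [(s.name, round(expected_value(s, weights), 2)) for s in strategies]
    return sorted(scored, key=lambda t: t[1], reverse=True)

def rank_with_shifted_probability(strategies, weights, delta):
    """Re-rank after moving every P_i by delta (clamped to [0, 1]).
    P_i is usually the least certain input; comparing the two rankings
    shows how much the decision rests on that estimate."""
    shifted = [Strategy(s.name, min(1.0, max(0.0, s.p_loss + delta)), s.costs, s.benefit)
               for s in strategies]
    return rank(shifted, weights)

# Constructed sample input: scenario weights W_j sum to 1.
SCENARIO_WEIGHTS = {"data breach": 0.5, "outage": 0.3, "fraud": 0.2}
STRATEGIES = [
    Strategy("accept", 0.30, [0, 400_000]),
    Strategy("mitigate", 0.10, [120_000, 250_000],
             {"data breach": 300_000, "outage": 150_000, "fraud": 50_000}),
    Strategy("transfer", 0.30, [80_000, 100_000],
             {"data breach": 250_000, "fraud": 120_000}),
]

if __name__ == "__main__":
    print("base estimates:   ", rank(STRATEGIES, SCENARIO_WEIGHTS))
    print("P_i raised by 0.4:", rank_with_shifted_probability(STRATEGIES, SCENARIO_WEIGHTS, 0.4))
```

With the sample figures "mitigate" ranks first, but raising every P_i by 0.4 puts "transfer" ahead, which is the kind of sensitivity the two questions above ask you to think about.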

The Big Picture: Technology Emergence, Impact, Dependency

“By eliminating time and distance, the Internet makes it possible to perform business in ways not previously imaginable.” Ref: Baltzan and Phillips, 2011

Technology

Disruptive
• New way of doing things
• Does not meet needs of existing customers
• Opens new markets/destroys old ones
• Start in low end; evolve to high-end competitors

Sustaining
• Produces improved customer product
• Better / faster / cheaper

Agenda

Item 1
• Information Technology Infrastructure

Item 2
• Data Set: Sources, Storage, and Challenges

Item 3
• Risk Management
• Organizational Perspectives
• Risk Management Life Cycle
• Business Impact Analysis
• The Digital Firms: Where are the Risks?

Item 4
• Information Security
• Framework
• Unauthorized Access and Human Error
• Four Factors: 1. What you Know 2. What you are 3. What you have 4. Where you are
• Communication Line Access
• Corporate Server Protection

Agenda (cont’d)

Item 5
• Attacks
• Why so many attacks?
• Attacks Via Social Engineering

Item 6
• Attackers
• Who Are They?
• Spamming

Item 7
• Management Issues
• Disasters and business continuity planning
• Security levels
• Business value of security
• Takeaways

Item 1: Information Technology Infrastructure

Information systems infrastructure components (figure from Jessup & Valacich, 2008): Hardware, Software, Communication and Collaboration, Data and Knowledge, Facilities, Services, Human Resources

What? If you were in charge of protecting your data assets, where would you start from a risk management point of view?

Item 2: The Data Set: Data Sources, Storage, and Challenges

[Figure: a database with its data sources and storage]

Data Sources:

Storage:

Data Set Challenges: Business Strategy, Rules, Processes

Agenda Item 3: Risk Management

[Figure: risk management balances Cost of Doing Business, Risk Avoidance, and ROI]

“Risk management is based on the notion that history repeats itself, but not quite.” Peter Bernstein

Risk Management: Organizational Perspective

[Figure (Copyright © 2002): Board of Directors, Risk Management Committee, and Business Units, with the risk areas they oversee]

Risk areas shown: Revenue, Credit, Market, Fiduciary, Financial, Project Management, Info Security and Availability, Human Capital, Physical Security, Operational, IT Capacity and Performance, Risk Financing and Insurance, Reputation, Strategic, Privacy, Intellectual Property, Regulations, Risk, Policies

Risk Management Life Cycle: Mitigation and Risk Abatement

1. Start/Update Risk Planning
2. Inventory Assets: who, what, what value, what priority?
3. Identify Risks: who, what, where, when, why, how?
4. Analyze/assess/measure: how much, how often, how related, what business impact?
5. Mitigate: eliminate, avoid, reduce
6. Transfer: contractual, risk financing, insurance
7. Accept: create/implement BCP
8. Monitor Results / Initiate Update (returns to step 1)

Adapted From

Risk Management: Business Impact Analysis (BIA)

[Chart: cost to business (scale 0 to 160) over time since the outage (Day 1, Day 4, Week 1, Week 2); series: Lost Sales, Order Cancel, Penalties, Interest]

Business impacts shown alongside the chart:
• Cash flow
• Competition / Lost sales
• Interest expense
• Shareholder confidence
• Legal/contractual obligations / Penalties
• Company viability
• Customer service / Canceled orders
• Cost to business
• Insurance issues / Regulatory requirements
• Productivity

Risk Management: The Digital Firm: Where Are The Risks?

Source: Laudon & Laudon

• Multiple Failure Points
• Human Error
• Performance / Capacity
• Outsourced Service Providers
• Natural Disasters
• Downtime (planned/unplanned)
• Security Incidents
• Links to Third Parties

Agenda Item 4: Information Security

Item 4
• Information Security
• Framework
• Unauthorized Access and Human Error
• Four Factors: What you Know; What you are; What you have; Where you are
• Communication Line Access
• Corporate Server Protection

Information Security

Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Source: Laudon & Laudon

Primary Issues
• Confidentiality – no “data spills”
• Integrity
• Availability

Sample Question: Why is “availability” considered a primary issue of information security?

Information Security: Framework for Understanding Challenges in Organizations

[Framework figure not reproduced in the transcript] Source: Laudon & Laudon

Question: What is the major use of this framework?

Unauthorized Access & Human Error

• Strong passwords; change frequently
• Use additional authentication – something you know, you have, you are, where you are
• Encrypt data
• Install anti-virus, anti-spyware, and firewall
• Minimize data stored on client
• Limit data access to need-to-know basis
• Software bugs – updates and patches
• Input mistakes – application controls (http://www.sans.org/top20/ )
• SPAM and Phish (http://images.businessweek.com/ss/05/05/hacker_phishing/index_01.htm )

Factor One: What You Know

Attacks against a weak link: passwords
• Brute Force Attack – try every combination possible; defeated by long passwords
• Default Password Attack – check if user never changed password from default; defeated by changing password
• Dictionary Attack – dictionary of common passwords: name, common words, famous people, domain specific

Good passwords
– Minimum length: 8 characters
– Passwords should use: lowercase, uppercase, numbers, special characters such as !@#$%^&*(){}[]
– Example: my favorite song is “Sing to the Wind”. Password: “mFSI!19202023”

Factor Two: What You Are

Biometric examples (from Kelly Rainer): Fingerprint Scan, Retinal Scan, Iris Scan, Signature Recognition, Speech Recognition, Facial Recognition

Factor Three: What You Have

Hardware Token, Smart ID Card

Factor Four: Where You Are

GPS

Communications Line Access

• Secure physical communications lines
• Encrypt communications (http://computer.howstuffworks.com/vpn.htm )
• Authenticate sender & receiver
• Use digital signatures to prevent alteration and identify sender (http://computer.howstuffworks.com/question571.htm )

Corporate Server Protection

• Limit external access
– use firewalls
– use anti-virus software
– use “patches” for server software
– use intrusion detection software
• Limit data/functions on servers
• Encrypt data on servers

Agenda: Attacks and Attackers

Item 5
• Attacks
• Why so many attacks?
• Attacks Via Social Engineering
• Types of Attacks: Virus; Denial of Service Attacks

Item 6
• Attackers
• Who Are They?
• Spamming

Why So Many Attacks?

• Today’s Systems
• Internet Growth
• Attackers Organized
– Teach each other and novices
– Exchange tools and information
• Attackers Develop Better Tools
– Build on each other’s work
– Build on work of security community
• Attacks Easy, Low Risk, Hard to Trace
– Investigations difficult; often international
• Lack of Security Awareness, Expertise, or Priorities
– .0025 percent of revenue spent on information security [Forrester]
• Organized Crime involved!

Attacks via Social Engineering

• Acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of an inappropriate trust relationship with insiders.
• Manipulation of human beings to obtain information or confidence pertaining to the security of networked computer systems (with malicious intent)

We are the weakest link….

Kevin Mitnick, “The World’s Most Famous Hacker” (http://www.kevinmitnick.com/ )

Social Engineering Tactics & Defenses

Area of Risk | Hacker Tactic | Combat Strategy
Phone (Help Desk) | Impersonation and persuasion | Train employees/help desk to never give out passwords or other confidential info by phone
Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present
Office | Shoulder surfing | Don’t type in passwords with anyone else present (or if you must, do it quickly!)
Phone (Help Desk) | Impersonation on help desk calls | All employees should be assigned a PIN specific to help desk support
Office | Wandering through halls looking for open offices | Require all guests to be escorted
Mail room | Insertion of forged memos | Lock & monitor mail room
Machine room/Phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment
Phone & PBX | Stealing phone toll access | Control overseas & long-distance calls, trace calls, refuse transfers
Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media
Intranet-Internet | Creation & insertion of mock software on intranet or internet to snarf passwords | Continual awareness of system and network changes, training on password use
Office | Stealing sensitive documents | Mark documents as confidential & require those documents to be locked
General-Psychological | Impersonation & persuasion | Keep employees on their toes through continued awareness and training programs

Source: Sarah Granger, SecurityFocus

Attacks

• Virus – piece of code embedded in e-mail attachment
• Denial of Service
– Generate large number of useless service requests
– Overload and system crash

Attackers: Who are they?

• Kid down the street?
• Professional, working for your competitors?
• Foreign intelligence agency?
• Ex-employee?
• Disgruntled co-worker?
• “Professional” funded by organized crime

“It’s really just a bunch of really smart kids trying to prove themselves. I know I was.”
– Splurge, sm0ked crew

“It’s power at your fingertips. You can control all these computers from the government, from the military, from large corporations. … That’s power; it’s a power trip.”
– anonymous

“You do get a rush from doing it – definitely.”

“I’m like your nosy neighbor on steroids, basically.”
– Raphael Gray (aka Curador) [stole and posted 26,000 credit card numbers]

Source: Dorothy Denning

Spammers are winning: And it's not even close

• Size of Problem
– Approximately 150 billion messages/day (approximately 2 million email messages / second; approximately 78% spam)
– Mobile Spam
• Defense
– Software
– Can Spam Act 2003: [Forbids “deceptive subject lines, headers, return addresses, etc. as well as the harvesting of email addresses from websites. It requires businesses that send spam to maintain a do-not-spam list and to include a posting mailing address in that message.]

http://www.news.com/8301-10784_3-9869269-7.html?part=rss&subj=news&tag=2547-1_3-0-20

Agenda: Management Issues

Item 7
• Management Issues
• Disasters and business continuity planning
• Developing Security Service levels
• Business value of security
• Takeaways
• Management Concerns
• Strategic Alignment and business Priorities
• Components for a Successful Information Security Program
• Management Responsibilities

Management Challenges: Disasters (Can and Cannots)

Cannot
– prevent natural disaster
– prevent all human-initiated disaster

Can
– create business continuity / disaster recovery plans
– choose where people, process, and technology are located

Power outages, fires, floods

Disaster Recovery and Business Continuity Planning

Question: What is a disaster?
– 10 users out of service for 1 hour is not a disaster (unless one is the CEO … )
– 1,000,000 users out of service for 24 hours is a disaster

Source: A.P. Snow

Disaster Recovery: Levels of Backup
• Hot backup
– Backup of complete system at another site
– Data, operating components of hardware and software
• Cold backup
– Backup of data only
– No transaction can be processed during downtime
• Warm backup
– Somewhere in the middle
– Smaller system with full backup of data
– Transactions processed, but more slowly

Pros/cons of each …

Distribute IS Architectures and Distribute Organizations to become Resilient

• Remove single point of failure so risk is spread out geographically
• Depends on
– redundancy of human capital necessary to run, OR
– ability to transition to backup site
• False security if personnel lost in outage, or loss of transportation or communication systems for transfer of operations
• Reliability demands for telecommunication services increase dramatically
• Redundancy requirements shift to network services

[Figure: five sites, each carrying 1/5 of operations, joined by a network that must carry 1/5 × 100%]

Ref. A. Snow

Management Issues: Attack Challenges and Trends

• Growing number of attacks (and attackers!)
• Attacks
– Fast, propagate over network
– Random
– Growing power / sophistication
– Automated
– Malicious
• Human / Social Behavior
– Always connected
– Widespread use of e-mail and instant messaging
– Wireless access

Again, why is this happening?

Information systems
– Complex
– Interact with each other
– Bugs

Integrated systems of the digital enterprise are very, very difficult to secure

Humans are imperfect…

Management Issues: Delivering a Security Service Level

Attack Resistance:

• What % of known attacks are we vulnerable to?

• When did we last check?

Process Improvement:

• How many machines are involved in each virus incident?

• How many weeks between critical patch issued and implemented?

Efficiency/effectiveness:

• What is our security spending as a % of revenue?

• What % of downtime is due to security incidents?

Internal Crunchiness:

• What % of our software, people and suppliers have been reviewed for security?

• What % of critical data is “strongly” protected?

Source: Gartner

Management Issues: Business Value of Security

• Cost of inadequate security
– legal liability
• Value of security
– protect own information assets
– protect assets of customers, employees, business partners
– assure business continuity

Takeaway: Management Concerns: What should you be concerned about?

Topic-specific concerns (Entire contents © 2009 Forrester Research, Inc. All rights reserved.)

Security and privacy
• Can you ensure secure operations?
• Who has access to my data, and how is it stored and communicated?
• What data do you collect about me, and how is it used?

Compliance
• Can you help me achieve compliance?
• What about laws and regulations that impact operation?
• Is my data subject to any local regulations?

Legal
• Who is responsible (liability) when things go wrong?
• Intellectual property issue: ownership and rights to use
• How is the data used and stored? For how long?

Takeaway: Information Security Management: Strategic Alignment and Business Priorities

[Figure: Strategic Objectives, Business Environment, Tactical Issues and Business Priorities feed into Process, Technology and Organization, bounded by Cost and Time]

Information Security Architecture Methodology
Step 1: Business Requirements Analysis
Step 2: Assessment of Current As-is and To-Be Architecture
Step 3: Information Security Roadmap Development

Takeaway: 10 Essential Components for a Successful Information Security Program

1. Make sure the CEO “owns” the information security program.
2. Assign senior-level staff with responsibility for information security.
3. Establish a cross-functional information security governance board.
4. Establish metrics to manage the program.
5. Implement an ongoing security improvement plan.
6. Conduct an independent review of the information security program.
7. Layer security at gateway, server, and client.
8. Separate your computing environment into “zones.”
9. Start with basics and then improve the program.
10. Consider information security an essential investment for your business.

Takeaway: Management Responsibilities

• Policies and Procedures
• Education and Training
– Strong authentication (e.g., 8 character password)
– Social Engineering (recognize, handle)
• Techniques
– Access control (need to know) / authentication (multi-factor: know, have, am, location)
– Filtering (firewall); intrusion detection
– Data encryption (code data transmitted over a link or stored)
– Anti-virus software
• Process
– Continuous evaluation / investment
– Business Continuity Planning
• Vulnerability Assessment & Audit
– Third-party consultant
– Standards (ISO 17799, see http://en.wikipedia.org/wiki/ISO_17799 , http://www.iso-17799.com/ and http://www.sans.org/score/checklists/ISO_17799_checklist.pdf ; ISO 27001, CoBIT, PCI, … )

Based on Kimball

Conclusion

• Risk management
– Essential aspect of successful business operation
• Security problems
– Real and growing
– Plan for tomorrow’s threat environment
• Security measures
– Multiple protection measures
– Ongoing update and evaluation
– People greatest risk (and greatest asset)
• Hope for Future . . .
– Increased security awareness / priority
– Growing number of security experts
– Laws to facilitate investigations
– International cooperation to fight cyber crime

Appendices

Sample Firewall Configuration

[Figure: Web Client → Firewall → DMZ (Web Server hosting the web apps) → Firewall → SQL Database (DB). The client sends an HTTP request (cleartext or SSL) and receives an HTTP reply (HTML, Javascript, etc); the database sits behind the second firewall.]

(Also see http://computer.howstuffworks.com/firewall.htm )

Intrusion Detection Systems

[Figure: IDS placement across the Internet, Corporate Office, Business Partner, Users, DMZ Servers and Data Center]

• Internet Protection: complements FW and VPN by monitoring traffic for malicious activity
• Intranet/Internal Protection: protects data centers and critical systems from internal threats
• Extranet Protection: monitors partner traffic where “trust” is implied but not assured
• Remote Access Protection: hardens perimeter control by monitoring remote users
• Server Farm Protection: protects e-Business servers from attack and compromise

Also see http://en.wikipedia.org/wiki/Intrusion_detection_system

High-availability facilities feature sturdy construction, air conditioning, backup generators, fire suppression systems, access control, and intrusion detection systems.

Source: http://www.fastservers.net/products-services/colocation-data-center.html