Chapter 12
Information Security Management
“We Have to Design It for Privacy ... and Security.”
• Tension between Maggie and Ajit regarding terminology to
use with Dr. Flores.
• Overly technical communication is a common problem for
techies when talking with business professionals.
• Maggie and Ajit discuss security design later.
Copyright © 2015 Pearson Education, Inc.
12-2
PRIDE Design for Security
Study Questions
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2024?
Q1: What Is the Goal of Information Systems
Security?
Examples of Threat/Loss
What Are the Sources of Threats?
What Types of Security Loss Exist?
• Unauthorized Data Disclosure
– Pretexting
– Phishing
– Spoofing (IP spoofing, email spoofing)
– Drive-by sniffers
– Hacking
– Natural disasters
Incorrect Data Modification
• Procedures incorrectly designed or not followed.
• Increasing a customer’s discount or incorrectly modifying
employee’s salary.
• Placing incorrect data on the company Web site.
• Improper internal controls on systems.
• System errors.
• Faulty recovery actions after a disaster.
Faulty Service
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)
Loss of Infrastructure
• Human accidents.
• Theft and terrorist events.
• Disgruntled or terminated employee.
• Natural disasters.
• Advanced Persistent Threat (APT)
– Sophisticated, possibly long-running computer hack
perpetrated by large, well-funded organizations.
Goal of Information Systems Security
• Find an appropriate trade-off between the risk of loss and
the cost of implementing safeguards.
• Use good antivirus software.
• Delete browser cookies.
• Get in front of the security problem by making appropriate
trade-offs for your life and your business.
Q2: How Big Is the Computer Security Problem?
Computer Crime Costs per Organizational Respondent
Average Computer Crime Cost and Percent of Attacks
by Type (5 Most Expensive Types)
Ponemon Study Findings (2012)
• It is difficult to estimate the exact cost of a computer crime.
• Cost of computer crime is usually based on surveys.
• Data loss is the single most expensive consequence of
computer crime, accounting for 44% of costs in 2012.
• 80% of respondents believe data on mobile devices poses
significant risks.
Ponemon 2012 Studies Summary
• Median cost of computer crime increasing.
• Malicious insiders increasingly serious security threat.
• Data loss is principal cost of computer crime.
• Survey respondents believe mobile device data a significant security threat.
• Security safeguards work.
Q3: How Should You Respond to Security Threats?
Personal Security Safeguards
Using MIS InClass Exercise 12: Phishing for Credit Cards,
Identifying Numbers, Bank Accounts
• Assume you and a group of other students will investigate
phishing attacks.
• Search the Web for phishing; be aware that your search may
bring you to the attention of an active phisher.
• Do not give any data to any site you visit as part of this
exercise!
Q4: How Should Organizations Respond to Security
Threats?
Security Policy Should Stipulate
• What sensitive data the organization will store.
• How it will process that data.
• Whether data will be shared with other organizations.
• How employees and others can obtain copies of data stored about
them.
• How employees and others can request changes to inaccurate
data.
• What employees can do with their own mobile devices at work.
– As a new hire, seek out your employer’s security policy.
Ethics Guide: Securing Privacy
“The best way to solve a problem is not to have it.”
– Resist providing sensitive data.
– Don’t collect data you don’t need.
• Gramm-Leach-Bliley (GLB) Act, 1999
• Privacy Act of 1974
• Health Insurance Portability and Accountability Act (HIPAA), 1996
• Australian Privacy Act of 1988
– Government, healthcare data, records maintained by businesses
with revenues in excess of AU$3 million.
Ethics Guide: Securing Privacy: Wrap Up
• As a business professional, you have the responsibility to
consider legality, ethics, and wisdom when you request,
store, or disseminate data.
• Think carefully about emails that you open over public
wireless networks.
• Use long and strong passwords.
Q5: How Can Technical Safeguards Protect Against
Security Threats?
Essence of https (SSL or TLS)
Use of Multiple Firewalls
Malware Protection
1. Antivirus and antispyware programs.
2. Scan frequently.
3. Update malware definitions.
4. Open email attachments only from known sources.
5. Install software updates.
6. Browse only reputable Internet neighborhoods.
Malware Types and Spyware and Adware Symptoms
• Viruses
– Payload
– Trojan horses
– Worms
– Beacons
Design for Secure Applications
• SQL injection attack
– User enters a SQL statement into a form instead of a name
or other data.
– Accepted code becomes part of the database commands
issued.
– Improper data disclosure, data damage, and loss
possible.
– Well-designed applications make injection ineffective: user
input is handed to the database as a parameter and is never
spliced into the SQL text itself.
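As an added worked example (not code from the textbook), the attack and the defense side by side in Python, using the standard-library sqlite3 module; the users table and its names and passwords are constructed for the demo:

```python
import sqlite3

# Constructed sample data for the demo; not real accounts.
SAMPLE_USERS = [
    ("alice", "correct horse"),
    ("bob", "hunter2"),
]


def make_db():
    """In-memory database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately insecure: the form values are concatenated into the
    SQL text, so whatever the user types becomes part of the statement."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Parameterized query: the statement text is fixed and the values
    travel separately, so input can only ever be compared as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run both versions against a correct password and against the
    classic tautology payload typed into the password field."""
    conn = make_db()
    payload = "' OR '1'='1"
    # With concatenation the WHERE clause becomes
    #   name = 'alice' AND password = '' OR '1'='1'
    # which is true for every row, disclosing all user names.
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_injected": login_vulnerable(conn, "alice", payload),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
        "safe_injected": login_safe(conn, "alice", payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The payload never changes the structure of the parameterized query; it is matched as a literal password string and simply fails to match. The same rule applies to every value that comes from a client, including hidden form fields, cookies and API parameters.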
Q6: How Can Data Safeguards Protect Against
Security Threats?
Q7: How Can Human Safeguards Protect Against Security
Threats?
Account Administration
• Account Management
– Standards for new user accounts, modification of account
permissions, and removal of accounts that are not
needed.
• Password Management
– Users should change passwords frequently. (Caveat: current
NIST guidance, SP 800-63B, advises against forcing routine
password changes; require a change on evidence of compromise
and rely on password length and screening against known-breached
passwords instead.)
• Help Desk Policies
Sample Account Acknowledgment Form
Systems Procedures
Q8: How Should Organizations Respond to Security
Incidents?
Security Wrap Up
• Be aware of threats to computer security as an individual,
business professional, or an employee.
• Know trade-offs of loss risks and the cost of safeguards.
• Know ways to protect your computing devices and data.
• Understand technical, data, and human safeguards.
• Understand how organizations should respond to security
incidents.
Q9: 2024
• APTs more common, inflicting serious damage.
• Continued concern about the balance of national security and data
privacy.
• Computer crimes targeting mobile devices lead to improved operating
system security.
• Improved security procedures and employee training.
• Criminals focus on less protected mid-sized and smaller organizations,
and on individuals.
• Electronic lawlessness by organized gangs.
• Strong local “electronic sheriffs” to guard the electronic border and
enforce existing laws?
Guide: Metasecurity
• What are the security problems?
• What are the managers’ responsibilities for controls over the
security system?
• All major software vendors are obvious targets for security
attacks against their networks. What do these companies do
to prevent this?
• What extra precautions can you take when you hire and
manage employees such as white-hat hackers?
Guide: The Final, Final Word
• Routine work will migrate to countries with lower labor costs.
• Be a symbolic-analytic worker
– Abstract thinking
– How to experiment
– Systems thinking
– Collaboration
• The best is yet to come! What you do with it is up to
you.
Active Review
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2024
Case 12: Will You Trust FIDO?
• One-third of all people record passwords somewhere,
whether on a sticky note or in a computer file.
• Malicious code searches for files that include "password" or
some variant.
• Many web sites offer to authenticate you using your
Facebook or other common credentials.
• Use credentials only at the site where they were created.
Alternatives to Passwords
• Biometric: fingerprints, retinal scans, keystroke rhythm
• Picture password in Windows 8
– User makes three gestures over a photo.
– Asking the user to name people in a group photo or provide
facts about people in the photo.
• One defect: if a user’s authentication is compromised once, it is
compromised for all sites where that authentication method is
used.
Fast Identity OnLine (FIDO)
Will You Trust FIDO? Probably
• FIDO does not eliminate the need to send private data over the
Internet, but substantially reduces it.
• Password or PIN is never sent over a network.
• Open standards are published and the community is asked to find
holes and problems long before the standard is implemented.
• Supported by major, well-funded organizations.