IT Security, Crime, Compliance, and Continuity

Report
Part II. Data and Network Infrastructure
C hapter 5
IT Security, Crime,
Compliance, and Continuity
C o u rs e
Copyright 2012 John Wiley & Sons, Inc.
5-1
Chapter 5 Outline
5.1 Protecting Data and Business Operations
5.2 IS Vulnerabilities and Threats
5.3 Fraud, Crimes, and Violations
5.4 Information Assurance and Risk Management
5.5 Network Security
5.6 Internal Control and Compliance
5.7 Business Continuity and Auditing
Copyright 2012 John Wiley & Sons, Inc.
5-2
Chapter 5 Learning Objectives

Understand the objectives, functions, and financial value of IT security.

Recognize IS vulnerabilities, threats, attack methods, and cybercrime
symptoms.

Understand crimes committed against computers and crimes committed
with computers.

Explain key methods of defending information systems, networks, and
wireless devices.

Understand network security risks and defenses.

Describe internal control & fraud; and fraud legislation.

Understand business continuity and disaster recovery planning methods.
Copyright 2012 John Wiley & Sons, Inc.
5-3
5.1 Protecting Data and Business Operations

IT security: the protection of data, systems,
networks, and operations.

Technology defenses are necessary, but they’re not sufficient
because protecting data and business operations also involves:
• Implementing and enforcing acceptable use policies (AUPs).
• Complying with government regulations and laws.
• Making data available 24x7 while restricting access.
• Promoting secure and legal sharing of information.
Copyright 2012 John Wiley & Sons, Inc.
5-4
IT Security Principles
Copyright 2012 John Wiley & Sons, Inc.
5-5
Know Your Enemy and Your Risks

IT security risks are business risks

Threats range from high-tech exploits to gain access to a
company’s networks to non-tech tactics such as stealing
laptops or items of value. Common examples:
• Malware (malicious software): viruses, worms, trojan horses,
spyware, and disruptive or destructive programs
• insider error or action, either intentional or unintentional.
• Fraud
• Fire, flood, or other natural disasters
Copyright 2012 John Wiley & Sons, Inc.
5-6
IT at Work 5.1 $100 Million Data Breach

May 2006: a laptop and external hard drive belonging
to the U.S. Dept of Veterans Affairs (VA) were stolen
during a home burglary.

Data on 26.5 million veterans and spouses had been
stored in plaintext.

VA Secretary Jim Nicholson testified before Congress
that it would cost at least $10 million just to inform
veterans of the security breach.

Total cost of data breach: $100 million
Copyright 2012 John Wiley & Sons, Inc.
5-7
Risks
Cloud computing
 Social networks
 Phishing
 Search engine manipulation
 Money laundering
 Organized crime
 Terrorist financing

Copyright 2012 John Wiley & Sons, Inc.
5-8
IT Security Defense-in-Depth Model
Copyright 2012 John Wiley & Sons, Inc.
5-9
5.2 IS Vulnerabilities and Threats

Unintentional
• human error
• environmental hazards
• computer system failure

Intentional
• hacking
• malware
• manipulation
Copyright 2012 John Wiley & Sons, Inc.
5-10
Figure 5.4 How a computer virus can spread
Copyright 2012 John Wiley & Sons, Inc.
5-11
Malware and Botnet Defenses

Anti-virus software

Firewalls

Intrusion detection systems (IDS)

Intrusion prevention systems (IPS)
Copyright 2012 John Wiley & Sons, Inc.
5-12
5.3 Fraud, Crimes, and Violations
2 categories of crime:
• Violent
• Nonviolent

Fraud is nonviolent crime because instead of a gun or
knife, fraudsters use deception, confidence, and trickery.

Occupational fraud refers to the deliberate misuse of the
assets of one’s employer for personal gain.
Copyright 2012 John Wiley & Sons, Inc.
5-13
IT at Work 5.4
Madoff Defrauds Investors of $64.8 Billion


Bernard Madoff is in jail after pleading guilty in 2009 to
the biggest fraud in Wall Street history.
Fundamentally, Madoff relied on social engineering and
the predictability of human nature to generate income
for himself.
Figure 5.5
Annual Returns on a
Madoff-Investor’s
account from 2001-2007
Copyright 2012 John Wiley & Sons, Inc.
5-14
Internal Fraud Prevention and Detection

IT has a key role to play in demonstrating effective
corporate governance and fraud prevention.

Internal fraud prevention measures are based on
the same controls used to prevent external
intrusions—perimeter defense technologies, such as
firewalls, e-mail scanners, and biometric access.

Fraud detection can be handled by intelligent
analysis engines using advanced data warehousing
and analytics techniques.
Copyright 2012 John Wiley & Sons, Inc.
5-15
5.4 IT and Network Security
Objectives of a defense strategy
1. Prevention and deterrence
2. Detection
3. Containment
4. Recovery
5. Correction
6. Awareness and compliance
Copyright 2012 John Wiley & Sons, Inc.
5-16
Figure 5.6 Major
defense controls
Copyright 2012 John Wiley & Sons, Inc.
5-17
Major categories of general controls

physical controls

access controls

biometric controls

communication network controls

administrative controls

application controls

endpoint security and control
Copyright 2012 John Wiley & Sons, Inc.
5-18
Figure 5.7 Intelligent agents
Copyright 2012 John Wiley & Sons, Inc.
5-19
5.5 Network Security
Figure 5.8 Three layers of network security measures
Copyright 2012 John Wiley & Sons, Inc.
5-20
Figure 5.9 Where IT security mechanisms are located
Copyright 2012 John Wiley & Sons, Inc.
5-21
Authentication
Questions to help authenticate a person:
1. Who are you? Is this person an employee, a partner, or a
customer? Different levels of authentication would be set
up for different types of people.
2. Where are you? For example, an employee who has
already used a badge to access the building is less of a risk
than an employee logging on from a remote site.
3. What do you want? Is this person accessing sensitive or
proprietary information or simply gaining access to benign
data?
Copyright 2012 John Wiley & Sons, Inc.
5-22
5.6 Internal Control and Compliance
Internal control (IC) is a process designed to achieve:
• reliability of financial reporting
• operational efficiency
• compliance with laws
• regulations and policies
• safeguarding of assets
Copyright 2012 John Wiley & Sons, Inc.
5-23
Internal Controls Needed for Compliance

Sarbanes-Oxley Act (SOX) is an antifraud law.
• It requires more accurate business reporting and
disclosure of GAAP (generally accepted accounting
principles) violations, including fraud.

SOX and the SEC made it clear that if controls can be ignored,
there is no control—a violation of SOX.

If the company shows its employees that the company can
find out everything that every employee does and use that
evidence to prosecute, then the feeling that “I can get away
with it” drops drastically.
Copyright 2012 John Wiley & Sons, Inc.
5-24
Symptoms of Fraud That Can Be Detected by Internal Controls
Missing documents
 Delayed bank deposits
 Numerous outstanding checks or bills
 Employees who do not take vacations
 A large drop in profits
 A major increase in business with one particular customer
 Customers complaining about double billing
 Repeated duplicate payments
 Employees with the same address or phone number as a
vendor

Copyright 2012 John Wiley & Sons, Inc.
5-25
5.7 Business Continuity and Auditing

An important element in any security system is the business
continuity plan, also known as the disaster recovery plan.

The plan outlines the process by which businesses should
recover from a major disaster.

The purpose of a business continuity plan is to keep the
business running after a disaster occurs.
• Each business function should have a valid recovery capability plan.
• The plan should be written so that it will be effective in case of
disaster, not just in order to satisfy the auditors.
Copyright 2012 John Wiley & Sons, Inc.
5-26
Risk-Management Analysis
Expected loss = P1 × P2 × L
where:
P1 = probability of attack
P2 = probability of attack being successful
L = loss occurring if attack is successful
Example:
P1 = .02, P2 = .10, L = $1,000,000
Expected loss from this particular attack is
P1 × P2 × L = 0.02 × 0.1 × $1,000,000 = $2,000
Copyright 2012 John Wiley & Sons, Inc.
5-27
Ethical issues

Implementing security programs raises many ethical issues.

Handling the privacy versus security dilemma is tough.

Ethical and legal obligations that may require companies to
“invade the privacy” of employees and monitor their actions.

Under the doctrine of duty of care, senior managers and
directors have a fiduciary obligation to use reasonable care to
protect the company’s business operations.
Copyright 2012 John Wiley & Sons, Inc.
5-28
Chapter 5 Link Library











Information Security Magazine http://searchsecurity.techtarget.com
CIO Magazine, IT Security http://cio.com/topic/3089/Security
Computer and Internet Security http://cnet.com/internet-security
IT Governance Institute http://itgi.org
U.S. Computer Emergency Readiness Team http://uscert.gov/cas/tips/
SANS Information Security Reading Room sans.org/reading_room/
Privacy news from around the world pogowasright.org/
Government Computer News (GCN ) http://gcn.com/
CompTIA http://comptia.org/
F-Secure http://f-secure.com/en_US/security/security-center/
Social engineering http://symantec.com/connect/articles/socialengineering
Copyright 2012 John Wiley & Sons, Inc.
5-29

similar documents