Dr. Chen, Management Information Systems
Chapter 12: Information Security Management
Jason C. H. Chen, Ph.D., Professor of MIS
School of Business Administration, Gonzaga University, Spokane, WA 99258
Could Someone Be Getting To Our Data?
• Stealing only from weddings of club members
• Knowledge: how to access the system and database, and SQL
• Access: passwords on yellow stickies; many copies of the key to the server building
• Suspect: greenskeeper guy's "a techno-whiz," created a report for Anne, knows SQL and how to access the database
Chapter Preview
• This chapter describes common sources of security threats and explains management’s role in addressing those threats. It defines the major elements of an organizational security policy. It presents the most common types of technical, data, and human security safeguards. We then discuss how organizations should respond to security incidents, and, finally, examine common types of computer crime.
• Primary focus is on management’s responsibility for the organization’s security policy and for implementing human security safeguards.
• We approach this topic from the standpoint of a major organization that has professional staff in order to learn the tasks that need to be accomplished. Both MRV and FlexTime need to adapt the full-scale security program to their smaller requirements and more limited budget.
Study Questions
Q1: What is the goal of information systems security?
Q2: How should you respond to security threats?
Q3: How should organizations respond to security threats?
Q4: What technical safeguards are available?
Q5: What data safeguards are available?
Q6: What human safeguards are available?
Q7: 2022?
Q1: What Is the Goal of Information Systems Security?
The IS Security Threat/Loss Scenario
• Threat: a person or organization that seeks to obtain data or other assets illegally, without the owner's permission and often without the owner's knowledge
• Vulnerability: an opportunity for threats to gain access to individual or organizational assets
• Safeguard: some measure that individuals or organizations take to block the threat from obtaining the asset
• Target: the asset that is desired by the threat
Safeguards
Fig 12-extra Security Safeguards as They Relate to the Five Components
• There are three components of a sound organizational security program:
  – Senior management must establish a security policy and manage risks.
  – Safeguards of various kinds must be established for all five components of an IS, as the figure demonstrates.
  – The organization must plan its incident response before any problems occur.
What Are the Sources of Threats?
• Security threats arise from three sources:
1. Human error and mistakes,
2. Computer crime, and
3. Natural events and disasters.
Human Errors and Mistakes
• Human errors and mistakes include accidental problems caused by both employees and nonemployees:
  – An employee misunderstands operating procedures and accidentally deletes customer records.
  – An employee, while backing up a database, inadvertently installs an old database on top of the current one.
• The category also includes poorly written application programs and poorly designed procedures.
• Physical accidents, such as driving a forklift through the wall of a computer room.
Computer Crime
• Employees and former employees who intentionally destroy data or other system components
• Hackers who break into a system; virus and worm writers who infect computer systems
• Outside criminals who break into a system to steal for financial gain
• Terrorism
Q/A
Which of the following is most likely to be the result of hacking?
A) certain Web sites being blocked from viewing for security reasons
B) small amounts of spam in your inbox
C) an unexplained reduction in your account balance
D) pop-up ads appearing frequently
Answer: C
Natural Events and Disasters
• Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature
• Includes the initial loss of capability and service, and losses stemming from actions to recover from the initial problem
What Types of Security Loss Exist?
Unauthorized Data Disclosure
• Pretexting
• Phishing
• Spoofing
  – IP spoofing
  – Email spoofing
• Drive-by sniffers
• Hacking
• Natural disasters
Incorrect Data Modification
• Procedures not followed or incorrectly designed procedures
• Increasing a customer's discount or incorrectly modifying an employee's salary
• Placing incorrect data on the company Web site
• Improper internal controls on systems
• System errors
• Faulty recovery actions after a disaster
Faulty Service
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)
Loss of Infrastructure
• Human accidents
• Theft and terrorist events
• Disgruntled or terminated employees
• Natural disasters
How Big Is the Computer Security Problem?
Fig 12-4 Sample Arrests and Convictions Reported by the US Department of Justice
Percent of Security Incidents
Fig 12-5 Percent of Security Incidents
Goal of Information Systems Security
• Threats can be stopped, or at least threat loss reduced
• Safeguards are expensive and reduce work efficiency
• Find trade-off between risk of loss and cost of safeguards
Q2: How Should You Respond to Security Threats?
Fig 12-6 Personal Security Safeguards
Q/A
T/F: Cookies enable one to access Web sites without having to sign in every time.
Answer: TRUE
Q3. How Should Organizations Respond to Security Threats?
• NIST Handbook of Security Elements
Fig 12-7 Management Guidelines for IS Security
What Are the Elements of a Security Policy?
Elements of Security Policy
1. General statement of the organization's security program
2. Issue-specific policy
3. System-specific policy
Managing Risks
• Risk: threats and consequences we know about
• Uncertainty: things we do not know that we do not know
What Are the Elements of a Security Policy?
• Security policy has three elements:
  1. A general statement of the organization's security program. This statement becomes the foundation for more specific security measures. Management specifies the goals of the security program and the assets to be protected. The statement designates a department for managing the security program and documents. In general terms, it specifies how the organization will ensure enforcement of security programs and policies.
  2. Issue-specific policy. Personal use of computers at work and email privacy.
  3. System-specific policy. What customer data from the order-entry system will be sold or shared with other organizations? Or, what policies govern the design and operation of systems that process employee data? Addressing such policies is part of the standard systems development process.
Q/A
Which of the following is an example of a system-specific security policy?
A) limiting the personal use of an organization's computer systems
B) deciding what customer data from the order-entry system will be shared with other organizations
C) designating a department for managing an organization's IS security
D) inspecting an employee's personal email for compliance with company policy
Answer: B
How Is Risk Managed?
• Risk: the likelihood of an adverse occurrence. Management cannot manage threats directly, but can limit security consequences, for example by creating a backup processing facility at a remote location. Companies can reduce risks, but always at a cost. It is management's responsibility to decide how much to spend, or, stated differently, how much risk to assume.
• Uncertainty refers to a lack of knowledge, especially about the chance of occurrence or risk of an outcome or event. An earthquake could devastate a corporate data center built on a fault that no one knew about. An employee finds a way to steal inventory using a hole in the corporate Web site that no expert knew existed.
Risk Assessment and Management
Risk Assessment
• Tangible consequences
• Intangible consequences
• Likelihood
• Probable loss
Risk-Management Decisions
• Given probable loss, what to protect?
• Which safeguards are inexpensive and easy?
• Which vulnerabilities are expensive to eliminate?
• How to balance the cost of safeguards with the benefits of probable loss reduction?
Factors to Consider in Risk Assessment and Risk Management Decisions
Fig 12-Extra Risk Assessment Factors
When you're assessing risks to an information system you must first determine: what the threats are, how likely they are to occur, and the consequences if they occur. The figure lists the factors you should include in a risk assessment. Once you've assessed the risks to your information system, you must make decisions about how much security you want to pay for. Each risk-management decision carries consequences. Some risk is easy and inexpensive to reduce; some risk is expensive and difficult. Managers have a fiduciary responsibility to the organization to adequately manage risk.
Factors to Consider in Risk Assessment: Brief Summary
• Safeguard: any action, device, procedure, technique, or other measure that reduces a system's vulnerability to a threat. No safeguard is ironclad; there is always a residual risk that it will not protect the assets in all circumstances.
• Vulnerability: an opening or a weakness in the security system. Some vulnerabilities exist because there are no safeguards or because existing safeguards are ineffective.
• Consequences: damages that occur when an asset is compromised. Consequences can be tangible or intangible. Tangible consequences are those whose financial impact can be measured. Intangible consequences, such as the loss of customer goodwill due to an outage, cannot be measured.
Factors to Consider in Risk Assessment: Brief Summary
(Final Two Factors in Risk Assessment)
• Likelihood is the probability that a given asset will be compromised by a given threat, despite the safeguards.
• Probable loss is the "bottom line" of risk assessment. To obtain a measure of probable loss, companies multiply likelihood by the cost of the consequences. Probable loss also includes a statement of intangible consequences.
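The following is an added example, not part of the slides: it carries the probable-loss formula (likelihood times cost of consequences) through a small constructed risk register and then applies the risk-management questions from the earlier slide (what to protect, which safeguards pay for themselves). The assets, likelihoods, dollar figures and the `residual_likelihood` each safeguard is assumed to leave behind are all invented for illustration.

```python
"""Added example (not from the slides): probable loss and safeguard decisions.

Probable loss = likelihood x cost of the tangible consequences, as on the slide;
intangible consequences are carried along as a statement rather than a number.
A safeguard is worth adopting when the probable loss it removes exceeds its own
cost; otherwise management consciously assumes the risk. Every asset,
likelihood and dollar figure below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float         # probability per year that the threat compromises the asset
    consequence_cost: float   # tangible (measurable) cost in dollars if it does
    intangible: str = ""      # intangible consequences, stated rather than priced

    def probable_loss(self) -> float:
        """The slide's 'bottom line': likelihood times cost of the consequences."""
        return self.likelihood * self.consequence_cost


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    residual_likelihood: float   # assumed likelihood left once the safeguard is in place


def net_benefit(risk: Risk, safeguard: Safeguard) -> float:
    """Probable-loss reduction the safeguard buys per year, minus its cost."""
    loss_after = safeguard.residual_likelihood * risk.consequence_cost
    return (risk.probable_loss() - loss_after) - safeguard.annual_cost


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """'Given probable loss, what to protect?': highest probable loss first."""
    return sorted(risks, key=lambda r: r.probable_loss(), reverse=True)


def decide(risk: Risk, safeguard: Safeguard) -> Tuple[str, float]:
    """Adopt the safeguard only when it pays for itself; otherwise assume the risk."""
    net = round(net_benefit(risk, safeguard), 2)
    return ("adopt" if net > 0 else "assume risk"), net


# Constructed sample risk register and candidate safeguards (hypothetical figures).
RISKS = [
    Risk("customer database", "unauthorized disclosure", 0.10, 500_000,
         intangible="loss of customer goodwill"),
    Risk("order-entry server", "hardware failure", 0.30, 40_000),
    Risk("data center", "earthquake", 0.01, 2_000_000,
         intangible="extended outage; reputational damage"),
]
SAFEGUARDS: Dict[str, Safeguard] = {
    "customer database": Safeguard("database encryption with key escrow", 20_000, 0.02),
    "order-entry server": Safeguard("hot-swap spare and nightly backups", 15_000, 0.05),
    "data center": Safeguard("cold-site contract", 60_000, 0.005),
}


def report() -> List[Tuple[str, float, str, str, float]]:
    """One row per risk, ranked: asset, probable loss, safeguard, decision, net benefit."""
    rows = []
    for risk in rank_risks(RISKS):
        safeguard = SAFEGUARDS[risk.asset]
        decision, net = decide(risk, safeguard)
        rows.append((risk.asset, round(risk.probable_loss(), 2),
                     safeguard.name, decision, net))
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
    for risk in RISKS:          # intangibles travel with the number, never dropped
        if risk.intangible:
            print(f"{risk.asset}: intangible -> {risk.intangible}")
```

With these invented numbers the customer database ranks first (probable loss 50,000) and its safeguard is adopted, while the earthquake risk, despite a large consequence, has a probable loss of 20,000 that a 60,000-per-year cold-site contract does not justify on the tangible figures alone; the intangible statement is what a manager would weigh on top of that.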
Q/A
Which of the following is an example of an intangible consequence?
A) a dip in sales because supplies were not replenished
B) a loss of customer goodwill due to an outage
C) a drop in production due to plant maintenance
D) a financial loss due to high input costs
Answer: B
Q4: What Technical Safeguards Are Available?
Fig 12-8 Technical Safeguards
List of Primary Technical Safeguards
You can establish five technical safeguards for the hardware and software components of an information system, as Figure 12-8 shows.
1. Identification and authentication includes (1) passwords (what you know), (2) smart cards (what you have), and (3) biometric authentication (what you are).
  (4) Single sign-on for multiple systems (Kerberos). Since users must access many different systems, it's often more secure, and easier, to establish single sign-on. Kerberos authenticates users without sending passwords across the network. "Tickets" enable users to obtain services from multiple networks and servers. Windows, Linux, and Unix employ Kerberos.
List of Primary Technical Safeguards (cont.)
• Identification and authentication (cont.)
  (5) Wireless systems pose additional threats. Safeguards: VPNs and special security servers.
  – Wired Equivalent Privacy (WEP): first developed
  – Wi-Fi Protected Access (WPA): more secure
  – Wi-Fi Protected Access (WPA2): newest and most secure
Note: (4) and (5) are system access protocols.
Q/A
T/F: A magnetic strip holds far more data than a microchip.
Answer: FALSE
2. Encryption
Fig 12-9 Basic Encryption Techniques
• Encryption is the second safeguard you can establish for an IS. The chart in this figure and on the next slide describes each technique.
T/F: Asymmetric encryption is simpler and much faster than symmetric encryption. Answer: FALSE
Essence of HTTPS (SSL or TLS)
Fig 12-10 The Essence of HTTPS (SSL or TLS)
Which of the following observations concerning Secure Socket Layer (SSL) is true?
A) It uses only asymmetric encryption.
B) It is a useful hybrid of symmetric and asymmetric encryption techniques.
C) It works between Levels 2 and 3 of the TCP-OSI architecture.
D) It is a stronger version of HTTPS.
Answer: B

You are transferring funds online through the Web site of a reputed bank. Which of the following displayed in your browser's address bar will let you know that the bank is using the SSL protocol?
A) http
B) www
C) https
D) .com
Answer: C
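The first question above describes SSL/TLS as a hybrid of symmetric and asymmetric encryption. The following added example, not part of the slides and not the protocol's own code, shows that hybrid structure in its classic key-transport form: the client uses the server's public key only to wrap a short session key, and all message data is then encrypted and integrity-checked with the fast symmetric key. The RSA primes, the SHA-256 keystream "cipher" and the 32-bit session key are deliberately toy-sized assumptions so the shape is readable; none of it is suitable for real traffic.

```python
"""Added example (not from the slides): the hybrid structure behind HTTPS.

Asymmetric (public-key) encryption is slow, so it is used only to transport a
short session key; the bulk data is protected with that session key using a
fast symmetric cipher. Everything here is toy-sized and constructed so the
structure is visible: textbook RSA with ~20-bit primes and a SHA-256 keystream
XOR cipher. Neither is safe for real use; real TLS uses vetted primitives.
"""
import hashlib
import hmac
import secrets
from math import gcd


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for f in range(2, int(n ** 0.5) + 1):
        if n % f == 0:
            return False
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def rsa_keypair():
    """Textbook RSA (no padding) with small primes: toy only."""
    p = next_prime(1_000_000)
    q = next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:
        e += 2
    d = pow(e, -1, phi)   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_wrap(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message too large for this key")
    return pow(m, e, n)


def rsa_unwrap(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode over (key, nonce, counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def sym_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def client_send(server_pub, message: bytes) -> dict:
    """Browser side: fresh session key, wrapped with the server's public key;
    the message is encrypted and authenticated with the session key only."""
    key_int = secrets.randbits(32)          # tiny so it fits under n; toy only
    session_key = key_int.to_bytes(4, "big")
    nonce = secrets.token_bytes(8)
    ciphertext = sym_xor(session_key, nonce, message)
    tag = hmac.new(session_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"wrapped_key": rsa_wrap(server_pub, key_int),
            "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def server_receive(server_priv, record: dict) -> bytes:
    """Server side: recover the session key with the private key, then verify
    the integrity tag before decrypting (tampered records are rejected)."""
    session_key = rsa_unwrap(server_priv, record["wrapped_key"]).to_bytes(4, "big")
    expected = hmac.new(session_key, record["nonce"] + record["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("record failed integrity check")
    return sym_xor(session_key, record["nonce"], record["ciphertext"])


def roundtrip(message: bytes) -> bytes:
    pub, priv = rsa_keypair()
    return server_receive(priv, client_send(pub, message))


if __name__ == "__main__":
    print(roundtrip(b"transfer 100 to account 42"))
```

The point to take from the code is the division of labour: the expensive public-key operation runs once per session on a few bytes, the cheap symmetric operations run on every byte of data, and the integrity tag is checked before anything is decrypted.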
3. Firewalls
• Firewalls, the third technical safeguard, are computing devices that prevent unauthorized network access. They should be installed and used with every computer that's connected to any network, especially the Internet.
  – The diagram shows how perimeter and internal firewalls are special devices that help protect a network.
  – Packet-filtering firewalls are programs on general-purpose computers or on routers that examine each packet entering the network.
Fig (extra) Use of Multiple Firewalls
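As an added example (not from the slides or any real firewall product), the following shows what "examine each packet entering the network" means for a packet filter: header fields checked against an ordered rule list, first match wins, and anything unmatched dropped. Two rule sets stand in for the perimeter and internal firewalls in the figure; the addresses, rules and sample packets are constructed.

```python
"""Added example (not from the slides): a minimal packet-filtering firewall.

A packet filter inspects each packet's header fields (source and destination
address, protocol, destination port) against an ordered rule list. The first
matching rule decides; a packet that matches no rule is dropped (default deny).
Two rule sets stand in for the slide's perimeter firewall (Internet to the
DMZ) and internal firewall (DMZ to the private LAN). Addresses, rules and
packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Perimeter firewall: from the Internet, only web traffic to the DMZ is allowed.
# The first rule drops packets claiming a private source address, which should
# never arrive from outside.
PERIMETER = [
    Rule("deny", src="10.0.0.0/8"),
    Rule("allow", dst="192.0.2.0/24", proto="tcp", dport=443),
    Rule("allow", dst="192.0.2.0/24", proto="tcp", dport=80),
]

# Internal firewall: only the DMZ web server may reach the database, and only
# on the database port; everything else from the DMZ into the LAN is dropped.
INTERNAL = [
    Rule("allow", src="192.0.2.10/32", dst="10.1.0.5/32", proto="tcp", dport=5432),
    Rule("allow", src="10.1.0.0/16", dst="10.1.0.0/16"),
]


def evaluate_samples() -> Dict[str, str]:
    """Constructed packets, each run through the firewall it would reach first."""
    return {
        "web request from Internet":
            filter_packet(PERIMETER, Packet("203.0.113.7", "192.0.2.10", "tcp", 443)),
        "ssh attempt from Internet":
            filter_packet(PERIMETER, Packet("203.0.113.7", "192.0.2.10", "tcp", 22)),
        "outside packet with private source":
            filter_packet(PERIMETER, Packet("10.1.0.9", "192.0.2.10", "tcp", 443)),
        "web server to database":
            filter_packet(INTERNAL, Packet("192.0.2.10", "10.1.0.5", "tcp", 5432)),
        "web server to file share":
            filter_packet(INTERNAL, Packet("192.0.2.10", "10.1.0.20", "tcp", 445)),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{verdict:5}  {name}")
```

The two-firewall layout matters in the last sample: even if the web server in the DMZ were compromised, the internal firewall still allows it to talk only to the database port, not to the rest of the LAN.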
Symptoms of Adware and Spyware
Fig 12-8 Spyware & Adware Symptoms
• Malware protection is the fourth technical safeguard. We'll concentrate on spyware and adware here.
  – Spyware consists of programs that may be installed on your computer without your knowledge or permission.
  – Adware is a benign program that's also installed without your permission. It resides in your computer's background and observes your behavior.
  – If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer.
4. Malware Protection
• Malware protection (fourth technical safeguard):
  – Spyware resides in the background, unknown to the user; it observes the user's actions and keystrokes, monitors computer activity, and reports the user's activities to sponsoring organizations. Some spyware captures keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Some supports marketing analyses, observing what users do, Web sites visited, products examined and purchased, and so forth.
  – Adware does not perform malicious acts or steal data. It watches user activity and produces pop-up ads. Adware can change the user's default window or modify search results and switch the user's search engine.
  – Beacons are tiny files that gather demographic information (e.g., gender, age, income). The information is refreshed in real time and sold to other companies.
4. Malware Types and Spyware and Adware Symptoms (cont.)
• Viruses
• Payload
• Trojan horses
• Worms
• Beacons
Spyware & Adware Symptoms
Fig 12-11 Spyware & Adware Symptoms
If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer.
Malware Safeguards
1. Antivirus and antispyware programs
2. Scan frequently
3. Update malware definitions
4. Open email attachments only from known sources
5. Install software updates
6. Browse only reputable Internet neighborhoods
Bots, Botnets, and Bot Herders
• Bot: surreptitiously installed, takes actions unknown to and uncontrolled by the user or administrator. Some are very malicious, others annoying.
• Botnet: a network of bots created and managed by an individual or organization that infects networks with a bot program.
• Bot herder: the individual or organization that controls the botnet. Botnets pose serious problems for commerce and national security.
It is believed that a unit of the North Korean Army served as a bot herder for a botnet that caused denial-of-service attacks on Web servers in South Korea and in the United States in July 2009.
5. Design Secure Applications
• Designing secure applications is the last (fifth) technical safeguard.
• You should ensure that any information system developed for you and your department includes security as one of the application requirements.
Q5: What Data Safeguards Are Available?
Fig 12-12 Data Safeguards
Data safeguards are measures used to protect databases and other organizational data. An organization should follow the safeguards listed in this figure. Remember, data and the information derived from it are one of the most important resources an organization has.
Some Important Data Safeguards
• Protect sensitive data by storing it in encrypted form. When data are encrypted, a trusted party should have a copy of the encryption key. This safety procedure is called key escrow.
• Periodically create backup copies of database contents.
• The DBMS and all devices that store database data should reside in locked, controlled-access facilities. Physical security was a problem that MRV had when it lost its data.
• Organizations may contract with other companies to manage their databases, inspect their premises, and interview their personnel to make sure they practice proper data protections.
Q6: Human Safeguards for Employees
• Human safeguards for employees are some of the most important safeguards an organization can deploy.
• They should be coupled with effective procedures to help protect information systems.
• This figure shows the safeguards for in-house employees.
Fig 12-13 Human Safeguards for Employees (In-house Staff)
Human Safeguards for Nonemployee Personnel
• Nonemployee personnel: least-privileged accounts
• Contract personnel: specify security responsibilities
• Public users: harden the site
• Require vendors and partners to perform appropriate screening and security training
• Specify security responsibilities for work to be performed
Account Administration
• Account management: standards for new user accounts, modification of account permissions, removal of unneeded accounts
• Password management: users should change passwords frequently
• Help desk policies
Account Administration
• Account administration is the third type of human safeguard and has three components: account management, password management, and help-desk policies.
  – Account management focuses on standards for new user accounts, modification of account permissions, and removal of unneeded accounts.
  – Password management requires that users immediately change newly created passwords and change passwords periodically.
  – Help desk policies.
Fig 12-14 Sample Account Acknowledgement Form
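The slides state the account-administration rules in prose; the following added example (not from the slides, and not any particular directory product's API) turns them into an automated review that produces a help-desk worklist. The policy limits, role baselines and the four sample accounts are constructed assumptions.

```python
"""Added example (not from the slides): automated account-administration review.

The checks follow the slide's three account-administration components:
account management (remove unneeded accounts, keep permissions to the role's
baseline), password management (initial password changed at once, passwords
changed periodically) and, for anything flagged, a ticket the help desk acts
on. Accounts, dates and policy limits are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed policy values (not from the slides)
MAX_PASSWORD_AGE = timedelta(days=90)
INITIAL_CHANGE_GRACE = timedelta(days=1)
INACTIVITY_LIMIT = timedelta(days=90)

# Assumed least-privilege baseline per role: nonemployee accounts get less.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "employee": {"read", "write"},
    "contractor": {"read"},
    "public": set(),
}


@dataclass
class Account:
    user: str
    role: str                  # key into ROLE_BASELINE
    created: date
    password_changed: date     # equals `created` until the initial password is changed
    last_login: Optional[date]
    permissions: Set[str]
    employed: bool             # False once HR records the person as gone


def review_account(acct: Account, today: date) -> List[str]:
    findings = []
    if not acct.employed:
        findings.append("remove: person no longer with the organization")
    if acct.password_changed == acct.created and today - acct.created > INITIAL_CHANGE_GRACE:
        findings.append("initial password never changed")
    if today - acct.password_changed > MAX_PASSWORD_AGE:
        findings.append("password older than policy maximum")
    if today - (acct.last_login or acct.created) > INACTIVITY_LIMIT:
        findings.append("remove: unused account")
    extra = acct.permissions - ROLE_BASELINE[acct.role]
    if extra:
        findings.append(f"permissions exceed role baseline: {sorted(extra)}")
    return findings


def review_all(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Help-desk worklist: every account with the findings that need action."""
    return {a.user: review_account(a, today) for a in accounts}


TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [   # constructed
    Account("alice", "employee", date(2024, 1, 10), date(2024, 4, 15), date(2024, 5, 30),
            {"read", "write"}, True),
    Account("bob", "employee", date(2024, 5, 20), date(2024, 5, 20), date(2024, 5, 21),
            {"read", "write"}, True),
    Account("carol", "contractor", date(2023, 11, 1), date(2024, 1, 5), date(2024, 1, 20),
            {"read", "write", "admin"}, True),
    Account("dave", "employee", date(2022, 3, 1), date(2024, 4, 1), date(2024, 5, 28),
            {"read", "write"}, False),
]

if __name__ == "__main__":
    for user, findings in review_all(SAMPLE_ACCOUNTS, TODAY).items():
        print(user, findings or ["ok"])
```

Run on the sample, the review is clean for alice, flags bob's never-changed initial password, lists three problems for the contractor account carol (stale password, unused, permissions beyond a contractor's baseline) and marks dave for removal because HR no longer lists him, which is exactly the "removal of unneeded accounts" step that is most often missed when done by hand.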
Systems Procedures
• Effective system procedures can help increase security and reduce the likelihood of computer crime. As this figure shows, procedures should exist for both system users and operations personnel that cover normal, backup, and recovery procedures.
Fig 12-15 Systems Procedures
Security monitoring is the last human safeguard. It includes: activity log analyses, security testing, and investigating and learning from security incidents.
Security Monitoring Functions
• Activity log analyses: firewall, DBMS, Web server
• Security testing: in-house and external
• Investigation of incidents
• Create "honeypots"
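The following is an added example (not from the slides) of what "activity log analysis" of a Web server looks like in practice: two detection checks run over constructed access-log lines in common log format. The log lines, the IP addresses and the thresholds are all constructed assumptions.

```python
"""Added example (not from the slides): activity log analysis for a Web server.

Two checks run over constructed access-log lines in common log format: a burst
of failed logins from one source inside a short window, and a successful login
that follows a run of failures from the same source (the more urgent signal,
since it suggests a guess eventually worked). Thresholds are assumed values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic): one source makes five rapid
# failed logins and then succeeds; another fails once and later succeeds.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2024:09:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [01/Jun/2024:09:01:00 +0000] "POST /login HTTP/1.1" 401 73
203.0.113.9 - - [01/Jun/2024:09:01:02 +0000] "POST /login HTTP/1.1" 401 73
203.0.113.9 - - [01/Jun/2024:09:01:03 +0000] "POST /login HTTP/1.1" 401 73
203.0.113.9 - - [01/Jun/2024:09:01:05 +0000] "POST /login HTTP/1.1" 401 73
203.0.113.9 - - [01/Jun/2024:09:01:06 +0000] "POST /login HTTP/1.1" 401 73
203.0.113.9 - - [01/Jun/2024:09:01:08 +0000] "POST /login HTTP/1.1" 200 1024
198.51.100.4 - - [01/Jun/2024:09:10:00 +0000] "POST /login HTTP/1.1" 401 73
203.0.113.5 - - [01/Jun/2024:09:12:00 +0000] "GET /reports/q2.pdf HTTP/1.1" 200 20480
198.51.100.4 - - [01/Jun/2024:09:30:00 +0000] "POST /login HTTP/1.1" 200 1024
"""
LINES = SAMPLE_LOG.splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Return the fields we need, or None for a line that is not in CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def login_records(lines: List[str]) -> List[dict]:
    """Only POST /login records, in time order."""
    recs = [r for r in map(parse_line, lines)
            if r and r["method"] == "POST" and r["path"] == "/login"]
    return sorted(recs, key=lambda r: r["ts"])


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=5)) -> Dict[str, int]:
    """Sources with at least `threshold` failed logins inside any `window`."""
    failures = defaultdict(list)
    for rec in login_records(lines):
        if rec["status"] == 401:
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():     # sliding window over sorted timestamps
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


def success_after_failures(lines, min_failures=3) -> Dict[str, int]:
    """Sources whose successful login came right after a run of failures."""
    streak = defaultdict(int)
    hits = {}
    for rec in login_records(lines):
        if rec["status"] == 401:
            streak[rec["ip"]] += 1
        elif rec["status"] == 200:
            if streak[rec["ip"]] >= min_failures:
                hits[rec["ip"]] = streak[rec["ip"]]
            streak[rec["ip"]] = 0
    return hits


if __name__ == "__main__":
    print("bursts:", failed_login_bursts(LINES))
    print("success after failures:", success_after_failures(LINES))
```

The same two functions apply unchanged to a firewall or DBMS log once `LOG_RE` and the "failure" and "success" conditions are adjusted to that log's format; the investigation step on the slide starts from the flagged source and the time window these checks return.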
Responding to Security Incidents
• Human error and computer crimes: procedures for how to respond to security problems, whom to contact, data to gather, and steps to reduce further loss
• Centralized reporting of all security incidents
• Incident-response plan (see next slide)
• Emergency procedures
Incident-Response Plan
• Along with disaster preparedness plans, every organization should think about how it will respond to security incidents that may occur, before they actually happen. The figure lists the major factors that should be included in any incident response.
Fig 12 (extra) Factors in Incident Response
Major Disaster-Preparedness Tasks
• No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems. This figure describes disaster preparedness tasks for every organization, large and small. The last item that suggests an organization train and rehearse its disaster preparedness plans is very important.
Fig 12-16 Disaster Preparedness Tasks
Disaster-Recovery Backup Sites
• Hot site: a utility company that can take over another company's processing with no forewarning. Hot sites are expensive; organizations pay $250,000 or more per month for such services.
• Cold sites: provide computers and office space. They are cheaper to lease, but customers install and manage the systems themselves. The total cost of a cold site, including all customer labor and other expenses, might not necessarily be less than the cost of a hot site.
Q7: 2022?
• Challenges likely to be iOS and other intelligent portable devices
• Harder for the lone hacker to find a vulnerability to exploit
• Continued investment in safeguards
• Continued problem of electronically porous national borders