6.1 Copyright 2014 Pearson Education, Inc.
# Securing Information
# Systems
## Chapter 8
### Video Cases
- Case 1: Stuxnet and Cyber Warfare
- Case 2: Cyber Espionage: The Chinese Threat
- Case 3: UBS Access Key: IBM Zone Trusted Information Channel
- Instructional Video 1: Sony PlayStation Hacked; Data Stolen from 77 million users
- Instructional Video 2: Zappos Working To Correct Online Security Breach
- Instructional Video 3: Meet the Hackers: Anonymous Statement on Hacking SONY

Copyright 2016 Pearson Education Ltd.
Management Information Systems
Chapter 8: Securing Information Systems

### Learning Objectives
- Explain why information systems are vulnerable to destruction, error, and abuse.
- Describe the business value of security and control.
- Describe the components of an organizational framework for security and control.
- Describe the tools and technologies used for safeguarding information resources.
### MiniDuke Exposes EU Cybersecurity Gaps
- Problem: massive data breach; new sandbox-evading techniques
- Solution: initiative to implement a common cybersecurity strategy
- Demonstrates the lack of a centralized approach to cybersecurity that leaves nations vulnerable to national security breaches
## System Vulnerability and Abuse

### Security and controls
- Security: policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
- Controls: methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its accounting records, and operational adherence to management standards
### Why systems are vulnerable
- Accessibility of networks
- Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
- Software problems (programming errors, installation errors, unauthorized changes)
- Disasters
- Use of networks and computers outside of the firm's control
- Loss and theft of portable devices
FIGURE 8-1: CONTEMPORARY SECURITY CHALLENGES AND VULNERABILITIES
The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.
### Internet vulnerabilities
- Network open to anyone
- Size of the Internet means abuses can have wide impact
- Use of fixed Internet addresses with cable/DSL modems creates fixed targets for attackers
- Unencrypted VoIP
- E-mail, P2P, IM: interception; attachments carrying malicious software; transmission of trade secrets
### Wireless security challenges
- Radio frequency bands are easy to scan
- SSIDs (service set identifiers) identify access points, are broadcast repeatedly, and can be picked up by sniffer programs
- War driving: eavesdroppers drive by buildings and try to detect SSIDs and gain access to the network and its resources
- Once an access point is breached, the intruder can use the OS to access networked drives and files
FIGURE 8-2: WI-FI SECURITY CHALLENGES
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.
### Malware (malicious software)
- Viruses: rogue software programs that attach themselves to other software programs or data files in order to be executed; they require activation, i.e., a user must run the infected program or open the infected file
- Worms: independent programs that copy themselves from one computer to other computers over a network; no activation by a user is needed
- Worms and viruses spread by: drive-by downloads; e-mail and IM attachments; downloads from Web sites and social networks
### Malware (cont.)
- Smartphones are as vulnerable as computers; one study found 13,000 types of smartphone malware
- Trojan horses: software that appears benign but does something other than expected
- SQL injection attacks: attackers submit crafted data to Web forms; a site whose software does not separate that data from its query code passes the input straight into a SQL statement, so a rogue query reaches the database (see https://www.w3schools.com/sql/sql_injection.asp)
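As an added example (not from the textbook slides), the injection described above in runnable form: a Python `sqlite3` login check that concatenates form input into SQL, beside the parameterised version that fixes it. The table, user names, passwords and the two payloads are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the page): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "passw0rd")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the query by string formatting: the attacker's input becomes SQL code."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the driver sends the values separately from the SQL text,
    so quotes and keywords inside the input are never interpreted as code."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Two classic payloads an attacker types into the login form.
TAUTOLOGY = "' OR '1'='1"   # as password: WHERE ... AND password = '' OR '1'='1'
COMMENT_OUT = "bob' --"     # as username: closes the quote, comments out the password check


def demo() -> dict:
    conn = make_db()
    return {
        "vuln_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),   # every user
        "vuln_comment": login_vulnerable(conn, COMMENT_OUT, "wrong"),  # bob, no password needed
        "safe_tautology": login_safe(conn, "alice", TAUTOLOGY),        # nobody
        "safe_comment": login_safe(conn, COMMENT_OUT, "wrong"),        # nobody
        "legit": login_safe(conn, "alice", "s3cret"),                  # alice only
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15s} -> {rows}")
```

The parameterised version is not "escaping": the database receives the statement and the values through separate channels, so no value can change the statement's structure. Input validation and least-privilege database accounts are defence in depth on top of that, not substitutes for it.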
### Interactive Session (Management): Ransomware
Read the Interactive Session and discuss the following questions.
- Ransomware is malicious software that infects your computer and displays messages demanding a fee to be paid in order for your system to work again.
- It can lock the computer screen or encrypt important, predetermined files so that they can only be recovered with a key the attacker holds.
- Typical attacks ask for $100 to $200; other attacks seek much more.
### Malware (cont.): Spyware
- Spyware: small programs that install themselves surreptitiously on computers to monitor users' Web surfing activity and serve up advertising
- Key loggers: record every keystroke on a computer to steal serial numbers and passwords, or to launch Internet attacks (example product: https://www.refog.com/)
- Other types: reset the browser home page; redirect search requests; slow computer performance by taking up memory
### Hackers and computer crime
- Hackers vs. crackers
- Activities include system intrusion and system damage
- Cybervandalism: intentional disruption, defacement, or destruction of a Web site or corporate information system
### Spoofing and sniffing
- Spoofing: misrepresenting oneself by using fake e-mail addresses or masquerading as someone else; also redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination
- Sniffer: an eavesdropping program that monitors information traveling over a network; enables attackers to steal proprietary information such as e-mail and company files
### Denial-of-service attacks
- Denial-of-service attack (DoS): flooding a server with thousands of false requests to exhaust it or its network so that legitimate requests cannot be served
- Distributed denial-of-service attack (DDoS): use of numerous computers to launch a DoS
- Botnets: networks of "zombie" PCs infiltrated by bot malware; deliver 90 percent of the world's spam and 80 percent of the world's malware
- Grum botnet: controlled 560K to 840K computers
### Computer crime
- Defined as any violation of criminal law that involves a knowledge of computer technology for its perpetration, investigation, or prosecution
- The computer may be the target of the crime, for example: breaching the confidentiality of protected computerized data; accessing a computer system without authority
- The computer may be the instrument of the crime, for example: theft of trade secrets; using e-mail for threats or harassment
### Identity theft, phishing, and evil twins
- Identity theft: theft of personal information (social security ID, driver's license, or credit card numbers) to impersonate someone else
- Phishing: setting up fake Web sites or sending e-mail messages that look like they come from legitimate businesses to ask users for confidential personal data
- Evil twins: wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
### Pharming and click fraud
- Pharming: redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser
- Click fraud: occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase
### Cyberterrorism and cyberwarfare
- Cyberterrorism: the use of the Internet to perform violent actions that either threaten or result in serious bodily harm or even loss of life
- Cyberwarfare: all the actions and processes that aim to attack a nation in order to cause harm comparable to that of traditional warfare
### Interactive Session (Management): Stuxnet and the Changing Face of Cyberwarfare
Read the Interactive Session and discuss the following questions.
- Is cyberwarfare a serious problem? Why or why not?
- Assess the management, organization, and technology factors that have created this problem.
- What makes Stuxnet different from other cyberwarfare attacks? How serious a threat is this technology?
- What solutions have been proposed for this problem? Do you think they will be effective? Why or why not?
### Internal threats: employees
- Security threats often originate inside an organization: inside knowledge, sloppy security procedures, users' lack of knowledge
- Social engineering: tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
### Software vulnerability
- Commercial software contains flaws that create security vulnerabilities
- Hidden bugs (program code defects): zero defects cannot be achieved because complete testing is not possible with large programs
- Flaws can open networks to intruders
- Patches: small pieces of software that repair flaws
- Exploits are often created faster than patches can be released and implemented
## Business Value of Security and Control
- Failed computer systems can lead to significant or total loss of business function.
- Firms are now more vulnerable than ever: confidential personal and financial data; trade secrets, new products, strategies
- A security breach may cut into a firm's market value almost immediately.
- Inadequate security and controls also bring forth issues of liability.
### Legal and regulatory requirements for electronic records management and privacy protection
- HIPAA: medical security and privacy rules and procedures
- Gramm-Leach-Bliley Act: requires financial institutions to ensure the security and confidentiality of customer data
- Sarbanes-Oxley Act: imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
### Electronic evidence and computer forensics
- Evidence for white-collar crimes is often in digital form: data on computers, e-mail, instant messages, e-commerce transactions
- Proper control of data can save time and money when responding to a legal discovery request
- Computer forensics: the scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law; includes recovery of ambient and hidden data
## Organizational Frameworks for Security and Control

### Information systems controls
- Manual and automated controls
- General and application controls
- General controls: govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure; apply to all computerized applications; a combination of hardware, software, and manual procedures that create an overall control environment
### Types of general controls
- Software controls
- Hardware controls
- Computer operations controls
- Data security controls
- Implementation controls
- Administrative controls
### Application controls
- Specific controls unique to each computerized application, such as payroll or order processing
- Include both automated and manual procedures
- Ensure that only authorized data are completely and accurately processed by that application
- Include input controls, processing controls, and output controls
### Risk assessment
Determines the level of risk to the firm if a specific activity or process is not properly controlled:
- Types of threat
- Probability of occurrence during the year
- Potential losses (value of the threat)
- Expected annual loss (probability multiplied by the average loss)

| Exposure | Probability | Loss range (average) | Expected annual loss |
|---|---|---|---|
| Power failure | 30% | $5K to $200K ($102,500) | $30,750 |
| Embezzlement | 5% | $1K to $50K ($25,500) | $1,275 |
| User error | 98% | $200 to $40K ($20,100) | $19,698 |
### Security policy
- Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
- Drives other policies
- Acceptable use policy (AUP): defines acceptable uses of the firm's information resources and computing equipment
- Authorization policies: determine differing levels of user access to information assets
### Identity management
- Business processes and tools to identify valid users of a system and control access
- Identifies and authorizes different categories of users
- Specifies which portion of the system users can access
- Authenticates users and protects identities
- Identity management systems capture access rules for different levels of users
FIGURE 8-3: SECURITY PROFILES FOR A PERSONNEL SYSTEM
These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.
### Disaster recovery and business continuity planning
- Disaster recovery planning: devises plans for restoration of disrupted services
- Business continuity planning: focuses on restoring business operations after a disaster
- Both types of plans need to identify the firm's most critical systems
- Business impact analysis determines the impact of an outage
- Management must determine which systems are restored first
### Information systems audit
- Examines the firm's overall security environment as well as the controls governing individual information systems
- Reviews technologies, procedures, documentation, training, and personnel
- May even simulate a disaster to test the response of technology, IS staff, and other employees
- Lists and ranks all control weaknesses and estimates the probability of their occurrence
- Assesses the financial and organizational impact of each threat
FIGURE 8-4: SAMPLE AUDITOR'S LIST OF CONTROL WEAKNESSES
This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.
## Tools and Technologies for Safeguarding Information Resources

### Identity management software and authentication
- Identity management software automates keeping track of all users and their privileges; authenticates users, protects identities, and controls access
- Authentication methods: password systems; tokens; smart cards; biometric authentication; two-factor authentication (combining two of these, for example a password plus a one-time code from a token)
### Firewall
- A combination of hardware and software that prevents unauthorized users from accessing private networks
- Technologies include: static packet filtering; stateful inspection; network address translation (NAT); application proxy filtering
FIGURE 8-5: A CORPORATE FIREWALL
The firewall is placed between the firm's private network and the public Internet or another distrusted network to protect against unauthorized traffic.
### Intrusion detection, antivirus, and unified threat management
- Intrusion detection systems: monitor hot spots on corporate networks to detect and deter intruders; examine events as they are happening to discover attacks in progress
- Antivirus and antispyware software: checks computers for the presence of malware and can often eliminate it as well; requires continual updating
- Unified threat management (UTM) systems: combine firewall, intrusion detection, antivirus, and related functions in a single appliance
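Added example, not from the slides: the "examine events as they are happening" idea of an intrusion detection system reduced to one detection rule run over constructed OpenSSH log lines (hypothetical host name and documentation-range addresses). The rule, its thresholds and the log format are assumptions for the demo; production IDS and SIEM rules work the same way at larger scale.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format (not from the page).
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:03 web1 sshd[2102]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:15:04 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:15:06 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:15:07 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:15:09 web1 sshd[2106]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  3 10:20:30 web1 sshd[2150]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 10:20:45 web1 sshd[2151]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line: str, year: int = 2016):
    """Return (timestamp, result, user, ip) or None for lines the rule ignores.
    Syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(log_text: str, threshold: int = 4, window_seconds: int = 60) -> list:
    """Sliding-window rule: `threshold` failed logins from one source IP inside the
    window raises an alert; a later success from that IP is escalated, because that
    is the event an incident responder must act on."""
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        ts, result, user, ip = event
        recent = failures[ip]
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()            # forget failures outside the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:    # fire once, when the threshold is crossed
                alerts.append({"rule": "brute_force", "ip": ip, "at": ts.isoformat()})
        elif len(recent) >= threshold:      # "Accepted" right after a burst of failures
            alerts.append({"rule": "success_after_brute_force", "ip": ip,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, 203.0.113.7 trips the rule at its fourth failure and is escalated when the `root` login succeeds two seconds later; the single failure from 198.51.100.20 followed by a success never reaches the threshold, which is the normal "typo, then correct password" pattern the rule must not alert on.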
### Securing wireless networks
- WEP security can provide some security by: assigning a unique name to the network's SSID and not broadcasting the SSID; using it together with VPN technology
- Caveat: WEP's encryption has been broken since the early 2000s, and a hidden SSID is recovered by any sniffer that sees a client join, so neither should be relied on today
- The Wi-Fi Alliance finalized the WPA2 specification, replacing WEP with stronger standards: continually changing keys; encrypted authentication against a central server (WPA2 Enterprise with 802.1X/RADIUS); WPA3, released later, strengthens this further
### Encryption
- Transforming text or data into cipher text that cannot be read by unintended recipients
- Two methods for encryption on networks: Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS); Secure Hypertext Transfer Protocol (S-HTTP)
- In practice every SSL version is now deprecated and HTTPS means HTTP over TLS; S-HTTP never saw significant adoption
### Two methods of encryption
- Symmetric key encryption: sender and receiver use a single, shared key
- Public key encryption: uses two mathematically related keys, a public key and a private key; the sender encrypts the message with the recipient's public key and the recipient decrypts it with the private key
FIGURE 8-6: PUBLIC KEY ENCRYPTION
A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient's public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.
### Digital certificates and public key infrastructure
- Digital certificate: a data file used to establish the identity of users and electronic assets for the protection of online transactions
- Uses a trusted third party, a certification authority (CA), to validate a user's identity
- The CA verifies the user's identity and stores the information on the CA server, which generates a digitally signed certificate containing the owner's ID information and a copy of the owner's public key (the certificate is signed, not encrypted: anyone can read it, but only the CA could have produced the signature)
- Public key infrastructure (PKI): use of public key cryptography working with a certificate authority; widely used in e-commerce
FIGURE 8-7: DIGITAL CERTIFICATES
Digital certificates help establish the identity of people or electronic assets. They protect online transactions by providing secure, encrypted, online communication.
### Ensuring system availability
- Online transaction processing requires 100% availability, no downtime
- Fault-tolerant computer systems: for continuous availability, for example, stock markets; contain redundant hardware, software, and power supply components that create an environment providing continuous, uninterrupted service
### Controlling network traffic and security outsourcing
- Deep packet inspection (DPI): examines the payload of packets, not just their headers, to classify traffic and deprioritize low-priority material; can block video and music downloads
- Security outsourcing: managed security service providers (MSSPs)
### Security in the cloud
- Responsibility for security resides with the company owning the data
- Firms must ensure that providers provide adequate protection: where data are stored; meeting corporate requirements and legal privacy laws; segregation of data from other clients; audits and security certifications; service level agreements (SLAs)
### Securing mobile platforms
- Security policies should include and cover any special requirements for mobile devices
- Guidelines for use of platforms and applications
- Mobile device management tools: authorization; inventory records; control of updates; lock down/erase lost devices; encryption; software for segregating corporate data on devices
### Interactive Session (Technology): MWEB Business: Hacked
Read the Interactive Session and discuss the following questions.
- What technology issues led to the security breach at MWEB?
- What is the possible business impact of this security breach for both MWEB and its customers?
- If you were an MWEB customer, would you consider MWEB's response to the security breach to be acceptable? Why or why not?
- What should MWEB do in the future to avoid similar incidents?
### Ensuring software quality
- Software metrics: objective assessments of a system in the form of quantified measurements, for example number of transactions, online response time, payroll checks printed per hour, known bugs per hundred lines of code
- Early and regular testing
- Walkthrough: review of a specification or design document by a small group of qualified people
- Debugging: the process by which errors are eliminated