
Experiencing MIS, 7th ed., by M. Kroenke, Chapter 12


Document information

Pages: 45
Size: 7.7 MB

Contents

Slide 1

Information Security Management

Chapter 12

Slide 2

“We Have to Design It for Privacy and Security.”

Copyright © 2015 Pearson Education, Inc.

• Tension between Maggie and Ajit regarding terminology to use with Dr. Flores

• Overly technical communication is a common problem for techies when talking with business professionals

• Maggie and Ajit discuss security design later

Slide 3

PRIDE Design for Security

Slide 4

Study Questions

Q1: What is the goal of information systems security?

Q2: How big is the computer security problem?

Q3: How should you respond to security threats?

Q4: How should organizations respond to security threats?

Q5: How can technical safeguards protect against security threats?

Q6: How can data safeguards protect against security threats?

Q7: How can human safeguards protect against security threats?

Q8: How should organizations respond to security incidents?

Q9: 2024?

Slide 5

Q1: What Is the Goal of Information Systems Security?

Slide 6

Examples of Threat/Loss

Slide 7

What Are the Sources of Threats?

Slide 8

What Types of Security Loss Exist?

• Unauthorized Data Disclosure

Slide 9

Incorrect Data Modification

• Procedures incorrectly designed or not followed

• Increasing a customer’s discount or incorrectly modifying an employee’s salary

• Placing incorrect data on the company Web site

• Improper internal controls on systems

• System errors

• Faulty recovery actions after a disaster

Slide 10

Faulty Service

• Incorrect data modification

• Systems working incorrectly

• Denial-of-service attacks (intentional)

Slide 11

Loss of Infrastructure

• Human accidents

• Theft and terrorist events

• Disgruntled or terminated employee

• Natural disasters

• Advanced Persistent Threat (APT)

– Sophisticated, possibly long-running computer hack perpetrated by large, well-funded organizations

Slide 12

Goal of Information Systems Security

• Find an appropriate trade-off between the risk of loss and the cost of implementing safeguards

• Use good antivirus software

• Delete browser cookies

• Get in front of the security problem by making appropriate trade-offs for your life and your business

Slide 13

Q2: How Big Is the Computer Security Problem?

Computer Crime Costs per Organizational Respondent

Slide 14

Average Computer Crime Cost and Percent of Attacks by Type (5 Most Expensive Types)

Slide 15

Ponemon Study Findings (2012)

• It is difficult to estimate the exact cost of a computer crime

• Cost of computer crime is usually based on surveys

• Data loss is the single most expensive consequence of computer crime, accounting for 44% of costs in 2012

• 80% of respondents believe data on mobile devices poses significant risks

Slide 16

Ponemon 2012 Studies Summary

• Median cost of computer crime increasing

• Malicious insiders increasingly serious security threat

• Data loss is principal cost of computer crime

• Survey respondents believe mobile device data a significant security threat

• Security safeguards work

Slide 17

Q3: How Should You Respond to Security Threats?

Personal Security Safeguards

Slide 18

Using MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts

• Assume you and a group of other students will investigate phishing attacks

• Search the Web for phishing; beware that your search may bring the attention of an active phisher

• Do not give any data to any site you visit as part of this exercise!

Slide 19

Q4: How Should Organizations Respond to Security Threats?

Slide 20

Security Policy Should Stipulate

• What sensitive data the organization will store.

• How it will process that data.

• Whether data will be shared with other organizations.

• How employees and others can obtain copies of data stored about them.

• How employees and others can request changes to inaccurate data.

• What employees can do with their own mobile devices at work

As a new hire, seek out your employer’s security policy.

Slide 21

Ethics Guide: Securing Privacy

“The best way to solve a problem is not to have it.”

– Resist providing sensitive data.

– Don’t collect data you don’t need.

• Gramm-Leach-Bliley (GLB) Act, 1999

• Privacy Act of 1974

• Health Insurance Portability and Accountability Act (HIPAA), 1996

• Australian Privacy Act of 1988

– Government, healthcare data, records maintained by businesses

Slide 22

Ethics Guide: Securing Privacy: Wrap Up

• As a business professional, you have the responsibility to consider legality, ethics, and wisdom when you request, store, or disseminate data

• Think carefully about emails that you open over public wireless networks

• Use long and strong passwords

Slide 23

Q5: How Can Technical Safeguards Protect Against Security Threats?

Slide 24

Essence of https (SSL or TLS)

Slide 25

Use of Multiple Firewalls

Slide 26

Malware Protection

1. Antivirus and antispyware programs

2. Scan frequently

3. Update malware definitions

4. Open email attachments only from known sources

5. Install software updates

6. Browse only reputable Internet neighborhoods

Slide 27

Malware Types and Spyware and Adware Symptoms

Slide 29

Q6: How Can Data Safeguards Protect Against Security Threats?

Slide 30

Q7: How Can Human Safeguards Protect Against Security Threats?

Slide 31

Q7: How Can Human Safeguards Protect Against Security Threats?

Slide 32

Account Administration

• Account Management

 Standards for new user accounts, modification of account permissions, and removal of accounts that are not needed

• Password Management

 Users should change passwords frequently

• Help Desk Policies

Slide 33

Sample Account Acknowledgment Form

Slide 34

Systems Procedures

Slide 35

Q8: How Should Organizations Respond to Security Incidents?

Slide 36

Security Wrap Up

• Be aware of threats to computer security as an individual, business professional, or employee

• Know the trade-offs between loss risks and the cost of safeguards

• Know ways to protect your computing devices and data

• Understand technical, data, and human safeguards

• Understand how organizations should respond to security incidents

Slide 37

Q9: 2024

• APTs more common, inflicting serious damage

• Continued concern about balance of national security and data privacy.

• Computer crimes targeting mobile devices lead to improved operating system security

• Improved security procedures and employee training.

• Criminals focus on less protected mid-sized and smaller organizations, and individuals.

• Electronic lawlessness by organized gangs.

• Strong local “electronic” sheriffs electronic border and enforce existing laws?

Slide 38

Guide: Metasecurity

• What are the security problems?

• What are the managers’ responsibilities for controls over the security system?

• All major software vendors are obvious targets for security attacks against their networks. What do these companies do to prevent this?

• What extra precautions can you take when you hire and manage employees such as white-hat hackers?

Slide 39

Guide: The Final, Final Word

• Routine work will migrate to countries with lower labor costs

Slide 40

Active Review

Q1: What is the goal of information systems security?

Q2: How big is the computer security problem?

Q3: How should you respond to security threats?

Q4: How should organizations respond to security threats?

Q5: How can technical safeguards protect against security threats?

Q6: How can data safeguards protect against security threats?

Q7: How can human safeguards protect against security threats?

Q8: How should organizations respond to security incidents?

Q9: 2024

Slide 41

Case 12: Will You Trust FIDO?

• One-third of all people record passwords somewhere, whether on a sticky note or in a computer file

• Malicious code searches for files that include "password" or some variant

• Many web sites offer to authenticate you using your Facebook or other common credentials

• Use credentials only at the site where they were created

Slide 42

Alternatives to Passwords

• Biometric: Fingerprints, retinal scans, keystroke rhythm

• Picture password in Windows 8

– User makes three gestures over a photo

– Asking the user to name people in a group photo or provide facts about people in the photo

• One defect: If a user’s authentication is compromised once, it is compromised for all sites where that authentication method is used

Slide 43

Fast Identity OnLine (FIDO)

Slide 44

Will You Trust FIDO? Probably

• FIDO does not eliminate the need to send private data over the Internet, but substantially reduces it

• Password or PIN never sent over a network

• Forming open standards and asking the community to find holes and problems long before the standard is implemented

• Support of major, well-funded organizations
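As an added illustration (not from the textbook or the FIDO specification), a Go sketch of the property these slides describe: the authenticator signs a per-site challenge with a key that never leaves the device, and the site stores only the public key, so the "compromised once, compromised everywhere" defect of shared passwords does not apply. The site IDs, user names and message layout are assumptions for this example; real FIDO/WebAuthn messages carry more fields.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator maps a site ID to the private key made for that site; keys never leave it.
type Authenticator map[string]ed25519.PrivateKey

// RelyingParty (the web site) stores only public keys, so a server breach leaks no reusable secret.
type RelyingParty struct {
	ID    string
	Users map[string]ed25519.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, Users: map[string]ed25519.PublicKey{}}
}

// Register creates a key pair bound to rp.ID and sends the server only the public half.
func (a Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a[rp.ID], rp.Users[user] = priv, pub
	return nil
}

// Challenge is a fresh random nonce, so a captured assertion cannot be replayed later.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Assert signs site ID plus challenge with the key held for the site the client is really talking to; nil means no credential for rpID.
func (a Authenticator) Assert(rpID string, challenge []byte) []byte {
	if priv, ok := a[rpID]; ok {
		return ed25519.Sign(priv, append([]byte(rpID+"|"), challenge...))
	}
	return nil
}

// Verify checks the assertion with the stored public key; no password or PIN crossed the network.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Users[user]
	return ok && ed25519.Verify(pub, append([]byte(rp.ID+"|"), challenge...), sig)
}
```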


Posted: 17/01/2018, 16:33