Page 1: Information Security Management
Chapter 10
Page 2: “But How Do You Implement That Security?”
Page 3: PRIDE Design for Security
Page 4: Study Questions
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Page 5: Q1: What Is the Goal of Information Systems Security?
Page 6: Examples of Threat/Loss
Page 7: What Are the Sources of Threats?
Page 8: What Types of Security Loss Exist?
Page 9: Incorrect Data Modification
Page 10: Faulty Service
Page 11: Loss of Infrastructure
• Advanced Persistent Threat (APT)
Page 12: Goal of Information Systems Security
• Find appropriate trade-off between risk of loss and cost of implementing safeguards
• Use antivirus software
• Deleting browser cookies?
• Get in front of security problem by making appropriate trade-offs for your life and your business
Page 13: Q2: How Big Is the Computer Security Problem?
Computer Crime Costs per Organizational Respondent
Page 14: Average Computer Crime Cost and Percent of Attacks by Type (5 Most Expensive Types)
Page 15: Computer Crime Costs
Page 16: Ponemon Study Findings (2013)
costs in 2013
Page 17: Ponemon 2013 Studies Summary
• Security safeguards work
• Ponemon Study 2014
Page 18: Q3: How Should You Respond to Security Threats?
Personal Security Safeguards
Page 19: So What? The Latest from Black Hat
government entities
to ATMs
developers, manufacturers, and government agencies
Page 20: Q4: How Should Organizations Respond to Security Threats?
Page 21: Security Policy Should Stipulate
• What sensitive data the organization will store
• How it will process that data
• Whether data will be shared with other organizations
• How employees and others can obtain copies of data stored about them
• How employees and others can request changes to inaccurate data
• What employees can do with their own mobile devices at work
As a new hire, seek out your employer’s security policy
Page 22: Ethics Guide: Securing Privacy
“The best way to solve a problem is not to have it.”
– Resist providing sensitive data
– Don’t collect data you don’t need
• Gramm-Leach-Bliley (GLB) Act, 1999
• Privacy Act of 1974
• Health Insurance Portability and Accountability Act (HIPAA), 1996
• Australian Privacy Act of 1988
– Government, healthcare data, records maintained by businesses with revenues in excess of AU$3
Page 23: Ethics Guide: Securing Privacy: Wrap Up
request, store, or disseminate data
Page 24: Q5: How Can Technical Safeguards Protect Against Security Threats?
Page 25: Essence of https (SSL or TLS)
Page 26: Use of Multiple Firewalls
Page 27: Malware Protection
Page 28: Malware Types and Spyware and Adware Symptoms
Page 29: Design for Secure Applications
• SQL injection attack
Page 30: Q6: How Can Data Safeguards Protect Against Security Threats?
Page 31: Q7: How Can Human Safeguards Protect Against Security Threats?
Page 32: Q7: How Can Human Safeguards Protect Against Security Threats? (cont'd)
Page 34: Sample Account Acknowledgment Form
Page 35: Systems Procedures
Page 36: Q8: How Should Organizations Respond to Security Incidents?
Page 37: Security Wrap Up
employee
Page 38: Q9: 2025
security
individuals
Page 39: Guide: A Look through NSA’s PRISM
• Nine of the largest Internet services (Google, Microsoft, Yahoo!, Facebook, PalTalk, YouTube, Skype, AOL, and Apple) participate in the PRISM program
• Dates when PRISM began collecting data from each of these services
• Types of data collected include email, videos, photos, video and voice chat, file transfers, VoIP, stored data, videoconferencing, login activity, social networking activity, and something called “special requests”
• How information flows from around the world could be collected
• How data flowed from service provider to NSA, CIA, or FBI
• http://www.wired.com/2013/06/snowden-powerpoint/#slideid-522485
Page 40: Trade-Offs
– "Freedom is Slavery" (G Orwell, 1984)
– Users frustrated with stringent password policies
– Firewalls block users from remotely accessing certain resources
– Managers can’t access certain data without special permission
Page 41: Wrap Up
Page 42: Guide: Phishing for Credit Cards, Identifying Numbers, Bank Accounts
Page 43: Wrap Up
Page 44: Active Review
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Page 45: Case 10: Hitting the Target
included names, emails, addresses, phone numbers, and so on
Page 46: How Did They Do
Trojan.POSRAM extracted data from POS terminals
Page 47: premiums, paid legal fees, settled with credit card processors, paid consumer credit monitoring, and paid regulatory fines
Page 48: Damage (cont'd)
• Target loss of customer confidence and drop in revenues (46% loss for quarter).
• Analysts put direct loss to Target as high as $450 million
• CIO resigned, CEO paid $16 million to leave
• Cost credit unions and banks more than $200 million to issue new cards
• Insurers demand higher premiums, stricter controls, and more system auditing
• Consumers must watch their credit card statements, and fill out paperwork if fraudulent charges appear