Page 1: Information Security Management
Chapter 10
Page 2
• PRIDE originally designed to store medical data.
• Do PRIDE systems have an acceptable level of security?
• Doesn’t want to affiliate with a company with a major security problem
• Criminals focusing on inter-organizational systems
Page 3: PRIDE Design for Security
Page 4: Study Questions
Copyright © 2017 Pearson Education, Inc
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2026?
Page 5: Q1: What Is the Goal of Information Systems Security?
Page 6: Examples of Threat/Loss
Page 7: What Are the Sources of Threats?
Page 9: Incorrect Data Modification
• Procedures incorrectly designed or not followed
• Increasing customer’s discount or incorrectly modifying
Page 10: Faulty Service
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)
Page 11: Loss of Infrastructure
• Human accidents
• Theft and terrorist events
• Disgruntled or terminated employee
• Natural disasters
• Advanced Persistent Threat (APT1)
– Theft of intellectual property from U.S. firms.
Page 12
– Use antivirus software.
– Delete browser cookies?
– Make appropriate trade-offs to protect yourself and
your business.
Page 13: Q2: How Big Is the Computer Security Problem?
Computer Crime Costs per Organizational Respondent
Page 14: Average Computer Crime Cost and Percent of Attacks by Type (5 Most Expensive Types)
Page 15: Ponemon Study Findings (2014)
• Malicious insiders increasingly serious security threat
• Business disruption and data loss primary costs of computer
crime
• Negligent employees, connecting personal devices to
corporate network, use of commercial cloud-based applications pose significant security threats
• Security safeguards work
• Ponemon Study 2014
Page 17: So What? New from Black Hat 2014
• Briefings on how to hack things
• Show how to exploit weaknesses in hardware, software,
protocols, or systems from smartphones to ATMs
• Encourage companies to fix product vulnerabilities
• Serve as educational forum for hackers, developers,
manufacturers, and government agencies
Page 18: Dan Geer Recommendations
1 Mandatory reporting of security vulnerabilities
2 Make software vendors liable for damage their code causes after it is abandoned, or let users see/have the source code
3 ISP liable for harmful, inspected content
4 “Right to be forgotten” - appropriate and advantageous
5 End-to-End Encrypted Email
Page 19: Hacking Smart Things
• Automobiles wireless features and internal systems architecture allow hackers to access automated driving functions
• Control hotel lights, thermostats, televisions, and blinds in 200+ rooms by reverse-engineering home automation protocol called KNX/IP
• 70% of smart devices use unencrypted network services, 60% vulnerable to persistent XSS (cross-site scripting), and weak
credentials
Page 20: Q4: How Should Organizations Respond to Security Threats?
• Senior management creates company-wide policies:
– What sensitive data will be stored?
– How will data be processed?
– Will data be shared with other organizations?
– How can employees and others obtain copies of data stored about
Page 21: Security Safeguards and the Five Components
Page 22: Ethics Guide: Securing Privacy
“The best way to solve a problem is not to have it.”
– Resist providing sensitive data.
– Don’t collect data you don’t need.
• Gramm-Leach-Bliley (GLB) Act, 1999
• Privacy Act of 1974
• Health Insurance Portability and Accountability Act (HIPAA), 1996
• Australian Privacy Act of 1988
– Government, healthcare data, records maintained by businesses with
revenues in excess of AU$3 million.
Page 23: Ethics Guide: Securing Privacy: Wrap Up
• Business professionals must consider legality, ethics, and
wisdom when requesting, storing, or disseminating data
• Think carefully about email you open over public, wireless
networks
• Use long, strong passwords
• If unsure, don’t give the data
Page 24: Q5: How Can Technical Safeguards Protect Against Security Threats?
Page 25: Essence of https (SSL or TLS)
Page 26: Use of Multiple Firewalls
Packet-filtering Firewall
Page 27: Malware Protection (Viruses, Spyware, Adware)
1 Antivirus and antispyware programs
2 Scan frequently
3 Update malware definitions
4 Open email attachments only from known sources
5 Install software updates
6 Browse only reputable Internet neighborhoods
Page 29: Design for Secure Applications
• SQL injection attack
– User enters SQL statement into a form instead of a name or
other data
– Result
SQL code becomes part of database commands issued
Improper data disclosure, data damage and loss possible
– Well designed applications make injections ineffective.
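As an added illustration of the SQL injection bullets above (example code, not from the slides or the textbook): the same customer lookup written two ways against a constructed in-memory SQLite table. In `lookup_unsafe` the form value is spliced into the SQL text, so an input such as `' OR '1'='1` turns a one-customer lookup into a dump of every row (the "improper data disclosure" the slide names); `lookup_safe` binds the value as a parameter, so the same input is treated as data and matches nothing. The table, rows and attacker input are constructed for this example.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory customer table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, discount REAL)"
    )
    conn.executemany(
        "INSERT INTO customer (name, discount) VALUES (?, ?)",
        [("Alice", 0.05), ("Bob", 0.10), ("Carol", 0.00)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable lookup: the form value is spliced into the SQL text, so any
    SQL typed into the name field becomes part of the command the DBMS runs."""
    sql = f"SELECT name, discount FROM customer WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened lookup: the SQL text is fixed before any input is seen and the
    value is bound as a parameter, so the DBMS treats it strictly as data."""
    sql = "SELECT name, discount FROM customer WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed attacker input: closes the quoted literal and appends a tautology,
# so the WHERE clause becomes  name = '' OR '1'='1  and matches every row.
INJECTED_NAME = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("legitimate lookup:", lookup_safe(conn, "Bob"))
    print("unsafe + injection:", lookup_unsafe(conn, INJECTED_NAME))  # all rows
    print("safe + injection:", lookup_safe(conn, INJECTED_NAME))      # no rows
```

The hardened version does not escape or filter the input; it keeps the SQL and the data on separate channels, which is what makes the injection ineffective regardless of what the user types.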
Page 31: Q7: How Can Human Safeguards Protect Against Security Threats?
Page 32: Q7: How Can Human Safeguards Protect Against Security Threats? (cont’d)
Page 33: Human Safeguards for Nonemployee Personnel
• Temporary personnel, vendors, partner personnel (employees
of business partners), and the public
• Require vendors and partners to perform appropriate screening and security training
• Contract specifies security responsibilities
• Provide accounts and passwords with least privilege and
remove accounts as soon as possible
Page 34
• Special versions of operating system
– Lock down or eliminate operating system features and functions not required by the application
– Protect such users from internal company security problems.
Page 35: Account Administration
• Account Management
– Standards for new user accounts, modification of account
permissions, removal of unneeded accounts
• Password Management
– Users change passwords frequently.
• Help Desk Policies
– Provide means of authenticating users.
Page 36: Sample Account Acknowledgment Form
Page 37: Systems Procedures
Page 38
Lists of all dropped packets, infiltration attempts, unauthorized access, attempts from within the firewall
– DBMS
Successful and failed logins
– Web servers
Voluminous logs of Web activities
• PC O/S produce record of log-ins and firewall activities
Page 39: Security Monitoring (cont’d)
• Employ utilities to assess vulnerabilities
• Honeypots for computer criminals to attack.
• Investigate security incidents
• Constantly monitor to determine adequacy of existing security policy and safeguards
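As an added example of the log review described on the two security-monitoring slides above (example code, not from the slides or the textbook): a small monitor that parses firewall and DBMS login log lines, counts dropped packets per source address, flags sources whose dropped packets probed many distinct ports, and flags accounts where a run of failed logins was followed by a success from the same address. The log format, timestamps and addresses are constructed for this example; a malformed line is included to show the parser skipping rather than stopping on it.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a made-up format (not from the slides):
# a packet-filtering firewall log and a DBMS authentication log.
FIREWALL_LOG = """\
2017-03-01T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=22
2017-03-01T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=23
2017-03-01T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=80
2017-03-01T10:00:04 DROP src=203.0.113.7 dst=192.0.2.10 dport=443
2017-03-01T10:00:05 DROP src=203.0.113.7 dst=192.0.2.10 dport=3389
2017-03-01T10:00:06 DROP src=203.0.113.7 dst=192.0.2.10 dport=8080
2017-03-01T10:00:07 ACCEPT src=192.0.2.55 dst=192.0.2.10 dport=443
2017-03-01T10:00:08 DROP src=198.51.100.4 dst=192.0.2.10 dport=445
this line is malformed and must be skipped rather than stop the monitor
"""

DB_AUTH_LOG = """\
2017-03-01T10:05:00 LOGIN FAILED user=admin src=203.0.113.7
2017-03-01T10:05:02 LOGIN FAILED user=admin src=203.0.113.7
2017-03-01T10:05:04 LOGIN FAILED user=admin src=203.0.113.7
2017-03-01T10:05:06 LOGIN OK user=admin src=203.0.113.7
2017-03-01T10:06:00 LOGIN FAILED user=bob src=192.0.2.55
2017-03-01T10:06:10 LOGIN OK user=bob src=192.0.2.55
"""

FW_RE = re.compile(r"^(\S+) (DROP|ACCEPT) src=(\S+) dst=(\S+) dport=(\d+)$")
DB_RE = re.compile(r"^(\S+) LOGIN (OK|FAILED) user=(\S+) src=(\S+)$")


def parse_firewall(text):
    """Parse firewall lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, dport = m.groups()
            records.append({"ts": ts, "action": action, "src": src,
                            "dst": dst, "dport": int(dport)})
    return records


def parse_db_auth(text):
    """Parse DBMS login lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = DB_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            records.append({"ts": ts, "result": result, "user": user, "src": src})
    return records


def dropped_by_source(records):
    """Count dropped packets per source address (the slide's list of dropped packets)."""
    counts = defaultdict(int)
    for r in records:
        if r["action"] == "DROP":
            counts[r["src"]] += 1
    return dict(counts)


def port_scan_suspects(records, min_ports=5):
    """Sources whose dropped packets touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DROP":
            ports[r["src"]].add(r["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def guessed_credentials(records, threshold=3):
    """(src, user) pairs where at least `threshold` consecutive failed logins were
    followed by a success from the same source; records must be in time order."""
    fails = defaultdict(int)
    hits = []
    for r in records:
        key = (r["src"], r["user"])
        if r["result"] == "FAILED":
            fails[key] += 1
        else:
            if fails[key] >= threshold:
                hits.append(key)
            fails[key] = 0  # a success resets the failure run
    return hits


if __name__ == "__main__":
    fw = parse_firewall(FIREWALL_LOG)
    db = parse_db_auth(DB_AUTH_LOG)
    print("dropped per source:", dropped_by_source(fw))
    print("port-scan suspects:", port_scan_suspects(fw))
    print("likely guessed credentials:", guessed_credentials(db))
```

The thresholds are deliberately parameters: the slide's point is that monitoring is continuous and that the adequacy of the policy is re-assessed, so what counts as "too many ports" or "too many failures" is a tuning decision, not a constant.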
Page 40: Q8: How Should Organizations Respond to Security Incidents?
Page 41: Q9: 2026?
• APTs more common
• Concern about balance of national security and data
privacy
• Security on devices will be improved
• Skill level of cat-and-mouse activity increases substantially
• Improved security at large organizations
• Strong local “electronic” sheriffs
Page 42: Guide: EMV to the Rescue
• EMV chip-and-PIN
• Changes way cards are verified
• Chip verifies authenticity of physical card, PIN verifies
identity of cardholder.
• What can EMV do to protect you?
Page 43: Data Breach at Home Depot
• Loss of 56 million customer credit card records and 53 million
customer email addresses
• Hackers gained access to Home Depot’s internal network using stolen credentials from a third-party vendor
• Distributed malware to “scrape” credit card data from POS
terminal RAM
• Stolen data collected and moved out of Home Depot’s network
Page 44: Data Breach at Home Depot (cont’d)
• HD used older version of antivirus software
• Lacked encryption between point-of-sale (POS) systems and
central servers
– Didn’t directly contribute to data breach.
• Real security weakness - access to residual credit card data
stored in memory of the POS
• EMV doesn’t store card data in memory – only transaction ID numbers
Page 45: Building Adoption Momentum
• Adoption of EMV chip-and-PIN
– Western Europe - 99.9%,
– Canada - 84.7%,
– Asia – 71.4%
– U.S. – 0.3%
• U.S. last user of older magnetic stripe card technology
• Merchants liable for credit card fraud if POS terminals do not
support EMV, starting Oct 2015
• Card and card reader costs increase
Page 46: Guide: Phishing for Credit Cards, Identifying Numbers, Bank Accounts
• Phishing scams commonplace
• Examples of phishing scams at PhishTank.com and
ConsumerFraudReporting.org
• You need to be able to identify and avoid phishing scams
Page 47: Phish Examples
Page 48: Active Review
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2026?
Page 49: Case 10: Hitting the Target
• Lost 40 million credit and debit card numbers
• Later, announced additional 70 million customer accounts stolen that included names, emails, addresses, phone numbers, etc
• 98 million customers affected
– 31% of 318 million people in US.
• Stolen from point-of-sale (POS) systems at Target stores during holiday shopping season
Page 50: Trojan.POSRAM extracted data from POS terminals
Page 51
Card and PIN numbers of 2 million cards for $26.85 each ($53.7M).
• Target took loss on merchandise purchased using stolen credit
cards.
• Costs
– Upgraded POS terminals to support chip-and-pin cards,
– Increased insurance premiums,
– Paid legal fees,
– Settled with credit card processors,
– Paid consumer credit monitoring,
– Paid regulatory fines.
Page 52: Damage (cont’d)
• Loss of customer confidence and drop in revenues (46% loss for quarter)
• Direct loss to Target as high as $450 million.
• CIO resigned, CEO paid $16 million to leave.
• Cost credit unions and banks more than $200 million to issue new cards.
• Insurers demand higher premiums, stricter controls, and more system
auditing.
• Consumers must watch their credit card statements, and fill out paperwork
if fraudulent charges appear.