Experiencing MIS, 10th edition, by M. Kroenke, Chapter 10


Document info: 48 pages, 4.04 MB

Contents


Page 2

“I think you’ll see that we really do take security seriously.”

• Video conference with exercise equipment manufacturer CanyonBack Fitness (potential ARES partner)

• Security concerns about integrating ARES with CanyonBack exercise bikes.

• Does the ARES system have an acceptable level of security?

• Can their bikes get hacked? Customers hurt? Personal data stolen?

Page 3

“I think you’ll see that we really do take security seriously.” (cont’d)

• ARES implements secure coding practices and secure data backup.

• Users interact with radio buttons, dropdown menus, and other interactive AR elements.

• Reduces the possibility of an SQL injection attack.

• New technology typically brings new risks.

Page 4

Study Questions

Q10-1 What is the goal of information systems security?

Q10-2 How big is the computer security problem?

Q10-3 How should you respond to security threats?

Q10-4 How should organizations respond to security threats?

Q10-5 How can technical safeguards protect against security threats?

Q10-6 How can data safeguards protect against security threats?

Q10-7 How can human safeguards protect against security threats?

Q10-8 How should organizations respond to security incidents?

Q10-9 2027?

Page 5

Information Systems Security Threats

Figure 10-1 Threat/Loss Scenario

Q10-1 What is the goal of information systems security?

Page 6

Examples of Threat/Loss

Figure 10-2 Examples of Threat/Loss

Q10-1 What is the goal of information systems security?

Hacker wants to steal your bank login credentials

Hacker creates a phishing site nearly identical to your online banking site

Only access sites using https

None Loss of login credentials Ineffective safeguard

Employee posts sensitive data to public Google+ group

Public access to not-secure group

Passwords Procedures Employee training

Loss of sensitive data Ineffective safeguard

Page 7

What Are the Sources of Threats?

Figure 10-3 Security Problems and Sources

Q10-1 What is the goal of information systems security?

Threat types (columns): Human Error, Computer Crime, Natural Disasters

Loss: Unauthorized data disclosure
  Human error: Procedural mistakes
  Computer crime: Pretexting, phishing, spoofing, sniffing, hacking
  Natural disasters: Disclosure during recovery

Loss: Incorrect data modification
  Human error: Procedural mistakes; incorrect procedures; ineffective accounting controls; system errors

Loss: Faulty service
  Human error: Procedural mistakes; development and installation errors

Loss: Denial of service (DoS)
  Human error: Accidents
  Computer crime: DoS attacks
  Natural disasters: Service interruption

Loss: Loss of infrastructure
  Human error: Accidents
  Computer crime: Theft; terrorist activity
  Natural disasters: Property loss

Page 8

What Types of Security Loss Exist?

Q10-1 What is the goal of information systems security?

Unauthorized Data Disclosure

Page 9

Incorrect Data Modification

Q10-1 What is the goal of information systems security?

Procedures incorrectly designed or not followed

Increasing customer’s discount or incorrectly modifying employee’s salary

Placing incorrect data on company Web site

Page 10

Faulty Service

Q10-1 What is the goal of information systems security?

Incorrect data modification

Systems working incorrectly

Procedural mistakes

Programming errors

IT installation errors

Usurpation

Denial of service (unintentional)

Denial-of-service attacks (intentional)

Page 11

Loss of Infrastructure

Q10-1 What is the goal of information systems security?

Human accidents

Theft and terrorist events

Disgruntled or terminated employee

Natural disasters

Advanced Persistent Threat

APT29 (Russia) and Deep Panda (China)

Theft of intellectual property from U.S. firms.

Page 12

Goal of Information Systems Security

Q10-1 What is the goal of information systems security?

Find appropriate trade-off between risk of loss and cost of implementing safeguards

Protective actions

Use antivirus software.

Delete browser cookies?

Make appropriate trade-offs to protect yourself and your business.

Page 13

Average Computer Crime Cost and Percent of Attacks by Type

Figure 10-4 Average Computer Crime Cost and Percent of Attacks by Type (Six Most Expensive Types)

Source: Data from Ponemon Institute, 2015 Cost of Cyber Crime Study: United States, October 2015, p. 12

Q10-2 How big is the computer security problem?

Page 14

Severity of Computer Crime

Figure 10-5 Computer Crime Costs

Q10-2 How big is the computer security problem?

Page 15

Ponemon Study Findings (2015)

Q10-2 How big is the computer security problem?

Most of the increase in computer crime over the past year is from malicious code and denial-of-service attacks

Information loss was the single most expensive consequence of computer crime

Detection and recovery account for more than half of the internal costs related to cyber intrusions

Security safeguards work

Page 16

Personal Security Safeguards

Figure 10-6 Personal Security Safeguards

Q10-3 How should you respond to security threats?

Page 17

New from Black Hat 2015

So What?

Briefings on how to hack things

Show how to exploit weaknesses in hardware, software, protocols, or systems, including smartphones, IoT devices, cars, etc.

Encourage companies to fix product vulnerabilities

Serves as educational forum for hackers, developers, manufacturers, and government agencies

Page 18

New from Black Hat 2015 (cont’d)

So What?

Keynote presentation by Jennifer Granick (Stanford)

Internet is becoming less free and open due to increased centralization.

A few big companies are controlling the majority of Internet behavior

These few companies can be used to censor, surveil, and control user behavior.

Not wise to allow a few centralized companies total control over our lives.

Page 19

Security Policies

Q10-4 How should organizations respond to security threats?

Senior management creates company-wide policies:

What sensitive data will be stored?

How will data be processed?

Will data be shared with other organizations?

How can employees and others obtain copies of data stored about them?

How can employees and others request changes to inaccurate data?

Senior management manages risks

Page 20

Security Safeguards and the Five Components

Figure 10-7 Security Safeguards as They Relate to the Five Components

Q10-4 How should organizations respond to security threats?

Page 21

Securing Privacy

Ethics Guide

“The best way to solve a problem is not to have it.”

Resist providing sensitive data.

Don’t collect data you don’t need.

Gramm-Leach-Bliley (GLB) Act, 1999

Privacy Act of 1974

Health Insurance Portability and Accountability Act (HIPAA), 1996

Australian Privacy Act of 1988

Government, healthcare data, records maintained by businesses with revenues in excess of AU$3 million.

Page 22

Securing Privacy: Wrap Up

Ethics Guide

Business professionals must consider legality, ethics, and wisdom when requesting, storing, or disseminating data

Think carefully about email you open over public, wireless networks

Use long, strong passwords

If unsure, don’t give the data

Page 23

Technical Safeguards

Figure 10-8 Technical Safeguards

Q10-5 How can technical safeguards protect against security threats?

Page 24

Essence of https (SSL or TLS)

Figure 10-9 The Essence of https (SSL or TLS)

Q10-5 How can technical safeguards protect against security threats?

Page 25

Use of Multiple Firewalls

Figure 10-10 Use of Multiple Firewalls

Packet-filtering Firewall

Q10-5 How can technical safeguards protect against security threats?

Page 26

Malware Protection (Viruses, Spyware, Adware)

Q10-5 How can technical safeguards protect against security threats?

1. Antivirus and antispyware programs

2. Scan frequently

3. Update malware definitions

4. Open email attachments only from known sources

5. Install software updates

6. Browse only reputable Internet neighborhoods

Page 27

Spyware/Adware Symptoms and Types of Malware

Figure 10-11 Spyware and Adware Symptoms

Malware: Viruses, Trojan horses, Worms, Spyware, Adware, Ransomware, Payload

Q10-5 How can technical safeguards protect against security threats?

Page 28

Design for Secure Applications

Q10-5 How can technical safeguards protect against security threats?

SQL injection attack

User enters SQL statement into a form instead of a name or other data

Result

SQL code becomes part of database commands issued.

Improper data disclosure, data damage and loss possible.

Well-designed applications make injections ineffective.
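As an added illustration that is not from the slides or the textbook, the constructed Python/sqlite3 snippet below shows a customer lookup that splices the form value into the query text, beside the parameterized version a well-designed application would use; the table, its rows and the function names are assumptions made for this example.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an application database
    # (example data, not from the slides).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, discount INTEGER, email TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice", 10, "alice@example.com"), ("bob", 5, "bob@example.com")],
    )
    return db


def lookup_vulnerable(db, name):
    # The form value is spliced into the statement text, so SQL typed into
    # the form becomes part of the command the database executes.
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    # Parameterized query: the driver passes the value separately from the
    # statement, so it is only ever compared as data, never parsed as SQL.
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


def demo():
    # Same form input through both lookups; the hostile value is the classic
    # textbook case of a user entering SQL instead of a name.
    db = make_db()
    hostile = "x' OR '1'='1"
    return {
        "normal": lookup_vulnerable(db, "alice"),    # one matching row
        "vulnerable": lookup_vulnerable(db, hostile),  # condition is always true: every row disclosed
        "safe": lookup_safe(db, hostile),            # no customer has that literal name: no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable lookup returns the whole table for the hostile input (improper data disclosure), while the parameterized lookup returns nothing because the same string is treated purely as a name.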

Page 29

Data Safeguards

Q10-6 How can data safeguards protect against security threats?

Data safeguards: data administration, key escrow

Figure 10-12 Data Safeguards

Page 30

Security Policies for In-House Staff

Q10-7 How can human safeguards protect against security threats?

Position definition

Separate duties and authorities

Determine least privilege

Document position sensitivity

Hiring and screening

Page 31

Security Policies for In-House Staff (cont’d)

Q10-7 How can human safeguards protect against security threats?

Dissemination and enforcement

Page 32

Human Safeguards for Nonemployee Personnel

Q10-7 How can human safeguards protect against security threats?

Temporary personnel, vendors, partner personnel (employees of business partners), and the public

Require vendors and partners to perform appropriate screening and security training

Contract specifies security responsibilities

Provide accounts and passwords with least privilege and remove accounts as soon as possible

Page 33

Public Users

Q10-7 How can human safeguards protect against security threats?

Web sites and other openly accessible information systems

Hardening

Special versions of operating system

Lock down or eliminate operating systems features and functions not required by application.

Protect such users from internal company security problems.

Page 34

Help Desk Policies

Provide means of authenticating users.

Users change passwords frequently.

Page 35

Sample Account Acknowledgment Form

Figure 10-14 Sample Account Acknowledgment Form

Source: National Institute of Standards and Technology, U.S. Department of Commerce, Introduction to Computer Security: The NIST Handbook, Publication 800–812

Q10-7 How can human safeguards protect against security threats?

Page 36

Systems Procedures

Figure 10-15 Systems Procedures

Q10-7 How can human safeguards protect against security threats?

Normal operation
  System users: Use the system to perform job tasks, with security appropriate to sensitivity.
  Operations personnel: Operate data center equipment, manage networks, run Web servers, and do related operational tasks.

Backup
  System users: Prepare for loss of system functionality.
  Operations personnel: Back up Web site resources, databases, administrative data, account and password data, and other data.

Recovery
  System users: Accomplish job tasks during failure. Know tasks to do during system recovery.
  Operations personnel: Recover systems from backed up data. Perform role of help desk during recovery.

Page 37

Security Monitoring

Q10-7 How can human safeguards protect against security threats?

Server activity logs

Voluminous logs of Web activities.

PC operating systems produce records of log-ins and firewall activity

Page 38

Security Monitoring (cont’d)

Q10-7 How can human safeguards protect against security threats?

Employ utilities to assess vulnerabilities

Honeypots for computer criminals to attack.

Investigate security incidents

Constantly monitor to determine adequacy of existing security policy and safeguards

Page 39

Factors in Incident Response

Figure 10-16 Factors in Incident Response

Q10-8 How should organizations respond to security incidents?

Page 40

Information Systems Security in 2027

Q10-9 2027?

APTs more common

Concern about balance of national security and data privacy

Security on devices will be improved

Skill level of cat-and-mouse activity increases substantially

Improved security at large organizations

Strong local “electronic” sheriffs

Page 41

Exhaustive Cheating

Security Guide

Employees (possibly managers) created deceptive software to cheat standardized emissions testing

Black-box software made it difficult to detect the malicious software

Embedded software was designed to:

Temporarily improve fuel savings

Reduce torque and acceleration

When normal performance resumed, emissions output rose well above legal levels

Page 42

IT Security Analyst

Career Guide

Stefanie at Overstock.com

Q What attracted you to this field?

A “I was first attracted to the field of IT security as a sophomore in college when I took my initial MIS class. In one session, the professor deployed a honeypot, and we watched as attackers scanned the system for vulnerabilities. There were so many scans! I liked the idea that I could find and stop attackers from taking advantage of people.”

Q What advice would you give to someone who is considering working in your field?

A “Read, read, read—and start playing with toys! I’ve seen so many potential analysts tank in interviews because they didn’t have the foundational building blocks of security down.”

Page 43

Active Review

Q10-1 What is the goal of information systems security?

Q10-2 How big is the computer security problem?

Q10-3 How should you respond to security threats?

Q10-4 How should organizations respond to security threats?

Q10-5 How can technical safeguards protect against security threats?

Q10-6 How can data safeguards protect against security threats?

Q10-7 How can human safeguards protect against security threats?

Q10-8 How should organizations respond to security incidents?

Q10-9 2027?

Page 44

Hitting the Target

Case Study 10

Lost 40 million credit and debit card numbers

Later, announced an additional 70 million customer accounts stolen that included names, emails, addresses, phone numbers, etc.

98 million customers affected

31% of the 318 million people in the US.

Stolen from point-of-sale (POS) systems at Target stores during holiday shopping season

Page 45

How Did They Do It?

Case Study 10

1. Bought malware

2. Spearphished users at Fazio to get login credentials on Target vendor server.

3. Attackers escalated privileges, accessed Target’s internal network, and planted malware.

4. Trojan.POSRAM extracted data from POS terminals.

5. Sent data to drop servers

Figure 10-18 Target Data Breach

Page 46

Case Study 10

Card and PIN numbers of 2 million cards for $26.85 each ($53.7M)

Costs

Upgraded POS terminals to support chip-and-pin cards,

Increased insurance premiums,

Paid legal fees,

Settled with credit card processors,

Paid consumer credit monitoring,

Paid regulatory fines.

Page 47

Damage (cont’d)

Case Study 10

Loss of customer confidence and drop in revenues (46% loss for quarter)

Direct loss to Target as high as $450 million.

CIO resigned, CEO paid $16 million to leave.

Cost credit unions and banks more than $200 million to issue new cards.

Insurers demand higher premiums, stricter controls, and more system auditing.

Consumers must watch their credit card statements, and fill out paperwork if fraudulent charges appear.

Posted: 17/01/2018, 16:48
