
Lecture Business management information system - Lecture 20: Information security

Number of pages: 52
File size: 1.89 MB


Contents

This chapter presents the following content: information security, the threats, security's five pillars, management countermeasures, technical countermeasures, credit card fraud (case example), an Internet services company (case example), planning for business continuity (using internal and external resources), and Household International (case example).

Page 1

Information Security: Lecture 20

Page 2

Today's Lecture…
- CREDIT CARD FRAUD. Case Example: Threats
- AN INTERNET SERVICES COMPANY. Case Example: Security

Page 3

Today's Lecture… (cont.)
- PLYMOUTH ROCK ASSURANCE CORPORATION. Case Example: Use of a VPN (Security)
- Planning for Business Continuity: Using Internal Resources
- Planning for Business Continuity: Using External Resources
- HOUSEHOLD INTERNATIONAL. Case Example: Planning for Business Continuity

Page 4

Information Security
- Used to be an arcane technical topic
- Today even CEOs need to 'know about it' because of the importance of electronic information in running their businesses
- They need to understand Internet-based threats and countermeasures, and continuously fund security work to protect their businesses

Page 5

Information Security
- Since 1996 the Computer Security Institute has conducted an annual survey of US security managers
  - Spring 2004 survey report, 2 key findings:
    1. The unauthorized use of computers is declining
    2. The most expensive cybercrime was denial of service

Page 6

The Threats

Note: there are heaps of similar surveys, e.g. KPMG

Page 8

Information Security: The Threats
- Threats are numerous
- Websites are particularly vulnerable
- Political activism is one motivation for website defacement
- Theft of proprietary information is a major concern
- Financial fraud is still a significant threat
  - Especially credit card information
  - No data of any value should be stored on web servers

Page 9

CREDIT CARD FRAUD. Case Example: Threats
- In one case, MSNBC reported that a bug in one shopping cart software product used by 4,000 e-commerce sites exposed customer records at those sites
  - One small e-commerce site did not receive the warning
  - Within days, cyber criminals charged thousands of dollars on the credit cards of users of this small site

Page 10

CREDIT CARD FRAUD. Case Example: Threats (cont.)
- In another case, two foreigners stole 56,000 credit card numbers, bank account information, and other personal financial information from U.S. banks
  - They then tried to extort money from the cardholders and the banks, threatening to publicize the sensitive information they had unearthed

Page 11

Information Security: The Threats (cont.)
- Losses are increasing dramatically because companies have rushed into e-commerce, often with applications that do not have security built into the architecture or procedures
  - People think security can be added later, but it really can't be bolted on as an afterthought
  - Best security = designed into applications via checks during processing and at data transfer points

Page 12

Information Security: The Threats (cont.)
- It is easier to guard a bank vault than to guard every

Page 13

Information Security: The Threats (cont.)
  - The greater number of network openings provides opportunities for illegal entry
- The rise of e-commerce and e-business put more communications online to the Internet, which is open to everyone, including crackers (evil hackers)
- As the Internet doesn't (currently?) have intrinsic security protocols, this public space is vulnerable

Page 14

Information Security: The Threats (cont.)
- The 'hacker community' (public club?)
  - 'True' hackers vs parasites
- Approaches hackers use:
  1. Cracking the password
  2. Tricking someone (social engineering = 'cute' term!)
  3. Network sniffing

Page 15

Information Security: The Threats (cont.)
  4. Misusing administrative tools

Page 16

Information Security: Security's Five Pillars
1. Authentication: verifying the authenticity of users
2. Identification: identifying users to grant them appropriate access
3. Privacy: protecting information from being seen
4. Integrity: keeping information in its original form
5. Nonrepudiation: preventing parties from denying actions they have taken

Page 17

Information Security: Management Countermeasures
- The major problem these days:
  - Enterprises cannot have both access to information and airtight security at the same time
- Companies must make tradeoffs between:
  - Absolute information security, and
  - The efficient flow of information

Page 18

Information Security: Management Countermeasures
- Because airtight security is not possible:
  - Companies need to prioritize their risks and work on safeguarding against the greatest threats
- An example to consider is the case example of one company from a Gartner Executive Programs report

Page 19

Information Security: Management Countermeasures (cont.)
- Five major findings from the Computer Crime Survey:
  1. Most organizations evaluate the return on their security expenditures
  2. Over 80% conduct security audits
     - Including by 'outsiders', e.g. KPMG
  3. The percentage reporting cybercrimes to law enforcement declined

Page 20

Information Security: Management Countermeasures (cont.)
     - Some of the worries are:
       - Damage to stock price / company reputation
       - Competitors using the information to their advantage
  4. Most do not outsource cybersecurity
  5. Most respondents view security awareness training as important

Page 21

©2006 Barbara C. McNurlin. Published by Pearson Education. 8-21

Page 22

AN INTERNET SERVICES COMPANY. Case Example: Security
- This firm's starting point in protecting its systems is to deny all access to and from the Internet
- From there, it opens portals only where required, and each opening has a firewall and only permits specific functions
- The security team constantly "checks the locks" by:
  - Keeping track of the latest bugs found
  - Staying up to date on the latest security attacks

Page 23

AN INTERNET SERVICES COMPANY. Case Example: Security (cont.)
  - Subscribing to hacker e-mail lists and bulletin boards
  - Personally exploring some risks
  - Logging and monitoring all incoming and outgoing traffic, and
  - Testing the system monthly from a remote site
- Most importantly, it educates employees and clients, as the greatest security precaution

Page 24

Information Security: Technical Countermeasures
- The trend in computer security is toward defining security policies and then centrally managing and enforcing those policies via security products and services, or policy-based management
- E.g. a user authenticates to a network once, and then a "rights-based system" gives that user access only to the systems to which the user has been given rights
  - Establishes basic control of segregation of duties
  - The 'computer' (system) is the control
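As an added example (not from the lecture or the textbook), the rights-based model described above in a few lines of Python: one authentication step yields an identity, every later request is decided centrally from a rights table with deny as the default, and the same table is audited for segregation-of-duties conflicts. The users, passwords, systems and the conflicting pair of rights are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed credential store: salted SHA-256 digests of demo passwords.
def _digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

CREDENTIALS = {
    "alice": ("salt1", _digest("salt1", "alice-pw")),
    "bob":   ("salt2", _digest("salt2", "bob-pw")),
    "carol": ("salt3", _digest("salt3", "carol-pw")),
}

# Rights each user has been granted, as (system, action) pairs.
RIGHTS = {
    "alice": {("payments", "initiate"), ("ledger", "read")},
    "bob":   {("payments", "approve"), ("ledger", "read")},
    "carol": {("payments", "initiate"), ("payments", "approve")},  # conflict
}

# Pairs of rights a single person must never hold together (constructed).
SOD_CONFLICTS = [(("payments", "initiate"), ("payments", "approve"))]

def authenticate(user: str, password: str) -> Optional[str]:
    """The one-time authentication step: returns a session identity or None."""
    if user not in CREDENTIALS:
        return None
    salt, expected = CREDENTIALS[user]
    return user if hmac.compare_digest(_digest(salt, password), expected) else None

def authorize(session: Optional[str], system: str, action: str) -> bool:
    """Central decision for every later request: granted rights only, deny by default."""
    if session is None:
        return False
    return (system, action) in RIGHTS.get(session, set())

def sod_violations(rights=RIGHTS, conflicts=SOD_CONFLICTS):
    """Audit the rights table: who holds both halves of a conflicting pair."""
    return [(user, a, b) for user, held in rights.items()
            for a, b in conflicts if a in held and b in held]
```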

Page 26

Information Security: Technical Countermeasures (cont.)

Three techniques used by companies to protect themselves
1. Firewalls: control access between networks
   - Used to separate intranets and extranets from the Internet so that only employees and authorized business partners can access them
   - Implementation:
     - Packet filtering to block "illegal" traffic, which is defined by the security policy… or
     - By using a proxy server, which acts as an intermediary
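An added example (not from the lecture or the textbook) of the packet-filtering firewall just described, written in the "deny all access to and from the Internet, then open specific portals" style of the Internet services company case on page 22: the security policy is an explicit allow list, each entry permits one function through one opening, and anything unmatched is denied. All addresses, ports and rules are constructed for illustration.

```python
# Added example: default-deny packet filter with explicit openings.
# Rule and packet values are constructed, not taken from any real network.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    direction: str  # "in" = from the Internet, "out" = to the Internet
    proto: str      # "tcp" or "udp"
    src: str        # CIDR the packet must originate from
    dst: str        # CIDR the packet must be addressed to
    port: int       # destination port: the one function this portal permits
    action: str     # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int

# The security policy as a short explicit allow list: each entry is one
# opening with one permitted function. Everything else hits the default deny.
POLICY = [
    Rule("in", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443, "allow"),       # public HTTPS front end
    Rule("in", "tcp", "198.51.100.0/24", "203.0.113.20/32", 22, "allow"),  # SSH from one partner range only
    Rule("out", "udp", "203.0.113.0/24", "0.0.0.0/0", 53, "allow"),        # outbound DNS
    Rule("out", "tcp", "203.0.113.0/24", "0.0.0.0/0", 443, "allow"),       # outbound HTTPS
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the packet falls inside the rule's scope."""
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and ip_address(pkt.src_ip) in ip_network(rule.src)
            and ip_address(pkt.dst_ip) in ip_network(rule.dst)
            and rule.port == pkt.dst_port)

def evaluate(pkt: Packet, policy=POLICY) -> str:
    """First matching rule wins; the implicit last rule denies everything."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    return "deny"
```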

Page 27

Information Security: Technical Countermeasures (cont.)
2. Encryption: to protect against sniffing, messages can be encrypted before being sent, e.g. over the Internet
   - Two classes of encryption methods are used today:
     - Secret key encryption

Page 28

Information Security: Technical Countermeasures (cont.)
     - Public key encryption
       - Needs a public and a private key
       - Incorporated into all major Web browsers and is the basis for Secure Sockets Layer (SSL)
       - Most individuals don't have such keys, hence B2C applications are only secure from the consumer to the merchant

Page 32

Information Security: Technical Countermeasures (cont.)

Note: the Internet is not secure because, for one thing, none of the TCP/IP protocols authenticate the communicating parties

3. Virtual Private Networks (VPN): maintain data security as it is transmitted by using:
   - Tunneling: creates a temporary connection between a remote computer and the CLEC's or ISP's local data center; blocks access to anyone trying to intercept messages sent over that link
   - Encryption: scrambles the message before it is sent and decodes it at the receiving end

Page 33

Information Security: Technical Countermeasures (cont.)
- Three ways to use VPNs:
  1. Remote access VPNs: give remote employees a way to access an enterprise intranet by dialing a specific ISP
  2. Remote office VPNs: give enterprises a way to create a secure private network with remote offices; the ISP's VPN equipment encrypts all transactions
  3. Extranet VPNs: give enterprises a way to conduct e-business with trading partners

Page 34

PLYMOUTH ROCK ASSURANCE CORPORATION. Case Example: Use of a VPN (Security)
- This automobile insurance company created an extranet that independent agents could use to transact business with the company
- The most cost-effective approach was to create a DSL-based virtual private network between each agent and PRAC, an offering of a local company

Page 35

Information Security (cont.)
- Information security has become an important management topic, and it has no clear-cut answers
- It is too costly to provide all the security a company wants, and performing security checks on packets takes a lot of processor power, which can slow down performance
- Even with world-class technical security, management needs to make sure all employees follow security policies, because companies are only as safe as their weakest link

Page 36

Information Security (cont.)
- In fact, that weakest link could be a supplier or contractor who has secure access to a company's systems, yet has poor security of its own
- Security is as much a human problem as a technical problem
- Fines etc. = this is not a 'victimless crime'
- PRACTICE SAFE COMPUTING!!!!!

Page 37

Planning for Business Continuity
- Business continuity is broader than disaster recovery because it includes:
  - Safeguarding people during a disaster
  - Documenting business procedures (instead of relying on certain employees who may become unavailable), and
  - Giving employees the tools and space to handle personal issues first so that they can then concentrate on work
  - Where will the work be done?
- In short, it is a business issue, because IT disaster recovery is just one component

Page 38

Planning for Business Continuity: Using Internal Resources
- Organizations that rely on internal resources for IT disaster recovery generally see this planning as a normal part of systems planning and development. They use:
  - Multiple data centers
    - The move to have all computing in 'one location' is now under question
  - Distributed processing
  - Backup telecommunication facilities
  - Local area networks
    - One LAN can be used to back up servers for other networks

Page 39

Planning for Business Continuity: Using External Resources
- Cost vs risk may not justify permanent resources, so companies use the services of a disaster recovery firm:
  - Integrated disaster recovery services
  - Specialized disaster recovery services
  - Online and off-line data storage facilities

Page 40

HOUSEHOLD INTERNATIONAL. Case Example: Planning for Business Continuity
- Typical of a large financial services institution, Household justified its disaster recovery planning based upon legal and regulatory requirements and the need to maintain uninterrupted customer service
- The company established full-time staff to prepare, maintain and test disaster recovery plans

Page 41

HOUSEHOLD INTERNATIONAL. Case Example: Planning for Business Continuity (cont.)
- Comdisco Disaster Recovery Services was relied on, as it is a major supplier of alternate-site data processing services in North America
- Heaps of rain in Chicago: a large number of disasters were declared
- Household declared a disaster quickly; this enabled close relocation

Page 42

HOUSEHOLD INTERNATIONAL. Case Example: Planning for Business Continuity (cont.)
- Plan for alternate telecommunications
- Test the site under full workload conditions
- Maintain critical data at the alternate site

Page 43

- The subject of managing computer operations is, perhaps surprisingly, at an all-time high because of:
  - The emergence of e-commerce
  - The increasing use of outsourcing
  - News-grabbing viruses
  - Attacks on major websites, and
  - The terrorist acts on September 11th, October 12th, etc.

Page 44

Conclusion (cont.)
- As enterprises increasingly rely on computing and telecom to work closely with others, they open themselves up to more threats by electronic means
- Companies must be increasingly vigilant to outside threats
- In short, the view of operations is shifting from managing inward to managing outward
- It's 'essential' but often 'forgotten', and it's not easy. Key = MANAGEMENT

Page 45

Part II Discussion Case: MANAGING INFORMATION SECURITY ON A SHOESTRING BUDGET

Page 51

Summary…
- CREDIT CARD FRAUD. Case Example: Threats
- AN INTERNET SERVICES COMPANY. Case Example: Security

Page 52

Summary… (cont.)
- PLYMOUTH ROCK ASSURANCE CORPORATION. Case Example: Use of a VPN (Security)
- Planning for Business Continuity: Using Internal Resources
- Planning for Business Continuity: Using External Resources
- HOUSEHOLD INTERNATIONAL. Case Example: Planning for Business Continuity

Posted: 18/01/2020, 15:54
