1 / 70

INFORMATION SECURITY AND PRIVACY

INFORMATION SECURITY AND PRIVACY. Presented By: Jason Rottler Mengmeng Zhao Vijak Pongtippun Weiwei Huang Ju Yang. Agenda. What is IT Security .

chace
Télécharger la présentation

INFORMATION SECURITY AND PRIVACY

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. INFORMATION SECURITY AND PRIVACY Presented By: Jason Rottler Mengmeng Zhao Vijak Pongtippun Weiwei Huang Ju Yang

  2. Agenda

  3. What is IT Security Information security means protecting information and information system from unauthorized access, use, disclosure, disruption, modification or destruction. “In the case of information security, the goals of confidentiality, integrity, and availability (CIA) must be balanced against organizational priorities and the negative consequences of security breaches.” http://en.wikipedia.org/wiki/It_security http://proquest.umi.com/pqdweb?index=2&did=901411&SrchMode=1&sid=1&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257803955&clientId=45249

  4. What is IT Security NSTISSC Security Model ( McCumber Cube) • Three dimensions: • 1. Confidentiality, integrity, and availability (CIA triangle) • Policy, education, and technology • 3. Storage, processing, and transmission Confidentiality Policy Education Technology Integrity Availability Storage Processing Transmission http://proquest.umi.com/pqdweb?index=0&did=1374511721&SrchMode=1&sid=1&Fmt=6&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257259579&clientId=45249 http://en.wikipedia.org/wiki/McCumber_cube

  5. Why is IT Security important “Security is, I would say, our top priority because for all the exciting things you will be able to do with computers - organizing your lives, staying in touch with people, being creative - if we don't solve these security problems, then people will hold back.” ----Bill gates http://www.billgatesmicrosoft.com/ http://chinadigitaltimes.net/china/bill-gates/

  6. Security Breach Example Wireless Security and the TJX Data Breach

  7. IT Security breaches happen everyday Why is IT Security important http://www.privacyrights.org/ar/ChronDataBreaches.htm#2009

  8. Why is IT Security important IT security breaches may be from outsider’s and Insider’s breaches. “As the network expand, including online, it will become harder to know whether market-moving information originated improperly through an insider’s breach or properly through gathering of information in other ways” http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article6861965.eceThe Times October 6, 2009 http://proquest.umi.com/pqdweb?index=0&did=1886259131&SrchMode=1&sid=5&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257262182&clientId=45249

  9. Why is IT Security important Consequences of poor Security in Organization • Unreliable Systems • Unauthorized Access By Employee • Reduced Employee Productivity • Financial Embezzlement & Lost Revenue • Theft of Customer Records Reno, NV, “Academy of Information and Management Sciences” Vol.11 No.2 (October 2007) p.51-53 http://www.alliedacademies.org/Public/Proceedings/Proceedings21/AIMS%20Proceedings.pdf

  10. Why is IT Security important Losses from IT Security Breaches In 2008 losses resulting from IT security breaches averaged 289,000 • 2008 CSI Computer Crime & Security Survey, Robert Richardson, GoCSI.com

  11. Agenda

  12. IT Security Spending 31% • 31% of companies spend more than 5% of their overall IT budget on information security in 2008. • 2008 CSI Computer Crime & Security Survey, Robert Richardson, GoCSI.com

  13. IT Budget Vs. Information Security Budget IT Security Spending The projected percentage cut in IT spending for 2009 is greater overall than the relative projected percentage cut in security spending. http://metrosite.files.wordpress.com/2008/06/information_security_spending_survey_2009.pdf

  14. IT Security Spending IT departments in U.S. enterprises spent US$61 billion on security in 2006, representing 7.3% of total IT spending in the U.S. http://proquest.umi.com/pqdweb?index=4&did=1162465461&SrchMode=1&sid=4&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257727916&clientId=45249#indexing

  15. IT Security Spending "IT security has become a higher priority over the last few years, with a greater proportion of the overall IT budget being spent on security equipment and services." ------ Ed Daugavietis http://proquest.umi.com/pqdweb?index=4&did=1162465461&SrchMode=1&sid=4&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257727916&clientId=45249#indexing

  16. Agenda

  17. Top 9 Network Security Threats CSOonline.com is the website that provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more. • Malicious Insiders – Rising Threat • Malware – Steady Threat • Exploited Vulnerabilities – Weakening Threat • Social Engineering – Rising Threat • Careless Employees – Rising Threat • Reduced Budgets – Rising Threat • Remote workers – Steady Threat • Unstable Third Party Providers – Strong Rising Threat • Download Software Including Open Source & P2P Files – Steady Threat http://www.csoonline.com/article/print/472866

  18. Top 9 Network Security Threats Strong Rising Threat - Unstable Providers Rising Threat - Malicious Insiders - Social Engineering - Careless Employees - Reduced Budgets Steady Threat - Malware - Remote workers - Download Software Weakening Threat - Exploited Vulnerabilities

  19. Type of IT Security Threats Malware • Malware (Malicious Software) is a genetic term for programs that try to secretly install themselves on your computer. • Top 10 malware hosting countries in 2008 http://www.msun.edu/its/security/threats.htm http://www.sophos.com/sophos/.../sophos-security-threat-report-jan-2009-na.pdf

  20. Type of IT Security Threats Type of Malware • Viruses • Worms • Trojanhorses • Spyware • Adware Damage Some viruses delete files, reformat the hard disk. Worms consume bandwidth and can cause degraded network performance. Spyware can collect various types of personal information such as credit card number, or username and password. http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx http://proquest.umi.com/pqdweb?index=0&did=1783184381&SrchMode=1&sid=5&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257726601&clientId=45249

  21. Type of IT Security Threats Social Engineering • Social engineering is a term is used to describe the art of persuading people to divulge information, such as usernames, and passwords. • Identity Theft steal and sell identity information. • Phishing a fake web page. Damage • Criminals can use a person’s detail to make transactions or create fake accounts in victim’s name. http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx

  22. Type of IT Security Threats SPAM • SPAM is electronic junk email. E-mail addresses are collected from chat rooms, websites, newsgroups. Damage • SPAM can clog a personal mailbox, overload mail servers and impact network performance. http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx

  23. Type of IT Security Threats Denial of Service Attack (DoS Attack) • DoS Attack is an attempt to make a computer resource such as a website or web service unavailable to use.. • Criminals frequently use Bot to launch DoS Attack Damage • Dos attacks typically target large businesses or government institutions. They can make a website or web service temporarily unavailable (for minutes, hours, or days) with ramifications for sales or customer service. http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx

  24. Prevention of IT Threats Malware • Use antivirus and anti spyware software. • Keep current with latest security updates or patches • Be wary of opening unexpected e-mails Social Engineering • Never disclose any personal information • Use Strong passwords. • Never e-mail personal or financial information. • Check your statements often. http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx

  25. Prevention of IT Threats SPAM • Use spam filters • Use a form of e-mail authentication. • Using reasonable mailing and ensuring relevant e-mails. • Make sure your e-mails look right in multiple e-mail clients. DOS Attack • Plan ahead • Use Firewalls to allow or deny protocols, ports, or IP addresses. • Utilize routers and switches http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx http://proquest.umi.com/pqdweb?index=0&did=1876359931&SrchMode=1&sid=13&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257728149&clientId=45249&cfc=1

  26. Agenda

  27. Chief Security Officer (CSO) The executive responsible for the organization's entire security posture, both physical and digital. The title Chief Security Officer (CSO) was first used principally inside the information technology function to designate the person responsible for IT security. http://www.csoonline.com/article/221739/What_is_a_Chief_Security_Officer_?page=1,viewed October 10,2009

  28. Chief Information Security Officer (CISO) A more accurate description of a job that focuses on information security within an organization , and today the CISO title is becoming more prevalent for leaders with an exclusive info security focus. http://www.csoonline.com/article/221739/What_is_a_Chief_Security_Officer_?page=1,viewed October 10,2009

  29. Roles & Responsibilities of a CISO Communications and Relationship Risk and Control Assessment Threat and Vulnerability Management Identity and Access Management http://en.wikipedia.org/wiki/Chief_information_security_officer, Viewed October 10,2009

  30. CISO: Skills Required for Success Literature Review CISO should first think of themselves as Business professionals and secondly as security specialist. Partake in continuing security education Soft skills Management Problem solving Understand of the security threats and risks Dwayne Whitten(2008),”The Chief Information Security Officer”: An analysis of the skills required for success”, Journal of Computer Information Systems, Page 15-18 30

  31. Interviews with Eight Executives The executives were basically in agreement that the skills which emerged from the analysis were important. They suggested the addition of two items: * disaster recovery planning * security breach investigation The interviews were conducted over a two month period between December,2005 and January,2006 CISO: Skills Required for Success Dwayne Whitten(2008),”The Chief Information Security Officer”: An analysis of the skills required for success”, Journal of Computer Information Systems, Page 15-18 31

  32. CISO: Skills Required for Success Frequency of Duties on Job Listings A review of 33 recent CISO job listing posted at Chief Security Officer magazine (http://www.CSOonline.com) Dwayne Whitten(2008),”The Chief Information Security Officer”: An analysis of the skills required for success”, Journal of Computer Information Systems, Page 15-18 32

  33. CISO: Skills Required for Success Frequency of Background Experience on Job Listing A review of 33 recent CISO job listing posted at Chief Security Officer magazine (http://www.CSOonline.com) Dwayne Whitten(2008),”The Chief Information Security Officer”: An analysis of the skills required for success”, Journal of Computer Information Systems, Page 15-18 33

  34. CISO: Skills Required for Success Dwayne Whitten(2008),”The Chief Information Security Officer”: An analysis of the skills required for success”, Journal of Computer Information Systems, Page 15-18 34

  35. CISO: Skills Required for Success Conclusion Business strategy was given the high level of importance by the literature and executives, but it was not in the job listing surveys. Many of the organizations searching for new CISOs during the research period didn’t fully understand the importance of including in the business strategy formulation. Organizations currently employing a CISO should consider the duties and responsibilities included in these results as perfunctory in their position requirement. Dwayne Whitten(2008),”The Chief Information Security Officer”: An analysis of the skills required for success”, Journal of Computer Information Systems, Page 15-18 35

  36. Agenda

  37. Case Studies IT & Security Compliance Manager of: Mining Company Chief Information Security Officer (CISO) of: Compal Communication, Inc. (CCI)

  38. Mining Company in St. Louis Part 1 Overview Compal Communication, Inc. (CCI) 38

  39. Mining Company • Size: • 4,600 employees • Background: • 2nd largest in their industry • Ships and provide product to 35 states and 20+ countries worldwide • Revenues: • $2.9 Billion • $350 Million in profits IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person, by Jason Rottler, Oct, 14,2009

  40. Compal Communication, Inc. (CCI) • Background: • Manufacturers and trades wireless handsets and other telecommunication equipment • Size: • 4,000 employees • Revenues: • $3.25 Billion • $380 Million in Profit Mr. Qin, CISO of Compal Communication, Inc. interviewed by phone, by Mengmeng Zhao, Oct, 29, 2009 • http://www.compalcomm.com/

  41. Mining Company in St. Louis Part 2 Reporting Structures Compal Communication, Inc. (CCI) 41

  42. Mining Company IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person, by Jason Rottler, Oct, 14,2009

  43. Compal Communication, Inc. (CCI) Mr. Qin, CISO of Compal Communication, Inc. interviewed by phone, by Mengmeng Zhao, Oct, 29, 2009

  44. Mining Company in St. Louis Part 3 The Role of CISO Compal Communication, Inc. (CCI) 44

  45. Manager IT Security and Compliance • In current position for 4 years • In charge of security for past 2 • Responsibilities • Overseeing IS departments of Security, Change Management, Business Continuity, and Compliance IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person, by Jason Rottler, Oct, 14,2009

  46. Chief Information Security Officer • In current position for 2 years • In charge of security for past 4 • Responsibilities • Develop and structure information security policies, change management, help with integrating security skills Mr. Qin, CISO of Compal Communication, Inc. interviewed by phone, by Mengmeng Zhao, Oct, 29, 2009

  47. Mining Company in St. Louis Part 4 Threats & Risks Compal Communication, Inc. (CCI) 47

  48. Threat Examples and Mitigation IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person, by Jason Rottler, Oct, 14,2009

  49. Security Issues and Threats Mr. Qin, CISO of Compal Communication, Inc. interviewed by phone, by Mengmeng Zhao, Oct, 29, 2009

  50. Mining Company in St. Louis Part 5 IT Security Policies Compal Communication, Inc. (CCI) 50

More Related