
Information Security



Presentation Transcript


  1. Information Security Lecture 20

  2. Today's Lecture • Information Security • The Threats • Security’s Five Pillars • Management Countermeasures • Technical Countermeasures • CREDIT CARD FRAUD - Case Example: Threats • AN INTERNET SERVICES COMPANY - Case Example: Security

  3. Today's Lecture (cont.) • PLYMOUTH ROCK ASSURANCE CORPORATION - Case Example: Use of a VPN (Security) • Planning for Business Continuity Using Internal Resources • Planning for Business Continuity Using External Resources • HOUSEHOLD INTERNATIONAL - Case Example: Planning for Business Continuity

  4. Information Security • Used to be an arcane technical topic • Today even CEOs need to ‘know about it’ due to the importance of electronic information in running their businesses • Need to understand Internet-based threats and countermeasures and continuously fund security work to protect their businesses

  5. Information Security • Since 1996 the Computer Security Institute has conducted an annual survey of US security managers • Spring 2004 survey report – 2 key findings: • The unauthorized use of computers is declining • The most expensive cybercrime was denial of service

  6. The Threats. Note: there are many similar surveys, e.g. by KPMG

  7. Information Security: The Threats • Threats are numerous • Websites are particularly vulnerable • Political activism is one motivation for Website defacement • Theft of proprietary information is a major concern • Financial fraud is still a significant threat • Especially credit card information • No data of any value should be stored on web servers

  8. CREDIT CARD FRAUD - Case Example: Threats • In one case, MSNBC reported that a bug in one shopping cart software product used by 4,000 e-commerce sites exposed customer records at those sites • One small e-commerce site did not receive the warning • Within days, cyber criminals charged thousands of dollars on the credit cards of users of this small site

  9. CREDIT CARD FRAUD - Case Example: Threats (cont.) • In another case, two foreigners stole 56,000 credit card numbers, bank account information, and other personal financial information from U.S. banks • Then tried to extort money from the cardholders and the banks, threatening to publicize the sensitive information they had unearthed

  10. Information Security: The Threats (cont.) • Losses are increasing dramatically because companies have rushed into e-commerce, often with applications that do not have security built into the architecture or procedures • People think security can be added later but it really can’t be bolted on as an afterthought • Best security = designed into applications via checks during processing and at data transfer points

  11. Information Security: The Threats (cont.) • It is easier to guard a bank vault than to guard every house in town • That’s why many companies are outsourcing their data center operations to data center specialists with vault-like security • Mobile computing and telecommunications increase the possibility for crime

  12. Information Security: The Threats (cont.) • The greater number of network openings provides opportunities for illegal entry • The rise of e-commerce and e-business put more communications online to the Internet, which is open to everyone including crackers (evil hackers) • As the Internet doesn’t (currently?) have intrinsic security protocols, this public space is vulnerable

  13. Information Security: The Threats (cont.) • The ‘hacker community’ (public club?) • ‘True’ Vs. Parasites • Approaches hackers use: 1. Cracking the password 2. Tricking someone (social engineering = ‘cute’ term!) 3. Network sniffing

  14. Information Security: The Threats (cont.) 4. Misusing administrative tools 5. Playing middleman 6. Denial of service 7. Trojan horse 8. Viruses 10. Spoofing

  15. Information Security: Security’s Five Pillars • Authentication: verifying the authenticity of users • Identification: identifying users to grant them appropriate access • Privacy: protecting information from being seen • Integrity: keeping information in its original form • Nonrepudiation: preventing parties from denying actions they have taken

  16. Information Security: Management Countermeasures • The major problem these days: • Enterprises cannot have both access to information and airtight security at the same time • Companies must make tradeoffs between: • Absolute information security and • The efficient flow of information

  17. Information Security: Management Countermeasures • Because airtight security is not possible: • Companies need to prioritize their risks and work on safeguarding against the greatest threats • An example to consider is the case example of one company from a Gartner Executive Programs report

  18. Information Security: Management Countermeasures (cont.) • Five major findings from the Computer Crime Survey: 1. Most organizations evaluate the return on their security expenditures 2. Over 80% conduct security audits • Including by ‘outsiders’ e.g. KPMG 3. The percentage reporting cybercrimes to law enforcement declined

  19. Information Security: Management Countermeasures (cont.) • Some of the worries behind this are: • Damage to stock price / company reputation • Competitors using it for their advantage 4. Most do not outsource cybersecurity 5. Most respondents view security awareness training as important

  20. AN INTERNET SERVICES COMPANY - Case Example: Security • This firm’s starting point in protecting its systems is to deny all access to and from the Internet • From there, it opens portals only where required, and each opening has a firewall and only permits specific functions • The security team constantly “checks the locks” by: • Keeping track of the latest bugs found • Staying up to date on the latest security attacks

  21. AN INTERNET SERVICES COMPANY - Case Example: Security (cont.) • Subscribing to hacker e-mail lists and bulletin boards • Personally exploring some risks • Logging and monitoring all incoming and outgoing traffic, and • Testing the system monthly from a remote site • Most importantly, it educates employees and clients as the greatest security precaution

  22. Information Security: Technical Countermeasures • The trend in computer security is toward defining security policies and then centrally managing and enforcing those policies via security products and services or policy-based management • E.g. a user authenticates to a network once, and then a “rights based system” gives that user access only to the systems to which the user has been given rights • Establishes basic control of segregation of duties • The ‘computer’ (system) is the control

  23. Information Security: Technical Countermeasures cont. Three techniques used by companies to protect themselves • Firewalls: Control access between networks • Used to separate intranets and extranets from the Internet so that only employees and authorized business partners can access • Implementation • Packet filtering to block “illegal” traffic, which is defined by the security policy… or • By using a proxy server, which acts as an intermediary
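The "deny everything, then open specific portals" approach of slide 20 and the policy-driven packet filtering of slide 23 can be demonstrated with a small default-deny policy evaluator. This is an added example, not code from the lecture or from the company described; the rule table, addresses and sample packets are constructed for illustration.

```python
"""Default-deny packet-filter policy evaluator (constructed example).

Every rule is one "portal": a direction, a protocol, source and destination
ranges, a port, and the single business function that justifies the opening.
Traffic matching no rule is dropped, which is the "deny all, then open only
what is required" posture described in the lecture.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = Internet -> intranet, "out" = intranet -> Internet
    proto: str       # "tcp" or "udp"
    src: str         # source IP address
    dst: str         # destination IP address
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src: str         # CIDR range the packet's source must fall in
    dst: str         # CIDR range the packet's destination must fall in
    dport: int
    function: str    # the one function this portal exists for


# Constructed policy: addresses are documentation ranges (RFC 5737 / RFC 1918).
POLICY: List[Rule] = [
    Rule("in",  "tcp", "0.0.0.0/0",       "203.0.113.10/32", 443, "public web site"),
    Rule("in",  "tcp", "198.51.100.0/24", "203.0.113.20/32",  22, "partner file transfer"),
    Rule("out", "udp", "10.0.0.0/8",      "203.0.113.53/32",  53, "DNS resolution"),
    Rule("out", "tcp", "10.0.0.0/8",      "0.0.0.0/0",       443, "employee web browsing"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet fits every field of the rule (direction, proto, port, ranges)."""
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and rule.dport == pkt.dport
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst))


def decide(pkt: Packet, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return ("ALLOW", function) for the first matching portal, else ("DENY", "default deny")."""
    for rule in policy:
        if matches(rule, pkt):
            return "ALLOW", rule.function
    return "DENY", "default deny"   # nothing explicitly opened -> blocked
```

Note that the partner SSH portal is open only from the partner's range: the same packet from any other Internet address falls through to the default deny, and outbound traffic on a port the policy never opened (for example SMTP) is blocked as well.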

  24. Information Security: Technical Countermeasures cont. • Encryption: to protect against sniffing, messages can be encrypted before being sent e.g. over the Internet • Two classes of encryption methods are used today: • Secret Key encryption • DES

  25. Information Security: Technical Countermeasures cont. • Public Key encryption • RSA • Needs a public and a private key • Incorporated into all major Web browsers and is the basis for Secure Sockets Layer (SSL) • Most individuals don’t have such keys, hence B2C applications are only secure from the consumer to the merchant

  26. Information Security: Technical Countermeasures cont. Note: The Internet is not secure because, for one thing, none of the TCP/IP protocols authenticate the communicating parties • Virtual Private Networks (VPN): maintains data security as it is transmitted by using: • Tunneling: creates a temporary connection between a remote computer and the CLEC’s or ISP’s local data center. Blocks access to anyone trying to intercept messages sent over that link • Encryption: scrambles the message before it is sent and decodes it at the receiving end

  27. Information Security: Technical Countermeasures cont. • Three ways to use VPNs: • Remote Access VPNs: give remote employees a way to access an enterprise intranet by dialing a specific ISP • Remote Office VPNs: give enterprises a way to create a secure private network with remote offices. The ISP’s VPN equipment encrypts all transactions • Extranet VPNs: give enterprises a way to conduct e-business with trading partners

  28. PLYMOUTH ROCK ASSURANCE CORPORATION - Case Example: Use of a VPN (Security) • This automobile insurance company created an extranet that independent agents could use to transact business with the company • The most cost-effective approach was to create a DSL-based virtual private network between each agent and PRAC, an offering of a local company

  29. Information Security cont. • Information security has become an important management topic, and it has no clear-cut answers • It is too costly to provide all the security a company wants, and performing security checks on packets takes a lot of processor power, which can slow down performance • Even with world class technical security, management needs to make sure all employees follow security policies because companies are only as safe as their weakest link.

  30. Information Security cont. • In fact, that weakest link could be a supplier or contractor who has secure access to a company’s systems, yet has poor security of its own • Security is as much a human problem as a technical problem • Fines etc.: this is not a ‘victimless crime’ • PRACTICE SAFE COMPUTING!!!!!

  31. Planning for Business Continuity • Business continuity is broader than disaster recovery because it includes: • Safeguarding people during a disaster • Documenting business procedures (instead of relying on certain employees who may become unavailable), and • Giving employees the tools and space to handle personal issues first so that they can then concentrate on work • Where will the work be done? • In short, it is a business issue, because IT disaster recovery is just one component

  32. Planning for Business Continuity Using Internal Resources • Organizations that rely on internal resources for IT disaster recovery generally see this planning as a normal part of systems planning and development. They use: • Multiple data centers • The move to have all computing in ‘one location’ is now under question • Distributed processing • Backup telecommunication facilities • Local area networks • One LAN can be used to back up servers for other networks

  33. Planning for Business Continuity Using External Resources • Cost Vs. Risk may not justify permanent resources, so companies use the services of a disaster recovery firm: • Integrated disaster recovery services • Specialized disaster recovery services • Online and off-line data storage facilities

  34. HOUSEHOLD INTERNATIONAL - Case Example: Planning for Business Continuity • Typical of a large financial services institution, Household justified its disaster recovery planning based upon legal and regulatory requirements and the need to maintain uninterrupted customer service • The company established full-time staff to prepare, maintain and test disaster recovery plans

  35. HOUSEHOLD INTERNATIONAL - Case Example: Planning for Business Continuity (cont.) • Comdisco Disaster Recovery Services was relied on, as it is a major supplier of alternate site data processing services in North America • Heavy rain in Chicago: a large number of disasters were declared • Household declared a disaster quickly, which enabled relocation to a nearby site

  36. HOUSEHOLD INTERNATIONAL - Case Example: Planning for Business Continuity (cont.) Lessons Learnt: • Consider the risks of a natural disaster in selecting a data center location • Create a plan to return to the primary site after a disaster • Do not expect damaged equipment, disks and tapes always to be replaced; monitor equipment • Plan for alternate telecommunications • Test the site under full workload conditions • Maintain critical data at the alternate site

  37. Conclusion • Interest in the subject of managing computer operations is, perhaps surprisingly, at an all-time high because of: • The emergence of e-commerce • The increasing use of outsourcing • News-grabbing viruses • Attacks on major websites, and • The terrorist attacks of September 11th, October 12th, etc.

  38. Conclusion cont. • As enterprises increasingly rely on computing and telecom to work closely with others, they open themselves up to more threats by electronic means • Companies must be increasingly vigilant to outside threats • In short, the view of operations is shifting from managing inward to managing outward • It’s ‘essential’ but often ‘forgotten’ and it’s not easy. Key = MANAGEMENT

  39. Part II Discussion Case: MANAGING INFORMATION SECURITY ON A SHOESTRING BUDGET
