
IT Security and Privacy


  1. IT Security and Privacy

  2. IT Security Information security is the process of protecting information systems and data from unauthorized access, use, disclosure, destruction, modification, or disruption. Information security is concerned with the confidentiality, integrity, and availability of data regardless of the form the data may take: electronic, print, or other forms. http://en.wikipedia.org/wiki/It_security, viewed April 2nd, 2007

  3. Overview Why is it important? Role of CSO Costs of IT Security Security Threats Practices to mitigate threats Case Study Case Study

  4. Why is IT Security Important? “Security breaches are as common in today’s business landscape as bad coffee and briefcases.” Computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers. An Introduction to Computer Security: The NIST Handbook, National Institute of Standards and Technology, U.S. Department of Commerce, Special Publication 800-12. http://www.cio.com/article/28648/Data_Breaches_Preparation_Damage_Control_and_a_Recent_History, viewed April 2, 2008

  5. Why is IT Security Important? 46% of respondents said that their organization had experienced a security incident in 2007. Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

  6. Trends in Information Security Breaches

  7. Trends in Information Security Breaches Security is increasing as a top management concern. Luftman, J., Kempaiah, R., and Nash, E., Key Issues for IT Executives 2005, MIS Quarterly Executive, Vol. 5, No. 2, June 2006, pp 81-99

  8. Trends in Information Security Breaches The percentage of companies with a written security policy increased from 47% in 2004 to 62% in 2006. http://www.industrialcontroldesignline.com/showArticle.jhtml;jsessionid=XDVFQM3C2DBASQSNDLOSKH0CJUNN2JVN?articleID=204200898&queryText=Written+Security+Policy/, viewed April 2, 2008

  9. Trends in Information Security Breaches Figure 2. Security breaches are getting more serious. [Figure: Severity Level of Security Breaches, 0-10 scale of severity.] http://www.industrialcontroldesignline.com/showArticle.jhtml;jsessionid=XDVFQM3C2DBASQSNDLOSKH0CJUNN2JVN?articleID=204200898&queryText=Written+Security+Policy/, viewed April 2, 2008

  10. Role of Chief Security Officer

  11. CSO The Chief Security Officer (CSO) is a corporation's top executive responsible for security. The CSO serves as the business leader responsible for the development, implementation and management of the organization’s corporate security vision, strategy and programs. CSOs direct staff in identifying, developing, implementing and maintaining security processes across the organization to reduce risks, respond to incidents, and limit exposure to liability in all areas of financial, physical, and personal risk; establish appropriate standards and risk controls associated with intellectual property; and direct the establishment and implementation of policies and procedures related to data security. http://en.wikipedia.org/wiki/Chief_Security_Officer, viewed April 2, 2008

  12. Background of CSO Most CSOs have an IT background (63%). Others (37%) come from: Corporate Security; Military; Law Enforcement; Business Operations; Audit. Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.

  13. Role of CSO Oversee a network of security directors and vendors who safeguard the company's assets, intellectual property, and computer systems, along with the physical safety of employees and visitors. Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.

  14. Role of CSO (Cont’d) • Identify protection goals, objectives, and metrics consistent with corporate strategic plans • Manage the development and implementation of global security policy, standards, guidelines, and procedures to ensure ongoing maintenance of security Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.

  15. IT Security Costs Between 1995 and 2000, company spending on IT security increased 188%.

  16. IT Security Costs Average losses in 2007 were $345,000 per respondent. Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

  17. IT Security Costs [Figure: total losses as reported by the 2005 CSI/FBI Annual Computer Crime and Security Survey.] http://www.acunetix.com/websitesecurity/web-hacking.htm, viewed March 27, 2008

  18. IT Security Costs Are costs equalizing? Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

  19. IT Security Costs Information Security Magazine, July 1999 - "Top Obstacle is Budget": "What is the SINGLE greatest obstacle to achieving adequate infosecurity at your organization?"

  20. IT Security Threats: Organizational and Individual

  21. Many types of threats exist. Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. pp. 1-25.

  22. Types of Attacks or Abuse Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007. pp. 1-25.

  23. Who is Attacking? http://www.esecurityplanet.com/, viewed April 2, 2008

  24. Two types of threats can affect both individual and organizational security: 1. Natural Threats - weather, deterioration, accidents, etc. 2. Man Made Threats - hackers, spam, phishing, identity theft, terrorism.

  25. Natural Security Threats Weather; Deterioration; Accidents. Do you have backup data stored offsite? Do you have a plan?

  26. Man Made Security Threats Phishing; Identity Theft; Terrorism. What do you have in place to prevent these things from happening?

  27. Phishing An attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Man Made Security Threats http://en.wikipedia.org/wiki/Phishing, viewed April 2, 2008

  28. Risk of Phishing According to Kaspersky Lab, 45% of online activity requires users to disclose personal or financial data. The top online activities listed by home PC users that require the disclosure of personal information were banking (20%), shopping (15%), and travel booking (10%). http://www.lexisnexis.com.ezproxy.umsl.edu, Inter Business News, Jan 9, 2007, viewed Mar 3, 2008

  29. Risk of Phishing Phishing now targets both business and personal transactions. Its main purpose is to steal financial data. There were around 14,156 fake websites in 2006, up from 1,713 in 2005. (The Sun) http://www.lexisnexis.com.ezproxy.umsl.edu, The Sun: Still @ IT, Oct 23, 2007, viewed Mar 3, 2008

  30. Risk of Phishing (Cont) According to The Sun poll of 2007, a third of internet users responded to emails from senders they did not know. 15% thought a website was secure if it claimed to belong to a well-known company, but were unable to distinguish a genuine website from a fake one. http://www.lexisnexis.com.ezproxy.umsl.edu, The Sun: Still @ IT, Oct 23, 2007, viewed Mar 3, 2008

  31. Most Targeted Industry Sectors in December 2007 Financial services was the most targeted industry sector, accounting for 91.7% of all recorded attacks. http://www.antiphishing.org, Phishing Activity Trends Report for 2007, Anti-Phishing Working Group (APWG), viewed March 4, 2008

  32. Top 10 Phishing Site Hosting Countries The United States ranks first among countries hosting phishing sites. http://www.antiphishing.org, Phishing Activity Trends Report for 2007, Anti-Phishing Working Group (APWG), viewed March 4, 2008

  33. Example of Phishing A real example recently hit UMSL email: UMSL email users received a phishing email that claimed to come from Central Bank.

  34. Example of Phishing (Cont’d) The link in the message pointed to: http://www.centralbank.net7idpersonalbanking-secure-survey-id-58274.28secure.net.jikao.com.tw/.https://www.centralbank.net/ Note where the request actually goes: the host name is everything between "http://" and the first "/", so the browser connects to a machine under jikao.com.tw. The text "centralbank.net" appears only inside a long subdomain label and again in the path after "/.https://", and neither place has any influence on which server is contacted.

  35. Some Tips to Avoid the Risk of Phishing Do not complete a form in an e-mail message that asks you for personal information. Enter personal information only at a secure website (https), and check that the domain in the address bar is the company's real domain: https only means the connection is encrypted, not that the site belongs to who it claims. Avoid clicking links in e-mail messages; type the address yourself. Never send a PIN or other secret data via e-mail.
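The following is an added example, not part of the original slides, showing how the check behind slides 34 and 35 can be automated: parse the link, work out which domain was actually registered, and compare it with the brand the message claims. The `SUFFIXES` set is a deliberately tiny stand-in for the Public Suffix List (an assumption; a real tool would load the full list), and the phishing URL is the one quoted on slide 34.

```python
"""Flag links whose real registrable domain does not match the brand they claim.

Added example for the Central Bank phishing slide; not code from the slides.
Assumption: SUFFIXES stands in for the Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption, intentionally small).
SUFFIXES = {"com", "net", "org", "edu", "tw", "com.tw", "uk", "co.uk"}

# The URL from slide 34, used here as the sample input.
PHISHING_URL = (
    "http://www.centralbank.net7idpersonalbanking-secure-survey-id-58274"
    ".28secure.net.jikao.com.tw/.https://www.centralbank.net/"
)


def registrable_domain(host: str) -> str:
    """Return the domain the site owner actually registered, e.g. 'jikao.com.tw'.

    Try the longest trailing label sequence first; the first one that is a known
    public suffix is the suffix, and one more label to the left is the registrable name.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in SUFFIXES:
            if i == 0:
                return suffix  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def analyze_link(url: str, claimed_brand: str) -> dict:
    """Compare a link against the brand domain it claims (e.g. 'centralbank.net')."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    real = registrable_domain(host)
    findings = {
        "host": host,
        "registrable_domain": real,
        # Encryption says nothing about who runs the site (slide 35 caveat).
        "uses_https": parts.scheme == "https",
        # The brand string is present somewhere in the URL text ...
        "brand_string_present": claimed_brand.lower() in url.lower(),
        # ... but the request goes to a different registrable domain.
        "brand_mismatch": real != claimed_brand.lower(),
        # A second URL hidden in the path ("/.https://...") is a common decoy.
        "embedded_url_in_path": "://" in parts.path,
    }
    findings["suspicious"] = findings["brand_mismatch"] or findings["embedded_url_in_path"]
    return findings


if __name__ == "__main__":
    for url in (PHISHING_URL, "https://www.centralbank.net/personal/login"):
        result = analyze_link(url, "centralbank.net")
        print(result["registrable_domain"], "suspicious" if result["suspicious"] else "ok")
```

For the slide 34 link the registrable domain comes out as `jikao.com.tw`, so the link is flagged even though "centralbank.net" appears twice in it; the same function passes a genuine `https://www.centralbank.net/...` address. The host check is the one that matters: an `https` padlock on the phishing host would not change the result.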

  36. Man Made Security Threats Identity Theft Crimes involving illegal usage of another individual's identity. The most common form of identity theft is credit card fraud. While the term is relatively new, the practice of stealing money or getting other benefits by pretending to be a different person is thousands of years old. http://en.wikipedia.org/wiki/Identity_Theft, Viewed April 2, 2008

  37. Types / Cost of Identity Theft Crimes involving illegal usage of another individual's identity. Types: Financial Identity Theft (using another's identity to obtain goods and services); Criminal Identity Theft (posing as another when apprehended for a crime); Identity Cloning (using another's information to assume his or her identity in daily life); Business/Commercial Identity Theft (using another's business name to obtain credit).

  38. “Identity Theft by Victims Age”. Identity Theft Data Clearinghouse. May 12 2006. PP 2-32.

  39. Man Made Security Threats Terrorism Those acts which are intended to create fear (terror), are perpetrated for an ideological goal and by a member or members of a group (as opposed to being carried out in a lone attack), and which deliberately target, or else disregard the safety of, non-combatants (civilians). http://en.wikipedia.org/wiki/Terrorism, Viewed 4/02/2008

  40. Threat Assessment You can look at threat assessment two ways: Qualitative - an “educated best guess” based on the opinions of knowledgeable others gained through interviews, history, tests, and personal experience. Quantitative - uses statistical sampling based on mathematical computations, determining the probability of an occurrence from historical data. Kovacich, Gerald L., Information Systems Security Officer’s Guide: Butterworth Heinemann, 2003.

  41. 63% of respondents reported security audits as useful in evaluating the effectiveness of security technology. Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

  42. Insurance Policies Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

  43. Practices to Mitigate Threats Biometric Security Intrusion Prevention System

  44. Biometric Security Uses computerized methods to identify a person by their unique physical or behavioral characteristics. Can provide highly accurate access control, within the limits of the system's false-accept and false-reject rates. http://news.bbc.co.uk/2/shared/spl/hi/guides/456900/456993/html/default.stm, Biometric Technology. BBC News. Viewed March 4, 2008. http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=10, Biometric Technology Overview. Viewed March 4, 2008.

  45. Examples of Biometrics Iris Scan - analyzes the rings, furrows, and freckles in the colored ring that surrounds the pupil of the eye. Fingerprint Identification - the process of automatically matching one or more unknown fingerprints against a database of known and unknown prints. http://news.bbc.co.uk/2/shared/spl/hi/guides/456900/456993/html/default.stm http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=10 http://en.wikipedia.org/wiki/Biometric

  46. Intrusion Prevention System (Next Generation Firewall) A computer security device that monitors network and system activities for malicious or unwanted behavior and can react in real time to block it. http://en.wikipedia.org/wiki/Intrusion_Prevention_System

  47. Washington Mutual Phishing Case

  48. Washington Mutual Overview Founded in 1889. Retailer of financial services: mortgage lending, commercial banking, other financial services. CIO: Debora D. Horvath. Prior to joining WaMu, she served as senior vice president and CIO for Richmond, Virginia-based GE Insurance, where she led a global information technology organization with a $500 million budget. Assets of $333.62 billion. More than 2,400 retail banking locations. http://www.wamu.com/business/default.asp, viewed April 11, 2008. Source: http://www.rsa.com/press_release.aspx?id=6801, viewed April 10, 2008

  49. Phishing trip: Washington Mutual http://www.infectionvectors.com/library/phishing_trip_wamu-iv.pdf, viewed April 10, 2008

  50. Current Practice of Online Banking Security Washington Mutual further protects its online users with a multi-factor authentication solution. http://www.wamu.com/business/default.asp
