Using MIS 2e Chapter 12: Information Security Management David Kroenke

1. Using MIS 2e Chapter 12: Information Security Management David Kroenke

2. Study Questions Q0 � What are concerns for personal security? Q1 � What are the threats to information security? Q2 � What is senior management�s security role? Q3 � What technical safeguards are available? Q4 � What data safeguards are available? Q5 � What human safeguards are available? Q6 � How should organizations respond to security incidents? Q7 � What is the extent of computer crime? Chapter 12: Information Security Management 12-2

3. Identity theft is the manipulation of, or improperly accessing, another person�s identifying information, such as social security number, mother�s maiden name, or personal identification number (rather than account number) in order to fraudulently establish credit or take over a deposit, credit or other financial account for benefit. Thieves gain access to personal data via: A stolen wallet or purse Stealing or diverting mail Rummaging through trash Fraudulently obtaining a credit report From personal information on the Internet From a business by conning or bribing an employee who has access to confidential data Chapter 12: Information Security Management 12-3

4. Chapter 12: Information Security Management 12-4

5. Beware of �Innocent� Documents Chapter 12: Information Security Management 12-5

6. If you are a victim: Notify Credit Bureaus and review your credit reports. File a report with your local police or the police in the community where the identity theft took place. Contact Fraud Department of Creditors. File a complaint with the FTC. Close any accounts that have been opened fraudulently There are laws to protect you Fair Credit Reporting Act (FCRA) Establishes procedures for resolving billing errors on your credit report. Truth in Lending Act Limits your liability for unauthorized credit card charges to $50 per card. The Fair Credit Billing Act (FCBA) Establishes procedures for resolving billing errors on your credit card accounts. Fair Debt Collection Practices Act Prohibits debt collectors from using unfair or deceptive practices to collect overdue bills. Q0 � What are concerns for personal security (identity theft)? Chapter 12: Information Security Management 12-6

7. Q0 � What are concerns for personal security (backup)? It�s not a question of if it will happen, but when; hard disks die, viruses infect a computer, files are lost due to human error, and so on. The essence of a backup strategy is to decide who does the backup, what files to back up and how (incremental versus full backup), when to do the backup and where to keep the backup files; i.e., who, what, how, when, and where . Our strategy is simple �back up anything you cannot afford to lose (i.e., your data), do it every time the data changes, and store the files away offsite from your computer. Chapter 12: Information Security Management 12-7

8. Q1 � What are the threats to information security? Fig 12-1 Security Problems and Sources Chapter 12: Information Security Management 12-8

9. Q1 � What are the threats to information security (sources)? Human error stems from employees and nonemployees. They may misunderstand operating procedures and inadvertently cause data to be deleted. Poorly written application programs and poorly designed procedures may allow employees to enter data incorrectly or misuse the system. Employees may make physical mistakes like unplugging a piece of hardware that causes the system to crash. Malicious human activity results from employees, former employees, and hackers who intentionally destroy data or system components. Breaking into systems with the intent of stealing or destroying data. Introducing viruses and worms into a system. Acts of terrorism. White-hat hackers are hired by organizations to test security systems Natural events and disasters pose problems stemming not just from the initial loss of capability and service but also problems a company may experience as it recovers from the initial problem. Chapter 12: Information Security Management 12-9

10. Chapter 12: Information Security Management An analyst at a major company searched its servers for documents called "passwords.doc� and found 40 such documents. Any malcontent employee with a minimal amount of computer know-how could unlock those documents and ravage the company's most sensitive applications. An MCI financial analyst's laptop was stolen from his car, which was parked in his home garage. That laptop contained the names and Social Security numbers of 16,500 current and former employees. A former Morgan Stanley executive, apparently with no more use for his Blackberry, sold the device on eBay for a whopping $15.50. The surprised buyer soon found out that the Blackberry still contained hundreds of confidential Morgan Stanley e-mails. Unsuspecting employees continually give out names, addresses, and other confidential information to outsiders who target well-meaning users over the phone and/or the Internet to obtain private information and/or passwords. Q1 � What are the threats to information security (Human Error)? 12-10

11. Chapter 12: Information Security Management Q1 � What are the threats to information security (Malicious Activity)? 12-11

12. Q2 � What is senior management�s security role? Senior managers should ensure their organization has an effective security policy that includes these elements: A general statement of the organization�s security program Issue-specific policies like personal use of email and the Internet System-specific policies that ensure the company is complying with laws and regulations. Senior managers must also manage risks associated with information systems security. Risk is the likelihood of an adverse occurrence. When you�re assessing risks to an information system you must first determine: What the threats are. How likely they are to occur. The consequences if they occur. You can reduce risk but always at a cost. The amount of money you spend on security influences the amount of risk you must assume. Chapter 12: Information Security Management 12-12

13. Q2 � What is senior management�s security role (Safeguards)? Appropriate safeguards must be established for all five components of an information system Chapter 12: Information Security Management 12-13

14. Q3 � What technical safeguards are available (identification and authentication)? Chapter 12: Information Security Management 12-14

15. Every information system today should require users to sign in with a user name and password. The user name identifies the user (the process of identification), and the password authenticates the user (the process of authentication) Three types of authentication methods What you know; e.g. a password such as MwbiJu14 What you have; e.g., a smart card which is a plastic card similar to a credit card, which has a microchip and is loaded with identifying data. What you are; e.g., biometric authentication which uses personal physical characteristics such as fingerprints, facial features, and retinal scans to authenticate users) Q3 � What technical safeguards are available (identification and authentication)? Chapter 12: Information Security Management 12-15

16. Senders use a key to encrypt a plaintext message and then send the encrypted message to a recipient, who uses a key to decrypt it. Consider a simple encryption scheme where each letter is transposed by a constant (known as the key) �Go Canes� becomes �Hp Dboft� (using key of 1) �Go Canes� becomes �Iq Ecpgu� (using key of 2) In this example: Only 25 keys are possible which is too limited This a symmetric key system because the same key is used to encrypt and decrypt a message. Both sender and recipient must keep the key secret which becomes a problem when too many people use the same key In practice: Web browsers use 2128 possible keys (39-digit number) Two different keys are used to encrypt and decrypt a message (an asymmetric key). The public key is freely distributed; the private key is kept secret Q3 � What technical safeguards are available (encryption)? Chapter 12: Information Security Management 12-16

17. Q3 What technical safeguards are available? 12-17 Chapter 12: Information Security Management

18. Q3 � What technical safeguards are available (encryption)? Chapter 12: Information Security Management 12-18

19. Q3 � What technical safeguards are available (Digital Signature)? Chapter 12: Information Security Management 12-19

20. The message was unaltered, but how are you sure of who sent it? A digital certificate (the electronic file that is the equivalent of an �online passport�) can be appended to the message to ensure the identity of the sender. The certificate is issued by a trusted third party knows as a certification authority (CA) such as www.verisign.com. The certificate contains the name of the holder, a serial number, expiration dates, a copy of the certificate holder's public key It also contains the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Q3 � What technical safeguards are available (Digital Certificate)? Chapter 12: Information Security Management 12-20

21. A firewall is a computing device that prevents unauthorized network access. It can be a special-purpose computer or a program on a general-purpose computer or on a router Organizations normally use multiple firewalls. A perimeter firewall sits outside the organization network; it is the first device that Internet traffic encounters. Some organizations employ internal firewalls inside the organizational network in addition to the perimeter firewall. A packet-filtering firewall examines each packet and determines whether to let the packet pass. Packet-filtering firewalls can prohibit outsiders from starting a session with any user behind the firewall. They can also disallow traffic from particular sites, such as known hacker addresses. They can also prohibit traffic from legitimate, but unwanted addresses, such as competitors� computers. Firewalls can filter outbound traffic as well. Q3 � What technical safeguards are available (Firewall)? Chapter 12: Information Security Management 12-21

22. Q3 � What technical safeguards are available (Firewall)? Chapter 12: Information Security Management 12-22

23. Chapter 12: Information Security Management Malware (malicious software) is software that seeks to disrupt or damage a computer system. Our definition is on the broadest use of the tem and includes viruses, worms, Trojan horses, spyware, and adware. A computer virus is a program that replicates itself A Trojan horse is a virus masquerading as a useful program or file A worm is a virus that propagates itself using the Internet or other computer network Spyware is software that is installed on the user�s computer without the user�s knowledge. It resides in the background and, unknown to the user, observes the user�s actions and keystrokes, monitors computer activity, and reports the user�s activities to sponsoring organizations Q3 � What technical safeguards are available (Malware)? 12-23

24. Chapter 12: Information Security Management Adware is similar to spyware in that it is installed without the user�s permission and resides in the background and observes user behavior. Most adware is benign in that it does not perform malicious acts or steal data. Adware produces pop-up ads and can also change the user�s default window or modify search results and switch the user�s search engine. Malware Safeguards Install antivirus and antispyware programs on your computer. Scan your computer frequently. Update malware definitions. Open email attachments only from known sources. Promptly install software updates from legitimate sources. Browse only in reputable Internet neighborhoods Q3 � What technical safeguards are available (Malware)? 12-24

25. Chapter 12: Information Security Management 12-25

26. Q4 � What data safeguards are available? Chapter 12: Information Security Management 12-26

27. Chapter 11: Information Security Management 27 Q5 � What human safeguards are available (employee/non-employee)?

28. Q5 � What human safeguards are available (employee/non-employee)? Position Definitions (employee) Effective human safeguards begin with definitions of job tasks and responsibilities. User accounts should be defined to give users the least possible privilege needed to perform their jobs. At least two individuals should be required to authorize disbursements (over a specified amount) The security sensitivity should be documented for each position. Security considerations should be part of the hiring process; when hiring for high-sensitive positions, extensive screening interviews, references, and high background investigations are appropriate. Dissemination and Enforcement (employee) Employees need to be made aware of the security policies, procedures, and responsibilities they will have. Employee security training begins during new-employee training with the explanation of general security policies and procedures. Enforcement consists of three interdependent factors: responsibility, accountability, and compliance. Chapter 12: Information Security Management 12-28

29. Chapter 11: Information Security Management 29 Q5 � What human safeguards are available (employee/non-employee)? Termination (employee) Companies must establish security policies and procedures for the termination of employees. Standard human resources policies should ensure that system administrators receive notification in advance of the employee�s last day, so that they can remove accounts and passwords. The need to recover keys for encrypted data and any other security requirements should be part of the employee�s out-processing. Non-employee personnel Business requirements may necessitate opening information systems to non-employees such as temporary workers, vendors, and/or partner personnel (employees of business partners) In the case of temporary, vendor, and partner personnel, the contracts that govern the activity should call for security measures appropriate to the sensitivity of the data and IS resource involved. Companies should require vendors and partners to perform appropriate screening and security training.

30. Q5 � What human safeguards are available (Account administration)? Account administration has three components�account management, password management, and help-desk policies. Account management focuses on Establishing new accounts Modifying existing accounts Terminating unnecessary accounts. Password management requires that users Immediately change newly created passwords Change passwords periodically Sign an account acknowledgment form Help-desks have been a source of problems for account administration because of the inherent nature of their work. It is difficult for the help-desk to determine exactly with whom they�re speaking. Users call up for a new password without the help-desk having a method of definitively identifying who is on the other end of the line. There must be policies in place to provide ways of authenticating users like asking questions only the user would know the answers to. Chapter 12: Information Security Management 12-30

31. Q5 � What human safeguards are available? Effective system procedures can help increase security and reduce the likelihood of computer crime. As this figure shows, procedures should exist for both system users and operations personnel that cover normal, backup, and recovery procedures. Chapter 12: Information Security Management 12-31

32. Chapter 11: Information Security Management 32 Important monitoring functions are activity log analyses, security testing, and investigating and learning from security incidents. Many information system programs produce activity logs. Firewalls produce logs of their activities, including lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall. DBMS products produce logs of successful and failed log-ins. Web servers produce voluminous logs of Web activities. The operating systems in personal computers can produce logs of log-ins and firewall activities. An important security function is to analyze activity logs for threats patterns, successful and unsuccessful attacks, and evidence of security vulnerabilities; i.e., none of the logs have any value unless they are looked at.

33. Q6 � How should organizations respond to incidents (disaster preparedness)? No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems. Locate infrastructure in safe location Identify mission-critical systems Identify resources needed to run those systems Prepare remote backup facilities Hot sites are remote processing centers run by commercial disaster-recovery services. For a monthly fee, they provide all the equipment needed to continue operations following a disaster. Cold sites provide office space, but customers themselves provide and install the equipment needed to continue operations. A backup facility is very expensive, but the costs of maintaining that facility are a form of insurance. Every organization should think about how it will respond to security incidences that may occur, before they actually happen. Have plan in place Centralized reporting Practice! Chapter 12: Information Security Management 12-33

34. Chapter 12: Information Security Management Q7 � What is the extent of computer crime? 12-34

35. Q7 � What is the extent of computer crime? The full extent of computer crime is unknown. There is no national census because many organizations are reluctant to report losses for fear of alienating customers, suppliers, and business partners. A 2006 survey estimated that the total loss due to computer crime is at least $52.5 billion. This chart shows the top four sources of computer crime and the total dollar loss (2006 FBI/CSI Survey). Chapter 12: Information Security Management 12-35

36. Summary Computer threats come from human error, malicious human activity, and natural disaster. Five types of security problems are unauthorized data disclosure, incorrect data modification, faulty service, denial of service, and loss of infrastructure. Management has three critical security functions: establishing a security policy, educating employees about security, and managing security risk. Security safeguards are classified into technical, data, and human categories. Disaster preparedness safeguards include asset location, identification of mission-critical systems, and the preparation of remote backup facilities. Organizations should prepare for security incidents ahead of time by developing a plan, ensuring centralized reporting, defining responses to specific threats, and practicing the plan. Chapter 12: Information Security Management 12-36

37. Review: Select the appropriate term for each item Combination of hardware and/or software designed to keep unwanted users out of a system Firewall Sending an e-mail claiming to be a legitimate enterprise in an attempt to get confidential information Phishing In addition to numbers, upper-, and lower-case letters, one of these should be in every password Special character Software installed on a user�s computer without the user�s knowledge which monitor�s user�s activity Spyware Agency that issues digital certificates Certificate authority Ensures a message has not been altered Digital signature Uses a public key and a private key Asymmetric encryption Pretending to be someone else Spoofing A technique to intercept computer communications Sniffing Chapter 12: Information Security Management 12-37