
Chapter 9 Information Security: Barbarians at the Gateway (and Just About Everywhere Else)


tokala




Presentation Transcript


  1. Chapter 9 Information Security: Barbarians at the Gateway (and Just About Everywhere Else)

  2. Introduction
     • Business establishments are increasingly under risk of information security threats
     • Network in TJX retail store was infiltrated via an insecure Wi-Fi base station
     • 45.7 million credit and debit card numbers were stolen
     • Driver’s licenses and other private information pilfered from 450,000 customers
     • TJX suffered under settlement costs and court-imposed punitive action to the tune of $150 million

  3. The TJX Breach
     • Factors that amplified the severity of the TJX security breach are:
        • Personnel betrayal: An alleged FBI informant used insider information to mastermind the attacks
        • Technology lapse: TJX used WEP, an insecure wireless security technology
        • Procedural gaffe: TJX had received an extension on the rollout of mechanisms that might have discovered and plugged the hole before the hackers got in

  4. Lessons Learned
     • Information security must be a top organizational priority
     • Information security isn’t just a technology problem; a host of personnel and procedural factors can create and amplify a firm’s vulnerability
     • A constant vigilance regarding security needs to be part of individual skill sets and a key component of organizations’ culture

  5. Motivations for Criminals
     • Compromising computing assets for use in other crimes such as:
        • Sending spam from thousands of difficult-to-shut-down accounts
        • Launching tough-to-track click-fraud efforts
        • Distributed denial of service (DDoS) attacks
     • Extortionists might leverage botnets or hacked data to demand payment to avoid retribution

  6. Motivations for Criminals
     • Corporate espionage might be performed by insiders, rivals, or even foreign governments
     • Cyberwarfare
     • Devastating technology disruptions by terrorists that cut off power to millions
     • Terrorism
        • Compromising a key component in an oil refinery, forcing it to overheat, and causing an explosion
        • Taking out key components of vulnerable national power grids
     • Pranks involving setting off rumors that could have widespread repercussions
     • Protest hacking (hacktivism)
     • Revenge by disgruntled employees

  7. Response to Crime
     • Law enforcement agencies dealing with computer crime are increasingly outnumbered, out-skilled, and underfunded
     • Technically weak personnel trained in a prior era’s crime-fighting techniques
     • Governments rarely match the pay scale and stock bonuses offered by private industry

  8. Understanding Vulnerabilities
     • A large majority of security threats is posed by insiders
     • Rogue employees can steal secrets, install malware, or hold a firm hostage
     • Other insider threats to information security can come from:
        • Contract employees
        • Temporary staffers
        • Outsourcing key infrastructure components
        • Partner firms such as clients and technology providers

  9. Security and Employees
     • Main threat? From “inside the walls”
     • White-collar crime costs $400 billion per year
     • Average non-managerial embezzlement is $60,000
     • Average managerial embezzlement is $250,000
     • Two-thirds of insider fraud is not reported
     • 2 out of 5 businesses suffered 5+ fraud losses
     • One quarter of those cost more than $1 million

  10. Security and Employees
     • Computer-aided fraud
        • Vendor fraud
        • Writing payroll checks to fictitious employees
        • Claiming expense reimbursements for costs not incurred
        • Stealing security codes, credit card numbers, proprietary files
        • Stealing intellectual property
     • 10% completely honest, 10% will steal, 80% depends on circumstances
     • Theft is committed by those strapped for cash, who have access to poorly protected funds, and who perceive a low risk of getting caught

  11. Security and Employees
     • Triggers to unethical employee behavior:
        • Efforts to balance work and family
        • Poor internal communications
        • Poor leadership
        • Work hours, work load
        • Lack of management support
        • Need to meet sales, budget, or profit goals
        • Little or no recognition of achievements
        • Company politics
        • Personal financial worries
        • Insufficient resources

  12. Social Engineering
     • Con games trick employees into revealing information or performing other tasks that compromise a firm
     • Examples of social engineering methods include:
        • Baiting someone to add, deny, or clarify information that can help an attacker
        • Using harassment, guilt, or intimidation
     • Social media sites are a major source of information for social engineering scammers

  13. Phishing
     • Phishing refers to cons executed through technology
     • The goal is to leverage the reputation of a trusted firm or friend in order to trick a victim into performing an action or revealing information:
        • Requests to reset passwords
        • Requests to update information
        • Requests to download malware
     • Spear phishing attacks specifically target a given organization or group of users

  14. Passwords
     • Most users employ inefficient and insecure password systems:
        • Using the same password for different accounts
        • Making only minor tweaks in passwords
        • Writing passwords down
        • Saving passwords in personal e-mail accounts or on unencrypted hard drives
     • Challenge questions offered by many sites to automate password distribution and resets offer flimsy protection
     • Any firm not changing the default accounts and passwords sold with any software purchased risks having an open door
     • Users setting systems for open access leave their firms vulnerable to attacks

  15. Physical Threats
     • Dumpster diving: Sifting through trash to uncover valuable data or insights to facilitate attacks
     • Shoulder surfing: Looking over someone’s shoulder to glean a password or other proprietary information on a computer screen
     • Eavesdropping: Listening in on or recording conversations, transmissions, or keystrokes

  16. Taking Action as a User
     • Question links, enclosures, download requests, and the integrity of Web sites visited
     • Be on guard for phishing attacks, social engineering con artists, and other attempts to let in malware
     • Turn on software update features for your operating system and any application you use
     • Install a full suite of security software and regularly update it
     • Encrypt all valuable and sensitive data

  17. Taking Action as a User
     • Do not turn on risky settings like unrestricted folder sharing
     • Home networks should be secured with password protection and a firewall
     • Use VPN software when accessing public hotspots
     • Maintain a strict password regimen involving regular updating and changing default passwords
     • Regularly back up systems and destroy data on removable devices after use

  18. Taking Action as an Organization
     • Security frameworks aim to take all measures to ensure the security of a firm for its customers, employees, shareholders, and others
        • ISO 27000 series
     • Firms may also face compliance requirements — legal or professionally binding steps
     • Compliance does not equal security

  19. Taking Action as an Organization
     • Education, audit, and enforcement
        • Employees need to know a firm’s policies, be regularly trained, and understand that they will face strict penalties if they fail to meet their obligations
        • Include operations employees, the R&D function, representatives from general counsel, and audit in security teams
        • Audits include real-time monitoring of usage, announced audits, and surprise spot checks

  20. Taking Action as an Organization
     • Information security should start with an inventory-style audit and risk assessment
     • Firms should invest wisely in easily prevented methods to thwart common infiltration techniques
     • Security is an economic problem involving attack likelihood, costs, and prevention benefits
     • Tightening security and lobbying for legislation to impose severe penalties on crooks helps raise adversary costs and lowers the likelihood of breaches

  21. Role of Technology
     • Patches
        • Pay attention to security bulletins and install software updates that plug existing holes
        • Legitimate concerns exist over the ability of patches to unfavorably affect a firm’s systems
     • Lock down hardware
        • Reimage hard drives of end-user PCs
        • Disable boot capability of removable media
        • Prevent Wi-Fi use
        • Require VPN encryption for network transmissions

  22. Role of Technology
     • Lock down networks
        • Firewalls control network traffic, block unauthorized traffic, and permit acceptable use
        • Intrusion detection systems monitor network use for hacking attempts and take preventive action
        • Honeypots are seemingly tempting, bogus targets meant to lure hackers
        • Blacklists deny the entry or exit of specific IP addresses and other entities
        • Whitelists permit communication only with approved entities or in an approved manner
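The blacklist/whitelist distinction on this slide matters in practice because the two lists fail differently: a blacklist lets through anything it has not seen before, while a whitelist denies by default. The following is an added illustration (not code from the slides or the textbook) that evaluates the same constructed sample connections against both kinds of list. The address ranges and port sets are made up for the example.

```python
import ipaddress

# Constructed sample policy (not from the page). Ranges are documentation/test
# networks, chosen so the example never refers to a real host.
DENY_LIST = [ipaddress.ip_network("203.0.113.0/24")]      # a known-bad range

# Allow list: approved source range -> approved destination ports ("approved manner").
ALLOW_LIST = {
    ipaddress.ip_network("198.51.100.0/24"): {443},       # partner firm, HTTPS only
    ipaddress.ip_network("192.0.2.10/32"): {22, 443},     # one admin host, SSH + HTTPS
}


def deny_list_decision(src_ip, dst_port):
    """Blacklist semantics: permit everything except explicitly listed sources."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in DENY_LIST)


def allow_list_decision(src_ip, dst_port):
    """Whitelist semantics: permit only approved sources talking in an approved manner."""
    addr = ipaddress.ip_address(src_ip)
    for net, ports in ALLOW_LIST.items():
        if addr in net and dst_port in ports:
            return True
    return False            # default deny: anything unlisted is blocked


def evaluate(connections):
    """Return (ip, port, blacklist_allows, whitelist_allows) for each connection."""
    return [
        (ip, port, deny_list_decision(ip, port), allow_list_decision(ip, port))
        for ip, port in connections
    ]


# Constructed sample connection attempts: (source address, destination port).
SAMPLE_CONNECTIONS = [
    ("203.0.113.7", 443),      # listed bad range
    ("198.51.100.20", 443),    # partner, approved port
    ("198.51.100.20", 22),     # partner, port not approved
    ("192.0.2.10", 22),        # admin host, approved port
    ("100.64.0.5", 3389),      # never seen before: only the whitelist stops it
]

if __name__ == "__main__":
    for ip, port, bl, wl in evaluate(SAMPLE_CONNECTIONS):
        print(f"{ip:>15}:{port:<5} blacklist={'allow' if bl else 'deny':5} "
              f"whitelist={'allow' if wl else 'deny'}")
```

The last sample row is the point of the slide: the previously unseen source is waved through by the blacklist but blocked by the whitelist, which is why a whitelist is the stronger (and more administratively demanding) control.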

  23. Role of Technology
     • Increasingly internetworked infrastructures:
        • Need for concern about partners’, suppliers’, distributors’, and customers’ computer security (and your own)
     • Lock down partners
        • Insist on partner firms being compliant with security guidelines and audit them regularly
        • Use access controls to compartmentalize data access on a need-to-know basis
        • Use recording, monitoring, and auditing to hunt for patterns of abuse
        • Maintain multiple administrators to jointly control key systems

  24. Pointers for Firms
     • Lock down systems
        • Audit for SQL injection and other application exploits
     • Have failure and recovery plans
        • Employ recovery mechanisms to regain control in the event that key administrators are incapacitated or uncooperative
     • Broad awareness of infiltration reduces organizational stigma in coming forward
     • Share knowledge on techniques used by cybercrooks with technology partners
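The "audit for SQL injection" pointer is easier to act on with a concrete picture of what the audit is looking for. The following is an added example (not code from the slides or the textbook) that builds a constructed in-memory customer table, shows a lookup that splices user input into the SQL text beside the same lookup written with a bound parameter, and runs a small audit that counts how many rows each version returns for a malformed input. The table, data and function names are all assumptions made for the illustration.

```python
import sqlite3


def make_sample_db():
    """Constructed sample data: a tiny in-memory customers table (not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The defect an audit should flag: the caller's input becomes part of the SQL text,
    so a quote in the input can change what the query means."""
    query = f"SELECT name, card_last4 FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the value is bound by the driver and can only ever be compared as data."""
    return conn.execute(
        "SELECT name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


def audit_lookup(lookup):
    """Return how many rows the lookup hands back for a probe that contains a quote
    and a tautology; a correct lookup matches no customer, so anything above 0 is a finding."""
    probe = "x' OR '1'='1"
    conn = make_sample_db()
    try:
        return len(lookup(conn, probe))
    finally:
        conn.close()


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_parameterized):
        print(f"{fn.__name__:22} rows returned for probe: {audit_lookup(fn)}")
```

The vulnerable version hands back every customer's card digits for an input that matches no name, which is exactly the kind of result a code or penetration audit records; the parameterized version returns nothing for the same input and still finds a real customer by name.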
