Post on 18-Dec-2015

216 views

Category:

Documents


0 download

TRANSCRIPT

Dr. Chen, Management Information Systems

Chapter 12 Information Security Management

Jason C. H. Chen, Ph.D., Professor of MIS
School of Business Administration, Gonzaga University, Spokane, WA 99258
[email protected]

Could Someone Be Getting To Our Data?

• Stealing only from weddings of club members
• Knowledge: how to access the system and database, and SQL
• Access: passwords on yellow stickies; many copies of the key to the server building
• Suspect: the greens keeper guy's "a techno-whiz," created a report for Anne, knows SQL and how to access the database


Chapter Preview

• This chapter describes common sources of security threats and explains management’s role in addressing those threats. It defines the major elements of an organizational security policy. It presents the most common types of technical, data, and human security safeguards. We then discuss how organizations should respond to security incidents, and, finally, examine common types of computer crime.

• Primary focus is on management’s responsibility for the organization’s security policy and for implementing human security safeguards.

• We approach this topic from the standpoint of a major organization that has professional staff in order to learn the tasks that need to be accomplished. Both MRV and FlexTime need to adapt the full-scale security program to their smaller requirements and more limited budget.


Study Questions

Q1: What is the goal of information systems security?

Q2: How should you respond to security threats?

Q3: How should organizations respond to security threats?

Q4: What technical safeguards are available?

Q5: What data safeguards are available?

Q6: What human safeguards are available?

Q7: 2022?


Q1: What Is the Goal of Information Systems Security?

The IS Security Threat/Loss Scenario

• Threat: a person or organization that seeks to obtain data or other assets illegally, without the owner's permission and often without the owner's knowledge.
• Vulnerability: an opportunity for threats to gain access to individual or organizational assets.
• Safeguard: some measure that individuals or organizations take to block the threat from obtaining the asset.
• Target: the asset that is desired by the threat.


Fig 12-1 Threat/Loss Scenario

Safeguards

Fig 12-extra Security Safeguards as They Relate to the Five Components

• There are three components of a sound organizational security program:
– Senior management must establish a security policy and manage risks.
– Safeguards of various kinds must be established for all five components of an IS, as the figure demonstrates.
– The organization must plan its incident response before any problems occur.


Examples of Threat/Loss


Fig 12-2 Examples of Threat/Loss


What Are the Sources of Threats?

• Security threats arise from three sources:

1. Human error and mistakes,

2. Computer crime, and

3. Natural events and disasters.


Human Errors and Mistakes

• Human errors and mistakes include accidental problems caused by both employees and nonemployees:
– An employee misunderstands operating procedures and accidentally deletes customer records.
– An employee, while backing up a database, inadvertently installs an old database on top of the current one.
• The category also includes poorly written application programs and poorly designed procedures.
• Physical accidents, such as driving a forklift through the wall of a computer room.


Computer Crime

• Employees and former employees who intentionally destroy data or other system components

• Hackers who break into a system; virus and worm writers who infect computer systems

• Outside criminals who break into a system to steal for financial gain

• Terrorism

Q/A

Which of the following is most likely to be the result of hacking?
A) certain Web sites being blocked from viewing for security reasons
B) small amounts of spam in your inbox
C) an unexplained reduction in your account balance
D) pop-up ads appearing frequently
Answer: C


Natural Events and Disasters

• Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature

• Includes the initial loss of capability and service, and losses stemming from actions to recover from the initial problem


Fig 12-3 Security Problems and Sources

What Types of Security Loss Exist?

Unauthorized Data Disclosure
• Pretexting
• Phishing
• Spoofing
– IP spoofing
– Email spoofing
• Drive-by sniffers
• Hacking
• Natural disasters

Incorrect Data Modification

• Procedures not followed or incorrectly designed procedures
• Increasing a customer's discount or incorrectly modifying an employee's salary
• Placing incorrect data on the company Web site
• Improper internal controls on systems
• System errors
• Faulty recovery actions after a disaster

Faulty Service

• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)

Loss of Infrastructure

• Human accidents
• Theft and terrorist events
• Disgruntled or terminated employees
• Natural disasters


How Big Is the Computer Security Problem?


Fig 12-4 Sample Arrests and Convictions Reported by the US Department of Justice


Percent of Security Incidents


Fig 12-5 Percent of Security Incidents


Goal of Information Systems Security

• Threats can be stopped, or at least threat loss reduced

• Safeguards are expensive and reduce work efficiency

• Find trade-off between risk of loss and cost of safeguards



Q2: How Should You Respond to Security Threats?


Fig 12-6 Personal Security Safeguards

Q/A

T/F: Cookies enable one to access Web sites without having to sign in every time.
Answer: TRUE


Q3. How Should Organizations Respond to Security Threats?

• NIST Handbook of Security Elements


Fig 12-7 Management Guidelines for IS Security

What Are the Elements of a Security Policy?

Elements of Security Policy
1. General statement of the organization's security program
2. Issue-specific policy
3. System-specific policy

Managing Risks
• Risk: threats and consequences we know about
• Uncertainty: things we do not know that we do not know


What Are the Elements of a Security Policy?

• Security policy has three elements:
1. A general statement of the organization's security program. This statement becomes the foundation for more specific security measures. Management specifies the goals of the security program and the assets to be protected. The statement designates a department for managing the security program and its documents. In general terms, it specifies how the organization will ensure enforcement of security programs and policies.
2. Issue-specific policy. Personal use of computers at work and email privacy.
3. System-specific policy. What customer data from the order-entry system will be sold or shared with other organizations? Or, what policies govern the design and operation of systems that process employee data? Addressing such policies is part of the standard systems development process.

Q/A

Which of the following is an example of a system-specific security policy?
A) limiting the personal use of an organization's computer systems
B) deciding what customer data from the order-entry system will be shared with other organizations
C) designating a department for managing an organization's IS security
D) inspecting an employee's personal email for compliance with company policy
Answer: B


How Is Risk Managed?

• Risk is the likelihood of an adverse occurrence. Management cannot manage threats directly, but can limit security consequences by creating a backup processing facility at a remote location.
• Companies can reduce risks, but always at a cost. It is management's responsibility to decide how much to spend, or, stated differently, how much risk to assume.
• Uncertainty refers to a lack of knowledge, especially about the chance of occurrence or risk of an outcome or event.
– An earthquake could devastate a corporate data center built on a fault that no one knew about.
– An employee finds a way to steal inventory using a hole in the corporate Web site that no expert knew existed.

Risk Assessment and Management

Risk Assessment
• Tangible consequences
• Intangible consequences
• Likelihood
• Probable loss

Risk-Management Decisions
• Given probable loss, what to protect?
• Which safeguards are inexpensive and easy?
• Which vulnerabilities are expensive to eliminate?
• How to balance the cost of safeguards with the benefits of probable loss reduction?

Factors to Consider in Risk Assessment and Risk Management Decisions

Fig 12-Extra Risk Assessment Factors

When you are assessing risks to an information system you must first determine: what the threats are, how likely they are to occur, and the consequences if they occur. The figure lists the factors you should include in a risk assessment. Once you have assessed the risks to your information system, you must make decisions about how much security you want to pay for. Each risk-management decision carries consequences. Some risk is easy and inexpensive to manage; some risk is expensive and difficult. Managers have a fiduciary responsibility to the organization to adequately manage risk.


Factors to Consider in Risk Assessment: Brief Summary

• Safeguard is any action, device, procedure, technique, or other measure that reduces a system's vulnerability to a threat. No safeguard is ironclad; there is always a residual risk that it will not protect the assets in all circumstances.
• Vulnerability is an opening or a weakness in the security system. Some vulnerabilities exist because there are no safeguards or because existing safeguards are ineffective.
• Consequences are damages that occur when an asset is compromised. Consequences can be tangible or intangible. Tangible consequences are those whose financial impact can be measured. Intangible consequences, such as the loss of customer goodwill due to an outage, cannot be measured.


Factors to Consider in Risk Assessment: Brief Summary

(Final Two Factors in Risk Assessment)

• Likelihood is the probability that a given asset will be compromised by a given threat, despite the safeguards.

• Probable loss is the "bottom line" of risk assessment. To obtain a measure of probable loss, companies multiply likelihood by the cost of the consequences. Probable loss also includes a statement of intangible consequences.
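As an added worked example that is not part of the slides, the probable-loss arithmetic of this slide (likelihood times cost of consequences) is carried through for a small constructed risk register, and then used for the risk-management decision of the earlier Risk Assessment and Management slide: each candidate safeguard's cost is weighed against the probable-loss reduction it buys. The register, the candidate safeguards, their dollar figures and the assumed likelihood reductions are all constructed for illustration; intangible consequences are carried as a note, since the deck says they cannot be measured.

```go
package main

import (
	"fmt"
	"sort"
)

// Risk is one row of a risk assessment: an asset, the threat to it, the
// tangible cost of one compromise, and the likelihood per year that the
// threat succeeds despite current safeguards. Intangible consequences
// cannot be priced, so they travel as a note outside the arithmetic.
type Risk struct {
	Asset, Threat string
	Consequence   float64 // tangible cost of one occurrence, in dollars
	Likelihood    float64 // probability of occurrence per year, 0..1
	Intangible    string  // e.g. loss of customer goodwill
}

// ProbableLoss is the deck's "bottom line": likelihood × cost of consequences.
func (r Risk) ProbableLoss() float64 { return r.Likelihood * r.Consequence }

// Safeguard is a candidate measure: its annual cost and the fraction by which
// it reduces the likelihood of the risk it addresses (0 = none, 1 = eliminates).
type Safeguard struct {
	Name      string
	RiskIndex int     // index into the register of the risk it protects
	Cost      float64 // annual cost, in dollars
	Reduction float64 // assumed fractional reduction in likelihood
}

// Benefit is the reduction in probable loss the safeguard buys.
func (s Safeguard) Benefit(register []Risk) float64 {
	return register[s.RiskIndex].ProbableLoss() * s.Reduction
}

// NetValue is benefit minus cost; positive means the safeguard pays for itself.
func (s Safeguard) NetValue(register []Risk) float64 {
	return s.Benefit(register) - s.Cost
}

// Recommend keeps the safeguards whose benefit exceeds their cost, best first.
// Everything else is risk that management knowingly chooses to assume.
func Recommend(register []Risk, candidates []Safeguard) []Safeguard {
	var keep []Safeguard
	for _, s := range candidates {
		if s.NetValue(register) > 0 {
			keep = append(keep, s)
		}
	}
	sort.Slice(keep, func(i, j int) bool {
		return keep[i].NetValue(register) > keep[j].NetValue(register)
	})
	return keep
}

// Constructed sample register and candidate safeguards (hypothetical figures).
var Register = []Risk{
	{"customer database", "theft by insider with SQL access", 200000, 0.10, "loss of customer goodwill"},
	{"data center", "fire", 1000000, 0.01, ""},
	{"order-entry Web site", "defacement via unknown hole", 20000, 0.30, "reputation"},
}

var Candidates = []Safeguard{
	{"lock up server-room keys, ban passwords on sticky notes", 0, 5000, 0.5},
	{"hot-site contract", 1, 60000, 0.9},
	{"annual security testing of the Web site", 2, 2000, 0.5},
}

func main() {
	for _, s := range Recommend(Register, Candidates) {
		fmt.Printf("buy: %-55s net value $%.0f/yr\n", s.Name, s.NetValue(Register))
	}
}
```

With these figures the hot-site contract is rejected: its $60,000 cost exceeds the $9,000 probable-loss reduction it buys, which is the kind of trade-off the slide says management must make.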

Q/A

Which of the following is an example of an intangible consequence?
A) a dip in sales because supplies were not replenished
B) a loss of customer goodwill due to an outage
C) a drop in production due to plant maintenance
D) a financial loss due to high input costs
Answer: B


Q4: What Technical Safeguards Are Available?


Fig 12-8 Technical Safeguards


List of Primary Technical Safeguards

You can establish five technical safeguards for the hardware and software components of an information system, as Figure 12-8 shows.

• 1. Identification and authentication includes (1) passwords (what you know), (2) smart cards (what you have), (3) biometric authentication (what you are), and (4) single sign-on for multiple systems (Kerberos).
– Since users must access many different systems, it is often more secure, and easier, to establish single sign-on.
– Kerberos authenticates users without sending passwords across the network. "Tickets" enable users to obtain services from multiple networks and servers. Windows, Linux, and Unix employ Kerberos.

List of Primary Technical Safeguards (cont.)

• Identification and authentication (cont.): (5) Wireless systems pose additional threats.
– VPNs and special security servers
– Wired Equivalent Privacy (WEP): first developed
– Wi-Fi Protected Access (WPA): more secure
– Wi-Fi Protected Access 2 (WPA2): newest and most secure

Note: items 4 and 5 are system access protocols.

Q/A

T/F: A magnetic strip holds far more data than a microchip.
Answer: FALSE

2. Encryption

Fig 12-9 Basic Encryption Techniques

• Encryption is the second safeguard you can establish for an IS. The chart on this slide and the next describes each technique.

T/F: Asymmetric encryption is simpler and much faster than symmetric encryption.
Answer: FALSE

Essence of HTTPS (SSL or TLS)

Fig 12-10 The Essence of HTTPS (SSL or TLS)

Which of the following observations concerning Secure Socket Layer (SSL) is true?
A) It uses only asymmetric encryption.
B) It is a useful hybrid of symmetric and asymmetric encryption techniques.
C) It works between Levels 2 and 3 of the TCP-OSI architecture.
D) It is a stronger version of HTTPS.
Answer: B

You are transferring funds online through the Web site of a reputed bank. Which of the following displayed in your browser's address bar will let you know that the bank is using the SSL protocol?
A) http
B) www
C) https
D) .com
Answer: C

3. Firewalls

Fig (extra) Use of Multiple Firewalls

• Firewalls, the third technical safeguard, are computing devices that prevent unauthorized network access. They should be installed and used with every computer that is connected to any network, especially the Internet.
– The diagram shows how perimeter and internal firewalls are special devices that help protect a network.
– Packet-filtering firewalls are programs on general-purpose computers or on routers that examine each packet entering the network.

Symptoms of Adware and Spyware

Fig 12-8 Spyware & Adware Symptoms

• Malware protection is the fourth technical safeguard. We will concentrate on spyware and adware here.
– Spyware consists of programs that may be installed on your computer without your knowledge or permission.
– Adware is a benign program that is also installed without your permission. It resides in your computer's background and observes your behavior.
– If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer.

This slide is for lecture


4. Malware Protection

• Malware protection (fourth technical safeguard):
– Spyware resides in the background, unknown to the user; it observes the user's actions and keystrokes, monitors computer activity, and reports the user's activities to sponsoring organizations. Some spyware captures keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Some supports marketing analyses, observing what users do, Web sites visited, products examined and purchased, and so forth.
– Adware does not perform malicious acts or steal data. It watches user activity and produces pop-up ads. Adware can change the user's default window or modify search results and switch the user's search engine.
– Beacons are tiny files that gather demographic information (e.g., gender, age, income). The information is refreshed in real time and sold to other companies.

4. Malware Types and Spyware and Adware Symptoms (cont.)

• Malware types:
– Viruses
– Payload
– Trojan horses
– Worms
– Beacons

Spyware & Adware Symptoms

Fig 12-11 Spyware & Adware Symptoms

If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer.


Malware Safeguards

1. Antivirus and antispyware programs

2. Scan frequently

3. Update malware definitions

4. Open email attachments only from known sources

5. Install software updates

6. Browse only reputable Internet neighborhoods


Bots, Botnets, and Bot Herders

• Bot: surreptitiously installed; takes actions unknown to and uncontrolled by the user or administrator. Some are very malicious, others annoying.
• Botnet: a network of bots created and managed by an individual or organization that infects networks with a bot program.
• Bot herder: the individual or organization that controls the botnet. Botnets are serious problems for commerce and national security.

It is believed that a unit of the North Korean Army served as a bot herder for a botnet that caused denial-of-service attacks on Web servers in South Korea and in the United States in July 2009.


5. Design Secure Applications

• Designing secure applications is the last (fifth) technical safeguard.

• You should ensure that any information system developed for you and your department includes security as one of the application requirements.

Q5: What Data Safeguards Are Available?

Fig 12-12 Data Safeguards

Data safeguards are measures used to protect databases and other organizational data.

An organization should follow the safeguards listed in this figure. Remember, data and the information from it are one of the most important resources an organization has.

Some Important Data Safeguards

• Sensitive data should be protected by storing it in encrypted form. When data are encrypted, a trusted party should have a copy of the encryption key. This safety procedure is called key escrow.
• Periodically create backup copies of database contents.
• The DBMS and all devices that store database data should reside in locked, controlled-access facilities. Physical security was a problem that MRV had when it lost its data.
• Organizations may contract with other companies to manage their databases, inspect their premises, and interview their personnel to make sure they practice proper data protections.


Q6: Human Safeguards for Employees


• Human safeguards for employees are some of the most important safeguards an organization can deploy.

• They should be coupled with effective procedures to help protect information systems.

• This figure shows the safeguards for in-house employees.

Fig 12-13 Human Safeguards for Employees (In-house Staff)

Human Safeguards for Nonemployee Personnel

• Nonemployee personnel: least-privileged accounts
• Contract personnel: specify security responsibilities
• Public users: harden the site
• Require vendors and partners to perform appropriate screening and security training
• Specify security responsibilities for work to be performed

Account Administration

• Account management: standards for new user accounts, modification of account permissions, removal of unneeded accounts
• Password management: users should change passwords frequently
• Help desk policies


Account Administration

• Account administration is the third type of human safeguard and has three components: account management, password management, and help-desk policies.
– Account management focuses on standards for new user accounts, modification of account permissions, and removal of unneeded accounts.
– Password management requires that users immediately change newly created passwords and change passwords periodically.
– Help desk policies.

Fig 12-14 Sample Account Acknowledgement Form

Systems Procedures

• Effective system procedures can help increase security and reduce the likelihood of computer crime. As this figure shows, procedures should exist for both system users and operations personnel that cover normal, backup, and recovery procedures.

Fig 12-15 Systems Procedures

Security monitoring is the last human safeguard. It includes: activity log analyses, security testing, and investigating and learning from security incidents.

Security Monitoring Functions

• Activity log analyses: firewall, DBMS, Web server
• Security testing: in-house and external
• Investigation of incidents
• Create "honeypots"

Responding to Security Incidents

• Human error and computer crimes: procedures for how to respond to security problems, whom to contact, data to gather, and steps to reduce further loss
• Centralized reporting of all security incidents
• Incident-response plan (see next slide)
• Emergency procedures

Incident-Response Plan

• Along with disaster preparedness plans, every organization should think about how it will respond to security incidents that may occur, before they actually happen. The figure below lists the major factors that should be included in any incident response.

Fig 12 (extra) Factors in Incident Response


Major Disaster-Preparedness Tasks

• No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems. This figure describes disaster preparedness tasks for every organization, large and small. The last item that suggests an organization train and rehearse its disaster preparedness plans is very important.

Fig 12-16 Disaster Preparedness Tasks


Disaster-Recovery Backup Sites

• Hot site: a utility company that can take over another company's processing with no forewarning. Hot sites are expensive; organizations pay $250,000 or more per month for such services.
• Cold site: provides computers and office space. Cold sites are cheaper to lease, but customers install and manage the systems themselves. The total cost of a cold site, including all customer labor and other expenses, might not necessarily be less than the cost of a hot site.

Q7: 2022?

• Challenges likely to be iOS and other intelligent portable devices
• Harder for the lone hacker to find a vulnerability to exploit
• Continued investment in safeguards
• Continued problem of electronically porous national borders

• End of Chapter 12