IT Security, Crime, Compliance, and Continuity
Chapter 5
5-1
Copyright 2012 John Wiley & Sons, Inc.
Course
Part II. Data and Network Infrastructure
Chapter 5 Outline
5.1 Protecting Data and Business Operations
5.2 IS Vulnerabilities and Threats
5.3 Fraud, Crimes, and Violations
5.4 Information Assurance and Risk Management
5.5 Network Security
5.6 Internal Control and Compliance
5.7 Business Continuity and Auditing
5-2
Chapter 5 Learning Objectives
Understand the objectives, functions, and financial value of IT security.
Recognize IS vulnerabilities, threats, attack methods, and cybercrime symptoms.
Understand crimes committed against computers and crimes committed with computers.
Explain key methods of defending information systems, networks, and wireless devices.
Understand network security risks and defenses.
Describe internal control, fraud, and fraud legislation.
Understand business continuity and disaster recovery planning methods.
5-3
5.1 Protecting Data and Business Operations
5-4
IT security: the protection of data, systems, networks, and operations.
Technology defenses are necessary, but they’re not sufficient because protecting data and business operations also involves:
• Implementing and enforcing acceptable use policies (AUPs).
• Complying with government regulations and laws.
• Making data available 24x7 while restricting access.
• Promoting secure and legal sharing of information.
IT Security Principles
5-5
Know Your Enemy and Your Risks
IT security risks are business risks
Threats range from high-tech exploits to gain access to a company’s networks to non-tech tactics such as stealing laptops or items of value. Common examples:
• Malware (malicious software): viruses, worms, trojan horses, spyware, and disruptive or destructive programs
• Insider error or action, either intentional or unintentional.
• Fraud
• Fire, flood, or other natural disasters
5-6
IT at Work 5.1 $100 Million Data Breach
May 2006: a laptop and external hard drive belonging to the U.S. Dept of Veterans Affairs (VA) were stolen during a home burglary.
Data on 26.5 million veterans and spouses had been stored in plaintext.
VA Secretary Jim Nicholson testified before Congress that it would cost at least $10 million just to inform veterans of the security breach.
Total cost of data breach: $100 million
5-7
Risks
• Cloud computing
• Social networks
• Phishing
• Search engine manipulation
• Money laundering
• Organized crime
• Terrorist financing
5-8
IT Security Defense-in-Depth Model
5-9
5.2 IS Vulnerabilities and Threats
Unintentional
• human error
• environmental hazards
• computer system failure
Intentional
• hacking
• malware
• manipulation
5-10
5-11
Figure 5.4 How a computer virus can spread
Malware and Botnet Defenses
Anti-virus software
Firewalls
Intrusion detection systems (IDS)
Intrusion prevention systems (IPS)
5-12
5.3 Fraud, Crimes, and Violations
2 categories of crime:
• Violent
• Nonviolent
Fraud is nonviolent crime because instead of a gun or knife, fraudsters use deception, confidence, and trickery.
Occupational fraud refers to the deliberate misuse of the assets of one’s employer for personal gain.
5-13
IT at Work 5.4 Madoff Defrauds Investors of $64.8 Billion
Bernard Madoff is in jail after pleading guilty in 2009 to the biggest fraud in Wall Street history.
Fundamentally, Madoff relied on social engineering and the predictability of human nature to generate income for himself.
5-14
Figure 5.5
Annual Returns on a Madoff-Investor’s account from 2001-2007
Internal Fraud Prevention and Detection
IT has a key role to play in demonstrating effective corporate governance and fraud prevention.
Internal fraud prevention measures are based on the same controls used to prevent external intrusions—perimeter defense technologies, such as firewalls, e-mail scanners, and biometric access.
Fraud detection can be handled by intelligent analysis engines using advanced data warehousing and analytics techniques.
5-15
5.4 IT and Network Security
Objectives of a defense strategy
1. Prevention and deterrence
2. Detection
3. Containment
4. Recovery
5. Correction
6. Awareness and compliance
5-16
5-17
Figure 5.6 Major defense controls
Major categories of general controls
physical controls
access controls
biometric controls
communication network controls
administrative controls
application controls
endpoint security and control
5-18
5-19
Figure 5.7 Intelligent agents
5.5 Network Security
5-20
Figure 5.8 Three layers of network security measures
5-21
Figure 5.9 Where IT security mechanisms are located
Authentication
Questions to help authenticate a person:
1. Who are you? Is this person an employee, a partner, or a customer? Different levels of authentication would be set up for different types of people.
2. Where are you? For example, an employee who has already used a badge to access the building is less of a risk than an employee logging on from a remote site.
3. What do you want? Is this person accessing sensitive or proprietary information or simply gaining access to benign data?
5-22
5.6 Internal Control and Compliance
Internal control (IC) is a process designed to achieve:
• reliability of financial reporting
• operational efficiency
• compliance with laws
• regulations and policies
• safeguarding of assets
5-23
Internal Controls Needed for Compliance
Sarbanes-Oxley Act (SOX) is an antifraud law.
• It requires more accurate business reporting and disclosure of GAAP (generally accepted accounting principles) violations, including fraud.
SOX and the SEC made it clear that if controls can be ignored, there is no control—a violation of SOX.
If the company shows its employees that the company can find out everything that every employee does and use that evidence to prosecute, then the feeling that “I can get away with it” drops drastically.
5-24
Symptoms of Fraud That Can Be Detected by Internal Controls
• Missing documents
• Delayed bank deposits
• Numerous outstanding checks or bills
• Employees who do not take vacations
• A large drop in profits
• A major increase in business with one particular customer
• Customers complaining about double billing
• Repeated duplicate payments
• Employees with the same address or phone number as a vendor
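Two of the symptoms listed above, repeated duplicate payments and employees who share an address or phone number with a vendor, are the kind of check an internal-control program can automate against accounts-payable and HR records. The following Python script is an added illustration, not code from the textbook; the payment, vendor and employee records in it are constructed sample data, and the field names are assumptions about how such records might be laid out.

```python
from collections import Counter, defaultdict

# Constructed sample records for illustration only (not data from the textbook).
# A real implementation would read these from the accounts-payable, vendor
# master and HR systems.
PAYMENTS = [
    {"id": 1, "vendor": "Acme Supply", "invoice": "INV-1001", "amount": 1250.00},
    {"id": 2, "vendor": "Acme Supply", "invoice": "INV-1001", "amount": 1250.00},  # repeat
    {"id": 3, "vendor": "Northwind Ltd", "invoice": "NW-77", "amount": 400.00},
    {"id": 4, "vendor": "Acme Supply", "invoice": "INV-1002", "amount": 900.00},
    {"id": 5, "vendor": "Acme Supply", "invoice": "INV-1001", "amount": 1250.00},  # repeat
]

VENDORS = [
    {"name": "Acme Supply", "address": "12 Elm St", "phone": "555-0100"},
    {"name": "Northwind Ltd", "address": "9 Harbor Rd", "phone": "555-0199"},
    {"name": "QuickFix Services", "address": "40 Oak Ave", "phone": "555-0142"},
]

EMPLOYEES = [
    {"name": "J. Smith", "address": "40 Oak Ave", "phone": "555-0177"},  # same address as QuickFix
    {"name": "A. Lee", "address": "3 Pine Ct", "phone": "555-0100"},     # same phone as Acme
    {"name": "R. Gomez", "address": "7 Lake Dr", "phone": "555-0133"},
]


def duplicate_payments(payments):
    """Symptom: repeated duplicate payments.

    Groups payments by (vendor, invoice number, amount) and returns the
    groups that were paid more than once, with how many times each was paid.
    """
    counts = Counter((p["vendor"], p["invoice"], p["amount"]) for p in payments)
    return {key: n for key, n in counts.items() if n > 1}


def _normalize(value):
    """Lower-case and strip punctuation/spaces so '40 Oak Ave' and '40 oak ave.' match."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def employee_vendor_matches(employees, vendors):
    """Symptom: employees with the same address or phone number as a vendor.

    Returns (employee name, vendor name, matching field) triples.
    """
    index = defaultdict(list)
    for vendor in vendors:
        for field in ("address", "phone"):
            index[(field, _normalize(vendor[field]))].append(vendor["name"])
    matches = []
    for emp in employees:
        for field in ("address", "phone"):
            for vendor_name in index.get((field, _normalize(emp[field])), []):
                matches.append((emp["name"], vendor_name, field))
    return matches


def run_checks(payments=PAYMENTS, employees=EMPLOYEES, vendors=VENDORS):
    """Run both checks and return the findings for review by internal audit."""
    return {
        "duplicate_payments": duplicate_payments(payments),
        "employee_vendor_matches": employee_vendor_matches(employees, vendors),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

Both checks produce leads, not conclusions: a repeated invoice may be a legitimate installment and a shared phone number may be a family business, so findings go to an auditor rather than triggering automatic action. Normalizing addresses and phone numbers before comparing is what makes the vendor match useful in practice, since the two systems rarely store them in the same format.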
5-25
5.7 Business Continuity and Auditing
An important element in any security system is the business continuity plan, also known as the disaster recovery plan.
The plan outlines the process by which businesses should recover from a major disaster.
The purpose of a business continuity plan is to keep the business running after a disaster occurs.
• Each business function should have a valid recovery capability plan.
• The plan should be written so that it will be effective in case of disaster, not just in order to satisfy the auditors.
5-26
Risk-Management Analysis
Expected loss = P1 × P2 × L where:
P1 = probability of attack
P2 = probability of attack being successful
L = loss occurring if attack is successful
Example:
P1 = .02, P2 = .10, L = $1,000,000
Expected loss from this particular attack is
P1 × P2 × L = 0.02 × 0.1 × $1,000,000 = $2,000
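The formula is most useful when applied to several threats at once so they can be ranked, and when the expected loss with and without a control is compared to the control's cost. The Python below is an added example, not from the textbook: it encodes the slide's formula, reproduces the slide's $2,000 case, and goes beyond it by ranking a set of constructed scenarios and computing a control's net benefit. The scenario probabilities, loss figures and the control cost are illustrative assumptions.

```python
def expected_loss(p_attack, p_success, loss):
    """Expected loss = P1 x P2 x L, exactly as on the slide.

    p_attack  (P1): probability that the attack is attempted
    p_success (P2): probability that an attempted attack succeeds
    loss      (L):  loss if the attack succeeds, in dollars
    """
    for p in (p_attack, p_success):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability {p} must lie between 0 and 1")
    if loss < 0:
        raise ValueError("loss must be non-negative")
    return p_attack * p_success * loss


def rank_scenarios(scenarios):
    """Compute expected loss for each scenario and sort highest first.

    Each scenario is a dict with keys name, p_attack, p_success, loss.
    Returns a list of (name, expected_loss) tuples.
    """
    ranked = [
        (s["name"], expected_loss(s["p_attack"], s["p_success"], s["loss"]))
        for s in scenarios
    ]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def net_benefit(loss_before, loss_after, annual_control_cost):
    """Annual benefit of a control: expected loss it removes minus what it costs.

    A positive value means the control is cost-justified on this basis alone.
    (This extension is an assumption of the example, not a formula from the slide.)
    """
    return (loss_before - loss_after) - annual_control_cost


# The slide's own worked example: P1 = .02, P2 = .10, L = $1,000,000 -> $2,000.
SLIDE_EXAMPLE = expected_loss(0.02, 0.10, 1_000_000)

# Constructed scenarios with illustrative numbers (not from the textbook).
SCENARIOS = [
    {"name": "laptop with plaintext data stolen", "p_attack": 0.30, "p_success": 0.50, "loss": 500_000},
    {"name": "phishing leads to account takeover", "p_attack": 0.60, "p_success": 0.05, "loss": 250_000},
    {"name": "flood in the server room", "p_attack": 0.01, "p_success": 0.80, "loss": 2_000_000},
]

if __name__ == "__main__":
    print(f"slide example: ${SLIDE_EXAMPLE:,.0f}")
    for name, value in rank_scenarios(SCENARIOS):
        print(f"{value:>12,.0f}  {name}")
    # Assumed control: full-disk encryption at $20,000/year drops P2 for the
    # stolen-laptop case from 0.50 to 0.02 (the attacker gets the device but not the data).
    before = expected_loss(0.30, 0.50, 500_000)
    after = expected_loss(0.30, 0.02, 500_000)
    print(f"net benefit of encryption: ${net_benefit(before, after, 20_000):,.0f}")
```

Ranking by expected loss rather than by worst-case loss is the point: the flood has the largest L but a low P1, so it ranks below the stolen laptop. The VA breach in IT at Work 5.1 is the same pattern, a cheap control (encryption of the stored data) that would have cut P2 for a very likely event.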
5-27
Ethical issues
Implementing security programs raises many ethical issues.
Handling the privacy versus security dilemma is tough.
Ethical and legal obligations may require companies to “invade the privacy” of employees and monitor their actions.
Under the doctrine of duty of care, senior managers and directors have a fiduciary obligation to use reasonable care to protect the company’s business operations.
5-28
Chapter 5 Link Library
Information Security Magazine http://searchsecurity.techtarget.com
CIO Magazine, IT Security http://cio.com/topic/3089/Security
Computer and Internet Security http://cnet.com/internet-security
IT Governance Institute http://itgi.org
U.S. Computer Emergency Readiness Team http://us-cert.gov/cas/tips/
SANS Information Security Reading Room sans.org/reading_room/
Privacy news from around the world pogowasright.org/
Government Computer News (GCN) http://gcn.com/
CompTIA http://comptia.org/
F-Secure http://f-secure.com/en_US/security/security-center/
Social engineering http://symantec.com/connect/articles/social-engineering
5-29