IT Security, Crime, Compliance, and Continuity C hapter 5 5-1 Copyright 2012 John Wiley & Sons, Inc. Course Part II. Data and Network Infrastructure

Upload: steven-daniel

Post on 17-Dec-2015


IT Security, Crime, Compliance, and Continuity

Chapter 5

Course

Part II. Data and Network Infrastructure


Chapter 5 Outline

5.1 Protecting Data and Business Operations

5.2 IS Vulnerabilities and Threats

5.3 Fraud, Crimes, and Violations

5.4 Information Assurance and Risk Management

5.5 Network Security

5.6 Internal Control and Compliance

5.7 Business Continuity and Auditing


Chapter 5 Learning Objectives

Understand the objectives, functions, and financial value of IT security.

Recognize IS vulnerabilities, threats, attack methods, and cybercrime symptoms.

Understand crimes committed against computers and crimes committed with computers.

Explain key methods of defending information systems, networks, and wireless devices.

Understand network security risks and defenses.

Describe internal control, fraud, and fraud legislation.

Understand business continuity and disaster recovery planning methods.


5.1 Protecting Data and Business Operations


IT security: the protection of data, systems, networks, and operations.

Technology defenses are necessary, but they’re not sufficient because protecting data and business operations also involves:

• Implementing and enforcing acceptable use policies (AUPs).

• Complying with government regulations and laws.

• Making data available 24x7 while restricting access.

• Promoting secure and legal sharing of information.


IT Security Principles


Know Your Enemy and Your Risks

IT security risks are business risks

Threats range from high-tech exploits to gain access to a company’s networks to non-tech tactics such as stealing laptops or items of value. Common examples:

• Malware (malicious software): viruses, worms, trojan horses, spyware, and disruptive or destructive programs

• Insider error or action, either intentional or unintentional

• Fraud

• Fire, flood, or other natural disasters


IT at Work 5.1 $100 Million Data Breach

May 2006: a laptop and external hard drive belonging to the U.S. Dept of Veterans Affairs (VA) were stolen during a home burglary.

Data on 26.5 million veterans and spouses had been stored in plaintext.

VA Secretary Jim Nicholson testified before Congress that it would cost at least $10 million just to inform veterans of the security breach.

Total cost of data breach: $100 million


Risks

• Cloud computing

• Social networks

• Phishing

• Search engine manipulation

• Money laundering

• Organized crime

• Terrorist financing


IT Security Defense-in-Depth Model


5.2 IS Vulnerabilities and Threats

Unintentional:

• human error

• environmental hazards

• computer system failure

Intentional:

• hacking

• malware

• manipulation


Figure 5.4 How a computer virus can spread


Malware and Botnet Defenses

Anti-virus software

Firewalls

Intrusion detection systems (IDS)

Intrusion prevention systems (IPS)


5.3 Fraud, Crimes, and Violations

2 categories of crime:

• Violent

• Nonviolent

Fraud is nonviolent crime because instead of a gun or knife, fraudsters use deception, confidence, and trickery.

Occupational fraud refers to the deliberate misuse of the assets of one’s employer for personal gain.


IT at Work 5.4 Madoff Defrauds Investors of $64.8 Billion

Bernard Madoff is in jail after pleading guilty in 2009 to the biggest fraud in Wall Street history.

Fundamentally, Madoff relied on social engineering and the predictability of human nature to generate income for himself.

Figure 5.5 Annual Returns on a Madoff-Investor’s account from 2001-2007


Internal Fraud Prevention and Detection

IT has a key role to play in demonstrating effective corporate governance and fraud prevention.

Internal fraud prevention measures are based on the same controls used to prevent external intrusions—perimeter defense technologies, such as firewalls, e-mail scanners, and biometric access.

Fraud detection can be handled by intelligent analysis engines using advanced data warehousing and analytics techniques.


5.4 IT and Network Security

Objectives of a defense strategy

1. Prevention and deterrence

2. Detection

3. Containment

4. Recovery

5. Correction

6. Awareness and compliance


Figure 5.6 Major defense controls


Major categories of general controls

physical controls

access controls

biometric controls

communication network controls

administrative controls

application controls

endpoint security and control


Figure 5.7 Intelligent agents


5.5 Network Security


Figure 5.8 Three layers of network security measures


Figure 5.9 Where IT security mechanisms are located


Authentication

Questions to help authenticate a person:

1. Who are you? Is this person an employee, a partner, or a customer? Different levels of authentication would be set up for different types of people.

2. Where are you? For example, an employee who has already used a badge to access the building is less of a risk than an employee logging on from a remote site.

3. What do you want? Is this person accessing sensitive or proprietary information or simply gaining access to benign data?


5.6 Internal Control and Compliance

Internal control (IC) is a process designed to achieve:

• reliability of financial reporting

• operational efficiency

• compliance with laws, regulations, and policies

• safeguarding of assets


Internal Controls Needed for Compliance

Sarbanes-Oxley Act (SOX) is an antifraud law.

• It requires more accurate business reporting and disclosure of GAAP (generally accepted accounting principles) violations, including fraud.

SOX and the SEC made it clear that if controls can be ignored, there is no control—a violation of SOX.

If the company shows its employees that the company can find out everything that every employee does and use that evidence to prosecute, then the feeling that “I can get away with it” drops drastically.


Symptoms of Fraud That Can Be Detected by Internal Controls

• Missing documents

• Delayed bank deposits

• Numerous outstanding checks or bills

• Employees who do not take vacations

• A large drop in profits

• A major increase in business with one particular customer

• Customers complaining about double billing

• Repeated duplicate payments

• Employees with the same address or phone number as a vendor
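Two of the symptoms listed above can be checked mechanically by an internal control over the accounting data. The following is an added example, not part of the chapter or its slides: it runs over small constructed employee, vendor and payment records (all names, addresses and amounts are made up) and flags employees sharing an address or phone number with a vendor, and payments repeated for the same vendor, invoice and amount.

```python
# Added example (not from the chapter): two fraud-symptom checks over
# constructed records. Employee/vendor/payment data below is made up.
from collections import defaultdict

EMPLOYEES = [
    {"id": "E1", "name": "A. Clerk", "address": "12 Elm St", "phone": "555-0100"},
    {"id": "E2", "name": "B. Buyer", "address": "9 Oak Ave", "phone": "555-0177"},
]
VENDORS = [
    {"id": "V1", "name": "Acme Supply", "address": "40 Main St", "phone": "555-0199"},
    {"id": "V2", "name": "Quick Consulting", "address": "9 oak ave", "phone": "555-0300"},
]
PAYMENTS = [
    {"vendor": "V1", "invoice": "1001", "amount": 500.0},
    {"vendor": "V2", "invoice": "A-7", "amount": 2400.0},
    {"vendor": "V2", "invoice": "A-7", "amount": 2400.0},
    {"vendor": "V1", "invoice": "1002", "amount": 750.0},
    {"vendor": "V2", "invoice": "A-7", "amount": 2400.0},
]

def _norm(s):
    # Normalise case and spacing so "9 Oak Ave" and "9 oak ave" compare equal.
    return " ".join(s.lower().split())

def employee_vendor_matches(employees, vendors):
    """Return (employee_id, vendor_id, field) for each shared address or phone."""
    index = {}
    for v in vendors:
        for field in ("address", "phone"):
            index[(field, _norm(v[field]))] = v["id"]
    hits = []
    for e in employees:
        for field in ("address", "phone"):
            vid = index.get((field, _norm(e[field])))
            if vid:
                hits.append((e["id"], vid, field))
    return hits

def duplicate_payments(payments):
    """Return {(vendor, invoice, amount): count} for payments seen more than once."""
    counts = defaultdict(int)
    for p in payments:
        counts[(p["vendor"], p["invoice"], p["amount"])] += 1
    return {key: n for key, n in counts.items() if n > 1}

if __name__ == "__main__":
    print("employee/vendor matches:", employee_vendor_matches(EMPLOYEES, VENDORS))
    print("duplicate payments:", duplicate_payments(PAYMENTS))
```

A hit from either check is a symptom to investigate, not proof of fraud; the value of the control is that it surfaces the cases a manual review would miss.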


5.7 Business Continuity and Auditing

An important element in any security system is the business continuity plan, also known as the disaster recovery plan.

The plan outlines the process by which businesses should recover from a major disaster.

The purpose of a business continuity plan is to keep the business running after a disaster occurs.

• Each business function should have a valid recovery capability plan.

• The plan should be written so that it will be effective in case of disaster, not just in order to satisfy the auditors.


Risk-Management Analysis

Expected loss = P1 × P2 × L, where:

P1 = probability of attack

P2 = probability of the attack being successful

L = loss occurring if the attack is successful

Example: P1 = .02, P2 = .10, L = $1,000,000

Expected loss from this particular attack is P1 × P2 × L = 0.02 × 0.1 × $1,000,000 = $2,000
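The slide applies the formula to one attack. The added example below (not part of the chapter) goes a step further: it evaluates P1 × P2 × L over several constructed scenarios, sums them, and uses the result to judge whether a control that lowers P2 is worth its annual cost. The first scenario reuses the slide's numbers; the other scenarios, the control's effect and its cost are assumptions made up for the illustration.

```python
# Added example (not from the chapter): Expected loss = P1 x P2 x L applied to
# several constructed attack scenarios, then used to weigh a control that
# lowers P2 against its annual cost. All figures except the slide's own
# example (P1=0.02, P2=0.10, L=$1,000,000) are made up.

def expected_loss(p1, p2, loss):
    """Expected loss for one attack: P1 (attack occurs) x P2 (it succeeds) x L."""
    for p in (p1, p2):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    return p1 * p2 * loss

# Constructed scenarios: (name, P1, P2, L). The first row is the slide's example.
SCENARIOS = [
    ("phishing leads to account takeover", 0.02, 0.10, 1_000_000),
    ("stolen unencrypted laptop",          0.30, 0.50,   200_000),
    ("insider duplicate-payment fraud",    0.05, 0.40,   150_000),
]

def total_expected_loss(scenarios):
    return sum(expected_loss(p1, p2, l) for _, p1, p2, l in scenarios)

def control_net_benefit(scenarios, p2_factor, annual_cost):
    """Net annual benefit of a control that multiplies every P2 by p2_factor
    (0.5 halves the chance an attack succeeds) and costs annual_cost per year.
    Positive means the expected loss avoided exceeds the control's cost."""
    before = total_expected_loss(scenarios)
    after = sum(expected_loss(p1, p2 * p2_factor, l) for _, p1, p2, l in scenarios)
    return before - after - annual_cost

if __name__ == "__main__":
    for name, p1, p2, l in SCENARIOS:
        print(f"{name}: ${expected_loss(p1, p2, l):,.0f}")
    print(f"total expected loss: ${total_expected_loss(SCENARIOS):,.0f}")
    print("net benefit of halving P2 for $20,000/yr: "
          f"${control_net_benefit(SCENARIOS, 0.5, 20_000):,.0f}")
```

With these constructed figures the control avoids $17,500 of expected loss but costs $20,000, so its net benefit is negative; the same arithmetic with a cheaper control or a higher L flips the decision, which is the point of the analysis.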


Ethical issues

Implementing security programs raises many ethical issues.

Handling the privacy versus security dilemma is tough.

There are ethical and legal obligations that may require companies to “invade the privacy” of employees and monitor their actions.

Under the doctrine of duty of care, senior managers and directors have a fiduciary obligation to use reasonable care to protect the company’s business operations.


Chapter 5 Link Library

• Information Security Magazine: http://searchsecurity.techtarget.com

• CIO Magazine, IT Security: http://cio.com/topic/3089/Security

• Computer and Internet Security: http://cnet.com/internet-security

• IT Governance Institute: http://itgi.org

• U.S. Computer Emergency Readiness Team: http://us-cert.gov/cas/tips/

• SANS Information Security Reading Room: sans.org/reading_room/

• Privacy news from around the world: pogowasright.org/

• Government Computer News (GCN): http://gcn.com/

• CompTIA: http://comptia.org/

• F-Secure: http://f-secure.com/en_US/security/security-center/

• Social engineering: http://symantec.com/connect/articles/social-engineering
