
Chapter 12 Information Security Management






Presentation Transcript


    1. Chapter 12 Information Security Management

    2. Chapter Preview This chapter describes common sources of security threats and explains management’s role in addressing those threats. It defines the major elements of an organizational security policy. It presents the most common types of technical, data, and human security safeguards. We then discuss how organizations should respond to security incidents, and, finally, examine common types of computer crime. Primary focus is on management’s responsibility for the organization’s security policy and for implementing human security safeguards. We approach this topic from the standpoint of a major organization that has professional staff in order to learn the tasks that need to be accomplished. Both MRV and FlexTime need to adapt the full-scale security program to their smaller requirements and more limited budget.

    3. Study Questions Q1 What are the threats to information security? Q2 What is senior management’s security role? Q3 What technical safeguards are available? Q4 What data safeguards are available? Q5 What human safeguards are available? Q6 How should organizations respond to security incidents? Q7 What is the extent of computer crime? Q8 2020?

    4. What Are the Sources of Threats? (Tutorial video) Security threats arise from three sources: Human error and mistakes, Malicious human activity, and Natural events and disasters.

    5. Human Errors and Mistakes
        Human errors and mistakes include accidental problems caused by both employees and nonemployees:
        - An employee misunderstands operating procedures and accidentally deletes customer records.
        - An employee, while backing up a database, inadvertently installs an old database on top of the current one.
        - The category also includes poorly written application programs and poorly designed procedures.
        - Physical accidents, such as driving a forklift through the wall of a computer room.

    6. Malicious Human Activity
        - Employees and former employees who intentionally destroy data or other system components
        - Hackers who break into a system; virus and worm writers who infect computer systems
        - Outside criminals who break into a system to steal for financial gain
        - Terrorism

    7. Natural Events and Disasters
        - Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature
        - Includes the initial loss of capability and service, and losses stemming from actions to recover from the initial problem

    8. What Are the Types of Security Problems?

    9. What Are the Components of an Organization’s Security Program?
        A security program has three components:
        - Senior-management involvement,
        - Safeguards of various kinds, and
        - Incident response.
        Senior-management involvement has two critical security functions:
        - Senior management must establish security policy. This policy sets the stage for the organization’s response to security threats.
        - However, because no security program is perfect, there is always risk. Management must manage risk by balancing the costs and benefits of the security program.

    10. Safeguards


    12. NIST Handbook of Security Elements

    13. What Are the Elements of a Security Policy?
        A security policy has three elements:
        - A general statement of the organization’s security program. This statement becomes the foundation for more specific security measures. Management specifies the goals of the security program and the assets to be protected. The statement designates a department for managing the security program and its documents. In general terms, it specifies how the organization will ensure enforcement of security programs and policies.
        - Issue-specific policy. Examples are personal use of computers at work and email privacy.
        - System-specific policy. What customer data from the order-entry system will be sold or shared with other organizations? Or, what policies govern the design and operation of systems that process employee data? Addressing such policies is part of the standard systems development process.

    14. How Is Risk Managed?
        Risk is the likelihood of an adverse occurrence. Management cannot manage threats directly, but it can limit security consequences, for example by creating a backup processing facility at a remote location. Companies can reduce risks, but always at a cost. It is management’s responsibility to decide how much to spend or, stated differently, how much risk to assume.
        Uncertainty refers to a lack of knowledge, especially about the chance of occurrence or the risk of an outcome or event. An earthquake could devastate a corporate data center built on a fault that no one knew about. An employee finds a way to steal inventory using a hole in the corporate Web site that no expert knew existed.

    15. Factors to Consider in Risk Assessment

    16. Factors to Consider in Risk Assessment
        - Safeguard: any action, device, procedure, technique, or other measure that reduces a system’s vulnerability to a threat. No safeguard is ironclad; there is always a residual risk that it will not protect the assets in all circumstances.
        - Vulnerability: an opening or a weakness in a security system. Some vulnerabilities exist because there are no safeguards or because existing safeguards are ineffective.
        - Consequences: the damages that occur when an asset is compromised. Consequences can be tangible or intangible. Tangible consequences are those whose financial impact can be measured. Intangible consequences, such as the loss of customer goodwill due to an outage, cannot be measured.

    17. Final Two Factors in Risk Assessment
        - Likelihood: the probability that a given asset will be compromised by a given threat, despite the safeguards.
        - Probable loss: the “bottom line” of risk assessment. To obtain a measure of probable loss, companies multiply likelihood by the cost of the consequences. Probable loss also includes a statement of intangible consequences.

    18. Risk-Management Decisions
        Given the probable loss from the risk assessment just described, senior management must decide what to do. Some assets can be protected by inexpensive and easily implemented safeguards. Some vulnerabilities can be expensive to eliminate, and management must determine whether the cost of a safeguard is worth the benefit of the probable-loss reduction.
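A worked version of the probable-loss calculation and the safeguard decision from slides 16 to 18, added here as an example (it is not part of the original slides); the asset values, likelihoods and safeguard costs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    consequence_cost: float  # tangible cost if the asset is compromised (dollars)
    likelihood: float        # probability of compromise per year, despite current safeguards
    intangible: str = ""     # intangible consequences are stated alongside the number, not priced


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    residual_likelihood: float  # likelihood that remains; never zero, since no safeguard is ironclad


def probable_loss(likelihood: float, consequence_cost: float) -> float:
    """Probable loss = likelihood x cost of the consequences (the slide's 'bottom line')."""
    return round(likelihood * consequence_cost, 2)


def evaluate(risk: Risk, safeguard: Safeguard) -> dict:
    """Compare the reduction in probable loss against what the safeguard costs per year."""
    before = probable_loss(risk.likelihood, risk.consequence_cost)
    after = probable_loss(safeguard.residual_likelihood, risk.consequence_cost)
    benefit = round(before - after, 2)
    return {
        "asset": risk.asset,
        "safeguard": safeguard.name,
        "probable_loss_before": before,
        "probable_loss_after": after,
        "net_benefit": round(benefit - safeguard.annual_cost, 2),
        "worth_it": benefit > safeguard.annual_cost,
        "intangible": risk.intangible,
    }


# Constructed figures; a real assessment takes these from the organization's own data.
RISKS = [
    Risk("customer database", 400_000, 0.05, "loss of customer goodwill"),
    Risk("public Web site", 50_000, 0.02, "reputation damage during an outage"),
]
SAFEGUARDS = [
    Safeguard("remote backup processing facility", 6_000, 0.01),
    Safeguard("managed Web application firewall", 12_000, 0.005),
]


def rank_by_probable_loss(risks):
    """Order assets so management looks at the largest probable loss first."""
    return sorted(((probable_loss(r.likelihood, r.consequence_cost), r.asset) for r in risks),
                  reverse=True)


def decisions():
    """One evaluation per (risk, candidate safeguard) pair."""
    return [evaluate(r, s) for r, s in zip(RISKS, SAFEGUARDS)]
```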


    20. List of Primary Technical Safeguards (Tutorial video)

    21. Single Sign-on for Multiple Systems
        Operating systems authenticate you to networks and other servers. You sign on to your local computer and provide authentication data; from that point on, your operating system authenticates you to another network or server, which can authenticate you to yet another network and server, and so forth.
        Kerberos is a system protocol that authenticates users without sending their passwords across the computer network. It uses a complicated system of “tickets” to enable users to obtain services from networks and other servers. Windows, Linux, Unix, and other operating systems employ Kerberos and thus can authenticate user requests across networks of computers using a mixture of these operating systems.
        Protect your passwords!

    22. Wireless Access
        Drive-by sniffers can walk or drive around business or residential neighborhoods with a wireless computer and locate dozens, or even hundreds, of wireless networks.
        Businesses with sophisticated communications equipment use elaborate techniques—techniques that require the support of highly trained communications specialists. Common protections use VPNs and special security servers.
        The IEEE 802.11 committee developed a wireless security standard called Wired Equivalent Privacy (WEP). Unfortunately, WEP has serious flaws. Wi-Fi Protected Access (WPA) and WPA2 are improved wireless security standards that newer wireless devices use.
        Search the Web for the latest on wireless network security.

    23. Encryption

    24. Digital Signatures
        Most messages, such as email, are sent over the Internet as plaintext: “Please deliver shipment 1000 to our Oakdale facility.” It is possible for a third party to intercept the email, remove the words “our Oakdale facility,” substitute its own address, and send the message on to its destination.
        Digital signatures are a technique for ensuring that plaintext messages are received without alteration. The plaintext message is first hashed. Hashing is a method of mathematically creating a string of bits (a message digest) that characterizes the message. According to one popular standard, message digests are 160 bits long.

    25. Using Digital Signatures

    26. Digital Certificates: How Does the Receiver Obtain the True Party’s Public Key?
        Trusted, independent third-party companies, called certificate authorities (CAs), supply public keys. For your browser to obtain the public key for Bank of America, either to conduct a secure session using SSL/TLS or to authenticate a digital signature, your browser will obtain Bank of America’s public key from a CA. The CA will respond with a digital certificate that contains the name “Bank of America” and Bank of America’s public key. Your browser will verify the name and then use that public key.
        A digital certificate is sent as plaintext, so there is a possibility that an entity can intercept the digital certificate sent by the CA and substitute its own public key. To prevent that possibility, the CA signs the digital certificate with its digital signature.
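An added example (not from the original slides) that walks through slides 24 and 26 in Python: hash-then-sign the shipment message, detect the altered destination, and have the browser side accept a public key only after checking the CA's signature over the certificate. It uses toy RSA keys built from known Mersenne primes and SHA-1 for the 160-bit digest the slide mentions, so it runs offline with no crypto library; the key sizes, the missing padding scheme and SHA-1 are for illustration only.

```python
import hashlib
import json

# Toy RSA built from known Mersenne primes so the example needs no crypto library.
# Real systems use 2048-bit or larger keys from a vetted library plus a signature
# padding scheme; this is textbook RSA for illustration only.
E = 65537


def keypair(p: int, q: int, e: int = E):
    """Return (public, private) as ((n, e), (n, d)) for primes p and q."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def digest(data: bytes) -> int:
    """160-bit message digest, as the slide describes (SHA-1; modern systems use SHA-256 or longer)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(digest(data), d, n)  # hash first, then sign the digest


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == digest(data)  # any change to data changes the digest


def encode_cert(name: str, public) -> bytes:
    """Deterministic plaintext form of a certificate: the holder's name and public key."""
    return json.dumps({"name": name, "n": public[0], "e": public[1]}, sort_keys=True).encode()


def issue_cert(ca_private, name: str, subject_public):
    """CA side: sign the certificate so a substituted key would be detected."""
    cert = {"name": name, "n": subject_public[0], "e": subject_public[1]}
    return cert, sign(ca_private, encode_cert(name, subject_public))


def trusted_public_key(ca_public, cert: dict, ca_sig: int):
    """Browser side: use the key in the certificate only if the CA's signature over it verifies."""
    if not verify(ca_public, encode_cert(cert["name"], (cert["n"], cert["e"])), ca_sig):
        return None
    return cert["n"], cert["e"]


def demo() -> dict:
    ca_pub, ca_priv = keypair(2**107 - 1, 2**61 - 1)      # CA's key pair
    bank_pub, bank_priv = keypair(2**127 - 1, 2**89 - 1)  # Bank of America's key pair
    cert, ca_sig = issue_cert(ca_priv, "Bank of America", bank_pub)
    msg = b"Please deliver shipment 1000 to our Oakdale facility."
    sig = sign(bank_priv, msg)
    tampered = msg.replace(b"our Oakdale facility", b"a different address")
    # An interceptor swaps its own public key into the plaintext certificate.
    intruder_pub, _ = keypair(2**107 - 1, 2**89 - 1)
    forged_cert = dict(cert, n=intruder_pub[0])
    key = trusted_public_key(ca_pub, cert, ca_sig)
    return {
        "genuine_message_verifies": verify(key, msg, sig),
        "tampered_message_verifies": verify(key, tampered, sig),
        "forged_certificate_accepted": trusted_public_key(ca_pub, forged_cert, ca_sig) is not None,
    }
```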

    27. Firewalls
        A firewall is a computing device that prevents unauthorized network access. A firewall can be a special-purpose computer or it can be a program on a general-purpose computer or on a router.
        Malware Protection:
        - Spyware resides in the background, unknown to the user; it observes the user’s actions and keystrokes, monitors computer activity, and reports the user’s activities to sponsoring organizations. Some spyware captures keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Some supports marketing analyses, observing what users do, Web sites visited, products examined and purchased, and so forth.
        - Adware does not perform malicious acts or steal data. It watches user activity and produces pop-up ads. Adware can change the user’s default window or modify search results and switch the user’s search engine.

    28. Firewalls
        Firewalls, the third technical safeguard, should be installed and used with every computer that is connected to any network, especially the Internet. The diagram shows how perimeter and internal firewalls are special devices that help protect a network. Packet-filtering firewalls are programs on general-purpose computers or on routers that examine each packet entering the network.

    29. Symptoms of Adware and Spyware

    30. Malware Safeguards
        - Install antivirus and antispyware programs on your computer
        - Set up your antimalware programs to scan your computer frequently
        - Update malware definitions
        - Open email attachments only from known sources
        - Promptly install software updates from legitimate sources
        - Browse only in reputable Internet neighborhoods

    31. AOL and the National Cyber Security Alliance Malware Study

    32. Bots, BotNets, and Bot Herders
        - Bot: a computer program, surreptitiously installed, that takes actions unknown to and uncontrolled by the computer’s owner or administrator
        - Botnet: a network of bots created and managed by an individual or organization that infects networks with a bot program
        - Bot herder: an individual or organization that controls the botnet
        Botnets pose serious problems for commerce and national security. It is believed that a unit of the North Korean Army served as a bot herder for a botnet that caused denial of service attacks on Web servers in South Korea and in the United States in July 2009.

    33. Design Secure Applications You should ensure that any information system developed for you and your department includes security as one of the application requirements.


    35. Some Important Data Safeguards

    36. Some Important Data Safeguards
        - Protect sensitive data by storing it in encrypted form.
        - When data are encrypted, a trusted party should have a copy of the encryption key. This safety procedure is called key escrow.
        - Periodically create backup copies of database contents.
        - The DBMS and all devices that store database data should reside in locked, controlled-access facilities. Physical security was a problem that MRV had when it lost its data.
        - Organizations that contract with other companies to manage their databases may inspect those companies’ premises and interview their personnel to make sure they practice proper data protections.


    38. Human Safeguards for Employees

    39. Human Safeguards for Nonemployee Personnel
        Nonemployee personnel include temporary personnel, vendors, partner personnel (employees of business partners), and the public.
        - Contracts that govern activity should list security measures appropriate for the sensitive data and IS resources involved.
        - Require vendors and partners to perform appropriate screening and security training.
        - Specify security responsibilities for the work to be performed.
        - Provide computer accounts and passwords with least privilege and remove those accounts as soon as possible.

    40. Best Safeguard to Protect from Threats from Public Users
        “Harden” the Web site or other facility against attack. Hardening a site means taking extraordinary measures to reduce a system’s vulnerability. Hardened sites use special versions of the operating system, and lock down or eliminate operating system features and functions that are not required.

    41. Protect Ourselves from Us Safeguards need to protect users from internal company security problems. A disgruntled employee who maliciously changes prices on a Web site potentially damages both public users and business partners.

    42. Account Administration

    43. Systems Procedures

    44. Security Monitoring
        Important monitoring functions:
        - Activity log analyses. Firewalls produce logs of their activities, including lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall. DBMS products produce logs of successful and failed logins. Web servers produce voluminous logs of Web activities. Operating systems on personal computers can produce logs of logins and firewall activities.
        - Security testing. Use in-house personnel and outside security consultants to conduct testing.
        - Investigating and learning from security incidents.
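An added example (not from the original slides) of the activity log analysis the slide describes, run over constructed firewall and DBMS log lines: it flags a source whose dropped packets touch several different ports, and a database account whose successful login follows a run of failed ones. The log formats are assumed for the example; real products each have their own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not from any real system) in the two styles the slide
# names: firewall drop records and DBMS login records.
FIREWALL_LOG = """\
2024-05-01 09:12:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=22
2024-05-01 09:12:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=23
2024-05-01 09:12:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=445
2024-05-01 09:12:04 DROP src=203.0.113.7 dst=192.0.2.10 dport=3389
2024-05-01 09:15:40 DROP src=198.51.100.4 dst=192.0.2.10 dport=80
2024-05-01 09:20:11 ACCEPT src=198.51.100.9 dst=192.0.2.10 dport=443
"""
DBMS_LOG = """\
2024-05-01 10:01:05 LOGIN FAILED user=sa host=10.0.0.55
2024-05-01 10:01:06 LOGIN FAILED user=sa host=10.0.0.55
2024-05-01 10:01:07 LOGIN FAILED user=sa host=10.0.0.55
2024-05-01 10:01:09 LOGIN OK user=sa host=10.0.0.55
2024-05-01 10:30:00 LOGIN OK user=reports host=10.0.0.21
2024-05-01 10:31:00 LOGIN FAILED user=reports host=10.0.0.21
"""

FW_RE = re.compile(r"^(\S+ \S+) (DROP|ACCEPT) src=(\S+) dst=\S+ dport=(\d+)$")
DB_RE = re.compile(r"^(\S+ \S+) LOGIN (OK|FAILED) user=(\S+) host=(\S+)$")


def port_scans(log: str, min_ports: int = 3) -> dict:
    """Sources whose dropped packets were aimed at min_ports or more distinct ports."""
    ports = defaultdict(set)
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m and m.group(2) == "DROP":
            ports[m.group(3)].add(int(m.group(4)))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def suspicious_logins(log: str, max_failures: int = 3) -> list:
    """(user, host) pairs whose successful login came after max_failures or more failures.

    Returns (key, failure_count, timestamp_of_success) for each flagged event."""
    failures = Counter()
    flagged = []
    for line in log.splitlines():
        m = DB_RE.match(line)
        if not m:
            continue  # unparsed line: skipped here; a real analyser would count these
        key = (m.group(3), m.group(4))
        if m.group(2) == "FAILED":
            failures[key] += 1
        elif failures[key] >= max_failures:
            flagged.append((key, failures[key], m.group(1)))
    return flagged
```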


    46. Major Disaster-Preparedness Tasks No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems. This figure describes disaster preparedness tasks for every organization, large and small. The last item that suggests an organization train and rehearse its disaster preparedness plans is very important.

    47. Disaster-Recovery Backup Sites
        - Hot site: a utility company that can take over another company’s processing with no forewarning. Hot sites are expensive; organizations pay $250,000 or more per month for such services.
        - Cold site: provides computers and office space. Cold sites are cheaper to lease, but customers install and manage the systems themselves. The total cost of a cold site, including all customer labor and other expenses, might not be less than that of a hot site.

    48. Incident-Response Plan


    50. What Is the Extent of Computer Crime?
        - Computer Security Institute survey (2009), http://gocsi.com (registration required)
        - Only 144 of the 522 responding organizations provided cost-of-loss data (2009)
        - Financial fraud had the highest average incident cost, $463,100, and losses due to bots averaged $345,600
        - Some losses are difficult to quantify. What is the loss from a denial of service attack on an organization’s Web site? If a company’s Web site is unavailable for 24 hours, what potential sales, prospects, or employees have been lost? What reputation problem was created for the organization?

    51. Percentage of Security Incidents


    53. 2020?
        The skill level of cat-and-mouse activity is likely to increase substantially. Increased security in operating systems and other software, improved security procedures, and employee training will make it harder and harder for the lone hacker to find some vulnerability to exploit.

    54. 2020?
        - Rise of professionals, primarily bot herders, who may be organized criminals, terrorists, or elements of governments inflicting a new type of cyber warfare on other nations
        - We may see cyber warfare among nations.
        - The number of computer security jobs is projected to increase by 27 percent by 2016.

    55. End of Chapter 12
