INFORMATION SECURITY AND PRIVACY
Presented By: Jason Rottler, Mengmeng Zhao, Vijak Pongtippun, Weiwei Huang, Ju Yang
What is IT Security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.
“In the case of information security, the goals of confidentiality, integrity, and availability (CIA) must be balanced against organizational priorities and the negative consequences of security breaches.”
Sources: http://en.wikipedia.org/wiki/It_security ; http://proquest.umi.com/pqdweb?index=2&did=901411&SrchMode=1&sid=1&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257803955&clientId=45249
What is IT Security: NSTISSC Security Model (McCumber Cube)
• Three dimensions:
• 1. Confidentiality, integrity, and availability (CIA triangle)
• 2. Policy, education, and technology
• 3. Storage, processing, and transmission
Sources: http://proquest.umi.com/pqdweb?index=0&did=1374511721&SrchMode=1&sid=1&Fmt=6&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257259579&clientId=45249 ; http://en.wikipedia.org/wiki/McCumber_cube
Why is IT Security important
“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers - organizing your lives, staying in touch with people, being creative - if we don't solve these security problems, then people will hold back.” ---- Bill Gates
Sources: http://www.billgatesmicrosoft.com/ ; http://chinadigitaltimes.net/china/bill-gates/
Security Breach Example
Wireless Security and the TJX Data Breach
Why is IT Security important
IT security breaches happen every day.
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm#2009
Why is IT Security important
IT security breaches may come from outsiders or from insiders.
“As the network expand, including online, it will become harder to know whether market-moving information originated improperly through an insider’s breach or properly through gathering of information in other ways”
Sources: The Times, October 6, 2009, http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article6861965.ece ; http://proquest.umi.com/pqdweb?index=0&did=1886259131&SrchMode=1&sid=5&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257262182&clientId=45249
Why is IT Security important: Consequences of Poor Security in an Organization
• Unreliable Systems
• Unauthorized Access By Employees
• Reduced Employee Productivity
• Financial Embezzlement & Lost Revenue
• Theft of Customer Records
Source: Academy of Information and Management Sciences Proceedings, Reno, NV, Vol. 11 No. 2 (October 2007), p. 51-53, http://www.alliedacademies.org/Public/Proceedings/Proceedings21/AIMS%20Proceedings.pdf
Why is IT Security important: Losses from IT Security Breaches
In 2008, losses resulting from IT security breaches averaged 289,000 per respondent.
Source: 2008 CSI Computer Crime & Security Survey, Robert Richardson, GoCSI.com
IT Security Spending
• 31% of companies spent more than 5% of their overall IT budget on information security in 2008.
Source: 2008 CSI Computer Crime & Security Survey, Robert Richardson, GoCSI.com
IT Security Spending: IT Budget vs. Information Security Budget
The projected percentage cut in overall IT spending for 2009 is greater than the projected percentage cut in security spending.
Source: http://metrosite.files.wordpress.com/2008/06/information_security_spending_survey_2009.pdf
IT Security Spending
IT departments in U.S. enterprises spent US$61 billion on security in 2006, representing 7.3% of total IT spending in the U.S.
Source: http://proquest.umi.com/pqdweb?index=4&did=1162465461&SrchMode=1&sid=4&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257727916&clientId=45249#indexing
IT Security Spending
"IT security has become a higher priority over the last few years, with a greater proportion of the overall IT budget being spent on security equipment and services." ------ Ed Daugavietis
Source: http://proquest.umi.com/pqdweb?index=4&did=1162465461&SrchMode=1&sid=4&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257727916&clientId=45249#indexing
Top 9 Network Security Threats
CSOonline.com is a website that provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.
• Malicious Insiders – Rising Threat
• Malware – Steady Threat
• Exploited Vulnerabilities – Weakening Threat
• Social Engineering – Rising Threat
• Careless Employees – Rising Threat
• Reduced Budgets – Rising Threat
• Remote Workers – Steady Threat
• Unstable Third Party Providers – Strong Rising Threat
• Downloaded Software Including Open Source & P2P Files – Steady Threat
Source: http://www.csoonline.com/article/print/472866
Top 9 Network Security Threats (grouped by trend)
• Strong Rising Threat: Unstable Providers
• Rising Threat: Malicious Insiders; Social Engineering; Careless Employees; Reduced Budgets
• Steady Threat: Malware; Remote Workers; Downloaded Software
• Weakening Threat: Exploited Vulnerabilities
Types of IT Security Threats: Malware
• Malware (malicious software) is a generic term for programs that try to secretly install themselves on your computer.
• Top 10 malware-hosting countries in 2008 (chart)
Sources: http://www.msun.edu/its/security/threats.htm ; http://www.sophos.com/sophos/.../sophos-security-threat-report-jan-2009-na.pdf
Types of IT Security Threats: Types of Malware
• Viruses
• Worms
• Trojan horses
• Spyware
• Adware
Damage
• Some viruses delete files or reformat the hard disk.
• Worms consume bandwidth and can cause degraded network performance.
• Spyware can collect various types of personal information, such as credit card numbers or usernames and passwords.
Sources: http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx ; http://proquest.umi.com/pqdweb?index=0&did=1783184381&SrchMode=1&sid=5&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257726601&clientId=45249
Types of IT Security Threats: Social Engineering
• Social engineering is a term used to describe the art of persuading people to divulge information, such as usernames and passwords.
• Identity Theft: stealing and selling identity information.
• Phishing: a fake web page that imitates a legitimate one.
Damage
• Criminals can use a person’s details to make transactions or create fake accounts in the victim’s name.
Source: http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx
Types of IT Security Threats: SPAM
• SPAM is electronic junk e-mail. E-mail addresses are collected from chat rooms, websites and newsgroups.
Damage
• SPAM can clog a personal mailbox, overload mail servers and impact network performance.
Source: http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx
Types of IT Security Threats: Denial of Service Attack (DoS Attack)
• A DoS attack is an attempt to make a computer resource, such as a website or web service, unavailable to its users.
• Criminals frequently use bots to launch DoS attacks.
Damage
• DoS attacks typically target large businesses or government institutions. They can make a website or web service temporarily unavailable (for minutes, hours, or days), with ramifications for sales or customer service.
Source: http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx
Prevention of IT Threats
Malware
• Use antivirus and anti-spyware software.
• Keep current with the latest security updates or patches.
• Be wary of opening unexpected e-mails.
Social Engineering
• Never disclose any personal information.
• Use strong passwords.
• Never e-mail personal or financial information.
• Check your statements often.
Source: http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx
Prevention of IT Threats
SPAM
• Use spam filters.
• Use a form of e-mail authentication.
• Use reasonable mailing practices and send only relevant e-mails.
• Make sure your e-mails look right in multiple e-mail clients.
DoS Attack
• Plan ahead.
• Use firewalls to allow or deny protocols, ports, or IP addresses.
• Utilize routers and switches.
Sources: http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx ; http://proquest.umi.com/pqdweb?index=0&did=1876359931&SrchMode=1&sid=13&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257728149&clientId=45249&cfc=1
Chief Security Officer (CSO)
The executive responsible for the organization's entire security posture, both physical and digital. The title Chief Security Officer (CSO) was first used principally inside the information technology function to designate the person responsible for IT security.
Source: http://www.csoonline.com/article/221739/What_is_a_Chief_Security_Officer_?page=1 , viewed October 10, 2009
Chief Information Security Officer (CISO)
A more accurate description of a job that focuses on information security within an organization; today the CISO title is becoming more prevalent for leaders with an exclusive information security focus.
Source: http://www.csoonline.com/article/221739/What_is_a_Chief_Security_Officer_?page=1 , viewed October 10, 2009
Roles & Responsibilities of a CISO
• Communications and Relationships
• Risk and Control Assessment
• Threat and Vulnerability Management
• Identity and Access Management
Source: http://en.wikipedia.org/wiki/Chief_information_security_officer , viewed October 10, 2009
CISO: Skills Required for Success – Literature Review
• CISOs should think of themselves first as business professionals and second as security specialists.
• Partake in continuing security education
• Soft skills
• Management
• Problem solving
• Understanding of security threats and risks
Source: Dwayne Whitten (2008), "The Chief Information Security Officer: An analysis of the skills required for success", Journal of Computer Information Systems, pages 15-18
CISO: Skills Required for Success – Interviews with Eight Executives
The executives were basically in agreement that the skills which emerged from the analysis were important. They suggested the addition of two items:
• disaster recovery planning
• security breach investigation
The interviews were conducted over a two-month period between December 2005 and January 2006.
Source: Dwayne Whitten (2008), "The Chief Information Security Officer: An analysis of the skills required for success", Journal of Computer Information Systems, pages 15-18
CISO: Skills Required for Success – Frequency of Duties on Job Listings
A review of 33 recent CISO job listings posted at Chief Security Officer magazine (http://www.CSOonline.com)
Source: Dwayne Whitten (2008), "The Chief Information Security Officer: An analysis of the skills required for success", Journal of Computer Information Systems, pages 15-18
CISO: Skills Required for Success – Frequency of Background Experience on Job Listings
A review of 33 recent CISO job listings posted at Chief Security Officer magazine (http://www.CSOonline.com)
Source: Dwayne Whitten (2008), "The Chief Information Security Officer: An analysis of the skills required for success", Journal of Computer Information Systems, pages 15-18
CISO: Skills Required for Success
Source: Dwayne Whitten (2008), "The Chief Information Security Officer: An analysis of the skills required for success", Journal of Computer Information Systems, pages 15-18
CISO: Skills Required for Success – Conclusion
Business strategy was given a high level of importance by the literature and by the executives, but it did not appear in the job listing surveys. Many of the organizations searching for new CISOs during the research period did not fully understand the importance of including the CISO in business strategy formulation. Organizations currently employing a CISO should consider the duties and responsibilities included in these results as perfunctory in their position requirements.
Source: Dwayne Whitten (2008), "The Chief Information Security Officer: An analysis of the skills required for success", Journal of Computer Information Systems, pages 15-18
Case Studies
• IT & Security Compliance Manager of a Mining Company
• Chief Information Security Officer (CISO) of Compal Communication, Inc. (CCI)
Part 1: Overview
Mining Company in St. Louis / Compal Communication, Inc. (CCI)
Mining Company
• Size: 4,600 employees
• Background: 2nd largest in their industry; ships and provides product to 35 states and 20+ countries worldwide
• Revenues: $2.9 Billion; $350 Million in profits
Source: IT Security and Compliance Manager of a Mining Company in St. Louis, interviewed in person by Jason Rottler, Oct 14, 2009
Compal Communication, Inc. (CCI)
• Background: manufactures and trades wireless handsets and other telecommunication equipment
• Size: 4,000 employees
• Revenues: $3.25 Billion; $380 Million in profit
Sources: Mr. Qin, CISO of Compal Communication, Inc., interviewed by phone by Mengmeng Zhao, Oct 29, 2009 ; http://www.compalcomm.com/
Part 2: Reporting Structures
Mining Company in St. Louis / Compal Communication, Inc. (CCI)
Mining Company (reporting structure chart)
Source: IT Security and Compliance Manager of a Mining Company in St. Louis, interviewed in person by Jason Rottler, Oct 14, 2009
Compal Communication, Inc. (CCI) (reporting structure chart)
Source: Mr. Qin, CISO of Compal Communication, Inc., interviewed by phone by Mengmeng Zhao, Oct 29, 2009
Part 3: The Role of the CISO
Mining Company in St. Louis / Compal Communication, Inc. (CCI)
Manager, IT Security and Compliance
• In current position for 4 years
• In charge of security for the past 2
• Responsibilities: overseeing the IS departments of Security, Change Management, Business Continuity, and Compliance
Source: IT Security and Compliance Manager of a Mining Company in St. Louis, interviewed in person by Jason Rottler, Oct 14, 2009
Chief Information Security Officer
• In current position for 2 years
• In charge of security for the past 4
• Responsibilities: develop and structure information security policies, change management, and help with integrating security skills
Source: Mr. Qin, CISO of Compal Communication, Inc., interviewed by phone by Mengmeng Zhao, Oct 29, 2009
Part 4: Threats & Risks
Mining Company in St. Louis / Compal Communication, Inc. (CCI)
Threat Examples and Mitigation (Mining Company)
Source: IT Security and Compliance Manager of a Mining Company in St. Louis, interviewed in person by Jason Rottler, Oct 14, 2009
Security Issues and Threats (Compal Communication, Inc.)
Source: Mr. Qin, CISO of Compal Communication, Inc., interviewed by phone by Mengmeng Zhao, Oct 29, 2009
Part 5: IT Security Policies
Mining Company in St. Louis / Compal Communication, Inc. (CCI)