Information Security Lecture 20
Today Lecture
• Information Security
• The Threats
• Security’s Five Pillars
• Management Countermeasures
• Technical Countermeasures
• CREDIT CARD FRAUD Case Example: Threats
• AN INTERNET SERVICES COMPANY Case Example: Security
Today Lecture…
• PLYMOUTH ROCK ASSURANCE CORPORATION Case Example: Use of a VPN (Security)
• Planning for Business Continuity: Using Internal Resources
• Planning for Business Continuity: Using External Resources
• HOUSEHOLD INTERNATIONAL Case Example: Planning for Business Continuity
Information Security
• Used to be an arcane technical topic
• Today even CEOs need to ‘know about it’ due to the importance of electronic information in running their businesses
• Need to understand Internet-based threats and countermeasures and continuously fund security work to protect their businesses
Information Security
• Since 1996 the Computer Security Institute has conducted an annual survey of US security managers
• Spring 2004 survey report – 2 key findings:
  • The unauthorized use of computers is declining
  • The most expensive cybercrime was denial of service
The Threats
Note: heaps of similar surveys, e.g. KPMG
Information Security: The Threats
• Threats are numerous
• Websites are particularly vulnerable
  • Political activism is one motivation for Website defacement
• Theft of proprietary information is a major concern
• Financial fraud is still a significant threat
  • Especially credit card information
  • No data of any value should be stored on web servers
CREDIT CARD FRAUD Case Example: Threats
• In one case, MSNBC reported that a bug in one shopping cart software product used by 4,000 e-commerce sites exposed customer records at those sites
• One small e-commerce site did not receive the warning
• Within days, cyber criminals charged thousands of dollars on the credit cards of users of this small site
CREDIT CARD FRAUD Case Example: Threats…
• In another case, two foreigners stole 56,000 credit card numbers, bank account information, and other personal financial information from U.S. banks
• They then tried to extort money from the cardholders and the banks, threatening to publicize the sensitive information they had unearthed
Information Security: The Threats cont.
• Losses are increasing dramatically because companies have rushed into e-commerce, often with applications that do not have security built into the architecture or procedures
• People think security can be added later, but it really can’t be bolted on as an afterthought
• Best security = designed into applications via checks during processing and at data transfer points
Information Security: The Threats cont.
• It is easier to guard a bank vault than to guard every house in town
• That’s why many companies are outsourcing their data center operations to data center specialists with vault-like security
• Mobile computing and telecommunications increase the possibility for crime
Information Security: The Threats cont.
• The greater number of network openings provides opportunities for illegal entry
• The rise of e-commerce and e-business puts more communications online to the Internet, which is open to everyone including crackers (evil hackers)
• As the Internet doesn’t (currently?) have intrinsic security protocols, this public space is vulnerable
Information Security: The Threats cont.
• The ‘hacker community’ (public club?)
  • ‘True’ vs. parasites
• Approaches hackers use:
  1. Cracking the password
  2. Tricking someone (social engineering = ‘cute’ term!)
  3. Network sniffing
Information Security: The Threats cont.
  4. Misusing administrative tools
  5. Playing middleman
  6. Denial of service
  7. Trojan horse
  8. Viruses
  10. Spoofing
Information Security: Security’s Five Pillars
• Authentication: verifying the authenticity of users
• Identification: identifying users to grant them appropriate access
• Privacy: protecting information from being seen
• Integrity: keeping information in its original form
• Nonrepudiation: preventing parties from denying actions they have taken
Information Security: Management Countermeasures
• The major problem these days:
  • Enterprises cannot have both access to information and airtight security at the same time
• Companies must make tradeoffs between:
  • Absolute information security, and
  • The efficient flow of information
Information Security: Management Countermeasures
• Because airtight security is not possible:
  • Companies need to prioritize their risks and work on safeguarding against the greatest threats
• An example to consider is the case example of one company from a Gartner Executive Programs report
Information Security: Management Countermeasures cont.
• Five major findings from the Computer Crime Survey:
  1. Most organizations evaluate the return on their security expenditures
  2. Over 80% conduct security audits
     • Including by ‘outsiders’, e.g. KPMG
  3. The percentage reporting cybercrimes to law enforcement declined
Information Security: Management Countermeasures cont.
     • Some worries are:
       • Damage to stock price / company reputation
       • Competitors using it for their advantage
  4. Most do not outsource cybersecurity
  5. Most respondents view security awareness training as important
AN INTERNET SERVICES COMPANY Case Example: Security
• This firm’s starting point in protecting its systems is to deny all access to and from the Internet
• From there, it opens portals only where required, and each opening has a firewall and only permits specific functions
• The security team constantly “checks the locks” by:
  • Keeping track of the latest bugs found
  • Staying up to date on the latest security attacks
AN INTERNET SERVICES COMPANY Case Example: Security
  • Subscribing to hacker e-mail lists and bulletin boards
  • Personally exploring some risks
  • Logging and monitoring all incoming and outgoing traffic, and
  • Testing the system monthly from a remote site
• Most importantly, it educates employees and clients as the greatest security precaution
Information Security: Technical Countermeasures
• The trend in computer security is toward defining security policies and then centrally managing and enforcing those policies via security products and services, or policy-based management
• E.g. a user authenticates to a network once, and then a “rights based system” gives that user access only to the systems to which the user has been given rights
  • Establishes basic control of segregation of duties
  • The ‘computer’ (system) is the control
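The “authenticate once, then a rights-based system is the control” idea above, as an added example that is not part of the lecture: a user logs in once and gets a session token, every later request is checked against centrally managed rights, and a segregation-of-duties rule flags any user holding conflicting rights. All users, passwords and rights are constructed sample data.

```python
# Added example, not from the lecture: a minimal "rights based system" in the
# slide's sense. Authenticate once, then the policy (not the user) decides
# what each session may touch. All data below is constructed.
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

SALT = b"constructed-salt"  # a real store keeps one random salt per user


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Slow salted hash so a stolen user store is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Central user store and policy (constructed): rights per user, plus pairs of
# rights that segregation of duties says must never be held by one person.
USERS = {"alice": hash_password("alice-pw"), "bob": hash_password("bob-pw")}
RIGHTS: Dict[str, Set[str]] = {
    "alice": {"payments:create"},
    "bob": {"payments:approve", "ledger:read"},
}
CONFLICTS = [("payments:create", "payments:approve")]
SESSIONS: Dict[str, str] = {}  # session token -> user


def authenticate(user: str, password: str) -> Optional[str]:
    """Authenticate once; return a session token, or None on failure."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, hash_password(password)):
        return None
    token = os.urandom(16).hex()
    SESSIONS[token] = user
    return token


def authorize(token: str, right: str) -> bool:
    """The system is the control: grant only rights the policy assigns."""
    user = SESSIONS.get(token)
    return user is not None and right in RIGHTS.get(user, set())


def segregation_violations(rights: Dict[str, Set[str]] = RIGHTS) -> List[str]:
    """Users holding both halves of a conflicting pair (should be empty)."""
    return [u for u, held in rights.items()
            for a, b in CONFLICTS if a in held and b in held]
```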
Information Security: Technical Countermeasures cont.
Three techniques used by companies to protect themselves:
• Firewalls: control access between networks
  • Used to separate intranets and extranets from the Internet so that only employees and authorized business partners can access
  • Implementation:
    • Packet filtering to block “illegal” traffic, which is defined by the security policy… or
    • By using a proxy server, which acts as an intermediary
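The packet-filtering firewall above, combined with the Internet services company’s approach (deny all access to and from the Internet, open portals only where required, log all incoming and outgoing traffic), as an added example that is neither the lecture’s nor that company’s code: a default-deny filter whose rules are the security policy. Networks, rules and packets are constructed sample data.

```python
# Added example, not from the lecture: a default-deny packet filter. Everything
# is dropped unless a rule opens a specific portal, and every decision for
# incoming and outgoing traffic is logged. All addresses and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

INTRANET = ip_network("10.0.0.0/8")  # addresses behind the firewall (constructed)


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (Internet -> intranet) or "out" (intranet -> Internet)
    src: str
    dst: str
    proto: str
    dport: int


# The security policy as rules: (direction, protocol, destination port,
# permitted destination network or None for any). Nothing else gets through.
RULES = [
    ("in", "tcp", 443, ip_network("10.0.1.10/32")),  # public HTTPS front end only
    ("out", "tcp", 443, None),                       # staff browsing to the Internet
    ("out", "udp", 53, None),                        # DNS queries to the ISP resolver
]
LOG: List[str] = []  # one line per decision, inbound and outbound


def filter_packet(pkt: Packet) -> bool:
    """Return True only if an explicit rule permits the packet."""
    decision = "DROP"
    # Inbound traffic claiming an internal source address is spoofed: never allowed.
    if pkt.direction == "in" and ip_address(pkt.src) in INTRANET:
        decision = "DROP spoofed-source"
    else:
        for direction, proto, dport, dst_net in RULES:
            if (pkt.direction, pkt.proto, pkt.dport) != (direction, proto, dport):
                continue
            if dst_net is None or ip_address(pkt.dst) in dst_net:
                decision = "ACCEPT"
                break
    LOG.append(f"{decision} {pkt.direction} {pkt.proto} "
               f"{pkt.src} -> {pkt.dst}:{pkt.dport}")
    return decision == "ACCEPT"
```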
Information Security: Technical Countermeasures cont.
• Encryption: to protect against sniffing, messages can be encrypted before being sent, e.g. over the Internet
  • Two classes of encryption methods are used today:
    • Secret Key encryption
      • DES
Information Security: Technical Countermeasures cont.
    • Public Key encryption
      • RSA
      • Needs public and private key
      • Incorporated into all major Web browsers and is the basis for secure socket layer (SSL)
      • Most individuals don’t have such keys, hence B2C applications are only secure from the consumer to the merchant
Information Security: Technical Countermeasures cont.
Note: The Internet is not secure because, for one thing, none of the TCP/IP protocols authenticate the communicating parties
• Virtual Private Networks (VPN): maintain data security as it is transmitted by using:
  • Tunneling: creates a temporary connection between a remote computer and the CLEC’s or ISP’s local data center. Blocks access to anyone trying to intercept messages sent over that link
  • Encryption: scrambles the message before it is sent and decodes it at the receiving end
Information Security: Technical Countermeasures cont.
• Three ways to use VPNs:
  • Remote Access VPNs: give remote employees a way to access an enterprise intranet by dialing a specific ISP
  • Remote Office VPNs: give enterprises a way to create a secure private network with remote offices. The ISP’s VPN equipment encrypts all transactions
  • Extranet VPNs: give enterprises a way to conduct e-business with trading partners
PLYMOUTH ROCK ASSURANCE CORPORATION Case Example: Use of a VPN (Security)
• This automobile insurance company created an extranet that independent agents could use to transact business with the company
• The most cost-effective approach was to create a DSL-based virtual private network between each agent and PRAC, an offering of a local company
Information Security cont.
• Information security has become an important management topic, and it has no clear-cut answers
• It is too costly to provide all the security a company wants, and performing security checks on packets takes a lot of processor power, which can slow down performance
• Even with world-class technical security, management needs to make sure all employees follow security policies, because companies are only as safe as their weakest link
Information Security cont.
• In fact, that weakest link could be a supplier or contractor who has secure access to a company’s systems, yet has poor security of its own
• Security is as much a human problem as a technical problem
• Fines etc. = this is not a ‘victimless crime’
• PRACTICE SAFE COMPUTING!!!!!
Planning for Business Continuity
• Business continuity is broader than disaster recovery because it includes:
  • Safeguarding people during a disaster
  • Documenting business procedures (instead of relying on certain employees who may become unavailable), and
  • Giving employees the tools and space to handle personal issues first so that they can then concentrate on work
  • Where will the work be done?
• In short, it is a business issue, because IT disaster recovery is just one component
Planning for Business Continuity: Using Internal Resources
• Organizations that rely on internal resources for IT disaster recovery generally see this planning as a normal part of systems planning and development. They use:
  • Multiple data centers
    • The move to have all computing in ‘one location’ is now under question
  • Distributed processing
  • Backup telecommunication facilities
  • Local area networks
    • One LAN can be used to back up servers for other networks
Planning for Business Continuity: Using External Resources
• Cost vs. risk may not justify permanent resources, so companies use the services of a disaster recovery firm:
  • Integrated disaster recovery services
  • Specialized disaster recovery services
  • Online and off-line data storage facilities
HOUSEHOLD INTERNATIONAL Case Example: Planning for Business Continuity
• Typical of a large financial services institution, Household justified its disaster recovery planning based upon legal and regulatory requirements and the need to maintain uninterrupted customer service
• The company established full-time staff to prepare, maintain and test disaster recovery plans
HOUSEHOLD INTERNATIONAL Case Example: Planning for Business Continuity
• Comdisco Disaster Recovery Services was relied on as it’s a major supplier of alternate-site data processing services in North America
• Heaps of rain in Chicago: a large number of disasters were declared
• Household declared a disaster quickly, which enabled close relocation
HOUSEHOLD INTERNATIONAL Case Example: Planning for Business Continuity cont.
Lessons learnt:
• Consider the risks of a natural disaster in selecting a data center location
• Create a plan to return to the primary site after a disaster
• Do not expect damaged equipment, disks, and tapes to always be replaced; monitor equipment
• Plan for alternate telecommunications
• Test the site under full workload conditions
• Maintain critical data at the alternate site
Conclusion
• The subject of managing computer operations is, perhaps surprisingly, at an all-time high because of:
  • The emergence of e-commerce
  • The increasing use of outsourcing
  • News-grabbing viruses
  • Attacks on major websites, and
  • The terrorist acts on September 11th, October 12th etc.
Conclusion cont.
• As enterprises increasingly rely on computing and telecom to work closely with others, they open themselves up to more threats by electronic means
• Companies must be increasingly vigilant to outside threats
• In short, the view of operations is shifting from managing inward to managing outward
• It’s ‘essential’ but often ‘forgotten’, and it’s not easy. Key = MANAGEMENT
Part II Discussion Case
MANAGING INFORMATION SECURITY ON A SHOESTRING BUDGET