AQ 8.1 Discussion Question 7.4 (Romney page 284) Is it possible to provide absolute security for an organization's information system? Why or why not?
AQ 8.1 Discussion Question 7.4 (Romney page 284) • To provide absolute information security an organization must follow Jeff Richards’ “Laws of Data Security”: • Don’t buy a computer. • If you buy a computer, don’t turn it on. • Beyond this there is no way to make a system absolutely secure. However, as discussed in the text, there are numerous methods and controls that make a system more secure.
AQ 8.2 • What is social engineering? • Why is social engineering becoming increasingly popular as a means to gain unauthorised access to an organisation’s systems? • Give some examples of social engineering methods. • What are the best methods or controls that will reduce the risk of a social engineering attack succeeding?
AQ 8.2 • (1) What is social engineering? • Social engineering is “tricking” employees and other individuals into giving the attacker access to the system, or even into handing over the data the attacker seeks.
AQ 8.2 • (2) Why is social engineering becoming increasingly popular as a means to gain unauthorised access to an organisation’s systems? • Why go through the trouble of trying to break into a system if you can get someone to let you in? As technical security measures become more sophisticated, less technical attack methods such as social engineering tend to become more popular. This is particularly true of attackers who do not have strong technical knowledge.
AQ 8.2 • (3) Give some examples of social engineering methods. • The methods of social engineering are limited only by the imagination of the attacker. Attacks can take place over the phone or by email. Targets are usually new employees and non-technical, low-level staff. Examples include:
AQ 8.2 • Impersonating an executive who cannot obtain access to important files. The attacker calls a newly hired administrative assistant and asks for help in obtaining the files.
AQ 8.2 • Posing as a clueless temporary worker who cannot log onto the system and calls the help desk for assistance.
AQ 8.2 • Posing as a technical support person and ringing a secretary just before the close of business requesting access details to help resolve a difficulty with the secretary’s computer account.
AQ 8.2 • Leaving USB drives in an organisation’s car park or reception areas. When a curious employee picks one up and plugs it into their computer, a Trojan horse contained on the drive is automatically installed; this program enables the attacker to gain access to the system.
AQ 8.2 • Sending emails to employees purportedly from someone the user knows in the organisation. The email, known as “spear phishing”, requires the user to click on an embedded link, which causes a Trojan horse to be downloaded. This again allows the attacker to gain access to the system.
AQ 8.2 • (4) What are the best methods or controls that will reduce the risk of a social engineering attack succeeding? • Training all employees in information security, including the possibility of social engineering attacks, is the first line of defence. Hand in hand with training, the organisation should have, and enforce, policies that reduce the risk associated with social engineering. These would include prohibiting the behaviour that social engineering attacks typically request, such as managers asking staff for assistance in gaining access to sensitive data.
AQ 8.3 Problem 7.1 (a) to (e) (Romney p 284) • Which preventive, detective, and/or corrective controls would best mitigate the following threats?
AQ 8.3 a. An employee’s laptop was stolen at the airport. The laptop contained personally identifying information about the company’s customers that could potentially be used to commit identity theft.
AQ 8.3 a. Solution: Encrypt data stored on company laptops. (Preventative)
AQ 8.3 b. A salesperson successfully logged into the payroll system by guessing the payroll supervisor’s password.
AQ 8.3 b. Solution: Employ and enforce strong password techniques, such as a minimum length of 8 characters, multiple character types, random characters, and frequent changes. Also lock out accounts after 3-5 unsuccessful login attempts. (Preventative)
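The two preventive controls in part (b), a password policy and a lockout after repeated failed logins, can be made concrete. The block below is an added illustration, not part of the slides or Romney's text. It takes the 8-character minimum and the 3-5 attempt lockout from the slide (5 is used here); the requirement of at least three character types and the 15-minute lockout period are assumptions. The guessing scenario it simulates is constructed.

```python
import string

# Policy values: 8-character minimum and a lockout after 5 failed attempts come
# from the slide (it allows 3-5). Three character classes and a 900-second
# (15-minute) lockout are assumptions made for this example.
MIN_LENGTH = 8
MIN_CHARACTER_CLASSES = 3
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 900


def password_meets_policy(password: str) -> tuple[bool, list[str]]:
    """Check a candidate password against the policy.

    Returns (ok, reasons) so the caller can tell the user exactly what failed
    instead of a bare reject.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"uses {classes} character type(s), need {MIN_CHARACTER_CLASSES}")
    # "Random characters": a password made of one or two repeated symbols is
    # trivially guessable regardless of length.
    if len(set(password)) <= 2:
        problems.append("too repetitive")
    return (not problems, problems)


class LockoutTracker:
    """Count consecutive failed logins per account and lock the account once the
    threshold is reached. Times are epoch seconds so the logic is easy to test."""

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}       # account -> consecutive failures
        self.locked_until: dict[str, float] = {}  # account -> unlock time

    def is_locked(self, account: str, now: float) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout has expired: clear the state and let the user try again.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_attempt(self, account: str, success: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'failed' for the authentication layer to act on.

        A correct password presented during a lockout is still refused; otherwise
        the attacker could keep guessing and the lockout would be meaningless.
        """
        if self.is_locked(account, now):
            return "locked"
        if success:
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"


def simulate_guessing_attack() -> list[str]:
    """Constructed scenario: five wrong guesses at the payroll supervisor's
    account, then the right password during the lockout, then a legitimate
    login after the lockout expires."""
    tracker = LockoutTracker()
    account = "payroll_supervisor"  # constructed account name
    outcomes = [tracker.record_attempt(account, False, now=float(i)) for i in range(5)]
    outcomes.append(tracker.record_attempt(account, True, now=10.0))
    outcomes.append(tracker.record_attempt(account, True, now=10.0 + LOCKOUT_SECONDS))
    return outcomes


if __name__ == "__main__":
    print(password_meets_policy("payroll1"))
    print(simulate_guessing_attack())
```

The point the simulation makes is that the guessing attack from part (b) is stopped at the fifth wrong attempt, and that even the correct guess is refused until the lockout expires.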
AQ 8.3 c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.
AQ 8.3 • Solution: The system should reject any attempts by any user to remotely log into the system if that same user is already logged in from a physical workstation. The system should also notify appropriate security staff about such an incident. (Preventative and Detective)
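The control in part (c) is a session check: a remote login is refused while the same user already holds a session from a physical workstation, and security staff are told about it. The block below is an added example of that check, not code from the slides or the textbook. Recording the alert in a list stands in for notifying security staff; the workstation name and the IP address are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    origin: str   # "workstation" (physical, on-site) or "remote"
    source: str   # workstation name or remote address (constructed in the demo)


class SessionGuard:
    """Refuse a remote login while the user is logged in at a physical workstation
    and raise an alert (preventive and detective control from part (c)).

    Alerts are appended to a list here; in practice they would be forwarded to the
    security team's monitoring or ticketing system (an assumption of this example).
    """

    def __init__(self) -> None:
        self.active: dict[str, list[Session]] = {}
        self.alerts: list[str] = []

    def workstation_sessions(self, user: str) -> list[Session]:
        return [s for s in self.active.get(user, []) if s.origin == "workstation"]

    def login(self, user: str, origin: str, source: str) -> bool:
        """Return True if the login is accepted, False if rejected."""
        if origin == "remote":
            local = self.workstation_sessions(user)
            if local:
                where = ", ".join(s.source for s in local)
                # Detective part: the rejection itself is the signal that someone
                # else holds this user's credentials.
                self.alerts.append(
                    f"REJECTED remote login for {user} from {source}: "
                    f"already logged in at {where}"
                )
                return False
        self.active.setdefault(user, []).append(Session(user, origin, source))
        return True

    def logout(self, user: str, source: str) -> None:
        remaining = [s for s in self.active.get(user, []) if s.source != source]
        if remaining:
            self.active[user] = remaining
        else:
            self.active.pop(user, None)


def demo() -> tuple[bool, bool, int, bool]:
    """Constructed scenario from part (c): the IT manager is at his HQ workstation
    when a remote login with his credentials arrives."""
    guard = SessionGuard()
    at_desk = guard.login("it_manager", "workstation", "HQ-WS-042")
    remote_attempt = guard.login("it_manager", "remote", "203.0.113.7")
    alert_count = len(guard.alerts)
    # Once the manager logs out at the workstation, a remote login is allowed again.
    guard.logout("it_manager", "HQ-WS-042")
    remote_later = guard.login("it_manager", "remote", "203.0.113.7")
    return at_desk, remote_attempt, alert_count, remote_later


if __name__ == "__main__":
    print(demo())
```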
AQ 8.3 d. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.
AQ 8.3 • Solution: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam. Detective and corrective controls include employing anti-spyware software that automatically checks for and cleans all detected spyware on an employee's computer as part of the logon process for accessing the company's information system.
AQ 8.3 e. The director of R&D quit abruptly after an argument with the CEO. The company cannot access any of the files about several new projects because the R&D director had encrypted them before leaving.
AQ 8.3 e. Solution: Employ a policy that files can only be encrypted using company encryption software, and where IT security has access to the encryption keys, stored independently of the system. Internal Audit should test encrypted files and encryption keys. (Preventative and Detective)
AQ 8.4 The Poppins Umbrella Company maintains an inventory of miscellaneous supplies (eg pens, paper, envelopes, floppy disks, small stationery items) for its clerical workers. The company stores these supplies on shelves at the back of the office facility, easily accessible to all company employees. The company accountant, Brian Less, is concerned about the poor internal control over the office supplies.
AQ 8.4 He estimates the monthly loss due to theft of the supplies by employees averages about $350. To reduce this monthly loss Brian recommends a separate room to store these supplies, and that a company employee be given full time responsibility for supervising the issuance of the supplies to those employees with a properly approved requisition. By implementing these controls, Brian believes the loss of supplies from employee theft will be reduced to almost zero.
AQ 8.4 Required: • If you were the company manager responsible for either accepting or rejecting Brian’s control recommendations, what would your decision be? Explain your reasoning. • Identify some additional control procedures that the company might implement to reduce the monthly loss from theft of office supplies by employees.
AQ 8.4 • Brian has made three recommendations: (1) A separate room to store the consumables. Either a room or a lockable storage area is a good idea for small items and stationery. Custody of the key would generally be the responsibility of one staff member as part of their other duties. This provides a low-level control procedure which discourages theft, as there is at least a cursory point of supervision. It is highly unlikely that this would reduce theft to nil.
AQ 8.4 • Brian has made three recommendations: (2) A company employee be given full-time responsibility for the consumables. This would be cost prohibitive and should not be implemented. Theft at an average of $350 per month is costing $4,200 per annum. Even a low-level employee’s wage would greatly exceed this.
AQ 8.4 • Brian has made three recommendations: (3) Employees have a properly approved requisition. Again, the cost of requiring the issuance, approval, storage, and monitoring of such a system of requisitions for minor-cost items would be prohibitive and should not be implemented on the information given in the question.
AQ 8.4 • Other control suggestions could include employees signing a sheet showing the item and date. This would provide some accountability at a low cost of implementation. As suggested in point one above, the consumables could be secured in a cabinet etc., with access through a key retained by one employee located near the storage.