
IT Security and Privacy

IT Security and Privacy. A Presentation for MIS 5800 By: Chad Keeven Brian Ledford Hai Lin Komsun Santiwiwatkul. Session Overview. Costs of IT Security IT Threats – Man-made and Natural Role of CSO IT Behavior and Access Case Study Disaster and Recovery Conclusions.


Presentation Transcript


  1. IT Security and Privacy
  A Presentation for MIS 5800
  By: Chad Keeven, Brian Ledford, Hai Lin, Komsun Santiwiwatkul
  IT Security & Privacy

  2. Session Overview
  • Costs of IT Security
  • IT Threats – Man-made and Natural
  • Role of CSO
  • IT Behavior and Access
  • Case Study
  • Disaster and Recovery
  • Conclusions

  3. Why should senior management focus on IT security?
  • “…Those that have invested in IT security staff get more return on their investment via reduced security breaches and increased concordance among CEOs and other officers on the need for security investments.”
  Source: http://www2.cio.com/research/surveyreport.cfm?id=6, viewed on November 26th, 2006

  4. How much do companies spend on IT security?
  • Companies spend, on average, 36% of their security budget toward technology and 7%–8% of their overall IT budget on technology (N=276).
  Source: http://www2.cio.com/research/surveyreport.cfm?id=6, viewed on November 26th, 2006

  5. Cost of Attacks
  • While the majority (84%) of survey respondents reported incidents (defined as security breaches or crimes, including viruses and hoaxes, that resulted in damage or loss) in the past 12 months, fewer than half (38%) of the IT professionals surveyed could quantify the damages. (N=276)
  Source: http://www2.cio.com/research/surveyreport.cfm?id=6, viewed on November 26th, 2006

  6. “The proliferation in the use of computer and communications technologies over approximately the last 20 years has resulted in significant changes in the types of threats that are posed to the information environment that we have come to rely on. The way in which the threats that are posed to an information environment are measured has not advanced at the same rate as the technology has developed and as a result, has not yet transitioned from being an art to science.”
  - Andy Jones, “Identification of the method for the calculation of the capability of threat agent in an information environment”
  Kovacich, Gerald L., Information Systems Security Officer’s Guide: Butterworth Heinemann, 2003.

  7. Threats and Vulnerabilities
  • Today's world of information systems leaves us vulnerable to a plethora of threats:
    • Natural threats
    • Man-made threats
  • Vulnerabilities are weaknesses that allow specific threats to cause adverse effects: anything that weakens the security of the systems and the information they handle.
  Kovacich, Gerald L., Information Systems Security Officer’s Guide: Butterworth Heinemann, 2003.

  8. Threat Assessment
  • You can look at threat assessment two ways:
    • Qualitative – an “educated best guess” based on opinions of knowledgeable others gained through interviews, history, tests, and personal experience
    • Quantitative – uses statistical sampling based on mathematical computations determining the probability of an occurrence based on historical data
  Kovacich, Gerald L., Information Systems Security Officer’s Guide: Butterworth Heinemann, 2003.

  9. Natural Threats
  • Sometimes thought of as “Acts of God,” these problems are random and often thought of as things that cannot be prepared for.
    • Fire
    • Hurricane
    • Earthquake
    • Typhoon
    • Accidents
  Kovacich, Gerald L., Information Systems Security Officer’s Guide: Butterworth Heinemann, 2003.

  10. Can We Prepare for These?
  • Fire
    • Paper data backed up and stored offsite?
    • Servers in a fire-retardant room?
    • Escape plans for employees?
  • Earthquake
    • Building built properly?
    • Data on computers backed up off-site?
    • Servers stored in a safe location?

  11. Can We Prepare for These?
  • Hurricane?
  • Typhoon?
  • Accidents?
  • What are your solutions?

  12. Man-made: what kinds of IT security threats can happen?
  • Hackers, spam, and phishing
  • Credit card fraud and identity theft
  • Terrorism

  13. HACKER
  • is someone who creates and modifies computer software and computer hardware, including computer programming, administration, and security-related items.
  • In August 2006, AT&T computer systems were hacked, and credit-card numbers and other personal information of about 18,000 to 19,000 customers were stolen.¹
  • In June 2006, the Navy announced that personal data on 28,000 sailors and family members had been found on a civilian web site.²
  Source: http://en.wikipedia.org/ viewed November 4, 2006
  ¹ AT&T Discloses Online Theft by Hackers. Wall Street Journal (Eastern edition). New York, N.Y.: Aug 30, 2006. pg. B.2
  ² Hack at USDA puts 26,000 at risk. Federal Computer Week; Jun 26, 2006. Vol. 20, Iss. 21; pg. 11, 1 pg.

  14. SPAMMING
  • is the abuse of electronic messaging systems to send unsolicited, undesired bulk messages.
  Source: http://en.wikipedia.org/ viewed November 4, 2006

  15. PHISHING
  • is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication.
  Source: http://en.wikipedia.org/ viewed November 4, 2006

  16. Sample phishing e-mail:
  FROM THE DESK OF MR. HASSAN YERIMA, EXECUTIVE DIRECTOR, FOREIGN OPERATIONS DEPARTMENT, CENTRAL BANK OF NIGERIA, GARIKI ABUJA TELL : 234-803-7105651.
  IMMEDIATE Release of your contract payment of US$18 million with contract number #:MAV/NNPC/FGN/MIN/2003.
  ATTENTION : THE HONOURABLE CONTRACTOR,
  Sir, From the records of outstanding contractors due for payment with the Federal government of Nigeria, your name was discovered as next on the list the outstanding contractors who have not received their payment. I wish to inform you that your payment is being processed and will be released to you as soon as you respond to this letter. Also note that from the record in my file your outstanding contract payment is US$18,000,000.00 million dollars (Eighteen million united states dollars) only. Please re-confirm to me if this is inline with what you have in your record and also re-confirm to me the following :
  1) Your full name and address
  2) Phone, fax and mobile #.
  3) Company's name, position and address.
  4) Profession, age and marital status.
  As soon as this information is received, your payment will be made to you by Telegraphic Wire Transfer (KTT) or Certified Bank Draft from central bank of Nigeria call me on my direct number as soon as you receive this letter for more details.
  Thanks, MR. HASSAN YERIMA., EXECUTIVE DIRECTOR, FOREIGN OPERATIONS DEPARTMENT, CENTRAL BANK OF NIGERIA

  17. Recent study by Symantec
  • Phishing attacks skyrocketed 260% in the 2nd half of 2004
  • Virus and worm attacks jumped more than 300% (the number one target is financial institutions)
  • 47% of 229 mid-size and large companies were hit by worms (Mazu Networks)
  Symantec conducts the surveys using its "Global Intelligence Network," which consists of more than 40,000 sensors monitoring activity on computers in over 180 countries. The firm also gathers data from over 120 million computer systems that use Symantec's antivirus products.
  Corporate Cyber Attacks on the Rise. Information Management Journal: Jul/Aug 2005, Vol. 39, Iss. 4

  18. Identity Theft

  19. Identity Theft
  • The fastest-growing crime in the United States¹
  • 13.3 persons per minute¹
  • 799 per hour¹
  • 19,178 per day¹
  • Victims spent between 15 and 60 hours resolving their problems.
  ¹ Identity theft toolkit, Vinita M. Ramaswamy. The CPA Journal. New York: Oct 2006. Vol. 76, Iss. 10; pg. 66, 5 pgs

  20. Consumer Fraud and Identity Theft Complaint Data, January–December 2005, Federal Trade Commission.
  http://www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf

  21. Consumer Fraud and Identity Theft Complaint Data, January–December 2005, Federal Trade Commission.
  http://www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf

  22. Cost of Identity Theft per year
  • Victims: 9.3 million
  • Loss to businesses: $52.6 billion
  • Loss to individual victims: $5 billion
  • Hours victims spent resolving their problems: 297 million
  ¹ Identity theft toolkit, Vinita M. Ramaswamy. The CPA Journal. New York: Oct 2006. Vol. 76, Iss. 10; pg. 66, 5 pgs

  23. Terrorism
  • “Bin Laden's operatives use encrypted e-mail to communicate, and . . . the hijackers did as well" (Behar, R. (2001, October 15). Fear along the fire wall. Fortune, 144(7), 145-148.)
  • "Terrorist watchers suspect al-Qaeda may be hiding its plans on online pornographic sites because there are so many of them, and they're the last place fundamentalist Muslims would be expected to go" (Cohen, A. (2001, November 12). When terror hides online. Time, 158(21), p. 65)
  Cybercrime in the United States Criminal Justice System: Cryptography and Steganography as tools of Terrorism. Andrew Schmurr, William Crawley; Journal of Security Administration; Dec 2003; 26, 2; ABI/INFORM GLOBAL

  24. Terrorism
  • Cryptography: the replacement of a unit of plaintext (i.e., a meaningful word or phrase) with a code word (for example, "apple pie" replaces "attack at dawn").
  [Image caption: The Ancient Greek scytale, probably much like this modern reconstruction, may have been one of the earliest devices used to implement a cipher.]
  Source: http://en.wikipedia.org/ viewed November 4, 2006

  25. Terrorism
  • Steganography: the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message.
  [Image captions: Image of a tree. Image extracted from the above image: by removing all but the last 2 bits of each color component, an almost completely black image results; making the resulting image 85 times brighter reveals the hidden image.]
  Source: http://en.wikipedia.org/ viewed November 4, 2006
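The low-bit extraction that the steganography slide describes, written out as an added example (not part of the presentation or of Wikipedia's material): keep the last 2 bits of each colour component, then multiply by 85 so the faint result becomes visible. The pixel data and helper names are constructed here for illustration.

```python
from typing import List, Tuple

Pixel = Tuple[int, int, int]   # 8-bit R, G, B

LOW_BITS = 2      # the slide keeps the last 2 bits of each component
BRIGHTEN = 85     # 2 bits hold at most 3, and 3 * 85 = 255: full scale again


def keep_low_bits(pixels: List[Pixel], bits: int = LOW_BITS) -> List[Pixel]:
    """Drop all but the lowest `bits` of each component. Values become 0..3,
    which is why the slide calls the result 'almost completely black'."""
    mask = (1 << bits) - 1
    return [tuple(c & mask for c in px) for px in pixels]


def brighten(pixels: List[Pixel], factor: int = BRIGHTEN) -> List[Pixel]:
    """Scale every component up (clamped to 255) so the faint image is visible."""
    return [tuple(min(255, c * factor) for c in px) for px in pixels]


def reveal(pixels: List[Pixel]) -> List[Pixel]:
    """The two-step recovery the slide describes."""
    return brighten(keep_low_bits(pixels))


def max_component_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """Largest per-component difference between two images. For 2-bit hiding
    it is at most 3 out of 255, which is why the cover image looks unchanged."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


def with_low_bits(cover: Pixel, low: Pixel, bits: int = LOW_BITS) -> Pixel:
    """Constructed test fixture: overwrite the cover pixel's low bits with `low`."""
    mask = (1 << bits) - 1
    return tuple((c & ~mask) | (h & mask) for c, h in zip(cover, low))


# Constructed 3-pixel 'cover' image, and the same pixels carrying a
# white / black / coloured pattern in their low 2 bits.
COVER: List[Pixel] = [(200, 100, 52), (200, 100, 52), (200, 100, 52)]
STEGO: List[Pixel] = [with_low_bits(COVER[0], (3, 3, 3)),
                      with_low_bits(COVER[1], (0, 0, 0)),
                      with_low_bits(COVER[2], (1, 2, 3))]

if __name__ == "__main__":
    print("cover changed by at most", max_component_delta(COVER, STEGO))
    print("revealed:", reveal(STEGO))
```

Running the same two steps over a clean image gives only the noise in its low bits, which is what an analyst compares against when deciding whether a picture carries anything.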

  26. ROLE OF CSO

  27. CSO Job Descriptions
  • Oversee a network of security directors and vendors who safeguard the company's assets, intellectual property, and computer systems, along with the physical safety of employees and visitors
  • Identify protection goals, objectives, and metrics consistent with corporate strategic plans
  • Manage the development and implementation of global security policy, standards, guidelines, and procedures to ensure ongoing maintenance of security
  Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.

  28. CSO Job Descriptions (cont.)
  • Maintain relationships with local, state, and federal law enforcement and other related government agencies
  • Oversee incident response planning as well as the investigation of security breaches
  • Work with outside consultants as appropriate for independent security audits.
  Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.

  29. The role of the CSO within organizations
  • 75% of all organizations have some form of integration between physical security and computer security
    • This is up from 53% in 2005 and 29% in 2003
  • 40% have the same executive overseeing computer and physical security
    • This is up from 31% in 2005 and 11% in 2003
  Vara, Vauhini, Technology (A Special Report); Intruder Alerts: Physical security and information security have a lot in common; But melding the two isn’t always smooth. Wall Street Journal (Eastern edition). New York, October 23, 2006, p. R10.

  30. CSO Background
  • CSOs come from an Information Systems background 63% of the time
  Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.

  31. CSO Qualifications
  • An intelligent, articulate and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security-related concepts to a broad range of technical and non-technical staff
  • Experience with business continuity planning, auditing and risk management, as well as contract and vendor negotiation
  • Strong working knowledge of pertinent law and the law enforcement community
  • A solid understanding of information technology and information security
  Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.

  32. How many CSOs are there?
  • Last year, 16 percent of companies surveyed created a CISO position while 15 percent had a CSO position.
  • This year’s study finds that 20 percent currently employ a CISO and an additional 20 percent have a CSO.
  • N = 8,200 from 63 countries
  The State of Information Security, 2005, Part Two, CSO research reports, http://www.csoonline.com/csoresearch/report95.html, viewed November 26th, 2006.

  33. IT Security: Behavior & Access – POP QUIZ

  34. IT Security: Behavior & Access
  • How many passwords do you have for work?
  • How many passwords do you have for your personal business?
  • How many of you have passwords written down?
  • How many of you have had passwords stolen?
  • How many of you know someone else’s passwords (ATM, log-ins, etc.)?

  35. IT Security: Behavior & Access
  • Easy passwords are easy to hack
  • Written-down passwords defeat the purpose of having a password
  • Weak passwords and security behaviors are a Clear and Present Danger to your office and your accounts.

  36. IT Security: Behavior & Access
  • Strong passwords are a must
  • New UMSL requirements:*
    • Strong Passwords: for security reasons, you must choose a strong password that meets the following requirements.
    • Your password must be 8 or more characters long.
    • Your password must contain at least three out of four of the following categories of characters:
      • Uppercase letters (A-Z)
      • Lowercase letters (a-z)
      • Digits (0-9)
      • The following symbols/punctuation: ? . , ! _ - ~ $ % + =
  * UMSL My Gateway website, https://sso.umsl.edu/perl/reset_pass.pl
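A checker for the UMSL rules listed above, added here as an illustration and not UMSL's own code. The function names are mine, and characters outside the four listed categories are assumed to count toward no category.

```python
import string

# Rules as listed on the slide; the names below are assumptions, not UMSL's.
MIN_LENGTH = 8
CATEGORIES_REQUIRED = 3
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "symbols": set("?.,!_-~$%+="),   # the slide's symbol/punctuation list
}


def categories_present(password: str) -> set:
    """Names of the categories that occur at least once in the password.
    Characters outside all four sets count toward no category (assumption)."""
    return {name for name, chars in CATEGORIES.items()
            if any(ch in chars for ch in password)}


def check_password(password: str) -> list:
    """Return the rule violations; an empty list means the slide's policy is met."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    present = categories_present(password)
    if len(present) < CATEGORIES_REQUIRED:
        missing = ", ".join(sorted(set(CATEGORIES) - present))
        problems.append("uses %d of the %d required character categories (missing: %s)"
                        % (len(present), CATEGORIES_REQUIRED, missing))
    return problems


def is_strong(password: str) -> bool:
    """True when the password meets every rule on the slide."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the slide.
    for pw in ["password", "Pa55word", "Tr0ub4d!", "Ab1!", "abcdefgh#"]:
        verdict = "OK" if is_strong(pw) else "; ".join(check_password(pw))
        print("%-10s -> %s" % (pw, verdict))
```

Note that "Pa55word" passes: the listed rules are necessary but not sufficient, so a check like this belongs beside a dictionary or known-leaked-password check.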

  37. IT Security: Behavior & Access
  • Some companies are utilizing stronger measures for passwords and log-ins:

  38. IT Security: Behavior & Access
  Trusted Platform Module (TPM) System
  • A chipset in a device stores all passwords for a user
  • One password accesses all protected sites
  • Eliminates the need to remember or write down dozens of passwords: users need only one password

  39. IT Security: Behavior & Access
  Biometrics
  • Soon to be the security standard
  • Fingerprint access: commonly appearing on phones, laptops, and PDAs
  • Optical scan: rare; for high security
  • Voice recognition: constantly improving
  • Facial recognition: limited use

  40. IT Security: Threats & Remedies – POP QUIZ

  41. IT Security: Threats & Remedies
  • How many of your employers restrict downloads?
  • How many of your employers disable or remove USB ports on your PC or laptop?
  • How many have been affected at work or home by a virus? What was the extent of the damage?

  42. IT Security: Threats & Remedies
  Threats to Information Systems
  • Hacks
  • Denial of Service Attacks
  • Viruses
  • Inadvertent and intentional sabotage from authorized users

  43. IT Security: Threats & Remedies
  Remedies
  • Virus Protection
  • Strong passwords
  • Active countermeasures and monitoring
  • Limited user access to systems and hardware
  • Others?

  44. IT Security: Hardware & Software
  Telecommuting
  • Rising in popularity: 23.5 million currently; 40 million+ by 2010*
  • How do you secure your company’s systems with outside users?
  * Int’l Telework Association & Council, July 2006

  45. IT Security: Hardware & Software
  Virtual Private Network (VPN)
  • Secure channel established through the Internet
  • Encryption
  • Enables remote users to securely access their desktop at work

  46. IT Security: Case Study – Diversified Financial Services, LLC
  • Underwriter of commercial and agricultural equipment loans and leases
  • $300M in volume; income not disclosed (privately owned)
  • 100 employees in St. Louis and Omaha; 20 remote users

  47. IT Security: Procedures
  Security is imperative
  • Personal credit bureaus
  • Financial statements
  • Credit applications with account numbers
  • Banking and commercial lending laws

  48. IT Security: Procedures
  • All remote users must be approved by a Vice President
  • Approvals forwarded to the Chief Operating Officer
  • VPN information and setups are given to the employee by the network administrator
  • The same passwords and logins are used remotely as in the office

  49. IT Security: Procedures
  Other Security Measures:
  • Tough password standards; changed monthly
  • USB ports disabled
  • Network administrator limits access
  • No downloads permitted; emailed documents scanned and macros disabled prior to opening
  • Virus and network protection

  50. After Disaster Strikes
  The Federal Emergency Management Agency (FEMA) states that
  • Between 1976 and 2001, a total of 906 major disasters were declared in the United States.
  • Of all the businesses damaged by Hurricane Andrew in 1992, 80 percent of those lacking a business continuity plan (BCP) failed within two years of the storm.
  A study by Data Pro Research Company found that
  • 43 percent of companies hit by severe crises never reopen
  • another 29 percent fail within two years.
  Virginia Cerullo and Michael J. Cerullo, “Business Continuity Planning: A Comprehensive Approach,” www.ism-journal.com, Summer 2004
