Chapter 9 Information Security: Barbarians at the Gateway (and Just About Everywhere Else)
Introduction
• Businesses are increasingly at risk from information security threats
• The network of a TJX retail store was infiltrated via an insecure Wi-Fi base station
• 45.7 million credit and debit card numbers were stolen
• Driver's licenses and other private information were pilfered from 450,000 customers
• TJX paid settlement costs and court-imposed penalties to the tune of $150 million
The TJX Breach
• Factors that amplified the severity of the TJX breach:
  • Personnel betrayal: an alleged FBI informant used insider information to mastermind the attacks
  • Technology lapse: TJX used WEP, an insecure wireless security technology
  • Procedural gaffe: TJX had received an extension on the rollout of mechanisms that might have discovered and plugged the hole before the attackers got in
Lessons Learned
• Information security must be a top organizational priority
• Information security isn't just a technology problem; a host of personnel and procedural factors can create and amplify a firm's vulnerability
• Constant vigilance regarding security needs to be part of individual skill sets and a key component of an organization's culture
Motivations for Criminals
• Compromising computing assets for use in other crimes, such as:
  • Sending spam from thousands of difficult-to-shut-down accounts
  • Launching tough-to-track click-fraud efforts
  • Distributed denial of service (DDoS) attacks
• Extortionists might leverage botnets or hacked data to demand payment from victims who want to avoid harm
Motivations for Criminals
• Corporate espionage, which might be performed by insiders, rivals, or even foreign governments
• Cyberwarfare: devastating technology disruptions, such as cutting off power to millions
• Terrorism:
  • Compromising a key component in an oil refinery, forcing it to overheat, and causing an explosion
  • Taking out key components of vulnerable national power grids
• Pranks, such as setting off rumors that could have widespread repercussions
• Protest hacking (hacktivism)
• Revenge by disgruntled employees
Response to Crime
• Law enforcement agencies dealing with computer crime are increasingly outnumbered, out-skilled, and underfunded
• Technically weak personnel trained in a prior era's crime-fighting techniques
• Governments rarely match the pay scales and stock bonuses offered by private industry
Understanding Vulnerabilities
• A large share of security threats is posed by insiders
• Rogue employees can steal secrets, install malware, or hold a firm hostage
• Other insider threats to information security can come from:
  • Contract employees
  • Temporary staffers
  • Outsourced key infrastructure components
  • Partner firms such as clients and technology providers
Security and Employees
• Main threat? From "inside the walls"
• White-collar crime costs $400 billion per year
• Average non-managerial embezzlement is $60,000
• Average managerial embezzlement is $250,000
• Two-thirds of insider fraud is not reported
• 2 out of 5 businesses suffered 5+ fraud losses
  • One quarter of those cost more than $1 million
Security and Employees
• Computer-aided fraud:
  • Vendor fraud
  • Writing payroll checks to fictitious employees
  • Claiming expense reimbursements for costs not incurred
  • Stealing security codes, credit card numbers, or proprietary files
  • Stealing intellectual property
• 10% of people are completely honest, 10% will steal, and 80% depend on circumstances
• Theft is committed by those strapped for cash who have access to poorly protected funds and perceive a low risk of getting caught
Security and Employees
• Triggers of unethical employee behavior:
  • Efforts to balance work and family
  • Poor internal communications
  • Poor leadership
  • Work hours and workload
  • Lack of management support
  • Pressure to meet sales, budget, or profit goals
  • Little or no recognition of achievements
  • Company politics
  • Personal financial worries
  • Insufficient resources
Social Engineering
• Con games that trick employees into revealing information or performing other tasks that compromise a firm
• Examples of social engineering methods include:
  • Baiting someone to add, deny, or clarify information that can help an attacker
  • Using harassment, guilt, or intimidation
• Social media sites are a major source of information for social engineering scammers
Phishing
• Phishing refers to cons executed through technology
• The goal is to leverage the reputation of a trusted firm or friend in order to trick a victim into performing an action or revealing information:
  • Requests to reset passwords
  • Requests to update information
  • Requests to download a file that is actually malware
• Spear phishing attacks specifically target a given organization or group of users
Passwords
• Most users employ weak and insecure password practices:
  • Using the same password for different accounts
  • Making only minor tweaks to existing passwords
  • Writing passwords down
  • Saving passwords in personal e-mail accounts or on unencrypted hard drives
• The challenge questions offered by many sites to automate password distribution and resets offer flimsy protection
• Any firm that does not change the default accounts and passwords that ship with purchased software risks leaving an open door
• Users who set systems for open access leave their firms vulnerable to attack
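Two of the bullets above, minor tweaks to an old password and unchanged vendor defaults, can be checked mechanically at password-change time and during an account inventory. The following is an added example, not code from the chapter or from TJX; the common-password and default-password lists, the usernames and passwords, and the 0.8 similarity threshold are constructed placeholders and assumptions, and a real deployment would load maintained breach and vendor-default lists instead.

```python
"""Password-hygiene checks (added example; lists below are constructed placeholders)."""
from difflib import SequenceMatcher

# Constructed placeholder lists; a real deployment would load maintained
# breach-corpus and vendor-default lists from disk.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
DEFAULT_PASSWORDS = {"admin", "password", "toor", "1234", "changeme"}

# Leet-speak substitutions users reach for when forced to "add a digit".
LEET_MAP = (("0", "o"), ("1", "i"), ("3", "e"), ("4", "a"), ("5", "s"), ("@", "a"), ("$", "s"))


def normalise(pw: str) -> str:
    """Undo the usual 'minor tweaks': case, trailing digits/symbols and leet
    substitutions, so that Wintertime2023! and w1ntert1me24 compare equal."""
    s = pw.lower().rstrip("0123456789!@#$%^&*.")
    for src, dst in LEET_MAP:
        s = s.replace(src, dst)
    return s


def too_similar(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is a cosmetic edit of the old one
    (threshold is an assumed policy value, not a standard)."""
    a, b = normalise(old), normalise(new)
    if not a or not b:
        return False
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold


def check_new_password(username: str, old: str, new: str) -> list[str]:
    """Return the policy failures for a proposed change (empty list = accepted)."""
    problems = []
    if len(new) < 12:
        problems.append("shorter than 12 characters")
    if new.lower() in COMMON_PASSWORDS or normalise(new) in COMMON_PASSWORDS:
        problems.append("common password")
    if new in DEFAULT_PASSWORDS:
        problems.append("vendor default password")
    if username and username.lower() in new.lower():
        problems.append("contains the username")
    if too_similar(old, new):
        problems.append("minor tweak of the previous password")
    return problems


def find_default_accounts(accounts):
    """accounts: iterable of (system, username, password) gathered during an
    inventory audit; return the (system, username) pairs still on a vendor default."""
    return [(system, user) for system, user, pw in accounts if pw in DEFAULT_PASSWORDS]


if __name__ == "__main__":
    print(check_new_password("alice", "Wintertime2023!", "Wintertime2024!"))
    # Constructed inventory, e.g. scraped from device configuration backups.
    inventory = [("router-1", "admin", "admin"), ("db-1", "app", "S3cure-long-pass")]
    print(find_default_accounts(inventory))
```

The normalisation step is what makes the "minor tweak" check bite: comparing raw strings would accept `Wintertime2024!` as a new password, while the normalised forms are identical. The same normalisation also catches leet-speak dodges of the common-password list.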
Physical Threats
• Dumpster diving: sifting through trash to uncover valuable data or insights that facilitate attacks
• Shoulder surfing: looking over someone's shoulder to glean a password or other proprietary information from a computer screen
• Eavesdropping: listening in on or recording conversations, transmissions, or keystrokes
Taking Action as a User
• Question links, attachments, download requests, and the integrity of Web sites visited
• Be on guard for phishing attacks, social engineering con artists, and other attempts to let in malware
• Turn on the software update features of your operating system and every application you use
• Install a full suite of security software and update it regularly
• Encrypt all valuable and sensitive data
Taking Action as a User
• Do not turn on risky settings such as unrestricted folder sharing
• Home networks should be secured with password protection and a firewall
• Use VPN software when accessing public hotspots
• Maintain a strict password regimen, including changing default passwords and updating passwords regularly
• Regularly back up systems, and destroy data on removable devices after use
Taking Action as an Organization
• Security frameworks aim to take all measures needed to ensure the security of the firm for its customers, employees, shareholders, and others
  • ISO 27000 series
• Firms may also face compliance requirements: legally or professionally binding steps
• Compliance does not equal security
Taking Action as an Organization
• Education, audit, and enforcement
• Employees need to know the firm's policies, be trained regularly, and understand that they will face strict penalties if they fail to meet their obligations
• Include operations employees, the R&D function, and representatives from general counsel and audit in security teams
• Audits include real-time monitoring of usage, announced audits, and surprise spot checks
Taking Action as an Organization
• Information security should start with an inventory-style audit and risk assessment
• Firms should invest wisely in inexpensive measures that thwart common infiltration techniques
• Security is an economic problem involving attack likelihood, costs, and prevention benefits
• Tightening security and lobbying for legislation that imposes severe penalties on crooks raises adversary costs and lowers the likelihood of breaches
Role of Technology
• Patches
  • Pay attention to security bulletins and install software updates that plug existing holes
  • Legitimate concerns exist over the ability of patches to adversely affect a firm's systems, so test them before wide deployment
• Lock down hardware
  • Reimage hard drives of end-user PCs
  • Disable booting from removable media
  • Prevent Wi-Fi use
  • Require VPN encryption for network transmissions
Role of Technology
• Lock down networks
  • Firewalls control network traffic, blocking unauthorized traffic and permitting acceptable use
  • Intrusion detection systems monitor network use for hacking attempts and raise alerts; intrusion prevention systems can also block the offending traffic
  • Honeypots are seemingly tempting, bogus targets meant to lure hackers
  • Blacklists (denylists) deny entry or exit to specific IP addresses and other entities
  • Whitelists (allowlists) permit communication only with approved entities or in an approved manner
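The denylist and allowlist bullets have opposite default behaviours, and a detection system needs a rule to fire on. The example below is added here and is not from the chapter: it evaluates one source address against a constructed denylist and allowlist, runs a sliding-window failed-login detector over a few constructed, simplified sshd-style log lines (ISO timestamps rather than real syslog output), and feeds a detection back into the denylist. All addresses are from the RFC 5737 documentation ranges; the 5-in-60-seconds threshold is an assumed policy value.

```python
"""Allowlist vs denylist filtering plus a failed-login burst detector
(added example; rule sets and log lines are constructed)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rule sets using RFC 5737 documentation ranges.
DENYLIST = [ipaddress.ip_network("198.51.100.0/24")]
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]


def denylist_permits(src: str) -> bool:
    """Denylist semantics: everything gets in unless it is explicitly blocked."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in DENYLIST)


def allowlist_permits(src: str) -> bool:
    """Allowlist semantics: nothing gets in unless it is explicitly approved."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWLIST)


def block_source(src: str) -> None:
    """Respond to a detection by adding the single host (/32 or /128) to the denylist."""
    DENYLIST.append(ipaddress.ip_network(src))


# Simplified, constructed log format:
# "<ISO timestamp> <host> sshd[<pid>]: Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

SAMPLE_LOG = """\
2024-03-04T10:00:01 gw sshd[2111]: Failed password for root from 203.0.113.9 port 51122 ssh2
2024-03-04T10:00:04 gw sshd[2112]: Failed password for invalid user admin from 203.0.113.9 port 51124 ssh2
2024-03-04T10:00:09 gw sshd[2113]: Failed password for root from 203.0.113.9 port 51130 ssh2
2024-03-04T10:00:13 gw sshd[2114]: Failed password for invalid user oracle from 203.0.113.9 port 51131 ssh2
2024-03-04T10:00:18 gw sshd[2115]: Failed password for root from 203.0.113.9 port 51140 ssh2
2024-03-04T10:00:22 gw sshd[2116]: Failed password for root from 203.0.113.9 port 51142 ssh2
2024-03-04T10:01:00 gw sshd[2130]: Failed password for bob from 192.0.2.5 port 40001 ssh2
2024-03-04T10:01:07 gw sshd[2131]: Accepted password for bob from 192.0.2.5 port 40001 ssh2
2024-03-04T10:05:30 gw sshd[2140]: Failed password for bob from 192.0.2.5 port 40100 ssh2
"""


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> dict[str, int]:
    """Sliding-window count of failed logins per source address.  Returns the
    sources whose failures reached `threshold` inside `window`, mapped to the
    largest burst observed.  Lines that do not match (e.g. 'Accepted') are ignored."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            failures[m["src"]].append(datetime.fromisoformat(m["ts"]))
    alerts: dict[str, int] = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                alerts[src] = max(alerts.get(src, 0), burst)
    return alerts


if __name__ == "__main__":
    attacker = "203.0.113.9"
    print("denylist permits attacker:", denylist_permits(attacker))    # never listed, so yes
    print("allowlist permits attacker:", allowlist_permits(attacker))  # default deny, so no
    alerts = detect_bruteforce(SAMPLE_LOG)
    print("alerts:", alerts)
    for src in alerts:
        block_source(src)
    print("denylist permits attacker after blocking:", denylist_permits(attacker))
```

Run stand-alone, the script shows the point of the two list types: the attacker's address was never on the denylist, so a denylist-only firewall let it through until the detector fired, whereas the allowlist rejected it from the first packet because it was not explicitly approved.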
Role of Technology
• Increasingly internetworked infrastructures:
  • Need for concern about partners', suppliers', distributors', and customers' computer security (and your own)
• Lock down partners
  • Insist that partner firms comply with security guidelines, and audit them regularly
  • Use access controls to compartmentalize data access on a need-to-know basis
  • Use recording, monitoring, and auditing to hunt for patterns of abuse
  • Maintain multiple administrators who jointly control key systems
Pointers for Firms
• Lock down systems
  • Audit for SQL injection and other application exploits
• Have failure and recovery plans
  • Employ recovery mechanisms to regain control in the event that key administrators are incapacitated or uncooperative
• Broad awareness of infiltration reduces the organizational stigma of coming forward
• Share knowledge of techniques used by cybercrooks with technology partners
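For the "audit for SQL injection" bullet, an added example (not from the chapter) shows the string-built login query an audit should flag beside its parameterised replacement, both run against a constructed in-memory SQLite table, plus a crude regex scan of a constructed code snippet for the same pattern. The regex only illustrates what an audit looks for; a real audit would use a proper static-analysis tool. Table, rows and placeholder "hashes" are constructed.

```python
"""SQL-injection audit: vulnerable query, hardened query and a crude source
scan (added example; table contents and the scanned snippet are constructed)."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table; password_hash values are placeholders."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Deliberately vulnerable: user input is pasted into the SQL text."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return con.execute(sql).fetchall()


def login_safe(con: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Hardened: placeholders keep the input as data, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return con.execute(sql, (username, password_hash)).fetchall()


# Crude audit heuristic for Python code: an execute() call fed an f-string,
# or a string literal joined with + or %.  Parameterised calls do not match.
RISKY_EXECUTE = re.compile(r"""execute\w*\(\s*(?:f["']|["'][^"']*["']\s*(?:\+|%))""")

# Constructed snippet standing in for code under review.
SNIPPET = '''\
cur.execute(f"SELECT * FROM t WHERE id = {uid}")
cur.execute("SELECT * FROM t WHERE id = " + uid)
cur.execute("SELECT * FROM t WHERE id = %s" % uid)
cur.execute("SELECT * FROM t WHERE id = ?", (uid,))
'''


def audit_source(code: str) -> list[int]:
    """Return 1-based line numbers whose execute() call builds SQL from strings."""
    return [n for n, line in enumerate(code.splitlines(), 1) if RISKY_EXECUTE.search(line)]


if __name__ == "__main__":
    con = build_db()
    payload = "alice' --"  # closes the string and comments out the password check
    print(login_vulnerable(con, payload, "wrong"))  # alice logged in as admin
    print(login_safe(con, payload, "wrong"))        # no row: the quote is just data
    print(audit_source(SNIPPET))                    # lines 1-3 flagged, line 4 clean
```

The comment payload is the quieter of the two classic forms; `' OR '1'='1` supplied as both fields returns every row from the vulnerable query and nothing from the parameterised one, which is the before/after an auditor should be able to reproduce against a test database.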