Chapter 12
Information Security Management
This Could Happen to You: “Could Someone Be Getting to Our Data?” (scenario video)
• Someone’s stealing wedding presents, but only from weddings of club members.
• Knew how to access the system, access the database, and maybe some SQL.
• Access: Mike has yellow stickies with passwords on his monitor; copies of the key to the server building.
• Knowledge: the greenskeeper, “a techno-whiz,” created a report for Anne. Knows how to query the database, and was known to access it prior to Anne’s project. (ch. 9)
Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall
Study Questions
Q1: What are the sources and types of security threats?
Q2: What are the elements of a security program?
Q3: How can technical safeguards protect against security threats?
Q4: How can data safeguards protect against security threats?
Q5: How can human safeguards protect against security threats?
Q6: What is necessary for disaster preparedness?
Q7: How should organizations respond to security incidents?
How does the knowledge in this chapter help Fox Lake and you?
Q1: What Are the Sources and Types of Security Threats?
Unauthorized Data Disclosure
Incorrect Data Modifications
Human errors
• Incorrect entries and information
• Procedural problems
Incorrect data modifications
• Systems errors (lost-update problem)
Hacking
• Unauthorized system access
Faulty recovery actions
• Human procedural mistakes
• Errors in installation of hardware, software programs, or data
Usurpation
• Unauthorized programs invade the computer system and replace legitimate programs
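The lost-update problem listed under systems errors is easiest to see in code. The following is an added example, not material from the textbook slides: two clerks read the same inventory row, each subtracts its own sale, and each writes back. The interleaving is simulated deterministically so the lost write is reproducible, and the second function shows the usual fix, a version number checked at write time (optimistic concurrency), so a stale write is refused and retried on fresh data. The `Table`/`Row` classes and the quantities are constructed for the demo.

```python
"""Lost-update problem and a version-checked fix (added example)."""
import threading
from dataclasses import dataclass


@dataclass
class Row:
    qty: int
    version: int = 0


class Table:
    """A one-row 'inventory' table; the lock only protects each write."""

    def __init__(self, qty: int) -> None:
        self.row = Row(qty)
        self._lock = threading.Lock()

    def read(self) -> Row:
        # Hand back a snapshot; each clerk works on its own copy.
        return Row(self.row.qty, self.row.version)

    def write_unchecked(self, qty: int) -> None:
        # Blind write: whatever the writer computed replaces the row.
        with self._lock:
            self.row = Row(qty, self.row.version + 1)

    def write_checked(self, qty: int, expected_version: int) -> bool:
        # Compare-and-set: succeed only if nobody wrote since our read.
        with self._lock:
            if self.row.version != expected_version:
                return False
            self.row = Row(qty, self.row.version + 1)
            return True


def lost_update(start_qty: int, sale_a: int, sale_b: int) -> int:
    """Both clerks read before either writes; the second write silently
    overwrites the first, so one sale is lost. Returns the final qty."""
    table = Table(start_qty)
    snap_a = table.read()                        # clerk A reads start_qty
    snap_b = table.read()                        # clerk B reads the same value
    table.write_unchecked(snap_a.qty - sale_a)   # A writes start_qty - sale_a
    table.write_unchecked(snap_b.qty - sale_b)   # B overwrites it with start_qty - sale_b
    return table.read().qty


def checked_update(start_qty: int, sale_a: int, sale_b: int) -> int:
    """Same interleaving, but every write carries the version it read.
    B's stale write is rejected, B re-reads, and both sales are applied."""
    table = Table(start_qty)
    snap_a = table.read()
    snap_b = table.read()
    assert table.write_checked(snap_a.qty - sale_a, snap_a.version)
    # A moved the row to version 1, so B's write against version 0 fails.
    while not table.write_checked(snap_b.qty - sale_b, snap_b.version):
        snap_b = table.read()                    # retry on fresh data
    return table.read().qty


if __name__ == "__main__":
    print("blind writes:", lost_update(100, 5, 3))        # 97: the 5-unit sale vanished
    print("versioned writes:", checked_update(100, 5, 3)) # 92: both sales applied
```

Run it directly to see both outcomes. Real DBMSs solve the same problem with row locks or with an explicit version column (the pattern `write_checked` models); either way the point for the security program is that the "system error" is a design defect that needs a safeguard, not an unlucky event.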
Denial of Service (DoS)
Human error
• Inadvertently shutting down a web server or gateway router with a computationally intensive application
• Example: an OLAP application that uses the operational DBMS blocks order-entry transactions
Denial of service
• Malicious attacks flood a web server with millions of requests for web pages
• Computer worms
• Natural disasters
Loss of Infrastructure
Accidental
• Bulldozer cutting a fiber-optic cable; floor buffer bangs the web server
• Water line breaks or fire damages hardware
Theft and terrorists
• Disgruntled employee steals equipment
• Damages computer center
Natural disasters
• Floods, tornadoes, hurricanes, fire, earthquakes
Experiencing MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts
2. Suppose you received the email in Figure 1 and mistakenly clicked See more details here. When you did so, you were taken to the web page shown in Figure 2. List every phishing symptom that you find in these two figures and explain why it is a symptom.
3. Suppose you work for an organization that is being phished.
a. How would you learn that your organization is being attacked?
b. What steps should your organization take in response to the attack?
c. What liability, if any, do you think your organization has for damages to customers that result from a phishing attack that carries your brand and trademarks?
4. Summarize why phishing is a serious problem to commerce today.
5. Describe actions that industry organizations, companies, governments, or individuals can take to help to reduce phishing.
Q2: What Are the Elements of a Security Program?
Senior management involvement
• Must establish security policy
• Manage risk: balancing costs and benefits of security measures
Safeguards
• Protections against security threats
Incident response
• Priority plan for security incidents
Security Safeguards as They Relate to the Five Components
• Effective security programs balance safeguards
Q3: How Can Technical Safeguards Protect Against Security Threats?
Identification and Authentication
Authentication methods
• Password
• Smart card
• Biometric
Smart cards
• Microchip embedded with identifying data
• Authentication by PIN
Biometric authentication
• Fingerprints, face scans, retina scans
• See http://searchsecurity.techtarget.com
Single sign-on for multiple systems
• Authenticate to the network and other servers
Encryption Terminology
Encryption: SSL/TLS
• Figure 12-4
Firewalls
• Computing device that prevents unauthorized network access
• May be a special-purpose computer or a program on a general-purpose computer
• Organizations may have multiple firewalls
• Perimeter firewalls outside the network
• Internal firewalls inside the network
• Packet-filtering firewalls examine each part of a message
• May filter both incoming and outgoing messages
• Encoded rules stating which IP addresses are allowed in or out of the network
• Do not connect to the Internet without firewall protection!
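The "encoded rules stating which IP addresses are allowed in or out" can be modelled directly. Below is an added example, not code from the textbook or from any firewall product: a small packet-filtering evaluator in which rules are an ordered list, the first rule whose direction, source, destination and port all match decides, and a packet that matches no rule is dropped (default deny). The addresses, rule set and sample packets are constructed for the demo; the rule model is a simplification of what a real packet filter does (no state tracking, no protocol field).

```python
"""Minimal packet-filtering firewall rule evaluator (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" (entering the network) or "out" (leaving it)
    src: str               # CIDR block; "0.0.0.0/0" matches any address
    dst: str
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, direction: str, src: str, dst: str, dport: int) -> bool:
        return (self.direction == direction
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


# Constructed rule set for a small site: a public web server at 203.0.113.10
# and an internal network 10.0.0.0/8. Order matters: first match wins.
RULES = [
    Rule("allow", "in", "0.0.0.0/0", "203.0.113.10/32", 443),   # public HTTPS to web server
    Rule("deny", "in", "0.0.0.0/0", "10.0.0.0/8", None),        # nothing from outside reaches the LAN
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0", 443),       # staff browsing over HTTPS
    Rule("deny", "out", "10.0.0.0/8", "0.0.0.0/0", 25),         # no direct outbound mail from workstations
]


def decide(direction: str, src: str, dst: str, dport: int, rules=RULES) -> str:
    """First-match evaluation; returns 'allow' or 'deny'."""
    for rule in rules:
        if rule.matches(direction, src, dst, dport):
            return rule.action
    return "deny"   # default deny: no matching rule means the packet is dropped


def decide_all(packets, rules=RULES):
    """Evaluate a batch of (direction, src, dst, dport) tuples."""
    return [(pkt, decide(*pkt, rules=rules)) for pkt in packets]


if __name__ == "__main__":
    sample = [                                          # constructed packets
        ("in", "198.51.100.7", "203.0.113.10", 443),    # customer to web server
        ("in", "198.51.100.7", "10.0.0.5", 3306),       # outsider to an internal DBMS
        ("out", "10.0.0.5", "198.51.100.7", 443),       # staff browsing
        ("out", "10.0.0.5", "198.51.100.7", 25),        # infected workstation sending spam
        ("in", "198.51.100.7", "203.0.113.10", 22),     # SSH to web server: no rule, so dropped
    ]
    for pkt, verdict in decide_all(sample):
        print(verdict.upper().ljust(5), pkt)
```

The outbound rules are why the slide says firewalls filter both directions: the fourth packet is blocked even though it originates inside. An internal firewall uses the same mechanism with a narrower rule set (for example, only the web server may reach the DBMS port), which is the "multiple firewalls" layout on the next slide.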
Use of Multiple Firewalls
Malware Protection
Spyware programs and more on threats: see the table that follows.
Adware
• Similar to spyware, but without malicious intent
• Watches user activity, produces pop-up ads, changes windows, modifies search results
• Can slow computer performance
• Remove with anti-spyware and anti-adware programs
Malware Protection (Type: Problems)
Malware: Viruses, worms, Trojan horses, spyware, and adware
Virus: Computer program that replicates itself; takes unwanted and harmful actions
Macro virus: Attaches itself to Word, Excel, or other types of documents; the virus infects every file the application creates or processes
Worm: Virus that propagates using the Internet or another computer network; can choke a network
Spyware: Some capture keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Other spyware supports marketing analyses.
Adware: Can slow computer performance
Spyware and Adware Symptoms
Malware Safeguards
• Install antivirus and anti-spyware programs on your computer
• Set up your anti-malware programs to scan your computer frequently
• Update malware definitions
• Open email attachments only from known sources
• Promptly install software updates from legitimate sources
• Browse only in reputable Internet neighborhoods
Q4: How Can Data Safeguards Protect Against Security Threats?
Data Safeguards
Q5: How Can Human Safeguards Protect Against Security Threats?
Position definitions
• Least privilege possible
Hiring & screening employees
• Extensive interviews and background checks for high-sensitivity positions
Dissemination & enforcement
• Make employees aware of security policies and procedures
Termination
• Establish security policies and procedures for employee termination
• HR dept. gives IS early notification
How Can Human Safeguards Protect Against Security Threats? (cont’d)
Account Administration
Account management
• Administration of user accounts, passwords, and help-desk policies and procedures
• Creation of new user accounts, modification of existing account permissions, removal of unneeded accounts
• Improve your relationship with IS personnel by providing early and timely notification of the need for account changes
Password management
• Users should change passwords every three months or more frequently
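The account-management and password-management points above, together with the least-privilege position definitions and the termination notice from HR in Q5, are the kind of thing an IS department should check on a schedule rather than remember. The following is an added example, not code from the textbook: a review that takes a constructed list of accounts and an HR roster and reports enabled accounts with no active employee (removal overdue), passwords older than the three-month rotation period, and permissions wider than the account's position definition. The role-to-permission map, user names and dates are all constructed for the demo.

```python
"""Periodic account review against HR roster and position definitions (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed position definitions: the most privilege each role should hold.
ROLE_PERMISSIONS = {
    "clerk": {"events:read"},
    "event_manager": {"events:read", "events:write", "members:read"},
    "dba": {"events:read", "events:write", "members:read", "members:write", "db:admin"},
}
PASSWORD_MAX_AGE = timedelta(days=90)   # "every three months or more frequently"


@dataclass
class Account:
    user: str
    role: str
    permissions: Set[str]
    password_changed: date
    enabled: bool = True


@dataclass
class Employee:
    user: str
    terminated: Optional[date] = None   # set from HR's early notification to IS


def review(accounts: List[Account], roster: List[Employee], today: date) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs; an empty list means the accounts are clean."""
    hr = {e.user: e for e in roster}
    findings = []
    for acct in accounts:
        emp = hr.get(acct.user)
        gone = emp is None or (emp.terminated is not None and emp.terminated <= today)
        if acct.enabled and gone:
            findings.append((acct.user, "enabled account with no active employee; remove"))
        if today - acct.password_changed > PASSWORD_MAX_AGE:
            findings.append((acct.user, "password older than 90 days; force change"))
        extra = acct.permissions - ROLE_PERMISSIONS.get(acct.role, set())
        if extra:
            findings.append((acct.user, f"permissions beyond role {acct.role}: {sorted(extra)}"))
    return findings


# Constructed sample data: one clean account and three with problems.
TODAY = date(2012, 6, 1)
ACCOUNTS = [
    Account("anne", "event_manager", {"events:read", "events:write", "members:read"}, date(2012, 4, 15)),
    Account("mike", "dba", set(ROLE_PERMISSIONS["dba"]), date(2011, 12, 1)),          # stale password
    Account("grounds01", "clerk", {"events:read", "members:read", "db:admin"}, date(2012, 5, 20)),  # over-privileged
    Account("temp01", "clerk", {"events:read"}, date(2012, 5, 1)),                     # nobody in HR owns it
]
ROSTER = [
    Employee("anne"),
    Employee("mike"),
    Employee("grounds01", terminated=date(2012, 5, 31)),   # HR notified IS of a termination
]


if __name__ == "__main__":
    for user, finding in review(ACCOUNTS, ROSTER, TODAY):
        print(f"{user}: {finding}")
```

The HR roster is the source of truth for who should have an account at all; the position definitions are the source of truth for what each account may do. Feeding the review from those two lists, rather than from the account list alone, is what makes the "early notification" from HR actionable.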
National Institute of Standards and Technology (NIST) Recommendation
• User signs a statement like this.
Systems Procedures
Security Monitoring Functions
Activity log analyses
• Firewall logs
• DBMS log-in records
• Web server logs
Security testing
• In-house and external security professionals
Investigation of incidents
• How did the problem occur?
Learn from incidents
• Indication of potential vulnerability and needed corrective actions
• Review and update security and safeguard policies
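"Activity log analyses" over DBMS log-in records and web server logs is concrete enough to show. The following is an added example, not code from the textbook: it parses a few constructed DBMS log-in records and web server lines (both formats are simplified stand-ins, not any product's real format), normalises them into the same (time, account, source, failed) events, and flags any account/source pair with four or more failed log-ins inside a five-minute window, noting whether a successful log-in followed the burst. The threshold, window and log lines are all constructed for the demo.

```python
"""Activity-log analysis: failed log-in bursts across two log sources (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DBMS log-in records: time, outcome, account, client address.
DBMS_LOG = """\
2012-05-14 22:01:03 LOGIN FAILED user=anne from=10.0.0.44
2012-05-14 22:01:09 LOGIN FAILED user=anne from=10.0.0.44
2012-05-14 22:01:15 LOGIN FAILED user=anne from=10.0.0.44
2012-05-14 22:01:21 LOGIN FAILED user=anne from=10.0.0.44
2012-05-14 22:01:30 LOGIN OK user=anne from=10.0.0.44
2012-05-14 09:15:02 LOGIN OK user=mike from=10.0.0.12
"""

# Constructed web server lines (combined-log style) for a members area.
WEB_LOG = """\
198.51.100.7 - - [14/May/2012:23:10:01 +0000] "POST /members/login HTTP/1.1" 401 512
198.51.100.7 - - [14/May/2012:23:10:04 +0000] "POST /members/login HTTP/1.1" 401 512
198.51.100.7 - - [14/May/2012:23:10:07 +0000] "POST /members/login HTTP/1.1" 401 512
198.51.100.7 - - [14/May/2012:23:10:11 +0000] "POST /members/login HTTP/1.1" 401 512
198.51.100.7 - - [14/May/2012:23:10:15 +0000] "GET /members/weddings HTTP/1.1" 200 8840
203.0.113.5 - - [14/May/2012:08:00:00 +0000] "GET / HTTP/1.1" 200 1200
"""

DBMS_RE = re.compile(r"^(\S+ \S+) LOGIN (\w+) user=(\S+) from=(\S+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+$')


def parse_dbms(text):
    """Yield (timestamp, account, source, failed) from DBMS log-in records."""
    for line in text.splitlines():
        m = DBMS_RE.match(line)
        if not m:
            continue   # unknown line shape: skip rather than crash the analysis
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(3), m.group(4), m.group(2) == "FAILED"


def parse_web(text, login_path="/members/login"):
    """Yield (timestamp, account, source, failed) from web server lines.
    The web log carries no user name, so the login URL stands in for the account."""
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        failed = m.group(3) == "POST" and m.group(4) == login_path and m.group(5) == "401"
        yield ts, login_path, m.group(1), failed


def failed_login_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """Return {(account, source): (failures_in_window, success_followed)} for
    every key with at least `threshold` failures inside one sliding window."""
    failures = defaultdict(list)
    success_after = set()
    for ts, account, source, failed in sorted(events, key=lambda e: e[0]):
        key = (account, source)
        if failed:
            failures[key].append(ts)
        elif failures[key]:
            success_after.add(key)   # a success after failures: worth a closer look
    findings = {}
    for key, times in failures.items():
        for i, start in enumerate(times):
            run = [t for t in times[i:] if t - start <= window]
            if len(run) >= threshold:
                findings[key] = (len(run), key in success_after)
                break
    return findings


def analyze(dbms_text=DBMS_LOG, web_text=WEB_LOG, threshold=4):
    """Combine both sources and run the burst check."""
    events = list(parse_dbms(dbms_text)) + list(parse_web(web_text))
    return failed_login_bursts(events, threshold=threshold)


if __name__ == "__main__":
    for (account, source), (count, then_ok) in analyze().items():
        tail = ", then a successful log-in" if then_ok else ""
        print(f"{count} failed log-ins for {account} from {source}{tail}")
```

Normalising both sources into one event shape is the useful habit here: the same burst rule then applies to firewall logs as well, and a "failures followed by success" finding from any source is the trigger for the incident-investigation step ("How did the problem occur?") rather than something to file away.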
Q6: What Is Necessary for Disaster Preparedness?
• Disaster: substantial loss of infrastructure caused by acts of nature, crime, or terrorism
• Appropriate location
  - Avoid places prone to floods, earthquakes, tornadoes, hurricanes, avalanches, car/truck accidents
  - Not in unobtrusive buildings, basements, backrooms, physical perimeter
  - Fire-resistant buildings
Q6: What Is Necessary for Disaster Preparedness? (cont’d)
• Backup processing centers in a geographically removed site
• Create backups for critical resources
• Contract with a “hot site” or “cold site” provider
  - Hot site provides all equipment needed to continue operations there
  - Cold site provides space, but you set up and install the equipment
  - www.ragingwire.com/managed_services?=recovery
• Periodically train and rehearse cutover of operations
Q7: How Should Organizations Respond to Security Incidents?
How Does the Knowledge in This Chapter Help Fox Lake and You?
• Knowledge in Chapter 11 and Chapter 12 could help Jeff and Mike better protect the Fox Lake computing infrastructure.
• Mike would have known to protect his passwords better.
• They would have known the dangers of having someone like Jason producing reports for Anne.
• If you work in a small business, take the Fox Lake example to heart. Remembering these problems, you can do a better job of protecting your computing assets.
Case Study 12: The ChoicePoint Attack
• ChoicePoint provides motor vehicle reports, claim histories, and similar data to the automobile insurance industry, general business, and government agencies. It offers data for volunteer and job-applicant screening and data to assist in locating missing children.
• ChoicePoint has over 4,000 employees, and its 2007 revenue was $982 million.
• ChoicePoint was the victim of a spoofing attack in which unauthorized individuals posed as legitimate customers and obtained personal data on more than 145,000 individuals.
• An example of an authentication failure, not a network break-in.
ChoicePoint Attack (cont’d)
• If ChoicePoint had quietly shut down data access for the illegitimate businesses, no one would have known. However . . .
• 145,000 customers whose identities were compromised would have been unknowing victims of identity theft, but the thefts could have been tracked back to ChoicePoint.
ChoicePoint Attack (cont’d)
• Firewalls and other safeguards were not overcome.
• Criminals spoofed legitimate businesses by obtaining valid California business licenses.
• Undetected for months, until unusual processing activity was noticed.
• ChoicePoint contacted police and cooperated in the attempt to apprehend the criminals.
• Resulted in a public relations nightmare, considerable expense, a class-action lawsuit, a Senate investigation, and a 20% drop in share price.