Information Security Management Chapter 10. 10-2 “But How Do You Implement That Security?”...


Information Security Management

Chapter 10


10-2

“But How Do You Implement That Security?”

Copyright © 2016 Pearson Education, Inc.

• Video conference with potential PRIDE promoter and advertiser, San Diego Sports

• PRIDE originally designed to store medical data.

• SDS wants to know if PRIDE systems provide acceptable level of security.

• Doesn’t want to be affiliated with company with major security problem.

• Criminals now focus attacks on inter-organizational systems.


10-3

PRIDE Design for Security


10-4

Study Questions

Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2025?

10-5

Q1: What Is the Goal of Information Systems Security?


10-6

Examples of Threat/Loss



10-7

What Are the Sources of Threats?



10-8

What Types of Security Loss Exist?


• Unauthorized Data Disclosure

• Pretexting

• Phishing

• Spoofing
– IP spoofing
– Email spoofing

• Drive-by sniffers
– Wardrivers

• Hacking

• Natural disasters


10-9

Incorrect Data Modification


• Procedures incorrectly designed or not followed

• Increasing a customer’s discount or incorrectly modifying employee’s salary

• Placing incorrect data on company Web site

• Improper internal controls on systems

• System errors

• Faulty recovery actions after a disaster


10-10

Faulty Service


• Incorrect data modification

• Systems working incorrectly

• Procedural mistakes

• Programming errors

• IT installation errors

• Usurpation

• Denial of service (unintentional)

• Denial-of-service attacks (intentional)


10-11

Loss of Infrastructure


• Human accidents

• Theft and terrorist events

• Disgruntled or terminated employee

• Natural disasters

• Advanced Persistent Threat (APT)
– Sophisticated, possibly long-running computer hack perpetrated by large, well-funded organizations

10-12

Goal of Information Systems Security

• Find appropriate trade-off between risk of loss and cost of implementing safeguards

• Use antivirus software

• Deleting browser cookies?

• Get in front of security problem by making appropriate trade-offs for your life and your business

10-13

Q2: How Big Is the Computer Security Problem?

Computer Crime Costs per Organizational Respondent

10-14

Average Computer Crime Cost and Percent of Attacks by Type (5 Most Expensive Types)

10-15

Computer Crime Costs

10-16

Ponemon Study Findings (2013)

• No one knows exact cost of computer crime

• Cost of computer crime based on surveys

• Data loss single most expensive consequence of computer crime, accounting for 44% of costs in 2013

• 80% of respondents believe data on mobile devices poses significant risks.

10-17

Ponemon 2013 Studies Summary

• Median cost of computer crime increasing

• Malicious insiders increasingly serious security threat

• Data loss is principal cost of computer crime

• Survey respondents believe mobile device data a significant security threat

• Security safeguards work

• Ponemon Study 2014

10-18

Q3: How Should You Respond to Security Threats?

Personal Security Safeguards

10-19

So What? The Latest from Black Hat

• Annual security conference caters to hackers, security professionals, corporations, and government entities

• Briefings on how things can be hacked

• Show how to exploit weaknesses in hardware, software, protocols, or systems from smartphones to ATMs

• Encourage companies to fix product vulnerabilities and serve as educational forum for hackers, developers, manufacturers, and government agencies

10-20

Q4: How Should Organizations Respond to Security Threats?

10-21

Security Policy Should Stipulate

• What sensitive data the organization will store

• How it will process that data

• Whether data will be shared with other organizations

• How employees and others can obtain copies of data stored about them

• How employees and others can request changes to inaccurate data

• What employees can do with their own mobile devices at work

As a new hire, seek out your employer’s security policy.


10-22

Ethics Guide: Securing Privacy


“The best way to solve a problem is not to have it.”
– Resist providing sensitive data
– Don’t collect data you don’t need

• Gramm-Leach-Bliley (GLB) Act, 1999

• Privacy Act of 1974

• Health Insurance Portability and Accountability Act (HIPAA), 1996

• Australian Privacy Act of 1988
– Government, healthcare data, records maintained by businesses with revenues in excess of AU$3 million.

10-23

Ethics Guide: Securing Privacy: Wrap Up

• Business professionals have a responsibility to consider legality, ethics, and wisdom when they request, store, or disseminate data

• Think carefully about email you open over public, wireless networks

• Use long, strong passwords

10-24

Q5: How Can Technical Safeguards Protect Against Security Threats?


10-25

Essence of https (SSL or TLS)



10-26

Use of Multiple Firewalls



10-27

Malware Protection


1. Antivirus and antispyware programs

2. Scan frequently

3. Update malware definitions

4. Open email attachments only from known sources

5. Install software updates

6. Browse only reputable Internet neighborhoods


10-28

Malware Types and Spyware and Adware Symptoms


• Viruses

• Payload

• Trojan horses

• Worms

• Beacons


10-29

Design for Secure Applications


• SQL injection attack
– User enters SQL statement into a form instead of a name or other data
– Accepted code becomes part of database commands issued
– Improper data disclosure, data damage and loss possible
– Well-designed applications make injections ineffective
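The slide's point is that the flaw lies in how the application builds its database command, not in the database. The following is an added example (not code from the textbook) that shows the defect beside the fix using Python's built-in sqlite3 module; the customers table, the names in it and the discount values are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build an in-memory customer table (constructed sample data, not from the text)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, discount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customers (name, discount) VALUES (?, ?)",
        [("Alice", 5), ("Bob", 10), ("Carol", 0), ("O'Brien", 15)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The flaw the slide describes: the form value is pasted into the SQL text,
    so whatever the user typed becomes part of the command the database runs."""
    sql = "SELECT name, discount FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the driver sends the value separately from the SQL,
    so it can only ever be compared as data, never executed as a command."""
    sql = "SELECT name, discount FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on an honest name, a textbook tautology in the form field,
    and a name that legitimately contains an apostrophe; returns the outcomes."""
    conn = make_db()
    tautology = "' OR '1'='1"  # the kind of SQL fragment the slide has a user typing into a form
    results = {
        "honest_vulnerable": lookup_vulnerable(conn, "Alice"),
        "honest_safe": lookup_safe(conn, "Alice"),
        # The pasted quote closes the string literal and the OR makes the filter
        # always true, so every customer row is disclosed.
        "tautology_vulnerable": lookup_vulnerable(conn, tautology),
        # The same text is simply a (non-matching) customer name when bound as a parameter.
        "tautology_safe": lookup_safe(conn, tautology),
        "apostrophe_safe": lookup_safe(conn, "O'Brien"),
    }
    try:
        lookup_vulnerable(conn, "O'Brien")
        results["apostrophe_vulnerable"] = "no error"
    except sqlite3.OperationalError:
        # The unescaped quote breaks the statement: the same defect is a plain bug
        # for honest input, which is one reason string-building is never the fix.
        results["apostrophe_vulnerable"] = "syntax error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized form is what "well-designed applications make injections ineffective" means in practice: the database receives the query shape and the user's value through separate channels, so no value can change the shape. The apostrophe case shows that the fix also removes a correctness bug, which makes it easier to argue for in a code review.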


10-30

Q6: How Can Data Safeguards Protect Against Security Threats?



10-31

Q7: How Can Human Safeguards Protect Against Security Threats?



10-32

Q7: How Can Human Safeguards Protect Against Security Threats? (cont'd)



10-33

Account Administration


• Account Management
– Standards for new user accounts, modification of account permissions, removal of unneeded accounts

• Password Management
– Users should change passwords frequently

• Help Desk Policies
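Account standards only help if someone checks accounts against them. As an added example (not from the textbook), the script below audits a small account inventory for the three account-management concerns on this slide plus the password-age rule: accounts whose owner HR lists as terminated, accounts nobody has logged into recently, group memberships outside what the role standard allows, and passwords older than the policy age. The role standard, group names, user records and dates are all constructed for the demonstration.

```python
from datetime import date

# Constructed role standard: the groups each job role is allowed to hold (hypothetical names).
ROLE_STANDARD = {
    "analyst": {"staff", "reporting"},
    "dba": {"staff", "db-admin"},
    "contractor": {"staff"},
}

# Constructed account inventory, shaped like a directory export joined with HR status.
ACCOUNTS = [
    {"user": "alice", "role": "analyst", "enabled": True, "hr_status": "active",
     "groups": {"staff", "reporting"},
     "last_login": date(2016, 3, 1), "pw_changed": date(2016, 2, 1)},
    {"user": "bob", "role": "dba", "enabled": True, "hr_status": "active",
     "groups": {"staff", "db-admin", "domain-admins"},
     "last_login": date(2016, 3, 30), "pw_changed": date(2015, 12, 1)},
    {"user": "carol", "role": "contractor", "enabled": True, "hr_status": "terminated",
     "groups": {"staff"},
     "last_login": date(2015, 11, 15), "pw_changed": date(2015, 11, 1)},
    {"user": "dave", "role": "analyst", "enabled": False, "hr_status": "terminated",
     "groups": {"staff", "reporting"},
     "last_login": date(2015, 6, 1), "pw_changed": date(2015, 5, 1)},
]


def audit_account(acct, today, max_idle_days=90, max_pw_age_days=90):
    """Return the list of policy findings for one account (empty list means compliant)."""
    findings = []
    # Removal of unneeded accounts: HR says the person has left, the account is still live.
    if acct["hr_status"] == "terminated" and acct["enabled"]:
        findings.append("remove: owner terminated but account still enabled")
    # Dormant accounts are also unneeded accounts; only enabled ones matter.
    idle_days = (today - acct["last_login"]).days
    if acct["enabled"] and idle_days > max_idle_days:
        findings.append(f"disable: no login for {idle_days} days")
    # Modification of permissions: anything beyond the role standard needs a reason.
    extra = acct["groups"] - ROLE_STANDARD.get(acct["role"], set())
    if extra:
        findings.append(f"permissions: groups outside role standard: {sorted(extra)}")
    # Password management: flag passwords older than the policy allows.
    pw_age = (today - acct["pw_changed"]).days
    if acct["enabled"] and pw_age > max_pw_age_days:
        findings.append(f"password: last changed {pw_age} days ago")
    return findings


def audit_all(accounts, today):
    """Map each non-compliant user name to its findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct["user"]] = findings
    return report


def run_audit(today_iso="2016-04-01"):
    """Run the audit against the constructed inventory as of the given ISO date."""
    return audit_all(ACCOUNTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, findings in run_audit().items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

Running the audit as of 2016-04-01 flags bob (a group outside the DBA standard and a 122-day-old password) and carol (terminated but still enabled, 138 days idle, stale password); alice is compliant and dave, although terminated, is already disabled. In a real environment the inventory would come from the directory and HR system rather than a literal, but the checks are the same.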


10-34

Sample Account Acknowledgment Form



10-35

Systems Procedures



10-36

Q8: How Should Organizations Respond to Security Incidents?



10-37

Security Wrap Up


• Be aware of threats to computer security as an individual, business professional and employee

• Know trade-offs of loss risks and cost of safeguards

• Ways to protect your computing devices and data

• Understand technical, data, and human safeguards

• Understand how organizations should respond to security incidents


10-38

Q9: 2025


• APTs more common, inflicting serious damage

• Continued concern about balance of national security and data privacy

• Computer crimes targeting mobile devices lead to improved operating system security

• Improved security procedures and employee training

• Criminals focus on less protected mid-sized and smaller organizations, and individuals

• Electronic lawlessness by organized gangs

• Strong local “electronic” sheriffs electronic border and enforce existing laws?


10-39

Guide: A Look through NSA’s PRISM


• Nine of the largest Internet services (Google, Microsoft, Yahoo!, Facebook, PalTalk, YouTube, Skype, AOL, and Apple) participate in PRISM program

• Dates when PRISM began collecting data from each of these services

• Types of data collected include email, videos, photos, video and voice chat, file transfers, VoIP, stored data, videoconferencing, login activity, social networking activity, and something called “special requests”

• How information flows from around the world could be collected

• How data flowed from service provider to NSA, CIA, or FBI

• http://www.wired.com/2013/06/snowden-powerpoint/#slideid-522485

10-40

Trade Offs

• Social trade-off
– “I prefer dangerous freedom over peaceful slavery.”
– "Freedom is Slavery" (G. Orwell, 1984)

• Organizations struggle with security
– Users frustrated with stringent password policies
– Firewalls block users from remotely accessing certain resources
– Managers can’t access certain data without special permission

10-41

Wrap Up

1. Understand inherent trade-off between security and freedom

2. Understand reach of government surveillance systems

3. Understand ethical considerations surrounding spying and monitoring

10-42

Guide: Phishing for Credit Cards, Identifying Numbers, Bank Accounts

• Phishing scams commonplace

• Target Corporation lost about 98 million user accounts to hackers in late 2013

– Attackers gained access to Target via a third-party vendor's credentials

• Examples of phishing scams at PhishTank.com and ConsumerFraudReporting.org

10-43

Wrap Up

1. Phishing scams are popular and becoming more targeted.

2. You need to be able to identify and avoid phishing scams.
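Recognizing a phishing link comes down to a few concrete checks on the links in a message: does the visible text name one domain while the href points to another, is the host a bare IP address, is it a one-character lookalike of a domain you trust, or is a trusted name buried as a subdomain of something else. The following is an added example (not from the textbook) that runs those checks over a constructed HTML message body; the trusted domain `examplebank.com`, the lookalike and subdomain hosts, and the 192.0.2.10 documentation address are all made up for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation actually uses.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample message body (not from the textbook): one honest link
# followed by three of the link tricks common in credential-phishing mail.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your account details.</p>
<a href="https://examplebank.com/login">examplebank.com</a>
<a href="https://examp1ebank.com/login">https://examplebank.com/login</a>
<a href="http://examplebank.com.verify-now.net/login">Verify now</a>
<a href="http://192.0.2.10/login">Secure login</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess (last two labels); production code should
    consult the public suffix list instead of this shortcut."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text):
    """Return the list of warning signs for one anchor (empty list means nothing suspicious)."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address as host")
    # Visible text that looks like a domain while the href goes somewhere else.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable(shown.group(1)) != registrable(host):
        findings.append(f"display text names {shown.group(1)} but link goes to {host}")
    reg = registrable(host)
    for trusted in TRUSTED_DOMAINS:
        if reg == trusted:
            continue
        if edit_distance(reg, trusted) <= 2:
            findings.append(f"{reg} is a lookalike of {trusted}")
        if host.startswith(trusted + "."):
            findings.append(f"{trusted} appears as a subdomain of {reg}")
    return findings


def scan_email(html):
    """Map each suspicious href in the message to its findings."""
    parser = _LinkCollector()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for finding in findings:
            print("  -", finding)
```

On the sample message the honest link produces no findings, the lookalike link is flagged twice (text/href mismatch and a one-character edit from the trusted name), the subdomain trick and the bare IP address are each flagged once. These are the same checks a user is taught to make by hovering over a link; running them in a mail gateway or a reporting tool simply makes them consistent.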

10-44

Active Review

Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2025?


10-45

Case 10: Hitting the Target


• Lost 40 million credit and debit card numbers to attackers

• Less than a month later Target announced an additional 70 million customer accounts stolen that included names, emails, addresses, phone numbers, and so on

• About 98 million customers were affected
– 31% of 318 million people in US

• Stolen from point-of-sale (POS) systems at Target retail stores during the holiday shopping season

10-46

How Did They Do It?

Spearphished malware to gather keystrokes, login credentials, and screenshots from Fazio users

Attackers escalated privileges to gain access to Target’s internal network

Trojan.POSRAM extracted data from POS terminals

10-47

Damage

• Attackers sold about 2 million credit cards for about $26.85 each for a total profit of $53.7 million

• Target forced to take a loss on merchandise purchased using stolen credit cards

• Upgraded payment terminals to support chip-and-PIN enabled cards, increased insurance premiums, paid legal fees, settled with credit card processors, paid consumer credit monitoring, and paid regulatory fines

10-48

Damage (cont'd)

• Target loss of customer confidence and drop in revenues (46% loss for quarter).

• Analysts put direct loss to Target as high as $450 million

• CIO resigned, CEO paid $16 million to leave

• Cost credit unions and banks more than $200 million to issue new cards

• Insurers demand higher premiums, stricter controls, and more system auditing

• Consumers must watch their credit card statements, and fill out paperwork if fraudulent charges appear
