Information Security
Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one.
Compare and contrast human mistakes and social engineering, and provide a specific example of each one.
Discuss the 10 types of deliberate attacks.
Define the three risk mitigation strategies, and provide an example of each one in the context of owning a home.
Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.
[ LEARNING OBJECTIVES]
Introduction to Information Security
Unintentional Threats to Information Systems
Deliberate Threats to Information Systems
What Organizations Are Doing to Protect Information Resources
Information Security Controls
[ CHAPTER OUTLINE ]
Student PowerPoints for note taking
WileyPLUS Learning Space
E-Book
Author video lecture for each chapter section
Practice quizzes
Flash Cards for vocabulary review
Additional “What’s in IT for Me?” cases
Video interviews with managers
Lab Manuals - Microsoft Office 2010 & 2013
[ WEB RESOURCES]
[ Opening Case Sony Pictures Entertainment Hack]
The Problem
The Law Enforcement Response
The Sony Response
The Results
What We Learned From This Case
Questions
1. Was Sony’s response to the breach adequate? Why or why not?
2. Should the U.S. government help private organizations that are attacked (or allegedly attacked) by foreign governments? Why or why not?
Introduction to Information Security
4.1
Security
Information Security
Threat
Exposure
Vulnerability
Security: the degree of protection against criminal activity, danger, damage, and/or loss.
Information Security: all of the processes and policies designed to protect an organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.
Threat (to an information resource): any danger to which a system may be exposed.
Exposure: the harm, loss, or damage that can result if a threat compromises an information resource.
Vulnerability (of an information resource): the possibility that the system will be harmed by a threat; in practice, a weakness in the resource or in its controls that a threat could exploit.
Introduction to Information Security
Five Factors Contributing to Vulnerability
Today’s interconnected, interdependent, wirelessly networked business environment
Smaller, faster, cheaper computers & storage devices
Decreasing skills necessary to be a computer hacker
International organized crime taking over cybercrime
Lack of management support
Unintentional Threats to Information Systems
4.2
Human Errors
Social Engineering
Unintentional Threats: acts performed without malicious intent that nevertheless represent a serious threat to information security.
FIGURE 4.1: Security Threats
Human Errors
Higher level employees + greater access privileges = greater threat
Two areas pose significant threats
Human Resources
Information Systems
Other areas of threats:
Contract Labor, consultants, janitors, & guards
Human Errors
Common Human Error
Carelessness with Laptops
Carelessness with Computing Devices
Opening Questionable E-mail
Careless Internet Surfing
Poor Password Selection and Use
Carelessness with laptops: Losing or misplacing laptops, leaving them in taxis, and so on.
Carelessness with computing devices: Losing or misplacing these devices, or using them carelessly so that malware is introduced into an organization’s network.
Opening questionable e-mails: Opening e-mails from someone unknown, or clicking on links embedded in e-mails (see phishing attack in Table 4.2).
Careless Internet surfing: Accessing questionable Web sites; can result in malware and/or alien software being introduced into the organization’s network.
Poor password selection and use: Choosing and using weak passwords (see strong passwords in the “Authentication” section later in this chapter).
Human Errors
Common Human Error
Carelessness with One’s Office
Carelessness Using Unmanaged Devices
Carelessness with Discarded Equipment
Careless Monitoring of Environmental Hazards
Carelessness with one’s office: Leaving desks and filing cabinets unlocked when employees go home at night; not logging off the company network when leaving the office for any extended period of time.
Carelessness using unmanaged devices: Unmanaged devices are those outside the control of an organization’s IT department and company security procedures. These devices include computers belonging to customers and business partners, computers in the business centers of hotels, and so on.
Carelessness with discarded equipment: Discarding old computer hardware and devices without completely wiping the memory; includes computers, smartphones, BlackBerry® units, and digital copiers and printers.
Careless monitoring of environmental hazards: These hazards, which include dirt, dust, humidity, and static electricity, are harmful to the operation of computing equipment.
The Heartbleed Bug
4.1
[about business]
What are two lessons we can learn from the Heartbleed bug?
What actions should you (personally) take to combat the Heartbleed bug?
Social Engineering
Social Engineering:
an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords.
Example:
Kevin Mitnick, the world-famous hacker and former FBI most-wanted fugitive, who obtained much of his access by talking employees into revealing passwords and internal information rather than by technical exploits.
Deliberate Threats to Information Systems
4.3
Espionage or Trespass
Information Extortion
Sabotage or Vandalism
Theft of Equipment or Information
Identity Theft
Compromises to Intellectual Property
Espionage or Trespass: occurs when an unauthorized individual attempts to gain illegal access to organizational information.
Information Extortion: occurs when an attacker either threatens to steal, or actually steals, information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.
Sabotage and Vandalism: deliberate acts that involve defacing an organization’s Web site, potentially damaging the organization’s image and causing its customers to lose faith.
Theft of Equipment or Information: computing and storage devices are becoming smaller yet more powerful, with vastly increased storage capacity. As a result, they are easier to steal, and attackers can use a single stolen device to carry off large amounts of information.
Dumpster Diving: rummaging through commercial or residential trash to find discarded information.
Identity Theft: is the deliberate assumption of another person’s identity, usually to gain access to his or her financial information or to frame him or her for a crime.
Compromises to Intellectual Property:
Trade Secret: an intellectual work, such as a business plan, that is a company secret and is not based on public information.
Patent: an official document that grants the holder exclusive rights on an invention or a process for a specified period of time.
Copyright: a statutory grant that provides the creators or owners of intellectual property with ownership of the property, also for a designated period.
Intellectual Property: the property created by individuals or corporations that is protected under trade secret, patent, and copyright laws.
Deliberate Threats to Information Systems
4.3
Software Attacks
Alien Software
Supervisory Control and Data Acquisition (SCADA) Attacks
Cyberterrorism and Cyberwarfare
7. Software Attacks: attacks that use malicious software to damage, disrupt, or gain unauthorized access to information systems. The chapter groups them into remote attacks that require user action, remote attacks that need no user action, and attacks planted by a programmer while developing a system.
8. Alien Software: clandestine software that is installed on your computer through duplicitous methods.
9. Supervisory Control and Data Acquisition (SCADA) Attacks: SCADA refers to a large-scale, distributed measurement and control system used to monitor or control chemical, physical, and transport processes such as those in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants. A SCADA attack compromises such a system, so its consequences can be physical rather than merely informational.
10. Cyberterrorism and Cyberwarfare: malicious acts in which attackers use a target’s computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, often to carry out a political agenda.
Software Attacks
Remote Attacks Requiring User Action
Virus
Worm
Phishing Attack
Spear Phishing Attack
(1) Remote Attacks Requiring User Action
Virus: Segment of computer code that performs malicious actions by attaching to another computer program.
Worm: Segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program).
Phishing Attack: Phishing attacks use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.
Spear Phishing: ordinary phishing attacks target large groups of people. In spear phishing attacks, the perpetrators first gather as much information as possible about a specific individual (job role, colleagues, current projects) so that the fraudulent message is convincing, which improves their chances of obtaining sensitive personal information.
Software Attacks
Remote Attacks Needing No User Action
Denial of Service Attack
Distributed Denial of Service Attack
(2) Remote Attacks Needing No User Action
Denial-of-Service Attack: an attacker sends so many information requests to a target computer system that the target cannot handle them; legitimate users can no longer be served, and the target often slows to a halt or crashes.
Distributed Denial-of-Service Attack: an attacker first takes over many computers, typically by using malicious software. These compromised computers are called zombies or bots, and together they form a botnet. The attacker uses the botnet to deliver a coordinated stream of requests to the target from many sources at once, which makes the flood both larger and harder to stop by blocking a single address.
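The distinction above (one flooding source versus many low-rate sources) is exactly what a defender looks for in server logs. The following is an added example, not code from the chapter: it buckets web-server log lines into fixed time windows and labels each window as normal, DoS or DDoS. The log line format, the window size, the thresholds and all of the traffic are assumptions constructed for the demonstration.

```python
"""Rate-based detection of single-source (DoS) versus distributed (DDoS) floods.

Added example, not from the chapter. The log line format
("<ISO timestamp> <source IP> <method> <path>"), the window size and the
thresholds are assumptions; all traffic below is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"
T0 = datetime(2024, 1, 1, 12, 0, 0)


def make_traffic(sources: dict, span_seconds: int = 10, start: datetime = T0) -> list:
    """Construct log lines: each source IP sends `count` requests spread over the span."""
    lines = []
    for ip, count in sources.items():
        for i in range(count):
            ts = start + timedelta(seconds=i * span_seconds / count)
            lines.append(f"{ts.strftime(LOG_FORMAT)} {ip} GET /login")
    return sorted(lines)


def scenario(kind: str) -> list:
    """Constructed traffic: a few ordinary users plus, optionally, an attacker or a botnet."""
    users = {f"192.0.2.{i}": 4 for i in range(1, 6)}               # 20 legitimate requests
    if kind == "dos":
        users["203.0.113.9"] = 300                                  # one host floods
    elif kind == "ddos":
        users.update({f"198.51.100.{i}": 2 for i in range(1, 151)})  # 150 bots, 2 hits each
    return make_traffic(users)


def requests_per_window(lines: list, window_seconds: int = 10) -> dict:
    """Bucket log lines into fixed windows: {window index: Counter(source ip -> hits)}."""
    windows = {}
    first = None
    for line in lines:
        ts_text, ip, *_ = line.split()
        ts = datetime.strptime(ts_text, LOG_FORMAT)
        first = first or ts
        idx = int((ts - first).total_seconds()) // window_seconds
        windows.setdefault(idx, Counter())[ip] += 1
    return windows


def classify_window(hits: Counter, total_threshold: int = 100, dominant_share: float = 0.5) -> str:
    """Flood if total volume exceeds the threshold; DoS if one source dominates, else DDoS."""
    total = sum(hits.values())
    if total < total_threshold:
        return "normal"
    _, top_hits = hits.most_common(1)[0]
    if top_hits / total >= dominant_share:
        return "dos"    # a single address: rate-limit or block that source
    return "ddos"       # many low-rate sources: per-IP blocking will not help


def detect(lines: list) -> dict:
    """Classify every window of a log; returns {window index: label}."""
    return {idx: classify_window(hits) for idx, hits in requests_per_window(lines).items()}


if __name__ == "__main__":
    for kind in ("normal", "dos", "ddos"):
        print(kind, detect(scenario(kind)))
```

The per-source share is the important signal: in the DDoS scenario no single bot exceeds an ordinary user's rate, so a per-IP limit never triggers and the defence has to act on aggregate volume instead.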
Software Attacks
Attacks by a Programmer Developing a System
Trojan Horse
Back Door
Logic Bomb
(3) Attacks by a Programmer Developing a System
Trojan Horse: Software programs that hide in other computer programs and reveal their designed behavior only when they are activated.
Back Door: a hidden way into a computer system, typically a password or account known only to the attacker, that allows him or her to access the system at will without going through the normal security procedures (also called a trap door).
Logic bomb: A segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time or date.
Shodan: Good Tool or Bad Tool?
4.2
[about business]
Is Shodan more useful for hackers or for security defenders? Provide specific examples to support your choice.
What impact should Shodan have on the manufacturers of devices that connect to the Internet?
As an increasingly large number of devices are connected to the Internet, what will Shodan’s impact be? Provide examples to support your answer.
Explain how Shodan can be used to conduct a SCADA attack.
Alien Software
Adware
Spyware
Keyloggers
Spamware
Cookies
Tracking cookies
Alien Software: clandestine software that is installed on your computer through duplicitous methods.
Adware: software that causes pop-up advertisements to appear on your screen.
Spyware: software that collects personal information about users without their consent. Two common types of spyware are keystroke loggers and screen scrapers.
Spamware: pestware that uses your computer as a launch pad for spammers.
Spam: unsolicited e-mail, usually advertising for products and services
Cookies: small amounts of information that Web sites store on your computer, temporarily or more or less permanently. Tracking cookies are used to record your path through a Web site, the time you spend there, and the links you click, often to build an advertising profile across sites.
What Organizations Are Doing to Protect Information Resources
4.4
Risk
Risk Analysis
Risk Mitigation
Risk: the probability that a threat will impact an information resource.
Risk Management: the process that identifies, controls, and minimizes the impact of threats; in other words, it seeks to reduce risk to acceptable levels. It consists of three processes:
risk analysis
risk mitigation
controls evaluation
Risk Analysis: ensures that IS security programs are cost effective. It has three steps:
assessing the value of each asset being protected
estimating the probability that each asset will be compromised
comparing the probable costs of the asset’s being compromised with the costs of protecting that asset
Risk Mitigation: the organization takes concrete actions against the risks identified in the analysis. Mitigation has two functions:
implementing controls to prevent identified threats from occurring
developing a means of recovery if the threat becomes a reality
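The three steps of risk analysis are usually carried out as a loss-expectancy calculation, and the comparison in the third step is what drives the mitigation decision. The following is an added example, not from the chapter: it values each asset, estimates the expected yearly loss, compares that with the cost of a control, and returns one of the three mitigation strategies. The asset values, exposure factors, annual rates, control costs and the loss-appetite threshold are all constructed for illustration.

```python
"""Worked risk analysis and mitigation decision.

Added example, not from the chapter. Asset values, exposure factors, annual
rates and control costs below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float              # step 1: value of the asset being protected (USD)
    exposure_factor: float    # fraction of the value lost in one compromise (0..1)
    annual_rate: float        # step 2: expected compromises per year
    control_cost: float       # step 3: yearly cost of the control that would limit the risk
    control_reduction: float  # fraction of the expected loss that control removes (0..1)


def single_loss_expectancy(asset: Asset) -> float:
    """Loss from one compromise: asset value x exposure factor."""
    return asset.value * asset.exposure_factor


def annualized_loss_expectancy(asset: Asset) -> float:
    """Probable yearly cost of the asset being compromised, with no controls in place."""
    return single_loss_expectancy(asset) * asset.annual_rate


def recommend(asset: Asset, max_tolerable_loss: float = 25_000.0) -> str:
    """Pick a mitigation strategy by comparing cost of compromise with cost of protection.

    - risk limitation: the control removes more expected loss per year than it costs.
    - risk transference: the control is not worth its cost, but one compromise would
      exceed what the organization can absorb, so the risk is insured instead.
    - risk acceptance: otherwise; absorb the occasional loss.
    max_tolerable_loss is an assumed appetite threshold that management would set.
    """
    avoided_loss = annualized_loss_expectancy(asset) * asset.control_reduction
    if avoided_loss >= asset.control_cost:
        return "risk limitation"
    if single_loss_expectancy(asset) > max_tolerable_loss:
        return "risk transference"
    return "risk acceptance"


# Constructed portfolio of assets (illustrative figures only).
ASSETS = [
    Asset("customer database", 2_000_000, 0.5, 0.2, 50_000, 0.9),
    Asset("lobby kiosk PC", 3_000, 1.0, 0.5, 5_000, 0.8),
    Asset("data center building (fire)", 5_000_000, 0.8, 0.01, 120_000, 0.5),
]


def analyze(assets=ASSETS) -> dict:
    """Run the three steps for every asset and return the figures behind each decision."""
    return {
        a.name: {
            "sle": single_loss_expectancy(a),
            "ale": annualized_loss_expectancy(a),
            "control_cost": a.control_cost,
            "strategy": recommend(a),
        }
        for a in assets
    }


if __name__ == "__main__":
    for name, row in analyze().items():
        print(f"{name:30s} SLE={row['sle']:>12,.0f} ALE={row['ale']:>10,.0f} "
              f"control={row['control_cost']:>9,.0f} -> {row['strategy']}")
```

The third asset shows why the expected-loss comparison alone is not enough: a fire is rare enough that the annual figure is small, yet a single occurrence would be ruinous, which is the case for transferring the risk rather than accepting it.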
Catching a Hacker
4.3
[about business]
Why did the FBI need to “argue with law enforcement officials in various countries”?
Describe the difficulties that investigators encounter in bringing cybercriminals to justice.
Risk Mitigation
Risk Acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur (home example: going without flood insurance in a low-risk area and paying for any damage yourself).
Risk Limitation: implement controls that minimize the impact of the threat (home example: installing smoke detectors, deadbolts, and a burglar alarm).
Risk Transference: transfer the risk by using other means to compensate for the loss, such as purchasing insurance (home example: buying a homeowner’s policy that pays for fire or theft damage).
Information Security Controls
4.5
Physical Controls
Access Controls
Communication Controls
Business Continuity Planning
Information Systems Auditing
Physical Controls: prevent unauthorized individuals from gaining access to a company’s facilities. Common physical controls include walls, doors, fencing, gates, locks, badges, guards, and alarm systems.
Access Controls: restrict unauthorized individuals from using information resources and involve two major functions: authentication and authorization.
Communication Controls (also called network controls): secure the movement of data across networks and consist of firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks (VPNs), Secure Sockets Layer (SSL; in current practice its successor, Transport Layer Security or TLS), and employee monitoring systems.
Business Continuity: the chain of events linking planning to protection and to recovery.
Business Continuity Plan: purpose is to provide guidance to people who keep the business operating after a disaster occurs.
Physical Controls
Prevent unauthorized individuals from gaining access to a company’s facilities.
Walls
Doors
Fencing
Gates
Locks
Badges
Guards
Alarm systems
FIGURE 4.2 Where defense mechanisms are located.
Access Controls
Authentication
Authorization
Access Controls: restrict unauthorized individuals from using information resources and involve two major functions: authentication and authorization.
Authentication: confirms the identity of the person requiring access.
Authorization: determines which actions, rights, or privileges the person has, based on his or her verified identity.
Authentication:
Something the user is: also known as biometrics, is an authentication method that examines a person’s innate physical characteristics (e.g., fingerprint scans, palm scans, retina scans, iris recognition, and facial recognition).
Something the user has: is an authentication mechanism that includes regular identification (ID) cards, smart ID cards, and tokens.
Something the user does: is an authentication mechanism that includes voice and signature recognition.
Something the user knows: is an authentication mechanism that includes passwords and passphrases.
Authentication
Something the user is
Something the user has
Something the user does
Something the user knows
Passwords
Basic Guidelines for Passwords
Passwords should be:
difficult to guess.
long rather than short.
a mix of uppercase letters, lowercase letters, numbers, and special characters.
not recognizable words.
not the name of anything or anyone familiar, such as family names or names of pets.
not a recognizable string of numbers, such as a Social Security number or a birthday.
Attackers try dictionary words, names, and previously leaked passwords before resorting to blind brute force, so length and unpredictability matter more than any single character class, and a password should never be reused across accounts.
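The two access-control functions above (authentication, then authorization from the verified identity) and the password guidelines come together in the following added example, which is not code from the chapter. It checks a candidate password against the guidelines, stores only a salted PBKDF2-HMAC-SHA256 hash, verifies logins in constant time, and decides permissions from the user's role. The minimum length, the iteration count, the small list of common words and familiar names, the role table and the user "alice" are all assumptions made for the demonstration.

```python
"""Authentication (something the user knows) and authorization, as an added example.

Not from the chapter. Assumptions: passwords stored as PBKDF2-HMAC-SHA256 with a
per-user random salt; a role-to-permission table for authorization; the policy
check encodes the chapter's password guidelines with an assumed minimum length
and a small constructed list of common words and familiar names.
"""
import hashlib
import hmac
import re
import secrets

ITERATIONS = 210_000          # PBKDF2 work factor (assumed); raise as hardware gets faster
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "admin")  # constructed list
PERMISSIONS = {               # role -> actions the role may perform (assumed)
    "analyst": {"read_reports"},
    "admin": {"read_reports", "manage_users"},
}
_DUMMY_SALT = bytes(16)       # so unknown users cost the same time as wrong passwords


def check_policy(password: str, familiar_terms=(), min_length: int = 12) -> list:
    """Return the guideline violations for a candidate password (empty list = acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    for label, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                           ("digit", r"[0-9]"), ("special character", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"missing {label}")
    lowered = password.lower()
    for term in COMMON_WORDS + tuple(t.lower() for t in familiar_terms):
        if term in lowered:
            problems.append(f"contains recognizable term {term!r}")
    if re.search(r"\d{6,}", password):
        problems.append("contains a long digit string (birthday/SSN-like)")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Derive a salted hash; a fresh random salt defeats precomputed (rainbow) tables."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(users: dict, username: str, password: str, role: str, familiar_terms=()) -> None:
    """Enforce the policy, then store only salt + hash (never the password itself)."""
    problems = check_policy(password, familiar_terms)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    salt, digest = hash_password(password)
    users[username] = {"salt": salt, "hash": digest, "role": role}


def authenticate(users: dict, username: str, password: str) -> bool:
    """Something the user knows: recompute the hash and compare in constant time."""
    record = users.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)   # same work for unknown users: no timing leak
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def authorize(users: dict, username: str, action: str) -> bool:
    """Authorization is decided from the verified identity's role, never from the request."""
    record = users.get(username)
    return record is not None and action in PERMISSIONS.get(record["role"], set())


def demo() -> dict:
    """Register one analyst (constructed user) and exercise both checks; returns the outcomes."""
    users = {}
    register(users, "alice", "Purple-Tractor-77$Sky", "analyst", familiar_terms=("alice", "rex"))
    return {
        "good_login": authenticate(users, "alice", "Purple-Tractor-77$Sky"),
        "bad_login": authenticate(users, "alice", "purple-tractor-77$sky"),
        "unknown_user": authenticate(users, "nobody", "anything"),
        "can_read": authorize(users, "alice", "read_reports"),
        "can_manage": authorize(users, "alice", "manage_users"),
    }
```

Two details are deliberate: the stored record never contains the password, only a salt and a slow hash, and an unknown username performs the same key derivation as a wrong password so that login timing does not reveal which usernames exist.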
Let’s Kill the Password!
4.4
[about business]
What are the advantages, if any, of any of our FIDO examples over strong passwords?
Examine the strength of the passwords you use. How vulnerable are your passwords to guessing? To brute-force hacking?
Does the security burden fall primarily on the user? On the company that the user is doing business with? On both? Support your answer.
Is it possible to ever have complete security in your online transactions? Why or why not? Explain your answer.
Communication Controls
Firewalls
Anti-malware Systems
Whitelisting and Blacklisting
Encryption
Virtual Private Networking
Secure Socket Layer
Employee Monitoring Systems
Firewall: a system that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company’s network.
Anti-malware Systems (or antivirus software): software packages that attempt to identify and eliminate viruses, worms, and other malicious software.
Whitelisting: a process in which a company identifies the software that it will allow to run on its computers and permits acceptable software to run; it either prevents any other software from running or lets new software run only in a quarantined environment until the company can verify its validity.
Blacklisting: a list of specific software that is not allowed to run in the company environment. A blacklist can only block what is already known to be bad, whereas a whitelist denies everything that has not been explicitly approved.
Encryption: the process of converting an original message into a form that cannot be read by anyone except the intended receiver.
Virtual Private Network: a private network that uses a public network (usually the Internet) to connect users. VPNs essentially integrate the global connectivity of the Internet with the security of a private network and thereby extend the reach of the organization’s networks. VPNs are called virtual because they have no separate physical existence.
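A firewall's behaviour is determined by the order of its rules and by what happens when no rule matches. The following added example, not from the chapter and not any product's rule language, evaluates constructed packets against a first-match rule list with a default-deny policy for a perimeter firewall in front of a DMZ (the two-firewall arrangement of Figure 4.3b). The networks, rules, packets and the MISORDERED variant are assumptions made for the demonstration.

```python
"""First-match packet filter with default deny, run over constructed packets.

Added example; not the chapter's or any product's rule language. Networks,
rules and packets are assumed: a perimeter firewall in front of a DMZ
(192.168.100.0/24) that shields the internal network (10.0.0.0/8).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source network (any by default)
    dst: str = "0.0.0.0/0"        # destination network
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every specified field matches; unspecified fields match anything."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: list, pkt: Packet) -> str:
    """First matching rule decides; anything not explicitly allowed is dropped (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


INTERNAL = "10.0.0.0/8"
DMZ = "192.168.100.0/24"

# Perimeter policy: public web traffic may reach the DMZ, internal admins may
# SSH to the DMZ, nobody else may SSH, and nothing from outside reaches INTERNAL.
RULES = [
    Rule("allow", dst=DMZ, proto="tcp", dport=443),
    Rule("allow", dst=DMZ, proto="tcp", dport=80),
    Rule("allow", src=INTERNAL, dst=DMZ, proto="tcp", dport=22),
    Rule("deny", dst=DMZ, proto="tcp", dport=22),
    Rule("allow", src=INTERNAL, proto="tcp", dport=443),   # outbound browsing
]

# The same rules with the SSH pair swapped: the broad deny now shadows the admin allow.
MISORDERED = [RULES[0], RULES[1], RULES[3], RULES[2], RULES[4]]

# Constructed packets (203.0.113.0/24 stands in for the Internet).
PACKETS = {
    "public web": Packet("203.0.113.7", "192.168.100.10", "tcp", 443),
    "public ssh": Packet("203.0.113.7", "192.168.100.10", "tcp", 22),
    "admin ssh": Packet("10.1.2.3", "192.168.100.10", "tcp", 22),
    "inbound smb": Packet("203.0.113.7", "10.1.2.3", "tcp", 445),
    "outbound https": Packet("10.1.2.3", "203.0.113.50", "tcp", 443),
    "dmz to internal": Packet("192.168.100.10", "10.1.2.3", "tcp", 3306),
}


def decisions(rules: list = RULES) -> dict:
    """Evaluate every sample packet against a rule set."""
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:16s} {verdict}")
    print("admin ssh with misordered rules:", decisions(MISORDERED)["admin ssh"])
```

The "inbound smb" and "dmz to internal" packets are dropped without any rule naming them, which is the point of default deny; and the MISORDERED list shows the classic rule-ordering mistake, where a general deny placed before a specific allow silently cuts off the administrators it was never meant to block.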
FIGURE 4.3 (a) Basic firewall for home computer. (b) Organization with two firewalls and demilitarized zone.
FIGURE 4.4 How public key encryption works. (Omnisec AG.)
FIGURE 4.5 How digital certificates work. Sony and Dell, business partners, use a digital certificate from VeriSign for authentication.
FIGURE 4.6 Virtual private network (VPN) and tunneling.
Business Continuity Planning
Disaster Recovery Plan
Hot Site
Cold Site
Recovery-site strategies in a business continuity plan include:
Hot Site: a fully configured computer facility with all of the company’s services, communications links, and physical plant operations. A hot site duplicates computing resources, peripherals, telephone systems, applications, and workstations. Hot sites reduce risk to the greatest extent, but they are the most expensive option.
Warm Site: provides many of the same services and options as a hot site, but typically does not include the actual applications the company needs. A warm site includes computing equipment such as servers, but often not user workstations.
Cold Site: provides only rudimentary services and facilities, such as a building or a room with heating, air conditioning, and humidity control, but no computer hardware or user workstations. Cold sites reduce risk the least, but they are the least expensive option.
Information Systems Auditing
Types of Auditors and Audits
How is Auditing Executed?
Two Types of Auditors and Audits:
Internal: IS auditing is usually a part of accounting internal auditing, and it is frequently performed by corporate internal auditors.
External: An external auditor reviews the findings of the internal audit as well as the inputs, processing, and outputs of information systems. The external audit of information systems is frequently a part of the overall external auditing performed by a certified public accounting (CPA) firm.
How Is Auditing Executed? IS auditing procedures fall into three categories: (1) auditing around the computer: verifying processing by checking for known outputs using specific inputs. This approach is most effective for systems with limited outputs.
(2) auditing through the computer: auditors check inputs, outputs, and processing. They review program logic, and they test the data contained within the system.
(3) auditing with the computer: using a combination of client data, auditor software, and client and auditor hardware. This approach enables the auditor to perform tasks such as simulating payroll program logic using live data.
IS auditing considers:
All of the potential hazards and controls in information systems
Focuses on issues such as operations, data integrity, software applications, security and privacy, budgets and expenditures, cost control, and productivity.
Guidelines are available to assist auditors in their jobs, such as those from the Information Systems Audit and Control Association (www.isaca.org).
[ Closing Case Lessons Learned from the Target Data Breach]
The Business Problem
Target’s Response
The Results from the Breach
Questions
Describe the flaws in Target’s security system that enabled the breach.
Was Target’s response to the breach appropriate? Why or why not?
What should you do as a consumer to protect yourself against losing your personal data from establishments where you shop?