It strategy 7

winterishere

ch07.pdf

Home >Information Systems homework help >It strategy 7

Managing and Using Information Systems:

A Strategic Approach – Sixth Edition

Keri Pearlson, Carol Saunders, and Dennis Galletta

Chapter 7 Security

Opening Case

• What are some important lessons from the opening case?

• How long did the theft take? How did the theft likely occur?

• How long did it take Office of Personnel Management (OPM) to detect the theft?

• How damaging are the early reports of the data theft for the OPM?

How Long Does it Take?

• How long do you think it usually takes for someone to discover a security compromise in a system after the evidence shows up? A. Several seconds B. Several minutes C. Several hours

D. Several days E. Several months

A Mandiant study revealed that the median for 2014 was 205 days! That’s almost 7 months! The record is 2,982 which is 11 years!

Timeline of a Breach - Fantasy

• Hollywood has a fairly consistent script: • 0: Crooks get password and locate the file • Minute 1: Crooks start downloading data and

destroying the original • Minute 2: Officials sense the breach • Minute 3: Officials try to block the breach • Minute 4: Crooks’ download completes • Minute 5: Officials lose all data

Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf

http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf

Timeline of a Breach - Reality

Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf

http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf

IT Security Decision Framework Decision Who is

Responsible Why? Otherwise?

Information Security Strategy

Business Leaders They know business strategies

Security is an afterthought and patched on

Information Security Infrastructure

IT Leaders Technical knowledge is needed

Incorrect infrastructure decisions

Information Security Policy

Shared: IT and Business Leaders

Trade-offs need to be handled correctly

Unenforceable policies that don’t fit the IT and the users

SETA (training) Shared: IT and Business Leaders

Business buy-in and technical correctness

Insufficient training; errors

Information Security Investments

Shared: IT and Business Leaders

Evaluation of business goals and technical requirements

Over- or under- investment in security

How Have Big Breaches Occurred?

Date Detected Company What was stolen How

November 2013 Target 40 million credit & debit cards Contractor opened virus-laden email attachment

May 2014 Ebay #1 145 million user names, physical addresses, phones, birthdays, encrypted passwords

Employee’s password obtained

September 2014 Ebay #2 Small but unknown Cross-site scripting

September 2014 Home Depot

56 million credit card numbers 53 million email addresses

Obtaining a vendor’s password/exploiting OS vulnerability

January 2015 Anthem Blue Cross

80 million names, birthdays, emails, Social security numbers, addresses, and employment data

Obtaining passwords from 5 or more high-level employees

Password Breaches

• 80% of breaches are caused by stealing a password.

• You can steal a password by: • Phishing attack

• Key logger (hardware or software) • Guessing weak passwords (123456 is most common) • Evil twin wifi

Insecurity of WiFi– a Dutch study

• “We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.”

• Had WiFi transmitter broadcasting “Starbucks” as ID

• Because they were connected to him, he scanned for unpatched or vulnerable mobile devices or laptops

• He also saw passwords and could lock them out of their own accounts.

• The correspondent: “I will never again be connecting to an insecure public WiFi network without taking security measures.”

Other Approaches

• Cross-site scripting (malicious code pointing to a link requiring log-in at an imposter site)

• Third parties • Target’s HVAC system was connected to main

systems • Contractors had access • Hackers gained contractors’ password • Malware captured customer credit card info

before it could be encrypted

Cost of Breaches

• Estimated at $145 to $154 per stolen record

• Revenue lost when sales decline

• Some costs can be recouped by insurance

Can You be Safe?

• No, unless the information is permanently inaccessible • “You cannot make a computer secure” – from Dain Gary,

former CERT chief

• 97% of all firms have been breached

• Sometimes security makes systems less usable

What Motivates the Hackers?

• Sell stolen credit card numbers for up to $50 each • 2 million Target card numbers were sold for $20 each

on average • Street gang members can usually get $400 out of a

card • Some “kits” (card number plus SSN plus medical

information) sell for up to $1,000 • They allow opening new account cards

• Stolen cards can be sold for bitcoin on the Deep Web

What Should Management Do?

• Security strategy

• Infrastructure • Access tools * • Storage and transmission tools *

• Security policies *

• Training *

• Investments

* Described next

Access Tools

Access Tool Ubiquity Advantages Disadvantages

Physical locks Very high • Excellent if guarded

• Locks can be picked • Physical Access is often not

needed • Keys can be lost

Passwords Very high • User acceptance and familiarity

• Ease of use • Mature practices

• Poor by themselves • Sometimes forgotten • Sometimes stolen from users

using deception or key loggers

Biometrics Medium • Can be reliable • Never forgotten • Cannot be stolen • Can be

inexpensive

• False positives/negatives • Some are expensive • Some might change (e.g., voice) • Lost limbs • Loopholes (e.g., photo)

Access Tools (continued) Access Tool Ubiquity Advantages Disadvantages

Challenge questions

Medium (high in banking)

• Not forgotten • Multitude of

questions can be used

• Social networking might reveal some answers

• Personal knowledge of an individual might reveal the answers

• Spelling might not be consistent

Token Low • Stolen passkey is useless quickly

• Requires carrying a device

Text message Medium • Stolen passkey is useless

• Mobile phone already owned by users

• Useful as a secondary mechanism too

• Requires mobile phone ownership by all users

• Home phone option requires speech synthesis

• Requires alternative access control if mobile phone lost

Multi-factor authentication

Medium • Stolen password is useless

• Enhanced security

• Requires an additional technique if one of the two fails

Storage and Transmission Tools Tool Ubiquity Advantages Disadvantages

Antivirus/ antispyware

Very high • Blocks many known threats • Blocks some “zero-day”

threats

• Slow down operating system • “Zero day” threats can be

missed

Firewall High • Can prevent some targeted traffic

• Can only filter known threats • Can have well-known “holes”

System logs Very high • Can reveal IP address of attacker

• Can estimate the extent of the breach

• Hackers can conceal their IP address

• Hackers can delete logs • Logs can be huge • Irregular inspections

System alerts

High • Can help point to logs • Can detect an attack in

process • High sensitivity

• Low selectivity

Storage and Transmission Tools (continued)

Tool Ubiquity Advantages Disadvantages

Encryption Very high • Difficult to access a file without the key

• Long keys could take years to break

• Keys are unnecessary if password is known

• If the key is not strong, hackers could uncover it by trial and error

WEP/WPA Very high • Same as encryption • Most devices have the

capability • Provides secure wifi

connection

• Same as encryption • Some older devices have limited

protections • WEP is not secure, yet it is still

provided

VPN Medium • Trusted connection is as if you were connected on site

• Hard to decrypt

• Device could be stolen while connected

• Sometimes slows the connection

Security Policies

• Perform security updates promptly

• Separate unrelated networks

• Keep passwords secret

• Manage mobile devices (BYOD)

• Formulate data policies (retention and disposal)

• Manage social media (rules as to what can be shared, how to identify yourself)

• Use consultants (Managed Security Services Providers)

SETA (Security Education, Training, and Awareness)

• Training on access tools • Limitations of passwords • Formulating a password • Changing passwords periodically • Using multi-factor authentication • Using password managers

SETA (Security Education, Training, and Awareness)

• BYOD • Rules • How to follow them

• Social Media • Rules • How to follow them • Cases from the past that created problems

SETA (Security Education, Training, and Awareness)

• Vigilance: Recognizing: • Bogus warning messages • Phishing emails • Physical intrusions • Ports and access channels to examine

Classic Signs of Phishing

• Account is being closed

• Email in-box is full

• Winning a contest or lottery

• Inheritance or commission to handle funds

• Product delivery failed

• Odd URL when hovering

• Familiar name but strange email address

• Poor grammar/spelling

• Impossibly low prices

• Attachment with EXE, ZIP, or BAT (etc.)

Managing and Using Information Systems:

A Strategic Approach – Sixth Edition

Keri Pearlson, Carol Saunders, and Dennis Galletta