2 discussions and research paper


Managing and Using Information Systems: A Strategic Approach – Sixth Edition

Keri Pearlson, Carol Saunders, and Dennis Galletta

© Copyright 2016 John Wiley & Sons, Inc.

Chapter 7 Security


Opening Case

What are some important lessons from the opening case?

How long did the theft take? How did the theft likely occur?

How long did it take Office of Personnel Management (OPM) to detect the theft?

How damaging are the early reports of the data theft for the OPM?

© 2016 John Wiley & Sons, Inc.


The hackers did not carry out a dramatic and quick theft; they had a year to steal the records at their leisure.

The theft took place over a year, and the hackers stole a password.

It took many months for OPM to detect the theft.

Early reports say that at least 4 million, and as many as 14 million records were stolen. Each record contained 127-page security clearances that include sensitive medical, personal, and relationship information.


How Long Does it Take?

How long do you think it usually takes for someone to discover a security compromise in a system after the evidence shows up?

Several seconds

Several minutes

Several hours

Several days

Several months

A Mandiant study revealed that the median for 2014 was 205 days! That’s almost 7 months!

The record is 2,982 which is 11 years!

© 2016 John Wiley & Sons, Inc.


Timeline of a Breach - Fantasy

Hollywood has a fairly consistent script:

0: Crooks get password and locate the file

Minute 1: Crooks start downloading data and destroying the original

Minute 2: Officials sense the breach

Minute 3: Officials try to block the breach

Minute 4: Crooks’ download completes

Minute 5: Officials lose all data

Source: http:// www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf

© 2016 John Wiley & Sons, Inc.


Timeline of a Breach - Reality

IT Security Decision Framework

Decision Who is Responsible Why? Otherwise?
Information Security Strategy Business Leaders They know business strategies Security is an afterthought and patched on
Information Security Infrastructure IT Leaders Technical knowledge is needed Incorrect infrastructure decisions
Information Security Policy Shared: IT and Business Leaders Trade-offs need to be handled correctly Unenforceable policies that don’t fit the IT and the users
SETA (training) Shared: IT and Business Leaders Business buy-in and technical correctness Insufficient training; errors
Information Security Investments Shared: IT and Business Leaders Evaluation of business goals and technical requirements Over- or under-investment in security

© 2016 John Wiley & Sons, Inc.


How Have Big Breaches Occurred?

Date Detected Company What was stolen How
November 2013 Target 40 million credit & debit cards Contractor opened virus-laden email attachment
May 2014 Ebay #1 145 million user names, physical addresses, phones, birthdays, encrypted passwords Employee’s password obtained
September 2014 Ebay #2 Small but unknown Cross-site scripting
September 2014 Home Depot 56 million credit card numbers 53 million email addresses Obtaining a vendor’s password/exploiting OS vulnerability
January 2015 Anthem Blue Cross 80 million names, birthdays, emails, Social security numbers, addresses, and employment data Obtaining passwords from 5 or more high-level employees

© 2016 John Wiley & Sons, Inc.


Password Breaches

80% of breaches are caused by stealing a password.

You can steal a password by:

Phishing attack

Key logger (hardware or software)

Guessing weak passwords (123456 is most common)

Evil twin wifi

© 2016 John Wiley & Sons, Inc.


Insecurity of WiFi– a Dutch study

“We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.”

Had WiFi transmitter broadcasting “Starbucks” as ID

Because they were connected to him, he scanned for unpatched or vulnerable mobile devices or laptops

He also saw passwords and could lock them out of their own accounts.

The correspondent: “I will never again be connecting to an insecure public WiFi network without taking security measures.”

© 2016 John Wiley & Sons, Inc.

Slide 5-10

Other Approaches

Cross-site scripting (malicious code pointing to a link requiring log-in at an imposter site)

Third parties

Target’s HVAC system was connected to main systems

Contractors had access

Hackers gained contractors’ password

Malware captured customer credit card info before it could be encrypted

© 2016 John Wiley & Sons, Inc.


Cost of Breaches

Estimated at $145 to $154 per stolen record

Revenue lost when sales decline

Some costs can be recouped by insurance

© 2016 John Wiley & Sons, Inc.


Can You be Safe?

No, unless the information is permanently inaccessible

“You cannot make a computer secure” – from Dain Gary, former CERT chief

97% of all firms have been breached

Sometimes security makes systems less usable

© 2016 John Wiley & Sons, Inc.


What Motivates the Hackers?

Sell stolen credit card numbers for up to $50 each

2 million Target card numbers were sold for $20 each on average

Street gang members can usually get $400 out of a card

Some “kits” (card number plus SSN plus medical information) sell for up to $1,000

They allow opening new account cards

Stolen cards can be sold for bitcoin on the Deep Web

© 2016 John Wiley & Sons, Inc.


What Should Management Do?

Security strategy


Access tools *

Storage and transmission tools *

Security policies *

Training *


* Described next

© 2016 John Wiley & Sons, Inc.


Access Tools

Access Tool Ubiquity Advantages Disadvantages
Physical locks Very high Excellent if guarded Locks can be picked Physical Access is often not needed Keys can be lost
Passwords Very high User acceptance and familiarity Ease of use Mature practices Poor by themselves Sometimes forgotten Sometimes stolen from users using deception or key loggers
Biometrics Medium Can be reliable Never forgotten Cannot be stolen Can be inexpensive False positives/negatives Some are expensive Some might change (e.g., voice) Lost limbs Loopholes (e.g., photo)

© 2016 John Wiley & Sons, Inc.


Access Tools (continued)

Access Tool Ubiquity Advantages Disadvantages
Challenge questions Medium (high in banking) Not forgotten Multitude of questions can be used Social networking might reveal some answers Personal knowledge of an individual might reveal the answers Spelling might not be consistent
Token Low Stolen passkey is useless quickly Requires carrying a device
Text message Medium Stolen passkey is useless Mobile phone already owned by users Useful as a secondary mechanism too Requires mobile phone ownership by all users Home phone option requires speech synthesis Requires alternative access control if mobile phone lost
Multi-factor authentication Medium Stolen password is useless Enhanced security Requires an additional technique if one of the two fails Temptation for easy password

© 2016 John Wiley & Sons, Inc.


Storage and Transmission Tools

Tool Ubiquity Advantages Disadvantages
Antivirus/ antispyware Very high Blocks many known threats Blocks some “zero-day” threats Slow down operating system “Zero day” threats can be missed
Firewall High Can prevent some targeted traffic Can only filter known threats Can have well-known “holes”
System logs Very high Can reveal IP address of attacker Can estimate the extent of the breach Hackers can conceal their IP address Hackers can delete logs Logs can be huge Irregular inspections
System alerts High Can help point to logs Can detect an attack in process High sensitivity Low selectivity

© 2016 John Wiley & Sons, Inc.


Storage and Transmission Tools (continued)

Tool Ubiquity Advantages Disadvantages
Encryption Very high Difficult to access a file without the key Long keys could take years to break Keys are unnecessary if password is known If the key is not strong, hackers could uncover it by trial and error
WEP/WPA Very high Same as encryption Most devices have the capability Provides secure wifi connection Same as encryption Some older devices have limited protections WEP is not secure, yet it is still provided
VPN Medium Trusted connection is as if you were connected on site Hard to decrypt Device could be stolen while connected Sometimes slows the connection

© 2016 John Wiley & Sons, Inc.


Security Policies

Perform security updates promptly

Separate unrelated networks

Keep passwords secret

Manage mobile devices (BYOD)

Formulate data policies (retention and disposal)

Manage social media (rules as to what can be shared, how to identify yourself)

Use consultants (Managed Security Services Providers)

© 2016 John Wiley & Sons, Inc.


SETA (Security Education, Training, and Awareness)

Training on access tools

Limitations of passwords

Formulating a password

Changing passwords periodically

Using multi-factor authentication

Using password managers

© 2016 John Wiley & Sons, Inc.


SETA (Security Education, Training, and Awareness)



How to follow them

Social Media


How to follow them

Cases from the past that created problems

© 2016 John Wiley & Sons, Inc.


SETA (Security Education, Training, and Awareness)

Vigilance: Recognizing:

Bogus warning messages

Phishing emails

Physical intrusions

Ports and access channels to examine

© 2016 John Wiley & Sons, Inc.


Classic Signs of Phishing

Account is being closed

Email in-box is full

Winning a contest or lottery

Inheritance or commission to handle funds

Product delivery failed

Odd URL when hovering

Familiar name but strange email address

Poor grammar/spelling

Impossibly low prices

Attachment with EXE, ZIP, or BAT (etc.)

© 2016 John Wiley & Sons, Inc.


Managing and Using Information Systems: A Strategic Approach – Sixth Edition

Keri Pearlson, Carol Saunders, and Dennis Galletta

© Copyright 2016 John Wiley & Sons, Inc.