Assignment

ramsrpa4

ch071.pptx

Home >Information Systems homework help >Assignment

Managing and Using Information Systems: A Strategic Approach – Sixth Edition

Keri Pearlson, Carol Saunders, and Dennis Galletta

Chapter 7 Security

Opening Case

What are some important lessons from the opening case?

How long did the theft take? How did the theft likely occur?

How long did it take Office of Personnel Management (OPM) to detect the theft?

How damaging are the early reports of the data theft for the OPM?

The hackers did not carry out a dramatic and quick theft; they had a year to steal the records at their leisure.

The theft took place over a year, and the hackers stole a password.

It took many months for OPM to detect the theft.

Early reports say that at least 4 million, and as many as 14 million records were stolen. Each record contained 127-page security clearances that include sensitive medical, personal, and relationship information.

How Long Does it Take?

How long do you think it usually takes for someone to discover a security compromise in a system after the evidence shows up?

Several seconds

Several minutes

Several hours

Several days

Several months

A Mandiant study revealed that the median for 2014 was 205 days! That’s almost 7 months!

The record is 2,982 which is 11 years!

Timeline of a Breach - Fantasy

Hollywood has a fairly consistent script:

0: Crooks get password and locate the file

Minute 1: Crooks start downloading data and destroying the original

Minute 2: Officials sense the breach

Minute 3: Officials try to block the breach

Minute 4: Crooks’ download completes

Minute 5: Officials lose all data

Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf

Timeline of a Breach - Reality

Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf

IT Security Decision Framework

Decision	Who is Responsible	Why?	Otherwise?
Information Security Strategy	Business Leaders	They know business strategies	Security is an afterthought and patched on
Information Security Infrastructure	IT Leaders	Technical knowledge is needed	Incorrect infrastructure decisions
Information Security Policy	Shared: IT and Business Leaders	Trade-offs need to be handled correctly	Unenforceable policies that don’t fit the IT and the users
SETA (training)	Shared: IT and Business Leaders	Business buy-in and technical correctness	Insufficient training; errors
Information Security Investments	Shared: IT and Business Leaders	Evaluation of business goals and technical requirements	Over- or under-investment in security

How Have Big Breaches Occurred?

Date Detected	Company	What was stolen	How
November 2013	Target	40 million credit & debit cards	Contractor opened virus-laden email attachment
May 2014	Ebay #1	145 million user names, physical addresses, phones, birthdays, encrypted passwords	Employee’s password obtained
September 2014	Ebay #2	Small but unknown	Cross-site scripting
September 2014	Home Depot	56 million credit card numbers 53 million email addresses	Obtaining a vendor’s password/exploiting OS vulnerability
January 2015	Anthem Blue Cross	80 million names, birthdays, emails, Social security numbers, addresses, and employment data	Obtaining passwords from 5 or more high-level employees

Password Breaches

80% of breaches are caused by stealing a password.

You can steal a password by:

Phishing attack

Key logger (hardware or software)

Guessing weak passwords (123456 is most common)

Evil twin wifi

Insecurity of WiFi– a Dutch study

“We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.”

Had WiFi transmitter broadcasting “Starbucks” as ID

Because they were connected to him, he scanned for unpatched or vulnerable mobile devices or laptops

He also saw passwords and could lock them out of their own accounts.

The correspondent: “I will never again be connecting to an insecure public WiFi network without taking security measures.”

Slide 5-10

Other Approaches

Cross-site scripting (malicious code pointing to a link requiring log-in at an imposter site)

Third parties

Target’s HVAC system was connected to main systems

Contractors had access

Hackers gained contractors’ password

Malware captured customer credit card info before it could be encrypted

Cost of Breaches

Estimated at $145 to $154 per stolen record

Revenue lost when sales decline

Some costs can be recouped by insurance

Can You be Safe?

No, unless the information is permanently inaccessible

“You cannot make a computer secure” – from Dain Gary, former CERT chief

97% of all firms have been breached

Sometimes security makes systems less usable

What Motivates the Hackers?

Sell stolen credit card numbers for up to $50 each

2 million Target card numbers were sold for $20 each on average

Street gang members can usually get $400 out of a card

Some “kits” (card number plus SSN plus medical information) sell for up to $1,000

They allow opening new account cards

Stolen cards can be sold for bitcoin on the Deep Web

What Should Management Do?

Security strategy

Infrastructure

Access tools *

Storage and transmission tools *

Security policies *

Training *

Investments

* Described next

Access Tools

Access Tool	Ubiquity	Advantages	Disadvantages
Physical locks	Very high	Excellent if guarded	Locks can be picked Physical Access is often not needed Keys can be lost
Passwords	Very high	User acceptance and familiarity Ease of use Mature practices	Poor by themselves Sometimes forgotten Sometimes stolen from users using deception or key loggers
Biometrics	Medium	Can be reliable Never forgotten Cannot be stolen Can be inexpensive	False positives/negatives Some are expensive Some might change (e.g., voice) Lost limbs Loopholes (e.g., photo)

Access Tools (continued)

Access Tool	Ubiquity	Advantages	Disadvantages
Challenge questions	Medium (high in banking)	Not forgotten Multitude of questions can be used	Social networking might reveal some answers Personal knowledge of an individual might reveal the answers Spelling might not be consistent
Token	Low	Stolen passkey is useless quickly	Requires carrying a device
Text message	Medium	Stolen passkey is useless Mobile phone already owned by users Useful as a secondary mechanism too	Requires mobile phone ownership by all users Home phone option requires speech synthesis Requires alternative access control if mobile phone lost
Multi-factor authentication	Medium	Stolen password is useless Enhanced security	Requires an additional technique if one of the two fails Temptation for easy password

Storage and Transmission Tools

Tool	Ubiquity	Advantages	Disadvantages
Antivirus/ antispyware	Very high	Blocks many known threats Blocks some “zero-day” threats	Slow down operating system “Zero day” threats can be missed
Firewall	High	Can prevent some targeted traffic	Can only filter known threats Can have well-known “holes”
System logs	Very high	Can reveal IP address of attacker Can estimate the extent of the breach	Hackers can conceal their IP address Hackers can delete logs Logs can be huge Irregular inspections
System alerts	High	Can help point to logs Can detect an attack in process High sensitivity	Low selectivity

Storage and Transmission Tools (continued)

Tool	Ubiquity	Advantages	Disadvantages
Encryption	Very high	Difficult to access a file without the key Long keys could take years to break	Keys are unnecessary if password is known If the key is not strong, hackers could uncover it by trial and error
WEP/WPA	Very high	Same as encryption Most devices have the capability Provides secure wifi connection	Same as encryption Some older devices have limited protections WEP is not secure, yet it is still provided
VPN	Medium	Trusted connection is as if you were connected on site Hard to decrypt	Device could be stolen while connected Sometimes slows the connection

Security Policies

Perform security updates promptly

Separate unrelated networks

Keep passwords secret

Manage mobile devices (BYOD)

Formulate data policies (retention and disposal)

Manage social media (rules as to what can be shared, how to identify yourself)

Use consultants (Managed Security Services Providers)

SETA (Security Education, Training, and Awareness)

Training on access tools

Limitations of passwords

Formulating a password

Changing passwords periodically

Using multi-factor authentication

Using password managers

SETA (Security Education, Training, and Awareness)

BYOD

Rules

How to follow them

Social Media

Rules

How to follow them

Cases from the past that created problems

SETA (Security Education, Training, and Awareness)

Vigilance: Recognizing:

Bogus warning messages

Phishing emails

Physical intrusions

Ports and access channels to examine

Classic Signs of Phishing

Account is being closed

Email in-box is full

Winning a contest or lottery

Inheritance or commission to handle funds

Product delivery failed

Odd URL when hovering

Familiar name but strange email address

Poor grammar/spelling

Impossibly low prices

Attachment with EXE, ZIP, or BAT (etc.)

Managing and Using Information Systems: A Strategic Approach – Sixth Edition

Keri Pearlson, Carol Saunders, and Dennis Galletta