Google - Cybersecurity
1
Information Security Management
Chapter 10
10-2
Study Questions
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
How does the knowledge in this chapter help you?
2
10-3
Q1: What Is the Goal of Information Systems Security?
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
10-4
Examples of Threat/Loss
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
3
10-5
What Are the Sources of Threats?
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
10-6
What Types of Security Loss Exists?
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Unauthorized Data Disclosure – Pretexting – Phishing – Spoofing IP spoofing Email spoofing
– Drive-by sniffers Wardrivers
– Hacking & Natural disasters
4
10-7
Incorrect Data Modification
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Procedures incorrectly designed or not followed
• Increasing a customer’s discount or incorrectly modifying employee’s salary
• Placing incorrect data on company Web site
• Improper internal controls on systems
• System errors
• Faulty recovery actions after a disaster
10-8
Faulty Service
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)
5
10-9
Loss of Infrastructure
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Human accidents
• Theft and terrorist events
• Disgruntled or terminated employee
• Natural disasters
• Advanced Persistent Threat (APT1) – Theft of intellectual property from U.S. firms
10-10
Goal of Information Systems Security
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Appropriate trade-off between risk of loss and cost of implementing safeguards
• Use antivirus software
• Deleting browser cookies (Worth it?)
• Get in front of security problems by making appropriate trade-offs
6
10-11
Q2: How Big Is the Computer Security Problem?
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
10-12
Computer Crime Costs by Attack Type
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
7
10-13
Ponemon Study Findings (2014)
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Malicious insiders increasingly serious threat
• Business disruption and data loss principal costs of computer crime
• Negligent employees, personal devices connecting to corporate network, use of commercial cloud-based applications pose significant security threats
• Security safeguards work
• Ponemon Study 2014
10-14
Q3: How Should You Respond to Security Threats?
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
Personal Security Safeguards
Intrusion detection system (IDS)
8
10-15
Security Safeguards and the Five Components
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
10-16
So What? New from Black Hat 2014
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Educational forum for hackers, developers, manufacturers, and government agencies
• Briefings on how things can be hacked
• Show how to exploit weaknesses in hardware, software, protocols, or systems from smartphones to ATMs
9
10-17
Keynote Speaker Recommendations
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
1. Mandatory reporting of security vulnerabilities
2. Software makers liable for damage their code causes after abandoned or users allowed to see it
3. ISP liable for harmful, inspected content
4. “Right to be forgotten” - appropriate and advantageous
5. End-to-End Encrypted Email
10-18
Hacking Smart Things
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Automobile wireless features and poor internal systems architecture allow hackers to access automated driving functions through features like car’s radio
• Control hotel lights, thermostats, televisions, and blinds in 200+ rooms by reverse-engineering home automation protocol called KNX/IP
• 70% smart devices use unencrypted network services, 60% vulnerable to persistent XSS (cross-site scripting), and weak credentials
10
10-19
Q4: How Should Organizations Respond to Security Threats?
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Senior management creates company-wide policies: – What sensitive data will be stored? – How will data be processed? – Will data be shared with other organizations? – How can employees and others obtain copies of data stored
about them? – How can employees and others request changes to inaccurate
data?
• Senior management manages risks
10-20
Q5: How Can Technical Safeguards Protect Against Security Threats?
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
11
10-21
Technical safeguards
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Identification and authentication – Smart Cards – Biometric authentication
• Single sign-on for multiple systems
• Encryption – Symmetric encryption – Asymmetric encryption Public key encryption - special version
10-22
Essence of https (SSL or TLS)
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
12
10-23
Use of Multiple Firewalls
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
Packet-filtering Firewall
10-24
Malware Types and Spyware and Adware Symptoms
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Viruses Payload Trojan horses Worms Spyware Adware
13
10-25
Malware Safeguards
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Install antivirus and antispyware software
• Scan your computer frequently
• Update malware definitions
• Open email attachments only from known sources
• Promptly install software updates from legitimate sources
• Browse only reputable web sites
10-26
Design for Secure Applications
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• SQL injection attack
– User enters SQL statement into a form instead of a name or other data
– Accepted code becomes part of database commands issued
– Improper data disclosure, data damage and loss possible
– Well designed applications make injections ineffective
14
10-27
Q6: How Can Data Safeguards Protect Against Security Threats?
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Data safeguards • Data administration • Key escrow
10-28
Q7: How Can Human Safeguards Protect Against Security Threats?
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
15
10-29
Human Safeguards for Nonemployee Personnel
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Temporary personnel, vendors, partner personnel (employees of business partners), and public
• Require vendors and partners to perform appropriate screening and security training
• Contract specifies security responsibilities
• Least privilege accounts and passwords, remove accounts as soon as possible
10-30
Public Users
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Web sites and other openly accessible information systems. – Hardening Special versions of operating system that lock down or
eliminate operating systems features and functions not required by application
– Protect public users from internal company security problems
16
10-31
Account Administration
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Account Management – Standards for new user accounts, modification of account
permissions, removal of unneeded accounts
• Password Management – Users change passwords frequently
• Help Desk Policies – Provide means of authenticating users
10-32
Sample Account Acknowledgment Form
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
17
10-33
Systems Procedures
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
10-34
Security Monitoring
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Activity logs – Firewall log Lists of all dropped packets, infiltration attempts,
unauthorized access, attempts from within the firewall – DBMS Successful and failed logins
– Web servers Voluminous logs of Web activities
• PC O/S produce logs of log-ins and firewall activities
18
10-35
Security Monitoring (cont’d)
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Employ utilities to assess their vulnerabilities
• Honeypots for computer criminals to attack
• Investigate security incidents
• Constantly monitor existing security policy and safeguards
10-36
Q8: How Should Organizations Respond to Security Incidents?
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
19
10-37
How Does the Knowledge in This Chapter Help You?
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Awareness of: – Threats to computer security as an individual, business
professional, employer – Risk trade offs – Technical, data, human safeguards to protect computing
devices and data – How organizations should respond to security threats – How organizations should respond to security incidents – Importance of creating and using strong passwords!
10-38
Ethics Guide: Hacking Smart Things
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Unintended risks associated IoT
• 26 billion IoT devices by 2020
• Hackers access automated driving functions through features like car’s radio – Via automobile wireless features with poor internal systems
architecture
• Control hotel lights, thermostats, televisions, room blinds by reverse-engineering home automation protocol (KNX/IP)
20
10-39
Ethics Guide: Hacking Smart Things
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Threats to securing home, appliances, your car – 70% smart devices use unencrypted network services – 60% vulnerable to persistent XSS (cross-site scripting) and
weak credentials
10-40
Guide: EMV to the Rescue
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• EMV chip-and-PIN.
• Changes way cards are verified
• Chip verifies authenticity of physical card, PIN verifies identity of cardholder
• What EMV can do to protect you?
21
10-41
Case Study 10: Hitting the Target
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Lost 40 million credit and debit card numbers
• Less than a month later, announced additional 70 million customer accounts stolen that included names, emails, addresses, phone numbers, etc
• 98 million customers affected – 31% of 318 million in US
• Stolen from point-of-sale (POS) systems at Target stores during holiday shopping season
10-42
Hitting the Target (cont’d)
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Spear-phished third party vendor, Fazio Mechanical Services
• Malware gathered keystrokes, login credentials, screenshots from Fazio users
• Used stolen login credentials to access vendor server on Target’s network
• Escalated privileges to gain access to Target’s internal network
• Compromised internal Windows file server
• Installed malware named Trojan.POSRAM
22
10-43
Hitting the Target (cont’d)
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Customer data continuously sent from POS terminals to an extraction server within Target’s network
• Funneled out of Target’s network to drop servers in Russia, Brazil, and Miami
• Data sold on black market
10-44
How Did They Do It?
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
Spearphished malware to gather keystrokes, login credentials, and screenshots from Fazio users
Attackers escalated privileges to gain access to Target’s internal network.
Trojan.POSRAM extracted data from POS terminals
23
10-45
Damage
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Attackers sold about 2 million cards for $26.85 each ($53.7M) • Target took loss on merchandise purchased using stolen credit cards • Costs
– Upgraded POS terminals to support chip-and-pin cards – Increased insurance premiums – Paid legal fees – Settled with credit card processors – Paid consumer credit monitoring – Paid regulatory fines
10-46
Damage (cont'd)
C o p y r i g h t © 2 0 1 7 P e a r s o n E d u c a t i o n , I n c .
• Target loss of customer confidence and drop in revenues (46% loss for quarter)
• Direct loss to Target as high at $450 million
• CIO resigned, CEO paid $16 million to leave
• Cost credit unions and banks more than $200 million to issue new cards
• Insurers demand higher premiums, stricter controls, more system auditing
• Consumers must watch their credit card statements, and fill out paperwork if fraudulent charges appear