unit_8_information_system.docx

Question 1

Discuss some human safeguards for employees that can ensure the security of information systems. Your response should be at least 200 words in length. You are required to use at least your textbook as source material for your response. All sources used, including the textbook, must be referenced; paraphrased and quoted material must have accompanying citations.

Question 2

How should organizations respond to security threats? Your response should be at least 200 words in length. You are required to use at least your textbook as source material for your response. All sources used, including the textbook, must be referenced; paraphrased and quoted material must have accompanying citations.

Question 3

Research disaster recovery plans (IS). Be sure to review your lessons and assigned readings.

• Assume there are two generic companies, one with and the other without a disaster recovery plan.

• Title your response under one of the following headings:

– Reasons why the company survived

– Reasons why the company did not survive

• Explain the type of disaster, the plan your company had in place, and why the company did or did not survive.

• Be sure to use your research to support your post.

Your response should be at least 200 words in length. You are required to use at least your textbook as source material for your response. All sources used, including the textbook, must be referenced; paraphrased and quoted material must have accompanying citations.

Could Someone Be Getting To Our Data?

•Stealing only from weddings of club members

•Knowledge: How to access system and database and SQL

•Access: Passwords on yellow stickies; many copies of key to server building

•Suspect: Greenskeeper is “a techno-whiz,” created a report for Anne, knows SQL and how to access the database

What Types of Security Loss Exist?

Unauthorized Data Disclosure

•Pretexting

•Phishing

•Spoofing

–IP spoofing

–Email spoofing

•Drive-by sniffers

•Hacking

•Natural disasters

Incorrect Data Modification

•Procedures not followed or incorrectly designed procedures

•Increasing a customer’s discount or incorrectly modifying employee’s salary

•Placing incorrect data on company Web site

•Improper internal controls on systems

•System errors

•Faulty recovery actions after a disaster

Faulty Service

•Incorrect data modification

•Systems working incorrectly

•Procedural mistakes

•Programming errors

•IT installation errors

•Usurpation

•Denial of service (unintentional)

•Denial-of-service attacks (intentional)

Loss of Infrastructure

•Human accidents

•Theft and terrorist events

•Disgruntled or terminated employees

•Natural disasters

Goal of Information Systems Security

•Threats can be stopped, or at least threat loss reduced

•Safeguards are expensive and reduce work efficiency

•Find trade-off between risk of loss and cost of safeguards

Using MIS InClass 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts

•In this exercise, you and a group of your fellow students will investigate phishing attacks.

•Search the Web for phishing, be aware that your search may bring the attention of an active phisher.

•Therefore, do not give any data to any site that you visit as part of this exercise!

What Are the Elements of a Security Policy?

1.General statement of organization’s security program

2.Issue-specific policy

3.System-specific policy

Managing Risks

•Risk: threats and consequences we know about

•Uncertainty: things we do not know that we do not know

Risk Assessment and Management

Risk Assessment

•Tangible consequences

•Intangible consequences

•Likelihood

•Probable loss

Risk-Management Decisions

•Given probable loss, what to protect?

•Which safeguards inexpensive and easy?

•Which vulnerabilities expensive to eliminate?

•How to balance cost of safeguards with benefits of probable loss reduction?
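A worked version of the probable-loss calculation and the safeguard trade-off described above, added here as an illustration rather than taken from the textbook. Probable loss is taken as likelihood (expected occurrences per year) times tangible plus intangible consequences; the club's threats, dollar figures, and safeguard effectiveness are constructed assumptions, and, as the Managing Risks bullets note, uncertainty (what we do not know that we do not know) cannot be priced into such a table.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    likelihood: float   # expected occurrences per year (assumed: estimated from history or industry data)
    tangible: float     # direct cost per occurrence in dollars: refunds, repairs, staff time
    intangible: float   # estimated dollar value of lost trust, reputation, member goodwill

    def probable_loss(self) -> float:
        # the textbook's "probable loss": likelihood times total consequence, per year
        return self.likelihood * (self.tangible + self.intangible)

@dataclass
class Safeguard:
    name: str
    threat: str         # which threat it addresses
    annual_cost: float  # purchase, labour and lost work efficiency, per year
    reduction: float    # fraction of that threat's probable loss it removes (0..1)

def net_benefit(sg: Safeguard, threats: dict) -> float:
    # benefit of probable-loss reduction minus the safeguard's own cost
    return threats[sg.threat].probable_loss() * sg.reduction - sg.annual_cost

def choose_safeguards(threats: dict, safeguards: list, budget: float) -> list:
    # Keep safeguards that pay for themselves, best first, until the budget is spent;
    # a vulnerability whose only safeguard costs more than the loss it prevents is accepted.
    chosen, spent = [], 0.0
    for sg in sorted(safeguards, key=lambda s: net_benefit(s, threats), reverse=True):
        if net_benefit(sg, threats) > 0 and spent + sg.annual_cost <= budget:
            chosen.append(sg.name)
            spent += sg.annual_cost
    return chosen

# Constructed sample figures for a small club (not from the textbook)
THREATS = {t.name: t for t in [
    Threat("member data disclosure", 0.2, 50_000, 100_000),
    Threat("incorrect discount modification", 2.0, 3_000, 500),
    Threat("server building theft", 0.05, 40_000, 10_000),
]}
SAFEGUARDS = [
    Safeguard("password policy and training", "member data disclosure", 4_000, 0.5),
    Safeguard("rekey server building, track key holders", "server building theft", 1_500, 0.8),
    Safeguard("approval workflow for discounts", "incorrect discount modification", 2_000, 0.9),
    Safeguard("24x7 physical guard", "server building theft", 60_000, 0.95),
]
```

With these figures the guard is rejected because it costs far more than the theft loss it would prevent, which is the "expensive to eliminate" case in the decision list.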

Ethics Guide: Security Privacy

Legal requirements to protect customer data

•Gramm-Leach-Bliley (GLB) Act (1999)

•Privacy Act of 1974

•Health Insurance Portability and Accountability Act (HIPAA) (1996)

•Privacy Principles of the Australian Privacy Act of 1988

Ethics Guide: Security Privacy

What requirements does your university have on data it maintains about you?

•No federal law

•Responsibility to provide public access to graduation records

•Class work, email, exam answers not covered under privacy law

•Research covered under copyright law, not privacy law

System Access Protocols

Kerberos

•Single sign-on for multiple systems

•Authenticates users without sending passwords across network.

•“Tickets” enable users to obtain services from multiple networks and servers.

•Windows, Linux, Unix employ Kerberos

Wireless Access

•VPNs and special security servers

•WEP (Wired Equivalent Privacy)

•WPA, WPA2 (Wi-Fi Protected Access)
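To make the Kerberos bullets above concrete, here is an added educational model of the ticket exchange; it is not code from the textbook and is deliberately simplified from the real protocol (a single ticket-issuing step, and a toy HMAC-based seal standing in for Kerberos' AES encryption). The user name, service name, and password are constructed; the point shown is that the KDC's reply can be opened only by deriving the key from the password locally, so the password itself never crosses the network, and that the service trusts a ticket because only the KDC could have sealed it under the service's key.

```python
import hashlib, hmac, json, os, time

def derive_key(password: str) -> bytes:
    # Client and KDC each derive the long-term key from the password locally; the password is never sent.
    return hashlib.sha256(b"toy-salt:" + password.encode()).digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]
def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption standing in for Kerberos' AES: nonce || ciphertext || tag
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")   # a wrong password ends up here
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self):
        self.user_keys = {"anne": derive_key("correct horse battery")}  # constructed sample user
        self.service_keys = {"clubdb": os.urandom(32)}                  # shared with that service
    def as_exchange(self, user: str, service: str) -> bytes:
        # Request carries only the user name; reply = session key + ticket, sealed under the user key.
        session = os.urandom(32)
        ticket = seal(self.service_keys[service],
                      {"user": user, "key": session.hex(), "exp": time.time() + 600})
        return seal(self.user_keys[user], {"key": session.hex(), "ticket": ticket.hex()})

def client_login(kdc: KDC, user: str, password: str, service: str):
    # Only the holder of the real password can open the reply and recover session key + ticket.
    rep = unseal(derive_key(password), kdc.as_exchange(user, service))
    session, ticket = bytes.fromhex(rep["key"]), bytes.fromhex(rep["ticket"])
    return ticket, seal(session, {"user": user, "ts": time.time()})  # ticket + authenticator

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> bool:
    # The service opens the ticket with its own key, then the authenticator with the session key.
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    return t["exp"] > time.time() and a["user"] == t["user"] and abs(time.time() - a["ts"]) < 300

def demo(password: str) -> bool:
    kdc = KDC()
    try:
        ticket, auth = client_login(kdc, "anne", password, "clubdb")
    except ValueError:   # wrong password: the reply cannot be opened, and nothing was sent to guess from
        return False
    return service_accepts(kdc.service_keys["clubdb"], ticket, auth)
```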

Malware Safeguards

1.Antivirus and antispyware programs

2.Scan frequently

3.Update malware definitions

4.Open email attachments only from known sources

5.Install software updates

6.Browse only reputable Internet neighborhoods

Bots, Botnets, and Bot Herders

•Bot

Surreptitiously installed, takes actions unknown and uncontrolled by user

Some very malicious, others annoying

•Botnet

Network of bots

Bot herder

Serious problems for commerce and national security

Human Safeguards for Nonemployee Personnel

•Nonemployee personnel

Least privileged accounts

•Contract personnel

Specify security responsibilities

•Public Users

Hardening site

Account Administration

•Account Management

Standards for new user accounts, modification of account permissions, removal of unneeded accounts.

•Password Management

Users should change passwords frequently

•Help Desk Policies

Security Monitoring Functions

•Activity log analyses

Firewall, DBMS, Web server

•In-house and external security testing

Investigation of incidents

Create “honeypots”
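An added example (not from the textbook) of the activity-log analysis listed above, run over constructed DBMS audit lines modelled on the greenskeeper case from the start of these notes. Each account's expected tables (taken from the account-administration standards), the business-hours window, and the bulk-read threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample DBMS activity-log lines (not real data)
LOG = """\
2024-05-03 09:12:07 user=anne db=clubdb table=member_events stmt=SELECT rows=12
2024-05-03 22:41:55 user=gkeeper db=clubdb table=member_events stmt=SELECT rows=1450
2024-05-03 10:05:13 user=gkeeper db=clubdb table=grounds_schedule stmt=UPDATE rows=3
2024-05-04 03:17:40 user=anne db=clubdb table=member_events stmt=SELECT rows=2
2024-05-04 11:30:02 user=sa db=clubdb table=members stmt=SELECT rows=6000
"""

# Tables each account is expected to touch (least privilege, from the account standards)
ALLOWED = {"anne": {"member_events", "members"}, "gkeeper": {"grounds_schedule"}}
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59
BULK_ROWS = 1000                # a single statement touching this many rows is unusual here

LINE = re.compile(r"(\S+ \S+) user=(\w+) db=(\w+) table=(\w+) stmt=(\w+) rows=(\d+)")

def analyze(log: str) -> list:
    """Return (kind, ...) alert tuples; an empty list means nothing stood out."""
    alerts = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            alerts.append(("unparsed", line))   # never silently drop a line the parser can't read
            continue
        ts, user, db, table, stmt, rows = m.groups()
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if user not in ALLOWED:
            alerts.append(("unknown-account", user, table))
        elif table not in ALLOWED[user]:
            alerts.append(("outside-role", user, table))
        if hour not in BUSINESS_HOURS:
            alerts.append(("after-hours", user, table, ts))
        if int(rows) >= BULK_ROWS:
            kind = "bulk-read" if stmt == "SELECT" else "bulk-write"
            alerts.append((kind, user, table, int(rows)))
    return alerts
```

On the sample, the greenskeeper account reading the member-events table at night in bulk produces three alerts at once, which is the pattern the investigation in the case would want surfaced.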

Responding to Security Incidents

•Human error and computer crimes

Procedures for how to respond to security problems, whom to contact, data to gather, and steps to reduce further loss

•Centralized reporting of all security incidents

•Incident-response plan

•Emergency procedures

Q7: 2022?

•Challenges likely to be iOS and other intelligent portable devices

•Harder for the lone hacker to find vulnerability to exploit

•Continued investment in safeguards

•Continued problem of electronically porous national borders

Guide: Security Assurance, Hah!

•Employees who never change password or use some simpleton word like “Sesame” or “MyDogSpot” or something equally absurd

•Notes with passwords in top drawer of desks

•Management talks about security risk assurance and should enforce real security

Guide: The Final, Final Word

•Routine work will migrate to lower-labor-cost countries

Be a symbolic-analytic worker

Abstract thinking

How to experiment

Systems thinking

Collaboration

Case 12: Moore’s Law, One More Time …

•Doubling CPU speed helps criminals

Enables more powerful password crackers

•iOS, Android phones, and millions of mobile devices increase data communications and exponential opportunities for computer criminals.