BUSI 3700 Chapter 12

27 Terms

1
Identity Theft

  • when vital info is stolen to facilitate impersonation and create a new identity

  • can be done with name, address, DOB, social insurance number, and mother’s maiden name

2
PIPEDA

  • Personal Information Protection and Electronic Documents Act

  • Legislation that balances an individual’s right to the privacy of their personal information and organizations need to collect, use, or share it for business purposes

  • Privacy Commissioner of Canada oversees it

3
3 sources of security threats

  1. Human errors and mistakes

  2. Malicious human activity

  3. Natural events and disasters

4
Human errors and mistakes

  • Accidental problems

    • Employee accidentally deletes a customer's records due to misunderstanding operating procedures

    • Employee drives truck through wall of computer room

    • Poorly written software

5
Malicious human activity

  • Intentional theft or destruction of data or systems components

  • Hackers

    • Malicious software developers

  • People who send unwanted emails (spam)

  • Criminals

  • Terrorists

6
Natural events and disasters

  • Fires, floods, hurricanes, earthquakes, tsunamis, and other acts of nature

  • Includes

    • Initial losses of capability and service

    • Losses from recovery actions

7
Unauthorized data disclosure

  • Human error

    • Posting private info to the public

  • Malicious release

    • Pretexting

  • Ransomware

8
Pretexting

  • deceiving someone by pretending to be someone else

  • examples:

    • phishing: via emails

    • spoofing: IP addresses and domain names

    • sniffing: unprotected Wi-Fi networks

9
Ransomware

malicious software that encrypts data and renders it useless unless a ransom payment is made

10
Incorrect Data Modification

Caused by human errors

  • incorrect entries and information

  • procedural problems

  • systems errors

Hacking: unauthorized person gains access to system

11
Faulty Service

Incorrect system operation

  • Procedural mistakes

  • Incorrect system development

12
Denial of service

  • Human error when following protocols

  • Denial-of-service attacks causing spam

  • Natural disasters shutting system down

13
Loss of infrastructure

  • Accidental by staff

  • Theft

  • Terrorism

  • Natural disasters

14
Elements of a Security Program

  • Senior management involvement

    • Must establish a security and risk policy

  • Safeguards

    • Protections against security threats

  • Incident response

    • Must plan prior to incidents

15
Technical Safeguards

Involve hardware and software components of IS. Examples:

  • Identification and authentication

    • Passwords

    • Single sign-on for multiple systems

  • Encryption

  • Firewalls

  • Malware protection

16
Malware protection

  • anti-virus and anti-spyware programs

  • scan computer frequently

  • open email attachments only from known sources

  • install software and OS updates promptly

  • browse only reputable websites

17
Data Safeguards

  • Data component of IS

  • Protect databases and other organizational data

  • Data administration

    • Organization-wide

    • Data policies and enforcing data standards

  • Database administration

    • For each database

    • Procedures for multi-user processing

    • Protection

18
Database Protection Methods

  • Encryption

  • Backups (store off-premise and check validity)

  • Physical security (lock and control access to facility)

  • 3rd party contracts

    • Safeguards are written into contracts

    • Right to inspect premises and interview personnel

19
Human Safeguards

  • Involves people and procedure components of IS

  • User access restriction requires authentication and account management

  • Security considerations for:

    • Employees

    • Non-employee personnel

20
Human Safeguards for Employees

  • User accounts considerations

    • Grant least possible privileges

  • Hiring and screening employees

  • Inform employees of policies and procedures

    • Employee training

  • Enforcement of policies

    • Hold employees accountable

  • Create policies and procedures for employee termination

    • Remove user accounts and passwords

21
Human Safeguards for Non-Employees

Temporary personnel and vendors

  • Screen personnel

  • Contract should include specific security provisions

Public users

  • Harden website and facility

Protect the public and partners who benefit from the IS from the company's internal security problems

22
Hardening a site

Take extraordinary measures to reduce a system's vulnerability

23
Account Administration

  • Account management procedures (for each system)

    • Creating new users and removing old users

    • Modifying existing users

  • Password management

  • Help-desk policies

    • Authentication of users who lost their password

24
System Procedures

Required for:

  • Normal operation

  • Backup

  • Recovery

Each type should exist for each IS to reduce the likelihood of computer crime

25
Security Monitoring

  • Activity log analyses

    • Firewall logs

    • Web server logs

  • Security testing

    • In-house and external security professionals

  • Investigation of incidents

  • Lessons learned

26
Disaster Preparedness

  • substantial loss of computing infrastructure caused by acts of nature, crime, or terrorist activity can be disastrous for an organization

    • best safeguard is appropriate location

    • backup data centres should be in a separate location

    • prepare remote backup facilities

27
Responding to Security Incidents

  • Organization must have an incident-response plan

  • Centralized reporting of incidents

  • Speed is of the essence

  • Identify critical employees and contact numbers

    • Train them

  • Practice incident response