Chapter 10: Goal of Information Systems Security

Description: security is op

Last updated 3:44 PM on 3/24/26

93 Terms

1

Information systems security

involves trade-offs, especially a trade-off between security and freedom or between cost and risk

2

Threat

a person or organization that seeks to obtain or alter data or other IS assets illegally, without the owner’s permission and often without the owner’s knowledge

3

vulnerability

an opportunity for threats to gain access to individual or organizational assets

ex. buying something online, and sending your credit card data over the Internet

4

safeguard

some measure that individuals or organizations take to block the threat from obtaining the asset

  • not always effective

5

target

the asset that is desired by the threat

6

What are the sources of threats?

  • Human Error

  • Computer Crime

  • Natural Events and Disasters

7

Human error

include accidental problems caused by both employees and nonemployees

ex. an employee who misunderstands operating procedures and accidentally deletes customer records

ex2. an employee who, in the course of backing up a database, inadvertently installs an old database on top of the current one

8

Computer Crime

Includes employees and former employees who intentionally destroy data or other system components.

  • Includes hackers and terrorists, plus those who break into a system to steal for financial gain

9

Natural events and disasters

This category includes fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature.

  • Include initial loss of capability and service + losses stemming from actions to recover from the initial problem (recovery costs)

10

What types of security loss exist?

  • Unauthorized data disclosure

  • Incorrect data modification

  • Faulty service

  • Denial of service

  • Loss of infrastructure

11

Unauthorized data disclosure

occurs when a threat obtains data that is supposed to be protected

  • Can occur by human error when someone inadvertently releases data in violation of policy

ex. At a university is a department administrator who posts student names, identification numbers, and grades in a public place, when the releasing of names and grades violates state and federal law.

ex2. employees who unknowingly or carelessly release proprietary data to competitors or to the media.

  • This security loss problem can include people inadvertently disclosing data during recovery from a natural disaster

    • During a recovery, everyone is so focused on restoring system capability that they might ignore normal security safeguards.

12

Pretexting

occurs when someone deceives by pretending to be someone else

ex. a common scam involves a telephone caller who pretends to be from a credit card company and claims to be checking the validity of credit card numbers

13

Phishing

a similar technique for obtaining data that uses pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data

data examples: account numbers, social security numbers, account passwords…

14

Phisher

An individual or organization that spoofs legitimate companies in an attempt to illegally capture personal data, such as credit card numbers, email accounts, and driver’s license numbers

15

Spoofing

When someone pretends to be someone else with the intent of obtaining unauthorized data

ex. If you pretend to be your professor, you are spoofing your professor

16

IP spoofing

occurs when an intruder uses another site’s IP address to masquerade as that other site

17

Email spoofing

a synonym for phishing

18

Sniffing

is a technique for intercepting computer communications.

  • With wired networks, sniffing requires a physical connection to the network

  • With wireless networks, no such connection is required

19

Wardrivers

People who use computers with wireless connections to search for unprotected wireless networks. They use packet sniffers, which are programs that capture network traffic to monitor and intercept traffic on unsecured wireless (or wired) networks.

20

Packet sniffers

A program that captures network traffic

21

Hacking

breaking into computers, servers, or networks to steal data such as customer lists, product inventory data, employee data, and other proprietary and confidential data

22

Incorrect data modification

Can occur through human error when employees follow procedures incorrectly or when procedures have been designed incorrectly.

  • examples include incorrectly increasing a customer’s discount or incorrectly modifying an employee’s salary, earned days of vacation, or annual bonus

  • other examples include placing incorrect information, such as incorrect price changes, on a company’s website or company portal

    • A final type of this security loss problem includes system errors. An example is the lost-update problem

    • Also, faulty recovery actions after a disaster can result in incorrect data changes

23

Faulty service

includes problems that result from incorrect system operation. 

  • could include incorrect data modification

  • could include systems that work incorrectly by sending the wrong goods to a customer or the ordered goods to the wrong customer, inaccurately billing customers, or sending the wrong information to employees

Humans can inadvertently cause _____ by making procedural mistakes. System devs can write programs incorrectly or make errors during the installation of hardware, software programs, and data

  • ____ can also result when service is improperly restored during recovery from natural disasters

24

Usurpation

occurs when computer criminals invade a computer system and replace legitimate programs with their own, unauthorized ones that shut down legitimate applications and substitute their own processing to spy, steal and manipulate data, or achieve other purposes

25

Denial of service

Security problem in which users are not able to access an information system; can be caused by human errors, natural disaster, or malicious activity.

  • For ex, humans can inadvertently shut down a web server or corporate gateway router by starting a computationally intensive application. An OLAP application that uses the operational DBMS can consume so many DBMS resources that order-entry transactions cannot get through

    • Natural disasters may cause systems to fail, resulting in ______

26

Loss of infrastructure

many times, human accidents cause _____, the last loss type.

ex: a bulldozer cutting a conduit of fiber-optic cables and a floor buffer crashing into a rack of web servers.

  • Theft and terrorist events also cause____

    • ex. a disgruntled, terminated employee might walk off corporate data servers, routers, or other crucial equipment

    • terrorist events can also cause the loss of physical plants and equipment

  • Natural disasters present the largest risk for ______

    • A fire, flood, earthquake, or similar event can destroy data centers and all they contain.

27

Advanced Persistent Threat (APT)

a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments

  • APTs can be a means to engage in cyberwarfare and cyber-espionage

ex. a group called APT41 (Double Dragon), which is allegedly a covert, financially motivated, state-sponsored hacking group based out of China.

28

Goal of Information Systems Security

to find an appropriate trade-off between the risk of loss and the cost of implementing safeguards

29

Malware

the most common attack type (98%)

30

Common Attack Types

  • Malware (98%)

  • Phishing and Social Engineering (60-70%)

  • Web-based Attacks (62-68%)

  • Malicious Code (58-62%)

  • Botnets (55-63%)

  • Stolen Devices (40-50%)

  • Malicious Insiders (35-40%)

  • Ransomware (10-28%)

31

60% Cybercrime Internal cost percentages

  • 36% discovery

  • 24% containment

  • 22% investigation

  • 18% recovery

32

Personal Security Safeguards

  • Take security seriously

  • Create strong passwords

  • Use multiple passwords

  • Send no valuable data via email or IM

  • Use https at trusted, reputable vendors

  • Remove high-value assets from computers

  • Clear browsing history, temporary files, and cookies (CCleaner or equivalent)

  • Regularly update antivirus software

  • Demonstrate security concern to your fellow workers

  • Follow organizational security directives and guidelines 

  • Consider security for all business initiatives

33

Intrusion Detection System (IDS)

is a computer program that senses when another computer is attempting to scan or access a computer or network

34

Brute force attack

A password-cracking program that tries every possible combination of characters

35

Credential stuffing

the automated injection of stolen usernames and passwords to gain access to multiple websites

  • Becoming very common because of password reuse, or the use of login information to access multiple sites

36

Cookies

Small files that your browser receives when you visit websites. Might contain data such as the date you last visited, whether you are currently signed in, or something else about your interaction with that site.

  • Enable you to access websites without having to sign in every time, and they speed up processing of some sites

37

Third-party cookie

a cookie created by a site other than the one you visited.

  • Generated in several ways, but the most common occurs when a web page includes content from multiple sources

    • ex. Amazon designs its pages so that one or more sections contain ads provided by the ad-serving company DoubleClick.

Generally do not contain the name or any value that identifies a particular user.

Instead, they include the IP address to which the content was delivered.

38

CCleaner

a free, open source product that will do a thorough job of securely removing all data

  • you should make a backup of your data before using

39

Security policy

a document that states the rules and procedures that protect an organization’s information systems and data.

40

Minimum Security Policy Data Included

  • What sensitive data the organization will store

  • How it will process that data

  • Whether data will be shared with other organizations

  • How employees and others can obtain copies of data stored about them

  • How employees and others can request changes to inaccurate data

41

Information Security Fatigue

A reluctance to deal with information security due to feeling overwhelmed

  • Due to too many security policies

42

Risk management

Means to proactively balance the trade-off between risk and cost

  • Risk cannot be eliminated

43

Technical safeguards

involves the hardware and software components of an information system

ex.

1.) Identification and authentication

2.) Encryption

3.) Firewalls

4.) Malware protection

5.) Design for secure applications

44

Identification and Authentication

Every information system today should require users to sign on with a username and password. 

  • The username identifies the user (process of identification)

  • The password authenticates the user (process of authentication)

45

Identification

The process whereby an information system identifies a user by requiring the user to sign on with a username and password

46

Authentication

The process whereby an information system verifies (validates) a user

47

Smart card

is a plastic card similar to an older credit card with a magnetic stripe but with an embedded microchip

48

Personal Identification Number (PIN)

A form of authentication whereby the user supplies a number that only he or she knows

49

Biometric Authentication

uses personal physical characteristics such as fingerprints, facial features, and retinal scans to authenticate users

  • Provides strong authentication, but the required equipment is expensive

  • Users often resist because they feel it is invasive

50

Encryption

is the process of transforming clear text into coded, unintelligible text for secure storage or communication

51

Encryption algorithms (procedures for encrypting data)

Algorithms used to transform clear text into coded, unintelligible text for secure storage or communication

52

key

is a string of bits used to encrypt the data

  • called a ____ because it unlocks a message, but it is a string of bits, expressed as numbers or letters, used with an encryption algorithm

  • not physical

53

Symmetric Encryption

An encryption method whereby the same key is used to encode and to decode the message

54

Asymmetric Encryption

An encryption method where two keys are used; one key encodes the message, and the other key decodes the message

55

Public key encryption

A special version of asymmetric encryption that is popular on the Internet. With this method, each site has a public key for encoding messages and a private key for decoding them.

56

Secure Sockets Layer (SSL)

A protocol that uses both asymmetric and symmetric encryption

Uses a combination of public key encryption and symmetric encryption

  • When SSL is in use, the browser address will begin with https://

  • The most recent version of SSL is called TLS

57

Transport Layer Security (TLS)

The new name for a later version of Secure Sockets Layer

  • Uses a combination of public key encryption and symmetric encryption

58

Firewall

a computing device that prevents unauthorized network access

  • can be a special-purpose computer, or it can be a program on a general-purpose computer or on a router

  • is simply a filter

59

Perimeter firewall

sits outside the organizational network; it is the first device that Internet traffic encounters

60

Internal firewalls

Firewalls that sit inside the organizational network

61

Packet-filtering firewall

examines each part of a message and determines whether to let that part pass

  • to make this decision, it examines the source address, the destination address(es), and other data

62

Malware

a broad category of software that includes viruses, spyware, and adware

63

Virus

It is a computer program that replicates itself. Unchecked replication is like computer cancer

64

Payload

can delete programs or data—or, even worse, modify data in undetected ways

65

Trojan horses

are viruses that masquerade as useful programs or files

  • The name refers to the gigantic mock-up of a horse that was filled with soldiers and moved into Troy during the Trojan War

    • Typical Trojan Horses appear to be computer games, MP3 music files, or some other useful, innocuous program.

66

Worm

is a virus that self-propagates using the Internet or other computer networks

  • spreads faster than other virus types because they can replicate themselves

  • Actively use the network to spread

  • can propagate so quickly that they overload and crash a network

67

Spyware

programs are installed on the user’s computer without the user’s knowledge or permission

  • resides in the background and, unknown to the user, observes the user’s actions and keystrokes, monitors computer activity, and reports the user’s activities to sponsoring organizations.

68

Key loggers

captures keystrokes to obtain usernames, passwords, account numbers, and other sensitive information

69

Adware

similar to spyware in that it is installed without the user’s permission and resides in the background and observes user behavior

  • most is benign in that it doesn’t perform malicious acts or steal data

  • does watch user activity and produce pop-up ads

  • can also change the user’s default window or modify search results and switch the user’s search engine

70

Ransomware

Malicious software that blocks access to a system or data until money is paid to the attacker

  • Some forms, like crypto malware, encrypt your data and prevent you from accessing it until the ransom is paid

71

Spyware and Adware Symptoms

  • Slow system startup

  • Sluggish system performance

  • Many pop-up advertisements

  • Suspicious browser homepage changes

  • Suspicious changes to the taskbar and other system interfaces

  • Unusual hard-disk activity

72

Malware Safeguards

1.) Install antivirus and anti-spyware programs on your computer

2.) Set up your antimalware programs to scan your computer frequently

3.) Update malware definitions

4.) Open email attachments only from known sources

5.) Promptly install software updates from legitimate sources

6.) Browse only reputable websites

73

Malware definitions

Patterns that exist in malware code should be downloaded frequently. Antimalware vendors continually update these definitions, and you should install the updates as they become available.

74

SQL injection attack

occurs when users enter a SQL statement into a form intended for entering a name or other data

  • The situation occurs when a user obtains unauthorized access to data by entering a SQL statement into a form in which one is supposed to enter a name or other data. If the program is improperly designed, it will accept this statement and make it part of the SQL command that it issues to the DBMS.

75

Data safeguards

protect databases and other organizational data. Two organizational units are responsible for data safeguards.

  • Includes

    • Define data policies

    • Data rights and responsibilities

    • Rights enforced by user accounts authenticated by passwords

    • Data encryption

    • Backup and recovery procedures

    • Physical security

76

Data administration

Organization-wide function that is in charge of developing data policies and enforcing data standards. 

77

Key escrow

A control procedure whereby a trusted party is given a copy of a key used to encrypt database data

78

Payment Card Industry Data Security Standard (PCI DSS)

Standard that governs the secure storage and processing of credit card data

79

Gramm-Leach-Bliley Act (GLBA)

passed by Congress in 1999, protects consumer financial data stored by financial institutions, which are defined as banks; securities firms; insurance companies; and organizations that supply financial advice, prepare tax returns, and provide similar financial services

80

Health Insurance Portability and Accountability Act (HIPAA)

The privacy provisions of this 1996 act give individuals the right to access health data created by doctors and other healthcare providers

  • also sets rules and limits on who can read and receive a person’s health information

81

General Data Protection Regulation (GDPR)

is an EU privacy law enacted in 2018 that outlines data protection regulations designed to protect personal data

82

Human safeguards

involve the people and procedure components of information systems

  • Steps taken to protect against security threats by establishing appropriate procedures for users to follow during system use

83

Security Policy for In-House Staff

  • Position definition

    • Separate duties and authorities

    • Determine least privilege

    • Document position sensitivity

  • Hiring and screening

  • Dissemination and Enforcement

    • Responsibility

    • Accountability

    • Compliance

  • Termination

    • Friendly

    • Unfriendly

84

Human Safeguards for Nonemployee Personnel

  • Business requirements may necessitate opening information systems to non-employee personnel—temporary personnel, vendors, partner personnel (employees of business partners), and the public.

  • Examples of _______

    • Account Administration

    • Account Management

    • Password Management

    • Help-Desk Policies

    • Systems Procedures

    • Security Monitoring

85

Hardening

A term used to describe server operating systems that have been modified to make it especially difficult for them to be infiltrated by malware

86

Account Administration

The administration of user accounts, passwords, and help-desk policies and procedures is another important human safeguard

87

Account Management

Concerns the creation of new user accounts, the modification of existing account permissions, and the removal of unneeded accounts.

  • IS administrators perform all of these tasks, but account users have the responsibility to notify the administrators of the need for these actions

  • The existence of accounts that are no longer necessary is a serious security threat

88

Password Management

Passwords are the primary means of authentication. They are important not just for access to the user’s computer, but also for authentication to other networks and servers to which the user may have access.

  • When an account is created, users should immediately change the password they are given to one of their own

  • Users should change passwords frequently thereafter

    • Some systems will require a password change every 3 months or perhaps more frequently

  • Some users create two passwords and switch back and forth between those two

89

Help-Desk policies

The representative is given a means of authenticating the user

  • Typically, the ____ information system has answers to questions that only the true user would know, such as the user’s birthplace, mother’s maiden name, or last four digits of an important account number.

  • Problem: They have no way of determining that they are talking with the true user and not someone spoofing a true user

  • Resolution: Many systems give the help-desk representative a means of authenticating the user

  • All such help-desk measures reduce the strength of the security system, and, if the employee’s position is sufficiently sensitive, they may create too large a vulnerability.

90

System Procedures

The definition and use of standardized procedures reduce the likelihood of computer crime and other malicious activity by insiders. Also ensures that the system’s security policy is enforced

  • Exist for both users and operations personnel

  • Includes normal operation, backup, and recovery

    • Procedures of each type should exist for each information system

  • Normal-use procedures should provide safeguards appropriate to the sensitivity of the information system

  • Backup procedures concern the creation of backup data to be used in the event of failure

  • System recovery:

    • How will the department manage its affairs when a critical system is unavailable?

    • How will department respond to customer orders?

    • Once system is returned to service, how will records of business activities during the outage be entered into the system?

    • How will the service be resumed?

91

Security Monitoring

  • The last of the human safeguards

  • Important monitoring functions are activity log analyses, security testing, and investigating and learning from security incidents

  • Many information system programs produce activity logs. Firewalls produce logs of their activities, including lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall. 

92

Honeypots

False targets for computer criminals to attack

  • To an intruder, a honeypot looks like a particularly valuable resource, such as an unprotected website, but in actuality the only site content is a program that determines the attacker’s IP address.

93

Factors in Incident Response

  • Have plan in place

  • Centralized reporting

  • Specific responses

    • Speed

    • Preparation pays

    • Don’t make problem worse

  • Practice

The plan should include how employees are to respond to security problems, whom they should contact, the reports they should make, and steps they can take to reduce further loss
