Information Systems Security

Information Systems Security

Introduction

• Chapter 10 focuses on information systems security.

• Copyright © 2019, 2017, 2016 Pearson Education, Inc. All Rights Reserved

• Slides in this presentation contain hyperlinks. JAWS users should be able to get a list of links by using INSERT+F7.

• A video conference discusses security concerns about integrating ARES with CanyonBack exercise bikes.

• Key questions include whether ARES systems have an acceptable level of security, the potential for bikes to be hacked, customer safety, and personal data security.

• ARES implements secure coding practices and secure data backup.

• Users interact with radio buttons, dropdown menus, and other interactive AR elements, reducing the possibility of an SQL injection attack.

• New technology typically brings new risks.

Study Questions

• Q10-1: What is the goal of information systems security?

• Q10-2: How big is the computer security problem?

• Q10-3: How should you respond to security threats?

• Q10-4: How should organizations respond to security threats?

• Q10-5: How can technical safeguards protect against security threats?

• Q10-6: How can data safeguards protect against security threats?

• Q10-7: How can human safeguards protect against security threats?

• Q10-8: How should organizations respond to security incidents?

• How does the knowledge in this chapter help you?

Information Systems Security Threats

• Figure 10-1 depicts a Threat/Loss Scenario.

• Figure 10-2 provides examples of Threat/Loss scenarios.

Sources of Threats

• Figure 10-3 outlines security problems and sources.

• Losses are categorized by source: Human Error, Computer Crime, and Natural Disasters.

  • Unauthorized data disclosure: occurs due to procedural mistakes, pretexting, phishing, spoofing, sniffing, or hacking.

  • Incorrect data modification: stems from procedural mistakes, incorrect procedures, ineffective accounting controls, system errors, or hacking.

  • Faulty service: results from incorrect data recovery, faulty service, procedural mistakes, or development and installation errors, usurpation, denial of service (DoS), accidents, or DoS attacks.

  • Loss of infrastructure: is caused by accidents, theft, terrorist activity, or natural disasters.

Types of Security Loss

• Unauthorized Data Disclosure:

  • Pretexting

  • Phishing

  • Spoofing

    • IP spoofing

    • Email spoofing

  • Drive-by sniffers

    • Wardrivers

  • Hacking

  • Natural disasters

Incorrect Data Modification

• Occurs when procedures are incorrectly designed or not followed.

• Examples: Increasing a customer’s discount or incorrectly modifying an employee’s salary.

• Placing incorrect data on the company's website.

• Causes:

  • Improper internal controls on systems.

  • System errors.

  • Faulty recovery actions after a disaster.

Faulty Service

• Includes incorrect data modification and systems working incorrectly.

• Procedural mistakes and programming errors contribute.

• IT installation errors and usurpation.

• Denial of service (unintentional) and denial-of-service attacks (intentional).

Loss of Infrastructure

• Caused by human accidents, theft, and terrorist events.

• Actions of disgruntled or terminated employees.

• Natural disasters.

• Advanced Persistent Threats (APT): APT29 (Russia) and Deep Panda (China) which involve the theft of intellectual property from U.S. firms.

Goal of Information Systems Security

• Finding an appropriate trade-off between the risk of loss and the cost of implementing safeguards.

• Protective actions, such as using antivirus software and deleting browser cookies.

• Making appropriate trade-offs to protect oneself and one's business.

Computer Crime Costs & Attack Types

• Figure 10-4 illustrates the average computer crime cost and percent of attacks by type (six most expensive types).

• Denial of Service:

  • 2011: $187,506$ (17%)

  • 2012: $172,238$ (20%)

  • 2013: $243,913$ (21%)

  • 2014: $166,545$ (18%)

  • 2015: $255,470$ (16%)

  • 2016: $133,453$ (16%)

• Malicious Insiders:

  • 2010: $100,300$ (11%)

  • 2011: $105,352$ (9%)

  • 2012: $166,251$ (8%)

  • 2013: $198,769$ (8%)

  • 2014: $213,542$ (8%)

  • 2015: $179,805$ (10%)

  • 2016: $167,890$ (11%)

• Web-based Attacks:

  • 2010: $143,209$ (15%)

  • 2011: $141,647$ (12%)

  • 2012: $125,795$ (13%)

  • 2013: $125,101$ (12%)

  • 2014: $116,424$ (14%)

  • 2015: $125,630$ (12%)

  • 2016: $88,145$ (12%)

• Malicious Code:

  • 2010: $124,083$ (26%)

  • 2011: $126,787$ (23%)

  • 2012: $109,533$ (26%)

  • 2013: $102,216$ (21%)

  • 2014: $91,500$ (23%)

  • 2015: $164,500$ (24%)

  • 2016: $92,336$ (24%)

• Phishing & Social Engineering:

  • 2010: $35,514$ (12%)

  • 2011: $30,397$ (9%)

  • 2012: $18,040$ (7%)

  • 2013: $21,094$ (11%)

  • 2014: $45,959$ (13%)

  • 2015: $23,470$ (14%)

  • 2016: $95,821$ (15%)

• Stolen Devices:

  • 2010: $25,663$ (17%)

  • 2011: $24,968$ (13%)

  • 2012: $23,541$ (12%)

  • 2013: $20,070$ (9%)

  • 2014: $43,565$ (10%)

  • 2015: $16,588$ (7%)

  • 2016: $31,870$ (6%)

• Source: Data from Ponemon Institute, 2016 Cost of Cyber Crime Study: United States, October 2016, p. 10.

• Figure 10-5 shows computer crime costs.

Ponemon Study Findings (2016)

• Phishing and social engineering are increasingly serious security threats.

• Data loss and business disruption are principal costs of computer crime.

• Detection and recovery account for more than half of the internal costs related to cyber intrusions.

• Security safeguards work.

Personal Security Safeguards

• Figure 10-6 lists personal security safeguards.

• Take security seriously.

• Create strong passwords and use multiple passwords.

• Send no valuable data via email or IM.

• Use https at trusted, reputable vendors.

• Remove high-value assets from computers.

• Clear browsing history, temporary files, and cookies (CCleaner or equivalent).

• Regularly update antivirus software.

• Demonstrate security concern to fellow workers.

• Follow organizational security directives and guidelines.

• Consider security for all business initiatives.

Security Policies

• Senior management creates company-wide policies:

  • What sensitive data will be stored?

  • How will data be processed?

  • Will data be shared with other organizations?

  • How can employees and others obtain copies of data stored about them?

  • How can employees and others request changes to inaccurate data?

• Senior management manages risks.

Security Safeguards and the Five Components

• Figure 10-7 shows security safeguards as they relate to the five components.

Black Hat 2016

• Briefings on how to hack things.

• Demonstrations on exploiting weaknesses in hardware, software, protocols, or systems including smartphones, IoT devices, cars, etc.

• Encourages companies to fix product vulnerabilities.

• Serves as an educational forum for hackers, developers, manufacturers, and government agencies.

• Researchers Brian Wallace and Xuan Zhao showed how machine learning can be used to improve information security.

  • Train machine learning systems to autonomously identify malware and malicious command and control (C&C).

  • Machine learning can be used to sift through information on social media sites to create customized spear-phishing attacks.

Technical Safeguards

• Figure 10-8 outlines technical safeguards.

• Figure 10-9 illustrates the essence of https (SSL or TLS).

• Figure 10-10 illustrates the use of multiple firewalls.

Malware Protection (Viruses, Spyware, Adware)

1. Antivirus and antispyware programs.

2. Scan frequently.

3. Update malware definitions.

4. Open email attachments only from known sources.

5. Install software updates.

6. Browse only reputable Internet neighborhoods.

Spyware/Adware Symptoms and Types of Malware

• Figure 10-11 lists spyware and adware symptoms.

• Malware:

  • Viruses

  • Trojan horses

  • Worms

  • Spyware

  • Adware

  • Ransomware

  • Payload

• Symptoms:

  • Slow system startup

  • Sluggish system performance

  • Many pop-up advertisements

  • Suspicious browser homepage changes

  • Suspicious changes to the taskbar and other system interfaces

  • Unusual hard-disk activity

Design for Secure Applications

• SQL injection attack:

  • User enters SQL statement into a form instead of a name or other data.

  • Result:

    • SQL code becomes part of database commands issued.

    • Improper data disclosure, data damage, and loss are possible.

  • Well-designed applications make injections ineffective.

Data Safeguards

• Figure 10-12 outlines data safeguards.

• Data administration

• Key escrow

• Define data policies

• Data rights and responsibilities

• Rights enforced by user accounts authenticated by passwords

• Data encryption

• Backup and recovery procedures

• Physical security

Security Policies for In-House Staff

• Figure 10-13 outlines security policy for in-house staff.

• Position definition:

  • Separate duties and authorities

  • Determine least privilege

  • Document position sensitivity

• Hiring and screening

• Dissemination and enforcement:

  • Responsibility

  • Accountability

  • Compliance

• Termination:

  • Friendly

  • Unfriendly

Human Safeguards for Nonemployee Personnel

• Temporary personnel, vendors, partner personnel (employees of business partners), and the public.

• Require vendors and partners to perform appropriate screening and security training.

• The contract specifies security responsibilities.

• Provide accounts and passwords with least privilege and remove accounts as soon as possible.

Public Users

• Web sites and other openly accessible information systems.

  • Hardening

    • Special versions of the operating system.

    • Lock down or eliminate operating systems features and functions not required by the application.

  • Protect such users from internal company security problems.

Account Administration

• Account Management:

  • Standards for new user accounts, modification of account permissions, removal of unneeded accounts.

• Password Management:

  • Users change passwords frequently.

• Help Desk Policies:

  • Provide means of authenticating users.

• Figure 10-14 shows a sample account acknowledgment form.

Systems Procedures

• Figure 10-15 outlines systems procedures.

• System Users:

  • Normal Operation: Use the system to perform job tasks, with security appropriate to sensitivity.

  • Backup: Prepare for the loss of system functionality.

  • Recovery: Accomplish job tasks during failure. Know tasks to do during system recovery.

• Operations Personnel:

  • Normal Operation: Operate data center equipment, manage networks, run Web servers, and do related operational tasks.

  • Backup: Back up Web site resources, databases, administrative data, account and password data, and other data.

  • Recovery: Recover systems from backed up data. Perform the role of help desk during recovery.

Security Monitoring

• Server activity logs:

  • Firewall log: Lists of all dropped packets, infiltration attempts, unauthorized access, attempts from within the firewall.

  • DBMS: Successful and failed logins.

  • Web servers: Voluminous logs of Web activities.

• PC O/S produce a record of log-ins and firewall activities.

• Employ utilities to assess vulnerabilities.

• Honeypots for computer criminals to attack.

• Investigate security incidents.

• Constantly monitor to determine the adequacy of existing security policy and safeguards.

Factors in Incident Response

• Figure 10-16 lists factors in incident response.

• Have a plan in place.

• Centralized reporting.

• Specific responses:

  • Speed

  • Preparation pays

  • Don’t make the problem worse

• Practice

How Does the Knowledge in This Chapter Help You?

• Awareness of:

  • Threats to computer security as an individual, business professional, employer.

  • Risk trade-offs.

  • Technical, data, and human safeguards to protect computing devices and data.

  • How organizations should respond to security threats.

  • How organizations should respond to security incidents.

  • Importance of creating and using strong passwords!

Exhaustive Cheating (Ethics Guide)

• Possible to manipulate the inner workings of a vehicle without the changes being noticed (Black Box).

• Potentially damaging, harmful, or illegal system.

• VW was found exploiting the black box nature of cars to improve the emissions performance of its vehicles.

  • Effectively circumventing industry regulations.

  • It is unclear exactly who was involved in the emissions cheating at Volkswagen.

• Software was designed to temporarily improve fuel savings and reduce torque and acceleration in order to pass the emissions test.

• Software was installed on 11 million vehicles.

• Could intelligent machines autonomously carry out this type of deceptive action?

IT Security Analyst Career Guide

• Marianne Olsen at PwC

• Q. What attracted you to this field?

• A. “Information security as a whole is constantly growing to meet the ever-changing threat landscape, which is very exciting. Consulting gives you the freedom to work across many different organizations and see solutions in play. This makes it easier to see what is and isn’t working and to understand the field and the technologies more deeply.”

• Q. What advice would you give to someone who is considering working in your field?

• A. “Begin to understand who you are and what you want your life to look like. In consulting, there are more opportunities than you have time for, so you need to understand where you want to go.”

Active Review

• Q10-1: What is the goal of information systems security?

• Q10-2: How big is the computer security problem?

• Q10-3: How should you respond to security threats?

• Q10-4: How should organizations respond to security threats?

• Q10-5: How can technical safeguards protect against security threats?

• Q10-6: How can data safeguards protect against security threats?

• Q10-7: How can human safeguards protect against security threats?

• Q10-8: How should organizations respond to security incidents?

Hitting the Target Case Study

• Lost 40 million credit and debit card numbers.

• Later, announced an additional 70 million customer accounts stolen that included names, emails, addresses, phone numbers, etc.

• 98 million customers affected.

  • 31% of 318 million people in the U.S.

• Stolen from point-of-sale (POS) systems at Target stores during the holiday shopping season.

How Did They Do It? (Target Case Study)

1. Bought malware.

2. Spearphished users at Fazio to get login credentials on the Target vendor server.

3. Attackers escalated privileges, accessed Target’s internal network, and planted malware.

4. Trojan.POSRAM extracted data from POS terminals.

5. Sent data to drop servers.

Damage (Target Case Study)

• Card and pin numbers of 2 million cards for $26.85$ each ($53.7M$).

• Costs:

  • Upgraded POS terminals to support chip-and-pin cards.

  • Increased insurance premiums.

  • Paid legal fees.

  • Settled with credit card processors.

  • Paid consumer credit monitoring.

  • Paid regulatory fines.

• Loss of customer confidence and drop in revenues (46% loss for the quarter).

• Direct loss to Target as high as $450$ million.

• CIO resigned, the CEO paid $16$ million to leave.

• Cost credit unions and banks more than $200$ million to issue new cards.

• Insurers demand higher premiums, stricter controls, and more system auditing.

• Consumers must watch their credit card statements and fill out paperwork if fraudulent charges appear.Copyright