Information Systems Security Notes

Goal of Information Systems Security
  • The goal is to safeguard against threats and vulnerabilities.

  • Safeguards should block threats; otherwise, loss occurs.

  • A target is vulnerable to threats if there are no effective safeguards.

Sources of Threats
  • Human Error: Includes procedural mistakes, incorrectly designed procedures, and accidents.

    • Examples: disclosure of data, incorrect data modification, loss of infrastructure.

  • Computer Crime: Includes unauthorized data disclosure (obtained through pretexting, phishing, spoofing, sniffing, and hacking).

    • Also covers incorrect data modification, system errors, faulty service, denial of service (DoS), usurpation, and loss of property.

  • Natural Disasters: Can lead to disclosure during recovery, incorrect data recovery, loss of infrastructure, and service interruption.

Specific Examples of Threats and Consequences
  • Incorrect Data Modification: Procedures that are incorrectly designed or not followed can result in inflated customer discounts, altered employee salaries, or wrong data posted on the company website. Other causes:

    • Improper internal controls on systems.

    • Faulty recovery actions after a disaster.

  • Faulty Service: Covers incorrect data modification, systems that work incorrectly, programming errors, IT installation errors, and denial of service, whether unintentional or the result of a deliberate denial-of-service attack.

  • Loss of Infrastructure: Caused by human accidents, theft and terrorist events, cyber warfare (e.g., Stuxnet), disgruntled or terminated employees, natural disasters, and Advanced Persistent Threats (APTs).

    • An APT is a sophisticated, long-running intrusion carried out by a large, well-funded organization (such as a government) that aims to stay undetected while it collects data.

Balancing Risk and Cost
  • The goal is to find an appropriate trade-off between the risk of loss and the cost of implementing safeguards.

  • Examples of safeguards: using antivirus software and deleting browser cookies.

  • Proactive security involves making appropriate trade-offs for personal and business contexts.

Statistics on Cyber Attacks
  • Attack types: malware, phishing and web-based attacks, malicious botnets, stolen devices, denial-of-service attacks, malicious insiders, ransomware, and social engineering.

    • Figure: Average Annual Computer Crime Costs by Attack Type, covering the same eight categories.

    • Source: Accenture, The Cost of Cyber Crime Study, March 2019.

Ponemon Study Findings
  • No one knows the exact cost of computer crime.

  • Data loss is the single most expensive consequence of computer crime.

  • 80% of respondents believe data on mobile devices poses significant risks.

  • Studies may be biased to promote a particular view or safeguard.

Ponemon 2019 Studies Summary
  • Ransomware and malicious insider attacks are increasingly serious security threats.

  • Information loss and business disruption are principal costs of computer crime.

  • Discovery and containment account for over half of the internal costs related to cyber intrusions.

  • Security safeguards work.

Organizational Response to Security Threats: Minimum Security Policy
  • What sensitive data will the organization store?

  • How will it process that data?

  • Will it share data with other organizations?

  • How can employees and others obtain copies of data stored about them?

  • How can employees and others request changes to inaccurate data?

Personal Security Safeguards
  • Take security seriously.

  • Create strong passwords and use a different password for each account.

  • Send no valuable data via email or IM.

  • Transact only over HTTPS and only with trusted, reputable vendors.

  • Do not keep high-value assets (sensitive data) on computers that do not need them.

  • Clear browsing history, temporary files, and cookies (using CCleaner or equivalent).

  • Regularly update antivirus software.

  • Demonstrate security concern to your fellow workers.

  • Follow organizational security directives and guidelines.

  • Consider security for all business initiatives.

Technical Safeguards
  • Cover the hardware and software components of an information system (data safeguards cover the data component; human safeguards cover procedures and people).

  • Include identification and authentication, encryption, firewalls, malware protection, and application design.

Data Safeguards

  • Data rights and responsibilities.

  • Passwords, encryption, backup, and recovery.

  • Physical security.

Human Safeguards

  • Hiring, training, education, procedure design, administration, assessment, compliance, and accountability.

Specific Technical Safeguards
  • Identification and Authentication

  • Encryption: Transforming clear text into coded, unintelligible text for secure storage or communication.

    • Symmetric encryption: The same key (a number) is used to encode and decode; it is fast, so it is preferred for bulk data.

    • Asymmetric encryption (two keys): One key encodes the message, and the other key decodes the message.

  • Firewalls

  • Malware protection: Includes protection against spyware and adware.

  • Design for secure applications

Encryption
  • Symmetric encryption: Uses the same key to encode and decode data. It is fast and preferred when speed is an issue, but both parties must already share the key in secret.

  • Asymmetric encryption: Uses two keys, one to encode a message and another to decode it. The encoding (public) key can be published without exposing the decoding (private) key, so no shared secret has to be distributed in advance. It is far slower than symmetric encryption, so in practice it is used to exchange a symmetric session key that then protects the bulk of the data.
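Worked example for the two encryption bullets above (and the earlier Specific Technical Safeguards list). This code is added to these notes, not part of the original material: it builds a toy version of each scheme with only Python's standard library, then combines them the way real systems do. Both constructions are assumptions chosen for illustration: an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag stands in for a real symmetric cipher such as AES-GCM, and unpadded textbook RSA stands in for RSA-OAEP or an elliptic-curve key agreement. Neither should be used in production.

```python
import hashlib
import hmac
import secrets

# --- Symmetric: one shared secret key both encodes and decodes ---------------
# Toy authenticated stream cipher (assumption for this example): HMAC-SHA256 in
# counter mode supplies the keystream; an encrypt-then-MAC tag detects tampering.

def _subkeys(key):
    """Derive independent encryption and MAC keys from the shared secret."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def sym_encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)              # fresh per message; never reuse with a key
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def sym_decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("wrong key or ciphertext tampered with")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))

# --- Asymmetric: the public key encodes, only the private key decodes --------
# Textbook RSA with Miller-Rabin prime generation. No padding, so toy only.

def _is_probable_prime(n, rounds=32):
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(cand):
            return cand

def rsa_keypair(bits=1024):
    """Return ((e, n), (d, n)); publish (e, n), keep (d, n) secret."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:            # e is prime, so this means gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_encrypt(public_key, m):
    e, n = public_key
    return pow(m, e, n)

def rsa_decrypt(private_key, c):
    d, n = private_key
    return pow(c, d, n)

# --- Hybrid: how the two are combined in practice ---------------------------

def hybrid_encrypt(public_key, plaintext):
    """RSA wraps a fresh 256-bit session key; the symmetric cipher does the bulk work."""
    session_key = secrets.token_bytes(32)        # 256 bits, so the integer is below n
    wrapped = rsa_encrypt(public_key, int.from_bytes(session_key, "big"))
    return wrapped, sym_encrypt(session_key, plaintext)

def hybrid_decrypt(private_key, wrapped, blob):
    session_key = rsa_decrypt(private_key, wrapped).to_bytes(32, "big")
    return sym_decrypt(session_key, blob)
```

The symmetric half needs both parties to already hold `key`; the asymmetric half lets anyone holding the published `(e, n)` encrypt, while only the holder of `(d, n)` can decrypt. `hybrid_encrypt` shows why the two are combined: the slow public-key operation is done once on a 32-byte session key, and the fast symmetric cipher handles the message itself.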

Use of Multiple Firewalls
  • Implementation often involves perimeter and internal firewalls, along with personal firewalls on individual computers, to create layered security.
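Worked example for the layered-firewall bullet above. This is added to these notes, not from the original material: it simulates a perimeter firewall, an internal firewall, and per-host firewalls, each evaluated with first-match, default-deny semantics, so a flow is allowed only if every firewall on its path allows it. The network (a DMZ on 192.168.100.0/24, an internal LAN on 10.0.0.0/16, documentation addresses for the Internet) and all rules are constructed for the example.

```python
import ipaddress

# Constructed topology (assumption for this example): anything outside these
# two zones is treated as the Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/16"),
}
ANY = "0.0.0.0/0"


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def matches(rule, flow):
    action, src, dst, dport = rule
    f_src, f_dst, f_port = flow
    return (ipaddress.ip_address(f_src) in ipaddress.ip_network(src)
            and ipaddress.ip_address(f_dst) in ipaddress.ip_network(dst)
            and (dport is None or dport == f_port))


def first_match(rules, flow):
    """Evaluate rules top-down; the first match decides, and the default is deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule[0]
    return "deny"


# Rule tuples: (action, source CIDR, destination CIDR, destination port or None for any)
PERIMETER = [
    ("allow", ANY, "192.168.100.10/32", 443),               # public web server only
    ("allow", "192.168.100.0/24", ANY, None),                # DMZ hosts may fetch updates
]
INTERNAL = [
    ("allow", "192.168.100.20/32", "10.0.5.20/32", 5432),    # app tier -> database only
    ("allow", "10.0.0.0/16", "192.168.100.0/24", None),      # staff may reach the DMZ
]
HOST = {                                                     # personal firewall per server
    "192.168.100.10": [("allow", ANY, ANY, 443), ("allow", "10.0.1.0/24", ANY, 22)],
    "10.0.5.20": [("allow", "192.168.100.20/32", ANY, 5432), ("allow", "10.0.1.0/24", ANY, 22)],
}


def evaluate(flow):
    """Run a (src, dst, dport) flow through every firewall on its path.

    Returns ("allow", None) or ("deny", name_of_the_layer_that_stopped_it).
    """
    src, dst, _ = flow
    zs, zd = zone_of(src), zone_of(dst)
    # The perimeter sits between the Internet and everything else.
    if (zs == "internet") != (zd == "internet") and first_match(PERIMETER, flow) == "deny":
        return "deny", "perimeter"
    # The internal firewall sits between the internal LAN and the DMZ/Internet.
    if (zs == "internal") != (zd == "internal") and first_match(INTERNAL, flow) == "deny":
        return "deny", "internal"
    # The destination's own firewall is always the last layer.
    if first_match(HOST.get(dst, []), flow) == "deny":
        return "deny", "host"
    return "allow", None


if __name__ == "__main__":
    for flow in [("198.51.100.5", "192.168.100.10", 443),    # public visits the web server
                 ("192.168.100.10", "10.0.5.20", 5432),      # compromised web server goes for the DB
                 ("198.51.100.5", "10.0.5.20", 5432),        # Internet straight to the DB
                 ("10.0.9.7", "10.0.5.20", 22)]:             # staff workstation tries SSH to the DB
        print(flow, "->", evaluate(flow))
```

The second flow is the one that shows the value of the internal layer: the perimeter never sees traffic between the DMZ and the LAN, so a compromised web server would reach the database if the internal firewall were absent. The fourth flow is stopped only by the database host's own firewall, because both ends are inside the LAN and neither network firewall is on the path.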

Spyware and Adware Symptoms
  • Slow system startup.

  • Sluggish system performance.

  • Many pop-up advertisements.

  • Suspicious browser homepage changes.

  • Suspicious changes to the taskbar and other system interfaces.

  • Unusual hard-disk activity.

Malware Safeguards
  • Install antivirus and antispyware programs.

  • Set up anti-malware programs to scan frequently.

  • Update malware definitions.

  • Open email attachments only from known sources.

  • Promptly install software updates from legitimate sources.

  • Browse only in reputable Internet neighborhoods.

Data Safeguards
  • Define data policies.

  • Establish data rights and responsibilities, enforced by user accounts authenticated by passwords.

  • Implement data encryption.

  • Establish backup and recovery procedures.

  • Ensure physical security.

Human Safeguards
  • Position definition: Separate duties and authorities, and grant each position only the least privilege it needs to do its work.

  • Document position sensitivity.

  • Hiring and screening processes.

  • Dissemination and enforcement: Responsibility, accountability, and compliance.

  • Termination procedures (friendly and unfriendly).

Human Safeguards for Non-Employee Personnel
  • Harden the site: Run locked-down versions of operating systems and applications, with features and functions the application does not require disabled or removed.

  • Temporary personnel and vendors should get accounts and passwords with least privilege, and those accounts should be removed as soon as the contract ends.

Account Administration
  • Account Management: Standards for creating new user accounts, modifying account permissions, and removing accounts that are no longer needed.

  • Password Management: Users should change passwords frequently. (Caveat: current NIST guidance, SP 800-63B, recommends against forced periodic changes and instead requires a change when a password is known or suspected to be compromised, because scheduled rotation pushes users toward weak, predictable variants.)

  • Help Desk Policies.
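Worked example for the account-administration items above and for the human-safeguard points on least privilege, separation of duties, and terminating non-employee accounts when a contract ends. This is added to these notes, not from the original material: a small audit over a constructed account directory that reports privileges beyond what a role needs, accounts holding conflicting duties, and contractor accounts still enabled past their contract end, plus the termination step that disables them. The role catalogue, privilege names, and sample accounts are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed role catalogue: the least set of privileges each position needs.
# Role and privilege names are assumptions for this example, not from the notes.
ROLE_PRIVILEGES = {
    "ap_clerk": {"payment.create"},
    "ap_manager": {"payment.approve"},
    "dba": {"db.read", "db.write", "db.admin"},
    "vendor_support": {"ticket.read", "ticket.update"},
}

# Privilege pairs no single account may hold (separation of duties): whoever
# creates a payment must not be the one who approves it.
CONFLICTING_PAIRS = [("payment.create", "payment.approve")]


@dataclass
class Account:
    username: str
    role: str
    privileges: set
    enabled: bool = True
    contractor: bool = False
    contract_end: date = None        # required for contractors


def audit_accounts(accounts, today):
    """Return (username, finding) pairs for every policy violation found."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                                  # a disabled account carries no privilege
        excess = acct.privileges - ROLE_PRIVILEGES.get(acct.role, set())
        if excess:
            findings.append((acct.username, "exceeds least privilege for role %s: %s"
                             % (acct.role, sorted(excess))))
        for a, b in CONFLICTING_PAIRS:
            if a in acct.privileges and b in acct.privileges:
                findings.append((acct.username, "separation of duties: holds %s and %s" % (a, b)))
        if acct.contractor:
            if acct.contract_end is None:
                findings.append((acct.username, "contractor account has no contract end date"))
            elif today > acct.contract_end:
                findings.append((acct.username, "contractor account still enabled after %s"
                                 % acct.contract_end.isoformat()))
    return findings


def disable_expired_contractors(accounts, today):
    """Termination step for non-employees: disable and strip privileges; return usernames touched."""
    touched = []
    for acct in accounts:
        if acct.enabled and acct.contractor and acct.contract_end and today > acct.contract_end:
            acct.enabled = False
            acct.privileges = set()
            touched.append(acct.username)
    return touched


def sample_accounts():
    """Constructed sample directory for the audit (not real data)."""
    return [
        Account("alice", "ap_clerk", {"payment.create"}),
        Account("bob", "ap_clerk", {"payment.create", "payment.approve"}),
        Account("carol", "vendor_support", {"ticket.read", "ticket.update"},
                contractor=True, contract_end=date(2024, 1, 31)),
        Account("dave", "dba", {"db.read", "db.write", "db.admin"}, contractor=True),
        Account("erin", "vendor_support", {"ticket.read"},
                contractor=True, contract_end=date(2024, 12, 31)),
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    today = date(2024, 3, 1)
    for user, finding in audit_accounts(accounts, today):
        print("%s: %s" % (user, finding))
    print("disabled:", disable_expired_contractors(accounts, today))
```

Run against the sample directory on 2024-03-01, the audit flags bob twice (an approval privilege his role does not include, and creating plus approving payments in one account), carol once (contract ended in January, account still live), and dave once (a contractor with no end date, so nothing will ever trigger his removal). Disabling carol clears her finding on the next run; bob and dave need a human decision rather than an automatic fix.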

What is a Data Breach
  • Data breach: An unauthorized person views, alters, or steals secured data.

  • More than 1 billion people have been affected by data breaches in the past 5 years; 75% of those breaches occurred in the US.

  • Average cost of a single data breach: $3.5 million.

  • Average cost per stolen record by industry: healthcare ($359), education ($294), pharmaceutical ($227), financial ($206), and communications ($177).

Costs of Handling a Data Breach
  • Direct Costs: Notification, detection, escalation, remediation, legal fees, and consultation.

  • Indirect Costs: Loss of reputation, abnormal customer turnover, and increased customer acquisition activities.

  • In the US, indirect costs add about $3.3 million per incident.

Odds of Data Breaches
  • 22% chance of losing 10,000 records over any given 24-month period.

  • Less than 1% chance of losing 100,000 records over the same period.

  • Organizations are far more likely to lose small amounts of data than large amounts.

Why Do Data Breaches Happen?
  • 67% of breaches are carried out by hackers trying to make money.

  • Personally identifiable information (PII): Names, addresses, dates of birth, Social Security numbers, credit card numbers, health records, bank account numbers, PINs, email addresses.

  • Rogue internal employees: Credit card fraud, identity theft, extortion, industrial espionage.

How Do Data Breaches Happen?
  • Phishing scams: e.g., tricking users into donating to a fake relief fund after a natural disaster.

  • Exploitation of newly discovered software vulnerabilities.

How Should Organizations Respond To Data Breaches?
  • Respond Quickly: Stop attackers from doing more damage, such as exfiltration (illegally transferring data out of the organization).

  • Immediately notify affected users.

  • Plan for a Data Breach: Walkthroughs, business continuity planning, and computer security incident response team (CSIRT).

Best Practices for Notifying Users of a Data Breach
  1. Be transparent in your activity and demonstrate that you are getting the word out.

    • The Right Way: Directly email every affected user with details about the data breach and include a popup advisory on the company's most visited page.

    • The Wrong Way: Include a vague reference in a rarely-read press release that includes plenty of technical jargon. Only send the notification to a small number of users.

  2. Follow your normal media routine.

    • The Right Way: Notification is sent to the local reporters who usually report on the organization, along with a typical press release.

    • The Wrong Way: Only send the notification to a small number of users.

  3. Avoid absolutes.

    • The Right Way: State that, so far, the data breach has affected a certain number of users, but the investigation is still ongoing.

    • The Wrong Way: State that the breach only affected a certain number of users, and no more.

  4. Avoid misleading statements.

    • The Right Way: "We are investigating the possibility of lost credit card data."

    • The Wrong Way: "We don't have any evidence that credit cards have been compromised," when you have already been notified by a credit card processor that an investigation is under way.

  5. Don't attempt to withhold key details.

    • The Right Way: "It appears that at least 40 percent of user accounts were compromised."

    • The Wrong Way: "I can't comment on the number of accounts compromised at this time."

  6. Stay focused and concise.

    • The Right Way: Give a brief, concise, and factual statement about the data breach.

    • The Wrong Way: Provide extraneous details about failings of internal backup, off-site data policies, and unrelated criminal investigations.

Regulatory Laws
  • Federal Information Security Management Act (FISMA): Requires federal government agencies to implement information security programs and controls.

  • Gramm-Leach-Bliley Act (GLBA): Requires data protection for financial institutions.

  • Health Insurance Portability and Accountability Act (HIPAA): Requires data protection for healthcare institutions.

  • Payment Card Industry Data Security Standard (PCI DSS): Governs the secure storage, processing, and transmission of cardholder data.

  • Family Educational Rights and Privacy Act (FERPA): Provides protection for student education records.

Preventing Data Breaches
  • Countermeasures are software or procedures used to prevent an attack:

    • Better phishing detection software

    • Better authentication (e.g., multifactor authentication)

    • Network intrusion detection system (NIDS) to examine traffic passing through the internal network

    • Data loss prevention systems (DLP) to prevent sensitive data from being released to unauthorized persons

    • Appoint a chief information security officer (CISO) to ensure sufficient executive support and resources.
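Worked example for the data loss prevention (DLP) countermeasure in the list above. This is added to these notes, not from the original material: a content inspector that scans an outbound message for two of the PII types named earlier (credit card numbers and US Social Security numbers), decides whether to block the message, and produces a redacted copy. Card candidates are confirmed with the Luhn checksum so that an arbitrary run of digits such as an order number is not flagged. The patterns, the redaction format, and the sample messages are constructed for the example; a production DLP system adds many more detectors and inspects files and attachments, not just text.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally split by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in 3-2-4 form, rejecting area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits):
    """Luhn checksum; separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, matched_text) for each PII item found in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("credit_card", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    return findings


def redact(text, findings):
    """Mask each finding; keep the last four card digits so the card can still be identified."""
    for kind, match in findings:
        if kind == "credit_card":
            digits = re.sub(r"[ -]", "", match)
            text = text.replace(match, "*" * (len(digits) - 4) + digits[-4:])
        else:
            text = text.replace(match, "***-**-****")
    return text


def inspect_outbound(message):
    """DLP policy decision for one outbound message: (action, redacted_text, findings)."""
    findings = find_sensitive(message)
    action = "block" if findings else "allow"
    return action, redact(message, findings), findings


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test card number.
    samples = [
        "Customer card 4111 1111 1111 1111, SSN 123-45-6789, order 1234567890123456 shipped",
        "Meeting moved to 10:30, room 4411",
    ]
    for msg in samples:
        action, redacted, findings = inspect_outbound(msg)
        print(action, "|", redacted, "|", findings)
```

In the first sample the order number is sixteen digits long but fails the Luhn check, so it passes through untouched while the card number and SSN are masked and the message is blocked; the second sample contains only short digit runs and is allowed. Whether to block, quarantine for review, or merely log is a policy choice; the detection logic is the same either way.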