Monday, April 24, 2017

Chapter 10: Information Security Management



Summary: This chapter provides an overview of the major components of information systems security. The major elements of IS security are threats, vulnerabilities, safeguards, and targets. No computer should connect to the Internet without firewall protection. Many ISPs provide firewalls for their customers. Every organization should have an incident-response plan as part of its security program.
Q1: What is the goal of information systems security?
Major elements of IS security:
Threat: a person or organization that seeks to obtain data or other assets illegally, without the owner's permission and often without the owner's knowledge.
Vulnerability: an opportunity for threats to gain access to individual or organizational assets; for example, when you buy online you provide your credit card data, and as that data is transmitted over the Internet it is vulnerable to threats.
Safeguard: a measure individuals or organizations take to block a threat from obtaining an asset; not always effective, since some threats achieve their goal in spite of safeguards.
Target: the asset desired by the threat.
Types of loss: unauthorized data disclosure, incorrect data modification, faulty service, denial of service (DoS), loss of infrastructure.
Sources of security threats:
Human error examples: (1) an employee misunderstands operating procedures and accidentally deletes customer records; (2) an employee inadvertently installs an old database on top of the current one while doing a backup; (3) physical accidents, such as driving a forklift through the wall of a computer room.
Computer crime: intentional destruction or theft of data or other system components.
Natural disasters: fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature; includes the initial loss of capability and service, plus recovery costs.
What Types of Security Loss Exist?
Unauthorized Data Disclosure: pretexting, phishing, spoofing (IP spoofing, email spoofing), drive-by sniffers (wardrivers), hacking, and natural disasters.
Incorrect Data Modification: procedures incorrectly designed or not followed, e.g., increasing a customer's discount, incorrectly modifying an employee's salary, or placing incorrect data on the company Web site. Causes: improper internal controls on systems, system errors, faulty recovery actions after a disaster.
Faulty Service (caused by incorrect system operation): incorrect data modification, systems working incorrectly, procedural mistakes, programming errors, IT installation errors, and usurpation. Usurpation occurs when computer criminals invade a computer system and replace legitimate programs with their own unauthorized ones, which shut down the legitimate application and substitute their own processing to spy, steal and manipulate data, or serve other purposes.
Denial of Service: (1) a malicious hacker intentionally floods a Web server with millions of bogus service requests; (2) a user unintentionally shuts down a Web server or corporate gateway router by starting a computationally intensive application.
Loss of Infrastructure: human accidents, theft and terrorist events, disgruntled or terminated employees, natural disasters, and advanced persistent threats (e.g., APT1: theft of intellectual property from U.S. firms).
Goal of Information Systems Security: find the appropriate trade-off between the risk of loss and the cost of implementing safeguards. Protective actions: use antivirus software, delete browser cookies, and make appropriate trade-offs to protect yourself and your business.
Q2: How big is the computer security problem?
The 6 most expensive types of attacks: denial of service (DoS), malicious insiders, Web-based attacks, malicious code, phishing and social engineering, stolen devices. Ponemon Study Findings (2014): Malicious insiders are an increasingly serious security threat. Business disruption and data loss are the primary costs of computer crime. Negligent employees, connecting personal devices to the corporate network, and use of commercial cloud-based applications pose significant security threats. Security safeguards work.
Q3: How should you respond to security threats?
Intrusion detection system (IDS): a computer program that senses when another computer is attempting to scan or access a computer or network.
Personal Security Safeguards: Take security seriously; create strong passwords; use multiple passwords; send no valuable data via email/IM; use https at trusted, reputable vendors; remove high-value assets from computers; clear browsing history, temporary files, and cookies; regularly update antivirus software; demonstrate security concern to your fellow workers; follow organizational security directives and guidelines; consider security for all business initiatives.
So What? New from Black Hat 2014: Briefings on how to hack things. They show how to exploit weaknesses in hardware, software, protocols, or systems, from smartphones to ATMs; encourage companies to fix product vulnerabilities; and serve as an educational forum for hackers, developers, manufacturers, and government agencies.
Dan Geer Recommendations: 1) Mandatory reporting of security vulnerabilities. 2) Make software vendors liable for the damage their code causes, or require that users be allowed to see/have the source code (including after the software is abandoned). 3) Make ISPs liable for harmful content they inspect. 4) Right to be forgotten: "the right—under certain conditions—to ask search engines to remove links with personal information about them"; appropriate and advantageous. 5) End-to-end encrypted email.
Hacking Smart Things: Automobiles' wireless features and internal systems architecture allow hackers to access automated driving functions. Hotel lights, thermostats, televisions, and blinds in 200+ rooms were controlled by reverse-engineering the home automation protocol KNX/IP. 70% of smart devices use unencrypted network services, and 60% are vulnerable to persistent XSS (cross-site scripting) and weak credentials.
Q4: How should organizations respond to security threats?
Senior management creates company-wide policies: which sensitive data will be stored, how the data will be processed, whether the data will be shared with other organizations, how employees and others can obtain copies of data stored about them, and how employees and others request changes to inaccurate data. Senior management manages risks.
Security Safeguards and the Five Components:
Technical Safeguards (hardware, software): identification and authorization, encryption, firewalls, malware protection, application design.
Data Safeguards (data): data rights and responsibilities, passwords, encryption, backup and recovery, physical security.
Human Safeguards (procedures, people): hiring, training, education, procedure design, administration, assessment, compliance, accountability.
Q5: How can technical safeguards protect against security threats?
Technical safeguards involve the hardware and software IS components: identification and authorization, encryption, firewalls, malware protection, application design.
Essence of https (SSL or TLS): Summary of how SSL/TLS works when you communicate securely with a Web site: 1. Your computer obtains the public key of the Web site to which it will connect. 2. Your computer generates a key for symmetric encryption. 3. Your computer encrypts that key using the Web site's public key, then sends the encrypted symmetric key to the Web site. 4. The Web site decrypts the symmetric key using its private key. 5. Now your computer and the Web site communicate using symmetric encryption. With asymmetric encryption two keys are used: one key encrypts the message and the other key decrypts it. Symmetric encryption is simpler and much faster than asymmetric encryption.
Use of Multiple Firewalls: Organizations normally use multiple firewalls. A perimeter firewall sits outside the organizational network and is the first device that Internet traffic encounters. A packet-filtering firewall examines each part of a message and determines whether to let that part pass; to make this decision it examines the source address, destination address(es), and other data. Packet-filtering firewalls can prohibit outsiders from starting a session with any user behind the firewall, prohibit traffic from legitimate but unwanted addresses such as competitors' computers, and filter outbound traffic. By nature, firewalls are generic; large organizations supplement such generic firewalls with their own. Most home routers include firewalls, and Microsoft Windows has a built-in firewall as well. Third parties also license firewall products.
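The five-step https summary above, as an added example that is not code from the textbook or this post: a textbook RSA built from small random primes stands in for the Web site's key pair, and an HMAC-SHA256 counter keystream stands in for the symmetric cipher. Real TLS additionally authenticates the public key with a certificate, pads the RSA input, and uses vetted authenticated ciphers; this only shows the key-exchange flow.

```python
"""Added example (not the textbook's or the post's code): the five-step https
summary, modelled with textbook RSA over small random primes and an
HMAC-SHA256 counter keystream standing in for the symmetric cipher.
Real TLS uses certificates, padding and authenticated ciphers from vetted
libraries; this only illustrates the key-exchange flow."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd number with the top bit set, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keypair(bits=256):
    """The Web site's public key (n, e) and private key (n, d)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e must be invertible mod phi
            return (p * q, e), (p * q, pow(e, -1, phi))


def keystream_xor(key, nonce, data):
    """Toy symmetric cipher for step 5: XOR with an HMAC-SHA256 counter
    keystream. Encrypting and decrypting are the same operation."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


def handshake_and_exchange(message):
    """Steps 1-5 of the summary; returns (what the site decrypted, ciphertext)."""
    pub, priv = rsa_keypair()                                # the site's keys
    n, e = pub                                               # 1. client obtains the public key
    sym_key = secrets.token_bytes(16)                        # 2. client generates a symmetric key
    wrapped = pow(int.from_bytes(sym_key, "big"), e, n)      # 3. key encrypted with the public key
    site_key = pow(wrapped, priv[1], n).to_bytes(16, "big")  # 4. site decrypts with its private key
    nonce = secrets.token_bytes(8)                           # 5. both sides now use symmetric encryption
    ciphertext = keystream_xor(sym_key, nonce, message)      # client -> site
    return keystream_xor(site_key, nonce, ciphertext), ciphertext


if __name__ == "__main__":
    plain, wire = handshake_and_exchange(b"GET /checkout HTTP/1.1")
    print(wire.hex(), plain)
```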
Malware Protection (viruses, spyware, adware): 1) Use antivirus and antispyware programs. 2) Scan frequently. 3) Update malware definitions. 4) Open email attachments only from known sources. 5) Install software updates. 6) Browse only reputable Internet neighborhoods.
Malware Types and Spyware and Adware Symptoms: Payload: program code that causes unwanted activity. It can delete programs or data, or modify data in undetected ways. Spyware programs are installed on the user's computer without the user's knowledge or permission. Spyware resides in the background and, unknown to the user, observes the user's actions and keystrokes, monitors computer activity, and reports the user's activities to sponsoring organizations. Some malicious spyware, such as key loggers, captures keystrokes to obtain usernames, passwords, account numbers, and other sensitive information. Other spyware supports marketing analyses such as observing what users do, Web sites visited, products examined and purchased, and so forth. Most adware is benign in that it does not perform malicious acts or steal data. It does, however, watch user activity and produce pop-up ads. Adware can also change the user's default window or modify search results and switch the user's search engine.
Designing Secure Applications: SQL injection attack: the user enters an SQL statement into a form instead of a name or other data; the SQL code becomes part of the database commands issued; improper data disclosure, data damage, and loss are possible. Well-designed applications make injections ineffective.
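The injection described above, as an added example (not the textbook's or the post's code) against a constructed in-memory SQLite customer table: the string-built query discloses every row when SQL is typed into the name field, while the parameterized version treats the same input as a plain value.

```python
"""Added example (not the textbook's or the post's code): SQL injection
against a constructed in-memory SQLite customer table, with the string-built
query beside the parameterized form that makes the injection ineffective."""
import sqlite3


def make_db():
    """Constructed sample table of customers and their discounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, discount INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("Alice", 5), ("Bob", 10), ("Carol", 0)])
    return conn


def lookup_vulnerable(conn, name):
    """Form input is pasted into the SQL text, so an SQL fragment typed into
    the name field becomes part of the command the database runs."""
    sql = "SELECT name, discount FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the input is bound as a value, so it can only
    ever be compared against the name column and never alters the statement."""
    sql = "SELECT name, discount FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Same form input both ways: an honest name and an always-true clause."""
    conn = make_db()
    injected = "' OR '1'='1"          # SQL typed into the form instead of a name
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "Alice"),
        "honest_safe": lookup_safe(conn, "Alice"),
        "injected_vulnerable": lookup_vulnerable(conn, injected),  # discloses every row
        "injected_safe": lookup_safe(conn, injected),              # matches no customer
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```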
Q6: How can data safeguards protect against security threats?
Data safeguards protect databases and other organizational data. Two organizational units are responsible for data safeguards. Data administration is an organization-wide function in charge of developing data policies and enforcing data standards. When organizations store databases in the cloud, all of the safeguards should be part of the service contract. Key escrow: a trusted party should have a copy of the encryption key. Also: define data policies; data rights and responsibilities; rights enforced by user accounts authenticated by passwords; data encryption; backup and recovery procedures; physical security.
Q7: How can human safeguards protect against security threats?
Position definition: separate duties and authorities, determine least privilege, document position sensitivity. Hiring and screening. Dissemination and enforcement: responsibility, accountability, compliance. Termination: friendly/unfriendly policies and procedures for termination.
Human Safeguards for Nonemployee Personnel: temporary personnel, vendors, partner personnel (employees of business partners), and the public. Require vendors and partners to perform appropriate screening and security training; the contract specifies security responsibilities. Provide accounts and passwords with least privilege and remove accounts as soon as possible. Public users: Web sites and other openly accessible information systems. Hardening: special versions of the operating system that lock down or eliminate operating-system features and functions not required by the application. Protect such users from internal company security problems.
Account Administration: Account management: standards for new user accounts, modification of account permissions, and removal of unneeded accounts. Create new user accounts, modify existing account permissions, remove unneeded accounts. Improve your relationship with IS personnel by providing early and timely notification of needed account changes. Password management: users should change passwords frequently, every 3 months or less. Help desk policies: provide a means of authenticating users; set policy for the means of authenticating a user.
Security Monitoring: Server activity logs. Firewall log: lists of all dropped packets, infiltration attempts, unauthorized access, and attempts from within the firewall. DBMS: successful and failed logins. Web servers: voluminous logs of Web activities. PC operating systems produce records of log-ins and firewall activities. Employ utilities to assess vulnerabilities. Honeypots for computer criminals to attack. Investigate security incidents. Constantly monitor to determine the adequacy of existing security policy and safeguards.
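The firewall-log review described under Security Monitoring (and the scanning an IDS is meant to sense, from Q3), as an added example that is not code from the textbook or this post. The log lines are constructed and the iptables-like layout is an assumption; the code flags sources whose dropped packets hit many distinct ports in a short window and lists internal hosts whose outbound traffic was dropped.

```python
"""Added example (not the textbook's or the post's code): reviewing a
firewall's dropped-packet log to surface port scanning and dropped attempts
from inside the firewall. Log format is an assumed iptables-like layout;
the lines below are constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIREWALL_LOG = """\
2017-04-24T09:00:01 DROP SRC=203.0.113.5 DST=10.0.0.8 DPT=21
2017-04-24T09:00:02 DROP SRC=203.0.113.5 DST=10.0.0.8 DPT=22
2017-04-24T09:00:02 DROP SRC=203.0.113.5 DST=10.0.0.8 DPT=23
2017-04-24T09:00:03 DROP SRC=203.0.113.5 DST=10.0.0.8 DPT=25
2017-04-24T09:00:03 DROP SRC=203.0.113.5 DST=10.0.0.8 DPT=80
2017-04-24T09:00:04 DROP SRC=203.0.113.5 DST=10.0.0.8 DPT=443
2017-04-24T09:00:10 DROP SRC=198.51.100.9 DST=10.0.0.8 DPT=445
2017-04-24T09:12:00 DROP SRC=10.0.0.21 DST=203.0.113.77 DPT=6667
2017-04-24T09:45:00 DROP SRC=198.51.100.9 DST=10.0.0.8 DPT=3389
"""
LINE = re.compile(r"^(\S+) DROP SRC=(\S+) DST=(\S+) DPT=(\d+)$")


def parse(log):
    """Yield (timestamp, source, destination, destination port) per drop line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:                               # skip anything that is not a drop record
            ts, src, dst, port = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(port)


def scan_suspects(events, min_ports=5, window=timedelta(seconds=60)):
    """Sources whose drops touched at least `min_ports` distinct destination
    ports within any `window`; maps source -> most ports seen in one window."""
    by_src = defaultdict(list)
    for ts, src, _, port in events:
        by_src[src].append((ts, port))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                  # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


def inside_attempts(events, internal_prefix="10."):
    """Internal hosts whose outbound traffic the firewall dropped, the
    'attempts from within the firewall' worth investigating."""
    return sorted({src for _, src, dst, _ in events
                   if src.startswith(internal_prefix) and not dst.startswith(internal_prefix)})


if __name__ == "__main__":
    events = list(parse(FIREWALL_LOG))
    print("scan suspects:", scan_suspects(events))
    print("dropped from inside:", inside_attempts(events))
```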
Q8: How should organizations respond to security incidents?
Have a plan in place; centralized reporting; specific responses: speed, preparation pays, don't make the problem worse; practice. No organization should wait until some asset has been lost or compromised before deciding what to do. The plan should include how employees are to respond to security problems, whom they should contact, the reports to make, and steps to reduce further loss. Identify critical personnel and their off-hours contact information.
Q9: 2026?
APTs more common. Concern about balance of national security and data privacy. Security on devices will be improved. Skill level of cat-and-mouse activity increases substantially. Improved security at large organizations. Strong local “electronic” sheriffs.
Three Things I learned:
1. APT1 is based out of Shanghai. In 2014 the U.S. Department of Justice indicted five individuals involved with APT1 for theft of intellectual property from U.S. firms.
2. Intrusion Detection System logs can record thousands of attempts each day. It amazes me that there’s that many happening all the time.
3. Security Threat policy specifics depend on whether the organization is governmental or nongovernmental, publicly held or private, organization’s industry, relationship of management to employees, and other factors.

Monday, April 17, 2017

Chapter 9: Business Intelligence Systems



Summary: This chapter focuses on business intelligence (BI) systems: information systems that can produce patterns, relationships, and other information from organizational structured and unstructured social data as well as from external, purchased data. Another source of knowledge is employees themselves; a large amount of collective knowledge exists in the employees. BI is the key technology supporting such marketing technology.
Q1: How do organizations use business intelligence (BI) systems?
Five standard IS components are present in BI systems: hardware, software, data, procedures, and people. The boundaries of BI systems are blurry. BI is used for collaborative tasks: project management, problem solving, deciding, and informing. Falcon Security could use BI to determine whether it could save costs by rerouting its drone flights. What Are Typical Uses for BI? (involves classification/prediction) Identifying changes in purchasing patterns, e.g., important life events change what customers buy. Entertainment, e.g., Netflix has data on watching, listening, and rental habits and classifies customers by viewing patterns. Predictive policing: analyze data on past crimes (location, date, time, day of week, type of crime, and related data). Just-in-time medical reporting, e.g., injection notification services: software analyzes a patient's records and, if injections are needed, recommends them as the exam progresses; a blurry edge of medical ethics.
Q2: What are the three primary activities in the BI process?
The four fundamental categories of BI analysis are reporting, data mining, Big Data, and knowledge management. Push publishing delivers business intelligence to users without any request from the users; the BI results are delivered according to a schedule or as a result of an event or particular data condition. Pull publishing requires the user to request BI results. Using Business Intelligence to Find Candidate Parts at Falcon Security: identify parts that might qualify: provided by vendors who make part design files available for sale, purchased by larger customers, frequently ordered, and ordered in small quantities. Part weight and price were used as surrogates for simplicity.
Acquire Data: Extracted order data. Query: Sales (Customer Name, Contact, Title, Bill Yr., # orders, Units, Revenue, Source, Part #), Part (Part, Shipping Weight, Vendor). The IS department extracted the data. Actually, not all of the data columns in the Sales table would be needed. The data was divided into different billing years, which wouldn't affect the analysis.
Analyze: The first step was to combine the data in the two tables into a single table containing both the sales and part data. A Customer Summary query sums the revenue, units, and average price for each customer.
Publish Results: Qualifying Parts query results; publishing results is the last activity in the BI process. Sales history for selected parts shows the importance of the human component of an IS: business intelligence is only as intelligent as the people creating it.
Q3: How do organizations use data warehouses and data marts to acquire data?
Functions of a data warehouse (a facility for managing an organization's BI data): obtain data from operational, internal, and external databases; cleanse data; organize and relate data; catalog data using metadata. Components: programs read operational and other data and extract, clean, and prepare that data for BI processing. An organization might use Oracle for its operational processing but use SQL Server for its data warehouse. Other organizations use SQL Server for operational processing but use DBMSs from statistical package vendors such as SAS or SPSS in the data warehouse. Purchase of data about other organizations is not unusual or particularly concerning from a privacy standpoint. Some companies choose to buy personal consumer data from data vendors. Examples of Purchasable Consumer Data: name, address, phone, age, gender, ethnicity, religion, income, education, voter registration, home ownership, vehicles, magazine subscriptions, hobbies, catalog orders, marital status, life stage, height, weight, hair and eye color, spouse name, birth date, children's names and birth dates. Possible Problems with Source Data: dirty data, missing values, inconsistent data, data not integrated, wrong granularity (too fine/not fine enough), too much data (too many attributes/data points). Data Warehouses vs. Data Marts: The data analysts who work with a data warehouse are experts at data management, data cleaning, data transformation, data relationships, and the like. However, they are not usually experts in a given business function. A data mart is a subset of a data warehouse. A data mart addresses a particular component or functional area of the business.
Q4: How do organizations use reporting applications?
Reporting application: a BI application that inputs data from one or more sources and applies reporting operations to that data to produce business intelligence. Create meaningful information from disparate data sources. Deliver information to user on time. Basic operations: Sorting, Filtering, Grouping, Calculating, and Formatting. RFM Analysis: considers how recently (R) a customer has ordered, how frequently (F) a customer ordered, and how much money (M) the customer has spent.
RFM Analysis Classification Scheme: To produce an RFM score, a program sorts customer purchase records by date of most recent (R) purchase, divides the sorted list into quintiles, and gives customers a score of 1 to 5. The process is repeated for frequency (F) and money (M). (Top 20%, Mid 20%, Bottom 20%)
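The RFM scoring scheme above, as an added example that is not code from the textbook or this post, run on a constructed order history: customers are ranked on each measure, the ranking is cut into quintiles, and each fifth gets a score from 5 (best) down to 1.

```python
"""Added example (not the textbook's or the post's code): RFM scoring on a
constructed order history. Customers are ranked on each measure, the
ranking is cut into quintiles, and each fifth scores 5 (best) down to 1."""
from collections import defaultdict
from datetime import date

AS_OF = date(2017, 4, 24)
# Constructed orders: (customer, order date, amount)
ORDERS = [
    ("Ann", "2017-04-20", 200), ("Ann", "2017-03-01", 300), ("Ann", "2017-01-15", 250),
    ("Ben", "2017-04-12", 150), ("Ben", "2017-02-20", 150),
    ("Cal", "2017-04-01", 900),
    ("Dee", "2017-03-20", 100), ("Dee", "2017-03-05", 100),
    ("Dee", "2017-02-10", 100), ("Dee", "2017-01-05", 100),
    ("Eli", "2017-03-10", 60),
    ("Fay", "2017-02-25", 500), ("Fay", "2017-01-30", 450),
    ("Gus", "2017-02-14", 80),
    ("Hal", "2017-01-28", 120), ("Hal", "2016-12-20", 130), ("Hal", "2016-11-11", 140),
    ("Ivy", "2017-01-12", 40),
    ("Jo", "2016-12-30", 700),
]


def summarize(orders, as_of):
    """Per customer: (days since most recent order, order count, total spent)."""
    last, count, total = {}, defaultdict(int), defaultdict(float)
    for cust, day, amount in orders:
        day = date.fromisoformat(day)
        last[cust] = max(last.get(cust, day), day)
        count[cust] += 1
        total[cust] += amount
    return {c: ((as_of - last[c]).days, count[c], total[c]) for c in last}


def quintile_scores(values, higher_is_better=True):
    """Sort customers on one measure, cut the sorted list into five equal
    parts, and score the best fifth 5, the next 4, ... the worst 1.
    Ties fall where the stable sort leaves them, so equal values can
    straddle a quintile boundary."""
    ordered = sorted(values, key=values.get, reverse=higher_is_better)
    n = len(ordered)
    return {cust: 5 - (rank * 5) // n for rank, cust in enumerate(ordered)}


def rfm_scores(orders, as_of=AS_OF):
    """Map customer -> (R, F, M) scores."""
    stats = summarize(orders, as_of)
    r = quintile_scores({c: s[0] for c, s in stats.items()}, higher_is_better=False)  # fewer days is better
    f = quintile_scores({c: s[1] for c, s in stats.items()})
    m = quintile_scores({c: s[2] for c, s in stats.items()})
    return {c: (r[c], f[c], m[c]) for c in stats}


if __name__ == "__main__":
    for cust, score in sorted(rfm_scores(ORDERS).items(), key=lambda kv: kv[1], reverse=True):
        print(cust, score)
```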
Q5: How do organizations use data mining applications?
Source disciplines: statistics/mathematics, huge databases, cheap computer processing and storage, artificial intelligence and machine learning, data management technology, and sophisticated marketing, finance, and other business professionals. Sometimes people use the term knowledge discovery in databases (KDD) as a synonym for data mining. There are many interesting and rewarding careers for business professionals who are knowledgeable about data mining techniques.
Unsupervised Data Mining: no a priori hypothesis or model; findings are obtained solely by data analysis, and a hypothesized model is created to explain the patterns found. Example: cluster analysis, a statistical technique to identify groups of entities with similar characteristics; used to find groups of similar customers from customer order and demographic data.
Supervised Data Mining: uses an a priori model. Prediction, such as regression analysis. Ex: Cell Phone Weekend Minutes = 12 + (17.5 * Customer Age) + (23.7 * Number of Months of Account) = 12 + 17.5*21 + 23.7*6 = 521.7 minutes.
Market-Basket Analysis: identify sales patterns in large volumes of data, identify what products customers tend to buy together, compute probabilities of purchases, and identify cross-selling opportunities. Customers who bought fins also bought a mask.
Decision Trees: used to select the attributes most useful for classifying entities. Unsupervised data mining technique; a hierarchical arrangement of criteria to predict a value or classification. Basic idea: select attributes most useful for classifying "pure groups." Creates decision rules. Decision Rules for Accepting or Rejecting an Offer to Purchase Loans: If percent past due is less than 50 percent, then accept the loan. If percent past due is greater than 50 percent and credit score is greater than 572.6 and current LTV is less than .94, then accept the loan. Otherwise, reject the loan.
Q6: How do organizations use Big Data applications?
Huge volume: petabyte and larger. Rapid velocity: generated rapidly. Great variety: structured data, free-form text, log files, graphics, audio, and video.
MapReduce Processing Summary: a technique for harnessing the power of thousands of computers working in parallel. The Big Data collection is broken into pieces, and hundreds or thousands of independent processors search these pieces for something of interest.
Hadoop: an open-source program supported by the Apache Foundation. Manages thousands of computers. Implements MapReduce; written in Java. Amazon.com supports Hadoop as part of its EC2 cloud. Query language entitled Pig (platform for large dataset analysis): easy to master, extensible, automatically optimizes queries at the map-reduce level. Experts are required to use it; you may be involved, however, in planning a Big Data study or in interpreting results.
Q7: What is the role of knowledge management systems?
Knowledge Management (KM): creating value from intellectual capital and sharing knowledge with those who need that capital. Preserving organizational memory: capturing and storing lessons learned and best practices of key employees. The scope of KM is the same as that of SM in hyper-social organizations. Benefits: improve process quality, increase team strength. Goal: enable employees to use the organization's collective knowledge.
What Are Expert Systems?: Expert systems are rule-based systems that encode human knowledge as If/Then rules. Expert system shells are programs that process a set of rules. Drawbacks: 1) Difficult and expensive to develop: labor intensive, ties up domain experts. 2) Difficult to maintain: changes cause unpredictable outcomes, constantly need expensive changes. 3) Don't live up to expectations: can't duplicate the diagnostic abilities of humans.
What Are Content Management Systems (CMS)?: (huge, complex) Support management and delivery of documents and other expressions of employee knowledge. Challenges of content management: huge databases, dynamic content, documents refer to one another, perishable contents, in many languages.
What Are CMS Application Alternatives?: In-house custom development: customer support develops in-house database applications to track customer problems. Off-the-shelf: horizontal market products (SharePoint) and vertical market applications. Ex: Vertical market: an accounting firm may license a vertical market application to manage document flow for the processing of tax returns or the management of audit documents. Public search engines: Google, Bing.
How Do Hyper-Social Organizations Manage Knowledge?: Hyper-social knowledge management: social media, and related applications, for management and delivery of organizational knowledge resources. Hyper-organization theory: a framework for understanding KM. Focus shifts from knowledge and content to fostering authentic relationships among knowledge creators and users.
Rich directory: an employee directory that includes not only the standard name, email, phone, and address but also organizational structure and expertise. Particularly useful in large organizations where people with particular expertise are unknown. Resistance to knowledge sharing: employees reluctant to exhibit their ignorance; employee competition. Remedy: strong management endorsement, strong positive feedback, "Nothing wrong with praise or cash . . . especially cash."
Q8: What are the alternatives for publishing BI?
Server                      Report Type      Push Option              Skill Level Needed
Email/collaboration tool    Static           Manual                   Low
Web server                  Static/Dynamic   Alert/RSS                Low = static / High = dynamic
SharePoint                  Static/Dynamic   Alert/RSS, Workflow      Low = static / High = dynamic
BI server                   Dynamic          Alert/RSS, Subscription  High
Q9: 2026?
Exponentially more information about customers, better data mining techniques. Companies buy and sell your purchasing habits and psyche. Singularity: Computer systems adapt and create their own software without human assistance. Machines will possess and create information for themselves.
Three things I learned:
1. An organization can encourage knowledge sharing through a strong management who endorses it and provides positive feedback to its employees.
2. Progressive organizations actually encourage their employees to tweet, post on Facebook or other social media sites, write blogs, and post videos on YouTube, etc.
3. Big Data is characterized by volumes, velocities, and variations that far exceed those of traditional reporting and data mining.