Summary:
This chapter provides an overview of the major components of information
systems security. IS Security handles threats, vulnerability, safeguarding, and
targeting. No computer should connect to the Internet without firewall
protection. Many ISPs provide firewalls for their customers. Every organization
should have an incident-response plan as part of the security program.
Q1: What
is the goal of information systems security?
Major elements of IS security: Threat: person
or organization seeks to obtain data or other assets illegally, without owner’s
permission and often without owner’s knowledge Vulnerability:
opportunity for threats to gain access to individual or organizational
assets; for example, when you buy online, you provide your credit card data,
and as data is transmitted over Internet, it is vulnerable to threats. Safeguard:
measure individuals or organizations take to block threat from obtaining an
asset; not always effective, some threats achieve their goal in spite of
safeguards. Target: asset
desired by threat. Sources
of Threats: Loss: Unauthorized data disclosure, Incorrect data
modification, faulty service, Denial of service (DoS), Loss of infrastructure. Sources
of security threats: Human error examples: (1) employee
misunderstands operating procedures and accidentally deletes customer records;
(2) employee inadvertently installs an old database on top of current one while
doing backing up; (3) physical accidents, such as driving a forklift through
wall of a computer room. Computer crime: intentional destruction or
theft of data or other system components. Natural disasters: fires,
floods, hurricanes, earthquakes, tsunamis, avalanches, other acts of nature;
includes initial loss of capability and service, and losses recovery costs. What
Types of Security Loss Exists? Unauthorized Data Disclosure: Pretexting, Phishing,
Spoofing: IP spoofing, Email spoofing; Drive-by sniffers: Wardrivers; Hacking
& Natural disasters. Incorrect
Data Modification: Procedures incorrectly designed or not followed. Increasing
customer’s discount or incorrectly modifying employee’s salary. Placing
incorrect data on company Web site. Cause: Improper
internal controls on systems, System errors, Faulty recovery actions after a
disaster. Faulty
Service: (caused by incorrect system operation) Incorrect data
modification, Systems working incorrectly, Procedural mistakes, Programming
errors, IT installation errors, Usurpation: occurs when computer
criminals invade a computer system and replace legitimate programs with their
own unauthorized ones that shut down legitimate application and substitute
their own processing to spy, steal and manipulate data, or other purposes. Denial
of service: humans inadvertently shut down a Web server or corporate
gateway router by starting a computationally intensive application. Denial-of-service
attacks: (1) malicious hacker intentionally floods a Web server with
millions of bogus service requests; (2) user unintentionally shuts down Web
server or corporate gateway router by starting computationally intensive
application.Loss of
Infrastructure: Human accidents, Theft and terrorist events, Disgruntled
or terminated employee, Natural disasters, Advanced Persistent Threat (APT1): Theft
of intellectual property from U.S. firms.Goal of
Information Systems Security: Find appropriate trade-off between risk of
loss and cost of implementing safeguards. Protective actions: Use antivirus
software, Delete browser cookies, Make appropriate trade-offs to protect
yourself and your business.
Q2: How
big is the computer security problem?
The 6
most expensive types of attacks: Denial of Service (DoS), Malicious
Insiders, Web-based Attacks, Malicious Code, Phishing & Social Engineering,
Stolen Devices. Ponemon
Study Findings (2014): Malicious insiders increasingly serious security
threat. Business disruption and data loss primary costs of computer crime. Negligent
employees, connecting personal devices to corporate network, use of commercial
cloud-based applications pose significant security threats. Security safeguards
work.
Q3: How
should you respond to security threats?
Intrusion
detection system (IDS): a computer program that senses when another
computer is attempting to scan or access a computer or network.Personal
Security Safeguards: Take security serious; creates strong passwords; Use
multiple passwords; Send no valuable data vial Email/IM; Use https at trusted, reputable
vendors; Remove high-value assets from computers; Clear browsing history, temp.
files, and cookies; Regularly update antivirus software; Demonstrate security
concerns to your fellow workers; Follow org. security directives and guidelines;
Consider security for all business initiatives.So What?
New from Black Hat 2014: Briefings on how to hack things. Show how to
exploit weaknesses in hardware, software, protocols, or systems from smartphones
to ATMs. Encourage companies to fix product vulnerabilities. Serve as
educational forum for hackers, developers, manufacturers, and government
agencies.Dan Geer
Recommendations: 1) Mandatory reporting of security vulnerabilities. 2) Make
software venders liable for damage their code causes after abandoned, or users
allowed to see/have source code. 3) ISP liable for harmful, inspected content.
4) Right to be forgotten: “the right—under certain conditions—to ask search
engines to remove links with personal information about them.” - appropriate
and advantageous. 5) End-to-End Encrypted Email Hacking
Smart Things: Automobiles wireless features and internal systems
architecture allow hackers to access automated driving functions. Control hotel
lights, thermostats, televisions, and blinds in 200+ rooms by
reverse-engineering home automation protocol called KNX/IP. 70% of smart
devices use unencrypted network services, 60% vulnerable to persistent XSS
(cross-site scripting), and weak credentials.
Q4: How
should organizations respond to security threats?
Senior
management creates company-wide policies: Which sensitive data will be stored, How
the will data be processed, If the data will be shared with other
organizations, How employees and others can obtain copies of data stored about
them, How employees and others request changes to inaccurate data. Senior
management manages risks. Security
Safeguards and the Five Components: Technical Safeguards (for
Hardware,Software): Identification and authorization, Encryption, Firewalls, Malware
protection, Application design. Data Safeguards (for Data): Data rights
and responsibilities, Passwords, Encryption, Backup and recovery, Physical
security. Human Safeguards (for Procedures, People): Hiring, Training,
Education, Procedure design, Administration, Assessment, Compliance,
Accountability
Q5: How
can technical safeguards protect against security threats?
Involving
hardware and software IS components: Identification and authorization,
Encryption, Firewalls, Malware protection, Application design.Essence
of https (SSL or TLS): Summary of how SSL/TLS works when you communicate
securely with a Web site: 1. Your computer obtains public key of Web site to
which it will connect. 2. Your computer generates a key for symmetric
encryption. 3. Your computer encodes key using Web site’s public key, then
sends encrypted symmetric key to Web site. 4. Web site decodes symmetric key
using its private key. 5. Now, your computer and Web site communicate using
symmetric encryption. With asymmetric encryption, two keys are used; one
key encodes the message, and the other key decodes the message. Symmetric
encryption is simpler and much faster than asymmetric encryption.Use of
Multiple Firewalls: Organizations normally use multiple firewalls.
Perimeter firewall sits outside organizational network; is first device that
Internet traffic encounters. Packet-filtering firewall examines each
part of a message and determines whether to let that part pass. To make this
decision, it examines source address, destination address(es), and other data.
Packet-filtering firewalls can prohibit outsiders from starting a session with
any user behind firewall, prohibit traffic from legitimate, but unwanted,
addresses, such as competitors’ computers, and filter outbound traffic. By
nature, firewalls are generic. Large organizations supplement such generic
firewalls with their own. Most home routers include firewalls, and Microsoft
Windows has a built-in firewall as well. Third parties also license firewall
products.
Malware
Protection (Viruses, Spyware, Adware): 1) Antivirus and antispyware
programs 2) Scan frequently 3) Update malware definitions 4) Open email
attachments only from known sources. 5) Install software updates. 6)Browse only
reputable Internet neighborhoods. Malware
Types and Spyware and Adware Symptoms: Payload:
program code that causes unwanted activity. It can delete programs or data, or
modify data in undetected ways. Spyware programs are installed on the
user’s computer without the user’s knowledge or permission. It resides in
background and, unknown to the user, observes user’s actions and keystrokes,
monitors computer activity, and reports the user’s activities to sponsoring
organizations.Some
malicious spyware, key loggers, captures keystrokes to obtain usernames,
passwords, account numbers, and other sensitive information. Other spyware
supports marketing analyses such as observing what users do, Web sites visited,
products examined and purchased, and so forth. Most adware
is benign in that it does not perform malicious acts or steal data. It does,
however, watch user activity and produce pop-up ads. Adware can also change the
user’s default window or modify search results and switch the user’s search
engine. Design
for Secure Application: SQL injection attack: User enters SQL statement
into a form instead of a name or other data, Result- SQL code becomes part of
database commands issued, Improper data disclosure, data damage and loss
possible; Well designed applications make injections ineffective.
Q6: How can
data safeguards protect against security threats?
Data
safeguards protect databases and other organizational data. Two
organizational units are responsible for data safeguards. Data
administration refers to an organization-wide function that is in charge of
developing data policies and enforcing data standards. When organizations store
databases in the cloud, all of the safeguards should be part of the service
contract. Key escrow: Trusted party should have a copy of encryption key.
Also: Define data policies, Data rights and responsibilities, Rights enforced
by user accounts authenticated by passwords, Data encryption, Backup and
recovery procedures, Physical security
Q7: How
can human safeguards protect against security threats?
Position
definition: Separate duties and authorities, Determine least privilege,
Document position sensitivity; Hiring and screening; Dissemination and
enforcement: responsibility, Accountability, Compliance; Termination:
friendly/unfriendly policies and procedures for termination. Human
Safeguards for Nonemployee Personnel: Temporary personnel, vendors, partner
personnel (employees of business partners), and the public. Require vendors and
partners to perform appropriate screening and security training. Contract
specifies security responsibilities. Provide accounts and passwords with least
privilege and remove accounts as soon as possible. Public
Users: Web sites and other openly accessible information systems. Hardening:
Special versions of operating system, Lock down or eliminate operating
systems features and functions not required by application. Protect such users
from internal company security problems. Account
Administration: Account Management: Standards for new user accounts,
modification of account permissions, removal of unneeded accounts. Create new
user accounts, modify existing account permissions, remove unneeded accounts.
Improve your relationship with IS personnel by providing early and timely
notification of needed account changes. Password Management: Users
change passwords frequently. Users should change passwords every 3 months or
less. Help Desk Policies: Provide means of authenticating users. Set
policy for means of authenticating a user. Security
Monitoring: Server activity logs- Firewall log: Lists of all dropped
packets, infiltration attempts, unauthorized access, attempts from within the
firewall. DBMS: Successful and failed logins. Web servers - Voluminous logs of
Web activities. PC O/S produce record of log-ins and firewall activities. Employ
utilities to assess vulnerabilities. Honeypots for computer criminals to
attack. Investigate security incidents. Constantly monitor to determine
adequacy of existing security policy and safeguards.
Q8: How should
organizations respond to security incidents?
Have plan in
place; Centralized reporting; Specific responses: Speed, Preparation pays, Don’t
make problem worse; Practice. No organization should wait until some asset has
been lost or compromised before deciding what to do. The plan should include
how employees are to respond to security problems, whom they should contact,
the reports to make, and steps to reduce further loss. Identify critical
personnel and their off-hours contact information
Q9: 2026?
APTs more
common. Concern about balance of national security and data privacy. Security
on devices will be improved. Skill level of cat-and-mouse activity increases
substantially. Improved security at large organizations. Strong local
“electronic” sheriffs.
Three
Things I learned:
1. APT1
is based out of Shanghai. In 2014 the U.S. Department of Justice indicted five
individuals involved with APT1 for theft of intellectual property from U.S.
firms.
2. Intrusion
Detection System logs can record thousands of attempts each day. It amazes me
that there’s that many happening all the time.
3. Security
Threat policy specifics depend on whether the organization is governmental or nongovernmental, publicly held or private, organization’s industry, relationship of management
to employees, and other factors.
