Monday, April 24, 2017

Chapter 10: Information Security Management



Summary: This chapter provides an overview of the major components of information systems security. IS security is framed in terms of threats, vulnerabilities, safeguards, and targets. No computer should connect to the Internet without firewall protection; many ISPs provide firewalls for their customers. Every organization should have an incident-response plan as part of its security program.
Q1: What is the goal of information systems security?
Major elements of IS security:
- Threat: a person or organization that seeks to obtain data or other assets illegally, without the owner's permission and often without the owner's knowledge.
- Vulnerability: an opportunity for a threat to gain access to individual or organizational assets. For example, when you buy online you provide your credit card data, and as that data is transmitted over the Internet it is exposed to threats.
- Safeguard: a measure individuals or organizations take to block a threat from obtaining an asset. Safeguards are not always effective; some threats achieve their goal in spite of them.
- Target: the asset desired by the threat.

Types of loss: unauthorized data disclosure, incorrect data modification, faulty service, denial of service (DoS), loss of infrastructure.

Sources of security threats:
- Human error. Examples: (1) an employee misunderstands operating procedures and accidentally deletes customer records; (2) an employee inadvertently restores an old database on top of the current one while making a backup; (3) physical accidents, such as driving a forklift through the wall of a computer room.
- Computer crime: intentional destruction or theft of data or other system components.
- Natural disasters: fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature. The loss includes the initial loss of capability and service plus the cost of recovery.

What types of security loss exist?
- Unauthorized data disclosure: pretexting, phishing, spoofing (IP spoofing, email spoofing), drive-by sniffers and wardrivers, hacking, and natural disasters.
- Incorrect data modification: procedures incorrectly designed or not followed, for example increasing a customer's discount, incorrectly modifying an employee's salary, or placing incorrect data on the company Web site. Causes: improper internal controls on systems, system errors, faulty recovery actions after a disaster.
- Faulty service (caused by incorrect system operation): incorrect data modification, systems working incorrectly, procedural mistakes, programming errors, IT installation errors, and usurpation. Usurpation occurs when computer criminals invade a computer system and replace legitimate programs with their own unauthorized ones, which shut down the legitimate application and substitute their own processing to spy, to steal or manipulate data, or for other purposes.
- Denial of service: (1) a malicious hacker intentionally floods a Web server with millions of bogus service requests; (2) a user unintentionally shuts down a Web server or corporate gateway router by starting a computationally intensive application.
- Loss of infrastructure: human accidents, theft and terrorist events, disgruntled or terminated employees, natural disasters. Advanced persistent threats (for example APT1): theft of intellectual property from U.S. firms.

Goal of information systems security: find the appropriate trade-off between the risk of loss and the cost of implementing safeguards. Protective actions: use antivirus software, delete browser cookies, and make appropriate trade-offs to protect yourself and your business.
Q2: How big is the computer security problem?
The six most expensive types of attacks: denial of service (DoS), malicious insiders, Web-based attacks, malicious code, phishing and social engineering, stolen devices. Ponemon study findings (2014): malicious insiders are an increasingly serious security threat; business disruption and data loss are the primary costs of computer crime; negligent employees, personal devices connected to the corporate network, and use of commercial cloud-based applications pose significant security threats; security safeguards work.
Q3: How should you respond to security threats?
Intrusion detection system (IDS): a computer program that senses when another computer is attempting to scan or access a computer or network.

Personal security safeguards: take security seriously; create strong passwords; use multiple passwords; send no valuable data via email or IM; use https at trusted, reputable vendors; remove high-value assets from computers; clear browsing history, temporary files, and cookies; regularly update antivirus software; demonstrate security concern to your fellow workers; follow organizational security directives and guidelines; consider security for all business initiatives.

So what? New from Black Hat 2014: briefings on how to hack things. They show how to exploit weaknesses in hardware, software, protocols, or systems, from smartphones to ATMs; encourage companies to fix product vulnerabilities; and serve as an educational forum for hackers, developers, manufacturers, and government agencies.

Dan Geer's recommendations: 1) mandatory reporting of security vulnerabilities; 2) make software vendors liable for the damage their code causes, or else require them to let users see and have the source code, including for software the vendor has abandoned; 3) make ISPs that inspect content liable for the harmful content they carry; 4) a right to be forgotten, "the right, under certain conditions, to ask search engines to remove links with personal information about them", which he judged appropriate and advantageous; 5) end-to-end encrypted email.

Hacking smart things: automobiles' wireless features and internal systems architecture allow hackers to access automated driving functions. Researchers controlled the lights, thermostats, televisions, and blinds in 200+ hotel rooms by reverse-engineering the home-automation protocol KNX/IP. 70% of smart devices use unencrypted network services, 60% are vulnerable to persistent XSS (cross-site scripting), and many use weak credentials.
Q4: How should organizations respond to security threats?
Senior management creates company-wide policies covering: which sensitive data will be stored; how the data will be processed; whether the data will be shared with other organizations; how employees and others can obtain copies of data stored about them; how employees and others can request changes to inaccurate data. Senior management also manages risk.

Security safeguards and the five components:
- Technical safeguards (hardware, software): identification and authentication, encryption, firewalls, malware protection, application design.
- Data safeguards (data): data rights and responsibilities, passwords, encryption, backup and recovery, physical security.
- Human safeguards (procedures, people): hiring, training, education, procedure design, administration, assessment, compliance, accountability.
Q5: How can technical safeguards protect against security threats?
Technical safeguards involve the hardware and software components of an IS: identification and authentication, encryption, firewalls, malware protection, application design.

Essence of https (SSL or TLS). Summary of how SSL/TLS works when you communicate securely with a Web site:
1. Your computer obtains the public key of the Web site to which it will connect.
2. Your computer generates a key for symmetric encryption.
3. Your computer encrypts that symmetric key using the Web site's public key and sends the encrypted symmetric key to the Web site.
4. The Web site decrypts the symmetric key using its private key.
5. From then on, your computer and the Web site communicate using symmetric encryption.
With asymmetric encryption two keys are used: one key encrypts the message and the other decrypts it. Symmetric encryption is simpler and much faster than asymmetric encryption, which is why it carries the bulk of the traffic. (This describes the classic RSA key-transport handshake; current TLS versions derive the symmetric key with an ephemeral Diffie-Hellman exchange instead, but the site's public key still authenticates it and the session data still travels under symmetric encryption.)

Use of multiple firewalls: organizations normally use multiple firewalls. A perimeter firewall sits outside the organizational network and is the first device that Internet traffic encounters. A packet-filtering firewall examines each packet and decides whether to let it pass, based on the source address, destination address(es), and other header data. Packet-filtering firewalls can prohibit outsiders from starting a session with any user behind the firewall, prohibit traffic from legitimate but unwanted addresses such as competitors' computers, and filter outbound traffic. By nature, firewalls are generic; large organizations supplement such generic firewalls with their own. Most home routers include firewalls, and Microsoft Windows has a built-in firewall as well. Third parties also license firewall products.
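The packet-filtering decisions listed above (drop unsolicited inbound sessions, block unwanted external addresses, restrict outbound traffic) as a small stateless filter. This is an added example written for this page, not code from the textbook or from any firewall product; the internal network, the blocked range, the port lists and the sample packets are all constructed (the outside addresses come from the RFC 5737 documentation ranges).

```python
"""Stateless packet filter illustrating the perimeter-firewall rules described above.
Added example for this page, not code from the textbook or any firewall product.
All networks, addresses, port lists and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")                   # assumed internal network
BLOCKED_SOURCES = [ip_network("203.0.113.0/24")]    # legitimate but unwanted, e.g. a competitor (assumed)
PUBLIC_INBOUND_PORTS = {80, 443}                    # services outsiders may open sessions to
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}              # what inside hosts may start


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: set on the first packet of a session
    ack: bool = False   # TCP ACK flag: set on every packet after the first


def decide(pkt: Packet) -> tuple:
    """Return (action, reason) for one packet, looking only at header fields."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if any(src in net for net in BLOCKED_SOURCES):
        return ("DROP", "blocked source")
    inbound = src not in INSIDE and dst in INSIDE
    outbound = src in INSIDE and dst not in INSIDE
    if inbound:
        if pkt.syn and not pkt.ack:               # outsider trying to open a session
            if pkt.dport in PUBLIC_INBOUND_PORTS:
                return ("ACCEPT", "public service")
            return ("DROP", "unsolicited inbound session")
        # ACK set: stateless approximation of "belongs to an existing session".
        # A stateful firewall would consult a connection table instead.
        return ("ACCEPT", "established")
    if outbound:
        if pkt.dport in ALLOWED_OUTBOUND_PORTS:
            return ("ACCEPT", "outbound allowed")
        return ("DROP", "outbound port not allowed")
    return ("DROP", "not perimeter traffic")


SAMPLE_PACKETS = [                                  # constructed traffic
    Packet("198.51.100.7", "10.1.2.3", 443, syn=True),              # outsider -> web server
    Packet("198.51.100.7", "10.1.2.3", 22, syn=True),               # outsider -> SSH on an inside host
    Packet("203.0.113.9", "10.1.2.3", 443, syn=True),               # blocked range, even to a public port
    Packet("10.1.2.3", "198.51.100.7", 443, syn=True),              # inside host browsing out
    Packet("10.1.2.3", "198.51.100.7", 25, syn=True),               # inside host sending SMTP directly
    Packet("198.51.100.7", "10.1.2.3", 50000, syn=True, ack=True),  # reply to an inside-initiated session
]


def run_samples():
    return [decide(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p, (action, reason) in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{action:6} {p.src} -> {p.dst}:{p.dport}  ({reason})")
```

The ACK-flag shortcut is exactly where such generic filters are weak: anyone can forge a packet with ACK set, which is why the text's point about supplementing a generic firewall with stateful or application-aware ones matters.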
Malware protection (viruses, spyware, adware): 1) use antivirus and antispyware programs; 2) scan frequently; 3) update malware definitions; 4) open email attachments only from known sources; 5) install software updates; 6) browse only reputable Internet neighborhoods.

Malware types, and spyware and adware symptoms: a payload is program code that causes unwanted activity; it can delete programs or data, or modify data in undetected ways. Spyware programs are installed on the user's computer without the user's knowledge or permission. Spyware resides in the background and, unknown to the user, observes the user's actions and keystrokes, monitors computer activity, and reports the user's activities to sponsoring organizations. Some malicious spyware (key loggers) captures keystrokes to obtain usernames, passwords, account numbers, and other sensitive information. Other spyware supports marketing analyses, observing what users do, Web sites visited, products examined and purchased, and so forth. Most adware is benign in that it does not perform malicious acts or steal data; it does, however, watch user activity and produce pop-up ads. Adware can also change the user's default window, modify search results, and switch the user's search engine.

Design for secure applications. SQL injection attack: the user enters an SQL fragment into a form instead of a name or other data; if the application builds its query text from that input, the fragment becomes part of the database command that is issued, and improper data disclosure, data damage, and loss are possible. Well-designed applications make injection ineffective by passing user input to the database as parameters rather than splicing it into the statement.
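The injection described above, with the vulnerable lookup beside its parameterized replacement, as an added example written for this page (not code from the textbook). The customers table, its rows and the injected input are constructed, and the standard-library sqlite3 module stands in for a production DBMS.

```python
"""SQL injection: a lookup that splices form input into the statement, and the
parameterized version that does not. Added example for this page, not code from
the textbook. Table, rows and attacker input are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "1111"), ("bob", "2222"), ("carol", "3333")])
    return conn


def lookup_vulnerable(conn, name: str):
    # The form value is pasted into the statement text, so quote characters in
    # the input are parsed by the DBMS as SQL rather than as data.
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name: str):
    # The value is sent separately from the statement; the DBMS never parses it.
    return conn.execute(
        "SELECT name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


# What an attacker types into the "name" form field (constructed).
INJECTION = "nobody' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_injected": lookup_vulnerable(conn, INJECTION),  # every row leaks
        "safe_injected": lookup_safe(conn, INJECTION),             # no row has that literal name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the injected input the vulnerable query becomes `WHERE name = 'nobody' OR '1'='1'`, true for every row, while the parameterized query looks for a customer literally named `nobody' OR '1'='1` and finds none. sqlite3's `execute` refuses stacked statements, so the `'; DROP TABLE ...` variant is not shown here; drivers for other databases may allow it.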
Q6: How can data safeguards protect against security threats?
Data safeguards protect databases and other organizational data. Two organizational units are responsible for data safeguards; data administration is an organization-wide function in charge of developing data policies and enforcing data standards. When an organization stores databases in the cloud, all of these safeguards should be written into the service contract. Key escrow: a trusted party keeps a copy of the encryption key so that encrypted data remains recoverable if the key is lost. Data safeguards also include: defining data policies; data rights and responsibilities; rights enforced by user accounts authenticated by passwords; data encryption; backup and recovery procedures; physical security.
Q7: How can human safeguards protect against security threats?
Position definition: separate duties and authorities; determine least privilege; document position sensitivity. Hiring and screening. Dissemination and enforcement: responsibility, accountability, compliance. Termination: policies and procedures for both friendly and unfriendly terminations.

Human safeguards for nonemployee personnel: temporary personnel, vendors, partner personnel (employees of business partners), and the public. Require vendors and partners to perform appropriate screening and security training; the contract specifies security responsibilities. Provide accounts and passwords with least privilege and remove the accounts as soon as possible. Public users (Web sites and other openly accessible information systems): harden the systems with special versions of the operating system in which features and functions not required by the application are locked down or eliminated, and protect such users from internal company security problems.

Account administration:
- Account management: standards for new user accounts, modification of account permissions, and removal of unneeded accounts. Improve your relationship with IS personnel by giving early and timely notification of needed account changes.
- Password management: users should change passwords every three months or less.
- Help-desk policies: set a policy for, and provide the means of, authenticating users who contact the help desk.

Security monitoring:
- Server activity logs. Firewall log: lists of all dropped packets, infiltration attempts, unauthorized access, and attempts from within the firewall. DBMS: successful and failed logins. Web servers: voluminous logs of Web activity. PC operating systems: records of log-ins and firewall activity.
- Employ utilities to assess vulnerabilities.
- Honeypots for computer criminals to attack.
- Investigate security incidents.
- Constantly monitor to determine the adequacy of existing security policy and safeguards.
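What the IDS of Q3 and the DBMS login monitoring listed above actually do with a log: the rule below reads successful and failed login lines and raises an alert when one source fails repeatedly inside a short window. This is an added example written for this page, not code from the textbook or from any IDS product; the line layout (`<timestamp> db-auth <FAILED|OK> user=<name> src=<ip>`) and every line of the sample log are constructed, and real DBMS audit logs are laid out differently.

```python
"""Detection over DBMS login log lines: flag a source that fails to authenticate
repeatedly within a short window, the kind of pattern an IDS or log monitor raises.
Added example for this page, not code from the textbook. The log format and every
line of SAMPLE_LOG are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout: "<ISO timestamp> db-auth <FAILED|OK> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) db-auth (FAILED|OK) user=(\S+) src=(\S+)$")

SAMPLE_LOG = """\
2017-04-24T10:00:00 db-auth FAILED user=admin src=198.51.100.7
2017-04-24T10:00:05 db-auth FAILED user=admin src=198.51.100.7
2017-04-24T10:00:09 db-auth FAILED user=sa src=198.51.100.7
2017-04-24T10:00:14 db-auth FAILED user=root src=198.51.100.7
2017-04-24T10:00:20 db-auth FAILED user=admin src=198.51.100.7
2017-04-24T10:00:21 db-auth OK user=jsmith src=10.0.0.5
2017-04-24T10:00:25 db-auth FAILED user=admin src=198.51.100.7
2017-04-24T10:00:30 db-auth FAILED user=jsmith src=10.0.0.5
2017-04-24T10:03:30 db-auth FAILED user=jsmith src=10.0.0.5
2017-04-24T10:05:00 db-auth FAILED user=jsmith src=10.0.0.5
2017-04-24T10:07:30 db-auth FAILED user=jsmith src=10.0.0.5
2017-04-24T10:09:00 db-auth FAILED user=jsmith src=10.0.0.5
2017-04-24T10:11:00 db-auth FAILED user=jsmith src=10.0.0.5
this line is not in the expected format
""".splitlines()


def parse(line):
    """Return (timestamp, result, user, src), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return one alert (src, first_failure_iso, count) per source whose failed
    logins reach `threshold` inside any `window`. Lines must be in time order."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue               # unparseable lines are skipped, not fatal
        ts, result, _user, src = rec
        if result != "FAILED":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0].isoformat(), len(q)))
    return alerts


if __name__ == "__main__":
    for src, first, count in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {src}: {count} failed logins within 2 min starting {first}")
```

On the sample log the outside host cycling through `admin`, `sa` and `root` is reported after its fifth failure; the inside user who mistypes a password six times over eleven minutes never has five failures inside one two-minute window and is not. Keying the window on source catches a single noisy attacker; a second rule keyed on the user name would be needed for the same attempt spread across many sources.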
Q8: How should organizations respond to security incidents?
Have a plan in place; centralized reporting; specific responses (speed; preparation pays; don't make the problem worse); practice. No organization should wait until some asset has been lost or compromised before deciding what to do. The plan should include how employees are to respond to security problems, whom they should contact, the reports to make, and steps to reduce further loss. Identify critical personnel and their off-hours contact information.
Q9: 2026?
APTs more common. Concern about balance of national security and data privacy. Security on devices will be improved. Skill level of cat-and-mouse activity increases substantially. Improved security at large organizations. Strong local “electronic” sheriffs.
Three Things I learned:
1. APT1 is based out of Shanghai. In 2014 the U.S. Department of Justice indicted five individuals involved with APT1 for theft of intellectual property from U.S. firms.
2. Intrusion Detection System logs can record thousands of attempts each day. It amazes me that there are that many happening all the time.
3. Security threat policy specifics depend on whether the organization is governmental or nongovernmental, publicly held or private, the organization's industry, the relationship of management to employees, and other factors.
