Acceptable Use Policy (AUP)
Acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet. Identifies acceptable and unacceptable practices for all users.
Antivirus Software
Prevents, detects, and removes malware, including computer viruses, computer worms, Trojan horses, spyware, and adware. Must perform regular updates. (consider holistic protection)
Why the Increase in Attacks?
Speed of attacks
More sophisticated attacks
Simplicity of attack tools
Faster detection of weaknesses
Delays in user patching
Distributed attacks
Attacks exploit user ignorance & confusion
Information
is an organizational asset - it must be protected
Security:
Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
The protection of information from accidental or intentional misuse by persons inside or outside the organization
Controls:
Methods, policies, and organizational procedures that ensure safety of organization's assets; accuracy and reliability of its accounting records; and operational adherence to management standards
Factors Driving the importance of security ...
1. Evolution from mainframe environment to
today's interconnected, wireless, networked
infrastructure
2. Trend toward smaller, faster, cheaper, portable
computers and storage devices
3. Increased employee use of unmanaged devices
4. The computer skills ne
Computer Crime/Fraud
"any violations of criminal law that involve knowledge of computer technology for their perpetration, investigation, or prosecution" [defined by U.S. Department of Justice]
Commission of illegal acts through use of a computer or against a computer system
Computers as Targets of Crime
- Breaching the confidentiality of protected
computerized data
- Accessing computer system without authority
- Knowingly accessing a protected computer to
commit fraud.
- Intentionally accessing a protected system and causing
damage, negligently or deliberately
Computer as Instruments of Crime
- Theft of trade secrets
- Unauthorized copying of software or
copyrighted intellectual property, such as
articles, books, music, and video
- Schemes to defraud
- Using e-mail for threats or harassment
- Intentionally attempting to intercept electronic
co
Identity Theft
- A crime in which an impostor obtains key pieces
of personal information to impersonate someone
else
- The forging of someone's identity for the
purpose of fraud
- "total identity theft" ....
- Identity Theft Resource Center
Click fraud -
occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase
Click Farm -
a business that pays employees to click on website elements to artificially boost the status of a client's website or product
CAPTCHA
a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. For example, humans can read distorted text, but current computer programs can't.
Hardware problems
Breakdowns, configuration errors, damage from improper use or crime, theft of devices
Software problems
Programming errors, installation errors, unauthorized changes
Disasters
Power failures, flood, fires, others ...
Use of networks and computers outside of firm's control
Domestic or offshore outsourcing vendors
Growing use of portable devices
Internet vulnerabilities
- Network open to anyone
- Size of Internet means abuses can have wide
impact
- Use of fixed Internet addresses with permanent
connections to Internet eases identification by
hackers
- E-mail attachments may contain malicious SW
(viruses, etc.)
- E-mail c
Wireless security challenges
- Radio frequency bands easy to scan
- Wi-Fi was designed to make it easy for stations
to find and hear each other
- SSIDs (service set identifiers) that identify the
access points in a Wi-Fi network are broadcast
multiple times and can be picked up easily
War driving
Eavesdroppers drive by buildings and try to intercept network traffic
When hacker gains access to SSID, has access to network's resources
WEP -
the initial security standard for Wi-Fi is relatively easy to crack ... WPA2 is better...
Something like Hotspot Shield can be used to create a VPN, giving a safer way to browse...
Malicious SW -
Types of malware (SW written with malicious intent to cause annoyance or damage to a computer system or network):
Viruses
Worms
Trojan Horse
SQL injection attacks
Ransomware
Spyware
Key loggers
Sniffers
Denial of Service Attacks
Spoofing
Phishing/Spear Phishing
Viruses
Rogue software program that attaches itself to other software programs or data files in order to be executed
When the program or operating system containing the virus is used, the virus attaches itself to other files and is spread
Worms
Independent programs that copy themselves from one computer to others over a network
Do not have to be attached to a host program
Disrupt computer and network operations, slowing or halting system
Destroy data and other programs
Trojan Horse
SW program that appears to be benign (okay) but then does something other than expected
Contains code intended to disrupt a computer, network, or Web site
Malicious code hides inside a popular program or a program that appears to be useful
SQL injection attacks
Take advantage of vulnerabilities in poorly coded Web application SW to introduce malicious program code into a company's systems and networks
Used to attack databases through a website by including portions of SQL commands in a web form input field in or
Ransomware
A type of malware that tries to extort money from users by taking control of their computers or displaying annoying pop-up messages
Ex. CryptoLocker - encrypts an infected computer's files, forcing users to pay to regain access
Can get from downloading an
Spyware
Technology that aids in gathering information about a person or organization without their knowledge
SW that secretly gathers information about users while they browse the Web; can come hidden in free downloads; tracks online movements, mines the informat
Keyloggers -
monitor and record keystrokes & mouse clicks
Can steal serial numbers for SW, launch Internet
attacks, gain access to e-mail accounts, steal
passwords, credit card info ...
Can be used by companies to track employees'
use of e-mail and the Internet
Some a
Sniffer
Type of eavesdropping program that monitors information traveling over a network
SW used to capture and record network traffic
Common type is a "password sniffer"
Can be used for legitimate purposes to help identify potential network trouble spots, monito
Denial-of-Service Attack (DoS)
Floods a network server or web server with thousands of false service requests to crash the network
Prevents legitimate users' access to the system
Distributed denial-of-service (DDoS) attack
Hundreds or thousands of computers work together to bombard a Web site with thousands of requests for information in a short period
Difficult to trace
Zombie - a computer working under the control of an outside party
Botnets - networks of "zombie" PC's in
Spoofing -
A way of misrepresenting oneself, by using a fake e-mail address or masquerading as someone else
Often involves forging the return address of an e-mail so that the message appears to come from someone other than the actual sender ...
Attempting to gain ac
Phishing -
A high tech scam in which an e-mail requests the update or confirmation of sensitive personal information by clicking a link to a fake web site
e-mails that seem to come from legitimate
sources
direct e-mail recipients to false Web sites in
order to captu
Spear phishing -
a more targeted form of phishing - messages appear to come from a trusted source, increasing the likelihood they will be opened
Variations of Phishing -
Pharming
A type of phishing technique
Redirects users to a bogus Web page, even
when an individual types the correct Web page
address into the browser
Variations of Phishing -
Evil Twins
A type of phishing technique
Wireless networks that pretend to offer
trustworthy Wi-Fi connections to the Internet to
entice users to log on and reveal passwords or
other personal information
Insiders -
legitimate users who purposely or accidentally misuse their access to information or resources and cause some kind of business-affecting event
Employees, consultants, contract labor,
maintenance staff, guards, etc.
Access to inside knowledge/procedures
Ta
Hackers ....
People very knowledgeable about computers who use their skills to gain unauthorized access to a computer system
Black hat hackers ("crackers", criminal hackers)
www.2600.com
White hat hackers (ethical hackers)
Script kiddies or script bunnies
Hacktivists
C
Commercial software contains flaws that create security vulnerabilities
Hidden bugs or program code defects
Zero defects cannot be achieved because
complete testing is not possible with large
programs
Flaws can open networks to intruders
Patches
Small pieces of software released by a SW vendor to repair flaws
However, amount of software in use can mean exploits created faster than patches can be released & implemented
Business Value of Security and Control Measures
Failed computer systems can lead to significant or total loss of business function.
Firms now more vulnerable than ever.
A security breach may cut into firm's market value almost immediately.
Inadequate security and controls also bring forth issues of liability
Legal and Regulatory Requirements for Electronic Records Management
Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection
HIPAA:
Medical security and privacy rules and procedures
Gramm-Leach-Bliley Act:
Requires financial institutions to ensure the security and confidentiality of customer data
Sarbanes-Oxley Act:
Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
Electronic Evidence and Computer Forensics
Evidence for white collar crimes often found in digital form
Data stored on computer devices, e-mail, instant
messages, e-commerce transactions
Proper control of data can save time, money when responding to legal discovery request
Computer forensics:
Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law
Includes recovery of ambient and hidden data
General controls -
Govern design, security, and use of computer programs and security of data files in general throughout organization's information technology infrastructure.
Apply to all computerized applications.
Combination of hardware, software, and manual
procedures t
Application controls -
Specific controls unique to each computerized application, such as payroll or order processing; ensure that only authorized data are completely and accurately processed by that application
Include input, processing and output controls
Risk assessment
Determines level of risk to the firm if specific activity or process is not properly controlled
Types of threats
Probability of occurrence during year
Potential losses, value of threat
Expected annual loss
Security policy
Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
Drives other policies
Acceptable use policy (AUP)
Defines acceptable uses of firm's information resources and computing equipment
Authorization policies
Determine differing levels of user access to information assets
Incorporated in the firm's Identity Management Systems
Disaster recovery planning:
devises plans for restoration of disrupted services
Backup -
copies of critical systems and data, done on a regular basis
Hot site -
separate & fully equipped facility where the firm can move immediately after a disaster and resume business
Cold site -
separate facility without any computer equipment but is a place employees can move after a disaster
- provides a shell to get started - "computer
ready
Business continuity planning:
Focuses on restoring business operations after
Identify firm's most critical systems
Business impact analysis to determine impact of
an outage
Management must determine which systems to
restore first
Determine action plans for handling mission-
critical f
Information Systems audit
Examines firm's overall security environment as well as controls governing individual information systems
Reviews technologies, procedures, documentation, training, and personnel
May even simulate disaster to test response of technology, IS staff, other e
Identity Management Systems
Support the organization's Security and Authorization policies
Include business processes and technologies for identifying valid users of systems
Establish where and when a user is permitted to access certain parts of a Web site or corporate database
Allo
Identity Management, Authentication & Access Control
Policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders
To gain access a user must be authorized and authenticated
Authentication -
the ability to know that a person is who he or she claims to be; a method of confirming users' identities
Authorization -
determines what actions, rights, or privileges the user has, based on the verified identity
Common types of Access Controls
User IDs, passwords, passphrases
Cognitive Passwords
Two-step Authentication
Token (security token)
Smart Card
Biometrics
Terminal Resource Security
Password
Combination of numbers, characters, and symbols used to allow access to a system
Length and complexity determine its vulnerability to discovery
Guidelines for strong passwords ...
Passphrase-
Series of characters that is longer than a password but is still easy to memorize
Can serve as a password itself, or be used to create a strong password
Which is better?
Xp4!e% or thisisaverylongpassword
Length always trumps complexity!
Password management applications -
Allow user to store username and password, along with other account details
Application is itself protected by a single strong password, and can even require the presence of a file on a USB flash drive before the program will open
Allows user to retrieve
Cognitive Password (aka security questions)
Requires a user to answer a question to verify their identity; commonly used as a form of secondary access
Typical cognitive password questions:
What is your mother's maiden name?
What is your dog's name?
Two-step Authentication
In addition to username (ID) and password, a short, randomly generated verification code is sent to you via text or e-mail that you need to enter to allow access
Token (Security Token)
A small electronic device to change user passwords automatically
Designed to prove the identity of a single user
Smart Card
a device about the same size as a credit card, containing a chip formatted with access permission and other data - a reader device interprets the data on the card and allows or denies access
Terminal resource security
Software feature that erases the screen and signs the user off automatically after a specified length of inactivity
Biometrics -
Systems that read and interpret individual human traits to enhance security measures - are unique to a person and can't be stolen or lost; may be physical or behavioral
Issues in choosing a biometric technique:
Cost
Accuracy
Perceived intrusiveness
Effort required on part of user
Cultural preferences/issues
Context/environmental situation
Firewall -
Combination of hardware and software that controls the flow of incoming and outgoing network traffic
Acts as a filter or barrier between a private network and external computers or networks
Network administrator defines rules for access
Examines data pass
Intrusion Detection Systems:
Monitor hot spots on corporate networks to detect and deter intruders.
Examine events as they are happening to discover attacks in progress.
Antivirus and Antispyware software:
Check computers for presence of malware and can often eliminate it as well.
Require continual updating
Unified Threat Management Systems (UTM):
Combination of security tools including firewalls, intrusion detection systems, VPNs, web content filtering, and anti-spam SW
Encryption:
Process of encoding messages before they enter the network & then decoding at the receiving end
Transforming (encrypting) text or data, called "plaintext" or "cleartext" into "cipher text" that cannot be read by unintended recipients
The data or text is t
Digital certificate:
Data file or electronic document used to establish the identity of users and electronic assets for protection of online transactions
Uses a trusted third party, Certificate Authority (CA), to validate a user's identity
The CA verifies user's identity, sto
Security verification icons: SysTrust and WebTrust Seals
International set of principles and criteria for systems and e-commerce
Online transaction processing
requires 100 percent availability, no downtime.
Fault-tolerant computer systems
Contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service
Ex. RAID, UPS, duplicate/backup HW
Use special SW routines or self-checking logic built into their circuitry to de
Controlling network traffic
Deep packet inspection (DPI)
sorts out low-priority online material (music and video downloads) while assigning a higher priority to business-critical files and data; less important traffic can be blocked or delayed
Security outsourcing -
using managed security service providers (MSSPs)
Cloud Computing Security -
accountability and responsibility for privacy and security reside with the Cloud user, although the Cloud provider is actually doing the hosting ...
Security of Mobile Computing devices -
must be secured like other in-house, non-mobile resources against malware, theft, accidental loss, unauthorized access, and hacking attempts
Software Metrics:
Objective assessments of a system in the form of quantified measurements, such as:
Number of transactions processed per minute
Online response time
Payroll checks printed per hour
Known bugs per hundred lines of code
Ongoing use of metrics
facilitates measurement of system performance and problem identification
Early and regular testing
contributes to system quality by checking the correctness of operations as well as identifying errors or bugs
Information systems controls are both manual and automated and consist of general and application controls.
What best describes general controls?
General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure.
What best describes a security policy?
A security policy consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals.
What best describes public key encryption?
Public key encryption is a more secure form of encryption that uses two keys, one shared and one totally private. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key.
Describe a scenario that illustrates a drive-by download
Milly copies a file from the Internet to her PC, and, in the process, her PC gets infected by malware.
__________ defines acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet, and specifies consequences for noncompliance.
An acceptable use policy (AUP)
Computer criminals use denial-of-service attacks on information systems to __________.
prevent legitimate users from using the system's resources
An individual posing as an online gamer accesses information stored in an unsuspecting user's computer by placing a program in his hard disk that appears to be legitimate. The system functions normally with the program performing underlying functions.
The
Trojan horse
__________ focuses on how the company can restore business operations after a disaster strikes.
Business continuity planning
Describe a firewall.
It is a combination of hardware and software that controls the flow of incoming and outgoing network traffic.
Describe HIPAA.
HIPAA outlines medical security and privacy rules and procedures for simplifying the administration of health care billing and automating the transfer of health care data between health care providers, payers, and plans.
Describe the Gramm-Leach-Bliley Act.
The Gramm-Leach-Bliley Act requires financial institutions to ensure the security and confidentiality of customer data. Data must be stored on a secure medium, and special security measures must be enforced to protect such data on storage media and during
__________ imposes responsibility on companies and their management to protect investors by safeguarding the accuracy and integrity of financial information that is used internally and released externally.
The Sarbanes-Oxley Act
Which of the following statements about information systems security vulnerability is true?
Hackers can unleash denial-of-service (DoS) attacks or penetrate corporate networks, causing serious system disruptions.
__________ refers to software that covertly gathers information about a user through an Internet connection without the user's knowledge.
Spyware
Which of the following statements about the business value of security and control is true?
Lack of sound security and control can cause firms relying on computer systems for their core business functions to lose sales and productivity.
A particular malware threat looks for weaknesses in poorly coded Web application software that get exposed when the Web application fails to filter the data entered by a user on a Web page. This results in malicious program code entering into the company'
SQL injection attack
Describe risk assessment.
Risk assessment determines the potential frequency of the occurrence of a problem and the potential damage if the problem were to occur. It is used to determine the cost/benefit of a control.
At GearUp, criminals accessed the company's improperly secured wireless system and stole customers' credit card information as well as employee social security numbers. What kind of computer crime did GearUp face?
Sniffing. Sniffing occurs when computer communications are intercepted and data is disclosed to unauthorized people.
You also look into another recent data security problem GearUp faced when many customers were denied service from its web site after IT ran a software update at peak usage time. How can you characterize the cause of this problem?
Human error. IT personnel made a mistake by running a software update at peak usage time, causing the web site to crash resulting in a temporary denial of service.
What is your first step in implementing GearOn's improved security?
Develop a company-wide security policy. This step should be implemented first, before additional steps are taken.
What technical safeguards will you use to allow GearOn employees to securely access the database that stores members' credit card data?
Smart card and PIN. This was the best choice, as it fulfills Eliot's clear directive to protect members' data.
You consider installing a firewall or multiple firewalls as technical safeguards for secure access to the database. How many firewalls will you install?
A perimeter firewall and an internal firewall. This was the best choice. Multiple firewalls are necessary to protect an organization.
You learn that in a previous security breach at GearUp, a disgruntled employee destroyed the encryption key that had been used to protect data. How will you prevent a similar data safeguard problem at GearOn?
Implement a key escrow procedure. This was the best choice, because a key escrow procedure is when a trusted party has a copy of the encryption key. If GearOn's copy of the key were destroyed, a key escrow procedure would allow it to be easily re-implemen
What is the most effective way to begin setting up human security safeguards?
Effective human safeguards begin with definitions of job tasks and responsibilities.
Several employees come to you complaining that the passwords they must use are too long, too complex, and must be changed too often. What do you tell them?
These measures are necessary for security to be strong.
This was the best choice. For passwords to be effective security measures, they must be long, complex, and changed often. Frequent password changes reduce not only the risk of password loss but also
Which of the following examines data files and sorts out low-priority online material while assigning higher priority to business-critical files?
Deep packet inspection