Outline how businesses have protected themselves from cybersecurity threats, and the impact on their working and competitiveness. Suggest a company (Google) that handled cybersecurity threats and developed mechanisms to maintain its working and competitiveness.
The paper should relate to some of the concepts covered in Chapter 10, Chapter Extension 14, and the attached “Cybersecurity Portfolio.pdf” file.
Use the following section titles (outline):
· Describe cybersecurity in general.
· Describe how cybersecurity impacts business in general.
· Describe Google and its working/competitive environment. Anytime a company is described, make sure the company description provides details like its products, its history, etc. even if the company is widely known.
· Outline how Google is handling cybersecurity threats to maintain its working and competitiveness. Provide instances of threats encountered and steps undertaken that are properly referenced.
12-point font, double spaced, 4 pages, include references.
Information Security Management
Chapter 10
10-2
Study Questions
Copyright © 2017 Pearson Education, Inc.
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
How does the knowledge in this chapter help you?
10-3
Q1: What Is the Goal of Information Systems Security?
10-4
Examples of Threat/Loss
10-5
What Are the Sources of Threats?
10-6
What Types of Security Loss Exist?
• Unauthorized data disclosure
– Pretexting
– Phishing
– Spoofing (IP spoofing, email spoofing)
– Drive-by sniffers, wardrivers
– Hacking and natural disasters
10-7
Incorrect Data Modification
• Procedures incorrectly designed or not followed
• Increasing a customer’s discount or incorrectly modifying employee’s salary
• Placing incorrect data on company Web site
• Improper internal controls on systems
• System errors
• Faulty recovery actions after a disaster
10-8
Faulty Service
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)
10-9
Loss of Infrastructure
• Human accidents
• Theft and terrorist events
• Disgruntled or terminated employee
• Natural disasters
• Advanced Persistent Threat (APT1)
– Theft of intellectual property from U.S. firms
10-10
Goal of Information Systems Security
• Appropriate trade-off between risk of loss and cost of implementing safeguards
• Use antivirus software
• Deleting browser cookies (Worth it?)
• Get in front of security problems by making appropriate trade-offs
10-11
Q2: How Big Is the Computer Security Problem?
10-12
Computer Crime Costs by Attack Type
10-13
Ponemon Study Findings (2014)
• Malicious insiders increasingly serious threat
• Business disruption and data loss principal costs of computer crime
• Negligent employees, personal devices connecting to corporate network, use of commercial cloud-based applications pose significant security threats
• Security safeguards work
• Ponemon Study 2014
10-14
Q3: How Should You Respond to Security Threats?
Personal Security Safeguards
Intrusion detection system (IDS)
10-15
Security Safeguards and the Five Components
10-16
So What? New from Black Hat 2014
• Educational forum for hackers, developers, manufacturers, and government agencies
• Briefings on how things can be hacked
• Show how to exploit weaknesses in hardware, software, protocols, or systems from smartphones to ATMs
10-17
Keynote Speaker Recommendations
1. Mandatory reporting of security vulnerabilities
2. Software makers liable for damage their code causes after abandoned or users allowed to see it
3. ISP liable for harmful, inspected content
4. “Right to be forgotten” – appropriate and advantageous
5. End-to-End Encrypted Email
10-18
Hacking Smart Things
• Automobile wireless features and poor internal systems architecture allow hackers to access automated driving functions through features like car’s radio
• Control hotel lights, thermostats, televisions, and blinds in 200+ rooms by reverse-engineering home automation protocol called KNX/IP
• 70% smart devices use unencrypted network services, 60% vulnerable to persistent XSS (cross-site scripting), and weak credentials
10-19
Q4: How Should Organizations Respond to Security Threats?
• Senior management creates company-wide policies:
– What sensitive data will be stored?
– How will data be processed?
– Will data be shared with other organizations?
– How can employees and others obtain copies of data stored about them?
– How can employees and others request changes to inaccurate data?
• Senior management manages risks
10-20
Q5: How Can Technical Safeguards Protect Against Security Threats?
10-21
Technical safeguards
• Identification and authentication
– Smart cards
– Biometric authentication
• Single sign-on for multiple systems
• Encryption
– Symmetric encryption
– Asymmetric encryption
– Public key encryption: a special version of asymmetric encryption
10-22
Essence of https (SSL or TLS)
10-23
Use of Multiple Firewalls
Packet-filtering Firewall
10-24
Malware Types and Spyware and Adware Symptoms
• Viruses
• Payload
• Trojan horses
• Worms
• Spyware
• Adware
10-25
Malware Safeguards
• Install antivirus and antispyware software
• Scan your computer frequently
• Update malware definitions
• Open email attachments only from known sources
• Promptly install software updates from legitimate sources
• Browse only reputable web sites
10-26
Design for Secure Applications
• SQL injection attack
– User enters SQL statement into a form instead of a name or other data
– Accepted code becomes part of database commands issued
– Improper data disclosure, data damage and loss possible
– Well-designed applications make injections ineffective
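The slide's point, shown as an added example that is not part of the textbook slides: the same customer lookup written first by splicing the form value into the SQL text, then as a parameterized query. The table and rows are constructed sample data held in an in-memory SQLite database so the script runs offline.

```python
import sqlite3

# Constructed sample data so the example runs offline.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com", 0.10),
    (2, "bob", "bob@example.com", 0.05),
    (3, "carol", "carol@example.com", 0.15),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, email TEXT, discount REAL)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, name):
    """The failure mode the slide describes: the form value is spliced into the
    SQL text, so whatever the user typed becomes part of the command the DBMS runs."""
    sql = "SELECT id, name, email FROM customer WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a parameterized query. The driver passes the value
    separately from the statement text, so it is only ever compared as data."""
    sql = "SELECT id, name, email FROM customer WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against a normal name and a constructed malformed input.
    Returns the rows each variant produced so the difference can be inspected."""
    conn = build_db()
    normal = "bob"
    # Constructed input containing a quote and a tautology. Spliced into the
    # vulnerable query it rewrites the WHERE clause; as a bound parameter it is
    # just a name that matches nobody.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "safe_normal": lookup_safe(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable variant returns every customer for the malformed input (the improper data disclosure the slide names); the parameterized variant returns nothing for it and the same single row as before for a legitimate name.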
10-27
Q6: How Can Data Safeguards Protect Against Security Threats?
• Data safeguards
• Data administration
• Key escrow
10-28
Q7: How Can Human Safeguards Protect Against Security Threats?
10-29
Human Safeguards for Nonemployee Personnel
• Temporary personnel, vendors, partner personnel (employees of business partners), and public
• Require vendors and partners to perform appropriate screening and security training
• Contract specifies security responsibilities
• Least privilege accounts and passwords, remove accounts as soon as possible
10-30
Public Users
• Web sites and other openly accessible information systems
– Hardening: special versions of operating systems that lock down or eliminate operating system features and functions not required by the application
– Protect public users from internal company security problems
10-31
Account Administration
• Account management
– Standards for new user accounts, modification of account permissions, removal of unneeded accounts
• Password management
– Users change passwords frequently
• Help desk policies
– Provide means of authenticating users
10-32
Sample Account Acknowledgment Form
10-33
Systems Procedures
10-34
Security Monitoring
• Activity logs
– Firewall log: lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall
– DBMS: successful and failed logins
– Web servers: voluminous logs of Web activities
• PC operating systems produce logs of log-ins and firewall activities
10-35
Security Monitoring (cont’d)
• Employ utilities to assess their vulnerabilities
• Honeypots for computer criminals to attack
• Investigate security incidents
• Constantly monitor existing security policy and safeguards
10-36
Q8: How Should Organizations Respond to Security Incidents?
10-37
How Does the Knowledge in This Chapter Help You?
• Awareness of:
– Threats to computer security as an individual, business professional, employer
– Risk trade-offs
– Technical, data, human safeguards to protect computing devices and data
– How organizations should respond to security threats
– How organizations should respond to security incidents
– Importance of creating and using strong passwords!
10-38
Ethics Guide: Hacking Smart Things
• Unintended risks associated with IoT
• 26 billion IoT devices by 2020
• Hackers access automated driving functions through features like the car’s radio
– Via automobile wireless features with poor internal systems architecture
• Control hotel lights, thermostats, televisions, room blinds by reverse-engineering home automation protocol (KNX/IP)
10-39
Ethics Guide: Hacking Smart Things
• Threats to securing home, appliances, your car
– 70% of smart devices use unencrypted network services
– 60% vulnerable to persistent XSS (cross-site scripting) and weak credentials
10-40
Guide: EMV to the Rescue
• EMV chip-and-PIN.
• Changes way cards are verified
• Chip verifies authenticity of physical card, PIN verifies identity of cardholder
• What can EMV do to protect you?
10-41
Case Study 10: Hitting the Target
• Lost 40 million credit and debit card numbers
• Less than a month later, announced an additional 70 million customer accounts stolen that included names, emails, addresses, phone numbers, etc.
• 98 million customers affected – 31% of 318 million in US
• Stolen from point-of-sale (POS) systems at Target stores during holiday shopping season
10-42
Hitting the Target (cont’d)
• Spear-phished third party vendor, Fazio Mechanical Services
• Malware gathered keystrokes, login credentials, screenshots from Fazio users
• Used stolen login credentials to access vendor server on Target’s network
• Escalated privileges to gain access to Target’s internal network
• Compromised internal Windows file server
• Installed malware named Trojan.POSRAM
10-43
Hitting the Target (cont’d)
• Customer data continuously sent from POS terminals to an extraction server within Target’s network
• Funneled out of Target’s network to drop servers in Russia, Brazil, and Miami
• Data sold on black market
10-44
How Did They Do It?
Spear-phished malware to gather keystrokes, login credentials, and screenshots from Fazio users
Attackers escalated privileges to gain access to Target’s internal network.
Trojan.POSRAM extracted data from POS terminals
10-45
Damage
• Attackers sold about 2 million cards for $26.85 each ($53.7M)
• Target took loss on merchandise purchased using stolen credit cards
• Costs
– Upgraded POS terminals to support chip-and-PIN cards
– Increased insurance premiums
– Paid legal fees
– Settled with credit card processors
– Paid consumer credit monitoring
– Paid regulatory fines
10-46
Damage (cont'd)
• Target loss of customer confidence and drop in revenues (46% loss for quarter)
• Direct loss to Target as high as $450 million
• CIO resigned, CEO paid $16 million to leave
• Cost credit unions and banks more than $200 million to issue new cards
• Insurers demand higher premiums, stricter controls, more system auditing
• Consumers must watch their credit card statements, and fill out paperwork if fraudulent charges appear
Data Breaches
Chapter Extension 14
ce14-2
Study Questions
Q1: What is a data breach?
Q2: How do data breaches happen?
Q3: How should organizations respond to data breaches?
Q4: What are the legal consequences of a data breach?
Q5: How can data breaches be prevented?
ce14-3
Q1: What Is a Data Breach?
• Data breach: an unauthorized person views, alters, or steals secured data
• 1+ billion people affected in the past 5 years; 75% of breaches happened in the US
• Average cost of a single data breach: $3.5 million
• Average costs per stolen record:
– Healthcare ($359)
– Education ($294)
– Pharmaceutical ($227)
– Financial ($206)
– Communications industries ($177)
ce14-4
Costs of Handling a Data Breach
Direct costs
• Notification
• Detection
• Escalation
• Remediation
• Legal fees and consultation
Indirect costs
• Loss of reputation
• Abnormal customer turnover
• Increased customer acquisition activities
• Additional $3.3 million per incident in US
ce14-5
What Are the Odds?
• More likely to lose smaller amounts of data than larger amounts of data
– 22% chance of losing 10,000 records over any 24-month period
– <1% chance of losing 100,000 records over the same period
ce14-6
Well-known Data Breaches
ce14-7
Why Do Data Breaches Happen?
• 67% are hackers trying to make money from:
– Personally identifiable information (PII): names, addresses, dates of birth, Social Security numbers, credit card numbers, health records, bank account numbers, PINs, email addresses
• Rogue internal employees
• Credit card fraud, identity theft, extortion, industrial espionage
ce14-8
Q2: How Do Data Breaches Happen?
• Attack vectors
– Phishing scam
– Trick users into donating funds for a natural disaster
– Exploit new software vulnerability
ce14-9
Hitting Target
• Lost 40 million credit and debit card numbers to attackers (Dec. 18, 2013)
• Less than a month later, announced an additional 70 million customer names, emails, addresses, phone numbers stolen
– Total 98 million customers affected
• Stolen from point-of-sale (POS) systems at Target retail stores
ce14-10
How Did They Do It?
ce14-11
The Damage
• Attackers sold about 2 million credit card numbers and PINs for about $26.85 each (total $53.7 million)
• Sold in batches of 100,000 card numbers
• Cost Target $450 million
– Upgraded POS terminals to support chip-and-PIN enabled cards
– Increased insurance premiums, legal fees, credit card processors settlement, pay for consumer credit monitoring, regulatory fines
– Lost sales: 46% drop in next quarter revenues
ce14-12
Collateral Damage
• Credit unions and banks
– Spent more than $200 million issuing new cards
• Consumers
– Enrolled in credit monitoring, continually watch their credit, and fill out paperwork if fraudulent charges appear on statements
• Increased insurance premiums, stricter controls, and more system auditing for organizations similar to Target
ce14-13
Q3: How Should Organizations Respond To Data Breaches?
• Respond quickly
– Stop hackers from doing more damage (exfiltration, i.e., illegally transferring data out)
– Immediately notify affected users
• Plan for a data breach
– Walkthroughs, business continuity planning, computer security incident response team (CSIRT)
ce14-14
Q3: How Should Organizations Respond To Data Breaches? (cont'd)
• Get experts to perform an effective forensic investigation
• Identify additional technical and law enforcement professionals needed
• Be honest about the breach
ce14-15
Best Practices for Notifying Users of a Data Breach
ce14-16
Q4: What Are The Legal Consequences of a Data Breach?
ce14-17
Regulatory Laws Govern the Secure Storage of Data in Certain Industries
• Federal Information Security Management Act (FISMA)
– Requires security precautions for government agencies
• Gramm-Leach-Bliley Act (GLBA), a.k.a. Financial Services Modernization Act
– Requires data protection for financial institutions
• Health Information Portability and Accountability Act (HIPAA)
– Requires data protection for healthcare institutions
• Payment Card Industry Data Security Standard (PCI DSS)
– Governs secure storage of cardholder data
• Family Educational Rights and Privacy Act (FERPA)
– Provides protection for student education records
ce14-18
Q5: How Can Data Breaches Be Prevented?
• Use countermeasures: software or procedures to prevent an attack
• Better phishing detection software
• Better authentication (i.e., multifactor authentication)
• Network intrusion detection system (NIDS) to examine traffic passing through the internal network
• Data loss prevention (DLP) systems to prevent sensitive data from being released to unauthorized persons
ce14-19
Q5: How Can Data Breaches Be Prevented? (cont'd)
• Appoint a chief information security officer (CISO) to ensure sufficient executive support and resources
CYBER SECURITY PRIMER
A brief introduction to cyber security for students who are new to the field.
Network outages, data compromised by hackers, computer viruses and other incidents affect our lives in ways that range from inconvenient to life-threatening. As the number of mobile users, digital applications and data networks increase, so do the opportunities for exploitation.
WHAT IS CYBER SECURITY? Cyber security, also referred to as information technology security, focuses on protecting computers, networks, programs and data from unintended or unauthorized access, change or destruction.
WHY IS CYBER SECURITY IMPORTANT? Governments, military, corporations, financial institutions, hospitals and other businesses collect, process and store a great deal of confidential information on computers and transmit that data across networks to other computers. With the growing volume and sophistication of cyber attacks, ongoing attention is required to protect sensitive business and personal information, as well as safeguard national security.
During a Senate hearing in March 2013, the nation's top intelligence officials warned that cyber attacks and digital spying are the top threat to national security, eclipsing terrorism.
CYBER SECURITY GLOSSARY OF TERMS Learn cyber speak by familiarizing yourself with cyber security terminology.
Access − The ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains or to control system components and functions.
Active Attack − An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources, its data or its operations.
Blacklist − A list of entities that are blocked or denied privileges or access.
Bot − A computer connected to the Internet that has been surreptitiously/secretly compromised with malicious logic to perform activities under the remote command and control of a remote administrator.
Cloud Computing − A model for enabling on-demand network access to a shared pool of configurable computing capabilities or resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Critical Infrastructure − The systems and assets, whether physical or virtual, so vital to society that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment or any combination of these matters.
Cryptography − The use of mathematical techniques to provide security services, such as confidentiality, data integrity, entity authentication and data origin authentication.
Cyber Space − The interdependent network of information technology infrastructures, that includes the Internet, telecommunications networks, computer systems and embedded processors and controllers.
Data Breach − The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.
Digital Forensics − The processes and specialized techniques for gathering, retaining and analyzing system-related data (digital evidence) for investigative purposes.
Enterprise Risk Management − A comprehensive approach to risk management that engages people, processes and systems across an organization to improve the quality of decision making for managing risks that may hinder an organization's ability to achieve its objectives.
Information Assurance − The measures that protect and defend information and information systems by ensuring their availability, integrity and confidentiality.
Intrusion Detection − The process and methods for analyzing information from networks and information systems to determine if a security breach or security violation has occurred.
Key − The numerical value used to control cryptographic operations, such as decryption, encryption, signature generation or signature verification.
Malware − Software that compromises the operation of a system by performing an unauthorized function or process.
Passive Attack − An actual assault perpetrated by an intentional threat source that attempts to learn or make use of information from a system but does not attempt to alter the system, its resources, its data or its operations.
Penetration Testing − An evaluation methodology whereby assessors search for vulnerabilities and attempt to circumvent the security features of a network and/or information system.
Phishing − A digital form of social engineering to deceive individuals into providing sensitive information.
Rootkit − A set of software tools with administrator-level access privileges installed on an information system and designed to hide the presence of the tools, maintain the access privileges and conceal the activities conducted by the tools.
Software Assurance − The level of confidence that software is free from vulnerabilities, e