Embed Size (px)
Citation preview
Chapter 11
Information Security Management
Agenda
• Security Threats– Sources– Problems
• Security Program– Senior Management’s Security Role– Technical Safeguard– Data Safeguard– Human Safeguard– Disaster Preparedness– Incident Response
Sources of Security Threats
• Human error and mistakes– Employees and non-employees– Accidental problems– Poorly written application programs– Poorly designed procedures
• Malicious human activity– Employees, former employees, hackers, and outside criminals– Intentionally destroy data or other systems components– Steal for financial gain– Terrorism
• Natural events and disasters– Acts of nature– Loss of capability, service, and recovery
Problems of Security Threats
• Unauthorized data disclosure
• Incorrect data modification
• Faulty service
• Denial of service
• Loss of infrastructure
Unauthorized Data Disclosure
• Pretexting: someone pretending to be someone else
• Phishing: someone pretending a legitimate company and obtaining confidential data by email
• Spoofing: IP spoofing and Email spoofing• Sniffing: intercepting computer communication• Drive-by sniffers: intercepting unprotected
wireless network
Incorrect Data Modification
• Human error – employees follow procedures incorrectly – procedures have been incorrectly designed
• Hacking
Faulty Service
• Incorrect system operation– Human procedure mistake
• Usurpation– Unauthorized program in a computer system
Denial of Service
• Human error
• Malicious hacker
• Natural disasters
Loss of Infrastructure
• Human accidents
• Theft and terrorist events
• Natural disasters
Security Program
• Senior management involvement– Security policy– Cost and benefit analysis
• Safeguards of various kinds– Technical protection: hardware and software– Data protection: data– Human protection: people and procedure
• Incident response– Program response to security incident
Security Elements
• By National Institute of Standards and Technology (NIST)
• Support the mission of the organization• An integral element of sound management• Cost effective• Explicit security responsibilities and
accountability• Comprehensive and integrated approach• Periodically reassessing• Constrained by social factor
Senior Management Role
• Security policy– General policy: goals and assets– Issue-specific policy: computer and email usage– System-specific policy: specific information systems
• Risk management and assessment– Assets and vulnerability– Threats– Likelihood of an adverse occurrence– Consequences– Safeguard and cost– Probable loss
Technical Safeguard
• Identification and authentication
• Encryption
• Digital signature
• Firewall
• Malware protection
• Design secure application
Identification and Authentication
• Identification– User name
• Authentication– Pass word (what you know)– Smart card (what you have)– Biometric authentication: fingerprints, facial features,
retinal scans (what you are)– Single sign-on for multiple systems (Kerberos)– Wireless: WPA (Wi-Fi Protected Access) and WPA2
Encryption
• Symmetric encryption: one key• Asymmetric encryption: public key and private
key• Secure Socket Layer (SSL) and Transport Layer
Security (TLS): only client verify true Web site• Digital signature
– Hashing– Message digest (check digits)– Digital certificate and certificate authorities
Firewall
• Definition– A computing device to prevent unauthorized network
access• Device
– A special-purpose computer– A program on a general-purpose computer or on a
router• Type
– Perimeter firewall– Internal firewall– Packet-filtering firewall– Access control list (ACL)
Use of Multiple Firewalls
Malware
• Malware: viruses, worms, Trojan horses, spyware, and adware
• Spyware: programs installed without the user’s knowledge for spying
• Adware: installed without the user’s permission for observing user behavior and popping up ads
Spyware and Adware Symptoms
• Slow system start up
• Sluggish system performance
• Many pop-up ads
• Browser homepage changes, taskbar, and other interfaces
• Unusual hard disk activity
Malware Safeguard
• Install antivirus and antispyware programs• Scan computer frequently• Update malware definitions• Open email attachments only from known
sources• Promptly install software updates from
legitimate sources• Browse only in reputable Internet
neighborhoods
Data Safeguard
• Specifying user rights and responsibilities
• User account and password
• Store sensitive data in encrypted form
• Regular backup and practice recovery
• Backup copy at remote location
• Reside in locked, controlled-access facilities
Human Safeguard for Employee• Position definition
– Job tasks and responsibilities– Least possible privilege– Documenting security sensitivity for each position
• Hiring and Screening– Interviews, references, and background investigations
• Dissemination and enforcement– Security policies, procedures, and responsibilities awareness– Training– Security responsibility, accountability, and compliance
• Termination– Termination policies and procedures– Remove accounts and passwords– Recover keys for encrypted data
Human Safeguard for Non Employee
• Temporary personnel, vendors, partner personnel, and the public
• Require vendors and partners to perform appropriate screening and security training
• Harden (extraordinary measures to reduce a system’s vulnerability) the Web site or other facility against attack
Account Administration
• User accounts– Creation of new user accounts, modification of
existing account permissions, and removal of unneeded accounts
• Password– Change password– Use proper password
• Help-desk policies and procedures for user’s forgetting password
Systems Procedures
• Users and operations personnel
• Procedures for normal, backup, and recovery operations
Systems Monitoring
• Log analysis
• Security testing
• Investigating and learning from security incident
• In-house IT personal and outside security consultants
• Updating security: new technology and requirement
Disaster Preparedness
• Locate infrastructure in safe location• Identify mission-critical systems• Identify resources needed to run those systems• Prepare remote backup facility
– Hot sites: providing remote processing centers run by commercial disaster-recovery services
– Cold site: providing office space, but customers themselves provide and install the equipment needed to continue operations
• Train and rehearse
Incident Response
• Have a plan
• Critical personnel and off-hours contact information
• Centralized reporting
• Prepare specific response for speed
• Practice
Discussion
• Ethic guide (343a-b)– Address the proper ethic issues of a online retailer
related to its customer’s information.
• Problem solving (351a-b)– Address the security issues of hiring a white hat
hacker.
• Security guide (357a-b)– Address the meta security issues of any organization.
• Reflection guide (361a-b)– Address the future of IT and IS five years latter.
Case Study
• Case 11-1 Antiphishing Tactics (365-366): 2 only
Points to Remember
• Security Threats– Sources– Problems
• Security Program– Senior Management’s Security Role– Technical Safeguard– Data Safeguard– Human Safeguard– Disaster Preparedness– Incident Response
