Managing the Networked Enterprise MGMT 230 WEEK 9: March 5 Internet Security for Emerging Managers


Page 1

Managing the Networked Enterprise, MGMT 230

WEEK 9: March 5

Internet Security for Emerging Managers

Page 2

Today’s Class

● Internet Security for Emerging Managers

but first….

● How are the assignments coming along?

Page 3

Laws that apply to traditional commerce apply equally to the online world

• Examples include:
  – business incorporation and name registration
  – taxation
  – consumer protection and deceptive advertising
  – importing/exporting
  – product safety and product standards
  – criminal code
  – trade treaties and trade embargos
  – intellectual property and liability

• Companies must comply with the law of any jurisdiction where it is considered to be “carrying on business.” (Source: Canada Revenue Agency)

Page 4

Examples of legal issues of particular interest to online businesses

• Copyright law (discussed last week)

• Trademarks and domain names

• The downside of the user-generated web: Defamation / libel / incorrect information or damaging gossip

Page 5

Enforcing trademarks and “cybersquatting”

• Should a brand or trademark owner have automatic rights to a related domain name?

• First come, first served?

• Intention of registration (bad faith; what is the domain being used for?)

• Bruce Springsteen took this case to WIPO arbitration in 2001 (and lost)
  – BruceSpringsteen.com (fan site, now taken down)
  – BruceSpringsteen.net (the official site)
  – BruceSpringstein.com (mis-spelling opportunity)

• Most countries have arbitration procedures to resolve domain name disputes

  – Cheaper and faster than going to court

• Marketers must be proactive and purchase domain name variants, e.g.

www.googel.com

Page 6

Defamation and the control of information

• How do you balance free speech rights with the right of an organization to protect its reputation from defamation?

• In a universe of “customer conversations” how do marketers control potentially damaging messages?

  – WalmartSucks.org
  – Electronic Arts' use of DRM in Spore resulted in an Amazon review bomb
  – JP Morgan's Twitter disaster
  – Bad Yelp reviews (and reprisals)

Page 7

Discussion

• What is the best reaction for an organization to take in response to possibly defamatory content on the web?

1. In comments on the company blog or company social network pages?

2. On third party websites or social networking sites?

Page 8

THE “4 PILLARS” SECURITY FRAMEWORK FOR ONLINE BUSINESS

Page 9

Managing key security issues – the 4 pillars of security

• eCommerce sites must guard their own data and their customers' data, and create a secure and predictable environment for commercial exchange: they must create TRUST

• 4 pillars of basic security for eBusiness: ‘PAIN’
  – Privacy (and confidentiality)
  – Authentication and Authorization
  – Integrity
  – Non-repudiation

Page 10

PAIN: Privacy and Confidentiality

• Protecting data

• Customer data

• Firms need to ensure that information that is private or sensitive is kept secure and not used for any purpose other than that agreed to
  – credit card numbers
  – health records, etc.

• Company data
  – trade secrets / proprietary information
  – business plans

• Data must be protected from intrusions and theft while it is stored

• Confidentiality during transactions is usually ensured by encryption

Page 11

PAIN: Authentication

• When someone submits something to your website, how can you be sure that they are who they claim to be? e.g.
  – using credit cards
  – making a contract or application
  – registering for an email newsletter

• Authentication is the process by which one entity verifies that another entity is who they claim to be

• Authentication requires evidence in the form of credentials: “something you have” plus “something you know” plus “something you are” (biometrics), e.g.
  • username and password
  • Two-factor authentication (video: Gmail example)
  • credit card: match exact billing name and address
  • digital signatures and digital certificates to authenticate web servers
  • SSL Certificates: What are they? (video)

Page 12

PAIN: Authorization

• Once a person has been authenticated, we need to be satisfied that she is authorized to access or do certain things on our site

• Does the person (or program) have the right to access particular data, programs, or system resources? (particularly important when protecting a server from hackers)

• Authorization is usually determined by comparing information about the person or program with access control information associated with the resource being accessed (permissions)

Page 13

PAIN: Integrity

• Integrity is the ability to prevent data from being altered or destroyed in an unauthorized or accidental manner. This could include:
  – Hacking to deface a website
  – Altering data held on your website or database
  – Intercepting data

• The parties to a transaction must be assured that all data and documents connected with it cannot be altered without detection

Page 14

PAIN: Non-repudiation

• The ability to ensure that neither side in a transaction can later claim that they, for instance,
  – didn't order something using a credit card
  – or didn't accept an order or offer for something

• Non-repudiation ensures that neither side can back out of a transaction by claiming it never took place
  – A particular problem with credit cards
  • Verified by Visa

• Non-repudiation is usually achieved by using digital signatures, which make it difficult to claim that you weren't involved in an exchange
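As an added illustration of the Integrity and Non-repudiation pillars (example code written for this page, not from the slides or the cited textbook), the script below tags a constructed order with an HMAC so that any change to it is detected, and then shows why a tag made with a key both parties share proves integrity but not who produced it, which is the gap a digital signature (private key held by one party only) closes. The order, key value and party names are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed sample order; a real shop would take this from the checkout form.
ORDER = {"order_id": "A-1001", "customer": "alice", "amount_cents": 4999}

# Constructed shared secret between customer app and merchant (demo value only).
SHARED_KEY = b"demo-shared-secret-do-not-reuse"


def canonical(doc: dict) -> bytes:
    """Serialise the document deterministically so both sides tag identical bytes."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def tag_document(key: bytes, doc: dict) -> str:
    """Integrity tag: HMAC-SHA256 over the canonical form of the document."""
    return hmac.new(key, canonical(doc), hashlib.sha256).hexdigest()


def verify_document(key: bytes, doc: dict, tag: str) -> bool:
    """True only if the document is unchanged since the tag was computed.
    compare_digest avoids leaking how many leading bytes matched via timing."""
    return hmac.compare_digest(tag_document(key, doc), tag)


def tampered_copy(doc: dict) -> dict:
    """The 'intercepting data' case from the Integrity slide: amount changed in transit."""
    changed = dict(doc)
    changed["amount_cents"] = 99
    return changed


def either_party_can_forge(key: bytes, doc: dict, merchant_tag: str) -> bool:
    """With a shared key the customer recomputes the merchant's exact tag, so the
    tag cannot show which party made it: integrity yes, non-repudiation no."""
    customer_tag = tag_document(key, doc)
    return hmac.compare_digest(customer_tag, merchant_tag)


if __name__ == "__main__":
    tag = tag_document(SHARED_KEY, ORDER)
    print("original verifies:", verify_document(SHARED_KEY, ORDER, tag))
    print("tampered verifies:", verify_document(SHARED_KEY, tampered_copy(ORDER), tag))
    print("customer could forge merchant tag:", either_party_can_forge(SHARED_KEY, ORDER, tag))
```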

Page 15

MANAGING SECURITY IN eBUSINESS

Page 16

Why is security an important management issue?

• Information is a key business asset
  – It needs to be accessible to all who need it
  – It needs to be protected

• Managers need to develop and implement an overall strategy for security

• Managers need to understand the threats

• Managers need to understand specific techniques for protecting systems

• Particularly important as organizations move into eBusiness and open up networks

McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall

Page 17

Risk targets can be divided into two broad categories (diagram):

• Servers / web sites
  – Malicious code
  – Physical infrastructure

• Data
  – Moving across networks
  – Stored (at rest)

Page 18

Why is this such a high profile issue?

• eBusiness – inevitable exposure to additional vulnerabilities in using networks

• High profile websites and businesses under attack

• Sony PlayStation 2011 hack – impacted 70m people

• Sony Pictures Entertainment 2014 – confidential data and embarrassing emails

• Target 2013 – 40 million stolen CC numbers (payments to banks alone cost them $40m)

• Ashley Madison 2015 – personal information, email addresses & CC numbers of millions of account holders

• Yahoo 2016 – “500 million of Yahoo’s user names, birthdates, email addresses and hashed passwords has been offered for sale on the dark web marketplace The Real Deal”

• Consumer impacts (credit cards exposed, viruses, malware, spyware etc) – resulting in loss of reputation, loss of brand equity, loss of customers, and loss of revenue

Page 19

Management problem?

• “Airtight security is not possible because companies have to allow online commerce. They have to make trade-offs between absolute information security and efficient flow of information.”

McNurlin & Sprague

• The management challenge is that of finding the balance

• “..the key components for managing a security program are the likelihood and the likely impact of an attack.”

McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall

Page 20

https://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/_mgs/nfgrphcs-2012-10-19-eng.jpg

Page 21

Problems with mobile exposure

https://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/_mgs/nfgrphcs-2012-10-19-eng.jpg

Page 22

Consequences of cyber crime

https://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/_mgs/nfgrphcs-2012-10-19-eng.jpg

Page 23

Risks to physical infrastructure

– Distributed Denial of Service attacks (DDoS)
  • Wikileaks (2010)
  • Anonymous attacks on anti-piracy websites (2011) – “Operation Payback”

– Hacking – web site defacement
  • MIT website in 2013

Page 24

Threats to corporate(and personal) infrastructure

• Malicious code

• Viruses – a piece of code attached to an executable file that must be opened for the code to run. Viruses spread by human action (usually via attachments)

• Worms – similar to viruses, but worms replicate themselves

• Trojan Horses – a piece of downloaded software that initially looks innocuous and relies on people believing that it comes from a legitimate source
  – e.g. CryptoLocker ransomware; see the video “Ransomware as Fast as Possible” for an explanation of how it works

Page 25

Ways that attacks on data happen

– Intercepted transmissions (eavesdropping / sniffing)

– Attacks related to insecure passwords – are “strong” passwords and frequent changes the answer?

– Social engineering and phishing
  • Ransomware – Anatomy of an Attack (video from Cisco)

– Security holes related to BYOD (Bring your own device)

Page 26

WHAT KIND OF PLANNING SHOULD BUSINESSES DO?

Page 27

Strategies for dealing with security risk

• Calculate risk
  – Probability of particular types of attacks occurring
  – Business impacts if they do occur

• Create an information security plan

• Train employees on security practices

• Have a business continuity and disaster recovery plan

• Keep recent backups according to a defined schedule

• Make sure that technical solutions are in place and all software is fully patched

Page 28

Next Class

● Wednesday
  ○ Working lab – website assignment

● Next Monday
  ○ Case study posted online

● Course Evaluation links emailed
  ○ Please fill these out