
Security

If I get 7.5% interest on $5,349.44, how much do I get in a month?

(.075/12) = .00625 * 5,349.44 = $33.434

What happens to the .004? .004 + .004 + .004 = .012. .004 * 1,000,000 customers * 12 months =

$48,000!!!!! Nice income supplement.

Standard Example
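The rounding trick above is easier to catch than to spot by eye if the ledger is reconciled. This added example (not from the slides) uses the slide's own figures with Python's Decimal arithmetic: it shows the .004 residue, adds it up across the one million customers, and applies the control total an auditor would want, where credited interest plus the rounding account must equal the interest actually owed.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

# Constructed from the slide's figures: 7.5% per year, credited monthly.
MONTHLY_RATE = Decimal("0.075") / 12      # 0.00625
CENT = Decimal("0.01")

def exact_interest(balance) -> Decimal:
    """Interest owed for one month, carried at full precision (5,349.44 -> 33.434)."""
    return Decimal(balance) * MONTHLY_RATE

def post_truncated(balance) -> Decimal:
    """Credit whole cents only; the fraction of a cent (.004) is silently dropped."""
    return exact_interest(balance).quantize(CENT, rounding=ROUND_DOWN)

def post_rounded(balance) -> Decimal:
    """Banker's rounding instead: the residue is signed and averages out
    rather than always favouring whoever collects it."""
    return exact_interest(balance).quantize(CENT, rounding=ROUND_HALF_EVEN)

def reconcile(accounts, post, months=12):
    """accounts maps a balance to how many customers hold it.
    Returns (interest owed, interest credited, residue) for the period."""
    owed = sum(exact_interest(b) * n for b, n in accounts.items()) * months
    credited = sum(post(b) * n for b, n in accounts.items()) * months
    return owed, credited, owed - credited

def unaccounted(owed, credited, rounding_account) -> Decimal:
    """Control total: credits plus the rounding/suspense account must add back
    to what was owed. A non-zero result is money that left the ledger in the rounding step."""
    return owed - credited - Decimal(rounding_account)

if __name__ == "__main__":
    slide = {"5349.44": 1_000_000}            # the slide's one million identical customers
    owed, credited, residue = reconcile(slide, post_truncated)
    print(f"owed {owed:.2f}  credited {credited:.2f}  residue {residue:.2f}")   # residue 48000.00
    # A rounding account holding only 41,000 of it means 7,000 was diverted.
    print("unaccounted:", unaccounted(owed, credited, "41000"))
```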

Computer Crime

Computer crime losses estimated between $15-$300 Billion annually.

“The playground bullies are learning how to type” -- Forbes Magazine.

BUT, crime is not the only security area!

Three main concerns:
– evil (crime)
– system limitations
– Carelessness / Stupidity

The First Line of Defense - People

Organizations must enable employees, customers, and partners to access information electronically

The biggest issue surrounding information security is not a technical issue, but a people issue

33% of security incidents originate within the organization
– Insiders – legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident

The First Line of Defense - People

The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
– Information security policies – identify the rules required to maintain information security
– Information security plan – details how an organization will implement the information security policies

The First Line of Defense - People

Five steps to creating an information security plan:
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
– Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network
– Intrusion detection software (IDS) – searches out patterns in network traffic to indicate attacks and quickly respond to prevent harm
4. Test and reevaluate risks
5. Obtain stakeholder support

The First Line of Defense - People

Hackers frequently use “social engineering” to obtain passwords
– Social engineering – using one’s social skills to trick people into revealing access credentials or other information valuable to the attacker

The Second Line of Defense - Technology

Three primary information security areas:
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response

AUTHENTICATION AND AUTHORIZATION

Authentication – a method for confirming users’ identities

The most secure type of authentication involves a combination of the following:
1. Something the user knows such as a user ID and password
2. Something the user has such as a smart card or token
3. Something that is part of the user such as a fingerprint or voice signature

Something the User Knows such as a User ID and Password

This is the most common way to identify individual users and typically contains a user ID and a password

This is also the most ineffective form of authentication

Over 50 percent of help-desk calls are password related

Something the User Has such as a Smart Card or Token

Smart cards and tokens are more effective than a user ID and a password
– Tokens – small electronic devices that change user passwords automatically
– Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
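A token that "changes the user's password automatically" is in practice a time-based one-time password generator. This added example (not from the slides) implements both halves of RFC 6238 TOTP with only the Python standard library: the token side that derives the current code from a shared seed and the clock, and the server side that checks it with a small drift window, a constant-time compare, and a replay check so the same code is never accepted twice. The seed is the RFC's published test secret, not a real key.

```python
import hashlib, hmac, struct, time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238, the token side: the counter is the current 30-second time step,
    so the displayed code changes by itself without the user doing anything."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, candidate: str, at: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """The server side. Returns the accepted time step, or None.
    - tolerates `window` steps of clock drift either way
    - refuses steps at or before `last_counter`, so a code that was already used
      (or was watched being typed) cannot be replayed within its lifetime
    - compares in constant time so response timing does not leak the expected code"""
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if c > last_counter and hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None

if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret; a real token's seed is unique per device
    now = int(time.time())
    code = totp(secret, now)
    print("token shows:", code, "accepted at step:", verify_totp(secret, code, now))
```

The caller is expected to store the returned step as `last_counter` for the user's next login; that single integer is what turns the check into a one-time password.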

Something That Is Part of the User such as a Fingerprint or Voice Signature

This is by far the best and most effective way to manage authentication
– Biometrics – the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting

Unfortunately, this method can be costly and intrusive

PREVENTION AND RESISTANCE

Downtime can cost an organization anywhere from $100 to $1 million per hour

Technologies available to help prevent and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls

Content Filtering

Organizations can use content filtering technologies to filter e-mail and prevent e-mails containing sensitive information from transmitting and stop spam and viruses from spreading.
– Content filtering – occurs when organizations use software that filters content to prevent the transmission of unauthorized information
– Spam – a form of unsolicited e-mail

ENCRYPTION

If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
– Encryption – scrambles information into an alternative form that requires a key or password to decrypt the information

PUBLIC KEY ENCRYPTION (diagram): SENDER --(encrypt with public key)--> SCRAMBLED MESSAGE --(decrypt with private key)--> RECIPIENT

SECURITY AND THE INTERNET

FIREWALLS

One of the most common defenses for preventing a security breach is a firewall
– Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network

FIREWALLS

Sample firewall architecture connecting systems located in Chicago, New York, and Boston (diagram)
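The definition above stresses traffic leaving as well as entering the network. This added example (not from the slides) is a minimal first-match packet filter in Python with a default-deny policy in both directions, applied to a constructed rule set for a hypothetical 10.0.0.0/24 private network and a few constructed packets; the outside addresses are documentation ranges, not real hosts. It also shows the anti-spoofing rule that drops inbound packets claiming an inside source address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    direction: str                   # "in" = entering the private network, "out" = leaving it
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: str                         # CIDR; "0.0.0.0/0" means anywhere
    dst: str
    dports: frozenset = frozenset()  # empty = any destination port

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (not rule.dports or pkt.dport in rule.dports))

def decide(rules, pkt: Packet) -> str:
    """First matching rule wins. Traffic no rule speaks for is dropped (default deny)
    in both directions: the egress rules are what catch data leaving the network."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

def audit(rules, packets):
    """Verdict per packet; the denied flows are what an IDS or log review looks at next."""
    return [(p, decide(rules, p)) for p in packets]

# Constructed policy (hypothetical addresses).
PRIVATE, ANY = "10.0.0.0/24", "0.0.0.0/0"
RULES = (
    Rule("in",  "deny",  "any", PRIVATE, ANY),                          # anti-spoof: outside packets never carry inside sources
    Rule("in",  "allow", "tcp", ANY, "10.0.0.5/32", frozenset({443})),  # only the web server, only HTTPS
    Rule("out", "allow", "tcp", PRIVATE, ANY, frozenset({80, 443})),    # workstations may browse, nothing else leaves
)
SAMPLE = [
    Packet("in",  "tcp", "198.51.100.4", "10.0.0.5", 443),   # customer reaching the web server
    Packet("in",  "tcp", "198.51.100.4", "10.0.0.5", 3389),  # remote desktop from outside
    Packet("out", "tcp", "10.0.0.7", "203.0.113.9", 443),    # workstation browsing
    Packet("out", "tcp", "10.0.0.7", "203.0.113.9", 6667),   # workstation talking out on an odd port
]
```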

DETECTION AND RESPONSE

If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage

Antivirus software is the most common type of detection and response technology

DETECTION AND RESPONSE

Some of the most damaging forms of security threats to e-business sites include:
– Malicious code – includes a variety of threats such as viruses, worms, and Trojan horses
– Hoaxes – attack computer systems by transmitting a virus hoax, with a real virus attached
– Spoofing – the forging of the return address on an e-mail so that the e-mail message appears to come from someone other than the actual sender
– Sniffer – a program or device that can monitor data traveling over a network

Providing Security - Procedural

Keep an electronic audit trail.

Separate duties. Never allow too much power to one individual.

In ES, don’t allow the expert to update the knowledge base.

Continually assess threats, risks, exposures, and vulnerabilities.

Have standard procedures and documentation.

Strict authorization requirements.

Providing Security - Procedural

Outside audits.

“Security is everybody’s business” -- give awards, etc.

Have a disaster recovery plan. Lacked by 60% of all businesses!

Use intelligent systems capability of firm to flag problems.

Providing Security - Physical

All hard drives will eventually crash. This fact should be your first to consider. Everything else doesn’t count if you’ve forgotten this.

Secure systems physically.

Separate systems physically.

Have off site storage.

Backups - files more than programs.

Fault tolerance - UPS.

Don’t let your corporate knowledge get lost. This is WAY more important for DSS than TPS… should figure 2:1 on physical security procedures.