
Experiencing MIS 6th by Kroenke ch12


DOCUMENT INFORMATION

Chapter 12: Information Security Management

"We Have to Design It for Privacy and Security" (12-2)
• Tension between Maggie and Ajit regarding terminology to use with Dr. Flores
• Common problem for techies when talking with business professionals
  – Use too much technical language
Copyright © 2014 Pearson Education, Inc Publishing as Prentice Hall 12-2

PRIDE Design for Security (12-3)

Study Guide (12-4)
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2023?

Q1: What Is the Goal of Information Systems Security? (12-5)

Examples of Threat/Loss (12-6)

What Are the Sources of Threats? (12-7)

What Types of Security Loss Exist? (12-8)
• Unauthorized Data Disclosure
  – Pretexting
  – Phishing
  – Spoofing
    • IP spoofing
    • Email spoofing
  – Drive-by sniffers
  – Hacking
  – Natural disasters

Incorrect Data Modification (12-9)
• Procedures not followed or incorrectly designed
• Increasing a customer's discount or incorrectly modifying employee's salary
• Placing incorrect data on company Web site
• Improper internal controls on systems
• System errors
• Faulty recovery actions after a disaster

Faulty Service (12-10)
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)

Malware Types and Spyware and Adware Symptoms (12-25)
• Viruses
  – Payload
  – Trojan horses
  – Worms
  – Beacons
Spyware & Adware Symptoms

Malware Safeguards (12-26)
• Use antivirus and antispyware programs
• Scan frequently
• Update malware definitions
• Open email attachments only from known sources
• Install software updates
• Browse only reputable Internet neighborhoods

Design for Secure Applications (12-27)
• SQL injection attack
  – User enters SQL statement into a form instead of a name or other data
  – Improperly designed form accepts this code and makes it part of a database command that it issues
  – Result: Improper data disclosure and data damage and loss possible
  – Properly designed applications make injections ineffective

Q6: How Can Data Safeguards Protect Against Security Threats? (12-28)
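The "Design for Secure Applications" slide contrasts an improperly designed form with a properly designed application but shows no code. The following example is added here for this page; it is not from the Kroenke slides or the textbook. It puts the two designs side by side in Python against an in-memory SQLite table with constructed sample rows: lookup_vulnerable builds the query by string formatting, so text typed into the name field becomes part of the SQL command the database executes, while lookup_safe binds the same text as a query parameter. The table, column and function names are assumptions chosen for the demo.

```python
"""Added example (not from the Kroenke slides): a SQL-injection-prone lookup
beside its parameterized, injection-resistant form, run against an in-memory
SQLite table filled with constructed sample rows."""
import sqlite3

# Constructed sample data: a small customer table with a per-customer discount.
SAMPLE_CUSTOMERS = [
    (1, "alice", 10),
    (2, "bob", 5),
    (3, "carol", 0),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, discount INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'improperly designed form' from the slide: the user's text is
    pasted straight into the SQL string, so anything typed into the name
    field that looks like SQL becomes part of the command that is issued."""
    sql = f"SELECT id, name, discount FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The 'properly designed application': a parameterized query. The driver
    passes the user's text to the database as a bound value, never as SQL, so
    it can only ever be compared literally against the name column."""
    sql = "SELECT id, name, discount FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups on an ordinary name and on a SQL fragment entered in
    place of a name (the situation the slide describes), and return the rows
    each version disclosed."""
    conn = make_db()
    honest = "alice"
    # A SQL fragment typed into the name field instead of a name; constructed
    # for the demo to show why the string-built query must not be used.
    hostile = "' OR '1'='1"
    results = {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_honest": lookup_safe(conn, honest),
        "safe_hostile": lookup_safe(conn, hostile),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:19s} -> {rows}")
```

Running the block shows the two designs agree on the honest input (one row for alice) and diverge on the hostile one: the string-built query discloses every customer row, which is the "improper data disclosure" the slide warns about, while the parameterized query returns nothing because no customer literally has that name. The same principle, binding user data as parameters (prepared statements) rather than assembling SQL text, is what makes injections ineffective in any database driver; input validation on the form is a useful extra layer but not a substitute.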
Q7: How Can Human Safeguards Protect Against Security Threats? (12-29)

Account Administration (12-30)
• Account Management
  – Standards for new user accounts, modification of account permissions, removal of unneeded accounts
• Password Management
  – Users should change passwords frequently
• Help Desk Policies

Sample Account Acknowledgment Form (12-31)

Systems Procedures (12-32)

Q8: How Should Organizations Respond to Security Incidents? (12-33)

Q9: 2023 (12-34)
• APTs more common, inflicting serious damage
• Security of mobile devices improved
• Improved security procedures and employee training
• Criminals focus on less protected mid-sized and smaller organizations, and individuals
• Electronic lawlessness by organized gangs
• Electronic sheriffs patrol electronic borders

Guide: Metasecurity (12-35)
• What are the security problems?
• What are the managers' responsibilities for controls over the security system?

Guide: The Final, Final Word (12-36)
• Routine work will migrate to low labor-cost countries
• Be a symbolic-analytic worker
  – Abstract thinking
  – How to experiment
  – Systems thinking
  – Collaboration

Active Review (12-37)
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2023?

Case 12: Moore's Law, One More Time … (12-38)
• Doubling CPU speed helps criminals
  – Enables more powerful password crackers
• iOS, Android phones, and millions of mobile devices increase data communications and exponential opportunities for computer criminals

Posted: 17/01/2018, 16:20


Table of contents

    PRIDE Design for Security

    Q1: What Is the Goal of Information Systems Security?

    Examples of Threat/Loss

    What Are the Sources of Threats?

    What Types of Security Loss Exist?

    Q2: How Big Is the Computer Security Problem?

    Verizon–Secret Service Findings 2011

    Verizon–Secret Service Findings 2011 (cont'd)

    Types of Attacks Experienced

    Intrusion Detection System (IDS)
