
Experiencing MIS 7th by m kronenke chapter 12


Document information: 45 pages, 7.7 MB

Contents

Chapter 12: Information Security Management
Copyright © 2015 Pearson Education, Inc

“We Have to Design It for Privacy and Security.”
• Tension between Maggie and Ajit regarding the terminology to use with Dr Flores
• Overly technical communication is a common problem for techies when talking with business professionals
• Maggie and Ajit discuss security design later

PRIDE Design for Security

Study Questions
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2024?

Q1: What Is the Goal of Information Systems Security?

Examples of Threat/Loss

What Are the Sources of Threats?

What Types of Security Loss Exist?

Unauthorized Data Disclosure
• Pretexting
• Phishing
• Spoofing
  – IP spoofing
  – Email spoofing
• Drive-by sniffers
• Hacking
• Natural disasters

Incorrect Data Modification
• Procedures incorrectly designed or not followed
• Increasing a customer’s discount or incorrectly modifying an employee’s salary
• Placing incorrect data on the company Web site
• Improper internal controls on systems
• System errors
• Faulty recovery actions after a disaster

Faulty Service
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)

Q7: How Can Human Safeguards Protect Against Security Threats?

Account Administration
• Account Management: standards for new user accounts, modification of account permissions, and removal of accounts that are no longer needed
• Password Management: users should change passwords frequently (note that current NIST SP 800-63B guidance no longer recommends forced periodic rotation; passwords should be changed when compromise is suspected)
• Help Desk Policies

Sample Account Acknowledgment Form

Systems Procedures

Q8: How Should Organizations Respond to Security Incidents?

Security Wrap Up
• Be aware of threats to computer security as an individual, business professional, or employee
• Know the trade-offs between loss risks and the cost of safeguards
• Know ways to protect your computing devices and data
• Understand technical, data, and human safeguards
• Understand how organizations should respond to security incidents

Q9: 2024
• APTs more common, inflicting serious damage
• Continued concern about the balance between national security and data privacy
• Computer crimes targeting mobile devices lead to improved operating system security
• Improved security procedures and employee training
• Criminals focus on less protected mid-sized and smaller organizations, and on individuals
• Electronic lawlessness by organized gangs
• Strong local “electronic” sheriffs to patrol the electronic border and enforce existing laws?

Guide: Metasecurity
• What are the security problems?
• What are the managers’ responsibilities for controls over the security system?
• All major software vendors are obvious targets for security attacks against their networks. What do these companies do to prevent this?
• What extra precautions can you take when you hire and manage employees such as white-hat hackers?

Guide: The Final, Final Word
• Routine work will migrate to countries with lower labor costs
• Be a symbolic-analytic worker
  – Abstract thinking
  – How to experiment
  – Systems thinking
  – Collaboration
• The best is yet to come! What you do with it is up to you

Active Review
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2024

Case 12: Will You Trust FIDO?
• One-third of all people record passwords somewhere, whether on a sticky note or in a computer file
• Malicious code searches for files that include "password" or some variant
• Many web sites offer to authenticate you using your Facebook or other common credentials
• Use credentials only at the site where they were created

Alternatives to Passwords
• Biometric: fingerprints, retinal scans, keystroke rhythm
• Picture password in Windows: the user makes three gestures over a photo
• Asking the user to name people in a group photo or to provide facts about the people in the photo
• One defect: if the user’s authentication is compromised once, it is compromised for all sites where that authentication method is used

Fast Identity Online (FIDO)

Will You Trust FIDO? Probably
• FIDO does not eliminate the need to send private data over the Internet, but substantially reduces it
• Password or PIN never sent over a network
• Forming open standards and asking the community to find holes and problems long before the standard is implemented
• Support of major, well-funded organizations

Preview excerpts (search-result snippets from other slides; truncated in the source):
• Q2: How Big Is the Computer Security Problem?
• Computer Crime Costs per Organizational Respondent
• Average Computer Crime Cost and ...
• Attacks by Type (5 Most Expensive Types)
• Ponemon Study Findings (2012): It is difficult to estimate the exact cost of a computer crime; Cost of computer ...
• Ponemon 2012 Studies Summary: Median cost of computer crime increasing; Malicious insiders an increasingly serious security threat; Data loss is the principal cost of computer crime; Survey ...

Posted: 17/01/2018, 16:33