
Experiencing MIS 8th by M. Kroenke, Chapter 10


DOCUMENT INFORMATION

Structure

  • Chapter 10

  • “But How Do You Implement That Security?”

  • PRIDE Design for Security

  • Study Questions

  • Q1: What Is the Goal of Information Systems Security?

  • Examples of Threat/Loss

  • What Are the Sources of Threats?

  • What Types of Security Loss Exist?

  • Incorrect Data Modification

  • Faulty Service

  • Loss of Infrastructure

  • Goal of Information Systems Security

  • Q2: How Big Is the Computer Security Problem?

  • Slide 14

  • Computer Crime Costs

  • Ponemon Study Findings (2013)

  • Ponemon 2013 Studies Summary

  • Q3: How Should You Respond to Security Threats?

  • So What? The Latest from Black Hat

  • Q4: How Should Organizations Respond to Security Threats?

  • Security Policy Should Stipulate

  • Ethics Guide: Securing Privacy

  • Ethics Guide: Securing Privacy: Wrap Up

  • Slide 24

  • Essence of https (SSL or TLS)

  • Use of Multiple Firewalls

  • Malware Protection

  • Malware Types and Spyware and Adware Symptoms

  • Design for Secure Applications

  • Q6: How Can Data Safeguards Protect Against Security Threats?

  • Q7: How Can Human Safeguards Protect Against Security Threats?

  • Slide 32

  • Account Administration

  • Sample Account Acknowledgment Form

  • Systems Procedures

  • Q8: How Should Organizations Respond to Security Incidents?

  • Security Wrap Up

  • Q9: 2025

  • Guide: A Look through NSA’s PRISM

  • Trade Offs

  • Wrap Up

  • Slide 42

  • Wrap Up

  • Active Review

  • Case 10: Hitting the Target

  • How Did They Do It?

  • Damage

  • Damage (cont'd)

  • Slide 49

Content

Chapter 10: Information Security Management

“But How Do You Implement That Security?”
• Video conference with potential PRIDE promoter and advertiser, San Diego Sports
• PRIDE originally designed to store medical data
• SDS wants to know if PRIDE systems provide an acceptable level of security
• Doesn’t want to be affiliated with a company with a major security problem
• Criminals now focus attacks on inter-organizational systems
Copyright © 2016 Pearson Education, Inc 10-2

PRIDE Design for Security

Study Questions
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2025?

Q1: What Is the Goal of Information Systems Security?

Examples of Threat/Loss

What Are the Sources of Threats?

What Types of Security Loss Exist?
• Unauthorized data disclosure
• Pretexting
• Phishing
• Spoofing
  – IP spoofing
  – Email spoofing
• Drive-by sniffers
  – Wardrivers
• Hacking

Incorrect Data Modification
• Procedures incorrectly designed or not followed
• Increasing a customer’s discount or incorrectly modifying an employee’s salary
• Placing incorrect data on the company Web site
• Improper internal controls on systems
• System errors
• Faulty recovery actions after a disaster

Faulty Service
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)

Systems Procedures

Q8: How Should Organizations Respond to Security Incidents?

Security Wrap Up
• Be aware of threats to computer security as an individual, business professional and employee
• Know the trade-offs between loss risks and the cost of safeguards
• Know ways to protect your computing devices and data
• Understand technical, data, and human safeguards
• Understand how organizations should respond to security incidents

Q9: 2025
• APTs more common, inflicting serious damage
• Continued concern about the balance of national security and data privacy
• Computer crimes targeting mobile devices lead to improved operating system security
• Improved security procedures and employee training
• Criminals focus on less protected mid-sized and smaller organizations, and individuals
• Electronic lawlessness by organized gangs
• Strong local “electronic” sheriffs electronic border and enforce existing laws?

Guide: A Look through NSA’s PRISM
• Nine of the largest Internet services (Google, Microsoft, Yahoo!, Facebook, PalTalk, YouTube, Skype, AOL, and Apple) participate in the PRISM program
• Dates when PRISM began collecting data from each of these services
• Types of data collected include email, videos, photos, video and voice chat, file transfers, VoIP, stored data, videoconferencing, login activity, social networking activity, and something called “special requests”
• How information flows from around the world could be collected
• How data flowed from service provider to NSA, CIA, or FBI
http://www.wired.com/2013/06/snowden-powerpoint/#slideid-522485

Trade Offs
• Social trade-off
  – “I prefer dangerous freedom over peaceful slavery.”
  – “Freedom is Slavery” (G. Orwell, 1984)
• Organizations struggle with security
  – Users frustrated with stringent password policies
  – Firewalls block users from remotely accessing certain resources
  – Managers can’t access certain data without special permission

Wrap Up
• Understand the inherent trade-off between security and freedom
• Understand the reach of government surveillance systems
• Understand ethical considerations surrounding spying and monitoring

Guide: Phishing for Credit Cards, Identifying Numbers, Bank Accounts
• Phishing scams are commonplace
• Target Corporation lost about 98 million user accounts to hackers in late 2013
  – Attackers gained access to Target via a third-party vendor's credentials
• Examples of phishing scams at PhishTank.com and ConsumerFraudReporting.org

Wrap Up
• Phishing scams are popular and becoming more targeted
• You need to be able to identify and avoid phishing scams

Active Review
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2025?

Case 10: Hitting the Target
• Lost 40 million credit and debit card numbers to attackers
• Less than a month later Target announced an additional 70 million customer accounts stolen that included names, emails, addresses, phone numbers, and so on
• About 98 million customers were affected
  – 31% of 318 million people in the US
• Stolen from point-of-sale (POS) systems at Target retail stores during the holiday shopping season

How Did They Do It?
• Attackers escalated privileges to gain access to Target’s internal network
• Spear-phished malware to gather keystrokes, login credentials, and screenshots from Fazio users
• Trojan.POSRAM extracted data from POS terminals

Damage
• Attackers sold about million credit cards for about $26.85 each for a total profit of $53.7 million
• Target forced to take a loss on merchandise purchased using stolen credit cards
• Upgraded payment terminals to support chip-and-PIN enabled cards, increased insurance premiums, paid legal fees, settled with credit card processors, paid for consumer credit monitoring, and paid regulatory fines

Damage (cont'd)
• Target lost customer confidence and saw a drop in revenues (46% loss for the quarter)
• Analysts put the direct loss to Target as high as $450 million
• CIO resigned, CEO paid $16 million to leave
• Cost credit unions and banks more than $200 million to issue new cards
• Insurers demand higher premiums, stricter controls, and more system auditing
• Consumers must watch their credit card statements, and fill out paperwork if fraudulent charges appear

Truncated preview excerpts:
... believe data on mobile devices poses significant risks
Ponemon 2013 Studies Summary
• Median cost of computer crime increasing
• Malicious insiders ...
Q2: How Big Is the Computer Security Problem?
Computer Crime Costs per Organizational Respondent
Average Computer Crime Cost and ...
... protocols, or systems from smartphones to ATMs
• Encourage companies to fix product vulnerabilities and serve as an educational forum for hackers, developers, manufacturers, and government agencies

Posted on: 17/01/2018, 16:40
