Experiencing MIS, 9th edition, by M. Kroenke, Chapter 10


Chapter 10: Information Security Management
Copyright © 2017 Pearson Education, Inc.

"But How Do You Implement that Security?"
• Video conference with SDS (potential PRIDE promoter and advertiser)
• PRIDE originally designed to store medical data
• Do PRIDE systems have an acceptable level of security?
• Doesn't want to affiliate with a company with a major security problem
• Criminals focusing on inter-organizational systems

PRIDE Design for Security

Study Questions
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2026?

Q1: What Is the Goal of Information Systems Security?

Examples of Threat/Loss

What Are the Sources of Threats?

What Types of Security Loss Exist?
• Unauthorized data disclosure
  – Pretexting
  – Phishing
  – Spoofing
     IP spoofing
     Email spoofing
  – Drive-by sniffers
     Wardrivers
  – Hacking & natural disasters

Incorrect Data Modification
• Procedures incorrectly designed or not followed
• Increasing a customer's discount or incorrectly modifying an employee's salary
• Placing incorrect data on the company Web site
• Causes
  – Improper internal controls on systems
  – System errors
  – Faulty recovery actions after a disaster

Faulty Service
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)

Security Monitoring (cont'd)
• Employ utilities to assess vulnerabilities
• Honeypots for computer criminals to attack
• Investigate security incidents
• Constantly monitor to determine the adequacy of existing security policy and safeguards

Q8: How Should Organizations Respond to Security Incidents?

Q9: 2026?
• APTs more common
• Concern about the balance of national security and data privacy
• Security on devices will be improved
• Skill level of cat-and-mouse activity increases substantially
• Improved security at large organizations
• Strong local electronic sheriffs

Guide: EMV to the Rescue
• EMV chip-and-PIN
• Changes the way cards are verified
• Chip verifies authenticity of the physical card; PIN verifies identity of the cardholder
• What can EMV do to protect you?

Data Breach at Home Depot
• Loss of 56 million customer credit card records and 53 million customer email addresses
• Hackers gained access to Home Depot's internal network using stolen credentials from a third-party vendor
• Distributed malware to "scrape" credit card data from POS terminal RAM
• Stolen data collected and moved out of Home Depot's network

Data Breach at Home Depot (cont'd)
• HD used an older version of antivirus software
• Lacked encryption between point-of-sale (POS) systems and central servers
  – Didn't directly contribute to the data breach
• Real security weakness: access to residual credit card data stored in the memory of the POS
• EMV doesn't store card data in memory, only transaction ID numbers

Building Adoption Momentum
• Adoption of EMV chip-and-PIN
  – Western Europe: 99.9%
  – Canada: 84.7%
  – Asia: 71.4%
  – U.S.: 0.3%
• U.S. last user of older magnetic stripe card technology
• Merchants liable for credit card fraud if POS terminals do not support EMV, starting Oct 2015
• Card and card reader costs increase

Guide: Phishing for Credit Cards, Identifying Numbers, Bank Accounts
• Phishing scams commonplace
• Examples of phishing scams at PhishTank.com and ConsumerFraudReporting.org
• You need to be able to identify and avoid phishing scams

Phish Examples

Active Review: Q1–Q9 (the study questions listed above)

Case 10: Hitting the Target
• Lost 40 million credit and debit card numbers
• Later announced an additional 70 million customer accounts stolen, including names, emails, addresses, phone numbers, etc.
• 98 million customers affected, 31% of the 318 million people in the US
• Stolen from point-of-sale (POS) systems at Target stores during the holiday shopping season

How Did They Do It?
• Spearphished malware to gather keystrokes, login credentials, and screenshots from Fazio users
• Attackers escalated privileges to gain access to Target's internal network
• Trojan.POSRAM extracted data from POS terminals

Damage
• Card and PIN numbers of million cards for $26.85 each ($53.7M)
• Target took the loss on merchandise purchased using stolen credit cards
• Costs
  – Upgraded POS terminals to support chip-and-PIN cards
  – Increased insurance premiums
  – Paid legal fees
  – Settled with credit card processors
  – Paid consumer credit monitoring
  – Paid regulatory fines

Damage (cont'd)
• Loss of customer confidence and drop in revenues (46% loss for the quarter)
• Direct loss to Target as high as $450 million
• CIO resigned; CEO paid $16 million to leave
• Cost credit unions and banks more than $200 million to issue new cards
• Insurers demand higher premiums, stricter controls, and more system auditing
• Consumers must watch their credit card statements and fill out paperwork if fraudulent charges appear

... Average Computer Crime Cost and Percent of Attacks by Type (5 Most Expensive Types)

Ponemon Study Findings (2014)
• Malicious insiders ...

... forum for hackers, developers, manufacturers, and government agencies

Dan Geer Recommendations
• Mandatory reporting of security vulnerabilities
• Make ...

... attack
  – User enters an SQL statement into a form instead of a name or other data
  – Result: the SQL code becomes part of the database commands issued
  – Improper data disclosure, data damage and loss possible –
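The last fragment above describes how form input becomes part of the database command. As an added example (not from the Kroenke slides), the following shows a lookup that concatenates the form value beside one that binds it as a parameter, against a constructed in-memory SQLite table; the table, its rows and the injected input are all constructed for the demonstration.

```python
"""Added example (not from the Kroenke slides): how an SQL injection turns form
input into part of the database command, and why parameterized queries stop it.
Uses an in-memory SQLite database with constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small patient table (PRIDE stores medical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (name TEXT, diagnosis TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?)",
        [("alice", "asthma"), ("bob", "diabetes"), ("carol", "migraine")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the form value is pasted into the SQL text, so any SQL the
    user types becomes part of the command the database executes."""
    sql = "SELECT name, diagnosis FROM patients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the form value travels as a bound parameter. The database treats it
    purely as data, so it can only ever match (or fail to match) a name."""
    sql = "SELECT name, diagnosis FROM patients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed form input: an SQL fragment typed where a name was expected.
# Concatenated, it makes the WHERE clause true for every row.
INJECTED_NAME = "x' OR '1'='1"


def demo() -> tuple:
    """Returns (rows leaked by the vulnerable lookup, rows from the safe lookup)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, INJECTED_NAME)  # every patient's record
    safe = lookup_safe(conn, INJECTED_NAME)          # nobody is named that
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup returned", len(leaked), "rows:", leaked)
    print("parameterized lookup returned", len(safe), "rows")
```

The same concatenation defect lets input alter UPDATE and DELETE statements too, which is the "data damage and loss" the slide mentions; binding parameters closes all of those paths at once.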

Posted: 17/01/2018, 16:41
