Using MIS, 10th Edition
Chapter 10: Information Systems Security
Copyright © 2018, 2017, 2016 Pearson Education, Inc. All Rights Reserved.

“I think you’ll see that we really take security seriously.”
• Video conference with exercise equipment manufacturer CanyonBack Fitness (potential ARES partner)
• Security concerns about integrating ARES with CanyonBack exercise bikes
• Does the ARES system have an acceptable level of security?
• Can their bikes get hacked? Customers hurt? Personal data stolen?

“I think you’ll see that we really take security seriously.” (cont’d)
• ARES implements secure coding practices and secure data backup
• Users interact with radio buttons, dropdown menus, and other interactive AR elements
• Reduces the possibility of an SQL injection attack
• New technology typically brings new risks

Study Questions
Q10-1 What is the goal of information systems security?
Q10-2 How big is the computer security problem?
Q10-3 How should you respond to security threats?
Q10-4 How should organizations respond to security threats?
Q10-5 How can technical safeguards protect against security threats?
Q10-6 How can data safeguards protect against security threats?
Q10-7 How can human safeguards protect against security threats?
Q10-8 How should organizations respond to security incidents?
Q10-9 2027?

Information Systems Security Threats (Q10-1 What is the goal of information systems security?)
Figure 10-1 Threat/Loss Scenario

Examples of Threat/Loss (Q10-1 What is the goal of information systems security?)
Threat/Target | Vulnerability | Safeguard | Result | Explanation
Hacker wants to steal your bank login credentials | Hacker creates a phishing site nearly identical to your online banking site | Only access sites using https | No loss | Effective safeguard
Hacker wants to steal your bank login credentials | Hacker creates a phishing site nearly identical to your online banking site | None | Loss of login credentials | Ineffective safeguard
Employee posts sensitive data to public Google+ group | Public access to not-secure group | Passwords, procedures, employee training | Loss of sensitive data | Ineffective safeguard
Figure 10-2 Examples of Threat/Loss

What Are the Sources of Threats? (Q10-1 What is the goal of information systems security?)
Rows are the type of loss; columns are the source of the threat.
Loss | Human Error | Computer Crime | Natural Disasters
Unauthorized data disclosure | Procedural mistakes | Pretexting, phishing, spoofing, sniffing, hacking | Disclosure during recovery
Incorrect data modification | Procedural mistakes, incorrect procedures, ineffective accounting controls, system errors | Hacking | Incorrect data recovery
Faulty service | Procedural mistakes, development and installation errors | Usurpation | Service improperly restored
Denial of service (DoS) | Accidents | DoS attacks | Service interruption
Loss of infrastructure | Accidents | Theft, terrorist activity | Property loss
Figure 10-3 Security Problems and Sources

What Types of Security Loss Exist? (Q10-1 What is the goal of information systems security?)
Unauthorized data disclosure
• Pretexting
• Phishing
• Spoofing (IP spoofing, email spoofing)
• Drive-by sniffers
• Wardrivers
• Hacking
• Natural disasters

Incorrect Data Modification (Q10-1 What is the goal of information systems security?)
• Procedures incorrectly designed or not followed: increasing a customer’s discount or incorrectly modifying an employee’s salary; placing incorrect data on the company Web site
• Causes: improper internal controls on systems; system errors; faulty recovery actions after a disaster

Faulty Service (Q10-1 What is the goal of information systems security?)
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)

Account Administration (Q10-7 How can human safeguards protect against security threats?)
• Account management: standards for new user accounts, modification of account permissions, removal of unneeded accounts
• Password management: users change passwords frequently
• Help desk policies: provide a means of authenticating users

Sample Account Acknowledgment Form (Q10-7 How can human safeguards protect against security threats?)
Figure 10-14 Sample Account Acknowledgment Form
Source: National Institute of Standards and Technology, U.S. Department of Commerce, Introduction to Computer Security: The NIST Handbook, Special Publication 800-12

Systems Procedures (Q10-7 How can human safeguards protect against security threats?)
Procedure | System Users | Operations Personnel
Normal operation | Use the system to perform job tasks, with security appropriate to sensitivity | Operate data center equipment, manage networks, run Web servers, and related operational tasks
Backup | Prepare for loss of system functionality | Back up Web site resources, databases, administrative data, account and password data, and other data
Recovery | Accomplish job tasks during failure; know tasks to perform during system recovery | Recover systems from backed-up data; perform the role of help desk during recovery
Figure 10-15 Systems Procedures

Security Monitoring (Q10-7 How can human safeguards protect against security threats?)
Server activity logs:
• Firewall log: lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall
• DBMS: successful and failed logins
• Web servers: voluminous logs of Web activities
• PC O/S: produces a record of log-ins and firewall activities

Security Monitoring (cont’d) (Q10-7 How can human safeguards protect against security threats?)
• Employ utilities to assess vulnerabilities
• Honeypots for computer criminals to attack
• Investigate security incidents
• Constantly monitor to determine the adequacy of existing security policy and safeguards

Factors in Incident Response (Q10-8 How should organizations respond to security incidents?)
Figure 10-16 Factors in Incident Response

Information Systems Security in 2027 (Q10-9 2027?)
• APTs more common
• Concern about the balance of national security and data privacy
• Security on devices will be improved
• Skill level of cat-and-mouse activity increases substantially
• Improved security at large organizations
• Strong local “electronic” sheriffs

Exhaustive Cheating (Security Guide)
• Employees (possibly managers) created deceptive software to cheat standardized emissions testing
• Black-box software made it difficult to detect the malicious software
• Embedded software was designed to temporarily improve fuel savings and reduce torque and acceleration
• When normal performance resumed, emissions output rose well above legal levels

IT Security Analyst (Career Guide): Stefanie at Overstock.com
Q: What attracted you to this field?
A: “I was first attracted to the field of IT security as a sophomore in college when I took my initial MIS class. In one session, the professor deployed a honeypot, and we watched as attackers scanned the system for vulnerabilities. There were so many scans! I liked the idea that I could find and stop attackers from taking advantage of people.”
Q: What advice would you give to someone who is considering working in your field?
A: “Read, read, read—and start playing with toys! I’ve seen so many potential analysts tank in interviews because they didn’t have the foundational building blocks of security down.”

Active Review
Q10-1 What is the goal of information systems security?
Q10-2 How big is the computer security problem?
Q10-3 How should you respond to security threats?
Q10-4 How should organizations respond to security threats?
Q10-5 How can technical safeguards protect against security threats?
Q10-6 How can data safeguards protect against security threats?
Q10-7 How can human safeguards protect against security threats?
Q10-8 How should organizations respond to security incidents?
Q10-9 2027?

Hitting the Target (Case Study 10)
• Lost 40 million credit and debit card numbers
• Later announced an additional 70 million customer accounts stolen, including names, emails, addresses, phone numbers, etc.
• 98 million customers affected: 31% of the 318 million people in the US
• Stolen from point-of-sale (POS) systems at Target stores during the holiday shopping season

How Did They Do It? (Case Study 10)
• Bought malware
• Spearphished users at Fazio to get login credentials for the Target vendor server
• Attackers escalated privileges, accessed Target’s internal network, and planted malware
• Trojan.POSRAM extracted data from POS terminals
• Sent data to drop servers
Figure 10-18 Target Data Breach

Damage (Case Study 10)
• Card and PIN numbers of million cards for $26.85 each ($53.7M)
• Costs: upgraded POS terminals to support chip-and-PIN cards; increased insurance premiums; paid legal fees; settled with credit card processors; paid for consumer credit monitoring; paid regulatory fines

Damage (cont’d) (Case Study 10)
• Loss of customer confidence and drop in revenues (46% loss for the quarter)
• Direct loss to Target as high as $450 million
• CIO resigned; CEO paid $16 million to leave
• Cost credit unions and banks more than $200 million to issue new cards
• Insurers demand higher premiums, stricter controls, and more system auditing
• Consumers must watch their credit card statements and fill out paperwork if fraudulent charges appear

Severity of Computer Crime (Q10-2 How big is the computer security problem?)
Figure 10-5 Computer Crime Costs
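The Security Monitoring slides above (Q10-7) list firewall drop logs and DBMS login logs as things to watch but do not show what "watching" means in practice. The following is an added example, not code from the textbook or from any product it mentions; the log line formats, the sample lines, the 10.0.0.0/8 internal range and the thresholds are all constructed assumptions.

```python
"""Added example (not from Using MIS): a minimal monitor over two of the log sources
the Security Monitoring slides list, firewall drop entries and DBMS login results.
The log line formats are constructed for this example, not any vendor's real format."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines: firewall drops and DBMS login events.
SAMPLE_LOGS = """\
fw DROP src=203.0.113.7 dst=10.0.0.5 dport=22
fw DROP src=203.0.113.7 dst=10.0.0.5 dport=23
fw DROP src=203.0.113.7 dst=10.0.0.5 dport=3389
fw DROP src=10.0.0.42 dst=198.51.100.9 dport=445
db LOGIN user=alice result=FAILED
db LOGIN user=alice result=FAILED
db LOGIN user=alice result=FAILED
db LOGIN user=bob result=SUCCESS
"""

INTERNAL = ip_network("10.0.0.0/8")  # assumed: the network behind the firewall
FW_RE = re.compile(r"^fw DROP src=(\S+) dst=(\S+) dport=(\d+)$")
DB_RE = re.compile(r"^db LOGIN user=(\S+) result=(SUCCESS|FAILED)$")


def analyze(text, drop_threshold=3, fail_threshold=3):
    """Return three findings matching the slides' monitoring list:
    external sources whose dropped packets reach drop_threshold (probing),
    dropped packets that originate inside the firewall (an internal host
    reaching out), and accounts whose failed DBMS logins reach fail_threshold."""
    drops, failed, inside_out = Counter(), Counter(), []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            src, dst, port = m.groups()
            drops[src] += 1
            if ip_address(src) in INTERNAL:
                inside_out.append((src, dst, int(port)))
            continue
        m = DB_RE.match(line)
        if m and m.group(2) == "FAILED":
            failed[m.group(1)] += 1
    return {
        "probing": sorted(s for s, n in drops.items()
                          if n >= drop_threshold and ip_address(s) not in INTERNAL),
        "inside_out": inside_out,
        "failed_logins": sorted(u for u, n in failed.items() if n >= fail_threshold),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOGS))
```

Each finding maps to an incident-response question from the slides: an external prober is noise until it succeeds, an internal host dropped on the way out deserves a look at that host, and repeated failed logins are what the account administration controls above are meant to limit.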