Lecture Business management information system - Lecture 20: Information security


This chapter presents the following content: information security, the threats, security’s five pillars, management countermeasures, technical countermeasures, credit card fraud, an internet services company, planning for business continuity, Household International.

Information Security
Lecture 20

Today Lecture
  • Information Security
      - The Threats
      - Security’s Five Pillars
      - Management Countermeasures
      - Technical Countermeasures
  • CREDIT CARD FRAUD Case Example: Threats
  • AN INTERNET SERVICES COMPANY Case Example: Security

Today Lecture…
  • PLYMOUTH ROCK ASSURANCE CORPORATION Case Example: Use of a VPN (Security)
  • Planning for Business Continuity Using Internal Resources
  • Planning for Business Continuity Using External Resources
  • HOUSEHOLD INTERNATIONAL Case Example: Planning for Business Continuity

Information Security
  • Used to be an arcane technical topic
  • Today even CEOs need to ‘know about it’ due to the importance of electronic information in running their businesses
  • Need to understand Internet-based threats and countermeasures and continuously fund security work to protect their businesses

Information Security
  • Since 1996 the Computer Security Institute have conducted an annual survey of US security managers
      - Spring 2004 survey report key findings:
          - The unauthorized use of computers is declining
          - The most expensive cybercrime was denial of service

The Threats
  • Note: heaps of similar surveys, e.g. KPMG

Information Security: The Threats
  • Threats are numerous
  • Websites are particularly vulnerable
  • Political activism is one motivation for Website defacement
  • Theft of proprietary information is a major concern
  • Financial fraud is still a significant threat
      - Especially credit card information
      - No data of any value should be stored on web servers

CREDIT CARD FRAUD Case Example: Threats
  • In one case, MSNBC reported that a bug in one shopping cart software product used by 4,000 e-commerce sites exposed customer records at those sites
      - One small e-commerce site did not receive the warning
      - Within days, cyber criminals charged thousands of dollars on the credit cards of users of this small site

CREDIT CARD FRAUD Case Example: Threats…
  • In another case, two foreigners stole 56,000 credit card numbers, bank account information, and other personal financial information from U.S. banks
      - Then tried to extort money from the cardholders and the banks, threatening to publicize the sensitive information they had unearthed

Planning for Business Continuity Using Internal Resources
  • Organizations that rely on internal resources for IT disaster recovery generally see this planning as a normal part of systems planning and development. They use:
      - Multiple data centers
          - Move to have all computing in ‘one location’ = now under question
      - Distributed processing
      - Backup telecommunication facilities
      - Local area networks
          - One LAN can be used to backup servers for other networks

Planning for Business Continuity Using External Resources
  • Cost vs. risk may not justify permanent resources, so companies use the services of a disaster recovery firm:
      - Integrated disaster recovery services
      - Specialized
      - Online disaster recovery services and off-line data storage facilities

HOUSEHOLD INTERNATIONAL Case Example: Planning for Business Continuity
  • Typical of a large financial services institution, Household justified its disaster recovery planning based upon legal and regulatory requirements and the need to maintain uninterrupted customer service
  • Company established full time staff to prepare, maintain and test disaster recovery plans

HOUSEHOLD INTERNATIONAL Case Example: Planning for Business Continuity
  • Comdisco Disaster Recovery Services was relied on as it’s a major supplier of alternate site data processing services in North America
  • Heaps of rain in Chicago: large number of disasters declared
  • Household declared a disaster quickly – it enabled close relocation

HOUSEHOLD INTERNATIONAL Case Example: Planning for Business Continuity cont.
Lessons Learnt:
  • Consider the risks of a natural disaster in selecting a data center location
  • Create a plan to return to the primary site after a disaster
  • Do not expect damaged equipment, disks, and tapes to always be replaced, monitor equipment
  • Plan for alternate telecommunications
  • Test site under full workload conditions
  • Maintain critical data at the alternate site

Conclusion
  • The subject of managing computer operations is, perhaps surprisingly, at an all-time high because of:
      - The emergence of e-commerce
      - The increasing use of outsourcing
      - News-grabbing viruses
      - Attacks on major websites, and
      - The terrorists acts on September 11th, October 12th etc.

Conclusion cont.
  • As enterprises increasingly rely on computing and telecom to work closely with others, they open themselves up to more threats by electronic means
  • Companies must be increasingly vigilant to outside threats
  • In short, the view of operations is shifting from managing inward to managing outward
  • It’s ‘essential’ but often ‘forgotten’ and it’s not easy. Key = MANAGEMENT

Part II Discussion Case
MANAGING INFORMATION SECURITY ON A SHOESTRING BUDGET

Summary
  • Information Security
      - The Threats
      - Security’s Five Pillars
      - Management Countermeasures
      - Technical Countermeasures
  • CREDIT CARD FRAUD Case Example: Threats
  • AN INTERNET SERVICES COMPANY Case Example: Security

Summary…
  • PLYMOUTH ROCK ASSURANCE CORPORATION Case Example: Use of a VPN (Security)
  • Planning for Business Continuity Using Internal Resources
  • Planning for Business Continuity Using External Resources
  • HOUSEHOLD INTERNATIONAL Case Example: Planning for Business Continuity

... to information and airtight security at the same time
  • Companies must make tradeoffs between:
      - Absolute information security
      - The efficient flow of information

Information Security Management ...

Date posted: 18/01/2020, 15:54


Table of contents

  • Slide 1

  • Today Lecture

  • Today Lecture….

  • Information Security

  • Information Security

  • Slide 6

  • Slide 7

  • Information Security The Threats

  • CREDIT CARD FRAUD Case Example: Threats

  • CREDIT CARD FRAUD Case Example: Threats…

  • Information Security The Threats cont.

  • Information Security The Threats cont.

  • Information Security The Threats cont.

  • Information Security The Threats cont.

  • Information Security The Threats cont.

  • Information Security : Security’s Five Pillars

  • Information Security Management Countermeasures

  • Information Security Management Countermeasures

  • Information Security Management Countermeasures cont.

  • Information Security Management Countermeasures cont.
