Julianne's MIS Blog: Chapter 10: Information Systems Security

Q10-1: What is the goal of information systems security?

Trade-off between security and freedom / cost and risk
The IS security threat/loss scenario

Threat - person or organization, without owner's permission or knowledge, seeking to obtain or alter data or other IS assets illegally
Vulnerability - opportunity for threats to obtain access to organizational or individual assets
Safeguard - some measure taken to block the threat from obtaining the asset > not always effective
Target - asset that the threat desires

What are the sources of threats?

Human errors and mistakes - employees / non-employees accidental
Computer crime - employees / non-employees intentional destroy
Natural events & disasters - fires, floods, earthquake etc.

What types of security loss exist?

Unauthorized data disclosure

Pretexting - when someone pretends to be someone else and deceives; e.g. they pretend to be credit card company
Phishing - pretexting via email to obtain unauthorized data

Phisher - sends an email pretending to be a legit company, requesting confidential data

Spoofing - someone pretending to be someone else, e.g. pretending to be mom for phone bill

IP spoofing - when an intruder masquerades as another site by using another site's IP address
Email spoofing - synonym for phishing

Sniffing - intercepting computer communications; need physical connection to network if wired networks

Wardrivers - search for unprotected wireless networks and take computers with wireless connections through an area

Hacking - stealing data such as customer lists, product inventory data, employee data, and other proprietary and confidential data by breaking into computers, servers, or networks

Incorrect data modification
Faulty service

Usurpation - when computer criminals invade computer system & replace legit programs with own, unauthorized ones to shut down legit apps and substitute their own processing to spy, steal, and manipulate data

Denial of service (DoS) - human error in following procedures or a lack of procedures
Loss of infrastructure

Advanced Persistent Threat (APT) - when large, well-funded organizations such as governments engage in sophisticated, long-running computer hack

Q10-2: How big is the computer security problem?

We don't know full extent of financial and data losses due to computer security threats
Losses due to natural disasters are enormous and impossible to compute
No one knows that cost of computer crime & all studies are based on surveys
6 most expensive types of computer crime:

Denial of service
Malicious insiders
Web-based attacks
Malicious code
Phishing & Social Engineering
Stolen devices

Q10-3: How should you respond to security threats?

Intrusion detection system (IDS) - computer program that sense when another computer is attempting to scan or access a computer or network
Brute force attack - password cracker tries every possible combination of characters
Cookies - when you visit Web sites, small files are received by your browser
Create strong passwords / create multiple
Send no valuable data via email or IM
Use https at trusted, reputable vendors
Clear browsing history, temporary files, and cookies
So what? Black Hat

Show how to exploit weaknesses in hardware, software, protocols, or systems from smartphones to ATMs
Serve as education forum for hackers, developers, manufactures, gov't
Dan Geer recommends:

Mandatory reporting of security vulnerabilities
Make software venders liable for damage their code causes after abandoned, or users allowed to see/have source code.
ISP liable for harmful, inspected content
Right to be forgotten - appropriate and advantageous
End-to-End Encrypted Email

Q10-4: How should organizations respond to security threats?

Senior management created company-wide policies:

What sensitive data will be stored?
How data processed?
Will data be shared?
Can employees / others obtain copies of data stored about them?
Can employees / others request changes to inaccurate data?

Senior management can't eliminate risk so > manages risk

Q10-5: How can technical safeguard protect against security threats?

Technical safeguards - involve the software and hardware components of an IS; primary safeguards include:

Identification and authentication

Identification - username identifies the user
Authentication - password authenticates that user
Smart cards - similar to credit card, plastic card that has a microchip, which holds far more data than magnetic strip

Personal identification number (PIN) - required by smart cards to be authenticated

Biometric authentication - uses fingerprints, facial features, and retinal scans (personal physical characteristics) to authenticate users

Encryption

Encryption - secure storage or communication by transforming clear text into coded, unintelligible text
Encryption algorithms - procedures for encrypting data
Key - encrypting data using a string a bits

Symmetric encryption - same key used to encode & decode
Asymmetric encryption - two keys are used, 1 encode & 1 decode

Public key encryption - used on the Internet, special asymmetrical encryption

https - protocol for most secure communication over the Internet
Secure Sockets Later (SSL) / Transport Layer Security (TLS) - protocol for encrypting data > uses a combo of public key encryption and symmetric encryption

Firewalls

Firewalls - computing device that prevents unauthorized network access
Perimeter firewall - sits outside the organizational network
Internal firewall - Inside organizational network
Packet-filtering firewall - examines each part of the message and determines whether to let that part pass; examines source address, destination address, and other data

Malware protection

Malware - Viruses, spyware, and adware that is a broad category of software
Virus - computer program that replicates itself
Payload - delete programs or data OR modify data in undetected ways
Trojan horses - viruses that masquerade as useful programs or files
Worm - virus that self-propagates using Internet or other computer network
Spyware - programs installed on you just computer without their knowledge or permission
Adware - also installed without user permission and resides in background observing user behavior
Ransomware - malicious software that blocks access to system or data until money is paid to the attacker

Design for secure applications
Malware Types and Spyware/Adware Symptoms

Slow system startup
Sluggish system performance
Pop-up advertisements
Suspicious browser homepage changes
Suspicious changes to taskbar and other system interfaces
Unusual hard-disk activity

Design for Secure Applications

SQL injection attack - User enters SQL statement into a form instead of a name or other data

SQL code becomes part of database commands issued
Improper data disclosure, data damage and loss possible

Q10-6: How can data safeguards protect against security threats?

Data safeguards - protect databases another organizational data

Define data policies
Data rights and responsibilities
Rights enforced by user accounts authenticated by passwords
Data encryption
Backup and recovery procedures
Physical Security

Data administration - organization-wide function in charge of developing their policies and enforcing data standards
Database administration - function that pertains to a particular database
Key escrow

Q10-7: How can human safeguards protect against security threats?

Human safeguards - procedure components and people of information systems; for employees:

Position definition
Hiring and screening
Dissemination and enforcement
Termination

Human safeguards for non-employee personnel

Temporary personnel, vendors, partner personnel (employees of business partners and the public > appropriate screening and security training

Provide accounts and passwords with least privilege and remove accounts as soon as possible

Hardening - taking extraordinary measures to reduce a system's vulnerability

Account administration

Account management - standards for new user accounts, modification of account permissions, removal of unneeded accounts
Password management - Users change passwords frequently
Help-desk policies - provides means of authenticating users

Systems procedures

Normal operation - Use the system to perform job tasks with security appropriate to sensitivity
Backup - Prepare for loss of system functionality
Recovery - Accomplish job tasks during failure. Know tasks to do during system recovery

Security monitoring

Honeypots - false targets for computer criminals to attack, created by companies

Q10-8: How should organizations respond to security incidents?

Factors in incident response:

Have a plan in place
Centralized reporting
Specific responses > speed, preparation, and don't make problem worse
Practice

Q10-9: 2026?

Concern about balance of national security of data privacy

PRISM - intelligence program by which National Security Agency (NSA) requested and received data about Internet activities from major Internet providers
Privacy - freedom from being observed
Security - free from danger

APTs more common
Security improved on devices and at large organizations
Strong, local "electronic" sheriffs