MIS 2 Chapter 10

(dissemination and enforcement)

Three interdependent factors: 1. responsibility 2. accountability 3. compliance

-design for secure applications

SQL injection attack

-firewalls

a computing device that prevents unauthorized network access. simply a filter -it can be a special purpose computer or it can be a program on a general purpose computer or on a router -permiter firewall: sit outside the org network -internal firewall: inside the org network -packet-filtering firewall: examines each part of a message and determines whether to let that part pass *simplest type

human error

accidental problems caused by both employees and non employees -misunderstanding operating producers and accidentally deleting customer records -in the course of backing up a database, inadvertently installs an old database on top of the current one -poorly written application programs and design procedures -physical accidents

-security monitoring

activity log analyses security testing investigating and learning from security incidents -honeypots: false targets for computer criminals to attack

vulnerability

an opportunity for threats to gain access to individual or organizational assets -credit card data

-spoofing

another term for someone pretending to be someone else -IP spoofing -Email spoofing

target

asset that is desired by the threat

summary of above

below:

-hacking

breaking into computers, servers, or networks to steal data such as customer lists, product inventory data, employee data, etc

-malware

broad category of software that includes viruses, spyware, and adware -virus: computer program that replicates itself -payload: program code that causes the unwanted actions -trojan horses: viruses that masquerade as useful programs or files -worm: virus that self-propogrates using the internet or other computer network -spyware: programs are installed on the user's computer without the user's knowledge or permission -key loggers: captures keystrokes to obtain usernames, passwords, account numbers -adware: installed without the users permission and resides in the background and observes user behavior -ransomware: blocks access to a system or data until money is paid to the attacker

-human safeguards for non employee personnel

can't screen vendors -best safeguard threat from public users is to harden the website -hardening: hardening a site means to take extraordinary measures to reduce a system's vulnerability

intrusion detection system (IDS)

computer program that senses when another computer is attempting to scan or access a computer or network

single most important safeguard

create and use strong passwords -use long passwords with no words, 10 or more characters, and a mix of letters, numbers, and special characters

Data Safeguards

data -define data policies -data rights and responsibilities -rights enforced by user accounts authenticated by passwords -data encryption -backup and recovery -physical security

computer crime

employees and former employees who intentionally destroy data or other system components. Also hackers who break into a system and virus and worm writers who infect computer systems -terrorist and financial gain

Goal of information systems security

find an appropriate trade-off between the risk of loss and the cost of implementing safeguards

natural events and disasters

fires, floods, hurricanes, earthquakes, tsunamis, avalanches, etc -problems: initial loss of capability and service, and losses stemming from actions to recover from the initial problem

(termination)

friendly unfriendly

Technical Safeguards

hardware software -identification and authorization -encryption -firewalls -malware protection -application design

denial of service

human error in following procedures or a lack of procedures results in this -inadvertently shut down a web server or corporate gateway router by starting a computationally intensive application -computer criminals can launch an intentional DoS attack -computer worms can infiltrate a network with so much artificial traffic -natural disasters cause

-system procedures

normal operation backup recovery

unauthorized data disclosure

occurs when a threat obtains data that is supposed to be protected -occurs by human error of inadvertently releasing data in violation of policy -occurs by popularity and efficacy of search engines

-usurpation

occurs when computer criminals invade a computer system and replace legit programs with their own, unauthorized ones that shut down legit applications and substitute their own processing to spy, steal, and manipulate data, etc. Also can result from improper restoration from a disaster

-pretexting

occurs when someone deceives by pretending to be someone else -telephone caller (fake)

-malware definitions

patterns that exist in malware code

threat

person or organization that seeks to obtain or alter data or other IS assets illegally, without the owner's permission and often without the owner's knowledge

-human safeguards for employees

position definitions hiring and screening disssemination and enforcement termination

Human Safeguards

procedures people -hiring and training -education -procedure design -admin -assessment -compliance -accountability

-encryption

process of transforming clear text into coded, unintelligible text for secure storage or communication -encryption algorithms -key: sting of bits used to encrypt the data -symmetric encryption: same key is used to encode and decode -asymmetric encryption: two keys are used; one encodes and one decodes -public key encryption: used on the internet, special version of asymmetric -https (SSL or TLS)

how should ORGANIZATIONS respond to security threats

senior management needs to address two critical security functions 1. security policy 2. risk management

(position definition)

separate duties and authorities determine least privilege document position sensitivity

-phishing

similar technique for obtaining unauthorized data that uses pretexting via email -the phisher, pretends to be a legit company and sends an email requesting confidential data, such as account numbers, social security numbers, account passwords, etc

-wardrivers

simply take computers with wired connections through an area and search for unprotected wireless networks -monitor and intercept traffic on unsecured wireless networks

cookies

small files that your browser receives when you visit web sites -enable you to access web sites without having to sign in every time -great example of trade off of improved security and cost

safeguard

some measure that individuals or organizations take to block the threat from obtaining the asset -not always effective; some threats achieve their goal despite safeguards -expensive, reduce work efficiency by making common tasks more difficult

(recovery)

system user: accomplish job tasks during failure. know tasks to do during recovery operations personnel: recover systems from backed up data. perform a role of help desk during recovery

(backup)

system user: prepare for loss of system functionality operations personnel: back up web site resources, databases, admin data, account and password data

(normal operation)

system user: use the system to perform job tasks with security appropriate to sensitivity operations personnel: operate data center equipment, manage networks, run web servers, and do related operational tasks

-sniffing

technique for intercepting computer communications -with wired networks, it requires a physical connection to the network -with wireless, theres no connection needed -spyware and adware

brute force attack

which the password cracker tries every possible combination of characters

types of security losses

-unauthorized data disclosure -incorrect data modification -faulty service -denial of service (DoS) -loss of infrastructure

1. security policies

-what sensitive data the org will store -how it will process the data -whether data will be shared with other org -how employees and others can obtain copies of data stored about them -how employees and others can request changes in inaccurate data

loss of infrastructure

-Advanced Persistent Threat (APT)

-account administration

-account management: concerns of new user accounts, modification of existing account permissions, and the removal of unneeded accounts -password management: primary means of authentication -help desk policies:

how should organizations respond to security incidents

-have plan in place -centralized reporting -specific responses: speed, preparation pays, don't make problem worse -practice

sources of threats

-human error -computer crime -natural events and disasters

incorrect data modification

-incorrectly increasing a customer's discount or incorrectly modifying an employee's salary, earned days of vacation, or annual bonuses -occur through human error when employees follow procedures incorrectly or when they are designed incorrectly -need separation of duties -caused by system errors: lost update problems -computer criminals can make unauthorized changes -faulty recovery actions after a disaster

ponemon study

-malicious insiders are an increasingly serious security threat -business disruption and data loss are the principal costs of computer crime -survey respondents believe negligent employees, personal devices connecting to the corporate network, and the use of commercial could based apps post a significant security threat -security safeguards work

faulty service

-problems that result because of incorrect system operation: incorrect data modification, systems sending wrong goods to people, inaccurately billing -humans can cause this by making procedural mistakes or writing programs incorrectly

2. risk management

-risk cannot be eliminated -must proactively balance the trade-off between risk and cost

-identification and authentication

-smart card: plastic card similar to a credit card with a microchip loaded with identifying data -personal identification number (PIN) -biometric authentication: uses personal physical characteristics such as fingerprints, facial features, and retinal scans to authenticate users (expensive)

-two organizational units are responsible for data safeguards

1. data admin: organization wide function that is in charge of developing data policies and enforcing data standards 2. database administration: function that pertains to a particular database (ERP, CRM, MRP)

-malware safegaurds

1. install antivirus and antispyware programs 2. set up antimalware frequently 3. update malware definitions 4. open email attachments only from known source 5. promptly install software updates from legit sources 6. browse only reputable web sites

how should YOU respond to security threats

1. take security seriously 2. create strong passwords 3. use multiple passwords 4. send no valuable data via email or IM 5. use https at trusted reputable vendors 6. remove high-value assets from computers 7. clear browsing history, temp files, and cookies 8. regularly update antivirus software 9. demonstrate security concern to workers 10. follow org security directives and guidelines 11. consider security for all business initiatives

loss: denial of service (DoS)

threat: -human error: accidents -computer crime: DoS attacks -natural disasters: service interruption

loss: loss of infrastructure

threat: -human error: accidents -computer crime: theft, terrorist activity -natural disasters: property loss

loss: unauthorized data disclose

threat: -human error: procedural mistakes -computer crime: pretexting, phishing, spoofing, sniffing, hacking -natural disasters: disclosure during recovery

loss: faulty service

threat: -human error: procedural mistakes, development and installation errors -computer crime: usurpation -natural disasters: service improperly restored

loss: incorrect data modification

threat: -human error: procedural mistakes, incorrect procedures, ineffective accounting controls, system errors -computer crime: hacking -natural disasters: incorrect data recovery