MIS 2 Chapter 10
(dissemination and enforcement)
Three interdependent factors: 1. responsibility 2. accountability 3. compliance
-design for secure applications
SQL injection attack
-firewalls
a computing device that prevents unauthorized network access. simply a filter -it can be a special purpose computer or it can be a program on a general purpose computer or on a router -perimeter firewall: sits outside the org network -internal firewall: inside the org network -packet-filtering firewall: examines each part of a message and determines whether to let that part pass *simplest type
human error
accidental problems caused by both employees and non-employees -misunderstanding operating procedures and accidentally deleting customer records -in the course of backing up a database, inadvertently installs an old database on top of the current one -poorly written application programs and design procedures -physical accidents
-security monitoring
activity log analyses, security testing, investigating and learning from security incidents -honeypots: false targets for computer criminals to attack
vulnerability
an opportunity for threats to gain access to individual or organizational assets -credit card data
-spoofing
another term for someone pretending to be someone else -IP spoofing -Email spoofing
target
asset that is desired by the threat
-hacking
breaking into computers, servers, or networks to steal data such as customer lists, product inventory data, employee data, etc
-malware
broad category of software that includes viruses, spyware, and adware -virus: computer program that replicates itself -payload: program code that causes the unwanted actions -trojan horses: viruses that masquerade as useful programs or files -worm: virus that self-propagates using the internet or other computer network -spyware: programs are installed on the user's computer without the user's knowledge or permission -key loggers: captures keystrokes to obtain usernames, passwords, account numbers -adware: installed without the user's permission and resides in the background and observes user behavior -ransomware: blocks access to a system or data until money is paid to the attacker
-human safeguards for non employee personnel
can't screen vendors -best safeguard against threats from public users is to harden the website -hardening: hardening a site means to take extraordinary measures to reduce a system's vulnerability
intrusion detection system (IDS)
computer program that senses when another computer is attempting to scan or access a computer or network
single most important safeguard
create and use strong passwords -use long passwords with no words, 10 or more characters, and a mix of letters, numbers, and special characters
Data Safeguards
data -define data policies -data rights and responsibilities -rights enforced by user accounts authenticated by passwords -data encryption -backup and recovery -physical security
computer crime
employees and former employees who intentionally destroy data or other system components. Also hackers who break into a system and virus and worm writers who infect computer systems -terrorist and financial gain
Goal of information systems security
find an appropriate trade-off between the risk of loss and the cost of implementing safeguards
natural events and disasters
fires, floods, hurricanes, earthquakes, tsunamis, avalanches, etc -problems: initial loss of capability and service, and losses stemming from actions to recover from the initial problem
(termination)
friendly, unfriendly
Technical Safeguards
hardware software -identification and authorization -encryption -firewalls -malware protection -application design
denial of service
human error in following procedures or a lack of procedures results in this -inadvertently shut down a web server or corporate gateway router by starting a computationally intensive application -computer criminals can launch an intentional DoS attack -computer worms can infiltrate a network with so much artificial traffic -natural disasters cause
-system procedures
normal operation, backup, recovery
unauthorized data disclosure
occurs when a threat obtains data that is supposed to be protected -occurs by human error of inadvertently releasing data in violation of policy -occurs by popularity and efficacy of search engines
-usurpation
occurs when computer criminals invade a computer system and replace legit programs with their own, unauthorized ones that shut down legit applications and substitute their own processing to spy, steal, and manipulate data, etc. Also can result from improper restoration from a disaster
-pretexting
occurs when someone deceives by pretending to be someone else -telephone caller (fake)
-malware definitions
patterns that exist in malware code
threat
person or organization that seeks to obtain or alter data or other IS assets illegally, without the owner's permission and often without the owner's knowledge
-human safeguards for employees
position definitions, hiring and screening, dissemination and enforcement, termination
Human Safeguards
procedures people -hiring and training -education -procedure design -admin -assessment -compliance -accountability
-encryption
process of transforming clear text into coded, unintelligible text for secure storage or communication -encryption algorithms -key: string of bits used to encrypt the data -symmetric encryption: same key is used to encode and decode -asymmetric encryption: two keys are used; one encodes and one decodes -public key encryption: used on the internet, special version of asymmetric -https (SSL or TLS)
how should ORGANIZATIONS respond to security threats
senior management needs to address two critical security functions 1. security policy 2. risk management
(position definition)
separate duties and authorities, determine least privilege, document position sensitivity
-phishing
similar technique for obtaining unauthorized data that uses pretexting via email -the phisher pretends to be a legit company and sends an email requesting confidential data, such as account numbers, social security numbers, account passwords, etc
-wardrivers
simply take computers with wireless connections through an area and search for unprotected wireless networks -monitor and intercept traffic on unsecured wireless networks
cookies
small files that your browser receives when you visit web sites -enable you to access web sites without having to sign in every time -great example of trade off of improved security and cost
safeguard
some measure that individuals or organizations take to block the threat from obtaining the asset -not always effective; some threats achieve their goal despite safeguards -expensive, reduce work efficiency by making common tasks more difficult
(recovery)
system user: accomplish job tasks during failure, know tasks to do during recovery -operations personnel: recover systems from backed up data, perform a role of help desk during recovery
(backup)
system user: prepare for loss of system functionality -operations personnel: back up web site resources, databases, admin data, account and password data
(normal operation)
system user: use the system to perform job tasks with security appropriate to sensitivity -operations personnel: operate data center equipment, manage networks, run web servers, and do related operational tasks
-sniffing
technique for intercepting computer communications -with wired networks, it requires a physical connection to the network -with wireless, there's no connection needed -spyware and adware
brute force attack
attack in which the password cracker tries every possible combination of characters
types of security losses
-unauthorized data disclosure -incorrect data modification -faulty service -denial of service (DoS) -loss of infrastructure
1. security policies
-what sensitive data the org will store -how it will process the data -whether data will be shared with other org -how employees and others can obtain copies of data stored about them -how employees and others can request changes in inaccurate data
loss of infrastructure
-Advanced Persistent Threat (APT)
-account administration
-account management: concerns of new user accounts, modification of existing account permissions, and the removal of unneeded accounts -password management: primary means of authentication -help desk policies:
how should organizations respond to security incidents
-have plan in place -centralized reporting -specific responses: speed, preparation pays, don't make problem worse -practice
sources of threats
-human error -computer crime -natural events and disasters
incorrect data modification
-incorrectly increasing a customer's discount or incorrectly modifying an employee's salary, earned days of vacation, or annual bonuses -occur through human error when employees follow procedures incorrectly or when they are designed incorrectly -need separation of duties -caused by system errors: lost update problems -computer criminals can make unauthorized changes -faulty recovery actions after a disaster
ponemon study
-malicious insiders are an increasingly serious security threat -business disruption and data loss are the principal costs of computer crime -survey respondents believe negligent employees, personal devices connecting to the corporate network, and the use of commercial cloud-based apps pose a significant security threat -security safeguards work
faulty service
-problems that result because of incorrect system operation: incorrect data modification, systems sending wrong goods to people, inaccurately billing -humans can cause this by making procedural mistakes or writing programs incorrectly
2. risk management
-risk cannot be eliminated -must proactively balance the trade-off between risk and cost
-identification and authentication
-smart card: plastic card similar to a credit card with a microchip loaded with identifying data -personal identification number (PIN) -biometric authentication: uses personal physical characteristics such as fingerprints, facial features, and retinal scans to authenticate users (expensive)
-two organizational units are responsible for data safeguards
1. data admin: organization wide function that is in charge of developing data policies and enforcing data standards 2. database administration: function that pertains to a particular database (ERP, CRM, MRP)
-malware safeguards
1. install antivirus and antispyware programs 2. set up antimalware frequently 3. update malware definitions 4. open email attachments only from known source 5. promptly install software updates from legit sources 6. browse only reputable web sites
how should YOU respond to security threats
1. take security seriously 2. create strong passwords 3. use multiple passwords 4. send no valuable data via email or IM 5. use https at trusted reputable vendors 6. remove high-value assets from computers 7. clear browsing history, temp files, and cookies 8. regularly update antivirus software 9. demonstrate security concern to workers 10. follow org security directives and guidelines 11. consider security for all business initiatives
loss: denial of service (DoS)
threat: -human error: accidents -computer crime: DoS attacks -natural disasters: service interruption
loss: loss of infrastructure
threat: -human error: accidents -computer crime: theft, terrorist activity -natural disasters: property loss
loss: unauthorized data disclosure
threat: -human error: procedural mistakes -computer crime: pretexting, phishing, spoofing, sniffing, hacking -natural disasters: disclosure during recovery
loss: faulty service
threat: -human error: procedural mistakes, development and installation errors -computer crime: usurpation -natural disasters: service improperly restored
loss: incorrect data modification
threat: -human error: procedural mistakes, incorrect procedures, ineffective accounting controls, system errors -computer crime: hacking -natural disasters: incorrect data recovery