MIS Chapter 10

Securing Privacy

"The best way to solve a problem is not to have it." (Resist providing sensitive data., Don't collect data you don't need.) Gramm-Leach-Bliley (GLB) Act, 1999 Privacy Act of 1974 Health Insurance Portability and Accountability Act (HIPAA), 1996 Australian Privacy Act of 1988 (Government, healthcare data, records maintained by businesses with revenues in excess of AU$3 million.) business professionals must consider legality, ethics, and wisdom when requesting, storing, or disseminating data think carefully about email you open over public, wireless networks use long, strong, passwords if unsure, don't give the data

systems procedures

1. Normal Operation 2. Backup 3. Recovery procedures of each type exist for each information system reduce likelihood of computer crime and other malicious activity by insiders, and ensures that system's security policy is enforced exist for both users and operations personnel

HTTPS or SSL or TLS

1. your computer obtains public key of web site 2. your computer generates key for symmetric encryption 3. your computer encrypts symmetric key using web site's public key 4. web site decodes your message using its private key. Obtains key for symmetric encryption 5. all communications between you and web site use symmetric encryption

Target: How did they do it?

1.Bought malware 2.Spearphished users at Fazio to get login credentials on Target vendor server. 3.Attackers escalated privileges, accessed Target's internal network, and planted malware. 4.Trojan.POSRAM extracted data from POS terminals. 5.Sent data to drop servers

smart card

A plastic card similar to a credit card that has a microchip, holding much more data than a magnetic strip, loaded with identifying data; requires a PIN to be authenticated

Public Key Encryption

A special version of asymmetric encryption that is popular on the Internet. With this method, each site has a public key for encoding messages and a private key for decoding them.

encryption algorithm

Algorithms used to transform clear text into coded, unintelligible text for secure storage or communication; include DES, 3DES, AES

hiring and screening

Background checks, references, social media posts

Target: Damage

Card and pin numbers of 2 million cards for $26.85 each ($53.7M). Costs (Upgraded POS terminals to support chip-and-pin cards, Increased insurance premiums, Paid legal fees, Settled with credit card processors, Paid consumer credit monitoring, Paid regulatory fines.) Loss of customer confidence and drop in revenues (46% loss for quarter). Direct loss to Target as high as $450 million. CIO resigned, CEO paid $16 million to leave. Cost credit unions and banks more than $200 million to issue new cards. Insurers demand higher premiums, stricter controls, and more system auditing. Consumers must watch their credit card statements, and fill out paperwork if fraudulent charges appear.

Equifax

Credit Monitoring (You should have an automatic service but checking is good too) A Credit Freeze with the big 3 (By freezing your credit files, you can prevent criminals from using your information to wreak havoc on your financial life. Even if your info was not exposed by the Equifax hack, this is the best way to protect your identity and your money., Issues: They charge, You can't get credit unless you unlock your credit file, therefore you can't buy a new phone unless you pay cash.) A hack of this magnitude will undoubtedly impact millions of American consumers in some way or another. Criminals will use every tactic they've got to take advantage of this situation. With so many Americans worried about whether their information was exposed and if they are at risk, crooks are going to tap into that fear in order to trick you into handing over your personal information. If your information was not exposed, you still may receive a fake email, text or phone call from a criminal offering to help or asking for your information to either determine whether you were affected by the Equifax hack or to help you protect yourself. But even if you fall for one of these scams, with a credit freeze in place, the criminals won't be able to carry out fraud in your name. Be wary of unexpected emails containing links or attachments: If you receive an unexpected email claiming to be from your bank or other company that has your personal information, don't click on any of the links or attachments. It could be a scam. Instead, log in to your account separately to check for any new notices. Call the company directly: If you aren't sure whether an email notice is legit, call the company directly about the information sent via email to find out if it is real and/or if there is any urgent information you should know about. If you do end up on a website that asks for your personal information, make sure it is a secure website, which will have "https" at the beginning ("s" indicates secure). Look out for grammar and spelling errors: Scam emails often contain typos and other errors — which is a big red flag that it probably didn't come from a legitimate source. Never respond to a text message from a number you don't recognize: This could also make any information stored in your phone vulnerable to hackers. Do some research to find out who and where the text came from. Don't call back unknown numbers: If you get a missed call on your cell phone from a number you don't recognize, don't call it back. Here's what you need to know about this phone scam.

Equifax Data Breach

Equifax, one of the nation's three main credit reporting agencies (the other two are Experian and TransUnion), announced on September 7 it was the victim of a major hack that exposed the personal information of 143 million U.S. consumers — or two-thirds of all Americans with credit reports. According to Equifax, hackers exploited a security vulnerability in a U.S.-based application to gain access to consumers' personal files. The company has not yet said which application or which vulnerability was the source of the unauthorized breach Hackers were able to gain access to consumers' names, Social Security numbers, birth dates, addresses and, in some cases, driver's license and credit card numbers. Anyone impacted by the breach is now at risk of identity theft and fraud — as any piece of this personal information can be used by, or sold to, criminals who can use it to open credit cards, take out loans, make purchases in your name — or even drain your bank accounts.

honeypots

False targets for computer criminals to attack. To an intruder, a honeypot looks like a particularly valuable resource, such as an unprotected Web site, but in actuality the only site content is a program that determines the attacker's IP address.

Goal of InfoSec

Find appropriate trade-off between risk of loss and cost of implementing safeguards. Protective actions (Use antivirus software, Delete browser cookies?,Make appropriate trade-offs to protect yourself and your business) not let the future unfold without careful analysis and action as indicated by that analysis

Loss of Infrastructure

Human accidents Theft and terrorist events Disgruntled or terminated employee Natural disasters Advanced Persistent Threat (APT29 (Russia) and Deep Panda (China), Theft of intellectual property from U.S. firms)

Hitting the Target

Lost 40 million credit and debit card numbers. Later, announced additional 70 million customer accounts stolen that included names, emails, addresses, phone numbers, etc. 98 million customers affected. (31% of 318 million people in US.) Stolen from point-of-sale (POS) systems at Target stores during holiday shopping season.

Security Monitoring

Ongoing process. One method used is activity logs. Activity logs can be produced by firewalls and databases management systems. Logs show who accessed what and when, and can also provide information on unauthorized attempts to access data. Activity log analyses, security testing, and investigating and learning from security incidents honeypots changes whenever new systems are created through organizational structure change, acquiring or selling companies, or mergers, new technology development; constantly monitor the situation and determine if the existing security policy and safeguards are adequate. If changes are needed, security personnel need to take appropriate action

adware

Programs installed on the user's computer without the user's knowledge or permission that reside in the background and, unknown to the user, observe the user's actions and keystrokes, modify computer activity, and report the user's activities to sponsoring organizations. Most adware is benign in that it does not perform malicious acts or steal data. It does, however, watch user activity and produce pop-up ads.

Help Desk Policies

Provide means of authenticating users such as asking questions only the true users would know. Reduce strength of the security system and increase vulnerability

Denial of Service (DoS)

Security problem in which users are not able to access an information system; can be caused by human errors, natural disaster, or malicious activity. human error in following procedures or a lack of procedures

recovery

System Users - accomplish job tasks during failure. Know tasks to do during system recovery Operations personnel - recover systems from backed up data. Perform role of help desk during recovery

privacy

The freedom from being observed by other people.

insider (hacking)

Trusted insiders steal proprietary information for personal, financial, and ideological reasons

Advice to Consumers

Use an anti-virus/malware solution•Use the protections offered by web-based services (e.g., two-factor authentication) Ensure your operating system and applications are kept up to date (updates/patches) Triage your email - do not respond/click on links to unsolicited emails from suspicious sources Eliminate web-mail access•Use complex passwords - practice good password management or use a password manager Engage in a backup process to ensure ability to recover lost data (offline storage)

Malware Safeguards

Use antivirus and antispyware programs. Scan frequently. Update malware definitions. Open email attachments only from known sources. Install software updates. Browse only reputable Internet neighborhoods.

password management

Users should change passwords frequently

virus

a computer program that replicates itself; consumes computer's resources, and take unwanted and harmful actions through a program called the payload

Intrusion Detection System (IDS)

a computer program that senses when another computer is attempting to scan or access a computer or network; IDS logs can record thousands of attempts each day

key escrow

a control procedure whereby a trusted party is given a copy of a key used to encrypt database data

Personal Identification Number (PIN)

a form of authentication whereby the user supplies a number that only he or she knows

threat

a person or organization that seeks to obtain or alter data or other IS assets illegally, without the owner's permission and often without the owner's knowledge

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

a protocol that uses both asymmetric and symmetric encryption. When in use, the browser address will begin with https:// symmetric encryption is fast and is preferred. But the two parties don't share a symmetric key. SO the two of you use public key encryption to share the same symmetric key. Once you both have that key, you use symmetric encryption for the remainder of the communication at the end of the session, your computer and the secure site discard the keys; using this strategy, the bulk of the secure communication occurs using the faster symmetric encryption. Also, because keys are used for short intervals, there is less likelihood they can be discovered. makes it safe to send sensitive data such as credit card numbers and bank balances

Advanced Persistent Threat (APT)

a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments; can be a means to engage in cyberwarfare and cyberespionage

key

a string of bits, like numbers or letters, used with an encryption algorithm to encrypt the data; unlocks a message

Phishing

a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail; also known as email spoofing

https

an indication that a web browser is using the SSL/TLS protocol to provide secure communications

vulnerability

an opportunity for threats to gain access to individual or organizational assets

spoofing

another term for someone pretending to be someone else

hacking

breaking into computers, servers, or networks to steal data

Malware

broad category of software that includes viruses, spyware, and adware

Payload

can delete programs or data—or, even worse, modify data in undetected ways.

incorrect data modification

can occur through human error when employees follow procedures incorrectly or when procedures have been designed incorrectly Procedures incorrectly designed or not followed Increasing a customer's discount or incorrectly modifying employee's salary Placing incorrect data on company Web site Cause: Improper internal controls on systems, System errors, Faulty recovery actions after a disaster, hacking into a computer system

key loggers

captures keystrokes to obtain usernames, passwords, account numbers, and other sensitive information

PRISM

code name for a secret global surveillance program by which the National Security Agency (NSA) requested and received data about Internet activities from major Internet providers

Termination

companies must establish security policies and procedures for employee termination friendly - occur as a result of retirement, promotion, or employee resignation to take on another position; ensure that systems administrators receive notification in advance of the employee's last day so that they can remove accounts and passwords; out-processing also includes recovering keys for encrypted data and any other special security requirements unfriendly - more difficult; systems administrators remove accounts and passwords before receiving notification in advance of the employee's last day; other actions may be needed to protect the company's data assets

firewall

computing devices located between public and private networks that prevent unauthorized access to or from the internal network. A firewall can be a special-purpose computer, or it can be a program on a general-purpose computer or on a router acts as a filter for network traffic

backup

concern the creation of backup data to be used in the event of failure system users - prepare for loss of system functionality operations personnel - back up web site resources, databases, administrative data, account and password data, and other data

account management

concerns the creation of new user accounts, the modification of existing account permissions, and the removal of unneeded accounts; account users have the responsibility to notify systems administrators of need for these actions

human safeguards for non employee personnel

contracts that govern the activity should call for security measures appropriate to the sensitivity of the data and the IS resources involved. Companies require vendors and partners to perform appropriate screening and security training, mention specific security responsibilities relevant to work performed, companies should provide accounts and passwords with the least privilege and remove those accounts hardening business relationship with public and some partners differs from that with temporary personnel and vendors -Account Administration: Manage accounts, Password management, Help desk policies -Systems Procedures: Normal operation, Backup, Recovery -Security Monitoring: Activity log analysis, Security testing, Investigating security incidents honeypots, which are false targets for computer criminals to attack

How big is the computer security problem?

do not know the full extent of the financial and data losses due to computer security threats and natural disasters are enormous and impossible to compute no one knows the cost of computer crime since there are no standards for tallying crime costs all studies on the cost of computer crime are based on surveys; different respondents interpret terms differently, some organizations don't report all their losses, and some won't report computer crime losses at all; absent standard definitions and a more accurate way of gathering crime data, we cannot rely on the accuracy of any particular estimate; look for trends by comparing year-to-year data, assuming the same methodology is used by the various types of survey respondents Malicious outsiders are an increasing serious security threat business disruption and data loss are principal costs of computer crime survey respondents believe negligent employees, personal devices connecting to the corporate network, and the use of commercial cloud-based applications pose a significant security threat security safeguards work

identification and authentification

every information system today should require users to sign on with a username and password identification - the process by which an information system identifies the user by requiring the user to sign on with a username and password authentication - the process by which an information system authenticates the user smart cards biometric authentication

packet-filtering firewall

examines each part of a message and determines whether to let that part pass; simplest type of firewall; can prohibit outsiders from starting a session with any user behind the firewall, disallow traffic from particular sites, prohibit traffic from legitimate, but unwanted, addresses, keep employees from accessing specific sites

internal firewalls

firewalls that sit inside the organizational network

Examples of Threat/Loss

hacker wants to steal your bank login credentials employee posts sensitive data to public google+ group

Who is doing the hacking?

hacktivism, crime, insider, espionage, terrorism, warfare

5 Components of Safeguards

hardware, software, data, procedures, people

How should organizations respond to security incidents?

have plan in place centralized reporting specific responses (speed, preparation pays, don't make problem worse) practice

Sources of Threats

human error, computer crime, natural disasters

human error

include accidental problems caused by both employees and nonemployees, poorly written application programs and poorly designed procedures, and physical accidents, such as driving a forklift through the wall of a computer room unauthorized data disclosure - procedural mistakes incorrect data modification - procedural mistakes, incorrect procedures, ineffective accounting controls, system errors faulty service - procedural mistakes, development and installation errors denial of service (DoS) - accidents Loss of infrastructure - accidents

natural disasters

include floods, earthquakes, fires, hurricanes, tsunamis, avalanches, and other acts of nature. Problems in this category include not only the initial loss of capability and service, but also losses stemming from actions to recover from the initial problem unauthorized data disclosure - disclosure during recovery incorrect data modification - incorrect data recovery faulty service - service improperly restored denial of service (DoS) - service interruption Loss of infrastructure - property loss

computer crime

includes employees and former employees who intentionally destroy data or other system components, hackers who break into a system and virus and worm writers who infect computer systems, and terrorists and those who break into a system to steal for financial gain unauthorized data disclosure - pretext, phishing, spoofing, sniffing, hacking incorrect data modification - hacking faulty service - usurpation denial of service (DoS) - DoS attacks Loss of infrastructure - theft, terrorist activity

Faulty Service

includes problems that result because of incorrect system operation Incorrect data modification Systems working incorrectly Procedural mistakes Programming errors IT installation errors Usurpation Denial of service (unintentional) Denial-of-service attacks (intentional)

crime (hacking)

individuals and sophisticated criminal enterprises steal personal information and extort victims for financial gain

Information technology security

information security applied to technology (most often some form of computer system). It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory. Such devices can range from non-networked standalone devices as simple as calculators, to networked mobile computing devices such as smartphones and tablet computers. IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within larger businesses. They are responsible for keeping all of the technology within the company secure from malicious cyber attacks that often attempt to breach into critical private information or gain control of the internal systems.

technical safeguards

involve the hardware and software components of an information system identification and authorization, encryption, firewalls, malware protection, application design contains both hardware and software

human safeguards

involve the people and procedure components of information systems Steps taken to protect against security threats by establishing appropriate procedures for users to follow during system use. hiring, training, education, procedure design, administration, assessment, compliance, accountability contains procedures and people

Ransomware

malicious software that blocks access to a system or data until money is paid to the attacker

espionage (hacking)

nation-state actors conduct computer intrusions to steal sensitive state secrets and proprietary information from private companies

warfare (hacking)

nation-state actors sabotage military and critical infrastructure systems to gain an advantage in the event of conflict

unauthorized data disclosure

occurs when a threat obtains data that is supposed to be protected. Can occur by human error when someone inadvertently releases data in violation of privacy Pretexting Phishing Spoofing (i.e. IP spoofing, Email spoofing) Drive-by sniffers (i.e. Wardrivers) Hacking occur through popularity and efficacy of search engines or through natural disasters

IP spoofing

occurs when an intruder uses another site's IP address to masquerade as that other site

usurpation

occurs when computer criminals invade a computer system and replace legitimate programs with their own, unauthorized ones that shut down legitimate applications and substitute their own processing to spy, steal and manipulate data, or achieve other purposes; or when service is improperly restored during recovery from natural disasters

pretexting

occurs when someone deceives by pretending to be someone else

malware definitions

patterns that exist in malware code-should be downloaded frequently.

motivations and incentives of hackers

personally identifiable information payment card industry protected health information Business Intelligence MPNI Intellectual Property (IP) defense, national security, critical infrastructure

phisher

pretends to be a legitimate company and sends an email requesting confidential data

spyware

programs installed on the user's computer without the user's knowledge or permission that reside in the background and, unknown to the user, observe the user's actions and keystrokes, modify computer activity, and report the user's activities to sponsoring organizations. Malicious spyware captures keystrokes to obtain usernames, passwords, account numbers, and other sensitive information. Used for marketing analyses, observing what users do, web sites visited, products examined and purchased, and so forth

data safeguards

protect databases and other organizational data. Two organizational units are responsible for data safeguards. define data policies, data rights and responsibilities, rights enforced by user accounts authenticated by passwords, data encryption, backup and recovery procedures, physical security data rights and responsibilities, passwords, encryption, backup and recovery, physical security contains data

safeguards

protections against security threats; expensive to create and maintain; reduce work efficiency by making common tasks more difficult, adding additional labor expense

Normal Operation

provide safeguards appropriate to the sensitivity of the information system System Users - Use the system to perform job tasks, with security appropriate to sensitivity Operations Personnel - operate data center equipment, manage networks, run web servers, and do related operational tasks

database administration

refers to a function that pertains to a particular database A person or department that develops procedures and practices to ensure efficient and orderly multiuser processing of the database, to control changes to database structure, and to protect the database. Database design and management group responsible for defining and organizing the structure and content of the database, and maintaining the database.

data administration

refers to an organization-wide function that is in charge of developing data policies and enforcing data standards

Dissemination and Enforcement

responsibility, accountability, and compliance uses training to help employees be aware of security policies, procedures, and responsibilities, and be amplified in accordance to position's sensitivity and responsibilities; used, even during promotions; user accounts and passwords not given until training completed management attitude is crucial: employee compliance is greater when management demonstrates a serious concern for security; effective security is a continuing management responsibility. Regular reminders about security are essential

How should organizations respond to security threats?

senior management needs to address two critical security functions: security policy and risk management Senior management must establish company-wide security policies, which should stipulate what sensitive data the organization will store, how it will process that data, whether data will be shared with other organizations, how employees and others can obtain copies of data stored about them, how employees and others can request changes to inaccurate data; specifics of the policy depend on whether the organization is governmental or nongovernmental, publically held or private, on the organization's industry, on the relationship of management to employees, and on other factors seek out employer's security policy if not discussed in new-employee training manage risk is to proactively balance the trade-off between risk and cost, varying from industry to industry and from organization to organization trade-off decisions made when organizations create an inventory of the data and hardware they want to protect and then evaluate safeguards relative to the probability of each potential threat, which the organization uses to decide how much risk it wishes to take or which security safeguards it wishes to implement

position definition

separate duties and authorities, determine least privilege, document position sensitivity

Single sign-on for multiple systems

sign on to local computer and provide authentication data; from that point on your operating system authenticates you to another network or server, which can authenticate you to yet another network and server, and so forth

wardrivers

simply take computers with wireless connections through an area and search for unprotected wireless networks. Can monitor and intercept traffic on unsecured wireless networks or protected wired networks; i.e. spyware and adware

perimeter firewall

sits outside the organizational network; it is the first device that internet traffic encounters

spyware and adware symptoms

slow system startup sluggish system performance many pop-up advertisements suspicious browser homepage changes suspicious changes to the taskbar and other system interfaces unusual hard-disk activity

cookies

small computer programs left behind on your computer when you visit a website; enable you to access websites without having to sign in every time, and they speed up processing of some sites; can contain sensitive security data

safeguard

some measure that individuals or organizations take to block the threat from obtaining the asset; not always effective

Personal Security Safeguards

take security seriously create strong passwords use multiple passwords send no valuable data via email or IM use https at trusted, reputable vendors remove high-value assets from computers clear browsing history, temporary files, and cookies (CCleaner or equivalent) regularly update antivirus software demonstrate security concern to your fellow workers follow organizational security directives and guidelines consider security for all business initiatives signs of compromise include bogus charges on credit card or messages from friends complaining about disgusting email from your email account Computer security professionals use intrusion detection systems to detect attacks use reasonable safeguards never send valuable data via email or IM because not protected by encryption buy only from vendors using a secure https connection

three types of safeguards

technical, data, human

sniffing

technique for intercepting computer communications; requires physical connection with wired networks, no physical connection required for wireless networks

terrorism (hacking)

terrorist groups sabotage the computer systems that operate our critical infrastructure, such as the electric grid

target

the asset that is desired by the threat

brute force attack

the password cracker tries every possible combination of characters

Information security (InfoSec)

the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)

Encryption

the process of transforming clear text into coded, unintelligible text for secure storage or communication

Symmetric Encryption

the same key is used to encode and decode; simpler and faster

SQL injection attack

the situation that occurs when a user obtains unauthorized access to data by entering a SQL statement into a form in which one is supposed to enter a name or other data. If the program is improperly designed, it will accept this statement and make it part of the sql command that it issues to the DBMS

security

the state of being free from danger or threat

information systems security

trade-off between security and freedom/cost and risk

Assymetric Encryption

two keys are used: one key codes and a different key decodes

Types of Losses

unauthorized data disclosure, incorrect data modification, faulty service, denial of service (DoS), loss of infrastructure

Hacktivism

use computer network exploitation to advance their political or social causes

biometric authentication

uses personal physical characteristics such as fingerprints, facial features, and retinal scans to authenticate users; provides strong authentication, but required equipment is expensive; biometric identification resisted because people feel it is invasive

worm

virus that self-propagates using the Internet or other computer network; spread faster than other virus types; can overload and crash a network

Trojan horses

viruses that masquerade as useful programs or files

hacker wants to steal your bank login credentials

vulnerability - hacker creates a phishing site nearly identical to your online banking site safeguard, path 1 - only access sites using https safeguard, path 2 - none result, path 1 - no loss result, path 2 - loss of login credentials explanation, path 1 - effective safeguard explanation, path 1 - ineffective safeguard

employee posts sensitive data to public google+ group

vulnerability - public access to not-secure group safeguard - passwords, procedures, employee training result - loss of sensitive data explanation - ineffective safeguard

Stuxnet

worked: 1. infection (enters system via USB stick and proceeds to infect all machines using microsoft windows. By brandishing a digital certificate that seems to show that it comes from a reliable company, the worm is able to evade automated-detection systems) 2. search (checks whether a given machine is part of the targeted industrial control systems made by siemens; such systems are deployed in Iran to run high-speed centrifuges that help to enrich nuclear fuel) 3. update (if system isn't a target, stuxnet does nothing. If it is, the worm attempts to access the internet and download a more recent version of itself) 4. compromise (the worm then compromises the target system's logic controllers, exploiting "zero day" vulnerabilities - software weaknesses that haven't been identified by security experts) 5. control (spies on operations of the targeted system in the beginning. Then it uses the information it has gathered to take control of the centrifuges, making them spin themselves to failure) 6. deceive and destroy (meanwhile, it provides false feedback to outside controllers, ensuring that they won't know what's going wrong until it's too late to do anything about it)