MIS Chapter 10
Securing Privacy
"The best way to solve a problem is not to have it." (Resist providing sensitive data., Don't collect data you don't need.) Gramm-Leach-Bliley (GLB) Act, 1999 Privacy Act of 1974 Health Insurance Portability and Accountability Act (HIPAA), 1996 Australian Privacy Act of 1988 (Government, healthcare data, records maintained by businesses with revenues in excess of AU$3 million.) business professionals must consider legality, ethics, and wisdom when requesting, storing, or disseminating data think carefully about email you open over public, wireless networks use long, strong, passwords if unsure, don't give the data
systems procedures
Procedures of three types (1. normal operation, 2. backup, 3. recovery) should exist for each information system, and for both users and operations personnel. Well-defined procedures reduce the likelihood of computer crime and other malicious activity by insiders and ensure that the system's security policy is actually enforced rather than merely written down.
HTTPS or SSL or TLS
1. Your computer obtains the public key of the web site (from the site's certificate).
2. Your computer generates a key for symmetric encryption.
3. Your computer encrypts the symmetric key using the web site's public key.
4. The web site decrypts your message using its private key and so obtains the symmetric key.
5. All further communication between you and the web site uses symmetric encryption with that key.
Caveat: this is the RSA key-transport handshake of TLS 1.2 and earlier. TLS 1.3 removed it; both sides now derive the session key with an ephemeral Diffie-Hellman exchange, so a later theft of the server's private key cannot decrypt recorded sessions (forward secrecy). The hybrid idea is unchanged: public-key operations to agree on a key, symmetric encryption for the bulk data.
Target: How did they do it?
1. Bought malware.
2. Spear-phished users at Fazio Mechanical (an HVAC vendor) to get login credentials to Target's vendor server.
3. Attackers escalated privileges, moved from the vendor-facing system into Target's internal network, and planted malware.
4. Trojan.POSRAM scraped card data from the memory of POS terminals.
5. Sent the data to drop servers controlled by the attackers.
smart card
A plastic card similar to a credit card that has a microchip, holding much more data than a magnetic strip, loaded with identifying data; requires a PIN to be authenticated
Public Key Encryption
A special version of asymmetric encryption that is popular on the Internet. With this method, each site has a public key for encoding messages and a private key for decoding them.
encryption algorithm
Algorithms used to transform clear text into coded, unintelligible text for secure storage or communication; examples include DES, 3DES, and AES. Practitioner's caveat: DES (56-bit key) is broken by brute force and 3DES is deprecated; AES is the current standard, and it should be used in an authenticated mode (for example AES-GCM) so that tampering with ciphertext is detected.
hiring and screening
Background checks, references, social media posts
Target: Damage
Card and PIN numbers of 2 million cards were sold for $26.85 each ($53.7M). Target's costs: upgraded POS terminals to support chip-and-PIN cards, increased insurance premiums, legal fees, settlements with credit card processors, consumer credit monitoring, and regulatory fines. Loss of customer confidence and a drop in revenue (profit fell 46% for the quarter). Direct loss to Target as high as $450 million. The CIO resigned; the CEO was paid $16 million to leave. It cost credit unions and banks more than $200 million to issue new cards. Insurers now demand higher premiums, stricter controls, and more system auditing. Consumers must watch their credit card statements and fill out paperwork if fraudulent charges appear.
Equifax
Credit monitoring: you should have an automatic service, but checking your reports yourself is good too.
A credit freeze with the big three bureaus: by freezing your credit files, you can prevent criminals from using your information to open new accounts in your name. Even if your information was not exposed by the Equifax hack, this is the best way to protect your identity and your money. Issues: the bureaus charged a fee at the time, and you can't get new credit until you temporarily unfreeze your file, so you can't finance a new phone unless you pay cash.
A hack of this magnitude affects millions of American consumers, and criminals will exploit the fear around it. Even if your information was not exposed, you may receive a fake email, text, or phone call offering to help, or asking for your information to "determine whether you were affected" or to "help you protect yourself." With a credit freeze in place, even if you fall for one of these scams, the criminals cannot open new credit in your name.
Be wary of unexpected emails containing links or attachments: if you receive an unexpected email claiming to be from your bank or another company that holds your personal information, don't click on the links or attachments. Instead, log in to your account separately to check for any new notices.
Call the company directly: if you aren't sure whether an email notice is legitimate, call the company on a number you already have (not one taken from the email) to find out whether it is real and whether there is any urgent information you should know about.
If you do end up on a website that asks for your personal information, check that it uses "https" (the "s" indicates that the connection is encrypted). Caveat: https only protects the data in transit; a phishing site can use https too, so also check that the domain is the one you expect.
Look out for grammar and spelling errors: scam emails often contain typos and other errors, which is a red flag that the message did not come from a legitimate source.
Never respond to a text message from a number you don't recognize: a reply confirms that your number is live and invites further attempts. Do some research to find out who and where the text came from.
Don't call back unknown numbers: if you get a missed call on your cell phone from a number you don't recognize, don't call it back.
Equifax Data Breach
Equifax, one of the nation's three main credit reporting agencies (the other two are Experian and TransUnion), announced on September 7, 2017 that it was the victim of a major hack that exposed the personal information of 143 million U.S. consumers, roughly two-thirds of all Americans with credit reports. According to Equifax, hackers exploited a security vulnerability in a U.S.-based web application to gain access to consumers' personal files. At the time of the announcement the company had not said which application or which vulnerability was involved; it was later identified as an unpatched flaw in the Apache Struts web framework for which a fix had been available for about two months. Hackers gained access to consumers' names, Social Security numbers, birth dates, addresses and, in some cases, driver's license and credit card numbers. Anyone affected is at risk of identity theft and fraud, because any piece of this information can be used by, or sold to, criminals who can open credit cards, take out loans, make purchases in your name, or even drain your bank accounts.
honeypots
False targets for computer criminals to attack. To an intruder, a honeypot looks like a particularly valuable resource, such as an unprotected web server, but it holds no real data; its purpose is to record the attacker's IP address, tools, and techniques so that defenders can learn from them and tune their other defenses. Because no legitimate user has any reason to touch it, any traffic to a honeypot is suspicious by definition.
Goal of InfoSec
Find the appropriate trade-off between the risk of loss and the cost of implementing safeguards. Protective actions: use antivirus software, consider deleting browser cookies, and make appropriate trade-offs to protect yourself and your business. Don't let the future unfold without careful analysis and the action that analysis indicates.
Loss of Infrastructure
Causes: human accidents; theft and terrorist events; disgruntled or terminated employees; natural disasters; advanced persistent threats (for example APT29, attributed to Russia, and Deep Panda, attributed to China, both linked to theft of intellectual property from U.S. firms).
Hitting the Target
Lost 40 million credit and debit card numbers. Later, announced additional 70 million customer accounts stolen that included names, emails, addresses, phone numbers, etc. 98 million customers affected. (31% of 318 million people in US.) Stolen from point-of-sale (POS) systems at Target stores during holiday shopping season.
Security Monitoring
An ongoing process. One method is activity-log analysis: firewalls, web servers, and database management systems produce logs that show who accessed what and when, and can also record unauthorized attempts to access data. Monitoring also includes security testing (for example penetration tests), investigating and learning from security incidents, and honeypots. Requirements change whenever new systems are created, when the organization restructures, acquires or sells companies, or merges, and as new technology is developed; security personnel must constantly monitor the situation, determine whether the existing security policy and safeguards are still adequate, and take appropriate action if changes are needed.
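As an added example (not code from the chapter or its textbook), here is the kind of activity-log analysis described above, run over a handful of constructed sshd-style log lines: it flags a source address that fails authentication repeatedly within a short window, and separately flags a successful login that follows such a burst, which is the pattern a brute-force or password-spray attack leaves behind. The same check is what an intrusion detection system applies to its own logs, and it is the log-side view of the brute force attack defined later in this set. The log lines, hostname, addresses, and user names are invented for the demonstration.

```python
# Added example: brute-force detection over constructed sshd-style log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Mar 10 08:00:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50213 ssh2
Mar 10 08:00:04 host sshd[2101]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar 10 08:00:06 host sshd[2101]: Failed password for root from 203.0.113.7 port 50215 ssh2
Mar 10 08:00:07 host sshd[2101]: Failed password for alice from 203.0.113.7 port 50216 ssh2
Mar 10 08:00:09 host sshd[2101]: Accepted password for alice from 203.0.113.7 port 50217 ssh2
Mar 10 08:15:00 host sshd[2190]: Failed password for bob from 198.51.100.4 port 41000 ssh2
Mar 10 08:20:00 host sshd[2191]: Accepted publickey for bob from 198.51.100.4 port 41001 ssh2
"""

# One regex for both outcomes; "invalid user" is optional so unknown
# usernames are captured the same way as real ones.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2024):
    """Turn syslog lines (which carry no year) into (time, result, user, ip)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # unrelated sshd chatter
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source IP that reaches `threshold` failures inside a
    sliding `window`, and again if that IP later logs in successfully."""
    alerts = []
    fails = defaultdict(list)              # ip -> failure timestamps in window
    flagged = set()
    for ts, result, user, ip in sorted(events):
        recent = fails[ip]
        while recent and ts - recent[0] > window:
            recent.pop(0)                  # slide the window forward
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip, len(recent)))
        elif ip in flagged:
            # A success after a burst of failures is the one worth paging on.
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip, user))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

In production this logic runs over a log stream or a SIEM query rather than a string. The window and threshold are the knobs that trade detection speed against false positives; the single failed login from the second address is exactly the noise a threshold exists to ignore.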
adware
Software installed alongside a "free" download or browser add-on that runs in the background, watches user activity, and produces pop-up advertisements. Most adware is benign in that it does not perform malicious acts or steal data, but it reports browsing behavior to sponsoring organizations and degrades system performance; the line between adware and spyware is one of intent, not mechanism.
Help Desk Policies
Help desks need a means of authenticating users who call in, such as asking questions only the true user would know (and not facts an attacker could find on social media). Password resets and account unlocks handled by a help desk reduce the strength of the security system and increase vulnerability, because an attacker who can talk the help desk into a reset bypasses the password entirely; this is the classic pretexting target.
Denial of Service (DoS)
A security problem in which users are not able to access an information system. Can be caused by human error (not following procedures, or a lack of procedures), by natural disaster, or by malicious activity (a DoS attack that floods a server with more requests than it can handle).
recovery
System users: know how to accomplish job tasks during a failure, and what to do during system recovery. Operations personnel: recover systems from backed-up data, and perform the role of help desk during recovery.
privacy
The freedom from being observed by other people.
insider (hacking)
Trusted insiders steal proprietary information for personal, financial, and ideological reasons
Advice to Consumers
Use an anti-virus/anti-malware solution. Use the protections offered by web-based services (e.g., two-factor authentication). Keep your operating system and applications up to date (updates/patches). Triage your email: do not respond to, or click on links in, unsolicited emails from suspicious sources. Eliminate web-mail access where it isn't needed. Use complex passwords and practice good password management, or use a password manager. Engage in a backup process so that you can recover lost data (offline storage, so that ransomware cannot reach the backup).
Malware Safeguards
Use antivirus and antispyware programs. Scan frequently. Update malware definitions. Open email attachments only from known sources. Install software updates. Browse only reputable Internet neighborhoods.
password management
Traditional advice is that users should change passwords frequently. Current NIST guidance (SP 800-63B) no longer recommends periodic rotation: forced changes push users toward predictable variations, so passwords should be changed when there is evidence of compromise, and organizations should instead screen new passwords against lists of known-breached values and add a second factor.
virus
a computer program that replicates itself, consumes the computer's resources, and takes unwanted and harmful actions through a part of the program called the payload
Intrusion Detection System (IDS)
a computer program that senses when another computer is attempting to scan or access a computer or network; IDS logs can record thousands of attempts each day, so alerts must be prioritized and correlated rather than read one by one
key escrow
a control procedure whereby a trusted party is given a copy of a key used to encrypt database data, so the data can still be recovered if the original key is lost or its holder leaves; the escrow holder then becomes a high-value target and must be protected accordingly
Personal Identification Number (PIN)
a form of authentication whereby the user supplies a number that only he or she knows
threat
a person or organization that seeks to obtain or alter data or other IS assets illegally, without the owner's permission and often without the owner's knowledge
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
a protocol that uses both asymmetric and symmetric encryption; when it is in use, the browser address begins with https://. Symmetric encryption is fast and is preferred for bulk data, but the two parties don't start out sharing a symmetric key, so they use public-key encryption to agree on one. Once both have that key, symmetric encryption is used for the remainder of the communication, and at the end of the session both sides discard the keys. The bulk of the secure communication therefore runs on the faster symmetric algorithm, and because each key is used for only a short interval there is less chance of its being discovered. This makes it safe to send sensitive data such as credit card numbers and bank balances across an untrusted network. SSL is the obsolete predecessor (all SSL versions are now considered broken); modern browsers negotiate TLS 1.2 or 1.3.
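As an added example (not code from the chapter), here is the exchange described above with both sides' messages. Textbook RSA on two fixed Mersenne primes stands in for the server's real RSA key, and a SHA-256 keystream with an HMAC tag (encrypt-then-MAC) stands in for AES-GCM; neither is a safe substitute for a real TLS library, and the key-transport style shown is the TLS 1.2 one rather than the Diffie-Hellman exchange TLS 1.3 uses. The primes, key sizes, and function names are the example's own assumptions.

```python
# Added example: hybrid (public-key + symmetric) session setup, illustrative only.
import hashlib
import hmac
import secrets

# Server's long-term key pair. The primes are the Mersenne primes 2^89-1 and
# 2^107-1, fixed so the example is deterministic; real RSA keys use random
# primes of 1024 bits or more, and the public key travels in a certificate.
P = 2**89 - 1
Q = 2**107 - 1
E = 65537

def rsa_keypair(p=P, q=Q, e=E):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse (Python 3.8+)
    return (n, e), (n, d)                  # (public, private)

# Symmetric layer: a SHA-256 keystream XORed over the data, then an HMAC tag
# over nonce+ciphertext (encrypt-then-MAC). A real stack would use AES-GCM.
def derive_keys(session_key: bytes):
    km = hashlib.sha256(b"session-keys" + session_key).digest()
    return km[:16], km[16:]                # (encryption key, MAC key)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def sym_encrypt(session_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = derive_keys(session_key)
    nonce = secrets.token_bytes(16)        # fresh per message; never reused
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def sym_decrypt(session_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = derive_keys(session_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tag mismatch: ciphertext altered or wrong key")
    return keystream_xor(enc_key, nonce, ct)

# The exchange itself.
def client_hello(server_pub):
    """Steps 1-3: the client has the server's public key, picks a fresh
    128-bit session key and sends it encrypted under that public key."""
    n, e = server_pub
    session_key = secrets.token_bytes(16)  # as an integer this is < n
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return session_key, wrapped

def server_unwrap(server_priv, wrapped: int) -> bytes:
    """Step 4: the server recovers the session key with its private key."""
    n, d = server_priv
    return pow(wrapped, d, n).to_bytes(16, "big")

def run_session(message: bytes) -> bytes:
    """Step 5: both sides now talk under the shared symmetric key; the keys
    are discarded when the function returns, as at the end of a TLS session."""
    pub, priv = rsa_keypair()
    client_key, wrapped = client_hello(pub)           # client -> server
    server_key = server_unwrap(priv, wrapped)
    on_the_wire = sym_encrypt(client_key, message)    # client -> server
    return sym_decrypt(server_key, on_the_wire)       # server reads it

if __name__ == "__main__":
    print(run_session(b"card=4111111111111111&exp=12/29"))
```

Two things the toy makes visible that the prose does not: the public-key operation happens exactly once, on 16 bytes, while everything else is cheap symmetric work; and because the session key is wrapped under the server's long-term key, anyone who later obtains that private key can unwrap recorded sessions, which is the weakness TLS 1.3's ephemeral Diffie-Hellman removes.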
Advanced Persistent Threat (APT)
a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments; can be a means to engage in cyberwarfare and cyberespionage
key
a string of bits used with an encryption algorithm to encrypt the data; the same key (symmetric) or the matching key of the pair (asymmetric) unlocks the message
Phishing
a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent email that appears to come from a legitimate organization. The message often relies on email spoofing (a forged sender address), but the terms are not synonyms: spoofing is the forgery, phishing is the deception that uses it
https
an indication, in the browser's address bar, that the browser is using the TLS protocol (historically SSL) to encrypt communications with the site; it says nothing about whether the site itself is the one you intended to visit
vulnerability
an opportunity for threats to gain access to individual or organizational assets
spoofing
another term for someone pretending to be someone else
hacking
breaking into computers, servers, or networks to steal data
Malware
broad category of software that includes viruses, spyware, and adware
Payload
the part of a virus that does the damage; it can delete programs or data, or, even worse, modify data in undetected ways
incorrect data modification
Can occur through human error, when employees follow procedures incorrectly or when procedures have been designed incorrectly, or through computer crime. Examples: increasing a customer's discount or incorrectly modifying an employee's salary; placing incorrect data on the company web site. Causes: improper internal controls on systems, system errors, faulty recovery actions after a disaster, and hacking into a computer system.
key loggers
malicious spyware that captures keystrokes to obtain usernames, passwords, account numbers, and other sensitive information
PRISM
code name for a secret global surveillance program by which the National Security Agency (NSA) requested and received data about Internet activities from major Internet providers
Termination
Companies must establish security policies and procedures for employee termination.
Friendly terminations occur as a result of retirement, promotion, or resignation to take another position. Ensure that systems administrators receive notification in advance of the employee's last day so that they can remove accounts and passwords; out-processing also includes recovering keys for encrypted data and any other special security requirements.
Unfriendly terminations are more difficult: systems administrators should remove accounts and passwords before the employee is notified of the termination, and other actions may be needed to protect the company's data assets.
firewall
a computing device located between public and private networks that prevents unauthorized access to or from the internal network. A firewall can be a special-purpose appliance, a program on a general-purpose computer, or a function of a router; it acts as a filter for network traffic
backup
Concern the creation of backup data to be used in the event of failure. System users: prepare for loss of system functionality. Operations personnel: back up web site resources, databases, administrative data, account and password data, and other data, and periodically test that the backups can actually be restored.
account management
concerns the creation of new user accounts, the modification of existing account permissions, and the removal of unneeded accounts; account users have the responsibility to notify systems administrators of need for these actions
human safeguards for non employee personnel
Contracts that govern the activity should call for security measures appropriate to the sensitivity of the data and the IS resources involved. Companies should require vendors and partners to perform appropriate screening and security training, spell out the specific security responsibilities relevant to the work performed, provide accounts and passwords with the least privilege needed, and remove those accounts when the work ends. Hardening the business relationship with the public and with some partners differs from the relationship with temporary personnel and vendors. Related human safeguards:
Account administration: managing accounts, password management, help desk policies.
Systems procedures: normal operation, backup, recovery.
Security monitoring: activity log analysis, security testing, investigating security incidents, honeypots (false targets for computer criminals to attack).
How big is the computer security problem?
No one knows the full extent of the financial and data losses due to computer security threats and natural disasters; they are enormous and impossible to compute precisely, because there are no standards for tallying crime costs. All studies on the cost of computer crime are based on surveys; different respondents interpret terms differently, some organizations don't report all their losses, and some won't report computer crime losses at all. Absent standard definitions and a more accurate way of gathering crime data, we cannot rely on the accuracy of any particular estimate, but we can look for trends by comparing year-to-year data, assuming the same methodology is used across survey respondents. What the surveys do agree on: malicious outsiders are an increasingly serious threat; business disruption and data loss are the principal costs of computer crime; respondents believe negligent employees, personal devices connecting to the corporate network, and the use of commercial cloud-based applications pose significant threats; and security safeguards work.
identification and authentication
Every information system today should require users to sign on. Identification is the process by which the user claims an identity (supplying a username); authentication is the process by which the system verifies that claim, using something the user knows (a password or PIN), something the user has (a smart card), or something the user is (biometric authentication). Combining factors from different categories is multi-factor authentication.
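As an added example (not code from the chapter), the two steps separated in code: the username identifies, the password authenticates. Passwords are stored as salted PBKDF2-HMAC-SHA256 digests, so a stolen user table does not yield passwords and each guess in a brute-force attack costs the attacker the full iteration count; an unknown username is checked against a dummy record so that response time does not reveal which usernames exist. The UserStore class, its names and the sample passwords are constructed for the demonstration.

```python
# Added example: identification vs. authentication with salted, slow hashing.
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)

def hash_password(password, salt=None):
    """Return (salt, digest). A per-user random salt means two users with
    the same password get different digests, and the iteration count makes
    each guess in a brute-force attack expensive."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

class UserStore:
    def __init__(self):
        self._users = {}                       # username -> (salt, digest)
        # Dummy record: unknown users cost the same work as known ones, so an
        # attacker cannot enumerate usernames by timing the responses.
        self._dummy = hash_password(secrets.token_hex(16))

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def authenticate(self, username, password):
        # Identification: the caller *claims* to be `username`.
        salt, stored = self._users.get(username, self._dummy)
        # Authentication: prove it by reproducing the stored digest.
        _, candidate = hash_password(password, salt)
        ok = hmac.compare_digest(candidate, stored)   # constant-time compare
        return ok and username in self._users

if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print(store.authenticate("alice", "correct horse battery staple"))   # True
    print(store.authenticate("alice", "Tr0ub4dor&3"))                    # False
    print(store.authenticate("mallory", "correct horse battery staple")) # False
```

The digest comparison is deliberately constant-time and the unknown-user path deliberately does the same hashing work as the known-user path; both are small details that stop an attacker learning anything from how long a failed login takes.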
packet-filtering firewall
examines each packet and determines whether to let it pass; the simplest type of firewall. It can prohibit outsiders from starting a session with any user behind the firewall, disallow traffic from particular sites, prohibit traffic from legitimate but unwanted addresses, and keep employees from accessing specific sites. Rules are normally evaluated top to bottom with the first match winning and a final default-deny rule.
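As an added example (not code from the chapter), a first-match packet filter that implements the four capabilities listed above over constructed addresses and rules. The internal network, the blocked sites, the web server address and the rule set are all assumptions of the example.

```python
# Added example: a first-match, default-deny packet filter over header fields.
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumed internal network

def packet(src, dst, proto="tcp", dport=0, syn=False):
    """A packet as the filter sees it: only header fields, no payload."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport, "syn": syn}

# Rules are evaluated top to bottom; the first rule whose conditions all hold
# wins. A condition absent from a rule matches anything. Order matters: the
# web-server allow sits above the rule that drops inbound connection attempts.
RULES = [
    # 1. disallow traffic from (or to) a particular bad site
    {"action": "deny", "src": "192.0.2.0/24"},
    {"action": "deny", "dst": "192.0.2.0/24"},
    # 2. keep employees off a specific external site
    {"action": "deny", "src": str(INTERNAL), "dst": "203.0.113.50/32"},
    # 3. the public web server is reachable from anywhere, HTTPS only
    {"action": "allow", "dst": "10.0.0.80/32", "proto": "tcp", "dport": 443},
    # 4. outsiders may not *start* a TCP session with anyone inside ...
    {"action": "deny", "dst": str(INTERNAL), "proto": "tcp", "syn": True},
    # ... but replies to sessions started from inside may come back
    {"action": "allow", "dst": str(INTERNAL), "proto": "tcp", "syn": False},
    # 5. inside users may go anywhere not denied above
    {"action": "allow", "src": str(INTERNAL)},
]

def matches(rule, pkt):
    if "src" in rule and pkt["src"] not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and pkt["dst"] not in ipaddress.ip_network(rule["dst"]):
        return False
    for field in ("proto", "dport", "syn"):
        if field in rule and rule[field] != pkt[field]:
            return False
    return True

def decide(pkt, rules=RULES):
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"            # default deny: anything not explicitly allowed

if __name__ == "__main__":
    print(decide(packet("198.51.100.9", "10.1.2.3", dport=22, syn=True)))   # deny
    print(decide(packet("198.51.100.9", "10.0.0.80", dport=443, syn=True))) # allow
    print(decide(packet("10.1.2.3", "203.0.113.50", dport=443, syn=True)))  # deny
```

A plain packet filter judges the "reply" rule on header flags alone, so a forged packet without the SYN flag would pass it; that is the gap a stateful firewall closes by remembering which sessions were actually opened from inside.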
internal firewalls
firewalls that sit inside the organizational network
Examples of Threat/Loss
A hacker wants to steal your bank login credentials; an employee posts sensitive data to a public Google+ group.
Who is doing the hacking?
hacktivism, crime, insider, espionage, terrorism, warfare
5 Components of Safeguards
hardware, software, data, procedures, people
How should organizations respond to security incidents?
Have a plan in place; centralized reporting of incidents; specific, pre-planned responses (speed matters, preparation pays, don't make the problem worse); practice the plan before it is needed.
Sources of Threats
human error, computer crime, natural disasters
human error
Includes accidental problems caused by both employees and nonemployees, poorly written application programs and poorly designed procedures, and physical accidents, such as driving a forklift through the wall of a computer room.
Unauthorized data disclosure: procedural mistakes. Incorrect data modification: procedural mistakes, incorrect procedures, ineffective accounting controls, system errors. Faulty service: procedural mistakes, development and installation errors. Denial of service (DoS): accidents. Loss of infrastructure: accidents.
natural disasters
Include floods, earthquakes, fires, hurricanes, tsunamis, avalanches, and other acts of nature. Problems in this category include not only the initial loss of capability and service, but also losses stemming from actions taken to recover from the initial problem.
Unauthorized data disclosure: disclosure during recovery. Incorrect data modification: incorrect data recovery. Faulty service: service improperly restored. Denial of service (DoS): service interruption. Loss of infrastructure: property loss.
computer crime
Includes employees and former employees who intentionally destroy data or other system components, hackers who break into systems, virus and worm writers who infect computer systems, terrorists, and those who break into a system to steal for financial gain.
Unauthorized data disclosure: pretexting, phishing, spoofing, sniffing, hacking. Incorrect data modification: hacking. Faulty service: usurpation. Denial of service (DoS): DoS attacks. Loss of infrastructure: theft, terrorist activity.
Faulty Service
Includes problems that result from incorrect system operation: incorrect data modification, systems working incorrectly, procedural mistakes, programming errors, IT installation errors, usurpation, and denial of service (unintentional) as well as denial-of-service attacks (intentional).
crime (hacking)
individuals and sophisticated criminal enterprises steal personal information and extort victims for financial gain
Information technology security
information security applied to technology (most often some form of computer system). It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory. Such devices can range from non-networked standalone devices as simple as calculators, to networked mobile computing devices such as smartphones and tablet computers. IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within larger businesses. They are responsible for keeping all of the technology within the company secure from malicious cyber attacks that often attempt to breach into critical private information or gain control of the internal systems.
technical safeguards
involve the hardware and software components of an information system: identification and authentication, encryption, firewalls, malware protection, and secure application design
human safeguards
involve the people and procedure components of information systems: steps taken to protect against security threats by establishing appropriate procedures for users to follow during system use. Includes hiring, training, education, procedure design, administration, assessment, compliance, and accountability
Ransomware
malicious software that blocks access to a system or data until money is paid to the attacker
espionage (hacking)
nation-state actors conduct computer intrusions to steal sensitive state secrets and proprietary information from private companies
warfare (hacking)
nation-state actors sabotage military and critical infrastructure systems to gain an advantage in the event of conflict
unauthorized data disclosure
occurs when a threat obtains data that is supposed to be protected. Can occur by human error, when someone inadvertently releases data in violation of policy (for example by placing it on a web site where search engines then index and surface it). Malicious techniques: pretexting, phishing, spoofing (IP spoofing, email spoofing), drive-by sniffers (wardrivers), and hacking. It can also occur during recovery from a natural disaster
IP spoofing
occurs when an intruder uses another site's IP address to masquerade as that other site
usurpation
occurs when computer criminals invade a computer system and replace legitimate programs with their own, unauthorized ones that shut down legitimate applications and substitute their own processing to spy, steal and manipulate data, or achieve other purposes; or when service is improperly restored during recovery from natural disasters
pretexting
occurs when someone deceives by pretending to be someone else
malware definitions
patterns (signatures) found in known malware code that antivirus software matches against; they should be updated frequently, because signature matching only catches malware that has already been seen and analyzed
motivations and incentives of hackers
The data hackers go after: personally identifiable information (PII); payment card industry (PCI) data; protected health information (PHI); business intelligence; MPNI; intellectual property (IP); defense, national security, and critical infrastructure information.
phisher
pretends to be a legitimate company and sends an email requesting confidential data
spyware
programs installed on the user's computer without the user's knowledge or permission that reside in the background and, unknown to the user, observe the user's actions and keystrokes, modify computer activity, and report the user's activities to sponsoring organizations. Malicious spyware captures keystrokes to obtain usernames, passwords, account numbers, and other sensitive information; less harmful spyware is used for marketing analysis, observing what users do, which web sites they visit, and which products they examine and purchase
data safeguards
protect databases and other organizational data. Two organizational units are responsible for data safeguards: data administration (organization-wide policies) and database administration (a particular database). They define data policies and data rights and responsibilities; rights are enforced through user accounts authenticated by passwords; the remaining safeguards are data encryption, backup and recovery procedures, and physical security
safeguards
protections against security threats; expensive to create and maintain; reduce work efficiency by making common tasks more difficult, adding additional labor expense
Normal Operation
Provide safeguards appropriate to the sensitivity of the information system. System users: use the system to perform job tasks, with security appropriate to that sensitivity. Operations personnel: operate data center equipment, manage networks, run web servers, and do related operational tasks.
database administration
refers to a function that pertains to a particular database: a person or department that develops procedures and practices to ensure efficient and orderly multiuser processing of the database, to control changes to database structure, and to protect the database. The database design and management group is responsible for defining and organizing the structure and content of the database and for maintaining it
data administration
refers to an organization-wide function that is in charge of developing data policies and enforcing data standards
Dissemination and Enforcement
Responsibility, accountability, and compliance. Use training to make employees aware of security policies, procedures, and responsibilities, amplified in accordance with the position's sensitivity, and repeat it at promotions; user accounts and passwords are not issued until training is completed. Management attitude is crucial: employee compliance is greater when management demonstrates a serious concern for security. Effective security is a continuing management responsibility, and regular reminders are essential.
How should organizations respond to security threats?
Senior management needs to address two critical security functions: security policy and risk management. Senior management must establish company-wide security policies that stipulate what sensitive data the organization will store, how it will process that data, whether data will be shared with other organizations, how employees and others can obtain copies of data stored about them, and how they can request changes to inaccurate data. Specifics depend on whether the organization is governmental or nongovernmental, publicly held or private, on its industry, on the relationship of management to employees, and on other factors; seek out your employer's security policy if it is not discussed in new-employee training. Managing risk means proactively balancing the trade-off between risk and cost, which varies from industry to industry and from organization to organization. Organizations make that trade-off by creating an inventory of the data and hardware they want to protect, evaluating safeguards against the probability and impact of each potential threat, and deciding how much risk they will accept and which safeguards they will implement.
position definition
separate duties and authorities, determine least privilege, document position sensitivity
Single sign-on for multiple systems
sign on to your local computer and provide authentication data once; from that point on your operating system authenticates you to another network or server, which can authenticate you to yet another, and so forth. Convenient, but a single stolen SSO credential unlocks everything behind it, so the SSO login itself needs multi-factor authentication
wardrivers
simply drive or walk through an area with a wireless-capable computer searching for unprotected wireless networks. On an unsecured (open or weakly encrypted) wireless network they can monitor and intercept traffic without any physical connection
perimeter firewall
sits outside the organizational network; it is the first device that internet traffic encounters
spyware and adware symptoms
slow system startup sluggish system performance many pop-up advertisements suspicious browser homepage changes suspicious changes to the taskbar and other system interfaces unusual hard-disk activity
cookies
small pieces of data (not programs) that a web site stores in your browser and that the browser sends back on later visits; they let you use a site without signing in every time and speed up processing of some sites. A session cookie is effectively a credential: anyone who steals it can act as you, which is why sites should set the Secure and HttpOnly flags on it and why clearing cookies logs you out
safeguard
some measure that individuals or organizations take to block the threat from obtaining the asset; not always effective
Personal Security Safeguards
Take security seriously. Create strong passwords and use a different one for each account. Send no valuable data via email or IM (neither is protected by encryption end to end). Use https at trusted, reputable vendors. Remove high-value assets from computers that don't need them. Clear browsing history, temporary files, and cookies (CCleaner or equivalent) regularly. Update antivirus software. Demonstrate security concern to your fellow workers, follow organizational security directives and guidelines, and consider security for all business initiatives. Signs of compromise include bogus charges on a credit card or messages from friends complaining about disgusting email sent from your account. Computer security professionals use intrusion detection systems to detect attacks; individuals should use reasonable safeguards and buy only from vendors using a secure https connection.
three types of safeguards
technical, data, human
sniffing
technique for intercepting computer communications; on wired networks it requires a physical connection (or a compromised device on the path), while on wireless networks no physical connection is required
terrorism (hacking)
terrorist groups sabotage the computer systems that operate our critical infrastructure, such as the electric grid
target
the asset that is desired by the threat
brute force attack
the password cracker tries every possible combination of characters; defeated by long passwords (which make the search space astronomically large), slow password hashing, and rate limiting or lockout on the login interface
Information security (InfoSec)
the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)
Encryption
the process of transforming clear text into coded, unintelligible text for secure storage or communication
Symmetric Encryption
the same key is used to encode and decode; simpler and faster
SQL injection attack
the situation that occurs when a user obtains unauthorized access to data by entering a SQL fragment into a form field that is supposed to hold a name or other data. If the program builds its query by concatenating the input into a SQL string, the DBMS executes the attacker's fragment as part of the command. The defense is to pass user input as bound parameters (prepared statements) rather than pasting it into the query text
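As an added example (not code from the chapter), the vulnerable string-built query beside the parameterized fix, run against an in-memory SQLite table of constructed rows. The table, its rows and the two injection strings are the example's own; the second injection shows that the attacker is not limited to the column the form asked about.

```python
# Added example: SQL injection, vulnerable and fixed, on an in-memory SQLite DB.
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER, ssn TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("alice", 1200, "123-45-6789"),      # constructed sample rows
        ("bob", 340, "987-65-4321"),
        ("carol", 9800, "555-55-5555"),
    ])
    return db

def lookup_vulnerable(db, owner):
    # The input is pasted into the SQL text, so quotes in it reshape the query.
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return db.execute(sql).fetchall()

def lookup_safe(db, owner):
    # The DBMS receives the query shape and the value separately; the value
    # can never be parsed as SQL, whatever characters it contains.
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

# The classic: close the quote, add a tautology -> every row comes back.
INJECTION = "' OR '1'='1"
# Worse: a UNION pulls a column the form never exposed (the SSNs); the
# trailing -- comments out the quote the template appends.
UNION_INJECTION = "' UNION SELECT owner, ssn FROM accounts --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))         # 3 rows
    print("exfil:     ", lookup_vulnerable(db, UNION_INJECTION))   # SSNs
    print("safe:      ", lookup_safe(db, INJECTION))               # []
```

The fix is not escaping quotes by hand but never letting the value reach the parser as SQL; the same placeholder mechanism exists in every mainstream database driver.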
security
the state of being free from danger or threat
information systems security
trade-off between security and freedom/cost and risk
Asymmetric Encryption
two keys are used: one key codes and a different key decodes
Types of Losses
unauthorized data disclosure, incorrect data modification, faulty service, denial of service (DoS), loss of infrastructure
Hacktivism
use computer network exploitation to advance their political or social causes
biometric authentication
uses personal physical characteristics such as fingerprints, facial features, and retinal scans to authenticate users; provides strong authentication, but required equipment is expensive; biometric identification resisted because people feel it is invasive
worm
a virus that self-propagates over the Internet or another network without waiting for a user to open anything; spreads faster than other virus types and can overload and crash a network
Trojan horses
viruses that masquerade as useful programs or files
hacker wants to steal your bank login credentials
Vulnerability: the hacker creates a phishing site nearly identical to your online banking site.
Path 1 safeguard: only access the bank through its known address over https (and check that the domain is the bank's). Result: no loss. Explanation: effective safeguard.
Path 2 safeguard: none. Result: loss of login credentials. Explanation: ineffective (absent) safeguard.
employee posts sensitive data to public google+ group
Vulnerability: public access to a not-secure group. Safeguards: passwords, procedures, employee training. Result: loss of sensitive data. Explanation: ineffective safeguard (the controls existed but did not prevent the disclosure).
Stuxnet
How it worked:
1. Infection: enters a system via a USB stick and proceeds to infect all machines running Microsoft Windows. By carrying a digital signature that appears to come from a reputable company (it used stolen code-signing certificates), the worm evades automated detection.
2. Search: checks whether a given machine is part of the targeted industrial control systems made by Siemens; such systems were deployed in Iran to run the high-speed centrifuges that enrich nuclear fuel.
3. Update: if the system isn't a target, Stuxnet does nothing. If it is, the worm attempts to reach the Internet and download a more recent version of itself.
4. Compromise: the worm then compromises the target system's programmable logic controllers, exploiting "zero-day" vulnerabilities, software weaknesses not yet known to the vendor or to security experts.
5. Control: at first it only spies on the operation of the targeted system. Then it uses the information it has gathered to take control of the centrifuges, making them spin themselves to failure.
6. Deceive and destroy: meanwhile, it replays normal-looking readings to the operators' consoles, ensuring that they won't know what is going wrong until it is too late to do anything about it.