Managing Information Security
Chapter 11
Information Systems Management in Practice, 8th Edition
© 2009 Pearson Education, Inc. Publishing as Prentice Hall

Chapter 11
- Introduction
- Information Security
- The Threats
- Data Thefts: The Biggest Worry and Insider Threats
- Scope of Security Management
- An Array of Perils
- Security's Five Pillars
- Technical Countermeasures
- Playing Cat and Mouse: Tools for Computer Security
- Management Countermeasures

Chapter 11, cont'd
- Planning for Business Continuity
- Using Internal Resources
- Using External Resources
- Security as a Core Competency
- Conclusion

Information Security
- Information security is more than just protecting hardware and software from being crashed; it is about protecting the information resources that keep the company operating.
- Goals are to ensure:
  - Data integrity, availability and confidentiality
  - Business continuity

The Threats: Some Evidence

Data Thefts: The Biggest Worry and Insider Threats
- Here are a few examples of possible criminal acts by an insider of a company:
  - A member of the computer staff illegally accesses employees' e-mails to steal information that could be used for malicious intent.
  - An employee who is angry about the low bonus he receives brings down the entire company's computer system by deleting sensitive data records.
  - A system administrator who is not happy with his life decides to change the code of legacy systems, creating bad data.
  - A marketing salesperson steals sensitive data and sells them to a competitor.
- Threats are getting more and more sophisticated: a cat-and-mouse game.

Scope of Security Management
- Personnel security
- Application security
- Operating systems security
- Network security
- Middleware and Web services security
- Facility security
- Egress security should be enforced

Case Example: Credit Card Fraud
- One bug in a software package
- Two foreign cybercriminals
- Simple steps to protect credit cards

Simple Steps to Protect Credit Cards
- Do not lend your card
- Do not write the PIN on the card
- Do not carry too many cards at the same time
- Write down the telephone numbers of the card-issuing banks and keep them safe but handy
- Immediately report a lost or stolen card
- Check your credit card activity frequently (online)
- Set up automated alerts/notifications

An Array of Perils
- Cracking the password
- Tricking someone
- Network sniffing
- Misusing administrative tools
- Playing middleman
- Denial of service
- Viruses or worms
- Spoofing

Some Common Attacks
- Virus: a computer program that appears to perform a legitimate task but is hidden malware. E.g., wipe out a hard drive; send out unauthorized e-mail.
- Sniffing: interception and reading of electronic messages as they travel over the Internet. E.g., copying passwords or credit card information.

Some Common Attacks, cont'd
- Spoofing: masquerading as a Web site and redirecting traffic to a fraudulent site.
- Denial of service: an attack from coordinated computers that floods a site with so many requests that the site crashes. E.g., thousands of e-mails with large file attachments; simultaneous queries that overwhelm the database system.

Other Tricks
- Con artists: calling to offer a credit card account in order to obtain information such as e-mail address, SSN, etc.
- Phishing (or "fishing"): a fraudulent e-mail attempt to obtain sensitive information. E.g., an e-mail notifying a bank account owner that his or her account has had a security breach and requesting the owner to log in to a fraudulent Web site to "reset the password".

Security's Five Pillars
- Authentication: verifying the authenticity of users. E.g., verifying the authenticity of a digital signature; biometric authentication (fingerprinting).
- Identification: identifying users to grant them appropriate access. E.g., password protection, spyware.
- Privacy: protecting information from being seen. E.g., spyware installed without consent on a computer to collect information.

Security's Five Pillars, cont'd
- Integrity: keeping information in its original form. E.g., bots that alter document contents; instant messages intercepted and altered.
- Non-repudiation: preventing parties from denying actions they have taken. E.g., proof of origin to prove that a particular message (placing a stock order) is associated with a particular individual.

Technical Countermeasures
- Firewalls: hardware/software to control access between networks and block unwanted access. E.g., the Windows Vista two-way firewall controlling both incoming and outgoing traffic.
- Encryption/decryption: using an algorithm (cipher) to make plain text unreadable to anyone who does not have the key.
  - Data Encryption Standard (IBM)
  - RSA method

Technical Countermeasures, cont'd
- Virtual Private Networks (VPNs)
  - Allow strong protection for data communications
  - Cheaper than private networks, but do not provide 100% end-to-end security
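The pillars slides name integrity and non-repudiation side by side, and the countermeasures slide lists RSA, but the deck does not show why an integrity check alone cannot give proof of origin. The added example below (not from the textbook or its slides) checks a constructed stock order two ways: a shared-key HMAC detects alteration, yet the broker holding the same key can mint a valid tag for any order, so the client can still deny it; a textbook RSA signature, computed with a private exponent only the client holds, gives both. The RSA parameters are built from small Mersenne primes purely for illustration and are far too small for real use.

```python
import hashlib
import hmac

# Toy RSA key (constructed for illustration only; real keys are thousands of bits).
P, Q = 131071, 524287            # 2**17 - 1 and 2**19 - 1, both prime
N, E = P * Q, 65537              # public modulus and public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the client

def digest(msg: bytes) -> int:
    """SHA-256 of the message, reduced mod N so the toy modulus can hold it."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes, d: int = D) -> int:
    """Client signs the order; nobody without d can produce this value."""
    return pow(digest(msg), d, N)

def verify(msg: bytes, sig: int, e: int = E) -> bool:
    """Broker, regulator or court can check origin and integrity with the public key."""
    return pow(sig, e, N) == digest(msg)

SHARED_KEY = b"constructed-demo-key"  # key shared by client and broker

def mac(msg: bytes, key: bytes = SHARED_KEY) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_ok(msg: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(mac(msg, key), tag)

ORDER = b"BUY 100 ACME @ 42.00 client=alice"      # constructed sample order
TAMPERED = b"BUY 900 ACME @ 42.00 client=alice"   # quantity altered in transit

def demo() -> dict:
    tag, sig = mac(ORDER), sign(ORDER)
    return {
        # Integrity: both mechanisms notice the altered quantity.
        "mac_detects_tamper": not mac_ok(TAMPERED, tag),
        "sig_detects_tamper": not verify(TAMPERED, sig),
        # Non-repudiation: the broker shares the MAC key, so it can forge a
        # valid tag for an order the client never sent; the signature cannot
        # be forged without D, so only the client could have produced it.
        "broker_can_forge_mac": mac_ok(TAMPERED, mac(TAMPERED)),
        "sig_accepted": verify(ORDER, sig),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```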
DePaul MGT 555 - Lecture Notes