Managing Information Security
Chapter 11
Information Systems Management in Practice, 8th Edition
© 2009 Pearson Education, Inc. Publishing as Prentice Hall

Chapter 11 (outline)
- Introduction
- Information Security
- The Threats
- Data Thefts: The Biggest Worry and Insider Threats
- Scope of Security Management
- An Array of Perils
- Security's Five Pillars
- Technical Countermeasures
- Playing Cat and Mouse: Tools for Computer Security
- Management Countermeasures

Chapter 11 (outline, cont'd)
- Planning for Business Continuity
- Using Internal Resources
- Using External Resources
- Security as a Core Competency
- Conclusion

Information Security
- Information security is more than just protecting hardware and software from being crashed. It is about protecting the information resources that keep the company operating.
- Goals are to ensure:
  - Data integrity, availability and confidentiality
  - Business continuity

The Threats – some evidence
Data Thefts: The Biggest Worry and Insider Threats
- Here are a few examples of possible criminal acts by an insider of a company:
  - A computer staff member illegally accesses employees' e-mails to steal information that could be used for malicious intent
  - An employee who is angry about the low bonus he receives brings down the entire company's computer system by deleting sensitive data records
  - A system administrator is not happy with his life and decides to change the code of legacy systems, creating bad data
  - A marketing salesperson steals sensitive data and sells it to a competitor
- Threats are getting more and more sophisticated: a cat-and-mouse game

Scope of Security Management
- Personnel security
- Application security
- Operating systems security
- Network security
- Middleware and Web services security
- Facility security
- Egress security should be enforced

Case Example
- Credit card fraud
- One Bug in a Software Package
- Two Foreign Cybercriminals
- Simple Steps to Protect Credit Card

Simple Steps to Protect Credit Cards
- Do not lend your card
- Do not write the PIN on the card
- Do not carry too many cards at the same time
- Write down the telephone numbers of your card-issuing banks and keep them safe but handy
- Immediately report a lost or stolen card
- Check your credit card activity frequently (online)
- Set up automated alerts/notifications

An Array of Perils
- Cracking the password
- Tricking someone
- Network sniffing
- Misusing administrative tools
- Playing middleman
- Denial of service
- Viruses or worms
- Spoofing
Some Common Attacks
- Virus: A computer program that appears to perform a legitimate task but is hidden malware
  - E.g., wipe out a hard drive; send out unauthorized e-mail, etc.
- Sniffing: Interception and reading of electronic messages as they travel over the Internet
  - E.g., copying passwords or credit card information

Some Common Attacks (cont'd)
- Spoofing: Masquerading as a Web site and redirecting traffic to a fraudulent site
- Denial of Service: Attacks from coordinated computers that flood a site with so many requests that the site crashes
  - E.g., thousands of e-mails with large file attachments; simultaneous queries to overwhelm the database system

Other tricks…
- Con artists: calling to offer a credit card account in order to obtain information such as e-mail address, SSN, etc.
- Phishing (or "fishing"): A fraudulent e-mail attempt to obtain sensitive information
  - E.g., an e-mail notifying a bank account owner that his/her account has had a security breach and requesting the owner to log in to a fraudulent Web site to "reset the password"

Security's Five Pillars
- Authentication: Verifying the authenticity of users
  - E.g., verifying the authenticity of a digital signature; biometric authentication (fingerprinting)
- Identification: Identifying users to grant them appropriate access
  - E.g., password protection, spyware
- Privacy: Protecting information from being seen
  - E.g., spyware installed without consent on a computer to collect information
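The phishing scenario on the "Other tricks" slide (a "security breach" notice that asks the account owner to log in somewhere and "reset the password") can be turned into a concrete mail-filter check. The following is an added example, not code from the textbook: it parses a constructed sample message and flags three indicators a defender typically looks for: anchor text that shows one host while the href points elsewhere, credential-related links ("log in", "reset", "password") whose host is not the bank's own domain, and urgency wording. The domain examplebank.example, the sample message and the keyword lists are all assumptions made for the example.

```python
"""Flag phishing indicators in an HTML e-mail body (added example, not from the slides).

Checks performed on a message:
  1. display_mismatch       - visible link text shows one host, href points to another
  2. credential_link_offsite - a "log in / reset / password" link leads off the trusted domain
  3. urgency_language       - pressure wording typical of the slide's "security breach" lure
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample imitating the slide's scenario; every domain/IP here is a placeholder.
SAMPLE_EMAIL = """
<p>Dear customer, your account has had a security breach.</p>
<p>Please <a href="http://login-examplebank.evil.example/reset">log in to reset your password</a>
immediately. Visit <a href="http://203.0.113.9/secure">https://www.examplebank.example</a></p>
<p>Statements: <a href="https://www.examplebank.example/statements">examplebank.example</a></p>
"""

TRUSTED_DOMAIN = "examplebank.example"   # assumed legitimate sender domain
URGENCY_WORDS = ("security breach", "immediately", "suspended", "within 24 hours")
CREDENTIAL_WORDS = ("log in", "login", "reset", "password", "verify")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, plus all non-tag text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_chunks = []
        self._href = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._buf = []

    def handle_data(self, data):
        self.text_chunks.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def _host(url_or_text):
    """Lower-case host of a URL or of bare 'host/path' text; '' if none."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _is_trusted(host, trusted):
    return host == trusted or host.endswith("." + trusted)


def _same_site(a, b):
    """'examplebank.example' shown for 'www.examplebank.example' is not a mismatch."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links, " ".join(parser.text_chunks).lower()


def analyze_email(html, trusted=TRUSTED_DOMAIN):
    """Return a list of (indicator, visible_text, target_host) findings."""
    links, text = extract_links(html)
    findings = []
    for href, visible in links:
        target = _host(href)
        # Only treat the visible text as a "shown host" when it looks like a URL or domain.
        shown = _host(visible) if ("." in visible and " " not in visible) else ""
        if shown and not _same_site(shown, target):
            findings.append(("display_mismatch", visible, target))
        if any(w in visible.lower() for w in CREDENTIAL_WORDS) and not _is_trusted(target, trusted):
            findings.append(("credential_link_offsite", visible, target))
    if any(w in text for w in URGENCY_WORDS):
        findings.append(("urgency_language", "", ""))
    return findings


def is_likely_phishing(html, trusted=TRUSTED_DOMAIN, threshold=2):
    """Simple verdict: two or more independent indicators."""
    return len(analyze_email(html, trusted)) >= threshold


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print(finding)
    print("likely phishing:", is_likely_phishing(SAMPLE_EMAIL))
```

The `_same_site` check matters in practice: without it, a legitimate "examplebank.example" link whose href uses the "www." host would be reported as a mismatch, and a filter that cries wolf on the bank's own statements is quickly switched off.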
Security's Five Pillars (cont'd)
- Integrity: Keeping information in its original form
  - E.g., bots that alter document contents; instant messages intercepted and altered
- Non-repudiation: Preventing parties from denying actions they have taken
  - E.g., proof-of-origin to prove that a particular message (placing a stock order) is associated with a particular individual

Technical Countermeasures
- Firewalls: hardware/software to control access between networks and block unwanted access
  - E.g., the Windows Vista two-way firewall controlling both incoming and outgoing traffic
- Encryption/decryption: Using an algorithm (cipher) to make plain text unreadable to anyone who does not have the key
  - Data Encryption Standard (IBM)
  - RSA method

Technical Countermeasures (cont'd)
- Virtual Private Networks (VPNs)
  - Allow strong protection for data communications
  - Cheaper than private networks, but do not provide 100% end-to-end security
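The firewall bullet contrasts a one-way firewall with a two-way one that also controls outgoing traffic, and the "Scope of Security Management" slide separately insists that egress security be enforced. The following added example (not code from the textbook or from any real firewall product) models both policies as first-match, default-deny rule lists and evaluates them against a few constructed connection attempts, so the difference shows up as a concrete decision: the same outbound connection from a workstation to an unexpected Internet host is allowed by the inbound-only policy and denied by the two-way one. All addresses, ports and rules are assumptions invented for the example.

```python
"""Ingress + egress packet-filter policy on constructed traffic (added example, not from the slides)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (toward the internal network) or "out" (leaving it)
    action: str           # "allow" or "deny"
    src: str              # CIDR of permitted sources
    dst: str              # CIDR of permitted destinations
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None means any port


@dataclass(frozen=True)
class Conn:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, conn: Conn) -> bool:
    return (rule.direction == conn.direction
            and rule.proto in ("any", conn.proto)
            and (rule.dport is None or rule.dport == conn.dport)
            and ip_address(conn.src) in ip_network(rule.src)
            and ip_address(conn.dst) in ip_network(rule.dst))


def decide(rules: List[Rule], conn: Conn) -> str:
    """First matching rule wins; if nothing matches the connection is denied (default-deny)."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action
    return "deny"


def evaluate(rules: List[Rule], conns: List[Conn]) -> List[str]:
    return [decide(rules, c) for c in conns]


# Assumed network layout for the example
ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"
WEB_SERVER = "10.0.1.10/32"
PROXY = "10.0.1.20/32"
DNS = "10.0.1.53/32"

# One-way policy: filters what comes in, but nothing restricts what goes out.
INBOUND_ONLY = [
    Rule("in", "allow", ANY, WEB_SERVER, "tcp", 443),
    Rule("out", "allow", INTERNAL, ANY, "any", None),
]

# Two-way policy: internal hosts may only reach the proxy and the resolver;
# only the proxy may talk to the Internet, and only on the web ports.
TWO_WAY = [
    Rule("in", "allow", ANY, WEB_SERVER, "tcp", 443),
    Rule("out", "allow", INTERNAL, PROXY, "tcp", 3128),
    Rule("out", "allow", INTERNAL, DNS, "udp", 53),
    Rule("out", "allow", PROXY, ANY, "tcp", 443),
    Rule("out", "allow", PROXY, ANY, "tcp", 80),
]

# Constructed connection attempts (addresses are documentation ranges, not real hosts)
SAMPLE_TRAFFIC = [
    Conn("in", "198.51.100.7", "10.0.1.10", "tcp", 443),   # customer browsing the web server
    Conn("in", "198.51.100.7", "10.0.1.10", "tcp", 22),    # SSH to the web server from the Internet
    Conn("out", "10.0.5.44", "10.0.1.20", "tcp", 3128),    # workstation using the proxy
    Conn("out", "10.0.5.44", "203.0.113.9", "tcp", 6667),  # workstation straight to an unknown Internet host
]

if __name__ == "__main__":
    for conn, one_way, two_way in zip(SAMPLE_TRAFFIC, evaluate(INBOUND_ONLY, SAMPLE_TRAFFIC),
                                      evaluate(TWO_WAY, SAMPLE_TRAFFIC)):
        print(f"{conn.direction:3} {conn.src:>13} -> {conn.dst:<13} {conn.proto}/{conn.dport:<5} "
              f"inbound-only={one_way:5} two-way={two_way}")
```

The last sample connection is the one the "egress security should be enforced" bullet is about: a compromised internal machine opening its own connection outward looks exactly like this, and only a policy with explicit outbound rules and a default-deny tail will stop it.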
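The "RSA method" on the encryption bullet is also what delivers the integrity and non-repudiation pillars from the previous slide (the stock-order proof-of-origin example). The following added example, which is not code from the textbook, implements textbook RSA with tiny constructed primes and uses it both ways: encrypting a value so that only the private-key holder can read it, and signing a hash of a stock order so that the broker can detect an altered order (integrity) and reject an order signed with anyone else's key (non-repudiation). The prime values, the order text and the `broker_accepts` helper are assumptions made for the example; the hash-reduction in `_digest_int` stands in for proper signature padding and is not how a real library does it.

```python
"""Toy RSA illustrating the RSA method and the integrity / non-repudiation pillars.

Added example, not from the textbook. The primes below are small constructed values so
the arithmetic is easy to follow; real deployments use 2048-bit moduli, OAEP/PSS padding
and a vetted library, never hand-rolled arithmetic like this.
"""
import hashlib
from math import gcd


def keygen(p, q, e=65537):
    """Return ((e, n), (d, n)) for distinct primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(pub, m):
    """Confidentiality: only the holder of d can turn the result back into m (m must be < n)."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message integer out of range for this modulus")
    return pow(m, e, n)


def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)


def _digest_int(message, n):
    """Hash the message and reduce it below n (toy stand-in for real signature padding)."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h % n


def sign(priv, message):
    """Proof-of-origin: only the private-key holder can produce this value for this message."""
    d, n = priv
    return pow(_digest_int(message, n), d, n)


def verify(pub, message, sig):
    """True only if the message is unaltered and was signed with the matching private key."""
    e, n = pub
    return pow(sig, e, n) == _digest_int(message, n)


def broker_accepts(customer_pub, order, sig):
    """Broker-side check on a signed stock order (assumed helper); returns a verdict string."""
    if verify(customer_pub, order, sig):
        return "accepted"
    return "rejected: signature does not match order"


if __name__ == "__main__":
    # Constructed keys: one for the customer, one for an impostor
    cust_pub, cust_priv = keygen(1000003, 1000033)
    imp_pub, imp_priv = keygen(1000037, 1000039)

    order = b"BUY 100 ACME @ 42.10"
    sig = sign(cust_priv, order)
    print(broker_accepts(cust_pub, order, sig))                        # accepted
    print(broker_accepts(cust_pub, b"BUY 1000 ACME @ 42.10", sig))     # rejected (order altered)
    print(broker_accepts(cust_pub, order, sign(imp_priv, order)))      # rejected (wrong signer)

    # Encryption direction: a session key that only the customer's private key can recover
    session_key = 123456789
    print(decrypt(cust_priv, encrypt(cust_pub, session_key)) == session_key)  # True
```

Two things the slides state become visible here: a single changed digit in the order changes the hash, so the signature no longer verifies (integrity), and because the private exponent never leaves the customer, a valid signature is evidence the customer placed the order (non-repudiation). Sniffing the order on the wire gains nothing an attacker can reuse, since the signature is bound to that exact message.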