Chapter 10
Information Security Management
“But How Do You Implement that Security?”
• Video conference with SDS (potential PRIDE promoter and advertiser).
• PRIDE originally designed to store medical data.
• Does the PRIDE system have an acceptable level of security?
• Doesn’t want to affiliate with a company with a major security problem.
• Criminals focusing on inter-organizational systems.
Copyright © 2017 Pearson Education, Inc.
10-2
PRIDE Design for Security
Study Questions
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2026?
Q1: What Is the Goal of Information Systems Security?
Examples of Threat/Loss
What Are the Sources of Threats?
What Types of Security Loss Exist?
• Unauthorized Data Disclosure
– Pretexting
– Phishing
– Spoofing
  • IP spoofing
  • Email spoofing
– Drive-by sniffers
  • Wardrivers
– Hacking & Natural disasters
Incorrect Data Modification
• Procedures incorrectly designed or not followed.
• Increasing a customer’s discount or incorrectly modifying an employee’s salary.
• Placing incorrect data on company Web site.
• Cause
– Improper internal controls on systems.
– System errors.
– Faulty recovery actions after a disaster.
Faulty Service
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)
Loss of Infrastructure
• Human accidents
• Theft and terrorist events
• Disgruntled or terminated employee
• Natural disasters
• Advanced Persistent Threat (APT1)
– Theft of intellectual property from U.S. firms.
Goal of Information Systems Security
• Find the appropriate trade-off between risk of loss and cost of implementing safeguards.
• Protective actions
– Use antivirus software.
– Delete browser cookies?
– Make appropriate trade-offs to protect yourself and your business.
Q2: How Big Is the Computer Security Problem?
Computer Crime Costs per Organizational Respondent
Average Computer Crime Cost and Percent of Attacks by Type (5 Most Expensive Types)
Ponemon Study Findings (2014)
• Malicious insiders are an increasingly serious security threat.
• Business disruption and data loss are the primary costs of computer crime.
• Negligent employees, connecting personal devices to the corporate network, and use of commercial cloud-based applications pose significant security threats.
• Security safeguards work.
• Ponemon Study 2014
Q3: How Should You Respond to Security Threats?
Personal Security Safeguards
So What? New from Black Hat 2014
• Briefings on how to hack things.
• Show how to exploit weaknesses in hardware, software, protocols, or systems from smartphones to ATMs.
• Encourage companies to fix product vulnerabilities.
• Serve as an educational forum for hackers, developers, manufacturers, and government agencies.
Dan Geer Recommendations
1. Mandatory reporting of security vulnerabilities.
2. Make software vendors liable for damage their code causes, unless the software has been abandoned or users are allowed to see/have the source code.
3. ISPs liable for harmful content they inspect.
4. “Right to be forgotten” - appropriate and advantageous.
5. End-to-End Encrypted Email
Hacking Smart Things
• Automobiles’ wireless features and internal systems architecture allow hackers to access automated driving functions.
• Control hotel lights, thermostats, televisions, and blinds in 200+ rooms by reverse-engineering the home automation protocol called KNX/IP.
• 70% of smart devices use unencrypted network services; 60% are vulnerable to persistent XSS (cross-site scripting) and weak credentials.
Q4: How Should Organizations Respond to Security Threats?
• Senior management creates company-wide policies:
– What sensitive data will be stored?
– How will data be processed?
– Will data be shared with other organizations?
– How can employees and others obtain copies of data stored about them?
– How can employees and others request changes to inaccurate data?
• Senior management manages risks.
Security Safeguards and the Five Components
Ethics Guide: Securing Privacy
“The best way to solve a problem is not to have it.”
– Resist providing sensitive data.
– Don’t collect data you don’t need.
• Gramm-Leach-Bliley (GLB) Act, 1999
• Privacy Act of 1974
• Health Insurance Portability and Accountability Act (HIPAA), 1996
• Australian Privacy Act of 1988
– Covers government and healthcare data, and records maintained by businesses with revenues in excess of AU$3 million.
Ethics Guide: Securing Privacy: Wrap Up
• Business professionals must consider legality, ethics, and wisdom when requesting, storing, or disseminating data.
• Think carefully about email you open over public wireless networks.
• Use long, strong passwords.
• If unsure, don’t give the data.
Q5: How Can Technical Safeguards Protect Against Security Threats?
Essence of HTTPS (SSL or TLS)