Using MIS, 10th Edition
Chapter 10
Information Systems Security
Copyright © 2018, 2017, 2016 Pearson Education, Inc. All Rights Reserved
10-1
“I think you’ll see that we really do take security seriously.”
• Video conference with exercise equipment manufacturer CanyonBack Fitness (potential ARES partner).
• Security concerns about integrating ARES with CanyonBack exercise bikes.
• Does the ARES system have an acceptable level of security?
• Can their bikes get hacked? Customers hurt? Personal data stolen?
“I think you’ll see that we really do take security seriously.” (cont’d)
• ARES implements secure coding practices and secure data backup.
• Users interact with radio buttons, dropdown menus, and other interactive AR elements.
• Reduces the possibility of an SQL injection attack.
• New technology typically brings new risks.
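The SQL injection bullet above deserves a worked illustration. This is an added example, not code from the textbook or from ARES: a dropdown in the AR interface limits what a well-behaved client sends, but a modified client can send any string, so the server must still validate the value against its own copy of the option list and bind it as a query parameter. The table, column names and rows are constructed.

```python
import sqlite3

# Server-side copy of the dropdown options (constructed for this example).
ALLOWED_WORKOUT_TYPES = ("cycling", "rowing", "treadmill")


def make_db():
    """Build a small in-memory table of workout sessions (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (user TEXT, workout TEXT, minutes INTEGER)")
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?, ?)",
        [("alice", "cycling", 30), ("bob", "rowing", 20), ("carol", "cycling", 45)],
    )
    return conn


def sessions_unsafe(conn, workout):
    """Vulnerable form: the dropdown value is spliced straight into the SQL text.

    The UI only narrows what a cooperating client submits; a tampered request
    can carry any text, and that text becomes part of the query's syntax.
    """
    sql = f"SELECT user, minutes FROM sessions WHERE workout = '{workout}' ORDER BY user"
    return conn.execute(sql).fetchall()


def sessions_safe(conn, workout):
    """Hardened form: allow-list the value, then bind it as a parameter.

    Step 1 rejects anything that is not one of the server's own dropdown
    options. Step 2 passes the value to the driver separately from the SQL
    text, so even an accepted value can never be interpreted as SQL syntax.
    """
    if workout not in ALLOWED_WORKOUT_TYPES:
        raise ValueError(f"unknown workout type: {workout!r}")
    sql = "SELECT user, minutes FROM sessions WHERE workout = ? ORDER BY user"
    return conn.execute(sql, (workout,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(sessions_safe(db, "cycling"))  # only alice's and carol's cycling sessions
```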
Study Questions
Q10-1 What is the goal of information systems security?
Q10-2 How big is the computer security problem?
Q10-3 How should you respond to security threats?
Q10-4 How should organizations respond to security threats?
Q10-5 How can technical safeguards protect against security threats?
Q10-6 How can data safeguards protect against security threats?
Q10-7 How can human safeguards protect against security threats?
Q10-8 How should organizations respond to security incidents?
Q10-9 2027?
Information Systems Security Threats
Q10-1 What is the goal of information systems security?
Figure 10-1 Threat/Loss Scenario
Examples of Threat/Loss
Q10-1 What is the goal of information systems security?
Threat/Target | Vulnerability | Safeguard | Result | Explanation
Hacker wants to steal your bank login credentials | Hacker creates a phishing site nearly identical to your online banking site | Only access sites using https | No loss | Effective safeguard
Hacker wants to steal your bank login credentials | Hacker creates a phishing site nearly identical to your online banking site | None | Loss of login credentials | Ineffective safeguard
Employee posts sensitive data to public Google+ group | Public access to not-secure group | Passwords, Procedures, Employee training | Loss of sensitive data | Ineffective safeguard
Figure 10-2 Examples of Threat/Loss
What Are the Sources of Threats?
Q10-1 What is the goal of information systems security?
Loss | Threat: Human Error | Threat: Computer Crime | Threat: Natural Disasters
Unauthorized data disclosure | Procedural mistakes | Pretexting, Phishing, Spoofing, Sniffing, Hacking | Disclosure during recovery
Incorrect data modification | Procedural mistakes, Incorrect procedures, Ineffective accounting controls, System errors | Hacking | Incorrect data recovery
Faulty service | Procedural mistakes, Development and installation errors | Usurpation | Service improperly restored
Denial of service (DoS) | Accidents | DoS attacks | Service interruption
Loss of infrastructure | Accidents | Theft, Terrorist activity | Property loss
Figure 10-3 Security Problems and Sources
What Types of Security Loss Exist?
Q10-1 What is the goal of information systems security?
Unauthorized Data Disclosure
Pretexting
Phishing
Spoofing
IP spoofing
Email spoofing
Drive-by sniffers
Wardrivers
Hacking
Natural disasters
Incorrect Data Modification
Q10-1 What is the goal of information systems security?
Procedures incorrectly designed or not followed.
Increasing customer’s discount or incorrectly modifying employee’s salary.
Placing incorrect data on company Web site.
Cause
Improper internal controls on systems.
System errors.
Faulty recovery actions after a disaster.
Faulty Service
Q10-1 What is the goal of information systems security?
Incorrect data modification
Systems working incorrectly
Procedural mistakes
Programming errors
IT installation errors
Usurpation
Denial of service (unintentional)
Denial-of-service attacks (intentional)
Loss of Infrastructure
Q10-1 What is the goal of information systems security?
Human accidents
Theft and terrorist events
Disgruntled or terminated employee
Natural disasters
Advanced Persistent Threat
APT29 (Russia) and Deep Panda (China)
Theft of intellectual property from U.S. firms.
Goal of Information Systems Security
Q10-1 What is the goal of information systems security?
Find appropriate trade-off between risk of loss and cost of implementing safeguards.
Protective actions
Use antivirus software.
Delete browser cookies?
Make appropriate trade-offs to protect yourself and your business.
Average Computer Crime Cost and Percent of Attacks by Type
Q10-2 How big is the computer security problem?
Attack Type | 2010 | 2011 | 2012 | 2013 | 2014 | 2015
Denial of Service | NA | $187,506 (17%) | $172,238 (20%) | $243,913 (21%) | $166,545 (18%) | $255,470 (16%)
Malicious Insiders | $100,300 (11%) | $105,352 (9%) | $166,251 (8%) | $198,769 (8%) | $213,542 (8%) | $179,805 (10%)
Web-based Attacks | $143,209 (15%) | $141,647 (12%) | $125,795 (13%) | $125,101 (12%) | $116,424 (14%) | $125,630 (12%)
Malicious Code | $124,083 (26%) | $126,787 (23%) | $109,533 (26%) | $102,216 (21%) | $91,500 (23%) | $164,500 (24%)
Phishing & Social Engineering | $35,514 (12%) | $30,397 (9%) | $18,040 (7%) | $21,094 (11%) | $45,959 (13%) | $23,470 (14%)
Stolen Devices | $25,663 (17%) | $24,968 (13%) | $23,541 (12%) | $20,070 (9%) | $43,565 (10%) | $16,588 (7%)
Figure 10-4 Average Computer Crime Cost and Percent of Attacks by Type (Six Most Expensive Types)
Source: Data from Ponemon Institute. 2015 Cost of Cyber Crime Study: United States, October 2015, p. 12.
Severity of Computer Crime
Q10-2 How big is the computer security problem?
Figure 10-5 Computer Crime Costs
Ponemon Study Findings (2015)
Q10-2 How big is the computer security problem?
Most of the increase in computer crime over the past year is from malicious code and denial-of-service attacks.
Information loss was the single most expensive consequence of computer crime.
Detection and recovery account for more than half of the internal costs related to cyber intrusions.
Security safeguards work.
Personal Security Safeguards
Q10-3 How should you respond to security threats?
Figure 10-6 Personal Security Safeguards
New from Black Hat 2015
So What?
Briefings on how to hack things.
Show how to exploit weaknesses in hardware, software, protocols, or systems including smartphones, IoT devices, cars, etc.
Encourage companies to fix product vulnerabilities.
Serves as educational forum for hackers, developers, manufacturers, and government agencies.
New from Black Hat 2015 (cont’d)
So What?
Keynote presentation by Jennifer Granick (Stanford)
Internet is becoming less free and open due to increased centralization.
A few big companies are controlling the majority of Internet behavior.
These few companies can be used to censor, surveil, and control user behavior.
Not wise to allow a few centralized companies total control over our lives.
Security Policies
Q10-4 How should organizations respond to security threats?
Senior management creates company-wide policies:
What sensitive data will be stored?
How will data be processed?
Will data be shared with other organizations?
How can employees and others obtain copies of data stored about them?
How can employees and others request changes to inaccurate data?
Senior management manages risks.
Security Safeguards and the Five Components
Q10-4 How should organizations respond to security threats?
Figure 10-7 Security Safeguards as They Relate to the Five Components
Securing Privacy
Ethics Guide
“The best way to solve a problem is not to have it.”
Resist providing sensitive data.
Don’t collect data you don’t need.
Gramm-Leach-Bliley (GLB) Act, 1999
Privacy Act of 1974
Health Insurance Portability and Accountability Act (HIPAA), 1996
Australian Privacy Act of 1988
Government, healthcare data, records maintained by businesses with revenues in excess of AU$3 million.
Securing Privacy: Wrap Up
Ethics Guide
Business professionals must consider legality, ethics, and wisdom when requesting, storing, or disseminating data.
Think carefully about email you open over public, wireless networks.
Use long, strong passwords.
If unsure, don’t give the data.
Technical Safeguards
Q10-5 How can technical safeguards protect against security threats?
Figure 10-8 Technical Safeguards
Essence of https (SSL or TLS)
Q10-5 How can technical safeguards protect against security threats?
Figure 10-9 The Essence of https (SSL or TLS)
Use of Multiple Firewalls
Q10-5 How can technical safeguards protect against security threats?
Packet-filtering Firewall
Figure 10-10 Use of Multiple Firewalls