Information Security
Lecture 20
Today's Lecture
- Information Security
  - The Threats
  - Security's Five Pillars
  - Management Countermeasures
  - Technical Countermeasures
- CREDIT CARD FRAUD: Case Example: Threats
- AN INTERNET SERVICES COMPANY: Case Example: Security
Today's Lecture (cont.)
- PLYMOUTH ROCK ASSURANCE CORPORATION: Case Example: Use of a VPN (Security)
- Planning for Business Continuity: Using Internal Resources
- Planning for Business Continuity: Using External Resources
- HOUSEHOLD INTERNATIONAL: Case Example: Planning for Business Continuity
Information Security
- Used to be an arcane technical topic
- Today even CEOs need to 'know about it' because of the importance of electronic information in running their businesses
- They need to understand Internet-based threats and countermeasures, and to continuously fund security work to protect their businesses
Information Security: The Threats
- Since 1996 the Computer Security Institute has conducted an annual survey of US security managers
  - Spring 2004 survey report, two key findings:
    1. The unauthorized use of computers is declining
    2. The most expensive cybercrime was denial of service
- Note: there are heaps of similar surveys, e.g. KPMG
Information Security: The Threats
- Threats are numerous
- Websites are particularly vulnerable
- Political activism is one motivation for Website defacement
- Theft of proprietary information is a major concern
- Financial fraud is still a significant threat
  - Especially credit card information
  - No data of any value should be stored on web servers
CREDIT CARD FRAUD
Case Example: Threats
- In one case, MSNBC reported that a bug in one shopping cart software product used by 4,000 e-commerce sites exposed customer records at those sites
  - One small e-commerce site did not receive the warning
  - Within days, cyber criminals charged thousands of dollars on the credit cards of users of this small site
CREDIT CARD FRAUD
Case Example: Threats (cont.)
- In another case, two foreigners stole 56,000 credit card numbers, bank account information, and other personal financial information from U.S. banks
  - They then tried to extort money from the cardholders and the banks, threatening to publicize the sensitive information they had unearthed
Information Security: The Threats cont.
- Losses are increasing dramatically because companies have rushed into e-commerce, often with applications that do not have security built into the architecture or procedures
  - People think security can be added later, but it really can't be bolted on as an afterthought
  - The best security is designed into applications, via checks during processing and at data transfer points
Information Security: The Threats cont.
- It is easier to guard a bank vault than to guard every house in town
  - That's why many companies are outsourcing their data center operations to data center specialists with vault-like security
- Mobile computing and telecommunications increase the possibility for crime
  - The greater number of network openings provides opportunities for illegal entry
- The rise of e-commerce and e-business has put more communications online on the Internet, which is open to everyone, including crackers (evil hackers)
- As the Internet doesn't (currently?) have intrinsic security protocols, this public space is vulnerable
Information Security: The Threats cont.
- The 'hacker community' (public club?)
  - 'True' hackers vs. parasites
- Approaches hackers use:
  1. Cracking the password
  2. Tricking someone (social engineering = 'cute' term!)
  3. Network sniffing
  4. Misusing administrative tools
  5. Playing middleman
  6. Denial of service
  7. Trojan horse
  8. Viruses
Information Security: Security's Five Pillars
1. Identification: identifying users to grant them appropriate access
2. Authentication: verifying the authenticity of users
3. Privacy: protecting information from being seen
4. Integrity: keeping information in its original form
5. Nonrepudiation: preventing parties from denying actions they have taken
Information Security: Management Countermeasures
- The major problem these days:
  - Enterprises cannot have both access to information and airtight security at the same time
- Companies must make tradeoffs between:
  - Absolute information security, and
  - The efficient flow of information
Information Security: Management Countermeasures
- Because airtight security is not possible:
  - Companies need to prioritize their risks and work on safeguarding against the greatest threats
- An example to consider is the case example of one company from a Gartner Executive Programs report
Information Security: Management Countermeasures cont.
- Five major findings from the Computer Crime Survey:
  1. Most organizations evaluate the return on their security expenditures
  2. Over 80% conduct security audits
     - Including by 'outsiders', e.g. KPMG
  3. The percentage reporting cybercrimes to law enforcement declined
     - Some of the worries are:
       - Damage to stock price / company reputation
       - Competitors using the information for their advantage
  4. Most do not outsource cybersecurity
  5. Most respondents view security awareness training as important
©2006 Barbara C. McNurlin. Published by
AN INTERNET SERVICES COMPANY
Case Example: Security
- This firm's starting point in protecting its systems is to deny all access to and from the Internet
- From there, it opens portals only where required, and each opening has a firewall and only permits specific functions
- The security team constantly "checks the locks" by:
  - Keeping track of the latest bugs found
  - Staying up to date on the latest security attacks
  - Subscribing to hacker e-mail lists and bulletin boards
  - Personally exploring some risks
  - Logging and monitoring all incoming and outgoing traffic, and
  - Testing the system monthly from a remote site
- Most importantly, it educates employees and clients, as the greatest security precaution
Information Security: Technical Countermeasures
- The trend in computer security is toward defining security policies and then centrally managing and enforcing those policies via security products and services, or policy-based management
- E.g. a user authenticates to a network once, and then a "rights-based system" gives that user access only to the systems to which the user has been given rights
  - Establishes basic control of segregation of duties
  - The 'computer' (system) is the control
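As an added illustration of the rights-based, policy-enforced access control described above (example code written for this page, not from the lecture or any named product; every user, password and right in it is constructed), the sketch below has a user authenticate once, checks each later request against an explicit rights table with anything unlisted denied, and refuses to grant a right that would let one person hold a conflicting pair, which is the segregation-of-duties control the slide mentions.

```python
# Added example, not from the lecture: a minimal rights-based access system.
# A user authenticates once and receives a session token; every later request
# is checked against an explicit rights table (anything not listed is denied),
# and a segregation-of-duties rule stops one person holding conflicting rights.
import hmac
import secrets

# Constructed credential store: user -> password (a real system stores hashes).
CREDS = {"alice": "pw-alice", "bob": "pw-bob"}

# Constructed rights table: user -> set of (system, action) pairs granted.
RIGHTS = {
    "alice": {("payroll", "read"), ("payroll", "submit")},
    "bob": {("payroll", "read"), ("payroll", "approve")},
}

# Pairs of rights that one person must never hold at the same time.
CONFLICTING = [(("payroll", "submit"), ("payroll", "approve"))]
SESSIONS = {}  # session token -> user name, filled by authenticate()


def authenticate(user, password, creds=CREDS):
    """Single network login: return a session token, or None on failure."""
    stored = creds.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token


def authorize(token, system, action):
    """Default deny: allow only a valid session that holds the exact right."""
    user = SESSIONS.get(token)
    if user is None:
        return False
    return (system, action) in RIGHTS.get(user, set())


def grant(user, right, rights=RIGHTS):
    """Add a right unless it would give the user a conflicting pair (SoD check)."""
    held = rights.setdefault(user, set())
    for a, b in CONFLICTING:
        if (right == a and b in held) or (right == b and a in held):
            return False
    held.add(right)
    return True


def sod_violations(rights=RIGHTS):
    """Audit helper: users who currently hold both halves of a conflicting pair."""
    return sorted({u for u, r in rights.items() for a, b in CONFLICTING if a in r and b in r})
```

Running sod_violations() periodically over the live rights table is the detection side of the control: grant() prevents new conflicts, the audit catches any that were loaded from elsewhere.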