
Lecture Business management information system - Lecture 20: Information security


Information Security
Lecture 20


Today's Lecture
- Information Security
  - The Threats
  - Security’s Five Pillars
  - Management Countermeasures
  - Technical Countermeasures
- CREDIT CARD FRAUD: Case Example: Threats
- AN INTERNET SERVICES COMPANY: Case Example: Security


Today's Lecture (cont.)
- PLYMOUTH ROCK ASSURANCE CORPORATION: Case Example: Use of a VPN (Security)
- Planning for Business Continuity Using Internal Resources
- Planning for Business Continuity Using External Resources
- HOUSEHOLD INTERNATIONAL: Case Example: Planning for Business Continuity


Information Security
- Used to be an arcane technical topic
- Today even CEOs need to ‘know about it’ due to the importance of electronic information in running their businesses
- Need to understand Internet-based threats and countermeasures and continuously fund security work to protect their businesses


Information Security
The Threats
- Since 1996 the Computer Security Institute has conducted an annual survey of US security managers
  - Spring 2004 survey report – 2 key findings:
    1. The unauthorized use of computers is declining
    2. The most expensive cybercrime was denial of service
- Note: heaps of similar surveys, e.g. KPMG



Information Security
The Threats
- Threats are numerous
- Websites are particularly vulnerable
- Political activism is one motivation for Website defacement
- Theft of proprietary information is a major concern
- Financial fraud is still a significant threat
  - Especially credit card information
  - No data of any value should be stored on web servers


CREDIT CARD FRAUD
Case Example: Threats
- In one case, MSNBC reported that a bug in one shopping cart software product used by 4,000 e-commerce sites exposed customer records at those sites
  - One small e-commerce site did not receive the warning
  - Within days, cyber criminals charged thousands of dollars on the credit cards of users of this small site



CREDIT CARD FRAUD
Case Example: Threats…
- In another case, two foreigners stole 56,000 credit card numbers, bank account information, and other personal financial information from U.S. banks
  - Then tried to extort money from the cardholders and the banks, threatening to publicize the sensitive information they had unearthed


Information Security
The Threats cont.
- Losses are increasing dramatically because companies have rushed into e-commerce, often with applications that do not have security built into the architecture or procedures
  - People think security can be added later, but it really can’t be bolted on as an afterthought
  - Best security = designed into applications via checks during processing and at data transfer points



Information Security
The Threats cont.
- It is easier to guard a bank vault than to guard every house in town
  - That’s why many companies are outsourcing their data center operations to data center specialists with vault-like security
- Mobile computing and telecommunications increase the possibility for crime


Information Security
The Threats cont.
  - The greater number of network openings provides opportunities for illegal entry
- The rise of e-commerce and e-business has put more communications online to the Internet, which is open to everyone including crackers (evil hackers)
- As the Internet doesn’t (currently?) have intrinsic security protocols, this public space is vulnerable


Information Security
The Threats cont.
- The ‘hacker community’ (public club?)
  - ‘True’ vs. parasites
- Approaches hackers use:
  1. Cracking the password
  2. Tricking someone (social engineering = ‘cute’ term!)
  3. Network sniffing


Information Security
The Threats cont.
  4. Misusing administrative tools
  5. Playing middleman
  6. Denial of service
  7. Trojan horse
  8. Viruses


Information Security:
Security’s Five Pillars
1. Authentication: verifying the authenticity of users
2. Identification: identifying users to grant them appropriate access
3. Privacy: protecting information from being seen
4. Integrity: keeping information in its original form
5. Nonrepudiation: preventing parties from denying actions they have taken


Information Security
Management Countermeasures
- The major problem these days:
  - Enterprises cannot have both access to information and airtight security at the same time
- Companies must make tradeoffs between:
  - Absolute information security and
  - The efficient flow of information


Information Security
Management Countermeasures
- Because airtight security is not possible:
  - Companies need to prioritize their risks and work on safeguarding against the greatest threats
- An example to consider is the case example of one company from a Gartner Executive Programs report


Information Security
Management Countermeasures cont.
- Five major findings from the Computer Crime Survey:
  1. Most organizations evaluate the return on their security expenditures
  2. Over 80% conduct security audits
     - Including by ‘outsiders’, e.g. KPMG
  3. The percentage reporting cybercrimes to law enforcement declined


Information Security
Management Countermeasures cont.
     - Some worries are:
       - Damage to stock price / company reputation
       - Competitors using it for their advantage
  4. Most do not outsource cybersecurity
  5. Most respondents view security awareness training as important

©2006 Barbara C. McNurlin. Published by



AN INTERNET SERVICES COMPANY
Case Example: Security
- This firm’s starting point in protecting its systems is to deny all access to and from the Internet
- From there, it opens portals only where required, and each opening has a firewall and only permits specific functions
- The security team constantly “checks the locks” by:
  - Keeping track of the latest bugs found
  - Staying up to date on the latest security attacks


AN INTERNET SERVICES COMPANY
Case Example: Security (cont.)
  - Subscribing to hacker e-mail lists and bulletin boards
  - Personally exploring some risks
  - Logging and monitoring all incoming and outgoing traffic, and
  - Testing the system monthly from a remote site
- Most importantly, it educates employees and clients as the greatest security precaution
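The deny-everything-then-open-specific-portals approach in this case example, written out as an added Python illustration (not code from the lecture or the company): a default-deny perimeter policy where each opening permits only named functions, and every allow/deny decision is logged for the monitoring step above. The hosts, ports, functions and sample flows are constructed.

```python
# Added example (not from the lecture): a default-deny perimeter policy like
# the case example's. Deny all traffic to and from the Internet, open portals
# only where required, limit each to specific functions, log every decision.
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Portal:
    direction: str        # "inbound" or "outbound"
    host: str             # internal host the opening belongs to
    port: int             # TCP port opened through the firewall
    functions: frozenset  # only these functions may pass through it

@dataclass
class PerimeterPolicy:
    portals: list
    log: list = field(default_factory=list)

    def decide(self, direction, host, port, function) -> bool:
        # Default deny: allow only when a portal matches the endpoint AND the
        # requested function is on that portal's permitted list.
        allowed = False
        for p in self.portals:
            if (p.direction, p.host, p.port) == (direction, host, port):
                allowed = function in p.functions
                break
        verdict = "ALLOW" if allowed else "DENY"
        self.log.append((direction, host, port, function, verdict))
        return allowed

# Constructed openings: a public web server limited to HTTP GET/POST and an
# outbound opening for the mail relay. Nothing else is open.
POLICY = PerimeterPolicy([
    Portal("inbound", "web01", 443, frozenset({"http_get", "http_post"})),
    Portal("outbound", "mail01", 25, frozenset({"smtp_send"})),
])

# Constructed sample flows (hosts and ports above are constructed too).
SAMPLE_TRAFFIC = [
    ("inbound", "web01", 443, "http_get"),       # legitimate web request
    ("inbound", "web01", 443, "webdav_put"),     # open port, disallowed function
    ("inbound", "db01", 1433, "sql_query"),      # no portal: database stays closed
    ("outbound", "mail01", 25, "smtp_send"),     # legitimate mail relay
    ("outbound", "web01", 6667, "irc_connect"),  # unexpected outbound, denied
]

def evaluate(policy, traffic):
    # Verdict for each flow, in order; policy.log keeps the full record.
    return [policy.decide(*flow) for flow in traffic]

def denied_flows(policy):
    return [e for e in policy.log if e[-1] == "DENY"]  # entries to review
```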


Information Security:
Technical Countermeasures
- The trend in computer security is toward defining security policies and then centrally managing and enforcing those policies via security products and services or policy-based management
- E.g. a user authenticates to a network once, and then a “rights based system” gives that user access only to the systems to which the user has been given rights
  - Establishes basic control of segregation of duties
  - The ‘computer’ (system) is the control
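The single-authentication, rights-based access described above, as an added Python illustration (not code from the lecture): the user authenticates once, every later request is decided centrally from the rights assigned to that user with default deny, and a segregation-of-duties rule refuses any user who holds conflicting rights. The users, systems, rights and credentials are constructed.

```python
# Added example (not from the lecture): a policy-based "rights based system".
# The user authenticates once; every later request is checked centrally
# against the rights assigned to that user, with default deny. A segregation
# of duties rule stops one person holding conflicting rights. All users,
# systems, rights and credentials below are constructed.
import hmac

# Constructed rights: the (system, action) pairs each user has been granted.
RIGHTS = {
    "alice": {("ledger", "enter_invoice"), ("hr", "view_roster")},
    "bob":   {("ledger", "approve_payment")},
    "carol": {("ledger", "enter_invoice"), ("ledger", "approve_payment")},
}

# Constructed segregation-of-duties rule: the same person must never both
# enter an invoice and approve its payment.
CONFLICTING_PAIRS = [
    (("ledger", "enter_invoice"), ("ledger", "approve_payment")),
]

# Constructed credentials for the single sign-on step (a real system would
# store salted hashes, not passwords).
PASSWORDS = {"alice": "pw-alice-1", "bob": "pw-bob-2", "carol": "pw-carol-3"}

def sod_violations(rights=RIGHTS, pairs=CONFLICTING_PAIRS):
    # Users whose assigned rights break a segregation-of-duties rule.
    return sorted(u for u, r in rights.items()
                  for a, b in pairs if a in r and b in r)

class Session:
    # Result of one successful authentication; carries the user's rights so
    # each system consults the session instead of re-authenticating.
    def __init__(self, user, rights):
        self.user = user
        self.rights = frozenset(rights)

    def may(self, system, action) -> bool:
        # Default deny: only an explicitly granted right opens a system.
        return (system, action) in self.rights

def authenticate(user, password, rights=RIGHTS, passwords=PASSWORDS):
    # Authenticate once. A user whose rights violate segregation of duties is
    # refused at login, so the conflict is caught centrally, not per system.
    expected = passwords.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    if user in sod_violations(rights):
        return None
    return Session(user, rights.get(user, set()))
```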


