
BITS Pilani, Pilani Campus
BITS/CM/HHSM ZC471
Management Information Systems

Lecture Session 5
16-08-14
BITS Pilani, Pilani Campus
Securing the Enterprise and Business Continuity
Chapter 5
3
BITS/CM/HHSM ZC471
16/08/2014
BITS Pilani, Pilani Campus
Learning Objectives
1. Recognize the business and financial value of information security.
2. Understand IS vulnerabilities, threats, attack methods, and cybercrime symptoms.
3. Factors that contribute to risk exposure and methods to mitigate them.
4. Key methods of defending information systems, networks, and wireless devices.
5. Describe internal control and fraud and related legislation.
6. Importance of business continuity and disaster recovery planning methods.
7. Role of IT in defending critical infrastructures.
Cases/Highlights in Chapter 5
Opening Case: ChoicePoint
IT at work 5.1: $100 million data breach
CL 5.1: IT governance best practices
CL 5.2: Money laundering, organized crime and terrorist funding
CL 5.3: Mobile workers and handheld devices
CL 5.4: Global IT security efforts
CL 5.5: 1.4 Gigabytes of stolen data and email
CL 5.6: War driving
IT at work 5.2: How Watson Wyatt recovered from a disaster
Case: Weak internal controls contribute to Nasdaq delisting (NEC)
Opening Case: ChoicePoint
ChoicePoint is a leading data broker and credentialing service; it maintains 19 billion public records on 220 million citizens.
It buys personal data (names, social security numbers, birthdates, employment data, and credit histories) and sells it to businesses and government agencies.
Roughly 70% of ChoicePoint's revenue is generated by selling consumer records for insurance claim verifications and background screenings.
ChoicePoint was exposing the business to risk by ignoring its own policy to verify that customers were legitimate.
ChoicePoint
In early 2000, ChoicePoint provided hackers with customer accounts, which they used to illegally access databases and steal confidential data.
A Nigerian national living in California, Olatunji Oluwatosin, was allowed to set up over 50 bogus business accounts; he was arrested in Feb 2005 and sentenced to 10 years.
In 2004, ChoicePoint was hit with the largest fine in Federal Trade Commission (FTC) history: $15 million.
Disclosure: in Feb. 2005, ChoicePoint reported that the personal and financial data of 145,000 individuals had been compromised.
ChoicePoint
By May 2008, the breach had cost over $55 million in fines, compensation to potential victims of identity theft, lawsuit settlements, and legal fees.
In June 2008, the company also paid $10 million to settle another class-action lawsuit.
ChoicePoint reformed its business practices and data security measures.
Key points:
IT security: the protection of information, communication networks, and traditional and e-commerce operations to assure confidentiality, integrity, availability and authorized use.
Operational risk: the risk of loss resulting from inadequate or failed internal processes, people, systems, or external events.
Opening Case: ChoicePoint
Solution: implement new procedures to ensure that consumers are protected from illegitimate access to personal data.
Establish and maintain a comprehensive information security program.
Obtain audits by independent third-party security professionals.
Taken over by Reed Elsevier ($3.6 billion).
5.1 Data and Enterprise Security Incidents
IT security: the protection of information, communication networks, and traditional and e-commerce operations to assure confidentiality, integrity, availability and authorized use.
Operational risk: the risk of loss resulting from inadequate or failed internal processes, people, systems, or external events.
Hacking & Stealing
May 2006: a laptop, Dept. of Veterans Affairs
Jan 2007: TJX Co., 100 million credit & debit cards (breach dating from July 2005)
May 2008: Walter Reed Army Medical Centre, 1000 patients, stolen computer
June 2008: MS Windows XP and Vista
How Vulnerable Are Systems?
Table 5.1 IT Security Terms
Sophisticated spyware; mobile viruses; time to exploitation; MS releases service packs to patch up.
In June 2006, a former systems administrator at UBS PaineWebber, Roger Duronio, was charged with building, planting, and setting off a logic bomb.
The logic bomb was designed to delete all files in the host server and in every server in all branch offices.
On March 4, 2002, at 9:30 a.m., as the stock market opened, the words "cannot find" appeared on the company's system in NJ.
That day, 2,000 servers went down, leaving about 17,000 brokers across the country unable to make trades.
Nearly 400 branch offices were affected.
Government Regulation
The Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 is mandatory. ALL organizations, large and small, MUST comply.
Regulation of financial practice and corporate governance.
Integrity, confidentiality, availability and reliability.
Debate continues over the perceived benefits and costs of SOX.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLB), also known as the Financial Services Modernization Act of 1999, requires financial institutions that offer consumers financial products or services like loans, financial or investment advice, or insurance to explain their information-sharing practices to their customers and to safeguard sensitive data.
Government Regulation
Federal Information Security Management Act
The Federal Information Security Management Act (FISMA) is legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats.
FISMA was signed into law as part of the Electronic Government Act of 2002.
USA Patriot Act
The official title is "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001".
Its aim is to strengthen measures to prevent, detect and prosecute international money laundering and the financing of terrorism.
Government Regulation
Canada's Personal Information Protection and Electronic Documents Act
PIPEDA became law on 13 April 2000 to promote consumer trust in electronic commerce.
The purpose of this Part is to establish, as IT increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals and the need of organizations to collect, use or disclose personal information for appropriate purposes.
Indian Context
RBI, SEBI, IRDA, FMC, PFRDA, MoF, HLCC
What is the role of each? Find out!
Industry Standards
PCI DSS: Payment Card Industry Data Security Standard
Visa, MasterCard, American Express and Discover
Made operational in June 2008
Retailers should ensure Web-facing applications are protected by:
Having all custom-made application code reviewed
Installing an application-layer firewall in front of Web-facing applications
Goal: to improve customer trust
2008 Computing Technology Industry Association (CompTIA) survey of companies in the US, UK, Canada and China
Industry Standards
Key findings
Nearly 66% in the US, 50% in the UK, 50% in China and 40% in Canada have implemented written security policies.
Percentage of budget: 7% in 2005 to 12% in 2007.
78% in China require IT security certification; 33% in the US.
Breakdowns beyond company control
Cybercriminals launched an attack to extort money from StormPay: two days, 3 million customers.
9/11: many companies lost critical data; mission-critical systems and networks were down; network and telephone connectivity was lost; Verizon suffered massive damage.
IT Security and Internal Control Model
1. Senior management commitment and support
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Internal control: a process designed to provide reasonable assurance of effective operations and reliable financial reporting.
IT Security and Internal Control Model
2. Security policies and training
Acceptable Use Policy (AUP): to prevent misuse and reduce exposure
CompTIA report
3. Security procedures and enforcement
Enforcing the AUP
Risk Exposure Model for digital assets
Business Impact Analysis (BIA)
4. Security tools: hardware and software
Multi-layered security system
Spyware
IT Security and Internal Control Model
5.2 IS Vulnerabilities and Threats
Unintentional threats
Human errors
Environmental hazards (natural, man-made)
Computer system failures
Intentional threats
Theft, manipulation
Sabotage
Scope: economy or country level
Hackers & crackers: social engineering
Top 5 SE Techniques: http://www.symantec.com/connect/articles/social-engineering-reloaded
Methods of Attack
Data tampering
Programming attacks
Denial of Service (DoS) attacks
Types
Malware: unwanted software that exploits flaws
Virus: computer code
Worm: can spread without human intervention
Trojan horse or RAT: illegal access to a network
Botnets: collection of bots
Zombies, spyware, adware, spam, phishing, DoS attacks, etc.
How do viruses spread over systems?



Spread of viruses
Malware Defense
1. Anti-malware technology
2. Intrusion Detection System (IDS)
3. Intrusion Prevention System (IPS)
Provider: Lavasoft
5.3 Fraud and Computer-Mediated/Identity Crimes
Adelphia: $60 billion
Global Crossing: $1.5 billion in stocks
Tyco: corporate loans of about $600 million
Table 5.4 Identity Crimes
5.4 IT Security Management Practices
Defense Strategy:
1. Prevention and deterrence
2. Detection
3. Containment
4. Recovery
5. Correction
6. Awareness and compliance
Major Defense Controls
General Control Mechanisms
Physical Controls
Design control
Shielding mechanism
Other basic physical facilities
Emergency controls
A/C; anti-physical-intrusion
Access Controls
User knows
User has
User is
Control Mechanisms
Biometric Controls
Thumbprint or fingerprint
Retinal scan
Voice scan
Signature
Administrative Controls
Intelligent agents
Table 5.5 Representative Administrative Controls
Fostering company loyalty, random audits
Application Controls
5.5 Network Security
Network Authentication & Authorization
Two-factor authentication
Multi-factor authentication
1. Who are you?
2. Where?
3. What?
Securing wireless networks
How Firewalls Work
How Phishing Works
Protection from Phishers
Placing Defense Mechanism
5.6 Internal Control & Compliance Management
Internal control environment: work atmosphere
Internal control: a process designed to achieve
Reliability (of financial reporting),
(Operational) efficiency,
Compliance (with laws, regulations and policies), and
Safeguarding (of assets)
Increasing role of IT in internal control.
SOX Indian Perspective
SOX Compliance
http://220.227.161.86/10632may05p1439-47.pdf
WorldWide Anti-Fraud Regulations
Financial Services Authority (FSA), UK
2007: FSA fined BNP Paribas £350,000 for failures
Securities and Exchange Commission (SEC)
Basel II (Capital) Accord: managing operational risk & internal fraud; seven types of potential losses
1. Internal fraud
2. External fraud
3. Employment practices and workforce safety
4. Clients, products, and business practices
5. Damage to physical assets
6. Business disruption and systems failures
7. Execution, delivery and process management
Indian context - SEBI
The Preamble of the Securities and Exchange Board of India describes the basic functions of SEBI as "...to protect the interests of investors in securities and to promote the development of, and to regulate the securities market and for matters connected therewith or incidental thereto".
5.7 Business Continuity & Disaster Recovery Planning
Business continuity plan
Disaster avoidance
5.8 Auditing and Risk Management
Auditing
Are there sufficient controls in the system? Areas not covered?
Controls not necessary?
Controls implemented properly?
Controls effective? Output checked?
Clear separation of duties?
Procedures to ensure compliance with controls?
Procedures to ensure reporting and corrective actions in
Risk Management Analysis
Decision Support Systems
Expected Loss $= P_A \times P_S \times L$
$P_A$: probability of attack
$P_S$: probability of the attack being successful
$L$: loss occurring if the attack is successful
Example: $P_A = 0.02$, $P_S = 0.10$ and $L$ = Rs.1,000,000
Expected Loss = Rs.2000
Ethical issues
Respondeat superior
Duty of care
How does IT benefit you? Functional areas: find out!
Managerial issues
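As an added example (not part of the lecture slides), the expected-loss formula above turned into a small decision-support routine: it ranks risk items by expected loss and checks whether a control that lowers P_S is worth its cost. The asset names, probabilities and control cost are constructed values, not figures from the course.

```python
# Added example, not from the lecture slides: a small risk-management
# decision-support routine built on the slide's formula
#     Expected Loss = P_A x P_S x L
# and extended to check whether a control pays for itself.
# All asset names, probabilities and costs below are constructed.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskItem:
    asset: str
    p_attack: float   # P_A: probability an attack occurs in the period
    p_success: float  # P_S: probability the attack succeeds
    loss: float       # L: loss (Rs.) if the attack succeeds


def expected_loss(item: RiskItem) -> float:
    """Expected Loss = P_A x P_S x L, with the probabilities range-checked."""
    for p in (item.p_attack, item.p_success):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{item.asset}: probability {p} is not in [0, 1]")
    return item.p_attack * item.p_success * item.loss


def control_net_benefit(item: RiskItem, new_p_success: float, control_cost: float) -> float:
    """Loss avoided by a control that lowers P_S to new_p_success, minus its cost.
    A positive result means the control is worth buying for this period."""
    hardened = replace(item, p_success=new_p_success)
    return expected_loss(item) - expected_loss(hardened) - control_cost


def rank_by_expected_loss(items: list[RiskItem]) -> list[RiskItem]:
    """Highest expected loss first: where a limited security budget should go."""
    return sorted(items, key=expected_loss, reverse=True)


# The slide's worked example: 0.02 x 0.10 x 1,000,000 = Rs.2000
SLIDE_EXAMPLE = RiskItem("slide example", 0.02, 0.10, 1_000_000)

# Constructed portfolio for the ranking demo
PORTFOLIO = [
    RiskItem("customer database", 0.30, 0.05, 5_000_000),
    RiskItem("branch file server", 0.10, 0.20, 800_000),
    RiskItem("public web site", 0.90, 0.01, 200_000),
]

if __name__ == "__main__":
    for item in rank_by_expected_loss(PORTFOLIO):
        print(f"{item.asset:20s} expected loss Rs.{expected_loss(item):,.0f}")
    # Hypothetical control: halves P_S on the slide example for Rs.500
    print("net benefit:", control_net_benefit(SLIDE_EXAMPLE, 0.05, 500))
```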
Summary
Recognize the business and financial value of information security.
Understand IS vulnerabilities, threats, attack methods, and cybercrime symptoms.
Factors that contribute to risk exposure and methods to mitigate them.
Key methods of defending information systems, networks, and wireless devices.
Describe internal control and fraud and related legislation.
Importance of business continuity and disaster recovery planning methods.
Role of IT in defending critical infrastructures.
Managerial issues