
Chapter 10

Information Security Management


“But How Do You Implement that Security?”
• Video conference with SDS (potential PRIDE promoter and
advertiser).
• PRIDE originally designed to store medical data.
• Does the PRIDE system have an acceptable level of security?
• Doesn’t want to affiliate with company with major security
problem.
• Criminals focusing on inter-organizational systems.

Copyright © 2017 Pearson Education, Ltd. 10-2


PRIDE Design for Security



Study Questions
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2026?



Q1: What Is the Goal of Information Systems
Security?



Examples of Threat/Loss



What Are the
Sources of Threats?



What Types of Security Loss Exist?
• Unauthorized Data Disclosure
– Pretexting
– Phishing
– Spoofing
   - IP spoofing
   - Email spoofing
– Drive-by sniffers
   - Wardrivers
– Hacking
– Natural disasters



Incorrect Data Modification
• Procedures incorrectly designed or not followed.
• Increasing customer’s discount or incorrectly modifying
employee’s salary.
• Placing incorrect data on company Web site.
• Cause
– Improper internal controls on systems.
– System errors.
– Faulty recovery actions after a disaster.



Faulty Service
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)



Loss of Infrastructure
• Human accidents
• Theft and terrorist events
• Disgruntled or terminated employee
• Natural disasters
• Advanced Persistent Threat (APT1)
– Theft of intellectual property from U.S. firms.



Goal of Information Systems Security

• Find appropriate trade-off between risk of loss and cost of implementing safeguards.
• Protective actions
– Use antivirus software.
– Delete browser cookies?
– Make appropriate trade-offs to protect yourself and your business.



Q2: How Big Is the Computer Security Problem?
Computer Crime Costs per Organizational Respondent



Average Computer Crime Cost and Percent of
Attacks by Type (5 Most Expensive Types)



Ponemon Study Findings (2014)
• Malicious insiders increasingly serious security threat.
• Business disruption and data loss primary costs of computer
crime.
• Negligent employees, connecting personal devices to
corporate network, use of commercial cloud-based applications
pose significant security threats.
• Security safeguards work.
• Ponemon Study 2014



Q3: How Should You Respond to Security
Threats?

Personal
Security
Safeguards



So What? New from Black Hat 2014
• Briefings on how to hack things.
• Show how to exploit weaknesses in hardware, software,
protocols, or systems from smartphones to ATMs.
• Encourage companies to fix product vulnerabilities.
• Serve as educational forum for hackers, developers,
manufacturers, and government agencies.



Dan Geer Recommendations
1. Mandatory reporting of security vulnerabilities.
2. Make software vendors liable for damage their code causes after it is abandoned, or let users see/have the source code.
3. ISP liable for harmful, inspected content.
4. “Right to be forgotten” - appropriate and advantageous.
5. End-to-End Encrypted Email



Hacking Smart Things
• Automobiles' wireless features and internal systems architecture allow hackers to access automated driving functions.
• Control hotel lights, thermostats, televisions, and blinds in 200+
rooms by reverse-engineering home automation protocol called
KNX/IP
• 70% of smart devices use unencrypted network services, 60%
vulnerable to persistent XSS (cross-site scripting), and weak
credentials.



Q4: How Should Organizations Respond to
Security Threats?
• Senior management creates company-wide policies:
– What sensitive data will be stored?
– How will data be processed?
– Will data be shared with other organizations?
– How can employees and others obtain copies of data stored
about them?
– How can employees and others request changes to inaccurate
data?
• Senior management manages risks.



Security Safeguards and the Five Components



Ethics Guide: Securing Privacy
“The best way to solve a problem is not to have it.”
– Resist providing sensitive data.
– Don’t collect data you don’t need.
• Gramm-Leach-Bliley (GLB) Act, 1999
• Privacy Act of 1974
• Health Insurance Portability and Accountability Act (HIPAA), 1996
• Australian Privacy Act of 1988
– Government, healthcare data, records maintained by businesses with
revenues in excess of AU$3 million.



Ethics Guide: Securing Privacy: Wrap Up
• Business professionals must consider legality, ethics, and
wisdom when requesting, storing, or disseminating data.
• Think carefully about email you open over public, wireless
networks.
• Use long, strong passwords.
• If unsure, don’t give the data.



Q5: How Can Technical Safeguards Protect
Against Security Threats?



Essence of https (SSL or TLS)



Use of Multiple Firewalls

Packet-filtering Firewall



Malware Protection (Viruses, Spyware, Adware)
1. Antivirus and antispyware programs.
2. Scan frequently.
3. Update malware definitions.
4. Open email attachments only from known sources.
5. Install software updates.
6. Browse only reputable Internet neighborhoods.



Malware Types and Spyware and Adware Symptoms
• Viruses
– Payload
• Trojan horses
• Worms
• Spyware
• Adware



Design for Secure Applications
• SQL injection attack
– User enters SQL statement into a form instead of a name or other data.
– Result
   - SQL code becomes part of database commands issued.
   - Improper data disclosure, data damage and loss possible.
– Well designed applications make injections ineffective.
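The two lookups below, added here as an illustration and not code from the textbook or the PRIDE system, show what the slide describes: the first pastes the form value into the SQL text, so SQL typed into the name field becomes part of the command the DBMS runs and discloses every row; the second passes the value as a parameter, so the DBMS treats it strictly as data and the same input matches nothing. The in-memory `customers` table and its rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database for the example (not the textbook's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, discount INTEGER, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("Alice", 5, "111-11-1111"), ("Bob", 10, "222-22-2222")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: the form value is concatenated into the SQL string.

    Whatever the user typed becomes part of the command the DBMS executes,
    which is exactly the injection the slide warns about.
    """
    query = (
        "SELECT name, discount FROM customers WHERE name = '"
        + name
        + "' ORDER BY name"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a parameterized query.

    The SQL text is fixed; the DBMS binds the value as data, so quotes or
    keywords in the input can never change the command's structure.
    """
    return conn.execute(
        "SELECT name, discount FROM customers WHERE name = ? ORDER BY name",
        (name,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal lookup behaves the same either way.
    print(lookup_vulnerable(db, "Alice"), lookup_safe(db, "Alice"))
    # Input containing SQL syntax: the vulnerable query returns every
    # customer (improper data disclosure); the safe query returns nothing.
    probe = "x' OR '1'='1"
    print(lookup_vulnerable(db, probe))
    print(lookup_safe(db, probe))
```

Parameterization is the design property the slide calls "well designed": the application never lets user input reach the DBMS as code. Input validation (for example, allowing only letters in a name field) is a useful second layer but is not a substitute for it.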



Q6: How Can Data Safeguards Protect Against
Security Threats?

• Data safeguards
• Data administration
• Key escrow



Q7: How Can Human Safeguards Protect Against
Security Threats?



Q7: How Can Human Safeguards Protect Against Security Threats? (cont'd)



Human Safeguards for Nonemployee Personnel
• Temporary personnel, vendors, partner personnel (employees
of business partners), and the public.
• Require vendors and partners to perform appropriate screening
and security training.
• Contract specifies security responsibilities.
• Provide accounts and passwords with least privilege and
remove accounts as soon as possible.



Public Users
• Web sites and other openly accessible information systems.
– Hardening
   - Special versions of operating system.
   - Lock down or eliminate operating system features and functions not required by application.
– Protect such users from internal company security problems.



Account Administration
• Account Management
– Standards for new user accounts, modification of account
permissions, removal of unneeded accounts.
• Password Management
– Users change passwords frequently.
• Help Desk Policies
– Provide means of authenticating users.



Sample Account Acknowledgment Form



Systems Procedures



Security Monitoring
• Server activity logs
– Firewall log
   - Lists of all dropped packets, infiltration attempts, unauthorized access, and attempts from within the firewall.
– DBMS
   - Successful and failed logins.
– Web servers
   - Voluminous logs of Web activities.
• PC operating systems produce records of log-ins and firewall activity.
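The slide lists the logs but not what an analyst does with them. The script below is an added example, not from the textbook, of the simplest monitoring step: reading the DBMS login log and the firewall drop log together and flagging a source that both fails repeatedly to log in and has many packets dropped. The log lines and their format are constructed for the example and do not correspond to any particular DBMS or firewall product; the thresholds are arbitrary starting points an organization would tune.

```python
import re
from collections import Counter

# Constructed sample logs (hypothetical format, not a real product's output).
DBMS_LOG = """\
2017-03-01T08:00:01 LOGIN user=alice src=10.0.0.5 result=success
2017-03-01T08:00:07 LOGIN user=admin src=203.0.113.9 result=failure
2017-03-01T08:00:09 LOGIN user=admin src=203.0.113.9 result=failure
2017-03-01T08:00:11 LOGIN user=admin src=203.0.113.9 result=failure
2017-03-01T08:00:13 LOGIN user=admin src=203.0.113.9 result=failure
2017-03-01T08:00:15 LOGIN user=admin src=203.0.113.9 result=success
2017-03-01T08:01:30 LOGIN user=bob src=10.0.0.7 result=failure
2017-03-01T08:01:40 LOGIN user=bob src=10.0.0.7 result=success
"""

FIREWALL_LOG = """\
2017-03-01T07:59:50 DROP src=203.0.113.9 dst=10.0.0.20 dport=22
2017-03-01T07:59:51 DROP src=203.0.113.9 dst=10.0.0.20 dport=23
2017-03-01T07:59:52 DROP src=203.0.113.9 dst=10.0.0.20 dport=445
2017-03-01T07:59:53 DROP src=203.0.113.9 dst=10.0.0.20 dport=1433
2017-03-01T07:59:54 DROP src=203.0.113.9 dst=10.0.0.20 dport=3389
2017-03-01T07:59:55 DROP src=203.0.113.9 dst=10.0.0.21 dport=22
2017-03-01T08:10:00 DROP src=198.51.100.4 dst=10.0.0.20 dport=80
2017-03-01T08:10:05 DROP src=198.51.100.4 dst=10.0.0.20 dport=443
"""

DBMS_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)
FW_RE = re.compile(r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def failed_logins_by_source(log_text):
    """Count failed DBMS logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DBMS_RE.match(line)
        if m and m.group("result") == "failure":
            counts[m.group("src")] += 1
    return counts


def dropped_packets_by_source(log_text):
    """Count packets the firewall dropped, per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def success_after_failures(log_text, streak=3):
    """Report a successful login that follows `streak` or more consecutive
    failures for the same user: a guessed or stuffed credential looks like this."""
    run = Counter()  # consecutive failures per user, reset on success
    hits = []
    for line in log_text.splitlines():
        m = DBMS_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        if m.group("result") == "failure":
            run[user] += 1
        else:
            if run[user] >= streak:
                hits.append((user, m.group("src"), run[user]))
            run[user] = 0
    return hits


def suspicious_sources(dbms_log, fw_log, login_threshold=3, drop_threshold=5):
    """Correlate the two logs: a source is flagged when it crosses either threshold."""
    fails = failed_logins_by_source(dbms_log)
    drops = dropped_packets_by_source(fw_log)
    flagged = {}
    for src in sorted(set(fails) | set(drops)):
        reasons = []
        if fails[src] >= login_threshold:
            reasons.append(f"{fails[src]} failed DBMS logins")
        if drops[src] >= drop_threshold:
            reasons.append(f"{drops[src]} dropped firewall packets")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in suspicious_sources(DBMS_LOG, FIREWALL_LOG).items():
        print(src, "->", "; ".join(reasons))
    for user, src, n in success_after_failures(DBMS_LOG):
        print(f"review: {user} logged in from {src} after {n} failures")
```

The point of correlating the firewall log with the DBMS log is that each alone is noisy: a handful of dropped packets or a mistyped password is routine, but the same address doing both, and then succeeding, is the kind of event the slide's "investigate security incidents" step should start from.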



Security Monitoring (cont’d)
• Employ utilities to assess vulnerabilities.
• Honeypots for computer criminals to attack.
• Investigate security incidents.
• Constantly monitor to determine adequacy of existing security
policy and safeguards.



Q8: How Should Organizations Respond to
Security Incidents?



Q9: 2026?
• APTs more common.
• Concern about balance of national security and data
privacy.
• Security on devices will be improved.
• Skill level of cat-and-mouse activity increases substantially.
• Improved security at large organizations.
• Strong local “electronic” sheriffs.



Guide: EMV to the Rescue
• EMV chip-and-PIN.
• Changes way cards are verified.
• Chip verifies authenticity of physical card, PIN verifies
identity of cardholder.
• What EMV can do to protect you?



Data Breach at Home Depot
• Loss of 56 million customer credit card records and 53 million
customer email addresses.
• Hackers gained access to Home Depot’s internal network using
stolen credentials from a third-party vendor.
• Distributed malware to “scrape” credit card data from POS
terminal RAM.
• Stolen data collected and moved out of Home Depot’s network.



Data Breach at Home Depot (cont’d)
• HD used older version of antivirus software.
• Lacked encryption between point-of-sale (POS) systems and
central servers.
– Didn’t directly contribute to data breach.
• Real security weakness - access to residual credit card data
stored in memory of the POS.
• EMV doesn't store card data in memory – only transaction ID numbers.



Building Adoption Momentum
• Adoption of EMV chip-and-PIN
– Western Europe – 99.9%
– Canada – 84.7%
– Asia – 71.4%
– U.S. – 0.3%
• U.S. last user of older magnetic stripe card technology.
• Merchants liable for credit card fraud if POS terminals do not
support EMV, starting Oct. 2015.
• Card and card reader costs increase.



Guide: Phishing for Credit Cards, Identifying
Numbers, Bank Accounts
• Phishing scams commonplace.
• Examples of phishing scams at PhishTank.com and
ConsumerFraudReporting.org
• You need to be able to identify and avoid phishing scams.



Phish Examples



Active Review
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2026?



Case 10: Hitting the Target
• Lost 40 million credit and debit card numbers.
• Later, announced additional 70 million customer accounts
stolen that included names, emails, addresses, phone numbers,
etc.
• 98 million customers affected.
– 31% of 318 million people in US.
• Stolen from point-of-sale (POS) systems at Target stores during
holiday shopping season.



How Did They Do It?
• Spearphished malware to gather keystrokes, login credentials, and screenshots from Fazio users.
• Attackers escalated privileges to gain access to Target's internal network.
• Trojan.POSRAM extracted data from POS terminals.



Damage
• Card and PIN numbers of 2 million cards sold for $26.85 each ($53.7M).
• Target took loss on merchandise purchased using stolen credit
cards.
• Costs
– Upgraded POS terminals to support chip-and-pin cards,
– Increased insurance premiums,
– Paid legal fees,
– Settled with credit card processors,
– Paid consumer credit monitoring,
– Paid regulatory fines.



Damage (cont'd)
• Loss of customer confidence and drop in revenues (46% loss for quarter).
• Direct loss to Target as high as $450 million.
• CIO resigned, CEO paid $16 million to leave.
• Cost credit unions and banks more than $200 million to issue new cards.
• Insurers demand higher premiums, stricter controls, and more system
auditing.
• Consumers must watch their credit card statements, and fill out paperwork
if fraudulent charges appear.
