
Information Systems: A Manager ’ s Guide to Harnessing Technology By John Gallaugher



Presentation Transcript


  1. Information Systems: A Manager’s Guide to Harnessing Technology, by John Gallaugher

  2. This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA

  3. Chapter 13 - Information Security: Barbarians at the Gateway (and Just About Everywhere Else)

  4. Learning Objectives
  • Recognize that information security breaches are on the rise
  • Understand the potentially damaging impact of security breaches
  • Recognize that information security must be made a top organizational priority

  5. Learning Objectives
  • Understand the source and motivation of those initiating information security attacks
  • Relate examples of various infiltrations in a way that helps raise organizational awareness of threats
  • Recognize the potential entry points for security compromise

  6. Learning Objectives
  • Understand infiltration techniques such as social engineering, phishing, malware, Web site compromises (such as SQL injection), and more
  • Identify various methods and techniques to thwart infiltration
  • Identify critical steps to improve your individual and organizational information security

  7. Learning Objectives
  • Be a tips, tricks, and techniques advocate, helping make your friends, family, colleagues, and organization more secure
  • Recognize the major information security issues that organizations face, as well as the resources, methods, and approaches that can help make firms more secure

  8. Introduction
  • Business establishments are increasingly at risk from information security threats
  • The network in a TJX retail store was infiltrated via an insecure Wi-Fi base station
    • 45.7 million credit and debit card numbers were stolen
    • Driver’s licenses and other private information were pilfered from 450,000 customers
    • TJX suffered settlement costs and court-imposed punitive action to the tune of $150 million

  9. Introduction
  • Factors that amplified the severity of the TJX security breach:
    • Personnel betrayal: An alleged FBI informant used insider information to mastermind the attacks
    • Technology lapse: TJX used WEP, an insecure wireless security technology
    • Procedural gaffe: TJX had received an extension on the rollout of mechanisms that might have discovered and plugged the hole before the hackers got in

  10. Introduction
  • Information security must be a top organizational priority
  • Information security isn’t just a technology problem; a host of personnel and procedural factors can create and amplify a firm’s vulnerability
  • Constant vigilance regarding security needs to be part of individual skill sets and a key component of organizational culture

  11. Motivations for Criminals
  • Any Internet-connected network is susceptible to security attacks
  • Motivations for information security-related crimes vary widely:
    • Account theft and illegal funds transfer
    • Some hackers steal data for personal use
    • Others sell stolen data to fraudsters who use it to buy (then resell) goods or create false accounts via identity theft
    • Stealing personal or financial data

  12. Motivations for Criminals
  • Compromising computing assets for use in other crimes, such as:
    • Sending spam from thousands of difficult-to-shut-down accounts
    • Launching tough-to-track click-fraud efforts
    • Distributed denial of service (DDoS) attacks
  • Extortionists might leverage botnets or hacked data to demand payment to avoid retribution

  13. Motivations for Criminals
  • Corporate espionage might be performed by insiders, rivals, or even foreign governments
  • Cyberwarfare
  • Devastating technology disruptions by terrorists that cut off power to millions
  • Terrorism
    • Compromising a key component in an oil refinery, forcing it to overheat, and causing an explosion
    • Taking out key components of vulnerable national power grids

  14. Motivations for Criminals
  • Pranks involving setting off rumors that could have widespread repercussions
  • Protest hacking (hacktivism)
  • Revenge by disgruntled employees

  15. Response to Crime
  • Law enforcement agencies dealing with computer crime are increasingly outnumbered, outskilled, and underfunded
    • Technically weak personnel trained in a prior era’s crime-fighting techniques
    • Governments rarely match the pay scales and stock bonuses offered by private industry

  16. Understanding Vulnerabilities
  • A wide majority of security threats are posed by insiders
  • Rogue employees can steal secrets, install malware, or hold a firm hostage
  • Other insider threats to information security can come from:
    • Contract employees
    • Temporary staffers
    • Outsourcing of key infrastructure components
    • Partner firms such as clients and technology providers

  17. Social Engineering
  • Con games that trick employees into revealing information or performing other tasks that compromise a firm
  • Examples of social engineering methods include:
    • Baiting someone to add, deny, or clarify information that can help an attacker
    • Using harassment, guilt, or intimidation
  • Social media sites are a major source of information for social engineering scammers

  18. Phishing
  • Phishing refers to cons executed through technology
  • The goal is to leverage the reputation of a trusted firm or friend to trick a victim into performing an action or revealing information:
    • Requests to reset passwords
    • Requests to update information
    • Requests to download malware
  • Spear phishing attacks specifically target a given organization or group of users
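The phishing lures on this slide work because the visible text of a link borrows a trusted name while the actual target points elsewhere. The following Python example, added here and not part of Gallaugher's slides, shows the kind of mail-gateway or user-awareness check a defender can run over a message body: it pulls every anchor out of constructed sample HTML (the hosts `bank.example`, `evil-host.test` and the address 198.51.100.7 are made up for the example) and flags links whose displayed URL names a different host than the one they really go to, or that go to a bare IP address.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body (not from the original slides): one honest
# link, one whose displayed URL disagrees with its target, one that points at
# a raw IP address, and one ordinary "Contact support" link.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention.</p>
<a href="https://www.bank.example/login">https://www.bank.example/login</a>
<a href="https://www.bank.example.evil-host.test/reset">https://www.bank.example/reset</a>
<a href="http://198.51.100.7/update">Update your details</a>
<a href="https://www.bank.example/help">Contact support</a>
"""


class _AnchorCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host_of(url_or_host):
    """Lower-cased host part of a URL; a bare 'www.x' gets a scheme so urlsplit parses it."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlsplit(url_or_host).hostname or "").lower()


def _looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def _is_ipv4_literal(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def find_suspicious_links(html):
    """Return [(text, href, reason)] for anchors whose appearance and target disagree.

    Check 1: if the visible text is itself a URL or hostname, it must name the
    same host as the href.  Check 2: an href whose host is a raw IPv4 address is
    flagged, because legitimate institutions almost never link that way.
    """
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        href_host = _host_of(href)
        if _looks_like_url(text) and _host_of(text) != href_host:
            findings.append((text, href, "visible text host != link host"))
        if _is_ipv4_literal(href_host):
            findings.append((text, href, "link targets a raw IP address"))
    return findings


if __name__ == "__main__":
    for text, href, reason in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: '{text}' -> {href}")
```

On the sample body the honest login link and the "Contact support" link pass, while the lookalike-host link and the raw-IP link are each reported once. The same two heuristics are what a user should apply by hand: hover over the link and compare the real destination with what the message shows.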

  19. Passwords
  • Most users employ inefficient and insecure password practices:
    • Using the same password for different accounts
    • Making only minor tweaks to passwords
    • Writing passwords down
    • Saving passwords in personal e-mail accounts or on unencrypted hard drives
  • Challenge questions offered by many sites to automate password distribution and resets offer flimsy protection

  20. Passwords
  • Any firm not changing the default accounts and passwords shipped with purchased software risks leaving an open door
  • Users who set systems for open access leave their firms vulnerable to attack

  21. Technology Threats - Malware
  • Malware threatens any connected system running software, including embedded devices and a firm’s networking equipment
  • Methods of infection include:
    • Viruses
    • Worms
    • Trojans

  22. Technology Threats - Goals of Malware
  • Botnets or zombie networks
  • Malicious adware
  • Spyware
  • Keyloggers
  • Screen capture
  • Blended threats

  23. Technology Threats - Compromising Web Sites
  • The SQL injection technique exploits sloppy programming practices that do not validate user input
  • Problematic because there is no piece of security software a firm can simply deploy to protect itself; the fix has to be in the application code
  • Firms have to check the integrity of their Web sites for vulnerabilities
  • Related programming exploits:
    • Cross-site scripting attacks
    • HTTP header injection
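The slide says SQL injection comes from code that splices user input into a query, and that the remedy lies in the programming rather than in a bolt-on product. The Python example below is added here and is not from Gallaugher's slides; it uses an in-memory SQLite table with constructed sample users to put the sloppy pattern next to its hardened form. `login_unsafe` builds the SQL string by hand, so a quote character in the password field changes the statement's logic; `login_safe` uses a parameterized query, so the driver passes the same input purely as a value. Passwords are stored in the clear only to keep the example short; a real system stores salted hashes.

```python
import sqlite3


def build_sample_db():
    """In-memory users table with constructed rows (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"),
         ("bob", "battery staple", "user")],
    )
    return conn


def login_unsafe(conn, username, password):
    """The pattern the slide warns about: user input pasted into the SQL text.

    Whatever the user types becomes part of the statement, so a quote can close
    the string literal and the rest of the input is interpreted as SQL.
    """
    query = (
        "SELECT role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: a parameterized query.

    The SQL text is fixed; the values travel separately and are compared as
    data, so no character in the input can alter the statement's structure.
    """
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def audit_login_handlers():
    """Run the textbook injection probe against both handlers and report results.

    The probe is the standard string auditors feed into form fields: it closes
    the password literal, adds an always-true condition and comments out the
    rest of the statement.  A correct handler must treat it as a wrong password.
    """
    conn = build_sample_db()
    probe = "' OR '1'='1' --"
    return {
        "unsafe_with_probe": login_unsafe(conn, "alice", probe),
        "safe_with_probe": login_safe(conn, "alice", probe),
        "safe_with_real_password": login_safe(conn, "alice", "correct horse"),
        "safe_with_wrong_password": login_safe(conn, "alice", "nope"),
    }


if __name__ == "__main__":
    for check, outcome in audit_login_handlers().items():
        print(f"{check}: {outcome}")
```

Against the sample table the unsafe handler returns the `admin` role without knowing any password, while the parameterized handler returns nothing for the probe and only succeeds with the genuine credential. Reviewing code for the first pattern is exactly the kind of audit the "Pointers for firms" slide later asks for.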

  24. The Encryption Prescription
  • Encryption scrambles data using a code or formula, known as a cipher, such that it is hidden from those who do not have the unlocking key
  • Even the largest known brute-force attacks haven’t come close to breaking the encryption that scrambles the transmissions most browsers use in communication with banks and shopping sites

  25. Other Technology Threats
  • Push-button hacking
    • Hackers have created tools that make it easy for the criminally inclined to automate attacks
    • Hacking toolkits can probe systems for the latest vulnerabilities, and then launch appropriate attacks
  • Network threats
    • The network itself may be a source of compromise (example: the TJX hack)
    • DNS cache poisoning exploits can redirect the DNS mapping

  26. Physical Threats
  • Dumpster diving: Sifting through trash to uncover valuable data or insights that facilitate attacks
  • Shoulder surfing: Looking over someone’s shoulder to glean a password or other proprietary information from a computer screen
  • Eavesdropping: Listening in on or recording conversations, transmissions, or keystrokes

  27. Taking Action as a User
  • Question links, enclosures, download requests, and the integrity of Web sites visited
  • Be on guard for phishing attacks, social engineering con artists, and other attempts to let in malware
  • Turn on software update features for your operating system and any application you use
  • Install a full suite of security software and regularly update it
  • Encrypt all valuable and sensitive data

  28. Taking Action as a User
  • Do not turn on risky settings like unrestricted folder sharing
  • Home networks should be secured with password protection and a firewall
  • Use VPN software when accessing public hotspots
  • Maintain a strict password regimen, including regular updating and changing of default passwords
  • Regularly back up systems and destroy data on removable devices after use

  29. Taking Action as an Organization
  • Security frameworks aim to take all measures to ensure the security of the firm for its customers, employees, shareholders, and others
    • ISO 27000 series
  • Firms may also face compliance requirements: legal or professionally binding steps
  • Compliance does not equal security

  30. Taking Action as an Organization
  • Education, audit, and enforcement
    • Employees need to know a firm’s policies, be regularly trained, and understand that they will face strict penalties if they fail to meet their obligations
    • Include operations employees, the R&D function, and representatives from general counsel, audit, public relations, and human resources in security teams
    • Audits include real-time monitoring of usage, announced audits, and surprise spot checks

  31. Taking Action as an Organization
  • Information security should start with an inventory-style audit and risk assessment
  • Firms should invest wisely in methods that thwart common, easily prevented infiltration techniques
  • Security is an economic problem, involving attack likelihood, costs, and prevention benefits
  • Tightening security and lobbying for legislation that imposes severe penalties on crooks helps raise adversary costs and lowers the likelihood of breaches

  32. Role of Technology
  • Patches
    • Pay attention to security bulletins and install software updates that plug existing holes
    • Legitimate concerns exist over the ability of patches to unfavorably affect a firm’s systems
  • Lock down hardware
    • Reimage hard drives of end-user PCs
    • Disable boot capability of removable media
    • Prevent Wi-Fi use
    • Require VPN encryption for network transmissions

  33. Role of Technology
  • Lock down networks
    • Firewalls control network traffic, blocking unauthorized traffic and permitting acceptable use
    • Intrusion detection systems monitor network use for hacking attempts and take preventive action
    • Honeypots are seemingly tempting, bogus targets meant to lure hackers
    • Blacklists deny entry or exit to specific IP addresses and other entities
    • Whitelists permit communication only with approved entities or in an approved manner
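The slide lists blacklists, whitelists and intrusion detection as separate network controls; the difference in posture between the first two is easiest to see on concrete traffic. The Python example below is added here and is not part of Gallaugher's slides. It parses a few constructed connection-log lines (the addresses are from documentation ranges and the `src=/dport=/result=` field layout is invented for the example), evaluates each source against a deny-list policy (default allow) and an allow-list policy (default deny), and runs a minimal intrusion-detection rule that flags sources with repeated failed logins.

```python
import ipaddress
from collections import Counter

# Constructed sample connection log (not from the slides).  Fields are
# "src=<ip> dport=<port> result=<ok|fail>" after a timestamp.
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=10.1.2.3 dport=443 result=ok
2024-01-01T10:00:02 src=203.0.113.9 dport=22 result=fail
2024-01-01T10:00:03 src=203.0.113.9 dport=22 result=fail
2024-01-01T10:00:04 src=203.0.113.9 dport=22 result=fail
2024-01-01T10:00:05 src=203.0.113.9 dport=22 result=fail
2024-01-01T10:00:06 src=192.0.2.50 dport=443 result=ok
2024-01-01T10:00:07 src=10.1.2.3 dport=22 result=fail
"""

# Blacklist posture: name the known-bad sources, let everything else through.
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]
# Whitelist posture: name the approved sources, refuse everything else.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Turn each log line into {'src': ip_address, 'dport': int, 'result': str}."""
    records = []
    for line in text.splitlines():
        fields = dict(item.split("=", 1) for item in line.split()[1:])
        records.append({
            "src": ipaddress.ip_address(fields["src"]),
            "dport": int(fields["dport"]),
            "result": fields["result"],
        })
    return records


def allowed_by_blocklist(src):
    """Default allow: a source is permitted unless it matches a denied network."""
    return not any(src in net for net in BLOCKLIST)


def allowed_by_allowlist(src):
    """Default deny: a source is permitted only if it matches an approved network."""
    return any(src in net for net in ALLOWLIST)


def compare_policies(src_text):
    """How each posture treats a single source address: (blocklist, allowlist)."""
    src = ipaddress.ip_address(src_text)
    return allowed_by_blocklist(src), allowed_by_allowlist(src)


def detect_brute_force(records, threshold=3):
    """IDS-style rule: sources with more than `threshold` failed logins on port 22."""
    fails = Counter(
        str(r["src"]) for r in records if r["dport"] == 22 and r["result"] == "fail"
    )
    return sorted(src for src, count in fails.items() if count > threshold)


def summarize(text):
    """Apply both policies and the detection rule to a log and report the results."""
    records = parse_log(text)
    return {
        "blocklist_permitted": sum(allowed_by_blocklist(r["src"]) for r in records),
        "allowlist_permitted": sum(allowed_by_allowlist(r["src"]) for r in records),
        "brute_force_sources": detect_brute_force(records),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample log the blocklist stops the four connections from the denied range but admits the unknown source 192.0.2.50, while the allowlist admits only the two connections from the approved internal range. That is the trade-off the slide's last two bullets describe: a blacklist needs to know the attacker in advance, a whitelist needs to know the legitimate users. The detection rule flags 203.0.113.9 after its run of failed SSH logins, the kind of pattern an intrusion detection system would act on.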

  34. Role of Technology
  • Lock down partners
    • Insist that partner firms comply with security guidelines, and audit them regularly
  • Use access controls to compartmentalize data access on a need-to-know basis
  • Use recording, monitoring, and auditing to hunt for patterns of abuse
  • Maintain multiple administrators to jointly control key systems

  35. Pointers for Firms
  • Lock down systems
    • Audit for SQL injection and other application exploits
  • Have failure and recovery plans
    • Employ recovery mechanisms to regain control in the event that key administrators are incapacitated or uncooperative
  • Broad awareness of infiltration reduces the organizational stigma of coming forward
  • Share knowledge of techniques used by cybercrooks with technology partners
