1 / 26

Chapter 6

Chapter 6. Assuring Reliable and Secure IT Services. Reliability. How will your business be affected by downtime? What can be quantified in terms of losses? What can not be quantified? Attributions may play into this. Reliability = Service Availability.

gudrun
Download Presentation

Chapter 6

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 6 Assuring Reliable and Secure IT Services

  2. Reliability • How will your business be affected by downtime? • What can be quantified in terms of losses? • What can not be quantified? • Attributions may play into this

  3. Reliability = Service Availability • Decreases with number of components

  4. As the Number of Components Increases… 15 components = 25% downtime!

  5. Minutes Down per Day

  6. Days Down per Year

  7. Redundancy • Helps achieve desired level of availability

  8. Availability Decisions • Uninterruptible Electric Power Delivery • Physical Security • Climate Control and Fire Suppression • Network Connectivity • On Site Monitoring • Help Desk and Incident Response Procedures

  9. Redundancy of Mission-Critical Components • N+1 level • Service level in 99-99.9% range • N+N level • Service level in 99.999-99.9999% range • Decisions re: design of IT infrastructure • Which elements to make redundant? • Availability vs. Cost

  10. Security and Employees • Main threat? • From “inside the walls” • White-collar crime costs $400 billion per year • Average non-managerial embezzlement is $60,000 • Average managerial embezzlement is $250,000 • Two-thirds of insider fraud is not reported • 2 out of 5 businesses suffered 5+ fraud losses • One quarter of those cost more than $1 million

  11. Security and Employees • Computer-aided fraud • Vendor fraud • Writing payroll checks to fictitious employees • Claiming expense reimbursements for costs not incurred • Stealing security codes, credit card numbers, proprietary files • Stealing intellectual property • 10% completely honest, 10% will steal, 80% depends on circumstances • Theft committed by those strapped for cash, who have access to poorly protected funds, perceive low risk of getting caught

  12. Security and Employees • Triggers to unethical employee behavior • Efforts to balance work and family • Poor internal communications • Poor leadership • Work hours, work load • Lack of management support • Need to meet sales, budget, or profit goals • Little or no recognition of achievements • Company politics • Personal financial worries • Insufficient resources

  13. Security and Collaboration Partners • Increasingly internetworked infrastructures: • Need for concern about partners’, suppliers’, distributors’, customers’ computer security (and your own)

  14. Security and Outside Threats • In 2003, 90% of firms detected breaches in last 12 months • 75% acknowledged losses ($400K per company) • Hacking: unauthorized access to computers and computer information

  15. Types of Cyber Crime • Virus: software written with malicious intent to cause annoyance or damage • Benign or malicious • Worms are most prevalent type of virus • Spreads itself, from file to file, computer to computer via email and other Internet traffic • Love Bug worm and its variants: affected 300,000 Internet host computers, millions of individual PC users • File damage, lost time, high cost emergency repairs costing $8.7 billion • Klez, Nimda, Sircam

  16. Types of Cyber Crime • Denial-of-service attack (DoS): floods a web site with so many request for service that it slows down or crashes • Objective is to prevent legitimate customers from accessing target site • E*Trade, Yahoo!, Amazon.com have all been victims • Virus hoaxes • Sent to frighten people about a virus threat that is bogus • Panic, loss of time, loss of productivity • Computer professionals spend time looking for ‘non problem’

  17. What Viruses Can’t Do • Hurt your hardware (monitor, processor) • Hurt any files they weren’t designed to attack (designed for MS Outlook, won’t affect Eudora or other e-mail application) • Infect files on write-protected disks

  18. Security Precautions • Risk management • Identification of risks or threats • Implementation of security measures • Monitoring of those measures for effectiveness • Risk assessment • What can go wrong? • How likely is it to go wrong? • What are the possible consequences if it does go wrong? • Implementing right amount and type of security is a critical, but not an easy, matter • Backup procedures, anti-virus software, firewalls, access authentication, intrusion-detection software, system auditing

  19. Security Precautions • Backups • Process of making a copy of the information stored on a computer • Employee carelessness or ignorance cause 2/3 of the financial cost of lost or damaged information • Backups should be made methodically and regularly (at least once a week) • Anti-virus software • Detects and removes or quarantines computer viruses • Should be able to get rid of virus without destroying the software or information it came with • Needs to be updated frequently (new viruses every day)

  20. Security Precautions • Firewalls – keep outsiders out • Hardware and/or software that protects a computer or network from intruders • Examines each message as it seeks entrance to the network – only those with ‘right’ markings gain access • Can also detect computer communicating with the Internet without approval • Access Authentication – keep insiders out • Protects computer systems from unauthorized employees • Proving access rights: • What you know: password • What you have: ATM card • What you look like: biometrics (use of physical characteristics)

  21. Security Precautions • Encryption • Scrambles the contents of a file, which can’t be read without having the right decryption key • Public key encryption: use of 2 keys (1 public, 1 private) • Intrusion-detection software • Looks for people on the network who shouldn’t be there or who are acting suspiciously • Security-auditing software • Checks out computer or network for potential weaknesses

  22. Security Management Framework • Make deliberate security decisions • Security – a moving target (hire an attacker; check CERT) • Practice disciplined change management • Educate users • Use multilevel technical measures

  23. Why so expensive to defend/protect IS against threats? • Hundreds of potential threats exist. • Computing resources may be widely distributed. • Many individuals are involved and control assets. • Crimes are often hard to detect. • Technology changes so fast that some controls can become obsolete quickly. • Prevention and detection technology is expensive.

  24. Incident Management • Pre-crisis practices • Sound infrastructure design: recoverability and tolerance for failures • Disciplined execution of operating procedures • Accurate and up-to-date documentation • Established crisis management procedures • Rehearsing incident response

  25. Incident Management • During an incident • Technical difficulties AND psychological obstacles • Emotional responses (fear, denial, panic, confusion) • Wishful thinking and groupthink • Political maneuvering, diving for cover, ducking responsibility • Jumping to conclusions • PR inhibition

  26. Incident Management • After an incident • Infrastructure needs to be rebuilt – either partially or fully • Carefully documented procedures facilitates this process • To avert another attack: need to understand cause of incident • Can be a lengthy and arduous task, but it is necessary

More Related