Information Security Management: Threats To Information Security and What We Can Do About It


Information Security Management

Threats to Information Security and what we can do about it
Before we start our Conversation

Ordering a Pizza?
What are the threats to information security?

In order to adequately protect information resources, managers must be aware of the sources of threats to those resources, the types of security problems the threats present, and how to safeguard against both. The three most common sources of threats are:

Human error and mistakes
Malicious human activity
Natural events and disasters.
Human error and mistakes stem from employees and nonemployees.

They may misunderstand operating procedures and inadvertently cause data to be deleted.

Poorly written application programs and poorly designed procedures may allow employees to enter data incorrectly or misuse the system.

Employees may make physical mistakes like unplugging a piece of hardware that causes the system to crash.
Human Threats

Malicious human activity results from employees, former employees, and hackers who intentionally destroy data or system components. These actions include:

Breaking into systems with the intent of stealing, altering or destroying data.
Introducing viruses and worms into a system.
Acts of terrorism.
Natural Events and Disasters
The last source of threats to information security is those caused by natural events and disasters. These threats pose problems stemming not just from the initial loss of capability and service but also from problems a company may experience as it recovers from the initial problem. They include:

Fires
Floods
Hurricanes
Earthquakes
Other acts of nature

This chart shows some of the security problems a company may experience and the possible sources of the problems.
What are unauthorized data disclosure threats?

For example, a new university dept. administrator posts student names, numbers, and grades in a public place.

Or, an employee unknowingly posts restricted data on a company website that can be reached by search engines over the Web.
Malicious unauthorized data disclosure threats

Pre-texting: when someone deceives by pretending to be someone else.

Spoofing: pretending to be someone else. Email spoofing is a synonym for phishing.

Phishing: the phisher pretends to be a legitimate company and sends an email requesting confidential data such as account numbers, social security numbers, passwords, and so forth.
Sniffing: a technique for intercepting computer communications.

With wireless networks, drive-by sniffers simply take computers with wireless connections through an area and search for unprotected wireless networks.

They can monitor and intercept wireless traffic at will.
There are three components of a sound organizational security program:

1. Senior management must establish a security policy and manage risks.

2. Safeguards of various kinds must be established for all five components of an IS as the figure on the next slide demonstrates.

3. The organization must plan its incident response before any problems occur.
Security Safeguards as They Relate to the Five Components

What is senior management's security role?

The NIST Handbook of Security Elements lists the necessary elements of an effective security program as this figure shows.

*National Institute of Standards and Technology

Senior managers should ensure their organization has an effective security policy that includes these elements:

1. A general statement of the organization's security program

2. Issue-specific policies like personal use of email and the Internet

3. System-specific policies that ensure the company is complying with laws and regulations.
Senior managers must also manage risks associated with information systems security.

1. Risk is the likelihood of an adverse occurrence.

2. You can reduce risk but always at a cost. The amount of money you spend on security influences the amount of risk you must assume.

3. Uncertainty is defined as the things we do not know that we do not know.
Senior Management's Security Role

When you're assessing risks to an information system you must first determine:
What the threats are.
How likely they are to occur.
The consequences if they occur.

The figure below lists the factors you should include in a risk assessment.
Once you've assessed the risks to your information system, you must make decisions about how much security you want to pay for. Each decision carries consequences.

Some risk is easy and inexpensive to reduce.
Some risk is expensive and difficult to reduce.

Managers have a fiduciary responsibility to the organization to adequately manage risk.

Fig 12-4 Risk Assessment Factors
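As an added illustration of the three questions above (threats, likelihood, consequences) and of the cost-versus-risk decision that follows them, here is a small risk worksheet in Python. It is not from the slides; the "likelihood times consequence" arithmetic and all figures are constructed assumptions, not numbers the slides give.

```python
# Added example: a risk worksheet that scores constructed threats and compares
# candidate safeguards by what they cost against the expected loss they remove.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood_per_year: float  # how likely it is to occur, as events per year
    consequence: float          # loss if it occurs, in currency units


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    threat: str                  # which threat it addresses
    likelihood_reduction: float  # fraction of that threat's likelihood removed (0..1)


def expected_loss(t: Threat) -> float:
    """Risk as the slides frame it: likelihood of an adverse occurrence times its consequence."""
    return t.likelihood_per_year * t.consequence


def evaluate(threats, safeguards):
    """Compare each safeguard's annual cost against the expected loss it removes."""
    by_name = {t.name: t for t in threats}
    rows = []
    for s in safeguards:
        removed = expected_loss(by_name[s.threat]) * s.likelihood_reduction
        rows.append({"safeguard": s.name, "cost": s.annual_cost,
                     "risk_removed": round(removed, 2), "worth_it": removed > s.annual_cost})
    # Best net benefit first, so cheap, high-return safeguards float to the top.
    return sorted(rows, key=lambda r: r["risk_removed"] - r["cost"], reverse=True)


# Constructed sample figures; real ones come from the organization's own assessment.
THREATS = [
    Threat("operator deletes data by mistake", 2.0, 5_000),
    Threat("drive-by sniffer reads unprotected Wi-Fi", 0.5, 40_000),
    Threat("flood in server room", 0.02, 500_000),
]
SAFEGUARDS = [
    Safeguard("nightly backups plus restore drill", 3_000, "operator deletes data by mistake", 0.8),
    Safeguard("encrypt the wireless network", 1_500, "drive-by sniffer reads unprotected Wi-Fi", 0.95),
    Safeguard("relocate servers to an upper floor", 60_000, "flood in server room", 0.9),
]

if __name__ == "__main__":
    for row in evaluate(THREATS, SAFEGUARDS):
        print(row)
```

The relocation option removes real risk but costs six times what it saves, which is the "always at a cost" trade-off the slides describe.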
What technical safeguards are available?

You can establish five technical safeguards for the hardware and software components of an information system as the figure on the next slide shows.

Identification and authentication includes passwords (what you know), smart cards (what you have), and biometric authentication (what you are).

Since users must access many different systems, it's often more secure, and easier, to establish a single sign-on for multiple systems.
Security Layers We'll Discuss!

What's Encryption?

The process of changing original text to a secret message using cryptography.

Cryptography is the science of transforming information so that it is secure while it is being transmitted or stored.
Firewalls

Firewalls, the third technical safeguard, should be installed and used with every computer that's connected to any network, especially the Internet.

Firewalls can be hardware or software, used independently of each other or used together.
Perimeter & Internal Firewalls

The diagram shows how perimeter and internal firewalls are special devices that help protect a network. They act as a gateway to the network.

Packet-filtering firewalls are programs on general-purpose computers or on routers that examine each packet entering the network.
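To show what "examine each packet entering the network" means in practice, here is an added toy packet filter in Python (not code from the slides). The rule format, the perimeter policy and the sample packets are constructed for illustration; a real router applies the same first-match, default-deny logic to live traffic.

```python
# Added example: a toy packet-filtering firewall that checks each inbound
# packet against an ordered rule list. First match wins; no match means deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR; "0.0.0.0/0" matches any source
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules, p: Packet) -> str:
    """Return the action of the first matching rule; deny anything no rule mentions."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed perimeter policy: internal addresses should never arrive on the
# outside interface, web traffic is open to all, remote admin only from one range.
PERIMETER_RULES = [
    Rule("deny", "10.0.0.0/8"),                  # internal range seen from outside
    Rule("allow", "0.0.0.0/0", "tcp", 443),      # HTTPS from anywhere
    Rule("allow", "203.0.113.0/24", "tcp", 22),  # SSH only from the admin range
]

SAMPLE_PACKETS = [  # constructed, with the expected decision in the comment
    Packet("198.51.100.7", "10.1.2.3", "tcp", 443),  # customer browsing: allow
    Packet("10.9.9.9", "10.1.2.3", "tcp", 443),      # internal source from outside: deny
    Packet("198.51.100.7", "10.1.2.3", "tcp", 22),   # SSH from the public: default deny
    Packet("203.0.113.5", "10.1.2.3", "tcp", 22),    # SSH from admin range: allow
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.src, p.proto, p.dport, "->", filter_packet(PERIMETER_RULES, p))
```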
Malware Protection

Malware Protection is the fourth technical safeguard. We'll concentrate on spyware and adware here.

Spyware are programs that may be installed on your computer without your knowledge or permission.

Adware is a benign program that's also installed without your permission. It resides in your computer's background and observes your behavior.

If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer.
Safeguard your computer against malware:

Install antivirus and antispyware programs.
Scan your computer frequently for malware.
Update malware definitions often or use an automatic update process.
Open email attachments only from known sources and even then be wary.
Promptly install software updates from legitimate sources like Microsoft for your operating system or McAfee for your spyware programs.
Browse only in reputable Internet neighborhoods. Malware is often associated with rogue Web sites.
What data safeguards are available?
To protect databases and other data sources, an organization should
follow the safeguards listed in this figure.

Remember, data and the information from it are one of the most
important resources an organization has.
What human safeguards are available?

Human safeguards for employees are some of the most important safeguards an organization can deploy. They should be coupled with effective procedures to help protect information systems.
An organization needs human safeguards for nonemployees whether they are temporary employees, vendors, business partners, or the public. Here are a few suggestions:

Ensure any contracts between the organization and other workers include security policies. Third-party employees should be screened and trained the same as direct employees.

Web sites used by third-party employees and the public should be hardened against misuse or abuse.

Protect outside users from internal security problems. If your system gets infected with a virus, you should not pass it on to others.
Account Administration

Account administration is the third type of human safeguard and has three components: account management, password management, and help-desk policies.

Account management focuses on:
Establishing new accounts
Modifying existing accounts
Terminating unnecessary accounts.
More Human Safeguards

Password management requires that users:
Immediately change newly created passwords
Change passwords periodically
Sign an account acknowledgment form like the one in this figure.

Fig 12-13 Sample Account Acknowledgement Form


Help-desks have been a source of problems for account administration because of the inherent nature of their work.

It is difficult for the help-desk to determine exactly with whom they're speaking. Users call up for a new password without the help-desk having a method of definitively identifying who is on the other end of the line.

There must be policies in place to provide ways of authenticating users like asking questions only the user would know the answers to.

Users have a responsibility to help the help-desk by responsibly controlling their passwords.
Effective system procedures can help increase security and reduce the likelihood of computer crime. As this figure shows, procedures should exist for both system users and operations personnel that cover normal, backup, and recovery procedures.

Fig 12-14 Systems Procedures

Security monitoring is the last human safeguard. It includes:
Activity log analyses
Security testing
Investigating and learning from security incidents.
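Activity log analysis, the first monitoring item above, ties back to account administration: it is how you notice that a terminated account is still being used or that someone is hammering a password. The Python below is an added example, not from the slides; the log format, the user names and the terminated-account list are constructed assumptions.

```python
# Added example: two activity-log checks that support account administration,
# run over constructed sample log lines. Format and names are assumptions.
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <user> <LOGIN_OK|LOGIN_FAIL> <source ip>"
SAMPLE_LOG = """\
2024-03-04T08:00:01 alice LOGIN_OK 10.1.0.5
2024-03-04T08:00:15 bob LOGIN_FAIL 10.1.0.9
2024-03-04T08:00:20 bob LOGIN_FAIL 10.1.0.9
2024-03-04T08:00:25 bob LOGIN_FAIL 10.1.0.9
2024-03-04T08:00:31 bob LOGIN_FAIL 10.1.0.9
2024-03-04T08:00:40 bob LOGIN_FAIL 10.1.0.9
2024-03-04T09:12:00 carol LOGIN_OK 10.1.0.22
2024-03-04T17:45:10 dave LOGIN_OK 198.51.100.8
"""

# Accounts HR reported as terminated that account management has not yet removed (constructed).
TERMINATED_ACCOUNTS = {"dave"}


def parse(log_text):
    """Yield (timestamp, user, event, source) for each log line."""
    for line in log_text.splitlines():
        ts, user, event, src = line.split()
        yield datetime.fromisoformat(ts), user, event, src


def find_terminated_logins(log_text, terminated=TERMINATED_ACCOUNTS):
    """Successful logins on accounts that should no longer exist."""
    return [(ts.isoformat(), user, src) for ts, user, event, src in parse(log_text)
            if event == "LOGIN_OK" and user in terminated]


def find_failed_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed logins inside one sliding window."""
    failures = {}
    for ts, user, event, _ in parse(log_text):
        if event == "LOGIN_FAIL":
            failures.setdefault(user, []).append(ts)
    flagged = []
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(user)
                break
    return flagged
```

Each finding feeds the third monitoring item: the terminated-account login becomes an incident to investigate, and the failed-login burst is a prompt to check whether the help-desk reset that password for the right person.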
How should organizations respond to security incidents?

No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems. This figure describes disaster preparedness tasks for every organization, large and small. The last item, which suggests an organization train and rehearse its disaster preparedness plans, is very important.
What is the extent of computer crime?

The full extent of computer crime is unknown. There is no national census because many organizations are reluctant to report losses for fear of alienating customers, suppliers, and business partners.
