Information Systems


Information Systems:
A Manager’s Guide to Harnessing Technology
By John Gallaugher
© 2012, published by Flat World Knowledge
13-1
This work is licensed under the
Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.
To view a copy of this license,
visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to
Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA
Chapter 13
Information Security: Barbarians at the Gateway
(and Just About Everywhere Else)
Learning Objectives
• Recognize that information security breaches are on the rise
• Understand the potentially damaging impact of security breaches
• Recognize that information security must be made a top organizational priority
Learning Objectives
• Understand the source and motivation of those initiating information security attacks
• Relate examples of various infiltrations in a way that helps raise organizational awareness of threats
• Recognize the potential entry points for security compromise
Learning Objectives
• Understand infiltration techniques such as social engineering, phishing, malware, Web site compromises (such as SQL injection), and more
• Identify various methods and techniques to thwart infiltration
• Identify critical steps to improve your individual and organizational information security
Learning Objectives
• Be a tips, tricks, and techniques advocate, helping make your friends, family, colleagues, and organization more secure
• Recognize the major information security issues that organizations face, as well as the resources, methods, and approaches that can help make firms more secure
Introduction
• Business establishments are increasingly at risk from information security threats
  – The network of a TJX retail store was infiltrated via an insecure Wi-Fi base station
  – 45.7 million credit and debit card numbers were stolen
  – Driver's license numbers and other private information were pilfered from 450,000 customers
  – TJX suffered settlement costs and court-imposed punitive action to the tune of $150 million
Introduction
• Factors that amplified the severity of the TJX security breach:
  – Personnel betrayal: an alleged FBI informant used insider information to mastermind the attacks
  – Technology lapse: TJX used WEP, an insecure wireless security technology whose keys can be recovered from captured traffic in minutes
  – Procedural gaffe: TJX had received an extension on the rollout of mechanisms that might have discovered and plugged the hole before the hackers got in
Introduction
• Information security must be a top organizational priority
• Information security isn't just a technology problem; a host of personnel and procedural factors can create and amplify a firm's vulnerability
• Constant vigilance regarding security needs to be part of individual skill sets and a key component of organizations' culture
Motivations for Criminals
• Any Internet-connected network is susceptible to security attacks
• Motivations for information security-related crimes vary widely
• Account theft and illegal funds transfer
  – Some hackers steal data for personal use
  – Others sell stolen data to fraudsters who use it to buy (then resell) goods or create false accounts via identity theft
• Stealing personal or financial data
Motivations for Criminals
• Compromising computing assets for use in other crimes such as:
  – Sending spam from thousands of difficult-to-shut-down accounts
  – Launching tough-to-track click-fraud efforts
  – Distributed denial of service (DDoS) attacks
• Extortionists might leverage botnets or hacked data to demand payment to avoid retribution
Motivations for Criminals
• Corporate espionage might be performed by insiders, rivals, or even foreign governments
• Cyberwarfare
  – Devastating technology disruptions, such as cutting off power to millions
• Terrorism
  – Compromising a key component in an oil refinery, forcing it to overheat and cause an explosion
  – Taking out key components of vulnerable national power grids
Motivations for Criminals
• Pranks involving setting off rumors that could have widespread repercussions
• Protest hacking (hacktivism)
• Revenge by disgruntled employees
Response to Crime
• Law enforcement agencies dealing with computer crime are increasingly outnumbered, outskilled, and underfunded
  – Technically weak personnel trained in a prior era's crime-fighting techniques
  – Governments rarely match the pay scale and stock bonuses offered by private industry
Understanding Vulnerabilities
• A large majority of security threats are posed by insiders
• Rogue employees can steal secrets, install malware, or hold a firm hostage
• Other insider threats to information security can come from:
  – Contract employees
  – Temporary staffers
  – Outsourced key infrastructure components
  – Partner firms such as clients and technology providers
Social Engineering
• Con games trick employees into revealing information or performing other tasks that compromise a firm
• Examples of social engineering methods include:
  – Baiting someone to add, deny, or clarify information that can help an attacker
  – Using harassment, guilt, or intimidation
• Social media sites are a major source of information for social engineering scammers
Phishing
• Phishing refers to cons executed through technology
• The goal is to leverage the reputation of a trusted firm or friend to trick a victim into performing an action or revealing information
  – Requests to reset passwords
  – Requests to update information
  – Requests to download malware
• Spear phishing attacks specifically target a given organization or group of users
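A phishing message leans on a trusted name in the visible link text while the real destination is elsewhere. The following added example (not code from the textbook) shows one mechanical check a mail gateway or a careful user can apply: parse the message, and flag every link whose visible text names a host that the actual `href` does not belong to, or whose destination is a bare IP address. The e-mail body, the hosts, and the addresses are all constructed for the demo (RFC 5737 documentation ranges and the reserved `.test` domain); only the Python standard library is used.

```python
"""Flag phishing-style links whose visible text and real destination disagree.

Added example for this chapter, not code from the textbook. SAMPLE_EMAIL is a
constructed message; its hosts use RFC 5737 documentation addresses and the
reserved .test TLD. Standard library only.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing e-mail body: two deceptive links and one honest one.
SAMPLE_EMAIL = """
<p>Your account has been suspended. Restore it here:
<a href="http://198.51.100.7/reset">https://www.examplebank.com/reset</a></p>
<p>Or sign in at <a href="https://www.examplebank.com.evil-host.test/login">examplebank.com</a></p>
<p>Questions? <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain: str) -> str:
    """Lower-cased host from a URL or a bare domain ('' if none)."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return urlparse(url_or_domain).hostname or ""


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _looks_like_address(text: str) -> bool:
    """True when the link text itself reads as a URL or domain name."""
    host = host_of(text)
    return " " not in text.strip() and "." in host and not host.endswith(".")


def _same_site(href_host: str, text_host: str) -> bool:
    # The real host must be the claimed host or a subdomain of it.
    return href_host == text_host or href_host.endswith("." + text_host)


def suspicious_links(html: str):
    """Return (visible text, real href, reason) for each deceptive link."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if _is_ip(href_host):
            findings.append((text, href, "destination is a bare IP address"))
        elif _looks_like_address(text) and not _same_site(href_host, host_of(text)):
            findings.append((text, href,
                             f"text claims {host_of(text)} but link goes to {href_host}"))
    return findings


if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}: {reason}")
```

The check catches the two classic display-versus-destination tricks but is deliberately narrow: a look-alike domain such as `examplebank-secure.test`, or link text that is just "Click here", passes it. Those need reputation data or a human reading the real URL, which is why the advice above is to question every link rather than rely on a filter.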
Passwords
• Most users follow weak and insecure password practices:
  – Using the same password for different accounts
  – Making only minor tweaks to passwords
  – Writing passwords down
  – Saving passwords in personal e-mail accounts or on unencrypted hard drives
• Challenge questions, offered by many sites to automate password distribution and resets, offer flimsy protection: the answers are often guessable or discoverable from social media
Passwords
• Any firm that does not change the default accounts and passwords shipped with purchased software risks leaving an open door
• Users who set systems for open access leave their firms vulnerable to attack
Technology Threats - Malware
• Malware threatens any connected system that runs software, including embedded devices and a firm's networking equipment
• Methods of infection, distinguished by how the malicious code spreads, include:
  – Viruses, which attach themselves to programs or files and spread when those are run or opened
  – Worms, which propagate on their own across a network by exploiting vulnerable systems
  – Trojans, which masquerade as legitimate software to get a user to install them
Technology Threats - Goals of Malware
• Botnets or zombie networks
• Malicious adware
• Spyware
• Keylogger
• Screen capture
• Blended threats
Technology Threats - Compromising Web Sites
• SQL injection exploits sloppy programming that pastes unvalidated user input straight into the text of a database query, so the input can change what the query does rather than merely supply a value
• Problematic because no single piece of security software a firm can deploy reliably protects against it; the defect is in the application's own code, and so is the fix (parameterized queries, with input validation as a second layer)
• Firms have to check their own Web sites for these vulnerabilities
• Related programming exploits:
  – Cross-site scripting attacks
  – HTTP header injection
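The point that the hole is in the application's own code is easiest to see with the code itself. The following added example (not code from the textbook) builds a login check the sloppy way, by pasting user input into the SQL text, and beside it the parameterized form, then runs three classic payloads against both: a comment that cuts off the password check, a tautology that makes the WHERE clause always true, and a UNION that pulls another user's password out of the table. The users table, the accounts, and the payloads are constructed for the demo; only Python's standard-library `sqlite3` module is used.

```python
"""SQL injection: a vulnerable login beside its parameterized fix.

Added example for this chapter, not code from the textbook. The table and
accounts are constructed sample data; only the standard-library sqlite3
module is used.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "staff")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The sloppy pattern: input pasted straight into the SQL text.

    Attacker-controlled text becomes part of the query's structure, so quotes,
    comment markers and UNIONs in the input rewrite what the query does.
    Returns the matched role, or None.
    """
    query = ("SELECT role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username: str, password: str):
    """The fix: placeholders keep the structure fixed; input is only ever data."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Three classic payloads (constructed for the demo).
BYPASS_USER = "alice'--"                 # comment out the password check
TAUTOLOGY_PW = "x' OR '1'='1"            # make the WHERE clause always true
EXFIL_USER = "' UNION SELECT password FROM users WHERE username = 'bob'--"


def demo() -> dict:
    """Run each payload through both versions; keys name the case."""
    conn = build_db()
    return {
        "vuln_comment_bypass": login_vulnerable(conn, BYPASS_USER, "wrong"),
        "vuln_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY_PW),
        "vuln_exfil": login_vulnerable(conn, EXFIL_USER, "wrong"),
        "safe_comment_bypass": login_parameterized(conn, BYPASS_USER, "wrong"),
        "safe_tautology": login_parameterized(conn, "nobody", TAUTOLOGY_PW),
        "safe_exfil": login_parameterized(conn, EXFIL_USER, "wrong"),
        "safe_legit": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

The vulnerable version logs the attacker in as the admin twice and hands over bob's password once; the parameterized version returns nothing for all three payloads and still works for the real credentials. Note that no firewall or antivirus product sees anything unusual here: each request is a well-formed HTTP login, which is why the audit has to look at the code.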
The Encryption Prescription
• Encryption scrambles data using a code or formula, known as a cipher, so that it is hidden from anyone who does not hold the unlocking key
• Even the largest known brute-force attacks have not come close to breaking the encryption that scrambles the transmissions most browsers use to communicate with banks and shopping sites
  – The caveat is that this holds only for sound ciphers with adequate key lengths; real-world breaks of encrypted traffic usually come from weak or obsolete schemes (WEP in the TJX case), flawed implementations, or stolen keys, not from brute force
Other Technology Threats
• Push-button hacking
  – Hackers have created tools that make it easy for the criminally inclined to automate attacks
  – Hacking toolkits can probe systems for the latest vulnerabilities and then launch the appropriate attacks
• Network threats
  – The network itself may be the source of compromise (example: the TJX hack)
  – DNS cache poisoning plants false records in a resolver's cache so that a legitimate domain name resolves to an attacker-controlled address, redirecting users who typed the right name
Physical Threats
• Dumpster diving: sifting through trash to uncover valuable data or insights that facilitate attacks
• Shoulder surfing: looking over someone's shoulder to glean a password or other proprietary information from a computer screen
• Eavesdropping: listening in on or recording conversations, transmissions, or keystrokes
Taking Action as a User
• Question links, attachments, download requests, and the integrity of Web sites visited
• Be on guard for phishing attacks, social engineering con artists, and other attempts to let in malware
• Turn on the software update features of your operating system and every application you use
• Install a full suite of security software and update it regularly
• Encrypt all valuable and sensitive data
Taking Action as a User
• Do not turn on risky settings like unrestricted folder sharing
• Home networks should be secured with password protection and a firewall
• Use VPN software when accessing public hotspots
• Maintain a strict password regimen: change default passwords and update passwords regularly (current guidance such as NIST SP 800-63B favors long, unique passwords that are changed when compromise is suspected rather than on a fixed schedule)
• Regularly back up systems and destroy data on removable devices after use
Taking Action as an Organization
• Security frameworks aim to take all measures to ensure the security of the firm for its customers, employees, shareholders, and others
  – ISO/IEC 27000 series
• Firms may also face compliance requirements (legal or professionally binding steps)
• Compliance does not equal security
Taking Action as an Organization
• Education, audit, and enforcement
  – Employees need to know a firm's policies, be regularly trained, and understand that they will face strict penalties if they fail to meet their obligations
  – Include operations employees, the R&D function, and representatives from general counsel, audit, public relations, and human resources in security teams
  – Audits include real-time monitoring of usage, announced audits, and surprise spot checks
Taking Action as an Organization
• Information security should start with an inventory-style audit and risk assessment
• Firms should invest wisely in inexpensive measures that thwart common infiltration techniques
• Security is an economic problem, involving attack likelihood, costs, and prevention benefits
• Tightening security and lobbying for legislation that imposes severe penalties on crooks raises adversary costs and lowers the likelihood of breaches
Role of Technology
• Patches
  – Pay attention to security bulletins and install software updates that plug existing holes
  – Legitimate concerns exist that a patch can unfavorably affect a firm's systems, so test patches before rolling them out widely
• Lock down hardware
  – Reimage hard drives of end-user PCs
  – Disable boot capability of removable media
  – Prevent Wi-Fi use
  – Require VPN encryption for network transmissions
Role of Technology
• Lock down networks
  – Firewalls control network traffic, blocking unauthorized traffic and permitting acceptable use
  – Intrusion detection systems monitor network use for hacking attempts and raise alerts; intrusion prevention systems go a step further and block the offending traffic
  – Honeypots are seemingly tempting, bogus targets meant to lure hackers
  – Blacklists (denylists) deny the entry or exit of specific IP addresses and other entities; anything not listed is allowed
  – Whitelists (allowlists) permit communication only with approved entities or in an approved manner; anything not listed is denied
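The difference between the two list styles is in what happens to traffic nobody thought about. The following added example (not code from the textbook) runs a constructed inbound-connection log through a denylist policy and an allowlist policy side by side. The log lines, the address ranges (RFC 5737 documentation ranges), and the policy itself are all made up for the demo; only the Python standard library is used.

```python
"""Denylist versus allowlist filtering over constructed connection log lines.

Added example for this chapter, not code from the textbook. The log lines,
address ranges and policy are constructed for illustration (RFC 5737
documentation ranges); standard library only.
"""
import ipaddress
from typing import NamedTuple

# Constructed inbound-connection log, one "src dport proto" record per line.
SAMPLE_LOG = """\
src=203.0.113.5 dport=443 proto=tcp
src=198.51.100.9 dport=22 proto=tcp
src=203.0.113.77 dport=3389 proto=tcp
src=192.0.2.10 dport=443 proto=tcp
src=198.51.100.200 dport=23 proto=tcp
"""

# Denylist: block only what is already known to be bad.
DENIED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# Allowlist: permit only approved sources talking to approved services.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_PORTS = {443}


class Conn(NamedTuple):
    src: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_log(text: str):
    """Parse 'key=value' records into Conn tuples, skipping blank lines."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        conns.append(Conn(ipaddress.ip_address(fields["src"]),
                          int(fields["dport"]), fields["proto"]))
    return conns


def denylist_decision(conn: Conn) -> str:
    """Default allow: only listed sources are blocked."""
    if any(conn.src in net for net in DENIED_SOURCES):
        return "deny"
    return "allow"


def allowlist_decision(conn: Conn) -> str:
    """Default deny: traffic must match an approved source AND an approved port."""
    src_ok = any(conn.src in net for net in ALLOWED_SOURCES)
    if src_ok and conn.dport in ALLOWED_PORTS:
        return "allow"
    return "deny"


def compare_policies(text: str):
    """Return [(src, dport, denylist verdict, allowlist verdict)] per record."""
    return [(str(c.src), c.dport, denylist_decision(c), allowlist_decision(c))
            for c in parse_log(text)]


if __name__ == "__main__":
    print(f"{'source':18s}{'port':>6s}  denylist  allowlist")
    for src, port, deny_v, allow_v in compare_policies(SAMPLE_LOG):
        print(f"{src:18s}{port:>6d}  {deny_v:8s}  {allow_v}")
```

The third record, a Remote Desktop connection from a host that is not on any bad list, is the denylist's blind spot: it sails through, while the allowlist drops it because nobody approved port 3389. The allowlist's cost is operational rather than security-related: every new legitimate source or service needs an explicit entry before it works, which is the trade-off firms weigh when deciding where to use each.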
Role of Technology
• Lock down partners
  – Insist on partner firms being compliant with security guidelines and audit them regularly
  – Use access controls to compartmentalize data access on a need-to-know basis
  – Use recording, monitoring, and auditing to hunt for patterns of abuse
  – Maintain multiple administrators to jointly control key systems
Pointers for Firms
• Lock down systems
  – Audit for SQL injection and other application exploits
• Have failure and recovery plans
  – Employ recovery mechanisms to regain control in the event that key administrators are incapacitated or uncooperative
  – Broad awareness of infiltration reduces the organizational stigma of coming forward
  – Share knowledge of the techniques used by cybercrooks with technology partners