Two questions.

Unit VI Journal

Read Chapter 10

Instructions

In this unit, you learned about safeguards against security threats. Do you use any of these in your personal life or at work? If so, explain how these safeguards help to ensure information security in your home or at work. If not, do you feel like the systems are adequately protected? Should any safeguards be put into place?

Your journal entry must be at least 200 words in length. No references or citations are necessary.

Unit VI PowerPoint Presentation

Instructions

Recently, a terminated employee used his mobile device to log into the company network and steal sensitive data. As the manager of the information technology (IT) security department, you were asked by your boss to present a summary of what the organization should do to prevent this from happening again. Create a PowerPoint presentation of your summary. In your PowerPoint presentation, you should do the following:

Explain the goal of information security in relation to mobile devices.

Identify the three sources of threats, provide a summary of each, and at least one example of each.

Explain technical safeguards and discuss which technical safeguard(s) should be used for mobile devices.

Explain data safeguards and discuss which data safeguard(s) should be used in this type of scenario.

Explain human safeguards and discuss which human safeguard(s) should be implemented.

Discuss why the organization needs an incident response plan in order to secure information and knowledge.

Your presentation must be a minimum of six slides, not including the title and references slide. Be sure that any graphics used are appropriate and support the content of your presentation. You must use at least two references in your presentation, and they should be cited and referenced in APA format. Please cite all sources used.

Lesson 10

Information Systems Security



Lesson Preview

 

This lesson provides an overview of the major components of information systems security. We begin in Q10-1 by defining the goals of IS security and then, in Q10-2, discuss the size of the computer security problem. Next, in Q10-3, we address how you, both as a student today and as a business professional in the future, should respond to security threats. Then, in Q10-4, we ask what organizations need to do to respond to security threats. After that, Q10-5 through Q10-7 address security safeguards. Q10-5 discusses technical safeguards that involve hardware and software components, Q10-6 addresses data safeguards, and Q10-7 discusses human safeguards that involve procedure and people components. Q10-8 then summarizes what organizations need to do when they experience a security incident, and we wrap up the lesson with a preview of IS security in 2031.

Unfortunately, threats to data and information systems are increasing and becoming more complex. In fact, the U.S. Bureau of Labor Statistics estimates that demand for security specialists will increase by more than 32 percent between 2018 and 2028 with a median salary of $99,730. This is strong growth considering computer occupations are projected to grow at 13 percent and all occupations at 5 percent.1 If you find this topic attractive, majoring in information systems with a security specialty would open the door to many interesting jobs.


Q10-1 What Is the Goal of Information Systems Security?

 

Information systems security is really about trade-offs. In one sense, it’s a trade-off between security and freedom. For example, organizations can increase the security of their information systems by taking away users’ freedom to choose their own passwords and force them to choose stronger passwords that are difficult for hackers to crack.

Another way to look at information systems security, and the primary focus of this lesson, is that it’s a trade-off between cost and risk. To understand the nature of this trade-off, we begin with a description of the security threat/loss scenario and then discuss the sources of security threats. Following that, we’ll state the goal of information systems security.

The IS Security Threat/Loss Scenario

 

Figure 10-1 illustrates the major elements of the security problem that individuals and organizations confront today. A threat is a person or organization that seeks to obtain or alter data or other IS assets illegally, without the owner’s permission and often without the owner’s knowledge. A vulnerability is an opportunity for threats to gain access to individual or organizational assets. For example, when you buy something online, you provide your credit card data; when that data is transmitted over the Internet, it is vulnerable to threats. A safeguard is some measure that individuals or organizations take to block the threat from obtaining the asset. Notice in Figure 10-1 that safeguards are not always effective; some threats achieve their goal despite safeguards. Finally, the target is the asset that is desired by the threat.

Figure 10-1: Threat/Loss Scenario

Figure 10-2 shows examples of threats/targets, vulnerabilities, safeguards, and results. In the first two rows, a hacker (the threat) wants your bank login credentials (the target) to access your bank account. If you click on links in emails, you can be directed to phishing sites that look identical to your bank’s website. If, as shown in the first row of Figure 10-2, you reach your bank only by typing its address yourself or by using a bookmark, and you confirm that the connection uses https (discussed in Q10-5) and that the domain in the address bar is exactly your bank’s, you will be using an effective safeguard, and you will successfully counter the threat. Note that https by itself is not proof: many phishing sites now use https too, so the padlock tells you that the connection to whatever site you are on is encrypted, not that the site is your bank. The domain name is the part to check.

Figure 10-2: Examples of Threat/Loss

| Threat/Target | Vulnerability | Safeguard | Result | Explanation |
|---|---|---|---|---|
| Hacker wants to steal your bank login credentials | Hacker creates a phishing site nearly identical to your online banking site | Only access sites using https | No loss | Effective safeguard |
| Hacker wants to steal your bank login credentials | Hacker creates a phishing site nearly identical to your online banking site | None | Loss of login credentials | Ineffective safeguard |
| Employee posts sensitive data to public Facebook group | Public access to not-secure group | Passwords; procedures; employee training | Loss of sensitive data | Ineffective safeguard |

If, however, as described in the second row of Figure 10-2, you access what appears to be your bank’s site without using https (i.e., an unsecured site), you have no safeguard at all. Your login credentials can be quickly recorded and resold to other criminals.

The bottom row of Figure 10-2 shows another situation. Here an employee at work obtains sensitive data and posts it on what he thinks is a work-only Facebook group. However, the employee errs and instead posts it to a public group. The target is the sensitive data, and the vulnerability is public access to the group. In this case, there are several safeguards that should have prevented this loss; the employee needed passwords to obtain the sensitive data and to join the private, work-only group. The employer has procedures that state employees are not to post confidential data to any public site, such as Facebook, but these procedures were either unknown or ignored. A third safeguard is the training that all employees are given. Because the employee ignores the procedures, though, all of those safeguards are ineffective and the data is exposed to the public.
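The safeguard in the first row of Figure 10-2 can be written down as a check. The following Python function is an added example for this page, not code from the lesson. The trusted hostnames are an assumption (a real bank publishes its own), and the point it makes is that the match must be exact: a host such as www.examplebank.com.login-verify.net contains the trusted name but belongs to whoever registered login-verify.net.

```python
from urllib.parse import urlsplit

# Hostnames verified out of band (constructed for this example; a real list
# would come from the bank's published documentation, never from an email).
TRUSTED_HOSTS = {"www.examplebank.com", "online.examplebank.com"}


def is_safe_bank_url(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Return True only if url uses https AND its host is exactly a trusted host.

    A substring test is the classic mistake: 'examplebank.com' is a substring
    of the phishing host www.examplebank.com.login-verify.net.
    """
    parts = urlsplit(url)
    # http:// means credentials travel in clear text and no certificate was checked.
    if parts.scheme.lower() != "https":
        return False
    # Refuse user-info tricks such as https://www.examplebank.com@evil.example/ ;
    # urlsplit puts the bank name in .username and the real host in .hostname.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lowercased
    if not host:
        return False
    # Internationalised (punycode) labels can spell look-alike names; a trusted
    # list with no xn-- labels should never match one.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    return host in trusted_hosts


def substring_check(url: str) -> bool:
    """The tempting but wrong test, kept only to contrast with the exact match above."""
    parts = urlsplit(url)
    return parts.scheme == "https" and "examplebank.com" in (parts.hostname or "")
```

Run it against the phishing host and the two functions disagree: the exact match rejects it, the substring test accepts it.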



What Are the Sources of Threats?

 

Figure 10-3 summarizes the sources of security threats. The type of threat is shown in the columns, and the type of loss is shown in the rows.

Figure 10-3: Security Problems and Sources

| Loss \ Threat | Human Error | Computer Crime | Natural Disasters |
|---|---|---|---|
| Unauthorized Data Disclosure | Procedural mistakes | Pretexting; phishing; spoofing; sniffing; hacking | Disclosure during recovery |
| Incorrect Data Modification | Procedural mistakes; incorrect procedures; ineffective accounting controls; system errors | Hacking | Incorrect data recovery |
| Faulty Service | Procedural mistakes; development and installation errors | Usurpation | Service improperly restored |
| Denial of Service (DoS) | Accidents | DoS attacks | Service interruption |
| Loss of Infrastructure | Accidents | Theft; terrorist activity | Property loss |

Human Error
Human errors and mistakes include accidental problems caused by both employees and nonemployees. An example is an employee who misunderstands operating procedures and accidentally deletes customer records. Another example is an employee who, in the course of backing up a database, inadvertently installs an old database on top of the current one. This category also includes poorly written application programs and poorly designed procedures. Finally, human errors and mistakes include physical accidents, such as driving a forklift through the wall of a computer room.

Computer Crime
The second threat type is computer crime. This threat type includes employees and former employees who intentionally destroy data or other system components. It also includes hackers who break into a system and virus and worm writers who infect computer systems. Computer crime also includes terrorists and those who break into a system to steal for financial gain.

Natural Events and Disasters
Natural events and disasters are the third type of security threat. This category includes fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature. Problems in this category include not only the initial loss of capability and service, but also losses stemming from actions to recover from the initial problem.

What Types of Security Loss Exist?

 

Five types of security loss exist: unauthorized data disclosure, incorrect data modification, faulty service, denial of service, and loss of infrastructure. Consider each.

Unauthorized Data Disclosure
Unauthorized data disclosure occurs when a threat obtains data that is supposed to be protected. It can occur by human error when someone inadvertently releases data in violation of policy. An example at a university is a department administrator who posts student names, identification numbers, and grades in a public place, when the releasing of names and grades violates state and federal law. Another example is employees who unknowingly or carelessly release proprietary data to competitors or to the media. WikiLeaks is a famous example of unauthorized disclosure; the situation described in the third row of Figure 10-2 is another example.

The popularity and efficacy of search engines have created another source of inadvertent disclosure. Employees who place restricted data on websites that can be reached by search engines might mistakenly publish proprietary or restricted data over the Web.

Of course, proprietary and personal data can also be released and obtained maliciously. Pretexting occurs when someone deceives by pretending to be someone else. A common scam involves a telephone caller who pretends to be from a credit card company and claims to be checking the validity of credit card numbers: “I’m checking your Mastercard number; it begins with 5491. Can you verify the rest of the number?” Thousands of Mastercard numbers start with 5491; the caller is attempting to steal a valid number.

Phishing is a similar technique for obtaining unauthorized data that uses pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, Social Security numbers, account passwords, and so forth.

Spoofing is another term for someone pretending to be someone else. If you pretend to be your professor, you are spoofing your professor. IP spoofing occurs when an intruder uses another site’s IP address to masquerade as that other site. Email spoofing is forging the sender address on a message so that it appears to come from someone the recipient trusts. Phishing emails usually rely on it, but the two terms are not synonyms: spoofing is the forgery itself, and phishing is the scam built on top of it.

Sniffing is a technique for intercepting computer communications. With wired networks, sniffing requires a physical connection to the network or control of a device on the path. With wireless networks, no such connection is required: Wardrivers simply take computers with wireless connections through an area and search for unprotected wireless networks. They use packet sniffers, which are programs that capture network traffic to monitor and intercept traffic on unsecured wireless (or wired) networks. Even protected wireless networks are vulnerable, as you will learn. Spyware and adware, discussed later in this lesson, achieve the same end by capturing data on the victim’s own computer rather than on the wire.

Other forms of computer crime include hacking, which is breaking into computers, servers, or networks to steal data such as customer lists, product inventory data, employee data, and other proprietary and confidential data.

Finally, people might inadvertently disclose data during recovery from a natural disaster. During a recovery, everyone is so focused on restoring system capability that they might ignore normal security safeguards. A request such as “I need a copy of the customer database backup” will receive far less scrutiny during disaster recovery than at other times.

Incorrect Data Modification
The second type of security loss in Figure 10-3 is incorrect data modification. Examples include incorrectly increasing a customer’s discount or incorrectly modifying an employee’s salary, earned days of vacation, or annual bonus. Other examples include placing incorrect information, such as incorrect price changes, on a company’s website or company portal.

Incorrect data modification can occur through human error when employees follow procedures incorrectly or when procedures have been designed incorrectly. For proper internal control on systems that process financial data or control inventories of assets, such as products and equipment, companies should ensure separation of duties and authorities and have multiple checks and balances in place.

A final type of incorrect data modification caused by human error includes system errors. An example is the lost-update problem discussed in Lesson 5.
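The lost-update problem is easy to reproduce, and the usual fix (a version column tested in the UPDATE’s WHERE clause, often called optimistic concurrency control) is short. The following Python/SQLite program is an added example written for this page, not from the lesson; the account table and the two clerks’ operations are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory account table (constructed sample data) with a version counter."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE account (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL, version INTEGER NOT NULL)"
    )
    con.execute("INSERT INTO account VALUES (1, 100, 0)")
    con.commit()
    return con


def read_account(con):
    """Return (balance, version) for the single account."""
    return con.execute("SELECT balance, version FROM account WHERE id = 1").fetchone()


def lost_update(con) -> int:
    """Two clerks read, compute in application code, and write back unconditionally.

    Clerk A deposits 50, clerk B withdraws 30; the correct final balance is 120.
    Because B read before A wrote, B's write overwrites A's and the deposit vanishes.
    """
    bal_a, _ = read_account(con)          # A reads 100
    bal_b, _ = read_account(con)          # B reads 100 as well
    con.execute("UPDATE account SET balance = ? WHERE id = 1", (bal_a + 50,))  # A writes 150
    con.execute("UPDATE account SET balance = ? WHERE id = 1", (bal_b - 30,))  # B writes 70
    con.commit()
    return read_account(con)[0]           # 70: A's update is lost


def write_checked(con, expected_version: int, new_balance: int) -> bool:
    """Write only if nobody has changed the row since it was read.

    The version test is in the WHERE clause, so compare-and-write is one atomic
    statement inside the database; rowcount tells us whether it applied.
    """
    cur = con.execute(
        "UPDATE account SET balance = ?, version = version + 1 WHERE id = 1 AND version = ?",
        (new_balance, expected_version),
    )
    con.commit()
    return cur.rowcount == 1


def apply_delta(con, delta: int, max_attempts: int = 3) -> bool:
    """Read, compute, attempt a checked write; on conflict re-read and retry."""
    for _ in range(max_attempts):
        bal, ver = read_account(con)
        if write_checked(con, ver, bal + delta):
            return True
    return False


def safe_update(con) -> int:
    """Same interleaving as lost_update(), but with version checks."""
    bal_a, ver_a = read_account(con)      # A reads (100, 0)
    apply_delta(con, -30)                 # B reads (100, 0) and commits (70, 1)
    if not write_checked(con, ver_a, bal_a + 50):   # A's stale write (version 0) is rejected
        apply_delta(con, 50)              # A re-reads (70, 1) and commits (120, 2)
    return read_account(con)[0]           # 120
```

The same protection is available from proper transaction isolation in most DBMSs; the version column is the portable form and makes the conflict visible to the application so it can retry rather than silently lose data.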

Computer criminals can make unauthorized data modifications by hacking into a computer system. For example, hackers could hack into a system and transfer people’s account balances or place orders to ship goods to unauthorized locations and customers.

Finally, faulty recovery actions after a disaster can result in incorrect data changes. The faulty actions can be unintentional or malicious.

Faulty Service
The third type of security loss, faulty service, includes problems that result because of incorrect system operation. Faulty service could include incorrect data modification, as just described. It also could include systems that work incorrectly by sending the wrong goods to a customer or the ordered goods to the wrong customer, inaccurately billing customers, or sending the wrong information to employees. Humans can inadvertently cause faulty service by making procedural mistakes. System developers can write programs incorrectly or make errors during the installation of hardware, software programs, and data.

Usurpation occurs when computer criminals invade a computer system and replace legitimate programs with their own, unauthorized ones that shut down legitimate applications and substitute their own processing to spy, steal and manipulate data, or achieve other purposes. Faulty service can also result when service is improperly restored during recovery from natural disasters.

Denial of Service
Human error in following procedures or a lack of procedures can result in denial of service (DoS), the fourth type of loss. For example, humans can inadvertently shut down a Web server or corporate gateway router by starting a computationally intensive application. An OLAP application that uses the operational DBMS can consume so many DBMS resources that order-entry transactions cannot get through.

Computer criminals can launch an intentional denial-of-service attack in which a malicious hacker floods a Web server, for example, with millions of bogus service requests that so occupy the server that it cannot service legitimate requests. Also, computer worms can infiltrate a network with so much artificial traffic that legitimate traffic cannot get through. Finally, natural disasters may cause systems to fail, resulting in denial of service.

Loss of Infrastructure
Many times, human accidents cause loss of infrastructure, the last loss type. Examples are a bulldozer cutting a conduit of fiber-optic cables and a floor buffer crashing into a rack of Web servers.

Theft and terrorist events also cause loss of infrastructure. For instance, a disgruntled, terminated employee might walk off with corporate data servers, routers, or other crucial equipment. Terrorist events also can cause the loss of physical plants and equipment.

Natural disasters present the largest risk for infrastructure loss. A fire, flood, earthquake, or similar event can destroy data centers and all they contain.

You may be wondering why Figure 10-3 does not include terms such as viruses, worms, and Trojan horses. The answer is that viruses, worms, and Trojan horses are techniques for causing some of the problems in the figure. They can cause a denial-of-service attack, or they can be used to cause malicious, unauthorized data access or data loss.

Finally, a new threat term has come into recent use. An Advanced Persistent Threat (APT) is a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments. APTs can be a means to engage in cyberwarfare and cyber-espionage.

An example of an APT is a group called APT41 (Double Dragon), which is allegedly a covert, financially motivated, state-sponsored hacking group based out of China. In 2020, security researchers at FireEye released a detailed report describing APT41’s tools, tactics, and procedures.2 More specifically, it showed how APT41 is targeting healthcare and technology companies. Before 2015 the hacking group was focused on stealing intellectual property (source code). But since 2017 the group has focused on hacking supply chains, cryptocurrency manipulation, intelligence gathering, and injecting malware into legitimate software updates sent to consumers. If you work in the military or for intelligence agencies, you will certainly be concerned, if not involved, with APTs. We return to this topic in Q10-9.



Goal of Information Systems Security

 

As shown in Figure 10-1, threats can be stopped, or if not stopped, the costs of loss can be reduced by creating appropriate safeguards. Safeguards are, however, expensive to create and maintain. They also reduce work efficiency by making common tasks more difficult, adding additional labor expense. The goal of information security is to find an appropriate trade-off between the risk of loss and the cost of implementing safeguards.

Business professionals need to consider that trade-off carefully. In your personal life, you should certainly employ antivirus software. You should probably implement other safeguards that you’ll learn about in Q10-3. Some safeguards, such as deleting browser cookies, will make using your computer more difficult. Are such safeguards worth it? You need to assess the risks and benefits for yourself.

Similar comments pertain to organizations, though they need to go about it more systematically. The bottom line is not to let the future unfold without careful analysis and action as indicated by that analysis. Get in front of the security problem by making the appropriate trade-off for your life and your business.




Q10-2 How Big Is the Computer Security Problem?

 

We do not know the full extent of the financial and data losses due to computer security threats. Certainly, the losses due to human error are enormous, but few organizations compute those losses, and even fewer publish them. However, a 2019 security report by Risk Based Security reported the loss of 15 billion personal records in a record 7,000 security incidents.3 Some of the more notable data breaches include the loss of user accounts at Sina Weibo (538 million), OxyData (380 million), Zynga (218 million), and Capital One (100 million). And that’s not even counting the loss of more than 137 million financial records from Canva or the loss of 161 million Dubsmash accounts. More than 84 percent of the stolen user records were taken by external attackers; of those records, 89 percent were exposed through Web vulnerabilities and 10 percent through direct hacking. Keep in mind that these are only the companies that made the news and voluntarily reported their losses.

Losses due to natural disasters are also enormous and nearly impossible to compute. The 2011 earthquake in Japan, for example, shut down Japanese manufacturing, and losses rippled through the supply chain from the Far East to Europe and the United States. One can only imagine the enormous expense for Japanese companies as they restored their information systems.

Furthermore, no one knows the cost of computer crime. For one, there are no standards for tallying crime costs. Does the cost of a denial-of-service attack include lost employee time, lost revenue, or long-term revenue losses due to lost customers? Or if an employee loses a $2,000 laptop, does the cost include the value of the data that was on it? Does it include the cost of the time of replacing it and reinstalling software? Or if someone steals next year’s financial plan, how is the cost of the value that competitors glean determined?


Second, all the studies on the cost of computer crime are based on surveys. Different respondents interpret terms differently, some organizations don’t report all their losses, and some won’t report computer crime losses at all. Absent standard definitions and a more accurate way of gathering crime data, we cannot rely on the accuracy of any particular estimate. The most we can do is look for trends by comparing year-to-year data, assuming the same methodology is used by the various types of survey respondents.

Figure 10-4 shows the results of a survey performed by Accenture plc, a multinational professional services company, and the Ponemon Institute. It shows the percentage of companies experiencing the most common types of attacks. It appears the most common attack type was malware (98 percent).5 Unfortunately, this type of attack doesn’t seem to be decreasing anytime soon. Other types of attacks are also fairly stable over time, except for ransomware, which has increased dramatically. Figure 10-5 shows that the costs for these attacks are all increasing over time.

 Figure 10-4: Percentage of Companies Experiencing Attack by Attack Type

Source: Based on Accenture, The Cost of Cyber Crime Study, March 2019.

 Figure 10-5: Computer Crime Costs

Source: Based on Accenture, The Cost of Cyber Crime Study, March 2019.

In addition to this data, Accenture also surveyed losses by type of asset compromised. It found that information loss was the single most expensive consequence of computer crime averaging $5.9M in losses annually per firm in 2018. Business disruption was the second highest cost, at $4.0M. Equipment losses and damages were only $0.5M of the lost value. Clearly, value lies in data and not in hardware!

Accenture also reported that 60 percent of internal costs related to cybercrime come from discovery (36 percent) and containment (24 percent). The next most costly activities were investigation (22 percent) and recovery (18 percent).

The 2019 Cost of Cyber Crime Study includes an in-depth analysis of the effect of different security policies on the savings in computer crime. The bottom line is that organizations that spend more to create the safeguards discussed in Q10-4 through Q10-7 (later in this lesson) experience less computer crime and suffer smaller losses when they do. Security safeguards do work!

If you search for the phrase computer crime statistics on the Web, you will find numerous similar studies. Some are based on dubious sampling techniques and seem to be written to promote a particular safeguard product or point of view. Be aware of such bias as you read.

Using the Accenture study, the bottom line, as of 2019, is:

Ransomware and malicious insider attacks are increasingly serious security threats.

Information loss and business disruption are principal costs of computer crime.

Discovery and containment account for over half of the internal costs related to cyber intrusions.

Security safeguards work.


Q10-3 How Should You Respond to Security Threats?

 

As stated at the end of Q10-1, your personal IS security goal should be to find an effective trade-off between the risk of loss and the cost of safeguards. However, few individuals take security as seriously as they should, and most fail to implement even low-cost safeguards.

Figure 10-6 lists recommended personal security safeguards. The first safeguard is to take security seriously. You cannot see the attempts that are being made, right now, to compromise your computer. However, they are there.

Figure 10-6: Personal Security Safeguards

· Take security seriously

· Create strong passwords

· Use multiple passwords

· Send no valuable data via email or IM

· Use https at trusted, reputable vendors

· Remove high-value assets from computers

· Clear browsing history, temporary files, and cookies (CCleaner or equivalent)

· Regularly update antivirus software

· Demonstrate security concern to your fellow workers

· Follow organizational security directives and guidelines

· Consider security for all business initiatives

Unfortunately, the first sign you receive that your security has been compromised may be bogus charges on your credit card or messages from friends complaining about the disgusting email they just received from your email account. Computer security professionals run intrusion detection systems to detect attacks. An intrusion detection system (IDS) is a program that watches network or host activity for signs that another computer is scanning or attempting to access a computer or network, and records or reports each such event. IDS logs can record thousands of attempts each day. Most of these attempts originate from systems over which you have no control, so there is nothing you can do about them except use reasonable safeguards.
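As an added example (not from the lesson), here is the kind of rule an IDS applies, run over constructed log lines: one source probing many ports in a short window (a scan) and one source sending far more requests than a person could (the flood described under denial of service in Q10-1). The log format, the thresholds, and the addresses are assumptions made for the example; the addresses come from the ranges reserved for documentation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for the example: "<ISO timestamp> src=<ip> dport=<port> status=<word>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+) status=(?P<status>\w+)$")


def sample_log() -> list:
    """Constructed sample, not real traffic: one scanner, one flooder, one ordinary client, one bad line."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # 198.51.100.9 knocks on six different ports, one second apart.
    for i, port in enumerate([21, 22, 23, 25, 80, 443]):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} src=198.51.100.9 dport={port} status=refused")
    # 203.0.113.7 sends 25 requests to port 443 in under ten seconds.
    for i in range(25):
        lines.append(f"{(base + timedelta(milliseconds=400 * i)).isoformat()} src=203.0.113.7 dport=443 status=ok")
    # 192.0.2.5 behaves like a person: three requests spread over forty seconds.
    for i in range(3):
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()} src=192.0.2.5 dport=443 status=ok")
    lines.append("this line is corrupt and must not crash the parser")
    return lines


def parse(lines):
    """Return sorted (timestamp, src, dport) tuples; malformed lines are counted, not fatal."""
    events, bad = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            bad += 1
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])))
    return sorted(events), bad


def detect(events, window=timedelta(seconds=60), scan_ports=5, flood_hits=20):
    """Sliding-window rules evaluated per source address.

    port_scan: at least scan_ports distinct destination ports within one window
    flood:     at least flood_hits events within one window
    The thresholds are assumptions; tune them to the service being watched.
    """
    by_src = defaultdict(list)
    for ts, src, dport in events:
        by_src[src].append((ts, dport))
    alerts = set()
    for src, evs in by_src.items():
        left = 0
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            in_window = evs[left:right + 1]
            if len({dport for _, dport in in_window}) >= scan_ports:
                alerts.add((src, "port_scan"))
            if len(in_window) >= flood_hits:
                alerts.add((src, "flood"))
    return alerts


def run_detection():
    """Parse the constructed log and return (alerts, number_of_unparseable_lines)."""
    events, bad = parse(sample_log())
    return detect(events), bad
```

The ordinary client never trips either rule, and the corrupt line is counted rather than allowed to stop processing; a detector that dies on malformed input is itself a denial-of-service target.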

If you decide to take computer security seriously, the single most important safeguard you can implement is to create and use strong passwords. We discussed ways of doing this in Lesson 1. To summarize, do not use any word, in any language, as part of your password. Use passwords with a mixture of upper- and lowercase letters and numbers and special characters.

Such nonword passwords are still vulnerable to a brute force attack, in which the password cracker tries every possible combination of characters. The time this takes is governed by the size of the keyspace (the alphabet size raised to the power of the password length) divided by how fast the attacker can test guesses. A brute force attack can crack a six-character password of either upper- or lowercase letters in a couple of minutes. However, a brute force attack on a six-character password having a mixture of upper- and lowercase letters, numbers, and special characters can take hours. A 10-character password of only upper- and lowercase letters can take years to crack, but one using a mix of letters, numbers, and special characters may require hundreds of years. A 12-character, letter-only password may require thousands of years, and a 12-character mixed password may take millions of years. All of these estimates assume, of course, that the password contains no word in any language; a word-based password falls to a dictionary attack in seconds regardless of its length. They also assume an attacker who has stolen a copy of the site’s password hashes and can test guesses offline at high speed; a login form that throttles or locks out after repeated failures slows an online attack by many orders of magnitude. The bottom line is this: Use long passwords with no words, 12 or more characters, and a mix of letters, numbers, and special characters.

In addition to using long, complex passwords, you should also use different passwords for different sites. That way, if one of your passwords is compromised, you do not lose control of all of your accounts. Attackers use credential stuffing, or the automated injection of stolen usernames and passwords, to gain access to multiple websites. Credential stuffing is becoming very common because of password reuse, or the use of the same login information to access multiple sites. A password manager removes the practical obstacle here: it generates a different random password for every site and stores them behind one strong master password, so that one is the only password you have to remember.

Make sure you use very strong passwords for important sites (like your bank’s site), and do not reuse those passwords on less important sites (like your social networking sites). Some sites are focused on innovating products and may not allocate the same amount of resources to protect your information. Guard your information with a password it deserves.
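To make the brute-force arithmetic concrete, the following Python snippet (added for this page, not from the lesson) computes the keyspace of a password from the character classes it uses and converts it to an estimated time to exhaust at two assumed guess rates: an online login form that throttles attempts, and an offline attack against a leaked database of fast hashes. The guess rates and the tiny word list are assumptions; a real cracking dictionary holds millions of entries. The reuse check stands in for what a password manager does for you.

```python
import math
import string

# Constructed stand-in for a cracking dictionary (real ones hold millions of entries).
COMMON_WORDS = {"password", "welcome", "dragon", "summer", "letmein", "monkey", "qwerty", "admin"}

# Assumed attacker speeds (assumptions for the estimate, not measurements):
ONLINE_GUESSES_PER_SEC = 10                  # a login form that throttles attempts
OFFLINE_GUESSES_PER_SEC = 10_000_000_000     # a leaked table of fast, unsalted hashes on GPU hardware
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker must cover, from the classes actually present."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)      # the 32 printable ASCII symbols
    return size


def contains_common_word(pw: str) -> bool:
    """True if any dictionary word appears inside the password, ignoring case."""
    low = pw.lower()
    return any(word in low for word in COMMON_WORDS)


def assess(pw: str, previously_used=()) -> dict:
    """Keyspace-based estimate plus the two checks that matter more in practice.

    The years figures assume the attacker must try the whole keyspace; a password
    built from a dictionary word falls to a word list long before that.
    """
    n = charset_size(pw)
    keyspace = n ** len(pw) if n and pw else 0
    bits = math.log2(keyspace) if keyspace else 0.0
    return {
        "length": len(pw),
        "charset": n,
        "bits": round(bits, 1),
        "online_years": keyspace / ONLINE_GUESSES_PER_SEC / SECONDS_PER_YEAR,
        "offline_years": keyspace / OFFLINE_GUESSES_PER_SEC / SECONDS_PER_YEAR,
        "contains_common_word": contains_common_word(pw),
        "reused": pw in set(previously_used),
    }


def acceptable(report: dict) -> bool:
    """Policy matching the lesson's bottom line: 12+ characters, at least three
    character classes (any three give a charset of 62 or more), no dictionary
    word, and never reused on another site."""
    return (
        report["length"] >= 12
        and report["charset"] >= 62
        and not report["contains_common_word"]
        and not report["reused"]
    )
```

A six-letter lowercase password has a keyspace of 26^6, about 3.1e8, which the offline attacker exhausts in a fraction of a second; a 12-character password drawn from all four classes has a keyspace of 94^12, about 4.8e23, roughly 1.5 million years at the assumed offline rate. "Password123!" passes every length and class rule and still fails, because the dictionary check finds the word inside it.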

Never send passwords, credit card data, or any other valuable data in email or IM. As stated numerous times in this text, most email and IM is not protected by encryption (see Q10-5), and you should assume that anything you write in email or IM could find its way to the front page of The New York Times tomorrow.

Buy only from reputable online vendors using a secure https connection. If the vendor does not support https in its transactions (look for https:// in the address line of your browser), do not buy from that vendor.

You can reduce your vulnerability to loss by removing high-value assets from your computers. Now, and especially later as a business professional, make it your practice not to travel out of your office with a laptop or other device that contains any data that you do not need. In general, store proprietary data on servers or removable devices that do not travel with you. (Microsoft 365, by the way, uses https to transfer data to and from SharePoint. You can use it or a similar application for processing documents from public locations such as airports while you are traveling.)

Your browser automatically stores a history of your browsing activities and temporary files that contain sensitive data about where you’ve visited, what you’ve purchased, what your account names and passwords are, and so forth. It also stores cookies, which are small files that your browser receives when you visit websites. The cookie might contain data such as the date you last visited, whether you are currently signed in, or something else about your interaction with that site. Cookies enable you to access websites without having to sign in every time, and they speed up processing of some sites.

A third-party cookie is a cookie created by a site other than the one you visited. Such cookies are generated in several ways, but the most common occurs when a Web page includes content from multiple sources. For example, Amazon designs its pages so that one or more sections contain ads provided by the ad-servicing company DoubleClick. When the browser constructs your Amazon page, it contacts DoubleClick to obtain the content for such sections (in this case, ads). When it responds with the content, DoubleClick instructs your browser to store a DoubleClick cookie. That cookie is a third-party cookie. In general, third-party cookies do not contain your name or any other value that identifies you by name. Instead, they carry a unique identifier that the third party generated for your browser; on its own servers, the third party pairs that identifier with the IP address and other details of each request.

On its own servers, when it creates the cookie, DoubleClick records that identifier in a log, and if you click on the ad, it will add the fact of that click to the log. This logging is repeated every time DoubleClick shows an ad. Cookies have an expiration date, but that date is set by the cookie creator, and they can last many years. So, over time, DoubleClick and any other third-party cookie owner will have a history of what they’ve shown, what ads have been clicked, and the intervals between interactions.

But the opportunity is even greater. DoubleClick has agreements not only with Amazon but also with many others, such as Facebook. If Facebook includes any DoubleClick content on its site, your browser sends DoubleClick the cookie it stored earlier, because the cookie belongs to DoubleClick’s domain rather than to Amazon’s. DoubleClick therefore sees the same identifier again, now attached to a request that reveals it came from a Facebook page, and it has a record of your ad response data on two sites. Over time, the cookie log will contain data to show not only how you respond to ads but also your pattern of visiting various websites on all those sites in which it places ads.

Unfortunately, some cookies contain sensitive security data and may be used to track you in ways you may not realize. The best safeguard is to remove your browsing history, temporary files, and cookies from your computer and to set your browser to disable history and cookies.

CCleaner is a free, open source product that will do a thorough job of securely removing all such data (CCleaner). You should make a backup of your data before using CCleaner.

Removing and disabling cookies presents an excellent example of the trade-off between improved security and cost. Your security will be substantially improved, but your computer will be more difficult to use. You decide, but make a conscious decision; do not let ignorance of the vulnerability of such data make the decision for you.

We will address the use of antivirus software in Q10-5. The last three items in Figure 10-6 apply once you become a business professional. With your coworkers, and especially with those whom you manage, you should demonstrate a concern and respect for security. You should also follow all organizational security directives and guidelines. Finally, consider security in all of your business initiatives.

Q10-4 How Should Organizations Respond to Security Threats?

Q10-3 discussed ways that you as an individual should respond to security threats. In the case of organizations, a broader and more systematic approach needs to be taken. In 2020, 53 percent of global CEOs were “extremely concerned” about the impact of cyber threats on their organizations.7 To begin, senior management needs to address two critical security functions: security policy and risk management.

See what a typical workday would look like for someone who works as a security engineer in the Career Guide.



Security Policy

Considering the first, senior management must establish a company-wide security policy, or a document that states the rules and procedures that protect an organization’s information systems and data. Take, for example, a data security policy that states the organization’s posture regarding data that it gathers about its customers, suppliers, partners, and employees. At a minimum, the policy should stipulate:

· What sensitive data the organization will store

· How it will process that data

· Whether data will be shared with other organizations

· How employees and others can obtain copies of data stored about them

· How employees and others can request changes to inaccurate data

The specifics of a policy depend on whether the organization is governmental or nongovernmental, on whether it is publicly held or private, on the organization’s industry, on the relationship of management to employees, and on other factors. As a new hire, seek out your employer’s security policy if it is not discussed with you in new-employee training.

A common pitfall of creating security policies is to make too many overly strict rules. Too many authoritarian rules can irritate employees and make them feel like they’re not trusted. They can even reduce employee productivity or, worse, drive away key employees. Too many security policies can also lead to information security fatigue, or a reluctance to deal with information security due to feeling overwhelmed. Users can become overwhelmed when they’re asked to make too many complex security decisions. They can also become weary from a constant barrage of bad news about data breaches, malware, DoS attacks, and so on. Hopelessness sets in, and employees just stop trying.

Information security fatigue can be reduced by making security policies less complex and easier to follow. Information security managers need to balance the security of the organization with the productivity and satisfaction of employees. More policies don’t necessarily make organizations more secure. In fact, too many rules may actually make organizations less secure.



Risk Management

The second senior management security function is to manage risk. Risk cannot be eliminated, so to manage risk means to proactively balance the trade-off between risk and cost. This trade-off varies from industry to industry and from organization to organization. Financial institutions are obvious targets for theft and must invest heavily in security safeguards. On the other hand, a bowling alley is unlikely to be much of a target, unless, of course, it stores credit card data on computers or mobile devices (a decision that would be part of its security policy and that would seem unwise, not only for a bowling alley but also for most small businesses).

To make trade-off decisions, organizations need to create an inventory of the data and hardware they want to protect and then evaluate safeguards relative to the probability of each potential threat. Figure 10-3 is a good source for understanding categories and frequencies of threat. Given this set of inventory and threats, the organization needs to decide how much risk it wishes to take or, stated differently, which security safeguards it wishes to implement.

A good analogy of using safeguards to protect information assets is buying car insurance. Before buying car insurance you determine how much your car is worth, the likelihood of incurring damage to your car, and how much risk you are willing to accept. Then you transfer some of your risk to the insurer by buying a safeguard called an insurance policy. Instead of buying just one insurance policy, organizations implement a variety of safeguards to protect their data and hardware.

An easy way to remember information systems safeguards is to arrange them according to the five components of an information system, as shown in Figure 10-7. Some of the safeguards involve computer hardware and software. Some involve data; others involve procedures and people. We will consider technical, data, and human safeguards in the next three questions.

Q10-5 How Can Technical Safeguards Protect Against Security Threats?

Technical safeguards involve the hardware and software components of an information system. Figure 10-8 lists primary technical safeguards. Consider each.

 Figure 10-8: Technical Safeguards

Identification and Authentication

Every information system today should require users to sign on with a username and password. The username identifies the user (the process of identification), and the password authenticates that user (the process of authentication).

Passwords have important weaknesses. In spite of repeated warnings (don’t let this happen to you!), users often share their passwords, and many people choose ineffective, simple passwords. In fact, a 2020 Verizon report noted that 80 percent of confirmed data breaches involved stolen credentials, or passwords obtained from a brute force password attack.8 There’s a good chance your password will be stolen at some point. Because of these problems, some organizations choose to use smart cards and biometric authentication in addition to passwords.

Smart Cards
A smart card is a plastic card similar to an older credit card with a magnetic stripe but with an embedded microchip. The microchip, which holds far more data than a magnetic stripe, is loaded with identifying data. Users of smart cards are required to enter a personal identification number (PIN) to be authenticated.

Biometric Authentication
Biometric authentication uses personal physical characteristics such as fingerprints, facial features, and retinal scans to authenticate users. Biometric authentication provides strong authentication, but the required equipment is expensive. Often, too, users resist biometric identification because they feel it is invasive.

Biometric authentication is in the early stages of adoption. Because of its strength, it likely will see increased usage in the future. It is also likely that legislators will pass laws governing the use, storage, and protection requirements for biometric data. For more on biometrics, search for biometrics at TechTarget.

Note that authentication methods fall into three categories: what you know (password or PIN), what you have (smart card), and what you are (biometric).



Single Sign-On for Multiple Systems

Information systems often require multiple sources of authentication. For example, when you sign on to your personal computer, you need to be authenticated. When you access the LAN in your department, you need to be authenticated again. When you traverse your organization’s WAN, you will need to be authenticated to even more networks. Also, if your request requires database data, the DBMS server that manages that database will authenticate you yet again.

It would be annoying to enter a name and password for every one of these resources. You might have to use and remember five or six different passwords just to access the data you need to perform your job. It would be equally undesirable to send your password across all of these networks. The further your password travels, the greater the risk it can be compromised.

Instead, today’s operating systems have the capability to authenticate you to networks and other servers. You sign on to your local computer and provide authentication data; from that point on your operating system authenticates you to another network or server, which can authenticate you to yet another network and server, and so forth. Because this is so, your identity and passwords open many doors beyond those on your local computer; remember this when you choose your passwords!

Encryption

Encryption is the process of transforming clear text into coded, unintelligible text for secure storage or communication. Considerable research has gone into developing encryption algorithms (procedures for encrypting data) that are difficult to break. Commonly used methods are DES, 3DES, and AES; search the Web for these terms if you want to know more about them.

A key is a string of bits used with an encryption algorithm to encrypt the data. It is called a key because it unlocks a message, but it is only a string of bits, expressed as numbers or letters; it is not a physical thing like the key to your apartment.

To encrypt a message, a computer program uses the encryption method (say, AES) combined with the key (say, the word “key”) to convert a plaintext message (in this case, the word “secret”) into an encrypted message. The resulting coded message (“U2FsdGVkX1+b637aTP80u+y2WYlUbqUz2XtYcw4E8m4=”) looks like gibberish. Decoding (decrypting) a message is similar; a key is applied to the coded message to recover the original text. With symmetric encryption, the same key is used to encode and to decode. With asymmetric encryption, two keys are used; one key encodes the message, and the other key decodes the message. Symmetric encryption is simpler and much faster than asymmetric encryption.

A special version of asymmetric encryption, public key encryption, is used on the Internet. With this method, each site has a public key for encoding messages and a private key for decoding them. Before we explain how that works, consider the following analogy.

Suppose you send a friend an open combination lock (like you have on your gym locker). Suppose you are the only one who knows the combination to that lock. Now, suppose your friend puts something in a box and locks the lock. Now, neither your friend nor anyone else can open that box. That friend sends the locked box to you, and you apply the combination to open the box.

A public key is like the combination lock, and the private key is like the combination. Your friend uses the public key to code the message (lock the box), and you use the private key to decode the message (open the lock).

Now, suppose we have two generic computers, A and B. Suppose B wants to send an encrypted message to A. To do so, A sends B its public key (in our analogy, A sends B an open combination lock). Now B applies A’s public key to the message and sends the resulting coded message back to A. At that point, neither B nor anyone other than A can decode that message. It is like the box with a locked combination lock. When A receives the coded message, A applies its private key (the combination in our analogy) to unlock or decrypt the message.

Again, public keys are like open combination locks. Computer A will send a lock to anyone who asks for one. But A never sends its private key (the combination) to anyone. Private keys stay private.

Most secure communication over the Internet uses a protocol called https. With https, data are encrypted using a protocol called the Secure Sockets Layer (SSL), which is also known as Transport Layer Security (TLS). SSL/TLS uses a combination of public key encryption and symmetric encryption.

The basic idea is this: Symmetric encryption is fast and is preferred. But the two parties (say, you and a website) don’t share a symmetric key. So, the two of you use public key encryption to share the same symmetric key. Once you both have that key, you use symmetric encryption for the remainder of the communication.

Figure 10-9 summarizes how SSL/TLS works when you communicate securely with a website:

Your computer obtains the public key of the website to which it will connect.

Your computer generates a key for symmetric encryption.

Your computer encodes that key using the website’s public key. It sends the encrypted symmetric key to the website.

The website then decodes the symmetric key using its private key.

From that point forward, your computer and the website communicate using symmetric encryption.

Figure 10-9: The Essence of https (SSL or TLS)

At the end of the session, your computer and the secure site discard the keys. Using this strategy, the bulk of the secure communication occurs using the faster symmetric encryption. Also, because keys are used for short intervals, there is less likelihood they can be discovered.
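The five steps of Figure 10-9 carried out end to end in Go, as an added example that is not part of the textbook. RSA-OAEP stands in for the public key encryption and AES-GCM for the symmetric encryption (both are assumptions; the text names neither), and the message is constructed. One caveat: current TLS (version 1.3) agrees on the session key with Diffie-Hellman key agreement rather than encrypting it under the site's public key, but the hybrid structure, public key operations to establish a key and symmetric encryption for the bulk traffic, is exactly as described.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Website is the server side of Figure 10-9; its private key never leaves it.
type Website struct{ priv *rsa.PrivateKey }

// NewWebsite creates a site with a fresh 2048-bit RSA key pair.
func NewWebsite() (*Website, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Website{priv: priv}, nil
}

// PublicKey is step 1: the site hands its public key (the open lock) to anyone.
func (w *Website) PublicKey() *rsa.PublicKey { return &w.priv.PublicKey }

// AcceptSessionKey is step 4: the private key (the combination) unwraps the symmetric key.
func (w *Website) AcceptSessionKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, w.priv, wrapped, nil)
}

// ClientStart is steps 2 and 3: the browser generates a random AES-256 key, keeps
// it locally and sends only the copy wrapped under the site's public key.
func ClientStart(sitePub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, sitePub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// Seal is step 5 on the sending side: AES-GCM with a fresh nonce prepended to the output.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open is step 5 on the receiving side. GCM also authenticates, so a modified
// ciphertext is rejected instead of silently decrypting to garbage.
func Open(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RunSession performs the whole exchange for one message and returns the text the
// site recovered. Both sides drop the session key afterwards, as the text describes.
func RunSession(site *Website, message string) (string, error) {
	sessionKey, wrapped, err := ClientStart(site.PublicKey()) // steps 1-3
	if err != nil {
		return "", err
	}
	siteKey, err := site.AcceptSessionKey(wrapped) // step 4
	if err != nil {
		return "", err
	}
	ct, err := Seal(sessionKey, []byte(message)) // step 5, browser side
	if err != nil {
		return "", err
	}
	pt, err := Open(siteKey, ct) // step 5, site side
	return string(pt), err
}
```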

Use of SSL/TLS makes it safe to send sensitive data such as credit card numbers and bank balances. Just be certain that you see https:// in your browser and not just http://. Most browsers have additional plug-ins or add-ons (like HTTPS Everywhere) that can force https connections when available.



Firewalls

A firewall is a computing device that prevents unauthorized network access. A firewall can be a special-purpose computer, or it can be a program on a general-purpose computer or on a router. In essence, a firewall is simply a filter. It can filter traffic in a variety of ways including where network traffic is coming from, what types of packets are being sent, the contents of the packets, and if the packets are part of an authorized connection.

Organizations normally use multiple firewalls. A perimeter firewall sits outside the organizational network; it is the first device that Internet traffic encounters. In addition to perimeter firewalls, some organizations employ internal firewalls inside the organizational network. Figure 10-10 shows the use of a perimeter firewall that protects all of an organization’s computers and a second internal firewall that protects a LAN.

 Figure 10-10: Use of Multiple Firewalls

A packet-filtering firewall examines each part of a message and determines whether to let that part pass. To make this decision, it examines the source address, the destination address(es), and other data.

Packet-filtering firewalls can prohibit outsiders from starting a session with any user behind the firewall. They can also disallow traffic from particular sites, such as known hacker addresses. They can prohibit traffic from legitimate, but unwanted, addresses, such as competitors’ computers, and filter outbound traffic as well. They can keep employees from accessing specific sites, such as competitors’ sites, sites with pornographic material, or popular news sites. As a future manager, if you have particular sites with which you do not want your employees to communicate, you can ask your IS department to enforce that limit via the firewall.
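The packet-filtering decisions just listed, modelled in Go as an added example that is not from the textbook: a first-match rule list that refuses sessions started from outside, blocks a known hostile source, blocks outbound traffic to a competitor, and still lets replies to employee-initiated sessions through. Addresses are constructed from the RFC 5737 documentation ranges, and "part of an authorized connection" is approximated by the TCP ACK flag, which is what a stateless filter can do; a stateful firewall tracks connections instead.

```go
package main

import "net"

type Direction int

const (
	Inbound  Direction = iota // from the Internet toward the organization
	Outbound                  // from the organization toward the Internet
)

type Action int

const (
	Deny Action = iota
	Allow
)

// Packet is the subset of header fields a packet filter examines.
type Packet struct {
	Dir      Direction
	Src, Dst net.IP
	DstPort  int
	SYN, ACK bool // TCP flags: SYN without ACK opens a new session
}

// Rule matches on direction, networks, port and TCP flags; a nil network or zero
// port means "any". NewSessionOnly matches packets that try to start a session;
// EstablishedOnly matches packets with ACK set, a stateless approximation of
// "belongs to a connection that was already authorized".
type Rule struct {
	Name            string
	Dir             Direction
	Src, Dst        *net.IPNet
	DstPort         int
	NewSessionOnly  bool
	EstablishedOnly bool
	Action          Action
}

func (r Rule) Matches(p Packet) bool {
	switch {
	case r.Dir != p.Dir:
		return false
	case r.Src != nil && !r.Src.Contains(p.Src):
		return false
	case r.Dst != nil && !r.Dst.Contains(p.Dst):
		return false
	case r.DstPort != 0 && r.DstPort != p.DstPort:
		return false
	case r.NewSessionOnly && !(p.SYN && !p.ACK):
		return false
	case r.EstablishedOnly && !p.ACK:
		return false
	}
	return true
}

// Firewall evaluates rules top to bottom; the first match wins, else Default applies.
type Firewall struct {
	Rules   []Rule
	Default Action
}

// Decide returns the action and the name of the rule that produced it.
func (f Firewall) Decide(p Packet) (Action, string) {
	for _, r := range f.Rules {
		if r.Matches(p) {
			return r.Action, r.Name
		}
	}
	return f.Default, "default"
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// PerimeterPolicy encodes the behaviours the text lists. All addresses are
// constructed from the RFC 5737 documentation ranges: 192.0.2.0/24 is the
// organization, 198.51.100.0/24 a competitor, 203.0.113.66 a known hostile host.
func PerimeterPolicy() Firewall {
	return Firewall{Default: Deny, Rules: []Rule{
		{Name: "block known hostile source", Dir: Inbound, Src: cidr("203.0.113.66/32"), Action: Deny},
		{Name: "no traffic to competitor", Dir: Outbound, Dst: cidr("198.51.100.0/24"), Action: Deny},
		{Name: "public web server may accept sessions", Dir: Inbound, Dst: cidr("192.0.2.10/32"), DstPort: 443, Action: Allow},
		{Name: "outsiders may not start sessions", Dir: Inbound, NewSessionOnly: true, Action: Deny},
		{Name: "replies to sessions we started", Dir: Inbound, EstablishedOnly: true, Action: Allow},
		{Name: "employees may reach the Internet", Dir: Outbound, Action: Allow},
	}}
}
```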

Packet-filtering firewalls are the simplest type of firewall. Other firewalls filter on a more sophisticated basis. If you take a data communications class, you will learn about them. For now, just understand that firewalls help to protect organizational computers from unauthorized network access.

No computer should connect to the Internet without firewall protection. Many ISPs provide firewalls for their customers. By nature, these firewalls are generic. Large organizations supplement such generic firewalls with their own. Most home routers include firewalls, and Microsoft Windows has a built-in firewall as well. Third parties also license firewall products.

Malware Protection

The next technical safeguard in our list in Figure 10-8 concerns malware. Malware is a broad category of software that includes viruses, spyware, and adware.

A virus is a computer program that replicates itself. Unchecked replication is like computer cancer; ultimately, the virus consumes the computer’s resources. Furthermore, many viruses also take unwanted and harmful actions. The program code that causes the unwanted actions is called the payload. The payload can delete programs or data—or, even worse, modify data in undetected ways.

Trojan horses are viruses that masquerade as useful programs or files. The name refers to the gigantic mock-up of a horse that was filled with soldiers and moved into Troy during the Trojan War. A typical Trojan horse appears to be a computer game, an MP3 music file, or some other useful, innocuous program.

A worm is a virus that self-propagates using the Internet or other computer network. Worms spread faster than other virus types because they can replicate by themselves. Unlike nonworm viruses, which must wait for the user to share a file with a second computer, worms actively use the network to spread. Sometimes, worms can propagate so quickly that they overload and crash a network.

Spyware programs are installed on the user’s computer without the user’s knowledge or permission. Spyware resides in the background and, unknown to the user, observes the user’s actions and keystrokes, monitors computer activity, and reports the user’s activities to sponsoring organizations. Some malicious spyware, called key loggers, captures keystrokes to obtain usernames, passwords, account numbers, and other sensitive information. Other spyware supports marketing analyses such as observing what users do, websites visited, products examined and purchased, and so forth.

In 2017, cryptocurrencies started to increase in value and attackers began cryptojacking victim computers, or installing hidden malware that mines cryptocurrency for attackers. Cryptojacking allowed hackers to mine cryptocurrencies without paying for expensive hardware or energy consumption.

Adware is similar to spyware in that it is installed without the user’s permission and resides in the background and observes user behavior. Most adware is benign in that it does not perform malicious acts or steal data. It does, however, watch user activity and produce pop-up ads. Adware can also change the user’s default window or modify search results and switch the user’s search engine.

Ransomware is malicious software that blocks access to a system or data until money is paid to the attacker. Some forms of ransomware like crypto malware encrypt your data and prevent you from accessing it until the ransom is paid (CryptoLocker). Other types of ransomware can prevent you from running applications or even lock you out of your operating system (Reveton). Attackers demand to be paid before they will allow access to your data or system.

Figure 10-11 lists some of the symptoms of adware and spyware. Sometimes these symptoms develop slowly over time as more malware components are installed. Should these symptoms occur on your computer, remove the spyware or adware using antimalware programs.

Figure 10-11: Spyware and Adware Symptoms

· Slow system startup

· Sluggish system performance

· Many pop-up advertisements

· Suspicious browser homepage changes

· Suspicious changes to the taskbar and other system interfaces

· Unusual hard-disk activity

Malware Safeguards
Fortunately, it is possible to avoid most malware using the following malware safeguards:

Install antivirus and antispyware programs on your computer. Your IS department will have a list of recommended (perhaps required) programs for this purpose. If you choose a program for yourself, choose one from a reputable vendor. Check reviews of antimalware software on the Web before purchasing.

Set up your antimalware programs to scan your computer frequently. You should scan your computer at least once a week and possibly more often. When you detect malware code, use the antimalware software to remove it. If the code cannot be removed, contact your IS department or antimalware vendor.

Update malware definitions. Malware definitions—patterns that exist in malware code—should be downloaded frequently. Antimalware vendors update these definitions continuously, and you should install these updates as they become available.

Open email attachments only from known sources. Also, even when opening attachments from known sources, do so with great care. With a properly configured firewall, email is the only outside-initiated traffic that can reach user computers.

Most antimalware programs check email attachments for malware code. However, all users should form the habit of never opening an email attachment from an unknown source. Also, if you receive an unexpected email from a known source or an email from a known source that has a suspicious subject, odd spelling, or poor grammar, do not open the attachment without first verifying with the known source that the attachment is legitimate.

Promptly install software updates from legitimate sources. Unfortunately, all programs are chock full of security holes; vendors are fixing them as rapidly as they are discovered, but the practice is inexact. Install patches to the operating system and application programs promptly.

Browse only reputable websites. It is possible for some malware to install itself when you do nothing more than open a Web page. Recently, malware writers have been paying for banner ads on legitimate sites that have malware embedded in the ad. One click, and you’re infected.



Design for Secure Applications

The final technical safeguard in Figure 10-8 concerns the design of applications. As you learned in the opening vignette, Emily and Jose are designing iMed with security in mind; iMed will store users’ privacy settings in a database, and it will develop all applications to first read the privacy settings before revealing any data in reports. Most likely, iMed will design its programs so that privacy data is processed by programs on servers; that design means that such data need be transmitted over the Internet only when it is created or modified.

By the way, a SQL injection attack occurs when users enter a SQL statement into a form in which they are supposed to enter a name or other data. If the program is improperly designed, it will accept this code and make it part of the database command that it issues. Improper data disclosure and data damage and loss are possible consequences. A well-designed application will make such injections ineffective.

As a future IS user, you will not design programs yourself. However, you should ensure that any information system developed for you and your department includes security as one of the application requirements.



Q10-6 How Can Data Safeguards Protect Against Security Threats?

Data safeguards protect databases and other organizational data. Two organizational units are responsible for data safeguards. Data administration refers to an organization-wide function that is in charge of developing data policies and enforcing data standards.

Database administration refers to a function that pertains to a particular database. ERP, CRM, and MRP databases each have a database administration function. Database administration develops procedures and practices to ensure efficient and orderly multiuser processing of the database, to control changes to the database structure, and to protect the database. Database administration was summarized in Lesson 5.

Both data and database administration are involved in establishing the data safeguards in Figure 10-12. First, data administration should define data policies such as “We will not share identifying customer data with any other organization” and the like. Then data administration and database administration(s) work together to specify user data rights and responsibilities. Third, those rights should be enforced by user accounts that are authenticated at least by passwords.

Figure 10-12: Data Safeguards

· Define data policies

· Data rights and responsibilities

· Rights enforced by user accounts authenticated by passwords

· Data encryption

· Backup and recovery procedures

· Physical security

The organization should protect sensitive data by storing it in encrypted form. Such encryption uses one or more keys in ways similar to that described for data communication encryption. One potential problem with stored data, however, is that the key might be lost or that disgruntled or terminated employees might destroy it. Because of this possibility, when data are encrypted, a trusted party should have a copy of the encryption key. This safety procedure is sometimes called key escrow.

Another data safeguard is to periodically create backup copies of database contents. The organization should store at least some of these backups off premises, possibly in a remote location. Additionally, IT personnel should periodically practice recovery to ensure that the backups are valid and that effective recovery procedures exist. Do not assume that just because a backup is made that the database is protected.

Physical security is another data safeguard. The computers that run the DBMS and all devices that store database data should reside in locked, controlled-access facilities. If not, they are subject not only to theft, but also to damage. For better security, the organization should keep a log showing who entered the facility, when, and for what purpose.

When organizations store databases in the cloud, all of the safeguards in Figure 10-12 should be part of the cloud service contract.



Legal Safeguards for Data

Some organizations have legal requirements to safeguard the customer data they collect and store. Laws can dictate how long records must be kept, with whom companies can share the data, and mandatory safe data storage requirements. Some data storage laws have direct implications for business.

For example, the Payment Card Industry Data Security Standard (PCI DSS) governs the secure storage and processing of credit card data. The Gramm-Leach-Bliley Act (GLBA), passed by Congress in 1999, protects consumer financial data stored by financial institutions, which are defined as banks; securities firms; insurance companies; and organizations that supply financial advice, prepare tax returns, and provide similar financial services.

For healthcare organizations, the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 give individuals the right to access health data created by doctors and other healthcare providers. HIPAA also sets rules and limits on who can read and receive your health information.

Data protection laws may be stronger in other countries than in the United States. The General Data Protection Regulation (GDPR) is an EU privacy law enacted in 2018 that outlines data protection regulations designed to protect personal data. It regulates the collection, storage, and transfer of personal data within the EU. Although the GDPR is the most important EU privacy rule, many other nations with which U.S. firms do business are also developing strong commercial data privacy laws.

In 2019 British Airways was fined $222 million (£183 million) for violation of the new EU privacy law General Data Protection Regulation (GDPR).9 In 2018 British Airways lost 500,000 customer records in a data breach containing credit card and personal information. The UK’s Information Commissioner’s Office (ICO) wasted no time levying fines. British Airways is appealing the record fine, arguing there’s no proof that any of the stolen data has been used, or that they were negligent in storing customer data.


Q10-7 How Can Human Safeguards Protect Against Security Threats?

Human safeguards involve the people and procedure components of information systems. In general, human safeguards result when authorized users follow appropriate procedures for system use and recovery. Restricting access to authorized users requires effective authentication methods and careful user account management. In addition, appropriate security procedures must be designed as part of every information system, and users should be trained on the importance and use of those procedures. In this section, we will consider the development of human safeguards for employees. According to the survey of computer crime discussed in Q10-2, crime from malicious insiders is a frequent and expensive problem. This fact makes safeguards even more important.

Read about the COVID-19 related security threats in the Security Guide.



Human Safeguards for Employees

Figure 10-13 lists security considerations for employees. Consider each.

Figure 10-13: Security Policy for In-House Staff

Position Definitions
Effective human safeguards begin with definitions of job tasks and responsibilities. In general, job descriptions should provide a separation of duties and authorities. For example, no single individual should be allowed to both approve expenses and write checks. Instead, one person should approve expenses, another pay them, and a third should account for the payment. Similarly, in inventory, no single person should be allowed to authorize an inventory withdrawal and also to remove the items from inventory.

Given appropriate job descriptions, user accounts should be defined to give users the least possible privilege needed to perform their jobs. For example, users whose job description does not include modifying data should be given accounts with read-only privileges. Similarly, user accounts should prohibit users from accessing data their job description does not require.

Finally, the security sensitivity should be documented for each position. Some jobs involve highly sensitive data (e.g., employee compensation, salesperson quotas, and proprietary marketing or technical data). Other positions involve no sensitive data. Documenting position sensitivity enables security personnel to prioritize their activities in accordance with the possible risk and loss.

Hiring and Screening
Security considerations should be part of the hiring process. Of course, if the position involves no sensitive data and no access to information systems, then screening for information systems security purposes will be minimal. When hiring for high-sensitivity positions, however, extensive interviews, references, and background investigations are appropriate. Note, too, that security screening applies not only to new employees, but also to employees who are promoted into sensitive positions.

Dissemination and Enforcement
Employees cannot be expected to follow security policies and procedures that they do not know about. Therefore, employees need to be made aware of the security policies, procedures, and responsibilities they will have.

Employee security training begins during new-employee training, with the explanation of general security policies and procedures. That general training must be amplified in accordance with the position’s sensitivity and responsibilities. Promoted employees should receive security training that is appropriate to their new positions. The company should not provide user accounts and passwords until employees have completed required security training.

Enforcement consists of three interdependent factors: responsibility, accountability, and compliance. First, the company should clearly define the security responsibilities of each position. The design of the security program should be such that employees can be held accountable for security violations. Procedures should exist so that when critical data are lost, it is possible to determine how the loss occurred and who is accountable. Finally, the security program should encourage security compliance. Employee activities should regularly be monitored for compliance, and management should specify the disciplinary action to be taken in light of noncompliance.

Management attitude is crucial: Employee compliance is greater when management demonstrates, both in word and deed, a serious concern for security. If managers write passwords on staff bulletin boards, shout passwords down hallways, or ignore physical security procedures, then employee security attitudes and employee security compliance will suffer. Note, too, that effective security is a continuing management responsibility. Regular reminders about security are essential.

Termination
Companies also must establish security policies and procedures for the termination of employees. Many employee terminations are friendly and occur as the result of promotion or retirement or when the employee resigns to take another position. Standard human resources policies should ensure that system administrators receive notification in advance of the employee’s last day so that they can remove accounts and passwords. The need to recover keys for encrypted data and any other special security requirements should be part of the employee’s out-processing.

Unfriendly termination is more difficult because employees may be tempted to take malicious or harmful actions. In such a case, system administrators may need to remove user accounts and passwords prior to notifying the employee of his or her termination. Other actions may be needed to protect the company’s data assets. A terminated sales employee, for example, may attempt to take the company’s confidential customer and sales-prospect data for future use at another company. The terminating employer should take steps to protect those data prior to the termination.

The human resources department should be aware of the importance of giving IS administrators early notification of employee termination. If no blanket policy exists, the information systems department must assess each case on an individual basis.

Human Safeguards for Nonemployee Personnel


Business requirements may necessitate opening information systems to nonemployee personnel—temporary personnel, vendors, partner personnel (employees of business partners), and the public. Although temporary personnel can be screened, to reduce costs the screening will be abbreviated from that for employees. In most cases, companies cannot screen either vendor or partner personnel. Of course, public users cannot be screened at all. Similar limitations pertain to security training and compliance testing.

In the case of temporary, vendor, and partner personnel, the contracts that govern the activity should call for security measures appropriate to the sensitivity of the data and the IS resources involved. Companies should require vendors and partners to perform appropriate screening and security training. The contract also should mention specific security responsibilities that are particular to the work to be performed. Companies should provide accounts and passwords with the least privilege and remove those accounts as soon as possible.

The situation differs with public users of websites and other openly accessible information systems. It is exceedingly difficult and expensive to hold public users accountable for security violations. In general, the best safeguard from threats from public users is to harden the website or other facility against attack as much as possible. Hardening a site means to take extraordinary measures to reduce a system’s vulnerability. Hardened sites use special versions of the operating system, and they lock down or eliminate operating systems features and functions that are not required by the application. Hardening is actually a technical safeguard, but we mention it here as the most important safeguard against public users.

Finally, note that the business relationship with the public, and with some partners, differs from that with temporary personnel and vendors. The public and some partners use the information system to receive a benefit. Consequently, safeguards need to protect such users from internal company security problems. A disgruntled employee who maliciously changes prices on a website potentially damages both public users and business partners. As one IT manager put it, “Rather than protecting ourselves from them, we need to protect them from us.” This is an extension of the fifth safeguard in Figure 10-7.



Account Administration


The administration of user accounts, passwords, and help-desk policies and procedures is another important human safeguard.

Account Management
Account management concerns the creation of new user accounts, the modification of existing account permissions, and the removal of unneeded accounts. Information system administrators perform all of these tasks, but account users have the responsibility to notify the administrators of the need for these actions. The IS department should create standard procedures for this purpose. As a future user, you can improve your relationship with IS personnel by providing early and timely notification of the need for account changes.

The existence of accounts that are no longer necessary is a serious security threat. IS administrators cannot know when an account should be removed; it is up to users and managers to give such notification.
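The termination and account-management passages above make the same point: administrators cannot know on their own when an account should go, so the HR roster has to be compared against the account list. The following added Python example (not from the textbook) does that reconciliation; the roster, the accounts, and the 90-day and 14-day thresholds are constructed for the illustration.

```python
"""Reconciling the account list against the HR roster to find accounts that
should already be gone. Added illustration; the roster, the accounts and the
thresholds are constructed for this example, not taken from the textbook."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Employee:
    emp_id: str
    name: str
    status: str               # "active" or "terminated"
    last_day: Optional[date]  # set as soon as HR knows the departure date

@dataclass
class Account:
    username: str
    emp_id: Optional[str]     # None when no HR record claims the account
    enabled: bool
    last_login: Optional[date]

DORMANT_AFTER = timedelta(days=90)   # constructed policy threshold
NOTICE_WINDOW = timedelta(days=14)   # how far ahead to schedule removals

def reconcile(roster, accounts, today):
    """Return (username, action, reason) for every enabled account that needs
    attention. Actions, from most to least urgent:
      disable-investigate  owner has left and the account was used afterwards
      disable              owner has left
      schedule-removal     owner's last day falls inside the notice window
      review               no HR record owns the account, or it is dormant
    """
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        emp = by_id.get(acct.emp_id)
        if emp is None:
            findings.append((acct.username, "review", "no HR record owns this account"))
            continue
        departed = emp.status == "terminated" or (
            emp.last_day is not None and emp.last_day < today)
        if departed:
            when = f" on {emp.last_day}" if emp.last_day else ""
            # A login after the last day is exactly the case the text warns about.
            if acct.last_login and emp.last_day and acct.last_login > emp.last_day:
                findings.append((acct.username, "disable-investigate",
                                 f"owner left{when}; account used {acct.last_login}"))
            else:
                findings.append((acct.username, "disable", f"owner left{when}"))
        elif emp.last_day is not None and emp.last_day <= today + NOTICE_WINDOW:
            findings.append((acct.username, "schedule-removal",
                             f"owner's last day is {emp.last_day}"))
        elif acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append((acct.username, "review",
                             f"dormant for more than {DORMANT_AFTER.days} days"))
    return findings

# Constructed sample data.
TODAY = date(2020, 6, 15)
ROSTER = [
    Employee("E100", "A. Lee",  "active",     None),
    Employee("E101", "B. Diaz", "terminated", date(2020, 5, 29)),
    Employee("E102", "C. Park", "active",     date(2020, 6, 26)),  # resigned, leaving soon
    Employee("E103", "D. Shah", "active",     None),
]
ACCOUNTS = [
    Account("alee",       "E100", True,  date(2020, 6, 14)),
    Account("bdiaz",      "E101", True,  date(2020, 6, 12)),  # used after termination
    Account("cpark",      "E102", True,  date(2020, 6, 15)),
    Account("dshah",      "E103", True,  date(2020, 2, 1)),   # dormant
    Account("svc_report", None,   True,  date(2020, 6, 1)),   # nobody owns it
    Account("oldadmin",   "E099", False, None),               # already disabled
]

if __name__ == "__main__":
    for username, action, reason in reconcile(ROSTER, ACCOUNTS, TODAY):
        print(f"{username:<11} {action:<20} {reason}")
```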

Password Management
Passwords are the primary means of authentication. They are important not just for access to the user’s computer, but also for authentication to other networks and servers to which the user may have access. Because of the importance of passwords, the National Institute of Standards and Technology (NIST) recommends that employees be required to sign statements similar to those shown in Figure 10-14.

Figure 10-14: Sample Account Acknowledgment Form

Source: National Institute of Standards and Technology, U.S. Department of Commerce. Introduction to Computer Security: The NIST Handbook, Publication 800–812.

I hereby acknowledge personal receipt of the system password(s) associated with the user IDs listed below. I understand that I am responsible for protecting the password(s), will comply with all applicable system security standards, and will not divulge my password(s) to any person. I further understand that I must report to the Information Systems Security Officer any problem I encounter in the use of the password(s) or when I have reason to believe that the private nature of my password(s) has been compromised.

When an account is created, users should immediately change the password they are given to one of their own. In fact, well-constructed systems require the user to change the password on first use.

Additionally, users should change passwords frequently thereafter. Some systems will require a password change every 3 months or perhaps more frequently. Users grumble at the nuisance of making such changes, but frequent password changes reduce not only the risk of password loss but also the extent of damage if an existing password is compromised.

Some users create two passwords and switch back and forth between those two. This strategy results in poor security, and some password systems do not allow the user to reuse recently used passwords. Again, users may view this policy as a nuisance, but it is important.

Help-Desk Policies
In the past, help desks have been a serious security risk. A user who had forgotten his password would call the help desk and plead for the help-desk representative to tell him his password or to reset the password to something else. “I can’t get this report out without it!” was (and is) a common lament.

The problem for help-desk representatives is, of course, that they have no way of determining that they are talking with the true user and not someone spoofing a true user. But they are in a bind: If they do not help in some way, the help desk is perceived to be the “unhelpful desk.”

To resolve such problems, many systems give the help-desk representative a means of authenticating the user. Typically, the help-desk information system has answers to questions that only the true user would know, such as the user’s birthplace, mother’s maiden name, or last four digits of an important account number. Usually, when a password is changed, notification of that change is sent to the user in an email. Email is sent as plaintext, however, so the new password itself ought not to be emailed. If you ever receive notification that your password was reset when you did not request such a reset, immediately contact IT security. Someone has compromised your account.

All such help-desk measures reduce the strength of the security system, and, if the employee’s position is sufficiently sensitive, they may create too large a vulnerability. In such a case, the user may just be out of luck. The account will be deleted, and the user must repeat the account-application process.

Systems Procedures


Figure 10-15 shows a grid of procedure types—normal operation, backup, and recovery. Procedures of each type should exist for each information system. For example, the order-entry system will have procedures of each of these types, as will the Web storefront, the inventory system, and so forth. The definition and use of standardized procedures reduce the likelihood of computer crime and other malicious activity by insiders and ensure that the system’s security policy is enforced.

Figure 10-15: Systems Procedures

| | System Users | Operations Personnel |
|---|---|---|
| Normal operation | Use the system to perform job tasks, with security appropriate to sensitivity. | Operate data center equipment, manage networks, run Web servers, and do related operational tasks. |
| Backup | Prepare for loss of system functionality. | Back up website resources, databases, administrative data, account and password data, and other data. |
| Recovery | Accomplish job tasks during failure. Know tasks to do during system recovery. | Recover systems from backed up data. Perform role of help desk during recovery. |

Procedures exist for both users and operations personnel. For each type of user, the company should develop procedures for normal, backup, and recovery operations. As a future user, you will be primarily concerned with user procedures. Normal-use procedures should provide safeguards appropriate to the sensitivity of the information system.

Backup procedures concern the creation of backup data to be used in the event of failure. Whereas operations personnel have the responsibility for backing up system databases and other systems data, departmental personnel have the need to back up data on their own computers. Good questions to ponder are “What would happen if I lost my computer or mobile device tomorrow?” “What would happen if someone dropped my computer during an airport security inspection?” “What would happen if my computer was stolen?” Employees should ensure that they back up critical business data on their computers. The IS department may help in this effort by designing backup procedures and making backup facilities available.

Finally, systems analysts should develop procedures for system recovery. First, how will the department manage its affairs when a critical system is unavailable? Customers will want to order and manufacturing will want to remove items from inventory even though a critical information system is unavailable. How will the department respond? Once the system is returned to service, how will records of business activities during the outage be entered into the system? How will service be resumed? The system developers should ask and answer these questions and others like them and develop procedures accordingly.



Security Monitoring


Security monitoring is the last of the human safeguards we will consider. Important monitoring functions are activity log analyses, security testing, and investigating and learning from security incidents.

Many information system programs produce activity logs. Firewalls produce logs of their activities, including lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall. DBMS products produce logs of successful and failed log-ins. Web servers produce voluminous logs of Web activities. The operating systems in personal computers can produce logs of log-ins and firewall activities.

None of these logs adds any value to an organization unless someone looks at them. Accordingly, an important security function is to analyze these logs for threat patterns, successful and unsuccessful attacks, and evidence of security vulnerabilities.
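The analysis step the paragraph above calls for, as an added Python example that is not from the textbook: it parses a constructed authentication log, counts lines it cannot parse rather than dropping them silently, and flags a burst of failed log-ins from one source, a success that follows such a burst, and any successful log-in by an account that HR says should no longer exist. The log format, the sample lines, the disabled-account list and the thresholds are all constructed for this illustration.

```python
"""Turning activity logs into findings. Added illustration, not from the
textbook: the log format, sample lines, thresholds and the disabled-account
list are all constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample of a DBMS/SSO authentication log.
SAMPLE_LOG = """\
2020-06-15T08:02:11 auth user=alee src=10.0.4.21 result=OK
2020-06-15T08:05:40 auth user=cpark src=10.0.4.30 result=OK
2020-06-15T22:14:02 auth user=bdiaz src=203.0.113.7 result=FAIL
2020-06-15T22:14:09 auth user=bdiaz src=203.0.113.7 result=FAIL
2020-06-15T22:14:15 auth user=bdiaz src=203.0.113.7 result=FAIL
2020-06-15T22:14:22 auth user=bdiaz src=203.0.113.7 result=FAIL
2020-06-15T22:14:31 auth user=bdiaz src=203.0.113.7 result=OK
2020-06-15T23:01:00 auth user=dshah src=198.51.100.9 result=FAIL
2020-06-15T23:40:00 auth user=dshah src=198.51.100.9 result=FAIL
2020-06-16T07:59:58 auth user=alee src=10.0.4.21 result=FAIL
2020-06-16T08:00:05 auth user=alee src=10.0.4.21 result=OK
this line is not in the expected format
"""

DISABLED_ACCOUNTS = {"bdiaz"}   # constructed: accounts HR says should be gone
FAIL_THRESHOLD = 3              # constructed policy values
WINDOW = timedelta(minutes=5)

def parse(text):
    """Return (events, unparsed_count). Unparseable lines are counted, not
    silently dropped, because a sudden rise in them is itself worth a look."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"], "src": m["src"], "result": m["result"],
        })
    return events, unparsed

def analyze(events, disabled=DISABLED_ACCOUNTS, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (rule, user, src, detail) findings.
    Rules: 'brute-force' (>= threshold FAILs for one user/src inside the
    window), 'guess-succeeded' (an OK that follows such a burst) and
    'disabled-account-login' (any OK for an account that should be gone)."""
    findings = []
    recent_fails = defaultdict(list)   # (user, src) -> timestamps of recent FAILs
    flagged = set()                    # keys already reported as a burst
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            fails = recent_fails[key]
            fails.append(ev["ts"])
            fails[:] = [t for t in fails if ev["ts"] - t <= window]  # slide the window
            if len(fails) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append(("brute-force", ev["user"], ev["src"],
                                 f"{len(fails)} failures within {window}"))
        else:
            if ev["user"] in disabled:
                findings.append(("disabled-account-login", ev["user"], ev["src"],
                                 f"success at {ev['ts']}"))
            if key in flagged:
                findings.append(("guess-succeeded", ev["user"], ev["src"],
                                 f"success at {ev['ts']} after a failure burst"))
            # A success closes the episode; a single typo followed by success is normal.
            recent_fails.pop(key, None)
            flagged.discard(key)
    return findings

if __name__ == "__main__":
    events, bad = parse(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {bad} unparseable line(s)")
    for rule, user, src, detail in analyze(events):
        print(f"{rule:<23} {user:<6} {src:<14} {detail}")
```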

Today, most large organizations actively investigate their security vulnerabilities. They may employ utilities such as Tenable’s Nessus or HCL’s AppScan to assess their vulnerabilities.

Many companies create honeypots, which are false targets for computer criminals to attack. To an intruder, a honeypot looks like a particularly valuable resource, such as an unprotected website, but in actuality the only site content is a program that determines the attacker’s IP address. Organizations can then trace the IP address back using free online tools, like DNSstuff, to determine who has attacked them.10 If you are technically minded, detail-oriented, and curious, a career as a security specialist in this field is almost as exciting as it appears on CSI. To learn more, check out DNSstuff, Nessus, or Security AppScan.

Another important monitoring function is to investigate security incidents. How did the problem occur? Have safeguards been created to prevent a recurrence of such problems? Does the incident indicate vulnerabilities in other portions of the security system? What else can be learned from the incident?

Security systems reside in a dynamic environment. Organization structures change. Companies are acquired or sold; mergers occur. New systems require new security measures. New technology changes the security landscape, and new threats arise. Security personnel must constantly monitor the situation and determine if the existing security policy and safeguards are adequate. If changes are needed, security personnel need to take appropriate action.

Security, like quality, is an ongoing process. There is no final state that represents a secure system or company. Instead, companies must monitor security on a continuing basis.





Q10-8 How Should Organizations Respond to Security Incidents?


The last component of a security plan that we will consider is incident response. Figure 10-16 lists the major factors. First, every organization should have an incident-response plan as part of the security program. No organization should wait until some asset has been lost or compromised before deciding what to do. The plan should include how employees are to respond to security problems, whom they should contact, the reports they should make, and steps they can take to reduce further loss.

Figure 10-16: Factors in Incident Response

· Have plan in place

· Centralized reporting

· Specific responses

· Speed

· Preparation pays

· Don’t make problem worse

· Practice

Consider, for example, a virus. An incident-response plan will stipulate what an employee should do when he notices the virus. It should specify whom to contact and what to do. It may stipulate that the employee should turn off his computer and physically disconnect from the network. The plan should also indicate what users with wireless computers should do.

The plan should provide centralized reporting of all security incidents. Such reporting will enable an organization to determine if it is under systematic attack or whether an incident is isolated. Centralized reporting also allows the organization to learn about security threats, take consistent actions in response, and apply specialized expertise to all security problems.

When an incident does occur, speed is of the essence. The longer the incident goes on, the greater the cost. Viruses and worms can spread very quickly across an organization’s networks, and a fast response will help to mitigate the consequences. Because of the need for speed, preparation pays. The incident-response plan should identify critical personnel and their off-hours contact information. These personnel should be trained on where to go and what to do when they get there. Without adequate preparation, there is substantial risk that the actions of well-meaning people will make the problem worse. Also, the rumor mill will be alive with all sorts of nutty ideas about what to do. A cadre of well-informed, trained personnel will serve to dampen such rumors.

Finally, organizations should periodically practice incident response. Without such practice, personnel will be poorly informed on the response plan, and the plan itself may have flaws that only become apparent during a drill.





Q10-9 2031?


What will be the status of information security by 2031? Will we have found a magic bullet to eliminate security problems? No. Human error is a constant; well-managed organizations will plan better for it and know how to respond better when it does occur, but as long as we have humans, we’ll have error. Natural disasters are similar. The horrific events surrounding Hurricane Katrina in 2005 and the Japanese tsunami in 2011, as well as Hurricane Sandy in 2012, have alerted the world that we need to be better prepared, and more companies will set up hot or cold sites and put more data in well-prepared clouds. So, we’ll be better prepared, but natural disasters are natural, after all.

Unfortunately, it is likely that sometime in the next 10 years some new, major incidents of cyberwarfare will have occurred. APTs will become more common, if indeed they are not already common but we don’t know it. Will some new nation or group enter the cyberwar picture? That also seems likely. Unless you’re in the security and intelligence business, there isn’t much you can do about it. But don’t be surprised if some serious damage is inflicted somewhere in the world due to APTs.

In 2013, privacy advocates were outraged at the existence of PRISM, the intelligence program by which the National Security Agency (NSA) requested and received data about Internet activities from major Internet providers. They claimed their privacy, or freedom from being observed by other people, was being destroyed in the name of security, the state of being free from danger. After the initial hullabaloo, it appears that Internet providers did not allow the government direct access to their servers but rather delivered only data about specific individuals, as legally requested according to security laws enacted after 9/11. If so, then PRISM represents a legal governmental request for data, different only in scale from a governmental request for banking data about an organized crime figure.

As of June 2020, Edward Snowden, the man who exposed the PRISM program, appears to be either an advocate for Internet freedom and privacy or a traitor who sold government secrets to China and Russia for private gain. Regardless of the reasons for the leak, the episode raises the question of what governmental intrusion should be allowed into private data. We can hope the revelation of the existence of PRISM will spark a public conversation on the balance of national security and data privacy. In 2018, the PRISM surveillance program was renewed by Congress and the president of the United States for an additional 6 years.

What about computer crime? It is a game of cat and mouse. Computer criminals find a vulnerability to exploit, and they exploit it. Computer security experts discover that vulnerability and create safeguards to thwart it. Computer criminals find a new vulnerability to exploit, computer security forces thwart it, and so it goes. The next major challenges will likely be those affecting mobile devices. But security on these devices will be improved as threats emerge that exploit their vulnerabilities. This cat-and-mouse game is likely to continue for at least the next 10 years. No super-safeguard will be devised to prevent computer crime, nor will any particular computer crime be impossible to thwart. However, the skill level of this cat-and-mouse activity is likely to increase, and substantially so. Because of increased security in operating systems and other software and because of improved security procedures and employee training, it will become harder and harder for the lone hacker to find some vulnerability to exploit. Not impossible, but vastly more difficult.

So, what will happen? Cloud vendors and major organizations will continue to invest in safeguards; they’ll hire more people (maybe you), train them well, and become ever more difficult to infiltrate. Although some criminals will continue to attack these fortresses, most will turn their attention to less protected, more vulnerable, midsized and smaller organizations and to individuals. You can steal $50M from one company or $50 from a million people with the same cash result. And, in the next 10 years, because of improved security at large organizations, the difficulty and cost of stealing that $50M will be much higher than stealing $50 a million times.

Part of the problem is porous national borders. People can freely enter the United States electronically without a passport. They can commit crimes with little fear of repercussions. There are no real electronic IDs. Cyber-gangs are well organized, financially motivated, and possibly state-sponsored. Electronic lawlessness is the order of the day. If someone in Romania steals from Google, Apple, Microsoft, or Boeing and then disappears into a cloud of networks in Uzbekistan, do those large organizations have the resources, expertise, and legal authority to pursue the attackers? What if that same criminal steals from you in Nashville? Can your local or state law enforcement authorities help? And if your portion of the crime is $50, how many calls to Uzbekistan do they want to make?

Take another look at Figure 10-6. Send a copy to your loved ones.

So What? New From Black Hat 2019

Hackers, security professionals, academics, and government agents flock to Las Vegas each year to attend two of the world’s largest and most well-known security conferences—Black Hat and Def Con. Black Hat caters to more of a professional and academic crowd of security professionals, corporations, and government entities, whereas Def Con attracts more general members of the hacking community. Despite the different target audiences of these events, travelers to Las Vegas typically attend both conferences as they occur back-to-back.

Each year speakers give briefings on how things can be hacked. Presenters show exactly how to exploit weaknesses in hardware, software, protocols, or systems. One session may show you how to hack your smartphone, whereas another may show you how to empty the cash out of an ATM.

Presentations encourage companies to fix product vulnerabilities and serve as an educational forum for hackers, developers, manufacturers, and government agencies. The following are topic areas that were some of the highlights from the 2019 Black Hat and Def Con conferences.

Deepfakes
A number of talks this year centered on deepfakes—the creation of computer-generated imagery (they can be either photos or videos) in which the likeness of one individual is replaced by the likeness of another. It is possible to create high-fidelity deepfakes using powerful artificial intelligence and machine learning technologies. As processing power has continued to increase over time and specialized software that can be used to create these videos has become more widely available, the number of deepfakes being created and shared on the Web has risen drastically.

Early applications of deepfake videos were focused on pornography. Deepfake creators would generate videos with the faces of celebrities merged with the bodies of porn stars. Even more nefarious was the practice of deepfake creators generating videos of pornography actors with the faces of coworkers, classmates, or exes.

The quality of the computer-generated deepfakes is so high that even victims/targets who claim the videos are fake may not be believed. It has become a priority to be able to identify indicators of these fake videos to protect the integrity of information. New methods to do so were presented at Black Hat 2019.11

Internet of Things (IoT)
Households are gradually adopting more and more IoT devices. It is not uncommon to walk into a friend’s, family member’s, or neighbor’s house today and see a smart thermostat, Wi-Fi or Bluetooth lighting, Internet-connected security cameras or baby monitors, smart TVs, smart speakers, digital assistants, and so on.

An underlying principle of IoT devices is that they must be easily configurable and integrated with other IoT devices—for example, smart lighting that is linked with a smart security system and the lighting flashes red when the alarm goes off.

Another important feature of IoT devices is that they must be easily controlled by intuitive apps and digital assistants—for example, a homeowner walks into their dark house and tells Alexa to turn the lights on.

All of these integrations between IoT devices and apps mean that there are many potential vulnerabilities in the software that is used to communicate with and manage these devices. If IoT software was developed with a priority on security, easy integration between hundreds and thousands of different products would be much more difficult.

Def Con and Black Hat are often riddled with presentations about how smart devices can be hacked (often very easily!)—this year, presentations focused on how to compromise a variety of different motors and even the internal network of a Boeing aircraft.

Election Technology
The 2016 U.S. presidential election was clouded with a variety of rumors and allegations about misinformation campaigns. Even the integrity of the voting equipment was questioned. Accordingly, interest by information security professionals and hackers in technology used in any way for the election process has skyrocketed.

In an effort to identify potential hacking techniques that could be used against voting machines, Def Con created a Voting Village, where attendees can get direct access to tinker around with the same models of various technologies that are still used today to conduct elections.

A highlight this year in the Voting Village was the addition of a new microprocessor developed by the Defense Advanced Research Projects Agency (DARPA), which they submitted to allow people to have a chance to compromise it.13 Companies are relying more and more on external security experts to identify vulnerabilities in their products and digital services—this is just one more example of that collaboration.

Questions

What are the implications of deepfake videos for the world of politics, finance, or national security?

Do you think it is illegal to create and post a deepfake video?

What is your position on the adoption of IoT devices considering their tendency to have poor security controls? Are they worth the risk?

If you could go to either Black Hat or Def Con, what topic area would be of most interest to you (technical security, behavioral security, hacking IoT devices, etc.)? Explain.

Security Guide

Using Tech to Mitigate Covid-19 Risks
A key element of information security is identifying risk and determining the best course of action to deal with that risk. A common way to think about information security risk is to liken it to a medieval castle. Castles are notorious for leveraging a variety of security measures to keep occupants and resources on the inside safe. Defense mechanisms include a drawbridge, gate, moat, inner and outer walls, towers, and battlements.

Storming a castle with such defenses requires extensive planning, resources, time, and a winning strategy. Often, the burden is so high that the castle defenses act as an effective deterrent because external threats decide not to even waste their time, energy, or resources trying to gain entry.

Digital Defenses
In the digital world, organizations use a variety of defenses to keep networks, systems, and data safe. For example, physical security, like restricted parking, card swipes at doors, check-in stations in office lobbies, and role-based access controls to certain parts of an office building, helps ensure that unauthorized people can’t physically access sensitive systems and data.

Digital fortifications, like firewalls and intrusion detection systems, help ensure that nefarious actors cannot gain access to sensitive internal networks to steal, modify, delete, or corrupt data. Finally, security education training and awareness (SETA) programs and security policies help increase the chances that those behind “castle walls” don’t inadvertently leave a “door” or “window” unlocked that might allow an enemy to easily gain entry.

In addition to the standard security posture organizations use to build their secure digital castles, other mechanisms are used to help ensure the longevity of an organization in the event of other risks (e.g., a natural disaster).

For example, disaster recovery plans and the more expansive business continuity plans are put in place so that organizations have a procedure in place to restore critical systems in the event of disruption but also help ensure the likelihood that some degree of normal business operations can be maintained during a crisis.

Mitigating COVID-19
However, despite all of the security measures and risk-mitigation strategies that organizations had developed and implemented, few were ready for the impact of the COVID-19 pandemic. The sweeping effects of a highly contagious virus had not been accounted for by most organizations, and widespread stay-at-home orders and social distancing measures translated to office buildings being shuttered for extended periods of time.

In short, a new form of risk had been introduced to organizations—a risk introduced by one of its greatest assets—its very own employees. As organizations started thinking about steps to gradually reopen business to bring people back into office spaces, innovative solutions were proposed on how the risks of working in an office could be minimized to help avoid the need to shut down operations once more.

The following list introduces some technologically based measures that organizations are developing to help reduce risk and promote a safe environment for employees:14

Thermal cameras. Having a fever was one of the most consistent symptoms of COVID-19. Thermal cameras have been identified as an effective way to identify people who may be symptomatic. Placing a thermal camera at the entrance of an office building could be used to screen employees as they come in to work. Anyone displaying increased body temperature could be notified and sent home.

Risk segmentation. While working from home was permitted by many organizations during the initial stages of the pandemic, it may only be permitted for high-risk employees once office work resumes. Identifying employees whose age or preexisting conditions would render them especially or moderately susceptible to the virus would allow organizations to adopt different mitigation strategies for different groups instead of implementing sweeping protocols that may not be necessary for everyone (e.g., everyone is mandated to work from home indefinitely).

Phone apps. One thing people usually have nearby is their phone. This habit provides organizations with a number of opportunities for keeping track of where employees are located and how they are interacting with other employees. Apps can be used to track employee movements to help monitor and enforce social distancing. Some apps are even embedding gamification to help motivate employees to follow safety protocols (e.g., “You get bonus points today for not gathering in collaborative work groups > 5 people!”).

Surveys. Data collected from employees about their activities and their symptoms can be used to identify potential risks. Some companies are deploying daily or weekly surveys to identify employees who may have engaged in risky behavior or who may be in the early stages of having the virus. Daily snapshots of employees can be used to make decisions about who is eligible to come to the office. It has also been proposed that a digital thermometer could be linked to an app so that employees could submit daily temperature readings to an employer before getting the green light to come back to work.

Discussion Questions

The list presented in the article entails a number of solutions that would require data collection from employees. Do you think employers have a right to collect these types of data?

When a person or an organization is granted power, it can often be difficult for this power to be relinquished. If organizations put a number of monitoring and surveillance mechanisms in place to track employees so risk can be identified/mitigated, do you think employers will readily curtail these activities once the threat from the pandemic has subsided?

Can you think of any other innovations not listed in the article that companies could use to try to mitigate the risks introduced by employees who may have the virus and be contagious?

The comparison of information security to a digital castle has been used for many years. However, the landscape of technology has changed drastically with the mass proliferation of laptops, mobile devices, wearables, and so on. Do you think the digital castle model still holds true today? Why or why not?

Career Guide

Source: Chris Heywood, Northrop Grumman, Cyber Systems Engineer

Name: Chris Heywood

Company: Northrop Grumman

Job Title: Cyber Systems Engineer

Education: Carnegie Mellon University, Weber State University

How did you get this type of job?

I knew I wanted to be in cybersecurity ever since I was a junior in college. I started applying to all kinds of cybersecurity jobs and would go to any job fair I could find. I practiced and practiced interviewing and worked really hard to understand technical concepts in networking and security. My hard work paid off as I was able to land my first internship in cybersecurity. Shortly after my internship, I was able to get a graduate degree and landed another internship for my current company. After a very successful internship, I was offered a full-time position as a cyber systems engineer. It took a lot of hard work and education, but it has been worth it!

What attracted you to this field?

I always thought it would be awesome to know how to break into systems and know how to defend systems from hackers. After seeing YouTube videos demonstrating how easy it is for hackers to steal usernames, passwords, and even data about bank accounts, I decided that I would love to protect myself and others from the malicious intents of hackers and to keep our information safe.

What does a typical workday look like for you (duties, decisions, problems)?

Every day at my work is very different. Some days I could be looking for vulnerabilities in highly sensitive systems, and other days I could be writing policy for our organization. Most of my days involve me looking at systems and deciding how much cybersecurity risk the system has based on the vulnerabilities I find and then making plans on how to better secure those systems. Each day presents unique challenges that I love to solve.

What do you like most about your job?

Working in the security industry gives me a lot of opportunities to learn about securing the many changing technologies out there. The greatest thing about loving your job is that it’s more of a hobby than it is a job. I get to learn about how to physically and virtually break into systems, secure systems, encrypt communications, engineer secure networks, and hunt for threats in my organization.

What skills would someone need to do well at your job?

When I am looking for someone to hire on my team, some of the main skills that I look for are the abilities to communicate comfortably with others, work well on a team, and have the desire to keep on learning. Having a technical and analytical background will also be valuable to someone who is joining cybersecurity.

Are education or certifications important in your field? Why?

Education and certifications are very valuable in the cybersecurity field. Many organizations will require that you have at least a bachelor’s degree in any IT-related field and hold at least one cybersecurity certification. This will ensure that you can effectively demonstrate your knowledge of cybersecurity to protect your organization’s information technology. With new cyber threats and vulnerabilities emerging daily, it is vital to continue your education in cybersecurity.

What advice would you give to someone who is considering working in your field?

Work really hard to understand how information technology works and don’t be afraid to experiment with it. Set up labs and virtual machines to help you understand how networking, system administration, and cybersecurity work. Apply the things that you learn in classes and get as much practical experience as you can. Start implementing free cybersecurity tools in your home network and become an expert. Watch YouTube tutorials on how to set up, exploit, and secure environments. Most of all, have fun and enjoy what you are doing to learn cybersecurity concepts.

What do you think will be hot tech jobs in 10 years?

I think that there will continue to be many hot tech jobs in 10 years. Technology isn’t going away anytime soon, and I expect the need for professionals in the tech industry will be at its highest. We will start to see more jobs in the fields of IoT, the cloud, robotics, data science, software engineering, and cybersecurity. It’s a great time to be part of the tech industry!

Ethics Guide

White Hat, Blackballed
Howard stared at the phone waiting for the next call to come in—surprisingly, it was another few minutes before the red light flickered, the piercing ringtone was triggered, and he was rattled into action. “Hello, thank you for calling customer service . . . how can I help you today?” Every time he uttered those words, he felt a little piece of himself crumble on the inside. He didn’t know how much longer he could do this job without having a breakdown.

Howard had been working in the customer service call center for a few years. It had been a necessary financial solution for him while going to school. His ambition, however, was not serving customers but actually information security.

He was currently in his final year of an undergraduate management information systems program, and he was specializing in the security track. He’d spent a few years waffling around and testing out different majors, but luckily, he had finally found something that he could get excited about.

He loved it so much that information security actually felt more like a hobby to him than something he had to study or work at. He would never admit it to his friends, but the weekends he told them he couldn’t join them he was actually at home reading Kevin Mitnick books, testing out newfound security software, or sifting through security sites and message boards to find out the latest news from the security world. He had even checked out the dark web a few times just to see what it was all about.

However, he had started to get bored with just tinkering around on his home network. Sure, using steganography applications to hide data in images was cool at first, but after a few dozen times, it lost its luster. Packet sniffing with Wireshark had been entertaining for a while, but his home network only had a few devices connected to it, so there wasn’t much traffic to check out. He needed a bigger sandbox to test out his skills.

To liven things up, he had decided to bring his laptop to work with him so that he could start tinkering around with his security tool arsenal on the company network. It wasn’t a huge company, and the IT staff was clearly not a priority—it was a pretty small shop.

If he could find a few problems on the network and show them to his boss, maybe he could even get a job on the IT team and get out of customer service. After all, wouldn’t he basically be doing what a white hat hacker does but for free? How could this be a problem?

White Hat
It only took about a week for Howard to accumulate a treasure trove of data on the company network. Even though he had access to the call center Wi-Fi network as an employee, he wanted to pretend that he was an outside hacker to see if he could first gain access and then find sensitive data.

He used a method he found on YouTube to break into the Wi-Fi and then used his packet sniffing tool to start scoping things out. He quickly found out that the custom software platform that had been developed for the company’s call center had very few security measures in place. In fact, it looked like each user’s credentials were sent every few minutes in plaintext in the packet header—within about a half hour, Howard had been able to jot down the username and password of everyone that was working that shift, even the supervisor.

Once he had this list of employee credentials, he wanted to go for the crown jewels—the HR system. Based on his knowledge of the tendency for people to reuse the same password for multiple accounts, he figured a high percentage of the passwords used for the call center system would have been used for the HR platform as well.

Logging in to the HR account of his boss seemed like it would be pushing it, so he tested out the passwords for a few of his call center coworkers. Three of the five passwords worked, and he was able to log in to their HR accounts. He felt wrong checking out pay slips or looking at anything too sensitive, so he took screenshots of their contact information and added them to the archive of everything else he had documented.

Finally, he saved the files onto a USB drive. “I am going to be a hero!” he said to himself as he walked down the hall to talk to his supervisor. As he turned the corner, he wondered how much more they would pay him in his new position as an IT security worker—how could they turn him down?

Blackballed
It took Howard all of 15 minutes to run through his impromptu presentation. He felt a rush of adrenaline as he explained, step-by-step, how he had compromised the network, scooped up user credentials, and, ultimately, found his way into multiple HR accounts.

In his excitement, he failed to notice the evolution of his supervisor’s demeanor from inconvenienced to annoyed to irate. Howard closed his presentation by asking for the supervisor to consider him the next time a spot on the IT staff became available. He was completely blindsided by his supervisor’s response:

“Howard, I am not sure you understand the gravity of this situation. Do we want our company to be safe and secure—of course! And we can and will take your analysis to the IT group to have them shore up some of these vulnerabilities. However, the nature of what you have done is very serious.

“First, you spent company time to play hacker, and that is not what we are paying you to do. Second, you violated the privacy of multiple fellow employees by logging into their HR accounts, and even though you only took screenshots of relatively benign information, there is no way for me to know that you weren’t looking at more sensitive areas. Third, you dropped all of this information, including your methods, onto a USB drive. What happens if someone takes this from you or if you drop it in the parking lot on your way out? You have created a hacking care package for someone else that could potentially use this info to inflict serious damage!

“I am going to have to ask you to leave for the day and to not return until I talk with management—I need to think about this more, but I am afraid you may have compromised your job here.”

Howard couldn’t believe what he was hearing. He was just trying to practice his security skills but also help the company by pointing out where it had vulnerabilities—he was trying to protect the company! It’s not like he broke the law, and as far as he could tell, he didn’t think he had even done anything wrong according to the employee handbook. As he walked out to his car, he wondered if he would ever see this place again.

Discussion Questions

Consider Howard’s unsanctioned efforts to investigate and report security vulnerabilities on the company network, activities outside his role.

Is this behavior ethical according to the categorical imperative?

Is this behavior ethical according to the utilitarian perspective?

How do you think the employees whose records Howard accessed would react if they found out about his behavior?

If Howard had asked his supervisor for permission to engage in this type of behavior, do you think he would have been given permission to proceed?

If you were Howard’s supervisor, what would you do? What if there was nothing in the employee handbook relevant to these activities and Howard did not technically break the law? Would that change your response in this situation?


Active Review

Use this Active Review to verify that you understand the ideas and concepts that answer the lesson’s study questions.

Q10-1 What is the goal of information systems security?

Define threat, vulnerability, safeguard, and target. Give an example of each. List three types of threats and five types of security losses. Give different examples for the three rows of Figure 10-2. Summarize each of the elements in the cells of Figure 10-3. Explain why it is difficult to know the true cost of computer crime. Explain the goal of IS security.

Q10-2 How big is the computer security problem?

Explain why it is difficult to know the true size of the computer security problem in general and of computer crime in particular. List the takeaways in this question and explain the meaning of each.

Q10-3 How should you respond to security threats?

Explain each of the elements in Figure 10-6. Define IDS, and explain why the use of an IDS program is sobering, to say the least. Define brute force attack and credential stuffing. Summarize the characteristics of a strong password. Explain how your identity and password do more than just open doors on your computer. Define cookie and explain why using a program like CCleaner is a good example of the computer security trade-off.

Q10-4 How should organizations respond to security threats?

Name and describe two security functions that senior management should address. Summarize the contents of a security policy. Describe the causes of security fatigue and how to prevent it. Explain what it means to manage risk. Summarize the steps that organizations should take when balancing risk and cost.

Q10-5 How can technical safeguards protect against security threats?

List five technical safeguards. Define identification and authentication. Describe three types of authentication. Explain how SSL/TLS works. Define firewall, and explain its purpose. Define malware and name six types of malware. Describe six ways to protect against malware. Summarize why malware is a serious problem. Explain how iMed Analytics is designed for security.

Q10-6 How can data safeguards protect against security threats?

Define data administration and database administration, and explain the difference. List data safeguards. Explain how laws like GLBA, HIPAA, GDPR, and PCI DSS protect consumer data.

Q10-7 How can human safeguards protect against security threats?

Summarize human safeguards for each activity in Figure 10-12. Summarize safeguards that pertain to nonemployee personnel. Describe three dimensions of safeguards for account administration. Explain how system procedures can serve as human safeguards. Describe security monitoring techniques.

Q10-8 How should organizations respond to security incidents?

Summarize the actions that an organization should take when dealing with a security incident.

Q10-9 2031?

What, in the opinion of the authors, is likely to happen regarding cyberwarfare in the next 10 years? Explain how the phrase cat and mouse pertains to the evolution of computer crime. Describe the types of security problems that are likely to occur in the next 10 years. Explain how the focus of computer criminals will likely change in the next 10 years. Explain how this is likely to impact smaller organizations, and you.

Using Your Knowledge with iMed Analytics
As an employee, investor, or advisor to iMed Analytics, you can use the knowledge of this lesson to understand the security threats to which any business is subject. You know the need to trade off cost versus risk. You also know three categories of safeguards and the major types of safeguards for each. And you know what it means to design for security. You can also help ensure that iMed Analytics employees and iMed users create and use strong passwords.

Using Your Knowledge

10-1. Credit reporting agencies are required to provide you with a free credit report each year. Most such reports do not include your credit score, but they do provide the details on which your credit score is based. Use one of the following companies to obtain your free report: Equifax, Experian, or TransUnion.

You should review your credit report for obvious errors. However, other checks are appropriate. Search the Web for guidance on how best to review your credit records. Summarize what you learn.

What actions can you take if you find errors in your credit report?

Define identity theft. Search the Web and determine the best course of action if someone thinks he or she has been the victim of identity theft.

10-2. Suppose you lose your company laptop at an airport. What should you do? Does it matter what data are stored on your disk drive? If the computer contained sensitive or proprietary data, are you necessarily in trouble? Under what circumstances should you now focus on updating your résumé for your new employer?

10-3. Suppose you alert your boss to the security threats discussed in Q10-1 and to the safeguards discussed in Q10-4. Suppose she says, “Very interesting. Tell me more.” In preparing for the meeting, you decide to create a list of talking points.

Write a brief explanation of each threat discussed in Q10-1.

Explain how the five components relate to safeguards.

Describe two to three technical, two to three data, and two to three human safeguards.

Write a brief description about the safeguards discussed in Q10-4.

List security procedures that pertain to you, a temporary employee.

List procedures that your department should have with regard to disaster planning.

Collaboration Exercise

Using the collaboration IS you built in Lesson 1, collaborate with a group of students to answer the following questions.

The purpose of this activity is to assess the current state of computer crime.

10-4. Search the Web for the term computer crime and any related terms. Identify what you and your teammates think are the five most serious recent examples. Consider no crime that occurred more than 6 months ago. For each crime, summarize the loss that occurred and the circumstances surrounding the loss, and identify safeguards that were not in place or were ineffective in preventing the crime.

10-5. Search the Web for the term computer crime statistics and find two sources other than the Accenture surveys cited in Q10-2.

For each source, explain the methodology used and explain strengths and weaknesses of that methodology.

Compare the data in the two new sources to that in Q10-2 and describe differences.

Using your knowledge and intuition, describe why you think those differences occurred.

10-6. Go to Accenture and download the Cost of Cyber Crime Study (or a more recent report if one is available).

Summarize the survey with regard to safeguards and other measures that organizations use.

Summarize the study’s conclusions with regard to the efficacy of organizational security measures.

Does your team agree with the conclusions in the study? Explain your answer.

10-7. Suppose that you are asked by your boss for a summary of what your organization should do with regard to computer security. Using the knowledge of this lesson and your answer to questions 10-4 through 10-6, create a PowerPoint presentation for your summary. Your presentation should include, but not be limited to:

Definition of key terms

Summary of threats

Summary of safeguards

Current trends in computer crime

What senior managers should do about computer security

What managers at all levels should do about computer security


Case Study

CrowdStrike

In the closing months of 2014, one of the most high-profile cyberattacks to date would be reported. The attack targeted systems housed at the headquarters of Sony Pictures in Culver City, California. It was triggered by the impending release of a controversial movie that would be hitting theaters in the coming weeks (titled The Interview). The plot of the comedy movie featured criticisms of North Korean leadership and centered around an assassination attempt of Kim Jong-un by two well-known American actors.

The cyberattack resulted in extensive damage to Sony Pictures, including the release of highly sensitive employee data, internal email, intellectual property (e.g., unreleased films and resources for films under production), and so on. Additionally, upon seizing extensive amounts of data from Sony Pictures systems, the attackers then deployed malware to wipe vast amounts of data from the company’s computing infrastructure.

While it was logical that some entity either within or associated with North Korea was behind the attacks, making such an attribution without evidence could be perceived as speculative, irresponsible, and diplomatically damaging. Investigations were launched to follow a trail of “digital bread crumbs” to identify the origin of the attack. Roughly a month after the attack, the Federal Bureau of Investigation (FBI) found that destructive malware linked to the North Korean government had been used to carry out the attack.15

This claim was based on similarities between the Sony Pictures malware and other malware attacks carried out by North Korean actors, as well as on IP addresses used in the attack that were linked to North Korean infrastructure. Despite lingering questions about the FBI’s assessment, an emerging cybersecurity company, CrowdStrike, reaffirmed the FBI’s attribution by reporting similarities between the culprits associated with the Sony Pictures hack and attacks that had taken place against South Korea going back almost 10 years.



Striking While the Iron Is Hot

CrowdStrike was cofounded in 2011 by George Kurtz and Dmitri Alperovitch to provide a more intelligence-based and comprehensive security platform that would go beyond simple malware protection.17 While reporting on the Sony Pictures hack in 2014 was a source of exposure for the company, CrowdStrike had already been involved in a number of important operations, including assisting the U.S. government in investigations of Chinese military hackers and investigating Russian hackers accused of international intelligence gathering activities. Later, the company would be involved in linking Russian intelligence groups with accessing the Democratic National Committee’s (DNC) information systems during the 2016 presidential campaign.18

In a world increasingly dependent on technology and in which security was and continues to be a growing concern, CrowdStrike was poised for massive growth. Over the years, CrowdStrike enhanced and expanded its security solution offerings. In light of its robust lineup of tools, the company was named one of Forbes’s most promising companies, included in the Deloitte Fast 500 in 2015, featured in CNBC’s Disruptor 50 list and Forbes’s Cloud 100 list in 2017, and listed as a top place to work on numerous occasions by Forbes (in addition to many other accolades).19

The company’s growing list of products and accomplishments brought in multiple rounds of funding; by 2018 CrowdStrike was valued at $3 billion and had raised $481 million in total.20 In June 2019, the company had its initial public offering (IPO) at an initial share price of $34; shares closed at the closing bell at $58, raising over $600 million in total.



Strike That

With CrowdStrike’s development of new products and tools and its inherently modular nature that allows customers to configure security solutions that work best for them, the company should be on a trend of sustained growth. However, in early fall of 2019, the company’s shares took a hit when President Trump mentioned CrowdStrike on a call with the Ukrainian president; it turns out the two were discussing the 2016 presidential campaign and the DNC breach.

Being a leader in the information security space has its perks, but being the go-to company called upon to get involved in nation-state-sponsored hacking investigations, cyberwar operations, and digitally based political entanglements has its risks. Will CrowdStrike be able to navigate these dangerous waters, or is it only a matter of time before it becomes the next target?

Questions

10-8. What lessons did the Sony Pictures hack teach the world about cyberwarfare?

10-9. What advice would you give executives at CrowdStrike if they wanted to grow their business? How could they increase revenues?

10-10. Why does CrowdStrike’s appointment to the Forbes list of best places to work point to long-term success for the company?

10-11. What is CrowdStrike’s current stock price? How has CrowdStrike’s stock been performing over the past year? What might be driving CrowdStrike’s valuation? Also, do an Internet search to see if CrowdStrike has been involved in any political or government investigations recently. Is there any relationship between these two searches?

10-12. The article closes by pointing out the risks of getting involved with politics, foreign affairs, and so on. If you were an executive at CrowdStrike, would you recommend avoiding involvement in these types of investigations moving forward?

10-13. How might CrowdStrike be affected in a cyberwar? Would it be affected if a traditional kinetic war broke out? Explain your answer.

10-14. How might an increase in the quantity and size of data breaches affect CrowdStrike’s revenue?

Complete the following writing exercises

10-15. Suppose you need to terminate an employee who works in your department. Summarize security protections you must take. How would you behave differently if this termination were a friendly one?

10-16. Suppose you were just notified that your company has experienced a major data breach. You’ve lost customer records, including usernames, email addresses, passwords, addresses, and phone numbers for all 500,000 of your customers. Estimate the direct costs for notification, detection, escalation, remediation, and legal fees. Suppose the attackers contact you and offer to destroy all records, tell no one about the data breach, and show you how to patch the security hole. The only trick is they want to be hired as a “consultant” and have $600,000 deposited into their European bank account. Would you pay the “consulting” fee? Justify your decision.
