ISYS 326 Information Systems Security
Office | Faculty | Department
Week 2
The Need for Security
Learning Objectives
• Upon completion of this material, you should be able to:
• Discuss the organizational need for information security
• Explain why a successful information security program is
the shared responsibility of an organization’s three
communities of interest
• List and describe the threats posed to information security
and common attacks associated with those threats
• List the common development failures and errors that
result from poor software security efforts
Introduction
• The primary mission of an information security
program is to ensure information assets—
information and the systems that house them—
remain safe and useful.
• If no threats existed, resources could be used
exclusively to improve systems that contain, use,
and transmit information.
• Threat of attacks on information systems is a
constant concern.
Business Needs First
• Information security performs four important
functions for an organization:
• Protecting the organization’s ability to function
• Protecting the data and information the organization
collects and uses
• Enabling the safe operation of applications running on
the organization’s IT systems
• Safeguarding the organization’s technology assets
Protecting the Functionality of an Organization
• Management (general and IT) is responsible for facilitating the security program.
• Implementing information security has more to do with management than with technology.
• Communities of interest should address information security in terms of business impact and the cost of business interruption.
Protecting Data That Organizations Collect and Use
• Without data, an organization loses its record of
transactions and ability to deliver value to
customers.
• Protecting data in transmission, in processing, and
at rest (storage) is a critical aspect of information
security.
Enabling the Safe Operation of Applications
• Organization needs environments that safeguard
applications using IT systems.
• Management must continue to oversee infrastructure
once in place—not relegate to IT department.
Safeguarding Technology Assets in Organizations
• Organizations must employ secure infrastructure
hardware appropriate to the size and scope of the
enterprise.
• Additional security services may be needed as the
organization grows.
• More robust solutions should replace security
programs the organization has outgrown.
Threats and Attacks
• Threat: a potential risk to an asset’s loss of value.
• Attack: An intentional or unintentional act that can damage or
otherwise compromise information and the systems that
support it.
• Exploit: A technique used to compromise a system.
• Vulnerability: A potential weakness in an asset or its
defensive control system(s).
• Management must be informed about the various threats to
an organization’s people, applications, data, and information
systems.
• Overall security is improving, but so is the number of potential
hackers.
Figure 2-1 World Internet usage
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a
certain product or service or otherwise on a password-protected website for classroom use.
Table 2-1 Compiled Survey Results for Types of Attack or Misuse (2000-2011)
Type of Attack or Misuse | 2010/11 | 2008 | 2006 | 2004 | 2002 | 2000
Malware infection (revised after 2008) | 67% | 50% | 65% | 78% | 85% | 85%
Being fraudulently represented as sender of phishing message | 39% | 31% | (new category) | (new category) | | 
Laptop/mobile hardware theft/loss | 34% | 42% | 47% | 49% | 55% | 60%
Bots/zombies in organization | 29% | 20% | (new category) | (new category) | | 
Inside abuse of Internet access or e-mail | 25% | 44% | 42% | 59% | 78% | 79%
Denial of service | 17% | 21% | 25% | 39% | 40% | 27%
Unauthorized access or privilege escalation by insider | 13% | 15% | (revised category) | (revised category) | | 
Password sniffing | 11% | 9% | (new category) | (new category) | | 
System penetration by outsider | 11% | (revised category) | (revised category) | | | 
Exploit of client Web browser | 10% | (new category) | (new category) | | | 
Source: Whitman and Mattord, 2015 SEC/CISE Threats to Information Protection Report.
Table 2-2 Rated Threats from Internal Sources in 2015 SEC/CISE Survey of Threats to Information Protection
From Employees or Internal Stakeholders | Not a Threat (1) | 2 | 3 | 4 | A Severe Threat (5) | Comp. Rank
Inability/unwillingness to follow established policy | 6.6% | 17.2% | 33.6% | 26.2% | 16.4% | 66%
Disclosure due to insufficient training | 8.1% | 23.6% | 29.3% | 25.2% | 13.8% | 63%
Unauthorized access or escalation of privileges | 4.8% | 24.0% | 31.2% | 31.2% | 8.8% | 63%
Unauthorized information collection/data sniffing | 6.4% | 26.4% | 40.0% | 17.6% | 9.6% | 60%
Theft of on-site organizational information assets | 10.6% | 32.5% | 34.1% | 12.2% | 10.6% | 56%
Theft of mobile/laptop/tablet and related/connected information assets | 15.4% | 29.3% | 28.5% | 17.9% | 8.9% | 55%
Intentional damage or destruction of information assets | 22.3% | 43.0% | 18.2% | 13.2% | 3.3% | 46%
Theft or misuse of organizationally leased, purchased, or developed software | 29.6% | 33.6% | 21.6% | 10.4% | 4.8% | 45%
Web site defacement | 43.4% | 33.6% | 16.4% | 4.9% | 1.6% | 38%
Blackmail of information release or sales | 43.5% | 37.1% | 10.5% | 6.5% | 2.4% | 37%
Table 2-3 Rated Threats from External Sources in 2015 SEC/CISE Survey of Threats to Information Protection
From External Sources | Not a Threat (1) | 2 | 3 | 4 | A Severe Threat (5) | Comp. Rank
Unauthorized information collection/data sniffing | 6.4% | 14.4% | 21.6% | 32.8% | 24.8% | 71%
Unauthorized access or escalation of privileges | 7.4% | 14.0% | 26.4% | 31.4% | 20.7% | 69%
Web site defacement | 8.9% | 23.6% | 22.8% | 26.8% | 17.9% | 64%
Intentional damage or destruction of information assets | 14.0% | 32.2% | 18.2% | 24.8% | 10.7% | 57%
Theft of mobile/laptop/tablet and related/connected information assets | 20.5% | 25.4% | 26.2% | 15.6% | 12.3% | 55%
Theft of on-site organizational information assets | 21.1% | 24.4% | 25.2% | 17.9% | 11.4% | 55%
Blackmail of information release or sales | 31.1% | 30.3% | 14.8% | 14.8% | 9.0% | 48%
Disclosure due to insufficient training | 34.5% | 21.8% | 22.7% | 13.4% | 7.6% | 48%
Inability/unwillingness to follow established policy | 33.6% | 29.4% | 18.5% | 6.7% | 11.8% | 47%
Theft or misuse of organizationally leased, purchased, or developed software | 31.7% | 30.1% | 22.8% | 9.8% | 5.7% | 46%
Table 2-4 Perceived Threats to Information Assets in 2015 SEC/CISE Survey of Threats to Information Protection
General Threats to Information Assets | Not a Threat (1) | 2 | 3 | 4 | A Severe Threat (5) | Comp. Rank
Electronic phishing/spoofing attacks | 0.8% | 13.1% | 16.4% | 32.0% | 37.7% | 79%
Malware attacks | 1.7% | 12.4% | 27.3% | 36.4% | 22.3% | 73%
Unintentional employee/insider mistakes | 2.4% | 17.1% | 26.8% | 35.8% | 17.9% | 70%
Loss of trust due to information loss | 4.1% | 18.9% | 27.0% | 22.1% | 27.9% | 70%
Software failures or errors due to unknown vulnerabilities in externally acquired software | 5.6% | 18.5% | 28.2% | 33.9% | 13.7% | 66%
Social engineering of employees/insiders based on social media information | 8.1% | 14.6% | 32.5% | 34.1% | 10.6% | 65%
Social engineering of employees/insiders based on other published information | 8.9% | 19.5% | 24.4% | 32.5% | 14.6% | 65%
Software failures or errors due to poorly developed, internally created applications | 7.2% | 21.6% | 24.0% | 32.0% | 15.2% | 65%
SQL injections | 7.6% | 17.6% | 31.9% | 29.4% | 13.4% | 65%
Social engineering of employees/insiders based on organization’s Web sites | 11.4% | 19.5% | 23.6% | 31.7% | 13.8% | 63%
Denial of service (and distributed DoS) attacks | 8.2% | 23.0% | 27.9% | 32.8% | 8.2% | 62%
Software failures or errors due to known vulnerabilities in externally acquired software | 8.9% | 23.6% | 26.8% | 35.8% | 4.9% | 61%
Outdated organizational software | 8.1% | 28.2% | 26.6% | 26.6% | 10.5% | 61%
Loss of trust due to representation as source of phishing/spoofing attack | 9.8% | 23.8% | 30.3% | 23.0% | 13.1% | 61%
Loss of trust due to Web defacement | 12.4% | 30.6% | 31.4% | 19.8% | 5.8% | 55%
Outdated organizational hardware | 17.2% | 34.4% | 32.8% | 12.3% | 3.3% | 50%
Outdated organizational data format | 18.7% | 35.8% | 26.8% | 13.8% | 4.9% | 50%
Inability/unwillingness to establish effective policy by management | 30.4% | 26.4% | 24.0% | 13.6% | 5.6% | 48%
Hardware failures or errors due to aging equipment | 19.5% | 39.8% | 24.4% | 14.6% | 1.6% | 48%
Hardware failures or errors due to defective equipment | 17.9% | 48.0% | 24.4% | 8.1% | 1.6% | 46%
Deviations in quality of service from other provider | 25.2% | 38.7% | 25.2% | 7.6% | 3.4% | 45%
Deviations in quality of service from data communications provider/ISP | 26.4% | 39.7% | 23.1% | 7.4% | 3.3% | 44%
Deviations in quality of service from telecommunication provider/ISP (if different from data provider) | 29.9% | 38.5% | 18.8% | 9.4% | 3.4% | 44%
Loss due to other natural disaster | 31.0% | 37.9% | 23.3% | 6.9% | 0.9% | 42%
Loss due to fire | 26.2% | 49.2% | 21.3% | 3.3% | 0.0% | 40%
Deviations in quality of service from power provider | 36.1% | 43.4% | 12.3% | 5.7% | 2.5% | 39%
Loss due to flood | 33.9% | 43.8% | 19.8% | 1.7% | 0.8% | 38%
Loss due to earthquake | 41.7% | 35.8% | 15.0% | 6.7% | 0.8% | 38%
Table 2-5 The 12 Categories of Threats to Information Security
Category of Threat | Attack Examples
Compromises to intellectual property | Piracy, copyright infringement
Deviations in quality of service | Internet service provider (ISP), power, or WAN service problems
Espionage or trespass | Unauthorized access and/or data collection
Forces of nature | Fire, floods, earthquakes, lightning
Human error or failure | Accidents, employee mistakes
Information extortion | Blackmail, information disclosure
Sabotage or vandalism | Destruction of systems or information
Software attacks | Viruses, worms, macros, denial of service
Technical hardware failures or errors | Equipment failure
Technical software failures or errors | Bugs, code problems, unknown loopholes
Technological obsolescence | Antiquated or outdated technologies
Theft | Illegal confiscation of equipment or information
Compromises to Intellectual Property
• Intellectual property (IP): creation, ownership, and
control of original ideas as well as the representation
of those ideas.
• The most common IP breaches involve software
piracy.
• Two watchdog organizations investigate software
abuse:
• Software & Information Industry Association (SIIA)
• Business Software Alliance (BSA)
• Enforcement of copyright law has been attempted
with technical security mechanisms.
Deviations in Quality of Service (1 of 2)
• Information system depends on the successful
operation of many interdependent support systems.
• Internet service, communications, and power
irregularities dramatically affect the availability of
information and systems.
• Internet service issues
• Internet service provider (ISP) failures can
considerably undermine the availability of information.
• Outsourced Web hosting provider assumes
responsibility for all Internet services as well as for
the hardware and Web site operating system
software.
Deviations in Quality of Service (2 of 2)
• Communications and other service provider issues
• Other utility services affect organizations: telephone, water, wastewater, trash
pickup.
• Loss of these services can affect an organization’s ability to function.
• Power irregularities
• Are commonplace
• Lead to fluctuations such as power excesses, power shortages, and power
losses
• Sensitive electronic equipment vulnerable to and easily damaged/destroyed
by fluctuations
• Controls can be applied to manage power quality
Figure 2-5 Cost of online service provider downtime
Source: MegaPath. Used with permission.
Espionage or Trespass (1 of 3)
• Access of protected information by unauthorized individuals
• Competitive intelligence (legal) versus industrial
espionage (illegal)
• Shoulder surfing can occur anywhere a person accesses confidential
information
• Controls let trespassers know they are encroaching on organization’s
cyberspace
• Hackers use skill, guile, or fraud to bypass controls protecting others’
information
Espionage or Trespass (2 of 3)
• Expert hackers
• Develop software scripts and program exploits
• Usually a master of many skills
• Will often create attack software and share with others
• Unskilled hackers
• Many more unskilled hackers than expert hackers
• Use expertly written software to exploit a system
• Do not usually fully understand the systems they hack
Espionage or Trespass (3 of 3)
• Other terms for system rule breakers:
• Cracker: “cracks” or removes software protection designed to prevent unauthorized duplication
• Phreaker: hacks the public telephone system to make free calls or disrupt services
• Password attacks:
• Cracking
• Brute force
• Dictionary
• Rainbow tables
• Social engineering
Figure 2-6 Shoulder surfing
Figure 2-7 Contemporary hacker profile
Table 2-6 Password Power
Case-insensitive passwords using a standard alphabet set (no numbers or special characters)
Password Length | Odds of cracking: 1 in (number of characters ^ password length) | Estimated Time to Crack*
8 | 208,827,064,576 | 1.01 seconds
9 | 5,429,503,678,976 | 26.2 seconds
10 | 141,167,095,653,376 | 11.4 minutes
11 | 3,670,344,486,987,780 | 4.9 hours
12 | 95,428,956,661,682,200 | 5.3 days
13 | 2,481,152,873,203,740,000 | 138.6 days
14 | 64,509,974,703,297,200,000 | 9.9 years
15 | 1,677,259,342,285,730,000,000 | 256.6 years
16 | 43,608,742,899,428,900,000,000 | 6,672.9 years
Case-sensitive passwords using a standard alphabet set (with numbers and special characters)
Password Length | Odds of cracking: 1 in (number of characters ^ password length) | Estimated Time to Crack*
8 | 2,044,140,858,654,980 | 2.7 hours
9 | 167,619,550,409,708,000 | 9.4 days
10 | 13,744,803,133,596,100,000 | 2.1 years
11 | 1,127,073,856,954,880,000,000 | 172.5 years
12 | 92,420,056,270,299,900,000,000 | 14,141.9 years
13 | 7,578,444,614,164,590,000,000,000 | 1,159,633.8 years
14 | 621,432,458,361,496,000,000,000,000 | 95,089,967.6 years
15 | 50,957,461,585,642,700,000,000,000,000 | 7,797,377,343.5 years
16 | 4,178,511,850,022,700,000,000,000,000,000 | 639,384,942,170.1 years
*Estimated time to crack is based on a 2015-era PC with an Intel i7-6700K quad-core CPU performing 207.23 Dhrystone GIPS (giga/billion instructions per second) at 4.0 GHz.
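The following is an added example, not code from the slides or the textbook. It reproduces how the Table 2-6 figures are derived (keyspace = alphabet size ^ length, divided by the footnote's 207.23 GIPS rate, treating each instruction as one guess, which is what the table's numbers imply) and then contrasts the password attacks listed on the Espionage or Trespass slide: brute force walks the whole keyspace, a dictionary attack only tries likely passwords, and a precomputed lookup table (the simple ancestor of a rainbow table) does its hashing before the attack, which a per-user salt defeats. Assumptions: the 82-character alphabet for the second half of the table is inferred from its numbers (82^8 = 2,044,140,858,654,976), the SHA-256 hashing and the wordlist are constructed for illustration.

```python
"""Added example (not from the original slides): Table 2-6 arithmetic and the
brute-force / dictionary / precomputed-table password attacks side by side."""
import hashlib
import itertools
import os
import string

# Table 2-6 footnote rate, treated as one password guess per instruction (assumption
# that reproduces the table's times exactly).
GUESSES_PER_SECOND = 207.23e9
LOWER = string.ascii_lowercase   # 26 characters: first half of Table 2-6
MIXED_SIZE = 82                  # inferred alphabet size for the second half of Table 2-6


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords, i.e. the table's 'odds of cracking: 1 in' column."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole keyspace. The expected time to hit one password is half this."""
    return keyspace(alphabet_size, length) / rate


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Try every string of length 1..max_len in order; returns (password, guesses_made)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def dictionary_attack(target_hash: str, wordlist):
    """Try only likely passwords; the cost is the wordlist length, not the keyspace."""
    for guesses, word in enumerate(wordlist, start=1):
        if sha256_hex(word) == target_hash:
            return word, guesses
    return None, len(wordlist)


def build_lookup_table(wordlist):
    """Precompute hash -> password once. Rainbow tables compress this mapping into
    hash/reduce chains; the time/memory trade-off is the same."""
    return {sha256_hex(w): w for w in wordlist}


def salted_hash(password: str, salt: bytes) -> str:
    """With a per-user random salt the same password hashes differently for every user,
    so a table precomputed over unsalted hashes never matches."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


WORDLIST = ["password", "letmein", "abc", "qwerty", "123456"]  # constructed sample wordlist


def demo():
    target = sha256_hex("abc")
    table = build_lookup_table(WORDLIST)
    return {
        "table_2_6_lower_len8_seconds": round(worst_case_seconds(26, 8), 2),            # 1.01
        "table_2_6_mixed_len8_hours": round(worst_case_seconds(MIXED_SIZE, 8) / 3600, 1),  # 2.7
        "brute_force": brute_force(target, LOWER, 3),        # ('abc', 731): 26 + 676 + 29 guesses
        "dictionary": dictionary_attack(target, WORDLIST),   # ('abc', 3)
        "table_lookup": table.get(target),                    # 'abc', no hashing at attack time
        "table_lookup_salted": table.get(salted_hash("abc", os.urandom(16))),  # None
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The table's times are an upper bound for an attacker who has to search the whole keyspace at one guess per instruction; real crackers use GPUs and hash-specific throughput, and they try dictionaries and rules before resorting to exhaustive search, which is why length alone is a weak defence against a password that also appears in a wordlist.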
Forces of Nature
• Forces of nature can present some of the most
dangerous threats.
• They disrupt not only individual lives but also
storage, transmission, and use of information.
• Organizations must implement controls to limit
damage and prepare contingency plans for
continued operations.
Human Error or Failure (1 of 2)
• Includes acts performed without malicious intent or
in ignorance
• Causes include:
• Inexperience
• Improper training
• Incorrect assumptions
• Employees are among the greatest threats to an
organization’s data
Human Error or Failure (2 of 2)
• Employee mistakes can easily lead to:
• Revelation of classified data
• Entry of erroneous data
• Accidental data deletion or modification
• Data storage in unprotected areas
• Failure to protect information
• Many of these threats can be prevented with training, ongoing awareness activities, and controls
• Social engineering uses social skills to convince people to reveal access credentials or other valuable information to an attacker
Figure 2-9 The biggest threat—acts of human error or failure
Source: © iStockphoto/BartCo, © iStockphoto/sdominick, © iStockphoto/mikkelwilliam.
Social Engineering
• “People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything.”—Kevin Mitnick
• Advance-fee fraud: the message claims the recipient is due money, and a small advance fee or the recipient's personal banking information is required to facilitate the transfer
• Phishing: an attempt to gain personal or confidential information; an apparently legitimate communication carries a link or embedded code that redirects the user to a third-party site controlled by the attacker
Figure 2-10 Example of a Nigerian 4-1-9 fraud letter
Source: © iStockphoto/BartCo, © iStockphoto/sdominick, © iStockphoto/mikkelwilliam.
Figure 2-11 Phishing example: lure
Figure 2-12 Phishing example: fake Website
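An added example (not part of the original slides) of the checks a mail filter or an analyst can run on a phishing lure of the kind shown in Figures 2-11 and 2-12, where a legitimate-looking message carries a link to a third-party site: a display name that claims a different domain than the sending address, a link whose visible text names one host while its href goes to another, a link to a raw IP address, and a link that leaves the sender's own domain. The message and hostnames are constructed for illustration (reserved example/test names, not real sites), and the two-label "registrable domain" helper is a simplification that real filters replace with the public-suffix list.

```python
"""Added example (not from the original slides): heuristic phishing-lure checks
on a constructed e-mail, using only the Python standard library."""
from email.utils import parseaddr
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('www.bank.example' -> 'bank.example').
    Simplification for this sample; real filters use the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> str:
    """Hostname from a URL, or from a bare host written as link text."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return parsed.hostname or ""


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(from_header: str, html_body: str) -> list:
    """Return human-readable findings; an empty list means none of the checks fired."""
    findings = []
    display_name, address = parseaddr(from_header)
    sender_domain = registrable_domain(address.split("@")[-1])

    # 1. Display name pretends to be an address at a domain other than the real sender's.
    if "@" in display_name:
        claimed = registrable_domain(display_name.split("@")[-1].strip('"<> '))
        if claimed != sender_domain:
            findings.append(f"display name claims {claimed} but mail is from {sender_domain}")

    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        href_host = host_of(href)
        # 2. Link target is a raw IP address rather than a named host.
        if is_ip_literal(href_host):
            findings.append(f"link to IP literal {href_host}")
        # 3. Visible link text names one site while the href points to another.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(f"link text shows {text_host} but points to {href_host}")
        # 4. Link leaves the sender's own domain (third-party site).
        if href_host and not is_ip_literal(href_host) and registrable_domain(href_host) != sender_domain:
            findings.append(f"link to third-party domain {registrable_domain(href_host)}")
    return findings


# Constructed lure modelled on the Figure 2-11 pattern: a fake "verify your account" notice.
SAMPLE_FROM = '"security@bank.example" <alerts@mail-update.test>'
SAMPLE_BODY = """<p>Your account has been locked. Verify now:</p>
<a href="http://203.0.113.9/verify">https://www.bank.example/verify</a>"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_FROM, SAMPLE_BODY):
        print("-", finding)
```

None of these checks proves a message is phishing on its own (marketing mail routinely links off-domain), which is why filters score them together and why user training still matters: the lure in Figure 2-11 is designed to be read quickly, and the mismatch between link text and link target is invisible unless someone or something looks at the href.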
Information Extortion
• Attacker steals information from a computer system and demands compensation for its return or nondisclosure. Also known as cyberextortion.
• A common form is the theft of credit card numbers followed by a demand for payment to prevent their release or sale.
Sabotage or Vandalism
• Threats can range from petty vandalism to organized
sabotage.
• Web site defacing can erode consumer confidence,
diminishing organization’s sales, net worth, and
reputation.
• Threat of hacktivist or cyberactivist operations is
rising.
• Cyberterrorism/Cyberwarfare: a much more sinister
form of hacking.
Software Attacks (1 of 5)
• Malicious software (malware) is used to overwhelm the processing capabilities of online systems or to gain access to protected systems via hidden means.
• Software attacks occur when an individual or a group designs and deploys software to attack a system.
Software Attacks (2 of 5)
• Types of attacks include:
• Malware (malicious code): the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.
• Virus: code segments that attach to an existing program and execute when that program runs, taking control of access to the targeted computer.
• Worms: self-contained programs that replicate themselves across systems without needing a host program, often until they completely fill available resources such as memory, bandwidth, and hard drive space.
• Trojan horses: malware disguised as helpful, interesting, or necessary pieces of software.
Software Attacks (3 of 5)
• Polymorphic threat: malware that changes its code or appearance over time to elude signature-based detection
• Virus and worm hoaxes: warnings about nonexistent malware that employees waste time spreading
• Back door: gaining access to a system or network using a known or previously unknown/newly discovered access mechanism that bypasses normal authentication
• Denial-of-service (DoS): an attacker sends a large number of connection or information requests to a target.
• The target system becomes overloaded and cannot respond to legitimate requests for service.
• It may result in a system crash or an inability to perform ordinary functions.
Software Attacks (4 of 5)
• Distributed denial-of-service (DDoS): a coordinated stream of requests is launched against a target from many locations simultaneously.
• Mail bombing (also a DoS): an attacker routes large quantities of e-mail to a target to overwhelm the receiver.
• Spam (unsolicited commercial e-mail): considered more a nuisance than an attack, though it is emerging as a vector for some attacks.
• Packet sniffer: monitors data traveling over a network; it can be used both for legitimate management purposes and for stealing information from a network.
Software Attacks (5 of 5)
• Spoofing: a technique used to gain unauthorized access; the intruder forges packets so they appear to come from a trusted IP address.
• Pharming: redirects users to an illegitimate site for the purpose of obtaining private information, typically by corrupting DNS or the local hosts file so that even a correctly typed address resolves to the attacker's site.
• Man-in-the-middle: an attacker positions itself between two communicating parties, intercepting network packets, modifying them, and inserting them back into the network so that each side believes it is talking directly to the other.
Table 2-7 The Most Dangerous Malware Attacks to Date
Malware | Type | Year | Estimated Number of Systems Infected | Estimated Financial Damage
MyDoom | Worm | 2004 | 2 million | $38 billion
Klez (and variants) | Virus | 2001 | 7.2% of Internet | $19.8 billion
ILOVEYOU | Virus | 2000 | 10% of Internet | $5.5 billion
Sobig F | Worm | 2003 | 1 million | $3 billion
Code Red (and CR II) | Worm | 2001 | 400,000 servers | $2.6 billion
SQL Slammer, a.k.a. Sapphire | Worm | 2003 | 75,000 | $950 million to $1.2 billion
Melissa | Macro virus | 1999 | Unknown | $300 million to $600 million
CIH, a.k.a. Chernobyl | Memory-resident virus | 1998 | Unknown | $250 million
Storm Worm | Trojan horse | 2006 | 10 million | Unknown
Conficker | Worm | 2009 | 15 million | Unknown
Nimda | Multivector worm | 2001 | Unknown | Unknown
Sasser | Worm | 2004 | 500,000 to 700,000 | Unknown
Netsky | Virus | 2004 | Under 100,000 | Unknown
Leap-A/Oompa-A | Virus | 2006 | Unknown (Apple) | Unknown
Table 2-8 Attack Replication Vectors
Vector | Description
IP scan and attack | The infected system scans a range of IP addresses and service ports and targets several vulnerabilities known to hackers or left over from previous exploits, such as Code Red, Back Orifice, or PoizonBox.
Web browsing | If the infected system has write access to any Web pages, it makes all Web content files infectious, including .html, .asp, .cgi, and other files. Users who browse to those pages infect their machines.
Virus | Each affected machine infects common executable or script files on all computers to which it can write, which spreads the virus code to cause further infection.
Unprotected shares | Using vulnerabilities in file systems and in the way many organizations configure them, the infected machine copies the viral component to all locations it can reach.
Mass mail | By sending e-mail infections to addresses found in the address book, the affected machine infects many other users, whose mail-reading programs automatically run the virus program and infect even more systems.
Figure 2-18 Denial-of-service attack
In a denial-of-service attack, a hacker compromises a system and uses that system to attack the target computer, flooding it with more requests for services than the target can handle.
In a distributed denial-of-service attack, dozens or even hundreds of computers (known as zombies or bots) are compromised, loaded with DoS attack software, and then remotely activated by the hacker to conduct a coordinated attack.
Figure 2-19 IP spoofing attack
Figure 2-20 Man-in-the-middle attack
Technical Hardware Failures or Errors (1 of 2)
• They occur when a manufacturer distributes equipment containing a known or unknown flaw.
• They can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability.
• Some errors are terminal and some are intermittent.
• Example: the Intel Pentium floating-point division (FDIV) flaw.
• Mean time between failures (MTBF) measures the average amount of time between hardware failures.
Technical Software Failures or Errors (2 of 2)
• Large quantities of computer code are written, debugged, published, and sold before all bugs are detected and resolved.
• Combinations of certain software and hardware can reveal new software bugs.
• Entire Web sites are dedicated to documenting bugs.
• Open Web Application Security Project (OWASP) is dedicated to helping organizations create/operate trustworthy software and publishes a list of top security risks.
The Deadly Sins in Software Security (1 of 3)
• Common failures in software development:
• Buffer overruns
• Catching exceptions
• Command injection
• Cross-site scripting (XSS)
• Failure to handle errors
• Failure to protect network traffic
• Failure to store and protect data securely
• Failure to use cryptographically strong random numbers
• Format string problems
• Neglecting change control
The Deadly Sins in Software Security (2 of 3)
• Improper file access
• Improper use of Secure Sockets Layer (SSL)
• Information leakage
• Integer bugs (overflows/underflows)
• Race conditions
• SQL injection
The Deadly Sins in Software Security (3 of 3)
• Problem areas in software development:
• Trusting network address resolution
• Unauthenticated key exchange
• Use of magic URLs and hidden forms
• Use of weak password-based systems
• Poor usability
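An added example (not code from the slides or the textbook) for the SQL injection entry in the list above, which Table 2-4 also ranks among the perceived threats: a login check that builds its query by string concatenation, beside the parameterized version that closes the hole. It uses Python's bundled sqlite3 with an in-memory database; the table, columns, users and the SHA-256 password storage are this example's own constructed setup (a real system would use a salted, slow password hash, which is a separate deadly sin from the one shown here).

```python
"""Added example (not from the original slides): SQL injection in a login check,
vulnerable string-built query beside the parameterized fix."""
import hashlib
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in (("admin", "Correct-Horse-42"), ("alice", "hunter2")):
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (user, hashlib.sha256(pw.encode()).hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Builds the query by concatenation: anything the user types becomes SQL syntax."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterized query: the driver passes values separately from the SQL text,
    so a quote or comment marker in the input is just data to compare against."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


# Classic payload: closes the string literal, then comments out the password check,
# leaving  ... WHERE username = 'admin' -- ' AND pw_hash = '...'
INJECTION = "admin' -- "

if __name__ == "__main__":
    conn = setup_db()
    print("legitimate admin login, vulnerable:", login_vulnerable(conn, "admin", "Correct-Horse-42"))
    print("injection payload, vulnerable:     ", login_vulnerable(conn, INJECTION, "anything"))
    print("injection payload, parameterized:  ", login_safe(conn, INJECTION, "anything"))
```

The fix is not escaping quotes by hand but never letting input become part of the statement text; parameterized queries (or an ORM that uses them) do that for every database driver, and the same principle applies to the command injection entry in the list: pass arguments as a list to the subprocess API rather than building a shell string.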
Technological Obsolescence
• Antiquated/outdated infrastructure can lead to unreliable, untrustworthy
systems.
• Proper managerial planning should prevent technology obsolescence.
• IT plays a large role.
Theft
• Illegal taking of another’s physical, electronic, or intellectual property.
• Physical theft is controlled relatively easily.
• Electronic theft is a more complex problem; the evidence of crime is not
readily apparent.
Summary (1 of 4)
• Information security performs four important functions:
• Protecting organization’s ability to function
• Enabling safe operation of applications implemented on organization’s IT
systems
• Protecting data an organization collects and uses
• Safeguarding the technology assets in use at the organization
• Threats or dangers facing an organization’s people, information, and systems
fall into the following categories:
• Compromises to intellectual property: Intellectual property, such as trade secrets, copyrights, trademarks, or patents, is an intangible asset that may be attacked via software piracy or the exploitation of asset protection controls.
Summary (2 of 4)
• Deviations in quality of service: Organizations rely on services
provided by others.
• Losses can come from interruptions to those services.
• Espionage or trespass: Asset losses may result when electronic
and human activities breach the confidentiality of information.
• Forces of nature: A wide range of natural events can overwhelm
control systems and preparations to cause losses to data and
availability.
• Human error or failure: Losses to assets may come from
intentional or accidental actions by people inside and outside
the organization.
• Information extortion: Stolen or inactivated assets may be held
hostage to extract payment of ransom.
Summary (3 of 4)
• Sabotage or vandalism: Losses may result from the deliberate sabotage of a
computer system or business, or from acts of vandalism. These acts can
either destroy an asset or damage the image of an organization.
• Software attacks: Losses may result when attackers use software to gain
unauthorized access to systems or cause disruptions in systems availability.
• Technical hardware failures or errors: Technical defects in hardware systems
can cause unexpected results, including unreliable service or lack of
availability.
• Technical software failures or errors: Software used by systems may have
purposeful or unintentional errors that result in failures, which can lead to loss
of availability or unauthorized access to information.
Summary (4 of 4)
• Technological obsolescence: Antiquated or outdated
infrastructure can lead to unreliable and untrustworthy systems
that may result in loss of availability or unauthorized access to
information.
• Theft: Theft of information can result from a wide variety of
attacks.
Week 3
ISYS 326
Information Systems
Security
Ethical and Professional
Issues in Information
Security
Learning Objectives
• Upon completion of this material, you should be able to:
• Describe the functions of and relationships among laws, regulations, and
professional organizations in information security
• Explain the differences between laws and ethics
• Identify major national laws that affect the practice of information security
• Discuss the role of privacy as it applies to law and ethics in information
security
Introduction
• You must understand the scope of an organization’s
legal and ethical responsibilities.
• To minimize liabilities/reduce risks, the information
security practitioner must:
• Understand the current legal environment
• Stay current with laws and regulations
• Watch for new and emerging issues
Law and Ethics in Information Security
• Laws: rules that mandate or prohibit certain behavior and are enforced by the
state
• Ethics: regulate and define socially acceptable behavior
• Cultural mores: fixed moral attitudes or customs of a particular group
• Laws carry the authority of a governing authority; ethics do not
Organizational Liability and the Need for Counsel (1 of 2)
• Liability: the legal obligation of an entity extending beyond criminal or contract
law; includes the legal obligation to make restitution
• Restitution: the legal obligation to compensate an injured party for wrongs
committed
• Due care: the legal standard requiring a prudent organization to act legally
and ethically and know the consequences of actions
• Due diligence: the legal standard requiring a prudent organization to maintain
the standard of due care and ensure actions are effective
Organizational Liability and the Need for Counsel (2 of 2)
• Jurisdiction: court’s right to hear a case if the wrong was committed in its
territory or involved its citizenry
• Long-arm jurisdiction: application of laws to those residing outside a court’s
normal jurisdiction; usually granted when a person acts illegally within the
jurisdiction and leaves
Policy Versus Law (1 of 2)
• Policies: managerial directives that specify acceptable and unacceptable
employee behavior in the workplace
• Policies function as organizational laws; must be crafted and implemented
with care to ensure they are complete, appropriate, and fairly applied to
everyone
• Key difference between policy and law: ignorance of a policy is an acceptable defense (ignorance of the law is not), so an organization must be able to show that a policy was properly disseminated, read, understood, and agreed to before it can enforce it.
Policy Versus Law (2 of 2)
• Criteria for policy enforcement:
• Dissemination (distribution)
• Review (reading)
• Comprehension (understanding)
• Compliance (agreement)
• Uniform enforcement
Types of Law
• Constitutional
• Statutory
• Civil
• Tort
• Criminal
• Regulatory or Administrative
• Common, Case, and Precedent
• Private and Public
Relevant U.S. Laws
• The United States has been a leader in the development and implementation
of information security legislation.
• Information security legislation contributes to a more reliable business
environment and a stable economy.
• The United States has demonstrated understanding of the importance of
securing information and has specified penalties for individuals and
organizations that breach civil and criminal law.
General Computer Crime Laws (1 of 2)
• Computer Fraud and Abuse Act of 1986 (CFA Act): Cornerstone of many
computer-related federal laws and enforcement efforts
• National Information Infrastructure Protection Act of 1996:
• Modified several sections of the previous act and increased the penalties for
selected crimes
• Severity of the penalties was judged on the value of the information and the
purpose
• For purposes of commercial advantage
• For private financial gain
• In furtherance of a criminal act
General Computer Crime Laws (2 of 2)
• USA PATRIOT Act of 2001: Provides law enforcement agencies with broader latitude in order to combat terrorism-related activities
• USA PATRIOT Improvement and Reauthorization Act of 2005: Made permanent 14 of the 16 expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity
• USA FREEDOM Act of 2015: Inherited select USA PATRIOT Act functions when key PATRIOT Act provisions expired in 2015
• Computer Security Act of 1987: One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices
Privacy (1 of 2)
• One of the hottest topics in information security
• Right of individuals or groups to protect themselves and personal information
from unauthorized access
• Ability to aggregate data from multiple sources allows creation of information
databases previously impossible
• The number of statutes addressing an individual’s right to privacy has grown
Privacy (2 of 2)
• U.S. Regulations
• Privacy of Customer Information Section of the common carrier regulation
• Federal Privacy Act of 1974
• Electronic Communications Privacy Act of 1986
• Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
• Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999
Figure 3-2 Information aggregation
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a
certain product or service or otherwise on a password-protected website for classroom use.
Identity Theft (1 of 2)
• It can occur when someone steals a victim’s personally identifiable
information (PII) and poses as the victim to conduct actions/make purchases.
• Federal Trade Commission (FTC) oversees efforts to foster coordination,
effective prosecution of criminals, and methods to increase victim’s restitution.
• Fraud and Related Activity in Connection with Identification Documents,
Authentication Features, and Information Act (Title 18, U.S.C. § 1028).
Identity Theft (2 of 2)
• If someone suspects identity theft, the FTC recommends:
• Place an initial fraud alert: Report to one of the three national credit reporting
companies and ask for an initial fraud alert on your credit report.
• Order your credit reports: Filing an initial fraud alert entitles you to a free
credit report from each of the three credit reporting companies. Examine the
reports for fraud activity.
• Create an identity theft report: Filing a complaint with the FTC will generate an
identity theft affidavit, which can be used to file a police report and create an
identity theft report.
• Monitor your progress: Document all calls, letters, and communications during
the process.
Figure 3-3 U.S. Department of Justice report on victims of identity theft in 2012 and 2014
Source: U.S. Federal Trade Commission.
Export and Espionage Laws
• Economic Espionage Act of 1996
• Security and Freedom through Encryption Act of 1999
• The acts include provisions about encryption that:
• Reinforce the right to use or sell encryption algorithms, without concern for key registration
• Prohibit the federal government from requiring the use of encryption
• Make the use of encryption not, by itself, probable cause to suspect criminal activity
• Relax export restrictions
• Add penalties for using encryption in the commission of a crime
U.S. Copyright Law
• Intellectual property was recognized as a protected asset in the United States;
copyright law extends to electronic formats.
• With proper acknowledgment, it is permissible to include portions of others’
work as reference.
• U.S. Copyright Office Web site: www.copyright.gov/.
Financial Reporting
• Sarbanes-Oxley Act of 2002
• Affects the executive management of publicly traded corporations and public
accounting firms
• Seeks to improve the reliability and accuracy of financial reporting and
increase the accountability of corporate governance in publicly traded
companies
• Penalties for noncompliance range from fines to jail terms
Freedom of Information Act of 1966 (FOIA)
• Allows access to federal agency records or information not determined to be a matter of national security.
• U.S. government agencies are required to disclose any requested information
upon receipt of written request.
• Some information is protected from disclosure; this act does not apply to
state/local government agencies or private businesses/individuals.
Figure 3-5 U.S. government FOIA requests and processing
Source: www.foia.gov.
Payment Card Industry Data Security Standard (PCI DSS)
• The PCI Security Standards Council publishes a standard with which organizations that process payment cards must comply
• Designed to enhance the security of customers' account data
• Addresses six areas:
• Build and maintain secure networks/systems
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
State and Local Regulations
• Federal computer laws are mainly written specifically for federal information
systems; they have little applicability to private organizations.
• Information security professionals are responsible for understanding state
regulations and ensuring that organization is in compliance with regulations.
International Laws and Legal Bodies
• When organizations do business on the Internet, they do business globally.
• Professionals must be sensitive to the laws and ethical values of many
different cultures, societies, and countries.
• Because of the political complexities of relationships among nations and
differences in culture, few international laws cover privacy and information
security.
• These international laws are important but are limited in their enforceability.
U.K. Computer Security Laws
• Computer Misuse Act 1990: Defined three “computer misuse offenses”:
• Unauthorized access to computer material.
• Unauthorized access with intent to commit or facilitate commission of further
offenses.
• Unauthorized acts with intent to impair, or with recklessness as to impairing,
operation of computer, etc.
• Privacy and Electronic Communications (EC Directive) Regulations 2003:
Focuses on protection against unwanted or harassing phone, e-mail, and
SMS messages
• Police and Justice Act 2006: Updated the Computer Misuse Act, modified the
penalties, and created new crimes defined as the “unauthorized acts with
intent to impair operation of computer, etc.”
Council of Europe Convention on Cybercrime
• Created international task force to oversee Internet security functions for
standardized international technology laws
• Attempts to improve effectiveness of international investigations into breaches
of technology law
• Well received by intellectual property rights advocates due to emphasis on
copyright infringement prosecution
• Lacks realistic provisions for enforcement
WTO and the Agreement on Trade-Related Aspects of Intellectual Property Rights
• Created by the World Trade Organization (WTO)
• The first significant international effort to protect intellectual property rights;
outlines requirements for governmental oversight and legislation providing
minimum levels of protection for intellectual property.
• Agreement covers five issues:
• Application of basic principles of trading system and international intellectual
property agreements
• Giving adequate protection to intellectual property rights
• Enforcement of those rights by countries within their borders
• Settling intellectual property disputes between WTO members
• Transitional arrangements while new system is being introduced
Digital Millennium Copyright Act (DMCA)
• U.S. contribution to the international effort to reduce the impact of copyright and trademark infringement
• Implements the 1996 WIPO Copyright Treaty and WIPO Performances and Phonograms Treaty in U.S. law
• Prohibits
• Circumvention of technological protections and countermeasures
• Manufacture and trafficking of devices used to circumvent such protections
• Altering copyright management information attached to or embedded in copyrighted material
• Provides Internet Service Providers (ISPs) a safe harbor from liability for some copyright infringement committed by their users
Ethics and Information Security
• Many professional disciplines have explicit rules governing the ethical
behavior of members.
• IT and InfoSec do not have binding codes of ethics.
• Professional associations and certification agencies work to maintain ethical
codes of conduct.
• Can prescribe ethical conduct
• Do not always have the ability to ban violators from practice in field
Offline (1 of 2)
The Ten Commandments of Computer Ethics from the Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
Offline (2 of 2)
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Ethical Differences Across Cultures
• Cultural differences create difficulty in determining what is and is not ethical.
• Difficulties arise when one nationality’s ethical behavior conflicts with the
ethics of another national group.
• Scenarios are grouped into:
• Software license infringement
• Illicit use
• Misuse of corporate resources
• Cultures have different views on the scenarios.
Table 3.2 Rates and Commercial Values of Unlicensed PC Software Installations, Biennially from 2009 to 2015, Worldwide by Region

Rates of unlicensed software installations
Region                      2015   2013   2011   2009
Asia Pacific                 61%    62%    60%    59%
Central & Eastern Europe     58%    61%    62%    64%
Latin America                55%    59%    61%    63%
Middle East & Africa         57%    59%    58%    59%
North America                17%    19%    19%    21%
Western Europe               28%    29%    32%    34%
Total Worldwide              39%    43%    42%    43%

Commercial value of unlicensed software ($M)
Region                         2015      2013      2011      2009
Asia Pacific                $19,064   $21,041   $20,998   $16,544
Central & Eastern Europe     $3,136    $5,318    $6,133    $4,673
Latin America                $5,787    $8,422    $7,459    $6,210
Middle East & Africa         $3,696    $4,309    $4,159    $2,887
North America               $10,016   $10,853   $10,958    $9,379
Western Europe              $10,543   $12,766   $13,749   $11,750
Total Worldwide             $52,242   $62,709   $63,456   $51,443
Ethics and Education
• Education is the overriding factor in leveling ethical perceptions within a small
population.
• Employees must be trained and kept aware of the expected behavior of an
ethical employee, as well as many other information security topics.
• Proper ethical training is vital to creating an informed and well-prepared system user.
Deterring Unethical and Illegal Behavior
• Three general causes of unethical and illegal behavior: ignorance, accident,
intent
• Deterrence: best method for preventing an illegal or unethical activity; for
example, laws, policies, technical controls
• Laws and policies only deter if three conditions are present:
• Fear of penalty
• Probability of being apprehended
• Probability of penalty being applied
Figure 3-6 Deterrents to illegal or unethical behavior
Codes of Ethics of Professional Organizations
• Many professional organizations have established codes of conduct/ethics.
• Codes of ethics can have a positive effect; unfortunately, many employers do
not encourage joining these professional organizations.
• Responsibility of security professionals is to act ethically and according to the
policies of the employer, the professional organization, and the laws of
society.
Table 3-3 Professional Organizations of Interest to Information Security Professionals

Association of Computing Machinery (ACM), www.acm.org
  Description: Code of 24 imperatives of personal and ethical responsibilities for security professionals
  Focus: Ethics of security professionals

Information Systems Audit and Control Association (ISACA), www.isaca.org
  Description: Focus on auditing, information security, business process analysis, and IS planning through the CISA and CISM certifications
  Focus: Tasks and knowledge required of the information systems audit professional

Information Systems Security Association (ISSA), www.issa.org
  Description: Professional association of information systems security professionals; provides education forum, publications, and peer networking for members
  Focus: Professional security information sharing

International Information Systems Security Certification Consortium ((ISC)2), www.isc2.org
  Description: International consortium dedicated to improving the quality of security professionals through the SSCP and CISSP certifications
  Focus: Requires certificants to follow its published code of ethics

SANS Institute's Global Information Assurance Certification (GIAC), www.giac.org
  Description: GIAC certifications focus on four security areas: security administration, security management, IT audits, and software security; these areas have standard, gold, and expert levels
  Focus: Requires certificants to follow its published code of ethics
Major IT and InfoSec Professional Organizations (1 of 5)
• Association of Computing Machinery (ACM)
• Established in 1947 as “the world’s first educational and scientific computing
society.”
• Code of ethics contains references to protecting information confidentiality,
causing no harm, protecting others’ privacy, and respecting others’ intellectual
property and copyrights.
Major IT and InfoSec Professional Organizations (2 of 5)
• International Information Systems Security Certification Consortium, Inc.
(ISC)2
• Nonprofit organization focusing on the development and implementation of
information security certifications and credentials.
• Code is primarily designed for the information security professionals who
have certification from (ISC)2.
• Code of ethics focuses on four mandatory canons.
Major IT and InfoSec Professional Organizations (3 of 5)
• SANS (originally System Administration, Networking, and Security Institute)
• Professional organization with a large membership dedicated to the protection
of information and systems.
• SANS offers a set of certifications called Global Information Assurance
Certification (GIAC).
Major IT and InfoSec Professional Organizations (4 of 5)
• ISACA (originally Information Systems Audit and Control Association)
• Professional association with focus on auditing, control, and security
• Concentrates on providing IT control practices and standards
• ISACA has a code of ethics for its professionals
Major IT and InfoSec Professional Organizations (5 of 5)
• Information Systems Security Association (ISSA)
• Nonprofit society of InfoSec professionals
• Primary mission to bring together qualified IS practitioners for information
exchange and educational development
• Promotes code of ethics similar to (ISC)2, ISACA, and ACM
Key U.S. Federal Agencies (1 of 3)
• Department of Homeland Security (DHS)
• Mission is to protect the citizens as well as the physical and informational
assets of the United States.
• United States Computer Emergency Readiness Team (US-CERT) provides
mechanisms to report phishing and malware.
• U.S. Secret Service
• In addition to protective services, it is charged with safeguarding the nation’s
financial infrastructure and payments system to preserve the integrity of the
economy.
Key U.S. Federal Agencies (2 of 3)
• Federal Bureau of Investigation
• Primary law enforcement agency; investigates traditional crimes and
cybercrimes
• Key priorities include computer/network intrusions, identity theft, and fraud
• Federal Bureau of Investigation's National InfraGard Program
• Maintains an intrusion alert network
• Maintains a secure Web site for communication about suspicious activity or intrusions
• Sponsors local chapter activities
• Operates a help desk for questions
Key U.S. Federal Agencies (3 of 3)
• National Security Agency (NSA)
• Is the nation’s cryptologic organization
• Responsible for signals intelligence and information assurance (security)
• Information Assurance Directorate (IAD) is responsible for the protection of
systems that store, process, and transmit information of high national value
Figure 3-9 U.S. Secret Service Operation Firewall
Source: USSS.
Figure 3-11 FBI Cyber’s Most Wanted list
Source: fbi.gov.
Summary (1 of 3)
• Laws: rules that mandate or prohibit certain behavior in society; drawn from
ethics
• Ethics: define socially acceptable behaviors, based on cultural mores (fixed
moral attitudes or customs of a particular group)
• Types of law: civil, criminal, private, and public
Summary (2 of 3)
• Relevant U.S. laws:
• Computer Fraud and Abuse Act of 1986 (CFA Act)
• National Information Infrastructure Protection Act of 1996
• USA PATRIOT Act of 2001
• USA PATRIOT Improvement and Reauthorization Act
• USA FREEDOM Act of 2015
• Computer Security Act of 1987
• Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information Act (Title 18, U.S.C. § 1028)
Summary (3 of 3)
• Many organizations have codes of conduct and/or codes of ethics.
• Organization increases liability if it refuses to take measures known as due
care.
• Due diligence requires that organizations make a valid effort to protect others
and continually maintain that effort.
Why are we doing this?
By completing the activities in this week, you should be able to:
1. Describe the four categories of ethical issues related to information technology.
2. Discuss potential threats to the privacy of personal data stored in different locations and how they may violate the common good.
3. Apply practical skills in working with a database.
Essential Question
What are the major areas of ethical and privacy concerns due to the use of information
technology?
1. In our careers we often encounter numerous ethical and privacy issues, many of which involve IT in some manner.
2. The objective of this chapter is to gain an understanding of these issues and of how to respond to them.
3. It will help us contribute to our company's code of ethics and its privacy policies.
4. You will also be able to provide meaningful input concerning the potential ethical and privacy impacts of your organisation's information systems on people inside and outside the organisation.
Ethical issues
Ethics: principles of right and wrong that individuals use to make choices that guide their
behavior
Deciding what is right or wrong is not always easy or clear-cut.
Fortunately, many frameworks are available to help us make ethical decisions.
General Framework for ethical decision making
• Does this decision damage someone? Does it involve a choice between a good and a bad alternative? Does it go beyond what is legal?
• Identify stakeholders and consult the relevant persons/groups.
• What are the relevant facts of the situation? Do I know enough to make a decision?
• Evaluate alternative actions under all four ethical standards (next page).
• Which option best addresses the situation?
• Implement the decision with the greatest care; evaluate the outcome and reflect on lessons learnt.
Ethical standards
Utilitarian approach
• States that an ethical action is the one that provides the most good or does the least
harm. This approach would be the one that produces the greatest good and does the
least harm for all affected parties – customers, employees, stakeholders, the
community and the environment.
Rights approach
• Maintains that an ethical action is the one that best protects and respects the moral
rights of the affected parties. Moral rights can include the rights to make one’s choices
about what kind of life to lead, to be told the truth, not to be injured and to a degree of
privacy. These are actually the moral rights that people are entitled to.
Ethical standards
Fairness approach
• States that ethical actions treat all humans equally, or if unequally, then fairly, based on some defensible standard. For example, consider the difference between the salaries of employees and that of a CEO in a company. Is it fair? Is it based on a defensible standard? Or is it the result of an imbalance of power, and hence unfair?
Common good approach
• Highlights an ethical action that best serves the community as a whole. It is important
to the welfare of everyone, not just some members.
• It emphasises the common conditions that are important to the welfare of everyone.
These conditions can include a system of laws, effective police, fire department,
healthcare, public education and even public recreational areas.
Ethics and information technology
Privacy issues
• Involve collecting, storing, and disseminating information about individuals
• Example: Google Street View
Accuracy issues
• Involve the authenticity, fidelity (degree of correctness), and accuracy of information
that is collected and processed
Property issues
• Involve the ownership and value of information
Accessibility issues
• Revolve around who should have access to information and whether they should have to pay for that access
Ethics and Information Technology
Privacy
Privacy
• The right to be left alone and to be free of unreasonable personal intrusions.
Privacy Law
• The protection of an individual’s personal information that could identify the individual.
• The Privacy Act 1988 (Australia)
• Regulates the handling of personal information
• Originally included 10 NPPs (National Privacy Principles) for private-sector organisations and 11 IPPs (Information Privacy Principles) for public-sector agencies; since March 2014 both sets have been replaced by the 13 Australian Privacy Principles (APPs)
• Freedom of information
• The public’s right to access government information
Threats to privacy
Electronic surveillance
• The tracking of people’s activities, online or offline, with the aid of computers
• The Surveillance Devices Bill 2004 regulates the use of surveillance data by law enforcement
agencies.
Personal information in databases
• Banks, utility companies, government, and credit reporting agencies
Information on Internet bulletin boards, newsgroups, and social networking sites
Privacy codes and policies
They are an organisation’s guidelines with respect to protecting the privacy of customers,
clients, and employees.
Informed consent models:
• Opt-out model
• Organisations are permitted to collect personal information until the customer specifically requests
that the data not be collected
• Opt-in model (Preferred by privacy advocates)
• Organisations are prohibited from collecting any personal information unless the customer specifically
authorises it
Chapter Summary
This chapter focused on
• The ethical issues related to information technology
• The potential threats to the privacy of personal data stored in different locations
ISYS 326 Information Systems Security
Week 4
Planning for Security
Learning Objectives (1 of 2)
• Upon completion of this material, you should be able
to:
• Describe management’s role in the development,
maintenance, and enforcement of information security
policy, standards, practices, procedures, and
guidelines
• Explain what an information security blueprint is,
identify its major components, and explain how it
supports the information security program
Learning Objectives (2 of 2)
• Discuss how an organization institutionalizes its
policies, standards, and practices using education,
training, and awareness programs
• Describe what contingency planning is and how it
relates to incident response planning, disaster
recovery planning, and business continuity plans
Introduction
• An information security program begins with policies,
standards, and practices, which are the foundation
for the information security architecture and blueprint.
• Coordinated planning is required to create and
maintain these elements.
• Strategic planning for the management and allocation
of resources.
• Contingency planning to prepare for an uncertain
business environment.
Information Security Planning and Governance
(1 of 2)
• Planning levels help translate organization’s strategic
plans into tactical objectives
• Planning and the CISO
• Information security governance
• Governance:
• Set of responsibilities and practices exercised by the board
and executive management
• Goal to provide strategic direction, establishment of
objectives, and measurement of progress toward objectives
• Also verifies/validates that risk management practices are
appropriate and assets used properly
Information Security Planning and Governance
(2 of 2)
• Information security governance outcomes
• Five goals:
• Strategic alignment
• Risk management
• Resource management
• Performance measurement
• Value delivery
Figure 4-1 Information security governance roles and responsibilities
Source: This information is derived from the Corporate Governance Task
Force Report, “Information Security Governance: A Call to Action,” April
2004, National Cyber Security Task Force.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a
certain product or service or otherwise on a password-protected website for classroom use.
Information Security Policy, Standards,
and Practices
• Management from communities of interest must
make policies the basis for all information security
planning, design, and deployment.
• Policies direct how issues should be addressed and
technologies used.
• Policies should never contradict law, must be able to
stand up in court, and must be properly
administered.
• Security policies are the least expensive controls to
execute but most difficult to implement properly.
Policy as the Foundation for Planning
• Policy functions as organizational law that dictates
acceptable and unacceptable behavior.
• Standards: more detailed statements of what must
be done to comply with policy.
• Practices, procedures, and guidelines effectively
explain how to comply with policy.
• For a policy to be effective, it must be properly
disseminated, read, understood, and agreed to by
all members of the organization, and uniformly
enforced.
Figure 4-2 Policies, standards,
guidelines, and procedures
Enterprise Information Security Policy (EISP)
(1 of 2)
• Sets strategic direction, scope, and tone for all
security efforts within the organization
• Executive-level document, usually drafted by or with
chief information officer (CIO) of the organization
• Typically addresses compliance in two areas:
• General compliance, to ensure the requirements for
establishing the program are met and responsibilities
are assigned to the various organizational
components
• Use of specified penalties and disciplinary action
Enterprise Information Security Policy (EISP) (2 of 2)
• EISP Elements should include:
• Overview of the corporate security philosophy
• Information on the structure of the organization and
people in information security roles
• Articulated responsibilities for security shared by all
members of the organization
• Articulated responsibilities for security unique to each
role in the organization
Table 4-1 Components of the EISP (1 of 3)
Component: Statement of Purpose
Description: Answers the question "What is this policy for?" Provides a framework
that helps the reader understand the intent of the document. Can
include text such as the following: "This document will:
• Identify the elements of a good security policy
• Explain the need for information security
• Specify the various categories of information security
• Identify the information security responsibilities and roles
• Identify appropriate levels of security through standards and
guidelines
This document establishes an overarching security policy and direction
for our company. Individual departments are expected to establish
standards, guidelines, and operating procedures that adhere to and
reference this policy while addressing their specific and individual
needs."
Table 4-1 Components of the EISP (2 of 3)
Component: Information Security Elements
Description: Defines information security. For example:
"Protecting the confidentiality, integrity, and availability of
information while in processing, transmission, and storage,
through the use of policy, education and training, and
technology ..."
This section can also lay out security definitions or philosophies
to clarify the policy.
Component: Need for Information Security
Description: Provides information on the importance of information
security in the organization and the legal and ethical
obligation to protect critical information about customers,
employees, and markets.
Table 4-1 Components of the EISP (3 of 3)
Component: Information Security Responsibilities and Roles
Description: Defines the organizational structure designed to support
information security within the organization. Identifies
categories of people with responsibility for information security
(IT department, management, users) and those
responsibilities, including maintenance of this document.
Component: Reference to Other Information Standards and Guidelines
Description: Lists other standards that influence this policy document and are
influenced by it, perhaps including relevant federal laws, state
laws, and other policies.
Issue-Specific Security Policy (ISSP)
(1 of 2)
• The ISSP:
• Addresses specific areas of technology
• Requires frequent updates
• Contains a statement of the organization’s position on a
specific issue
• Three common approaches when creating and managing ISSPs:
• Create a number of independent ISSP documents
• Create a single comprehensive ISSP document
• Create a modular ISSP document
Issue-Specific Security Policy (ISSP) (2 of 2)
• Components of the policy:
• Statement of policy
• Authorized access and usage of equipment
• Prohibited use of equipment
• Systems management
• Violations of policy
• Policy review and modification
• Limitations of liability
Table 4-2 Components of the ISSP (1 of 4)
• Statement of policy
― Scope and applicability
― Definition of technology addressed
― Responsibilities
• Authorized access and usage of equipment
― User access
― Fair and responsible use
― Protection of privacy
Table 4-2 Components of the ISSP (2 of 4)
• Prohibited use of equipment
― Disruptive use or misuse
― Criminal use
― Offensive or harassing materials
― Copyrighted, licensed, or other intellectual property
― Other restrictions
• Systems management
― Management of stored materials
― Employee monitoring
― Virus protection
Table 4-2 Components of the ISSP (3 of 4)
― Physical security
― Encryption
• Violations of policy
― Procedures for reporting violations
― Penalties for violations
• Policy review and modification
― Scheduled review of policy procedures for modification
― Legal disclaimers
Table 4-2 Components of the ISSP (4 of 4)
• Limitations of liability
― Statements of liability
― Other disclaimers as needed
Systems-Specific Security Policy (SysSP) (1 of 2)
• SysSPs often function as standards or procedures
used when configuring or maintaining systems.
• SysSPs fall into two groups:
• Managerial guidance
• Technical specifications
• Access control lists (ACLs) can restrict access for a
particular user, computer, time, duration—even a
particular file.
Systems-Specific Security Policy (SysSP) (2 of 2)
• Configuration rule policies govern how a security
system reacts to received data.
• Combination SysSPs combine managerial guidance
and technical specifications.
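The two technical elements of a SysSP named on these slides, an ACL keyed on user, computer, time, duration and file, and a configuration rule that decides what the system does with requests no ACL entry covers, shown as an added Python example written for these notes (it is not from the textbook or any product). The users, hosts, paths, time windows and the first-match, default-deny configuration rule are constructed assumptions.

```python
"""Added example: a small evaluator for SysSP-style technical specifications.

Models the two SysSP technical elements the slides name:
  - an access control list (ACL) that restricts access by user, computer,
    time of day, session duration and file, and
  - a configuration rule policy: entries are matched in order, first match
    wins, and anything no entry allows is denied by default.
All users, hosts, paths and times below are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    """One ACL entry. Shell-style wildcards ('*') match any user, host or path."""
    user: str
    host: str
    path: str
    action: str                                 # "allow" or "deny"
    start: Optional[time] = None                # permitted time-of-day window (inclusive)
    end: Optional[time] = None
    max_duration: Optional[timedelta] = None    # longest permitted session

    def matches(self, user: str, host: str, path: str,
                when: datetime, duration: timedelta) -> bool:
        """True if every constraint this entry carries is satisfied."""
        if not (fnmatch(user, self.user) and fnmatch(host, self.host)
                and fnmatch(path, self.path)):
            return False
        if self.start is not None and self.end is not None:
            if not (self.start <= when.time() <= self.end):
                return False
        if self.max_duration is not None and duration > self.max_duration:
            return False
        return True


@dataclass
class SysSpAcl:
    """Ordered ACL plus configuration rule: first match wins, default deny."""
    rules: list = field(default_factory=list)

    def decide(self, user: str, host: str, path: str,
               when: datetime, duration: timedelta = timedelta(0)) -> str:
        for rule in self.rules:
            if rule.matches(user, host, path, when, duration):
                return rule.action
        return "deny"   # configuration rule: no entry matched, so deny


# Constructed sample policy for a hypothetical payroll file share.
PAYROLL_ACL = SysSpAcl([
    # Contractor accounts never reach payroll data, regardless of later entries.
    AclRule("contractor-*", "*", "/payroll/*", "deny"),
    # Payroll staff: HR workstations only, 08:00-18:00, sessions of at most 8 hours.
    AclRule("payroll-*", "ws-hr-*", "/payroll/*", "allow",
            start=time(8, 0), end=time(18, 0),
            max_duration=timedelta(hours=8)),
    # Backup service account may read the archive from the backup host at any hour.
    AclRule("svc-backup", "bkp01", "/payroll/archive/*", "allow"),
])


def check(user: str, host: str, path: str, when: datetime, hours: float = 0.0) -> str:
    """Evaluate one access request against the constructed payroll ACL."""
    return PAYROLL_ACL.decide(user, host, path, when, timedelta(hours=hours))


if __name__ == "__main__":
    noon = datetime(2024, 3, 4, 12, 0)
    night = datetime(2024, 3, 4, 0, 30)
    print(check("payroll-ann", "ws-hr-07", "/payroll/2024/march.csv", noon, 1))    # allow
    print(check("payroll-ann", "ws-hr-07", "/payroll/2024/march.csv", night, 1))   # deny
    print(check("contractor-bob", "ws-hr-07", "/payroll/2024/march.csv", noon))    # deny
    print(check("svc-backup", "bkp01", "/payroll/archive/2023.tar", night))        # allow
```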
Policy Management
• Policies must be managed as they constantly
change.
• To remain viable, security policies must have:
• A responsible manager
• A schedule of reviews
• A method for making recommendations for reviews
• A policy issuance and revision date
• Automated policy management
The Information Security Blueprint
• Basis for design, selection, and implementation of all
security policies, education and training programs,
and technological controls
• Detailed version of security framework (outline of
overall information security strategy for organization)
• Specifies tasks and order in which they are to be
accomplished
• Should also serve as a scalable, upgradeable, and
comprehensive plan for the current and future
information security needs
The ISO 27000 Series (1 of 8)
• One of the most widely referenced security models
• Standard framework for information security that
states organizational security policy is needed to
provide management direction and support
• Purpose is to give recommendations for information
security management
• Provides a starting point for developing
organizational security
The ISO 27000 Series (2 of 8)
• ISO/IEC 27000—Information security management
systems; overview and vocabulary
• ISO/IEC 27001—Information technology; security
techniques; information security management
systems
• ISO/IEC 27002—Code of practice for information
security management
• ISO/IEC 27003—Information security management
system implementation guidance
The ISO 27000 Series (3 of 8)
• ISO/IEC 27004—Information security management;
measurement
• ISO/IEC 27005—Information security risk
management
• ISO/IEC 27006—Requirements for bodies providing
audit and certification of information security
management systems
• ISO/IEC 27007—Guidelines for information security
management systems auditing (focused on the
management system)
The ISO 27000 Series (4 of 8)
• ISO/IEC TR 27008—Guidance for auditors on ISMS
controls (focused on the information security
controls)
• ISO/IEC 27010—Information security management
for inter-sector and inter-organizational
communications
• ISO/IEC 27011—Information security management
guidelines for telecommunications organizations
based on ISO/IEC 27002
The ISO 27000 Series (5 of 8)
• ISO/IEC 27013—Guidance on the integrated
implementation of ISO/IEC 27001 and ISO/IEC
20000-1
• ISO/IEC 27014—Information security governance.
• ISO/IEC TR 27015—Information security
management guidelines for financial services
• ISO/IEC 27017—Code of practice for
information security controls based on
ISO/IEC 27002 for cloud services
The ISO 27000 Series (6 of 8)
• ISO/IEC 27018—Code of practice for protection of
personally identifiable information (PII) in public
clouds acting as PII processors
• ISO/IEC 27031—Guidelines for information and
communication technology readiness for business
continuity
• ISO/IEC 27032—Guideline for cybersecurity
• ISO/IEC 27033-1—Network security—Part 1:
Overview and concepts
The ISO 27000 Series (7 of 8)
• ISO/IEC 27033-2—Network security—Part 2:
Guidelines for the design and implementation of
network security
• ISO/IEC 27033-3—Network security—Part 3:
Reference networking scenarios; threats, design
techniques and control issues
• ISO/IEC 27033-5—Network security—Part 5:
Securing communications across networks using
Virtual Private Networks (VPNs)
The ISO 27000 Series (8 of 8)
• ISO/IEC 27034-1—Application security—Part 1: Guideline for application
security
• ISO/IEC 27035—Information security incident management
• ISO/IEC 27036-3—Information security for supplier relationships—Part 3:
Guidelines for information and communication technology supply chain
security
• ISO/IEC 27037—Guidelines for identification, collection, acquisition and
preservation of digital evidence
• ISO 27799—Information security management in health using ISO/IEC 27002
Figure 4-7 ISO/IEC 27001:2013 major
process steps
Source: 27001 Academy: ISO 27001 and ISO 22301 Online Consultation
Center
NIST Security Models
• Another possible approach is described in the
documents available from the Computer Security
Resource Center of NIST:
• SP 800-12
• SP 800-14
• SP 800-18 Rev. 1
• SP 800-26
• SP 800-30
NIST Special Publication 800-14 (1 of 2)
• Security supports the mission of the organization
and is an integral element of sound management.
• Security should be cost effective; owners have
security responsibilities outside their own
organizations.
• Security responsibilities and accountability should be
made explicit; security requires a comprehensive
and integrated approach.
NIST Special Publication 800-14 (2 of 2)
• Security should be periodically reassessed; security
is constrained by societal factors.
• Thirty-three principles for securing systems (see
Table 4-5).
NIST Cybersecurity Framework (1 of 2)
• Consists of three fundamental components:
• Framework core: set of information security activities
an organization is expected to perform and their
desired results
• Framework tiers: help relate the maturity of security
programs and implement corresponding measures
and functions
• Framework profile: used to perform a gap analysis
between the current and a desired state of
information security/risk management
NIST Cybersecurity Framework (2 of 2)
• Seven-step approach to implementing/improving
programs:
• Prioritize and scope
• Orient
• Create current profile
• Conduct risk assessment
• Create target profile
• Determine, analyze, and prioritize gaps
• Implement action plan
Other Sources of Security Frameworks
• Computer Emergency Response Team Coordination
Center (CERT/CC)
• International Association of Professional Security
Consultants
Design of Security Architecture (1 of 2)
• Spheres of security: foundation of the security framework
• Levels of controls:
• Management controls set the direction and scope of the
security processes and provide detailed instructions for their
conduct.
• Operational controls address personnel and physical
security and the protection of production inputs/outputs.
• Technical controls are the tactical and technical
implementations related to designing and integrating
security in the organization.
Design of Security Architecture (2 of 2)
• Defense in depth
• Implementation of security in layers
• Requires that organization establish multiple layers of
security controls and safeguards
• Security perimeter
• Border of security protecting internal systems from
outside threats
• Does not protect against internal attacks from
employee threats or onsite physical threats
Figure 4-8 Spheres of security
Figure 4-9 Defense in depth
Figure 4-10 Security perimeters and domains
Security Education, Training, and Awareness
Program
• Once general security policy exists, implement
security education, training, and awareness (SETA)
program.
• SETA is a control measure designed to reduce
accidental security breaches.
• The SETA program consists of security education,
security training, and security awareness.
• It enhances security by improving awareness,
developing skills and knowledge, and building in-depth knowledge.
Security Education
• Everyone in an organization needs to be trained and
aware of information security; not every member
needs a formal degree or certificate in information
security.
• When formal education is deemed appropriate, an
employee can investigate courses in continuing
education from local institutions of higher learning.
• A number of universities have formal coursework in
information security.
Security Training
• Provides members of the organization with detailed
information and hands-on instruction to prepare
them to perform their duties securely.
• Management of information security can develop
customized in-house training or outsource the
training program.
• Alternatives to formal training include conferences
and programs offered through professional
organizations.
Security Awareness
• One of the least frequently implemented but most
beneficial programs is the security awareness
program.
• It is designed to keep information security at the
forefront of users’ minds.
• It need not be complicated or expensive.
• If the program is not actively implemented,
employees may begin to neglect security matters,
and risk of employee accidents and failures is likely
to increase.
Table 4-6 Comparative Framework of SETA
| Attribute | Education | Training | Awareness |
| Attribute | Why | How | What |
| Objective | Understanding | Skill | Exposure |
| Teaching method | Theoretical instruction: discussion seminar; background reading | Practical instruction: lecture; case study workshop; hands-on practice | Media: posters; videos; newsletters |
| Test measure | Essay (interpret learning) | Problem solving (apply learning) | True or False; Multiple choice (identify learning) |
| Impact timeframe | Long term | Intermediate | Short term |
Source: NIST SP 800-12
Continuity Strategies (1 of 2)
• Incident response plans (IRPs), disaster recovery plans
(DRPs), and business continuity plans (BCPs)
• Primary functions of above plans:
• IRP focuses on immediate response; if attack escalates or
is disastrous, process changes to DRP and BCP.
• DRP typically focuses on restoring systems after disasters
occur; as such, it is closely associated with BCP.
• BCP occurs concurrently with DRP when damage is major
or ongoing, requiring more than simple restoration of
information and information resources.
Continuity Strategies (2 of 2)
• Before planning can actually begin, a team has to
start the process
• Champion: high-level manager to support, promote,
and endorse findings of the project
• Project manager: leads project and ensures sound
project planning process is used, a complete and
useful project plan is developed, and project
resources are prudently managed
• Team members: should be managers, or their
representatives, from various communities of interest:
business, IT, and information security
Figure 4-12 Components of contingency planning
Figure 4-13 Contingency planning timeline
Contingency Planning (CP) Process
• Includes the following steps:
• Develop CP policy statement
• Conduct business impact analysis
• Identify preventive controls
• Create contingency strategies
• Develop contingency plan
• Ensure plan testing, training, and exercises
• Ensure plan maintenance
Figure 4-14 Major steps in
contingency planning
The CP Policy
• Should contain the following sections:
• Introductory statement of philosophical perspective
• Statement of scope/purpose
• Call for periodic risk assessment/BIA
• Specification of CP’s major components
• Call for/guidance in the selection of recovery options
• Requirement to test the various plans regularly
• Identification of key regulations and standards
• Identification of key people responsible for CP operations
• Challenge to the organization members for support
• Administrative information
Business Impact Analysis (BIA)
• Investigation and assessment of various adverse events that
can affect organization
• Assumes security controls have been bypassed, have failed,
or have proven ineffective, and the attack has succeeded
• Organization should consider scope, plan, balance,
knowledge of objectives, and follow-ups
• Three stages:
• Determine mission/business processes and recovery
criticality
• Identify recovery priorities for system resources
• Identify resource requirements
Figure 4-15 RPO, RTO, WRT, and MTD
Source: http://networksandservers.blogspot.com/2011/02/high-availability-terminology-ii.html.
Incident Response Planning (1 of 8)
• Incident response planning includes identification of,
classification of, and response to an incident.
• Attacks classified as incidents if they:
• Are directed against information assets
• Have a realistic chance of success
• Could threaten confidentiality, integrity, or availability
of information resources
• Incident response is more reactive than proactive,
with the exception of planning that must occur to
prepare IR teams to be ready to react to an incident.
Incident Response Planning (2 of 8)
• Incident response policy identifies the following key
components:
• Statement of management commitment
• Purpose/objectives of policy
• Scope of policy
• Definition of InfoSec incidents and related terms
• Organizational structure
• Prioritization or severity ratings of incidents
• Performance measures
• Reporting and contact forms
Incident Response Planning (3 of 8)
• Incident Planning
• Predefined responses enable the organization to react
quickly and effectively to the detected incident if:
• The organization has an IR team
• The organization can detect the incident
• IR team consists of individuals needed to handle systems
as incident takes place
• Incident response plan
• Format and content
• Storage
• Testing
Incident Response Planning (4 of 8)
• Incident detection
• Most common occurrence is complaint about
technology support, often delivered to help desk.
• Careful training is needed to quickly identify and
classify an incident.
• Once incident is properly identified, the organization
can respond.
• Incident indicators vary.
Incident Response Planning (5 of 8)
• Incident reaction
• Consists of actions that guide the organization to stop
incident, mitigate its impact, and provide information for
recovery
• Actions that must occur quickly:
• Notification of key personnel
• Documentation of the incident
• Incident containment strategies
• Containment of incident’s scope or impact is first priority;
must then determine which information systems are
affected
Incident Response Planning (6 of 8)
― Organization can stop the incident and attempt to recover
control through a number of strategies
• Incident recovery
• Once incident has been contained and control of
systems regained, the next stage is recovery.
• The first task is to identify human resources needed
and launch them into action.
• Full extent of the damage must be assessed.
Incident Response Planning (7 of 8)
• Organization repairs vulnerabilities, addresses any
shortcomings in safeguards, and restores data and
services of the systems.
• Damage assessment
• Several sources of information on damage can be used,
including system logs, intrusion detection logs,
configuration logs and documents, documentation from
incident response, and results of detailed assessment of
systems and data storage.
• Computer evidence must be carefully collected,
documented, and maintained to be usable in formal or
informal proceedings.
Incident Response Planning (8 of 8)
• Individuals who assess damage need special
training.
• Automated response
• New systems can respond to incident threat
autonomously.
• Downsides of current automated response systems
may outweigh benefits.
• Legal liabilities of a counterattack
• Ethical issues
Disaster Recovery Planning
• Disaster recovery planning (DRP) is preparation for and recovery from a
disaster.
• The contingency planning team must decide which actions constitute
disasters and which constitute incidents.
• When situations are classified as disasters, plans change as to how to
respond; take action to secure most valuable assets to preserve value for the
longer term.
• DRP strives to reestablish operations at the primary site.
Business Continuity Planning (1 of 3)
• BCP prepares the organization to reestablish or relocate
critical business operations during a disaster that affects
operations at the primary site.
• If disaster has rendered the current location unusable,
there must be a plan to allow business to continue
functioning.
• Development of BCP is somewhat simpler than IRP or
DRP.
• It consists primarily of selecting a continuity strategy and
integrating off-site data storage and recovery functions
into this strategy.
Business Continuity Planning (2 of 3)
• Continuity strategies
• There are a number of strategies for planning for
business continuity.
• Determining factor in selecting between options is
usually cost.
• In general, there are three exclusive options: hot
sites, warm sites, and cold sites.
• There are three shared functions: time-share, service
bureaus, and mutual agreements.
Business Continuity Planning (3 of 3)
• Off-site disaster data storage
• To get sites up and running quickly, an organization
must have the ability to move data into new site’s
systems.
• Options for getting operations up and running include:
• Electronic vaulting
• Remote journaling
• Database shadowing
Crisis Management (1 of 3)
• Actions taken in response to an emergency
should minimize injury/loss of life, preserve
organization’s image/market share, and
complement disaster recovery/business
continuity processes.
• What may truly distinguish an incident from a
disaster are the actions of the response teams.
• Disaster recovery personnel must know their
roles without any supporting documentation.
• Preparation
• Training
• Rehearsal
Crisis Management (2 of 3)
• Crisis management team is responsible for
managing the event from an enterprise perspective
and covers:
• Supporting personnel and families during crisis
• Determining impact on normal business operations
and, if necessary, making disaster declaration
• Keeping the public informed
• Communicating with major customers, suppliers,
partners, regulatory agencies, industry organizations, the
media, and other interested parties
Crisis Management (3 of 3)
• Key areas of crisis management also include:
• Verifying personnel head count
• Checking alert roster
• Checking emergency information cards
The Consolidated Contingency Plan
• Single document set approach combines all aspects
of...