600-800 Reflective report on Data Security


Description

You will submit a Reflective Report on Data Security based on contemporary security issues. Students should collect a paper from a journal, a newspaper or a magazine and analyse it critically. A 600-800 word reflective report on how Data Security is affecting every aspect of our lives. This task requires you to critically apply your knowledge and understanding of information systems security you have learnt from topics 1 to 4 of your textbook (I have attached the 4 slides; please have a look), other reading materials, as well as materials on LEO. The report should demonstrate how you have actively engaged in the unit materials and contemporary news from media and journals. Data Security is now a critical issue around the world and your awareness of this issue is very important if you would like to have gainful employment as an IT professional in any organization in future.

Your report must be supported by references through additional readings. This is the structure of the report.
The report should be written in 12-point font with 1.5 line spacing.

Your case study report should be structured as follows:
1. Introduction (approximately 100 words) – Provide an overview of your report (e.g., purpose, scope etc).
2. Identify the main issues and problems(approximately 100 words)
3. Analyse and evaluate critically all relevant issues (approximately 400 words).
4. Recommendations (approximately 100 words)
5. Conclusion (approximately 100 words) – Summarise and synthesise your report. You can use subheadings if you think proper. We expect a professional report from you with properly edited

And make sure the word count is 800 (excluding Cover page, Table of Contents, Diagrams and References). Also, this is a Turnitin report. Please attach the selected journal or case study, because I need to attach that one as well.

References:
Google Scholar will also help you to locate relevant materials. Your report’s analysis and recommendations should be clearly explained, logically presented, and firmly based on evidence. It is essential that you carefully cite references (minimum 5 collecting relevant materials from different sources) supporting your analysis and recommendations. Harvard Referencing Style must be followed.

Please have a look at the rubric as well.




Unformatted Attachment Preview

ISYS 326 Information Systems Security
Week 2: The Need for Security

Learning Objectives
Upon completion of this material, you should be able to:
• Discuss the organizational need for information security
• Explain why a successful information security program is the shared responsibility of an organization's three communities of interest
• List and describe the threats posed to information security and common attacks associated with those threats
• List the common development failures and errors that result from poor software security efforts

Introduction
• The primary mission of an information security program is to ensure information assets (information and the systems that house them) remain safe and useful.
• If no threats existed, resources could be used exclusively to improve systems that contain, use, and transmit information.
• The threat of attacks on information systems is a constant concern.

Business Needs First
• Information security performs four important functions for an organization:
  • Protecting the organization's ability to function
  • Protecting the data and information the organization collects and uses
  • Enabling the safe operation of applications running on the organization's IT systems
  • Safeguarding the organization's technology assets

Protecting the Functionality of an Organization
• Management (general and IT) is responsible for facilitating the security program.
• Implementing information security has more to do with management than technology.
• Communities of interest should address information security in terms of business impact and cost of business interruption.

Protecting Data That Organizations Collect and Use
• Without data, an organization loses its record of transactions and its ability to deliver value to customers.
• Protecting data in transmission, in processing, and at rest (storage) is a critical aspect of information security.

Enabling the Safe Operation of Applications
• An organization needs environments that safeguard applications using IT systems.
• Management must continue to oversee the infrastructure once it is in place, not relegate it to the IT department.

Safeguarding Technology Assets in Organizations
• Organizations must employ secure infrastructure hardware appropriate to the size and scope of the enterprise.
• Additional security services may be needed as the organization grows.
• More robust solutions should replace security programs the organization has outgrown.

Threats and Attacks
• Threat: a potential risk to an asset's loss of value.
• Attack: an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.
• Exploit: a technique used to compromise a system.
• Vulnerability: a potential weakness in an asset or its defensive control system(s).
• Management must be informed about the various threats to an organization's people, applications, data, and information systems.
• Overall security is improving, but so is the number of potential hackers.

Figure 2-1 World Internet usage
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

Table 2-1 Compiled Survey Results for Types of Attack or Misuse (2000-2011)
Type of Attack or Misuse | 2010/11 | 2008 | 2006 | 2004 | 2002 | 2000
Malware infection (revised after 2008) | 67% | 50% | 65% | 78% | 85% | 85%
Being fraudulently represented as sender of phishing message | 39% | 31% | (new category) | (new category) | | 
Laptop/mobile hardware theft/loss | 34% | 42% | 47% | 49% | 55% | 60%
Bots/zombies in organization | 29% | 20% | (new category) | (new category) | | 
Inside abuse of Internet access or e-mail | 25% | 44% | 42% | 59% | 78% | 79%
Denial of service | 17% | 21% | 25% | 39% | 40% | 27%
Unauthorized access or privilege escalation by insider | 13% | 15% | (revised category) | (revised category) | | 
Password sniffing | 11% | 9% | (new category) | (new category) | | 
System penetration by outsider | 11% | (revised category) | (revised category) | | | 
Exploit of client Web browser | 10% | (new category) | (new category) | | | 
Source: Whitman and Mattord, 2015 SEC/CISE Threats to Information Protection Report.

Table 2-2 Rated Threats from Internal Sources in 2015 SEC/CISE Survey of Threats to Information Protection
From Employees or Internal Stakeholders | Not a Threat (1) | 2 | 3 | 4 | A Severe Threat (5) | Comp. Rank
Inability/unwillingness to follow established policy | 6.6% | 17.2% | 33.6% | 26.2% | 16.4% | 66%
Disclosure due to insufficient training | 8.1% | 23.6% | 29.3% | 25.2% | 13.8% | 63%
Unauthorized access or escalation of privileges | 4.8% | 24.0% | 31.2% | 31.2% | 8.8% | 63%
Unauthorized information collection/data sniffing | 6.4% | 26.4% | 40.0% | 17.6% | 9.6% | 60%
Theft of on-site organizational information assets | 10.6% | 32.5% | 34.1% | 12.2% | 10.6% | 56%
Theft of mobile/laptop/tablet and related/connected information assets | 15.4% | 29.3% | 28.5% | 17.9% | 8.9% | 55%
Intentional damage or destruction of information assets | 22.3% | 43.0% | 18.2% | 13.2% | 3.3% | 46%
Theft or misuse of organizationally leased, purchased, or developed software | 29.6% | 33.6% | 21.6% | 10.4% | 4.8% | 45%
Web site defacement | 43.4% | 33.6% | 16.4% | 4.9% | 1.6% | 38%
Blackmail of information release or sales | 43.5% | 37.1% | 10.5% | 6.5% | 2.4% | 37%

Table 2-3 Rated Threats from External Sources in 2015 SEC/CISE Survey of Threats to Information Protection
From External Sources | Not a Threat (1) | 2 | 3 | 4 | A Severe Threat (5) | Comp. Rank
Unauthorized information collection/data sniffing | 6.4% | 14.4% | 21.6% | 32.8% | 24.8% | 71%
Unauthorized access or escalation of privileges | 7.4% | 14.0% | 26.4% | 31.4% | 20.7% | 69%
Web site defacement | 8.9% | 23.6% | 22.8% | 26.8% | 17.9% | 64%
Intentional damage or destruction of information assets | 14.0% | 32.2% | 18.2% | 24.8% | 10.7% | 57%
Theft of mobile/laptop/tablet and related/connected information assets | 20.5% | 25.4% | 26.2% | 15.6% | 12.3% | 55%
Theft of on-site organizational informational assets | 21.1% | 24.4% | 25.2% | 17.9% | 11.4% | 55%
Blackmail of information release or sales | 31.1% | 30.3% | 14.8% | 14.8% | 9.0% | 48%
Disclosure due to insufficient training | 34.5% | 21.8% | 22.7% | 13.4% | 7.6% | 48%
Inability/unwillingness to follow established policy | 33.6% | 29.4% | 18.5% | 6.7% | 11.8% | 47%
Theft or misuse of organizationally leased, purchased, or developed software | 31.7% | 30.1% | 22.8% | 9.8% | 5.7% | 46%

Table 2-4 Perceived Threats to Information Assets in 2015 SEC/CISE Survey of Threats to Information Protection
General Threats to Information Assets | Not a Threat (1) | 2 | 3 | 4 | A Severe Threat (5) | Comp. Rank
Electronic phishing/spoofing attacks | 0.8% | 13.1% | 16.4% | 32.0% | 37.7% | 79%
Malware attacks | 1.7% | 12.4% | 27.3% | 36.4% | 22.3% | 73%
Unintentional employee/insider mistakes | 2.4% | 17.1% | 26.8% | 35.8% | 17.9% | 70%
Loss of trust due to information loss | 4.1% | 18.9% | 27.0% | 22.1% | 27.9% | 70%
Software failures or errors due to unknown vulnerabilities in externally acquired software | 5.6% | 18.5% | 28.2% | 33.9% | 13.7% | 66%
Social engineering of employees/insiders based on social media information | 8.1% | 14.6% | 32.5% | 34.1% | 10.6% | 65%
Social engineering of employees/insiders based on other published information | 8.9% | 19.5% | 24.4% | 32.5% | 14.6% | 65%
Software failures or errors due to poorly developed, internally created applications | 7.2% | 21.6% | 24.0% | 32.0% | 15.2% | 65%
SQL injections | 7.6% | 17.6% | 31.9% | 29.4% | 13.4% | 65%
Social engineering of employees/insiders based on organization's Web sites | 11.4% | 19.5% | 23.6% | 31.7% | 13.8% | 63%
Denial of service (and distributed DoS) attacks | 8.2% | 23.0% | 27.9% | 32.8% | 8.2% | 62%
Software failures or errors due to known vulnerabilities in externally acquired software | 8.9% | 23.6% | 26.8% | 35.8% | 4.9% | 61%
Outdated organizational software | 8.1% | 28.2% | 26.6% | 26.6% | 10.5% | 61%
Loss of trust due to representation as source of phishing/spoofing attack | 9.8% | 23.8% | 30.3% | 23.0% | 13.1% | 61%
Loss of trust due to Web defacement | 12.4% | 30.6% | 31.4% | 19.8% | 5.8% | 55%
Outdated organizational hardware | 17.2% | 34.4% | 32.8% | 12.3% | 3.3% | 50%
Outdated organizational data format | 18.7% | 35.8% | 26.8% | 13.8% | 4.9% | 50%
Inability/unwillingness to establish effective policy by management | 30.4% | 26.4% | 24.0% | 13.6% | 5.6% | 48%
Hardware failures or errors due to aging equipment | 19.5% | 39.8% | 24.4% | 14.6% | 1.6% | 48%
Hardware failures or errors due to defective equipment | 17.9% | 48.0% | 24.4% | 8.1% | 1.6% | 46%
Deviations in quality of service from other provider | 25.2% | 38.7% | 25.2% | 7.6% | 3.4% | 45%
Deviations in quality of service from data communications provider/ISP | 26.4% | 39.7% | 23.1% | 7.4% | 3.3% | 44%
Deviations in quality of service from telecommunication provider/ISP (if different from data provider) | 29.9% | 38.5% | 18.8% | 9.4% | 3.4% | 44%
Loss due to other natural disaster | 31.0% | 37.9% | 23.3% | 6.9% | 0.9% | 42%
Loss due to fire | 26.2% | 49.2% | 21.3% | 3.3% | 0.0% | 40%
Deviations in quality of service from power provider | 36.1% | 43.4% | 12.3% | 5.7% | 2.5% | 39%
Loss due to flood | 33.9% | 43.8% | 19.8% | 1.7% | 0.8% | 38%
Loss due to earthquake | 41.7% | 35.8% | 15.0% | 6.7% | 0.8% | 38%

Table 2-5 The 12 Categories of Threats to Information Security
Category of Threat | Attack Examples
Compromises to intellectual property | Piracy, copyright infringement
Deviations in quality of service | Internet service provider (ISP), power, or WAN service problems
Espionage or trespass | Unauthorized access and/or data collection
Forces of nature | Fire, floods, earthquakes, lightning
Human error or failure | Accidents, employee mistakes
Information extortion | Blackmail, information disclosure
Sabotage or vandalism | Destruction of systems or information
Software attacks | Viruses, worms, macros, denial of service
Technical hardware failures or errors | Equipment failure
Technical software failures or errors | Bugs, code problems, unknown loopholes
Technological obsolescence | Antiquated or outdated technologies
Theft | Illegal confiscation of equipment or information

Compromises to Intellectual Property
• Intellectual property (IP): creation, ownership, and control of original ideas as well as the representation of those ideas.
• The most common IP breaches involve software piracy.
• Two watchdog organizations investigate software abuse:
  • Software & Information Industry Association (SIIA)
  • Business Software Alliance (BSA)
• Enforcement of copyright law has been attempted with technical security mechanisms.

Deviations in Quality of Service
• An information system depends on the successful operation of many interdependent support systems.
• Internet service, communications, and power irregularities dramatically affect the availability of information and systems.
• Internet service issues
  • Internet service provider (ISP) failures can considerably undermine the availability of information.
  • An outsourced Web hosting provider assumes responsibility for all Internet services as well as for the hardware and Web site operating system software.
• Communications and other service provider issues
  • Other utility services affect organizations: telephone, water, wastewater, trash pickup.
  • Loss of these services can affect an organization's ability to function.
• Power irregularities
  • Are commonplace
  • Lead to fluctuations such as power excesses, power shortages, and power losses
  • Sensitive electronic equipment is vulnerable to, and easily damaged or destroyed by, fluctuations
  • Controls can be applied to manage power quality

Figure 2-5 Cost of online service provider downtime. Source: MegaPath. Used with permission.

Espionage or Trespass
• Access of protected information by unauthorized individuals
• Competitive intelligence (legal) versus industrial espionage (illegal)
• Shoulder surfing can occur anywhere a person accesses confidential information
• Controls let trespassers know they are encroaching on the organization's cyberspace
• Hackers use skill, guile, or fraud to bypass controls protecting others' information
• Expert hackers
  • Develop software scripts and program exploits
  • Usually masters of many skills
  • Will often create attack software and share it with others
• Unskilled hackers
  • There are many more unskilled hackers than expert hackers
  • Use expertly written software to exploit a system
  • Do not usually fully understand the systems they hack
• Other terms for system rule breakers:
  • Cracker: "cracks" or removes software protection designed to prevent unauthorized duplication
  • Phreaker: hacks the public telephone system to make free calls or disrupt services
• Password attacks
  • Cracking
  • Brute force
  • Dictionary
  • Rainbow tables
  • Social engineering

Figure 2-6 Shoulder surfing
Figure 2-7 Contemporary hacker profile

Table 2-6 Password Power
Case-Insensitive Passwords Using a Standard Alphabet Set (No Numbers or Special Characters)
Password Length | Odds of cracking: 1 in (number of characters ^ password length) | Estimated Time to Crack*
8 | 208,827,064,576 | 1.01 seconds
9 | 5,429,503,678,976 | 26.2 seconds
10 | 141,167,095,653,376 | 11.4 minutes
11 | 3,670,344,486,987,780 | 4.9 hours
12 | 95,428,956,661,682,200 | 5.3 days
13 | 2,481,152,873,203,740,000 | 138.6 days
14 | 64,509,974,703,297,200,000 | 9.9 years
15 | 1,677,259,342,285,730,000,000 | 256.6 years
16 | 43,608,742,899,428,900,000,000 | 6,672.9 years

Case-Sensitive Passwords Using a Standard Alphabet Set (with Numbers and Special Characters)
Password Length | Odds of cracking: 1 in (number of characters ^ password length) | Estimated Time to Crack*
8 | 2,044,140,858,654,980 | 2.7 hours
9 | 167,619,550,409,708,000 | 9.4 days
10 | 13,744,803,133,596,100,000 | 2.1 years
11 | 1,127,073,856,954,880,000,000 | 172.5 years
12 | 92,420,056,270,299,900,000,000 | 14,141.9 years
13 | 7,578,444,614,164,590,000,000,000 | 1,159,633.8 years
14 | 621,432,458,361,496,000,000,000,000 | 95,089,967.6 years
15 | 50,957,461,585,642,700,000,000,000,000 | 7,797,377,343.5 years
16 | 4,178,511,850,022,700,000,000,000,000,000 | 639,384,942,170.1 years
*Estimated time to crack is based on a 2015-era PC with an Intel i7-6700K Quad Core CPU performing 207.23 Dhrystone GIPS (giga/billion instructions per second) at 4.0 GHz.
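The arithmetic behind Table 2-6, as an added example that is not part of the slide deck: the "odds of cracking" column is the keyspace (alphabet size raised to the password length) and the time column divides that keyspace by the footnote's 207.23 GIPS. Two things the table leaves implicit are inferred here from its own figures and labelled as inferences in the code: the time column treats one instruction as one guess, and the case-sensitive half uses an alphabet of 82 characters (its length-8 entry is 82^8, rounded to 15 significant digits the way a spreadsheet prints it). The function and variable names are my own.

```python
# Added example: reproduce the arithmetic behind Table 2-6 "Password Power".
# Not code from the Cengage slides. keyspace = alphabet ** length; the time
# estimate divides the keyspace by the footnote's rate, treating one instruction
# as one guess (an inference from the table's figures, not a statement on the slide).
from dataclasses import dataclass

GUESSES_PER_SECOND = 207.23e9   # 207.23 Dhrystone GIPS, from the table footnote

# Alphabet sizes inferred from the table's own keyspace figures: 26 for the
# case-insensitive half, 82 (letters in both cases, digits, specials) for the other.
LOWER_ONLY = 26
UPPER_LOWER_DIGIT_SPECIAL = 82


@dataclass(frozen=True)
class CrackEstimate:
    length: int
    alphabet: int
    keyspace: int
    seconds: float

    def human_time(self) -> str:
        """Render seconds in the units the table uses (seconds up to years)."""
        units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
                 ("hours", 3600), ("minutes", 60)]
        for name, size in units:
            if self.seconds >= size:
                return f"{self.seconds / size:,.1f} {name}"
        return f"{self.seconds:.2f} seconds"


def estimate(length: int, alphabet: int,
             rate: float = GUESSES_PER_SECOND) -> CrackEstimate:
    """Exhaustive-search upper bound: every password of this length is tried once."""
    if length < 1 or alphabet < 2:
        raise ValueError("length must be >= 1 and alphabet must have >= 2 symbols")
    keyspace = alphabet ** length
    return CrackEstimate(length, alphabet, keyspace, keyspace / rate)


def implied_alphabet(keyspace: int, length: int) -> int:
    """Recover the alphabet size a table row assumes (the integer root of its keyspace).

    The table prints keyspaces rounded to 15 significant digits, so the match is
    tolerant to a relative error of 1e-13 rather than exact.
    """
    root = round(keyspace ** (1.0 / length))
    for candidate in (root - 1, root, root + 1):   # guard against float root error
        if abs(candidate ** length - keyspace) * 10**13 <= keyspace:
            return candidate
    raise ValueError("keyspace is not a power of an integer alphabet size")


def table(alphabet: int, lengths=range(8, 17)) -> list:
    """One CrackEstimate per password length, the rows of Table 2-6."""
    return [estimate(n, alphabet) for n in lengths]


if __name__ == "__main__":
    for alphabet in (LOWER_ONLY, UPPER_LOWER_DIGIT_SPECIAL):
        print(f"alphabet of {alphabet} characters")
        for row in table(alphabet):
            print(f"  {row.length:2d}  1 in {row.keyspace:,}  {row.human_time()}")
```

Running the script prints the two halves of the table; comparing rows shows why the textbook stresses length and alphabet together: each extra character multiplies the keyspace by the alphabet size, so length 8 over 82 symbols already outlasts length 16 over 26 symbols. The rate is the table's assumption, not a property of any real cracking setup, so the absolute times are only useful for comparing rows against each other.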
Forces of Nature • Forces of nature can present some of the most dangerous threats. • They disrupt not only individual lives but also storage, transmission, and use of information. • Organizations must implement controls to limit damage and prepare contingency plans for continued operations. 33 | Office | Faculty | Department Human Error or Failure (1 of 2) • Includes acts performed without malicious intent or in ignorance • Causes include: • Inexperience • Improper training • Incorrect assumptions • Employees are among the greatest threats to an organization’s data 34 | Office | Faculty | Department Human Error or Failure (2 of 2) • Employee mistakes can easily lead to: • • • • • Revelation of classified data Entry of erroneous data Accidental data deletion or modification Data storage in unprotected areas Failure to protect information • Many of these threats can be prevented with training, ongoing awareness activities, and controls • Social engineering uses social skills to convince people to reveal access credentials or other valuable information to an attacker 35 | Office | Faculty | Department Figure 2-9 The biggest threat—acts of human error or failure Source: © iStockphoto/BartCo, © iStockphoto/sdominick, © iStockphoto/mikkelwilliam. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Social Engineering • “People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. 
They got everything.”— Kevin Mitnick • Advance-fee fraud: indicates recipient is due money and small advance fee/personal banking information required to facilitate transfer • Phishing: attempt to gain personal/confidential information; apparent legitimate communication hides embedded code that redirects user to thirdparty site 37 | Office | Faculty | Department Figure 2-10 Example of a Nigerian 4-1-9 fraud letter Source: © iStockphoto/BartCo, © iStockphoto/sdominick, © iStockphoto/mikkelwilliam. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 2-11 Phishing example: lure Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 2-12 Phishing example: fake Website Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Information Extortion • Attacker steals information from a computer system and demands compensation for its return or nondisclosure. Also known as cyberextortion. • Commonly done in credit card number theft 41 | Office | Faculty | Department Sabotage or Vandalism • Threats can range from petty vandalism to organized sabotage. • Web site defacing can erode consumer confidence, diminishing organization’s sales, net worth, and reputation. • Threat of hacktivist or cyberactivist operations is rising. • Cyberterrorism/Cyberwarfare: a much more sinister form of hacking. 
42 | Office | Faculty | Department Software Attacks (1 of 5) • Malicious software (malware) is used to overwhelm the processing capabilities of online systems or to gain access to protected systems via hidden means. • Software attacks occur when an individual or a group designs and deploys software to attack a system. 43 | Office | Faculty | Department Software Attacks (2 of 5) • Types of attacks include: • Malware (malicious code): It includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. • Virus: It consists of code segments that attach to existing program and take control of access to the targeted computer. • Worms: They replicate themselves until they completely fill available resources such as memory and hard drive space. • Trojan horses: malware disguised as helpful, interesting, or necessary pieces of software. 44 | Office | Faculty | Department Software Attacks (3 of 5) • Polymorphic threat: actually evolves to elude detection • Virus and worm hoaxes: nonexistent malware that employees waste time spreading awareness about • Back door: gaining access to system or network using known or previously unknown/newly discovered access mechanism • Denial-of-service (DoS): An attacker sends a large number of connection or information requests to a target. • The target system becomes overloaded and cannot respond to legitimate requests for service. • It may result in system crash or inability to perform ordinary functions. 45 | Office | Faculty | Department Software Attacks (4 of 5) • Distributed denial-of-service (DDoS): A coordinated stream of requests is launched against a target from many locations simultaneously. • Mail bombing (also a DoS): An attacker routes large quantities of e-mail to target to overwhelm the receiver. • Spam (unsolicited commercial e-mail): It is considered more a nuisance than an attack, though is emerging as a vector for some attacks. 
• Packet sniffer: It monitors data traveling over network; it can be used both for legitimate management purposes and for stealing information from a network. 46 | Office | Faculty | Department Software Attacks (5 of 5) • Spoofing: A technique used to gain unauthorized access; intruder assumes a trusted IP address. • Pharming: It attacks a browser’s address bar to redirect users to an illegitimate site for the purpose of obtaining private information. • Man-in-the-middle: An attacker monitors the network packets, modifies them, and inserts them back into the network. 47 | Office | Faculty | Department Table 2-7 The Most Dangerous Malware Attacks to Date (1 of 2) Malware Type Year Estimated Number of Systems Infected Estimated Financial Damage MyDoom Worm 2004 2 million $ 38 billion Klez (and variants) Virus 2001 7.2% of Internet $19.8 billion ILOVEYOU Virus 2000 10% of Internet $ 5.5 billion Sobig F Worm 2003 1 million $ 3 billion Code Red (and CR II) Worm 2001 400,000 servers $ 2.6 billion SQL slammer, a.k.a. Sapphire Worm 2003 75,000 $ 950 million to $ 1.2 billion Melissa Macro virus 1999 Unknown $ 300 million to $ 600 million CIH, a.k.a. Chernobyl Memoryresident virus 1998 Unknown $ 250 million Storm Worm Trojan horse virus 2006 10 million Unknown Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 2-7 The Most Dangerous Malware Attacks to Date (2 of 2) Malware Type Year Estimated Number of Systems Infected Estimated Financial Damage Conficker Worm 2009 15 million Unknown Nimda Multivector worm 2001 Unknown Unknown Sasser Worm 2004 500,000 to 700,000 Unknown Nesky Virus 2004 Under 100,000 Unknown Leap-A/Oompa-A Virus 2006 Unknown (Apple) Unknown Copyright © 2018 Cengage. 
May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 2-8 Attack Replication Vectors Vector Description IP scan and attack The infected system scans a range of IP addresses and service ports and targets several vulnerabilities known to hackers or left over from previous exploits, such as Code Red, Back Orifice, or PoizonBox. Web browsing If the infected system has write access to any Web pages, it makes all Web content files infectious, including .html, .asp, .cgi, and other files. Users who browse to those pages infect their machines. Virus Each affected machine infects common executable or script files on all computers to which it can write, which spreads the virus code to cause further infection. Unprotected shares Using vulnerabilities in file systems and in the way many organizations configure them, the infected machine copies the viral component to all locations it can reach. Mass mail By sending e-mail infections to addresses found in the address book, the affected machine infects many other users, whose mail-reading programs automatically run the virus program and infect even more systems. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 2-18 Denial-of-service attack In a denial-of-service attack, a hacker compromises a system and uses that system to attack the target computer, flooding it with more requests for services than the target can handle. In a distributed denial-of service attack, dozens or even hundreds of computers (known as zombies or bots) are compromised, loaded with Dos attack software, and then remotely activated by the hacker to conduct a coordinated attack. 
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 2-19 IP Spoofing attack Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 2-20 Man-in-the-middle attack Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Technical Hardware Failures or Errors (1 of 2) • They occur when a manufacturer distributes equipment containing a known or unknown flaw. • They can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability. • Some errors are terminal and some are intermittent. • Intel Pentium CPU failure. • Mean time between failure measures the amount of time between hardware failures. 54 | Office | Faculty | Department Technical Software Failures or Errors (2 of 2) • Large quantities of computer code are written, debugged, published, and sold before all bugs are detected and resolved. • Combinations of certain software and hardware can reveal new software bugs. • Entire Web sites are dedicated to documenting bugs. • Open Web Application Security Project (OWASP) is dedicated to helping organizations create/operate trustworthy software and publishes a list of top security risks. 
The Deadly Sins in Software Security (1 of 3)
• Common failures in software development:
  • Buffer overruns
  • Catching exceptions
  • Command injection
  • Cross-site scripting (XSS)
  • Failure to handle errors
  • Failure to protect network traffic
  • Failure to store and protect data securely
  • Failure to use cryptographically strong random numbers
  • Format string problems
  • Neglecting change control

The Deadly Sins in Software Security (2 of 3)
  • Improper file access
  • Improper use of Secure Sockets Layer (SSL)
  • Information leakage
  • Integer bugs (overflows/underflows)
  • Race conditions
  • SQL injection

The Deadly Sins in Software Security (3 of 3)
• Problem areas in software development:
  • Trusting network address resolution
  • Unauthenticated key exchange
  • Use of magic URLs and hidden forms
  • Use of weak password-based systems
  • Poor usability

Technological Obsolescence
• Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems.
• Proper managerial planning should prevent technology obsolescence.
• IT plays a large role.

Theft
• Illegal taking of another’s physical, electronic, or intellectual property.
• Physical theft is controlled relatively easily.
• Electronic theft is a more complex problem; the evidence of crime is not readily apparent.
Summary (1 of 4)
• Information security performs four important functions:
  • Protecting organization’s ability to function
  • Enabling safe operation of applications implemented on organization’s IT systems
  • Protecting data an organization collects and uses
  • Safeguarding the technology assets in use at the organization
• Threats or dangers facing an organization’s people, information, and systems fall into the following categories:
  • Compromises to intellectual property: Intellectual property, such as trade secrets, copyrights, trademarks, or patents, consists of intangible assets that may be attacked via software piracy or the exploitation of asset protection controls.

Summary (2 of 4)
• Deviations in quality of service: Organizations rely on services provided by others. Losses can come from interruptions to those services.
• Espionage or trespass: Asset losses may result when electronic and human activities breach the confidentiality of information.
• Forces of nature: A wide range of natural events can overwhelm control systems and preparations to cause losses to data and availability.
• Human error or failure: Losses to assets may come from intentional or accidental actions by people inside and outside the organization.
• Information extortion: Stolen or inactivated assets may be held hostage to extract payment of ransom.

Summary (3 of 4)
• Sabotage or vandalism: Losses may result from the deliberate sabotage of a computer system or business, or from acts of vandalism. These acts can either destroy an asset or damage the image of an organization.
• Software attacks: Losses may result when attackers use software to gain unauthorized access to systems or cause disruptions in systems availability.
• Technical hardware failures or errors: Technical defects in hardware systems can cause unexpected results, including unreliable service or lack of availability.
• Technical software failures or errors: Software used by systems may have purposeful or unintentional errors that result in failures, which can lead to loss of availability or unauthorized access to information.

Summary (4 of 4)
• Technological obsolescence: Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems that may result in loss of availability or unauthorized access to information.
• Theft: Theft of information can result from a wide variety of attacks.

Week 3 ISYS 326 Information Systems Security

Ethical and Professional Issues in Information Security

Learning Objectives
• Upon completion of this material, you should be able to:
  • Describe the functions of and relationships among laws, regulations, and professional organizations in information security
  • Explain the differences between laws and ethics
  • Identify major national laws that affect the practice of information security
  • Discuss the role of privacy as it applies to law and ethics in information security

Introduction
• You must understand the scope of an organization’s legal and ethical responsibilities.
• To minimize liabilities/reduce risks, the information security practitioner must:
  • Understand the current legal environment
  • Stay current with laws and regulations
  • Watch for new and emerging issues

Law and Ethics in Information Security
• Laws: rules that mandate or prohibit certain behavior and are enforced by the state
• Ethics: regulate and define socially acceptable behavior
• Cultural mores: fixed moral attitudes or customs of a particular group
• Laws carry the authority of a governing authority; ethics do not

Organizational Liability and the Need for Counsel (1 of 2)
• Liability: the legal obligation of an entity extending beyond criminal or contract law; includes the legal obligation to make restitution
• Restitution: the legal obligation to compensate an injured party for wrongs committed
• Due care: the legal standard requiring a prudent organization to act legally and ethically and know the consequences of actions
• Due diligence: the legal standard requiring a prudent organization to maintain the standard of due care and ensure actions are effective

Organizational Liability and the Need for Counsel (2 of 2)
• Jurisdiction: court’s right to hear a case if the wrong was committed in its territory or involved its citizenry
• Long-arm jurisdiction: application of laws to those residing outside a court’s normal jurisdiction; usually granted when a person acts illegally within the jurisdiction and leaves

Policy Versus Law (1 of 2)
• Policies: managerial directives that specify acceptable and unacceptable employee behavior in the workplace
• Policies function as organizational laws; must be crafted and implemented with care to ensure they are complete, appropriate, and fairly applied to everyone
• Difference between policy and law: Ignorance of a policy is an acceptable defense.
Policy Versus Law (2 of 2)
• Criteria for policy enforcement:
  • Dissemination (distribution)
  • Review (reading)
  • Comprehension (understanding)
  • Compliance (agreement)
  • Uniform enforcement

Types of Law
• Constitutional
• Statutory
• Civil
• Tort
• Criminal
• Regulatory or Administrative
• Common, Case, and Precedent
• Private and Public

Relevant U.S. Laws
• The United States has been a leader in the development and implementation of information security legislation.
• Information security legislation contributes to a more reliable business environment and a stable economy.
• The United States has demonstrated understanding of the importance of securing information and has specified penalties for individuals and organizations that breach civil and criminal law.

General Computer Crime Laws (1 of 2)
• Computer Fraud and Abuse Act of 1986 (CFA Act): Cornerstone of many computer-related federal laws and enforcement efforts
• National Information Infrastructure Protection Act of 1996:
  • Modified several sections of the previous act and increased the penalties for selected crimes
  • Severity of the penalties was judged on the value of the information and the purpose:
    • For purposes of commercial advantage
    • For private financial gain
    • In furtherance of a criminal act

General Computer Crime Laws (2 of 2)
• USA PATRIOT Act of 2001: Provides law enforcement agencies with broader latitude in order to combat terrorism-related activities
• USA PATRIOT Improvement and Reauthorization Act: Made permanent 14 of the 16 expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity
• USA FREEDOM Act: inherited select USA PATRIOT functions when the PATRIOT Act expired in 2015
• Computer Security Act of 1987: One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices

Privacy (1 of 2)
• One of the hottest topics in information security
• Right of individuals or groups to protect themselves and personal information from unauthorized access
• Ability to aggregate data from multiple sources allows creation of information databases previously impossible
• The number of statutes addressing an individual’s right to privacy has grown

Privacy (2 of 2)
• U.S. Regulations:
  • Privacy of Customer Information Section of the common carrier regulation
  • Federal Privacy Act of 1974
  • Electronic Communications Privacy Act of 1986
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
  • Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999

Figure 3-2 Information aggregation

Identity Theft (1 of 2)
• It can occur when someone steals a victim’s personally identifiable information (PII) and poses as the victim to conduct actions/make purchases.
• Federal Trade Commission (FTC) oversees efforts to foster coordination, effective prosecution of criminals, and methods to increase victim’s restitution.
• Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information Act (Title 18, U.S.C. § 1028).

Identity Theft (2 of 2)
• If someone suspects identity theft, the FTC recommends:
  • Place an initial fraud alert: Report to one of the three national credit reporting companies and ask for an initial fraud alert on your credit report.
  • Order your credit reports: Filing an initial fraud alert entitles you to a free credit report from each of the three credit reporting companies. Examine the reports for fraud activity.
  • Create an identity theft report: Filing a complaint with the FTC will generate an identity theft affidavit, which can be used to file a police report and create an identity theft report.
  • Monitor your progress: Document all calls, letters, and communications during the process.

Figure 3-3 U.S. Department of Justice report on victims of identity theft in 2012 and 2014
Source: U.S. Federal Trade Commission.

Export and Espionage Laws
• Economic Espionage Act of 1996
• Security and Freedom through Encryption Act of 1999
• The acts include provisions about encryption that:
  • Reinforce the right to use or sell encryption algorithms, without concern of key registration.
  • Prohibit the federal government from requiring the use of encryption.
  • Make the use of encryption not, by itself, probable cause to suspect criminal activity.
  • Relax export restrictions.
  • Provide additional penalties for using encryption in a crime.

U.S. Copyright Law
• Intellectual property was recognized as a protected asset in the United States; copyright law extends to electronic formats.
• With proper acknowledgment, it is permissible to include portions of others’ work as reference.
• U.S. Copyright Office Web site: www.copyright.gov/.
Financial Reporting
• Sarbanes-Oxley Act of 2002
  • Affects the executive management of publicly traded corporations and public accounting firms
  • Seeks to improve the reliability and accuracy of financial reporting and increase the accountability of corporate governance in publicly traded companies
  • Penalties for noncompliance range from fines to jail terms

Freedom of Information Act of 1966 (FOIA)
• Allows access to federal agency records or information not determined to be a matter of national security.
• U.S. government agencies are required to disclose any requested information upon receipt of a written request.
• Some information is protected from disclosure; this act does not apply to state/local government agencies or private businesses/individuals.

Figure 3-5 U.S. government FOIA requests and processing
Source: www.foia.gov.

Payment Card Industry Data Security Standards (PCI DSS)
• PCI Security Standards Council offers a standard of performance with which organizations processing payment cards must comply
• Designed to enhance security of customer’s account data
• Addresses six areas:
  • Build and maintain secure networks/systems
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain information security policy

State and Local Regulations
• Federal computer laws are mainly written specifically for federal information systems; they have little applicability to private organizations.
• Information security professionals are responsible for understanding state regulations and ensuring that the organization is in compliance with regulations.

International Laws and Legal Bodies
• When organizations do business on the Internet, they do business globally.
• Professionals must be sensitive to the laws and ethical values of many different cultures, societies, and countries.
• Because of the political complexities of relationships among nations and differences in culture, few international laws cover privacy and information security.
• These international laws are important but are limited in their enforceability.

U.K. Computer Security Laws
• Computer Misuse Act 1990: Defined three “computer misuse offenses”:
  • Unauthorized access to computer material.
  • Unauthorized access with intent to commit or facilitate commission of further offenses.
  • Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
• Privacy and Electronic Communications (EC Directive) Regulations 2003: Focuses on protection against unwanted or harassing phone, e-mail, and SMS messages
• Police and Justice Act 2006: Updated the Computer Misuse Act, modified the penalties, and created new crimes defined as the “unauthorized acts with intent to impair operation of computer, etc.”

Council of Europe Convention on Cybercrime
• Created international task force to oversee Internet security functions for standardized international technology laws
• Attempts to improve effectiveness of international investigations into breaches of technology law
• Well received by intellectual property rights advocates due to emphasis on copyright infringement prosecution
• Lacks realistic provisions for enforcement

WTO and the Agreement on Trade-Related Aspects of Intellectual Property Rights
• Created by the World Trade Organization (WTO)
• The first significant international effort to protect intellectual property rights; outlines requirements for governmental oversight and legislation providing minimum levels of protection for intellectual property.
• Agreement covers five issues:
  • Application of basic principles of trading system and international intellectual property agreements
  • Giving adequate protection to intellectual property rights
  • Enforcement of those rights by countries within their borders
  • Settling intellectual property disputes between WTO members
  • Transitional arrangements while new system is being introduced

Digital Millennium Copyright Act (DMCA)
• U.S. contribution to international effort to reduce impact of copyright, trademark, and privacy infringement
• A response to European Union Directive 95/46/EC
• Prohibits:
  • Circumvention of protections and countermeasures
  • Manufacture and trafficking of devices used to circumvent such protections
  • Altering information attached or embedded in copyrighted material
• Excludes Internet Service Providers (ISPs) from some copyright infringement liability

Ethics and Information Security
• Many professional disciplines have explicit rules governing the ethical behavior of members.
• IT and InfoSec do not have binding codes of ethics.
• Professional associations and certification agencies work to maintain ethical codes of conduct.
  • Can prescribe ethical conduct
  • Do not always have the ability to ban violators from practice in field

Offline (1 of 2)
The Ten Commandments of Computer Ethics from the Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.

Offline (2 of 2)
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Ethical Differences Across Cultures
• Cultural differences create difficulty in determining what is and is not ethical.
• Difficulties arise when one nationality’s ethical behavior conflicts with the ethics of another national group.
• Scenarios are grouped into:
  • Software license infringement
  • Illicit use
  • Misuse of corporate resources
• Cultures have different views on the scenarios.

Table 3.2 Rates and Commercial Values of Unlicensed PC Software Installations Biennially from 2009 to 2015 Worldwide by Region

Region | Rate of unlicensed installations 2015 | 2013 | 2011 | 2009 | Commercial value of unlicensed software ($M) 2015 | 2013 | 2011 | 2009
------ | ---- | ---- | ---- | ---- | ------- | ------- | ------- | -------
Asia Pacific | 61% | 62% | 60% | 59% | $19,064 | $21,041 | $20,998 | $16,544
Central & Eastern Europe | 58% | 61% | 62% | 64% | $3,136 | $5,318 | $6,133 | $4,673
Latin America | 55% | 59% | 61% | 63% | $5,787 | $8,422 | $7,459 | $6,210
Middle East & Africa | 57% | 59% | 58% | 59% | $3,696 | $4,309 | $4,159 | $2,887
North America | 17% | 19% | 19% | 21% | $10,016 | $10,853 | $10,958 | $9,379
Western Europe | 28% | 29% | 32% | 34% | $10,543 | $12,766 | $13,749 | $11,750
Total Worldwide | 39% | 43% | 42% | 43% | $52,242 | $62,709 | $63,456 | $51,443

Ethics and Education
• Education is the overriding factor in leveling ethical perceptions within a small population.
• Employees must be trained and kept aware of the expected behavior of an ethical employee, as well as many other information security topics.
• Proper ethical training is vital to creating an informed and well-prepared system user.
Deterring Unethical and Illegal Behavior
• Three general causes of unethical and illegal behavior: ignorance, accident, intent
• Deterrence: best method for preventing an illegal or unethical activity; for example, laws, policies, technical controls
• Laws and policies only deter if three conditions are present:
  • Fear of penalty
  • Probability of being apprehended
  • Probability of penalty being applied

Figure 3-6 Deterrents to illegal or unethical behavior

Codes of Ethics of Professional Organizations
• Many professional organizations have established codes of conduct/ethics.
• Codes of ethics can have a positive effect; unfortunately, many employers do not encourage joining these professional organizations.
• Responsibility of security professionals is to act ethically and according to the policies of the employer, the professional organization, and the laws of society.
Table 3-3 Professional Organizations of Interest to Information Security Professionals

Professional Organization | Web Resource Location | Description | Focus
------------------------- | --------------------- | ----------- | -----
Association of Computing Machinery | www.acm.org | Code of 24 imperatives of personal and ethical responsibilities for security professionals | Ethics of security professionals
Information Systems Audit and Control Association | www.isaca.org | Focus on auditing, information security, business process analysis, and IS planning through the CISA and CISM certifications | Tasks and knowledge required of the information systems audit professional
Information Systems Security Association | www.issa.org | Professional association of information systems security professionals; provides education forum, publications, and peer networking for members | Professional security information sharing
International Information Systems Security Certification Consortium (ISC)² | www.isc2.org | International consortium dedicated to improving the quality of security professionals through SSCP and CISSP certifications | Requires certificants to follow its published code of ethics
SANS Institute's Global Information Assurance Certification | www.giac.org | GIAC certifications focus on four security areas: security administration, security management, IT audits, and software security; these areas have standard, gold, and expert levels | Requires certificants to follow its published code of ethics

Major IT and InfoSec Professional Organizations (1 of 5)
• Association of Computing Machinery (ACM)
  • Established in 1947 as “the world’s first educational and scientific computing society.”
  • Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property and copyrights.

Major IT and InfoSec Professional Organizations (2 of 5)
• International Information Systems Security Certification Consortium, Inc. (ISC)²
  • Nonprofit organization focusing on the development and implementation of information security certifications and credentials.
  • Code is primarily designed for the information security professionals who have certification from (ISC)².
  • Code of ethics focuses on four mandatory canons.

Major IT and InfoSec Professional Organizations (3 of 5)
• SANS (originally System Administration, Networking, and Security Institute)
  • Professional organization with a large membership dedicated to the protection of information and systems.
  • SANS offers a set of certifications called Global Information Assurance Certification (GIAC).
Major IT and InfoSec Professional Organizations (4 of 5)
• ISACA (originally Information Systems Audit and Control Association)
  • Professional association with focus on auditing, control, and security
  • Concentrates on providing IT control practices and standards
  • ISACA has a code of ethics for its professionals

Major IT and InfoSec Professional Organizations (5 of 5)
• Information Systems Security Association (ISSA)
  • Nonprofit society of InfoSec professionals
  • Primary mission to bring together qualified IS practitioners for information exchange and educational development
  • Promotes code of ethics similar to (ISC)², ISACA, and ACM

Key U.S. Federal Agencies (1 of 3)
• Department of Homeland Security (DHS)
  • Mission is to protect the citizens as well as the physical and informational assets of the United States.
  • United States Computer Emergency Readiness Team (US-CERT) provides mechanisms to report phishing and malware.
• U.S. Secret Service
  • In addition to protective services, it is charged with safeguarding the nation’s financial infrastructure and payments system to preserve the integrity of the economy.

Key U.S. Federal Agencies (2 of 3)
• Federal Bureau of Investigation
  • Primary law enforcement agency; investigates traditional crimes and cybercrimes
  • Key priorities include computer/network intrusions, identity theft, and fraud
• Federal Bureau of Investigation’s National InfraGard Program
  • Maintains an intrusion alert network
  • Maintains a secure Web site for communication about suspicious activity or intrusions
  • Sponsors local chapter activities
  • Operates a help desk for questions

Key U.S. Federal Agencies (3 of 3)
• National Security Agency (NSA)
  • Is the nation’s cryptologic organization
  • Responsible for signals intelligence and information assurance (security)
  • Information Assurance Directorate (IAD) is responsible for the protection of systems that store, process, and transmit information of high national value

Figure 3-9 U.S. Secret Service Operation Firewall
Source: USSS.

Figure 3-11 FBI Cyber’s Most Wanted list
Source: fbi.gov.

Summary (1 of 3)
• Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics
• Ethics: define socially acceptable behaviors, based on cultural mores (fixed moral attitudes or customs of a particular group)
• Types of law: civil, criminal, private, and public

Summary (2 of 3)
• Relevant U.S. laws:
  • Computer Fraud and Abuse Act of 1986 (CFA Act)
  • National Information Infrastructure Protection Act of 1996
  • USA PATRIOT Act of 2001
  • USA PATRIOT Improvement and Reauthorization Act
  • USA FREEDOM Act of 2015
  • Computer Security Act of 1987
  • Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information Act (Title 18, U.S.C. § 1028)

Summary (3 of 3)
• Many organizations have codes of conduct and/or codes of ethics.
• An organization increases its liability if it refuses to take the measures known as due care.
• Due diligence requires that organizations make a valid effort to protect others and continually maintain that effort.

Why are we doing this?
By completing the activities in this week, you should be able to:
1. Describe the four categories of ethical issues related to information technology.
2. Discuss potential threats to the privacy of personal data stored in different locations and how they may violate the common good.
3. Have practical skills to work with databases.

Essential Question
What are the major areas of ethical and privacy concerns due to the use of information technology?
1. In our career, we often encounter numerous ethical and privacy issues.
2. Many of these will involve IT in some manner.
3. The objective of this chapter is to gain an understanding of these issues and of how to respond to them.
4. It will help us to make contributions to our company’s code of ethics and its privacy policies.
5. You will also be able to provide meaningful input concerning the potential ethical and privacy impacts of your organisation’s information systems on people inside and outside the organisation.

Ethical issues
Ethics: principles of right and wrong that individuals use to make choices that guide their behavior.
Deciding what is right or wrong is not always easy or clear-cut. Fortunately, many frameworks are available to help us make ethical decisions.

General Framework for ethical decision making
• Does this decision damage someone?
• Does this decision involve a choice between a good and a bad alternative?
• Does it go beyond what is legal?
• Identify stakeholders and consult relevant persons / groups
• What are the relevant facts of the situation? Do I know enough to make a decision?
• Evaluate alternative actions under all 4 ethical standards (see Ethical standards)
• Which option best addresses the situation?
• Implement the decision with greatest care
• Evaluate the outcome, reflect on lessons learnt

Ethical standards
Utilitarian approach
• States that an ethical action is the one that provides the most good or does the least harm. This approach would be the one that produces the greatest good and does the least harm for all affected parties – customers, employees, stakeholders, the community and the environment.
Rights approach
• Maintains that an ethical action is the one that best protects and respects the moral rights of the affected parties. Moral rights can include the rights to make one’s choices about what kind of life to lead, to be told the truth, not to be injured and to a degree of privacy. These are the moral rights that people are entitled to.

Ethical standards
Fairness approach
• States that ethical actions treat all humans equally, or if unequally, then fairly, based on some defensible standard. For example, consider the difference between the salaries of employees and that of a CEO in a company. Is it fair? Is it based on a defensible standard? Is it a result of an imbalance of power, and hence unfair?
Common good approach
• Highlights an ethical action that best serves the community as a whole. It is important to the welfare of everyone, not just some members.
• It emphasises the common conditions that are important to the welfare of everyone. These conditions can include a system of laws, effective police, fire department, healthcare, public education and even public recreational areas.
Ethics and information technology
Privacy issues
• Involve collecting, storing, and disseminating information about individuals
• Example: Google Street View
Accuracy issues
• Involve the authenticity, fidelity (degree of correctness), and accuracy of information that is collected and processed
Property issues
• Involve the ownership and value of information
Accessibility issues
• Revolve around who should have access to information and whether they should have to pay for that access

Privacy
Privacy
• The right to be left alone and to be free of unreasonable personal intrusions.
Privacy Law
• The protection of an individual’s personal information that could identify the individual.
• The Privacy Act 1988
  • Regulates the use of personal information
  • Includes 10 NPPs (National Privacy Principles) and 11 IPPs (Information Privacy Principles)
Freedom of information
• The public’s right to access government information

Threats to privacy
Electronic surveillance
• The tracking of people’s activities, online or offline, with the aid of computers
• The Surveillance Devices Bill 2004 regulates the use of surveillance data by law enforcement agencies.
Personal information in databases
• Banks, utility companies, government, and credit reporting agencies
Information on Internet bulletin boards, newsgroups, and social networking sites

Privacy codes and policies
They are an organisation’s guidelines with respect to protecting the privacy of customers, clients, and employees.
Informed consent models:
• Opt-out model: organisations are permitted to collect personal information until the customer specifically requests that the data not be collected
• Opt-in model (preferred by privacy advocates): organisations are prohibited from collecting any personal information unless the customer specifically authorises it

Chapter Summary
This chapter focused on:
• The ethical issues related to information technology
• The potential threats to the privacy of personal data stored in different locations

ISYS 326 Information Systems Security
Week 4: Planning for Security

Learning Objectives
Upon completion of this material, you should be able to:
• Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
• Explain what an information security blueprint is, identify its major components, and explain how it supports the information security program
• Discuss how an organization institutionalizes its policies, standards, and practices using education, training, and awareness programs
• Describe what contingency planning is and how it relates to incident response planning, disaster recovery planning, and business continuity plans

Introduction
• An information security program begins with policies, standards, and practices, which are the foundation for the information security architecture and blueprint.
• Coordinated planning is required to create and maintain these elements.
• Strategic planning covers the management and allocation of resources.
• Contingency planning covers preparation for an uncertain business environment.
Information Security Planning and Governance
• Planning levels help translate the organization’s strategic plans into tactical objectives
• Planning and the CISO
• Information security governance
  • Governance: the set of responsibilities and practices exercised by the board and executive management
  • Goal: to provide strategic direction, establishment of objectives, and measurement of progress toward objectives
  • Also verifies/validates that risk management practices are appropriate and assets are used properly
• Information security governance outcomes: five goals
  • Strategic alignment
  • Risk management
  • Resource management
  • Performance measurement
  • Value delivery

Figure 4-1 Information security governance roles and responsibilities
Source: This information is derived from the Corporate Governance Task Force Report, “Information Security Governance: A Call to Action,” April 2004, National Cyber Security Task Force. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

Information Security Policy, Standards, and Practices
• Management from communities of interest must make policies the basis for all information security planning, design, and deployment.
• Policies direct how issues should be addressed and technologies used.
• Policies should never contradict law, must be able to stand up in court, and must be properly administered.
• Security policies are the least expensive controls to execute but the most difficult to implement properly.

Policy as the Foundation for Planning
• Policy functions as organizational law that dictates acceptable and unacceptable behavior.
• Standards: more detailed statements of what must be done to comply with policy.
• Practices, procedures, and guidelines effectively explain how to comply with policy.
• For a policy to be effective, it must be properly disseminated, read, understood, and agreed to by all members of the organization, and uniformly enforced.

Figure 4-2 Policies, standards, guidelines, and procedures

Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for all security efforts within the organization
• Executive-level document, usually drafted by or with the chief information officer (CIO) of the organization
• Typically addresses compliance in two areas:
  • General compliance to ensure meeting of requirements to establish the program and assigning responsibilities therein to various organizational components
  • Use of specified penalties and disciplinary action
• EISP elements should include:
  • Overview of the corporate security philosophy
  • Information on the structure of the organization and people in information security roles
  • Articulated responsibilities for security shared by all members of the organization
  • Articulated responsibilities for security unique to each role in the organization

Table 4-1 Components of the EISP
Component: Statement of Purpose
Description: Answers the question “What is this policy for?” Provides a framework that helps the reader understand the intent of the document. Can include text such as the following: “This document will: identify the elements of a good security policy; explain the need for information security; specify the various categories of information security; identify the information security responsibilities and roles; identify appropriate levels of security through standards and guidelines. This document establishes an overarching security policy and direction for our company. Individual departments are expected to establish standards, guidelines, and operating procedures that adhere to and reference this policy while addressing their specific and individual needs.”
Component: Information Security Elements
Description: Defines information security. For example: “Protecting the confidentiality, integrity, and availability of information while in processing, transmission, and storage, through the use of policy, education and training, and technology ...” This section can also lay out security definitions or philosophies to clarify the policy.
Component: Need for Information Security
Description: Provides information on the importance of information security in the organization and the legal and ethical obligation to protect critical information about customers, employees, and markets.
Component: Information Security Responsibilities and Roles
Description: Defines the organizational structure designed to support information security within the organization. Identifies categories of people with responsibility for information security (IT department, management, users) and those responsibilities, including maintenance of this document.
Component: Reference to Other Information Standards and Guidelines
Description: Lists other standards that influence this policy document and are influenced by it, perhaps including relevant federal laws, state laws, and other policies.

Issue-Specific Security Policy (ISSP)
• The ISSP:
  • Addresses specific areas of technology
  • Requires frequent updates
  • Contains a statement of the organization’s position on a specific issue
• Three common approaches when creating and managing ISSPs:
  • Create a number of independent ISSP documents
  • Create a single comprehensive ISSP document
  • Create a modular ISSP document
• Components of the policy:
  • Statement of policy
  • Authorized access and usage of equipment
  • Prohibited use of equipment
  • Systems management
  • Violations of policy
  • Policy review and modification
  • Limitations of liability

Table 4-2 Components of the ISSP
• Statement of policy
  ― Scope and applicability
  ― Definition of technology addressed
  ― Responsibilities
• Authorized access and usage of equipment
  ― User access
  ― Fair and responsible use
  ― Protection of privacy
• Prohibited use of equipment
  ― Disruptive use or misuse
  ― Criminal use
  ― Offensive or harassing materials
  ― Copyrighted, licensed, or other intellectual property
  ― Other restrictions
• Systems management
  ― Management of stored materials
  ― Employee monitoring
  ― Virus protection
  ― Physical security
  ― Encryption
• Violations of policy
  ― Procedures for reporting violations
  ― Penalties for violations
• Policy review and modification
  ― Scheduled review of policy and procedures for modification
  ― Legal disclaimers
• Limitations of liability
  ― Statements of liability
  ― Other disclaimers as needed

Systems-Specific Security Policy (SysSP)
• SysSPs often function as standards or procedures used when configuring or maintaining systems.
• SysSPs fall into two groups:
  • Managerial guidance
  • Technical specifications
• Access control lists (ACLs) can restrict access for a particular user, computer, time, duration—even a particular file.
• Configuration rule policies govern how a security system reacts to received data.
• Combination SysSPs combine managerial guidance and technical specifications.

Policy Management
• Policies must be managed as they constantly change.
• To remain viable, security policies must have:
  • A responsible manager
  • A schedule of reviews
  • A method for making recommendations for reviews
  • A policy issuance and revision date
  • Automated policy management

The Information Security Blueprint
• Basis for the design, selection, and implementation of all security policies, education and training programs, and technological controls
• Detailed version of the security framework (outline of the overall information security strategy for the organization)
• Specifies tasks and the order in which they are to be accomplished
• Should also serve as a scalable, upgradeable, and comprehensive plan for the current and future information security needs

The ISO 27000 Series
• One of the most widely referenced security models
• Standard framework for information security that states an organizational security policy is needed to provide management direction and support
• Purpose is to give recommendations for information security management
• Provides a starting point for developing organizational security
• ISO/IEC 27000—Information security management systems; overview and vocabulary
• ISO/IEC 27001—Information technology; security techniques; information security management systems
• ISO/IEC 27002—Code of practice for information security management
• ISO/IEC 27003—Information security management system implementation guidance
• ISO/IEC 27004—Information security management; measurement
• ISO/IEC 27005—Information security risk management
• ISO/IEC 27006—Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27007—Guidelines for information security management systems auditing (focused on the management system)
• ISO/IEC TR 27008—Guidance for auditors on ISMS controls (focused on the information security controls)
• ISO/IEC 27010—Information security management for inter-sector and inter-organizational communications
• ISO/IEC 27011—Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
• ISO/IEC 27013—Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
• ISO/IEC 27014—Information security governance
• ISO/IEC TR 27015—Information security management guidelines for financial services
• ISO/IEC 27017—Code of practice for information security controls based on ISO/IEC 27002 for cloud services
• ISO/IEC 27018—Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• ISO/IEC 27031—Guidelines for information and communication technology readiness for business continuity
• ISO/IEC 27032—Guideline for cybersecurity
• ISO/IEC 27033-1—Network security—Part 1: Overview and concepts
• ISO/IEC 27033-2—Network security—Part 2: Guidelines for the design and implementation of network security
• ISO/IEC 27033-3—Network security—Part 3: Reference networking scenarios; threats, design techniques and control issues
• ISO/IEC 27033-5—Network security—Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
• ISO/IEC 27034-1—Application security—Part 1: Guideline for application security
• ISO/IEC 27035—Information security incident management
• ISO/IEC 27036-3—Information security for supplier relationships—Part 3: Guidelines for information and communication technology supply chain security
• ISO/IEC 27037—Guidelines for identification, collection, acquisition and preservation of digital evidence
• ISO 27799—Information security management in health using ISO/IEC 27002

Figure 4-7 ISO/IEC 27001:2013 major process steps
Source: 27001 Academy: ISO 27001 and ISO 22301 Online Consultation Center

NIST Security Models
• Another possible approach is described in the documents available from the Computer Security Resource Center of NIST:
  • SP 800-12
  • SP 800-14
  • SP 800-18 Rev. 1
  • SP 800-26
  • SP 800-30

NIST Special Publication 800-14
• Security supports the mission of the organization and is an integral element of sound management.
• Security should be cost effective; owners have security responsibilities outside their own organizations.
• Security responsibilities and accountability should be made explicit; security requires a comprehensive and integrated approach.
• Security should be periodically reassessed; security is constrained by societal factors.
• Thirty-three principles for securing systems (see Table 4-5).
NIST Cybersecurity Framework
• Consists of three fundamental components:
  • Framework core: set of information security activities an organization is expected to perform and their desired results
  • Framework tiers: help relate the maturity of security programs and implement corresponding measures and functions
  • Framework profile: used to perform a gap analysis between the current and a desired state of information security/risk management
• Seven-step approach to implementing/improving programs:
  1. Prioritize and scope
  2. Orient
  3. Create current profile
  4. Conduct risk assessment
  5. Create target profile
  6. Determine, analyze, and prioritize gaps
  7. Implement action plan

Other Sources of Security Frameworks
• Computer Emergency Response Team Coordination Center (CERT/CC)
• International Association of Professional Security Consultants

Design of Security Architecture
• Spheres of security: foundation of the security framework
• Levels of controls:
  • Management controls set the direction and scope of the security processes and provide detailed instructions for their conduct.
  • Operational controls address personnel and physical security and the protection of production inputs/outputs.
  • Technical controls are the tactical and technical implementations related to designing and integrating security in the organization.
• Defense in depth
  • Implementation of security in layers
  • Requires that the organization establish multiple layers of security controls and safeguards
• Security perimeter
  • Border of security protecting internal systems from outside threats
  • Does not protect against internal attacks from employee threats or onsite physical threats

Figure 4-8 Spheres of security
Figure 4-9 Defense in depth
Figure 4-10 Security perimeters and domains

Security Education, Training, and Awareness Program
• Once a general security policy exists, implement a security education, training, and awareness (SETA) program.
• SETA is a control measure designed to reduce accidental security breaches.
• The SETA program consists of security education, security training, and security awareness.
• It enhances security by improving awareness, developing skills and knowledge, and building in-depth knowledge.

Security Education
• Everyone in an organization needs to be trained and aware of information security; not every member needs a formal degree or certificate in information security.
• When formal education is deemed appropriate, an employee can investigate courses in continuing education from local institutions of higher learning.
• A number of universities have formal coursework in information security.

Security Training
• Provides members of the organization with detailed information and hands-on instruction to prepare them to perform their duties securely.
• Management of information security can develop customized in-house training or outsource the training program.
• Alternatives to formal training include conferences and programs offered through professional organizations.

Security Awareness
• One of the least frequently implemented but most beneficial programs is the security awareness program.
• It is designed to keep information security at the forefront of users’ minds.
• It need not be complicated or expensive.
• If the program is not actively implemented, employees may begin to neglect security matters, and the risk of employee accidents and failures is likely to increase.

Table 4-6 Comparative Framework of SETA (Source: NIST SP 800-12)
Attribute         | Education                    | Training                        | Awareness
                  | "Why"                        | "How"                           | "What"
Objective         | Understanding                | Skill                           | Exposure
Teaching method   | Theoretical instruction:     | Practical instruction:          | Media:
                  | discussion seminar,          | lecture, case study workshop,   | videos, newsletters,
                  | background reading           | hands-on practice               | posters
Test measure      | Essay (interpret learning)   | Problem solving (apply learning)| True or false, multiple
                  |                              |                                 | choice (identify learning)
Impact timeframe  | Long term                    | Intermediate                    | Short term
Continuity Strategies
• Incident response plans (IRPs), disaster recovery plans (DRPs), and business continuity plans (BCPs)
• Primary functions of the above plans:
  • IRP focuses on immediate response; if the attack escalates or is disastrous, the process changes to DRP and BCP.
  • DRP typically focuses on restoring systems after disasters occur; as such, it is closely associated with BCP.
  • BCP occurs concurrently with DRP when damage is major or ongoing, requiring more than simple restoration of information and information resources.
• Before planning can actually begin, a team has to start the process:
  • Champion: high-level manager to support, promote, and endorse the findings of the project
  • Project manager: leads the project and ensures a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
  • Team members: should be managers, or their representatives, from various communities of interest: business, IT, and information security

Figure 4-12 Components of contingency planning
Figure 4-13 Contingency planning timeline

Contingency Planning (CP) Process
• Includes the following steps:
  1. Develop CP policy statement
  2. Conduct business impact analysis
  3. Identify preventive controls
  4. Create contingency strategies
  5. Develop contingency plan
  6. Ensure plan testing, training, and exercises
  7. Ensure plan maintenance

Figure 4-14 Major steps in contingency planning

The CP Policy
• Should contain the following sections:
  • Introductory statement of philosophical perspective
  • Statement of scope/purpose
  • Call for periodic risk assessment/BIA
  • Specification of CP’s major components
  • Call for/guidance in the selection of recovery options
  • Requirement to test the various plans regularly
  • Identification of key regulations and standards
  • Identification of key people responsible for CP operations
  • Challenge to the organization members for support
  • Administrative information

Business Impact Analysis (BIA)
• Investigation and assessment of various adverse events that can affect the organization
• Assumes security controls have been bypassed, have failed, or have proven ineffective, and the attack has succeeded
• Organization should consider scope, plan, balance, knowledge of objectives, and follow-ups
• Three stages:
  • Determine mission/business processes and recovery criticality
  • Identify recovery priorities for system resources
  • Identify resource requirements

Figure 4-15 RPO, RTO, WRT, and MTD
Source: http://networksandservers.blogspot.com/2011/02/high-availability-terminology-ii.html

Incident Response Planning
• Incident response planning includes identification of, classification of, and response to an incident.
• Attacks are classified as incidents if they:
  • Are directed against information assets
  • Have a realistic chance of success
  • Could threaten the confidentiality, integrity, or availability of information resources
• Incident response is more reactive than proactive, with the exception of the planning that must occur to prepare IR teams to be ready to react to an incident.
• Incident response policy identifies the following key components:
  • Statement of management commitment
  • Purpose/objectives of policy
  • Scope of policy
  • Definition of InfoSec incidents and related terms
  • Organizational structure
  • Prioritization or severity ratings of incidents
  • Performance measures
  • Reporting and contact forms
• Incident planning
  • Predefined responses enable the organization to react quickly and effectively to the detected incident if:
    • The organization has an IR team
    • The organization can detect the incident
  • The IR team consists of the individuals needed to handle systems as the incident takes place
  • Incident response plan: format and content; storage; testing
• Incident detection
  • The most common occurrence is a complaint about technology support, often delivered to the help desk.
  • Careful training is needed to quickly identify and classify an incident.
  • Once an incident is properly identified, the organization can respond.
  • Incident indicators vary.
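The BIA stage above names the recovery criticality of each business process and Figure 4-15 relates the usual recovery terms (RPO, RTO, WRT, MTD). The following is an added example, not code from the slides or the textbook, showing how those figures are checked against one another in practice. It assumes the standard relationship between the terms: a process is recoverable within tolerance only when RTO + WRT does not exceed the MTD, and the worst-case data loss of the backup scheme (one backup interval) must not exceed the RPO. The process names, hours and criticality ranking are constructed sample BIA data.

```python
"""Checking business impact analysis (BIA) recovery objectives.

Added example, not from the lecture slides or textbook. Assumes the standard
relationship between the Figure 4-15 terms: RTO + WRT <= MTD, and the backup
interval (worst-case data loss) <= RPO. All sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    mtd_hours: float              # maximum tolerable downtime
    rto_hours: float              # recovery time objective: systems back up
    wrt_hours: float              # work recovery time: verify data, re-enter lost work
    rpo_hours: float              # recovery point objective: tolerable data loss
    backup_interval_hours: float  # how often data is copied off-site
    criticality: int              # 1 = most critical (assumed ranking scale)


def recovery_window_ok(p: Process) -> bool:
    """Technical recovery plus work recovery must fit inside the MTD."""
    return p.rto_hours + p.wrt_hours <= p.mtd_hours


def data_loss_ok(p: Process) -> bool:
    """Worst-case data loss (one full backup interval) must not exceed the RPO."""
    return p.backup_interval_hours <= p.rpo_hours


def assess(processes):
    """Return (findings per process, recovery order with most critical first)."""
    findings = {}
    for p in processes:
        problems = []
        if not recovery_window_ok(p):
            problems.append(
                f"RTO {p.rto_hours}h + WRT {p.wrt_hours}h exceeds MTD {p.mtd_hours}h")
        if not data_loss_ok(p):
            problems.append(
                f"backup interval {p.backup_interval_hours}h exceeds RPO {p.rpo_hours}h")
        findings[p.name] = problems
    # Recovery priority: criticality rank first, then the tightest MTD.
    order = [p.name for p in sorted(processes, key=lambda p: (p.criticality, p.mtd_hours))]
    return findings, order


# Constructed sample BIA data (hypothetical processes and figures).
SAMPLE_PROCESSES = [
    Process("patient-records", mtd_hours=8, rto_hours=4, wrt_hours=2,
            rpo_hours=1, backup_interval_hours=0.5, criticality=1),
    Process("email", mtd_hours=48, rto_hours=24, wrt_hours=8,
            rpo_hours=24, backup_interval_hours=24, criticality=3),
    Process("billing", mtd_hours=24, rto_hours=20, wrt_hours=8,
            rpo_hours=4, backup_interval_hours=24, criticality=2),
]

if __name__ == "__main__":
    findings, order = assess(SAMPLE_PROCESSES)
    for name in order:
        print(f"{name}: {'OK' if not findings[name] else '; '.join(findings[name])}")
```

In the sample data the billing process fails both checks: its planned recovery takes longer than the business can tolerate, and daily backups cannot satisfy a four-hour RPO. Those are exactly the gaps the BIA's third stage (resource requirements) exists to surface before a contingency strategy is chosen.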
63 | Office | Faculty | Department

Incident Response Planning (5 of 8)
• Incident reaction
  • Consists of the actions that guide the organization to stop the incident, mitigate its impact, and provide information for recovery
  • Actions that must occur quickly:
    • Notification of key personnel
    • Documentation of the incident
  • Incident containment strategies
    • Containment of the incident's scope or impact is the first priority; the organization must then determine which information systems are affected

Incident Response Planning (6 of 8)
  • The organization can stop the incident and attempt to recover control through a number of strategies
• Incident recovery
  • Once the incident has been contained and control of systems regained, the next stage is recovery.
  • The first task is to identify the human resources needed and launch them into action.
  • The full extent of the damage must be assessed.

Incident Response Planning (7 of 8)
  • The organization repairs vulnerabilities, addresses any shortcomings in safeguards, and restores the data and services of the systems.
• Damage assessment
  • Several sources of information on damage can be used, including system logs, intrusion detection logs, configuration logs and documents, documentation from the incident response, and the results of a detailed assessment of systems and data storage.
  • Computer evidence must be carefully collected, documented, and maintained to be usable in formal or informal proceedings.

Incident Response Planning (8 of 8)
  • Individuals who assess damage need special training.
• Automated response
  • New systems can respond to an incident threat autonomously.
  • The downsides of current automated response systems may outweigh the benefits.
  • Legal liabilities of a counterattack
  • Ethical issues

Disaster Recovery Planning
• Disaster recovery planning (DRP) is preparation for and recovery from a disaster.
• The contingency planning team must decide which actions constitute disasters and which constitute incidents.
• When situations are classified as disasters, plans change as to how to respond; action is taken to secure the most valuable assets to preserve value for the longer term.
• DRP strives to reestablish operations at the primary site.

Business Continuity Planning (1 of 3)
• BCP prepares the organization to reestablish or relocate critical business operations during a disaster that affects operations at the primary site.
• If the disaster has rendered the current location unusable, there must be a plan to allow the business to continue functioning.
• Development of the BCP is somewhat simpler than the IRP or DRP.
• It consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into this strategy.

Business Continuity Planning (2 of 3)
• Continuity strategies
  • There are a number of strategies for planning for business continuity.
  • The determining factor in selecting between options is usually cost.
  • In general, there are three exclusive options: hot sites, warm sites, and cold sites.
  • There are three shared functions: time-share, service bureaus, and mutual agreements.

Business Continuity Planning (3 of 3)
• Off-site disaster data storage
  • To get sites up and running quickly, an organization must have the ability to move data into the new site's systems.
  • Options for getting operations up and running include:
    • Electronic vaulting
    • Remote journaling
    • Database shadowing

Crisis Management (1 of 3)
• Actions taken in response to an emergency should minimize injury/loss of life, preserve the organization's image/market share, and complement the disaster recovery/business continuity processes.
• What may truly distinguish an incident from a disaster are the actions of the response teams.
• Disaster recovery personnel must know their roles without any supporting documentation.
  • Preparation
  • Training
  • Rehearsal

Crisis Management (2 of 3)
• The crisis management team is responsible for managing the event from an enterprise perspective and covers:
  • Supporting personnel and families during the crisis
  • Determining the impact on normal business operations and, if necessary, making a disaster declaration
  • Keeping the public informed
  • Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties

Crisis Management (3 of 3)
• Key areas of crisis management also include:
  • Verifying personnel head count
  • Checking the alert roster
  • Checking emergency information cards

The Consolidated Contingency Plan
• Single document set approach combines all aspects of...
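The damage assessment slide says computer evidence must be collected, documented and maintained so that it stays usable in formal or informal proceedings. The following Python is an added example, not part of the attached slides or of the student's report, of one way to do that for collected log files: each artefact is hashed with SHA-256, the list of hashes is bound to the collector and collection time with an HMAC under a key held by the evidence custodian, and a later verification distinguishes three cases: an untouched set, an artefact edited after collection, and a manifest an attacker re-hashed to hide that edit. The file names, log lines and custodian key are constructed for the demonstration.

```python
# Added example (not from the slides or the student's report): integrity record
# for evidence collected during damage assessment. File names, log lines and the
# custodian key below are constructed for the demonstration.
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large artefacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(record):
    # Canonical JSON so the MAC always covers exactly one byte sequence.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def collect(paths, collector, custodian_key):
    """Hash every artefact and bind the list to collector and time with an HMAC."""
    entries = [
        {"path": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
        for p in sorted(paths)
    ]
    record = {
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }
    tag = hmac.new(custodian_key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "hmac": tag}


def verify(manifest, directory, custodian_key):
    """Return (manifest_authentic, [artefacts whose current hash differs from the manifest]).

    A manifest whose MAC fails is rejected outright: someone who edits an artefact and
    re-hashes it still cannot produce a valid MAC without the custodian key."""
    expected = hmac.new(custodian_key, _canonical(manifest["record"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, []
    changed = []
    for e in manifest["record"]["entries"]:
        p = os.path.join(directory, e["path"])
        if not os.path.isfile(p) or sha256_file(p) != e["sha256"]:
            changed.append(e["path"])
    return True, changed


def demo():
    """Collect two constructed log files, then show what later verifications report."""
    key = b"constructed-custodian-key"  # in practice kept by the custodian, not on the examined host
    workdir = tempfile.mkdtemp()
    samples = {  # constructed sample artefacts
        "auth.log": b"Mar 12 03:14:07 host sshd[812]: Failed password for root from 203.0.113.5 port 51022 ssh2\n",
        "ids_alert.log": b"2024-03-12T03:14:09Z alert: suspicious SMB traffic from 203.0.113.5\n",
    }
    for name, data in samples.items():
        with open(os.path.join(workdir, name), "wb") as f:
            f.write(data)
    manifest = collect([os.path.join(workdir, n) for n in samples], "analyst-1", key)

    untouched = verify(manifest, workdir, key)  # (True, [])

    with open(os.path.join(workdir, "auth.log"), "ab") as f:  # edit after collection
        f.write(b"Mar 12 03:20:00 host sshd[812]: tampered line\n")
    after_edit = verify(manifest, workdir, key)  # (True, ["auth.log"])

    forged = json.loads(json.dumps(manifest))  # attacker re-hashes the edited file
    forged["record"]["entries"][0]["sha256"] = sha256_file(os.path.join(workdir, "auth.log"))
    forged_result = verify(forged, workdir, key)  # (False, [])

    return {"untouched": untouched, "after_edit": after_edit, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC is what turns a list of hashes into a custody record: hashes alone let anyone who edits a file update the list to match, whereas the keyed tag ties the list to whoever held the custodian key at collection time. In a real investigation the manifest would be stored separately from the artefacts (write-once media or a signed ticket), and each hand-over would add a new signed entry rather than editing this one.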

Explanation & Answer

Please find attached. Feel free to ask for clarifications. Thank you.

Outline

Introduction
Body
Conclusion
References


WannaCry Ransomware Attack on NHS Systems in England 1

A REFLECTIVE REPORT ON DATA SECURITY: A CASE OF WANNACRY
RANSOMWARE ATTACK ON NHS SYSTEMS IN ENGLAND

Student’s Name

Course’s Name
Professor’s Name
City (State)
Date

WannaCry Ransomware Attack on NHS Systems in England
The concept of information or data security has in the recent past been a major
concern for most organizations and individuals all over the world (Kim and Solomon 2016). Businesses
and individuals are on a daily basis incorporating information technology principles
in running their operations (Kim and Solomon 2016). This report will thus give a
reflection on the recently launched attack that hit 150 countries across the globe. In this context,
we will focus on the ransomware attack that particularly hit the National Health Service in England.
The intention of the report is to explore the flaws that exist in an information infrastructure and
the associated vulnerabilities.
The main issue that led to the attac...
