Keri Pearlson, Carol Saunders,
and Dennis Galletta
© Copyright 2016
John Wiley & Sons, Inc.
Managing and Using Information Systems:
A Strategic Approach – Sixth Edition
Chapter 7
Security
Opening Case
What are some important lessons from the opening case?
How long did the theft take? How did the theft likely occur?
How long did it take Office of Personnel Management (OPM) to detect the theft?
How damaging are the early reports of the data theft for the OPM?
© 2016 John Wiley & Sons, Inc.
The hackers did not carry out a dramatic and quick theft; they had a year to steal the records at their leisure.
The theft took place over a year, and the hackers stole a password.
It took many months for OPM to detect the theft.
Early reports say that at least 4 million, and as many as 14 million records were stolen. Each record contained 127-page security clearances that include sensitive medical, personal, and relationship information.
How Long Does it Take?
How long do you think it usually takes for someone to discover a security compromise in a system after the evidence shows up?
Several seconds
Several minutes
Several hours
Several days
Several months
A Mandiant study revealed that the median for 2014 was 205 days! That’s almost 7 months!
The record is 2,982 days, which is 11 years!
Timeline of a Breach – Fantasy
Hollywood has a fairly consistent script:
Minute 0: Crooks get password and locate the file
Minute 1: Crooks start downloading data and destroying the original
Minute 2: Officials sense the breach
Minute 3: Officials try to block the breach
Minute 4: Crooks’ download completes
Minute 5: Officials lose all data
Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg
Timeline of a Breach – Reality
Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg
IT Security Decision Framework
Decision | Who is responsible | Why? | Otherwise?
Information security strategy | Business leaders | They know the business strategies | Security is an afterthought and patched on
Information security infrastructure | IT leaders | Technical knowledge is needed | Incorrect infrastructure decisions
Information security policy | Shared: IT and business leaders | Trade-offs need to be handled correctly | Unenforceable policies that fit neither the IT nor the users
SETA (training) | Shared: IT and business leaders | Business buy-in and technical correctness | Insufficient training; errors
Information security investments | Shared: IT and business leaders | Evaluation of business goals and technical requirements | Over- or under-investment in security
How Have Big Breaches Occurred?
Date detected | Company | What was stolen | How
November 2013 | Target | 40 million credit and debit cards | Contractor opened a virus-laden email attachment
May 2014 | eBay #1 | 145 million user names, physical addresses, phone numbers, birthdays, encrypted passwords | Employee's password obtained
September 2014 | eBay #2 | Small but unknown | Cross-site scripting
September 2014 | Home Depot | 56 million credit card numbers; 53 million email addresses | Obtaining a vendor's password / exploiting an OS vulnerability
January 2015 | Anthem Blue Cross | 80 million names, birthdays, emails, Social Security numbers, addresses, and employment data | Obtaining passwords from 5 or more high-level employees
Password Breaches
80% of breaches are caused by stealing a password.
You can steal a password by:
Phishing attack
Key logger (hardware or software)
Guessing weak passwords (123456 is most common)
Evil twin wifi
Insecurity of WiFi – a Dutch study
“We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.”
Had WiFi transmitter broadcasting “Starbucks” as ID
Because they were connected to him, he scanned for unpatched or vulnerable mobile devices or laptops
He also saw passwords and could lock them out of their own accounts.
The correspondent: “I will never again be connecting to an insecure public WiFi network without taking security measures.”
Other Approaches
Cross-site scripting (malicious code pointing to a link requiring log-in at an imposter site)
Third parties
Target’s HVAC system was connected to main systems
Contractors had access
Hackers gained contractors’ password
Malware captured customer credit card info before it could be encrypted
Cost of Breaches
Estimated at $145 to $154 per stolen record
Revenue lost when sales decline
Some costs can be recouped by insurance
Can You be Safe?
No, unless the information is permanently inaccessible
“You cannot make a computer secure” – from Dain Gary, former CERT chief
97% of all firms have been breached
Sometimes security makes systems less usable
What Motivates the Hackers?
Sell stolen credit card numbers for up to $50 each
2 million Target card numbers were sold for $20 each on average
Street gang members can usually get $400 out of a card
Some “kits” (card number plus SSN plus medical information) sell for up to $1,000
They allow opening new account cards
Stolen cards can be sold for bitcoin on the Deep Web
What Should Management Do?
Security strategy
Infrastructure
Access tools *
Storage and transmission tools *
Security policies *
Training *
Investments
* Described next
Access Tools
Access tool | Ubiquity | Advantages | Disadvantages
Physical locks | Very high | Excellent if guarded | Locks can be picked; physical access is often not needed; keys can be lost
Passwords | Very high | User acceptance and familiarity; ease of use; mature practices | Poor by themselves; sometimes forgotten; sometimes stolen from users using deception or key loggers
Biometrics | Medium | Can be reliable; never forgotten; cannot be stolen; can be inexpensive | False positives/negatives; some are expensive; some might change (e.g., voice); lost limbs; loopholes (e.g., photo)
Access Tools (continued)
Access tool | Ubiquity | Advantages | Disadvantages
Challenge questions | Medium (high in banking) | Not forgotten; a multitude of questions can be used | Social networking might reveal some answers; personal knowledge of an individual might reveal the answers; spelling might not be consistent
Token | Low | Stolen passkey is useless quickly | Requires carrying a device
Text message | Medium | Stolen passkey is useless; mobile phone already owned by users; useful as a secondary mechanism too | Requires mobile phone ownership by all users; home phone option requires speech synthesis; requires alternative access control if the mobile phone is lost
Multi-factor authentication | Medium | Stolen password is useless; enhanced security | Requires an additional technique if one of the two fails; temptation to choose an easy password
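The Token and Multi-factor authentication rows say a stolen passkey is "useless quickly". The Python below, added here as an illustration and not taken from the textbook, shows the mechanism behind that claim: a time-based one-time password (RFC 4226 HOTP under RFC 6238 TOTP) plus a verifier that accepts a code only for the current 30-second step, tolerates one step of clock skew, and never accepts the same step twice. The secret is the RFCs' published test secret, so the values are checkable; the names TotpVerifier and demo are this example's own.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side. A code is valid for its own step plus `skew` steps either
    way, and a step is never accepted twice, so a code seen by a keylogger or a
    shoulder-surfer stops working within about a minute and cannot be replayed
    even inside that window."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_accepted_counter = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_accepted_counter:
                continue                                     # already used: replay protection
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


def demo():
    # RFC test secret; a real deployment generates a random secret per user.
    secret = b"12345678901234567890"
    verifier = TotpVerifier(secret)
    captured = totp(secret, 59)                 # the code the user typed at t=59, as an observer would see it
    first = verifier.verify(captured, now=59)   # legitimate use: accepted
    replay = verifier.verify(captured, now=70)  # same code again inside the window: rejected
    late = verifier.verify(captured, now=200)   # same code four steps later: rejected
    return first, replay, late


if __name__ == "__main__":
    print("demo (first, replay, late):", demo())
    print("current code for the test secret:", totp(b"12345678901234567890", int(time.time())))
```

The "temptation for easy password" disadvantage is visible in the design: the verifier checks only the second factor, so the password check it sits behind must remain as strong as it would be on its own.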
Storage and Transmission Tools
Tool | Ubiquity | Advantages | Disadvantages
Antivirus/antispyware | Very high | Blocks many known threats; blocks some "zero-day" threats | Slows down the operating system; "zero-day" threats can be missed
Firewall | High | Can prevent some targeted traffic | Can only filter known threats; can have well-known "holes"
System logs | Very high | Can reveal the IP address of the attacker; can estimate the extent of the breach | Hackers can conceal their IP address; hackers can delete logs; logs can be huge; irregular inspections
System alerts | High | Can help point to logs; can detect an attack in progress; high sensitivity | Low selectivity
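The System logs and System alerts rows make two points worth seeing in code: logs can reveal the attacker's address and the extent of the breach but are huge and inspected irregularly, and alerts trade sensitivity for selectivity. As an added example (not from the textbook), the Python below parses a constructed sshd-style log, flags a source address that accumulates several failed logins in a short window, and lists the accounts that address then logged into. Lowering the threshold shows the selectivity problem, since a single mistyped password also becomes an alert. The hostname, users, addresses and the assumed year are made up; the addresses come from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH/syslog style; not taken from any real system.
SAMPLE_LOG = """\
Mar 12 02:14:01 hr-db sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 52011 ssh2
Mar 12 02:14:03 hr-db sshd[4012]: Failed password for invalid user test from 203.0.113.7 port 52012 ssh2
Mar 12 02:14:05 hr-db sshd[4013]: Failed password for root from 203.0.113.7 port 52013 ssh2
Mar 12 02:14:07 hr-db sshd[4014]: Failed password for jsmith from 203.0.113.7 port 52014 ssh2
Mar 12 02:14:09 hr-db sshd[4015]: Failed password for jsmith from 203.0.113.7 port 52015 ssh2
Mar 12 02:14:11 hr-db sshd[4016]: Accepted password for jsmith from 203.0.113.7 port 52016 ssh2
Mar 12 08:30:22 hr-db sshd[4200]: Failed password for jsmith from 198.51.100.4 port 61000 ssh2
Mar 12 08:30:40 hr-db sshd[4201]: Accepted password for jsmith from 198.51.100.4 port 61001 ssh2
Mar 12 09:01:10 hr-db sshd[4300]: Accepted publickey for backup from 192.0.2.9 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text: str, year: int = 2016) -> list:
    """Return (timestamp, result, user, ip) tuples in time order.
    Syslog lines carry no year, so one is assumed (2016 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue                                  # not an sshd authentication line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)


def detect_brute_force(events, threshold: int = 3, window=timedelta(minutes=5)) -> dict:
    """Flag any source IP with `threshold` failed logins inside `window`, and
    report which accounts that IP logged into afterwards (the extent)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        failures = [ts for ts, result, _, _ in evs if result == "Failed"]
        alert_at = None
        for i in range(len(failures) - threshold + 1):   # sliding window over failures
            if failures[i + threshold - 1] - failures[i] <= window:
                alert_at = failures[i + threshold - 1]
                break
        if alert_at is None:
            continue
        accessed = sorted({u for ts, r, u, _ in evs if r == "Accepted" and ts >= alert_at})
        findings[ip] = {
            "failures": len(failures),
            "first_failure": failures[0],
            "alert_at": alert_at,
            "accounts_accessed": accessed,
        }
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for ip, f in detect_brute_force(events).items():
        print(f"{ip}: {f['failures']} failures, alert at {f['alert_at']}, "
              f"accounts accessed afterwards: {f['accounts_accessed']}")
    # Sensitivity vs selectivity: threshold=1 also flags the user who mistyped once.
    print("alerts at threshold=1:", sorted(detect_brute_force(events, threshold=1)))
```

With the default threshold only 203.0.113.7 is reported, together with the account it reached; at threshold 1 the 08:30 mistype from 198.51.100.4 is reported too, which is the "high sensitivity, low selectivity" trade-off the slide names.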
Storage and Transmission Tools (continued)
Tool | Ubiquity | Advantages | Disadvantages
Encryption | Very high | Difficult to access a file without the key; long keys could take years to break | Keys are unnecessary if the password is known; if the key is not strong, hackers could uncover it by trial and error
WEP/WPA | Very high | Same as encryption; most devices have the capability; provides a secure wifi connection | Same as encryption; some older devices have limited protections; WEP is not secure, yet it is still provided
VPN | Medium | Trusted connection, as if you were connected on site; hard to decrypt | Device could be stolen while connected; sometimes slows the connection
Security Policies
Perform security updates promptly
Separate unrelated networks
Keep passwords secret
Manage mobile devices (BYOD)
Formulate data policies (retention and disposal)
Manage social media (rules as to what can be shared, how to identify yourself)
Use consultants (Managed Security Services Providers)
SETA (Security Education, Training, and Awareness)
Training on access tools
Limitations of passwords
Formulating a password
Changing passwords periodically
Using multi-factor authentication
Using password managers
SETA (Security Education, Training, and Awareness)
BYOD
Rules
How to follow them
Social Media
Rules
How to follow them
Cases from the past that created problems
SETA (Security Education, Training, and Awareness)
Vigilance: recognizing
Bogus warning messages
Phishing emails
Physical intrusions
Ports and access channels to examine
Classic Signs of Phishing
Account is being closed
Email in-box is full
Winning a contest or lottery
Inheritance or commission to handle funds
Product delivery failed
Odd URL when hovering
Familiar name but strange email address
Poor grammar/spelling
Impossibly low prices
Attachment with EXE, ZIP, or BAT (etc.)
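Several of the signs above are structural and can be checked mechanically: a familiar name on a strange address, link text that names one host while the link goes to another, classic lure phrases, and executable or archive attachments. The Python below is an added example, not from the textbook, that scores a message on those four; grammar and price plausibility are left to the reader. The KNOWN_SENDERS directory, the domains and both sample messages are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed directory of senders users recognise by name, with the domain
# their mail is expected to come from (hypothetical values).
KNOWN_SENDERS = {
    "acme bank": "acmebank.example",
    "it help desk": "corp.example",
}

# Lure phrases corresponding to the slide's list of classic signs.
LURE_PHRASES = {
    "account is being closed": "account-closure lure",
    "account will be closed": "account-closure lure",
    "inbox is full": "full in-box lure",
    "in-box is full": "full in-box lure",
    "mailbox is full": "full in-box lure",
    "you have won": "contest/lottery lure",
    "lottery": "contest/lottery lure",
    "inheritance": "inheritance/commission lure",
    "commission to": "inheritance/commission lure",
    "delivery failed": "failed-delivery lure",
    "could not be delivered": "failed-delivery lure",
}

# The slide lists EXE, ZIP and BAT "(etc.)"; .scr and .cmd are added here.
RISKY_EXTENSIONS = {".exe", ".zip", ".bat", ".scr", ".cmd"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
TAG_RE = re.compile(r"<[^>]+>")


@dataclass
class Message:
    from_name: str
    from_addr: str
    subject: str
    body_html: str
    attachments: list = field(default_factory=list)


def same_site(shown: str, actual: str) -> bool:
    """True when the host the user sees is the real host or one of its parents,
    so www.acmebank.example still passes for acmebank.example."""
    shown, actual = shown.lower(), actual.lower()
    return actual == shown or actual.endswith("." + shown)


def phishing_indicators(msg: Message) -> list:
    hits = []
    # Familiar name but strange email address
    expected = KNOWN_SENDERS.get(msg.from_name.strip().lower())
    addr_domain = msg.from_addr.rsplit("@", 1)[-1]
    if expected and not same_site(expected, addr_domain):
        hits.append(f"sender '{msg.from_name}' but address domain is {addr_domain}")
    # Odd URL when hovering: the link text names one host, the href another
    for href, text in ANCHOR_RE.findall(msg.body_html):
        actual = urlparse(href).hostname or ""
        for shown in HOSTNAME_RE.findall(TAG_RE.sub("", text)):
            if not same_site(shown, actual):
                hits.append(f"link text shows {shown} but points to {actual}")
    # Classic lure phrases in the subject or body (one hit per lure type)
    plain = TAG_RE.sub(" ", msg.subject + " " + msg.body_html).lower()
    seen = set()
    for phrase, label in LURE_PHRASES.items():
        if phrase in plain and label not in seen:
            seen.add(label)
            hits.append(f"{label} ('{phrase}')")
    # Executable or archive attachments, including double extensions
    for name in msg.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            hits.append(f"risky attachment {name}")
    return hits


# Constructed samples: one phishing message, one legitimate one.
PHISH = Message(
    from_name="Acme Bank",
    from_addr="security@acmebank-verify.example",
    subject="Urgent: your account is being closed",
    body_html='Please confirm your details at <a href="http://acmebank.example.attacker-host.example/login">'
              'acmebank.example</a> within 24 hours.',
    attachments=["statement.pdf.exe"],
)
LEGIT = Message(
    from_name="Acme Bank",
    from_addr="alerts@acmebank.example",
    subject="Your monthly statement is ready",
    body_html='View it at <a href="https://www.acmebank.example/statements">www.acmebank.example</a>.',
    attachments=["statement-2016-03.pdf"],
)

if __name__ == "__main__":
    for label, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(msg))
```

The phishing sample triggers all four checks and the legitimate one none. In practice a list like this feeds a user-facing warning banner or a mail-gateway score rather than a hard block, since the lure-phrase check in particular will fire on some ordinary mail.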