Transcript Lecture notes

Management of information
systems - security challenges
MBA 501
WEEK 7
This week: continuing our look at
management issues
• Last week we looked at the operational issue
of outsourcing
• This week we will look at another operational
issue – that of managing security
• Both of these areas reflect the change in focus
of the IS function
– From managing inwards, to managing outwards
• WHY? WHAT HAS HAPPENED?
Why is security an important
management issue?
• Information is a key business asset
– It needs to be accessible to all who need it
– It needs to be protected
• Managers need to develop and implement an overall
strategy for security
• Managers need to understand the threats
• Managers need to understand specific techniques for
protecting systems
• Particularly important as organizations move into
eBusiness and open up
• Goal is to reduce business risk to an acceptable level
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
Management issues re security
– Business consequences of poor security can
be very serious
•
damage to IT infrastructure through threats and
attacks from outside
• loss of data, exposure of customer’s private
information, loss of profits, loss of opportunity,
damaged reputation
– Consumer impacts (credit cards exposed, viruses, malware,
spyware etc)
•
“Chill” effect on eBusiness – both buy side and sell
side (B2C)
– Security issues have high profile in the media
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
Identifying and managing risk
• Airtight security is not possible
• Risks must be identified and prioritized (in
terms of the business context)
• Then resources must be put into guarding
against the most serious threats
– What does “serious mean”? – most likely to
happen / greatest business impact?
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
Key security issues for both customers and
managers
• Organizations must guard their own data, and
their customer’s data and create a secure and
predictable environment for commercial
exchange - they must create TRUST
• Basic pillars of security : ‘PAIN’
– Privacy (and confidentiality)
– Authentication and Authorization (Identification)
– Integrity
– Non-repudiation
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
PAIN: Privacy
and Confidentiality
• One of the major concerns that customers have
about eBusiness – Internet is a public space
• Firms need to ensure that information that is
private or sensitive is kept secure and not used for
any purpose other than that agreed to
–
–
–
–
credit card numbers
trade secrets / proprietary information
business plans
health records etc
• Confidentiality during transactions is usually
ensured by encryption
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
PAIN: Authentication
• When someone submits something to your website, how
can you be sure that they are who they claim to be. eg.
– using credit cards
– making a contract or application
– registering for an email newsletter
• Authentication is the process by which one entity verifies
that another entity is who they claim to be
• Authentication requires evidence in the form of
credentials: :
– “something you have” plus “something you know” plus something
you are (biometrics) eg.
•
•
•
•
username and password
Two-factor authentication (Gmail example)
credit card - match exact billing name and address
digital signatures and digital certificates
PAIN: Authorization
• Once a person has been authenticated, we need to be
satisfied that she is authorized to access or do certain
things on our site
• Does the person (or program) have the right to access
particular data, programs, or system resources
(particularly important when protecting a server from
hackers)
• Authorization is usually determined by comparing
information about the person or program with access
control information associated with the resource being
accessed (permissions)
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
PAIN: Integrity
• Integrity is the ability to prevent data from
being altered or destroyed in an unauthorized
or accidental manner
– This could include hacking to deface a website
– Altering data held on your website or database
– Intercepting data
• The parties to a transaction must be assured
that all data and documents connected with it
cannot be altered without detection
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
PAIN: Non-repudiation
• The ability to ensure that neither side in a transaction
can later claim that they for instance
– didn’t order something using a credit card
– or didn’t accept an order or offer for something
• Non-repudiation ensures that neither side can back
out of a transaction by claiming it never took place
– Particular problem with credit cards
• Verified by Visa
• Non-repudiation is also achieved by using digital
signatures that make it difficult to claim that you
weren’t involved in an exchange
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
Security for e-payments and other
transactions: encryption
• The cornerstone for secure online payments and
other transactions is encryption
• Messages moving across the network can be
encrypted or scrambled in such as way that it is too
difficult, expensive or time consuming for an
unauthorized person to unscramble it
• The protocol that ensures this is SSL/TLS (Transport
Layer Security) – an explanation from Google
• Simple explanation of digital encryption using
toolbox and key example
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
Management problem?
• “Airtight security is not possible because companies
have to allow on-line commerce. They have to make
trade-offs between absolute information security
and efficient flow of information.”
McNurlin + Sprague
• The management challenge is that of finding the balance
• What is the reality of the threat?
– What do you think are the most serious and high risk threats to
business?
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
All threats are not equal for all
organizations
• “..the key components for managing a security
program are the likelihood and the likely
impact of an attack.”
• CSI Computer Crime and Security Survey
What are companies worried about? Canadian Cyber
Crime research (2013) from International Cyber
Security Protection Alliance
https://www.icspa.org/fileadmin/user_upload/Downloads/ICSPA_Canada_Cyber_Crime_Study_May_2013.pdf
What is the extent of the problem?
• Half the respondents to
the CSI survey didn’t
experience a security
incident over the course
of the year – but that
doesn’t mean that they
weren’t threatened
• 2010 CSI Computer Crime and Security Survey
•
2010 CSI Computer Crime and Security Survey
•
2010 CSI Computer Crime and Security Survey
Types of direct threats and attacks: Risks to
infrastructure (particularly eBusiness)
– Distributed Denial of Service attacks (DoS)
• Wikileaks (2010)
• 4Chan attacks on Anti-Piracy Websites (2011)
– Hacking – web site defacement
• New York Times – 1998
– DNS Highjack
• Twitter - 2009
– Malicious code: viruses, worms, trojans etc
• Skype’s network frozen by a trojan horse attack in 2007
• Stuxnet – attacks on nuclear facilities and other
industrial targets
Types of threats and attacks: Attacks
on data
– Intercepted transmissions (eavesdropping /
sniffing)
– Attacks related to insecure passwords - are
“strong” passwords and frequent changes the
answer?
– social engineering (and how to protect against
it)
– Phishing
A new source of threat: BYOD
• Security lax on the part of employees (not
even a lock screen is common)
• Sensitive work files stored on personal devices
• Devices on the corporate network without IT
knowledge
• Fragmentation of operating system / support
cost increases
• Phone number as piece of branding /
customer connection (what happens when
employee leaves?)
BYOD Policy: security,
confidentiality and privacy
• 69 % of companies permit some form of BYOD
• 70 % have no policy to manage the practice
• While 26 % of those with no policy plan to have one
in place within one year, 44 % said they have no
plans to enact one at all.
– IDC Canada Survey 2012
• Software is being developed to create
separate “spaces” on phones for work and
personal use eg Blackberry Balance
Creating a Security Policy
(including BYOD)
• The CSI Survey identified that a very small
percentage of those surveyed did not have
some kind of information security policy
• The policy is aimed at both educating
employees and managing (and balancing) the
“people risks” we have identified
• What should it address, and why?
Control strategies for managers to
ensure the integrity of an IS
•
•
•
•
Containment
Deterrence
Obfuscation
Recovery
• Firms must balance these strategies to suit
their business requirements
Containment
• Make the target look as unattractive as
possible
– Heavily encrypted data is less attractive
• Focus on controlling access to data resources
by erecting barriers
– Expensive and requires constant vigilance to keep
ahead of attackers
• Physically remove the target system from
threats
– Isolating systems from the network
– Distributing data across an organization or geographic area
Deterrence
• Need to understand and anticipate the
motives of those who would breach security
– Use of threats of prosecution and dismissal (internal), and well
publicized barriers
• Monitoring patterns of data usage or access to
resources
• Implementation of defenses or
countermeasures
Obfuscation
• Involves hiding and/or distributing assets so that any
damage caused can be limited
• Often entails monitoring of all an organization’s
activities, not just those where security threats are
perceived (a broader strategy than containment or
deterrence)
• Needs good overview and frequent auditing of
hardware, software and network resources
– Eg. to identify illegal software loaded onto employees
machines
Recovery
• Assumes security breach will occur, and puts
in place an action plan and strategy for
business recovery
• Requires extensive organizational planning
• Backup systems, redundant systems needed
(often outsourced)
• Emergency planning and recovery in place
Two questions to consider
1. Reporting a cybercrime occurs less than 50%
of the time. Why is this? Is this a good thing
or not? What might you do to encourage a
higher percentage of companies to make
formal reports?
2. What is your view about the assertion that
"Security is as much a human problem as a
technical problem?"