Principles and Practice of Information Security


Principles and Practice of Information Security
Protecting Computers From Hackers and Lawyers
Linda Volonino
Stephen R. Robinson
Part I: Digital Liabilities and Risk Management
• Chapter 1: Security in a Globally Connected Economy
• Chapter 2: Sources of Digital Liability
• Chapter 3: Threats, Vulnerabilities, and Risk Exposure
• Chapter 4: An Affirmative Model of Defense: Digital Liability Management
• Chapter 5: Models for Estimating Risk and Optimizing the Return on Security Investment
7/17/2015
2
Preface
• With the emergence of the Department of Homeland Security (2002) and the National Strategy to Secure Cyberspace (2003) there is growing demand for information security professionals
• Security begins with firewalls, antivirus software, access control, and encryption
• For organizations to build effective information security programs they must ask what is at risk, what needs to be protected, and what the consequences of failure are
Preface (2)
• This text intends to provide students and professionals with the managerial, technical, and legal background needed to allocate security resources more effectively
• Networks can never be 100% secure, and organizations cannot afford investment mistakes
• The text is intended to be a well-rounded reference on hacker and virus exploits; attacks against e-commerce and online operations; and the vulnerabilities of wireless technology, social engineering, and electronic fraud
• The book also discusses the PATRIOT Act and HIPAA
Chapter 1: Security in a Globally Connected Economy
• Security is defined as the policies, practices, and technology that must be in place for an organization to transact business electronically via networks with a reasonable assurance of safety
• This assurance applies to all online activities, transmissions, and storage
• It also applies to business partners, customers, regulators, insurers, or others who might be at risk in the event of a breach of that company's security
Glossary
• Let's look at the glossary beginning on page 192.
• Look up "security" and read it, then go to the next slide
Gray Box on pg 2
• Hacking is unauthorized access, or access in excess
of authority, to a computer network or information
system for profit, criminal activity, or other personal
gain.
• Go to the glossary and look up hacking
• While we are in the glossary, let's look up:
• Virus
• Worm and worm virus (see Nimda)
• Trojan horse
• Logic bomb and time bomb
• Review input, process, and output crimes
@Lert
• Page 2: what does our author mean by these @Lerts?
• Look back to the preface: these are brief tips, facts, and warnings in an easy-to-recall format
• What does this one on page 2 mean?
– There are no small security or policy breaches – only ones that are caught early
Applying Conventional Principles to the Cyber World
• Placing the word cyber in front of a threat
does not make it something new
• What we usually have is old types of crimes
using a new medium
• Does this remind you of earlier
conversations this semester? What were
they?
More on Conventional Principles in the Cyber World
• If we are dealing with the same types of crimes, then why is it so difficult to apply the principles of protection that are commonly in use?
• Because conventional protection rests on years of experience that produced a clear understanding of risk and of the laws as they relate to businesses, and that experience does not yet exist for the cyber world
• The rapid growth of the web has outpaced our ability to fully identify the threats, quantify the risks, understand the technology, and develop our defensive strategies
• Too often businesses connect to the Internet or to supply-chain partners first and worry about the consequences later
The Digital Liability Management (DLM) Model
• Author uses this model to explain how people, process, and technology all play a key role and must work together to implement an effective cyber security program.
• There are four tiers to the DLM model:
– 1) Senior management commitment and support
– 2) Acceptable-use policies and other statements of practice
– 3) Secure-use procedures
– 4) Hardware, software, and network security tools
• To be discussed in more detail in chapter 4
The Principles of Security
• Security is complex
• The issues regarding security and risk management are not always clear or easy to resolve; security is neither convenient nor cheap
• A security plan must consider corporate assets such as cash, intellectual property, customer data, reputation, etc.
Principles of Security (2)
• Protecting assets includes guarding against hackers and lawyers!
• Security must therefore protect against the risk of loss, liability, or litigation from these two distinct sources of risk
• The principles of security are then based upon
– Managerial policies
– Technologies, and
– Legal and ethical issues
Hackers
• Outsiders who break into a system, or
• Someone with authorization who uses it to obtain or alter information in the computer that they are not entitled to obtain or alter
• Exploits: tools or techniques that take advantage of a vulnerability in a computer system to exceed the user's authorized level of access
• Script kiddies: individuals using existing hacker tools and virus-building code that is widely available on the Internet
• Identity thieves are also included in the hacker category, as are those involved in espionage, vandals, disgruntled employees, social/political activists, and employees exceeding authorized access
Lawyers
• We have often heard of tort reform
• A tort is "simply stated as a wrong."
• Torts are civil (as opposed to criminal) wrongs that result from a breach of a legal right or duty
• A right is a legal claim that others not interfere with a protected interest such as property (like a computer) or privacy
• A duty is a legal obligation not to interfere with a protected interest
More Law
• Negligence (and negligent torts) involve conduct that
creates or fails to protect against an unreasonable
risk of harm
• Negligence claims can stem from the failure to
protect customer data or the illegal, irresponsible,
ignorant, or unethical behavior of employees
• We understand how hackers can cause damage but
they don’t generally file lawsuits for harassment,
privacy invasion, disclosure of confidential
information, copyright infringement, or investment
fraud. That is done by lawyers
Security is Difficult to Cost-Justify, but not Impossible
• Some have written that security investments cannot be cost-justified because they do not add to the bottom line
• Some weaknesses in this statement are:
• Security policies and technology can help avoid economic loss well in excess of the required investment
• The Code Red worm's denial-of-service (DoS) attacks caused lost productivity and direct expenses to repair, clean, and restore stricken systems, at a cost of over $3 billion
• Consider a company with a reputation for inadequate security: would you let your company's computers connect to it?
Denial of Service Attacks
• A DoS attack makes a network or server unavailable to legitimate users, typically because it receives more hits (requests for service) than it can respond to, so the overwhelmed server denies service to everyone
• Basic procedures to keep software up to date would have prevented the Code Red infections: the vulnerability the worm exploited had a vendor patch available before the worm appeared
• Chapter five will present some useful risk assessment metrics
• @Lert – typically by the time an intrusion or infection is detected, the damage is already done
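As an added illustration of the request-flood form of DoS this slide describes (this is example code written for these notes, not code from the Volonino and Robinson text), the following Python scans web-server access-log lines with a sliding time window and flags two cases: one client sending more requests than a per-client limit, and the total request rate exceeding what the server can absorb even though no single client stands out, which is what a distributed flood looks like. The combined-log format, the 10-second window, both thresholds, and every sample log line are constructed assumptions.

```python
"""Sliding-window request-flood detection over access-log lines.

Added example, not from the Volonino/Robinson text. The combined-log format,
the window length, both thresholds and every log line below are assumptions
constructed for illustration.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" style: client, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 10    # assumed sliding-window length
PER_CLIENT_LIMIT = 20  # assumed requests one client may make per window
AGGREGATE_LIMIT = 60   # assumed total requests the server can absorb per window


def parse_line(line):
    """Return (timestamp, client_ip), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FORMAT), m.group("ip")


def detect_floods(lines, window=WINDOW_SECONDS,
                  per_client=PER_CLIENT_LIMIT, aggregate=AGGREGATE_LIMIT):
    """Scan log lines in time order with a sliding window.

    Returns {'clients': set of IPs that exceeded per_client requests inside
    some window, 'aggregate': True if total requests in some window exceeded
    the server's capacity}. The aggregate check is what catches a distributed
    flood, where each source stays under the per-client limit.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = deque()      # (timestamp, ip) events inside the current window
    per_ip = Counter()    # per-client request counts inside the window
    flagged = set()
    aggregate_hit = False
    for ts, ip in events:
        recent.append((ts, ip))
        per_ip[ip] += 1
        # Slide the window: drop events older than `window` seconds.
        while (ts - recent[0][0]).total_seconds() > window:
            _, old_ip = recent.popleft()
            per_ip[old_ip] -= 1
        if per_ip[ip] > per_client:
            flagged.add(ip)
        if len(recent) > aggregate:
            aggregate_hit = True
    return {"clients": flagged, "aggregate": aggregate_hit}


# --- Constructed sample traffic (RFC 5737 documentation addresses) ---------
_BASE = datetime(2015, 7, 17, 12, 0, 0, tzinfo=timezone.utc)


def make_line(ip, offset_seconds, path="/index.html"):
    """Build one constructed combined-log line at _BASE + offset_seconds."""
    ts = (_BASE + timedelta(seconds=offset_seconds)).strftime(TS_FORMAT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


def normal_traffic():
    """Five clients, three requests each, spread over 10 seconds."""
    return [make_line(f"192.0.2.{i}", k * 3) for i in range(1, 6) for k in range(3)]


def single_source_flood():
    """Normal traffic plus one client firing 30 requests in six seconds."""
    return normal_traffic() + [make_line("203.0.113.7", s * 0.2, "/search?q=x")
                               for s in range(30)]


def distributed_flood():
    """Normal traffic plus 50 clients with only two requests each: no single
    client looks abusive, but the server sees 115 requests in the window."""
    return normal_traffic() + [make_line(f"198.51.100.{i}", 1 + 2 * k)
                               for i in range(1, 51) for k in range(2)]


if __name__ == "__main__":
    for name, sample in [("normal", normal_traffic()),
                         ("single-source", single_source_flood()),
                         ("distributed", distributed_flood())]:
        print(name, detect_floods(sample))
```

Two practical caveats. The per-client count is keyed on the client address, so a flood from spoofed or rotating sources never trips it; the aggregate check against the server's real capacity is the one that still fires, and that capacity figure has to be measured, not guessed. And the detection confirms the @Lert above: by the time the counts cross the line, service is already degraded, so the durable protection is patching and capacity planning rather than the alert itself.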
Security in the Information Economy
• Global Economy in Transition
• We’ve already discussed much of this in the
Ethics portion
– Criminals can use technology to commit crimes
faster with enhanced criminal productivity
– We’ve discussed potential for damage to be done
from employees within the company
– We must modify our perceptions and priorities in
recognizing that key business assets are digital,
portable, and vulnerable to anyone when
businesses are connected to a global network!
Legal Liability Issues
• Today’s interconnected businesses must
safeguard their own information assets but
also those of their employees, partners, and
customers
• If they don’t maintain this safety and trust
they may face expensive and embarrassing
litigation
Mistakes, Malice, and Mischief Increase Liability – and Legislation
• Electronic evidence in the form of archived e-mails and transaction histories is being used more and more frequently by prosecutors and civil litigators targeting a specific business
• Company insiders are also a valuable ally to hackers and lawyers, as they can thwart security systems out of malice, ignorance, or lack of discipline
• Attacks by lawyers can extract a higher price than hackers because of criminal penalties, regulatory action, or damage to a company's reputation
Threats to Information Security
• Employees – a lost laptop, a divulged password, or a bribed systems administrator can defeat the best IT security and create a multi-million dollar liability
• What are some other things that they could do?
• Lawsuits and insurance premiums – victims of security breaches will soon be seeking reimbursement for losses due to data exposure or theft. The litigation doors will open, and the result could exceed tobacco and asbestos litigation
• Regulators – policy vacuums invite regulation; regulators try to react to political mandates but must do so on a global level with different governments. The result will be a stream of regulation that is usually one step behind the current state of the technology
Extended Legislation and Responsibilities
• The Gramm-Leach-Bliley (GLB) Act defines
regulations that pertain to the financial
services industry and require board and
management involvement in the
development and implementation of an
information security program
• The Health Insurance Portability and
Accountability Act (HIPAA) specifies the
privacy, security, and electronic transaction
standards with regard to patient information
for all health care providers
Electronic Records Retention
• Electronic Records Management (ERM) relies on policies for managing the retention, destruction, and storage of electronic records
• An effective document retention policy ensures that electronic documents are efficiently handled and neither retained too long nor destroyed too soon
• Example: job applications – why?
• Computer forensics: the discovery of electronic evidence
• Company e-mail, even jokes sent on company e-mail, can become damning evidence in an employee's harassment lawsuit
DOJ Defines Computer Crime
• The US DOJ broadly defines computer crime as "any violation of criminal law that involves a knowledge of computer technology for their perpetration, investigation, or prosecution"
• More simply, computer crimes are those crimes that require knowledge of computers to commit
• Crime from hackers and malcontent insiders is on the rise
Congress Expands Computer Crime Legislation and Authority
• Counterfeit Access Device and Computer Fraud and Abuse Act (1984) and its amendments address computer crimes in which the computer is the subject of the crime; because there is no analogous traditional crime, special legislation was needed
• National Information Infrastructure Protection Act (1996), NIIPA – updated existing statutes so that they could be used to prosecute traditional crimes that had been committed with the use of a computer, particularly fraud and embezzlement
• USA PATRIOT Act (2001), Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act – expanded the authority of law enforcement to intercept electronic
New Ethic of Responsibility
• President George W. Bush in July of 2002 called for a
“new ethic of responsibility” in corporate America.
• Emphasized that preventing fraud and other abuse
was a corporate responsibility for which senior
executives and directors would be held accountable
• The Sarbanes-Oxley Act has legislated that
responsibility
• You Read
• End of Chapter 1
• Look at the questions at the end of the chapter
• Write some questions of your own and share them
with your classmates