Cybersecurity and Risk Management PDF
Document Details
Uploaded by IrresistibleSaxophone
International Islamic University Malaysia
2021
Ts. Dr. Aidrina Sofiadin
Summary
This document is a chapter on cybersecurity and risk management, discussing topics such as the basics of cybersecurity, why systems are vulnerable, current vulnerabilities, malware, and more. The document has an author and year and was published by Pearson.
Full Transcript
Chapter 11: Cybersecurity and Risk Management
By: Ts. Dr. Aidrina Sofiadin

What is Cybersecurity?
Cybersecurity refers to the practices, technologies, and processes designed to protect systems, networks, devices, and data from cyberattacks, unauthorized access, damage, or theft. It encompasses measures to safeguard digital assets from threats such as hacking, malware, ransomware, and data breaches.

Why Systems are Vulnerable (1 of 2)
- Security: policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
- Controls: methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its accounting records, and operational adherence to management standards.
Source for the textbook-derived slides in this chapter: Laudon, K. & Laudon, J.P. (2021), Pearson.

Why Systems are Vulnerable (2 of 2)
- Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
- Software problems (programming errors, installation errors, unauthorized changes)
- Accessibility of networks
- Use of networks/computers outside of the firm's control
- Loss and theft of portable devices
- Disasters

Figure 8.1 Contemporary Security Challenges and Vulnerabilities

Internet Vulnerabilities
- The network is open to anyone; its size means abuses can have wide impact
- Corporate networks linked to the Internet are more vulnerable
- E-mail, IM, and P2P increase vulnerability:
  - E-mail: attachments carrying malicious software; can be used to transmit trade secrets and confidential data
  - IM: a back door into a secure network
  - P2P: can transmit malicious software and expose corporate data
Wireless Security Challenges
- Bluetooth and Wi-Fi networks are susceptible to hacking
- Radio frequency bands are easy to scan
- SSIDs (service set identifiers) identify access points; they are broadcast repeatedly and can be picked up by sniffer programs
- War driving: eavesdroppers drive past buildings, try to detect SSIDs, and gain access to the network and its resources
- Once an access point is breached, an intruder can gain access to networked drives and files
- Rogue access points

Figure 8.2 Wi-Fi Security Challenges

Malicious Software: Viruses, Worms, Trojan Horses, and Spyware (1 of 2)
- Malware (malicious software)
- Viruses
- Worms
- Worms and viruses spread by:
  - Downloads and drive-by downloads
  - E-mail and IM attachments
  - Mobile device malware
  - Social network malware

Malicious Software: Viruses, Worms, Trojan Horses, and Spyware (2 of 2)
- Trojan horse
- SQL injection attacks (strictly an attack on web applications rather than malware, but grouped here as in the textbook)
- Ransomware
- Spyware
  - Key loggers
  - Other types: reset the browser home page, redirect search requests, slow computer performance by taking up memory

Ransomware
A type of malicious software (malware) designed to encrypt files on a victim's device, rendering them inaccessible. The attacker then demands a ransom payment, often in cryptocurrency, to decrypt the files.
Types of ransomware:
- Crypto ransomware (the file-encrypting variant described above)
- Locker ransomware (locks the user out of the device or its interface without encrypting files)
- Double extortion ransomware (also exfiltrates data and threatens to publish it if the ransom is not paid)
- Ransomware-as-a-Service (RaaS) (developers lease the malware and infrastructure to affiliates who run the attacks)

Hackers and Computer Crime (1 of 4)
- Hackers vs. crackers
- Activities include: system intrusion, system damage, cybervandalism
- Cybervandalism: intentional disruption, defacement, or destruction of a website or corporate information system
- Spoofing and sniffing

Hackers and Computer Crime (2 of 4)
- Denial-of-service (DoS) attacks
- Distributed denial-of-service (DDoS) attacks
- Botnets
- Spam
Hackers and Computer Crime (3 of 4)
- Computer crime is defined by the U.S. Department of Justice as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution."
- The computer may be the target of the crime
- The computer may be the instrument of the crime

Hackers and Computer Crime (4 of 4)
- Identity theft
- Phishing
- Evil twins
- Pharming
- Click fraud
- Cyberterrorism
- Cyberwarfare

Internal Threats: Employees
- Security threats often originate inside an organization
- Inside knowledge
- Sloppy security procedures
- Users' lack of knowledge
- Social engineering
- Both end users and information systems specialists are sources of risk

Interactive Session: Technology: Capital One: A Big Bank Heist from the Cloud
Class discussion:
- What management, organization, and technology factors were responsible for the Capital One hack?
- Was this an insider hack? Explain your answer.
- What steps could have been taken to prevent the Capital One hack?
- Should companies handling sensitive data use cloud computing services? Explain your answer.

Software Vulnerability
- Commercial software contains flaws that create security vulnerabilities
- Bugs (program code defects); zero defects cannot be achieved
- Flaws can open networks to intruders
- Zero-day vulnerabilities
- Patches and patch management: repair software flaws
- Vulnerabilities in microprocessor design: Spectre, Meltdown

What is the Business Value of Security and Control?
- Failed computer systems can lead to significant or total loss of business function
- Firms are now more vulnerable than ever: confidential personal and financial data; trade secrets, new products, strategies
- A security breach may cut into a firm's market value almost immediately
- Inadequate security and controls also bring forth issues of liability

Technology to detect and prevent cyberattacks in real time
- Intrusion Detection and Prevention Systems (IDPS): monitor network traffic to detect suspicious activity; block malicious traffic in real time
- Security Information and Event Management (SIEM): aggregates and analyzes logs and events from multiple sources; provides real-time alerts for unusual activities
- Blockchain for cybersecurity: secure data transactions using cryptographic methods; a decentralized approach reduces single points of failure
- Artificial Intelligence (AI) and Machine Learning (ML): analyze large datasets to identify patterns indicative of cyber threats; continuously adapt to new attack vectors

Legal and Regulatory Requirements for Electronic Records Management
- HIPAA: medical security and privacy rules and procedures
- Gramm-Leach-Bliley Act: requires financial institutions to ensure the security and confidentiality of customer data
- Sarbanes-Oxley Act: imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally

Electronic Evidence and Computer Forensics
- Electronic evidence: evidence for white-collar crimes is often in digital form
- Proper control of data can save time and money when responding to a legal discovery request
- Computer forensics: scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law
- Recovery of ambient data
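The SIEM bullet above says "aggregates and analyzes logs ... provides real-time alerts for unusual activities". What that looks like in practice is a correlation rule. The following is an added example, not code from the slides or the textbook: it parses constructed sshd-style authentication lines (the IP addresses, hosts and user names are made up for this example), flags any source address that fails to log in five times within a minute, and escalates the alert if the same source then succeeds, which is the pattern that most deserves an analyst's attention.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Added example of a SIEM correlation rule over aggregated authentication
// logs: flag any source address with `threshold` failed logins inside
// `window`, and escalate when that same source then logs in successfully.
// The log lines below are constructed for this example in an sshd-like
// format; they are not from the original slides.
const sampleLog = `2024-03-01T10:00:01Z host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03Z host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:05Z host1 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:06Z host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:08Z host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:20Z host1 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:00:30Z host2 sshd: Failed password for alice from 198.51.100.4
2024-03-01T10:05:00Z host2 sshd: Failed password for alice from 198.51.100.4
2024-03-01T10:05:02Z host2 sshd: Accepted password for alice from 198.51.100.4`

var lineRe = regexp.MustCompile(`^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)$`)

type event struct {
	at     time.Time
	ok     bool // true for a successful login
	user   string
	source string
}

type alert struct {
	Source   string
	Failures int
	Severity string // "brute-force" or "compromise-suspected"
}

// parseLog turns raw lines into time-ordered events, skipping lines the rule
// does not understand (a real pipeline would count those as a parse-failure metric).
func parseLog(raw string) []event {
	var events []event
	for _, line := range strings.Split(raw, "\n") {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		at, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		events = append(events, event{at: at, ok: m[2] == "Accepted", user: m[3], source: m[4]})
	}
	sort.Slice(events, func(i, j int) bool { return events[i].at.Before(events[j].at) })
	return events
}

// correlate applies the sliding-window rule per source address.
func correlate(events []event, threshold int, window time.Duration) []alert {
	recent := map[string][]time.Time{} // failure timestamps still inside the window
	alerts := map[string]*alert{}
	for _, e := range events {
		if e.ok {
			// A success right after a burst of failures is the case worth paging for.
			if a, hit := alerts[e.source]; hit && a.Severity == "brute-force" {
				a.Severity = "compromise-suspected"
			}
			continue
		}
		kept := recent[e.source][:0] // drop failures that have aged out of the window
		for _, t := range recent[e.source] {
			if e.at.Sub(t) <= window {
				kept = append(kept, t)
			}
		}
		kept = append(kept, e.at)
		recent[e.source] = kept
		if len(kept) >= threshold {
			if a, hit := alerts[e.source]; hit {
				a.Failures = len(kept)
			} else {
				alerts[e.source] = &alert{Source: e.source, Failures: len(kept), Severity: "brute-force"}
			}
		}
	}
	var out []alert
	for _, a := range alerts {
		out = append(out, *a)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Source < out[j].Source })
	return out
}

func main() {
	for _, a := range correlate(parseLog(sampleLog), 5, time.Minute) {
		fmt.Printf("%s: %d failed logins, severity %s\n", a.Source, a.Failures, a.Severity)
	}
}
```

On the constructed input only 203.0.113.7 fires: five failures in seven seconds followed by a success, so the alert is escalated to compromise-suspected, while the two widely spaced failures from 198.51.100.4 stay below the threshold. The window and threshold are the tuning knobs the slide glosses over; set them too low and the SIEM drowns the analysts, too high and a slow, patient attacker is never seen.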
General Malware Prevention Strategies
- Keep systems updated
- Use security software
- Educate users
- Limit permissions
- Back up data

Information Systems Controls
- May be automated or manual
- General controls: govern the design, security, and use of computer programs and the security of data files in general throughout the organization (software controls, hardware controls, computer operations controls, data security controls, system development controls, administrative controls)
- Application controls: controls unique to each computerized application (input controls, processing controls, output controls)

Risk Assessment
- Determines the level of risk to the firm if a specific activity or process is not properly controlled
- Types of threat
- Probability of occurrence during the year
- Potential losses, value of threat
- Expected annual loss

Table 8.5 Online Order Processing Risk Assessment
Exposure      | Probability of Occurrence | Loss Range ($) (Average)   | Expected Annual Loss ($)
Power failure | 30%                       | 5,000 - 200,000 (102,500)  | 30,750
Embezzlement  | 5%                        | 1,000 - 50,000 (25,500)    | 1,275
User error    | 98%                       | 200 - 40,000 (20,100)      | 19,698
Expected annual loss is the probability of occurrence multiplied by the average loss (for power failure, 0.30 x 102,500 = 30,750). Note that the highest-probability threat is not the costliest one; ranking by expected annual loss rather than by probability is what the table is for.

Post-incident risk management measures
- Comprehensive post-incident review of security protocols
- Reassess risks post-incident to determine whether the measures have reduced the likelihood and impact of similar events
- Perform assessments to test whether the vulnerabilities exploited during the incident have been effectively mitigated
- Gather input from employees who were involved in the incident response
- Evaluate whether updated monitoring tools or systems detect threats earlier or more accurately post-incident
Security Policy
- Ranks information risks, identifies security goals and the mechanisms for achieving those goals
- Drives other policies
- Acceptable use policy (AUP): defines acceptable uses of the firm's information resources and computing equipment
- Identity management: identifying valid users and controlling access

Figure 8.3 Access Rules for a Personnel System

Disaster Recovery Planning and Business Continuity Planning
- Disaster recovery planning: devises plans for restoration of disrupted services
- Business continuity planning: focuses on restoring business operations after a disaster
- Both types of plans are needed to identify the firm's most critical systems
- Business impact analysis to determine the impact of an outage
- Management must determine which systems are restored first

The Role of Auditing
- Information systems audit: examines the firm's overall security environment as well as the controls governing individual information systems
- Security audits: review technologies, procedures, documentation, training, and personnel; may even simulate a disaster to test responses
- List and rank control weaknesses and the probability of occurrence
- Assess the financial and organizational impact of each threat

Figure 8.4 Sample Auditor's List of Control Weaknesses

Tools and Technologies for Safeguarding Information Systems (1 of 3)
- Identity management software: automates keeping track of all users and their privileges; authenticates users, protects identities, controls access
- Authentication: password systems, tokens, smart cards, biometric authentication, two-factor authentication
Tools and Technologies for Safeguarding Information Systems (2 of 3)
- Firewall: a combination of hardware and software that prevents unauthorized users from accessing private networks
- Packet filtering
- Stateful inspection
- Network address translation (NAT)
- Application proxy filtering

Figure 8.5 A Corporate Firewall

Tools and Technologies for Safeguarding Information Systems (3 of 3)
- Intrusion detection system: monitors hot spots on corporate networks to detect and deter intruders
- Antimalware and antispyware software: checks computers for the presence of malware and can often eliminate it as well; requires continual updating
- Unified threat management (UTM) systems

Securing Wireless Networks
- WEP security: static encryption keys are relatively easy to crack; the textbook notes it is improved if used in conjunction with a VPN, but in practice WEP is considered broken and should not be deployed at all
- WPA2 specification: replaces WEP with stronger standards; continually changing, longer encryption keys
- WPA3 is the most recent specification, with even stronger encryption

Encryption and Public Key Infrastructure (1 of 3)
- Encryption: transforming text or data into cipher text that cannot be read by unintended recipients
- Two methods for encryption on networks: Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS); Secure Hypertext Transfer Protocol (S-HTTP)
- Caveat: SSL is deprecated and disabled in current browsers, and S-HTTP never saw meaningful adoption; what is actually deployed is HTTP carried over TLS (HTTPS), preferably TLS 1.2 or 1.3

Encryption and Public Key Infrastructure (2 of 3)
- Two methods of encryption of messages:
  - Symmetric key encryption: sender and receiver use a single, shared key
  - Public key encryption: uses two mathematically related keys, a public key and a private key; the sender encrypts the message with the recipient's public key and the recipient decrypts with the private key

Figure 8.6 Public Key Encryption
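The two methods on the slide are not alternatives in real protocols; TLS and S/MIME use both at once. Public key operations are slow and limited to short inputs, so the message is encrypted with a fresh symmetric key and only that key is encrypted with the recipient's public key. The following is an added example, not code from the slides or the textbook: it uses Go's standard library AES-256-GCM for the message and RSA-OAEP for the key, and shows that tampering with the ciphertext is detected rather than silently decrypting to garbage. The message text is made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Added example combining the two methods on the slide the way TLS and
// S/MIME do: the message is encrypted with a fresh symmetric key
// (AES-256-GCM), and that key is encrypted with the recipient's public key
// (RSA-OAEP) so only the holder of the matching private key can unwrap it.
// Illustrative code, not the textbook's; the message text is made up.

// Envelope is what travels over the network.
type Envelope struct {
	WrappedKey []byte // symmetric key encrypted under the recipient's public key
	Nonce      []byte // GCM nonce; must never repeat for the same key
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// newGCM builds an AES-GCM cipher for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMessage encrypts plaintext so that only the owner of pub can read it.
func sealMessage(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // fresh symmetric key for this message only
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// openMessage recovers the plaintext with the recipient's private key. GCM
// also authenticates the ciphertext, so any modification in transit is
// reported as an error instead of yielding garbage.
func openMessage(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// roundTrip generates a recipient key pair, seals msg to it, opens it, and
// reports whether flipping one bit of the ciphertext is detected.
func roundTrip(msg string) (recovered string, tamperDetected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	env, err := sealMessage(&priv.PublicKey, []byte(msg))
	if err != nil {
		return "", false, err
	}
	pt, err := openMessage(priv, env)
	if err != nil {
		return "", false, err
	}
	env.Ciphertext[0] ^= 0x01 // simulate an attacker altering the message in transit
	_, tamperErr := openMessage(priv, env)
	return string(pt), tamperErr != nil, nil
}

func main() {
	pt, detected, err := roundTrip("wire transfer 4711 approved")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q; tampering detected: %v\n", pt, detected)
}
```

Note what the public key alone does not give you: anyone can encrypt to the recipient, so the envelope says nothing about who sent it. Sender authentication needs a signature with the sender's private key, which is where the certificates on the next slide come in.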
Encryption and Public Key Infrastructure (3 of 3)
- Digital certificate: a data file used to establish the identity of users and electronic assets for protection of online transactions
- Uses a trusted third party, a certification authority (CA), to validate a user's identity
- The CA verifies the user's identity and stores the information on the CA server, which generates a digital certificate containing the owner's ID information and a copy of the owner's public key (the textbook describes the certificate as "encrypted"; in practice it is digitally signed by the CA, not encrypted, so anyone can read it and check the signature)
- Public key infrastructure (PKI): the use of public key cryptography working with a certificate authority; widely used in e-commerce

Securing Transactions with Blockchain
- Secure transaction database
- Encryption used to verify users and transactions
- Decentralized
- Records cannot be changed
- Blockchain has some vulnerabilities requiring attention to security and controls

- Decentralisation: data is stored across a network of nodes rather than on a central server, reducing the risk of single points of failure and making it more resistant to hacking attempts.
- Transparency and auditability: every transaction on the blockchain is recorded and visible to authorized participants, ensuring accountability and enabling easy audits while maintaining privacy.
- User identity protection: blockchain uses cryptographic keys to secure identities, allowing users to interact with the system without revealing sensitive personal data.
- Smart contracts: self-executing contracts on the blockchain enforce predefined rules and eliminate third-party involvement, reducing security vulnerabilities in transactions. The caveat is that the contract code itself becomes the attack surface: a flaw in a deployed contract is executed exactly as written and is hard to patch afterwards.

Figure 8.7 Digital Certificates
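The certificate slide describes three roles: the CA that checks an identity and signs a certificate binding a name to a public key, the owner of that key, and the relying party that trusts the CA. As an added example that is not part of the slides or the textbook, the code below runs that flow with Go's standard crypto/x509 package. The CA name and the host name are invented for this example. It also shows the point the slide leaves implicit: anyone can run a CA and mint a certificate for the same name, and what protects the relying party is which roots it chose to trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example of the PKI flow on the slide: a certification authority (CA)
// signs a certificate binding an owner's name to the owner's public key, and
// a relying party accepts it only if the chain ends at a CA it already trusts.
// The CA and host names are invented; Go's crypto/x509 does the real work.

// must keeps the example short; production code returns the error instead.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA creates a self-signed root certificate and its signing key.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issue is the CA's step: having checked the owner's identity out of band, it
// signs a certificate carrying the owner's name and public key. The result is
// signed, not encrypted: anyone can read it and verify the CA's signature.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, ownerPub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, ownerPub, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// trusted is the relying party's step: build a chain to a trusted root and
// check that the certificate is valid for the name being connected to.
func trusted(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// demo issues a genuine certificate and a look-alike from a CA the relying
// party does not trust, and returns the two verification outcomes.
func demo() (genuineOK, rogueRejected bool) {
	const host = "orders.example.test" // invented name for this example
	ca, caKey := newCA("Example Root CA")
	ownerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	genuine := issue(ca, caKey, host, &ownerKey.PublicKey)

	// Same name, same public key, but signed by a CA nobody asked us to trust.
	rogueCA, rogueKey := newCA("Rogue CA")
	rogue := issue(rogueCA, rogueKey, host, &ownerKey.PublicKey)

	roots := x509.NewCertPool()
	roots.AddCert(ca) // the relying party's trust store holds only the genuine root
	return trusted(genuine, roots, host), !trusted(rogue, roots, host)
}

func main() {
	ok, rejected := demo()
	fmt.Printf("genuine certificate trusted: %v; rogue-CA certificate rejected: %v\n", ok, rejected)
}
```

Verify also enforces the validity period and the name in the certificate's subject alternative names, which is why the leaf carries DNSNames; a certificate that chains correctly but was issued for a different host is rejected just like one from an unknown CA. Revocation (CRLs, OCSP) is the part of PKI this example leaves out.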
Ensuring System Availability
- Online transaction processing requires 100% availability
- Fault-tolerant computer systems: contain redundant hardware, software, and power supply components that create an environment providing continuous, uninterrupted service
- Security outsourcing: managed security service providers (MSSPs)

Achieving Digital Resiliency
- Deals with how to maintain and increase the resilience of the organization and its business processes
- Calls attention to managerial and organizational issues in addition to IT infrastructure
- A single weak link can cause an outage if resiliency has not been explicitly designed in, measured, and tested

Interactive Session: Management: PayPal Ups Its Digital Resiliency
Class discussion:
- Why is digital resiliency so important for a company such as PayPal?
- How did PayPal benefit from measuring its digital resiliency? What issues did it address?
- What is the role of management and organizational issues in making an organization's IT infrastructure more resilient?
Security Issues for Cloud Computing and the Mobile Digital Platform (1 of 2)
Security in the cloud
- Responsibility for security resides with the company owning the data. Under the shared-responsibility model the provider secures the underlying infrastructure, but configuration, identity and access management, and the data itself remain the customer's job.
- Firms must ensure providers provide adequate protection: where data are stored; meeting corporate requirements and legal privacy laws; segregation of data from other clients; audits and security certifications; service level agreements (SLAs)

Security Issues for Cloud Computing and the Mobile Digital Platform (2 of 2)
Securing mobile platforms
- Security policies should include and cover any special requirements for mobile devices: guidelines for use of platforms and applications
- Mobile device management tools: authorization, inventory records, control of updates, lock down/erase lost devices
- Encryption
- Software for segregating corporate data on devices

Ensuring Software Quality
- Software metrics: objective assessments of the system in the form of quantified measurements (number of transactions, online response time, payroll checks printed per hour, known bugs per hundred lines of code)
- Early and regular testing
- Walkthrough: review of a specification or design document by a small group of qualified people
- Debugging: the process by which errors are eliminated

Formulating Strategy
- SWOT analysis: identification and analysis of organizational strengths and weaknesses and environmental opportunities and threats as part of strategy formulation
- Environmental analysis: the process of scanning the business environment for threats and opportunities
- Organizational analysis: the process of analyzing a firm's strengths and weaknesses
Copyright © 2017 Pearson Education, Ltd. / Copyright © 2012 Pearson Education, Inc., publishing as Prentice Hall
A Hierarchy of Plans
- Strategic plan: reflects decisions about resource allocations, company priorities, and the steps needed to meet strategic goals
- Tactical plan: generally a short-term plan concerned with implementing specific aspects of a company's strategic plans
- Operational plan: sets short-term targets for daily, weekly, or monthly performance

Contingency Planning and Crisis Management
- Contingency planning: identifying aspects of a business or its environment that might entail changes in strategy
- Crisis management: an organization's methods for dealing with emergencies