
Class 7 - prof.pptx


Transcript


AFM 341 ACCOUNTING INFORMATION SYSTEMS
Class #7
SCHOOL OF ACCOUNTING

AGENDA
- Last class recap
- Designing and implementing security controls
- Sample exam questions
- Take-aways

AIS in the news
- On Monday, Spotify announced a new AI feature that can translate podcasts into different languages using the host's own voice. Spotify said the feature relies on OpenAI's updates to ChatGPT, which were also announced Monday. The tech can create "realistic synthetic voices" from just a few seconds of speech, OpenAI said in a release.
- What are your thoughts on technology that is able to reproduce human speech? What opportunities exist? What are the cons?

The good news
- Detecting AI by people is a learnable skill
- Daphne Ippolito, a senior research scientist at Google Brain, created a game; studies suggest people improve their ability to detect AI over several play-throughs
- https://roft.io/

Last class recap
- Cybersecurity is primarily concerned with the confidentiality, integrity, and availability of IT resources.
- A variety of security threats (e.g., malware, DDoS, social engineering) endanger the reputation, financial stability, and competitiveness of organizations.
- Insiders pose a unique and often overlooked security threat to organizations.

Security Life Cycle
- Security is a management issue!

How to Mitigate Cybersecurity Attacks
Preventive Controls:
- People: culture, training
- Process (e.g., authentication, authorization)
- IT solutions (e.g., firewalls, encryption)
- Physical and environmental security
Detective Controls:
- Log analysis
- Intrusion detection systems
Response:
- Computer Incident Response Teams (CIRT) (covered in Class 10)

Preventive Controls: People
- Culture of security
  - Tone set at the top by management: funding, communications, etc.
- Training
  - Follow safe computing practices
  - Never open unsolicited e-mail attachments
  - Use only approved software
  - Do not share passwords
  - Physically protect laptops/cellphones
  - Protect against social engineering
  - Be wary of 'fatiguing' employees with too much cybersecurity guidance

Preventive Controls: Authentication
In order to verify that an individual attempting to gain access to an IT resource is who they say they are, we have a range of authentication options. Five broad categories, or factors, are generally referred to:
- Something you know: An item of information that an individual remembers.
- Something you are: A physical attribute of an individual.
- Something you have: The physical possession of an item or device.
- Something you do: The actions or behaviors of an individual.
- Where you are: The physical presence of an individual at a particular

Passwords
- How many different passwords do you have? How do you remember them?

Passwords
- What makes a password complex/strong?
  - 12+ characters
  - Randomly generated
  - Mix of letters/numbers/symbols
  - Avoidance of 'dictionary words'
  - Avoidance of common passwords (e.g. password, default)
  - Avoidance of relative or pet names
  - Avoidance of keyboard patterns (e.g. qwerty)
  - Avoidance of reusing passwords across multiple applications or websites
  - Avoidance of words related to known interests (e.g. BlueJays)
  - Avoidance of words with appended numbers (e.g. BlueJays123)
- www.howsecureismypassword.net

Breakout activity
- For each of the 4 password management controls, describe the control (what specifically does it include), determine the type of control (preventive, detective, corrective) and give 1 pro and 1 con:
  - Single sign-on
  - Employee training and awareness
  - Complexity requirements
  - Regular password expiry

Managing Passwords in Organizations: Solutions (or not?)
- Single sign-on: Allowing users to authenticate at one, central sign-in, which allows access to multiple applications without additional authentication
  - Positives: Can save time by reducing multiple logins, users need to remember only one password, and fewer account lock-outs
  - Negatives: Single point of failure
- Employee training and awareness: Policies, procedures, bulletins, email reminders of the importance of complex, secure passwords
  - Positives: Reinforces the importance of good password 'hygiene', such as avoiding writing down passwords or providing passwords to others via social engineering or phishing
  - Negatives: Employees may tune out if security-related communications are too frequent

Managing Passwords in Organizations: Solutions (or not?)
- Complexity requirements: Requiring that all passwords conform to an approved degree of strength (e.g. minimum 8 characters, at least one number)
  - Positives: Eliminates highly simple passwords
  - Negatives: Encourages passwords that fulfill only the minimum standard
- Regular password expiry (e.g. a new password needs to be selected every 60 days)
  - Positives: Accounts are (arguably) less susceptible to attack
  - Negatives: Encourages incrementing passwords, encourages writing down of passwords, arguable net security benefits

Preventive Controls: Authorization
- Authorization is the activity of specifying the level of access to physical and logical information systems resources.
- We typically think about authorization at a granular level, which refers to the degree of specificity we can allocate to resource privileges.
- The principle of least privilege dictates that we should only allow the bare minimum of access to a party in order to perform the functions required, but consider that complex applications such as SAP and Oracle have thousands of possible transactions.

Preventive Controls: Firewalls
- A firewall is a hardware or software tool that controls the flow of traffic in and out of networks. Its objective is to prevent unauthorized access to private networks.
- In effect, firewalls act as the security guards for an organization's data, stopping to inspect everything going in and coming out to make sure it adheres to a standardized set of rules and regulations.

Protecting Network Traffic
- Sensitive data sent over an unsecured or untrusted wireless network can be intercepted
- This intercepted data can include passwords, bank details, credit card numbers, social security numbers, etc.
- Encrypting the data being communicated across a network maintains its confidentiality

Cryptography - Terminology
- Cryptography is the science of maintaining the confidentiality and integrity of information.
- Encryption refers to the transformation of unencrypted data (called plaintext) into encrypted form (called ciphertext).
- Decryption is the process of recovering the plaintext from the ciphertext.
- Encryption steps:
  1. The sender takes plaintext and, with an encryption key and algorithm, converts it to unreadable ciphertext.
  2. To read the ciphertext, the receiver uses the key to reverse the process and make the information readable again.

Types of Encryption
Symmetric:
- Uses one key to encrypt and decrypt
- Both parties need to know the key
- Need to securely communicate the shared key
- Cannot share the key with multiple parties; each gets their own (different) key from the organization
Asymmetric:
- Uses two keys
  - Public: everyone has access
  - Private: used to decrypt (the only key known by you)
- The public key can be used by all your trading partners
- Can create digital signatures

Cryptography Considerations
- Key length (longer = stronger)
- As time passes, vulnerabilities are identified in 'widely accepted' encryption algorithms. Such algorithms are routinely replaced with more secure alternatives, which, in turn, have new vulnerabilities identified. It is critical that organizations monitor accepted standards regarding encryption algorithm replacement. For example, TJX used an out-of-date algorithm and hackers stole 94M credit card numbers.
- Establishing organizational policies on what should be encrypted, how it should be encrypted, and how keys are managed is important to establish consistent and reliable processes.

Preventive IT Solutions - VPN
- A Virtual Private Network (VPN) refers to a tool that encrypts data travelling between one network (e.g. your home or your office) and another network (e.g. a remote office) via the Internet.
- Rather than opting for the expense (and privacy) of leased communication lines (e.g. T1) between two points, users can remotely gain secure access to files and applications.
- VPNs typically use encryption to maintain confidentiality of the data, user authentication to verify identities (e.g. passwords, biometrics, etc.), and hashing functions to confirm communication integrity.

Protecting Network Traffic - VPN
- Securely transmits encrypted data between sender and receiver
- Sender and receiver have the appropriate encryption and decryption keys

Detective Controls
- Log analysis: examining logs to identify evidence of possible attacks. What information systems activities would be most useful to log?
- Intrusion Detection Systems (and Intrusion Prevention Systems): a system that creates logs of network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions.

Responding to Attacks
- Incident response is the capability to identify, prepare for and respond to incidents to control and limit damage; provide forensic and investigative capabilities; and maintain, recover and restore normal operations.
- 'Incidents' can be technical (e.g. DDoS, viruses, network intrusions), accidents (e.g. water leak on a server), mistakes (e.g. inadvertent data deletion), or system failure (e.g. power outage).
- A Computer Incident Response Team (CIRT) is tasked with managing organizational incidents.

Incident Response
[Figure: incident response cycle with four stages: Recognition, Containment, Recovery, Follow-up]

Incident Response
1. Recognition: Identifies unusual or suspicious activities that may compromise critical business functions or infrastructure. Includes:
  - Proactive detection: Vulnerability scanning, network monitoring, antivirus, security audits
  - Reactive detection: Reports from system users or other organizations of unusual or suspicious activity
2. Containment: Stopping the incident and containing the damage. Includes:
  - Sorting, categorizing, prioritizing and assigning incoming events
  - Assigning incidents to CIRT members based on availability, experience, priority, related business unit
  - Response steps:
    - Technical response: Collecting data for analysis, analyzing information (e.g. logs), researching mitigation strategies
    - Management response: Notification, interaction, escalation and approval of response activities
    - Legal response: Investigation, prosecution, consideration of privacy/copyright/regulatory issues

Incident Response
3. Recovery: Getting the systems back online and in working order. Includes:
  - Eradicating malware
  - Deploying patches
  - Restoring data from backups
  - Forensic investigations
4. Follow-up: Analysis of the event, including examination of required policy updates, as well as evaluating response speed and effectiveness.

Measuring Incident Response Effectiveness
- A variety of criteria can be used to measure the effectiveness and efficiency of the incident management function. Reporting on these metrics can help senior management understand the incident management capabilities and their value to the organization:
  - Total number of reported incidents
  - Total number of detected incidents
  - Average time to respond to an incident
  - Average time to resolve an incident
  - Total number of employees receiving security awareness training
  - Total damage from reported and detected incidents
  - Total savings from potential damages from incidents resolved
  - Total labor responding to incidents

Looking for additional information on security?
- Check out these online resources:
  - http://krebsonsecurity.com/
  - http://www.infosecurity-magazine.com/
  - http://www.cert.org/
  - http://www.securityweek.com/
  - http://www.scmagazine.com/
  - https://threatpost.com/
  - http://www.darkreading.com/
  - http://www.cio.com/category/security
  - https://www.schneier.com/
  - https://www.us-cert.gov/
- Also: Consider enrolling in the new AFM 347 (Cybersecurity) course in the Fall or Winter semester

SAMPLE QUIZ QUESTIONS
1. Restricting access of users to specific portions of the system as well as specific tasks is an example of:
  A. authentication.
  B. authorization.
  C. identification.
  D. threat monitoring.
2. Which of the following is not true regarding virtual private networks (VPN)?
  A. VPNs provide the functionality of a privately owned network using the Internet.
  B. Using VPN software to encrypt information while it is in transit over the Internet in effect creates private communication channels, often referred to as tunnels, which are accessible only to those parties possessing the appropriate encryption and decryption keys.
  C. It is more expensive to reconfigure VPNs to include new sites than it is to add or remove the corresponding physical connections in a privately owned network.
  D. The cost of the VPN software is much less than the cost of leasing or buying the infrastructure (telephone lines, satellite links, communications equipment, etc.) needed to create a privately owned secure communications network.

CLASS TAKE-AWAYS
- A variety of security controls can be employed to prevent, detect, and respond to incidents. Control design and implementation decisions should include input from a range of business and technology stakeholders.
- Organizations can establish cybersecurity controls by 1) assessing threats and selecting a response, 2) developing and communicating policies to employees, 3) acquiring and implementing solutions, and 4) monitoring performance.
- The four stages of incident response consist of recognition, containment, recovery, and follow-up.

Next Class Preparation: Cybersecurity Case Study
- Read 'Cyber Breach at Target' (refer to the syllabus for instructions on how to access the Harvard Business Publishing course pack)
- Prepare to discuss the following questions:
  1. What steps did the cybercriminals follow in committing this theft?
  2. What factors allowed the theft to take place?
  3. How was the breach discovered and how did Target react?
  4. What are the consequences of the breach for the stakeholders?
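The Detective Controls slide asks which activities are worth logging and what log analysis looks for. As an added illustration (not part of the course material), the snippet below runs two simple checks over a constructed authentication log: a burst of failed logins on one account followed by a success, and successful logins outside business hours. The log format, field names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; format "<date> <time> <EVENT> key=value ..." is an assumption.
SAMPLE_LOG = """\
2023-10-02 09:01:12 LOGIN_FAIL user=jsmith src=10.0.0.5
2023-10-02 09:01:20 LOGIN_FAIL user=jsmith src=10.0.0.5
2023-10-02 09:01:31 LOGIN_FAIL user=jsmith src=10.0.0.5
2023-10-02 09:01:44 LOGIN_FAIL user=jsmith src=10.0.0.5
2023-10-02 09:01:55 LOGIN_FAIL user=jsmith src=10.0.0.5
2023-10-02 09:02:03 LOGIN_OK user=jsmith src=10.0.0.5
2023-10-02 09:15:00 LOGIN_FAIL user=mlee src=10.0.0.8
2023-10-02 09:16:10 LOGIN_OK user=mlee src=10.0.0.8
2023-10-02 23:40:00 LOGIN_OK user=admin src=203.0.113.9
"""

def parse_log(text):
    """Turn each log line into (timestamp, event, {field: value})."""
    records = []
    for line in text.strip().splitlines():
        date, time, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        records.append((datetime.fromisoformat(f"{date} {time}"), event, kv))
    return records

def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Accounts with >= threshold LOGIN_FAIL events inside a sliding window.
    A LOGIN_OK after such a burst is escalated: the guess may have succeeded."""
    recent_fails = defaultdict(list)
    findings = {}
    for ts, event, kv in records:
        user = kv["user"]
        if event == "LOGIN_FAIL":
            # Keep only failures still inside the window ending at this event
            recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window] + [ts]
            if len(recent_fails[user]) >= threshold:
                findings[user] = "burst"
        elif event == "LOGIN_OK" and findings.get(user) == "burst":
            findings[user] = "burst then success"
    return findings

def after_hours_logins(records, start_hour=8, end_hour=18):
    """Successful logins outside the assumed 08:00-18:00 business window."""
    return [kv["user"] for ts, event, kv in records
            if event == "LOGIN_OK" and not start_hour <= ts.hour < end_hour]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(failed_login_bursts(recs))   # {'jsmith': 'burst then success'}
    print(after_hours_logins(recs))    # ['admin']
```

Both findings are leads for the CIRT to triage, not proof of compromise; the value of the exercise is deciding up front that login outcomes, account names and source addresses must be logged at all.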
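Returning to the Passwords and Managing Passwords slides above: the checker below, added here as an example and not part of the course material, encodes the slide's strength checklist (12+ characters, mixed character classes, no dictionary words, common passwords, keyboard patterns, interest or pet names, or words with appended numbers) alongside the weak "minimum 8 characters, at least one number" complexity requirement, so the two can be compared on the same inputs. The word lists are tiny constructed stand-ins for a real dictionary and breached-password list.

```python
import re
import string

# Constructed stand-ins; a real check would use a full dictionary and a breach corpus.
COMMON_PASSWORDS = {"password", "default", "123456", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"password", "summer", "toronto", "hockey", "welcome"}
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "1234", "abcd")
PERSONAL_WORDS = {"bluejays", "rex", "fluffy"}  # known interests, pet/relative names

def check_password(pw: str) -> list:
    """Return the slide rules the password violates (empty list = strong)."""
    low = pw.lower()
    problems = []
    if len(pw) < 12:
        problems.append("fewer than 12 characters")
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    if not (has_letter and has_digit and has_symbol):
        problems.append("missing letters, numbers or symbols")
    if low in COMMON_PASSWORDS:
        problems.append("common password")
    if any(p in low for p in KEYBOARD_PATTERNS):
        problems.append("keyboard pattern")
    # Strip digits/symbols before the word lookups so "BlueJays123!" is still caught
    core = re.sub(r"[^a-z]", "", low)
    if core in DICTIONARY_WORDS or core in PERSONAL_WORDS:
        problems.append("dictionary, interest or pet/relative name")
    # A single word followed only by digits (and trailing symbols), e.g. BlueJays123
    if re.match(r"^[a-z]+\d+[^a-z\d]*$", low):
        problems.append("word with appended numbers")
    return problems

def meets_minimum_policy(pw: str) -> bool:
    """The weak complexity requirement from the slide: 8+ chars and at least one number."""
    return len(pw) >= 8 and any(c.isdigit() for c in pw)

if __name__ == "__main__":
    for candidate in ["Password1", "BlueJays123!", "qwerty", "Tk7#vQ2$mL9!wX"]:
        print(candidate, meets_minimum_policy(candidate), check_password(candidate))
```

"Password1" passes the minimum policy yet fails three of the checklist items, which is the slide's point that complexity minimums encourage passwords that only just clear the bar.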
