Information Systems Security and Online Privacy PDF

Document Details


Uploaded by NicestJasper7431

Wilfrid Laurier University

Samaneh Kakavand

Tags

information systems security cybersecurity online privacy information technology

Summary

This document provides an overview of information systems security, covering topics like learning objectives, key terms, examples, components of information security, and different security concepts. It likely serves as lecture notes for a course related to information systems and cybersecurity.

Full Transcript


Slide 1. Information Systems Security and Online Privacy
Samaneh Kakavand, PhD

Slide 2. Learning Objectives
- To learn to make the case that information systems security, privacy, and ethics are issues of interest to general and functional managers.
- To explore why it is a grave mistake to delegate security exclusively to IT professionals.
- To understand the basic IT risk management processes, including risk assessment and risk mitigation.
- To understand the principal cybersecurity threats, both internal and external, and the principal safeguards that have been developed to mitigate these risks.
- To define ethics, apply the concept of ethical behavior to information systems decisions,

Slide 3. Key Information Security Terms
(Slide images not reproduced.)
- Information resources: the assets being protected.
- Threat
- IS controls: protect the system (software, devices, procedures).
- Vulnerability: the likelihood that a threat will harm the system.
- Exposure: the potential harm if a threat breaks the controls and compromises the resources.
A failure in security, privacy, or ethics can have dramatic repercussions on an organization, both because of its potentially damaging direct effects (e.g., computer outages, disruptions to operations) and because of its increasingly negative indirect effects (e.g., legal recourse, image damage).

Slide 4. Examples
- On May 12, 2017, the WannaCry ransomware took the world by surprise, infecting hundreds of thousands of computers in banks, hospitals, firms, and other organizations.
- On November 24, 2014, Sony Pictures Entertainment experienced a massive release of confidential information coming directly from its systems.
The hacking group calling itself the “Guardians of Peace” claimed to have stolen 100 terabytes of sensitive data.

Slide 5. Components of Information Security
- Confidentiality: the information is secret. No one can read it without your permission.
- Integrity: the information remains unaltered. No one can change it without your knowledge.
- Availability: the information is available upon your request. When you need it, it must be there.

Slide 6. Confidentiality
To ensure confidentiality we need two things:
- First, we need to make sure that our data cannot be read by anyone except the intended recipient. We do this through cryptography.
- Second, we need to make sure that the intended recipient is really who they say they are. We do this through access control.

Slide 7. 1. Cryptography
- Plaintext: the original message.
- Ciphertext: the transformed message.
- Key: the secret used in the transformation.
- Cipher: the algorithm for encryption and decryption.
- Encryption turns plaintext into ciphertext under the key; decryption turns ciphertext back into plaintext under the key.

Slide 8. 2. Access Control

Slide 9. Access Control
We need three components to control access:
- Authentication: to confirm that you are who you say you are.
- Authorization: to make sure that you can access only what you are permitted to access.
- Accounting: to keep track of what you do.
What is the easiest method to authenticate yourself?

Slide 10. Access Control
A password is the simplest authentication method. A password becomes insecure when:
- it is shared (intentionally or unintentionally);
- it is guessable: dictionary-based, built from personal data, or following a well-known pattern.

Slide 11. Multi-factor Authentication
Several businesses use multi-factor authentication to provide additional security. The factors are:
- something you know;
- something you have;
- something you are.

Slide 12. Internal Threat
Internal cybersecurity threats are those posed by individuals who have direct, on-premises access to the firm’s technology infrastructure, or who have legitimate reasons to be using the firm’s assets.
- Intentional malicious behavior: this type of threat is typically associated with disgruntled or ill-willed employees, meaning that there are potentially authorized users who can access the data and, at the same time, have a reason for leaking or tampering with it.
- Careless behavior: this type of threat is typically associated with ignorance of, or disinterest in, cybersecurity policies. Into this category fall a number of other behaviors that are more or less dangerous: failing to change default passwords; breaking the organization’s policy on Internet and web usage; not following guidelines about saving data on personal or portable devices; failing to destroy sensitive data according to planned schedules.

Slide 13. The External Threat: The Intrusion Threat
The intrusion threat consists of any situation where an unauthorized attacker gains access to organizational IT resources. Hackers may use coding errors or undocumented features to gain control of entire IT systems or privileged access to company data. The external threats covered in the following slides are:
- social engineering;
- phishing;
- the threat of malicious code;
- online fake news;
- mobile and IoT cybersecurity threats.

Slide 14. Social Engineering
What is the best way to get hold of people’s passwords? Social engineering: the practice of obtaining restricted or private information by somehow convincing legitimate users, or other people who have the information, to share it.
https://www.youtube.com/watch?v=opRMrEfAIiI

Slide 15. Malware
Malware (short for malicious software) is any software with malicious intent against your computer. It can:
- disrupt computer operation;
- gain access to private systems;
- steal personal information;
- or even display advertisements.

Slide 16. Types of Malware
Virus, worm, Trojan horse, ransomware, spyware.

Slide 17. Phishing
Phishing consists of sending official-sounding spam (i.e., unwanted e-mail) that appears to come from known institutions.
- Delivered via e-mail, with a URL link to a fake website that looks almost identical to the original.
- Tricks the user into entering personal details and/or a password.
Spear-phishing is phishing aimed at a specific person: more sophisticated and customized, and therefore more convincing to the victim.

Slide 18. Phishing
(Example slide; image not reproduced.)

Slide 19. Online Fake News
Online fake news consists of the targeted diffusion of false information that gains traction in the target audience. Ubiquitous access to social media has reduced the entry barrier to the business of disinformation and increased the speed with which fake news can spread. Troll factories are new organizations, either private or state-sponsored, specializing in the writing and posting of targeted articles, online reviews, and comments; these messages seek to either discredit or promote a product, firm, or other organization’s reputation.

Slide 20. Mobile and IoT Cybersecurity Threats
Smartphones and IoT devices are full-fledged computers and are therefore subject to the same cybersecurity threats. Because of ignorance and careless behavior, users of mobile devices are exposed to even higher risks than PC users. As mobile devices become increasingly capable of performing advanced activities, hackers are finding creative ways to break into them and steal information.

Slide 21. Privacy
Privacy: the right to be left alone and to be free of unreasonable personal intrusions. Information privacy relates to information collection and dissemination. Is your Facebook page a private or a public place?
https://www.youtube.com/watch?v=wogtTQs8Kzw

Slide 22. Cybersecurity is an IT Problem?

Slide 23. Cybersecurity = Negative Deliverable
Cybersecurity should be on managers’ radar screens because of its peculiar characteristics, which run the risk of leaving it underfunded unless managers get directly involved in the threat assessment and mitigation process.
Cybersecurity is a negative deliverable: all the money spent on managing IT risk and securing the firm’s IT infrastructure and data repositories produces no revenue and creates no efficiencies; it only limits the possibility that negative fallout will happen in the future. It is difficult to take credit for doing a great job when all you have to show for your efforts is that nothing bad has happened.

Slide 24. Managers’ Responsibility
Security, privacy, and ethics are areas where, as managers, you cannot resign from your responsibility. In order to actively participate in decision making on these three fronts, managers must understand:
- under what circumstances choices and trade-offs are made;
- what the principal threats and responses are.

Slide 25. IT Risk Management and Cybersecurity
Information systems security, or cybersecurity as it is generally called, refers to the set of defenses an organization puts in place to mitigate threats to its technology infrastructure and digital assets. IT risk management is the process by which the firm attempts to identify and measure information systems security risks and to plan the optimal mitigation strategy. Cybersecurity and IT risk management have come to the forefront of managerial attention because of the increasing threat of cyberterrorism.

Slide 26. Risk Assessment
The risk assessment process consists of auditing the current resources, technological as well as human, in an effort to map the current state of information systems security in the organization. An understanding of the current resources will provide an idea of the set of vulnerabilities the firm is facing. The amount you invest in cybersecurity safeguards should be proportional to the extent of the threat and its potential negative effects.

Slide 27. Risk Mitigation
Risk mitigation is the process of matching the appropriate response to the cybersecurity threats your firm has identified.
Risk mitigation allows your organization to devise the optimal strategy given the set of cybersecurity risks it faces. The optimal strategy is the one that yields the best trade-off between the degree of cybersecurity the firm attains and the total investment in countermeasures necessary to achieve it.

Slide 28. Three Mitigation Strategies
- Risk acceptance: not investing in countermeasures and not reducing the security risk. The more an organization gravitates toward this strategy, the higher the potential failure cost it faces, while minimizing anticipation costs.
- Risk reduction: actively investing in the safeguards designed to mitigate security threats. The more an organization gravitates toward this strategy, the higher the anticipation cost it faces, while actively reducing failure costs.
- Risk transference: passing a portion (or all) of the risks associated with cybersecurity to a third party (e.g., by outsourcing security or buying insurance).

Slide 29. Cybersecurity Responses: Internal Threats
The first step in raising awareness of the risk of internal threats is a comprehensive assessment to understand the effects of potential scenarios, their likelihood, and their potential harm. Responses include:
- Security policies: spell out what the organization believes are the behaviors that individual employees and groups within the firm should follow in order to minimize security risks.
- Monitoring: the classical approach is to monitor and limit access to dangerous websites, or to prevent the installation and execution of unauthorized software.
- Testing: sending fake phishing e-mails to employees and observing their response.

Slide 30. Cybersecurity Responses: External Threats
Intrusion. The cornerstones of securing against intrusion are:
- Passwords: there is an inherent trade-off between the complexity of a password and the human ability to remember it.
- Firewall: a software tool designed to screen and manage traffic in and out of a computer network.
- Encryption: ensures that if the wrong individuals gain access to the data, they will be unable to make out its meaning.
Malware. Safeguarding against malware requires that the firm’s IT professionals install the appropriate detection software (antivirus and spyware sweepers). Training and policies can also be very helpful in mitigating the malware threat.

Slide 31. Risk Assessment and Mitigation (example risk register)
Columns: Threat; Vulnerability; Consequence; Risk rating; Action needed; Explanation.

Row 1
Threat: Flooding.
Vulnerability: Low (servers on the third floor, minimal risk of flooding).
Consequence: Severe shutdown and loss of $50,000.
Risk rating: Medium.
Action needed: None.
Explanation: The vulnerability is low since the servers are on a high floor. Even though flooding could result in a severe shutdown and financial loss, the risk is still considered medium due to the low likelihood of flooding affecting the servers directly. Therefore, no immediate action is needed at this time.

Row 2
Threat: Overheating servers.
Vulnerability: High (AC is 10 years old and may not be efficient).
Consequence: Server shutdown for 12 hours (high impact).
Risk rating: Critical/High.
Action needed: Reduce by purchasing a new AC for $5,000.
Explanation: The vulnerability is high due to the aging AC, which increases the risk of overheating. A server shutdown for 12 hours would significantly disrupt operations. Therefore, immediate action is required to reduce the risk by investing in a new AC system to prevent overheating.

Slide 32. Cybersecurity Responses: External Threats (example risk register)
Columns: Threat; Vulnerability; Consequence; Risk rating; Action needed; Explanation.

Row 1
Threat: DDoS attack.
Vulnerability: Low (updated firewall and configured protections).
Consequence: Severe shutdown of the website for 2 hours, potential loss of $20,000.
Risk rating: Medium.
Action needed: Reduce by constantly monitoring and updating protection services.
Explanation: The vulnerability is low because of the updated firewall and the protections already in place. However, a 2-hour website shutdown could lead to a $20,000 loss, making the risk medium. The action to reduce the risk involves constant monitoring and regular updates to ensure the protection services are up to date and effective.

Row 2
Threat: Insider threat (data theft).
Vulnerability: Medium (insufficient monitoring, poor access control).
Consequence: Data theft, potential financial loss, reputational damage.
Risk rating: High.
Action needed: Reduce by implementing stronger access controls and monitoring.
Explanation: The vulnerability is medium due to insufficient monitoring and poor access controls. The consequence could involve serious data theft, leading to financial loss and damage to the company’s reputation, making the risk high. To reduce the risk, the company should implement stronger access controls, enhance monitoring systems, and conduct regular security audits to detect suspicious activities early.
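Worked example for slide 7 (plaintext, ciphertext, key, cipher). This is an added illustration written for these notes, not code from the lecture: it uses the one-time pad, the simplest real cipher, to show encryption and decryption under a key, and then shows the caveat the slide's definitions hide, namely that reusing a key leaks the relationship between two plaintexts. The messages and key are constructed here; the function names are the example's own.

```python
"""One-time-pad encryption, added here to make slide 7's terms concrete.
Illustration written for these notes, not lecture code. The plaintexts and
the key below are constructed for the demonstration."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Cipher: XOR each plaintext byte with the corresponding key byte.
    The key must be random, at least as long as the message, and used once."""
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the plaintext")
    return xor_bytes(plaintext, key[: len(plaintext)])


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation with the same key."""
    return otp_encrypt(ciphertext, key)


def new_key(length: int) -> bytes:
    """Fresh key from the OS CSPRNG; never derive it from a short password."""
    return os.urandom(length)


def key_reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """The caveat: if one key encrypts two messages, XORing the two ciphertexts
    cancels the key and yields plaintext1 XOR plaintext2, which an attacker can
    unwind with a guess at either message, without ever learning the key."""
    return xor_bytes(ciphertext1, ciphertext2)


def demo() -> bool:
    """Encrypt, decrypt, then reuse the key (the mistake) and recover the
    second message from the first. Returns True when the recovery succeeds."""
    p1 = b"transfer 100 to account 42"   # constructed sample message
    key = new_key(len(p1))
    c1 = otp_encrypt(p1, key)
    assert otp_decrypt(c1, key) == p1     # ciphertext is meaningless without the key
    p2 = b"transfer 900 to account 99"   # same length, same key reused
    c2 = otp_encrypt(p2, key)
    recovered_p2 = xor_bytes(key_reuse_leak(c1, c2), p1)  # attacker knows or guesses p1
    return recovered_p2 == p2


if __name__ == "__main__":
    print("key reuse exposes the second message:", demo())
```

The lesson is the one the slide's definitions imply but do not state: the cipher and the ciphertext can be public, the key alone carries the secrecy, and a key that is guessable, too short, or reused stops protecting anything. In practice an authenticated cipher such as AES-GCM from a vetted library replaces the pad, but the key-management rule is the same.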
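Worked example for slides 9 and 10 (password authentication and when a password becomes insecure). This is an added example for these notes, not lecture code: it checks a candidate password against the three guessability conditions the slide lists (dictionary-based, personal data, well-known pattern) and shows how a system should store and verify passwords so that a leaked database does not hand the attacker the passwords themselves. The COMMON_PASSWORDS set is a constructed stand-in for a real breached-password list, and the profile fields are made up.

```python
"""Password checks and storage for slide 10. Added example for these notes,
not lecture code. COMMON_PASSWORDS stands in for a real breached-password
list; the regex patterns and profile fields are constructed for the demo."""
import hashlib
import hmac
import os
import re

# Constructed stand-in for a breached-password list (a real check uses millions of entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "laurier"}

# Well-known patterns that guessing tools try first.
PATTERNS = [
    (re.compile(r"^(?:qwerty|asdf|zxcv|1234|abcd)", re.I), "keyboard walk or sequence"),
    (re.compile(r"^(.)\1{3,}$"), "repeated character"),
    (re.compile(r"^[a-z]+(?:19|20)\d{2}[!?.]?$", re.I), "word followed by a year"),
    (re.compile(r"^\d+$"), "digits only"),
]

# Memory-hard KDF parameters (assumed reasonable defaults for this demo).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def weaknesses(password, profile=None):
    """Return the reasons a password is guessable (empty list = none detected).
    `profile` holds personal data an attacker could know, e.g. {"name": "Samaneh"}."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("dictionary-based")
    for field, value in (profile or {}).items():
        if value and len(value) >= 3 and value.lower() in lowered:
            reasons.append(f"contains personal data ({field})")
    for pattern, label in PATTERNS:
        if pattern.search(password):
            reasons.append(f"well-known pattern ({label})")
            break
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


def hash_password(password, salt=None):
    """Store a salted scrypt hash, never the password itself.
    The per-user random salt defeats precomputed (rainbow-table) attacks."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time,
    so response timing does not reveal how many bytes matched."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ["password", "Summer2024!", "Samaneh1990", "correct horse battery staple"]:
        print(f"{candidate!r}: {weaknesses(candidate, {'name': 'Samaneh'}) or 'no weakness found'}")
    record = hash_password("correct horse battery staple")
    print("stored:", record[:40] + "...")
    print("verify right password:", verify_password("correct horse battery staple", record))
    print("verify wrong password:", verify_password("correct horse battery stable", record))
```

The first condition on the slide, a shared password, cannot be detected by any check on the password string; it is handled by the policies and monitoring of slide 29, and by the second factor of slide 11.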
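Worked example for slide 17 (phishing links to a fake website that looks like the original). The following is an added example for these notes, not lecture code: a set of heuristics a mail gateway or a user-awareness tool can apply to the link text and target of an e-mail hyperlink, covering the tricks phishing kits actually use (brand name buried as a subdomain, near-miss spellings, punycode homographs, user@host URLs, link text that shows a different site than the target). The TRUSTED allow-list and every URL below are constructed for the demonstration.

```python
"""Heuristic checks for a phishing link, illustrating slide 17. Added example
for these notes, not lecture code. TRUSTED is a constructed allow-list of the
domains this organisation expects to link to; all sample URLs are made up."""
import difflib
from urllib.parse import urlparse

TRUSTED = {"laurier.ca", "paypal.com", "microsoft.com"}  # constructed allow-list


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com/.ca; a production checker
    should use the Public Suffix List so that example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_findings(display_text: str, href: str) -> list:
    """Return the reasons a hyperlink is suspicious (empty list = nothing found)."""
    findings = []
    target = urlparse(href)
    host = (target.hostname or "").lower()
    domain = registrable_domain(host)

    if target.scheme != "https":
        findings.append("not https")
    if "@" in target.netloc:
        findings.append("user@host trick in URL")          # https://paypal.com@evil.example/
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homograph)")

    # Link text that looks like a URL but points somewhere else.
    shown = display_text.strip()
    if "." in shown and " " not in shown:
        shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != domain:
            findings.append(f"text shows {shown_host} but target is {host}")

    if domain not in TRUSTED:
        # Brand domain buried as a subdomain: paypal.com.account-check.example
        for trusted in TRUSTED:
            if host.startswith(trusted + ".") or f".{trusted}." in host:
                findings.append(f"{trusted} used as a subdomain of {domain}")
                break
        # Near-miss spelling of a trusted domain: paypa1.com, micros0ft.com
        close = difflib.get_close_matches(domain, TRUSTED, n=1, cutoff=0.8)
        if close:
            findings.append(f"{domain} looks like {close[0]}")
    return findings


if __name__ == "__main__":
    # Constructed samples: one legitimate link and four phishing-style links.
    samples = [
        ("https://www.paypal.com/login", "https://www.paypal.com/login"),
        ("Verify your account", "http://paypal.com.account-check.example/login"),
        ("https://www.paypal.com", "https://www.paypa1.com/signin"),
        ("Sign in", "https://paypal.com@evil.example/"),
        ("microsoft.com", "https://www.xn--micrsoft-x1a.com/"),
    ]
    for text, href in samples:
        print(f"{href}\n  -> {link_findings(text, href) or 'no findings'}")
```

None of these checks is proof of phishing, and a well-made spear-phishing link (slide 17) can pass all of them, for instance by pointing at a freshly registered unrelated domain. The heuristics are a screen that lifts the obvious cases into the Testing and Monitoring responses of slide 29; the durable controls remain user training and the second factor of slide 11, which a stolen password alone cannot satisfy.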
