Chapter 14 Risks, Security, and Disaster Recovery Flashcards
Goals of Information Security
- Protecting IT resources is a primary concern
- Securing corporate ISs is becoming increasingly challenging
Major goals of information security:
- Reduce the risk of systems ceasing operation
- Maintain information confidentiality
- Ensure the integrity and reliability of data resources
- Ensure the uninterrupted availability of resources
- Ensure compliance with policies and laws
- Laws passed by U.S. Congress setting standards for protecting privacy
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Sarbanes-Oxley Act of 2002 (SOX)
- CIA triad: foundational concepts of information systems security
- Confidentiality
- Integrity
- Availability
Major goals of information security
- Reduce the risk of systems ceasing operation
- Maintain information confidentiality
- Ensure the integrity and reliability of data resources
- Ensure the uninterrupted availability of resources
- Ensure compliance with policies and laws
Laws passed by U.S. Congress setting standards for protecting privacy
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Sarbanes-Oxley Act of 2002 (SOX)
CIA triad
foundational concepts of information systems security
- Confidentiality
- Integrity
- Availability
Risks to Information Systems
- Risks associated with cloud computing and data storage
- Downtime: the period of time during which an IS is not available
- $26 billion lost annually in the U.S. due to downtime
- Costs of downtime vary depending on industry, the size of the company, and other factors
Risks to Hardware
- The #1 cause of system downtime is hardware failure
- Major causes of hardware damage
- Natural disasters: fires, floods, earthquakes, hurricanes, tornadoes, and lightning
- Blackouts and brownouts
- Blackout: total loss of electricity
- Brownout: partial loss of electricity
- Uninterruptible power supply (UPS): backup power for a short time
- Vandalism: deliberate destruction
The #1 cause of system downtime
hardware failure
Major causes of hardware damage
- Natural Disasters
- Blackouts & Brownouts
- Vandalism
Blackout
total loss of electricity
brownout
partial loss of electricity
UPS
Uninterruptible power supply
- backup power for a short time
Risks to Data and Applications
- Data should be a primary concern because it is often a unique resource
- Data and applications are susceptible to disruption, damage, and theft
- The culprit in damage to software or data is almost always human
- Keystroke logging (keylogging): software records individual keystrokes
- Social engineering: con artists pretend to be service people, and ask for passwords
- Identity theft: pretending to be another person
- Phishing: bogus messages direct users to a site to “update” personal data
- Spear phishing: personal information used to attack organizational systems, particularly financial institutions
- Cyber terrorism: terrorist attacks on business organizations’ information systems
- Disrupt network communication
- Implement denial of service attacks
- Destroy/steal corporate/government information
- Some risks to data
- Alteration
- Destruction
- Web defacement
- Deliberate alteration or destruction is often done as a prank, but has a high cost
- Online vandal’s target may be a company’s website
- Hacking: unauthorized access
- Honeytoken: a bogus record in a networked database used to combat hackers
- Honeypot: a server containing a mirrored copy of a database or a bogus database
- Educates security officers about vulnerable points
- Virus: spreads from computer to computer
- Worm: spreads in a network without human intervention
- Antivirus software: protects against viruses
- Trojan horse: a virus disguised as legitimate software
- Logic bomb: software that is programmed to cause damage at a specific time
- Unintentional, non-malicious damage can be caused by:
- Poor training
- Lack of adherence to backup procedures
- Unauthorized downloading and installation of software may cause damage
- Human error
keylogging
software records individual keystrokes
Social engineering
con artists pretend to be service people, and ask for passwords
Identity theft
pretending to be another person
- Phishing: bogus messages direct users to a site to “update” personal data
- Spear phishing: personal information used to attack organizational systems, particularly financial institutions
Cyber terrorism
terrorist attacks on business organizations’ information systems with the intent to:
- Disrupt network communication
- Implement denial of service attacks
- Destroy/steal corporate/government information
Hacking
unauthorized access
Honeytoken
a bogus record in a networked database used to combat hackers
Phishing
bogus messages direct users to a site to “update” personal data
Spear phishing
personal information used to attack organizational systems, particularly financial institutions
Honeypot
a server containing a mirrored copy of a database or a bogus database
- Educates security officers about vulnerable points
Virus
spreads from computer to computer
Worm
spreads in a network without human intervention
Antivirus software
protects against viruses
Trojan horse
a virus disguised as legitimate software
Logic bomb
software that is programmed to cause damage at a specific time
Unintentional, non-malicious damage can be caused by:
- Poor training
- Lack of adherence to backup procedures
- Unauthorized downloading and installation of software may cause damage
- Human error
Risks to Online Operations
- Many hackers try daily to interrupt online businesses
- Some types of attacks
- Unauthorized access
- Data theft
- Defacing of webpages
- Denial of service
- Hijacking computers
DoS
Denial of service (DoS): an attacker launches a large number of information requests
- Slows down legitimate traffic to site
- Distributed denial of service (DDoS): an attacker launches a DoS attack from multiple computers
- Usually launched from hijacked personal computers called “zombies”
- There is no definitive cure for this
- A site can filter illegitimate traffic
DDoS
Distributed denial of service (DDoS): an attacker launches a DoS attack from multiple computers
- Usually launched from hijacked personal computers called “zombies”
- There is no definitive cure for this
- A site can filter illegitimate traffic
Hijacking
using some or all of a computer’s resources without the consent of its owner
- Often done for making a DDoS attack
- Done by installing a software bot on the computer
- Main purpose of hijacking is usually to send spam
Computer Hijacking
- Hijacking: using some or all of a computer’s resources without the consent of its owner
- Often done for making a DDoS attack
- Done by installing a software bot on the computer
- Main purpose of hijacking is usually to send spam
- Bots are planted by exploiting security holes in operating systems and communications software
- A bot usually installs e-mail forwarding software
Controls
constraints and restrictions imposed on a user or a system
- Can be used to secure against risks
- Are also used to ensure that nonsensical data is not entered
- Can reduce damage caused to systems, applications, and data
- Translate business policies into system features
Application Reliability and Data Entry Controls
- A reliable application can resist inappropriate usage such as incorrect data entry or processing
- The application should provide clear messages when errors or deliberate misuses occur
- Controls also translate business policies into system features
Backup
periodic duplication of all data
- Redundant Arrays of Independent Disks (RAID): set of disks programmed to replicate stored data
- Data must be routinely transported off-site as protection from a site disaster
- Some companies specialize in data backup services or backup facilities for use in the event of a site disaster
RAID
Redundant Arrays of Independent Disks (RAID): set of disks programmed to replicate stored data
Access controls
measures taken to ensure only authorized users have access to a computer, network, application, or data
- Physical locks: secure the equipment in a facility
- Software locks: determine who is authorized
- Types of access controls
- What you know: access codes, such as user ID and password
- What you have: requires special devices
- Who you are: unique physical characteristics
- Access codes and passwords are usually stored in the OS or in a database
- Security card is more secure than a password
- Requires two-factor access
- Biometric: uses unique physical characteristics such as fingerprints, retinal scans, or voiceprints
- Up to 50 percent of help desk calls are from people who have forgotten their passwords
- Biometrics can eliminate these kinds of calls
Types of access controls
- What you know: access codes, such as user ID and password
- What you have: requires special devices
- Who you are: unique physical characteristics
Biometric
uses unique physical characteristics such as fingerprints, retinal scans, or voiceprints
Atomic transaction
a set of indivisible transactions
- Requires all of the transactions in the set to be completely executed, or none are executed
- Ensures that only full entry occurs in all the appropriate files to guarantee integrity of the data
- Is a control against malfunction and also prevents fraud
Audit trail
a series of documented facts that help detect who recorded which transactions, at what time, and under whose approval
- Sometimes automatically created using data and timestamps
- Certain policy and audit trail controls are required in some countries
- Information systems auditor: a person whose job is to find and investigate fraudulent cases
Information systems auditor
a person whose job is to find and investigate fraudulent cases
Security Measures
Organizations can protect against attacks using various approaches, including:
- Firewalls
- Authentication
- Encryption
- Digital signatures
- Digital certificates
Firewall
hardware and software that blocks access to computing resources
- The best defense against unauthorized access over the Internet
- Firewalls are now routinely integrated into routers
DMZ
demilitarized zone approach
- One end of the network is connected to the trusted network, and the other end to the Internet
- Connection is established using a proxy server
Proxy server
“represents” another server for all information requests from resources inside the trusted network
- Can also be placed between the Internet and the trusted network when there is no DMZ
Authentication
the process of ensuring that you are who you say you are
Encryption
coding a message into an unreadable form
- Uses a mathematical algorithm and a key
- Increases security
- Slows down communication (every message must be encrypted and then decrypted)
Authentication and Encryption
- Authentication: the process of ensuring that you are who you say you are
- Encryption: coding a message into an unreadable form
- Messages are encrypted and authenticated to ensure security
- Important when communicating confidential information, e.g., financial and medical records
- A message may be text, image, sound, or other digital information
- Encryption programs scramble the transmitted information
- Plaintext: the original message
- Ciphertext: the encoded message
- Encryption uses a mathematical algorithm and a key
- Key: a unique combination of bits that will decipher the ciphertext
- Public-key encryption: uses two keys, one public and one private
- Symmetric encryption: when the sender and the recipient use the same key
- Asymmetric encryption: both a public and a private key are used
- Transport Layer Security (TLS): a protocol for transactions on the Web that uses a combination of public key and symmetric key encryption
- HTTPS: the secure version of HTTP
- Digital signature: a means to authenticate online messages; implemented with public keys
- Message digest: unique fingerprint of file
- Digital certificates: computer files that associate one’s identity with one’s public key
- Issued by a certificate authority
- Certificate authority (CA): a trusted third party
- A digital certificate contains its holder’s name, a serial number, its expiration dates, and a copy of the holder’s public key
- Also contains the digital signature of the CA
Plaintext
the original message
Ciphertext
the encoded message
Key
a unique combination of bits that will decipher the ciphertext
Public-key encryption
uses two keys, one public and one private
Symmetric encryption
when the sender and the recipient use the same key
Asymmetric encryption
both a public and a private key are used
TLS
Transport Layer Security (TLS): a protocol for transactions on the Web that uses a combination of public key and symmetric key encryption
HTTPS
the secure version of HTTP
Digital signature
a means to authenticate online messages; implemented with public keys
Message digest
unique fingerprint of file
Digital certificates
computer files that associate one’s identity with one’s public key
- Issued by a certificate authority
- Contains its holder’s name, a serial number, its expiration dates, and a copy of the holder’s public key
- contains the digital signature of the CA
CA
Certificate authority (CA): a trusted third party
SSO
Single sign-on (SSO): a user must enter his or her name/password only once
- saves employees time
The Downside of Security Measures
- Single sign-on (SSO): a user must enter his or her name/password only once
- Single sign-on saves employees time
- Encryption slows down communication
- Every message must be encrypted and then decrypted
- IT specialists must clearly explain the implications of security measures to upper management
Recovery Measures
- Security measures may reduce mishaps, but no one can control all disasters
- Preparation for uncontrolled disasters requires that recovery measures are in place
- Redundancy may be used
- Very expensive, especially in distributed systems
- Other measures must be taken
The Business Recovery Plan
a detailed plan about what should be done and by whom if critical systems go down
- Also called disaster recovery plan, business resumption plan, or business continuity plan
Developing a business recovery plan
- Obtain management’s commitment to the plan
- Establish a planning committee
- Perform risk assessment and impact analysis
- Prioritize recovery needs
- Mission-critical applications: those without which the business cannot conduct operations
- Select a recovery plan
- Select vendors
- Develop and implement the plan
- Test the plan
- Continually test and evaluate
Mission-critical applications
those without which the business cannot conduct operations
Hot sites
Alternative sites that a business can use when a disaster occurs
- Backup sites provide desks, computer systems, and Internet links
Recovery Planning and Hot Site Providers
- Can outsource recovery plans to firms that specialize in disaster recovery planning
- Hot sites: alternative sites that a business can use when a disaster occurs
- Backup sites provide desks, computer systems, and Internet links
- Companies that implement hot sites
- IBM
- Hewlett-Packard
- SunGard Availability Services
How Much Security Is Enough Security?
Costs to consider in security measures
- Cost of the potential damage
- Cost of implementing a preventative measure
$\text{Cost of Potential Damage} = \sum_{i=1}^{n} \text{Cost of Disruption}_i \times \text{Probability of Disruption}_i$
- Where $i$ is a probable event, and $n$ is the number of events
- As the cost of security measures increases, the cost of potential damage decreases
- Companies try to find the optimal point
- The company must define what needs to be protected
- Security measures should never exceed the value of protected system
Cost of Potential Damage
$\sum_{i=1}^{n} \text{Cost of Disruption}_i \times \text{Probability of Disruption}_i$
Where $i$ is a probable event, and $n$ is the number of events
Calculating Downtime
- Businesses should try to minimize downtime, but the benefit of greater uptime must be compared to the added cost
- Mission-critical systems must be connected to an alternative source of power, duplicated with a redundant system, or both
- Many ISs are now interfaced with other systems
- The greater the number of interdependent systems, the greater the expected downtime
- Redundancies reduce expected downtime
Summary
- The purpose of controls and security measures is to maintain the functionality of ISs
- Risks to ISs include risks to hardware, data, and networks
- Risks to hardware include natural disasters and vandalism
- Risks to data and applications include theft of information, identity theft, data alteration, data destruction, defacement of websites, viruses, worms, logic bombs, and nonmalicious mishaps
- Risks to online systems include denial of service and computer hijacking
- Controls are used to minimize disruption
- Access controls require information to be entered before resources are made available
- Atomic transactions ensure data integrity
- Firewalls protect against Internet attacks
- Encryption schemes scramble messages to protect them on the Internet
- A key is used to encrypt and decrypt messages
- SSL, TLS, and HTTPS are encryption standards designed for the web
- Keys and digital certificates can be purchased from a certificate authority
- Many organizations use the services of organizations that provide hot sites
- Careful evaluation of the amount spent on security measures is necessary
- Redundancy reduces the probability of downtime
- Governments are obliged to protect citizens against crime and terrorism