Chapter 7
Information technology (IT) security is one of the top issues of concern to businesses: hacked systems or stolen data can put a company out of business. General managers must understand the basics to ensure continuance of operations. This chapter explores managing security in five areas: strategy, infrastructure, policies, training, and investments. Lessons from some of the largest and most well-known breaches are covered, as well as how they occurred according to security experts. The chapter also discusses common tools that aim to secure access, data storage, and data transmission to prevent these breaches, and their advantages and disadvantages. Policies general managers can implement to decrease the risk of security issues and economic damage are presented, followed by a discussion of education, training, and awareness issues.
During lunchtime on June 6, 2015, a white van pulled in front of the U.S. Office of Personnel
Management in Washington, D.C. A team of three expert hackers entered the front door,
displaying the credentials of three janitors who were bound and gagged back at their office. As
the hackers stood at a supply room door next to a highly secure server room, the target of their
attack, one feigned having to crouch to tie his shoe, the other two stood in the way of the
security cameras, and the crouching bandit used a lock-picking tool to gain access to the supply
room. They figured they had only a few minutes to clip a monitoring device to the network wires
that led to the servers containing security clearance information for millions of employees and
past employees. The device monitored electrical activity right through the insulation and
transmitted it to the van.
The hackers closed and relocked the supply room door, exited the building, and re-entered the van just as the clock struck 1 PM. The tallest of the three declared "right on schedule!" and set a timer for 10 minutes. He tuned his laptop into the monitoring device and the other two did the same. They watched communications to and from the server, waiting for an employee, any employee, returning from lunch to log in. Monitoring was risky due to random sweeps for rogue wireless connections, so after 10 minutes they would abort the mission.
The three typed frantically at their keyboards, but nothing seemed to work for several agonizing minutes. Ten seconds before their time was up, one of the perpetrators hastily wrote some computer code and then smiled. He was just in time to reveal a log-in conversation complete
The hackers set the timer for another 10 minutes, which they had budgeted for the next phase.
The hackers searched frantically for large files that might contain the security clearance information they were hired to obtain. One of them found a large file called "SecurClearRecs," and the three cursed when they saw that the file was larger than anticipated. They immediately typed commands to upload the file through the Internet to a server in Shanghai, China. They kept one eye on the building and the other eye on the red "progress bar" that indicated "5% complete" for 20 full seconds before it changed to "10% complete." The time required for each 5% seemed to vary widely: moving from 15% to 20% took almost an entire minute. They realized it would take the entire 10 minutes they had allocated or more. They could almost hear their own pulses as they anticipated the million-dollar reward that awaited them if they were successful, but they also dreaded the fact that their overall budgeted 20 minutes might not be quite enough. Maybe they could chance it and go just a little longer. A few terror-filled minutes past the budgeted 20 minutes, at 90% complete, they saw a guard step outside of the building and point at the van. Another officer joined him, and the pair started walking cautiously toward the van, one of them trying to talk into his radio. The hackers had wisely jammed police channel communications and flattened the patrol cars' tires, but they wanted to avoid physical contact as much as possible. Trouble was certain to loom ahead; one of the officers turned to run back to the building. The tallest hacker jumped into the driver's seat and started the van.
The hackers looked down at the progress bar, which said "99% complete," just as an alarm sounded. The remaining guard began running to the van. Four flat tires would mean a 10-minute delay waiting for another officer. They waited a few seconds for "100% complete" and then screeched away to a secluded clearing one-half mile away in the woods where a blue turbocharged Hyundai Sonata awaited them.
They pushed a red "self-destruct" button in the van to start a timer, jumped in the Hyundai, and sped down back roads as distant sirens blared and the van exploded. Two weeks later, on June 20, 2015, an article in Computerworld stated that "The U.S. government still isn't saying how much data it fears was stolen."
This story is notable for two reasons: (1) It is exactly the type of story that we would all imagine when hearing about data breaches, largely thanks to big-budget Hollywood movies. However, (2) the story is almost completely false; the only true parts are that a large number of private security clearance files were indeed stolen from the Office of Personnel Management, and the June 20 article in Computerworld did display the preceding quote.
If managers expect only such "urgent and frantic" physical attacks, they will focus their attention on the wrong threats. It is important to learn the true story of this very real breach.
Governmental officials learned in May 2015 that at least 4 million records likely had been stolen several months earlier. Subsequent estimates placed the number at 14 million records.2 The records contained much more than names, addresses, and social security numbers of current and former employees, possibly as far back as the 1980s.
The 127-page dossier for each person also included information on alcohol and drug use; financial, psychological, employment, and criminal history; as well as sensitive personal information about contacts and relatives. There were even comments from acquaintances, which could include neighbors, enemies, and potential enemies of each person. In short, according to the International Business Times, the stolen information was "invasive enough to ruin potentially millions of American lives."4 As a consequence, the Chairman of the U.S. House Oversight Committee asked for the resignation of the person in charge, the Director of the Office of Personnel Management.
In reality, the following important issues are true for this case as well as many others:
2. They were able to spend an extended period of time, possibly over a year, to carry out their attack. In fact, a 2015 report from consulting firm Mandiant revealed that the median time that it took in 2014 for firms to detect a threat group's presence was 205 days, and the maximum was a whopping 2,982 days (11 years). It took the victim organization months to discover the breach, which enabled the hackers to cover their tracks.
3. The hackers were far away and did not need any physical contact or any escape plan.
4. The hackers exploited a stolen password, likely obtained by various means described later in
1 Fred O'Connor, "Hackers Had Access to Security Clearance Data for a Year," Computerworld (June 20, 2015), article/2938654/cybercrime-hacking/hackershad-access-to-security-clearance-data-for-a-year.html (last accessed June 22, 2015).
Kim Zetter and Andy Greenberg, "Why the OPM Breach Is Such a Security and Privacy Debacle," Wired (June 11, 2015), com/2015/06/opm-breach-security-privacy-debacle/ (accessed June 22, 2015).
Jeff Stone, "Hacked US Security Clearances Are Giving Beijing Insanely Personal Information about American Citizens," International Business Times (June 12, 2015), ibtimes.com/hacked-us-securityclearances-are-giving-beijing-insanely-personal-information-about-1964882 (last accessed August 25, 2015).
3 Erin Kelly, "House Oversight to OPM Chief: 'Time for You to Go,'" In Brief (June 26, 2015), 2A.
6 "Blackmail Looms after Government Cyber Breaches," WND.com (June 13, 2015), cyber-breaches/ (accessed June 22, 2015).
"M-Trends: A View fr
Many other firms have been victimized, and hundreds of millions of records filled with personal information have been stolen just over the last two years. Security consulting firm FireEye estimates that 97% of all firms have been breached. Managers must understand how large breaches occur to clarify the picture of what is going on out in the wild frontier and to protect their own company from similar fates. Only when threats are more fully understood can management begin to formulate and implement effective security plans.
IT Security Decision Framework
The first step on the road to an effective security plan is for management to adopt a broad view of security. This can be done by establishing an information security strategy and then putting the infrastructure (tools) and policies (tactics) in place that can help the organization realize its strategy. To round out the picture, users need to become familiar with security, and investments need to be made. The whole security picture can be reflected in five key security decisions. Understanding these decisions and who is responsible for them (that is, who has decision rights for them) is presented in Figure 7.1. We introduced decision rights in Chapter 3, and we use the concept to illustrate the appropriate roles of business and IT managers in making a company's security decisions.
FIGURE 7.1 Key information security decisions.

Information Security Decision: Strategy
Who Is Responsible: Business leaders. Business leaders have knowledge of the company's strategies on which security strategy should be based. No detailed technical knowledge is required.
Major Symptoms of Improper Decision Rights Allocation: Security is an afterthought and patched on to processes and products.

Information Security Decision: Infrastructure
Who Is Responsible: IT leaders (CISO). In-depth technical knowledge and expertise are needed.
Major Symptoms of Improper Decision Rights Allocation: There is a misspecification of security and network topologies or a misconfiguration of infrastructure. Technical security control is ineffective.

Information Security Decision: Policies
Who Is Responsible: Shared: IT and business leaders. Technical and security implications of behaviors and processes need to be analyzed, and trade-offs between security and productivity need to be made. The particulars of a company's IT infrastructure need to be known.
Major Symptoms of Improper Decision Rights Allocation: Security policies are written based on theory and generic templates. They are unenforceable due to a misfit with the company's specific IT infrastructure.

Information Security Decision: Security Education, Training, and Awareness
Who Is Responsible: Shared: IT and business leaders. Business buy-in and understanding are needed to build them. Technical expertise and knowledge of critical security issues are needed to design programs.
Major Symptoms of Improper Decision Rights Allocation: Users are insufficiently trained, bypass security measures, or do not know how to react properly when security breaches occur.

Information Security Decision: Investments
Who Is Responsible: Shared: IT and business leaders. They require financial (quantitative) and qualitative evaluation of business impacts of security investments. A business case has to be presented for rivaling projects. Infrastructure impacts of funding decisions need to be evaluated.
Major Symptoms of Improper Decision Rights Allocation: Under- or overinvestment in information security occurs. The human or technical security resources are insufficient or wasted.

Sources: Adapted from Yu Wu, "What Color is Your Archetype? Governance Patterns for Information Security" (Ph.D. Dissertation, University of Central Florida, 2007); Yu Wu and Carol Saunders, "Governing Information Security: Governance Domains and Decision Rights Allocation Patterns," Information Resources Management Journal 24, no. 1 (January-March 2011), 28-45.
Bill Whitaker, "What Happens When You Swipe Your Card?" 60 Minutes (November 30, 2014), transcript, your-credit-card-and-hacking-andcybercrime/ (accessed June 24, 2015).
1. Information security strategy: A company's information security strategy is based on such IT principles as protecting the confidentiality of customer information, strict compliance with regulations, and maintaining a security baseline that is above the industry benchmark. Security strategy is not a technical decision. Rather, it should reflect the company's mission, overall strategy, business model, and business environment.
Deciding on the security strategy requires decision makers who are knowledgeable about the company's strategy and management systems. An organization's information systems (IS) likely need to provide the required technical input for supporting the decision.
2. Information security infrastructure: Information security infrastructure decisions involve selecting and configuring the right tools. Common objectives are to achieve consistency in protection, economies of scale, and synergy among the components. Top business executives typically lack the experience or expertise to make these decisions. For these reasons, corporate IT typically is responsible for managing the dedicated security mechanisms and general IT infrastructure, such as enterprise network devices. Thus, corporate IT should take the lead and make sure that the technology tools in the infrastructure are correctly specified and configured.
3. Information security policy: Security policies encourage standardization and integration.
Following best practices, they broadly define the scope of and overall expectations for the
company's information security program. From these security policies, lower-level tactics are
developed to control specific security areas (e.g., Internet use, access control) and/or individual
applications (e.g., payroll systems, telecom systems).
Policies must reflect the delicate balance between the enhanced information security gained from following them versus productivity losses and user inconvenience. As security attacks become more sophisticated, obeying security measures to deflect those attacks places cognitive demands on users. For example, they may need a different password for every account, and these passwords must often be long and hard to remember because they must have special characters. Productivity of users is often sacrificed when they have to come up with new passwords every month or when they have to spend time judging the legitimacy of dozens of e-mails each day. Not surprisingly, both IT and business perspectives are important in setting policies. Business users must be able to say what they want from the information security program and how they expect the security function to support their business activities. On the other hand, IT leaders should be consulted for two reasons: (1) their judgment prevents unrealistic goals for standardization and integration, and (2) policy decisions require the ability to analyze the technical and security implications of user behaviors and business processes. If either users or IT leaders are not consulted, unenforceable policies will probably result.
4. Information security education, training, and awareness (SETA): It is very important to make business users aware of security policies and practices and to provide information security education, training, and awareness (SETA). Training and awareness programs build a security-conscious culture. To promote effectiveness and post-training retention, training and awareness
programs must be linked to the unique requirements of individual business processes. Business
user participation in planning and implementing training and awareness programs helps gain
acceptance of security initiatives. However, IT security personnel are in the best position to know critical issues. Thus, both IT security managers and business users must be actively involved in planning SETA activities.
5. Information security investments: The fear, uncertainty, and doubt ("FUD") factor once was all that was needed to get top management to invest in information security. As information security becomes a routine concern in daily operations, security managers increasingly must justify their budget requests financially.
But it is difficult to show how important security is until there has been a breach, and even then it is hard to put a dollar amount on the value of security. As when determining business needs, different units within the company may have rival or conflicting "wish lists" for information security-related purchases that benefit their unique needs. The IS organization also should have a significant say in these decisions because it is in the best position to assess whether and how the investments may fit with the company's current IT infrastructure and application portfolio. Thus, both IT and business leaders should participate in investment and prioritization decisions. One way to ensure this joint participation is to use executive committees/councils composed of business and IT executives, such as the IT steering committee and budget committee, with the CIO having overlapping memberships in both. These committees are where IT and business leaders make business cases for their proposed investments and debate the merit and priorities of the investments. These decisions about the appropriate level of investment are made with the company's best interests in mind.
Breaches and How They Occurred
In 2013 and 2014, before the Office of Personnel Management's attack, the most famous breaches infiltrated the systems at EBay (twice), Target, Home Depot, and Anthem Blue Cross. See Figure 7.2 for the magnitude and cause of each breach.
It is important to emphasize the damage that can be done by password breaches. As the following descriptions indicate, trusting and trustworthy users might have no idea they are opening a security hole by clicking on an attachment, using public WiFi, or following a link to an authentic-looking site. Executives should not believe that employees who use their personal laptops away from the office are harmless to the firm. When employees whose systems are infected log into work e-mail systems and intranets, a hacker can gain access to the firm.
60 Minutes reported in 2015 that 80% of breaches are conducted by stealing a password. There are many ways to steal a person's password. One common method is to conduct a successful phishing attack, which sends a person a counterfeit e-mail that purports to be from a known entity. The e-mail includes either a virus-laden

FIGURE 7.2 Magnitude and cause of each breach.

Target
Date Detected: November 2013
What Was Stolen: 40 million debit and credit card account numbers
Cause: Contractor's opening of an e-mail attachment containing a virus, revealing a password

EBay #1
What Was Stolen: 145 million user names, emails, physical addresses, phone numbers, birth dates, encrypted passwords
Cause: Obtaining an employee's password

EBay #2
Date Detected: September 2014
What Was Stolen: Small but unknown
Cause: Cross-site scripting

Home Depot
Date Detected: September 2014
What Was Stolen: 53 million e-mail addresses, 56 million credit card numbers
Cause: Obtaining a vendor's password and exploiting an operating system's vulnerability

Anthem Blue Cross
What Was Stolen: 80 million names, birthdays, emails, social security numbers, addresses, and employment data (including income)
Cause: Obtaining passwords of at least five high-level employees
Brian Krebs, "Target Hackers Broke in Via HVAC Company," Krebs on Security (February 14, 2014), a-hvac-company/ (accessed June 22, 2015).
Brian Krebs, "Home Depot: Hackers Stole 53M Email Addresses," Krebs on Security (November 14, 2014), hackers-stole-53memail-addresses/ (accessed June 28, 2015).
Andy Greenberg, "EBay Demonstrates How Not to Respond to a Huge Data Breach," Wired (May 23, 2014), how-not-to-respond-to-a-hugedata-breach/ (accessed June 22, 2015).
Ashley Carman, "Windows Vulnerability Identified as R...