Managing and using information system.pdf - Chapter 7...


Chapter 7

Information technology (IT) security is one of the top issues of concern to businesses: hacked systems or stolen data can put a company out of business. General managers must understand the basics to ensure continuance of operations. This chapter explores managing security in five areas: strategy, infrastructure, policies, training, and investments. Lessons from some of the largest and most well-known breaches are covered, as well as how they occurred according to security experts. The chapter also discusses common tools that aim to secure access, data storage, and data transmission to prevent these breaches, and their advantages and disadvantages. Policies general managers can implement to decrease the risk of security issues and economic damage are presented, followed by a discussion of education, training, and awareness issues.

During lunchtime on June 6, 2015, a white van pulled in front of the U.S. Office of Personnel Management in Washington, D.C. A team of three expert hackers entered the front door, displaying the credentials of three janitors who were bound and gagged back at their office. As the hackers stood at a supply room door next to a highly secure server room, the target of their attack, one feigned having to crouch to tie his shoe, the other two stood in the way of the security cameras, and the crouching bandit used a lock-picking tool to gain access to the supply room. They figured they had only a few minutes to clip a monitoring device to the network wires that led to the servers containing security clearance information for millions of employees and past employees. The device monitored electrical activity right through the insulation and transmitted it to the van. The hackers closed and relocked the supply room door, exited the building, and re-entered the van just as the clock struck 1 PM. The tallest of the three declared "Right on schedule!" and set a timer for 10 minutes.
He tuned his laptop into the monitoring device and the other two did the same. They watched communications to and from the server, waiting for an employee, any employee, returning from lunch to log in. Monitoring was risky due to random sweeps for rogue wireless connections, so after 10 minutes they would abort the mission. The three typed frantically at their keyboards, but nothing seemed to work for several agonizing minutes. Ten seconds before their time was up, one of the perpetrators hastily wrote some computer code and then smiled. He was just in time to reveal a log-in conversation complete with password. The hackers set the timer for another 10 minutes, which they had budgeted for the next phase. The hackers searched frantically for large files that might contain the security clearance information they were hired to obtain. One of them found a large file called "SecurClearRecs," and the three cursed when they saw that the file was larger than anticipated. They immediately typed commands to upload the file through the Internet to a server in Shanghai, China. They kept one eye on the building and the other eye on the red "progress bar" that indicated "5% complete" for 20 full seconds before it changed to "10% complete." The time required for each 5% seemed to vary widely: moving from 15% to 20% took almost an entire minute. They realized it would take the entire 10 minutes they had allocated or more. They could almost hear their own pulses pounding as they anticipated the million-dollar reward that awaited them if they were successful, but also dreaded the fact that their overall budgeted 20 minutes might not be quite enough. Maybe they could chance it and go just a little longer. A few terror-filled minutes past the budgeted 20 minutes, at 90% complete, they saw a guard step outside of the building and point at the van. Another officer joined him, and the pair started walking cautiously toward the van, one of them trying to talk into his radio.
The hackers had wisely jammed police channel communications and flattened the patrol cars' tires, but they wanted to avoid physical contact as much as possible. Trouble was certain to loom ahead; one of the officers turned to run back to the building. The tallest hacker jumped into the driver's seat and started the van. The hackers looked down at the progress bar, which said "99% complete" just as an alarm sounded. The remaining guard began running to the van. Four flat tires would mean a 10-minute delay waiting for another officer. They waited for "100% complete" and then screeched away to a secluded clearing one-half mile away in the woods where a blue turbocharged Hyundai Sonata awaited them. They pushed a red "self-destruct" button in the van to start a timer, jumped in the Hyundai, and sped down back roads as distant sirens blared and the van exploded. Two weeks later, on June 20, 2015, an article in Computerworld stated that "The U.S. government still isn't saying how much data it fears was stolen."

This story is notable for two reasons: (1) It is exactly the type of story that we would all imagine when hearing about data breaches, largely thanks to big-budget Hollywood movies. However, (2) the story is almost completely false; the only true parts are that a large number of private security clearance files were indeed stolen from the Office of Personnel Management, and the June 20 article in Computerworld did display the preceding quote. If managers expect only such "urgent and frantic" physical attacks, they will focus their attention on the wrong kind of threat. It is important to learn the true story of this very real breach. Governmental officials learned in May 2015 that at least 4 million records likely had been stolen several months earlier.
Subsequent estimates placed the number at 14 million records.2 The records contained much more than names, addresses, and social security numbers of current and former employees, possibly as far back as the 1980s. The 127-page dossier for each person also included information on alcohol and drug use; financial, psychological, employment, and criminal history; as well as sensitive personal information about contacts and relatives. There were even comments from acquaintances, which could include neighbors, enemies, and potential enemies of each person. In short, according to the International Business Times, the stolen information was "invasive enough to ruin potentially millions of American lives."4 As a consequence, the Chairman of the U.S. House Oversight Committee asked for the resignation of the person in charge, the Director of the Office of Personnel Management.

In reality, the following important issues are true for this case as well as many others:

1. The hackers were far away and did not need any physical contact or any escape plan.
2. They were able to spend an extended period of time (possibly over a year) to carry out their attack.
3. It took the victim organization months to discover the breach, which enabled the hackers to cover their tracks. In fact, a 2015 report from consulting firm Mandiant revealed that the median time it took in 2014 for firms to detect a threat group's presence was 205 days, and the maximum was a whopping 2,982 days (11 years).7
4. The hackers exploited a stolen password, likely obtained by various means described later in this chapter.

1 O'Connor, Fred, "Hackers Had Access to Security Clearance Data for a Year," Computerworld (June 20, 2015), article/2938654/cybercrime-hacking/hackershad-access-to-security-clearance-data-for-a-year.html (last accessed June 22, 2015).
2 Kim Zetter and Andy Greenberg, "Why the OPM Breach Is Such a Security and Privacy Debacle," Wired (June 11, 2015), com/2015/06/opm-breach-security-privacy-debacle/ (accessed June 22, 2015).
3 Ibid.
4 Jeff Stone, "Hacked US Security Clearances Are Giving Beijing Insanely Personal Information about American Citizens" (June 12, 2015), ibtimes.com/hacked-us-securityclearances-are-giving-beijing-insanely-personal-information-about-1964882 (last accessed August 25, 2015).
5 Erin Kelly, "House Oversight to OPM Chief: 'Time for You to Go,'" In Brief (June 26, 2015), 2A.
6 "Blackmail Looms after Government Cyber Breaches," WND.com (June 13, 2015), cyber-breaches/ (accessed June 22, 2015).
7 "M-Trends: A View fr

Many other firms have been victimized, and hundreds of millions of records filled with personal information have been stolen just over the last two years. Security consulting firm FireEye estimates that 97% of all firms have been breached. Managers must understand how large breaches occur to clarify the picture of what is going on out in the wild frontier and to protect their own company from similar fates. Only when threats are more fully understood can management begin to formulate and implement effective security plans.

IT Security Decision Framework

The first step on the road to an effective security plan is for management to adopt a broad view of security. This can be done by establishing an information security strategy and then putting the infrastructure (tools) and policies (tactics) in place that can help the organization realize its strategy. To round out the picture, users need to become familiar with security, and investments need to be made. The whole security picture can be reflected in five key security decisions. Understanding these decisions and who is responsible for them (that is, who has decision rights for them) is presented in Figure 7.1. We introduced decision rights in Chapter 3, and we use the concept to illustrate the appropriate roles of business and IT managers in making a company's security decisions.
FIGURE 7.1 Key information security decisions.

Security Strategy
  Who is responsible: Business leaders
  Rationale: Business leaders have the knowledge of the company's strategies on which security strategy should be based. No detailed technical knowledge is required.
  Major symptoms of improper decision rights allocation: Security is an afterthought and patched on to processes and products.

Infrastructure
  Who is responsible: IT leaders (CISO)
  Rationale: In-depth technical knowledge and expertise are needed.
  Major symptoms of improper decision rights allocation: There is a misspecification of security and network topologies or a misconfiguration of infrastructure. Technical security control is ineffective.

Security Policy
  Who is responsible: Shared: IT and business leaders
  Rationale: Technical and security implications of behaviors and processes need to be analyzed, and trade-offs between security and productivity need to be made. The particulars of a company's IT infrastructure need to be known.
  Major symptoms of improper decision rights allocation: Security policies are written based on theory and generic templates. They are unenforceable due to a misfit with the company's specific IT infrastructure and users.

Security Education, Training, and Awareness
  Who is responsible: Shared: IT and business leaders
  Rationale: Business buy-in and understanding are needed to design programs. Technical expertise and knowledge of critical security issues are needed to build them.
  Major symptoms of improper decision rights allocation: Users are insufficiently trained, bypass security measures, or do not know how to react properly when security breaches occur.

Investments
  Who is responsible: Shared: IT and business leaders
  Rationale: They require financial (quantitative) and qualitative evaluation of business impacts of security investments. A business case has to be presented for rivaling projects. Infrastructure impacts of funding decisions need to be evaluated.
  Major symptoms of improper decision rights allocation: Under- or overinvestment in information security occurs. The human or technical security resources are insufficient or wasted.

Sources: Adapted from Yu Wu, "What Color is Your Archetype? Governance Patterns for Information Security" (Ph.D. Dissertation, University of Central Florida, 2007); Yu Wu and Carol Saunders, "Governing Information Security: Governance Domains and Decision Rights Allocation Patterns," Information Resources Management Journal 24, no. 1 (January-March 2011): 28-45.

8 Bill Whitaker, "What Happens When You Swipe Your Card?" 60 Minutes (November 30, 2014), transcript, your-credit-card-and-hacking-andcybercrime/ (accessed June 24, 2015).

1. Information security strategy: A company's information security strategy is based on such IT principles as protecting the confidentiality of customer information, strict compliance with regulations, and maintaining a security baseline that is above the industry benchmark. Security strategy is not a technical decision. Rather, it should reflect the company's mission, overall strategy, business model, and business environment. Deciding on the security strategy requires decision makers who are knowledgeable about the company's strategy and management systems. An organization's information systems (IS) likely need to provide the required technical input for supporting the decision.

2. Information security infrastructure: Information security infrastructure decisions involve selecting and configuring the right tools. Common objectives are to achieve consistency in protection, economies of scale, and synergy among the components. Top business executives typically lack the experience or expertise to make these decisions. For these reasons, corporate IT typically is responsible for managing the dedicated security mechanisms and general IT infrastructure, such as enterprise network devices. Thus, corporate IT should take the lead and make sure that the technology tools in the infrastructure are correctly specified and configured.

3. Information security policy: Security policies encourage standardization and integration.
Following best practices, they broadly define the scope of and overall expectations for the company's information security program. From these security policies, lower-level tactics are developed to control specific security areas (e.g., Internet use, access control) and/or individual applications (e.g., payroll systems, telecom systems). Policies must reflect the delicate balance between the enhanced information security gained from following them versus productivity losses and user inconvenience. As security attacks become more sophisticated, obeying security measures to deflect those attacks places cognitive demands on users. For example, they may need a different password for every account, and these passwords must often be long and hard to remember because they must have special characters. Productivity of users is often sacrificed when they have to come up with new passwords every month or when they have to spend time judging the legitimacy of dozens of e-mails each day. Not surprisingly, both IT and business perspectives are important in setting policies. Business users must be able to say what they want from the information security program and how they expect the security function to support their business activities. On the other hand, IT leaders should be consulted for two reasons: (1) their judgment prevents unrealistic goals for standardization and integration, and (2) policy decisions require the ability to analyze the technical and security implications of user behaviors and business processes. If either users or IT leaders are not consulted, unenforceable policies will probably result.

4. Information security education, training, and awareness (SETA): It is very important to make business users aware of security policies and practices and to provide information security education, training, and awareness (SETA). Training and awareness programs build a security-conscious culture.
To promote effectiveness and post-training retention, training and awareness programs must be linked to the unique requirements of individual business processes. Business user participation in planning and implementing training and awareness programs helps gain acceptance of security initiatives. However, IT security personnel are in the best position to know critical issues. Thus, both IT security managers and business users must be actively involved in planning SETA activities.

5. Information security investments: The fear, uncertainty, and doubt ("FUD") factor once was all that was needed to get top management to invest in information security. As information security becomes a routine concern in daily operations, security managers increasingly must justify their budget requests financially. But it is difficult to show how important security is until there has been a breach, and even then it is hard to put a dollar amount on the value of security. As when determining business needs, different units within the company may have rival or conflicting "wish lists" for information security-related purchases that benefit their unique needs. The IS organization also should have a significant say in these decisions because it is in the best position to assess whether and how the investments may fit with the company's current IT infrastructure and application portfolio. Thus, both IT and business leaders should participate in investment and prioritization decisions. One way to ensure this joint participation is to use executive committees/councils composed of business and IT executives, such as the IT steering committee and budget committee, with the CIO having overlapping memberships in both. These committees are where IT and business leaders make business cases for their proposed investments and debate the merit and priorities of the investments. These decisions about the appropriate level of investment are made with the company's best interests in mind.
Breaches and How They Occurred

In 2013 and 2014, before the Office of Personnel Management's attack, the most famous breaches infiltrated the systems at EBay (twice), Target, Home Depot, and Anthem Blue Cross. See Figure 7.2 for the magnitude and cause of each breach.

Password Breaches

It is important to emphasize the damage that can be done by password breaches. As the following descriptions indicate, trusting and trustworthy users might have no idea they are opening a security hole by clicking on an attachment, using public WiFi, or following a link to an authentic-looking site. Executives should not believe that employees who use their personal laptops away from the office are harmless to the firm. When employees whose systems are infected log into work e-mail systems and intranets, a hacker can gain access to the firm. 60 Minutes reported in 2015 that 80% of breaches are conducted by stealing a password.8 There are many ways to steal a person's password. One common method is to conduct a successful phishing attack, which sends a person a counterfeit e-mail that purports to be from a known entity. The e-mail includes either a virus-laden

FIGURE 7.2

Target
  Date detected: November 2013
  What was stolen: 40 million debit and credit card account numbers
  How: Contractor's opening of an e-mail attachment containing a virus, revealing a password

EBay #1
  Date detected: May 2014
  What was stolen: 145 million user names, emails, physical addresses, phone numbers, birth dates, encrypted passwords
  How: Obtaining an employee's password

EBay #2
  Date detected: September 2014
  What was stolen: Small but unknown
  How: Cross-site scripting

Home Depot
  Date detected: September 2014
  What was stolen: 56 million credit card numbers; 53 million e-mail addresses
  How: Obtaining a vendor's password and exploiting an operating system's vulnerability

Anthem Blue Cross
  Date detected: January 2015
  What was stolen: 80 million names, birthdays, emails, social security numbers, addresses, and employment data (including income)
  How: Obtaining passwords of at least five high-level employees

Sources: Brian Krebs, "Target Hackers Broke in Via HVAC Company," Krebs on Security (February 14, 2014), a-hvac-company/ (accessed June 22, 2015); Brian Krebs, "Home Depot: Hackers Stole 53M Email Addresses," Krebs on Security (November 14, 2014), hackers-stole-53memail-addresses/ (accessed June 28, 2015); Andy Greenberg, "EBay Demonstrates How Not to Respond to a Huge Data Breach," Wired (May 23, 2014), how-not-to-respond-to-a-hugedata-breach/ (accessed June 22, 2015); Bill Whitaker, "What Happens When You Swipe Your Card?" 60 Minutes (November 30, 2014), transcript, ard-and-hacking-andcybercrime/ (accessed June 24, 2015); Ashley Carman, "Windows Vulnerability Identified as R...
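The indicators the chapter names above (a sender that only purports to be a known entity, a link to an authentic-looking site, a virus-laden attachment) can be screened for mechanically before a user has to judge the e-mail's legitimacy. The following is an added example, not code from the textbook: it parses a raw e-mail, checks the display name and link text against the real sender domain and link target, and flags executable attachments; the two sample messages and the KNOWN_SENDERS allow list are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Assumed allow list: domains the organization legitimately receives mail from.
KNOWN_SENDERS = {"example-bank.com", "corp.example"}
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".vbs", ".docm")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registrable(host: str) -> str:
    # Crude registrable domain: the last two labels of a host name.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw: str) -> list[str]:
    # Return the indicators found in one RFC 822 message; empty list means none.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    if sender_domain not in KNOWN_SENDERS:
        findings.append(f"sender domain {sender_domain!r} is not on the allow list")
    # Display name that names a domain the actual address does not belong to.
    claimed = DOMAIN_RE.search(name)
    if claimed and registrable(claimed.group(1)) != sender_domain:
        findings.append(f"display name claims {claimed.group(1)} but address is {addr}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment {fname}")
        if part.get_content_type() != "text/html":
            continue
        # Visible link text naming one site while the href goes somewhere else.
        for href, text in ANCHOR_RE.findall(part.get_content()):
            shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
            host = urlparse(href).hostname or ""
            if shown and registrable(shown.group(1)) != registrable(host):
                findings.append(f"link text shows {shown.group(1)} but goes to {host}")
    return findings


# Constructed sample: a counterfeit notice imitating the allow-listed bank.
PHISH = """From: "Example-Bank.com Security" <alerts@example-bank-login.net>
Content-Type: text/html

<p>Sign in at <a href="http://203.0.113.10/login">https://example-bank.com/login</a></p>
"""

# Constructed sample: a genuine notice from the allow-listed domain.
LEGIT = """From: "Example Bank" <alerts@example-bank.com>
Content-Type: text/html

<p>See <a href="https://www.example-bank.com/statements">example-bank.com/statements</a></p>
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH))
    print("legit:", phishing_indicators(LEGIT))
```

The checks are heuristics for triage, not proof: a message with no findings still came from outside the allow list only if the list is maintained, and the display-name check only fires when the name itself contains a domain.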