1 IT Security and Privacy Eddie Meyer Scott Wibbenmeyer Chanchart Chanthanan Zhijing Fang ZongJun...

Post on 18-Dec-2015


IT Security

Information security is the process of protecting information systems and data from unauthorized access, use, disclosure, destruction, modification, or disruption. Information security is concerned with the confidentiality, integrity, and availability of data regardless of the form the data may take: electronic, print, or other forms.

http://en.wikipedia.org/wiki/It_security, viewed April 2nd, 2007

Overview

- Why is it important?
- Role of CSO
- Costs of IT Security
- Security Threats
- Practices to mitigate threats
- Case Study
- Case Study

Why is IT Security Important?

“Security breaches are as common in today’s business landscape as bad coffee and briefcases.”

Computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers.

An Introduction to Computer Security: The NIST Handbook, National Institute of Standards and Technology. U.S. Department of Commerce Special Publication 800-12

http://www.cio.com/article/28648/Data_Breaches_Preparation_Damage_Control_and_a_Recent_History, April 2, 2008

Why is IT Security Important?

46% of respondents said that their organization had experienced a security incident in 2007

Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

Trends in Information Security Breaches

Security is increasing as a top management concern.

Luftman, J., Kempaiah, R., and Nash, E., Key Issues for IT Executives 2005, MIS Quarterly Executive, Vol. 5, No. 2, June 2006, pp 81-99

Trends in Information Security Breaches

The percentage of companies with a written security policy has increased from 47% in 2004 to 62% in 2006.

http://http://www.industrialcontroldesignline.com/showArticle.jhtml;jsessionid=XDVFQM3C2DBASQSNDLOSKH0CJUNN2JVN?articleID=204200898&queryText=Written+Security+Policy/, viewed April 2, 2008

Trends in Information Security Breaches

Figure 2. Security breaches are getting more serious.

http://http://www.industrialcontroldesignline.com/showArticle.jhtml;jsessionid=XDVFQM3C2DBASQSNDLOSKH0CJUNN2JVN?articleID=204200898&queryText=Written+Security+Policy/, viewed April 2, 2008

Severity Level of Security Breaches

0-10 Scale of Severity

CSO

Chief Security Officer (CSO) is a corporation's top executive who is responsible for security. The CSO serves as the business leader responsible for the development, implementation and management of the organization’s corporate security vision, strategy and programs. They direct staff in identifying, developing, implementing and maintaining security processes across the organization to reduce risks, respond to incidents, and limit exposure to liability in all areas of financial, physical, and personal risk; establish appropriate standards and risk controls associated with intellectual property; and direct the establishment and implementation of policies and procedures related to data security.

http://en.wikipedia.org/wiki/Chief_Security_Officer, viewed April 2, 2008

Background of CSO

Most CSOs have an IT Background (63%)
Others: (37%)
- Corporate Security
- Military
- Law Enforcement
- Business Operations
- Audit

Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.

Role of CSO

Oversee a network of security directors and vendors who safeguard the company's assets, intellectual property, and computer systems, along with the physical safety of employees and visitors

Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.

http://images.google.com/imgres?imgurl=http://www.csointerchange.org/images/cso_interchange_logo.gif&imgrefurl=http://www.csointerchange.org/bios/bios-chicago-05/&h=93&w=303&sz=5&hl=en&start=19&um=1&tbnid=Zu6MFMM7sH-YvM:&tbnh=36&tbnw=116&prev=/images%3Fq%3Dcso%2BSymantec%2BCorporation%2B%26um%3D1%26hl%3Den, viewed April 10, 2008

Role of CSO (Cont’d)

Identify protection goals, objectives, and metrics consistent with corporate strategic plans

Manage the development and implementation of global security policy, standards, guidelines, and procedures to ensure ongoing maintenance of security

Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.

IT Security Costs

Average losses in 2007 were $345,000 per respondent

Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

IT Security Costs

The figure above shows the total losses as reported by the 2005 CSI/FBI Annual Computer Crime and Security Survey. http://www.acunetix.com/websitesecurity/web-hacking.htm, viewed March 27, 2008

IT Security Costs

Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

Are Costs equalizing?

IT Security Costs

What is the SINGLE greatest obstacle to achieving adequate infosecurity at your organization?

Information Security Magazine July 1999 - "Top Obstacle is Budget: What is the SINGLE greatest obstacle to achieving adequate infosecurity at your organization?"


Many types of threats exist.

Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

Types of Attacks or Abuse

Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007. PP 1-25.

Who is Attacking?

http://www.esecurityplanet.com/, Viewed April 2, 2008

2 Types of threats that can affect both Individual and Organizational Security:

1. Natural Threats - Weather, Deterioration, Accidents, etc.
2. Man Made Threats - Hacker, Spam, Phishing, Identity Theft, Terrorism

Natural Security Threats

Weather
Deterioration
Accidents

- Do you have backup data stored offsite?
- Do you have a plan?

Man Made Security Threats

Phishing
Identity Theft
Terrorism

What do you have in place to prevent these things from happening?

Man Made Security Threats

Phishing

An attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.

http://en.wikipedia.org/wiki/Phishing, viewed April 2, 2008

Risk of Phishing

According to the Kaspersky Lab, 45% of the online activity requires users to disclose personal or financial data.

The top online activities listed by home PC users that require the disclosure of personal information were banking (20%), shopping (15%), and travel booking (10%).

http://www.lexisnexis.com.ezproxy.umsl.edu, Inter Business News on Jan 9, 2007 View on Mar 3, 2008

Risk of Phishing

Presently, phishing threatens both business and personal transactions.

The main purpose of phishing is to steal financial data.

There were around 14,156 fake websites in 2006, an increase from 1,713 in 2005. (The Sun)

http://www.lexisnexis.com.ezproxy.umsl.edu, The Sun: Still @ IT on Oct 23, 2007 View on Mar 3, 2008

Risk of Phishing (Cont)

According to the Sun poll as of 2007, a third of internet users responded to emails they did not know.

15% thought a website was secure if it claimed to belong to a well-known company but were unable to distinguish a secure website from a fake one.

http://www.lexisnexis.com.ezproxy.umsl.edu, The Sun: Still @ IT on Oct 23, 2007, Viewed on Mar 3, 2008

Most Targeted Industry Sectors in December 2007

http://www.antiphishing.org, Phishing Activity Trends Report for 2007 by Anti-Phishing Working Group (APWG) viewed March 4, 2008

Financial services is the most targeted industry sector, accounting for 91.7% of all attacks recorded.

Top 10 Phishing Sites Hosting Countries

http://www.antiphishing.org, Phishing Activity Trends Report for 2007 by Anti-Phishing Working Group (APWG) viewed March 4, 2008

The United States ranks 1st among countries hosting phishing sites.

Example of the phishing

A real example happened to a UMSL email server recently.

The UMSL email server was attacked by a phishing email which claimed that it came from the Central Bank

Example of the phishing (Con’t)

http://www.centralbank.net7idpersonalbanking-secure-survey-id-58274.28secure.net.jikao.com.tw/.https://www.centralbank.net/
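The link on this slide, checked the way a mail filter or a careful reader can check it (an added example, not part of the original presentation): a host name is read from right to left, so the domain that was actually registered is jikao.com.tw, and the centralbank.net text at the front and in the path is decoration. The function names, finding labels and the small suffix set are assumptions made for this example; a real check would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# The link from the slide above, copied unchanged.
PHISH_URL = ("http://www.centralbank.net7idpersonalbanking-secure-survey-id-58274"
             ".28secure.net.jikao.com.tw/.https://www.centralbank.net/")

# Constructed subset of two-label public suffixes (assumption for this
# example; a real check would load the full Public Suffix List).
TWO_LABEL_SUFFIXES = {"com.tw", "co.uk", "com.au"}


def registrable_domain(host):
    """Return the part of a host name that someone had to register."""
    labels = host.lower().rstrip(".").split(".")
    # Under a two-label suffix such as com.tw the registered name is the
    # last three labels; otherwise it is the last two.
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_link(url, trusted_domain):
    """Compare where a link really goes with the domain it claims to be."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    trusted = trusted_domain.lower()
    brand = trusted.split(".")[0]          # "centralbank" for centralbank.net
    reg = registrable_domain(host)

    findings = []
    if parts.scheme != "https":
        findings.append("not_https")
    if reg != trusted:
        findings.append("registrable_domain_mismatch")
        # The trusted brand used as a subdomain label of another domain.
        if brand in host.split("."):
            findings.append("brand_label_in_subdomain")
        # The trusted domain pasted into the path or query to look familiar.
        if trusted in (parts.path + "?" + parts.query).lower():
            findings.append("trusted_domain_in_path")
    return {"host": host, "registrable_domain": reg, "findings": findings}


if __name__ == "__main__":
    for link in (PHISH_URL, "https://www.centralbank.net/"):
        result = analyze_link(link, "centralbank.net")
        print(result["registrable_domain"], result["findings"])
```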

Some Tips to avoid risk of phishing

- Do not complete a form in an e-mail message that asks you for personal information
- Enter personal information only at a secure website (https)
- Avoid clicking the link in the e-mail message
- Never type PIN or secret data via e-mail

Man Made Security Threats

Identity Theft

Crimes involving illegal usage of another individual's identity. The most common form of identity theft is credit card fraud. While the term is relatively new, the practice of stealing money or getting other benefits by pretending to be a different person is thousands of years old.

http://en.wikipedia.org/wiki/Identity_Theft, Viewed April 2, 2008

Types/Cost of Identity theft

Crimes involving illegal usage of another individual's identity

Types:
- Financial Identity Theft (using another's identity to obtain goods and services)
- Criminal Identity Theft (posing as another when apprehended for a crime)
- Identity Cloning (using another's information to assume his or her identity in daily life)
- Business/Commercial Identity Theft (using another's business name to obtain credit)

“Identity Theft by Victims Age”. Identity Theft Data Clearinghouse. May 12 2006. PP 2-32.

Man Made Security Threats

Terrorism

Those acts which are intended to create fear (terror), are perpetrated for an ideological goal and by a member or members of a group (as opposed to being carried out in a lone attack), and which deliberately target, or else disregard the safety of, non-combatants (civilians).

http://en.wikipedia.org/wiki/Terrorism, Viewed 4/02/2008

Threat Assessment

You can look at threat assessment two ways:

Qualitative – an “educated best guess” based on opinions of knowledgeable others gained through interviews, history, tests, and personal experience

Quantitative – uses statistical sampling based on mathematical computations determining the probability of an occurrence based on historical data

Kovacich, Gerald L., Information Systems Security Officer’s Guide: Butterworth Heinemann, 2003.

Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

Security Audits were 63% useful in evaluating the effectiveness of security technology

Insurance Policies

Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

Practices to Mitigate Threats

- Biometric Security
- Intrusion Prevention System

Biometric Security

Use computerized method to identify a person by their unique physical or behavioral characteristics

Provide extremely accurate and secure access to information

http://news.bbc.co.uk/2/shared/spl/hi/guides/456900/456993/html/default.stm, Biometric Technology. BBC News. March 4, 2008. http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=10, Biometric Technology Overview. March 4, 2008.

Example of Biometric

Fingerprint Identification – the process of automatically matching one or more unknown fingerprints against a database of known and unknown patterns

Iris Scan - provides an analysis of the rings, furrows, and freckles in the colored ring which surrounds the pupil of the eye

http://news.bbc.co.uk/2/shared/spl/hi/guides/456900/456993/html/default.stm
http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=10
http://en.wikipedia.org/wiki/Biometric

Intrusion Prevention System

Next Generation Firewall

It is a computer security device that monitors network and system activities for malicious or unwanted behavior and can react in real-time

http://en.wikipedia.org/wiki/Intrusion_Prevention_System


Washington Mutual Phishing Case

Washington Mutual Overview

Founded in 1889

Retailer of financial services
- Mortgage Lending
- Commercial Banking
- Other Financial Services

CIO - Debora D. Horvath

Prior to joining WaMu, she served as senior vice president and CIO for Richmond, Virginia-based GE Insurance. There, she led a global information technology organization with a $500 million budget.

Assets of 333.62 billion

More than 2,400 Retail Banking

Source:
http://www.rsa.com/press_release.aspx?id=6801, viewed April 10, 2008
http://www.wamu.com/business/default.asp, viewed April 11th, 2008

Phishing trip: Washington Mutual

http://www.infectionvectors.com/library/phishing_trip_wamu-iv.pdf, viewed April 10, 2008

Current Practice of Online Banking Security

Washington Mutual further protects its online users with multi-factor authentication solution

http://www.wamu.com/business/default.asp

RSA Cyota Consumer Solutions

RSA Cyota Consumer Solutions, a division of RSA Security Inc., offers proven solutions for online banking and e-commerce that range from adaptive authentication – with risk-based technology, one-time-passwords and transaction-signing – to anti-phishing services and real-time transaction monitoring that controls fraud and manages risk.

The company’s eFraudNetwork™ community is the world’s most effective cross-bank collaborative online fraud network. Today, many of the world’s top 50 banks, including nine of the top 12 banks in North America and the UK, use RSA Cyota solutions to protect approximately 430 million consumers.

http://www.baselinemag.com/c/a/Projects-Security/Security-Case-Washington-Mutual-Gets-a-Line-on-Phishing/


Authentication

"Washington Mutual is once again taking a proactive approach to protecting our customers by securing their accounts and personal information with superior, flexible, cutting-edge technology. By doing so, Washington Mutual customers will continue to benefit from the convenience and ease of online banking with the utmost confidence," said Dave Cullinane, chief information security officer at Washington Mutual and International President of the Information Systems Security Association.

Washington Mutual’s enhanced security will analyze every online login and transaction behind the scenes and score the potential risk based on a broad range of criteria, including the user’s IP address, geographic location, prior transaction behaviors and much more. When a potential risky situation is detected, it can invoke additional authentication methods in real-time. In addition, because online fraud crosses international boundaries, WaMu is further protecting its customers by joining a real-time world-wide fraud detection network.

http://www.baselinemag.com/c/a/Projects-Security/Security-Case-Washington-Mutual-Gets-a-Line-on-Phishing/

Case Study:

What is Ameren?

Company Overview

- Provide energy to approximately 2.4 million electric customers and nearly 1 million gas customers in IL and MO.
- Ameren created via mergers.
  - Union Electric (UE)
  - Central IL Public Service Co. (CIPSCO)
  - Central IL Light Co. (CILCO)
  - Illinois Power (IP)
- Headquarters in St. Louis, MO
- 9,000 employees

http://www.ameren.com/AboutUs/ADC_AU_FactSheet.pdf, viewed March 28, 2008

Ameren Organizational Chart

[Organizational chart. Boxes shown: CEO Ameren; CEO Ameren Services; Other CEO’s; Other VP’s; Sr. VP Admin; VP Info Technology; Manager IT Security and Planning; Other Directors and Managers; Supv IT Financial Planning; Supv IT Infrastructure; Account Consultants; Managing Supv IT Security & Plan; IT Security Analyst, Architects, Engineers]

http://scholar/orgchart/ChartApp.aspx?defaultredirect=true&action=viewinorgchart&key=19721, March 20, 2008

Security IT Background

- 530 IT employees
- 5 Full time employees for information security.
- IT security budget is 1% of annual IT Budget
  - 600K O&M
  - 400K Capital
- 1 manager type, 6 supervisors, 3 account consultants
- 30 technical architects, engineers, analysts.

Linda Nappier, Manager IT Security – Planning, Interview with Scott Wibbenmeyer, April 10, 2008

http://scholar/orgchart/ChartApp.aspx?defaultredirect=true&action=viewinorgchart&key=19721, March 20, 2008

Linda Nappier, Manager IT Security – Planning, Interview with Scott Wibbenmeyer, April 10, 2008

Top Security Risk

1. Data loss (Customer and Corporate) – Image

2. Viruses

3. External Attacks (firewall attacks)

4. Internal Attacks (email virus, spam, bots)

5. Phishing – Social Engineering

Mark Habrock and Edmond Rogers, Security Analyst, Interviewed in person by Scott J. Wibbenmeyer, April 8, 2008

IT Security Technologies

- Access Control Systems
- Physical Security
  - Enterprise Security Management System
  - Card readers limiting access to hardware rooms and security personnel.
- Data Security
  - Access Policy
  - Network Access Control Software
  - Limiting access to software and networks on an as-needed basis.
  - Disabling Bluetooth capabilities on Ameren equipment (i.e. cell phones)

Mark Habrock and Edmond Rogers, Security Analyst, Interviewed in person by Scott J. Wibbenmeyer, April 8, 2008

IT Security Technologies

- Firewalls
- Intrusion Detection System (IDS)
- Over 1 million attacks against firewall a year
- 24 hr personnel monitoring of Firewall
- 6000 firewall rules
- Monitors IP address of attack

Mark Habrock and Edmond Rogers, Security Analyst, Interviewed in person by Scott J. Wibbenmeyer, April 8, 2008

IT Security Technologies

- Two Factor Authentication – Tokens & Passwords
  - RSA SecurID Token
- Anti-Virus Software
  - Symantec
  - Email is evaluated by Symantec off-site
- Network Pattern Software
  - Monitors usage patterns of network

Mark Habrock and Edmond Rogers, Security Analyst, Interviewed in person by Scott J. Wibbenmeyer, April 8, 2008

IT Security Technologies

- Anti-Spam Software
  - Frontbridge – relay service
  - Personnel updating trigger points.
  - Over 4.3 million spam emails blocked a day
- Policies
  - Remote Access
  - Internet Usage - Websense
  - Equipment Procurement
  - Communication Policy
  - Disaster Recovery Policy
  - Audit Policy

Mark Habrock and Edmond Rogers, Security Analyst, Interviewed in person by Scott J. Wibbenmeyer, April 8, 2008

Walk Away Today Safer - Quick Summary

- Protect your personal information. It's valuable.
- Don’t cut Security to save money.
- Use antivirus and personal firewall software and update both regularly.
- Be sure to set up your operating system, Network and Web browser software properly, and update them regularly.
- Protect your passwords.
- Back up important files.
- Learn who to contact if something goes wrong online.

?? Questions ??
