Anderson School of Management University of New Mexico.


Trade offs in information security.

Finding the balance between efficiency and effectiveness.

Introduction

• What is information security?

• Why is information security important today?

• Does information security only apply to organizations?

• The history and evolution of information security.

History

• WWII – need for communication code breaking

• 1960’s – ARPANET program developed

• 1970’s & 80’s – development of MULTICS and the microprocessor

• 1990’s – Rise of the internet

• 2000 to Present – the internet now dominates every aspect of daily life

What is Information Security?

Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction.

Information security is the ongoing process of defending and maintaining our information system as individuals and organizations.

What is Information Security?

Information security ensures:

• Integrity

• Availability

• Accessibility

• Utility

• Confidentiality

Information System

• Hardware – routers, computers, servers, etc.

• Software – programs & operating system

• Network – LAN, WAN, Internet, etc.

• Data – stored, processed, communicated

• People

• Policy and procedures

What are we defending our information system from?

Threats and Attacks!!

• Deliberate software attacks
  – Malicious code, viruses, worms, Trojan horses, etc.

• Deviations in quality of service – denial of service attack

• Trespassing/Espionage – hackers

• Forces of Nature – fire, flood, or any natural disaster

• Human error/sabotage/vandalism

Target Data Breach

• Up to 70 million individuals’ personal information was stolen

• Names, addresses, phone numbers, credit card numbers

• Malicious software on system

• Extended credit monitoring and identity theft protection to all guests

NSA Data Breach

• Snowden accessed unauthorized data

• Released confidential information

• Internal breach – lack of policy and procedures, maybe poor oversight

Anonymous Hacking Group

• Attacks governments, businesses, nonprofits and anybody on their agenda

• Denial-of-service attacks

• Stolen data

• Lost revenues, reputation implications, service disruption, national security, etc.

Recent Threat and Attack Against APD By Anonymous

• Hacktivist group Anonymous had stated that they were going to attack APD’s online presence.

• Denial of Service Attack (shutting down their site for a few hours)

• Planned it for Sunday night (the least busy night)

• Stole data, including high-ranking APD officials’ home addresses, and released it to the public

• Incited protestors to take to the streets

Small Scale Attack

Survey Results

• Many had learned something about information security

• Most realize the importance of keeping passwords secure

• Many realize that there are online predators looking to get information and are good about not giving it out.

Speed VS Security

Network only as strong as its weakest link

Password Security

How are these machines used by Police in the field

BCSO

• Bernalillo County Sheriff's Office
  – What systems are they using?
  – What security measures are in place?
  – Are they achieving their information security goals?
  – What do users think of the measures?
  – Can they do something different?

• Deputies are Dispatched to calls through these machines

• The internal GPS relays their coordinates to dispatchers as well as giving them directions to calls

• Run plates through governmental sites

• Looking up individuals to see if they have outstanding warrants

• Write reports

What Security is in place

• Saved passwords to log onto a machine

• Verizon air card placed in a secure tunnel

• Dual authentication key generator

• Secure Virtual Private Network (VPN)

• Login to separate applications using other passwords

• Automatic logout times

Drawbacks

• Login time (3-5 min)

• The number of passwords

• With so many passwords, some can be forgotten

• Long login process can lead to accidentally making a mistake in the process and locking the user out

• Frustrated users

Thoughts?

• What do you think?

• Is it too much security, not enough?

Security Need

• Ability to see location of deputies and other first responders in live time

• Ability to access entire country’s network

• Mobility of laptop increases threat of unauthorized access due to theft or loss

• State and Federal guidelines require minimum security standards

Achieving the balance

• It is the job of everyone involved in information security to determine the trade offs

• Weigh the pros and cons and evaluate the importance of each

• The users and the system need to be evaluated together, to ensure that thorough analysis occurs. They should not be evaluated separately.

Large Scale Attack

Pop Quiz (5 Questions)