Ch.5 IT Security, Crime, Compliance, and Continuity Lecture 4.

Transcript of Ch.5 IT Security, Crime, Compliance, and Continuity Lecture 4.

Page 1: Ch.5 IT Security, Crime, Compliance, and Continuity Lecture 4.

Ch.5 It Security, Crime, Compliance, and Continuity

Lecture 4

Page 2.

5.1 Protecting Data and Business Operations

IT security: the protection of data, systems, networks, and operations.

Technology defenses are necessary, but they’re not sufficient, because protecting data and business operations also involves:

• Implementing and enforcing acceptable use policies (AUPs).

• Complying with government regulations and laws.

• Making data available 24x7 while restricting access.

• Promoting secure and legal sharing of information.

Page 3.

IT Security Principles

Page 4.

Know Your Enemy and Your Risks

• IT security risks are business risks

• Threats range from high-tech exploits used to gain access to a company’s networks to non-tech tactics such as stealing laptops or other items of value. Common examples:

– Malware (malicious software): viruses, worms, Trojan horses, spyware, and disruptive or destructive programs

– Insider error or action, either intentional or unintentional

– Fraud

– Fire, flood, or other natural disasters

Page 5.

IT at Work 5.1: $100 Million Data Breach

• May 2006: a laptop and external hard drive belonging to the U.S. Dept of Veterans Affairs (VA) were stolen during a home burglary.

• Data on 26.5 million veterans and spouses had been stored in plaintext.

• VA Secretary Jim Nicholson testified before Congress that it would cost at least $10 million just to inform veterans of the security breach.

• Total cost of data breach: $100 million

Page 6.

Risks

• Cloud computing

• Social networks

• Phishing

• Search engine manipulation

• Money laundering

• Organized crime

• Terrorist financing

Page 7.

IT Security Defense-in-Depth Model

Page 8.

5.2 IS Vulnerabilities and Threats

• Unintentional

– human error

– environmental hazards

– computer system failure

• Intentional

– hacking

– malware

– manipulation

Page 9.

Figure 5.4 How a computer virus can spread

Page 10.

Malware and Botnet Defenses

• Anti-virus software

• Firewalls

• Intrusion detection systems (IDS)

• Intrusion prevention systems (IPS)

Page 11.

5.4 IT and Network Security

Objectives of a defense strategy

1. Prevention and deterrence

2. Detection

3. Containment (minimize losses, damage control)

4. Recovery

5. Correction

6. Awareness and compliance

Page 12.

Major categories of general controls

• physical controls

• access controls

• biometric controls

• communication network controls

• administrative controls

• application controls

• endpoint security and control

Page 13.

Figure 5.7 Intelligent agents

Page 14.

5.5 Network Security

Figure 5.8 Three layers of network security measures

Page 15.

Ethical issues

• Implementing security programs raises many ethical issues.

• Handling the privacy versus security dilemma is tough.

• There are ethical and legal obligations that may require companies to “invade the privacy” of employees and monitor their actions.

• Under the doctrine of duty of care, senior managers and directors have an obligation to use reasonable care to protect the company’s business operations.
