Page 1: Information Security: The Management Perspective

Carnegie Mellon University ©2006 - 2011 Robert T. Monroe 70-451 Management Information Systems

Information Security: The Management Perspective

70-451 Management Information Systems
Robert Monroe

November 20, 2011

Page 2: Information Security: The Management Perspective

Quiz

1. True or false: according to today’s article, information security management decisions are best left to IT specialists because they are the ones who deeply understand the technologies in use.

2. True or false: according to today’s article, the first step in IS security is to identify your company’s key digital assets and prioritize their importance.

3. Name one type of information security threat discussed in today’s article.

Page 3: Information Security: The Management Perspective

Goals For Today

By the end of today's class you should be able to:

– Explain why information security is a management issue first and a technology issue second.

– Apply simple risk management techniques and frameworks to uncover the largest information security risks in an organization, and to focus your information security resources appropriately.

– Evaluate the information security technologies and techniques we will cover in Tuesday's class in both a management and a technical context.

Page 4: Information Security: The Management Perspective

Think Like A Thief…

• You are in charge of information security at Q-Tel

• What kinds of information security threats should you worry about?
  – What information would be very damaging if compromised or released?
  – Who might be interested in disrupting Q-Tel’s systems, and why?
  – Who might be interested in covertly destroying the integrity of Q-Tel’s systems?

• Flip the roles: now you are a thief. How might you:
  – Retrieve important confidential information?
  – Disrupt their systems?
  – Destroy the integrity of their systems for fun or profit?

• To secure systems, you have to think like the bad guys

Page 5: Information Security: The Management Perspective

Information Security Matters To Businesses

• Because your customers are concerned about it
• Potential for direct financial losses (such as fraud)
• Potential for indirect financial losses (such as loss of customers, cost to recover after an attack, etc.)
• Legal liability – civil and criminal
• Ethical issues

Page 6: Information Security: The Management Perspective

What Is Information Security?

• Information Security: The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.

• U.S. National Information Systems Security Glossary, via Wikipedia

[Diagram: Information Security in relation to Computer Security, Data Security, Physical Security and Network Security]

Page 7: Information Security: The Management Perspective

Some Questions To Consider:

• How do you measure security?

• How do you know if your information systems are secure?

• Is security always important in an information system?
  – Why?
  – If it is important, is it always critical?
  – Would you ever be willing to use an ‘insecure’ system?

Page 8: Information Security: The Management Perspective

CIA – Three Fundamental Information Security Goals

• Confidentiality
  – Only users authorized to access a specific piece of information may do so

• Integrity
  – Only users authorized to modify or delete a specific piece of information may do so

• Availability
  – When an authorized user wants to access some information, that information needs to be available

Page 9: Information Security: The Management Perspective

Additional Information Security Goals

• Authentication
  – Ensure that the person or machine making a request is actually who they claim to be

• Non-repudiation
  – Ensure that once a transaction has been completed it is possible to prove that both sides participated in it as recorded

• Audit trail
  – Leave a record of all important transactions, data accesses, or data modifications on a system
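Added example (not from the slides): the integrity and audit-trail goals above, shown as a small tamper-evident audit log in Python. Each record is chained to the one before it with an HMAC, so editing, deleting or reordering earlier records breaks the chain, and keeping the latest MAC somewhere the log writer cannot reach also catches truncation. The key name, the log entries and the verification API are all assumptions made for this illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical key for this example only. In a real deployment it is held by
# the audit service (or an HSM), not by the administrators whose actions are logged.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # stand-in "previous MAC" for the first entry


def _entry_mac(key: bytes, prev_mac: str, body: dict) -> str:
    """MAC over the previous entry's MAC plus this entry's canonical JSON."""
    payload = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, actor: str, action: str, record: str) -> dict:
    """Append one audit record, chained to the entry before it."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "actor": actor, "action": action, "record": record}
    entry["mac"] = _entry_mac(key, prev_mac, entry)
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes, expected_head: Optional[str] = None) -> int:
    """Return -1 if the chain verifies, otherwise the index of the first bad entry.

    If expected_head (the last MAC, stored outside the log) is given, a log
    that has had its tail cut off is reported at index len(log).
    """
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if entry.get("seq") != i or not hmac.compare_digest(
            _entry_mac(key, prev_mac, body), entry["mac"]
        ):
            return i
        prev_mac = entry["mac"]
    if expected_head is not None and prev_mac != expected_head:
        return len(log)
    return -1


def demo() -> tuple:
    """Constructed log: checked intact, after an edit, and after truncation."""
    log: list = []
    append_entry(log, AUDIT_KEY, "alice", "read", "customer/1042")
    append_entry(log, AUDIT_KEY, "bob", "update", "payroll/2291")
    append_entry(log, AUDIT_KEY, "alice", "delete", "customer/1042")
    head = log[-1]["mac"]  # anchor the head MAC outside the log

    intact = verify_log(log, AUDIT_KEY, head)               # -1: chain is good

    edited = [dict(e) for e in log]
    edited[1]["actor"] = "alice"                            # rewrite who changed payroll
    edited_at = verify_log(edited, AUDIT_KEY, head)         # 1: first bad entry

    truncated = log[:-1]                                    # drop the delete record
    truncated_at = verify_log(truncated, AUDIT_KEY, head)   # 2: tail is missing
    return intact, edited_at, truncated_at


if __name__ == "__main__":
    print(demo())
```

The chain gives integrity and an audit trail, not non-repudiation: whoever holds AUDIT_KEY can rebuild the whole chain, so the key must be kept from the people whose actions are being logged, and proving that a specific party acted requires each party to sign its own records with a key only it holds.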

Page 10: Information Security: The Management Perspective

Information Security Threats

Page 11: Information Security: The Management Perspective

Common Information Security Threats

• Exposure of confidential data
• Loss or destruction of data
• Changes to data
• Destruction or disabling of IT infrastructure
  – Immediately, or in the future with ‘time bombs’
  – By denying legitimate access to systems
• Fraud
• Breaches of privacy

• This is an incomplete list…

Page 12: Information Security: The Management Perspective

Threat – Denial of Service Network Attacks (DoS)

• Overwhelm servers with massive quantities of requests over the network

• Net effect – access denied (busy signal) to legitimate users
• High frequency, low damage

[Diagram: Attacker sends a flood of requests through the firewall to the server; the legitimate user is denied]

Page 13: Information Security: The Management Perspective

Threat – Distributed DoS Attacks (DDoS)

• Much like DoS, except the requests are sent from many (thousands or more) separate clients

• The distributed attack makes it much harder to tell which requests are legitimate and which are not, and there is no single source address to block

• Net effect – access is denied for legitimate users

[Diagram: Attacker directs a network of zombies to flood the server through the firewall; the legitimate user is denied]

Page 14: Information Security: The Management Perspective

Technical Countermeasure - Denial of Service

• The standard way to counter a (D)DoS attack is to stop accepting requests from the offending clients

• This is generally done with firewall or router software (block or rate-limit the offending source addresses)
• Relatively straightforward, provided the infrastructure is in place
• Caveats: a large DDoS can saturate your network link before the traffic ever reaches your firewall, so filtering then has to happen upstream (at your ISP or a scrubbing service); and rate limits set too tightly will lock out legitimate users as well

[Diagram: Attacker and zombies send hundreds or thousands of requests per second at the server through the firewall; the legitimate user is unable to access the server (busy signal)]
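Added example, not part of the original slides: the per-client blocking described above, implemented as a sliding-window rate limiter in Python and run over constructed traffic for the two threats on the previous slides. Against a single flooding source it works as advertised; against 200 zombies that each stay under the per-source limit it blocks nobody, which is the DDoS detection problem the slides describe. Source addresses come from the RFC 5737 documentation ranges, and the limits (30 requests per source per 10 s, a server capacity of 100 requests per window) are assumptions.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most max_requests per source in any window of `window` seconds."""

    def __init__(self, max_requests: int, window: float):
        self.max_requests = max_requests
        self.window = window
        self._hits = defaultdict(deque)  # source -> timestamps of accepted requests

    def allow(self, source: str, now: float) -> bool:
        q = self._hits[source]
        while q and now - q[0] >= self.window:  # forget hits outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # this client is "offending": refuse it
        q.append(now)
        return True


def run_scenario(requests, per_source_limit=30, window=10.0, capacity=100) -> dict:
    """Feed (timestamp, source) pairs through the limiter and report what reached the server.

    capacity is the number of requests the server can serve in one window; the
    scenarios below fit inside a single window, a deliberate simplification.
    """
    limiter = SlidingWindowLimiter(per_source_limit, window)
    accepted = 0
    blocked_sources = set()
    for ts, src in sorted(requests):
        if limiter.allow(src, ts):
            accepted += 1
        else:
            blocked_sources.add(src)
    return {
        "accepted": accepted,
        "blocked_sources": len(blocked_sources),
        "capacity_exceeded": accepted > capacity,
    }


# Constructed traffic (assumed, not captured): one legitimate user, one request a second.
LEGIT_USER = [(float(i), "192.0.2.7") for i in range(10)]


def single_source_flood() -> dict:
    """Classic DoS: one attacker sends 500 requests in 10 seconds."""
    attacker = [(i * 0.02, "198.51.100.9") for i in range(500)]
    return run_scenario(attacker + LEGIT_USER)


def distributed_flood() -> dict:
    """DDoS: 200 zombies, each sending only 3 requests, all under the per-source limit."""
    zombies = [
        (t + i * 0.001, f"203.0.113.{i}")
        for i in range(200)
        for t in (1.0, 4.0, 7.0)
    ]
    return run_scenario(zombies + LEGIT_USER)


if __name__ == "__main__":
    print("single source:", single_source_flood())
    print("distributed:  ", distributed_flood())
```

In the single-source case only the attacker's first 30 requests get through and the legitimate user is served; in the distributed case 610 requests reach a server that can handle 100, and nothing about any one source looks abnormal, which is why defending against a DDoS needs capacity, upstream filtering or behavioural signals rather than a per-address block list.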

Page 15: Information Security: The Management Perspective

Threat – Malicious Code

• Malicious code exploits security flaws in software (or tricks users into running it) to propagate throughout a network

• Viruses
  – Small malicious programs that spread from computer to computer with some user interaction (e.g. running a program, opening an e-mail attachment, etc.)

• Worms
  – Like viruses, except that they are able to propagate without user interaction

• Trojan Horses
  – Programs that appear to be benign but covertly deposit malicious code on the machine on which they are run

• Zombies
  – Machines that have been infected with malicious code that attackers can use to launch future attacks (such as DDoS or further network intrusion)

Page 16: Information Security: The Management Perspective

Technical Countermeasures – Malicious Code

• Countering malicious code is an ongoing struggle

• Anti-virus and anti-spyware utilities are the first step
  – Deploy them broadly and thoroughly
  – Keep them up-to-date (regularly and automatically)
  – They only catch code they recognize, so also patch the software flaws that malicious code exploits

• Block malicious code at the perimeter where possible (firewalls)

• Constant arms race – consistent vigilance is critical

• Warning: This is difficult to do in practice, especially as an organization gets larger

Page 17: Information Security: The Management Perspective

Threat – Intrusion

Page 18: Information Security: The Management Perspective

Threat - Intrusion

• Intrusion is the art of bypassing network and computer defenses to access machines and data internal to a corporate network

• Technical goal of most intrusions is to ‘own’ machines inside the network

• Approaches for doing so include:
  – Installing software that puts a ‘backdoor’ into the system
  – Gaining high-privilege logins and/or passwords
  – Circumventing normal authentication and access controls

Page 19: Information Security: The Management Perspective

Threat – Intrusion

• Intrusions are generally the most dangerous category of information security threats. Why?
  – Once a system is compromised, it is at the mercy of the attacker
  – It can be very difficult to detect that an intrusion has taken place, or (once it is found) to be sure that the problem has been eradicated
  – An effective intrusion can be a launching point for the other categories of threats

• Two basic approaches for an intruder:
  – Technical attack (network penetration, malware, etc.)
  – Social engineering

Page 20: Information Security: The Management Perspective

Technical Countermeasures – Intrusion

• See Securing IT Infrastructure in Tuesday’s talk

Page 21: Information Security: The Management Perspective

Threat – Breach of Privacy

• Privacy: The ability of an individual or group to stop information about themselves from becoming known to people other than those they choose to give the information to. - Wikipedia

• Privacy ≠ Security

• Your customers care about their privacy
  – Decide how you are going to handle customer privacy
  – Set a privacy policy
    • Make it easy to understand
    • Make it readily available
  – Do what you say you are going to do

Page 22: Information Security: The Management Perspective

Threat – Identity Fraud

• Generally considered a threat for e-commerce sites
  – Fundamental problem caused by authentication failure

• But the general threat of fraud is larger than just identity theft
  – There are many, many scenarios in which a business can be defrauded through theft or modification of data
  – This is frequently a larger internal threat than an external one
  – What are some specific examples of fraud threats?

Page 23: Information Security: The Management Perspective

Technical Countermeasures – Identity Fraud

• Strong authentication systems
  – Biometrics, smart cards, strong passwords, etc.
  – This won’t stop a truly determined attacker, though
  – … and it can reduce ease of use or drive customers away

• Fraud detection software
  – Detects and flags patterns of fraudulent behavior

Page 24: Information Security: The Management Perspective

Information Security Management

Page 25: Information Security: The Management Perspective

Information Security Is A Management Issue First

• Creating information security policies and prioritizing threats is a business issue and responsibility
  – If the business team doesn’t set policies and prioritize threats then the technical team will…
  – Why is this a problem?

• The role of the IT team is to provide a secure IT infrastructure that mitigates the threats identified by the business team
  – It is, of course, frequently helpful for the IT team to work with the business team to help them identify the technical threats
  – … and vice-versa, with the business team helping the IT team understand the business reasons for the prioritizations

Page 26: Information Security: The Management Perspective

The Information Security Management Problem

• Why do so many management teams abdicate their responsibility for information security?
  – Incentive structure (costs for failure, success is invisible)
  – Ignorance, fear, and loathing of technology/technologists
  – Lack of understanding of the threat (wait for the crisis)
  – Other reasons?

Page 27: Information Security: The Management Perspective

Information Security Management Is Risk Management

• You can’t afford to completely secure all digital information in your organization

• Recognize this and address the challenge as a standard risk management problem
  – Identify and prioritize risks
  – Plan to meet them so as to minimize expected losses
  – Focus on your primary business

Page 28: Information Security: The Management Perspective

Identifying and Prioritizing Threats

• Identify and catalog your company’s digital assets
  – Assign appropriate and explicit levels of importance to them

• Identify threats to those assets
  – Catastrophic threats
  – Expensive threats
  – Non-critical threats

• What would the cost be of having the digital assets
  – Exposed (stolen)
  – Destroyed (lost)
  – Changed

• Prioritize the specific threats that need to be addressed
  – Through technical measures
  – Through personnel and policy measures

Page 29: Information Security: The Management Perspective

Match Your Response To The Threat

• Determine the probability and cost of each threat
  – Why is this really hard to do accurately with IT?

• Determine whether you need to mitigate the threat through technical measures, policy measures, or both

• Work with technical or policy teams to implement threat mitigation plan

Page 30: Information Security: The Management Perspective

Match Your Response To The Threat: Example

Two levels of security in a bank branch: secure the pen with a leash vs. secure the cash with a vault.
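Added example (not from the slides): the prioritization procedure on Pages 27 to 30 carried through as a worked calculation in Python. Expected annual loss is probability times cost of an occurrence; a countermeasure is worth buying when the loss it avoids exceeds what it costs, which is why the pen gets a leash and not a vault. The assets, probabilities, costs and controls are constructed figures, and the sensitivity check at the end speaks to the question on Page 29 of why probability estimates for IT threats are hard to trust.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Threat:
    asset: str
    name: str
    annual_probability: float    # chance the threat is realized in a year
    loss_if_realized: float      # cost of one occurrence (exposure, destruction or change)
    control: str                 # candidate technical or policy countermeasure
    control_cost: float          # annual cost of that control
    residual_probability: float  # annual probability once the control is in place


def expected_annual_loss(t: Threat) -> float:
    return t.annual_probability * t.loss_if_realized


def control_benefit(t: Threat) -> float:
    """Expected loss the control avoids, net of what the control costs."""
    avoided = (t.annual_probability - t.residual_probability) * t.loss_if_realized
    return avoided - t.control_cost


def prioritize(threats: List[Threat]) -> list:
    """Rank by expected annual loss: (asset, threat, expected loss, net control benefit)."""
    ranked = sorted(threats, key=expected_annual_loss, reverse=True)
    return [(t.asset, t.name, round(expected_annual_loss(t)), round(control_benefit(t)))
            for t in ranked]


def recommended_controls(threats: List[Threat]) -> List[str]:
    """Controls worth buying: positive net benefit, listed in priority order."""
    ranked = sorted(threats, key=expected_annual_loss, reverse=True)
    return [t.control for t in ranked if control_benefit(t) > 0]


def possible_top_risks(threats: List[Threat], factor: float) -> Set[str]:
    """Which threats could rank first if any single probability estimate is off by `factor`?

    A ranking that flips when one rough estimate moves by a small factor
    should not, on its own, drive a large spending decision.
    """
    eal = {t.name: expected_annual_loss(t) for t in threats}
    top = max(eal, key=eal.get)
    candidates = {top}
    for t in threats:
        if t.name == top:
            continue
        # this threat underestimated by `factor`, or the current leader overestimated by it
        underestimated = min(1.0, t.annual_probability * factor) * t.loss_if_realized
        if underestimated > eal[top] or eal[t.name] > eal[top] / factor:
            candidates.add(t.name)
    return candidates


# Constructed figures for a small firm; every number here is an assumption.
THREATS = [
    Threat("customer database", "Customer records exposed", 0.10, 2_000_000,
           "Encrypt records and review access quarterly", 60_000, 0.03),
    Threat("payroll system", "Insider payroll fraud", 0.20, 300_000,
           "Separation of duties plus transaction audit", 25_000, 0.05),
    Threat("public website", "Website DDoS", 0.50, 40_000,
           "Upstream DDoS scrubbing service", 30_000, 0.10),
    Threat("lobby pens", "Lobby pen theft", 1.00, 50,
           "Chain the pen to the counter", 20, 0.20),
]

if __name__ == "__main__":
    for row in prioritize(THREATS):
        print(row)
    print("buy:", recommended_controls(THREATS))
    print("could be top risk if an estimate is off by 3x:", possible_top_risks(THREATS, 3))
```

With these figures the website DDoS scrubbing service is not recommended even though DDoS is the most likely event: the expected loss it avoids (16,000 a year) is less than its cost, so that risk is better accepted or insured, while the 20 spent on a pen leash does pay for itself. The sensitivity check shows the top-ranked risk is stable if any one estimate is off by a factor of 3 but not by a factor of 4, which is the kind of margin to look for before committing a large budget.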

Page 31: Information Security: The Management Perspective

Develop Security Policies And Enforce Them

• Set policies defining appropriate usage of IT resources
  – Make it clear how information is categorized and what the categories mean (e.g. confidential, company-only, publicly available)
  – Identify who can access or change what information
  – Identify who has access to which systems. Why, and for how long?
  – How do you handle sensitive data that has to leave your company?
  – Identify what employees are allowed to do with their machines
    • Can they modify them and install software on them?
    • Can they surf the web for personal use? Limits on which sites?

• Automate enforcement where it makes sense to do so; put written policies in place where automated enforcement might not make sense

• Create policies and procedures for dealing with network/computer attacks
  – Plan how to handle common problems before they happen so that they don’t run out of control

Page 32: Information Security: The Management Perspective

Information Security Management Summary

• Information security is a management issue first
  – Your IT security policies and approach should be driven by business goals and constraints
  – Fundamentally a matter of risk management

• It is non-trivial to identify, quantify, and prioritize your organization’s information security threats
  – The basic categories and types of threats are quite common
  – There are standard ways to mitigate most of these threats

• Match your strategy to the threats appropriately

Page 33: Information Security: The Management Perspective

References

[AD03] Robert Austin and Christopher Darby, The Myth of Secure Computing, Harvard Business Review, June 2003.