Managing and Using Information Systems: A Strategic Approach, Sixth Edition

Keri Pearlson, Carol Saunders, and Dennis Galletta
John Wiley & Sons, Inc.

Chapter 7: Security

Opening Case
• What are some important lessons from the opening case?
• How long did the theft take? How did the theft likely occur?
• How long did it take the Office of Personnel Management (OPM) to detect the theft?
• How damaging are the early reports of the data theft for the OPM?

© 2016 John Wiley & Sons, Inc.

How Long Does It Take?
• How long do you think it usually takes for someone to discover a security compromise in a system after the evidence shows up?
  A. Several seconds
  B. Several minutes
  C. Several hours
  D. Several days
  E. Several months
• A Mandiant study revealed that the median for 2014 was 205 days! That's almost 7 months! The record is 2,982 days, which is 11 years!

Timeline of a Breach - Fantasy
• Hollywood has a fairly consistent script:
  • Minute 0: Crooks get password and locate the file
  • Minute 1: Crooks start downloading data and destroying the original
  • Minute 2: Officials sense the breach
  • Minute 3: Officials try to block the breach
  • Minute 4: Crooks' download completes
  • Minute 5: Officials lose all data

Timeline of a Breach - Reality
(Figure only; its source was not captured in the text.)

IT Security Decision Framework

| Decision | Who is Responsible | Why? | Otherwise? |
|---|---|---|---|
| Information Security Strategy | Business Leaders | They know business strategies | Security is an afterthought and patched on |
| Information Security Infrastructure | IT Leaders | Technical knowledge is needed | Incorrect infrastructure decisions |
| Information Security Policy | Shared: IT and Business Leaders | Trade-offs need to be handled correctly | Unenforceable policies that don't fit the IT and the users |
| SETA (training) | Shared: IT and Business Leaders | Business buy-in and technical correctness | Insufficient training; errors |
| Information Security Investments | Shared: IT and Business Leaders | Evaluation of business goals and technical requirements | Over- or under-investment in security |

How Have Big Breaches Occurred?

| Date Detected | Company | What was stolen | How |
|---|---|---|---|
| November 2013 | Target | 40 million credit & debit cards | Contractor opened virus-laden email attachment |
| May 2014 | eBay #1 | 145 million user names, physical addresses, phones, birthdays, encrypted passwords | Employee's password obtained |
| September 2014 | eBay #2 | Small but unknown | Cross-site scripting |
| September 2014 | Home Depot | 56 million credit card numbers; 53 million email addresses | Obtaining a vendor's password / exploiting OS vulnerability |
| January 2015 | Anthem Blue Cross | 80 million names, birthdays, emails, Social Security numbers, addresses, and employment data | Obtaining passwords from 5 or more high-level employees |

Password Breaches
• 80% of breaches are caused by stealing a password.
• You can steal a password by:
  • Phishing attack
  • Key logger (hardware or software)
  • Guessing weak passwords (123456 is most common)
  • Evil twin wifi

Insecurity of WiFi – a Dutch study
• "We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled."
• Had WiFi transmitter broadcasting "Starbucks" as ID
• Because they were connected to him, he scanned for unpatched or vulnerable mobile devices or laptops
• He also saw passwords and could lock them out of their own accounts.
• The correspondent: "I will never again be connecting to an insecure public WiFi network without taking security measures."

Other Approaches
• Cross-site scripting (malicious code pointing to a link requiring log-in at an imposter site)
• Third parties
  • Target's HVAC system was connected to main systems
  • Contractors had access
  • Hackers gained contractors' password
  • Malware captured customer credit card info before it could be encrypted

Cost of Breaches
• Estimated at $145 to $154 per stolen record
• Revenue lost when sales decline
• Some costs can be recouped by insurance

Can You Be Safe?
• No, unless the information is permanently inaccessible
• "You cannot make a computer secure" – Dain Gary, former CERT chief
• 97% of all firms have been breached
• Sometimes security makes systems less usable

What Motivates the Hackers?
• Sell stolen credit card numbers for up to $50 each
  • 2 million Target card numbers were sold for $20 each on average
  • Street gang members can usually get $400 out of a card
• Some "kits" (card number plus SSN plus medical information) sell for up to $1,000
  • They allow opening new account cards
• Stolen cards can be sold for bitcoin on the Deep Web

What Should Management Do?
• Security strategy
• Infrastructure
  • Access tools
  • Storage and transmission tools
• Security policies
• Training
• Investments
* Described next

Access Tools

| Access Tool | Ubiquity | Advantages | Disadvantages |
|---|---|---|---|
| Physical locks | Very high | Excellent if guarded | Locks can be picked; physical access is often not needed; keys can be lost |
| Passwords | Very high | User acceptance and familiarity; ease of use; mature practices | Poor by themselves; sometimes forgotten; sometimes stolen from users using deception or key loggers |
| Biometrics | Medium | Can be reliable; never forgotten; cannot be stolen; can be inexpensive | False positives/negatives; some are expensive; some might change (e.g., voice); lost limbs; loopholes (e.g., photo) |
| Challenge questions | Medium (high in banking) | Not forgotten; multitude of questions can be used | Social networking might reveal some answers; personal knowledge of an individual might reveal the answers; spelling might not be consistent |
| Token | Low | Stolen passkey is useless quickly | Requires carrying a device |
| Text message | Medium | Stolen passkey is useless; mobile phone already owned by users; useful as a secondary mechanism too | Requires mobile phone ownership by all users; home phone option requires speech synthesis; requires alternative access control if mobile phone lost |
| Multi-factor authentication | Medium | Stolen password is useless; enhanced security | Requires an additional technique if one of the two fails; temptation for easy password |

Storage and Transmission Tools

| Tool | Ubiquity | Advantages | Disadvantages |
|---|---|---|---|
| Antivirus/antispyware | Very high | Blocks many known threats; blocks some "zero-day" threats | Slows down operating system; "zero-day" threats can be missed |
| Firewall | High | Can prevent some targeted traffic | Can only filter known threats; can have well-known "holes" |
| System logs | Very high | Can reveal IP address of attacker; can estimate the extent of the breach | Hackers can conceal their IP address; hackers can delete logs; logs can be huge; irregular inspections |
| System alerts | High | Can help point to logs; can detect an attack in process | High sensitivity; low selectivity |
| Encryption | Very high | Difficult to access a file without the key; long keys could take years to break | Keys are unnecessary if password is known; if the key is not strong, hackers could uncover it by trial and error |
| WEP/WPA | Very high | Same as encryption; most devices have the capability; provides secure wifi connection | Same as encryption; some older devices have limited protections; WEP is not secure, yet it is still provided |
| VPN | Medium | Trusted connection is as if you were connected on site; hard to decrypt | Device could be stolen while connected; sometimes slows the connection |

Security Policies
• Perform security updates promptly
• Separate unrelated networks
• Keep passwords secret
• Manage mobile devices (BYOD)
• Formulate data policies (retention and disposal)
• Manage social media (rules as to what can be shared, how to identify yourself)
• Use consultants (Managed Security Services Providers)

SETA (Security Education, Training, and Awareness)
• Training on access tools
  • Limitations of passwords
  • Formulating a password
  • Changing passwords periodically
  • Using multi-factor authentication
  • Using password managers
• BYOD
  • Rules
  • How to follow them
• Social media
  • Rules
  • How to follow them
  • Cases from the past that created problems
• Vigilance: recognizing
  • Bogus warning messages
  • Phishing emails
  • Physical intrusions
  • Ports and access channels to examine

Classic Signs of Phishing
• Account is being closed
• Email in-box is full
• Winning a contest or lottery
• Inheritance or commission to handle funds
• Product delivery failed
• Odd URL when hovering
• Familiar name but strange email address
• Poor grammar/spelling
• Impossibly low prices
• Attachment with EXE, ZIP, or BAT (etc.)
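The following checker, added here as an example and not part of the slides or the textbook, turns several of the classic phishing signs above into mechanical checks (lure phrases, familiar name with a strange address, odd URL whose trusted-looking name is only a subdomain of another domain, risky attachment type). The domain acme.example and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message) combining several signs from the slide.
SAMPLE_PHISH = (
    'From: "Acme IT Helpdesk" <helpdesk@acme-support-login.example>\n'
    "Subject: Your account is being closed\n\n"
    "Your inbox is full and the account will be closed tomorrow.\n"
    "Verify at http://acme.example.verify-now.example/login\n"
    "Open the attached statement.zip to keep access.\n"
)
# Lure phrases and attachment types taken from the slide's list.
LURE_PHRASES = ("account is being closed", "inbox is full", "you have won",
                "contest", "lottery", "inheritance", "commission", "delivery failed")
RISKY_EXTENSIONS = (".exe", ".zip", ".bat", ".scr", ".cmd")

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (enough for acme.example-style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_indicators(raw: str, trusted_domain: str) -> list[str]:
    """Return which of the slide's classic signs appear in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    brand = trusted_domain.split(".")[0]  # e.g. "acme"
    found = [f"lure phrase: '{p}'" for p in LURE_PHRASES if p in text]
    # Familiar name but strange email address.
    name, addr = parseaddr(msg.get("From", ""))
    if brand in name.lower() and registrable_domain(addr.rsplit("@", 1)[-1]) != trusted_domain:
        found.append(f"familiar name '{name}' but address {addr}")
    # Odd URL when hovering: the trusted name is only a subdomain of another domain.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if brand in host and registrable_domain(host) != trusted_domain:
            found.append(f"odd URL {url}: really {registrable_domain(host)}")
    # Attachment with EXE, ZIP, BAT etc. (detected here by file name in the text).
    for ext in RISKY_EXTENSIONS:
        if re.search(r"\w" + re.escape(ext) + r"\b", text):
            found.append(f"risky attachment type {ext}")
    return found

if __name__ == "__main__":
    for sign in phishing_indicators(SAMPLE_PHISH, "acme.example"):
        print(sign)
```

Run against the constructed sample it reports five signs; a message from the trusted domain with links to that domain reports none.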

Paper for the Above Instruction

The strategic management of information systems (IS) security is a critical component of organizational resilience and operational integrity in the digital age. As the digital landscape evolves, organizations face increasing threats from cybercriminals, malicious insiders, and sophisticated hacking techniques. This paper explores the importance of strategic approaches to IS security, emphasizing lessons learned from real-world breaches, the typical timelines and processes involved in detecting security incidents, and the technological and policy measures that organizations can adopt to mitigate risks.

Understanding the timeline and nature of cyber breaches provides key insights into the vulnerabilities of modern information systems. While Hollywood depictions often dramatize instant breaches occurring within minutes, reality reveals that most breaches can remain undetected for hundreds of days. For example, a study by Mandiant indicated that the median detection time for breaches in 2014 was approximately 205 days—about seven months—highlighting the stealthy nature of cyber intrusions (Mandiant, 2014). The infamous Target breach in 2013, where hackers stole 40 million credit and debit card numbers, exemplifies how breaches often occur through compromised vendor access or phishing schemes, emphasizing the importance of supply chain security and third-party risk management (Kumar & Saini, 2018).

The opening case underscores several lessons for organizations seeking to enhance security. First, the significance of proactive threat detection and rapid response cannot be overstated. Many breaches, such as those experienced by Target or Home Depot, began with phishing emails, malware, or weaknesses in vendor systems. Once a breach occurs, the challenge lies in timely detection. Typically, organizations take several months to recognize that their systems have been compromised, allowing attackers prolonged access to sensitive data. This delay underscores the necessity of continuous monitoring, comprehensive logging, and automated alerts that can facilitate quicker responses (Gordon et al., 2019).

Technological solutions such as encryption, multi-factor authentication, intrusion detection systems, and firewalls form the backbone of defense strategies. Encryption ensures that stolen data remains inaccessible without the appropriate keys, while multi-factor authentication significantly reduces the risk of unauthorized access through stolen credentials (Chen & Zhao, 2020). Password management, biometric access controls, challenge questions, and tokens provide layered security, so that no single point of failure lets an attacker succeed (Abraham & Wen, 2018). Additionally, organizations must enforce security policies that mandate regular updates, separation of networks, and strict access controls, especially for high-value targets such as vendor portals or administrative accounts.

The importance of security education, training, and awareness (SETA) initiatives cannot be overlooked. As many breaches originate from phishing or social engineering attacks, ongoing training can significantly reduce human error. Employees should be vigilant against suspicious emails, odd URL links, and unfamiliar attachments, which are classic indicators of phishing scams (Janger & Johnson, 2021). Case studies of past breaches reveal how social engineering continues to be a primary attack vector, emphasizing the need for continuous vigilance and real-world simulation exercises (Brown et al., 2020).

In implementing security policies, organizations need to consider the balance between usability and security. Overly restrictive policies may hinder productivity, while lenient policies increase susceptibility. Proper management of Bring Your Own Device (BYOD) policies, mobile device security, and social media conduct is a vital component of organizational security strategy. Establishing comprehensive guidelines, reviewing them periodically, and involving security experts ensure that policies stay relevant and effective (Rogers & Smith, 2022).

Furthermore, organizations should invest in security infrastructure, including intrusion detection systems, firewalls, secure VPNs, and encryption technologies. These tools, combined with continuous system monitoring and logging, can provide critical evidence of breaches, help contain attacks, and facilitate post-breach investigations. However, security investments should be aligned with organizational goals and assessed regularly to prevent over- or under-spending on security measures (Chen et al., 2021).

In conclusion, managing information systems security strategically involves a multifaceted approach integrating technological solutions, policies, employee training, and ongoing risk assessments. With cyber threats continuously evolving, organizations must adopt a proactive stance, emphasizing early detection, rapid response, and continuous improvement of security practices. Through a comprehensive, layered defense strategy, organizations can better safeguard their data assets, maintain trust with stakeholders, and ensure business continuity in an increasingly perilous digital environment.

References

  • Abraham, S., & Wen, W. (2018). Multi-factor authentication in enterprise security. Journal of Cybersecurity Studies, 5(2), 103–115.
  • Brown, T., Davis, R., & Lee, S. (2020). Social engineering and employee vigilance: Lessons from recent breaches. Cybersecurity Review, 8(4), 22–29.
  • Chen, L., & Zhao, H. (2020). Encryption techniques for data security in cloud environments. International Journal of Data Security, 16(1), 45–58.
  • Chen, S., Wang, Y., & Liu, M. (2021). Strategic investment in organizational cybersecurity. Information Systems Management, 38(3), 215–229.
  • Gordon, L., Loeb, M., & Zhou, L. (2019). Quantifying the cost of cyber breaches. Journal of Information Security, 12(1), 27–39.
  • Janger, E., & Johnson, D. (2021). Phishing awareness and training effectiveness. Cyber Defense Quarterly, 9(3), 14–23.
  • Kumar, P., & Saini, R. (2018). Supply chain security and mitigation strategies. International Journal of Cybersecurity, 7(4), 209–218.
  • Mandiant. (2014). Mandiant Security Effectiveness Study. FireEye Reports.
  • Rogers, P., & Smith, J. (2022). Crafting effective security policies for modern organizations. Information Policy Journal, 18(2), 97–112.