ISSC 481 AMU Ways COs Deal with Employees Regarding Information Security Discussion

It is known that employees are the weakest link in the information security chain. How can companies deal with problems associated with the weakest link? When answering the question, be sure to draw upon items listed in Chapter 9. (Write a 1-page paper discussing your answer in APA format. I have attached a few pages from Chapter 9.)


0 https://online.vitalsource.com/#/books/9781284070637/cfi/254/4/4@0.00:7.73
The Weakest Link in the Information Security Chain

Security experts consider people the weakest link in security. Unlike automated security controls, different people have different skill levels. People can also let their guard down. They get tired or distracted, and may not have information security in mind when they do their jobs. Automated controls have advantages over people. An automated control never sleeps or takes a vacation. An automated control can work relentlessly and execute flawlessly. The major advantage people have over automated controls is the ability to deal with the unexpected. An automated control is limited because it can mitigate only risks that it has been designed for.

This section looks at different ways in which humans earn the distinction of "the weakest link in the security chain." As you'll learn, social engineering, human mistakes, and the actions of insiders account for many security violations. However, lack of leadership support for security policies is another reason security measures fail. As a future security leader, keep in mind why employees at every level must accept and follow security policies.
Social Engineering

People can be manipulated. Social engineering occurs when you manipulate or trick a person into weakening the security of an organization. Social engineering comes in many forms. One form is simply having a hacker befriend an employee. The more intimate the relationship, the more likely the employee may reveal knowledge that can be used to compromise security. Another method is pretending to be from the IT department. This is sometimes called pretexting. A hacker might call an employee and convince him or her to reveal sensitive information. For example, a hacker asks an employee to enter data the hacker knows won't work. The hacker then simply asks for the employee's ID and password to "give it a try." Hackers who use pretexting are usually highly skilled in manipulating people. They can present simple or elaborate stories that seem compelling to an unsuspecting employee.

NOTE: There are many different techniques for social engineering. However, they all rely on a person revealing sensitive information. To be successful, they typically require the attacker to get one or more employees to violate company policy. That's why security awareness training programs should address social engineering.

Another technique is to ask an employee to link to an internal Web page to verify the network performance. On that internal Web page, the user is then prompted to enter an ID and password and provide some random number, noting that the response time on the network is good. What the user doesn't realize is that the internal Web page is a fake that has just captured the user's ID and password. As the methods and sophistications
FIGURE 9-1 Types of users. (The figure shows a hierarchy under a Head of Database Administration: user types DB2 DBA Team, MSSQL DBA Team, and Oracle DBA Team, with sub-types DBO Team and Backup Operator Team.)
• Contractors—Temporary workers who can be assigned to any role; contractors are directly managed by the company in the same manner as employees.
• Vendors—These are outside companies, or individuals working for such companies, hired to provide ongoing services to the organization, such as building cleaning. Unlike contractors, vendor employees are directly managed by the vendor company to perform specific services on the organization's network.
• Guests and general public—A class or group of users who access a specific set of applications
• Control partners—Individuals who evaluate controls for design and effectiveness

In addition to these (human) user types, all with different access needs, you should also be aware of two other groups. They are really account types, rather than user types. System accounts are non-human accounts used by the system to support automated service. Contingent IDs are non-human accounts until they are assigned to individuals who use them to recover a system in the event of a major outage.
User Domain Policies

FYI: Contingent accounts or contingent IDs are an interesting type of account because they do not
Social engineering accounted for 29 percent of data breaches in 2013, according to a report published in 2014 by Verizon. Social engineering is attractive because of the ease with which data can be obtained compared with hacking. Breaking through automated controls like a firewall can take weeks, months, or years. Hackers may never be able to bypass the controls of a well-protected network. If they do, they still might not get access to the information they want. Breaking through a firewall does not necessarily provide access to data on a protected server. And even if hackers access data, they might not be able to send it outside the network. The bottom line for a hacker is that it may be easier to call employees and pose as an IT department employee. This can be accomplished within a short time and takes only one individual letting his or her guard down to succeed.
Human Mistakes

One characteristic all humans share is that they all make mistakes. Mistakes come from carelessness, fatigue, lack of knowledge, or inadequate oversight or training. Humans may perceive a security threat that does not exist. And someone might miss a real threat that is obvious to an objective observer. Carelessness can be as simple as writing your password on a sticky note and leaving it on your keyboard. It can also be failing to read warning messages but still clicking OK. Carelessness can occur because an employee is untrained or does not perceive information security as important. Careless employees are prime targets of hackers who develop malicious code. These hackers count on individuals to be their point of entry into the network.

NOTE: A survey conducted by Help Net Security found that employee carelessness is ranked fourth in the top 10 information security threats of 2010.

Another form of carelessness is intimidating people into weakening security controls out of convenience. This can happen when a supervisor or an executive, for example, asks an employee to take shortcuts or to bypass normal control procedures. The employee feels compelled to follow the instructions of his or her superior.

NOTE: When employees feel compelled by management to violate their organization's own established security policies and depart from normal processes, that's a strong indication of the lack of a good risk culture within the organization. Neither employees nor managers have truly "bought in" to the importance of managing security risk, in other words.

Carelessness can also be a result of a lack of common computer knowledge. Technology often outpaces an employee's skills. Just as some employees acquire solid understanding of a system or application, it's upgraded or replaced. Too much change in an organization is unsettling and can lead to portions of your workforce being inadequately trained. An untrained worker can create a security weakness inadvertently, such as by failing to log off a system and leaving information on the screen exposed.

Programmers can also make mistakes. This is particularly a concern when those
Insiders breaching security can have a devastating effect on an organization's reputation and viability. For example, Jerome Kerviel was a trader at a major European bank. He was blamed for losing $7.9 billion. Kerviel was an insider who placed unauthorized trades, putting the bank at serious risk. He covered up the trades by falsifying records and hacking into company computers to hide the trades. This reportedly went on for almost two years until he was caught in 2008.

Security policies and controls can help limit damages and threats. Security policies ensure access is limited to individual roles and responsibilities. This means the damage from using an insider's credentials is limited to that function. Additionally, a policy may require that an individual's access be removed immediately upon leaving the organization. These types of user controls can reduce risk.
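The two user controls described above (access limited to the role, and access removed immediately on separation) together with the chapter's seven user types and two account types can be checked mechanically. The following is an added example written for this discussion, not code from the textbook; the rights map, account records and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Rights each of the chapter's user/account types may hold. Limiting access to the
# role means a misused insider credential exposes only that function (names constructed).
ROLE_RIGHTS = {
    "employee": {"read_share"},
    "sysadmin": {"read_share", "server_admin"},
    "security": {"read_share", "siem_admin"},
    "contractor": {"read_share"},
    "vendor": {"vendor_portal"},
    "guest": {"public_app"},
    "control_partner": {"audit_read"},
    "system": {"service_run"},         # non-human service account
    "contingent": {"recovery_admin"},  # non-human until issued to a person
}

@dataclass
class Account:
    name: str
    user_type: str
    enabled: bool
    rights: Set[str] = field(default_factory=set)
    end_date: Optional[str] = None     # ISO date: last day of employment or contract
    assigned_to: Optional[str] = None  # contingent IDs: person the ID was issued to

def audit_accounts(accounts: List[Account], today_iso: str) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for the three user-domain policy checks."""
    today = date.fromisoformat(today_iso)
    findings = []
    for a in accounts:
        excess = a.rights - ROLE_RIGHTS.get(a.user_type, set())
        if excess:  # more access than the role allows
            findings.append((a.name, f"rights beyond {a.user_type} role: {sorted(excess)}"))
        if a.enabled and a.end_date and date.fromisoformat(a.end_date) <= today:
            findings.append((a.name, "still enabled after separation date"))
        if a.user_type == "contingent" and a.enabled and a.assigned_to is None:
            findings.append((a.name, "contingent ID enabled but not assigned to anyone"))
    return findings

# Constructed sample directory: a departed employee never disabled, a contractor
# holding admin rights, an unassigned recovery ID left enabled, and two clean accounts.
SAMPLE = [
    Account("jdoe", "employee", True, {"read_share"}, end_date="2024-05-31"),
    Account("c-temp1", "contractor", True, {"read_share", "server_admin"}, end_date="2024-12-31"),
    Account("recovery01", "contingent", True, {"recovery_admin"}),
    Account("svc-backup", "system", True, {"service_run"}),
    Account("auditor1", "control_partner", True, {"audit_read"}),
]
```

Running `audit_accounts(SAMPLE, "2024-06-03")` flags the first three accounts and passes the service account and the control partner.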
Seven Types of Users
The User Domain, one of seven domains of a typical IT infrastructure, consists of a variety of users. Each user type has unique access needs. As the different types of users in the domain grow, so does the security complexity. At a minimum, each type of user has unique business needs and thus requires unique rights to access certain information. Within each of these major types of users, the rights are further refined into subtypes. Each subtype might be further broken up, and so on. For example, your organization might have many types of administrators. The number depends on the size of the organization, complexity, and team specializations. You may further separate rights between Oracle and Microsoft SQL database administrators. Figure 9-1 is an example of types and subtypes of users.

You can build better security policies and controls by understanding user needs. There is no fixed number of user types possible on a network. For example, a salaried employee may be a full-time experienced professional or a part-time college student. Depending on the business, though, there may be different sets of security issues associated with those two types of employee. To illustrate common user needs, this chapter focuses on seven basic user types, as follows:

• Employees—Salaried or hourly staff members of the organization
• Systems administrators—Employees who work in the IT department to provide technical support to the systems
• Security personnel—Individuals responsible for designing and implementing a security program within an organization
