SECTION 4.2
INFORMATION SECURITY
Security is perhaps the most fundamental and critical of all the
technologies/disciplines an organization must have squarely in place to
execute its business strategy. Without solid security processes and
procedures, none of the other technologies can develop business
advantages.
LEARNING OUTCOMES
Learning Outcome 4.3: Describe the relationships and di(erences
between hackers and viruses.
Hackers are experts in technology who use their knowledge to break into
computers and computer networks, either for pro!t or just motivated by the
challenge. A virus is software written with malicious intent to cause
annoyance or damage. Some hackers create and leave viruses causing
massive computer damage.
Learning Outcome 4.4: Describe the relationship between
information security policies and an information security plan.
Information security policies identify the rules required to maintain
information security, such as requiring users to log o% before leaving for
lunch or meetings, never sharing passwords with anyone, and changing
passwords every 30 days. An information security plan details how an
organization will implement the information security policies. The best way a
company can safeguard itself from people is by implementing and
communicating its information
security plan.
Learning Outcome 4.5: Provide an example of each of the three
primary information security areas: (1) authentication and
authorization, (2) prevention and resistance, and (3) detection and
response.
Authentication and authorization: Authentication is a method for
con!rming users’ identities. Once a system determines the authentication
of a user, it can then determine the access privileges (or authorization) for
that user. Authorization is the process of providing a user with permission
including access levels and abilities such as !le access, hours of access,
and amount of allocated storage space.
Prevention and resistance: Content !ltering occurs when organizations
use software that !lters content, such as emails, to prevent the accidental
or malicious transmission of unauthorized information. Encryption
scrambles information into an alternative form that requires a key or
password to decrypt. In a security breach, a thief is unable to read
encrypted information. A !rewall is hardware and/or software that guard a
private network by analyzing incoming and outgoing information for the
correct markings.
Detection and response: Intrusion detection software (IDS) features
full-time monitoring tools that search for patterns in network tra3c to
identify intruders.
CLASSROOM OPENER
GREAT BUSINESS DECISIONS – The American Express
Charge Card
The product that led to the question “cash or charge?” was the American
Express card, or, as Forbes called it: “the late-twentieth-century piece of
magic that replaced checks, money, and charge accounts.” The American
Express card, and every other charge card, evolved from the company’s
greatest invention, the traveler’s check, which was introduced in 1891. With
an American Express traveler’s check in hand, a visitor otherwise unknown,
could obtain hard cash in a matter of moments. It was a whole new concept,
selling people the honor of being trusted, and it caught on. The security of
carrying a traveler’s check instead of cash was one of its biggest bene!ts.
The security of carrying a credit card instead of cash was an even bigger
bene!t. American Express celebrated its 100th birthday in 1950, and its
staying power can be ascribed to its understanding that “A credit card, in
short, is not a mere commodity, {but} it says something about the person
who uses it.” The company understood that the card could be considered
much more than !nancial security; it could be a status symbol.
CLASSROOM EXERCISE
Analyzing Your School’s Security
Break your students into groups and ask them to research and review your
school’s information security plan and policies. Have them answer the
following questions:
What did the plan address that your students found surprising?
What is the plan missing or failing to address?
What policies were missing or not addressed appropriately?
What policies should be added to the plan?
How frequently should the plan be updated?
Who should be responsible for updating the plan?
Who should be asked for sign-o% on the plan?
How should the plan be communicated with all students and sta%?
CLASSROOM EXERCISE
Who Is Stealing Your Password
This is an excellent article and video sent to me by Je% Gaines at San Jose
State – it is scary!!
Who’s Stealing Your Passwords? Global Hackers Create a New Online Crime
Economy
A sophisticated new breed of online criminals is making it easier than ever
for the bad guys to engage in identity theft and other cybercrime.
http://www.cio.com/article/135500/?source=nlt_cioenterprise
CLASSROOM EXERCISE
Nike+iPod = Surveillance Target
Most students are very familiar with Nike and they have iPods… here is a
good article to use for security on RFID privacy concerns with the new
SportKit that is placed in a sneaker and gives workout feedback to an iPod.
http://news.com.com/NikeiPod+raises+RFID+privacy+concerns/2100-1029_3
-6143606.html
Excellent movie that shows how users of the Nike+iPod SportKit can be
tracked by a predator: http://archive.wired.com/science/discoveries/news/2006/11/72202
Ask your students the following:
Describe how the Nike+iPod SportKit caused security issues for the
company. Do you think Nike or Apple acted unethically when they
developed the SportKit? Why or why not?
People could use the Nike+iPod SportKit to track unsuspecting users of the
product. Since the SportKit emits a frequency anyone could use the tool to
track every move of an individual. This could cause tremendous security and
risks for all customers. Apple should have done a complete evaluation of the
tool and ensured security features for any product emitting technology that
could be used to track individuals
CLASSROOM EXERCISE
90% of email will be Spam
A Oood of spam coming out of China and South Korea is fueling a 30% jump
in spam levels in just the past week, according to a new report.
http://www.informationweek.com/news/showArticle.jhtml?
articleID=197008209
Ask you students the following:
How might this e%ect business?
What types of issues should a company anticipate due to spam?
What would you do if your company email was being overtaken by spam?
Here are a few spam management tips from Information Week:
Spammers use special programs that extract email addresses from
Websites and Usenet postings. To avoid ending up on a spammer’s
mailing list when you post to a Web forum or a newsgroup, you can
obscure your email address by inserting something obvious into it. So if
your email address is xyz@yahoo.com, change it to
xyz@yah[delete_this]oo.com. Or, try something like this: “xyz at yahoo
dot com.”
Don’t reply to spam messages, not even to reply to be “removed.” Often
the instructions are fake, or they’re a way to collect more addresses.
Replying con!rms to the spammers that your email address is active, and
you may receive even more junk mail.
Remove your email address from your Website’s pages and o%er a
Web-based mail form instead. That prevents spammers’ robots from
harvesting email addresses and putting them on their mailing lists.
Contact-Us-Online.com can provide you with such a script free of charge.
CLASSROOM EXERCISE
Pizza Video
I’ve used this video in a number of classes and can relate it to a variety of
topics from security and ethics to system implementation and design
https://www.aclu.org/ordering-pizza
Ask your students the biggest security breach with this video – the user does
not authentic the caller. If the phone was stolen the order taker literally
gives away all of his information.
CORE MATERIAL
The core chapter material is covered in detail in the PowerPoint slides. Each
slide contains detailed teaching notes including exercises, class activities,
questions, and examples. Please review the PowerPoint slides for detailed
notes on how to teach and enhance the core chapter material.