CHAPTER 4 Information Security

CHAPTER OUTLINE 4.1 Introduction to Information Security 4.2 Unintentional Threats to Information Security 4.3 Deliberate Threats to Information Security 4.4 What Organizations Are Doing to Protect Information Resources 4.5 Information Security Controls

LEARNING OBJECTIVES Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one. Compare and contrast human mistakes and social engineering, and provide a specific example of each one. Discuss the nine types of deliberate attacks. Define the three risk mitigation strategies, and provide an example of each one in the context of you owning a home. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.

4.1 Introduction to Information Security

Key Information Security Terms Threat Exposure Vulnerability

Five Factors Increasing the Vulnerability of Information Resources Today’s interconnected, interdependent, wirelessly-networked business environment Smaller, faster, cheaper computers and storage devices Decreasing skills necessary to be a hacker

Five Factors Increasing the Vulnerability of Information Resources continued Organized crime taking over cybercrime Lack of management support

4.2 Unintentional Threats to Information Security

Categories of Unintentional Threats Human Errors Social Engineering

Human Errors Carelessness with laptops and portable computing devices Opening questionable e-mails Careless Internet surfing Poor password selection and use

Social Engineering Tailgating Shoulder Surfing

4.3 Deliberate Threats to Information Security

Deliberate Threats Espionage or trespass Information extortion Sabotage or vandalism Theft of equipment or information

Deliberate Threats (continued) Identity Theft Compromised to Intellectual Property Software Attacks SCADA Attacks Cyberterrorism and Cyberwarfare

Software Attacks Virus Worm Trojan Horse Logic Bomb Phishing attacks Distributed denial-of-service attacks

4.4 What Organizations Are Doing to Protect Information Resources

Risk Management Risk Risk management Risk analysis Risk mitigation

Risk Mitigation Strategies Risk Acceptance Risk limitation Risk transference

4.5 Information Security Controls

Information Security Controls Physical controls Access controls Communications (network) controls

Access Controls Authentication Authorization

Communication or Network Controls Firewalls Anti-malware systems Whitelisting and Blacklisting Encryption

Communication or Network Controls (continued) Virtual private networking Secure Socket Layer Employee monitoring systems

Business Continuity Planning, Backup, and Recovery Hot Site Warm Site Cold Site

Information Systems Auditing Types of Auditors and Audits Internal External

IS Auditing Procedure Auditing around the computer Auditing through the computer Auditing with the computer

Closing Case Information Security at the International Fund for Animal Welfare The Problem The Solution The Results