CHAPTER 4 Information Security
CHAPTER OUTLINE 4.1 Introduction to Information Security 4.2 Unintentional Threats to Information Security 4.3 Deliberate Threats to Information Security 4.4 What Organizations Are Doing to Protect Information Resources 4.5 Information Security Controls
LEARNING OBJECTIVES Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one. Compare and contrast human mistakes and social engineering, and provide a specific example of each one. Discuss the nine types of deliberate attacks. Define the three risk mitigation strategies, and provide an example of each one in the context of you owning a home. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.
4.1 Introduction to Information Security
Key Information Security Terms Information Security Threat Exposure Vulnerability
Five Factors Increasing the Vulnerability of Information Resources Today’s interconnected, interdependent, wirelessly- networked business environment Smaller, faster, cheaper computers and storage devices Decreasing skills necessary to be a hacker
Five Factors Increasing the Vulnerability of Information Resources continued Organized crime taking over cybercrime Lack of management support
4.2 Unintentional Threats to Information Security
Categories of Unintentional Threats Human Errors Social Engineering
Human Errors Carelessness with laptops and portable computing devices Opening questionable s Careless Internet surfing Poor password selection and use
Social Engineering Tailgating Shoulder Surfing
4.3 Deliberate Threats to Information Security
Deliberate Threats Espionage or trespass Information extortion Sabotage or vandalism Theft of equipment or information
Deliberate Threats (continued) Identity Theft Compromised to Intellectual Property Software Attacks SCADA Attacks Cyberterrorism and Cyberwarfare
Virus Worm Trojan Horse Logic Bomb Phishing attacks Distributed denial-of-service attacks Software Attacks
4.4 What Organizations Are Doing to Protect Information Resources
Risk Management Risk Risk management Risk analysis Risk mitigation
Risk Mitigation Strategies Risk Acceptance Risk limitation Risk transference
4.5 Information Security Controls
Information Security Controls Physical controls Access controls Communications (network) controls
Access Controls Authentication Authorization
Communication or Network Controls Firewalls Anti-malware systems Whitelisting and Blacklisting Encryption
Communication or Network Controls (continued) Virtual private networking Secure Socket Layer Employee monitoring systems
Business Continuity Planning, Backup, and Recovery Hot Site Warm Site Cold Site
Information Systems Auditing Types of Auditors and Audits –Internal –External
IS Auditing Procedure Auditing around the computer Auditing through the computer Auditing with the computer
Closing Case The Problem The Solution The Results