1. CHAPTER 4
Information Security

2. CHAPTER OUTLINE
4.1 Introduction to Information Security 4.2 Unintentional Threats to Information Security 4.3 Deliberate Threats to Information Security 4.4 What Organizations Are Doing to Protect Information Resources 4.5 Information Security Controls

3. LEARNING OBJECTIVES
Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one.
Compare and contrast human mistakes and social engineering, and provide a specific example of each one.
Discuss the nine types of deliberate attacks.
Define the three risk mitigation strategies, and provide an example of each one in the context of you owning a home.
Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.

4. 4.1 Introduction to Information Security

5. Key Information Security Terms
Threat
Exposure
Vulnerability

6. Five Factors Increasing the Vulnerability of Information Resources
Today’s interconnected, interdependent, wirelessly-networked business environment
Smaller, faster, cheaper computers and storage devices
Decreasing skills necessary to be a hacker

7. Five Factors Increasing the Vulnerability of Information Resources continued
Organized crime taking over cybercrime
Lack of management support

8. 4.2 Unintentional Threats to Information Security

9. Categories of Unintentional Threats
Human Errors
Social Engineering

10. Human Errors Carelessness with laptops and portable computing devices
Opening questionable s
Careless Internet surfing
Poor password selection and use

11. Social Engineering
Tailgating
Shoulder Surfing

12. 4.3 Deliberate Threats to Information Security

13. Deliberate Threats Espionage or trespass Information extortion
Sabotage or vandalism
Theft of equipment or information

14. Deliberate Threats (continued)
Identity Theft
Compromised to Intellectual Property
Software Attacks
SCADA Attacks
Cyberterrorism and Cyberwarfare

15. Software Attacks Virus Worm Trojan Horse Logic Bomb Phishing attacks
Distributed denial-of-service attacks

16. 4.4 What Organizations Are Doing to Protect Information Resources

17. Risk Management
Risk
Risk management
Risk analysis
Risk mitigation

18. Risk Mitigation Strategies
Risk Acceptance
Risk limitation
Risk transference

19. 4.5 Information Security Controls

20. Information Security Controls
Physical controls
Access controls
Communications (network) controls

21. Access Controls
Authentication
Authorization

22. Communication or Network Controls
Firewalls
Anti-malware systems
Whitelisting and Blacklisting
Encryption

23. Communication or Network Controls (continued)
Virtual private networking
Secure Socket Layer
Employee monitoring systems

24. Business Continuity Planning, Backup, and Recovery
Hot Site
Warm Site
Cold Site

25. Information Systems Auditing
Types of Auditors and Audits
Internal
External

26. IS Auditing Procedure Auditing around the computer
Auditing through the computer
Auditing with the computer

27. Closing Case Information Security at the International Fund for Animal Welfare
The Problem
The Solution
The Results