Chapter 4: Information Security (70 slides)
Learning Objectives
- Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one.
- Compare and contrast human mistakes and social engineering, and provide a specific example of each one.
- Discuss the 10 types of deliberate attacks.
- Define the three risk mitigation strategies, and provide an example of each one in the context of owning a home.
- Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.
4.1 Introduction to Information Security
Security: the degree of protection against criminal activity, danger, damage, and/or loss.
4.1 Introduction to Information Security
Information Security: protecting an organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.
4.1 Introduction to Information Security
Threat (to an information resource): any danger to which a system may be exposed. A threat is not only hacking; it can be as ordinary as a cat walking across a keyboard.
4.1 Introduction to Information Security
Exposure: the harm, loss, or damage that can result if a threat compromises an information resource.
4.1 Introduction to Information Security
Vulnerability (of an information resource): the possibility that the system will be harmed by a threat.
Five Factors Contributing to Vulnerability
What are some of the things going on today that make information so vulnerable?
Five Factors Contributing to Vulnerability
1. Today’s interconnected, interdependent, wirelessly networked business environment. Wireless networks are inexpensive to set up, but their signals are also easy to intercept.
Five Factors Contributing to Vulnerability
2. Smaller, faster, cheaper computers and storage devices. Years ago, we only had to worry about computers; today we have to worry about tablets and smartphones as well.
Five Factors Contributing to Vulnerability
3. Decreasing skills necessary to be a computer hacker. Many hackers are actually hired by companies to deliberately hack into their systems: the companies want to see where and how they get in, and what damage can result.
Five Factors Contributing to Vulnerability
4. International organized crime taking over cybercrime. Organized crime and cyber-terrorism are relatively new concepts. People now take out identity theft insurance, and companies take out insurance that would compensate customers and workers if data is stolen. Every month you hear about another company being hacked.
Five Factors Contributing to Vulnerability
5. Lack of management support. This comes from managers believing that an attack can’t happen to their company. Everyone is going to get hacked or compromised; it’s not a question of “if” but a question of “when”.
FIGURE 4.1: Security Threats
Look at this diagram. What are the two types of security threats? How are inside threats different from outside threats?
4.2 Unintentional Threats to Information Systems
Unintentional Threats: acts performed without malicious intent that nevertheless represent a serious threat to information security. There are two types of unintentional threats: human errors and social engineering.
Human Errors
Higher-level employees + greater access privileges = greater threat. The higher your level of access, the greater the threat you pose. Hackers usually get in by posing as legitimate users with an elevated level of access.
Human Errors
Two areas pose significant threats: Human Resources and Information Systems. For example, you set up an intranet so that employees can look up their paystubs or direct deposit information. They can now do these things themselves without bothering someone in human resources, but that opens your server up to threats.
Human Errors
Other areas of threat: contract labor, consultants, janitors, and guards. The same applies to companies that provide services for your company.
Human Errors: Common Human Errors
See if you can give me an example of each of these:
- Carelessness with laptops: losing or misplacing laptops, leaving them in taxis, and so on.
- Carelessness with computing devices: losing or misplacing these devices, or using them carelessly so that malware is introduced into an organization’s network.
- Opening questionable e-mails: opening e-mails from someone unknown, or clicking on links embedded in e-mails (see phishing attack in Table 4.2).
- Careless Internet surfing: accessing questionable Web sites; can result in malware and/or alien software being introduced into the organization’s network.
- Poor password selection and use: choosing and using weak passwords, no 2-step authentication.
Human Errors: Common Human Errors (continued)
Elicit more examples:
- Carelessness with one’s office: leaving desks and filing cabinets unlocked when employees go home at night; not logging off the company network when leaving the office for any extended period of time.
- Carelessness using unmanaged devices: unmanaged devices are those outside the control of an organization’s IT department and company security procedures. These devices include computers belonging to customers and business partners, computers in the business centers of hotels, and so on.
- Carelessness with discarded equipment: discarding old computer hardware and devices without completely wiping the memory; includes computers, smartphones, BlackBerry® units, and digital copiers and printers.
- Careless monitoring of environmental hazards: these hazards, which include dirt, dust, humidity, and static electricity, are harmful to the operation of computing equipment.
Social Engineering
Social Engineering: an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords. This is a con man or a con woman. Example: Kevin Mitnick, world-famous hacker and former FBI’s most wanted.
4.3 Deliberate Threats to Information Systems
1. Espionage or Trespass (spyware): happens when an unauthorized individual attempts to gain illegal access to organizational information.
4.3 Deliberate Threats to Information Systems
2. Information Extortion (ransomware): occurs when an attacker either threatens to steal, or actually steals, information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.
4.3 Deliberate Threats to Information Systems
3. Sabotage or Vandalism (digital graffiti): deliberate acts that involve defacing an organization’s Web site, potentially damaging the organization’s image and causing its customers to lose faith.
4.3 Deliberate Threats to Information Systems
4. Theft of Equipment or Information (dumpster diving): simply walking away with computer devices and information on paper. Dumpster Diving: rummaging through commercial or residential trash to find discarded information. Why are shredders important?
4.3 Deliberate Threats to Information Systems
5. Identity Theft: the deliberate assumption of another person’s identity, usually to gain access to his or her financial information or to frame him or her for a crime.
4.3 Deliberate Threats to Information Systems
6. Compromises to Intellectual Property: anything involving a trade secret, patent, or copyright.
4.3 Deliberate Threats to Information Systems
7. Software Attacks and 8. Alien Software. Alien software is clandestine software that is installed on your computer without your knowing about it.
4.3 Deliberate Threats to Information Systems
9. Supervisory Control and Data Acquisition (SCADA) Attacks: SCADA systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants.
4.3 Deliberate Threats to Information Systems
10. Cyberterrorism and Cyberwarfare: malicious acts in which attackers or another government use a target’s computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, often to carry out a political agenda.
Software Attacks: Remote Attacks Requiring User Action
(1) Remote attacks requiring user action: these are the attacks you, the computer user, can do something about. There are four of them.
Virus: a segment of computer code that performs malicious actions by attaching itself to another computer program.
Software Attacks: Remote Attacks Requiring User Action
Worm: code that performs malicious actions and replicates, or spreads, by itself (without requiring another computer program).
Take a minute to read this email.
Software Attacks: Remote Attacks Requiring User Action
Phishing Attack: phishing attacks use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.
Software Attacks: Remote Attacks Requiring User Action
Spear Phishing: the perpetrators find out as much information about an individual as possible to improve the chances that phishing techniques will obtain sensitive personal information. For example, someone calls you and tells you that you owe money, and you give them your Social Security number.
Software Attacks: Denial-of-Service Attack
Then there are other types of software attacks that you can’t do anything about.
Denial-of-Service Attack: an attacker sends so many information requests to a company’s server that the target cannot handle them successfully and typically crashes (ceases to function).
Software Attacks: Distributed Denial-of-Service Attack (Zombies and Botnets)
Distributed Denial-of-Service Attack: an attacker first takes over many computers, typically by using malicious software. These computers are called zombies or bots. The attacker uses these bots, which form a botnet, to deliver a coordinated stream of information requests to a target computer, causing it to crash.
(3) Attacks by a Programmer Developing a System
Trojan Horse: software programs that hide in other computer programs and reveal their designed behavior only when they are activated.
(3) Attacks by a Programmer Developing a System
Back Door: an attacker has an exclusive password that allows him or her to access a computer system at will, without having to go through any security procedures (also called a trap door).
(3) Attacks by a Programmer Developing a System
Logic Bomb: a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time or date.
Alien Software
Alien Software: clandestine software that is installed on your computer in ways that you do not approve of.
Adware: software that causes pop-up advertisements to appear on your screen.
Alien Software
Spyware: software that collects personal information about users without their consent. One common type of spyware, a keylogger, actually logs the keys that you type, such as when you are typing a password.
Alien Software
Spamware: software that stays on your computer and uses it as a launch pad for spammers.
Spam: unsolicited e-mail, usually advertising for products and services.
Alien Software
Cookies (tracking cookies): small amounts of information that Web sites store on your computer, temporarily or more or less permanently. Did you ever notice that when you log into Amazon, for instance, you start typing the first three numbers of your address and the rest of the address pops up for you? A cookie does that.
4.4 What Organizations Are Doing to Protect Information Resources
Risk Identification and Management
Risk: the probability that a threat will impact an information resource.
Risk Management: identifies, controls, and minimizes the impact of threats. In other words, risk management seeks to reduce risk to acceptable levels.
4.4 What Organizations Are Doing to Protect Information Resources
Risk Analysis (Planning): companies do three things:
- assessing the value of each asset being protected;
- estimating the probability that each asset will be compromised;
- comparing the probable costs of the asset’s being compromised with the costs of protecting that asset.
4.4 What Organizations Are Doing to Protect Information Resources
Risk Mitigation (Action): the organization takes concrete actions against risks:
- implementing controls to prevent identified threats from occurring;
- developing a means of recovery if the threat becomes a reality.
Risk Mitigation
- Risk Acceptance: procedures, controls
- Risk Limitation: rules
- Risk Transference: insurance, data warehouse
There are three ways to mitigate the risk. One is to accept the fact that the data may be compromised and have procedures and controls in place to deal with its replacement. Two is to limit the amount of risk; you might have rules in place that limit the number of people who can access data, or that limit the dollar amount that can be entered into a system. The third strategy involves shifting the risk, either to an insurance company or by having a data warehouse hold the data for you.
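As an added worked example (not part of the slide deck), the three risk-analysis steps above carried through in Python and then mapped onto the three mitigation strategies: accept, limit or transfer. The asset values, probabilities and costs are constructed sample figures, not data from any real organization.

```python
"""Risk analysis and mitigation worked example (added here; not from the slides).

Step 1: value each asset.  Step 2: estimate its probability of compromise.
Step 3: compare the probable cost of compromise with the cost of protecting it,
then pick the cheapest of the three mitigation strategies for each asset.
All figures below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float                 # step 1: loss if the asset is fully compromised
    probability: float           # step 2: estimated yearly probability of compromise
    control_cost: float          # yearly cost of controls (risk limitation)
    residual_probability: float  # probability that remains once controls are in place
    premium: float               # yearly insurance premium (risk transference)


def expected_loss(value: float, probability: float) -> float:
    """Step 3 input: the probable yearly cost of the asset being compromised."""
    return value * probability


def strategy_costs(asset: Asset) -> dict:
    """Yearly cost of each of the three mitigation strategies for one asset."""
    return {
        # Risk acceptance: no new controls; budget for the loss and its replacement.
        "accept": expected_loss(asset.value, asset.probability),
        # Risk limitation: pay for controls and still carry the residual expected loss.
        "limit": asset.control_cost
        + expected_loss(asset.value, asset.residual_probability),
        # Risk transference: an insurer (or data warehouse provider) carries the loss.
        "transfer": asset.premium,
    }


def choose_strategy(asset: Asset) -> str:
    """Pick the cheapest strategy; ties go in the order accept, limit, transfer."""
    costs = strategy_costs(asset)
    return min(costs, key=costs.get)


# Constructed sample assets (hypothetical figures).
SAMPLE_ASSETS = [
    Asset("customer database", 500_000, 0.10, 20_000, 0.02, 35_000),
    Asset("lobby kiosk", 2_000, 0.50, 3_000, 0.10, 1_500),
    Asset("offsite tape archive", 1_000_000, 0.05, 60_000, 0.01, 30_000),
]


def risk_register(assets=SAMPLE_ASSETS) -> dict:
    """Map asset name -> (expected yearly loss, chosen mitigation strategy)."""
    return {
        a.name: (expected_loss(a.value, a.probability), choose_strategy(a))
        for a in assets
    }


if __name__ == "__main__":
    for name, (loss, strategy) in risk_register().items():
        print(f"{name:22s} expected loss {loss:>10,.0f} -> {strategy}")
```

The database is cheapest to protect with controls, the kiosk is too cheap to be worth insuring or hardening, and the archive is cheaper to insure than to protect, which is the comparison step 3 asks for.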
4.5 Information Security Controls
There are five things that companies do to control information.
Physical Controls: prevent unauthorized individuals from gaining access to a company’s facilities. Common physical controls include walls, doors, fencing, gates, locks, badges, guards, and alarm systems.
Physical Controls
Prevent unauthorized individuals from gaining access to a company’s facilities. Common physical controls include:
- walls
- doors
- fencing
- gates
- locks
- badges
- guards
- alarm systems
4.5 Information Security Controls
Access Controls: restrict unauthorized individuals from using information resources and involve two major functions: authentication and authorization.
4.5 Information Security Controls
Communication Controls (also called network controls): secure the movement of data across networks and consist of firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks (VPNs), secure socket layer (SSL), and employee monitoring systems.
4.5 Information Security Controls
Business Continuity Planning: a written set of plans to recover and get back to normal if a breach or a natural disaster happens.
4.5 Information Security Controls
Information Systems Auditing: a series of tests conducted to ensure that the data is accurate.
FIGURE 4.2: Where defense mechanisms are located.
Access Controls
Access Controls: restrict unauthorized individuals from using information resources and involve two major functions: authentication and authorization.
Authentication (identity confirmation): confirms the identity of the person requiring access.
Authorization (actions, rights and privileges): determines which actions, rights, or privileges the person has, based on his or her verified identity.
Authentication (Passwords and Biometrics)
- Something the user is
- Something the user has
- Something the user does
- Something the user knows
What’s the difference between a password and biometric authentication?
Basic Guidelines for Passwords
Passwords should be:
- difficult to guess;
- long rather than short;
- made up of uppercase letters, lowercase letters, numbers, and special characters;
- not recognizable words;
- not the name of anything or anyone familiar, such as family names or names of pets;
- not a recognizable string of numbers, such as a Social Security number or a birthday.
(Have students read.)
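As an added example (not from the slide deck), the password guidelines above turned into checks that a self-service password page or help desk could run. The minimum length, the small word list and the sample inputs are constructed assumptions; a real deployment would use a full dictionary and the organization’s own policy values.

```python
"""Password-guideline checker (added example, not from the slide deck).

Each guideline on the slide becomes one check. The length threshold and the
word list are assumed values standing in for a real policy and dictionary.
"""
import re
from datetime import datetime

MIN_LENGTH = 12  # assumed value for "long rather than short"

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "sunshine", "dragon", "football"}


def _looks_like_date(run: str) -> bool:
    """True if a digit run parses as MMDDYY, MMDDYYYY or YYYYMMDD (a birthday)."""
    formats = {6: ("%m%d%y",), 8: ("%m%d%Y", "%Y%m%d")}
    for fmt in formats.get(len(run), ()):
        try:
            datetime.strptime(run, fmt)
            return True
        except ValueError:
            continue
    return False


def check_password(pw: str, familiar_names=(), familiar_numbers=()) -> list:
    """Return the list of guideline violations; an empty list means it passes.

    familiar_names:   names of family, pets, employer etc. supplied by the user
    familiar_numbers: SSN, birthday, phone etc., in any formatting
    """
    problems = []

    # Guideline: long rather than short.
    if len(pw) < MIN_LENGTH:
        problems.append("too short")

    # Guideline: uppercase letters, lowercase letters, numbers and special characters.
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    if not all(re.search(c, pw) for c in classes):
        problems.append("missing character class")

    # Guideline: not a recognizable word (digits/symbols tacked on do not help).
    letters = re.sub(r"[^a-z]", "", pw.lower())
    if letters in COMMON_WORDS:
        problems.append("recognizable word")

    # Guideline: not the name of anything or anyone familiar.
    lowered = pw.lower()
    for name in familiar_names:
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains familiar name '{name}'")
            break

    # Guideline: not a recognizable string of numbers (SSN, birthday, ...).
    digits = re.sub(r"\D", "", pw)
    known = (re.sub(r"\D", "", n) for n in familiar_numbers)
    if any(len(n) >= 4 and n in digits for n in known):
        problems.append("contains familiar number")
    for run in re.findall(r"\d{6,}", pw):
        # 9+ digits is SSN/phone length; 6 or 8 digits that parse as a date is a birthday.
        if len(run) >= 9 or _looks_like_date(run):
            problems.append("recognizable number string")
            break
    return problems
```

The familiar-name and familiar-number checks only work if the user supplies that context, which is why a policy alone cannot catch "Fluffy2017" but a sign-up form that asks for a pet’s name can.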
Communication Controls
There are seven communication or network controls. These are designed to ensure that only the data you want travels across the network.
Firewall: a firewall can be hardware- or software-based. It stops information from moving between untrusted networks.
Communication Controls
Anti-malware Systems (or antivirus software): software packages that attempt to identify and eliminate viruses, worms, and other malicious software.
Communication Controls
Whitelisting and Blacklisting: stop suspicious software from running on the company’s computers.
Communication Controls
Encryption: the process of encoding a message so that no one other than the intended receiver, who has the decoder, can read it.
Communication Controls
Virtual Private Network (VPN): uses a private channel over a public network (usually the Internet) to connect users.
Communication Controls
Secure Socket Layer (SSL): establishes an encrypted link between a web server (or website) and a browser, or between a mail server and a mail client (e.g., Outlook).
Communication Controls
Employee Monitoring Systems: employee monitoring is the use of various methods of workplace surveillance to gather information about the activities and locations of staff members. That’s why you are required to log in whenever you use a company’s computers.
Digital Certificates
FIGURE 4.5: How digital certificates work. Sony and Dell, business partners, use a digital certificate from VeriSign for authentication. The purpose of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.
Information Systems Auditing: Types of Auditors and Audits
Internal: part of internal accounting auditing, frequently performed by corporate internal auditors.
External: the external audit of information systems is frequently a part of the overall external auditing performed by a certified public accounting (CPA) firm.
How is an internal audit different from an external audit? (Have students read.)
Information Systems Auditing: How Is Auditing Executed?
IS auditing considers all of the potential hazards and controls in information systems. It focuses on issues such as operations, data integrity, software applications, security and privacy, budgets and expenditures, cost control, and productivity. Guidelines are available to assist auditors in their jobs. (Have students read and copy.)
Chapter 4: Information Security: The End