1. CHAPTER 4 Information Security

2. Announcements Project 2 – due today before midnight Tuesday Class Quiz 1 – Access Basics Questions/Comments

3. Security is constantly evolving… Cyber Security 101 Symantec Threats 2014

4. Personal Security How secure are you? Do you secure your information? How hackable is your digital life?

5. Key Information Security Terms Information Security Vulnerability Threat Exposure/Attack

6. Introduction to Information Security © Sebastian/AgeFotostock America, Inc. Is it possible to secure the Internet?

7. Five Factors Increasing the Vulnerability of Information Resources 1. Today’s interconnected, interdependent, wirelessly-networked business environment 2. Smaller, faster, cheaper computers and storage devices 3. Decreasing skills necessary to be a hacker 4. Organized crime taking over cybercrime 5. Lack of management support

8. 1. Networked Business Environment Threat of untrusted networks Largest is the Internet

9. 2. Smaller, Faster Devices © PhotoEdit/Alamy Limited © laggerbomber-Fotolia.com © Dragonian/iStockphoto

10. 3. Decreasing Skills Needed to be a Hacker New & Easier Tools make it very easy to attack the Network Attacks are becoming increasingly sophisticated © Sven Taubert/Age Fotostock America, Inc.

11. 4. Organized Crime Taking Over Cybercrime © Stockbroker xtra/AgeFotostock America, Inc. Cost of Cybercrime Any Guesses? http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf

12. 5. Lack of Management Support © Sigrid Olsson/Photo Alto/Age Fotostock

13. Categorizing Security Threats Security Threats: Unintentional and Deliberate

14. Unintentional Threats: Most Dangerous Employees Who are the most dangerous employees? Why are these the most dangerous?

15. Unintentional Threats: Human Errors Common Human Mistakes: Carelessness Devices E-mails Internet Poor password selection and use Ex. Bank Employees 2014 worst passwords Any guesses on #1?

16. Unintentional Threats: Human Errors

17. Unintentional Threats: Social Engineering the art of manipulating people into performing actions or divulging confidential information. Pretexting Phishing Baiting Vishing (IVR or phone phishing)

18. Deliberate Threats to Information Security Theft of equipment or information Examples Dumpster diving Laptop stolen from breaking in Identify theft Stealing info off org. databases Phishing

19. Deliberate Threats (continued) Software attacks Virus Worm (see the rapid spread of the Slammer worm)Slammer worm Trojan horse Logic Bomb Phishing attacks Distributed denial-of-service attacks Ex. US BanksUS Banks

20. Deliberate Threats (continued) Alien Software Spyware Spamware Cookies Targeted Attack Supervisory control and data acquisition (SCADA) attacks Stuxnet © Manfred Grafweg/Age Fotostock America, Inc.

21. What Organizations Are Doing to Protect Themselves “The only truly secure system is powered off, cast in a block of concrete, and sealed in a lead room with armed guards, and even then I have my doubts”

22. What Organizations Are Doing to Protect Themselves How do you protect your own networks?

23. Information Security Controls 1. Physical controls 2. Access controls 3. Communications (network) controls

24. Information Security Controls 1. Physical controls 2. Access controls 3. Communications (network) controls Access Controls

25. Access Controls: Authentication (proof of identity) Something the user is Something the user has Something the user does Something the user knows passwords passphrases

26. Access Controls: Authorization Permissions issued based on verified identity Privilege – operations that users can perform Idea of Least privilege

27. Information Security Controls 1. Physical controls 2. Access controls 3. Communications (network) controls Communication Controls

28. Communications Controls Firewalls Anti-malware systems Whitelisting and Blacklisting Encryption VPN

29. Communications Controls -Firewalls Home Corporate China Firewall

30. Controls: Encryption (PKI) How Public Key Encryption Work s

31. Communication or Network Controls Virtual private networking Employee monitoring systems

32. Protection of data Government Regulations HIPPA Sarbanes-Oxley PA74

33. Need to understand Risk Risk Management (identify, control, minimize) 1. Risk analysis 2. Risk mitigation (take action) 1. 2. 3. 3. Controls Evaluation control > cost of asset then the control is not cost effective © Youri van der Schalk/Age Fotostock America, Inc.

34. Business Continuity Planning, Backup, and Recovery Provide guidance to people who keep business operating after a disaster occurs. Options: Hot Site Warm Site Cold Site

35. Personal Risk Assessment To understand your own risk, get with another person and create an assessment. List out the following: 1. Assets (e.g. laptop, external drive, etc.) 2. Threats (e.g. natural, virus, etc.) 3. Controls (how do you control threats) Other ways to minimize personal risk

36. Personal Risk Assessment Internet Explorer

37. LEARNING OBJECTIVES 1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one. 1. Networked Environment 2. Size and cost of devices 3. Decreasing skills necessary to be a hacker 4. Organized crime taking over cybercrime 5. Lack of management support

38. LEARNING OBJECTIVES 2. Compare and contrast human mistakes and social engineering, and provide a specific example of each one.

39. LEARNING OBJECTIVES (continued) 3. Define the three risk mitigation strategies, and provide an example of each one in the context of you owning a home. 1. 2. 3.

40. LEARNING OBJECTIVES (continued) 4. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.