Presentation transcript: "CHAPTER 4 Information Security"

Slide 1: CHAPTER 4 Information Security

Slide 2: Chapter Outline
- 4.1 Introduction to Information Security
- 4.2 Unintentional Threats to Information Security
- 4.3 Deliberate Threats to Information Security
- 4.4 What Organizations Are Doing to Protect Information Resources
- 4.5 Information Security Controls

Slide 3: Learning Objectives
1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one.
2. Compare and contrast human mistakes and social engineering, and provide a specific example of each one.
3. Discuss the nine types of deliberate attacks.

Slide 4: Learning Objectives (continued)
4. Define the three risk mitigation strategies, and provide an example of each one in the context of you owning a home.
5. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.

Slide 5: 7.1 Introduction to Information Security

Slide 6: Key Information Security Terms
- Information security
- Threat
- Exposure
- Vulnerability
- Example of a threat (video)

Slide 7: Five Factors Increasing the Vulnerability of Information Resources
- Today's interconnected, interdependent, wirelessly networked business environment
- Smaller, faster, cheaper computers and storage devices
- Decreasing skills necessary to be a hacker
- Organized crime taking over cybercrime
- Lack of management support

Slide 8: Networked Business Environment

Slide 9: Smaller, Faster Devices

Slide 10: Decreasing Skills Needed to Be a Hacker
- New and easier tools make it very easy to attack the network
- Attacks are becoming increasingly sophisticated

Slide 11: Organized Crime Taking Over Cybercrime

Slide 12: Lack of Management Support

Slide 13: 7.2 Unintentional Threats to Information Systems

Slide 14: Security Threats

Slide 15: Most Dangerous Employees
- Human resources and MIS
- These employees hold ALL the information

Slide 16: Consultants, Janitors and Security Guards

Slide 17: Human Errors
- Carelessness with laptops and portable computing devices
- Opening questionable e-mails
- Careless Internet surfing
- Poor password selection and use
- And more

Slide 18: Social Engineering
- Two examples: tailgating and shoulder surfing

Slide 19: The "King" of Social Engineering
- 60 Minutes interview with Kevin Mitnick
- Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him.
- See his company here (link)

Slide 20: 7.3 Deliberate Threats to Information Systems

Slide 21: There are many types of deliberate attacks, including:
- Espionage or trespass
- Information extortion
- Sabotage or vandalism
- Theft of equipment or information
- Identity theft
- Compromises to intellectual property
- Software attacks
- Alien software
- Supervisory control and data acquisition (SCADA) attacks
- Cyberterrorism and cyberwarfare

Slide 22: Deliberate Threats
- Espionage or trespass
- Information extortion
- Sabotage or vandalism
- Theft of equipment or information (for example, dumpster diving)

Slide 23: Deliberate Threats (continued)
- Identity theft (video)
- Compromises to intellectual property

Slide 24: Deliberate Threats (continued)
- Software attacks
  - Virus
  - Worm: 1988, first widespread worm, created by Robert T. Morris, Jr. (see the rapid spread of the Slammer worm)
  - Trojan horse
  - Logic bomb

Slide 25: Deliberate Threats (continued): Software attacks (continued)
- Phishing attacks (phishing slideshow, phishing quiz, two phishing examples)
- Distributed denial-of-service attacks (see botnet demonstration)

Slide 26: How to Detect a Phish E-mail

Slide 27: Is the email really from eBay, or PayPal, or a bank?
As spammers get better, their emails look more genuine. How do you tell if it's a scam and phishing for personal information? Here's how...

Slide 28: Is the email really from eBay, or PayPal, or a bank?
As an example, here is what the email said:
  Return-path:
  From: "PayPal"
  Subject: You have 1 new Security Message Alert !
Note that they even give advice in the right column about security.

Slide 29: Example Continued – bottom of the email

Slide 30: How to see what is happening: View Source
- In Outlook, right click on the email, then click 'view source'
- In GroupWise, open the email and click on the Message Source tab
- In Mozilla Thunderbird, click on View, then Source
Below is the part of the text that makes the email look official – the images came from the PayPal website.

Slide 31: View Source – The Real Link
In the body it said, "If you are traveling, 'Travelling Confirmation Here'". Here is where you are really being sent:
  href=3Dftp://futangiu:futangiu@209.202.224.140/index.htm
Notice that the link is not only not PayPal, it is an IP address: 2 giveaways of a fraudulent link.
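To make the view-source check on this slide repeatable, here is an added Python example (not part of the original presentation) that decodes a quoted-printable HTML fragment modelled on the slide's PayPal e-mail and reports why each link's real destination is suspicious: the scheme is ftp rather than https, credentials are embedded in the URL, and the host is a bare IP address instead of a paypal.com name. The sample fragment, the claimed domain and the anchor-extraction regex are assumptions of the example.

```python
import ipaddress
import quopri
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the slide's PayPal e-mail. "=3D" is how
# quoted-printable encodes "=", which is why the raw source shows href=3D...
SAMPLE_QP = (
    b'<p>If you are traveling, <a href=3D"ftp://futangiu:futangiu@'
    b'209.202.224.140/index.htm">Travelling Confirmation Here</a></p>'
    b'<p>Questions? <a href=3D"https://www.paypal.com/help">Help Center</a></p>'
)

# Good enough for a demo; a real mail filter would use a proper HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def link_warnings(href, claimed_domain):
    """Reasons the link's real destination does not belong to claimed_domain."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append("scheme is %s, not http(s)" % parts.scheme)
    if parts.username is not None:
        reasons.append("credentials embedded in URL")
    try:
        ipaddress.ip_address(host)          # raises ValueError for a hostname
        reasons.append("host is a bare IP address")
    except ValueError:
        if host != claimed_domain and not host.endswith("." + claimed_domain):
            reasons.append("host %r is not under %s" % (host, claimed_domain))
    return reasons

def scan_email_html(qp_bytes, claimed_domain):
    """Decode quoted-printable HTML; map suspicious anchor text to its warnings."""
    body = quopri.decodestring(qp_bytes).decode("utf-8", "replace")
    findings = {}
    for href, text in ANCHOR_RE.findall(body):
        reasons = link_warnings(href, claimed_domain)
        if reasons:
            findings[text.strip()] = reasons
    return findings

if __name__ == "__main__":
    for text, reasons in scan_email_html(SAMPLE_QP, "paypal.com").items():
        print("%r -> %s" % (text, "; ".join(reasons)))
```

The genuine-looking "Help Center" link produces no warnings, so only the "Travelling Confirmation Here" link is reported.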

Slide 32: Another Example – Amazon View Source

Slide 33: Deliberate Threats (continued)
- Alien software
  - Spyware (see video)
  - Spamware
  - Cookies (cookie demo)

Slide 34: Example of CAPTCHA

Slide 35: Deliberate Threats (continued)
- Supervisory control and data acquisition (SCADA) attacks

Slide 36: What if a SCADA attack were successful?
- Northeastern U.S. power outage in 2003
- Results in NYC: many tourists simply slept on the street or in hotel lobbies, as elevators were not working; hundreds of thousands of people walked home from Manhattan during the blackout

Slide 37: Example of SCADA attack (and cyberwarfare)
- The Stuxnet worm (IT's About Business 7.2)

Slide 38: Cyberwarfare and Cyberterrorism
- See video of cyberwarfare directed at Estonia

Slide 39: 7.4 What Organizations Are Doing to Protect Themselves

Slide 40: Risk Management
- Risk
- Risk management
- Risk analysis
- Risk mitigation

Slide 41: Risk Mitigation Strategies
- Risk acceptance
- Risk limitation
- Risk transference

Slide 42: 7.5 Information Security Controls
- Physical controls
- Access controls
- Communications (network) controls

Slide 43: Where Defense Mechanisms (Controls) Are Located

Slide 44: Access Controls
- Authentication
  - Something the user is (biometrics slides; video on biometrics; the latest biometric: gait recognition)
  - Something the user has
  - Something the user does
  - Something the user knows (passwords, passphrases)

Slide 45: Access Controls (continued)
- Authorization
- Privilege
- Least privilege

Slide 46: Communications Controls
- Firewalls
- Anti-malware systems
- Whitelisting and blacklisting
- Encryption

Slide 47: Communication or Network Controls (continued)
- Virtual private networking
- Secure Sockets Layer (now Transport Layer Security)
- Employee monitoring systems

Slide 48: Basic Home Firewall (top) and Corporate Firewall (bottom)

Slide 49: How Public Key Encryption Works

Slide 50: How Digital Certificates Work

Slide 51: Virtual Private Network and Tunneling

Slide 52: Employee Monitoring System
- Popular employee monitoring systems include: SpectorSoft, Websense

Slide 53: Business Continuity Planning, Backup, and Recovery
- Hot site
- Warm site
- Cold site

Slide 54: Information Systems Auditing
- Types of auditors and audits: internal, external

Slide 55: IS Auditing Procedure
- Auditing around the computer
- Auditing through the computer
- Auditing with the computer

Slide 56: Chapter Closing Case
- The business problem
- The IT solutions
- The results
