Information Security

Security: the degree of protection against criminal activity, danger, damage and loss.
Information Security: all the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification or destruction.
Key Information Security Terms

Threat: any danger to which a system may be exposed.
Exposure: the harm, loss or damage that can result if a threat compromises that resource.
Vulnerability: the possibility that the system will suffer harm by a threat.
Threats to Information Security

- Today's interconnected, interdependent, wirelessly-networked business environment. Untrusted network: any network external to your organization.
- Smaller, faster, cheaper computers and storage devices (flash drives).
- Decreasing skills necessary to be a computer hacker. Hacker: a person who finds weaknesses in a computer system and exploits them.
- International organized crime turning to cybercrime. Cybercrime: illegal activities conducted over computer networks, particularly the Internet.
- Lack of management support
- Insufficient funding
- Technological obsolescence
- Lack of attention
Unintentional Threats to Information Systems

- Human errors
- Carelessness with laptops and portable computing devices
- Opening questionable e-mails
- Careless Internet surfing
- Poor password selection
- Social engineering: an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential information such as passwords.
  - Tailgating: occurs when an unauthorized person slips in through a door before it closes.
  - Shoulder surfing: occurs when the attacker watches another person's computer screen over that person's shoulder.
Deliberate Threats to Information Systems

- Espionage or trespass: occurs when an unauthorized individual attempts to gain illegal access to organizational information.
- Information extortion: occurs when an attacker either threatens to steal, or actually steals, information from a company.
- Sabotage or vandalism: defacing an organization's website.
- Theft of equipment or information.
  - Pod slurping: the perpetrator plugs a portable device into a USB port on a computer and downloads sensitive information.
  - Dumpster diving: rummaging through commercial or residential trash to find information that has been discarded.
- Identity theft: assumption of another person's identity, usually to gain access to their financial information or to frame them for a crime.
- Compromises to intellectual property (IP)
  - Trade secret: an intellectual work, such as a business plan, that is a company secret and not based on public information.
  - Patent: a document that grants the holder exclusive rights on an invention or process for 20 years.
  - Copyright: a statutory grant that provides the creator of IP with ownership of the property for the life of the creator plus 70 years.
  - Piracy: the illegal copying of software.
- Software attacks
  - Virus: a segment of computer code that performs malicious actions by attaching to another computer program.
  - Worm: a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program.
  - Trojan horse: a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers) and send it to the creator of the Trojan horse.
  - Logic bomb: a segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action at a certain time and date.
  - Phishing attacks: use deception to acquire sensitive personal information by masquerading as official-looking e-mails.
  - Denial-of-service attack: attackers send so many information requests to a target computer system that the system cannot handle them successfully, and typically crashes.
- Alien software
  - Keystroke loggers: record your keystrokes and your Web browsing history.
  - Screen scrapers: record a continuous "movie" of what you do on a screen.
  - Spamware: alien software that is designed to use your computer as a launchpad for spammers. Spam is unsolicited (unwanted) e-mail.
  - Cookies
- Cybercrime
- Supervisory Control and Data Acquisition (SCADA) attacks
- Cyber-terrorism and cyber-warfare: attackers use a target's computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, usually to carry out a political agenda. In 2008, the cyber-invasion of Georgia by the Russian
What Organizations Are Doing to Protect Information Resources?

Risk: the probability that a threat will impact an information resource.
Risk management: to identify, control and minimize the impact of threats.
Risk analysis: to assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable cost of its being compromised with the cost of protecting it.
Risk mitigation: when the organization takes concrete actions against risk. It has two functions:
(1) implement controls to prevent identified threats from occurring;
(2) develop a means of recovery should the threat become a reality.
Risk Mitigation Strategies

Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur.
Risk limitation: limit the risk by implementing controls that minimize the impact of the threat.
Risk transference: transfer the risk by using other means to compensate for the loss, such as purchasing insurance and having off-site backups.
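As an added example that is not part of the original notes, the following Python sketch carries the risk analysis and mitigation strategies above through numbers: the probable cost of compromise is asset value times probability of compromise, and the cost of each strategy (accept, limit, transfer) is compared over one year. The asset values, probabilities, control costs and insurance premium are constructed figures; a control's residual probability and full insurance coverage are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    value: float         # loss to the organization if the asset is compromised
    p_compromise: float  # estimated probability of compromise in one year


@dataclass
class Control:
    name: str
    annual_cost: float   # cost of protecting the asset with this control
    p_residual: float    # assumed probability of compromise once the control is in place


def expected_loss(value: float, probability: float) -> float:
    """Risk analysis: probable cost of compromise = asset value x probability."""
    return value * probability


def choose_strategy(asset: Asset, control: Optional[Control] = None,
                    insurance_premium: Optional[float] = None):
    """Compare the probable cost of compromise with the cost of protecting the asset
    and pick the cheapest mitigation strategy: accept, limit or transfer."""
    # Risk acceptance: no controls, absorb the expected damage.
    costs = {"accept": expected_loss(asset.value, asset.p_compromise)}
    if control is not None:
        # Risk limitation: pay for the control, plus the smaller residual expected loss.
        costs["limit"] = control.annual_cost + expected_loss(asset.value, control.p_residual)
    if insurance_premium is not None:
        # Risk transference: the premium replaces the loss (assumes full coverage).
        costs["transfer"] = insurance_premium
    best = min(costs, key=costs.get)
    return best, costs


if __name__ == "__main__":
    # Constructed figures for illustration only.
    db = Asset("customer database", value=500_000, p_compromise=0.05)
    ctrl = Control("encryption and access controls", annual_cost=8_000, p_residual=0.01)
    strategy, costs = choose_strategy(db, ctrl, insurance_premium=20_000)
    for name, cost in costs.items():
        print(f"{name:9s} {cost:>10,.0f}")
    print("chosen strategy:", strategy)  # limit: 13,000 vs accept 25,000 vs transfer 20,000
```

When a cheap asset faces an expensive control, the same comparison selects risk acceptance, which is the case the notes describe as operating with no controls.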
Information Security Controls

Controls evaluation: is the control cost effective?
Physical controls: physical protection of computer facilities and resources (guards, doors, alarm systems).
Access controls: restriction of unauthorized user access to computer resources.
Communications (network) controls: protect the movement of data across networks and include border security controls, authentication and authorization.
Application controls: protect specific applications.
Access Controls

Authentication: determines/confirms the identity of the person requiring access.
- Something the user is: access controls that examine a user's physiological or behavioral characteristics (biometrics): voice verification, fingerprints, retina scan.
- Something the user has: these access controls include regular ID cards and smart cards.
- Something the user does: these access controls include voice and signature recognition.
- Something the user knows:
  - Password: a private combination of characters that only the user should know. Example: nam3-beeS
  - Passphrase: a series of characters that is longer than a password but can be memorized easily. Example: omanFT2brazilworldcup
*** Multifactor authentication

Authorization: determines which actions, rights or privileges the person has to do certain activities with information resources, based on his/her verified identity.
Privilege: a collection of related computer system operations that can be performed by users of the system.
Least privilege: a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA): a challenge-response test used as an attempt to ensure that the response is generated by a person.
Communication / Network Controls

Firewall: a system that enforces an access-control policy between two networks.
Anti-malware systems: software packages that attempt to identify and eliminate viruses, worms, and other malicious software.
Whitelisting: a process in which a company identifies the software that it will allow to run and does not try to recognize malware.
Blacklisting: a process in which a company allows all software to run unless it is on the blacklist.
Intrusion detection systems: designed to detect all types of malicious network traffic and computer usage that cannot be detected by a firewall.
Encryption: the process of converting an original message into a form that cannot be read by anyone except the intended receiver.
------------------------------------------------------------
Digital certificate: an electronic document attached to a file certifying that the file is from the organization it claims to be from and has not been modified from its original format.
Certificate authorities: trusted intermediaries between two organizations that issue digital certificates.
Virtual private networking (VPN): a private network that uses a public network (usually the Internet) to connect users.
Secure Sockets Layer (SSL), now called Transport Layer Security (TLS): an encryption standard used for secure transactions such as credit card purchases and online banking.
Vulnerability management systems (also called security on demand): extend the security perimeter that exists for the organization's managed devices to unmanaged, remote devices.

Virtual Private Network and Tunneling

Tunneling: encrypts each data packet that is sent and places each encrypted packet inside another packet.
Information Systems Auditing

Information systems auditing: independent or unbiased observers tasked with ensuring that information systems work properly.
Audit: examination of information systems, their inputs, outputs and processing.
Types of auditors and audits:
- Internal: performed by corporate internal auditors.
- External: reviews the internal audit as well as the inputs, processing and outputs of information systems.