chapter 4

Information Security

 

 

Security:  the degree of protection against criminal activity, danger, damage and loss.

Information Security:

all the process and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure,

 

 

 

disruption, modification or destruction.

 

 

Key Information Security Terms

Threat: any danger to which a system may be exposed

 

Exposure: the harm, loss or damage that can result if a threat compromises that resource

Vulnerability: the possibility that the system will suffer harm by a threat

 

 

Threats to Information Security

Today’s interconnected, interdependent, wirelessly-networked business environment

untrusted network: any network external to your organization

Smaller, faster, cheaper computers and storage devices (flash drives)

 

Decreasing skills necessary to be a computer hacker

Hacker: a person who finds out weaknesses in the computer system and exploits it

International organized crime turning to cybercrime

   

Cybercrime: illegal activities conducted over computer networks , particularly the Internet

 

iDefense

 

Lack of management support

insufficient funding

Technological obsolescence

lack of attention

 

 

Unintentional Threats to Information Systems

 

 

nHuman Errors

nCarelessness with laptops and portable computing devices

nOpening questionable e-mails

nCareless Internet surfing

nPoor password selection

 

nSocial Engineering: an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential information such as passwords 

oTailgating: it occurs when an unauthorized person slips in through a door before it closes

oShoulder surfing: it occurs when the attacker watches another person’s computer screen over that person’s shoulder

 

Deliberate Threats to Information Systems

Espionage or trespass: occurs when an unauthorized individual attempts to gain illegal access to organizational information 

Information extortion: occurs when an attacker either threatens to steal or actually steals information from a company

Sabotage or vandalism: defacing an organization's website

Theft of equipment or information

Pod slurping: perpetrator plugs portable device into a USB port in a computer and downloads sensitive information

Dumpster diving: rummaging through commercial or residential trash to find information that has been discarded

Identity theft : assumption of another person’s identity, usually to gain access to their financial information or to frame them for a crime

 

 

nCompromises to Intellectual Property (IP)

nTrade secret: an intellectual work such as business plan, that is a company secret and not based on public information

nPatent: a document that grants the holder exclusive rights on an invention or process for 20 years.

nCopyright: a statuary grant that provides the creator of IP with ownership of the property for the life of the creator plus 70 years

nPiracy: the illegal copying of software

 

 

 

 

Software attacks

Virus: a segment of computer code that performs malicious actions by attaching to another computer program.

Worm: a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program

Trojan horse: a software program that hides in other computer programs and reveal its designed behavior only when it is activated.  A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send them to the creator of the Trojan horse.

Logic Bomb: a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time and date.

 

Phishing attacks

use deception to acquire sensitive personal information by masquerading as official-looking e-mails

 

Denial-of-service attack

Attackers sends so many information requests to a target computer system that the system cannot handle them successfully, and typically crashes  

Alien Software

Spyware: software that collect personal information about users without their consent (see video)

ØKeystroke loggers: record your keystrokes and your Web browsing history

ØScreen scrapers: record a continuous “movie” of what you do on a screen

Spamware: alien software that is designed to use your computer as a launchpad for spammers.  Spam is unsolicited  (unwanted)  e-mail

Cookies

Cybercrime

Supervisory Control and Data Acquisition (SCADA) Attacks

Cyber-terrorism  and Cyber-warfare

Attackers use a target’s computer systems, particularly via the Internet, to cause physical, real-world harm or sever disruption, usually to carry out a political agenda

In 2008, the Cyber- invasion of Georgia by the Russian

What Organizations Are Doing to Protect Information Resources?

 

Risk: the probability that a threat will impact an information resource

Risk management: to identify, control and minimize the impact of threats.

Risk analysis: to assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.

Risk mitigation: is when the organization takes concrete actions against risk. It has two functions:

(1) implement controls to prevent identified threats from occurring

(2) develop a means of recovery should the threat become a reality

Risk Mitigation Strategies

 

Risk Acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur.

Risk limitation: Limit the risk by implementing controls that minimize the impact of threat.

 

Risk transference: Transfer the risk by using other means to compensate for the loss, such as purchasing insurance and having off-site backups 

Information Security Controls

Controls evaluation

     Is the control cost effective?

Physical controls: physical protection of computer facilities and resources (Guards, doors, alarm systems)

Access controls: restriction of unauthorized user access to computer resources

Communications (network) controls: protect the movement of data across networks and include border security controls, authentication and authorization.

Application controls: protect specific applications

 

Access Controls

Authentication

Determines/confirms the identity of the person requiring access

Something the user is: access controls that examine a user's physiological or behavioral characteristics

Biometrics

Voice verification

Fingerprints

Retina scan

Something the user has : these access controls include regular ID cards, smart cards

 

Authentication

Something the user does : these access controls include voice and signature recognition

Something the user knows

Password : a private combination of characters that only the user should know

  example: nam3-beeS

Passphrases: a series of characters that is longer than a password but can be memorized easily

example: omanFT2brazilworldcup

*** Multifactor authentication

 

 

 

Authorization

Determines which actions, rights or privileges the person has to do certain activities with information resources, based on his/her verified identity

Privilege: a collection of related computer system operations that can be performed by users of the system

Least privilege: a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization

 

 

 

Completely Automated Public Turing test to tell Computers and Humans Apart

A challenge response test used as an attempt to ensure that the response is generated by a person

 

Communication / Network Controls

 

Firewall: System that enforces access-control policy between two networks.

Anti-malware systems: software packages that attempt to identify and eliminate viruses, worms, and other malicious software

 

Whitelisting: a process in which a company identifies the software that it will allow to run and does not try to recognize malware

Blacklisting: a process in which a company allows all software to run unless it is on the blacklist

 

Intrusion detection systems: designed to detect all types of malicious network traffic and computer usage that cannot be detected by a firewall

 

Encryption Process of converting an original message into a form that cannot be read by anyone except the intended receiver.

 

------------------------------------------------------------

 

 

 

Digital Certificate: an electronic document attached to a file certifying that the file is from the organization that it claims to be from and has not been modified from its original format

Certificate authorities: trusted intermediaries between two organizations, issue digital certificates

Virtual private networking (VPN) : a private network that uses a public network (usually the Internet) to connect users

 

Secure Socket Layer now called transport layer security (TLS): is an encryption standard used for secure transactions such as credit card purchases and online banking.

Vulnerability management systems: (also called security on demand) extend the security perimeter that exists for the organization’s managed devices, to unmanaged, remote devices.

 

Virtual Private Network and Tunneling

 

 

Tunneling encrypts each data packet that is sent and places each encrypted packet inside another packet.

 

 

 

Information Systems Auditing

Information systems auditing: Independent or unbiased observers task to ensure that information systems work properly.

 

Audit: Examination of information systems, their inputs, outputs and processing.

 

Types of Auditors and Audits:

ØInternal: Performed by corporate internal auditors.

ØExternal: Reviews internal audit as well as the inputs, processing and outputs of information systems.