Tuesday, May 20, 2014

Chapter 4

Information Security

عبدالرحمن الهندي
Security: the degree of protection against criminal activity, danger, damage and loss.

Information Security: all the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification or destruction.

Key Information Security Terms
Threat: any danger to which a system may be exposed
Exposure: the harm, loss or damage that can result if a threat compromises that resource
Vulnerability: the possibility that the system will suffer harm by a threat

Threats to Information Security
Today's interconnected, interdependent, wirelessly networked business environment
Untrusted network: any network external to your organization
Smaller, faster, cheaper computers and storage devices (flash drives)
Decreasing skills necessary to be a computer hacker
Hacker: a person who finds weaknesses in a computer system and exploits them
International organized crime turning to cybercrime
Cybercrime: illegal activities conducted over computer networks, particularly the Internet
iDefense
Lack of management support
Insufficient funding
Technological obsolescence
Lack of attention


Unintentional Threats to Information Systems

Human errors
Carelessness with laptops and portable computing devices
Opening questionable e-mails
Careless Internet surfing
Poor password selection

Social engineering: an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential information such as passwords
    Tailgating: occurs when an unauthorized person slips in through a door before it closes
    Shoulder surfing: occurs when the attacker watches another person's computer screen over that person's shoulder


Deliberate Threats to Information Systems

Espionage or trespass: occurs when an unauthorized individual attempts to gain illegal access to organizational information
Information extortion: occurs when an attacker either threatens to steal or actually steals information from a company
Sabotage or vandalism: defacing an organization's website
Theft of equipment or information
Pod slurping: the perpetrator plugs a portable device into a USB port on a computer and downloads sensitive information
Dumpster diving: rummaging through commercial or residential trash to find information that has been discarded
Identity theft: assumption of another person's identity, usually to gain access to their financial information or to frame them for a crime


Compromises to Intellectual Property (IP)
Trade secret: an intellectual work, such as a business plan, that is a company secret and not based on public information
Patent: a document that grants the holder exclusive rights on an invention or process for 20 years
Copyright: a statutory grant that provides the creator of IP with ownership of the property for the life of the creator plus 70 years
Piracy: the illegal copying of software

Software attacks
Virus: a segment of computer code that performs malicious actions by attaching to another computer program.
Worm: a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program.
Trojan horse: a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers) and send it to the creator of the Trojan horse.
Logic bomb: a segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action at a certain time and date.

Phishing attacks: use deception to acquire sensitive personal information by masquerading as official-looking e-mails.

Denial-of-service attack: attackers send so many information requests to a target computer system that the system cannot handle them successfully, and typically crashes.

Alien Software
Spyware: software that collects personal information about users without their consent
    Keystroke loggers: record your keystrokes and your Web browsing history
    Screen scrapers: record a continuous "movie" of what you do on a screen
Spamware: alien software that is designed to use your computer as a launchpad for spammers. Spam is unsolicited (unwanted) e-mail.
Cookies

Cybercrime
Supervisory Control and Data Acquisition (SCADA) attacks

Cyber-terrorism and cyber-warfare: attackers use a target's computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, usually to carry out a political agenda.
Example: the 2008 cyber invasion of Georgia by Russia.

What Are Organizations Doing to Protect Information Resources?

Risk: the probability that a threat will impact an information resource
Risk management: identify, control and minimize the impact of threats.
Risk analysis: assess the value of each asset being protected, estimate the probability that it might be compromised, and compare the probable cost of it being compromised with the cost of protecting it.
Risk mitigation: the organization takes concrete actions against risk. It has two functions:
(1) implement controls to prevent identified threats from occurring
(2) develop a means of recovery should the threat become a reality

Risk Mitigation Strategies
Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur.
Risk limitation: limit the risk by implementing controls that minimize the impact of the threat.
Risk transference: transfer the risk by using other means to compensate for the loss, such as purchasing insurance and having off-site backups.

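
The risk analysis and the three mitigation strategies above, worked through as an added example (not from these notes): the asset values, probabilities and costs are constructed, and the rule of choosing the option with the lowest expected annual cost is this example's own assumption.

```python
"""Risk analysis and choice of mitigation strategy (added example, not from
the notes). Decision rule (assumed here): pick the strategy with the lowest
expected annual cost; all figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # loss if the asset is compromised
    probability: float      # estimated chance of compromise per year


@dataclass(frozen=True)
class Options:
    control_cost: float           # yearly cost of the protective control
    control_effectiveness: float  # fraction of the loss the control prevents
    insurance_premium: float      # yearly cost of transferring the risk
    insurance_coverage: float     # fraction of the loss the insurer pays


def expected_loss(asset: Asset) -> float:
    """Risk analysis: probable cost of compromise = value x probability."""
    return asset.value * asset.probability


def strategy_costs(asset: Asset, opt: Options) -> dict:
    """Expected annual cost under each of the three mitigation strategies."""
    loss = expected_loss(asset)
    return {
        # acceptance: no controls, absorb whatever damage occurs
        "acceptance": loss,
        # limitation: pay for the control, keep the residual (unprevented) loss
        "limitation": opt.control_cost + loss * (1 - opt.control_effectiveness),
        # transference: pay the premium, keep the part the insurer does not cover
        "transference": opt.insurance_premium + loss * (1 - opt.insurance_coverage),
    }


def choose_strategy(asset: Asset, opt: Options) -> str:
    """Pick the strategy with the lowest expected annual cost."""
    costs = strategy_costs(asset, opt)
    return min(costs, key=costs.get)


if __name__ == "__main__":
    opt = Options(3_000, 0.8, 6_000, 0.9)   # constructed figures
    for asset in (Asset("customer database", 200_000, 0.05),
                  Asset("cafeteria menu server", 5_000, 0.02)):
        print(asset.name, strategy_costs(asset, opt), "->", choose_strategy(asset, opt))
```

The same control is worth paying for on the high-value asset but not on the low-value one, which is the comparison risk analysis asks for.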
Information Security Controls

Controls evaluation: is the control cost effective?
Physical controls: physical protection of computer facilities and resources (guards, doors, alarm systems)
Access controls: restriction of unauthorized user access to computer resources
Communications (network) controls: protect the movement of data across networks and include border security controls, authentication and authorization.
Application controls: protect specific applications

Access Controls

Authentication: determines/confirms the identity of the person requiring access
Something the user is: access controls that examine a user's physiological or behavioral characteristics (biometrics), for example voice verification, fingerprints and retina scans
Something the user has: these access controls include regular ID cards and smart cards
Something the user does: these access controls include voice and signature recognition
Something the user knows:
    Password: a private combination of characters that only the user should know
    example: nam3-beeS
    Passphrase: a series of characters that is longer than a password but can be memorized easily
    example: omanFT2brazilworldcup

*** Multifactor authentication
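
An added example, not from these notes, of combining two of the factors above: a password (something the user knows, using the notes' sample password) and a time-based one-time code from an authenticator (something the user has, RFC 6238 TOTP). The user record and the login flow are constructed for this example.

```python
"""Multifactor login: something the user knows (password) plus something the
user has (an authenticator producing RFC 6238 TOTP codes). Added example, not
from the notes; the user record and login flow are this example's assumptions."""
import hashlib
import hmac
import os
import struct
from typing import Optional

ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP (RFC 4226) over the current time step."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-window, window + 1))

# Constructed user record; the TOTP secret is the RFC 4226/6238 test-vector key.
SALT, PW_HASH = hash_password("nam3-beeS", salt=b"\x00" * 16)
USER = {"salt": SALT, "pw_hash": PW_HASH, "totp_secret": b"12345678901234567890"}

def login(password: str, code: str, at: int) -> bool:
    """Both factors must pass: a stolen password alone does not get in."""
    knows = verify_password(password, USER["salt"], USER["pw_hash"])
    has = verify_totp(USER["totp_secret"], code, at)
    return knows and has
```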
 
 
 

Authorization: determines which actions, rights or privileges the person has to do certain activities with information resources, based on his/her verified identity
Privilege: a collection of related computer system operations that can be performed by users of the system
Least privilege: a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA): a challenge-response test used to ensure that the response is generated by a person

Communication / Network Controls

Firewall: a system that enforces an access-control policy between two networks.
Anti-malware systems: software packages that attempt to identify and eliminate viruses, worms, and other malicious software

Whitelisting: a process in which a company identifies the software that it will allow to run and does not try to recognize malware
Blacklisting: a process in which a company allows all software to run unless it is on the blacklist
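
The difference between the two approaches, as an added example that is not from these notes: each policy identifies a program by the SHA-256 of its bytes, as application-control tools do, and the sample programs are constructed byte strings.

```python
"""Whitelisting (default deny) versus blacklisting (default allow).
Added example, not from the notes; the sample programs are constructed."""
import hashlib
from typing import Dict, FrozenSet


def fingerprint(program: bytes) -> str:
    """Identify a program by its content, not its file name."""
    return hashlib.sha256(program).hexdigest()


class AllowListPolicy:
    """Runs only software the company has identified; everything else is denied."""
    def __init__(self, approved: FrozenSet[str]) -> None:
        self.approved = approved

    def allows(self, program: bytes) -> bool:
        return fingerprint(program) in self.approved


class DenyListPolicy:
    """Runs everything except software already known to be malicious."""
    def __init__(self, known_bad: FrozenSet[str]) -> None:
        self.known_bad = known_bad

    def allows(self, program: bytes) -> bool:
        return fingerprint(program) not in self.known_bad


# Constructed sample programs (stand-ins for executable files).
PAYROLL = b"approved payroll application v3"
KNOWN_MALWARE = b"malware sample already in the deny list"
NEW_MALWARE = b"malware not yet known to anyone"
TAMPERED_PAYROLL = PAYROLL + b" with injected code"

ALLOW = AllowListPolicy(frozenset({fingerprint(PAYROLL)}))
DENY = DenyListPolicy(frozenset({fingerprint(KNOWN_MALWARE)}))


def compare(program: bytes) -> Dict[str, bool]:
    """Decision of each policy for one program."""
    return {"whitelist": ALLOW.allows(program), "blacklist": DENY.allows(program)}


if __name__ == "__main__":
    for name, prog in [("payroll", PAYROLL), ("known malware", KNOWN_MALWARE),
                       ("new malware", NEW_MALWARE), ("tampered payroll", TAMPERED_PAYROLL)]:
        print(name, compare(prog))
```

The blacklist lets new, not-yet-catalogued malware run, while the whitelist also blocks a modified copy of an approved program because its fingerprint no longer matches.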
 
Intrusion detection systems: designed to detect all types of malicious network traffic and computer usage that cannot be detected by a firewall

Encryption: the process of converting an original message into a form that cannot be read by anyone except the intended receiver.

Digital certificate: an electronic document attached to a file certifying that the file is from the organization it claims to be from and has not been modified from its original format
Certificate authorities: trusted intermediaries between two organizations that issue digital certificates
Virtual private network (VPN): a private network that uses a public network (usually the Internet) to connect users
Secure Sockets Layer (SSL), now called Transport Layer Security (TLS): an encryption standard used for secure transactions such as credit card purchases and online banking.
Vulnerability management systems (also called security on demand): extend the security perimeter that exists for the organization's managed devices to unmanaged, remote devices.

Virtual Private Network and Tunneling
Tunneling encrypts each data packet that is sent and places each encrypted packet inside another packet.

Information Systems Auditing
Information systems auditing: independent or unbiased observers tasked to ensure that information systems work properly.
Audit: examination of information systems, their inputs, outputs and processing.
Types of auditors and audits:
Internal: performed by corporate internal auditors.
External: reviews the internal audit as well as the inputs, processing and outputs of information systems.