Chapter 4
Information Security
*Introduction to Information Security:
· Security: the degree of protection against criminal activity, danger, damage and loss.
· Information security: all the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification or destruction.
*Key Information Security Terms:
· Threat: any danger to which a system may be exposed.
· Exposure: the harm, loss or damage that can result if a threat compromises that resource.
· Vulnerability: the possibility that the system will suffer harm by a threat.
*Threats to Information Security:
· Today’s interconnected, interdependent, wirelessly-networked business environment
  o Untrusted network: any network external to your organization
· Smaller, faster, cheaper computers and storage devices (flash drives)
· Decreasing skills necessary to be a computer hacker
· International organized crime turning to cybercrime
  o Cybercrime: illegal activities conducted over computer networks, particularly the Internet (source cited: iDefense)
· Lack of management support
  o insufficient funding
  o technological obsolescence
  o lack of attention
*Unintentional Threats to Information Systems:
· Human errors
  o Carelessness with laptops and portable computing devices
  o Opening questionable e-mails
  o Careless Internet surfing
  o Poor password selection
· Social engineering: an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential information such as passwords
  o Tailgating: occurs when an unauthorized person slips in through a door before it closes
  o Shoulder surfing: occurs when the attacker watches another person’s computer screen over that person’s shoulder
*Deliberate Threats to Information Systems:
· Espionage or trespass: occurs when an unauthorized individual attempts to gain illegal access to organizational information
· Information extortion: occurs when an attacker either threatens to steal or actually steals information from a company
· Sabotage or vandalism: defacing an organization's website
· Theft of equipment or information
  o Pod slurping: the perpetrator plugs a portable device into a USB port of a computer and downloads sensitive information
  o Dumpster diving: rummaging through commercial or residential trash to find information that has been discarded
· Identity theft: assumption of another person’s identity, usually to gain access to their financial information or to frame them for a crime
· Compromises to intellectual property (IP)
  o Trade secret: an intellectual work, such as a business plan, that is a company secret and not based on public information
  o Patent: a document that grants the holder exclusive rights on an invention or process for 20 years
  o Copyright: a statutory grant that provides the creator of IP with ownership of the property for the life of the creator plus 70 years
  o Piracy: the illegal copying of software
· Software attacks
  o Virus: a segment of computer code that performs malicious actions by attaching to another computer program
  o Worm: a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program
  o Trojan horse: a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers) and send it to the creator of the Trojan horse
  o Logic bomb: a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time and date
*Categories of Threats to Information Systems:
· Software attacks:
  o Phishing attacks: use deception to acquire sensitive personal information by masquerading as official-looking e-mails
  o Denial-of-service attack: attackers send so many information requests to a target computer system that the system cannot handle them successfully and typically crashes
*Alien Software:
· Spyware: software that collects personal information about users without their consent
  o Keystroke loggers: record your keystrokes and your Web browsing history
  o Screen scrapers: record a continuous “movie” of what you do on a screen
· Spamware: alien software that is designed to use your computer as a launchpad for spammers. Spam is unsolicited (unwanted) e-mail
· Cookies
*Cybercrime:
· Supervisory Control and Data Acquisition (SCADA) attacks
· Cyber-terrorism and cyber-warfare: attackers use a target’s computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, usually to carry out a political agenda
*What Organizations Are Doing to Protect Information Resources:
· Risk: the probability that a threat will impact an information resource
· Risk management: to identify, control and minimize the impact of threats
· Risk analysis: to assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it
· Risk mitigation: the organization takes concrete actions against risk. It has two functions:
  (1) implement controls to prevent identified threats from occurring
  (2) develop a means of recovery should the threat become a reality
*Risk Mitigation Strategies:
· Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur
· Risk limitation: limit the risk by implementing controls that minimize the impact of the threat
· Risk transference: transfer the risk by using other means to compensate for the loss, such as purchasing insurance and having off-site backups
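The risk analysis and the three mitigation strategies above can be worked through with numbers. The following is an added example, not part of the notes or the textbook they summarize: the assets, their values, the probabilities of compromise, the control costs and the insurance terms are all constructed, and the rule "pick the strategy with the lowest yearly cost" is the example's own simplification of the comparison the notes describe.

```python
"""Risk analysis and the choice between accepting, limiting and transferring
a risk. Added illustration: asset values, probabilities, control costs and
insurance terms below are constructed, not taken from the notes."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float         # loss if the asset is compromised (currency units)
    probability: float   # estimated probability of compromise per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # cost of implementing and running the control
    residual_probability: float   # probability of compromise with the control in place


@dataclass(frozen=True)
class Transfer:
    name: str
    annual_premium: float    # e.g. insurance premium or off-site backup contract
    covered_fraction: float  # share of the loss compensated by the other party


def expected_loss(asset: Asset, probability: Optional[float] = None) -> float:
    """Probable yearly cost of compromise: asset value times probability."""
    p = asset.probability if probability is None else probability
    return asset.value * p


def strategy_costs(asset: Asset, control: Optional[Control], transfer: Optional[Transfer]) -> Dict[str, float]:
    """Yearly cost of each risk-mitigation strategy the notes list."""
    costs = {
        # Risk acceptance: no controls, absorb the damage.
        "accept": expected_loss(asset),
    }
    if control is not None:
        # Risk limitation: pay for the control, carry only the residual loss.
        costs["limit"] = control.annual_cost + expected_loss(asset, control.residual_probability)
    if transfer is not None:
        # Risk transference: pay the premium, carry only the uncovered loss.
        costs["transfer"] = transfer.annual_premium + expected_loss(asset) * (1.0 - transfer.covered_fraction)
    return costs


def choose_strategy(asset: Asset, control: Optional[Control], transfer: Optional[Transfer]) -> Tuple[str, float]:
    """Risk analysis: compare the probable cost of compromise with the cost of
    protection and pick the cheapest strategy (the example's own decision rule)."""
    costs = strategy_costs(asset, control, transfer)
    best = min(costs, key=costs.get)
    return best, costs[best]


# Constructed sample data.
CUSTOMER_DB = Asset("customer database", value=500_000, probability=0.10)        # expected loss 50,000/yr
BROCHURE_SITE = Asset("public brochure web site", value=2_000, probability=0.50)  # expected loss 1,000/yr
DB_CONTROLS = Control("encryption and access controls", annual_cost=20_000, residual_probability=0.02)
SITE_HARDENING = Control("web server hardening", annual_cost=5_000, residual_probability=0.10)
CYBER_INSURANCE = Transfer("cyber insurance", annual_premium=25_000, covered_fraction=0.80)


if __name__ == "__main__":
    for asset, control in ((CUSTOMER_DB, DB_CONTROLS), (BROCHURE_SITE, SITE_HARDENING)):
        name, cost = choose_strategy(asset, control, CYBER_INSURANCE)
        print(f"{asset.name}: {name} (about {cost:,.0f} per year)")
```

With these constructed figures the customer database is worth limiting (20,000 for the control plus a 10,000 residual loss beats the 50,000 expected loss of doing nothing and the 35,000 of insuring), while the brochure site is cheapest to accept: a 5,000 control against a 1,000 expected loss is not cost effective, which is exactly the "is the control cost effective?" question the controls evaluation asks.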
*Information Security Controls:
· Controls evaluation: is the control cost effective?
· Physical controls: physical protection of computer facilities and resources (guards, doors, alarm systems)
· Access controls: restriction of unauthorized user access to computer resources
· Communications (network) controls: protect the movement of data across networks and include border security controls, authentication and authorization
· Application controls: protect specific applications
*Access Controls:
· Authentication: determines/confirms the identity of the person requiring access
  o Something the user is: access controls that examine a user's physiological or behavioral characteristics
    - Voice verification
    - Fingerprints
    - Retina scan
  o Something the user has: these access controls include regular ID cards and smart cards
  o Something the user does: these access controls include voice and signature recognition
  o Something the user knows
    - Password: a private combination of characters that only the user should know. Example: nam3-beeS
    - Passphrase: a series of characters that is longer than a password but can be memorized easily. Example: omanFT2brazilworldcup
· Authorization: determines which actions, rights or privileges the person has to do certain activities with information resources, based on his/her verified identity
  o Privilege: a collection of related computer system operations that can be performed by users of the system
  o Least privilege: a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization
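Authentication ("something the user knows") and authorization under least privilege are easiest to see side by side in code. The following is an added example, not code from the notes or the textbook: the user accounts, the roles, the privilege sets and the PBKDF2 work factor are constructed, and the only values taken from the notes are the two sample secrets nam3-beeS and omanFT2brazilworldcup.

```python
"""Authentication (something the user knows) followed by authorization under
least privilege. Added illustration: user accounts, roles, privilege sets and
the PBKDF2 parameters are constructed; the two secrets are the notes' own examples."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000   # constructed work factor; tune for the deployment
Record = Tuple[bytes, bytes]  # (salt, derived key)


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Record:
    """Derive a salted hash so the password or passphrase itself is never stored."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def build_store(credentials: Dict[str, str]) -> Dict[str, Record]:
    """Enrol users: keep only the salt and derived key per username."""
    return {user: hash_secret(secret) for user, secret in credentials.items()}


def authenticate(store: Dict[str, Record], username: str, secret: str) -> bool:
    """Confirm identity by re-deriving the key and comparing in constant time."""
    record = store.get(username)
    if record is None:
        hash_secret(secret, b"\x00" * 16)   # same work for unknown users, so timing does not reveal valid names
        return False
    salt, expected = record
    _, actual = hash_secret(secret, salt)
    return hmac.compare_digest(actual, expected)


# Privilege: a collection of related system operations (constructed).
PRIVILEGES: Dict[str, Set[str]] = {
    "read_reports":    {"reports.view", "reports.export"},
    "manage_accounts": {"accounts.create", "accounts.disable"},
    "run_payroll":     {"payroll.view", "payroll.approve"},
}

# Least privilege: each user holds only the privileges their role justifies (constructed).
GRANTS: Dict[str, Set[str]] = {
    "alice": {"read_reports"},                     # analyst
    "bob":   {"read_reports", "manage_accounts"},  # help desk
    "carol": {"run_payroll"},                      # payroll clerk
}


def authorize(username: str, operation: str) -> bool:
    """Allowed only if one of the user's granted privileges contains the operation."""
    return any(operation in PRIVILEGES[priv] for priv in GRANTS.get(username, set()))


def access(store: Dict[str, Record], username: str, secret: str, operation: str) -> str:
    """Authentication first (who are you?), then authorization (what may you do?)."""
    if not authenticate(store, username, secret):
        return "denied: authentication failed"
    if not authorize(username, operation):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    store = build_store({"alice": "nam3-beeS", "carol": "omanFT2brazilworldcup"})
    print(access(store, "alice", "nam3-beeS", "reports.view"))       # allowed
    print(access(store, "alice", "nam3-beeS", "payroll.approve"))    # denied: not authorized
    print(access(store, "carol", "wrong guess", "payroll.approve"))  # denied: authentication failed
```

The two checks are deliberately separate: a correct password proves who alice is, but it gives her nothing beyond the single privilege her role justifies, so the payroll approval is refused even though she authenticated successfully.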
*CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
· A challenge-response test used as an attempt to ensure that the response is generated by a person
*Communication / Network Controls:
· Firewall: a system that enforces an access-control policy between two networks
· Anti-malware systems: software packages that attempt to identify and eliminate viruses, worms, and other malicious software
· Whitelisting: a process in which a company identifies the software that it will allow to run and does not try to recognize malware
· Blacklisting: a process in which a company allows all software to run unless it is on the blacklist
· Intrusion detection systems: designed to detect all types of malicious network traffic and computer usage that cannot be detected by a firewall
· Encryption: the process of converting an original message into a form that cannot be read by anyone except the intended receiver
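The practical difference between whitelisting and blacklisting is what happens to software nobody has seen before: a whitelist refuses it, a blacklist lets it run. The following added example (not from the notes or the textbook) makes that visible by evaluating both policies over a constructed set of "programs", identifying each by the hash of its contents rather than its file name, which is an assumption of the example and not something the notes specify.

```python
"""Whitelisting (default deny) versus blacklisting (default allow), deciding by
file hash rather than file name. Added illustration; the program contents,
approved list and blacklist below are constructed stand-ins for real binaries."""
import hashlib
from typing import Dict


def fingerprint(content: bytes) -> str:
    """Identify software by the SHA-256 of its contents, which a rename cannot change."""
    return hashlib.sha256(content).hexdigest()


# Constructed "programs": file name -> file contents.
PROGRAMS: Dict[str, bytes] = {
    "payroll.exe":     b"approved payroll application, build 42",
    "browser.exe":     b"approved web browser, build 7",
    "known_bad.exe":   b"constructed stand-in for a known malware sample",
    "new_utility.exe": b"a tool nobody in the company has reviewed yet",
}

# Whitelist: software the company has identified and will allow to run.
APPROVED = {fingerprint(PROGRAMS["payroll.exe"]), fingerprint(PROGRAMS["browser.exe"])}
# Blacklist: software already recognised as malicious.
KNOWN_BAD = {fingerprint(PROGRAMS["known_bad.exe"])}


def whitelist_allows(content: bytes) -> bool:
    """Run only what is on the approved list; everything else is refused."""
    return fingerprint(content) in APPROVED


def blacklist_allows(content: bytes) -> bool:
    """Run everything except what is on the blacklist."""
    return fingerprint(content) not in KNOWN_BAD


def compare_policies(programs: Dict[str, bytes]) -> Dict[str, Dict[str, bool]]:
    """Decision of each policy for each program, keyed by file name."""
    return {name: {"whitelist": whitelist_allows(data), "blacklist": blacklist_allows(data)}
            for name, data in programs.items()}


if __name__ == "__main__":
    for name, verdict in compare_policies(PROGRAMS).items():
        print(f"{name:16} whitelist={verdict['whitelist']!s:5} blacklist={verdict['blacklist']}")
    # Malware copied under an approved file name is still refused by both policies,
    # because both decide on the hash of the contents, not on the name.
    disguised = {"payroll.exe": PROGRAMS["known_bad.exe"]}
    print(compare_policies(disguised))
```

The unreviewed utility is the case that separates the two policies: the blacklist has no entry for it and lets it run, the whitelist has no entry for it and blocks it. Keying both lists on content hashes is what keeps the disguised copy from slipping through either one.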
*How Digital Certificates Work:
· Digital certificate: an electronic document attached to a file certifying that the file is from the organization it claims to be from and has not been modified from its original format
· Certificate authorities: trusted intermediaries between two organizations that issue digital certificates
· Virtual private networking (VPN): a private network that uses a public network (usually the Internet) to connect users
· Secure Sockets Layer (SSL), now called Transport Layer Security (TLS): an encryption standard used for secure transactions such as credit card purchases and online banking
· Vulnerability management systems (also called security on demand): extend the security perimeter that exists for the organization’s managed devices to unmanaged, remote devices
*Virtual Private Network and Tunneling:
· Tunneling: encrypts each data packet that is sent and places each encrypted packet inside another packet
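To show what "placing each encrypted packet inside another packet" means on the wire, here is an added example that is not from the notes or the textbook and not any real VPN protocol: the packet layout, the gateway addresses and the hash-based keystream are constructed for illustration, and a real VPN would use a standard cipher with an authentication tag, which this toy omits.

```python
"""Tunneling: encrypt each inner packet and carry it as the payload of an outer
packet addressed between the two VPN gateways. Added illustration: the packet
layout, addresses and the hash-based keystream are constructed for the example;
a real VPN uses a standard cipher with an authentication tag, which this omits."""
import hashlib
import json
import os
from typing import Dict


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def encapsulate(inner: Dict[str, str], key: bytes, gw_src: str, gw_dst: str) -> Dict[str, str]:
    """Sending gateway: the outer packet shows only gateway addresses, a fresh nonce and ciphertext."""
    nonce = os.urandom(12)                        # never reuse a nonce with the same key
    plaintext = json.dumps(inner, sort_keys=True).encode("utf-8")
    return {"src": gw_src, "dst": gw_dst, "nonce": nonce.hex(),
            "payload": stream_cipher(key, nonce, plaintext).hex()}


def decapsulate(outer: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Receiving gateway: strip the outer packet and recover the inner one."""
    nonce = bytes.fromhex(outer["nonce"])
    plaintext = stream_cipher(key, nonce, bytes.fromhex(outer["payload"]))
    return json.loads(plaintext.decode("utf-8"))


def leaks_inner_fields(outer: Dict[str, str], inner: Dict[str, str]) -> bool:
    """What an observer on the public network sees: does any inner field appear in clear?"""
    wire = json.dumps(outer).encode("utf-8")
    return any(value.encode("utf-8") in wire for value in inner.values())


# Constructed sample: a branch-office host talking to a head-office server.
INNER = {"src": "10.1.0.25", "dst": "10.2.0.10", "data": "GET /payroll/report"}
KEY = b"constructed-32-byte-shared-key!!"   # in practice negotiated by the VPN, not hard-coded

if __name__ == "__main__":
    outer = encapsulate(INNER, KEY, "203.0.113.5", "198.51.100.9")
    print(outer)                                 # only gateway addresses are readable
    print(decapsulate(outer, KEY) == INNER)      # True
```

Everything the observer can read from the outer packet is the two gateway addresses and a nonce; the private addresses and the request inside are only recoverable by the gateway holding the key. Because this toy has no integrity check, a real tunnel must add an authentication tag so that a modified payload is rejected rather than decrypted into garbage.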
*Information Systems Auditing:
· Information systems auditing: independent or unbiased observers tasked with ensuring that information systems work properly
· Audit: an examination of information systems, their inputs, outputs and processing
· Types of auditors and audits:
  o Internal: performed by corporate internal auditors
  o External: reviews the internal audit as well as the inputs, processing and outputs of information systems