580 likes | 823 Views
CHAPTER 4. Information Security. CHAPTER OUTLINE. 4.1 Introduction to Information Security 4.2 Unintentional Threats to Information Security 4.3 Deliberate Threats to Information Security 4.4 What Organizations Are Doing to Protect Information Resources
E N D
CHAPTER 4 Information Security
CHAPTER OUTLINE 4.1 Introduction to Information Security 4.2 Unintentional Threats to Information Security 4.3 Deliberate Threats to Information Security 4.4 What Organizations Are Doing to Protect Information Resources 4.5 Information Security Controls
LEARNING OBJECTIVES 1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one. 2. Compare and contrast human mistakes and social engineering, and provide a specific example of each one. 3. Discuss the nine types of deliberate attacks.
LEARNING OBJECTIVES (continued) 4. Define the three risk mitigation strategies, and provide an example of each one in the context of you owning a home. 5. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.
7.1Introduction to Information Security © Sebastian/AgeFotostock America, Inc.
Key Information Security Terms Information Security Threat – a resource in danger Exposure – the magnitude of loss or damage Vulnerability – the possibility (i.e. the ‘odds’) that the system will suffer harm © Sebastian/AgeFotostock America, Inc. Example of a threat; bank attacks
Get Protection • C-Net • Spyware • UNCW resources • Microsoft Security Essentials
Threats / Protection • Firewalls • Anti-malware • Whitelisting and blacklisting • Encryption • Public key • Private key • Digital certificates
Network issues • Virtual private network (VPN) • Secure socket layer (SSL) – see also HTTPS • Monitor employees • Use IT audits (both internal and external) • When all else fails – business continuity plan
Five Factors Increasing the Vulnerability of Information Resources Today’s interconnected, interdependent, wirelessly-networked business environment Smaller, faster, cheaper computers and storage devices Decreasing skills necessary to be a hacker Organized crime taking over cybercrime Lack of management support
Networked Business Environment Especially WIRELESS networks
Smaller, Faster Devices © laggerbomber-Fotolia.com © Dragonian/iStockphoto © PhotoEdit/Alamy Limited
Decreasing Skills Needed to be a Hacker New & Easier Tools make it very easy to attack the Network Attacks are becoming increasingly sophisticated © Sven Taubert/Age Fotostock America, Inc.
Organized Crime Taking Over Cybercrime An international threat Are government agencies involved in cybercrime? © Stockbroker xtra/AgeFotostock America, Inc.
Lack of Management Support © Sigrid Olsson/Photo Alto/Age Fotostock
7.2 Unintentional Threats to Information Systems George Doyle/ImageSource Limited
Most Dangerous Employees Human resources and MIS These employees hold ALL the information The biggest threat to the security of an organization’s information assets are the company’s employees © WAVEBREAKMEDIA LTD/Age Fotostock America, Inc.
Consultants, Janitors and Security Guards Source: YouraPechkin/iStockphoto © fatihhoca/iStockphoto These employees get wide access without much supervision
Human Errors • Carelessness with laptops and portable computing devices • Opening questionable e-mails • Careless Internet surfing • Poor password selection and use • And more
Social Engineering Two examples Tailgating Shoulder surfing © Purestock/Age Fotostock America, Inc
The “King” of Social Engineering Hacker CaughtKevin Mitnick • Social engineering is a typically unintentional human error on the part of an employee, but it is the result of a deliberate action on the part of an attacker • Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him See his company here
There are many types of deliberate attacks including: • Espionage or Trespass • Information extortion • Sabotage or vandalism • Theft of equipment or information • Identity theft • Compromises to intellectual property • Soft ware attacks • Alien soft ware • Supervisory control and data acquisition (SCADA) attacks • Cyberterrorism and cyberwarfare
Deliberate Threats Espionage or trespass Information extortion Sabotage or vandalism Theft of equipment or information • For example, dumpster diving © Diego Cervo/Age Fotostock America, Inc.
Deliberate Threats (continued) Identify theft Identity theft video Compromises to intellectual property Frederic Lucano/Stone/Getty Images, Inc.
Deliberate Threats (continued) Software attacks Virus – segment of malicious computer code attached to another computer program Worm – segment of malicious computer code that does not require another computer program (see the Stuxnet Worm) Trojan horse Logic Bomb – segment of malicious computer code that causes damage at a specified time
Deliberate Threats (continued) Software attacks(continued) Phishing attacks • Phishing slideshow • Phishing quiz • Phishing example • Phishing example Distributed denial-of-service attacks • See botnet demonstration
Is the email really from eBay, or PayPal, or a bank? As Spammers get better, their emails look more genuine. How do you tell if it’s a scam and phishing for personal information? Here’s how ...
Is the email really from eBay, or PayPal, or a bank? As an example, here is what the email said: • Return-path: <service@paypal.com> • From: "PayPal"<service@paypal.com> • Subject: You have 1 new Security Message Alert ! Note that they even give advice in the right column about security
How to see what is happening View Source • In Outlook, right click on email, click ‘view source’ • In GroupWise, open email and click on the Message Source tab • In Mozilla Thunderbird, click on View, and Source. • Below is the part of the text that makes the email look official – the images came from the PayPal website.
In the body it said, “If you are traveling, “Travelling Confirmation Here” Notice that the link is not only not PayPal, it is an IP address, 2 giveaways of a fraudulent link. View Source – The Real Link
View Source Another Example – Amazon
Deliberate Threats (continued) Alien Software Spyware (see Microsoft) Spamware Cookies Cookie © Manfred Grafweg/Age Fotostock America, Inc.
Deliberate Threats (continued) Supervisory control and data acquisition (SCADA) attacks © SergeyTitov/iStockphoto
What if a SCADA attack were successful? Northeastern U.S. power outage in 2003 Results in NYC Many tourists simply slept on the street or in hotel lobbies, as elevators were not working Hundreds of thousands of people walked home from Manhattan during the blackout Could cyber attacks on the U.S. power grid work?
Example of SCADA attack (and cyberwarfare) The Stuxnet Worm (IT’s About Business 7.2) © Vladimir Mucibabic/Age Fotostock America, Inc.
Risk Management Risk Risk management Risk analysis Risk mitigation © Youri van der Schalk/Age Fotostock America, Inc.
Risk Mitigation Strategies Risk Acceptance Risk limitation Risk transference
7.5 Information Security Controls Physical controls Access controls Communications (network) controls
Access Controls Authentication Something the user is (biometrics powerpoints) • Video on biometrics • The latest biometric: gait recognition Something the user has Something the user does Something the user knows • passwords • passphrases
Access Controls (continued) Authorization Privilege Least privilege
Communications Controls • Firewalls • Anti-malware systems • Whitelisting and Blacklisting • Encryption
Communication or Network Controls (continued) Virtual private networking Secure Socket Layer (now transport layer security) Employee monitoring systems