

  1. CHAPTER 4 Information Security

  2. CHAPTER OUTLINE 4.1 Introduction to Information Security 4.2 Unintentional Threats to Information Security 4.3 Deliberate Threats to Information Security 4.4 What Organizations Are Doing to Protect Information Resources 4.5 Information Security Controls

  3. LEARNING OBJECTIVES 1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one. 2. Compare and contrast human mistakes and social engineering, and provide a specific example of each one. 3. Discuss the nine types of deliberate attacks.

  4. LEARNING OBJECTIVES (continued) 4. Define the three risk mitigation strategies, and provide an example of each one in the context of you owning a home. 5. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.

  5. 4.1 Introduction to Information Security © Sebastian/AgeFotostock America, Inc.

  6. Key Information Security Terms Information security – the processes and policies designed to protect an organization's information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction Threat – any danger to which an information resource may be exposed Exposure – the harm, loss, or damage that can result if a threat compromises that resource Vulnerability – the possibility (i.e. the ‘odds’) that the system will suffer harm from a threat © Sebastian/AgeFotostock America, Inc. Example of a threat: bank attacks

  7. Get Protection • C-Net • Spyware • UNCW resources • Microsoft Security Essentials

  8. Threats / Protection • Firewalls • Anti-malware • Whitelisting and blacklisting • Encryption • Public key • Private key • Digital certificates

  9. Network issues • Virtual private network (VPN) • Secure Sockets Layer (SSL; now Transport Layer Security, TLS) – see also HTTPS • Monitor employees • Use IT audits (both internal and external) • When all else fails – business continuity plan

  10. Five Factors Increasing the Vulnerability of Information Resources Today’s interconnected, interdependent, wirelessly-networked business environment Smaller, faster, cheaper computers and storage devices Decreasing skills necessary to be a hacker Organized crime taking over cybercrime Lack of management support

  11. Networked Business Environment Especially WIRELESS networks

  12. Smaller, Faster Devices © laggerbomber-Fotolia.com © Dragonian/iStockphoto © PhotoEdit/Alamy Limited

  13. Decreasing Skills Needed to be a Hacker New and easier tools make it very easy to attack the network; at the same time, attacks are becoming increasingly sophisticated © Sven Taubert/Age Fotostock America, Inc.

  14. Organized Crime Taking Over Cybercrime An international threat Are government agencies involved in cybercrime? © Stockbroker xtra/AgeFotostock America, Inc.

  15. Lack of Management Support © Sigrid Olsson/Photo Alto/Age Fotostock

  16. 4.2 Unintentional Threats to Information Systems George Doyle/ImageSource Limited

  17. Security Threats

  18. Most Dangerous Employees Human resources and MIS: these employees have broad access to the organization's information (HR to personal and payroll data, MIS to the systems themselves) The biggest threat to the security of an organization’s information assets is the company’s own employees © WAVEBREAKMEDIA LTD/Age Fotostock America, Inc.

  19. Consultants, Janitors and Security Guards Source: YouraPechkin/iStockphoto © fatihhoca/iStockphoto These people are often given wide physical or system access with little supervision

  20. Human Errors • Carelessness with laptops and portable computing devices • Opening questionable e-mails • Careless Internet surfing • Poor password selection and use • And more

  21. Social Engineering Two examples Tailgating Shoulder surfing © Purestock/Age Fotostock America, Inc

  22. The “King” of Social Engineering Hacker Caught: Kevin Mitnick • Social engineering exploits an unintentional human error on the part of an employee, but it is the result of a deliberate action on the part of an attacker • Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him See his company here

  23. 4.3 Deliberate Threats to Information Systems

  24. There are many types of deliberate attacks including: • Espionage or trespass • Information extortion • Sabotage or vandalism • Theft of equipment or information • Identity theft • Compromises to intellectual property • Software attacks • Alien software • Supervisory control and data acquisition (SCADA) attacks • Cyberterrorism and cyberwarfare

  25. Deliberate Threats Espionage or trespass Information extortion Sabotage or vandalism Theft of equipment or information • For example, dumpster diving © Diego Cervo/Age Fotostock America, Inc.

  26. Deliberate Threats (continued) Identity theft Identity theft video Compromises to intellectual property Frederic Lucano/Stone/Getty Images, Inc.

  27. Deliberate Threats (continued) Software attacks Virus – segment of malicious computer code attached to another computer program Worm – segment of malicious computer code that does not require another computer program to spread (see the Stuxnet Worm) Trojan horse – software program that hides inside another, apparently legitimate, program and reveals its designed behavior only when it is activated Logic Bomb – segment of malicious computer code that causes damage at a specified time or when a specified condition is met

  28. Deliberate Threats (continued) Software attacks(continued) Phishing attacks • Phishing slideshow • Phishing quiz • Phishing example • Phishing example Distributed denial-of-service attacks • See botnet demonstration

  29. How to Detect a Phish E-mail

  30. Is the email really from eBay, or PayPal, or a bank? As phishers get better, their emails look more genuine. How do you tell if it’s a scam and phishing for personal information? Here’s how ...

  31. Is the email really from eBay, or PayPal, or a bank? As an example, here is what the email said: • Return-path: <service@paypal.com> • From: "PayPal"<service@paypal.com> • Subject: You have 1 new Security Message Alert ! Note that they even give advice in the right column about security

  32. Example Continued – bottom of the email

  33. How to see what is happening View Source • In Outlook, right click on email, click ‘view source’ • In GroupWise, open email and click on the Message Source tab • In Mozilla Thunderbird, click on View, and Source. • Below is the part of the text that makes the email look official – the images came from the PayPal website.

  34. In the body it said, “If you are traveling, ‘Travelling Confirmation Here’.” Notice that the link not only does not go to PayPal, it goes to a bare IP address: two giveaways of a fraudulent link. View Source – The Real Link

  35. View Source Another Example – Amazon
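The checks walked through in slides 29 to 35 (view the source, find the real link behind the visible text, notice that it is a bare IP address rather than the brand's domain) can be automated. The script below is an added example written for this page, not code from the slides or from any vendor; the message it scans is constructed to match the slides' description, and the IP address, the decoy domain and the image path in it are placeholders. It parses the raw message with Python's standard `email` module, pulls every link out of the HTML body, and flags links whose target is an IP literal, whose domain differs from the claimed sender's domain, or whose visible text names one host while the `href` goes to another. Note that `From:` and `Return-Path:` are attacker-controlled (the slides show them forged), so they are treated only as the *claimed* identity to compare links against, never as proof of origin.

```python
import email
import email.utils
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape the slides describe: headers that claim
# paypal.com, an image loaded from the real brand site, and a link whose
# real target is a bare IP address. 203.0.113.45 and example.net are
# documentation addresses, not real hosts; the image path is made up.
SAMPLE_EMAIL = """\
Return-Path: <service@paypal.com>
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: You have 1 new Security Message Alert !
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://www.paypal.com/images/logo.gif">
<p>If you are traveling, <a href="http://203.0.113.45/cgi-bin/webscr">Travelling Confirmation Here</a></p>
<p>Help center: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
<p>Log in at <a href="https://paypal.com.example.net/login">www.paypal.com</a></p>
</body></html>
"""

# Visible link text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'last two labels' owner domain. Enough for the brands in this
    demo; a real tool would consult a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(raw):
    """Return the suspicious links in a raw message with the reasons each was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    # From:/Return-Path: are forgeable, so this is only the *claimed* sender.
    claimed = email.utils.parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1]
    body = msg.get_body(preferencelist=("html",)).get_content()
    parser = LinkExtractor()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if is_ip_literal(host):
            reasons.append("link target is a bare IP address")
        elif registrable(host) != registrable(claimed):
            reasons.append(f"link goes to {registrable(host)}, not {registrable(claimed)}")
        if URL_LIKE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != registrable(host):
                reasons.append(f"visible text shows {shown} but href goes to {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print(finding["href"], "<-", repr(finding["text"]))
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run against the constructed message, the help-center link passes (domain and visible text both agree with the claimed sender) while the IP-address link and the look-alike `paypal.com.example.net` link are reported. Mail user agents differ in how they expose the source (the slides list Outlook, GroupWise and Thunderbird), but once you have the raw text the analysis is the same.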

  36. Deliberate Threats (continued) Alien Software Spyware (see Microsoft) Spamware Cookies © Manfred Grafweg/Age Fotostock America, Inc.

  37. Example of CAPTCHA

  38. Deliberate Threats (continued) Supervisory control and data acquisition (SCADA) attacks © SergeyTitov/iStockphoto

  39. What if a SCADA attack were successful? Northeastern U.S. power outage in 2003 (not a cyber attack, but an illustration of what a successful one could cause) Results in NYC: many tourists simply slept on the street or in hotel lobbies, as elevators were not working; hundreds of thousands of people walked home from Manhattan during the blackout Could cyber attacks on the U.S. power grid work?

  40. Example of SCADA attack (and cyberwarfare) The Stuxnet Worm (IT’s About Business 7.2) © Vladimir Mucibabic/Age Fotostock America, Inc.

  41. 4.4 What Organizations Are Doing to Protect Themselves

  42. Risk Management Risk Risk management Risk analysis Risk mitigation © Youri van der Schalk/Age Fotostock America, Inc.

  43. Risk Mitigation Strategies Risk Acceptance Risk limitation Risk transference

  44. 4.5 Information Security Controls Physical controls Access controls Communications (network) controls

  45. Where Defense Mechanisms (Controls) Are Located

  46. Access Controls Authentication Something the user is (biometrics powerpoints) • Video on biometrics • The latest biometric: gait recognition Something the user has Something the user does Something the user knows • passwords • passphrases

  47. Access Controls (continued) Authorization Privilege Least privilege
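Slides 46 and 47 separate the two halves of an access control: authentication (here "something the user knows", a password) and authorization under least privilege. The following is an added example written for this page, not code from the slides; the account names, passwords and privilege pairs are constructed, and the PBKDF2 work factor is an assumed demo value. Passwords are stored only as salted, stretched hashes; authorization is an explicit allow-list of (action, resource) pairs per account, so anything not granted is denied by default, and the check order is always authenticate first, then authorize.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # assumed work factor for the demo


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(store, username, password, privileges):
    """Store a salted, stretched hash (never the password) plus an explicit
    allow-list of (action, resource) pairs; everything not listed is denied."""
    salt = os.urandom(16)
    store[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "privileges": frozenset(privileges),
    }


def authenticate(store, username, password):
    """'Something the user knows': prove knowledge of the password."""
    rec = store.get(username)
    if rec is None:
        _hash_password(password, b"\x00" * 16)   # spend the same time for unknown users
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def authorize(store, username, action, resource):
    """Least privilege: a user may do only what was explicitly granted."""
    rec = store.get(username)
    return rec is not None and (action, resource) in rec["privileges"]


def access(store, username, password, action, resource):
    """Authentication first (who are you?), then authorization (what may you do?)."""
    if not authenticate(store, username, password):
        return "denied: authentication failed"
    if not authorize(store, username, action, resource):
        return "denied: not authorized"
    return "allowed"


# Constructed accounts: an HR clerk who needs payroll data, and a night guard
# who needs the server-room door and nothing else (slides 18 and 19).
STORE = {}
create_user(STORE, "hr_clerk", "correct horse battery staple",
            [("read", "payroll"), ("update", "employee-record")])
create_user(STORE, "night_guard", "g4te-k33p3r",
            [("enter", "server-room")])


if __name__ == "__main__":
    print(access(STORE, "hr_clerk", "correct horse battery staple", "read", "payroll"))
    print(access(STORE, "night_guard", "g4te-k33p3r", "read", "payroll"))
    print(access(STORE, "hr_clerk", "wrong password", "read", "payroll"))
```

The guard's correct password gets him through the server-room door but not into payroll, which is the least-privilege point of slide 47: a successful login grants only the privileges the role was explicitly given.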

  48. Communications Controls • Firewalls • Anti-malware systems • Whitelisting and Blacklisting • Encryption
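Slides 8 and 48 list encryption among the communications controls and name its building blocks: public key, private key and digital certificates. The block below is an added example written for this page, not code from the slides or from any library; it is textbook RSA built from fixed, well-known primes so the relationship between the two keys is visible, and a certificate is modelled as a JSON body signed by a certificate authority's private key. The primes, key sizes, subject name and message are constructed for the demo. It is for illustration only: real systems use 2048-bit or larger keys, padding (OAEP for encryption, PSS for signatures) and a vetted cryptographic library.

```python
import hashlib
import json


def make_keypair(p, q, e=65537):
    """Return (public_key, private_key) as (n, exponent) tuples."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse; needs gcd(e, phi) == 1 (true for these primes)
    return (n, e), (n, d)


# Two key pairs: one for the site (the certificate subject) and one for a
# certificate authority. Well-known primes chosen for the demo only.
SUBJECT_PUB, SUBJECT_PRIV = make_keypair(1_000_000_007, 998_244_353)
CA_PUB, CA_PRIV = make_keypair(2**31 - 1, 2**61 - 1)


def encrypt(m, pub):
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(c, priv):
    n, d = priv
    return pow(c, d, n)


def _digest(msg, n):
    """SHA-256 of the message, reduced into the key's range."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg, priv):
    """Only the private-key holder can sign; anyone can verify with the public key."""
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(msg, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def issue_certificate(subject, subject_pub, ca_priv):
    """A certificate binds an identity to a public key under the CA's signature."""
    body = {"subject": subject, "n": subject_pub[0], "e": subject_pub[1]}
    tbs = json.dumps(body, sort_keys=True).encode()   # canonical 'to be signed' bytes
    return {**body, "ca_sig": sign(tbs, ca_priv)}


def check_certificate(cert, ca_pub):
    """Verify the CA's signature; a changed subject or key makes this fail."""
    body = {k: cert[k] for k in ("subject", "n", "e")}
    tbs = json.dumps(body, sort_keys=True).encode()
    return verify(tbs, cert["ca_sig"], ca_pub)


if __name__ == "__main__":
    cert = issue_certificate("www.example.com", SUBJECT_PUB, CA_PRIV)
    print("certificate valid:", check_certificate(cert, CA_PUB))
    msg = b"transfer 100 to account 42"
    sig = sign(msg, SUBJECT_PRIV)
    print("signature valid under the certified key:", verify(msg, sig, (cert["n"], cert["e"])))
    print("decrypt(encrypt(m)) == m:", decrypt(encrypt(123456789, SUBJECT_PUB), SUBJECT_PRIV) == 123456789)
```

The three operations map onto the slide's terms: the public key encrypts and verifies, the private key decrypts and signs, and the certificate lets a client trust a public key it has never seen because a CA it already trusts signed the binding between that key and the site's name. This is what HTTPS (slide 9) relies on when the browser checks the server's certificate.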

  49. Communication or Network Controls (continued) Virtual private networking Secure Sockets Layer (now Transport Layer Security, TLS) Employee monitoring systems

  50. Basic Home Firewall (top) and Corporate Firewall (bottom)
