Information Security
advertisement
CHAPTER 4 Information Security CHAPTER OUTLINE 4.1 4.2 4.3 4.4 Introduction to Information Security Unintentional Threats to Information Security Deliberate Threats to Information Security What Organizations Are Doing to Protect Information Resources 4.5 Information Security Controls LEARNING OBJECTIVES 1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one. 2. Compare and contrast human mistakes and social engineering, and provide a specific example of each one. 3. Discuss the nine types of deliberate attacks. LEARNING OBJECTIVES (continued) 4. Define the three risk mitigation strategies, and provide an example of each one in the context of you owning a home. 5. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one. 7.1 Introduction to Information Security © Sebastian/AgeFotostock America, Inc. Key Information Security Terms Information Security Threat – a resource in danger Exposure – the magnitude of loss or damage Vulnerability – the possibility (i.e. the ‘odds’) that the system will suffer harm © Sebastian/AgeFotostock America, Inc. Example of a threat; bank attacks Get Protection C-Net Spyware UNCW resources Microsoft Security Essentials Threats / Protection Firewalls Anti-malware Whitelisting and blacklisting Encryption Public key Private key Digital certificates Network issues Virtual private network (VPN) Secure socket layer (SSL) – see also HTTPS Monitor employees Use IT audits (both internal and external) When all else fails – business continuity plan Five Factors Increasing the Vulnerability of Information Resources Today’s interconnected, interdependent, wirelessly-networked business environment Smaller, faster, cheaper computers and storage devices Decreasing skills necessary to be a hacker Organized crime taking over cybercrime Lack of management support Networked Business Environment Especially WIRELESS networks Smaller, Faster Devices © laggerbomber-Fotolia.com © Dragonian/iStockphoto © PhotoEdit/Alamy Limited Decreasing Skills Needed to be a Hacker New & Easier Tools make it very easy to attack the Network Attacks are becoming increasingly sophisticated © Sven Taubert/Age Fotostock America, Inc. Organized Crime Taking Over Cybercrime An international threat Are government agencies involved in cybercrime? © Stockbroker xtra/AgeFotostock America, Inc. Lack of Management Support © Sigrid Olsson/Photo Alto/Age Fotostock 7.2 Unintentional Threats to Information Systems George Doyle/ImageSource Limited Security Threats Most Dangerous Employees Human resources and MIS These employees hold ALL the information © WAVEBREAKMEDIA LTD/Age Fotostock America, Inc. Consultants, Janitors and Security Guards Source: YouraPechkin/iStockphoto © fatihhoca/iStockphoto These employees get wide access without much supervision Human Errors Carelessness with laptops and portable computing devices Opening questionable e-mails Careless Internet surfing Poor password selection and use And more Social Engineering Two examples Tailgating Shoulder surfing © Purestock/Age Fotostock America, Inc The “King” of Social Engineering Hacker Caught Kevin Mitnick Social engineering is a typically unintentional human error on the part of an employee, but it is the result of a deliberate action on the part of an attacker Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him See his company here 7.3 Deliberate Threats to Information Systems There are many types of deliberate attacks including: • Espionage or Trespass • Information extortion • Sabotage or vandalism • Theft of equipment or information • Identity theft • Compromises to intellectual property • Soft ware attacks • Alien soft ware • Supervisory control and data acquisition (SCADA) attacks • Cyberterrorism and cyberwarfare Deliberate Threats Espionage or trespass Information extortion Sabotage or vandalism Theft of equipment or information For example, dumpster diving © Diego Cervo/Age Fotostock America, Inc. Deliberate Threats (continued) Identify theft Identity theft video Frederic Lucano/Stone/Getty Images, Inc. Compromises to intellectual property Deliberate Threats (continued) Software attacks Virus – segment of malicious computer code attached to another computer program Worm – segment of malicious computer code that does not require another computer program (see the Stuxnet Worm) Trojan horse Logic Bomb – segment of malicious computer code that causes damage at a specified time Deliberate Threats (continued) Software attacks (continued) Phishing attacks Phishing slideshow Phishing quiz Phishing example Phishing example Distributed denial-of-service attacks See botnet demonstration How to Detect a Phish E-mail Is the email really from eBay, or PayPal, or a bank? As Spammers get better, their emails look more genuine. How do you tell if it’s a scam and phishing for personal information? Here’s how ... Is the email really from eBay, or PayPal, or a bank? As an example, here is what the email said: Return-path: <service@paypal.com> From: "PayPal"<service@paypal.com> Subject: You have 1 new Security Message Alert ! Note that they even give advice in the right column about security Example Continued – bottom of the email How to see what is happening View Source In Outlook, right click on email, click ‘view source’ In GroupWise, open email and click on the Message Source tab In Mozilla Thunderbird, click on View, and Source. Below is the part of the text that makes the email look official – the images came from the PayPal website. View Source – The Real Link In the body it said, “If you are traveling, “Travelling Confirmation Here” Notice that the link is not only not PayPal, it is an IP address, 2 giveaways of a fraudulent link. Another Example – Amazon View Source Deliberate Threats (continued) Alien Software Spyware (see Microsoft) Spamware Cookies Cookie © Manfred Grafweg/Age Fotostock America, Inc. Example of CAPTCHA Deliberate Threats (continued) Supervisory control and data acquisition (SCADA) attacks © SergeyTitov/iStockphoto What if a SCADA attack were successful? Northeastern U.S. power outage in 2003 Results in NYC Many tourists simply slept on the street or in hotel lobbies, as elevators were not working Hundreds of thousands of people walked home from Manhattan during the blackout Could cyber attacks on the U.S. power grid work? Example of SCADA attack (and cyberwarfare) The Stuxnet Worm (IT’s About Business 7.2) © Vladimir Mucibabic/Age Fotostock America, Inc. 7.4 What Organizations Are Doing to Protect Themselves Risk Management Risk Risk management Risk analysis Risk mitigation © Youri van der Schalk/Age Fotostock America, Inc. Risk Mitigation Strategies Risk Acceptance Risk limitation Risk transference 7.5 Information Security Controls Physical controls Access controls Communications (network) controls Where Defense Mechanisms (Controls) Are Located Access Controls Authentication Something the user is (biometrics powerpoints) Video on biometrics The latest biometric: gait recognition Something the user has Something the user does Something the user knows passwords passphrases Access Controls (continued) Authorization Privilege Least privilege Communications Controls Firewalls Anti-malware systems Whitelisting and Blacklisting Encryption Communication or Network Controls (continued) Virtual private networking Secure Socket Layer (now transport layer security) Employee monitoring systems Basic Home Firewall (top) and Corporate Firewall (bottom) How Public Key Encryption Works How Digital Certificates Work Virtual Private Network and Tunneling Employee Monitoring System Popular Employee Monitoring Systems include: • SpectorSoft • Websense © Harald Richter/AgeFotostock America, Inc. Business Continuity Planning, Backup, and Recovery Hot Site Warm Site Cold Site Information Systems Auditing Types of Auditors and Audits Internal External IS Auditing Procedure Auditing around the computer Auditing through the computer Auditing with the computer
