Add to collection(s) Add to saved
  1. Social Science

Information Security

advertisement 
CHAPTER 4
Information Security
CHAPTER OUTLINE
4.1
4.2
4.3
4.4
Introduction to Information Security
Unintentional Threats to Information Security
Deliberate Threats to Information Security
What Organizations Are Doing to Protect
Information Resources
4.5 Information Security Controls
LEARNING OBJECTIVES
1. Identify the five factors that contribute to the
increasing vulnerability of information
resources, and provide a specific example of
each one.
2. Compare and contrast human mistakes and
social engineering, and provide a specific
example of each one.
3. Discuss the nine types of deliberate attacks.
LEARNING OBJECTIVES (continued)
4. Define the three risk mitigation strategies,
and provide an example of each one in the
context of you owning a home.
5. Identify the three major types of controls that
organizations can use to protect their
information resources, and provide an example
of each one.
7.1 Introduction to Information Security
© Sebastian/AgeFotostock America, Inc.
Key Information Security Terms
Information Security
Threat – a resource in danger
Exposure – the magnitude of loss or
damage
Vulnerability – the possibility (i.e. the
‘odds’) that the system will suffer
harm
© Sebastian/AgeFotostock America, Inc.
Example of a threat; bank attacks
Get Protection
 C-Net

Spyware
 UNCW resources
 Microsoft Security Essentials
Threats / Protection
 Firewalls
 Anti-malware
 Whitelisting and blacklisting
 Encryption



Public key
Private key
Digital certificates
Network issues
 Virtual private network (VPN)
 Secure socket layer (SSL) – see also HTTPS
 Monitor employees
 Use IT audits (both internal and external)
 When all else fails – business continuity plan
Five Factors Increasing the Vulnerability
of Information Resources
Today’s interconnected, interdependent,
wirelessly-networked business
environment
Smaller, faster, cheaper computers and
storage devices
Decreasing skills necessary to be a hacker
Organized crime taking over cybercrime
Lack of management support
Networked Business Environment
Especially WIRELESS networks
Smaller, Faster Devices
© laggerbomber-Fotolia.com
© Dragonian/iStockphoto
© PhotoEdit/Alamy Limited
Decreasing Skills Needed to be a Hacker
New & Easier Tools make it
very easy to attack the Network
Attacks are becoming
increasingly sophisticated
© Sven Taubert/Age Fotostock America, Inc.
Organized Crime Taking Over Cybercrime
An international threat
Are
government
agencies
involved in
cybercrime?
© Stockbroker xtra/AgeFotostock America, Inc.
Lack of Management Support
© Sigrid Olsson/Photo Alto/Age Fotostock
7.2 Unintentional Threats to
Information Systems
George Doyle/ImageSource Limited
Security Threats
Most Dangerous Employees
Human resources and MIS
These
employees hold
ALL the
information
© WAVEBREAKMEDIA LTD/Age Fotostock America, Inc.
Consultants, Janitors and Security Guards
Source: YouraPechkin/iStockphoto
© fatihhoca/iStockphoto
These employees get wide access without much supervision
Human Errors
 Carelessness with laptops and portable
computing devices
 Opening questionable e-mails
 Careless Internet surfing
 Poor password selection and use
 And more
Social Engineering
Two examples
Tailgating
Shoulder surfing
© Purestock/Age Fotostock America, Inc
The “King” of Social Engineering
Hacker Caught Kevin Mitnick
Social engineering is a typically unintentional
human error on the part of an employee, but it
is the result of a deliberate action on the part of
an attacker
 Kevin Mitnick served several years in a
federal prison. Upon his release, he opened
his own consulting firm, advising companies
on how to deter people like him
See his company here
7.3 Deliberate Threats to
Information Systems
There are many types of deliberate
attacks including:
• Espionage or Trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property
• Soft ware attacks
• Alien soft ware
• Supervisory control and data acquisition (SCADA)
attacks
• Cyberterrorism and cyberwarfare
Deliberate Threats
Espionage or trespass
Information extortion
Sabotage or vandalism
Theft of equipment or information

For example, dumpster diving
© Diego Cervo/Age Fotostock America, Inc.
Deliberate Threats (continued)
Identify theft
Identity theft video
Frederic Lucano/Stone/Getty Images, Inc.
Compromises to intellectual property
Deliberate Threats (continued)
Software attacks
Virus – segment of malicious computer code
attached to another computer program
Worm – segment of malicious computer code
that does not require another computer program
(see the Stuxnet Worm)
Trojan horse
Logic Bomb – segment of malicious
computer code that causes damage at a
specified time
Deliberate Threats (continued)
Software attacks (continued)
Phishing attacks




Phishing slideshow
Phishing quiz
Phishing example
Phishing example
Distributed denial-of-service attacks

See botnet demonstration
How to Detect a Phish E-mail
Is the email really from eBay, or
PayPal, or a bank?
As Spammers get better, their emails look
more genuine. How do you tell if it’s a scam
and phishing for personal information?
Here’s how ...
Is the email really from eBay, or PayPal,
or a bank?
As an example, here is what the email said:



Return-path: <service@paypal.com>
From: "PayPal"<service@paypal.com>
Subject: You have 1 new Security Message Alert !
Note that they even give
advice in the right column
about security
Example Continued – bottom of the email
How to see what is happening
View Source




In Outlook, right click on email, click ‘view source’
In GroupWise, open email and click on the Message Source tab
In Mozilla Thunderbird, click on View, and Source.
Below is the part of the text that makes the email look official –
the images came from the PayPal website.
View Source – The Real Link
 In the body it said, “If you are traveling,
“Travelling Confirmation Here”
 Notice that the link is not only not PayPal, it is an
IP address, 2 giveaways of a fraudulent link.
Another Example – Amazon
View Source
Deliberate Threats (continued)
Alien Software
Spyware (see Microsoft)
Spamware
Cookies
Cookie
© Manfred Grafweg/Age Fotostock America, Inc.
Example of CAPTCHA
Deliberate Threats (continued)
Supervisory control and data acquisition
(SCADA) attacks
© SergeyTitov/iStockphoto
What if a SCADA attack were successful?
Northeastern U.S. power outage in 2003
Results in NYC
Many tourists simply slept on the street or in hotel lobbies, as
elevators were not working
Hundreds of thousands of people walked home from Manhattan
during the blackout
Could cyber attacks on the U.S. power grid work?
Example of SCADA attack
(and cyberwarfare)
The Stuxnet Worm (IT’s About Business 7.2)
© Vladimir Mucibabic/Age Fotostock America, Inc.
7.4 What Organizations Are Doing
to Protect Themselves
Risk Management
Risk
Risk management
Risk analysis
Risk mitigation
© Youri van der Schalk/Age Fotostock
America, Inc.
Risk Mitigation Strategies
Risk Acceptance
Risk limitation
Risk transference
7.5 Information Security Controls
Physical controls
Access controls
Communications (network) controls
Where Defense Mechanisms
(Controls) Are Located
Access Controls
Authentication
Something the user is (biometrics powerpoints)


Video on biometrics
The latest biometric: gait recognition
Something the user has
Something the user does
Something the user knows


passwords
passphrases
Access Controls (continued)
Authorization
Privilege
Least privilege
Communications Controls
 Firewalls
 Anti-malware systems
 Whitelisting and Blacklisting
 Encryption
Communication or Network Controls
(continued)
Virtual private networking
Secure Socket Layer (now transport layer
security)
Employee monitoring systems
Basic Home Firewall (top) and
Corporate Firewall (bottom)
How Public Key Encryption
Works
How Digital Certificates Work
Virtual Private Network and Tunneling
Employee Monitoring System
Popular Employee Monitoring Systems include:
•
SpectorSoft
•
Websense
© Harald Richter/AgeFotostock America, Inc.
Business Continuity Planning, Backup,
and Recovery
Hot Site
Warm Site
Cold Site
Information Systems Auditing
Types of Auditors and Audits
Internal
External
IS Auditing Procedure
Auditing around the computer
Auditing through the computer
Auditing with the computer
Related documents
Phishing attacks
Phishing attacks
Ch04
Ch04
Information Security
Information Security
WiGLE.net New & Easier Attack Tools
WiGLE.net New & Easier Attack Tools
Internal External
Internal External
Lecture 3
Lecture 3
Chapter 2 - Department of Accounting and Information Systems
Chapter 2 - Department of Accounting and Information Systems
Business Plan Scope Sheet - Cleveland Clinic Academy
Business Plan Scope Sheet - Cleveland Clinic Academy
How Cities Work - Urban Systems Collaborative
How Cities Work - Urban Systems Collaborative
Chapter 2
Chapter 2
sequence authentication
sequence authentication
Word - Brian Martin
Word - Brian Martin
Managing Threats in a Changing World
Managing Threats in a Changing World
SWOT-Analysis-Worksheet
SWOT-Analysis-Worksheet
Web 2.0 and Social Networks Slide Notes
Web 2.0 and Social Networks Slide Notes
CHAPTER 9
CHAPTER 9
Download
advertisement