20101102_The Need for Security v1.2

The Need for Security
Lecture #2
Learning Objectives
Understand the business need for information security
Understand that a successful information security program is the responsibility of both an organisation's general management and its IT management
Identify the threats posed to information security and the
more common attacks associated with those threats
Differentiate threats to the information within systems
from attacks against the information within systems
The primary mission of information security is to ensure that systems and their contents stay the same
If there were no threats, resources could be focused on improving systems, resulting in vast improvements in ease of use and usefulness
Attacks on information systems are a daily occurrence
Business Needs First, Technology Needs Last
Information security performs four important functions for an organisation
Protects ability to function
Enables safe operation of applications implemented on its IT systems
Protects data the organisation collects and uses
Safeguards technology assets in use
Protecting the Functionality of an Organisation
Management (general and IT) is responsible for protecting the organisation's ability to function
Many managers shy away from this because of its technical complexity
Information security has more to do with management
than with technology
Information security is both a management issue and a people issue
Organisation should address information security in
terms of business impact and cost
Enabling the Safe Operation of Applications
Organisations are under pressure
Organisations need environments that safeguard the applications running on their IT systems
Management must continue to oversee the infrastructure once it is in place, not defer to the IT department
Protecting Data that Organisations Collect and Use
One of an organisation's most valuable assets is its data
An organisation without data loses its record of transactions and/or its ability to deliver value to customers
Protecting data in motion and data at rest both critical
aspects of information security
Safeguarding Technology Assets in Organisations
Organisations must have secure infrastructure services
based on size and scope of enterprise
Additional security services may be needed as
organisation expands
More robust solutions may be needed to replace security
programs the organisation has outgrown
Threat: an object, person, or other entity that represents a constant danger to an asset
Management must be informed of the different threats
facing the organisation
By examining each threat category, management can more effectively protect information through policy, education, training, and technology controls
Threats are divided into twelve categories, which are organised into the five groups below:
Inadvertent acts
Deliberate acts
Acts of God
Technical failures
Management failures
Threat Group 1: Inadvertent Acts
Malicious intent is absent or cannot be proven
Two threat categories:
Acts of human error or failure
Deviations in quality of service by service providers
Acts of Human Error or Failure
Includes acts performed without malicious intent
Causes include:
Improper training
Incorrect assumptions
These acts are among the greatest threats to an organisation's data
Acts of Human Error or Failure
Such mistakes can easily lead to:
Revelation of classified data
Entry of erroneous data
Accidental data deletion or modification
Data storage in unprotected areas
Failure to protect information
Many of these threats can be prevented with controls
Deviations in Quality of Service
Includes situations where products or services are not delivered as expected
Information system depends on many interdependent
support systems
This degradation is a form of availability disruption
Internet service, communications, and power
irregularities dramatically affect availability of information
and systems
Internet Service Issues
Internet service provider (ISP) failures can considerably
undermine availability of information
An outsourced Web hosting provider assumes responsibility for all Internet services as well as the hardware and Web site operating system software
Service level agreements (SLAs) are usually arranged to set the expected level of service
Communications and Other Service Provider Issues
Other utility services affect organisations: telephone,
water, wastewater, trash pickup, etc.
Loss of these services can affect an organisation's ability to function
Power Irregularities
Lead to fluctuations such as power excesses, power
shortages, and power losses
The voltage levels:
Uninterruptible power supply (UPS)
Threat Group 2: Deliberate Acts
Purposeful acts to harm people,
organisations or culture
Six threat categories:
Deliberate acts of espionage or trespass
Deliberate acts of information extortion
Deliberate acts of sabotage or vandalism
Deliberate acts of theft
Deliberate acts of software attacks
Compromises to intellectual property
Deliberate Acts of Espionage or Trespass
Access of protected information by unauthorised individuals
Competitive intelligence (legal) vs. industrial espionage
Shoulder surfing occurs anywhere a person accesses
confidential information
Deliberate Acts of Espionage or Trespass
The threat of trespass can lead to unauthorised, real or virtual actions that enable information gatherers to enter premises or systems
Controls mark the boundaries of an organisation's cyberspace and let trespassers know they are encroaching on it
Sound authentication and authorisation practices help enforce those boundaries
Deliberate Acts of Espionage or Trespass
Hackers use skill, guile, or fraud to bypass controls protecting others' information
"People who use and create computer software for enjoyment" or "to gain access to information illegally"
Deliberate Acts of Espionage or Trespass
Expert hacker
Develops software scripts and program exploits
Usually a master of many skills
Will often create attack software and share with others
Deliberate Acts of Espionage or Trespass
Unskilled hacker
Many more unskilled hackers than expert hackers
Use expertly written software to exploit a system
Do not usually fully understand the systems they hack
Deliberate Acts of Espionage or Trespass
Other terms for system rule breakers:
Script kiddy: uses expertly written software to exploit a system
Cracker: "cracks" or removes software protection designed to prevent unauthorised duplication
Phreaker: hacks the public telephone network
Deliberate Acts of Information Extortion
Attacker steals information from a computer system and demands compensation for its return or nondisclosure
Commonly done in credit card number theft
Deliberate Acts of Sabotage or Vandalism
Attacks on the face of an organisation: its Web site
Threats can range from petty vandalism to
Web site defacement can erode consumer confidence, dropping sales and the organisation's net worth
Deliberate Acts of Sabotage or Vandalism
Hacktivist or Cyberactivist
Technology becomes a tool for high-tech civil disobedience
Hacking to protest the operations, policies or actions of an
organisation or government agencies
Deliberate Acts of Sabotage or Vandalism
Cyberterrorism: "The premeditated, politically motivated attack against information, computer systems, computer programs and data which result in violence against noncombatant targets by subnational groups or clandestine agents."
The use of hacking as a method for conducting terrorist
activities through network or Internet pathways
Deliberate Acts of Theft
Illegal taking of another's property
The property can be physical, electronic or intellectual
Physical theft is controlled relatively easily
Electronic theft is a more complex problem; evidence of the crime is not readily apparent
Deliberate Software Attacks
Malicious software (malware) designed to damage,
destroy, or deny service to target systems
Includes viruses, worms, Trojan horses, logic bombs, back doors, and denial-of-service attacks
Deliberate Software Attacks
Viruses
Segments of code that perform malicious actions
The code attaches itself to an existing program and takes control of that program's access to the targeted computer
Macro virus
Boot virus
Deliberate Software Attacks
Worms
Malicious programs that replicate themselves constantly
Can continue replicating until they completely fill the available resources
Can redistribute themselves
Can deposit copies onto Web servers
Deliberate Software Attacks
Trojan horses
Software programs that hide their true nature and reveal their designed behaviour only when activated
Back door or trap door
Allows the attacker to access the system at will with special privileges
Deliberate Software Attacks
A polymorphic threat is one that changes its apparent shape over time, presenting a new threat not detectable by techniques that look for a preconfigured signature
Virus and worm hoaxes
Random e-mails warning of the latest and most dangerous viruses, which are fictitious
Compromises to Intellectual Property
Intellectual property (IP): "ownership of ideas and control over the tangible or virtual representation of those ideas"
The most common IP breaches involve software piracy
Enforcement of copyright law has been attempted with
technical security mechanisms
Digital watermark
Embedded code
Online registration
Threat Group 3: Acts of God
Threats that result from forces of nature that cannot be prevented or controlled
One threat category:
Forces of nature
Forces of Nature
Forces of nature are among the most dangerous threats
Disrupt not only individual lives, but also storage,
transmission, and use of information
Organisations must implement controls to limit damage
and prepare contingency plans for continued operations
Forces of Nature
Tornado or severe windstorm
Hurricane or typhoon
Electrostatic discharge
Dust contamination
Threat Group 4: Technical Failures
Machines break in unexpected ways
Two threat categories:
Technical hardware failures or errors
Technical software failures or errors
Technical Hardware Failures or Errors
Occur when a manufacturer distributes equipment containing flaws to users
Can cause system to perform outside of expected
parameters, resulting in unreliable or poor service
Some errors are terminal; some are intermittent
Murphy's Law: "if something can possibly go wrong, it will"
Technical Software Failures or Errors
Purchased software that contains unrevealed faults
Combinations of certain software and hardware can
reveal new software bugs
Sometimes they are purposeful shortcuts (trap doors)
Threat Group 5: Management Failures
Lack of planning and foresight to anticipate the technology needed for evolving business requirements
One threat category:
Technological obsolescence
Technological Obsolescence
Antiquated or outdated infrastructure can lead to unreliable, untrustworthy systems
Management's strategic planning should always include an analysis of the current technology in the organisation
Proper managerial planning should prevent technological obsolescence; IT plays a large role
Attack: an act or action that exploits a vulnerability (i.e., an identified weakness) in a controlled system
Accomplished by a threat agent that damages or steals an organisation's information
Exploit: a technique used to compromise a system
Vulnerability: an identified weakness in a controlled system
Malicious code: includes execution of viruses, worms,
Trojan horses, and active Web scripts with intent to
destroy or steal information
Hoaxes: transmission of a virus hoax with a real virus
attached; more devious form of attack
Back door: gaining access to a system or network using a known or previously unknown/newly discovered access mechanism
Password crack: attempting to reverse-calculate a password, typically from its stored hash
Brute force: trying every possible combination of options for a password
Dictionary: selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide the guesses
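The two password-cracking styles just listed differ only in where the guesses come from. The following is an added example written for these notes, not code from the lecture or its textbook: it runs a dictionary attack and then an exhaustive brute-force attack against a constructed credential store. The store, its users, salts, passwords and the toy wordlist are all made up for the demo, and the hash scheme (SHA-256 over salt and password) is an assumption chosen so the example runs quickly offline.

```python
import hashlib
import itertools
import string

# Constructed credential store: username -> (salt, hex digest).
# The hash scheme is an assumption for this demo (SHA-256 over salt || password);
# a production store should use a slow KDF (PBKDF2, bcrypt, scrypt or Argon2)
# so that every guess below costs the attacker far more.
def hash_password(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

SAMPLE_STORE = {
    "alice": (b"\x11" * 8, hash_password(b"\x11" * 8, "welcome1")),  # in any wordlist
    "bob":   (b"\x22" * 8, hash_password(b"\x22" * 8, "x7q")),       # short, not in wordlist
}

# Constructed toy wordlist standing in for a real one (e.g. a leaked-password list).
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "admin"]


def dictionary_attack(salt, target_hash, wordlist):
    """Dictionary attack: hash each commonly used password and compare.
    Returns (password, guesses_made) or (None, guesses_made)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hash_password(salt, candidate) == target_hash:
            return candidate, guesses
    return None, len(wordlist)


def brute_force(salt, target_hash, alphabet, max_len):
    """Brute force: try every combination of the alphabet up to max_len.
    The search space grows as len(alphabet) ** length, which is why this is
    only feasible here for very short passwords."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hash_password(salt, candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def audit(store, wordlist, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Run the cheap dictionary attack first and fall back to brute force.
    Returns {user: (method, password, guesses)} for every cracked account."""
    cracked = {}
    for user, (salt, digest) in store.items():
        pw, n = dictionary_attack(salt, digest, wordlist)
        if pw is not None:
            cracked[user] = ("dictionary", pw, n)
            continue
        pw, n = brute_force(salt, digest, alphabet, max_len)
        if pw is not None:
            cracked[user] = ("brute-force", pw, n)
    return cracked


if __name__ == "__main__":
    for user, (method, pw, n) in audit(SAMPLE_STORE, WORDLIST).items():
        print(f"{user}: {pw!r} recovered by {method} after {n} guesses")
```

Running `audit` shows the asymmetry the notes describe: the dictionary attack recovers "welcome1" in five guesses, while the brute-force fallback needs tens of thousands of guesses even for a three-character password drawn from 36 symbols. The defender's levers are the same as in the list above: stop users from picking wordlist passwords, and make each guess expensive with a slow, salted KDF.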
Denial-of-service (DoS): attacker sends a large number of connection or information requests to a target
The target system cannot handle them successfully along with other, legitimate service requests
May result in a system crash or an inability to perform ordinary functions
Distributed denial-of-service (DDoS): coordinated stream
of requests is launched against target from many
locations simultaneously
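The practical difference between DoS and DDoS shows up in what a detector can key on: a single flooding source versus a high aggregate rate spread across many sources that each look almost normal. The following is an added example for these notes, not code from the lecture or its textbook. It builds a constructed connection log (not real traffic; the addresses are from the documentation ranges) containing ordinary traffic, a single-source flood and a distributed flood, then buckets requests into fixed time windows and flags both patterns. The window length and the two thresholds are hypothetical tuning values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)  # reference point for timezone-free bucketing


def build_sample_log():
    """Constructed log for this example, one request per line:
    '<ISO timestamp> <source IP> <request>'. Three situations are embedded:
      1. ordinary traffic: five requests from five distinct hosts
      2. DoS: one host (203.0.113.7) sends 60 requests within ten seconds
      3. DDoS: 50 hosts (198.51.100.x) send 4 requests each within ten seconds"""
    lines = []
    for i in range(5):
        lines.append(f"2010-11-02T12:00:{i:02d} 192.0.2.{10 + i} GET /index.html")
    for i in range(60):
        lines.append(f"2010-11-02T12:01:{i % 10:02d} 203.0.113.7 GET /search?q={i}")
    for host in range(50):
        for j in range(4):
            lines.append(f"2010-11-02T12:02:{j * 2:02d} 198.51.100.{host + 1} GET /login")
    return lines


def parse_line(line):
    ts, src, _request = line.split(" ", 2)
    return datetime.fromisoformat(ts), src


def detect_floods(lines, window_seconds=10, per_source_limit=20, aggregate_limit=100):
    """Bucket requests into fixed windows and report, per window:
      ('dos',  [sources])  one or more sources exceeded per_source_limit
      ('ddos', n_sources)  aggregate exceeded aggregate_limit while no single
                           source exceeded per_source_limit (many quiet senders)
    Thresholds are hypothetical; returns a list of (window_start_iso, kind, detail)."""
    per_window = defaultdict(Counter)
    for line in lines:
        ts, src = parse_line(line)
        secs = int((ts - EPOCH).total_seconds())
        bucket = secs - secs % window_seconds
        per_window[bucket][src] += 1

    findings = []
    for bucket in sorted(per_window):
        counts = per_window[bucket]
        start = (EPOCH + timedelta(seconds=bucket)).isoformat()
        noisy = [s for s, n in counts.items() if n > per_source_limit]
        total = sum(counts.values())
        if noisy:
            findings.append((start, "dos", noisy))
        elif total > aggregate_limit:
            findings.append((start, "ddos", len(counts)))
    return findings


if __name__ == "__main__":
    for start, kind, detail in detect_floods(build_sample_log()):
        print(f"{start} {kind.upper()}: {detail}")
```

Note the blind spot the second branch is there for: a per-source rate limit alone never fires on the distributed flood, because each of the 50 senders stays under the limit. Blocking the single noisy address is the right response to the first window, but the second window needs aggregate-rate controls or upstream help.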
Spoofing: technique used to gain unauthorised access; the intruder assumes a trusted IP address
Man-in-the-middle: attacker monitors network packets,
modifies them, and inserts them back into network
Spam: unsolicited commercial e-mail; more a nuisance than an attack, though it is emerging as a vector for some attacks
Mail bombing: also a form of DoS; the attacker routes large quantities of e-mail to the target
Sniffers: program or device that monitors data traveling
over network; can be used both for legitimate purposes
and for stealing information from a network
Social engineering: using social skills to convince people
to reveal access credentials or other valuable information
to attacker
"People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything." - Kevin Mitnick
Buffer overflow: application error occurring when more data is sent to a buffer than it can handle
Timing attack: relatively new; works by exploring the contents of a Web browser's cache to create malicious
Unlike any other aspect of IT, information security's primary mission is to ensure things stay the way they are
Information security performs four important functions:
Protects the organisation's ability to function
Enables safe operation of applications implemented on the organisation's IT systems
Protects data the organisation collects and uses
Safeguards the technology assets in use at the organisation
Threat: object, person, or other entity representing a
constant danger to an asset
Management effectively protects its information through
policy, education, training, and technology controls
Attack: a deliberate act that exploits a vulnerability