Phishing attacks

CHAPTER 4
Information Security
CHAPTER OUTLINE
4.1 Introduction to Information Security
4.2 Unintentional Threats to Information Security
4.3 Deliberate Threats to Information Security
4.4 What Organizations Are Doing to Protect Information Resources
4.5 Information Security Controls
LEARNING OBJECTIVES
1. Identify the five factors that contribute to the
increasing vulnerability of information
resources, and provide a specific example of
each one.
2. Compare and contrast human mistakes and
social engineering, and provide a specific
example of each one.
3. Discuss the nine types of deliberate attacks.
4. Define the three risk mitigation strategies,
and provide an example of each one in the
context of you owning a home.
5. Identify the three major types of controls that
organizations can use to protect their
information resources, and provide an example
of each one.
7.1 Introduction to Information Security
Key Information Security Terms
Information Security
Threat
Exposure
Vulnerability
Example of a threat (video)
Five Factors Increasing the Vulnerability
of Information Resources
Today’s interconnected, interdependent, wirelessly-networked business environment
Smaller, faster, cheaper computers and
storage devices
Decreasing skills necessary to be a hacker
Organized crime taking over cybercrime
Lack of management support
Networked Business Environment
Smaller, Faster Devices
Decreasing Skills Needed to be a Hacker
New and easier tools make it very easy to attack the network
Attacks are becoming increasingly sophisticated
Organized Crime Taking Over Cybercrime
Lack of Management Support
7.2 Unintentional Threats to
Information Systems
Security Threats
Most Dangerous Employees
Human resources and MIS
These employees have access to all of the organization’s information (personnel records and the systems that hold the data)
Consultants, Janitors and Security Guards
Human Errors
Carelessness with laptops and portable
computing devices
Opening questionable e-mails
Careless Internet surfing
Poor password selection and use
And more
Social Engineering
Two examples
Tailgating
Shoulder surfing
The “King” of Social Engineering
60 Minutes Interview with Kevin Mitnick
Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him.
See his company here
7.3 Deliberate Threats to
Information Systems
There are many types of deliberate attacks, including:
• Espionage or trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property
• Software attacks
• Alien software
• Supervisory control and data acquisition (SCADA) attacks
• Cyberterrorism and cyberwarfare
Deliberate Threats
Espionage or trespass
Information extortion
Sabotage or vandalism
Theft of equipment or information

For example, dumpster diving
Deliberate Threats (continued)
Identity theft
Identity theft video
Compromises to intellectual property
Deliberate Threats (continued)
Software attacks
Virus
Worm
1988: first widespread worm, created by Robert T. Morris, Jr.
(see the rapid spread of the Slammer worm)
Trojan horse
Logic Bomb
Deliberate Threats (continued)
Software attacks (continued)
Phishing attacks
Phishing slideshow
Phishing quiz
Phishing example
Distributed denial-of-service attacks
See botnet demonstration
How to Detect a Phish E-mail
Is the email really from eBay, or PayPal, or a bank?
As spammers get better, their emails look more genuine. How do you tell if it’s a scam and phishing for personal information?
Here’s how ...
As an example, here is what the email said:
Return-path: <service@paypal.com>
From: "PayPal"<service@paypal.com>
Subject: You have 1 new Security Message Alert !
Note that they even give advice in the right column about security
Example Continued – bottom of the email
How to see what is happening
View Source
• In Outlook, right-click the email and click ‘View Source’.
• In GroupWise, open the email and click the Message Source tab.
• In Mozilla Thunderbird, click View, then Source.
Below is the part of the text that makes the email look official: the images are loaded straight from the PayPal website, so the message looks exactly like a real one.
View Source – The Real Link
• In the body it said, “If you are traveling, Travelling Confirmation Here”
• Here is where you are really being sent:
href=3Dftp://futangiu:futangiu@209.202.224.140/index.htm
• The “=3D” is how the raw (quoted-printable) message source encodes “=”; decoded, the link is ftp://futangiu:futangiu@209.202.224.140/index.htm
• Notice that the link is not only not PayPal, it is an IP address: two giveaways of a fraudulent link. The ftp:// scheme and the username:password embedded in the URL are two more.
Another Example – Amazon
View Source
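The checks on the slides above (decode the quoted-printable source, find the real href behind the link text, look for an IP-address host that is not the sender’s domain) can be automated. The following Python script is an added example, not code from the original slides. The message it parses is constructed for the demonstration: only the three headers and the ftp:// link quoted on the slides are taken from the page, the rest of the body is made up. The registrable-domain check is a deliberate simplification (no public-suffix list), and the function and variable names are the example’s own.

```python
"""Apply the slides' 'view source' phishing heuristics to a raw e-mail."""
import email
import email.utils
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, modelled on the slides' PayPal example: the headers and
# the ftp:// href are the ones shown there; the rest of the body is made up.
# The body is quoted-printable, so "=3D" is "=" and a line ending in "=" is a
# soft line break (that is why the href is split into "in=" / "dex.htm").
SAMPLE_EMAIL = """\
Return-path: <service@paypal.com>
From: "PayPal" <service@paypal.com>
Subject: You have 1 new Security Message Alert !
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

<html><body>
<p>If you are traveling, <a href=3Dftp://futangiu:futangiu@209.202.224.140/in=
dex.htm>Travelling Confirmation Here</a></p>
<p>Read our <a href=3Dhttps://www.paypal.com/security>security advice</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'example.com' from 'www.example.com'. Simplification: no
    public-suffix list, so it is wrong for hosts such as 'foo.co.uk'."""
    return ".".join(host.lower().split(".")[-2:])


def check_link(href, text, sender_domain):
    """Return the reasons this link looks suspicious (empty list if none)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname
    if host is None:                      # mailto:, relative link, etc.
        return reasons
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}, not https")
    try:                                  # the slide's 'it is an IP address'
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass                              # an ordinary hostname
    if parts.username is not None:        # user:pass@ in the URL
        reasons.append("URL embeds a username/password")
    if registrable_domain(host) != sender_domain:
        reasons.append(f"host {host!r} is not under {sender_domain!r}")
    # Visible text that names a different host than the real destination.
    shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"text shows {shown.group(1)!r} but link goes to {host!r}")
    return reasons


def analyse(raw_message):
    """Parse a raw e-mail, decode its body, and rate every link in it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, sender = email.utils.parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(sender.rpartition("@")[2])
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""   # QP decoded here
    collector = _LinkCollector()
    collector.feed(html)
    return [{"href": href, "text": text,
             "reasons": check_link(href, text, sender_domain)}
            for href, text in collector.links]


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(f"{verdict:10} {finding['text']!r} -> {finding['href']}")
        for reason in finding["reasons"]:
            print(f"             - {reason}")
```

The sender domain is taken from the From: header only because that is what the recipient sees; a forged From: is exactly what a phisher controls, so in practice the link checks carry the weight and the From: comparison is a tie-breaker, not proof of legitimacy.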
Deliberate Threats (continued)
Alien Software
Spyware (see video)
Spamware
Cookies
Cookie demo
Example of CAPTCHA
Deliberate Threats (continued)
Supervisory control and data acquisition
(SCADA) attacks
What if a SCADA attack were successful?
Northeastern U.S. power outage in 2003 (caused by a utility’s alarm-software failure and operator error, not by an attack, but it shows what a successful attack on the grid could do)
Results in NYC:
Many tourists simply slept on the street or in hotel lobbies, as elevators were not working
Hundreds of thousands of people walked home from Manhattan during the blackout
Example of SCADA attack
(and cyberwarfare)
The Stuxnet Worm (IT’s About Business 7.2)
Cyberwarfare and Cyberterrorism
See video of the cyberwarfare directed at Estonia (2007)
7.4 What Organizations Are Doing
to Protect Themselves
Risk Management
Risk
Risk management
Risk analysis
Risk mitigation
Risk Mitigation Strategies
Risk Acceptance
Risk limitation
Risk transference
7.5 Information Security Controls
Physical controls
Access controls
Communications (network) controls
Where Defense Mechanisms
(Controls) Are Located
Access Controls
Authentication
Something the user is (biometrics)
Video on biometrics
The latest biometric: gait recognition
Something the user has
Something the user does
Something the user knows
passwords
passphrases
Access Controls (continued)
Authorization
Privilege
Least privilege
Communications Controls
• Firewalls
• Anti-malware systems
• Whitelisting and blacklisting
• Encryption
Communication or Network Controls (continued)
Virtual private networking
Secure Sockets Layer (SSL), now Transport Layer Security (TLS)
Employee monitoring systems
Basic Home Firewall (top) and Corporate Firewall (bottom)
How Public Key Encryption Works
How Digital Certificates Work
Virtual Private Network and Tunneling
Employee Monitoring System
Popular Employee Monitoring Systems include:
• SpectorSoft
• Websense
Business Continuity Planning, Backup,
and Recovery
Hot Site
Warm Site
Cold Site
Information Systems Auditing
Types of Auditors and Audits
Internal
External
IS Auditing Procedure
Auditing around the computer
Auditing through the computer
Auditing with the computer
Chapter Closing Case
• The Business Problem
• The IT Solutions
• The Results