Information Technology Security

Introduction to Security
Chapter 11
Information Technology (IT) Security

Information Technology Overview
- This topic is very daunting for many security managers.
- FBI example – making upgrades to current equipment is akin to changing a tire on a speeding car – difficult to do, but you have no choice.
- This example highlights the need for quality, fully integrated IT security.

New Technologies & Security
- IP Video Surveillance – allows a company to use its existing network for video surveillance
- Voice over Internet Protocol (VoIP) – an underused technology that holds great promise
- USB Technology – presents an easy way for people to steal data or engineer their way into corporate systems
- Mesh Networks – a wireless communication system allowing both voice and data to be transmitted and received
- CTI – allows interactions on a telephone and a PC to be integrated or coordinated

Common Equipment that Can Pose Security Threats
- Laptops
- Cell phones
- PDAs and smart phones
- Fax machines
- All other telecommunication devices

Tips for Information Asset Protection
- Employees using equipment that can store info should sign a release stating that any info on it is the employer’s property.
- Use of mobile devices with cameras should be discouraged, especially around sensitive material and in locker rooms.

Tips for Information Asset Protection
- Discourage employees from storing info such as social security numbers, credit card numbers, account numbers and passwords on any wireless device.
- Be careful about posting cell numbers and email addresses.

Tips for Information Asset Protection
- Consider locking your phone when not using it, or installing software that allows you to lock it, in the event of loss/theft.
- Do not follow links in emails or text messages.
- Asset tag or engrave laptops.
- Be careful about logging onto wireless hotspots.

Other IT Security Threats:
- Trojan horses
  - Install malicious software under the guise of doing something else
- Viruses & worms
  - An FBI survey revealed that despite protection programs, 82% of organizations have been infected by a virus.

Other IT Security Threats:
- Spyware
  - A dangerous, prolific code that logs a user's activity and collects personal information, which it then sends to a third party.
- Adware
  - A relative of spyware. Typically found with free software, it displays advertisements when the program is running. It may also contain spyware.

Other IT Security Threats:
- Bots
  - A type of malware that allows an attacker to gain control over the infected computer (also called a “zombie computer”) and use a company’s network to send spam, launch attacks and infect other computers.

Targets of attack
- Intellectual property
- Trade secrets
- Patented material
- Copyrighted material

Piracy and Protection
- $23 billion lost in 2004 as a result of digital piracy of music, movies, software and games
- This piracy is accomplished through peer-to-peer sites, mass email, FTP and Web sites.
- These groups can be very difficult to penetrate and prosecute.

Piracy and Protection
Protection:
- DRM (Digital Rights Management)
  - Antipiracy technology used by digital copyright owners to control who has access to their work
- Watermark Technology
  - An evolution of watermarks on currency; it helps companies by embedding watermarks that are invisible to the human eye into pictures of their property.

Threats to Proprietary Information
- Employees – often have unrestricted access as part of their job, which puts them in an ideal position to steal information
- Vendors
- Visitors
- Discarded information and paper in trash containers

Competitive Intelligence
- What is competitive intelligence?
- Non-disclosure agreements
- Common targets of CI
- What is cloaking?

Basic Principles of Information Asset Protection
- Classifying & Labeling Information
  - Unrestricted
  - Internal Use
  - Restricted
  - Highly Restricted
- Protocols for Distribution
- Security Awareness Training
- Audits

3 Security Measures against IT Threats
1. Logical Controls
2. Physical Access Controls
3. Administrative Controls

1. Logical Controls
- Special programs written into the software
- Most common are those that require a password for access
- Data encryption

2. Physical Controls
- Restrict actual physical access to computer terminals, equipment and software
- Key and key card controls, ID badges, or biometrics are imperative
- Hardening access points such as vents, doors and windows

3. Administrative Controls
- Comprehensive background checks on all new employees
- Stressing of security during management meetings
- Having managers assume responsibility for security

Recommendations for IT Security Program
- Deploy HTTP scanning methods
- Block unnecessary protocols
- Deploy vulnerability scanning software
- Do not give out administrator privileges to all users
- Deploy corporate spyware scanning
- Educate users, enforce strict security policy within the network