Transcript ch04
CHAPTER 4
Information Security
CHAPTER OUTLINE
4.1 Introduction to Information Security
4.2 Unintentional Threats to Information Security
4.3 Deliberate Threats to Information Security
4.4 What Organizations Are Doing to Protect Information Resources
4.5 Information Security Controls
LEARNING OBJECTIVES
1. Identify the five factors that contribute to the
increasing vulnerability of information
resources, and provide a specific example of
each one.
2. Compare and contrast human mistakes and
social engineering, and provide a specific
example of each one.
3. Discuss the nine types of deliberate attacks.
LEARNING OBJECTIVES (continued)
4. Define the three risk mitigation strategies,
and provide an example of each one in the
context of you owning a home.
5. Identify the three major types of controls that
organizations can use to protect their
information resources, and provide an example
of each one.
7.1 Introduction to Information Security
Key Information Security Terms
Information Security
Threat – a resource in danger
Exposure – the magnitude of loss or damage
Vulnerability – the possibility (i.e., the ‘odds’) that the system will suffer harm
Example of a threat: bank attacks
Get Protection
C-Net
Spyware
UNCW resources
Microsoft Security Essentials
Threats / Protection
Firewalls
Anti-malware
Whitelisting and blacklisting
Encryption
Public key
Private key
Digital certificates
Network issues
Virtual private network (VPN)
Secure Sockets Layer (SSL) – see also HTTPS
Monitor employees
Use IT audits (both internal and external)
When all else fails – business continuity plan
Five Factors Increasing the Vulnerability
of Information Resources
Today’s interconnected, interdependent,
wirelessly-networked business
environment
Smaller, faster, cheaper computers and
storage devices
Decreasing skills necessary to be a hacker
Organized crime taking over cybercrime
Lack of management support
Networked Business Environment
Especially WIRELESS networks
Smaller, Faster Devices
Decreasing Skills Needed to be a Hacker
New and easier tools make it very easy to attack the network
Attacks are becoming increasingly sophisticated
Organized Crime Taking Over Cybercrime
An international threat
Are government agencies involved in cybercrime?
Lack of Management Support
7.2 Unintentional Threats to
Information Systems
Security Threats
Most Dangerous Employees
Human resources and MIS
These employees hold ALL the information
Consultants, Janitors and Security Guards
These employees get wide access without much supervision
Human Errors
Carelessness with laptops and portable
computing devices
Opening questionable e-mails
Careless Internet surfing
Poor password selection and use
And more
Social Engineering
Two examples
Tailgating
Shoulder surfing
The “King” of Social Engineering
Hacker Caught Kevin Mitnick
Social engineering is typically an unintentional human error on the part of an employee, but it is the result of a deliberate action on the part of an attacker
Kevin Mitnick served several years in a
federal prison. Upon his release, he opened
his own consulting firm, advising companies
on how to deter people like him
See his company here
7.3 Deliberate Threats to
Information Systems
There are many types of deliberate
attacks including:
• Espionage or Trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property
• Software attacks
• Alien software
• Supervisory control and data acquisition (SCADA) attacks
• Cyberterrorism and cyberwarfare
Deliberate Threats
Espionage or trespass
Information extortion
Sabotage or vandalism
Theft of equipment or information
For example, dumpster diving
Deliberate Threats (continued)
Identity theft
Identity theft video
Compromises to intellectual property
Deliberate Threats (continued)
Software attacks
Virus – segment of malicious computer code
attached to another computer program
Worm – segment of malicious computer code
that does not require another computer program
(see the Stuxnet Worm)
Trojan horse
Logic Bomb – segment of malicious
computer code that causes damage at a
specified time
Deliberate Threats (continued)
Software attacks (continued)
Phishing attacks
Phishing slideshow
Phishing quiz
Phishing example
Phishing example
Distributed denial-of-service attacks
See botnet demonstration
How to Detect a Phish E-mail
Is the email really from eBay, or
PayPal, or a bank?
As spammers get better, their emails look more genuine. How do you tell if it’s a scam that is phishing for personal information?
Here’s how ...
Is the email really from eBay, or PayPal,
or a bank?
As an example, here is what the email said:
Return-path: <[email protected]>
From: "PayPal"<[email protected]>
Subject: You have 1 new Security Message Alert !
Note that they even give advice about security in the right column
Example Continued – bottom of the email
How to see what is happening
View Source
In Outlook, right click on email, click ‘view source’
In GroupWise, open email and click on the Message Source tab
In Mozilla Thunderbird, click on View, and Source.
Below is the part of the text that makes the email look official –
the images came from the PayPal website.
View Source – The Real Link
In the body it said, “If you are traveling, ‘Travelling Confirmation Here’”.
Notice that the link is not only not PayPal, it is a bare IP address: two giveaways of a fraudulent link.
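The “real link” check described above, as an added example that is not part of the original slides: it pulls every link out of a constructed sample message body (modelled on the slide, not the real email) and flags targets that are a bare IP address or that fall outside the domain the message claims to come from, including look-alike hosts such as paypal.com.attacker.example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body in the style the slides describe (not the real message):
# a genuine PayPal image, one real PayPal link, and one link that goes elsewhere.
SAMPLE_EMAIL_HTML = """<html><body>
<img src="https://www.paypal.com/images/logo.gif">
<p>You have 1 new Security Message Alert!</p>
<p>If you are traveling, <a href="http://203.0.113.45/cgi-bin/webscr">Travelling Confirmation Here</a></p>
<p><a href="https://www.paypal.com/security">Security tips</a></p>
</body></html>"""

class LinkCollector(HTMLParser):
    """Collects (href, visible link text) pairs, i.e. what 'View Source' exposes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_is_ip(host):
    """True when the URL host is a bare IP literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html, claimed_domain):
    """Return (href, text, reason) for each link whose host is not claimed_domain
    or a subdomain of it (so paypal.com.attacker.example is still flagged)."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host_is_ip(host):
            findings.append((href, text, "target is a bare IP address, not a domain"))
        elif host != claimed_domain and not host.endswith("." + claimed_domain):
            findings.append((href, text, f"target host {host!r} is not {claimed_domain}"))
    return findings
```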
Another Example – Amazon
View Source
Deliberate Threats (continued)
Alien Software
Spyware (see Microsoft)
Spamware
Cookies
Example of CAPTCHA
Deliberate Threats (continued)
Supervisory control and data acquisition
(SCADA) attacks
What if a SCADA attack were successful?
Northeastern U.S. power outage in 2003
Results in NYC
Many tourists simply slept on the street or in hotel lobbies, as
elevators were not working
Hundreds of thousands of people walked home from Manhattan
during the blackout
Could cyber attacks on the U.S. power grid work?
Example of SCADA attack
(and cyberwarfare)
The Stuxnet Worm (IT’s About Business 7.2)
7.4 What Organizations Are Doing
to Protect Themselves
Risk Management
Risk
Risk management
Risk analysis
Risk mitigation
Risk Mitigation Strategies
Risk Acceptance
Risk limitation
Risk transference
7.5 Information Security Controls
Physical controls
Access controls
Communications (network) controls
Where Defense Mechanisms (Controls) Are Located
Access Controls
Authentication
Something the user is (biometrics powerpoints)
Video on biometrics
The latest biometric: gait recognition
Something the user has
Something the user does
Something the user knows
passwords
passphrases
Access Controls (continued)
Authorization
Privilege
Least privilege
Communications Controls
Firewalls
Anti-malware systems
Whitelisting and Blacklisting
Encryption
Communication or Network Controls (continued)
Virtual private networking
Secure Sockets Layer (now Transport Layer Security)
Employee monitoring systems
Basic Home Firewall (top) and Corporate Firewall (bottom)
How Public Key Encryption Works
How Digital Certificates Work
Virtual Private Network and Tunneling
Employee Monitoring System
Popular Employee Monitoring Systems include:
• SpectorSoft
• Websense
Business Continuity Planning, Backup, and Recovery
Hot Site
Warm Site
Cold Site
Information Systems Auditing
Types of Auditors and Audits
Internal
External
IS Auditing Procedure
Auditing around the computer
Auditing through the computer
Auditing with the computer