
CHAPTER 4 Information Security

Upload: robert-park

Post on 23-Jan-2016


TRANSCRIPT

Page 1: CHAPTER 4 Information Security. Announcements Friday Class Quiz 1 Review Monday Class Quiz 1 – Access Basics Questions/Comments

CHAPTER 4

Information Security

Page 2:

Announcements

Friday Class Quiz 1 Review

Monday Class Quiz 1 – Access Basics

Questions/Comments

Page 3:

Security is constantly evolving…

https://www.youtube.com/watch?v=Ie0bRyXNrTs

Page 4:

Personal Security

How secure are you?

Do you secure your information?

How hackable is your digital life?

Page 5:

Key Information Security Terms

Information Security

Vulnerability

Threat

Exposure/Attack

Page 6:

Introduction to Information Security


Is it possible to secure the Internet?

Page 7:

Five Factors Increasing the Vulnerability of Information Resources

1. Today’s interconnected, interdependent, wirelessly-networked business environment

2. Smaller, faster, cheaper computers and storage devices

3. Decreasing skills necessary to be a hacker

4. Organized crime taking over cybercrime

5. Lack of management support

Page 8:

1. Networked Business Environment

Page 9:

2. Smaller, Faster Devices


Page 10:

3. Decreasing Skills Needed to be a Hacker

New and easier tools make it very easy to attack a network

Attacks are becoming increasingly sophisticated

Page 11:

4. Organized Crime Taking Over Cybercrime


Cost of Cybercrime

Any Guesses?

http://www.zdnet.com/norton-cybercrime-cost-110-billion-last-year-7000003745/?s_cid=e539

Page 12:

5. Lack of Management Support


Page 13:

Categorizing Security Threats

Security Threats: Unintentional and Deliberate

Page 14:

Unintentional Threats: Most Dangerous Employees

Who are the most dangerous employees?

Why are these the most dangerous?

Page 15:

Unintentional Threats: Human Errors

Common human mistakes: carelessness with

Devices

E-mails

Internet

Poor password selection and use

Ex. Bank employees

Ex. Gawker hack – most popular passwords

Any guesses on #1?

Page 16:

Unintentional Threats: Social Engineering

The art of manipulating people into performing actions or divulging confidential information.

Pretexting

Phishing

Baiting

Vishing (IVR or phone phishing)
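The phishing indicators a mail filter looks for, as an added example (not code from the original slides): the two messages below are constructed for illustration, and the set of domains the bank is assumed to send from is an assumption of the example. The check flags a sending domain outside that set, a Reply-To that differs from the sender, urgency language in the subject, links whose target is a bare IP address, and visible link text that disagrees with the real href.

```python
"""Phishing indicator checks run over constructed sample messages.

Example added for this page; the messages below are made up for illustration
and the trusted-domain set is an assumption about the organisation.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing sample: the display name impersonates the bank, the
# sending and Reply-To domains differ, the subject pushes urgency, and the
# visible link text disagrees with the real link target (an IP literal).
PHISH_EMAIL = """\
From: "First National Bank Support" <alerts@firstnational-secure-login.example>
Reply-To: recovery@mail-verify.example
To: customer@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Your account will be suspended. <a href="http://203.0.113.10/login">
https://www.firstnational.example/login</a></p>
"""

# Constructed legitimate sample from the same (assumed) organisation.
BENIGN_EMAIL = """\
From: "First National Bank" <alerts@firstnational.example>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/html

<p><a href="https://www.firstnational.example/statements">View statement</a></p>
"""

TRUSTED_DOMAINS = {"firstnational.example"}  # assumption: the bank's real sending domain
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def host_of(url):
    """Host part of a URL: strips scheme, port, path and query."""
    match = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url.strip(), re.IGNORECASE)
    return match.group(1).lower() if match else url.strip().lower()


def phishing_indicators(raw_message):
    """Return the list of indicator names triggered by one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = domain_of(msg["From"])
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        findings.append("sender_domain_untrusted")

    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch")

    subject = (msg["Subject"] or "").lower()
    if any(phrase in subject for phrase in URGENCY_PHRASES):
        findings.append("urgency_language")

    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in ANCHOR.findall(body):
        target_host = host_of(href)
        if IPV4_LITERAL.match(target_host):
            findings.append("ip_literal_link")
        shown = text.strip()
        # Only compare hosts when the visible text itself looks like a URL.
        if shown.lower().startswith(("http://", "https://")) and host_of(shown) != target_host:
            findings.append("link_text_href_mismatch")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, phishing_indicators(sample))
```

None of these indicators is conclusive on its own (legitimate mail sometimes uses a different Reply-To, and marketing subjects can sound urgent); in practice a filter scores the combination, and the Reply-To and link checks carry more weight than the wording ones.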

Page 17:

Deliberate Threats to Information Security

Theft of equipment or information

Examples:

Dumpster diving

Laptop stolen in a break-in

Page 18:

Deliberate Threats (continued)

Identity theft

Stealing information from organizational databases

Phishing

Compromises to intellectual property

Page 19:

Deliberate Threats (continued)

Software attacks

Virus

Worm (see the rapid spread of the Slammer worm)

Trojan horse

Logic bomb

Phishing attacks

Distributed denial-of-service attacks (Ex. US banks)

Page 20:

Deliberate Threats (continued)

Alien software

Spyware

Spamware

Cookies

Targeted attacks

Supervisory control and data acquisition (SCADA) attacks

Stuxnet

Page 21:

What Organizations Are Doing to Protect Themselves

“The only truly secure system is powered off, cast in a block of concrete, and sealed in a lead room with armed guards, and even then I have my doubts.”

Page 22:

What Organizations Are Doing to Protect Themselves

How do you protect your own networks?

Page 23:

Information Security Controls

1. Physical controls

2. Access controls

3. Communications (network) controls


Page 24:

Information Security Controls

1. Physical controls

2. Access controls

3. Communications (network) controls

Access Controls

Page 25:

Access Controls: Authentication (proof of identity)

Something the user is (biometrics, e.g. a fingerprint or iris scan)

Something the user has (e.g. a smart card or hardware token)

Something the user does (e.g. a signature or typing pattern)

Something the user knows (passwords, passphrases)
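How "something the user knows" is checked without the system ever keeping the secret, and how the poor password choices from the human-error slide are rejected at enrolment. This is an added example, not code from the slides: the common-password set is a small constructed sample (not the Gawker list), and the user store is an in-memory dict standing in for a database.

```python
"""Checking and storing 'something the user knows' (passwords).

Example added for this page, not code from the original slides. The common-
password set is a small constructed sample, and the user store is an
in-memory dict standing in for a real database.
"""
import hashlib
import hmac
import os

COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "letmein", "111111"}
MIN_LENGTH = 12
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster
ALGORITHM = "pbkdf2_sha256"


def password_problems(candidate):
    """Return the policy violations for a proposed password (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("common_password")
    if candidate.isdigit():
        problems.append("digits_only")
    return problems


def hash_password(password, salt=None):
    """Derive a salted, deliberately slow hash; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Hash checked when the username does not exist, so a failed login takes the
# same time either way and does not reveal which usernames are valid.
DUMMY_HASH = hash_password("not-a-real-password")


def register(store, username, password):
    """Enrol a user if the password passes policy; return the list of problems."""
    problems = password_problems(password)
    if not problems:
        store[username] = hash_password(password)
    return problems


def login(store, username, password):
    """True only if the user exists and the password matches the stored hash."""
    stored = store.get(username)
    if stored is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    users = {}
    print(register(users, "alice", "123456"))                    # policy violations
    print(register(users, "alice", "correct horse battery staple"))
    print(login(users, "alice", "correct horse battery staple"), login(users, "alice", "wrong"))
```

The per-user random salt means two users with the same password get different stored values, so a leaked table cannot be attacked with one precomputed list; the iteration count is what makes each guess expensive for an attacker who has the table.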

Page 26:

Access Controls: Authorization

Permissions issued based on verified identity

Privilege – operations that users can perform

Least privilege – grant a privilege only when there is a justifiable need for it
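Authorization and least privilege in code, as an added example (not from the slides): a deny-by-default permission check over role grants, followed by the review a least-privilege programme actually runs, comparing what each user was granted with what they exercised. The roles, users and access log are all constructed for the example.

```python
"""Deny-by-default authorization plus a least-privilege review.

Example added for this page. Roles, user assignments and the access log are
constructed sample data, not taken from the slides.
"""
from collections import defaultdict

# Each role grants a set of (resource, operation) pairs.
ROLE_PERMISSIONS = {
    "teller":  {("accounts", "read"), ("transactions", "create")},
    "auditor": {("accounts", "read"), ("transactions", "read"), ("reports", "read")},
    "admin":   {("accounts", "read"), ("accounts", "write"),
                ("users", "write"), ("reports", "read")},
}
USER_ROLES = {"ana": {"teller"}, "bo": {"teller", "admin"}, "cy": {"auditor"}}


def privileges_of(user):
    """Union of the permissions granted through all of the user's roles."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user, resource, operation):
    """Deny by default: only an explicit grant allows the operation."""
    return (resource, operation) in privileges_of(user)


# Constructed access log: operations each user actually performed over the
# review period, as (user, resource, operation).
ACCESS_LOG = [
    ("ana", "accounts", "read"), ("ana", "transactions", "create"),
    ("bo", "accounts", "read"), ("bo", "transactions", "create"),
    ("cy", "reports", "read"), ("cy", "accounts", "read"),
]


def unused_privileges(log, users=USER_ROLES):
    """Privileges granted but never exercised: candidates for revocation.

    Returns {user: set of (resource, operation)} for users with excess grants.
    """
    used = defaultdict(set)
    for user, resource, operation in log:
        used[user].add((resource, operation))
    report = {}
    for user in users:
        excess = privileges_of(user) - used[user]
        if excess:
            report[user] = excess
    return report


if __name__ == "__main__":
    print(is_authorized("ana", "accounts", "read"), is_authorized("ana", "accounts", "write"))
    for user, excess in sorted(unused_privileges(ACCESS_LOG).items()):
        print(user, sorted(excess))
```

The review shows the usual pattern: the user holding two roles ("bo") has write access to accounts and users that the log never shows being used, which is exactly the privilege an attacker who phishes that account would inherit. Unused grants are not proof of no need (some are for rare tasks), so the output is a review list, not an automatic revocation.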

Page 27:

Information Security Controls

1. Physical controls

2. Access controls

3. Communications (network) controls

Communication Controls

Page 28:

Communications Controls

Firewalls

Anti-malware systems

Whitelisting and Blacklisting

Encryption

VPN
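A firewall rule evaluator, added here as an example (not code from the slides) to make the whitelisting-versus-blacklisting point concrete: rules are evaluated in order, the first match wins, and what happens when nothing matches is the default policy. A whitelist (allowlist) denies by default, so a service nobody thought about is closed; a blacklist (denylist) allows by default, so it stays open. The rule sets and packets are constructed for the example, and the helper that finds shadowed rules is a check a reviewer would want that the slides do not mention.

```python
"""Ordered firewall rule evaluation: allowlist (default deny) vs blocklist (default allow).

Example added for this page; rule sets and packets are constructed.
"""
from ipaddress import ip_address, ip_network


class Rule:
    """One rule: apply `action` to packets from `src` to `dst_port`/`proto`."""

    def __init__(self, action, src, dst_port="any", proto="any"):
        self.action = action            # "allow" or "deny"
        self.src = ip_network(src)      # e.g. "10.0.0.0/8" or "0.0.0.0/0"
        self.dst_port = dst_port        # int or "any"
        self.proto = proto              # "tcp", "udp" or "any"

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in self.src
                and self.dst_port in ("any", pkt["dst_port"])
                and self.proto in ("any", pkt["proto"]))

    def covers(self, other):
        """True if every packet matching `other` would also match this rule."""
        return (other.src.subnet_of(self.src)
                and self.dst_port in ("any", other.dst_port)
                and self.proto in ("any", other.proto))


def evaluate(rules, default, pkt):
    """First matching rule wins; with no match, the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# Allowlist: only HTTPS from anywhere and SSH from the internal range; deny the rest.
ALLOWLIST = [Rule("allow", "0.0.0.0/0", 443, "tcp"),
             Rule("allow", "10.0.0.0/8", 22, "tcp")]
# Blocklist: block telnet and one known-bad network; allow the rest.
BLOCKLIST = [Rule("deny", "0.0.0.0/0", 23, "tcp"),
             Rule("deny", "192.0.2.0/24")]
# A broad deny placed before the narrow allow it was meant to complement.
BAD_ORDER = [Rule("deny", "0.0.0.0/0", 22, "tcp"),
             Rule("allow", "10.0.0.0/8", 22, "tcp")]


def compare(pkt):
    """(allowlist decision, blocklist decision) for one packet."""
    return evaluate(ALLOWLIST, "deny", pkt), evaluate(BLOCKLIST, "allow", pkt)


if __name__ == "__main__":
    for pkt in ({"src": "198.51.100.7", "dst_port": 443, "proto": "tcp"},
                {"src": "198.51.100.7", "dst_port": 3389, "proto": "tcp"},
                {"src": "10.1.2.3", "dst_port": 22, "proto": "tcp"}):
        print(pkt, compare(pkt))
    print("shadowed in BAD_ORDER:", shadowed_rules(BAD_ORDER))
```

The RDP packet (port 3389) is the telling case: neither rule set mentions it, the allowlist drops it and the blocklist lets it through. The shadowed-rule check catches the other common mistake, an allow rule that can never fire because a broader deny precedes it.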

Page 29:

Communications Controls – Firewalls

Home

Corporate

China Firewall

Page 30:

Controls: Encryption (PKI)

How Public Key Encryption Works

Each party holds a key pair: the public key is distributed freely and is used to encrypt (or to verify a signature); only the matching private key can decrypt (or sign).
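Public-key encryption worked through in code, as an added example (not from the slides): textbook RSA with the tiny primes 61 and 53 so every number can be checked by hand. It shows key generation, encrypting with the public key and decrypting with the private one, signing with the private key and verifying with the public one, and the property that makes unpadded RSA unsafe in practice. The parameters are toy values chosen for illustration; real keys use randomly chosen primes of around 1024 bits each and a padding scheme such as OAEP.

```python
"""Textbook RSA with tiny parameters, to show how public-key encryption works.

Example added for this page. Toy key sizes, no padding: for illustration only.
"""
from math import gcd


def keygen(p, q, e=17):
    """Build a key pair from two primes p and q and a public exponent e."""
    n = p * q                      # modulus, shared by both keys
    phi = (p - 1) * (q - 1)        # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)            # private exponent: d * e == 1 (mod phi)
    return (n, e), (n, d)          # (public key, private key)


def encrypt(public_key, m):
    """Anyone with the public key can do this; m must be an integer below n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of d can undo the encryption."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m):
    """A signature is the private-key operation applied to the message."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m, signature):
    """Anyone can check a signature with the public key."""
    n, e = public_key
    return pow(signature, e, n) == m


def encrypt_bytes(public_key, data):
    """Encrypt one byte per block. Deterministic: equal bytes give equal blocks,
    which is the ECB-style leak that randomized padding exists to prevent."""
    return [encrypt(public_key, b) for b in data]


def decrypt_bytes(private_key, blocks):
    return bytes(decrypt(private_key, c) for c in blocks)


if __name__ == "__main__":
    pub, priv = keygen(61, 53)
    print("public", pub, "private", priv)          # (3233, 17) (3233, 2753)
    c = encrypt(pub, 65)
    print("encrypt(65) =", c, "decrypt ->", decrypt(priv, c))
    s = sign(priv, 65)
    print("signature valid:", verify(pub, 65, s), "forged:", verify(pub, 66, s))
    # Malleability of unpadded RSA: E(a) * E(b) mod n == E(a * b).
    print((encrypt(pub, 2) * encrypt(pub, 65)) % pub[0] == encrypt(pub, 130))
```

The last line is the caveat a practitioner wants: because the ciphertexts multiply into a valid ciphertext of the product, an attacker can transform messages without knowing the private key. Real deployments never use RSA this way; they wrap the message with OAEP before encryption (or PSS before signing) and use RSA only to protect a symmetric key, not the data itself.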

Page 31:

Communication or Network Controls

Virtual private networking

Page 32:

Protection of data

Government regulations: HIPAA, Sarbanes-Oxley, PA74

Page 33:

Need to understand risk

Risk management (identify, control, minimize)

1. Risk analysis

2. Risk mitigation (take action)

   1. Acceptance

   2. Limitation (most common)

   3. Transference

3. Controls evaluation: if the cost of a control exceeds the value of the asset it protects, the control is not cost effective

Page 34:

Business Continuity Planning, Backup, and Recovery

Provides guidance to the people who keep the business operating after a disaster occurs.

Options: hot site (fully configured, ready to take over immediately), warm site (equipped, but current data and applications must still be loaded), cold site (basic facilities only; hardware and data must be brought in)

Page 35:

Personal Risk Assessment

To understand your own risk, get with another person and create an assessment.

List out the following:

1. Assets (e.g. laptop, external drive, etc.)

2. Threats (e.g. natural, virus, etc.)

3. Controls (how do you control these threats?)

Other ways to minimize personal risk

Page 36:

LEARNING OBJECTIVES

1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one.

Page 37:

LEARNING OBJECTIVES

2. Compare and contrast human mistakes and social engineering, and provide a specific example of each one.

Page 38:

LEARNING OBJECTIVES (continued)

3. Define the three risk mitigation strategies, and provide an example of each one in the context of you owning a home.

Page 39:

LEARNING OBJECTIVES (continued)

4. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.