McGraw-Hill/Irwin © 2008 The McGraw-Hill Companies, All Rights Reserved
Business Plug-In B6
Information Security
B6-2
LEARNING OUTCOMES
1. Describe the relationship between information security policies and an information security plan
2. Provide an example of each of the three primary security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response
3. Describe the relationships and differences between hackers and viruses
B6-3
INTRODUCTION
• Information security – a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization
• This plug-in discusses how organizations can implement information security lines of defense through people first and technology second
B6-4
The First Line of Defense - People
• The biggest issue surrounding information security is not a technical issue, but a people issue
• 38% of security incidents originate within the organization
– Insiders
– Social engineering
B6-5
The First Line of Defense - People
• The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
– Information security policies – identify the rules required to maintain information security
– Information security plan – details how an organization will implement the information security policies
B6-6
The First Line of Defense - People
• Five steps to creating an information security plan
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
   1. Firewall (hardware and/or software)
   2. Intrusion detection software (IDS)
4. Test and re-evaluate risks
5. Obtain stakeholder support
B6-7
The First Line of Defense - People
B6-8
The Second Line of Defense - Technology
• Three primary information security areas
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response
B6-9
AUTHENTICATION AND AUTHORIZATION
• Authentication – a method for confirming users’ identities
• Authorization – the process of giving someone permission to do or have something
• The most secure type of authentication involves a combination of the following:
1. Something the user knows such as a user ID and password
2. Something the user has such as a smart card or token
3. Something that is part of the user such as a fingerprint or voice signature
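The slide lists the three factors but does not show how two of them combine in practice. The following is an added example (not from the plug-in) that checks "something the user knows" with a salted PBKDF2 password hash and "something the user has" with a one-time code computed the way a hardware token does it (HOTP, RFC 4226, HMAC-SHA1 over a counter). The user record, password and token secret are constructed for the example; the token secret is the RFC's own test-vector secret so the codes can be checked against the published values. The biometric factor is left out because it needs sensor hardware.

```python
import hashlib
import hmac
import os
import struct

ITERATIONS = 100_000  # PBKDF2 work factor; raise it in production


def make_password_record(password: str, salt: bytes = b"") -> dict:
    """Store a salted hash, never the password itself (factor 1: something you know)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def password_ok(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])  # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (factor 2: something you have). The token and the server share
    `secret` and a counter; the code is a dynamically truncated HMAC-SHA1 of the counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed user record (hypothetical); the token secret is the RFC 4226 test secret
DEMO_USER = {
    "password": make_password_record("correct horse battery", b"fixed-salt-demo!"),
    "token_secret": b"12345678901234567890",
    "token_counter": 0,
}


def verify_login(user: dict, password_attempt: str, otp_attempt: str) -> bool:
    """Both factors must pass. Both are always evaluated so a failure does not reveal
    which factor was wrong."""
    pw_ok = password_ok(user["password"], password_attempt)
    expected = hotp(user["token_secret"], user["token_counter"])
    otp_ok = hmac.compare_digest(expected, otp_attempt)
    return pw_ok and otp_ok


if __name__ == "__main__":
    print("first token code:", hotp(DEMO_USER["token_secret"], 0))
    print("login with both factors:", verify_login(DEMO_USER, "correct horse battery", "755224"))
    print("login with password only:", verify_login(DEMO_USER, "correct horse battery", "000000"))
```

A real deployment also advances `token_counter` after each successful code (or uses the time-based TOTP variant) so a captured code cannot be replayed, which is exactly the weakness of a bare password that the slide calls out.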
B6-10
Something the User Knows such as a User ID and Password
• User ID and passwords are the most common way to identify individual users, and are the most ineffective form of authentication
• Identity theft – the forging of someone’s identity for the purpose of fraud
• Phishing – a technique to gain personal information for the purpose of identity theft
B6-11
Something the User Knows such as a User ID and Password
B6-12
Something the User Has such as a Smart Card or Token
• Smart cards and tokens are more effective than a user ID and a password
– Token – small electronic devices that change user passwords automatically
– Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
B6-13
Smart Cards
B6-14
Something That Is Part of the User such as a Fingerprint or Voice Signature
• This is by far the best and most effective way to manage authentication
– Biometrics – the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting
• Unfortunately, this method can be costly and intrusive
B6-15
Biometrics
B6-16
PREVENTION AND RESISTANCE
• Downtime can cost an organization anywhere from $100 to $1 million per hour
• A 22-hour outage in June 2000 caused eBay’s market cap to plunge $5.7 billion
• Technologies available to help prevent and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls
B6-17
• Top Ten Cell Phone Security Problems
B6-18
Prevention-Content Filtering
• Organizations can use content filtering technologies to filter e-mail and prevent e-mails containing sensitive information from transmitting and stop spam and viruses from spreading
– Content filtering – occurs when organizations use software that filters content to prevent the transmission of unauthorized information
– Spam – a form of unsolicited e-mail
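To make the content-filtering idea concrete, here is an added example (not part of the plug-in) of a small e-mail filter: outbound messages are blocked when they carry a sensitivity marker or a payment-card number that passes the Luhn check, and inbound messages are quarantined when a simple spam score is high. The messages, markers and spam word list are all constructed for the example.

```python
import re

# Constructed sample messages: (direction, subject, body). Not from the slides.
SAMPLE_MESSAGES = [
    ("outbound", "Q3 numbers", "Attached are the INTERNAL ONLY projections."),
    ("outbound", "card on file", "Please charge 4111 1111 1111 1111 for the order."),
    ("inbound", "You WON!!!", "Claim your FREE prize now, act now, limited offer"),
    ("inbound", "lunch", "Sandwiches at noon?"),
]

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # 13-16 digits, spaces/dashes allowed
SENSITIVE_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")     # hypothetical classification labels
SPAM_WORDS = ("free", "prize", "act now", "limited offer", "winner")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_card_number(text: str) -> bool:
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False


def spam_score(text: str) -> int:
    lowered = text.lower()
    score = sum(1 for word in SPAM_WORDS if word in lowered)
    if sum(ch.isupper() for ch in text) > 0.3 * len(text):   # shouting
        score += 1
    if "!!!" in text:
        score += 1
    return score


def filter_message(direction: str, subject: str, body: str) -> str:
    """Return 'allow', 'block' (outbound leak) or 'quarantine' (inbound spam)."""
    text = subject + "\n" + body
    if direction == "outbound":
        if contains_card_number(text) or any(m in text for m in SENSITIVE_MARKERS):
            return "block"
        return "allow"
    return "quarantine" if spam_score(text) >= 2 else "allow"


def run_filter(messages=SAMPLE_MESSAGES):
    return [filter_message(*m) for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, run_filter()):
        print(f"{verdict:10} {msg[0]:8} {msg[1]!r}")
```

The Luhn step matters in practice: without it, any 16-digit order or tracking number would be blocked, and a filter that blocks too much gets switched off.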
B6-19
Prevention - ENCRYPTION
• If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
– Encryption – scrambles information into an alternative form that requires a key or password to decrypt the information
– Public & private key encryption – uses two keys: a public key that everyone can have and a private key for only the recipient
B6-20
ENCRYPTION
It would take a hacker many hundreds of years to break an encryption code
B6-21
Encryption Demo
• Public vs Private key encryption
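As an added demonstration of the public/private key idea described on the previous slides (this is example code, not the plug-in's demo), the block below implements textbook RSA with tiny constructed primes. Anyone holding the public key can encrypt; only the private key turns the ciphertext back into the message, and applying the public key again yields garbage. Real keys use primes of hundreds of digits and padding; the byte-at-a-time encryption here is for illustration only.

```python
from math import gcd

# Toy parameters constructed for the example (the classic textbook pair)
P, Q, E = 61, 53, 17


def make_keypair(p: int = P, q: int = Q, e: int = E):
    """Return (public_key, private_key), each as an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, plaintext: bytes):
    """Anyone with the public key can encrypt. Each byte is encrypted separately (toy only)."""
    e, n = public_key
    return [pow(b, e, n) for b in plaintext]


def decrypt(key, ciphertext):
    """Only the matching private key recovers the bytes; any other exponent yields garbage."""
    d, n = key
    return [pow(c, d, n) for c in ciphertext]


def roundtrip(message: bytes) -> bytes:
    public, private = make_keypair()
    return bytes(decrypt(private, encrypt(public, message)))


if __name__ == "__main__":
    public, private = make_keypair()
    ct = encrypt(public, b"Hi")
    print("public key:", public, "private key:", private)
    print("ciphertext:", ct)
    print("decrypted with private key:", bytes(decrypt(private, ct)))
    print("decrypted with public key: ", decrypt(public, ct))
```

The security of the scheme rests on the difficulty of recovering `d` from `(e, n)`, which requires factoring `n`; with `n = 3233` that takes a moment, with a 2048-bit `n` it is the "hundreds of years" the slide refers to.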
B6-22
Encryption over the Web
• Secure Hypertext Transfer Protocol (HTTPS)
• Most sign-in e-business websites are equipped with https://
– used for encrypting data flowing over the Internet
B6-23
Steganography
• Steganography is the hiding of information in innocent-looking objects and is a part of cryptography. Steganos means hidden and graffein means to write. Since the arrival of digital image and sound files, steganography has seen an enormous revival.
B6-24
Prevention- FIREWALLS
• One of the most common defenses for preventing a security breach is a firewall
– Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network
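The definition says a firewall analyzes traffic leaving and entering the network; the added example below (not the plug-in's own architecture) shows the rule evaluation that does so for a hypothetical private network 10.0.0.0/8. Rules are checked top to bottom, the first match decides, and a packet matching nothing is denied, which is the default-deny posture a firewall should have. The rule set and the sample packets are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Hypothetical rule set. Columns: direction, source network, destination network,
# protocol ("any" matches all), destination port (None = any port), action.
RULES = [
    ("in",  "0.0.0.0/0",  "10.0.1.10/32", "tcp", 443,  "allow"),  # public HTTPS server
    ("in",  "0.0.0.0/0",  "10.0.0.0/8",   "tcp", 23,   "deny"),   # telnet is never accepted
    ("in",  "0.0.0.0/0",  "10.0.0.0/8",   "any", None, "deny"),   # everything else inbound
    ("out", "10.0.0.0/8", "0.0.0.0/0",    "tcp", 80,   "allow"),  # web browsing
    ("out", "10.0.0.0/8", "0.0.0.0/0",    "tcp", 443,  "allow"),
    ("out", "10.0.0.0/8", "0.0.0.0/0",    "udp", 53,   "allow"),  # DNS
]


def evaluate(direction: str, src: str, dst: str, proto: str, dst_port: int) -> str:
    """Return the action for one packet described by its header fields."""
    for r_dir, r_src, r_dst, r_proto, r_port, action in RULES:
        if r_dir != direction:
            continue
        if ip_address(src) not in ip_network(r_src) or ip_address(dst) not in ip_network(r_dst):
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action
    return "deny"  # default deny: anything not explicitly allowed is dropped


# Constructed sample packets: (direction, source, destination, protocol, destination port)
SAMPLE_PACKETS = [
    ("in",  "203.0.113.5", "10.0.1.10",    "tcp", 443),  # customer reaching the web server
    ("in",  "203.0.113.5", "10.0.1.10",    "tcp", 22),   # SSH from the Internet
    ("out", "10.0.5.7",    "198.51.100.1", "tcp", 443),  # workstation browsing
    ("out", "10.0.5.7",    "198.51.100.1", "tcp", 25),   # workstation sending mail directly
]


def audit(packets=SAMPLE_PACKETS):
    """Decisions for a list of packets, in order."""
    return [evaluate(*packet) for packet in packets]


if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE_PACKETS, audit()):
        print(f"{verdict:6} {packet}")
```

Note that outbound traffic is filtered too: the last sample packet (direct SMTP from a workstation) is denied, which is how a firewall limits what a compromised inside machine can do.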
B6-25
FIREWALLS
• Sample firewall architecture connecting systems located in Chicago, New York, and Boston
B6-26
A Corporate Firewall
B6-27
DETECTION AND RESPONSE
• If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
• Antivirus software is the most common type of detection and response technology
B6-28
DETECTION AND RESPONSE
• Hacker - people very knowledgeable about computers who use their knowledge to invade other people’s computers
– White-hat hacker
– Black-hat hacker
– Hacktivist
– Script kiddies or script bunnies
– Cracker
– Cyberterrorist
B6-29
DETECTION AND RESPONSE
• Virus - software written with malicious intent to cause annoyance or damage by self-replicating
– Spreads as email attachments
• Other forms of viruses
– Worm
– Trojan-horse virus
– Distributed DoS
– Denial-of-service attack (DoS)
B6-30
DETECTION AND RESPONSE
• Worms:
– Programs that copy themselves from one computer to another over networks. Unlike a virus, a worm does not need to attach itself to an existing program
– Can destroy data and programs, and halt operation of computer networks
– In August 2003, the “Blaster worm” infected over 50,000 computers worldwide
– Good worms: the “Welchia” worm, for example, tries to download and then install patches from Microsoft's website to fix various vulnerabilities in the host system
B6-31
DETECTION AND RESPONSE
• Trojan Horse:
– A software program that appears to be harmless, but then does something unexpected
– Often “transports” a virus into a computer system
– Name is based on the classic Greek myth of the Trojan War
B6-32
DETECTION AND RESPONSE
• Denial of Service (DoS) Attacks
– Hackers flood a server with false communications in order to crash the system
– Distributed DoS: uses numerous computers to crash the network
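On the detection side, a flood shows up in server logs as a request rate no legitimate client would produce. The added example below (not from the plug-in) counts requests per source over a sliding time window and flags sources that exceed a limit; it also keeps a global count, because in the distributed case each attacking host may stay under the per-source limit while the total still overwhelms the server. The log lines, addresses and limits are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed access-log lines: "<epoch_seconds> <client_ip> <request>" (not real traffic)


def build_single_source_flood():
    lines = [f"{1000 + i * 12} 198.51.100.7 GET /index.html" for i in range(5)]      # normal user
    lines += [f"{1030 + i // 30} 203.0.113.9 GET /search?q=x" for i in range(300)]  # 30 req/s for 10 s
    return sorted(lines, key=lambda line: int(line.split()[0]))


def build_distributed_flood():
    # 50 hosts sending only 10 requests each, but all within the same 5 seconds
    lines = [f"{2000 + i % 5} 203.0.113.{src} GET /" for src in range(1, 51) for i in range(10)]
    return sorted(lines, key=lambda line: int(line.split()[0]))


def detect_floods(lines, window=10, per_source_limit=100, global_limit=400):
    """Sliding-window request counting over time-ordered log lines.

    Flags a source when it sends more than per_source_limit requests within `window`
    seconds, and raises global_flood when all sources together exceed global_limit,
    which catches a distributed flood where no single source looks abnormal."""
    per_source = defaultdict(deque)
    everyone = deque()
    flagged = set()
    global_flood = False
    for line in lines:
        ts_str, src, _request = line.split(" ", 2)
        ts = int(ts_str)
        for queue in (per_source[src], everyone):
            queue.append(ts)
            while ts - queue[0] >= window:     # drop timestamps that left the window
                queue.popleft()
        if len(per_source[src]) > per_source_limit:
            flagged.add(src)
        if len(everyone) > global_limit:
            global_flood = True
    return {"sources": sorted(flagged), "global_flood": global_flood}


if __name__ == "__main__":
    print("single source:", detect_floods(build_single_source_flood()))
    print("distributed:  ", detect_floods(build_distributed_flood()))
```

The response half of "detection and response" is usually to rate-limit or block the flagged sources at the firewall, and for the distributed case to shed load upstream, since blocking fifty individually quiet hosts one at a time does not help.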
B6-33
DETECTION AND RESPONSE
• Security threats to e-business include:
– Elevation of privilege
– Hoaxes
– Malicious code
– Spoofing
– Spyware
– Sniffer
B6-34
DETECTION AND RESPONSE
• Spoofing: masquerading as someone else, or redirecting a Web link to an unintended address (see Phishing)
• Sniffing: an eavesdropping program that monitors information traveling over a network
B6-35
DETECTION AND RESPONSE
• Phishing (web spoofing)
– Setting up fake Web sites or sending email messages that look legitimate, and using them to ask for confidential data
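The two slides above, spoofing a Web link and phishing with messages that look legitimate, can be checked for mechanically. The added example below (not from the plug-in) parses the links in a constructed phishing-style e-mail with the standard library and reports the usual warning signs: a link whose visible text names one site while the `href` goes elsewhere, a raw IP address as the destination, and a host that contains the organization's domain without actually being under it. The organization domain `example-bank.com` and the message are hypothetical.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example-bank.com"}   # hypothetical domains the organization really owns

# Constructed sample message, written to resemble the slide's "fake Web site" lure
SAMPLE_EMAIL = """
<p>Please verify your account at <a href="http://203.0.113.9/login">www.example-bank.com</a>.</p>
<p>Or use <a href="https://example-bank.com.evil.test/verify">https://example-bank.com/verify</a></p>
<p>Our real site: <a href="https://login.example-bank.com/">example-bank.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_links(html: str):
    """Return [(href, [reasons])] for links that show phishing warning signs."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if is_ip(host):
            reasons.append("destination is a raw IP address")
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())    # a hostname in the visible text
        if shown and shown.group() != host and not is_trusted(host):
            reasons.append(f"text shows {shown.group()} but link goes to {host}")
        if any(d in host for d in TRUSTED_DOMAINS) and not is_trusted(host):
            reasons.append("host imitates a trusted domain")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The third link in the sample is genuine (a subdomain of the trusted domain) and produces no finding, which is the check a mail gateway needs to avoid flagging the organization's own notifications.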
B6-36
Additional Material
• Microsoft Videos on Phishing
• Phishing Video
B6-37
Wireless Security
• Wired Equivalent Privacy (WEP) can provide security for Wi-Fi if users turn it on
– It is a code that you choose to protect your wireless connections
B6-38
Wireless Security
• War driving: eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic
B6-39
Wireless hacking
• Wireless hacking video