CHAPTER 7 Information Security
1. Introduction to Information Security
2. Unintentional Threats to Information Systems
3. Deliberate Threats to Information Systems
4. What Organizations Are Doing to Protect Information Resources
5. Information Security Controls
1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one.
2. Compare and contrast human mistakes and social engineering, and provide a specific example of each one.
3. Discuss the 10 types of deliberate attacks.
4. Define the three risk mitigation strategies, and provide an example of each one in the context of owning a home.
5. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.
OPENING
• Shodan: Good Tool or Bad Tool?
Is Shodan more useful for hackers or for security defenders? Provide specific examples to support your choice.
What impact should Shodan have on the manufacturers of devices that connect to the Internet?
As an increasingly large number of devices are connected to the Internet, what will Shodan’s impact be? Provide examples to support your answer.
7.1 Introduction to Information Security
• Information Security
• Threat
• Exposure
• Vulnerability
• Five Key Factors Increasing Vulnerability
• Cybercrime
Primary Goals of Security
General Security Goals (“CIA”)
• Confidentiality: protection of data from unauthorized disclosure of customer and proprietary data. Simply put: attackers cannot access or understand protected information.
• Integrity: assurance that data have not been altered or destroyed. Simply put: if attackers change messages, this will be detected.
• Availability: providing continuous operation of hardware and software so that the parties involved can be assured of uninterrupted service. Simply put: the system is available to serve users.
Five Key Factors Increasing Vulnerability
1. Today’s interconnected, interdependent, wirelessly networked business environment
2. Smaller, faster, cheaper computers and storage devices
3. Decreasing skills necessary to be a computer hacker
4. International organized crime taking over cybercrime
5. Lack of management support
The newer edition of Rainer’s book took away my discussion!
Whom are we protecting our IS against?
• What is missing here?
• The most powerful and MIGHTY?!
• YES:
7.2 Unintentional Threats to Information Systems
• Human Errors
• Social Engineering
Human Errors
• Higher employee levels = higher levels of security risk
• Most Dangerous Employees
• Human Mistakes
Dangerous Employees
• Two organizational areas pose the greatest risk:
   • Human Resources
   • Information Systems
• Janitors and Guards Frequently Overlooked
Figure 7.1: Security Threats
Human Mistakes
• Carelessness with laptops
• Carelessness with computing devices
• Opening questionable e-mails
• Careless Internet surfing
• Poor password selection and use
• Carelessness with one’s office
Human Mistakes (continued)
• Carelessness using unmanaged devices
• Carelessness with discarded equipment
• Careless monitoring of environmental hazards
Table 7.1: Human Mistakes
Social Engineering
• Social Engineering: an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords.
7.3 Deliberate Threats to Information Systems
1. Espionage or Trespass
2. Information Extortion
3. Sabotage or Vandalism
4. Theft of Equipment or Information
5. Identity Theft
6. Compromises to Intellectual Property
7.3 Deliberate Threats to Information Systems (continued)
7. Software Attacks
8. Alien Software
9. Supervisory Control and Data Acquisition (SCADA) Attacks
10. Cyberterrorism and Cyberwarfare
Compromises to Intellectual Property
• Intellectual Property
• Trade Secret
• Patent
• Copyright
Software Attacks: Three Categories
1. Remote Attacks Requiring User Action
   • Virus
   • Worm
   • Phishing Attack
   • Spear Phishing
Software Attacks: Three Categories (continued)
2. Remote Attacks Needing No User Action
   • Denial-of-Service Attack
   • Distributed Denial-of-Service Attack
Software Attacks: Three Categories (continued)
3. Attacks by a Programmer Developing a System
   • Trojan Horse
   • Back Door
   • Logic Bomb
IT’S ABOUT BUSINESS 7.1
• Stealing Cash from ATMs with Text Messages
Other than the ones mentioned in this case, what countermeasures could banks take to defend against ATM hacks such as these?
Why are some banks still using Windows XP on their ATMs, when newer, more secure operating systems are available?
Alien Software
• Adware
• Spyware
• Spamware
• Spam
• Cookies
IT’S ABOUT BUSINESS 7.2
• The Mask
Discuss the implications of the targeted nature of the Careto malware.
Analyze the statement: “Nations use malware such as Careto when their only alternative is to go to war.”
Discuss the impacts that such sophisticated malware could have on all of us.
7.4 What Organizations Are Doing to Protect Information Resources
• Risk
• Risk Management
• Risk Analysis
• Risk Mitigation
Table 7.3: The Difficulties in Protecting Information Resources
Risk Management
Three Processes of Risk Management:
1. Risk analysis
2. Risk mitigation
3. Controls evaluation
Risk Analysis
Three Steps of Risk Analysis
1. Assessing the value of each asset being protected
2. Estimating the probability that each asset will be compromised
3. Comparing the probable costs of the asset’s being compromised with the costs of protecting that asset
Risk Mitigation
1. Risk Acceptance
2. Risk Limitation
3. Risk Transference
4. Risk Avoidance
Note: it is not “how we will shield the risks” – that is risk reduction/removal – “Limitation”!
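A worked example of the three risk-analysis steps feeding a choice among the four mitigation strategies, added here and not taken from the chapter or these slides: each asset's value and compromise probability give its probable annual loss, which is then compared with the cost of a control and with an insurance premium. The Asset class, the decision thresholds in recommend(), and the sample inventory are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One information asset under review (all figures are annual, in dollars)."""
    name: str
    value: float           # step 1: value of the asset being protected
    p_compromise: float    # step 2: estimated probability of compromise this year
    control_cost: float    # cost of the control that would limit the risk
    insurance_cost: float  # premium to transfer the risk to an insurer

    def __post_init__(self):
        if not 0.0 <= self.p_compromise <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if min(self.value, self.control_cost, self.insurance_cost) < 0:
            raise ValueError(f"{self.name}: values and costs cannot be negative")


def expected_loss(asset: Asset) -> float:
    """Step 3 input: the probable annual cost of the asset being compromised."""
    return round(asset.value * asset.p_compromise, 2)


def recommend(asset: Asset, tolerance: float) -> str:
    """Step 3: compare probable loss with the cost of protection and pick a strategy.

    Decision rule (an assumption of this example, not a rule from the chapter):
      acceptance   - the expected loss is within what management will absorb
      limitation   - a control costs less than the loss it prevents
      transference - insurance is cheaper than the control and still beats the loss
      avoidance    - nothing affordable brings the loss down; stop the activity
    """
    loss = expected_loss(asset)
    if loss <= tolerance:
        return "acceptance"
    options = {"limitation": asset.control_cost, "transference": asset.insurance_cost}
    cheapest = min(options, key=options.get)   # ties favour the control
    if options[cheapest] < loss:
        return cheapest
    return "avoidance"


def risk_plan(assets, tolerance: float) -> dict:
    """Apply the three steps to every asset, ordered by largest probable loss first."""
    ranked = sorted(assets, key=expected_loss, reverse=True)
    return {a.name: (recommend(a, tolerance), expected_loss(a)) for a in ranked}


# Constructed sample inventory; the numbers are illustrative, not from the chapter.
SAMPLE_ASSETS = [
    Asset("customer database", 2_000_000, 0.05, control_cost=40_000, insurance_cost=60_000),
    Asset("legacy ATM fleet", 500_000, 0.30, control_cost=200_000, insurance_cost=180_000),
    Asset("regional office", 1_000_000, 0.02, control_cost=150_000, insurance_cost=12_000),
    Asset("lobby kiosk", 3_000, 0.20, control_cost=2_000, insurance_cost=2_500),
]

if __name__ == "__main__":
    for name, (strategy, loss) in risk_plan(SAMPLE_ASSETS, tolerance=5_000).items():
        print(f"{name:20s} expected loss ${loss:>12,.2f}  ->  {strategy}")
```

Note that the kiosk is accepted even though a control exists, because its probable loss sits below the tolerance, while the ATM fleet is avoided because neither the control nor the premium costs less than the loss it would offset.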
7.5 Information Security Controls
• Physical Controls
• Access Controls
• Communications Controls
• Business Continuity Planning
• Information Systems Auditing
Figure 7.2: Where Defense Mechanisms are Located.
Physical Controls
• Walls
• Doors
• Fencing
• Gates
• Locks
• Badges
• Guards
• Alarm Systems
Access Controls
• Authentication
   • Something the user is
   • Something the user has
   • Something the user does
   • Something the user knows
• Authorization
Communications Controls
• Firewall
• Anti-malware Systems
• Whitelisting
• Blacklisting
• Encryption
• Virtual Private Network (VPN)
Figure 7.3: (a) Basic Firewall for Home Computer. (b) Organization with Two Firewalls and Demilitarized Zone
Figure 7.4: How Public-key Encryption Works
Figure 7.5: How Digital Certificates Work.
Figure 7.6: Virtual Private Network (VPN) and Tunneling
IT’S ABOUT BUSINESS 7.3
• A Tale of Two Cybersecurity Firms
Describe why it was so important for law enforcement officials to capture all 96 Rustock command servers at one time.
If the perpetrators of Rustock are ever caught, will it be possible to prove that they were responsible for the malware? Why or why not? Support your answer.
Mandiant has stated that it has no definitive proof that Chinese hackers are behind the numerous attacks on U.S. companies and government agencies. Is such proof even possible to obtain? Why or why not? Support your answer. If such proof were possible to obtain, would it matter? Why or why not? Support your answer.
Discuss the advantages for FireEye of purchasing Mandiant. Then, discuss the benefits that Mandiant obtained from the sale.
Business Continuity Planning
• Business Continuity (BC)
• Business Continuity Plan (BC)
• Incident Response (IR)
   • Stopping
   • Containment
   • Report
   • Identify/trace
   • Prosecute/penalty/compensation
The Six Stages of Incident Response
• http://www.darkreading.com/vulnerabilities-and-threats/the-six-stages-of-incident-response/d/d-id/1059365?
• Preparation: Be ready with the tools and training for incidents before they happen.
• Identification: Identify incidents thoroughly.
• Containment: Contain the incident immediately to prevent possible collateral damage. This may mean revoking user accounts, blocking access at the firewall or updating antivirus rules to catch the malicious code.
• Eradication: Get rid of the malicious code, unauthorized account, or bad employee that caused the incident.
• Recovery: Make sure the system meets company standards or baselines, before returning it to service.
• Lessons Learned: Put together a report detailing what happened, why it happened, what could have prevented it, and what you’ll be doing to prevent it from happening again.
Information Systems Auditing
• Internal Audits
• External Audits
• Three Categories of IS Auditing Procedures
   • Auditing Around the Computer
   • Auditing Through the Computer
   • Auditing With the Computer
Let’s take care of Mother Nature here:
• The “nature of threat from Mother Nature”:
   • Large scale
   • Extent of damage
   • Difficult to fully protect against
• Solution: Backup
• Things to note and watch about backups:
Let’s take care of Mother Nature (cont.)
• Backup:
   • Location
   • Frequency
   • Types of backup sites
• Policy, procedure, drill!!!