Information Security
Threats
Security Controls
Protecting Information System
What is Information Security?
Known as InfoSec, it is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
It is a general term that applies regardless of the form the data takes (electronic, physical, etc.).
Two major aspects of Information Security:
I.T. Security: Sometimes referred to as computer security, Information Technology Security is information security applied to technology (most often some form of computer system).
It is worth noting that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory, which includes servers, phones, network equipment and embedded controllers.
IT security specialists are found in almost every major enterprise or establishment because of the nature and value of the data held by larger businesses.
They are responsible for keeping all of the technology within the company secure from malicious cyber attacks, which often attempt to break into critical private information or gain control of internal systems.
Information assurance: The act of ensuring that data is not lost when critical issues arise.
These issues include, but are not limited to, natural disasters, computer or server malfunction, physical theft, or any other situation in which data could be lost.
• Since most information is now stored on computers, information assurance is typically handled by IT security specialists.
• One of the most common ways of providing information assurance is to keep an off-site backup of the data in case one of these issues arises; a backup only provides assurance if restoring from it is tested regularly.
Threats to Information System
• There are many information security threats that we need to be constantly aware of and protect against in order to ensure our sensitive information remains secure.
Unauthorized Access – Enter at your own risk
• The attempted or successful access of information or systems without permission or rights to do so.
Ensure you have a properly configured firewall, up-to-date malware prevention software, and that all software has the latest security updates.
Protect all sensitive information, using encryption where appropriate, and use strong, unique passwords. Current guidance (NIST SP 800-63B) favors long, unique passwords and multi-factor authentication over forced periodic changes; change a password when there is reason to believe it has been compromised.
Cyber Espionage – Hey, get off my network!
• The act of spying through the use of computers, involving the covert access or 'hacking' of company or government networks to obtain sensitive information.
Be alert for social engineering attempts and verify all requests for sensitive information.
Ensure software has the latest security updates, that your network is securely configured, and monitor for unusual network behavior.
Malware – You installed what?!
• A collective term for malicious software, such as viruses, worms and trojans, designed to infiltrate systems and information for criminal, commercial or destructive purposes.
Ensure you have a properly configured firewall, up-to-date malware prevention, and that all software has the latest security updates.
Do not click links or open attachments in emails from unknown senders, visit untrusted websites, or install dubious software.
Data Leakage – I seek what you leak.
• The intentional or accidental loss, theft or exposure of sensitive company or personal information.
Ensure all sensitive information stored on removable storage media, mobile devices or laptops is encrypted.
Be mindful of what you post online, check email recipients before pressing send, and never email sensitive company information to personal email accounts.
Mobile Device Attack – Lost, but not forgotten
• A malicious attack on, or unauthorized access to, mobile devices and the information stored or processed by them, performed wirelessly or through physical possession.
Keep devices with you at all times, encrypt all sensitive data and removable storage media, and use strong passwords.
Avoid connecting to insecure, untrusted public wireless networks and ensure Bluetooth is in 'undiscoverable' mode.
Social Engineering – Go find some other mug
• Tricking and manipulating others by phone, email, online or in person into divulging sensitive information, in order to access company information or systems.
Verify all requests for sensitive information, no matter how legitimate they may seem, and never share your passwords with anyone – not even the helpdesk.
Never part with sensitive information if in doubt, and report suspected social engineering attempts immediately.
Insiders – I see bad people
• An employee or worker with malicious intent to steal sensitive company information, commit fraud, or cause damage to company systems or information.
Ensure access to sensitive information is restricted to only those who need it, and revoke access when it is no longer required.
Report all suspicious activity or workers immediately.
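The access-review rule on this slide (restrict access to those who need it, revoke it when no longer required) as an added worked example that is not part of the original slides: a small Python review that joins an entitlement export against the HR roster and a role model. The roster, the role-to-resource mapping, the entitlement list and the 90-day idle limit are constructed assumptions for the example.

```python
"""Periodic access review (added example, not from the slides).

Joins a list of entitlements against the HR roster and a role model and
returns what should be revoked: leavers, accounts with no HR record,
entitlements the role does not need, and entitlements left unused.
"""
from datetime import date, timedelta

MAX_IDLE_DAYS = 90          # assumed policy value
TODAY = date(2024, 6, 10)   # fixed "now" so the example is reproducible

# Assumed role model: which resources each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"ledger-db", "expense-app"},
    "sales-rep": {"crm"},
}

# Constructed HR roster for the example.
HR_ROSTER = {
    "alice": {"role": "finance-analyst", "status": "active"},
    "bob": {"role": "sales-rep", "status": "terminated"},
    "carol": {"role": "sales-rep", "status": "active"},
}

# Constructed entitlement export: (user, resource, last_used).
ENTITLEMENTS = [
    ("alice", "ledger-db", date(2024, 6, 1)),   # in role, recently used: keep
    ("alice", "crm", date(2024, 6, 1)),         # not part of alice's role
    ("bob", "crm", date(2024, 5, 20)),          # bob has left
    ("carol", "crm", date(2024, 1, 1)),         # in role but idle
    ("dave", "ledger-db", date(2024, 6, 1)),    # no HR record at all
]


def review_access(entitlements, roster, today, role_model=ROLE_ENTITLEMENTS,
                  max_idle_days=MAX_IDLE_DAYS):
    """Return [(user, resource, reason)] for entitlements to revoke, in input order.
    Checks run from most to least severe so each entry carries one reason."""
    to_revoke = []
    for user, resource, last_used in entitlements:
        person = roster.get(user)
        if person is None:
            to_revoke.append((user, resource, "no HR record"))
        elif person["status"] != "active":
            to_revoke.append((user, resource, "left the organisation"))
        elif resource not in role_model.get(person["role"], set()):
            to_revoke.append((user, resource, "not required by role"))
        elif today - last_used > timedelta(days=max_idle_days):
            to_revoke.append((user, resource, f"unused for more than {max_idle_days} days"))
    return to_revoke


def demo():
    """Run the review over the constructed data above."""
    return review_access(ENTITLEMENTS, HR_ROSTER, TODAY)


if __name__ == "__main__":
    for user, resource, reason in demo():
        print(f"revoke {user} -> {resource}: {reason}")
```

Running the review on the sample data yields four revocations: alice's CRM access (outside her role), bob's CRM access (leaver), carol's CRM access (idle) and dave's ledger access (no HR record). The check order matters: a leaver is reported as a leaver even if the entitlement is also idle, so the revocation queue is not cluttered with duplicate reasons.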
Phishing – Think before you link
• A form of social engineering involving the sending of legitimate-looking emails aimed at fraudulently extracting sensitive information from recipients, usually to gain access to systems or for identity theft.
• Look out for emails containing unexpected or unsolicited requests for sensitive information, or contextually relevant emails from unknown senders.
• Never click on suspicious-looking links within emails, and report all suspected phishing attempts immediately.
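An added example (not from the original slides) of the link checks a mail filter can automate from the advice above: it parses the anchors in an HTML email body and flags links whose visible text names a different domain than the real target, links whose host is a raw IP address, and targets outside an allow-list of domains the organisation actually uses. The allow-list, the sample message and every domain and address in it are constructed for the example; the registrable-domain helper is a deliberate simplification that ignores the public suffix list.

```python
"""Flag suspicious links in an HTML e-mail body (added example, not from the slides).

Checks three phishing tells: visible link text naming a different domain than
the real href target, hrefs whose host is a raw IP address, and targets outside
an allow-list of domains the organisation actually uses.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list for the example; a real filter would load this from config.
TRUSTED_DOMAINS = {"example-bank.com"}


def registered_domain(host):
    """Last two labels of a hostname, e.g. 'a.b.example.com' -> 'example.com'.
    Simplification: ignores the public suffix list (co.uk and similar)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return a list of {href, text, reasons} for links that fail any check."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        host = target.hostname or ""
        reasons = []
        if target.scheme and target.scheme not in ("http", "https"):
            reasons.append(f"non-HTTP scheme '{target.scheme}'")
        if host and host.replace(".", "").isdigit():
            reasons.append("raw IP address as host")
        # Visible text that itself looks like a URL or bare domain must point where it says.
        shown = ""
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registered_domain(shown) != registered_domain(host):
            reasons.append(f"text shows {shown} but link goes to {host}")
        if host and registered_domain(host) not in trusted:
            reasons.append(f"untrusted domain {registered_domain(host)}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message for the example (all domains and addresses are fictitious).
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked.</p>
<p><a href="https://example-bank.com.verify-login.xyz/reset">https://example-bank.com/reset</a></p>
<p>Need help? Visit our <a href="https://example-bank.com/help">Help centre</a>.</p>
<p>Or <a href="http://198.51.100.7/x">click here</a> to confirm your details.</p>
"""

if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

On the sample message the first link is flagged twice (the text shows example-bank.com while the target is a look-alike subdomain of verify-login.xyz, which is also untrusted), the help-centre link passes, and the "click here" link is flagged for using a raw IP address. The subdomain trick in the first link is why the check compares registrable domains rather than looking for the trusted name anywhere in the host.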
System Compromise – Only the strong survive
• A system that has been attacked and taken over by malicious individuals or 'hackers', usually through the exploitation of one or more vulnerabilities, and then often used for attacking other systems.
Plug vulnerable holes by ensuring software has the latest security updates and that any internally developed software is adequately security reviewed.
Ensure systems are hardened and configured securely, and regularly scan them for vulnerabilities.
Spam – Email someone else
• Unsolicited email sent in bulk to many individuals, usually for commercial gain, but increasingly for spreading malware.
Only give your email address to those you trust and never post it online for others to view.
Use a spam filter and never reply to spam emails or click links within them.
Denial of Service – Are you still there?
• An intentional attack on (or occasionally an unintentional overload of) a system and the information stored on it, rendering the system unavailable and inaccessible to authorized users.
Securely configure and harden all networks and network equipment against known DoS attacks.
Monitor networks through log reviews and the use of intrusion detection or prevention systems.
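An added example (not from the original slides) of the log-review monitoring this slide recommends: a sliding-window counter over web server access logs in Common Log Format that reports any source exceeding a request threshold inside the window. The log lines, the window length and the threshold are constructed assumptions; real deployments tune both values to the service's normal traffic.

```python
"""Request-flood detection over web server access logs (added example, not from the slides).

Keeps a sliding window of timestamps per source IP and reports any source
whose request count inside the window exceeds a threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) or None for a line that is not in CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def detect_floods(lines, window_seconds=10, threshold=20):
    """Return {ip: peak_count} for sources exceeding `threshold` requests within
    any `window_seconds` interval. Lines are assumed to arrive in time order
    per source, as they do when tailing a live log."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than crash the monitor
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()   # drop timestamps that fell out of the window
        if len(q) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def _clf(ip, second, path="/"):
    """Build one constructed CLF line at 12:00:<second> on a fixed date."""
    return f'{ip} - - [10/Oct/2024:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: one source sends 25 requests in 5 seconds, another sends
# 6 requests spread over 40 seconds, plus one line the parser cannot read.
SAMPLE_LOG = (
    [_clf("203.0.113.5", s // 5, "/login") for s in range(25)]
    + [_clf("198.51.100.9", s * 8) for s in range(6)]
    + ["Oct 10 12:00:41 host sshd[1]: not an access-log line"]
)

if __name__ == "__main__":
    for ip, peak in detect_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests inside a 10 s window")
```

With the defaults, only 203.0.113.5 is reported (25 requests in a 10-second window); the slower client never has more than two requests in any window. A rate detector like this catches a single noisy source, which is the easy case; a distributed flood spreads the same load over many addresses, so production monitoring also tracks the aggregate rate per endpoint.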
Identity Theft – You will never be me
• The theft of an unknowing individual's personal information in order to fraudulently assume that individual's identity to commit a crime, usually for financial gain.
• Never provide personal information to untrusted individuals or websites.
• Ensure personal information is protected when stored and securely disposed of when no longer needed.
Protecting Information System
1. Data security is fundamental
Data security is crucial to all academic, medical and business operations.
All existing and new business and data processes should include a data security review to be sure data is safe from loss and secured against unauthorized access.
2. Plan ahead
Create a plan to review your data security status and policies, and create routine processes to access, handle and store the data safely, as well as to archive unneeded data.
Make sure you and your colleagues know how to respond if you have a data loss or data breach incident.
3. Know what data you have
The first step to secure computing is knowing what data you have and what levels of protection are required to keep the data both confidential and safe from loss.
4. Scale down the data
Keep only the data you need for routine current business; safely archive or destroy older data, and remove it from all computers and other devices (smart phones, laptops, flash drives, external hard disks).
5. Lock up!
Physical security is the key to safe and confidential computing.
All the passwords in the world won't get your laptop back if the computer itself is stolen; full-disk encryption is what keeps the data on it confidential once the hardware is gone.
Back up the data to a safe place in the event of loss.
Security is generally defined as the freedom from danger or as the condition of safety. Computer security, specifically, is the protection of data in a system against unauthorized disclosure, modification, or destruction, and the protection of the computer system itself against unauthorized use, modification, or denial of service.
Information Security Controls
Physical Controls
The use of locks, security guards, badges, alarms, and similar measures to control access to computers, related equipment (including utilities), and the processing facility itself.
In addition, measures are required for protecting computers, related equipment, and their contents from espionage, theft, and destruction or damage by accident, fire, or natural disaster (e.g., floods and earthquakes).
Technical Controls
The use of safeguards incorporated in computer hardware, operations or applications software, communications hardware and software, and related devices.
Technical controls are sometimes referred to as logical controls.
Preventive technical controls are used to prevent unauthorized personnel or programs from gaining remote access to computing resources. Examples of these controls include:
o Access control software
o Antivirus software
o Library control systems
o Passwords
o Smart cards
o Encryption
o Dial-up access control and callback systems
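An added example (not from the original slides) of the "Passwords" item in that list as implemented in software: a password is never stored as such; the system stores a salted, iterated PBKDF2-HMAC hash, verifies with a constant-time comparison, and applies a minimal policy check before accepting a new password. The iteration count, minimum length and banned-password list are assumed values for the example.

```python
"""Password storage as a preventive technical control (added example, not from the slides).

Never store the password itself: store a salted, iterated hash and compare in
constant time. Parameters below are assumed policy values.
"""
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumed; raise as hardware gets faster
MIN_LENGTH = 12        # assumed policy minimum
BANNED = frozenset({"password", "123456", "qwerty", "letmein"})  # assumed deny-list
ALGORITHM = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    salt = secrets.token_bytes(16)            # unique per password, from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ))


def verify_password(password, stored):
    """True if `password` matches the stored record; False on mismatch or a malformed record."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:  # wrong field count, bad base64 or non-numeric iterations
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not short-circuit on the first differing byte,
    # so timing does not reveal how much of the digest matched.
    return hmac.compare_digest(actual, expected)


def password_is_acceptable(password):
    """Minimal policy: length plus a deny-list of common choices. A production
    check would also screen against breached-password corpora."""
    return len(password) >= MIN_LENGTH and password.lower() not in BANNED


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Because the record carries its own algorithm and iteration count, the parameters can be raised later and old records re-hashed on the user's next successful login without a migration. Two hashes of the same password never match each other, since each gets a fresh salt; that is what prevents a leaked table from being attacked with one precomputed dictionary.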
Administrative Controls
Management constraints, operational procedures, accountability procedures, and supplemental administrative controls established to provide an acceptable level of protection for computing resources.
In addition, administrative controls include procedures established to ensure that all personnel who have access to computing resources have the required authorizations and appropriate security clearances.
Preventive administrative controls are personnel-oriented techniques for controlling people's behavior to ensure the confidentiality, integrity, and availability of computing data and programs. Examples of preventive administrative controls include:
o Security awareness and technical training
o Separation of duties
o Procedures for recruiting and terminating employees
o Security policies and procedures
o Supervision
o Disaster recovery, contingency, and emergency plans
o User registration for computer access
Web 2.0
Sites that allow users to do more than just retrieve information.
Instead of merely reading, a user is invited to comment on published articles, or create a user account or profile on the site, which may enable increased participation.
By increasing emphasis on these already-existing capabilities, they encourage the user to rely more on their browser for user interface, application software and file storage facilities.
This has been called "network as platform" computing.
Major features of Web 2.0 include social networking sites, user-created Web sites, self-publishing platforms, tagging, and social bookmarking.
Users can provide the data that is on a Web 2.0 site and exercise some control over that data.
Web 2.0 offers all users the same freedom to contribute.
While this opens the possibility for serious debate and collaboration, it also increases the incidence of "spamming" and "trolling" by unscrupulous or misanthropic users.
Features of Web 2.0 Technologies
Folksonomy - free classification of information; allows users to collectively classify and find information (e.g. tagging)
Rich User Experience - dynamic content; responsive to user input
User as a Contributor - information flows two ways between site owner and site user by means of evaluation, review, and commenting
Long tail - services offered on an on-demand basis; profit is realized through monthly service subscriptions more than one-time purchases of goods over the network
User Participation - site users add content for others to see (e.g. crowdsourcing)
Software as a service - Web 2.0 sites develop APIs to allow automated usage, such as by an app or mashup
Basic Trust - contributions are available for the world to use, reuse, or re-purpose
Dispersion - content delivery uses multiple channels (e.g. file sharing, permalinks); digital resources and services are sought more than physical goods
Web 2.0 can be described in three parts:
Rich Internet application (RIA) — defines the experience brought from desktop to browser, whether from a graphical point of view or a usability point of view.
Web-oriented architecture (WOA) — a key piece of Web 2.0, which defines how Web 2.0 applications expose their functionality so that other applications can leverage and integrate it, providing a set of much richer applications. Examples are feeds, RSS, Web Services, and mash-ups.
Social Web — defines how Web 2.0 tends to interact much more with the end user and make the end user an integral part.
Categories of Web 2.0
1. Mashups - sites using existing technologies for an entirely new purpose, like WikiMapia.org. It takes the functions of a wiki and overlays it with Google Maps for an entirely new kind of map. See ProgrammableWeb.com for more mashups.
2. Aggregators - A site or program that gathers data from multiple sources and organizes the information to present it in a new, more streamlined or appropriate format. Examples: Digg.com is a top aggregator site, as is Slashdot for the more technical people. And of course our dearly beloved Google (and any other search engine, for that matter) is the mother of all aggregators.
3. Social Networking - Websites focusing on connecting people with other people directly, like MySpace.
4. Social Media - User-generated content like blogs or Flickr.
5. Video - Online television such as YouTube.
6. Web Applications - online programs that can do virtually everything your existing software programs can do. Zoho, for instance, can replace your Microsoft Office programs.