Threats Security Controls Protecting Information System

Upload: learnt

Post on 02-Jul-2015


TRANSCRIPT

Page 1: InformationSecurity

Threats

Security Controls

Protecting Information System

Page 2: InformationSecurity

What is Information Security?

Known as InfoSec, it is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

It is a general term that applies regardless of the form the data may take (electronic, physical, etc.).

Page 3: InformationSecurity

Two major aspects of Information Security:

I.T. Security: Sometimes referred to as computer security, Information Technology Security is information security applied to technology (most often some form of computer system).

It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory.

Page 4: InformationSecurity

IT security specialists are almost always found in any major enterprise or establishment, due to the nature and value of the data within larger businesses.

They are responsible for keeping all of the technology within the company secure from malicious cyber attacks, which often attempt to breach critical private information or gain control of the internal systems.

Page 5: InformationSecurity

Two major aspects of information security:

Information assurance: The act of ensuring that data is not lost when critical issues arise.

These issues include but are not limited to: natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost.

Page 6: InformationSecurity

• Since most information is stored on computers in our modern era, information assurance is typically dealt with by IT security specialists.

• One of the most common methods of providing information assurance is to have an off-site backup of the data in case one of the mentioned issues arises.

Page 7: InformationSecurity

Threats to Information System

• There are many information security threats that we need to be constantly aware of and protect against in order to ensure our sensitive information remains secure.

Page 8: InformationSecurity

Unauthorized Access – Enter at your own risk

• The attempted or successful access of information or systems, without permission or rights to do so.

Ensure you have a properly configured firewall, up to date malware prevention software and all software has the latest security updates.

Protect all sensitive information, utilizing encryption where appropriate, and use strong passwords that are changed regularly.

Page 9: InformationSecurity

Cyber Espionage – Hey, get off my network!

• The act of spying through the use of computers, involving the covert access or ‘hacking’ of company or government networks to obtain sensitive information.

Be alert for social engineering attempts and verify all requests for sensitive information.

Ensure software has the latest security updates, your network is secure and monitor for unusual network behavior.

Page 10: InformationSecurity

Malware – You installed what?!

• A collective term for malicious software, such as viruses, worms and trojans; designed to infiltrate systems and information for criminal, commercial or destructive purposes.

Ensure you have a properly configured firewall, up to date malware prevention and all software has the latest security updates.

Do not click links or open attachments in emails from unknown senders, visit un-trusted websites or install dubious software.

Page 11: InformationSecurity

Data Leakage – I seek what you leak.

• The intentional or accidental loss, theft or exposure of sensitive company or personal information.

Ensure all sensitive information stored on removable storage media, mobile devices or laptops is encrypted.

Be mindful of what you post online, check email recipients before pressing send, and never email sensitive company information to personal email accounts.
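The recipient check the slide asks for before pressing send, as an added example that is not part of the original slides: it flags mail addressed to consumer webmail domains when the content carries a sensitivity marker, and asks for confirmation on any other external recipient. The domain lists, marker words and message shape are assumptions constructed for the example.

```python
import re
from email.utils import getaddresses

# Constructed policy data for this example, not from the slides.
COMPANY_DOMAINS = {"example.com", "corp.example.com"}
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Words the (assumed) classification policy puts in the subject/body of sensitive mail.
SENSITIVE_MARKERS = re.compile(r"\b(confidential|internal only|restricted)\b", re.IGNORECASE)


def recipient_domains(header_value):
    """Lower-cased domain of every address in a To/Cc/Bcc header value."""
    return [addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses([header_value]) if "@" in addr]


def check_outbound(message):
    """Pre-send check. `message` is a plain dict with 'to', 'cc', 'subject'
    and 'body' keys (an assumed shape, not a real mail client API).
    Returns (severity, reason) tuples; an empty list means nothing to review."""
    findings = []
    domains = recipient_domains(message.get("to", "")) + recipient_domains(message.get("cc", ""))
    text = message.get("subject", "") + " " + message.get("body", "")
    sensitive = SENSITIVE_MARKERS.search(text) is not None
    for domain in sorted(set(domains)):
        if domain in COMPANY_DOMAINS:
            continue  # internal recipient: nothing to flag
        if sensitive and domain in PERSONAL_WEBMAIL:
            findings.append(("block", f"sensitive content addressed to personal webmail at {domain}"))
        elif sensitive:
            findings.append(("warn", f"sensitive content leaving the company to {domain}"))
        else:
            findings.append(("confirm", f"external recipient at {domain}; check before sending"))
    return findings


# Constructed sample messages.
LEAKY = {"to": "Alice <alice@example.com>", "cc": "bob.home@gmail.com",
         "subject": "CONFIDENTIAL: Q3 forecast", "body": "Draft attached."}
HARMLESS = {"to": "team@example.com", "subject": "Confidential minutes", "body": "See attached."}

if __name__ == "__main__":
    for name, msg in (("LEAKY", LEAKY), ("HARMLESS", HARMLESS)):
        print(name, check_outbound(msg))
```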

Page 12: InformationSecurity

Mobile Device Attack – Lost, but not forgotten

• The malicious attack on, or unauthorized access of, mobile devices and the information stored or processed by them; performed wirelessly or through physical possession.

Keep devices with you at all times, encrypt all sensitive data and removable storage media, and use strong passwords.

Avoid connecting to insecure, un-trusted public wireless networks and ensure Bluetooth is in ‘undiscoverable’ mode.

Page 13: InformationSecurity

Social Engineering – Go find some other mug

• Tricking and manipulating others by phone, email, online or in person into divulging sensitive information, in order to access company information or systems.

Verify all requests for sensitive information, no matter how legitimate they may seem, and never share your passwords with anyone – not even the helpdesk.

Never part with sensitive information if in doubt, and report suspected social engineering attempts immediately.

Page 14: InformationSecurity

Insiders – I see bad people

• An employee or worker with malicious intent to steal sensitive company information, commit fraud or cause damage to company systems or information.

Ensure access to sensitive information is restricted to only those that need it, and revoke access when no longer required.

Report all suspicious activity or workers immediately.
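A periodic access review that implements the need-to-know and revocation advice above, as an added example that is not from the original slides: it compares what systems actually grant with what each person's HR role requires and lists what to revoke. The role table, roster and grants are constructed sample data.

```python
# Constructed policy and sample data for this example, not from the slides.
# Entitlements each HR role legitimately needs (the need-to-know table).
ROLE_NEEDS = {
    "finance": {"erp.read", "erp.post_journal"},
    "helpdesk": {"ad.reset_password", "ticketing.read"},
    "engineer": {"git.write", "ci.read"},
}

# HR roster: account -> (role, still employed).
HR_ROSTER = {
    "asmith": ("finance", True),
    "bjones": ("helpdesk", True),
    "cwu": ("engineer", False),   # left the company; access should already be gone
}

# What the systems actually grant today, e.g. exported from the directory.
GRANTED = {
    "asmith": {"erp.read", "erp.post_journal", "git.write"},   # finance with a leftover dev grant
    "bjones": {"ad.reset_password", "ticketing.read"},
    "cwu": {"git.write", "ci.read"},                            # leaver still has access
    "svc_backup": {"erp.read"},                                 # no HR record at all
}


def review_access(roster, granted, role_needs):
    """Compare granted entitlements with what each person's role needs.
    Returns {account: {"reason": ..., "revoke": [...]}}; an empty dict means clean."""
    findings = {}
    for account, entitlements in granted.items():
        if account not in roster:
            findings[account] = {"reason": "no HR record: orphan or unowned service account",
                                 "revoke": sorted(entitlements)}
            continue
        role, active = roster[account]
        if not active:
            findings[account] = {"reason": "employee has left: revoke everything",
                                 "revoke": sorted(entitlements)}
            continue
        excess = entitlements - role_needs.get(role, set())
        if excess:
            findings[account] = {"reason": f"entitlements beyond the {role} role",
                                 "revoke": sorted(excess)}
    return findings


if __name__ == "__main__":
    for account, finding in review_access(HR_ROSTER, GRANTED, ROLE_NEEDS).items():
        print(f"{account}: {finding['reason']} -> revoke {finding['revoke']}")
```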

Page 15: InformationSecurity

Phishing – Think before you link

• A form of social engineering, involving the sending of legitimate-looking emails aimed at fraudulently extracting sensitive information from recipients, usually to gain access to systems or for identity theft.

• Look out for emails containing unexpected or unsolicited requests for sensitive information, or contextually relevant emails from unknown senders.

• Never click on suspicious-looking links within emails, and report all suspected phishing attempts immediately.
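One concrete test for a "suspicious looking link", as an added example that is not part of the original slides: it parses the HTML body of a message and flags links whose visible text names one host while the href points at another, or whose destination is outside a trusted domain list. The sample message and the trusted-domain set are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host of a URL, or of a bare domain such as 'mail.example.com'."""
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value).hostname or ""


def is_trusted(host, trusted_domains):
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def suspicious_links(html_body, trusted_domains):
    """Return (href, reason) for links whose visible text names a different host
    than the href, or whose destination is outside the trusted domains."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        if not href or not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, relative links, etc. are left alone here
        target = host_of(href)
        # Heuristic: link text that looks like a URL or domain (has a dot, no spaces).
        shown = host_of(text) if "." in text and " " not in text else None
        if shown and shown != target:
            flagged.append((href, f"text shows {shown} but the link goes to {target}"))
        elif not is_trusted(target, trusted_domains):
            flagged.append((href, f"destination {target} is outside the trusted domains"))
    return flagged


# Constructed sample: a lookalike link whose text and destination disagree, plus a genuine one.
SAMPLE = ('<p>Your mailbox is full. Reset at <a href="http://mail.example.com.attacker-example.net/reset">'
          'https://mail.example.com/reset</a> or <a href="https://mail.example.com/help">see help</a>.</p>')
```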

Page 16: InformationSecurity

System Compromise – Only the strong survive

• A system that has been attacked and taken over by malicious individuals or ‘hackers’, usually through the exploitation of one or more vulnerabilities, and then often used for attacking other systems.

Plug vulnerable holes by ensuring software has the latest security updates and any internally developed software is adequately security reviewed.

Ensure systems are hardened and configured securely, and regularly scan them for vulnerabilities.

Page 17: InformationSecurity

Spam – Email someone else

• Unsolicited email sent in bulk to many individuals, usually for commercial gain, but increasingly for spreading malware.

Only give your email address to those you trust and never post your address online for others to view.

Use a spam filter and never reply to spam emails or click links within them.

Page 18: InformationSecurity

Denial of Service – Are you still there?

• An intentional or unintentional attack on a system and the information stored on it, rendering the system unavailable and inaccessible to authorized users.

Securely configure and harden all networks and network equipment against known DoS attacks.

Monitor networks through log reviews and the use of intrusion detection or prevention systems.

Page 19: InformationSecurity

Identity Theft – You will never be me

• The theft of an unknowing individual’s personal information, in order to fraudulently assume that individual’s identity to commit a crime, usually for financial gain.

• Never provide personal information to un-trusted individuals or websites.

• Ensure personal information is protected when stored and securely disposed of when no longer needed.

Page 20: InformationSecurity

Protecting Information System

1. Data security is fundamental

Data security is crucial to all academic, medical and business operations.

All existing and new business and data processes should include a data security review to be sure data is safe from loss and secured against unauthorized access.

Page 21: InformationSecurity

2. Plan ahead

Create a plan to review your data security status and policies, and create routine processes to access, handle and store the data safely as well as archive unneeded data.

Make sure you and your colleagues know how to respond if you have a data loss or data breach incident.

Page 22: InformationSecurity

3. Know what data you have

The first step to secure computing is knowing what data you have and what levels of protection are required to keep the data both confidential and safe from loss.

Page 23: InformationSecurity

4. Scale down the data

Keep only the data you need for routine current business, safely archive or destroy older data, and remove it from all computers and other devices (smart phones, laptops, flash drives, external hard disks).

Page 24: InformationSecurity

5. Lock up!

Physical security is the key to safe and confidential computing.

All the passwords in the world won't get your laptop back if the computer itself is stolen.

Back up the data to a safe place in the event of loss.

Page 25: InformationSecurity

Information Security Controls

Security is generally defined as the freedom from danger or as the condition of safety.

Computer security, specifically, is the protection of data in a system against unauthorized disclosure, modification, or destruction, and protection of the computer system itself against unauthorized use, modification, or denial of service.

Page 26: InformationSecurity

Physical Controls

It is the use of locks, security guards, badges, alarms, and similar measures to control access to computers, related equipment (including utilities), and the processing facility itself.

In addition, measures are required for protecting computers, related equipment, and their contents from espionage, theft, and destruction or damage by accident, fire, or natural disaster (e.g., floods and earthquakes).

Page 27: InformationSecurity

Technical Controls

Involves the use of safeguards incorporated in computer hardware, operations or applications software, communications hardware and software, and related devices.

Technical controls are sometimes referred to as logical controls.

Page 28: InformationSecurity

Technical Controls

Preventive technical controls are used to prevent unauthorized personnel or programs from gaining remote access to computing resources. Examples of these controls include:

• Access control software

• Antivirus software

• Library control systems

• Passwords

• Smart cards

• Encryption

• Dial-up access control and callback systems

Page 29: InformationSecurity

Administrative Controls

Consists of management constraints, operational procedures, accountability procedures, and supplemental administrative controls established to provide an acceptable level of protection for computing resources.

In addition, administrative controls include procedures established to ensure that all personnel who have access to computing resources have the required authorizations and appropriate security clearances.

Page 30: InformationSecurity

Administrative Controls

Preventive administrative controls are personnel-oriented techniques for controlling people’s behavior to ensure the confidentiality, integrity, and availability of computing data and programs. Examples of preventive administrative controls include:

• Security awareness and technical training

• Separation of duties

• Procedures for recruiting and terminating employees

• Security policies and procedures

• Supervision

• Disaster recovery, contingency, and emergency plans

• User registration for computer access

Page 31: InformationSecurity

Page 32: InformationSecurity

Web 2.0

Sites that allow users to do more than just retrieve information.

Instead of merely reading, a user is invited to comment on published articles, or create a user account or profile on the site, which may enable increased participation.

By increasing emphasis on these already-extant capabilities, they encourage the user to rely more on their browser for user interface, application software and file storage facilities.

Page 33: InformationSecurity

Web 2.0

This has been called "network as platform" computing.

Major features of Web 2.0 include social networking sites, user created Web sites, self-publishing platforms, tagging, and social bookmarking.

Users can provide the data that is on a Web 2.0 site and exercise some control over that data.

Page 34: InformationSecurity

Web 2.0

Web 2.0 offers all users the same freedom to contribute.

While this opens the possibility for serious debate and collaboration, it also increases the incidence of "spamming" and "trolling" by unscrupulous or misanthropic users.

Page 35: InformationSecurity

Features of Web 2.0 Technologies

Folksonomy - free classification of information; allows users to collectively classify and find information (e.g. tagging)

Rich User Experience - dynamic content; responsive to user input

User as a Contributor - information flows two ways between site owner and site user by means of evaluation, review, and commenting

Long tail - services offered on an on-demand basis; profit is realized through monthly service subscriptions more than one-time purchases of goods over the network

User Participation - site users add content for others to see (e.g. crowdsourcing)

Page 36: InformationSecurity

Features of Web 2.0 Technologies

Software as a service - Web 2.0 sites developed APIs to allow automated usage, such as by an app or mashup

Basic Trust - contributions are available for the world to use, reuse, or re-purpose

Dispersion - content delivery uses multiple channels (e.g. file sharing, permalinks); digital resources and services are sought more than physical goods

Page 37: InformationSecurity

Features of Web 2.0 Technologies

Web 2.0 can be described in three parts:

Rich Internet application (RIA) — defines the experience brought from desktop to browser, whether from a graphical point of view or a usability point of view.

Web-oriented architecture (WOA) — is a key piece in Web 2.0, which defines how Web 2.0 applications expose their functionality so that other applications can leverage and integrate that functionality, providing a set of much richer applications. Examples are feeds, RSS, Web Services, mash-ups.

Page 38: InformationSecurity

Features of Web 2.0 Technologies

Web 2.0 can be described in three parts:

Social Web — defines how Web 2.0 tends to interact much more with the end user and make the end user an integral part.

Page 39: InformationSecurity

Categories of Web 2.0

1. Mashups - sites using existing technologies for an entirely new purpose, like WikiMapia.org. It takes the functions of a wiki and overlays it with Google Maps for an entirely new kind of map. You can see ProgrammableWeb.com for more mashups.

2. Aggregators - A site or program that gathers data from multiple sources and organizes the information to present it in a new, more streamlined or appropriate format. Examples: Digg.com is a top aggregator site. So is Slashdot for the more technical people. And of course our dearly beloved Google (and any other search engine for that matter) are the mothers of all aggregators.

Page 40: InformationSecurity

Categories of Web 2.0

3. Social Networking - Websites focusing on connecting people with other people directly, like MySpace.

4. Social Media - User-generated content like blogs or Flickr.

5. Video - Online television such as YouTube.

6. Web Applications - online programs that can do virtually everything your existing software programs can do. Zoho, for instance, can replace your Microsoft Office programs.