the need for security in information security
TRANSCRIPT
-
7/29/2019 The Need for Security in Information security
1/45
The Need for SecurityChapter 2
-
7/29/2019 The Need for Security in Information security
2/45
Principles of Information Security - Chapter 2 Slide 2
Business Needs First,Technology Needs Last
Information security performs fourimportant functions for an organization:
Protects the organizations ability to function
Enables the safe operation of applicationsimplemented on the organizations IT systems
Protects the data the organization collects and
uses Safeguards the technology assets in use at the
organization
-
7/29/2019 The Need for Security in Information security
3/45
Principles of Information Security - Chapter 2 Slide 3
Protecting the Ability to Function
Management is responsible
Information security is
a management issue a people issue
Communities of interest must argue
for information security in terms ofimpact and cost
-
7/29/2019 The Need for Security in Information security
4/45
Principles of Information Security - Chapter 2 Slide 4
Enabling Safe Operation
Organizations must create integrated,
efficient, and capable applications
Organization need environments thatsafeguard applications
Management must not abdicate to the IT
department its responsibility to makechoices and enforce decisions
-
7/29/2019 The Need for Security in Information security
5/45
Principles of Information Security - Chapter 2 Slide 5
Protecting Data
One of the most valuable assets is data
Without data, an organization loses itsrecord of transactions and/or its ability to
deliver value to its customersAn effective information security program
is essential to the protection of the
integrity and value of the organizationsdata
-
7/29/2019 The Need for Security in Information security
6/45
Principles of Information Security - Chapter 2 Slide 6
Safeguarding Technology Assets
Organizations must have secureinfrastructure services based on the sizeand scope of the enterprise
Additional security services may have tobe provided
More robust solutions may be needed toreplace security programs the organizationhas outgrown
-
7/29/2019 The Need for Security in Information security
7/45Principles of Information Security - Chapter 2 Slide 7
Threats
Management must be informed of thevarious kinds of threats facing theorganization
A threat is an object, person, or otherentity that represents a constant danger toan asset
By examining each threat category in turn,management effectively protects itsinformation through policy, education andtraining, and technology controls
-
7/29/2019 The Need for Security in Information security
8/45Principles of Information Security - Chapter 2 Slide 8
Threats
The 2002 CSI/FBI survey found: 90% of organizations responding detected computer
security breaches within the last year
80% lost money to computer breaches, totaling over$455,848,000 up from $377,828,700 reported in
2001
The number of attacks that came across the Internet
rose from 70% in 2001 to 74% in 2002 Only 34% of organizations reported their attacks to
law enforcement
-
7/29/2019 The Need for Security in Information security
9/45Principles of Information Security - Chapter 2 Slide 9
Threats to Information Security
-
7/29/2019 The Need for Security in Information security
10/45Principles of Information Security - Chapter 2 Slide 10
Acts of Human Error or Failure
Includes acts done without malicious intentCaused by:
Inexperience
Improper training
Incorrect assumptions
Other circumstances
Employees are greatest threats to information
security They are closest to the organizationaldata
-
7/29/2019 The Need for Security in Information security
11/45Principles of Information Security - Chapter 2 Slide 11
Acts of Human Error or Failure
Employee mistakes can easily lead to thefollowing:
revelation of classified data
entry of erroneous data accidental deletion or modification of data
storage of data in unprotected areas
failure to protect informationMany of these threats can be prevented
with controls
-
7/29/2019 The Need for Security in Information security
12/45Principles of Information Security - Chapter 2 Slide 12
-
7/29/2019 The Need for Security in Information security
13/45Principles of Information Security - Chapter 2 Slide 13
Deviations in Quality of Serviceby Service Providers
Situations of product or services not deliveredas expected
Information system depends on many inter-
dependent support systems Three sets of service issues that dramatically
affect the availability of information and systemsare
Internet service Communications
Power irregularities
-
7/29/2019 The Need for Security in Information security
14/45Principles of Information Security - Chapter 2 Slide 14
Internet Service Issues
Loss of Internet service can lead to considerableloss in the availability of information
organizations have sales staff and telecommuters
working at remote locationsWhen an organization outsources its web
servers, the outsourcer assumes responsibility for
All Internet Services
The hardware and operating system software used tooperate the web site
-
7/29/2019 The Need for Security in Information security
15/45Principles of Information Security - Chapter 2 Slide 15
Communications and OtherServices
Other utility services have potential impact
Among these are
telephone
water & wastewater trash pickup
cable television
natural or propane gas
custodial services
The threat of loss of services can lead toinability to function properly
-
7/29/2019 The Need for Security in Information security
16/45Principles of Information Security - Chapter 2 Slide 16
Power IrregularitiesVoltage levels can increase, decrease, or cease:
spike momentary increase
surge prolonged increase
sag momentary low voltage
brownout prolonged drop fault momentary loss of power
blackout prolonged loss
Electronic equipment is susceptible to
fluctuations, controls can be applied to managepower quality
-
7/29/2019 The Need for Security in Information security
17/45Principles of Information Security - Chapter 2 Slide 17
Espionage/Trespass
Broad category of activities that breach confidentiality Unauthorized accessing of information Competitive intelligence vs. espionage Shoulder surfing can occur any place a person is
accessing confidential information Controls implemented to mark the boundaries of an
organizations virtual territory giving notice totrespassers that they are encroaching on theorganizations cyberspace
Hackers uses skill, guile, or fraud to steal the property ofsomeone else
-
7/29/2019 The Need for Security in Information security
18/45Principles of Information Security - Chapter 2 Slide 18
-
7/29/2019 The Need for Security in Information security
19/45Principles of Information Security - Chapter 2 Slide 19
-
7/29/2019 The Need for Security in Information security
20/45Principles of Information Security - Chapter 2 Slide 20
Espionage/TrespassGenerally two skill levels among hackers:
Expert hacker develops software scripts and codes exploits
usually a master of many skills
will often create attack software and share with others
Script kiddies hackers of limited skill use expert-written software to exploit a system
do not usually fully understand the systems they hack
Other terms for system rule breakers: Cracker - an individual who cracks or removes
protection designed to prevent unauthorizedduplication
Phreaker - hacks the public telephone network
-
7/29/2019 The Need for Security in Information security
21/45Principles of Information Security - Chapter 2 Slide 21
Information Extortion
Information extortion is an attacker orformerly trusted insider stealinginformation from a computer system and
demanding compensation for its return ornon-use
Extortion found in credit card number theft
-
7/29/2019 The Need for Security in Information security
22/45
Principles of Information Security - Chapter 2 Slide 22
Sabotage or Vandalism
Individual or group who want to deliberately sabotagethe operations of a computer system or business, orperform acts of vandalism to either destroy an asset ordamage the image of the organization
These threats can range from petty vandalism toorganized sabotage
Organizations rely on image so Web defacing can leadto dropping consumer confidence and sales
Rising threat of hacktivist or cyber-activist operationsthe most extreme version is cyber-terrorism
-
7/29/2019 The Need for Security in Information security
23/45
Principles of Information Security - Chapter 2 Slide 23
Deliberate Acts of Theft Illegal taking of anothers property - physical,
electronic, or intellectual
The value of information suffers when it iscopied and taken away without the owners
knowledge Physical theft can be controlled - a wide variety
of measures used from locked doors to guardsor alarm systems
Electronic theft is a more complex problem tomanage and control - organizations may noteven know it has occurred
-
7/29/2019 The Need for Security in Information security
24/45
Principles of Information Security - Chapter 2 Slide 24
Deliberate Software AttacksWhen an individual or group designs software to
attack systems, they create maliciouscode/software called malware Designed to damage, destroy, or deny service to the
target systems
Includes: macro virus boot virus worms Trojan horses
logic bombs back door or trap door denial-of-service attacks polymorphic hoaxes
-
7/29/2019 The Need for Security in Information security
25/45
Principles of Information Security - Chapter 2 Slide 25
C i I ll l
-
7/29/2019 The Need for Security in Information security
26/45
Principles of Information Security - Chapter 2 Slide 26
Compromises to IntellectualProperty
Intellectual property is the ownership of ideas
and control over the tangible or virtualrepresentation of those ideas
Many organizations are in business to createintellectual property
trade secrets
copyrights trademarks
patents
C i t I t ll t l
-
7/29/2019 The Need for Security in Information security
27/45
Principles of Information Security - Chapter 2 Slide 27
Compromises to IntellectualProperty
Most common IP breaches involvesoftware piracy
Watchdog organizations investigate: Software & Information Industry Association
(SIIA)
Business Software Alliance (BSA)
Enforcement of copyright has beenattempted with technical securitymechanisms
-
7/29/2019 The Need for Security in Information security
28/45
Principles of Information Security - Chapter 2 Slide 28
Forces of Nature Forces of nature, force majeure, or acts of God
are dangerous because they are unexpectedand can occur with very little warning
Can disrupt not only the lives of individuals, butalso the storage, transmission, and use ofinformation
Include fire, flood, earthquake, and lightning aswell as volcanic eruption and insect infestation
Since it is not possible to avoid many of thesethreats, management must implement controlsto limit damage and also prepare contingencyplans for continued operations
T h i l H d F il
-
7/29/2019 The Need for Security in Information security
29/45
Principles of Information Security - Chapter 2 Slide 29
Technical Hardware Failuresor Errors
Technical hardware failures or errors occur when amanufacturer distributes to users equipment containingflaws
These defects can cause the system to perform outside
of expected parameters, resulting in unreliable serviceor lack of availability
Some errors are terminal, in that they result in theunrecoverable loss of the equipment
Some errors are intermittent, in that they onlyperiodically manifest themselves, resulting in faults thatare not easily repeated
T h i l S ft F il
-
7/29/2019 The Need for Security in Information security
30/45
Principles of Information Security - Chapter 2 Slide 30
Technical Software Failures orErrors This category of threats comes from purchasing
software with unrevealed faults
Large quantities of computer code are written,
debugged, published, and sold only todetermine that not all bugs were resolved
Sometimes, unique combinations of certainsoftware and hardware reveal new bugs
Sometimes, these items arent errors, but are
purposeful shortcuts left by programmers forhonest or dishonest reasons
-
7/29/2019 The Need for Security in Information security
31/45
Principles of Information Security - Chapter 2 Slide 31
Technological Obsolescence
When the infrastructure becomes antiquated oroutdated, it leads to unreliable anduntrustworthy systems
Management must recognize that whentechnology becomes outdated, there is a risk ofloss of data integrity to threats and attacks
Ideally, proper planning by management shouldprevent the risks from technology obsolesce,but when obsolescence is identified,management must take action
-
7/29/2019 The Need for Security in Information security
32/45
Principles of Information Security - Chapter 2 Slide 32
AttacksAn attack is the deliberate act that exploits
vulnerability
It is accomplished by a threat-agent to damageor steal an organizations information or physical
asset An exploit is a technique to compromise a system
A vulnerability is an identified weakness of acontrolled system whose controls are not present or
are no longer effective An attack is then the use of an exploit to achieve the
compromise of a controlled system
-
7/29/2019 The Need for Security in Information security
33/45
Principles of Information Security - Chapter 2 Slide 33
Malicious Code
This kind of attack includes the execution ofviruses, worms, Trojan horses, and active webscripts with the intent to destroy or steal
information The state of the art in attacking systems in 2002
is the multi-vector worm using up to six attackvectors to exploit a variety of vulnerabilities incommonly found information system devices
-
7/29/2019 The Need for Security in Information security
34/45
Principles of Information Security - Chapter 2 Slide 34
-
7/29/2019 The Need for Security in Information security
35/45
Principles of Information Security - Chapter 2 Slide 35
Attack Descriptions IP Scan and Attack Compromised system
scans random or local range of IP addressesand targets any of several vulnerabilities knownto hackers or left over from previous exploits
Web Browsing - If the infected system has writeaccess to any Web pages, it makes all Webcontent files infectious, so that users whobrowse to those pages become infected
Virus - Each infected machine infects certaincommon executable or script files on allcomputers to which it can write with virus codethat can cause infection
-
7/29/2019 The Need for Security in Information security
36/45
Principles of Information Security - Chapter 2 Slide 36
Attack Descriptions
Unprotected Shares - using file shares to copyviral component to all reachable locations
Mass Mail - sending e-mail infections to
addresses found in address book Simple Network Management Protocol - SNMP
vulnerabilities used to compromise and infect
Hoaxes - A more devious approach to attackingcomputer systems is the transmission of a virushoax, with a real virus attached
-
7/29/2019 The Need for Security in Information security
37/45
Principles of Information Security - Chapter 2 Slide 37
Attack Descriptions
Back Doors - Using a known or previously unknown andnewly discovered access mechanism, an attacker cangain access to a system or network resource
Password Crack - Attempting to reverse calculate a
password Brute Force - The application of computing and network
resources to try every possible combination of options ofa password
Dictionary - The dictionary password attack narrows thefield by selecting specific accounts to attack and uses alist of commonly used passwords (the dictionary) toguide guesses
-
7/29/2019 The Need for Security in Information security
38/45
Principles of Information Security - Chapter 2 Slide 38
Attack Descriptions
Denial-of-service (DoS) attacker sends a large number of connection or
information requests to a target
so many requests are made that the target system
cannot handle them successfully along with other,legitimate requests for service
may result in a system crash, or merely an inability toperform ordinary functions
Distributed Denial-of-service (DDoS) - an attackin which a coordinated stream of requests islaunched against a target from many locationsat the same time
-
7/29/2019 The Need for Security in Information security
39/45
Principles of Information Security - Chapter 2 Slide 39
-
7/29/2019 The Need for Security in Information security
40/45
Principles of Information Security - Chapter 2 Slide 40
Attack Descriptions Spoofing - technique used to gain unauthorized
access whereby the intruder sends messages toa computer with an IP address indicating thatthe message is coming from a trusted host
Man-in-the-Middle - an attacker sniffs packetsfrom the network, modifies them, and insertsthem back into the network
Spam - unsolicited commercial e-mail - while
many consider spam a nuisance rather than anattack, it is emerging as a vector for someattacks
-
7/29/2019 The Need for Security in Information security
41/45
Principles of Information Security - Chapter 2 Slide 41
-
7/29/2019 The Need for Security in Information security
42/45
Principles of Information Security - Chapter 2 Slide 42
-
7/29/2019 The Need for Security in Information security
43/45
Principles of Information Security - Chapter 2 Slide 43
Attack DescriptionsMail-bombing - another form of e-mail attack
that is also a DoS, in which an attacker routeslarge quantities of e-mail to the target
Sniffers - a program and/or device that canmonitor data traveling over a network. Sniffers
can be used both for legitimate networkmanagement functions and for stealinginformation from a network
Social Engineering - within the context of
information security, the process of using socialskills to convince people to reveal accesscredentials or other valuable information to theattacker
-
7/29/2019 The Need for Security in Information security
44/45
Principles of Information Security - Chapter 2 Slide 44
Attack Descriptions People are the weakest link. You can
have the best technology; firewalls,intrusion-detection systems, biometricdevices ... and somebody can call an
unsuspecting employee. That's all shewrote, baby. They got everything.
brick attack the best configured firewall
in the world cant stand up to a well placedbrick
-
7/29/2019 The Need for Security in Information security
45/45
Attack Descriptions
Buffer Overflow application error occurs when more data is sent to a bufferthan it can handle
when the buffer overflows, the attacker can make thetarget system execute instructions, or the attacker cantake advantage of some other unintended consequence ofthe failure
Timing Attack relatively new works by exploring the contents of a web browsers cache
can allow collection of information on access to password-protected sites another attack by the same name involves attempting to
intercept cryptographic elements to determine keys andencryption algorithms