InfoSec Lect2 | PDF | Computer Security | Security
InfoSec Lect2

The document discusses various aspects of information security, including vulnerabilities, backdoors, and cyber crime prevention strategies. It emphasizes the importance of protecting data, managing threats, and balancing security with access in organizational settings. Additionally, it outlines the roles of management and technology in ensuring effective information security practices.

Uploaded by

9811765048yadav
Copyright: © All Rights Reserved

Information Security

The Enigma

Vulnerability
It is a weakness which helps an attacker
to reduce a system's information
assurance.
Vulnerability is the intersection of three
elements: a system susceptibility or flaw,
attacker access to the flaw, and attacker
capability to exploit the flaw.
To exploit vulnerability, an attacker must
have at least one applicable tool or
technique that can connect to a system
weakness.
Vulnerability
In this frame, vulnerability is also known
as the attack surface.
Vulnerability management is the cyclical
practice of identifying, classifying,
remediating, and mitigating
vulnerabilities.
This practice generally refers to software
vulnerabilities in computing systems
Backdoors
It is a method of bypassing normal
authentication, securing remote access
to a computer, obtaining access to
plaintext, and so on, while attempting to
remain undetected.
The backdoor may take the form of an
installed program, or it could be a
modification of an installed program or
of hardware.
It may also fake information about disk
and memory usage.
Cyber Crime Prevention
1. Use Strong Passwords
Use different user ID / password
combinations for different accounts and
avoid writing them down.
Make the passwords more complicated
by combining letters, numbers, special
characters (minimum 10 characters in
total) and change them regularly.
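Added example (not part of the original slides): a Python sketch that checks a set of account passwords against the rules on this slide (at least 10 characters, with letters, numbers and special characters, and a different password per account). The function names, the sample accounts and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import string

MIN_LENGTH = 10  # the slide's minimum total length


def policy_failures(password):
    """Return the slide rules that `password` breaks (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than 10 characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(c.isdigit() for c in password):
        failures.append("no numbers")
    # Only ASCII punctuation counts as "special" here; spaces do not.
    if not any(c in string.punctuation for c in password):
        failures.append("no special characters")
    return failures


def fingerprint(password, key):
    """Keyed SHA-256 digest used as the grouping key, so the reuse map
    never stores a plaintext password."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def audit(accounts, key):
    """Check each account's password and flag reuse across accounts."""
    report = {name: policy_failures(pw) for name, pw in accounts.items()}
    groups = {}
    for name, pw in accounts.items():
        groups.setdefault(fingerprint(pw, key), []).append(name)
    for names in groups.values():
        if len(names) > 1:  # same password on more than one account
            for name in names:
                others = sorted(n for n in names if n != name)
                report[name].append("reused on: " + ", ".join(others))
    return report


# Constructed sample data, not real credentials (hypothetical accounts).
SAMPLE_ACCOUNTS = {
    "email": "Tr1cky!Horse_42",
    "bank": "Tr1cky!Horse_42",
    "forum": "summer2024",
    "shop": "c0rrect-Battery-staple",
}
SAMPLE_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for account, problems in audit(SAMPLE_ACCOUNTS, SAMPLE_KEY).items():
        print(account, "OK" if not problems else problems)
```

A password can satisfy every composition rule and still be flagged, as the reused "email" and "bank" entries show.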
Cyber Crime Prevention
Activate your firewall.
Use anti-virus/malware software: prevent viruses
from infecting your computer by
installing and regularly updating
anti-virus software.
Block spyware attacks: prevent spyware
from infiltrating your computer by
installing and updating anti-spyware
software.
Cyber Crime Prevention
Be social-media savvy: make sure your
social networking profiles are set to
private.
Check your security settings. Be careful
what information you post online.
Cyber Crime Prevention
Secure your Mobile Devices.
Be aware that your mobile device is
vulnerable to viruses and hackers.
Download applications from trusted
sources.
Cyber Crime Prevention
Install the latest operating system
updates: keep your applications and
operating system current with the latest
system updates.
Turn on automatic updates to prevent
potential attacks on older software.
Cyber Crime Prevention
Protect your Data
Use encryption for your most sensitive
files, such as tax returns or financial
records.
Make regular back-ups of all your
important data, and store them in another
location.
Cyber Crime Prevention
Secure your wireless network: Wi-Fi
(wireless) networks at home are
vulnerable to intrusion if they are not
properly secured.
Public Wi-Fi "hot spots" are also
vulnerable. Avoid conducting financial or
corporate transactions on these
networks.
Cyber Crime Prevention
Protect your e-identity
Be cautious when giving out personal
information such as your name, address,
phone number or financial information
on the Internet.
Make sure that websites are secure
when making online purchases and
while using social networking sites.
Cyber Crime Prevention
Avoid being scammed.
Don’t feel pressured by any emails.
When in doubt, verify the source.
Never reply to emails that ask you to
verify your information or confirm your
user ID or password.
Cyber Crime Prevention
Call the right person for help. Don’t
panic! If you are a victim, if you
encounter illegal Internet content, or
if you suspect a computer crime, identity
theft or a commercial scam, report this
to your local police.
Critical Characteristics Of
Information
The value of information comes from the
characteristics it possesses.
■ Availability
■ Accuracy
■ Authenticity
■ Confidentiality
■ Integrity
■ Utility
■ Possession
Components of an Information
System

To fully understand the importance of
information security, you need to know the
elements of an information system
An Information System (IS) is much more than
computer hardware; it is the entire set of
software, hardware, data, people, and
procedures necessary to use information as a
resource in the organization
CNSS Security Model

• Intersection of information states (x-axis)
• Key objectives of C.I.A. (y-axis), and
• Three primary means to implement (policy, education and
technology).
Securing the Components
A computer can be the subject of an
attack, the object of an attack, or
both
When a computer is
■ the subject of an attack, it is used as an
active tool to conduct the attack
■ the object of an attack, it is the entity being
attacked
Subject and Object of Attack
Balancing Security and Access
It is impossible to obtain perfect security - it is
not an absolute; it is a process
Security should be considered a balance
between protection and availability
To achieve balance, the level of security must
allow reasonable access, yet protect against
threats
Balancing Security and Access
Approaches to Security
Implementation
Bottom Up Approach
Security from a grass-roots effort - systems
administrators attempt to improve the security
of their systems
Key advantage - technical expertise of the
individual administrators
Seldom works, as it lacks a number of critical
features:
■ participant support
■ organizational staying power
Top-down Approach
Initiated by upper management:
■ issue policy, procedures, and processes
■ dictate the goals and expected outcomes of the
project
■ determine who is accountable for each of the
required actions
This approach has strong upper management
support, a dedicated champion, dedicated
funding, clear planning, and the chance to
influence organizational culture
Information Security:
Is It an Art or a Science?
With the level of complexity in today’s
information systems, the implementation of
information security has often been described
as a combination of art and science
Security as art:
■ No hard and fast rules nor are there many
universally accepted complete solutions
■ No magic user’s manual for the security of the
entire system
■ Complex levels of interaction between users,
policy, and technology controls
Security as Science
Dealing with technology designed to perform
at high levels of performance
Specific conditions cause virtually all actions
that occur in computer systems
Almost every fault, security hole, and systems
malfunction is a result of the interaction of
specific hardware and software
If the developers had sufficient time, they
could resolve and eliminate these faults
Security as a Social Science
Social science examines the behavior of
individuals interacting with systems
Security begins and ends with the people that
interact with the system
End users may be the weakest link in the
security chain
Security administrators can greatly reduce the
levels of risk caused by end users, and create
more acceptable and supportable security
profiles
Business Needs First,
Technology Needs Last

Information security performs four important
functions for an organization:
1. Protects the organization’s ability to function
2. Enables the safe operation of applications
implemented on the organization’s IT systems
3. Protects the data the organization collects and
uses
4. Safeguards the technology assets in use at the
organization
1. Protecting the Ability to Function

Management is responsible
Information security is
■ a management issue
■ a people issue
Communities of interest must argue for
information security in terms of impact and
cost
2. Enabling Safe Operation

Organizations must create integrated, efficient,
and capable applications
Organizations need environments that
safeguard applications
Management must not abdicate to the IT
department its responsibility to make choices
and enforce decisions
3. Protecting Data

One of the most valuable assets is data
Without data, an organization loses its record
of transactions and/or its ability to deliver
value to its customers
An effective information security program is
essential to the protection of the integrity and
value of the organization’s data
4. Safeguarding Technology
Assets
Organizations must have secure infrastructure
services based on the size and scope of the
enterprise
Additional security services may have to be
provided
More robust solutions may be needed to
replace security programs the organization has
outgrown
Threats-1

Management must be informed of the various
kinds of threats facing the organization
A threat is an object, person, or other entity
that represents a constant danger to an asset
By examining each threat category in turn,
management effectively protects its
information through policy, education and
training, and technology controls
Threats-2

The 2002 CSI/FBI survey found:
■ 90% of organizations responding detected
computer security breaches within the last year
■ 80% lost money to computer breaches, totaling
over $455,848,000 up from $377,828,700 reported
in 2001
■ The number of attacks that came across the
Internet rose from 70% in 2001 to 74% in 2002
■ Only 34% of organizations reported their attacks to
law enforcement
1. Threats to Information Security
Acts of Human Error or Failure
Includes acts done without malicious intent
Caused by:
■ Inexperience
■ Improper training
■ Incorrect assumptions
■ Other circumstances
Employees are the greatest threats to information
security – they are closest to the
organizational data
2. Acts of Human Error or
Failure
Employee mistakes can easily lead to the
following:
■ Revelation (previously unknown) of classified data
■ entry of erroneous data
■ accidental deletion or modification of data
■ storage of data in unprotected areas
■ failure to protect information
Many of these threats can be prevented with
controls
3. Compromises to IP (Intellectual
Property)
Intellectual property is “the ownership of ideas and
control over the tangible or virtual representation of
those ideas”
Many organizations are in business to create
intellectual property
■ trade secrets
■ copyrights
■ trademarks
■ Patents
Most common IP breaches involve software piracy
Watchdog organizations investigate:
■ Software & Information Industry Association (SIIA)
■ Business Software Alliance (BSA)
Enforcement of copyright has been attempted with
technical security mechanisms
4. Espionage/Trespass
Broad category of activities that breach confidentiality
■ Unauthorized accessing of information
■ Competitive intelligence (the legal and ethical
collection and analysis of information regarding the
capabilities, vulnerabilities, and intentions of
business competitors) vs. espionage (Using spy)
■ Shoulder surfing can occur any place a person is
accessing confidential information
Controls implemented to mark the boundaries of an
organization’s virtual territory giving notice to
trespassers that they are encroaching on the
organization’s cyberspace
Hackers use skill, guile, or fraud to steal the property
of someone else
5. Information Extortion

Information extortion is an attacker or formerly
trusted insider stealing information from a
computer system and demanding
compensation for its return or non-use
Extortion found in credit card number theft
6. Sabotage or Vandalism

Individual or group who want to deliberately sabotage
(destroy) the operations of a computer system or
business, or perform acts of vandalism to either
destroy an asset or damage the image of the
organization
These threats can range from petty vandalism to
organized sabotage
Organizations rely on image so Web defacing can
lead to dropping consumer confidence and sales
Rising threat of hacktivist or cyber-activist operations
– the most extreme version is cyber-terrorism
7. Deliberate Acts of Theft
Illegal taking of another’s property - physical,
electronic, or intellectual
The value of information suffers when it is
copied and taken away without the owner’s
knowledge
Physical theft can be controlled - a wide
variety of measures used from locked doors to
guards or alarm systems
Electronic theft is a more complex problem to
manage and control - organizations may not
even know it has occurred
8. Deliberate Software Attacks
When an individual or group designs software
to attack systems, they create malicious
code/software called malware
■ Designed to damage, destroy, or deny service to
the target systems
Includes:
■ macro virus
■ boot virus
■ worms
■ Trojan horses
■ logic bombs
■ back door or trap door
■ denial-of-service attacks
9. Forces of Nature
Forces of nature, or acts of
God are dangerous because they are
unexpected and can occur with very little
warning
Can disrupt not only the lives of individuals, but
also the storage, transmission, and use of
information
Include fire, flood, earthquake, and lightning as
well as volcanic eruption and insect infestation
Since it is not possible to avoid many of these
threats, management must implement controls
to limit damage and also prepare contingency
plans for continued operations
10. Technical Hardware
Failures or Errors

Technical hardware failures or errors occur when a
manufacturer distributes to users equipment
containing flaws
These defects can cause the system to perform
outside of expected parameters, resulting in unreliable
service or lack of availability
Some errors are terminal, in that they result in the
unrecoverable loss of the equipment
Some errors are intermittent, in that they only
periodically manifest themselves, resulting in faults
that are not easily repeated
11. Technical Software Failures
or Errors

This category of threats comes from purchasing
software with unrevealed faults
Large quantities of computer code are written,
debugged, published, and sold only to determine that
not all bugs were resolved
Sometimes, unique combinations of certain software
and hardware reveal new bugs
Sometimes, these items aren’t errors, but are
purposeful shortcuts left by programmers for honest
or dishonest reasons
12. Technological Obsolescence
When the infrastructure becomes antiquated
or outdated, it leads to unreliable and
untrustworthy systems
Management must recognize that when
technology becomes outdated, there is a risk
of loss of data integrity to threats and attacks
Ideally, proper planning by management
should prevent the risks from technology
obsolescence, but when obsolescence is
identified, management must take action