CHAPTER 4
Information Security
Announcements
Friday Class Quiz 1 Review
Monday Class Quiz 1 – Access Basics
Questions/Comments
Security is constantly evolving…
https://www.youtube.com/watch?v=Ie0bRyXNrTs
Personal Security
How secure are you?
Do you secure your information?
How hackable is your digital life?
Key Information Security Terms
Information Security
Vulnerability
Threat
Exposure/Attack
Introduction to Information Security
Is it possible to secure the Internet?
Five Factors Increasing the Vulnerability of Information Resources
1. Today’s interconnected, interdependent, wirelessly-networked business environment
2. Smaller, faster, cheaper computers and storage devices
3. Decreasing skills necessary to be a hacker
4. Organized crime taking over cybercrime
5. Lack of management support
1. Networked Business Environment
2. Smaller, Faster Devices
3. Decreasing Skills Needed to be a Hacker
New and easier tools make it very easy to attack a network, even for someone with little skill.
At the same time, the attacks those tools launch are becoming increasingly sophisticated.
4. Organized Crime Taking Over Cybercrime
Cost of Cybercrime
Any Guesses?
http://www.zdnet.com/norton-cybercrime-cost-110-billion-last-year-7000003745/?s_cid=e539
5. Lack of Management Support
Categorizing Security Threats
Security Threats: Unintentional and Deliberate
Unintentional Threats: Most Dangerous Employees
Who are the most dangerous employees?
Why are these the most dangerous?
Unintentional Threats: Human Errors
Common human mistakes: carelessness with
Devices
E-mails
Internet
Poor password selection and use
Ex. Bank employees
Ex. Gawker hack: the most popular passwords. Any guesses on #1?
Unintentional Threats: Social Engineering
The art of manipulating people into performing actions or divulging confidential information.
Pretexting
Phishing
Baiting
Vishing (IVR or phone phishing)
Deliberate Threats to Information Security
Theft of equipment or information. Examples:
Dumpster diving
Laptop stolen in a break-in
Deliberate Threats (continued)
Identity theft
Stealing information from organizational databases
Phishing
Compromises to intellectual property
Deliberate Threats (continued)
Software attacks
Virus
Worm (see the rapid spread of the Slammer worm)
Trojan horse
Logic bomb
Phishing attacks
Distributed denial-of-service attacks (Ex. US banks)
Deliberate Threats (continued)
Alien software
Spyware
Spamware
Cookies
Targeted attacks
Supervisory control and data acquisition (SCADA) attacks (Ex. Stuxnet)
What Organizations Are Doing to Protect Themselves
“The only truly secure system is powered off, cast in a block of concrete, and sealed in a lead room with armed
guards, and even then I have my doubts”
What Organizations Are Doing to Protect Themselves
How do you protect your own networks?
Information Security Controls
1. Physical controls
2. Access controls
3. Communications (network) controls
Physical Controls, Access Controls, Communication Controls
Access Controls
Access Controls: Authentication (proof of identity)
Something the user is
Something the user has
Something the user does
Something the user knows (passwords, passphrases)
Access Controls: Authorization
Permissions issued based on verified identity
Privilege – operations that users can perform
Least privilege – grant a privilege only when there is a justifiable need for it, and nothing beyond that
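To make the two slides above concrete, here is an added example (not part of the original deck) that checks two authentication factors and then applies least-privilege authorization. "Something the user knows" is a password stored only as a salted PBKDF2 hash; "something the user has" is a device holding a shared secret, proven with an RFC 6238 time-based one-time code; authorization then grants exactly the operations the verified identity's role lists. The roles, the in-memory user table, the usernames and the shared secret are constructed for the example.

```python
"""Two authentication factors plus least-privilege authorization (added example)."""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 100_000
DUMMY_SALT = b"\x00" * 16  # used to equalize work when a username does not exist

# --- Something the user knows: a password, stored only as a salted PBKDF2 hash ---

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt defeats precomputed password tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected_digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # constant-time comparison, so a wrong guess cannot be timed byte by byte
    return hmac.compare_digest(candidate, expected_digest)

# --- Something the user has: a device holding a shared secret, proven with RFC 6238 TOTP ---

def totp(secret, unix_time, step=30, digits=6):
    """Time-based one-time password: HMAC-SHA1 over the 30-second counter (RFC 6238)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret, code, unix_time, step=30, window=1):
    """Accept the current code and one step either side, to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + drift * step, step), code)
        for drift in range(-window, window + 1)
    )

# --- Authorization: permissions follow from the verified identity's role, nothing more ---

# Constructed roles: each role carries only the operations its job needs (least privilege).
ROLE_PERMISSIONS = {
    "teller": {"account:read", "transaction:create"},
    "auditor": {"account:read", "transaction:read"},
    "admin": {"account:read", "account:write", "transaction:read", "transaction:create", "user:manage"},
}

USERS = {}  # username -> stored record; an in-memory stand-in for a user database

def register(username, password, totp_secret, role):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest, "totp_secret": totp_secret, "role": role}

def authenticate(username, password, code, unix_time):
    """Return an identity only when BOTH factors check out; otherwise None."""
    record = USERS.get(username)
    if record is None:
        # Burn the same PBKDF2 work as a real check so response time does not reveal
        # whether the username exists, then answer exactly as for a bad password.
        hash_password(password, DUMMY_SALT)
        return None
    if not verify_password(password, record["salt"], record["digest"]):
        return None
    if not verify_totp(record["totp_secret"], code, unix_time):
        return None
    return {"username": username, "role": record["role"]}

def authorize(identity, permission):
    """Grant a permission only if the identity's role explicitly includes it."""
    if identity is None:
        return False
    return permission in ROLE_PERMISSIONS.get(identity["role"], set())

if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed shared secret (the RFC 6238 test key)
    register("alice", "correct horse battery staple", secret, "teller")
    now = 1_700_000_000
    alice = authenticate("alice", "correct horse battery staple", totp(secret, now), now)
    print("login:", alice)
    print("teller may create a transaction:", authorize(alice, "transaction:create"))
    print("teller may manage users:", authorize(alice, "user:manage"))
```

The point of the structure: authentication answers "who is this?" and returns an identity or nothing; authorization is a separate check that starts from that identity and a permission list, so a teller who logs in correctly still cannot manage users. A real deployment would also rate-limit attempts and store the TOTP secret encrypted.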
Communications Controls
Firewalls
Anti-malware systems
Whitelisting and Blacklisting
Encryption
VPN
Communications Controls: Firewalls
Home
Corporate
China Firewall
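As an added example (not from the original deck), the following packet filter shows the difference between the whitelisting and blacklisting approaches listed above in the form a firewall actually applies them: an allow-list policy with a default of deny, as a corporate firewall would use, beside a block-list policy with a default of allow, as many home routers use. Both rule sets, the addresses and the ports are constructed for the example.

```python
"""Packet-filter firewall: allow-list (default deny) versus block-list (default allow)."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: tuple = None    # None = any port, else an inclusive (low, high) range

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        return True

class Firewall:
    def __init__(self, rules, default):
        self.rules = list(rules)
        self.default = default   # what happens when no rule matches

    def decide(self, pkt):
        """First matching rule wins; the default policy covers everything else."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default

# Constructed corporate-style policy: whitelisting. Only named services are reachable.
CORPORATE_FW = Firewall(
    rules=[
        Rule("allow", "tcp", src="10.0.0.0/8", dst="10.1.2.3/32", dport=(443, 443)),  # internal HTTPS app
        Rule("allow", "udp", src="10.0.0.0/8", dst="10.1.1.53/32", dport=(53, 53)),   # internal DNS
        Rule("allow", "tcp", src="10.0.9.0/24", dst="10.1.2.3/32", dport=(22, 22)),   # SSH from admin subnet only
    ],
    default="deny",
)

# Constructed home-style policy: blacklisting. Everything passes unless it is on the list.
HOME_FW = Firewall(
    rules=[
        Rule("deny", "tcp", dport=(23, 23)),   # telnet
        Rule("deny", src="203.0.113.0/24"),    # one known-bad network
    ],
    default="allow",
)

def compare(pkt):
    """Decision of both firewalls for the same packet."""
    return {"whitelist": CORPORATE_FW.decide(pkt), "blacklist": HOME_FW.decide(pkt)}

if __name__ == "__main__":
    # A service nobody listed: RDP from an outside address. The block list never heard of it.
    print(compare(Packet("tcp", "198.51.100.7", "10.1.2.3", 3389)))
```

The instructive case is traffic nobody anticipated: an outside host probing port 3389 is dropped by the allow-list firewall because no rule admits it, but passes the block-list firewall because no rule names it. A block list can only stop what someone already knew to write down.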
Controls: Encryption (PKI): How Public Key Encryption Works
Communication or Network Controls
Virtual private networking
Protection of data
Government regulations: HIPAA, Sarbanes-Oxley, PA74
Need to understand Risk
Risk Management (identify, control, minimize)
1. Risk analysis
2. Risk mitigation (take action)
1. Acceptance
2. Limitation (most common)
3. Transference
3. Controls evaluation: if the cost of the control exceeds the value of the asset it protects, the control is not cost-effective
Business Continuity Planning, Backup, and Recovery
Provide guidance to people who keep business operating after a disaster occurs.
Options: Hot Site Warm Site Cold Site
Personal Risk Assessment
To understand your own risk, pair up with another person and create an assessment.
List out the following:
1.Assets (e.g. laptop, external drive, etc.)
2.Threats (e.g. natural, virus, etc.)
3.Controls (how do you control threats)
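The following added example (not part of the original deck) carries the risk management steps above through in code for the personal risk assessment just described: each asset/threat pair gets an annual loss expectancy, the controls evaluation rule from the earlier slide is applied quantitatively, and one of the three mitigation strategies is chosen. The register of assets, threats, controls and insurance premiums is constructed, and its probabilities are illustrative guesses rather than statistics.

```python
"""Quantitative risk analysis and the three mitigation strategies (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # replacement value in dollars

@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float    # expected occurrences per year (annualized rate of occurrence)
    exposure: float       # fraction of the asset's value lost per occurrence, 0..1

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_rate: float  # expected occurrences per year once the control is in place

def single_loss_expectancy(asset, threat):
    return asset.value * threat.exposure

def annual_loss_expectancy(asset, threat):
    """ALE = SLE x ARO: the expected loss per year if nothing is done."""
    return single_loss_expectancy(asset, threat) * threat.annual_rate

def control_is_cost_effective(asset, threat, control):
    """The slide's rule made quantitative: a control earns its keep only when it removes
    more expected loss per year than it costs, and never when it costs more than the asset."""
    if control.annual_cost > asset.value:
        return False
    loss_avoided = (threat.annual_rate - control.residual_rate) * single_loss_expectancy(asset, threat)
    return loss_avoided > control.annual_cost

def choose_strategy(asset, threat, control=None, insurance_premium=None):
    """Limitation if a cost-effective control exists, transference if insurance is
    cheaper than the expected loss, otherwise acceptance."""
    if control is not None and control_is_cost_effective(asset, threat, control):
        return "limitation"
    if insurance_premium is not None and insurance_premium < annual_loss_expectancy(asset, threat):
        return "transference"
    return "acceptance"

def assess(register):
    """Run the assessment over (asset, threat, control, premium) rows."""
    report = []
    for asset, threat, control, premium in register:
        report.append((asset.name, threat.name,
                       round(annual_loss_expectancy(asset, threat), 2),
                       choose_strategy(asset, threat, control, premium)))
    return report

# Constructed personal risk register (assets, threats, controls), as the slide asks for.
PERSONAL_REGISTER = [
    (Asset("laptop", 1500), Threat("theft", 0.08, 1.0),
     Control("cable lock and tracking software", 20, 0.03), None),
    (Asset("phone", 900), Threat("dropped, screen broken", 0.3, 0.5),
     Control("rugged case", 25, 0.25), 99),
    (Asset("thesis data on external drive", 4000), Threat("drive failure", 0.05, 1.0),
     Control("off-site backup subscription", 60, 0.001), None),
    (Asset("old bicycle", 80), Threat("theft", 0.1, 1.0),
     Control("heavy lock", 15, 0.02), None),
]

if __name__ == "__main__":
    for name, threat, ale, strategy in assess(PERSONAL_REGISTER):
        print(f"{name:32} {threat:24} ALE ${ale:>8.2f}  -> {strategy}")
```

Two things the numbers make visible that the slide only states: the backup subscription is worth far more than it costs because the asset at risk is the data, not the drive, and the rugged case fails the test not because it is expensive but because it barely changes the rate of loss, which is exactly when transferring the risk to an insurer becomes the better choice.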
Other ways to minimize personal risk
LEARNING OBJECTIVES
1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one.
LEARNING OBJECTIVES
2. Compare and contrast human mistakes and social engineering, and provide a specific example of each one.
LEARNING OBJECTIVES (continued)
3. Define the three risk mitigation strategies, and provide an example of each one in the context of you owning a home.
LEARNING OBJECTIVES (continued)
4. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.