Information Security1

Upload: harshad-sawant

Post on 14-Apr-2018


7/30/2019 Information Security1 (1/39)

Information Security

Information security is about how to prevent attacks or, failing that, to detect attacks on information-based systems.
Information security requirements have changed in recent times.
Traditionally, security was provided by physical and administrative mechanisms.
Computer use requires automated tools to protect files and other stored information.
Use of networks and communications links requires measures to protect data during transmission.

Introduction

The primary mission of information security is to ensure that systems and their contents stay the same.
If no threats existed, resources could be focused on improving systems, resulting in vast improvements in ease of use and usefulness.
Attacks on information systems are a daily occurrence.

Information security performs four important functions for an organization:
Protects the organization's ability to function
Enables safe operation of applications implemented on its IT systems
Protects data the organization collects and uses
Safeguards technology assets in use

Protecting the Functionality of an Organization

Management (general and IT) is responsible for implementation.
Information security is both a management issue and a people issue.
The organization should address information security in terms of business impact and cost.

Enabling the Safe Operation of Applications

The organization needs environments that safeguard applications using its IT systems.
Management must continue to oversee the infrastructure once it is in place, not relegate it to the IT department.

Protecting Data that Organizations Collect and Use

Without data, an organization loses its record of transactions and/or its ability to deliver value to customers.
Protecting data in motion and data at rest are both critical aspects of information security.

Safeguarding Technology Assets in Organizations

Organizations must have secure infrastructure services based on the size and scope of the enterprise.
Additional security services may be needed as the organization grows.
More robust solutions may be needed to replace security programs the organization has outgrown.

Critical Characteristics of Information

The value of information comes from the characteristics it possesses:
Availability
Confidentiality
Integrity
Accuracy
Authenticity
Utility
Possession

Three basic security concepts important to information on the Internet are:
Confidentiality
Integrity
Availability

Concepts relating to the people who use that information are:
Authentication
Authorization
Nonrepudiation

Confidentiality

When information is read or copied by someone not authorized to do so, the result is known as loss of confidentiality. For some types of information, confidentiality is a very important attribute. Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems.

Examples include research data, medical and insurance records, new product specifications, and corporate investment strategies. In some locations, there may be a legal obligation to protect the privacy of individuals. This is particularly true for banks and loan companies; debt collectors; businesses that extend credit to their customers or issue credit cards; hospitals, doctors' offices, and medical testing laboratories; individuals or agencies that offer services such as psychological counseling or drug treatment; and agencies that collect taxes.

In highly secure government agencies, such as the Department of Defence, confidentiality ensures that the public cannot access private information. In businesses, confidentiality ensures that private information, such as payroll and personal data, is protected from competitors and other organisations. In the e-commerce world, confidentiality ensures that customers' data cannot be used for illegal purposes.

Integrity

Information can be corrupted when it is available on an insecure network. When information is modified in unexpected ways, the result is known as loss of integrity. This means that unauthorized changes are made to information, whether by human error or intentional tampering. Integrity is particularly important for critical safety and financial data used for activities such as electronic funds transfers, air traffic control, and financial accounting.

In information security, integrity means data cannot be modified without authorization. Integrity is violated when a virus infects a computer, when an employee is able to modify his own salary in a payroll database, or when an unauthorized user vandalizes a website.

Availability

Information can be erased or become inaccessible, resulting in loss of availability. This means that people who are authorized to get information cannot get what they need. Availability is often the most important attribute in service-oriented businesses that depend on information (for example, airline schedules and online inventory systems).

Availability of the network itself is important to anyone whose business or education relies on a network connection. When users cannot access the network or specific services provided on the network, they experience a denial of service.

To make information available to those who need it and who can be trusted with it, organizations use authentication and authorization.

Authentication is proving that a user is the person he or she claims to be. That proof may involve something the user knows (such as a password), something the user has (such as a smartcard), or something about the user that proves the person's identity (such as a fingerprint).

Authorization is the act of determining whether a particular user (or computer system) has the right to carry out a certain activity, such as reading a file or running a program.

Authentication and authorization go hand in hand. Users must be authenticated before carrying out the activity they are authorized to perform. Security is strong when the means of authentication cannot later be refuted: the user cannot later deny that he or she performed the activity. This is known as nonrepudiation.
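The payroll scenario from the integrity slide (an employee altering his own salary) and the authenticate-then-authorize sequence above, worked through as an added Python example that is not part of the slides. The users, passwords, HMAC key and payroll records are all constructed for the demo; the audit log is the nonrepudiation trail, and the per-record seal is what lets a change made outside the controlled path be detected.

```python
import hashlib
import hmac
import json

# Constructed demo data, not from the slides: a user directory and a payroll
# store. The HMAC key would come from a secrets store in a real system.
INTEGRITY_KEY = b"constructed-demo-key"
USERS = {
    "alice": {"pw_hash": hashlib.sha256(b"alice-pw").hexdigest(), "role": "payroll_clerk", "employee_id": 1},
    "bob": {"pw_hash": hashlib.sha256(b"bob-pw").hexdigest(), "role": "employee", "employee_id": 2},
}
PAYROLL = {1: {"salary": 50000}, 2: {"salary": 42000}}
AUDIT_LOG = []  # nonrepudiation trail: who changed which record, and to what

def seal(record):
    """Integrity tag (HMAC-SHA256) over a canonical encoding of one record."""
    data = json.dumps(record, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).hexdigest()

SEALS = {eid: seal(rec) for eid, rec in PAYROLL.items()}

def authenticate(username, password):
    """Check something the user knows (plain SHA-256 here stands in for a real password hash)."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    return {"name": username, "role": user["role"], "employee_id": user["employee_id"]}

def authorized(principal, employee_id):
    """Authorization: a clerk may change any salary except their own; nobody else may."""
    return principal["role"] == "payroll_clerk" and principal["employee_id"] != employee_id

def update_salary(username, password, employee_id, new_salary):
    """The controlled path: authenticate, then authorize, then change, re-seal and log."""
    principal = authenticate(username, password)
    if principal is None:
        return "authentication failed"
    if not authorized(principal, employee_id):
        return "not authorized"
    PAYROLL[employee_id]["salary"] = new_salary
    SEALS[employee_id] = seal(PAYROLL[employee_id])
    AUDIT_LOG.append({"actor": principal["name"], "employee_id": employee_id, "new_salary": new_salary})
    return "ok"

def integrity_violations():
    """Records changed outside the controlled path no longer match their seal."""
    return [eid for eid, rec in PAYROLL.items() if not hmac.compare_digest(seal(rec), SEALS[eid])]
```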

Threats

Threat: an object, person, or other entity that represents a constant danger to an asset.
Management must be informed of the different threats facing the organization.
Overall security is improving.


Compromises to Intellectual Property (Piracy, Copyright Infringement)

Intellectual property (IP): ownership of ideas and control over the tangible or virtual representation of those ideas.
The most common IP breaches involve software piracy.
Two watchdog organizations investigate software abuse:
Software & Information Industry Association (SIIA)
Business Software Alliance (BSA)
Enforcement of copyright law has been attempted with technical security mechanisms.

Deliberate Software Attacks

Malicious software (malware) is designed to damage, destroy, or deny service to target systems. It includes:
Viruses
Worms
Trojan horses
Logic bombs
Back doors or trap doors
Polymorphic threats
Virus and worm hoaxes

A computer virus is a program written to enter your computer system surreptitiously (secretly) and "infect" it by installing or modifying files or establishing itself in memory. Some viruses are benign and won't harm your system, while others are destructive and can damage or destroy your data. Viruses can spread via any of the methods used to get information into your computer: network connections, shared folders, e-mail, and shared media such as flash memory, CDs, and diskettes. Once they are established on your computer, viruses work at transferring themselves to other computers.

Worms are viruses that self-replicate and spread via e-mail or networks.

In computers, a Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage. Trojans are seemingly legitimate computer programs that have been intentionally designed to disrupt your computing activity or use your computer for something you did not intend.

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files (such as a salary database trigger). To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software. As an example, trial programs with code that disables certain functionality after a set time are not normally regarded as logic bombs.

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing illegal remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Some viruses attack their host systems on specific dates. Trojans that activate on certain dates are often called "time bombs".

Polymorphic malware is harmful, destructive or intrusive computer software such as a virus, worm, Trojan or spyware that constantly changes ("morphs"), making it difficult to detect with anti-malware programs.

Hoaxes: transmission of a virus hoax with a real virus attached; a more devious form of attack.

Deviations in Quality of Service

Includes situations where products or services are not delivered as expected.
An information system depends on many interdependent support systems.
Internet service, communications, and power irregularities dramatically affect the availability of information and systems.

Internet service issues:
Internet service provider (ISP) failures can considerably undermine the availability of information.
An outsourced Web hosting provider assumes responsibility for all Internet services as well as the hardware and Web site operating system software.

Communications and other service provider issues

Deviations in Quality of Service (contd.)

Power irregularities:
Commonplace.
Organizations with inadequately conditioned power are susceptible.
Controls can be applied to manage power quality.
Fluctuations (short or prolonged)
Excesses (spikes or surges): voltage increase
Shortages (sags or brownouts): low voltage
Losses (faults or blackouts): loss of power

Espionage or Trespass

Access of protected information by unauthorized individuals.
Competitive intelligence (legal) vs. industrial espionage (illegal).
Shoulder surfing can occur anywhere a person accesses confidential information.
Controls let trespassers know they are encroaching on the organization's cyberspace.
Hackers use skill, guile, or fraud to bypass controls protecting others' information.

Espionage or Trespass (contd.)

Expert hacker:
Develops software scripts and program exploits
Usually a master of many skills
Will often create attack software and share it with others

Unskilled hacker:
Many more unskilled hackers than expert hackers
Use expertly written software to exploit a system
Do not usually fully understand the systems they hack

Espionage or Trespass (contd.)

Other terms for system rule breakers:
Cracker: cracks or removes software protection designed to prevent unauthorized duplication
Phreaker: hacks the public telephone network

Forces of Nature

Forces of nature are among the most dangerous threats.
They disrupt not only individual lives, but also the storage, transmission, and use of information.
Organizations must implement controls to limit damage and prepare contingency plans for continued operations.

Human Error or Failure

Includes acts performed without malicious intent.
Causes include:
Inexperience
Improper training
Incorrect assumptions
Employees are among the greatest threats to an organization's data.

Human Error or Failure (contd.)

Employee mistakes can easily lead to:
Revelation of classified data
Entry of erroneous data
Accidental data deletion or modification
Data storage in unprotected areas
Failure to protect information
Many of these threats can be prevented with controls.

Information Extortion

An attacker steals information from a computer system and demands compensation for its return or nondisclosure.
Commonly done in credit card number theft.

Missing, Inadequate, or Incomplete

Missing, inadequate, or incomplete policy or planning can make organizations vulnerable to loss, damage, or disclosure of information assets.
Missing, inadequate, or incomplete controls can make an organization more likely to suffer losses when other threats lead to attacks.

Sabotage or Vandalism

Threats can range from petty vandalism to organized sabotage.
Web site defacing can erode consumer confidence, dropping sales and the organization's net worth.
The threat of hacktivist or cyberactivist operations is rising.
Cyberterrorism: a much more sinister form of hacking.

Theft

Illegal taking of another's physical, electronic, or intellectual property.
Physical theft is controlled relatively easily.
Electronic theft is a more complex problem; evidence of the crime is not readily apparent.

Technical Hardware Failures or Errors

Occur when a manufacturer distributes equipment containing flaws to users.
Can cause a system to perform outside of expected parameters, resulting in unreliable or poor service.
Some errors are terminal; some are intermittent.

Technical Software Failures or Errors

Purchased software may contain unrevealed faults.
Combinations of certain software and hardware can reveal new software bugs.
Entire Web sites are dedicated to documenting bugs.

Technological Obsolescence

Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems.
Proper managerial planning should prevent technology obsolescence.
IT plays a large role.