Saturday, 24 May 2014

Information Security


First, Introduction to Information Security

Security: the degree of protection against criminal activity, danger, damage and loss.

Information Security: all the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification or destruction.

Key Information Security Terms

Threat: any danger to which a system may be exposed

Exposure: the harm, loss or damage that can result if a threat compromises an information resource

Vulnerability: the possibility that the system will suffer harm from a threat

Threats to Information Security

- Today's interconnected, interdependent, wirelessly networked business environment
- Untrusted network: any network external to your organization
- Smaller, faster, cheaper computers and storage devices (flash drives)
- Decreasing skills necessary to be a computer hacker
- Cybercrime: illegal activities conducted over computer networks, particularly the Internet

Second, Unintentional Threats to Information Systems

- Human errors
- Carelessness with laptops and portable computing devices
- Opening questionable e-mails
- Careless Internet surfing
- Poor password selection
- Social engineering: an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential information such as passwords
- Tailgating: occurs when an unauthorized person slips in through a door before it closes
- Shoulder surfing: occurs when the attacker watches another person's computer screen over that person's shoulder

Thirdly, Deliberate Threats to Information Systems

Espionage or trespass: occurs when an unauthorized individual attempts to gain illegal access to organizational information

Information extortion: occurs when an attacker either threatens to steal or actually steals information from a company

Sabotage or vandalism: deliberate acts such as defacing an organization's website

Theft of equipment or information:

- Pod slurping: the perpetrator plugs a portable device into a USB port on a computer and downloads sensitive information
- Dumpster diving: rummaging through commercial or residential trash to find information that has been discarded

Identity theft: assumption of another person's identity, usually to gain access to their financial information or to frame them for a crime

Compromises to Intellectual Property (IP):

- Trade secret: an intellectual work, such as a business plan, that is a company secret and not based on public information
- Patent: a document that grants the holder exclusive rights on an invention or process for 20 years
- Copyright: a statutory grant that provides the creator of IP with ownership of the property for the life of the creator plus 70 years
- Piracy: the illegal copying of software

Fourth, What Organizations Are Doing to Protect Information Resources

Risk: the probability that a threat will impact an information resource

Risk management: the process of identifying, controlling and minimizing the impact of threats.

Risk analysis: assessing the value of each asset being protected, estimating the probability that it might be compromised, and comparing the probable cost of its being compromised with the cost of protecting it.

Risk mitigation: the organization takes concrete actions against risk. It has two functions:

(1) implement controls to prevent identified threats from occurring

(2) develop a means of recovery should the threat become a reality

Three risk mitigation strategies:

Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur.

Risk limitation: limit the risk by implementing controls that minimize the impact of the threat.

Risk transference: transfer the risk by using other means to compensate for the loss, such as purchasing insurance and having off-site backups

Finally, Information Security Controls

Controls evaluation: is the control cost effective?
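The risk analysis and the "is the control cost effective?" question above can be worked through with numbers. The following is an added example, not part of the original notes: it prices one asset's expected yearly loss (asset value x exposure factor x annual rate of occurrence), then compares the yearly cost of the three mitigation strategies (acceptance, limitation, transference). All asset values, rates, control costs and premiums are constructed, hypothetical figures.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Asset:
    """An information resource being protected (sample figures are constructed)."""
    name: str
    value: float            # cost of losing the asset entirely
    exposure_factor: float  # fraction of that value lost in one incident (0.0 to 1.0)
    annual_rate: float      # expected number of incidents per year (ARO)


def single_loss_expectancy(asset: Asset) -> float:
    """Cost of one incident (SLE): asset value x exposure factor."""
    return asset.value * asset.exposure_factor


def annual_loss_expectancy(asset: Asset, rate: Optional[float] = None) -> float:
    """Expected loss per year (ALE): SLE x annual rate of occurrence."""
    rate = asset.annual_rate if rate is None else rate
    return single_loss_expectancy(asset) * rate


def control_is_cost_effective(asset: Asset, control_cost: float,
                              residual_rate: float) -> bool:
    """A control pays for itself only if the expected loss it removes exceeds its cost."""
    saved = annual_loss_expectancy(asset) - annual_loss_expectancy(asset, residual_rate)
    return saved > control_cost


def choose_strategy(asset: Asset, control_cost: float, residual_rate: float,
                    insurance_premium: float) -> Tuple[str, Dict[str, float]]:
    """Price each mitigation strategy per year and return the cheapest one.

    accept:   no controls, absorb the full expected loss
    limit:    pay for the control, absorb the reduced expected loss
    transfer: pay an insurance premium instead of absorbing the loss
    """
    costs = {
        "accept": annual_loss_expectancy(asset),
        "limit": control_cost + annual_loss_expectancy(asset, residual_rate),
        "transfer": insurance_premium,
    }
    return min(costs, key=costs.get), costs


# Constructed sample assets (hypothetical figures, not from any real organization)
CUSTOMER_DB = Asset("customer database", value=200_000, exposure_factor=0.5, annual_rate=0.5)
OLD_PRINTER = Asset("old shared printer", value=2_000, exposure_factor=0.5, annual_rate=0.5)

if __name__ == "__main__":
    print(choose_strategy(CUSTOMER_DB, control_cost=15_000, residual_rate=0.05, insurance_premium=35_000))
    print(choose_strategy(OLD_PRINTER, control_cost=3_000, residual_rate=0.05, insurance_premium=1_500))
```

For the customer database the control removes far more expected loss than it costs, so risk limitation wins; for the cheap printer the same kind of control costs more than the asset's whole expected loss, so risk acceptance is the rational choice.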

Physical controls: physical protection of computer facilities and resources (guards, doors, alarm systems)

Access controls: restriction of unauthorized user access to computer resources

Communications (network) controls: protect the movement of data across networks and include border security controls, authentication and authorization.

Application controls: protect specific applications

Access Controls

Authentication: determines/confirms the identity of the person requiring access

Something the user is: access controls that examine a user's physiological or behavioral characteristics (biometrics), for example:

- Voice verification
- Fingerprints
- Retina scan

Something the user has: these access controls include regular ID cards and smart cards

Something the user does: these access controls include voice and signature recognition

Something the user knows:

- Password: a private combination of characters that only the user should know (example: nam3-beeS)
- Passphrase: a series of characters that is longer than a password but can be memorized easily (example: omanFT2brazilworldcup)

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart): a challenge-response test used as an attempt to ensure that the response is generated by a person

Communication / Network Controls

Whitelisting: a process in which a company identifies the software that it will allow to run and does not try to recognize malware

Blacklisting: a process in which a company allows all software to run unless it is on the blacklist
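The practical difference between the two policies shows up when a program the company has never seen before tries to run. The following is an added example, not part of the original notes: it identifies programs by the SHA-256 hash of their bytes and applies a whitelist and a blacklist to the same three constructed sample programs (the program bytes and both lists are hypothetical).

```python
import hashlib


def fingerprint(program: bytes) -> str:
    """Identify a program by the SHA-256 hash of its bytes."""
    return hashlib.sha256(program).hexdigest()


# Constructed sample "programs": stand-ins for executable files on a company PC
PAYROLL_APP = b"approved payroll application v2.1"
KNOWN_MALWARE = b"credential-stealing trojan, sample already analysed"
NEW_VARIANT = b"credential-stealing trojan, rebuilt with one byte changed"  # never seen before

# Whitelist: fingerprints of the software the company has approved to run
WHITELIST = {fingerprint(PAYROLL_APP)}
# Blacklist: fingerprints of malware that has already been recognised
BLACKLIST = {fingerprint(KNOWN_MALWARE)}


def whitelist_allows(program: bytes) -> bool:
    """Whitelisting: run only approved software; makes no attempt to recognise malware."""
    return fingerprint(program) in WHITELIST


def blacklist_allows(program: bytes) -> bool:
    """Blacklisting: run everything except software that is explicitly blocked."""
    return fingerprint(program) not in BLACKLIST


def decisions(program: bytes) -> dict:
    """Decision of each policy for the same program: True means it is allowed to run."""
    return {"whitelist": whitelist_allows(program), "blacklist": blacklist_allows(program)}


if __name__ == "__main__":
    for name, prog in [("payroll app", PAYROLL_APP), ("known malware", KNOWN_MALWARE),
                       ("new variant", NEW_VARIANT)]:
        print(f"{name:14} {decisions(prog)}")
```

Both policies agree on the approved application and on the malware that is already known; the rebuilt variant, whose hash matches nothing, is refused by the whitelist but allowed by the blacklist, which is why blacklisting must be constantly updated while whitelisting only has to track what the company has approved.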

Intrusion detection systems: designed to detect all types of malicious network traffic and computer usage that cannot be detected by a firewall

Encryption: the process of converting an original message into a form that cannot be read by anyone except the intended receiver.

How Digital Certificates Work

Digital certificate: an electronic document attached to a file certifying that the file is from the organization it claims to be from and has not been modified from its original format

Certificate authorities: trusted intermediaries between two organizations that issue digital certificates

Virtual private networking (VPN): a private network that uses a public network (usually the Internet) to connect users

Secure Sockets Layer (SSL), now called Transport Layer Security (TLS): an encryption standard used for secure transactions such as credit card purchases and online banking.

Vulnerability management systems (also called security on demand): extend the security perimeter that exists for the organization's managed devices to unmanaged, remote devices.

Thursday, 22 May 2014

Network


Computer Network

First, Computer Network: a system that connects computers and other devices (e.g. printers, smart phones) via communications media so that data can be transmitted among them

In a computer network, connected computers:

- Work together
- Are interdependent
- Exchange data with each other

Bandwidth: the transmission capacity of a network. It is stated in bits per second (bps)

Broadband: network transmission capacities ranging from approximately 1 million bps (megabits per second) up to several terabits per second

Types of Computer Networks

Local Area Networks (LAN): connect two or more devices in a limited geographical region (usually within the same building) so that every device on the network can communicate with every other device. Trade-offs between:

- Speed
- Distance
- Cost

Wide Area Networks (WAN):

- Cover a large geographical area and have large capacity
- Provided by telecommunication companies
- WANs also contain routers

Router: a communication processor that routes messages from a LAN to the Internet, across several connected LANs

Enterprise Networks:

- A network, encompassing an organization, composed of multiple interconnected LANs and WANs
- Backbone network: a high-speed central network to which multiple smaller networks connect

Second, Network Fundamentals

Networks transmit information with two types of signals:

1. Analog signals: continuous waves that transmit information by altering the characteristics of the waves. They have two parameters: amplitude (the height of the wave) and frequency (how closely packed the waves are)

2. Digital signals: discrete pulses that are either ON or OFF, representing a series of bits (0s and 1s)

Modem (modulator-demodulator): converts digital signals to analog signals and vice versa

D → A = Modulation

A → D = Demodulation

Communication Media and Channels: pathways for communicating data from one location to another

1. Wireline media (cable):

- Twisted-pair wire
- Coaxial cable
- Fiber-optic cable

2. Wireless media (broadcast):

- Microwave
- Satellite
- Radio
- Infrared

Transmission Technologies

Digital Subscriber Line (DSL): a technology that provides high-speed transmission of digital data over existing copper telephone lines

- OmanTel ADSL offers bandwidth up to 40 Mbps

Asynchronous Transfer Mode (ATM):

- Can transmit up to 2.5 Gbps
- Requires fiber-optic cables
- More expensive than DSL

Network Protocol: a set of rules and procedures that govern transmission across a network

- Ethernet: a common LAN protocol
- Transmission Control Protocol / Internet Protocol (TCP/IP): the protocol of the Internet

Packet Switching: a technology that breaks blocks of text into small, fixed bundles of data and routes them in the most economical way through any available communication channel

Types of Network Processing

Distributed processing: divides processing work among two or more computers

Client-server computing: links two or more computers in an arrangement in which some machines, called servers, provide computing services to users' PCs, called clients.

Peer-to-peer (P2P) processing: a type of client-server distributed processing where each computer acts as both a client and a server

Microsoft SharePoint

Thirdly, The Internet and the World Wide Web

The Internet ("the Net"): grew out of an experimental project of the Advanced Research Projects Agency (ARPA) of the US DoD in 1969 (ARPAnet)

- Intranet
- Extranet

Internet Service Provider (ISP): a telecommunication company that offers Internet connections for a fee (www.thelist.com)

ISPs connect to one another through network access points (NAPs)

Addresses on the Internet

Internet Protocol (IP) address: an assigned address that distinguishes each computer on the Internet from all other computers (example: 135.62.128.91)

The Internet Corporation for Assigned Names and Numbers (ICANN): responsible for coordinating IP addresses throughout the world. ICANN accredits certain companies, called registrars, to register names (called domain names) that are equivalent to the IP address

Fourth, Network Applications

Discovery: the Internet allows users to browse and search data sources, in all topic areas, on the Web.

- Search engines: computer programs that search for specific information by keywords and report the results.
- Metasearch engine: searches several engines at once and integrates the findings of the various search engines to answer queries posted by users

Translation products include:

- Altavista
- Google
- Trados

Portal: a Web-based, personalized gateway to information and knowledge that provides relevant information from different IS systems and the Internet using advanced search and indexing techniques.

Four types of portals:

1. Commercial (public) portals: offer content for diverse communities and are the most popular portals on the Internet

2. Affinity portals: offer a single point of entry to an entire community of interest, such as a hobby group or political party

3. Corporate/enterprise portals: offer a personalized single point of access to information located within the organization

4. Industrywide portals: offer a single point of entry to information for an entire industry. An industrywide portal for the trucking industry, for example, offers information about:

- Professional drivers
- Owner/operators
- Trucking companies
- Trucking jobs
- Drivers' (virtual) round table

Communication

Electronic mail (e-mail): transmission of electronic messages over the Internet

- The largest-volume application running on the Internet
- 90% of companies conduct business transactions via e-mail

Web-based call centers (customer call centers): services that provide effective, personalized customer contact as an important part of Web-based customer support

Electronic chat room: a virtual meeting place where groups of regulars come to "gab" (e-chitchat)

Voice communication: Internet telephony / Voice over Internet Protocol (VoIP) digitizes your analog voice signals, sections them into packets, and sends them over the Internet.

Collaboration: refers to efforts of two or more entities (individuals, teams, groups, or organizations) who work together to accomplish certain tasks.

Work group: refers specifically to two or more individuals who act together to perform some task.

Virtual group (team): when group members are in different locations.

Crowdsourcing

- Synchronous collaboration
- Asynchronous collaboration
- Virtual collaboration: the use of digital technologies that enable organizations or individuals to collaboratively plan, design, develop, manage and research products, services and innovative applications.
- Workflow technologies: facilitate the movement of information as it flows through the sequence of steps that make up an organization's work procedures. Includes workflow management and workflow systems.
- Groupware: software products that support groups of people who share a common task or goal and who collaborate to accomplish it.
- E-learning: learning supported by the Web
- Easy Learning by OmanTel: http://easylearning.coursepark.com/educatetheworld/index.cfm/fa/catalog.elearning
- Distance learning: any learning situation in which teachers and students do not meet face to face

Benefits of e-learning:

- Students have the flexibility of learning from any place at any time at their own pace.
- Online materials deliver high-quality, current content.
- Training costs can be reduced.

Drawbacks of e-learning:

- Instructors may need training to be able to teach electronically
- Students must be computer literate
- There are issues with assessing students' work

Telecommuting / teleworking: allows workers to work anytime and anyplace

Benefits:

For employees:
- Reduced stress, improved family life
- Employment opportunities for single parents and persons with disabilities

For employers:
- Increased productivity
- Ability to retain skilled employees

Drawbacks:

For employees:
- Feelings of isolation
- No workplace visibility
- Potential for slower promotions

For employers:
- Difficulties in supervising work
- Potential information security problems
- Additional training costs