First, Introduction to Information Security
Security: the degree of protection against criminal activity, danger, damage and loss.
Information security: all the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification or destruction.
Key Information Security Terms
Threat: any danger to which a system may be exposed
Exposure: the harm, loss or damage that can result if a threat compromises that resource
Vulnerability: the possibility that the system will suffer harm from a threat
Threats to Information Security
Today’s interconnected, interdependent, wirelessly-networked business environment
Untrusted network: any network external to your organization
Smaller, faster, cheaper computers and storage devices (flash drives)
Decreasing skills necessary to be a computer hacker
Cybercrime: illegal activities conducted over computer networks, particularly the Internet
Second, Unintentional Threats to Information Systems
Human errors
- Carelessness with laptops and portable computing devices
- Opening questionable e-mails
- Careless Internet surfing
- Poor password selection
- Social engineering: an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential information such as passwords
- Tailgating: occurs when an unauthorized person slips in through a door before it closes
- Shoulder surfing: occurs when the attacker watches another person’s computer screen over that person’s shoulder
Thirdly, Deliberate Threats to Information Systems
Espionage or trespass: occurs when an unauthorized individual attempts to gain illegal access to organizational information
Information extortion: occurs when an attacker either threatens to steal or actually steals information from a company
Sabotage or vandalism: defacing an organization's website
Theft of equipment or information
Pod slurping: the perpetrator plugs a portable device into a USB port on a computer and downloads sensitive information
Dumpster diving: rummaging through commercial or residential trash to find information that has been discarded
Identity theft: assumption of another person’s identity, usually to gain access to their financial information or to frame them for a crime
Compromises to intellectual property (IP)
- Trade secret: an intellectual work, such as a business plan, that is a company secret and not based on public information
- Patent: a document that grants the holder exclusive rights on an invention or process for 20 years
- Copyright: a statutory grant that provides the creator of IP with ownership of the property for the life of the creator plus 70 years
- Piracy: the illegal copying of software
Fourth, What Organizations Are Doing to Protect Information Resources
Risk: the probability that a threat will impact an information resource
Risk management: to identify, control and minimize the impact of threats
Risk analysis: to assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable cost of it being compromised with the cost of protecting it
Risk mitigation: when the organization takes concrete actions against risk. It has two functions:
(1) implement controls to prevent identified threats from occurring
(2) develop a means of recovery should the threat become a reality
Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur
Risk limitation: limit the risk by implementing controls that minimize the impact of the threat
Risk transference: transfer the risk by using other means to compensate for the loss, such as purchasing insurance and having off-site backups
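A worked example of the risk analysis and treatment choice described in these notes, added here and not part of the original post. The asset, control and insurance figures are constructed; the rule implemented is the one the notes give (compare the probable cost of compromise with the cost of protecting against it) with the cheapest option chosen among accept, limit and transfer, and insurance is assumed to cover the loss in full.

```python
# Added example (not from the original notes): choosing a risk treatment by
# comparing the probable cost of compromise with the cost of protection.
# All names and figures below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Asset:
    name: str
    value: float        # loss if the asset is compromised
    probability: float  # estimated probability of compromise per year (0..1)


@dataclass
class Control:
    name: str
    annual_cost: float           # cost of implementing and running the control
    residual_probability: float  # probability of compromise once it is in place


def expected_loss(asset: Asset, probability: Optional[float] = None) -> float:
    """Probable cost of compromise: asset value times probability of compromise."""
    p = asset.probability if probability is None else probability
    return asset.value * p


def option_costs(asset, controls, insurance_premium=None) -> Dict[str, float]:
    """Yearly cost of each treatment the notes describe: accept (no controls,
    absorb the expected loss), limit (pay for a control, absorb the smaller
    residual loss) and transfer (pay a premium, assumed to cover the loss)."""
    costs = {"accept": expected_loss(asset)}
    for c in controls:
        costs["limit:" + c.name] = c.annual_cost + expected_loss(asset, c.residual_probability)
    if insurance_premium is not None:
        costs["transfer:insurance"] = insurance_premium
    return costs


def choose_treatment(asset, controls, insurance_premium=None) -> str:
    """The cheapest treatment; a control is cost effective only if it wins here."""
    costs = option_costs(asset, controls, insurance_premium)
    return min(costs, key=costs.get)


if __name__ == "__main__":
    db = Asset("customer database", value=500_000, probability=0.10)  # expected loss 50,000
    controls = [Control("encryption and access controls", 20_000, 0.02),
                Control("hardened replacement system", 60_000, 0.0)]
    print(option_costs(db, controls, insurance_premium=40_000))
    print(choose_treatment(db, controls, insurance_premium=40_000))
```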
Finally, Information Security Controls
Controls evaluation: is the control cost effective?
Physical controls: physical protection of computer facilities and resources (guards, doors, alarm systems)
Access controls: restriction of unauthorized user access to computer resources
Communications (network) controls: protect the movement of data across networks and include border security controls, authentication and authorization
Application controls: protect specific applications
Access Controls
Authentication: determines or confirms the identity of the person requiring access
Something the user is: access controls that examine a user's physiological or behavioral characteristics (biometrics)
- Voice verification
- Fingerprints
- Retina scan
Something the user has: these access controls include regular ID cards and smart cards
Something the user does: these access controls include voice and signature recognition
Something the user knows
Password: a private combination of characters that only the user should know (example: nam3-beeS)
Passphrase: a series of characters that is longer than a password but can be memorized easily (example: omanFT2brazilworldcup)
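An added example, not from the original notes, that puts a number on the password and passphrase examples above: it estimates the brute-force search space from length and the character classes used. The estimate is an upper bound only; it does not model dictionary attacks, so a passphrase built from common words is weaker than this figure suggests.

```python
# Added example (not from the original notes): estimating the brute-force
# search space of the password and passphrase examples given in the notes.
# Only length and character classes are counted; dictionary attacks are not
# modelled, so treat the result as an upper bound on guessing effort.
import math
import string

# character classes an attacker has to include in a brute-force alphabet
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def alphabet_size(secret: str) -> int:
    """Size of the smallest class-based alphabet containing every character."""
    size = 0
    for chars in CLASSES.values():
        if any(ch in chars for ch in secret):
            size += len(chars)
    return size


def strength_bits(secret: str) -> float:
    """log2 of the number of candidates of the same length over that alphabet."""
    size = alphabet_size(secret)
    return len(secret) * math.log2(size) if size else 0.0


def compare(password: str, passphrase: str) -> dict:
    """Rounded bit estimates for both secrets, to show why length wins."""
    return {
        "password_bits": round(strength_bits(password)),
        "passphrase_bits": round(strength_bits(passphrase)),
    }


if __name__ == "__main__":
    # the two examples from the notes: 9 chars over 94 symbols vs 21 chars over 62
    print(compare("nam3-beeS", "omanFT2brazilworldcup"))
```

The longer passphrase uses fewer character classes yet more than doubles the estimated bits, which is the point the notes make about passphrases being both longer and memorable.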
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart): a challenge-response test used as an attempt to ensure that the response is generated by a person
Communication / Network Controls
Whitelisting: a process in which a company identifies the software that it will allow to run and does not try to recognize malware
Blacklisting: a process in which a company allows all software to run unless it is on the blacklist
Intrusion detection systems: designed to detect all types of malicious network traffic and computer usage that cannot be detected by a firewall
Encryption: the process of converting an original message into a form that cannot be read by anyone except the intended receiver
How Digital Certificates Work
Digital certificate: an electronic document attached to a file certifying that the file is from the organization that it claims to be from and has not been modified from its original format
Certificate authorities: trusted intermediaries between two organizations that issue digital certificates
Virtual private network (VPN): a private network that uses a public network (usually the Internet) to connect users
Secure Sockets Layer (SSL), now called Transport Layer Security (TLS): an encryption standard used for secure transactions such as credit card purchases and online banking
Vulnerability management systems (also called security on demand): extend the security perimeter that exists for the organization’s managed devices to unmanaged, remote devices