Sunday, May 4, 2014

CHAPTER 4

Information Security 



CHAPTER OUTLINE
4.1  Introduction to Information Security
4.2  Unintentional Threats to Information Security
4.3  Deliberate Threats to Information Security
4.4  What Organizations Are Doing to Protect Information Resources
4.5  Information Security Controls
4.1 Introduction to Information Security
Key Information Security Terms
• Information security refers to all of the processes and policies designed to protect an organization’s
• A threat to an information resource is any danger to which a system may be exposed.
• The exposure of an information resource is the harm, loss, or damage that can result if a threat
• A system’s vulnerability is the possibility that the system will suffer harm from a threat.
• An untrusted network, in general, is any network external to your organization.
Five Factors Increasing the Vulnerability of Information Resources
• Today’s interconnected, interdependent, wirelessly networked business environment
• Smaller, faster, cheaper computers and storage devices
• Decreasing skills necessary to be a hacker
• Organized crime taking over cybercrime
• Lack of management support


See video: What you need to know about... Information Security



4.2 Unintentional Threats to Information Systems
Security Threats
Human Errors
The most dangerous employees are those in human resources and MIS. HR employees have access to sensitive personal data on all employees. MIS employees not only have access to sensitive personal data, but also control the means to create, store, transmit, and modify these data.


Social Engineering
• Shoulder surfing occurs when the attacker watches another person’s computer screen over that person’s shoulder. It is particularly dangerous in public areas such as airports, on commuter trains, and on airplanes.
• Social engineering is an attack in which the attacker uses social skills to trick a legitimate employee into providing confidential company information, such as passwords.
4.3  Deliberate Threats to Information Systems
There are many types of deliberate attacks including:
• Espionage or Trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property
• Software attacks
• Alien software
• Supervisory control and data acquisition (SCADA) attacks
Deliberate Threats

A supervisory control and data acquisition (SCADA) system is a large-scale, distributed measurement and control system.
SCADA systems are the link between the electronic world and the physical world.
Example of SCADA attack




Risk Management:
• Risk management. To identify, control, and minimize the impact of threats.
• Risk analysis. To assess the value of each asset being protected, estimate the probability that it might be compromised, and compare the probable costs of its being compromised with the cost of protecting it.
• Risk mitigation. The organization takes concrete actions against risk.
Risk Mitigation Strategies:
• Risk acceptance. Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
• Risk limitation. Limit the risk by implementing controls that minimize the impact of the threat.
• Risk transference. Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
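The risk-analysis steps above (value each asset, estimate its probability of compromise, compare the probable loss with the cost of protection) can be carried through in code and used to pick among the three mitigation strategies. This is an added example, not material from the chapter; the assets, probabilities, control costs, insurance premiums and deductibles are all constructed figures.

```python
"""Risk analysis and comparison of risk-mitigation strategies (added example).

Every asset value, probability, control cost and insurance figure here is a
constructed illustration, not data from the textbook.
"""
from dataclasses import dataclass, replace
from typing import Dict, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float               # loss if the asset is compromised
    annual_probability: float  # estimated probability of compromise per year


def expected_annual_loss(asset: Asset) -> float:
    """Risk analysis: asset value times its probability of compromise."""
    return asset.value * asset.annual_probability


def cost_of_acceptance(asset: Asset) -> float:
    """Risk acceptance: no controls, so the organization absorbs the expected loss."""
    return expected_annual_loss(asset)


def cost_of_limitation(asset: Asset, control_cost: float, reduction: float) -> float:
    """Risk limitation: pay for a control that cuts the probability of compromise
    by `reduction` (0.0 = no effect, 1.0 = eliminates it) and absorb the residual."""
    residual = replace(asset, annual_probability=asset.annual_probability * (1 - reduction))
    return control_cost + expected_annual_loss(residual)


def cost_of_transference(asset: Asset, premium: float, deductible: float) -> float:
    """Risk transference: pay an insurance premium; only the deductible is still
    carried by the organization when the threat materializes."""
    retained = min(deductible, asset.value)
    return premium + retained * asset.annual_probability


def choose_strategy(asset: Asset, control_cost: float, reduction: float,
                    premium: float, deductible: float) -> Tuple[str, Dict[str, float]]:
    """Compare the probable cost of each strategy and return the cheapest one."""
    costs = {
        "accept": cost_of_acceptance(asset),
        "limit": cost_of_limitation(asset, control_cost, reduction),
        "transfer": cost_of_transference(asset, premium, deductible),
    }
    return min(costs, key=costs.get), costs


# Constructed assets: a valuable database and a low-value kiosk PC.
CUSTOMER_DB = Asset("customer database", value=500_000, annual_probability=0.05)
KIOSK_PC = Asset("lobby kiosk", value=2_000, annual_probability=0.10)

if __name__ == "__main__":
    for asset, args in ((CUSTOMER_DB, (10_000, 0.8, 12_000, 50_000)),
                        (KIOSK_PC, (1_000, 0.9, 300, 500))):
        best, costs = choose_strategy(asset, *args)
        print(f"{asset.name}: {costs} -> {best}")
```

The same control that is clearly worth buying for the database is not worth buying for the kiosk: for a low-value asset, risk acceptance is the cheapest strategy, which is exactly the comparison risk analysis is meant to make explicit.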
Where Defense Mechanisms (Controls) Are Located

Communications Controls:
Firewalls. A system that enforces an access-control policy between two networks.
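A firewall's access-control policy is usually an ordered list of rules evaluated first-match-wins, with an implicit deny for anything no rule permits. The following added example (not from the chapter) models that between a constructed internal network, 10.0.0.0/8, and the untrusted network outside it; all addresses, ports and rules are constructed.

```python
"""Minimal packet-filter policy between two networks (added example).

The internal network, the public server address and the sample packets are
constructed; the policy is first-match-wins with a default deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # constructed: the organization's network
ANY = ipaddress.ip_network("0.0.0.0/0")            # everything, including the untrusted network
PUBLIC_WEB = ipaddress.ip_network("10.1.2.3/32")   # constructed: the organization's public web server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                           # "tcp", "udp" or "any"
    dport: Optional[int]                 # destination port, None = any port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


# Order matters: the deny rule for a blocked destination range comes before the
# broad allow, otherwise the allow would match first.
POLICY: List[Rule] = [
    Rule("deny", INTERNAL, ipaddress.ip_network("198.51.100.0/24"), "any", None),
    Rule("allow", INTERNAL, ANY, "tcp", 443),        # inside -> anywhere over HTTPS
    Rule("allow", INTERNAL, ANY, "udp", 53),         # inside -> DNS
    Rule("allow", ANY, PUBLIC_WEB, "tcp", 443),      # outside -> the public web server only
]


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching rule); None means the default deny applied."""
    for index, rule in enumerate(policy):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


if __name__ == "__main__":
    for pkt in (Packet("10.0.0.5", "203.0.113.10", "tcp", 443),
                Packet("203.0.113.10", "10.0.0.5", "tcp", 22)):
        print(pkt, "->", evaluate(POLICY, pkt))
```

Note that inbound traffic from the untrusted network reaches only the one address and port the policy names; a connection attempt to an internal workstation matches no rule and is dropped by the default.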


Anti-malware systems (also called antivirus software) are software packages that attempt to identify and eliminate viruses, worms, and other malicious software.


Whitelisting is a process in which a company identifies the software that it will allow to run and does not try to recognize malware.
Blacklisting is a process in which a company allows all software to run unless it is on the blacklist.
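The practical difference between the two approaches shows up with software nobody has classified yet. The added example below (not from the chapter) identifies programs by the SHA-256 hash of their contents and applies both policies to three constructed sample "executables": an approved application, a known malicious sample, and an unknown tool.

```python
"""Whitelisting versus blacklisting by file hash (added example).

The three "programs" are constructed byte strings standing in for files.
"""
import hashlib
from typing import Dict, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples (not real software).
APPROVED_APP = b"constructed: approved accounting application v1"
KNOWN_MALWARE = b"constructed: sample previously classified as malicious"
UNKNOWN_TOOL = b"constructed: new tool nobody has reviewed yet"

WHITELIST: Set[str] = {sha256_hex(APPROVED_APP)}   # what the company allows to run
BLACKLIST: Set[str] = {sha256_hex(KNOWN_MALWARE)}  # what the company knows to be bad


def whitelist_decision(program: bytes, allowed: Set[str] = WHITELIST) -> str:
    """Whitelisting: run only what is on the list; no attempt to recognize malware."""
    return "run" if sha256_hex(program) in allowed else "block"


def blacklist_decision(program: bytes, denied: Set[str] = BLACKLIST) -> str:
    """Blacklisting: run everything unless it is on the list."""
    return "block" if sha256_hex(program) in denied else "run"


def compare(programs: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Return (whitelist decision, blacklist decision) for each program."""
    return {name: (whitelist_decision(p), blacklist_decision(p))
            for name, p in programs.items()}


if __name__ == "__main__":
    for name, decisions in compare({"approved": APPROVED_APP,
                                    "malware": KNOWN_MALWARE,
                                    "unknown": UNKNOWN_TOOL}).items():
        print(f"{name:9} whitelist={decisions[0]:5} blacklist={decisions[1]}")
```

The unknown tool is the case that separates the two: the blacklist lets it run because it has never been classified, while the whitelist blocks it for exactly the same reason. The price of whitelisting is that every legitimate new program must be approved before it will run.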
Encryption. The process of converting an original message into a form that cannot be read by anyone except the intended receiver.


How Public Key Encryption Works


See video: What is HTTPS?



How Digital Certificates Work:
A digital certificate is an electronic document attached to a file certifying that the file is from the organization that it claims to be from and has not been modified from its original format.
Certificate authorities, which are trusted intermediaries between two organizations, issue digital certificates.
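The following added example ties together the two passages above, public-key encryption and digital certificates issued by a certificate authority. It is not from the chapter or from any real library: it uses textbook RSA with small fixed primes so that every step is visible, and its certificate is a plain JSON body rather than the X.509 format real systems use. The primes, party names and message are constructed, and the key sizes are far too small to be secure; the point is the flow, in which the client checks the CA's signature on the certificate and only then encrypts to the public key the certificate carries, which is also the shape of an HTTPS connection setup.

```python
"""Toy public-key encryption and digital certificates (added example).

Textbook RSA with constructed small primes; illustrates the mechanism only.
Real systems use much larger keys, padding, hybrid encryption and X.509.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """RSA key generation from two primes; the private exponent inverts e mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(message: bytes, public: PublicKey) -> List[int]:
    """Anyone holding the public key can encrypt; here one byte per block (toy only)."""
    n, e = public
    return [pow(b, e, n) for b in message]


def decrypt(blocks: List[int], private: PrivateKey) -> bytes:
    """Only the holder of the matching private key can recover the message."""
    n, d = private
    return bytes(pow(c, d, n) for c in blocks)


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the data reduced into the key's modulus (toy signature scheme)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private: PrivateKey) -> int:
    n, d = private
    return pow(digest(data, n), d, n)


def verify(data: bytes, signature: int, public: PublicKey) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(data, n)


def issue_certificate(subject: str, subject_public: PublicKey,
                      issuer: str, ca_private: PrivateKey) -> Dict:
    """The CA binds the subject's name to its public key by signing the body."""
    body = {"subject": subject, "issuer": issuer, "public_key": list(subject_public)}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": sign(encoded, ca_private)}


def check_certificate(cert: Dict, ca_public: PublicKey) -> bool:
    """Recompute the body's hash and check the CA's signature; any edit fails this."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(encoded, cert["signature"], ca_public)


def client_session(cert: Dict, ca_public: PublicKey, message: bytes) -> Optional[List[int]]:
    """Client side: refuse unless the certificate checks out, then encrypt to its key."""
    if not check_certificate(cert, ca_public):
        return None
    n, e = cert["body"]["public_key"]
    return encrypt(message, (n, e))


def tampered(cert: Dict, new_subject: str) -> Dict:
    """A copy of the certificate with its subject changed but the old signature kept."""
    copy = {"body": dict(cert["body"]), "signature": cert["signature"]}
    copy["body"]["subject"] = new_subject
    return copy


# Constructed parties: a CA trusted by the client, and a server it will talk to.
CA_PUBLIC, CA_PRIVATE = make_keypair(10007, 10009)
SERVER_PUBLIC, SERVER_PRIVATE = make_keypair(10037, 10039)
SERVER_CERT = issue_certificate("shop.example", SERVER_PUBLIC, "Example CA", CA_PRIVATE)

if __name__ == "__main__":
    blocks = client_session(SERVER_CERT, CA_PUBLIC, b"order 1234, total 99.00")
    print("server reads:", decrypt(blocks, SERVER_PRIVATE))
    print("tampered cert accepted:", client_session(tampered(SERVER_CERT, "other.example"), CA_PUBLIC, b"x") is not None)
```

Two things worth noticing: the client never needs a secret of its own, because the server's public key (from the certificate) is enough to encrypt, and the certificate is trustworthy only because the client already trusts the CA whose public key it uses to check the signature.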


IS Auditing Procedures:
• Auditing around the computer
• Auditing through the computer
• Auditing with the computer
