
Slide 1: CHAPTER 13 Information Security and Controls

Slide 2: Chapter 13: INFORMATION SECURITY AND CONTROLS
13.1 Introduction to Information Security
13.2 Unintentional Threats to Information Security
13.3 Deliberate Threats to Information Security
13.4 What Organizations Are Doing to Protect Information Resources
13.5 Information Security Controls
Copyright John Wiley & Sons Canada

Slide 3: LEARNING OBJECTIVES
1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one.
2. Compare and contrast human mistakes and social engineering, and provide a specific example of each one.
3. Discuss the ten types of deliberate software attacks.

Slide 4: LEARNING OBJECTIVES (CONTINUED)
4. Define the three risk mitigation strategies and provide an example of each one in the context of owning a home.
5. Identify the three major types of controls that organizations can use to protect their information resources and provide an example of each one.

Slide 5: OPENING CASE: CYBER-CRIMINALS USE [SOCIAL] NETWORKS FOR TARGETED ATTACKS
THE PROBLEM
– Each infected personal computer in a corporate network represents a potential point of access to valuable intellectual property, such as customer information, patents, and strategic documents. Cybercriminals aggressively take advantage of an unanticipated gap in corporate defences: the use of social networks in corporate settings. Attackers increasingly are using the personal information provided by individuals who communicate on social networks such as Facebook and Twitter.
Image source: Karen Rouch/Shutterstock

Slide 6: OPENING CASE (CONTINUED)
An Attempted Solution
– Facebook, the dominant social network and therefore the biggest target, is partnering with Microsoft and security firm McAfee to help filter malicious programs. A Facebook spokesperson claimed that this process should keep compromised accounts to a minimum. He added that Facebook is “constantly working to improve complex systems that quickly detect and block suspicious activity, delete malicious links, and help people restore access to their accounts.”

Slide 7: OPENING CASE (CONTINUED)
The Results
– Unfortunately, attackers continue to exploit vulnerabilities in social networking Web sites. Many owners of infected zombie computers do not know that their computers are compromised. The best solution to this problem is for all users of social networks to be extremely careful of what information they post on their pages. Further, all computer users should be very careful when clicking on any link in an e-mail, and if they do decide to click on a link, its source should be one that they can trust.

Slide 8: OPENING CASE (CONTINUED)
Discussion
– Do social networking sites show due diligence in protecting sensitive, classified information?
– Are security breaches of social networking sites caused by members’ carelessness, by the sites’ poor security, or by some combination of these factors?
– How should social networks protect their members more effectively?
– Does better protection on social networking sites involve technology, policy, or both?
– Is it possible to secure the Internet?

Slide 9: IT’S ABOUT (SMALL) BUSINESS 13.1 THOMAS TAX SERVICE
Thomas Tax Service relied completely on the QuickBooks program to maintain all of his customers’ financial information. One morning the computer’s motherboard failed and there was no backup. After this incident, a backup plan was put in place. Each of his three employees received a USB drive to back up their QuickBooks files; the drives are stored in a fireproof safe. When the employees back up each Friday, QuickBooks erases the oldest backup and creates a new one. Therefore, two safe backups can still be accessed if there is a problem while the new backup is being created.

Slide 10: 13.1 INTRODUCTION TO INFORMATION SECURITY
Information security refers to all of the processes and policies designed to protect an organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.

Slide 11: INFORMATION SECURITY
Five key factors that affect the vulnerability and security of organizational information resources:
– Today’s interconnected, interdependent, wirelessly networked business environment;
– Smaller, faster, cheaper computers and storage devices;
– Decreasing skills necessary to be a computer hacker;
– International organized crime taking over cybercrime;
– Lack of management support.

Slide 12: 13.2 UNINTENTIONAL THREATS TO INFORMATION SYSTEMS
Information systems are vulnerable to many potential hazards and threats. There are two major categories of threats:
– unintentional threats
– deliberate threats

Slide 13: FIGURE 13.1 SECURITY THREATS (figure)

Slide 14: HUMAN ERRORS
There are two important points to be made about employees. The higher the level of employee, the greater the threat he or she poses to information security. Employees in two areas of the organization pose especially significant threats to information security: human resources and information systems (IS).

Slide 15: HUMAN ERRORS (CONTINUED)
Human mistakes manifest themselves in many different ways:
– Carelessness with computing devices
– Opening questionable e-mails
– Careless Internet surfing
– Poor password selection and use
– Carelessness with one’s office
– Carelessness using unmanaged devices
– Carelessness with discarded equipment
– Careless monitoring of environmental hazards

Slide 16: Social Engineering Techniques:
– Tailgating
– Shoulder surfing
– Impersonation

Slide 17: 13.3 DELIBERATE THREATS TO INFORMATION SYSTEMS
– Espionage or trespass
– Information extortion
– Sabotage or vandalism
– Theft of equipment or information
– Identity theft
– Compromises to intellectual property
– Software attacks
– Alien software
– Supervisory control and data acquisition (SCADA) attacks
– Cyberterrorism and cyberwarfare

Slide 18: ESPIONAGE OR TRESPASS
Competitive intelligence: legal information-gathering techniques.
– Example: studying a company’s Web site
Industrial espionage crosses the legal boundary.
– Example: theft of confidential data

Slide 19: THEFT OF EQUIPMENT OR INFORMATION
Small, powerful devices with increased storage, such as laptops, BlackBerry® units, personal digital assistants, smart phones, digital cameras, thumb drives, and iPods, are becoming easier to steal and easier for attackers to use to steal information.
– Example: dumpster diving involves the practice of rummaging through commercial or residential trash to find information that has been discarded.

Slide 20: IDENTITY THEFT
Identity Theft Techniques:
– stealing mail or dumpster diving;
– stealing personal information in computer databases;
– infiltrating organizations that store large amounts of personal information (e.g., data aggregators such as Acxiom);
– impersonating a trusted organization in an electronic communication (phishing).

Slide 21: COMPROMISES TO INTELLECTUAL PROPERTY
Trade secret: intellectual work that is a company secret and is not based on public information.
Patent: grants the holder exclusive rights on an invention or process for 20 years.
Copyright: provides creators of intellectual property with ownership of the property for the life of the creator plus 70 years.
Piracy: copying a software program without making payment to the owner.

Slide 22: SOFTWARE ATTACKS
Remote attacks requiring user action: virus, worm, phishing attack, spear phishing attack
Remote attacks needing no user action: denial-of-service attack, distributed denial-of-service attack
Attacks by a programmer developing a system: Trojan horse, back door, logic bomb

Slide 23: IT’S ABOUT BUSINESS 13.2 Virus Attack Hits the University of Exeter
In January 2010, the University of Exeter, in England, became the target of a massive virus attack. The virus attack, which exploited computers running Microsoft Windows® Vista Service Pack 2, caused the university to temporarily take its entire network offline. The interactive teaching boards in all classrooms became inoperable, so professors could not use PowerPoint presentations or access the Internet in class. Perhaps the most serious problem was that they lost access to the university’s Virtual Learning Environment (VLE). It took three days to clean infected computers and bring the network back into operation. As of May 2011, no one had identified the perpetrators or determined how they managed to infect the university network.

Slide 24: ALIEN SOFTWARE
Adware: software that causes pop-up advertisements to appear on your screen.
Spyware: collects personal information about users without their consent.
– Keystroke loggers (keyloggers)
– Screen scrapers (screen grabbers)
Spamware: unsolicited e-mail, usually advertising for products and services.
Cookies: small amounts of information that Web sites store on your computer, temporarily or more or less permanently.

Slide 25: EXAMPLE OF CAPTCHA
Companies have attempted to counter keyloggers by switching to other forms of identifying users. For example, at some point all of us have been forced to look at wavy, distorted letters and type them correctly into a box. That string of letters is called a CAPTCHA, and it is a test. The point of CAPTCHA is that computers cannot (yet) accurately read those distorted letters.

Slide 26: SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) ATTACKS
SCADA systems are used to monitor or to control chemical, physical, and transport processes used in:
– oil refineries
– water and sewage treatment plants
– electrical generators
– nuclear power plants

Slide 27: IT’S ABOUT BUSINESS 13.3 The Stuxnet Worm
– Stuxnet, discovered in July 2010, is a worm that targets SCADA systems. In particular, Stuxnet targets Siemens SCADA systems that are configured to control and monitor specific industrial processes. The worm fakes the sensor signals that control industrial processes so that an infected system does not shut down when it behaves abnormally. Stuxnet heralds a frightening new era in cyberwarfare. Experts studying Stuxnet have concluded that the worm is so complex that only a nation state would have the capabilities to produce it.

Slide 28: 13.4 WHAT ORGANIZATIONS ARE DOING TO PROTECT THEMSELVES
Companies are developing software and services that deliver early warnings of trouble on the Internet. Early-warning systems are proactive, scanning the Web for new viruses and alerting companies to the danger.

Slide 29: DIFFICULTIES IN PROTECTING INFORMATION RESOURCES
– Hundreds of threats
– Many locations of computing resources
– Access to information assets
– Difficult to protect remote networks
– Rapid technological changes
– Crimes go undetected for long periods of time
– Violation of security procedures
– Minimal knowledge needed to commit crimes
– High costs of prevention
– Difficult to conduct a cost-benefit justification

Slide 30: RISK MANAGEMENT
Risk management consists of three processes:
– risk analysis
– risk mitigation
– controls evaluation

Slide 31: RISK ANALYSIS
Risk analysis involves three steps:
1. assessing the value of each asset being protected
2. estimating the probability that each asset will be compromised
3. comparing the probable costs of the asset’s being compromised with the costs of protecting that asset

Slide 32: RISK MITIGATION
The three most common risk mitigation strategies:
– Risk acceptance: Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
– Risk limitation: Limit the risk by implementing controls that minimize the impact of the threat.
– Risk transference: Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance.

Slide 33: CONTROLS EVALUATION
The organization identifies security deficiencies and calculates the cost of implementing controls. If the costs of implementing a control are greater than the value of the asset being protected, the control is not cost effective.
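The three slides above (risk analysis, risk mitigation, controls evaluation) describe one decision procedure. The following Python model, added here as an example and not part of the textbook or slides, carries it through for three constructed assets: step 1 and 2 of the analysis give an expected annual loss, the controls-evaluation rule discards any control that costs more than the asset it protects, and the cheapest of the three mitigation strategies is then chosen. The asset values, probabilities, control effectiveness and premiums are invented for illustration.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One asset under risk analysis (constructed values, all annual figures)."""
    name: str
    value: float              # step 1: loss if the asset is compromised
    probability: float        # step 2: estimated annual probability of compromise
    control_cost: float       # annual cost of the candidate control (risk limitation)
    control_reduction: float  # fraction of the expected loss the control removes (assumed)
    premium: float            # annual insurance premium (risk transference)


def expected_loss(asset: Asset) -> float:
    """Step 3 input: probable annual cost of the asset being compromised."""
    return round(asset.value * asset.probability, 2)


def control_is_cost_effective(asset: Asset) -> bool:
    """Controls-evaluation rule: a control that costs more than the value of the
    asset it protects is not cost effective and is dropped from consideration."""
    return asset.control_cost <= asset.value


def strategy_costs(asset: Asset) -> dict:
    """Annual cost of each mitigation strategy that is still on the table."""
    loss = expected_loss(asset)
    costs = {
        "acceptance": loss,                       # no controls, absorb the damage
        "transference": round(asset.premium, 2),  # pay someone else to carry it
    }
    if control_is_cost_effective(asset):
        # risk limitation: pay for the control, still carry the residual loss
        residual = loss * (1 - asset.control_reduction)
        costs["limitation"] = round(asset.control_cost + residual, 2)
    return costs


def choose_strategy(asset: Asset):
    """Return (strategy, annual cost) for the cheapest admissible strategy."""
    costs = strategy_costs(asset)
    best = min(costs, key=costs.get)
    return best, costs[best]


# Constructed sample assets (not real figures).
CUSTOMER_DB = Asset("customer database", 500_000, 0.05, 10_000, 0.8, 20_000)
LAPTOP = Asset("sales laptop", 1_500, 0.20, 2_000, 0.9, 500)
WAREHOUSE = Asset("warehouse server", 200_000, 0.01, 50_000, 0.9, 1_500)

if __name__ == "__main__":
    for asset in (CUSTOMER_DB, LAPTOP, WAREHOUSE):
        strategy, cost = choose_strategy(asset)
        print(f"{asset.name}: expected loss {expected_loss(asset):.2f}, "
              f"options {strategy_costs(asset)} -> {strategy} at {cost:.2f}/year")
```

For the laptop the candidate control costs more than the device, so risk limitation is never offered and the cheapest remaining option is acceptance; for the warehouse server the control is admissible but insurance is far cheaper, so the risk is transferred.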

Slide 34: 13.5 CONTROLS
General controls apply to more than one functional area.
– Example: passwords
Application controls are specific to one application.
– Example: approval of payroll wage rates

Slide 35: FIGURE 13.2 WHERE DEFENSE MECHANISMS (CONTROLS) ARE LOCATED (figure)

Slide 36: CATEGORIES OF GENERAL CONTROLS
Physical: walls, doors, fencing, gates, locks, badges, guards, alarm systems, pressure sensors, and motion detectors.
Access controls: can be physical or logical.
Communication: firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks (VPNs), Secure Sockets Layer (SSL), and employee monitoring systems.

Slide 37: AUTHENTICATION
To authenticate (identify) authorized personnel, an organization can use one or more of the following types of methods:
– something the user is (biometrics)
– something the user has
– something the user does
– something the user knows
– Video: Canada Immigration’s use of biometrics

Slide 38: BASIC GUIDELINES FOR CREATING STRONG PASSWORDS
– Difficult to guess
– Long rather than short
– Uppercase letters, lowercase letters, numbers, and special characters
– Do not use recognizable words
– Do not use the name of anything or anyone familiar (family names or names of pets)
– Do not use a recognizable string of numbers (Social Insurance Number or a birthday)
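The guidelines on this slide can be turned into a mechanical check that a registration form or password-change handler runs before accepting a new password. The Python checker below is an added example, not code from the textbook; the 12-character minimum, the small list of common words and the rule that four or more consecutive digits count as a "recognizable string of numbers" are assumptions made here, since the slide gives no thresholds. A real deployment would swap the inline word list for a full dictionary or breached-password list.

```python
import re
import string

MIN_LENGTH = 12  # assumption: the slide says "long rather than short" without a number

# Constructed stand-in for a real dictionary or breached-password list.
COMMON_WORDS = {
    "password", "welcome", "summer", "winter", "qwerty",
    "letmein", "admin", "login", "hello", "monkey", "dragon",
}


def check_password(password: str, familiar_names=()) -> list:
    """Return the names of the slide's guidelines that the password violates.

    familiar_names: names the user supplied elsewhere (family, pets, employer)
    that must not appear in the password. An empty list means the password
    satisfies every checkable guideline.
    """
    failures = []
    lowered = password.lower()

    # "Long rather than short"
    if len(password) < MIN_LENGTH:
        failures.append("length")

    # "Uppercase letters, lowercase letters, numbers, and special characters"
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_upper and has_lower and has_digit and has_special):
        failures.append("classes")

    # "Do not use recognizable words" (substring match, so Summer2024 is caught)
    if any(word in lowered for word in COMMON_WORDS):
        failures.append("word")

    # "Do not use the name of anything or anyone familiar"
    if any(name and name.lower() in lowered for name in familiar_names):
        failures.append("familiar")

    # "Do not use a recognizable string of numbers": years, birthdays and
    # Social Insurance Numbers all show up as runs of four or more digits
    if re.search(r"\d{4,}", password):
        failures.append("digits")

    return failures


if __name__ == "__main__":
    # Constructed sample passwords; "Fluffy" plays the role of a pet name
    for candidate in ("xK9#vQ2m!Lp7", "Summer2024!", "fluffy"):
        print(f"{candidate!r}: {check_password(candidate, ['Fluffy', 'Smith']) or 'ok'}")
```

The function reports every violated guideline rather than stopping at the first, which is what a user-facing form needs to explain why a password was rejected; "Summer2024!" passes the character-class rule yet still fails on length, a dictionary word and a year.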

Slide 39: AUTHORIZATION
Authorization determines which actions, rights, or privileges the person has, based on his or her verified identity.
– Privilege
– Least privilege
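To show the difference between a privilege and least privilege in code, here is a small authorization check added as an example (not from the textbook). It uses a constructed role-to-privilege table modelled on the slide 34 payroll example: a clerk can submit wage rates but only a manager can approve them, any action that is not explicitly granted is denied and logged, and a review function lists granted privileges a user never exercised so they can be removed. The role names and privilege strings are invented.

```python
import logging

# Role -> set of privileges (constructed). Each role carries only what the job
# needs; nothing here lets a clerk approve the wage rates they submitted.
ROLE_PRIVILEGES = {
    "payroll_clerk": {"payroll:read", "payroll:submit"},
    "payroll_manager": {"payroll:read", "payroll:submit", "payroll:approve"},
    "helpdesk": {"user:reset_password"},
}


def granted_privileges(roles) -> set:
    """Union of the privileges attached to the user's roles.
    Unknown roles grant nothing, so a typo in a role name cannot widen access."""
    granted = set()
    for role in roles:
        granted |= ROLE_PRIVILEGES.get(role, set())
    return granted


def is_authorized(user: str, roles, action: str) -> bool:
    """Deny by default: an action is allowed only if some role grants it.
    Denials are logged so that repeated attempts show up in monitoring."""
    allowed = action in granted_privileges(roles)
    if not allowed:
        logging.warning("authorization denied: user=%s action=%s roles=%s",
                        user, action, sorted(roles))
    return allowed


def unused_privileges(roles, actions_performed) -> set:
    """Least-privilege review: privileges granted to these roles that the user
    never exercised during the review period are candidates for removal."""
    return granted_privileges(roles) - set(actions_performed)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed activity log for one manager over a review period
    activity = ["payroll:read", "payroll:approve", "payroll:read"]
    print(is_authorized("alice", ["payroll_clerk"], "payroll:submit"))   # True
    print(is_authorized("alice", ["payroll_clerk"], "payroll:approve"))  # False, logged
    print(unused_privileges(["payroll_manager"], activity))              # {'payroll:submit'}
```

The check itself is the "privilege" half of the slide; the review function is the "least privilege" half, since a privilege that is granted but never used is exposure without benefit and should be withdrawn.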

Slide 40: IT’S ABOUT BUSINESS 13.4 Information Security at City National Bank and Trust
– City National Bank and Trust’s rapid growth in branches and customer service offerings, coupled with the global increase in malicious software, placed the bank’s networks and its employees at much greater risk. The bank selected M86 Security for its strong content-filtering capabilities and its ability to dynamically set and modify security policies. It quickly applied policy-based standards throughout its network, which included configuring the system to block e-mail messages with attached batch, executable, and .zip files and preventing employees from downloading potentially dangerous files and accessing offensive Web sites. With this level of control, the IT group can apply basic security policies to all employees and feel secure that employees cannot accidentally download malware.

Slide 41: COMMUNICATIONS CONTROLS
– Firewalls
– Anti-malware systems
– Whitelisting and blacklisting
– Encryption
– Virtual private networks (VPNs)
– Secure Sockets Layer (SSL)
– Employee monitoring systems

Slide 42: FIGURE 13.3 FIREWALLS FOR HOME (A) AND ORGANIZATION (B) (figure)

Slide 43: FIGURE 13.4 HOW PUBLIC KEY ENCRYPTION WORKS (figure)

Slide 44: FIGURE 13.5 HOW DIGITAL CERTIFICATES WORK (figure)

Slide 45: FIGURE 13.6 VIRTUAL PRIVATE NETWORK AND TUNNELING (figure)
VPNs have several advantages:
– allow remote users to access the company network
– provide flexibility
– organizations can impose their security policies through VPNs

Slide 46: EMPLOYEE MONITORING SYSTEM
Employee monitoring systems examples:
– SpectorSoft
– Websense

Slide 47: BUSINESS CONTINUITY PLANNING, BACKUP, AND RECOVERY
In the event of a major disaster, organizations can employ several strategies for business continuity, including:
– hot sites
– warm sites
– cold sites
– off-site data storage

Slide 48: INFORMATION SYSTEMS AUDITING
Types and examples of auditors:
– External: public accounting firm
– Government: Canada Revenue Agency
– Internal: work for specific organizations
– Specialist: IS auditors

Slide 49: CHAPTER CLOSING
1. There are five factors that contribute to the increasing vulnerability of information resources, such as smaller, faster, cheaper computers and storage devices.
2. Human mistakes are unintentional errors. Social engineering is an attack where the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information.

Slide 50: CHAPTER CLOSING (CONTINUED)
3. There are ten types of deliberate attacks on information systems, such as espionage.
4. The three risk mitigation strategies are risk acceptance, risk limitation and risk transference.
5. Information systems are protected with a wide variety of controls, such as security procedures, physical guards, and detection software.

Slide 51: Copyright
Copyright © 2014 John Wiley & Sons Canada, Ltd. All rights reserved. Reproduction or translation of this work beyond that permitted by Access Copyright (the Canadian copyright licensing agency) is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons Canada, Ltd. The purchaser may make back-up copies for his or her own use only and not for distribution or resale. The author and the publisher assume no responsibility for errors, omissions, or damages caused by the use of these files or programs or from the use of the information contained herein.

