Presentation is loading. Please wait.

Presentation is loading. Please wait.

Principles of Information Security, 4 th Edition 2 Introduction  Primary mission of information security is to ensure systems and contents stay the same.

Published byAbel O’Neal’ Modified over 8 years ago

Similar presentations

Presentation on theme: "Principles of Information Security, 4 th Edition 2 Introduction  Primary mission of information security is to ensure systems and contents stay the same."— Presentation transcript:

1

2 Principles of Information Security, 4 th Edition 2 Introduction  Primary mission of information security is to ensure systems and contents stay the same  If no threats, could focus on improving systems, resulting in vast improvements in ease of use and usefulness  Attacks on information systems are a daily occurrence

3 Principles of Information Security, 4 th Edition Business Needs First  Information security performs four important functions for an organization  Protects ability to function  Enables safe operation of applications implemented on its IT systems  Protects data the organization collects and uses  Safeguards technology assets in use 3

4 Principles of Information Security, 4 th Edition Threats  Threat: an object, person, or other entity that represents a constant danger to an asset  Management must be informed of the different threats facing the organization  By examining each threat category, management effectively protects information through policy, education, training, and technology controls 4

5 5 Table 2-1 Threats to Information Security

6 Principles of Information Security, 4 th Edition 6 Compromises to Intellectual Property  Intellectual property (IP): “ownership of ideas and control over the tangible or virtual representation of those ideas”  The most common IP breaches involve software piracy  Two watchdog organizations investigate software abuse:  Software & Information Industry Association (SIIA)  Business Software Alliance (BSA) ‏  Enforcement of copyright law has been attempted with technical security mechanisms

7 Principles of Information Security, 4 th Edition 7 Deliberate Software Attacks  Malicious software (malware) designed to damage, destroy, or deny service to target systems  Includes viruses, worms, Trojan horses, logic bombs, back doors, polymorphic threats, virus and worm hoaxes

8 Principles of Information Security, 4 th Edition 8

9 9 Deviations in Quality of Service  Includes situations where products or services are not delivered as expected  Information system depends on many interdependent support systems  Internet service, communications, and power irregularities dramatically affect availability of information and systems

10 Principles of Information Security, 4 th Edition 10 Espionage or Trespass  Access of protected information by unauthorized individuals  Competitive intelligence (legal) vs. industrial espionage (illegal) ‏  Shoulder surfing can occur anywhere a person accesses confidential information  Controls let trespassers know they are encroaching on organization’s cyberspace  Hackers use skill, guile, or fraud to bypass controls protecting others’ information

11 Principles of Information Security, 4 th Edition 11 Deliberate Acts of Trespass (continued) ‏  Expert hacker  Unskilled hacker  Cracker  Phreaker

12 Principles of Information Security, 4 th Edition 12 Forces of Nature  Forces of nature are among the most dangerous threats  Disrupt not only individual lives, but also storage, transmission, and use of information  Organizations must implement controls to limit damage and prepare contingency plans for continued operations

13 Principles of Information Security, 4 th Edition 13 Acts of Human Error or Failure  Includes acts performed without malicious intent  Causes include:  Inexperience  Improper training  Incorrect assumptions  Employees are among the greatest threats to an organization’s data

14 Principles of Information Security, 4 th Edition 14 Figure 2-1 – Acts of Human Error or Failure

15 Principles of Information Security, 4 th Edition 15 Deliberate Acts of Information Extortion  Attacker steals information from computer system and demands compensation for its return or nondisclosure  Commonly done in credit card number theft

16 Principles of Information Security, 4 th Edition Missing, Inadequate, or Incomplete  In policy or planning, can make organizations vulnerable to loss, damage, or disclosure of information assets  With controls, can make an organization more likely to suffer losses when other threats lead to attacks 16

17 Principles of Information Security, 4 th Edition 17 Deliberate Acts of Sabotage or Vandalism  Attacks on the face of an organization—its Web site  Threats can range from petty vandalism to organized sabotage  Web site defacing can erode consumer confidence, dropping sales and organization’s net worth  Threat of hacktivist or cyberactivist operations rising  Cyberterrorism: much more sinister form of hacking

18 Principles of Information Security, 4 th Edition 18 Figure 2-5 - Cyber Activists Wanted

19 Principles of Information Security, 4 th Edition 19 Deliberate Acts of Theft  Illegal taking of another’s physical, electronic, or intellectual property  Physical theft is controlled relatively easily  Electronic theft is more complex problem; evidence of crime not readily apparent

20 Principles of Information Security, 4 th Edition 20 Technical Hardware Failures or Errors  Occur when manufacturer distributes equipment containing flaws to users  Can cause system to perform outside of expected parameters, resulting in unreliable or poor service  Some errors are terminal; some are intermittent

21 Principles of Information Security, 4 th Edition 21 Technical Software Failures or Errors  Purchased software that contains unrevealed faults  Combinations of certain software and hardware can reveal new software bugs  Entire Web sites dedicated to documenting bugs

22 Principles of Information Security, 4 th Edition 22 Technological Obsolescence  Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems  Proper managerial planning should prevent technology obsolescence; IT plays large role

23 Principles of Information Security, 4 th Edition 23 Attacks  Act or action that exploits vulnerability (i.e., an identified weakness) in controlled system  Accomplished by threat agent that damages or steals organization’s information

24 Principles of Information Security, 4 th Edition 24 Attacks (continued) ‏  Malicious code: includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information  Hoaxes: transmission of a virus hoax with a real virus attached; more devious form of attack  Back door: gaining access to system or network using known or previously unknown/newly discovered access mechanism

25 Principles of Information Security, 4 th Edition 25 Table 2-2 - Attack Replication Vectors New Table

26 Principles of Information Security, 4 th Edition 26 Attacks (continued) ‏  Password crack: attempting to reverse calculate a password  Brute force: trying every possible combination of options of a password  Dictionary: selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses

27 Principles of Information Security, 4 th Edition 27 Attacks (continued) ‏  Denial-of-service (DoS): attacker sends large number of connection or information requests to a target  Target system cannot handle successfully along with other, legitimate service requests  May result in system crash or inability to perform ordinary functions  Distributed denial-of-service (DDoS): coordinated stream of requests is launched against target from many locations simultaneously

28 Principles of Information Security, 4 th Edition 28 Attacks (continued) ‏  Spoofing: technique used to gain unauthorized access; intruder assumes a trusted IP address  Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them back into network  Spam: unsolicited commercial e-mail; more a nuisance than an attack, though is emerging as a vector for some attacks

29 29 Figure 2-12 IP Spoofing

30 30 Figure 2-13 Man-in-the-Middle Attack

31 Principles of Information Security, 4 th Edition 31 Attacks (continued) ‏  Mail bombing: also a DoS; attacker routes large quantities of e-mail to target  Sniffers: program or device that monitors data traveling over network; can be used both for legitimate purposes and for stealing information from a network  Social engineering: using social skills to convince people to reveal access credentials or other valuable information to attacker

32 Principles of Information Security, 4 th Edition 32 Attacks (continued) ‏  “People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything.” — Kevin Mitnick  Phishing: an attempt to gain personal/financial information from individual, usually by posing as legitimate entity

33 Principles of Information Security, 4 th Edition 33

34 Principles of Information Security, 4 th Edition 34 Attacks (continued) ‏  Pharming: redirection of legitimate Web traffic (e.g., browser requests) to illegitimate site for the purpose of obtaining private information  Timing attack: relatively new; works by exploring contents of a Web browser’s cache to create malicious cookie

35 Principles of Information Security, 4 th Edition 35 Secure Software Development  Many information security issues discussed here are caused by software elements of system  Development of software and systems is often accomplished using methodology such as Systems Development Life Cycle (SDLC) ‏  Many organizations recognize need for security objectives in SDLC and have included procedures to create more secure software  This software development approach known as Software Assurance (SA) ‏

36 Principles of Information Security, 4 th Edition 36 Software Assurance and the SA Common Body of Knowledge  National effort underway to create common body of knowledge focused on secure software development  US Department of Defense and Department of Homeland Security supported Software Assurance Initiative, which resulted in publication of Secure Software Assurance (SwA) Common Body of Knowledge (CBK) ‏  SwA CBK serves as a strongly recommended guide to developing more secure applications

37 Principles of Information Security, 4 th Edition 37 Software Development Security Problems  Problem areas in software development:  Buffer overruns  Command injection  Cross-site scripting  Failure to handle errors  Failure to protect network traffic  Failure to store and protect data securely  Failure to use cryptographically strong random numbers  Format string problems  Neglecting change control  Improper file access

38 Principles of Information Security, 4 th Edition 38 Software Development Security Problems (continued) ‏  Problem areas in software development (continued):  Improper use of SSL  Information leakage  Integer bugs (overflows/underflows) ‏  Race conditions  SQL injection  Trusting network address resolution  Unauthenticated key exchange  Use of magic URLs and hidden forms  Use of weak password-based systems  Poor usability

Download ppt "Principles of Information Security, 4 th Edition 2 Introduction  Primary mission of information security is to ensure systems and contents stay the same."

Similar presentations

Principles of Information Security, 2nd Edition1 Threats and Attacks.

Principles of Information Security, 2nd Edition1 Threats and Attacks.
Ethics, Privacy and Information Security

Ethics, Privacy and Information Security
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
Crime and Security in the Networked Economy Part 4.

Crime and Security in the Networked Economy Part 4.
1Principles of Information Security – Lecture by Sulafa Talha2012 The Need for Security.

1Principles of Information Security – Lecture by Sulafa Talha2012 The Need for Security.
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.
7.1 Copyright © 2011 Pearson Education, Inc. 7 Chapter Securing Information Systems.

7.1 Copyright © 2011 Pearson Education, Inc. 7 Chapter Securing Information Systems.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.

The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.
ISA 3200 NETWORK SECURITY Chapter 1: Introduction to Information Security.

ISA 3200 NETWORK SECURITY Chapter 1: Introduction to Information Security.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Principles of Information Security, 3rd Edition2  Recognize that organizations have a business need for information security  Understand that a successful.

Principles of Information Security, 3rd Edition2  Recognize that organizations have a business need for information security  Understand that a successful.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs,

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs,
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Threats and Attacks Principles of Information Security, 2nd Edition

Threats and Attacks Principles of Information Security, 2nd Edition
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
The Need for Security Chapter 2 Our bad neighbor makes us early stirrers, Which is both healthful and good husbandry. -- William Shakespeare (1564–1616),

The Need for Security Chapter 2 Our bad neighbor makes us early stirrers, Which is both healthful and good husbandry. -- William Shakespeare (1564–1616),
Our bad neighbor makes us early stirrers, Which is both healthful and good husbandry. -- William Shakespeare (1564–1616), King Henry, in Henry V, act 4,

Our bad neighbor makes us early stirrers, Which is both healthful and good husbandry. -- William Shakespeare (1564–1616), King Henry, in Henry V, act 4,
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Similar presentations

Ads by Google