INFORMATION SECURITY The protection of information from accidental or intentional misuse of a persons inside or outside an organization Comp 212 – Computer Fundamentals and Programming I

Protecting Intellectual Assets Organizational information is intellectual capital and must be protected Health Insurance Portability Act (HIPA) is one example of information security in action

People are the first line of defense Insiders account for 33% of security incidents in an organization Information security policies – identify the rules required to maintain information security Information security plan – details how an organization will implement the information security policies.

Steps for creating an Information Security Plan Develop the information security policies Designate responsibility and accountability to individual to follow the security plans 2. Communicate the information security policies Training employees to follow security policies and communicate consequences for not following those policies.

Steps for creating an Information Security Plan 3. Identify critical information assets and risks Require user IDs, passwords and anti-virus software. Implement firewalls and Intrusion Detection Software. 4. Test and reevaluate risks Continually perform security reviews, audits, background checks, and security assessments.

Steps for creating an Information Security Plan Obtain Stakeholder support Gain the approval and support of the board of directors and stakeholders concerning the security

Second line of Defense-Technology Authentication and Authorization Prevention and Resistance Detection and Response

Authentication and Authorization Authentication – method for confirming users identities Authorization – process of giving someone permission to do or have something

Authentication and Authorization Something the user knows – user IDs and passwords. Identity theft – forging of someone’s identity for the purpose of fraud. Phishing – an online form of identity theft, commonly through e-mail. B. Something the user has – Smart Card – a device the size of a credit card that can store small amount of information. Tokens – small electronic devices that change user passwords automatically.

Authentication and Authorization C. Something that is part of the user – fingerprint or voice signature 1. Biometrics – the identification of a user based on a physical characteristics, such as finger print, iris, face, voice or handwriting.

Prevention and Resistance Content filtering – occurs when software is used that filters content to prevent the transmission of unauthorized information. Encryption – scrambles information into an alternative form that requires a key or password to decrypt the information. Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network.

Detection and Response If prevention and resistance strategies fail an organization can use detection and response technologies to minimize and correct any damage. The most common being anti virus software, software that scans the system for potential threats to that system.

Detection and Response Hacker – people very knowledgeable about computers who use their knowledge to invade other people’s computers. White-hat hacker Black-hat hacker Hactivists Script kiddies or Script bunnies Cracker Cyberterrorists

Detection and Response Virus – software written with malicious intent to cause annoyance or damage. Worm Denial-of-service Attack (DoS) Distributed Denial-of-service Attack (DDoS) Trojan horse virus Backdoor program Polymorphic virus and worm

END