CHAPTER 4 Information Security Before, during, or after this chapter, you might want to show your students the PBS DVD entitled “Cyberwar”. It was done in 2003, but the topics remain current today (particularly in light of the cyber attack on Estonia and the Republic of Georgia). Further, see the cyber attack on the U.S. electrical grid in the Wall Street Journal, April, 8, 2009).
CHAPTER OUTLINE 4.1 Introduction to Information Security 4.2 Unintentional Threats to Information Security 4.3 Deliberate Threats to Information Security 4.4 What Organizations Are Doing to Protect Information Resources 4.5 Information Security Controls
LEARNING OBJECTIVES 1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one. 2. Compare and contrast human mistakes and social engineering, and provide a specific example of each one. 3. Discuss the ten types of deliberate attacks.
LEARNING OBJECTIVES (continued) 4. Define the three risk mitigation strategies, and provide an example of each one in the context of you owning a home. 5. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.
Opening Case: Kim Dotcom
4.1 Introduction to Information Security
Key Information Security Terms Threat Exposure Vulnerability Information security refers to all of the processes and policies designed to protect an organization’s information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. A threat to an information resource is any danger to which a system may be exposed. The exposure of an information resources is the harm, loss or damage that can result if a threat compromises that resource. A system’s vulnerability is the possibility that the system will suffer harm by a threat. Example of a threat (video)
Five Factors Increasing the Vulnerability of Information Resources Today’s interconnected, interdependent, wirelessly-networked business environment Smaller, faster, cheaper computers and storage devices Decreasing skills necessary to be a hacker Organized crime taking over cybercrime Lack of management support Organizations and individuals are now exposed to untrusted networks. An untrusted network, in general, is any network external to your organization. The Internet, by definition, is an untrusted network.
Networked Business Environment
Smaller, Faster Devices
Decreasing Skills Needed to be a hacker New & Easier Attack Tools Increasing Sophistication of Attacks High Attack Sophistication WEPCrack WiGLE.net Low AirJack 1980 2011 Note: The tools in this slide are designed for legitimate purposes, but they can be used for attacks as well. Knowledge Required by Intruder HostAP New & Easier Tools make it very easy to attack the Network
Organized Crime Taking Over Cybercrime
Lack of Management Support
4.2 Unintentional Threats to Information Systems
Security Threats (Figure 4.1)
Most Dangerous Employees Human resources and MIS These employees hold ALL the information As we are discussing human errors, we should note that the biggest threat to the security of an organization’s information assets are the company’s employees. In fact, the most dangerous employees are those in human resources and MIS. HR employees have access to sensitive personal data on all employees. MIS employees not only have access to sensitive personal data, but also control the means to create, store, transmit, and modify these data. The image represents how a human resources or MIS employee has access to, or controls, sensitive information in the organization.
Consultants, Janitors and Security Guards
Human Errors Carelessness with laptops and portable computing devices Opening questionable e-mails Careless Internet surfing Poor password selection and use And more
Social Engineering Two examples Tailgating Shoulder surfing
Anti-Tailgating Door To deter tailgating, many companies have anti-tailgating doors protecting the entrance into high-security areas. Note that only one person at a time can go through this door.
Shoulder Surfing Shoulder surfing occurs when the attacker watches another person’s computer screen over that person’s shoulder. Particularly dangerous in public areas such as airports, commuter trains, and on airplanes.
The “King” of Social Engineering 60 Minutes Interview with Kevin Mitnick Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him See his company here Social engineering is an attack where the attacker uses social skills to trick a legitimate employee into providing confidential company information such as passwords. Social engineering is a typically unintentional human error on the part of an employee, but it is the result of a deliberate action on the part of an attacker. The video shows Kevin Mitnick being interviewed by Ed Bradley of “60 Minutes.” It is interesting to note Mitnick’s reaction as to whether or not he considered himself to be a criminal.
4.3 Deliberate Threats to Information Systems
Deliberate Threats Espionage or trespass Information extortion Sabotage or vandalism Theft of equipment or information For example, dumpster diving Espionage or trespass: Competitive intelligence consists of legal information-gathering techniques. Industrial espionage crosses the legal boundary. The two images show dumpster divers. Many dumpster divers wear protective clothing and use snorkels, as it is not a good idea to receive cuts from items in the dumpster, and the air is foul.
Deliberate Threats (continued) Identify theft Identity theft video Compromises to intellectual property Medical identity theft video The identity theft video gives an excellent overview of the problem and how it affects lives. The video continues with a look at how to prevent identity theft. Compromises to intellectual property Intellectual property. Property created by individuals or corporations which is protected under trade secret, patent, and copyright laws. Trade secret. Intellectual work, such as a business plan, that is a company secret and is not based on public information. Patent. Document that grants the holder exclusive rights on an invention or process for 20 years. Copyright. Statutory grant that provides creators of intellectual property with ownership of the property for life of the creator plus 70 years. Piracy. Copying a software program without making payment to the owner. Virus is a segment of computer code that performs malicious actions by attaching to another computer program. Worm is a segment of computer code that performs malicious actions and will spread by itself without requiring another computer program. Trojan horse is a computer program that hides in another computer program and reveals its designated behavior only when it is activated. Logic bomb is a segment of computer code that is embedded inside an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time or date.
Deliberate Threats (continued) Software attacks Virus Worm 1988: first widespread worm, created by Robert T. Morris, Jr. (see the rapid spread of the Slammer worm) Trojan horse Logic Bomb A virus is a segment of computer code that performs malicious actions by attaching to another computer program. A worm is a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program. A Trojan horse is a software program that hides in other computer programs and reveal its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send them to the creator of the Trojan horse. A logic bomb is a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time and date.
Deliberate Threats (continued) Software attacks (continued) Phishing attacks Phishing slideshow Phishing quiz Phishing example Distributed denial-of-service attacks See botnet demonstration Phishing attacks use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages. The phishing slideshow presents a nice demonstration of how phishing works. The phishing quiz presents a variety of e-mails. You must decide which are legitimate and which are phishing attempts. The phishing examples show actual phishing attempts. In a distributed denial-of-service attack, the attacker first takes over many computers. These computers are called zombies or bots. Together, these bots form a botnet. The botnet demonstration shows how botnets are created and how they work.
How to Detect a Phish E-mail
Is the email really from eBay, or PayPal, or a bank? As Spammers get better, their emails look more genuine. How do you tell if it’s a scam and phishing for personal information? Here’s how ...
Is the email really from eBay, or PayPal, or a bank? As an example, here is what the email said: Return-path: <service@paypal.com> From: "PayPal"<service@paypal.com> Subject: You have 1 new Security Message Alert ! Note that they even give advice in the right column about security
Example Continued – bottom of the email
How to see what is happening View Source In Outlook, right click on email, click ‘view source’ In GroupWise, open email and click on the Message Source tab In Mozilla Thunderbird, click on View, and Source. Below is the part of the text that makes the email look official – the images came from the PayPal website.
View Source – The Real Link In the body it said, “If you are traveling, “Travelling Confirmation Here” Here is where you are really being sent href=3Dftp://futangiu:futangiu@209.202.224.140/index.htm Notice that the link is not only not PayPal, it is an IP address, 2 giveaways of a fraudulent link.
Another Example – Amazon View Source
Deliberate Threats (continued) Alien Software Spyware (see video) Spamware Cookies Cookie demo Spyware collects personal information about users without their consent. Two types of spyware are keystroke loggers (keyloggers) and screen scrapers. Keystroke loggers record your keystrokes and your Web browsing history. Screen scrapers record a continuous “movie” of what you do on a screen. The spyware video provides a nice overview of spyware and how to avoid it. Spamware is alien software that is designed to use your computer as a launchpad for spammers. Spam is unsolicited e-mail. Cookies are small amounts of information that Web sites store on your computer. The cookie demo will show you how much information your computer sends when you connect to a Web site.
Keystroke Logger (Keylogger) Plugs in between monitor and computer
Example of CAPTCHA
Deliberate Threats (continued) Supervisory control and data acquisition (SCADA) attacks Wireless sensor A supervisory control and data acquisition (SCADA) system is a large-scale, distributed, measurement and control system. SCADA systems are the link between the electronic world and the physical world. The picture shows wireless sensors (black boxes with yellow faces) controlling valves in a chemical plant. Note the old manual wheel used to control the valve. These sensors are typically connected to the company’s network. If the company’s network is compromised, these sensors can be made to perform malicious actions.
What if a SCADA attack were successful? Northeastern U.S. power outage in 2003 The northeastern power outage shown here was caused by a tree limb breaking a high-voltage wire. However, a successful SCADA attack on the U.S. power grid could have the same results.
Results of the power outage in NYC New York City during the blackout (on the left). People walking home during the blackout (on the right).
More results of power outage in NYC Many tourists simply slept on the street or on in hotel lobbies, as elevators were not working (above left). Hundreds of thousands of people walking home from Manhattan during the blackout (above right).
Example of SCADA attack (and cyberwarfare) The Stuxnet Worm (IT’s About Business 4.3) Where Stuxnet struck Stuxnet video
Cyberwarfare and Cyberterrorism See video
4.4 What Organizations Are Doing to Protect Themselves
Risk! There is always risk!
And then there is real risk! One has to wonder what this soldier did to have this job assigned to him!
Risk Management Risk Risk management Risk analysis Risk mitigation Risk. The probability that a threat will impact an information resource. Risk management. To identify, control and minimize the impact of threats. Risk analysis. To assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it. Risk mitigation is when the organization takes concrete actions against risk. It has two functions: (1) implement controls to prevent identified threats from occurring, and (2) developing a means of recovery should the threat become a reality. --------------------------------------
Risk Mitigation Strategies Risk Acceptance Risk limitation Risk transference Risk Acceptance. Accept the potential risk, continue operating with no controls, and absorb any damages that occur. Risk limitation. Limit the risk by implementing controls that minimize the impact of threat. Risk transference. Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
Risk Optimization This graph comes from Spies Among Us by Ira Winkler (page 37, Figure 2.3). Note: It is important to optimize risk rather than minimize risk. Companies can slide the vertical line (risk optimization line) back and forth. In doing so, companies can see the trade-offs between the amount they spend on countermeasures and the potential loss they can expect. If the line slides to the left, company will spend less on countermeasures, but have greater potential loss. If the line slides to the right, the company will spend more on countermeasures, but have lower potential loss.
4.5 Information Security Controls
Information Security Controls Physical controls Access controls Communications (network) controls Physical controls. Physical protection of computer facilities and resources. Access controls. Restriction of unauthorized user access to computer resources; use biometrics and passwords controls for user identification. Communications (network) controls. To protect the movement of data across networks and include border security controls, authentication and authorization.
Where Defense Mechanisms (Controls) Are Located
Access Controls Authentication Something the user is (biometrics powerpoints) Video on biometrics The latest biometric: gait recognition Something the user has Something the user does Something the user knows passwords passphrases Authentication - Major objective is proof of identity. Something the User Is - Also known as biometrics, these access controls examine a user's innate physical characteristics. Something the User Has - These access controls include regular ID cards, smart cards, and tokens. Something the User Does - These access controls include voice and signature recognition. Something the User Knows - These access controls include passwords and passphrases. A password is a private combination of characters that only the user should know. A passphrase is a series of characters that is longer than a password but can be memorized easily.
Access Controls (continued) Authorization Privilege Least privilege Authorization - Permission issued to individuals and groups to do certain activities with information resources, based on verified identity. A privilege is a collection of related computer system operations that can be performed by users of the system. Least privilege is a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.
Communications Controls Firewalls Anti-malware systems Whitelisting and Blacklisting Encryption Firewalls. System that enforces access-control policy between two networks. Anti-malware systems (also called antivirus software) are software packages that attempt to identify and eliminate viruses, worms, and other malicious software. The logos show three well-known anti-malware companies. Clicking on the link will take you to each company’s homepage, respectively. Whitelisting is a process in which a company identifies the software that it will allow to run and does not try to recognize malware. Blacklisting is a process in which a company allows all software to run unless it is on the blacklist. Encryption. Process of converting an original message into a form that cannot be read by anyone except the intended receiver.
Communication or Network Controls (continued) Virtual private networking Secure Socket Layer (now transport layer security) Employee monitoring systems A virtual private network is a private network that uses a public network (usually the Internet) to connect users. Secure socket layer (SSL), now called transport layer security (TLS), is an encryption standard used for secure transactions such as credit card purchases and online banking. Employee monitoring systems monitor employees’ computers, e-mail activities, and Internet surfing activities.
Basic Home Firewall (top) and Corporate Firewall (bottom) In a basic home firewall, the firewall is implemented as software on the home computer. An organizational firewall has the following components: (1) external firewall facing the Internet (2) a demilitarized zone (DMZ) located between the two firewalls; the DMZ contains company servers that typically handle Web page requests and e-mail. (3) an internal firewall that faces the company network
Whitelisting and Blacklisting
How Digital Certificates Work A digital certificate is an electronic document attached to a file certifying that the file is from the organization that it claims to be from and has not been modified from its original format. Certificate authorities, which are trusted intermediaries between two organizations, issue digital certificates.
Virtual Private Network and Tunneling Tunneling encrypts each data packet that is sent and places each encrypted packet inside another packet.
Transport Layer Security
Popular Employee Monitoring Systems The logos are of companies that provide employee monitoring systems. Clicking on the logo will take you to each company’s home page.
Employee Monitoring System This image provides a demonstration of how an employee monitoring system looks to the network administrator. He or she sees the screens that everyone is on, and c “zoom in” on any one person’s screen.
Business Continuity Planning, Backup, and Recovery Hot Site Warm Site Cold Site Hot Site is a fully configured computer facility, with all services, communications links, and physical plant operations. Warm Site provides many of the same services and options of the hot site, but it typically does not include the actual applications the company runs. Cold Site provides only rudimentary services and facilities and so does not supply computer hardware or user workstations.
Information Systems Auditing Types of Auditors and Audits Internal External Information systems auditing. Independent or unbiased observers task to ensure that information systems work properly. Audit. Examination of information systems, their inputs, outputs and processing. Types of Auditors and Audits Internal. Performed by corporate internal auditors. External. Reviews internal audit as well as the inputs, processing and outputs of information systems.
IS Auditing Procedure Auditing around the computer Auditing through the computer Auditing with the computer Auditing around the computer means verifying processing by checking for known outputs or specific inputs. Auditing through the computer means inputs, outputs and processing are checked. Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware.
Chapter Closing Case
Chapter Closing Case