McGraw-Hill/Irwin © 2008 The McGraw-Hill Companies, All Rights Reserved Business Plug-In B6 Information Security.

B6-2 LEARNING OUTCOMES
1. Describe the relationship between information security policies and an information security plan
2. Provide an example of each of the three primary security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response
3. Describe the relationships and differences between hackers and viruses

B6-3 INTRODUCTION
Information security – a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization
This plug-in discusses how organizations can implement information security lines of defense through people first and technology second

B6-4 The First Line of Defense - People
The biggest issue surrounding information security is not a technical issue, but a people issue. 38% of security incidents originate within the organization:
– Insiders
– Social engineering

B6-5 The First Line of Defense - People
The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan.
– Information security policies – identify the rules required to maintain information security
– Information security plan – details how an organization will implement the information security policies

B6-6 The First Line of Defense - People
Five steps to creating an information security plan:
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks; typical protections for those assets include:
   1. Firewall (hardware and/or software)
   2. Intrusion detection software (IDS)
4. Test and re-evaluate risks
5. Obtain stakeholder support

B6-7 The First Line of Defense - People

B6-8 The Second Line of Defense - Technology
Three primary information security areas:
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response

B6-9 AUTHENTICATION AND AUTHORIZATION
Authentication – a method for confirming users' identities
Authorization – the process of giving someone permission to do or have something
The most secure type of authentication involves a combination of the following:
1. Something the user knows such as a user ID and password
2. Something the user has such as a smart card or token
3. Something that is part of the user such as a fingerprint or voice signature

B6-10 Something the User Knows such as a User ID and Password
User IDs and passwords are the most common way to identify individual users, and on their own they are the weakest form of authentication: they can be guessed, reused across sites, phished, or stolen from a poorly protected password store.
Identity theft – the forging of someone's identity for the purpose of fraud
Phishing – a technique to gain personal information for the purpose of identity theft

B6-11 Something the User Knows such as a User ID and Password

B6-12 Something the User Has such as a Smart Card or Token
Smart cards and tokens are more effective than a user ID and a password because an attacker must also possess the physical device.
– Token – a small electronic device that generates a new one-time code at fixed intervals (typically every 30 to 60 seconds), so a code copied by an attacker expires almost immediately
– Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
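Worked example, added to this transcript and not taken from the textbook: a login that combines the first two factors from slide B6-9, a password checked against a salted PBKDF2 hash (something the user knows) and a time-based one-time code of the kind a token generates (something the user has, RFC 4226 HOTP / RFC 6238 TOTP), followed by a separate authorization check. The user record, the role table and the token secret `12345678901234567890` (the RFC 6238 test-vector key) are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# --- Factor 1, something the user knows: a password, stored only as a salted hash ---
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest). A random per-user salt defeats precomputed hash tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    # compare_digest runs in constant time; a plain == leaks how many leading bytes matched
    return hmac.compare_digest(digest, expected)


# --- Factor 2, something the user has: a token generating one-time codes ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter taken from the clock, so the code changes every `step` seconds."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, step: int = 30, skew: int = 1) -> bool:
    at = int(time.time()) if at is None else at
    counter = at // step
    # accept the neighbouring windows so a token with slight clock drift still works
    candidates = [hotp(secret, counter + d) for d in range(-skew, skew + 1)]
    return any(hmac.compare_digest(c.encode(), code.encode()) for c in candidates)


# --- Authorization: what an already-authenticated identity is permitted to do ---
ROLE_PERMISSIONS = {
    "clerk": {"invoice:read"},
    "manager": {"invoice:read", "invoice:approve"},
}


def authorize(role: str, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(role, set())


# Constructed user record for the demo (assumption: a real system keeps this in a credential store)
SALT, PW_HASH = hash_password("correct horse battery staple")
TOTP_SECRET = b"12345678901234567890"   # RFC 6238 test-vector key, not a real secret
USER = {"name": "alice", "role": "clerk", "salt": SALT, "pw_hash": PW_HASH, "totp_secret": TOTP_SECRET}


def login(user: dict, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors must pass: a stolen password alone is not enough."""
    return verify_password(password, user["salt"], user["pw_hash"]) and verify_totp(user["totp_secret"], code, at)


if __name__ == "__main__":
    now = int(time.time())
    print("login ok:       ", login(USER, "correct horse battery staple", totp(TOTP_SECRET, now), now))
    print("wrong password: ", login(USER, "password1", totp(TOTP_SECRET, now), now))
    print("clerk approves: ", authorize(USER["role"], "invoice:approve"))
```

Two details matter in practice: the password is never stored, only a salted, slow hash of it, and every comparison uses `hmac.compare_digest` so that response timing does not reveal partial matches. Authentication (who you are) and authorization (what you may do) stay separate functions, which is what the slide's two definitions describe.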

B6-13 Smart Cards

B6-14 Something That Is Part of the User such as a Fingerprint or Voice Signature
Often described as the strongest way to manage authentication, because the characteristic cannot be forgotten or lent to someone else.
– Biometrics – the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting
Unfortunately, this method can be costly and intrusive, every sensor has a false accept and false reject rate, and a biometric that leaks cannot be reissued the way a password can.

B6-15 Biometrics

B6-16 PREVENTION AND RESISTANCE
Downtime can cost an organization anywhere from $100 to $1 million per hour. A 22-hour outage in June 2000 caused eBay's market cap to plunge $5.7 billion.
Technologies available to help prevent and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls

B6-17 Top Ten Cell Phone Security Problems

B6-18 Prevention - Content Filtering
Organizations can use content filtering technologies to detect and stop e-mails containing sensitive information from leaving the organization, and to stop spam and viruses from spreading inward.
– Content filtering – occurs when organizations use software that filters content to prevent the transmission of unauthorized information
– Spam – a form of unsolicited e-mail
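An added example of the three filtering jobs the slide names, written for this transcript rather than taken from the textbook: outbound data-loss prevention (card numbers leaving the organization), inbound attachment blocking, and a crude spam score. The mail domain `example.com`, the sample messages and the phrase list are constructed; a production gateway would parse MIME and add sender reputation and SPF/DKIM checks.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


INTERNAL_DOMAIN = "example.com"                       # assumption: the organization's own mail domain
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")     # 13-16 digits with optional spaces or dashes
BLOCKED_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat")
SPAM_PHRASES = ("act now", "risk free", "you have been selected")


def luhn_ok(number: str) -> bool:
    """Luhn checksum, which every payment card number satisfies; it weeds out order IDs and phone numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    return [m.group() for m in CARD_RE.finditer(text) if luhn_ok(m.group())]


def is_internal(address: str) -> bool:
    return address.lower().endswith("@" + INTERNAL_DOMAIN)


def filter_message(msg: Message) -> List[str]:
    """Return the verdicts that apply; an empty list means deliver unchanged."""
    verdicts = []
    # Outbound data-loss prevention: card numbers must not leave the organization by mail
    if is_internal(msg.sender) and not is_internal(msg.recipient):
        for card in find_card_numbers(msg.body):
            verdicts.append(f"BLOCK: card number {card[:4]}... in outbound mail")
    # Inbound malware: executable attachment types, including double extensions like .pdf.exe
    for name in msg.attachments:
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            verdicts.append(f"BLOCK: executable attachment {name}")
    # Spam: crude phrase scoring (real gateways add reputation, SPF/DKIM and Bayesian scoring)
    text = (msg.subject + " " + msg.body).lower()
    score = sum(phrase in text for phrase in SPAM_PHRASES)
    if score >= 2:
        verdicts.append(f"QUARANTINE: spam score {score}")
    return verdicts


# Constructed sample traffic
SAMPLES = {
    "outbound leak": Message("bob@example.com", "vendor@partner.net", "payment",
                             "Please charge 4111 1111 1111 1111 for order 1234 5678 9012 3456."),
    "inbound dropper": Message("hr@corp-payroll.biz", "alice@example.com", "Your payslip",
                               "Open the attached file.", ["payslip.pdf.exe"]),
    "spam": Message("promo@deals.example.net", "alice@example.com", "You have been selected!",
                    "Act now, this risk free offer ends today."),
    "clean": Message("alice@example.com", "bob@example.com", "lunch",
                     "Order 1234 5678 9012 3456 shipped, see you at noon."),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:16} -> {filter_message(msg) or ['DELIVER']}")
```

The Luhn check is what keeps the filter usable: a bare sixteen-digit regex would block the order number in the "clean" message and train users to route around the gateway.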

B6-19 Prevention - ENCRYPTION
If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it.
– Encryption – scrambles information into an alternative form that requires a key or password to decrypt the information
– Public & private key encryption – uses two keys: a public key that everyone can have and a private key for only the recipient

B6-20 ENCRYPTION
Brute-forcing a properly implemented modern cipher is infeasible: a 128-bit key has about 3.4 × 10^38 possible values, far more than any attacker could try in hundreds of years. In practice attackers do not break the algorithm; they go after weak passwords, leaked or poorly stored keys, and implementation flaws.

B6-21 Encryption Demo Public vs Private key encryption

B6-22 Encryption over the Web
HTTPS (HTTP over SSL/TLS) – the encrypted form of the web protocol; most sign-in e-business websites are equipped with it
– used for encrypting data flowing between the browser and the server over the Internet, so that passwords and card numbers cannot be read or altered in transit

B6-23 Steganography
Steganography is the hiding of information in innocent-looking objects (images, audio files, documents). The name comes from the Greek steganos (covered) and graphein (writing). It is a companion to cryptography rather than a part of it: cryptography hides what a message says, steganography hides that a message exists. Since the arrival of digital files for image and sound, steganography has seen an enormous revival.
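An added illustration of the digital-file revival the slide mentions (example code written for this transcript, not from the textbook): least-significant-bit embedding, the simplest image steganography. The cover here is a constructed array of pseudo-random bytes standing in for pixel samples; each payload bit replaces the lowest bit of one sample, so no sample changes by more than 1 and the picture looks the same.

```python
import random


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of each cover byte, prefixed by a 32-bit length."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need one cover byte per payload bit")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit     # replace only the lowest bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    def read_bytes(count: int, offset: int) -> bytes:
        value = 0
        for i in range(count * 8):
            value = (value << 1) | (stego[offset + i] & 1)
        return value.to_bytes(count, "big")
    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)


def max_byte_change(a: bytes, b: bytes) -> int:
    """How far any single sample moved; for LSB embedding this is at most 1."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed cover: 4096 pseudo-random bytes standing in for an image's pixel samples
COVER = bytes(random.Random(7).getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    secret = b"meet at the loading dock at 0900"
    stego = embed(COVER, secret)
    print("recovered:", extract(stego))
    print("largest change to any sample:", max_byte_change(COVER, stego))
```

Note what this does and does not give you: anyone who knows the scheme can run `extract`, so steganography on its own provides no confidentiality. Encrypt the payload first, then hide the ciphertext. Statistical tests on the LSB plane can also reveal embedding, which is why steganalysis exists as a detection discipline.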

B6-24 Prevention - FIREWALLS
One of the most common defenses for preventing a security breach is a firewall.
– Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network
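An added example of the rule logic behind the definition above, written for this transcript rather than taken from the textbook: a first-match packet filter that inspects traffic in both directions and drops anything no rule explicitly allows. The network plan (a corporate LAN, a DMZ web server and one mail relay), the address ranges and the packets are constructed; the second rule set shows the classic mistake of placing a broad deny ahead of a narrow allow.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str     # "in" = entering the private network, "out" = leaving it
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: Optional[str] = None
    src: Optional[str] = None      # CIDR; None matches anything
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in (None, p.direction)
            and (self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
            and (self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
            and self.proto in (None, p.proto)
            and self.dport in (None, p.dport)
        )


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything not explicitly allowed is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "default deny"


# Constructed network plan: corporate LAN, DMZ web server, and a single mail relay
LAN, DMZ_WEB, MAIL_RELAY = "10.0.0.0/8", "192.0.2.10/32", "10.0.5.25/32"
POLICY = [
    Rule("allow", "in", None, DMZ_WEB, "tcp", 443, "public HTTPS to the DMZ web server"),
    Rule("allow", "out", MAIL_RELAY, None, "tcp", 25, "only the relay may send mail"),
    Rule("deny", "out", LAN, None, "tcp", 25, "workstations must not talk SMTP directly"),
    Rule("allow", "out", LAN, None, "tcp", 443, "outbound web browsing"),
]

# Same rules with the SMTP pair swapped: the broad deny now shadows the relay's allow
MISORDERED = [POLICY[0], POLICY[2], POLICY[1], POLICY[3]]

if __name__ == "__main__":
    for pkt in (
        Packet("in", "198.51.100.7", "192.0.2.10", "tcp", 443),
        Packet("in", "198.51.100.7", "192.0.2.10", "tcp", 22),
        Packet("out", "10.0.7.31", "203.0.113.1", "tcp", 25),
        Packet("out", "10.0.5.25", "203.0.113.1", "tcp", 25),
    ):
        print(pkt, "->", evaluate(POLICY, pkt))
    print("relay under MISORDERED:", evaluate(MISORDERED, Packet("out", "10.0.5.25", "203.0.113.1", "tcp", 25)))
```

The egress rules are the part most often skipped: a firewall that only filters inbound traffic does nothing against an infected workstation sending spam or exfiltrating data, which is why the definition on the slide says "leaving and entering".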

B6-25 FIREWALLS Sample firewall architecture connecting systems located in Chicago, New York, and Boston

B6-26 A Corporate Firewall

B6-27 DETECTION AND RESPONSE
If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage.
Antivirus software is the most common type of detection and response technology.
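An added example of how antivirus detection and response fit together, written for this transcript and not taken from the textbook: a scanner with three kinds of signature (exact file hash, byte pattern, and a behavioural heuristic) and a quarantine step. The known-bad content is the EICAR test string, which real scanners are expected to flag and which is harmless; the signature database, the other samples and the PowerShell heuristic are constructed for the demo.

```python
import hashlib
import re

# The EICAR test string: a harmless, industry-standard file that every scanner is expected to flag
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Signature database, constructed for the demo
HASH_SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}
PATTERN_SIGNATURES = [
    (re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"), "EICAR-Test-File.pattern"),
]
HEURISTICS = [
    # encoded PowerShell launched hidden is a common dropper technique
    (re.compile(rb"powershell[^\n]{0,80}-(enc|encodedcommand)\b", re.I), "Heuristic.EncodedPowerShell"),
]


def scan(data: bytes) -> list:
    """Return the names of every signature or heuristic the content triggers."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in PATTERN_SIGNATURES + HEURISTICS:
        if pattern.search(data):
            hits.append(name)
    return hits


def respond(path: str, data: bytes, quarantine: dict) -> str:
    """Detection is only half of it: move flagged content out of reach and record why."""
    hits = scan(data)
    if hits:
        quarantine[path] = {"sha256": hashlib.sha256(data).hexdigest(), "hits": hits}
        return "quarantined"
    return "clean"


# Constructed samples
SAMPLES = {
    "eicar.com": EICAR,
    "eicar-tweaked.com": EICAR[:-1] + b"#",            # one byte changed: hash signature misses it
    "readme.txt": b"Quarterly figures attached, see sheet 2.",
    "invoice.bat": b"@echo off\r\npowershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA\r\n",
}

if __name__ == "__main__":
    q = {}
    for name, content in SAMPLES.items():
        print(name, "->", respond(name, content, q), scan(content))
```

The "eicar-tweaked" sample is the point: changing a single byte defeats a hash signature, which is exactly what polymorphic malware does automatically, so scanners layer pattern and behaviour-based detection on top of hashes rather than relying on any one of them.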

B6-28 DETECTION AND RESPONSE
Hacker – people very knowledgeable about computers who use their knowledge to invade other people's computers
– White-hat hacker
– Black-hat hacker
– Hactivist
– Script kiddies or script bunnies
– Cracker
– Cyberterrorist

B6-29 DETECTION AND RESPONSE
Virus – software written with malicious intent to cause annoyance or damage by self-replicating
– Spreads as e-mail attachments
Related threats (not all of them are viruses):
– Worm
– Trojan-horse virus
– Denial-of-service attack (DoS)
– Distributed DoS

B6-30 DETECTION AND RESPONSE
Worms: programs that copy themselves from one computer to another over networks. Unlike a virus, a worm does not need to attach itself to an existing program.
– Can destroy data and programs, and halt operation of computer networks
– In August 2003, the "Blaster worm" infected over 50,000 computers worldwide
– "Good" worms: the "Welchia" worm, for example, tries to download and install patches from Microsoft's website to fix various vulnerabilities in the host system. It still spreads without the owner's consent, and its scanning traffic disrupted networks of its own, so it is treated as malware all the same.

B6-31 DETECTION AND RESPONSE
Trojan Horse: a software program that appears to be benign but then does something unexpected
– Often "transports" a virus into a computer system
– Name is based on the classic Greek myth from the Trojan War

B6-32 DETECTION AND RESPONSE
Denial of Service (DoS) attacks: hackers flood a server with false communications in order to crash the system
– Distributed DoS: uses numerous computers to crash the network
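An added example of detecting both cases on the slide from web server logs, written for this transcript and not taken from the textbook: a sliding-window count per source address catches a single flooding host, and a count across all sources catches a distributed attack in which no individual host exceeds the per-source limit. The log lines are constructed in Common Log Format using documentation address ranges; the thresholds are demo values that a real deployment would tune to its own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str):
    """Return (client_ip, unix_seconds) from a Common Log Format line, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT).timestamp()


def analyze(lines, window=10, per_source_limit=20, total_limit=100):
    """Sliding-window request counts: one noisy source => flooder; many quiet sources => volumetric."""
    events = sorted(e for e in map(parse, lines) if e is not None)   # order by time, tolerate junk
    events.sort(key=lambda e: e[1])
    per_source = defaultdict(deque)
    everyone = deque()
    flooders, volumetric = set(), False
    for ip, t in events:
        for q in (per_source[ip], everyone):
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()
        if len(per_source[ip]) > per_source_limit:
            flooders.add(ip)
        if len(everyone) > total_limit:
            volumetric = True
    return {"flooders": flooders, "volumetric": volumetric}


# Constructed log lines in Common Log Format (documentation address ranges)
_BASE = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def _log(ip, seconds, path="/"):
    ts = (_BASE + timedelta(seconds=seconds)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


# one client browsing normally plus one source firing six requests a second
FLOOD_LOGS = [_log("198.51.100.5", t, "/catalog") for t in range(0, 10, 2)] + \
             [_log("203.0.113.9", i // 6, "/search?q=x") for i in range(60)]

# fifty sources, three requests each, in the same ten seconds: nobody trips the per-source limit
DDOS_LOGS = [_log(f"198.51.100.{n}", t) for t in (0, 3, 6) for n in range(1, 51)]

if __name__ == "__main__":
    print("single flooder:", analyze(FLOOD_LOGS))
    print("distributed:   ", analyze(DDOS_LOGS))
```

The response differs too: a single flooder can be blocked at the firewall, while a distributed attack has no address worth blocking and is absorbed by rate limiting, upstream scrubbing or extra capacity, which is why telling the two apart in the logs matters.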

B6-33 DETECTION AND RESPONSE
Security threats to e-business include:
– Elevation of privilege
– Hoaxes
– Malicious code
– Spoofing
– Spyware
– Sniffer

B6-34 DETECTION AND RESPONSE
Spoofing: masquerading as someone else, or redirecting a Web link to an unintended address (see Phishing)
Sniffing: an eavesdropping program that monitors information traveling over a network

B6-35 DETECTION AND RESPONSE
Phishing (web spoofing): setting up fake Web sites or sending e-mail messages that look legitimate, and using them to ask for confidential data
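An added example of the link-level checks a mail filter or a careful reader applies to the spoofing and phishing cases on slides B6-34 and B6-35, written for this transcript and not taken from the textbook: it pulls every link out of an HTML message and flags the usual tricks (display text that names one host while the href goes to another, a trusted brand name buried inside a lookalike domain, punycode hosts that can hide homoglyphs, plain HTTP, and user-info tricks such as `https://bank.example.com@evil.net/`). The trusted domain `bank.example.com` and the sample message are constructed; the registrable-domain helper is a simplification that ignores public suffixes like `co.uk`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"bank.example.com"}       # constructed: brands the organization expects mail from
HOST_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels, e.g. login-verify.net (simplification: ignores public suffixes like co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def assess(href: str, text: str) -> list:
    url = urlparse(href)
    host = (url.hostname or "").lower()
    reasons = []
    if url.scheme == "http":
        reasons.append("plain-http")
    if "@" in url.netloc:
        reasons.append("userinfo-in-url")          # https://bank.example.com@evil.net/ goes to evil.net
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode")                 # possible homoglyph domain
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and registrable(host) != registrable(trusted):
            reasons.append("lookalike")            # bank.example.com.login-verify.net
    if HOST_LIKE.match(text):
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if shown.lower() != host:
            reasons.append("text-host-mismatch")   # link text names one host, href goes elsewhere
    return reasons


def analyze_html(body: str) -> list:
    parser = LinkExtractor()
    parser.feed(body)
    return [(href, assess(href, text)) for href, text in parser.links]


# Constructed phishing-style mail body
SAMPLE_EMAIL = """
<p>Your account has been locked. Sign in at
<a href="http://bank.example.com.login-verify.net/">https://bank.example.com/</a></p>
<p>Or review your <a href="https://bank.example.com/statements">statement</a>.</p>
<p>Security team: <a href="https://xn--bnk-8na.example.net/">bank.example.com</a></p>
"""

if __name__ == "__main__":
    for href, reasons in analyze_html(SAMPLE_EMAIL):
        print(href, "->", reasons or ["ok"])
```

Only the second link in the sample is genuine, and the checks single it out because both its visible text and its href resolve to the trusted registrable domain. The first link is the textbook case from the slide: it looks like the bank's address but the browser will go to `login-verify.net`.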

B6-36 Additional Material: Microsoft videos on phishing (video links)

B6-37 Wireless Security
Wired Equivalent Privacy (WEP) was the original Wi-Fi encryption scheme; it only provides protection if users turn it on.
– It is a code (key) that you choose to protect your wireless connections
– WEP is now considered broken: its RC4 keys can be recovered from captured traffic in minutes with freely available tools, so WPA2 or WPA3 should be used instead
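An added example of the design flaw that made WEP unsafe, written for this transcript and not taken from the textbook: WEP prepends a 24-bit initialisation vector (IV) in clear to every frame and feeds key plus IV into a stream cipher, so two frames with the same IV are encrypted with the same keystream. The toy cipher below is an HMAC-SHA256 counter mode standing in for RC4 (it is constructed for the demo, not WEP's real cipher), but the property is the same for any stream cipher: XOR the two ciphertexts together and the keystream cancels out, leaving the XOR of the plaintexts. The key, IV and frame contents are constructed.

```python
import hashlib
import hmac
import math

IV_LEN = 3   # WEP used a 24-bit IV prepended in clear to every frame


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy stream cipher (HMAC-SHA256 counter mode), standing in for WEP's RC4.
    Any stream cipher has the same property: same key + same IV => same keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return iv + xor(plaintext, keystream(key, iv, len(plaintext)))


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes):
    """If two frames share an IV, c_a XOR c_b == p_a XOR p_b, so knowing p_a reveals p_b.
    No key needed. Returns None when the IVs differ."""
    iv_a, c_a = frame_a[:IV_LEN], frame_a[IV_LEN:]
    iv_b, c_b = frame_b[:IV_LEN], frame_b[IV_LEN:]
    if iv_a != iv_b:
        return None
    n = min(len(c_a), len(c_b), len(known_plaintext_a))
    return xor(xor(c_a[:n], c_b[:n]), known_plaintext_a[:n])


def frames_until_iv_repeat(probability: float = 0.5, iv_bits: int = 24) -> float:
    """Birthday bound: frames sent before an IV repeats with the given probability."""
    return math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - probability)))


if __name__ == "__main__":
    key = b"constructed-demo-key"       # assumption: the shared WEP key, never seen by the attacker
    iv = b"\x01\x02\x03"                # a busy access point reuses this within minutes
    frame_a = encrypt_frame(key, iv, b"GET /login HTTP/1.1 ")   # predictable protocol header
    frame_b = encrypt_frame(key, iv, b"password=hunter2    ")   # what the eavesdropper wants
    print(recover_from_iv_reuse(frame_a, frame_b, b"GET /login HTTP/1.1 "))
    print("frames until a 50% chance of IV reuse:", round(frames_until_iv_repeat()))
```

With only 2^24 IVs, the birthday bound says a repeat is more likely than not after roughly 4,800 frames, a few seconds of traffic on a busy network, and the attacker needs nothing more than a sniffer and a guess at one frame's contents (protocol headers are highly predictable). WEP's actual key-recovery attacks go further by exploiting RC4's weak keys, but IV reuse alone is enough to read traffic, which is why WPA2/WPA3 replaced it.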

B6-38 Wireless Security
War driving: eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic.

B6-39 Wireless hacking (video)