1) Introduction to Information Security:
⭐Security: the degree of protection against criminal activity, danger, damage, and/or loss.
⭐Information Security: all the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.
* Key Information Security Terms:
- Threat: any danger to which a system may be exposed.
- Exposure: the harm, loss, or damage that can result if a threat compromises a resource.
- Vulnerability: the possibility that the system will be harmed by a threat.
* Threats to Information Security:
● Today's interconnected, interdependent, wirelessly networked business environment.
- Untrusted network: any network external to your organization.
● Smaller, faster, cheaper computers and storage devices (flash drives).
● Decreasing skills necessary to be a computer hacker.
- Hacker: a person who finds weaknesses in a computer system and exploits them.
● International organized crime turning to cybercrime.
- Cybercrime: illegal activities conducted over computer networks, particularly the Internet.
Example: iDefense.
● Lack of management support:
- Insufficient funding.
- Technological obsolescence.
- Lack of attention.
------------------------------------------------------------------------------------
2) Unintentional Threats to Information Systems:
- Information Systems are vulnerable to many potential hazards and threats.
- The two major categories of threats are:
1) Deliberate threats.
2) Unintentional threats: acts performed without malicious intent that nevertheless represent a serious threat to information security.
- A major category of unintentional threats is human error.
♢ Human Errors:
• Carelessness with laptops and portable computing devices.
• Opening questionable emails.
• Careless Internet surfing.
• Poor password selection.
♢ Social Engineering: an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential information such as passwords.
• Tailgating: occurs when an unauthorized person slips in through a door before it closes.
• Shoulder surfing: occurs when the attacker watches another person's computer screen over that person's shoulder.
------------------------------------------------------------------------------------
3) Deliberate Threats to Information Systems:
1. Espionage or Trespass: occurs when an unauthorized individual attempts to gain illegal access to organizational information.
2. Information Extortion: occurs when an attacker either threatens to steal, or actually steals, information from a company.
3. Sabotage or Vandalism: deliberate acts that involve defacing an organization's website, possibly damaging the organization's image and causing its customers to lose faith.
4. Theft of Equipment or Information:
• Pod slurping: perpetrator plugs portable device into a USB port in a computer and downloads sensitive information.
• Dumpster diving: rummaging through commercial or residential trash to find information that has been discarded.
5. Identity theft: is the deliberate assumption of another person's identity, usually to gain access to their financial information or to frame them for a crime.
6. Compromises to Intellectual Property (IP):
• Trade secret: an intellectual work, such as a business plan, that is a company secret and not based on public information.
• Patent: a document that grants the holder exclusive rights on an invention or process for 20 years.
• Copyright: a statutory grant that provides the creator of IP with ownership of the property for the life of the creator plus 70 years.
• Piracy: the illegal copying of software.
7. Software Attacks:
• Virus: a segment of computer code that performs malicious actions by attaching to another computer program.
• Worm: a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program.
• Trojan horse: a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send it to the creator of the Trojan horse.
• Logic Bomb: a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time and date.
• Phishing attacks: use deception to acquire sensitive personal information by masquerading as official-looking emails.
• Denial-of-service attack: attackers send so many information requests to a target computer system that the system cannot handle them successfully, and typically crashes.
8. Alien Software: is clandestine software that is installed on your computer through duplicitous methods.
• Spyware: software that collects personal information about users without their consent.
▪ Keystroke loggers: record your keystrokes and your Web browsing history.
▪ Screen scrapers: record a continuous "movie" of what you do on a screen.
• Spamware: alien software that is designed to use your computer as a launchpad for spammers. Spam is unsolicited (unwanted) email.
• Cookies.
9. Supervisory Control and Data Acquisition (SCADA) Attacks.
10. Cyber terrorism and Cyber warfare:
- Attackers use a target's computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, usually to carry out a political agenda.
-----------------------------------------------------------------------------------
4) What Organizations Are Doing to Protect Information Resources:
• Risk: the probability that a threat will impact an information resource.
• Risk management: to identify, control, and minimize the impact of threats.
• Risk analysis: to assess the value of each asset being protected, estimate the probability that it might be compromised, and compare the probable cost of its being compromised with the cost of protecting it.
• Risk mitigation: the organization takes concrete actions against risk. It has two functions:
1. Implement controls to prevent identified threats from occurring.
2. Develop a means of recovery should the threat become a reality.
• Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur.
• Risk limitation: limit the risk by implementing controls that minimize the impact of the threat.
• Risk transference: transfer the risk by using other means to compensate for the loss, such as by purchasing insurance.
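Worked example (added here, not part of the notes): a small Python risk analysis that applies the comparison above to a few constructed assets and then picks one of the strategies listed (limitation, transference, or acceptance). The asset values, probabilities, costs, and the decision rules are assumptions of the example, not figures from the notes.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    name: str
    value: float              # what it costs the organization if the asset is compromised
    probability: float        # estimated yearly probability of compromise
    control_cost: float       # yearly cost of the control that counters the threat
    control_reduction: float  # share of the compromise probability the control removes (0..1)
    insurance_premium: float  # yearly premium to transfer the loss to an insurer


def expected_loss(asset: Asset) -> float:
    """Risk analysis: asset value times the probability it is compromised."""
    return asset.value * asset.probability


def residual_loss(asset: Asset) -> float:
    """Expected loss that remains once the control is in place."""
    return asset.value * asset.probability * (1.0 - asset.control_reduction)


def choose_strategy(asset: Asset) -> str:
    """Compare the probable cost of compromise with the cost of protection.

    The decision rules below are this example's assumption, not a rule from the notes.
    """
    loss = expected_loss(asset)
    loss_removed = loss - residual_loss(asset)
    if asset.control_cost < loss_removed:
        return "limitation"      # the control costs less than the loss it prevents
    if asset.insurance_premium < loss:
        return "transference"    # cheaper to insure than to absorb the expected loss
    return "acceptance"          # neither pays off: operate with no controls, absorb damage


def risk_register(assets: List[Asset]) -> Dict[str, str]:
    """Strategy chosen for each asset, keyed by asset name."""
    return {asset.name: choose_strategy(asset) for asset in assets}


# Constructed sample assets: every figure here is made up for the example.
SAMPLE_ASSETS = [
    Asset("customer database", 500_000, 0.10, 20_000, 0.8, 30_000),
    Asset("shared printer", 2_000, 0.05, 500, 0.9, 300),
    Asset("field laptop", 30_000, 0.20, 8_000, 0.5, 2_000),
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(f"{asset.name:18} expected loss {expected_loss(asset):>9,.0f} "
              f"-> {choose_strategy(asset)}")
```

The register shows the three outcomes side by side: the database is worth protecting with controls, the laptop is cheaper to insure than to harden, and the printer's expected loss is too small to justify either, so the risk is accepted.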
------------------------------------------------------------------------------------
5) Information Security Controls:
- To protect their information assets, organizations implement controls, or defense mechanisms (countermeasures). These controls are designed to protect all of the components of an information system, including data, software, hardware, and networks. Because there are so many diverse threats, organizations utilize layers of controls, or defense-in-depth.
- Controls are intended to prevent accidental hazards, deter intentional acts, detect problems as early as possible, enhance damage recovery, and correct problems.
- There are three major types of controls:
1) Physical Controls: physical protection of computer facilities and resources (walls, doors, fencing, gates, locks, guards, and alarm systems).
2) Access Controls: restriction of unauthorized user access to computer resources.
- There are two major functions:
1. Authentication: determines/confirms the identity of the person requiring access.
▪ Something the user is: access controls that examine a user's physiological or behavioral characteristics.
• Biometrics:
- Voice verification.
- Fingerprints.
- Retina scan.
▪ Something the user does: these access controls include voice and signature recognition.
▪ Something the user knows:
- Password: a private combination of characters that only the user should know.
Example: nam3-beeS
- Passphrase: a series of characters that is longer than a password but can still be memorized easily.
Example: Omanft2Brazilworldcup.
2. Authorization: determines which actions, rights, or privileges the person has to perform certain activities with information resources, based on his/her verified identity.
▪ Privilege: a collection of related computer system operations that can be performed by users of the system.
▪ Least privilege: the principle that users are granted the privilege for an activity only if there is a justifiable need to grant that authorization.
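Worked example (added here, not part of the notes): Python code showing both access-control functions together. Authentication checks "something the user knows" against salted PBKDF2 password hashes, using the notes' two example secrets as constructed credentials; authorization then grants operations only through explicitly assigned privileges, so anything not granted is denied, which is least privilege in practice. The user names, privilege names, and PBKDF2 parameters are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Set, Tuple

# --- Authentication: "something the user knows" ---------------------------------
PBKDF2_ITERATIONS = 100_000  # assumption of this example, not a value from the notes


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so the stored value is not the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store holding (salt, hash) per user; the secrets are the notes' examples.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("nam3-beeS"),            # password example from the notes
    "bob": hash_password("Omanft2Brazilworldcup"),  # passphrase example from the notes
}


def authenticate(username: str, password: str) -> bool:
    """Confirms the identity of the person requiring access."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # do the same work for unknown users
        return False
    salt, expected = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


# --- Authorization: privileges granted under least privilege ----------------------
# A privilege is a collection of related operations (names are constructed).
PRIVILEGES: Dict[str, Set[str]] = {
    "read_payroll": {"payroll:read"},
    "manage_payroll": {"payroll:read", "payroll:write"},
    "backup_operator": {"files:read", "backup:run"},
}
# Each user holds only the privileges their job justifies; nothing is granted by default.
GRANTS: Dict[str, Set[str]] = {
    "alice": {"manage_payroll"},
    "bob": {"read_payroll", "backup_operator"},
}


def permitted_operations(username: str) -> Set[str]:
    """Union of the operations contained in the user's granted privileges."""
    ops: Set[str] = set()
    for privilege in GRANTS.get(username, set()):
        ops |= PRIVILEGES[privilege]
    return ops


def authorize(username: str, operation: str) -> bool:
    """Default deny: allowed only if some granted privilege contains the operation."""
    return operation in permitted_operations(username)


def access(username: str, password: str, operation: str) -> str:
    """Authenticate first, then authorize the verified identity."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, operation):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    print(access("alice", "nam3-beeS", "payroll:write"))              # allowed
    print(access("bob", "Omanft2Brazilworldcup", "payroll:write"))    # denied: not authorized
    print(access("mallory", "guess", "payroll:read"))                 # denied: authentication failed
```

Bob can read payroll and run backups but cannot write payroll, because nobody granted him that privilege; the order of the checks matters too, since authorization is only meaningful for an identity that has already been verified.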
3) Communications (network) controls: protect the movement of data across networks and include border security controls, authentication, and authorization.
▪ Firewall: a system that enforces an access-control policy between two networks.
▪ Anti-malware systems: software packages that attempt to identify and eliminate viruses, worms, and other malicious software.
▪ Whitelisting and Blacklisting:
- Whitelisting: a process in which a company identifies the software that it will allow to run, rather than trying to recognize malicious software.
- Blacklisting: a process in which a company allows all software to run unless it is on the blacklist.
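Worked example (added here, not part of the notes): a Python comparison of the two policies applied to constructed stand-in programs. Programs are identified by the SHA-256 of their contents rather than by file name, so renaming a file does not change the decision; the program names and contents are made up for the example.

```python
import hashlib
from typing import Dict, Tuple


def fingerprint(program_bytes: bytes) -> str:
    """Identify a program by the SHA-256 of its contents, not by its file name."""
    return hashlib.sha256(program_bytes).hexdigest()


# Constructed stand-ins for executables: name -> contents.
PROGRAMS: Dict[str, bytes] = {
    "payroll.exe": b"PAYROLL-APP-v1",
    "browser.exe": b"BROWSER-v9",
    "knownbad.exe": b"KNOWN-MALWARE-SAMPLE",
}

# Whitelist: the builds the company has decided may run.
ALLOWLIST = {fingerprint(PROGRAMS["payroll.exe"]), fingerprint(PROGRAMS["browser.exe"])}
# Blacklist: the software the company has already recognized as malicious.
BLOCKLIST = {fingerprint(PROGRAMS["knownbad.exe"])}


def whitelist_decision(program_bytes: bytes) -> str:
    """Default deny: only fingerprints on the whitelist may run."""
    return "run" if fingerprint(program_bytes) in ALLOWLIST else "block"


def blacklist_decision(program_bytes: bytes) -> str:
    """Default allow: everything runs unless its fingerprint is on the blacklist."""
    return "block" if fingerprint(program_bytes) in BLOCKLIST else "run"


def compare_policies(candidates: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """(whitelist decision, blacklist decision) for each candidate program."""
    return {name: (whitelist_decision(b), blacklist_decision(b))
            for name, b in candidates.items()}


# Constructed cases: an approved build, a renamed copy of the known malware,
# a program nobody has seen before, and a tampered build of the approved payroll app.
CANDIDATES: Dict[str, bytes] = {
    "payroll.exe": PROGRAMS["payroll.exe"],
    "invoice.exe": PROGRAMS["knownbad.exe"],
    "unknown_tool.exe": b"NEVER-SEEN-BEFORE",
    "payroll_patched.exe": PROGRAMS["payroll.exe"] + b"+EXTRA",
}

if __name__ == "__main__":
    for name, (wl, bl) in compare_policies(CANDIDATES).items():
        print(f"{name:22} whitelist={wl:5} blacklist={bl}")
```

The two cases where the policies disagree are the point of the comparison: software nobody has seen before, and a modified copy of an approved program, both run under a blacklist and are both stopped by a whitelist. The price of that coverage is that every legitimate update must be added to the whitelist before it will run.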
▪ Encryption: process of converting an original message into a form that cannot be read by anyone except the intended receiver.
- Public-key encryption: uses two different keys: a public key and a private key.
- Digital certificate: an electronic document attached to a file certifying that the file is from the organization it claims to be from and has not been modified from its original form.
- Certificate authorities: trusted intermediaries between two organizations that issue digital certificates.
For an example of a certificate authority, see www.entrust.com.
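Worked example (added here, not part of the notes): toy RSA in Python showing the two different keys, a certificate authority signing a certificate body with its private key, and a client checking that signature with the CA's public key before encrypting to the public key the certificate vouches for. The primes, the CA name, and the certificate layout are assumptions of the example; the keys are built from Mersenne primes whose factors are public and no padding is used, so this shows the mechanics only and must not be reused as real cryptography.

```python
import copy
import hashlib
import json
from typing import Dict, Tuple

# Mersenne primes chosen so the moduli are large enough that a tampered certificate
# will not collide by chance, yet easy to write down. Their factors are public, so
# these keys are classroom material only (an assumption of this example).
MERSENNE = {61: (1 << 61) - 1, 89: (1 << 89) - 1, 31: (1 << 31) - 1, 107: (1 << 107) - 1}


def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Public key (n, e) and private key (n, d): two different keys, as in the notes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # e must be coprime to phi; true for the primes above
    return {"n": n, "e": e}, {"n": n, "d": d}


def encrypt(public_key: Dict[str, int], m: int) -> int:
    """Anyone with the public key can encrypt an integer m < n (no padding: toy only)."""
    return pow(m, public_key["e"], public_key["n"])


def decrypt(private_key: Dict[str, int], c: int) -> int:
    """Only the holder of the matching private key can recover m."""
    return pow(c, private_key["d"], private_key["n"])


def digest_mod_n(obj: dict, n: int) -> int:
    """Hash a canonical JSON encoding of the certificate body, reduced into [0, n)."""
    canonical = json.dumps(obj, sort_keys=True).encode("utf-8")
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big") % n


def sign(private_key: Dict[str, int], obj: dict) -> int:
    return pow(digest_mod_n(obj, private_key["n"]), private_key["d"], private_key["n"])


def verify(public_key: Dict[str, int], obj: dict, signature: int) -> bool:
    return pow(signature, public_key["e"], public_key["n"]) == digest_mod_n(obj, public_key["n"])


def issue_certificate(ca_private: Dict[str, int], issuer: str, subject: str,
                      subject_public: Dict[str, int]) -> dict:
    """The CA binds a subject name to a public key and signs that binding."""
    body = {"issuer": issuer, "subject": subject, "public_key": subject_public}
    return {"body": body, "signature": sign(ca_private, body)}


def verify_certificate(ca_public: Dict[str, int], cert: dict, expected_subject: str) -> bool:
    """Accept only if the name matches and the CA's signature over the body checks out."""
    body = cert["body"]
    return body["subject"] == expected_subject and verify(ca_public, body, cert["signature"])


def run_demo() -> Dict[str, object]:
    ca_public, ca_private = toy_keypair(MERSENNE[61], MERSENNE[89])
    server_public, server_private = toy_keypair(MERSENNE[31], MERSENNE[107])
    cert = issue_certificate(ca_private, "Toy CA (constructed)", "shop.example", server_public)

    # An attacker edits the subject name; the CA's signature no longer matches the body.
    tampered = copy.deepcopy(cert)
    tampered["body"]["subject"] = "bank.example"

    # A client that trusts the CA encrypts a session key to the certified public key.
    session_key = 0xC0FFEE
    ciphertext = encrypt(cert["body"]["public_key"], session_key)
    return {
        "genuine_ok": verify_certificate(ca_public, cert, "shop.example"),
        "tampered_ok": verify_certificate(ca_public, tampered, "bank.example"),
        "decrypted": decrypt(server_private, ciphertext),
    }


if __name__ == "__main__":
    print(run_demo())
```

The certificate itself carries no secret: it is the CA's signature that lets the client trust the public key inside it, and any change to the body after signing makes that signature fail to verify.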
▪ Virtual Private Networking (VPN): a private network that uses a public network (usually the Internet) to connect users.
- Privacy: the right to be left alone and to be free of unreasonable personal intrusion.
- Tunneling: encrypts each data packet to be sent and places each encrypted packet inside another packet.
▪ Secure Sockets Layer (SSL), now called Transport Layer Security (TLS): an encryption standard used for secure transactions such as credit card purchases and online banking.
▪ Employee monitoring systems: systems that monitor employees' computers, email activities, and Internet surfing activities.
-----------------------------------------------------------------------------------
♣ Information Systems Auditing:
- The task of independent or unbiased observers to ensure that information systems work properly.
- Audit: an examination of information systems, their inputs, outputs, and processing.
- Types of Auditors and Audits:
• Internal: performed by corporate internal auditors.
• External: reviews the internal audit as well as the inputs, processing, and outputs of information systems.