Monday, December 29, 2014

CHAPTER 4: Information Security


In this post I will highlight the most important points in every section of chapter four.





4.1 Introduction to Information Security



*Five Factors Increasing the Vulnerability of Information Resources:-
  • Today’s interconnected, interdependent, wirelessly-networked business environment
  • Smaller, faster, cheaper computers and storage devices
  • Decreasing skills necessary to be a hacker
  • Organized crime taking over cybercrime
  • Lack of management support





4.2 Unintentional Threats to Information Systems




*Human Errors:
  • Carelessness with laptops and portable computing devices
  • Opening questionable e-mails
  • Careless Internet surfing
  • Poor password selection and use


*Social Engineering:

Social engineering is an attack where the attacker uses social skills to trick a legitimate employee into providing confidential company information such as passwords.

Two examples:
  • Tailgating: Following an authorized person through a controlled entrance without presenting one's own credentials. To deter tailgating, many companies have anti-tailgating doors protecting the entrance into high-security areas; only one person at a time can go through this type of door.


  • Shoulder surfing: Shoulder surfing occurs when the attacker watches another person’s computer screen over that person’s shoulder. It is particularly dangerous in public areas such as airports, commuter trains, and on airplanes.


4.3 Deliberate Threats to Information Systems

*There are many types of deliberate attacks including:
  • Espionage or Trespass
  • Information extortion
  • Sabotage or vandalism
  • Theft of equipment or information
  • Identity theft
  • Compromises to intellectual property
  • Software attacks
  • Alien software
  • Supervisory control and data acquisition (SCADA) attacks
  • Cyberterrorism and cyberwarfare






*Espionage or trespass

Espionage or trespass: Competitive intelligence consists of legal information-gathering techniques. Industrial espionage crosses the legal boundary.




*Compromises to intellectual property

Intellectual property: Property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.

Trade secret: Intellectual work, such as a business plan, that is a company secret and is not based on public information.

Patent: Document that grants the holder exclusive rights on an invention or process for 20 years.
Copyright: Statutory grant that provides creators of intellectual property with ownership of the property for life of the creator plus 70 years.





*Software attacks

Virus: A virus is a segment of computer code that performs malicious actions by attaching to another computer program.

Worm: A worm is a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program.

Trojan horse: A Trojan horse is a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send it to the creator of the Trojan horse.

Logic Bomb: A logic bomb is a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time and date.

Phishing attacks: Phishing attacks use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.

Distributed denial-of-service attacks: In a distributed denial-of-service attack, the attacker first takes over many computers. These computers are called zombies or bots. Together, these bots form a botnet, which the attacker then directs at a target so that its legitimate users are denied service.




*Alien Software

Spyware: Spyware collects personal information about users without their consent.  Two types of spyware are keystroke loggers (keyloggers) and screen scrapers.  Keystroke loggers record your keystrokes and your Web browsing history.  Screen scrapers record a continuous “movie” of what you do on a screen.

Spamware: Spamware is alien software that is designed to use your computer as a launchpad for spammers.  Spam is unsolicited e-mail.

Cookies: Cookies are small amounts of information that Web sites store on your computer.





*Supervisory control and data acquisition (SCADA) attacks


A supervisory control and data acquisition (SCADA) system is a large-scale, distributed, measurement and control system.
SCADA systems are the link between the electronic world and the physical world.



4.4 What Organizations Are Doing to Protect Themselves




*Risk Management:-

Risk: the probability that a threat will impact an information resource.

Risk management: to identify, control and minimize the impact of threats.

Risk analysis: to assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.

Risk mitigation: The organization takes concrete actions against risk. It has two functions:

(1) implementing controls to prevent identified threats from occurring, and
(2) developing a means of recovery should the threat become a reality.





*Risk Mitigation Strategies:-

Risk Acceptance:  accept the potential risk, continue operating with no controls, and absorb any damages that occur.

Risk limitation: limit the risk by implementing controls that minimize the impact of a threat.

Risk transference: transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
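The risk analysis steps above (value the asset, estimate the probability of compromise, compare the probable loss with the cost of protection) lead directly to a choice among the three mitigation strategies. The following is an added worked example, not material from the chapter or its textbook: it models each strategy's yearly cost for a few constructed sample assets and picks the cheapest. The asset names, values, probabilities and cost figures are invented, and the cost model (acceptance = expected loss, limitation = control cost plus the loss the control does not prevent, transference = insurance premium) is a simplification I am assuming for illustration.

```python
# Added worked example (not from the chapter): risk analysis and strategy choice
# for a handful of constructed assets. The asset values, probabilities and cost
# figures are invented sample data used only to exercise the decision rule.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                  # loss if the asset is compromised
    annual_probability: float     # estimated chance of compromise in one year (0..1)
    control_cost: float           # yearly cost of the control that would limit the risk
    control_effectiveness: float  # fraction of the loss the control prevents (0..1)
    insurance_premium: float      # yearly cost of transferring the risk to an insurer


def expected_annual_loss(asset: Asset) -> float:
    """Risk analysis step: probable cost of compromise = asset value * probability."""
    return asset.value * asset.annual_probability


def strategy_costs(asset: Asset) -> dict:
    """Yearly cost of each mitigation strategy named in the chapter.

    Acceptance:   no controls, so the organization absorbs the expected loss.
    Limitation:   pay for the control, plus whatever loss it does not prevent.
    Transference: pay the premium; the insurer carries the loss.
    """
    eal = expected_annual_loss(asset)
    return {
        "acceptance": eal,
        "limitation": asset.control_cost + eal * (1 - asset.control_effectiveness),
        "transference": asset.insurance_premium,
    }


def recommend_strategy(asset: Asset) -> str:
    """Choose the cheapest strategy; on an exact tie the dict order
    (acceptance, limitation, transference) decides."""
    costs = strategy_costs(asset)
    return min(costs, key=costs.get)


# Constructed sample assets (name, value, probability, control cost,
# control effectiveness, insurance premium).
SAMPLE_ASSETS = [
    Asset("customer database", 500_000, 0.05, 8_000, 0.80, 20_000),
    Asset("lobby kiosk", 2_000, 0.10, 1_500, 0.90, 500),
    Asset("warehouse servers", 120_000, 0.02, 10_000, 0.50, 1_800),
]


def risk_report(assets=SAMPLE_ASSETS) -> dict:
    """Map each asset name to (expected annual loss, recommended strategy)."""
    return {a.name: (expected_annual_loss(a), recommend_strategy(a)) for a in assets}


if __name__ == "__main__":
    for name, (eal, strategy) in risk_report().items():
        print(f"{name:20s} expected loss {eal:>10,.0f}  ->  risk {strategy}")
```

With these invented figures the database is worth protecting (risk limitation), the cheap kiosk is not worth any control (risk acceptance), and the warehouse servers are cheaper to insure than to protect (risk transference). Changing any input moves the recommendation, which is the point of running the analysis per asset rather than applying one strategy everywhere.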







4.5 Information Security Controls


Physical controls: Physical protection of computer facilities and resources.

Access controls: Restriction of unauthorized user access to computer resources; use biometrics and password controls for user identification.

Communications (network) controls: Protect the movement of data across networks; they include border security controls, authentication, and authorization.




*Authentication (Access controls):


Authentication - Major objective is proof of identity.

Something the User Is - Also known as biometrics, these access controls examine a user's innate physical characteristics. 


Something the User Has - These access controls include regular ID cards, smart cards, and tokens.


Something the User Does - These access controls include voice and signature recognition.


Something the User Knows - These access controls include passwords and passphrases. A password is a private combination of characters that only the user should know. A passphrase is a series of characters that is longer than a password but can be memorized easily.






*Communications Controls:

Firewalls: System that enforces access-control policy between two networks.
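A firewall's access-control policy is usually written as an ordered list of rules, evaluated top to bottom until one matches, with a default deny for anything unmatched. The block below is an added example and not part of the chapter: a small first-match rule evaluator over a constructed policy between a company network and the Internet. All addresses, network ranges, ports and rule comments are invented for the illustration (the public addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), and the rule format is my own, not any vendor's syntax.

```python
# Added example (not from the chapter): a firewall policy as first-match rules
# with a default deny. Networks, addresses and rules are constructed sample data.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    dst_port: int   # destination port
    proto: str      # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src_net: str              # source network in CIDR notation
    dst_net: str              # destination network in CIDR notation
    dst_port: Optional[int]   # None matches any port
    proto: Optional[str]      # None matches any protocol
    comment: str = ""         # why the rule exists; returned with the decision

    def matches(self, pkt: Packet) -> bool:
        src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
        dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
        port_ok = self.dst_port is None or self.dst_port == pkt.dst_port
        proto_ok = self.proto is None or self.proto == pkt.proto
        return src_ok and dst_ok and port_ok and proto_ok


# Constructed policy. Order matters: the guest Wi-Fi deny must precede the
# broader internal allow, because guest addresses also fall inside 10.0.0.0/8.
POLICY = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443, "tcp",
         "anyone may reach the public web server"),
    Rule("deny", "10.99.0.0/16", "10.1.2.0/24", None, None,
         "guest Wi-Fi may not reach the server network"),
    Rule("allow", "10.0.0.0/8", "10.1.2.0/24", 22, "tcp",
         "internal staff may administer servers"),
]


def evaluate(pkt: Packet, policy=POLICY) -> tuple:
    """Return (action, reason) for the first matching rule, else default deny."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny"


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "203.0.113.10", 443, "tcp"),  # Internet -> web server
        Packet("10.99.5.5", "10.1.2.9", 22, "tcp"),          # guest Wi-Fi -> server SSH
        Packet("10.20.3.4", "10.1.2.9", 22, "tcp"),          # staff LAN -> server SSH
        Packet("198.51.100.7", "203.0.113.10", 22, "tcp"),   # Internet -> web server SSH
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt))
```

The second sample shows why rule order is part of the policy: the guest address is inside 10.0.0.0/8, so if the deny rule were placed after the staff allow rule, guests would gain SSH access to the servers. Anything the policy does not mention, such as SSH to the public web server from the Internet, falls through to the default deny.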



 
Anti-malware systems (also called antivirus software): Software packages that attempt to identify and eliminate viruses, worms, and other malicious software.



Whitelisting: A process in which a company identifies the software that it will allow to run and does not try to recognize malware.



Blacklisting: A process in which a company allows all software to run unless it is on the blacklist.
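The practical difference between the two policies shows up with software nobody has seen before: a whitelist blocks it because it was never approved, while a blacklist lets it run because it has not yet been recognized as malware. The block below is an added example, not code from the chapter: it judges the same programs under both policies. The "programs" are short constructed byte strings standing in for executable contents, and their SHA-256 fingerprints are therefore not real software or malware signatures.

```python
# Added example (not from the chapter): the same programs judged under a
# whitelist and under a blacklist. Program contents and fingerprints are
# constructed stand-ins, not real software or malware signatures.
import hashlib


def fingerprint(program: bytes) -> str:
    """Identify a program by the SHA-256 of its contents rather than its file
    name, so renaming a file cannot change either policy's decision."""
    return hashlib.sha256(program).hexdigest()


# Constructed "programs": the byte strings stand in for executable contents.
APPROVED_PAYROLL = b"approved payroll application v3"
APPROVED_OFFICE = b"approved office suite"
KNOWN_KEYLOGGER = b"known keylogger sample"
UNKNOWN_PROGRAM = b"program nobody in the company has seen before"

# Whitelist: the software the company has identified as allowed to run.
WHITELIST = {fingerprint(APPROVED_PAYROLL), fingerprint(APPROVED_OFFICE)}

# Blacklist: the malware that has already been recognized and catalogued.
BLACKLIST = {fingerprint(KNOWN_KEYLOGGER)}


def whitelist_allows(program: bytes) -> bool:
    """Run only what is on the list; no attempt is made to recognize malware."""
    return fingerprint(program) in WHITELIST


def blacklist_allows(program: bytes) -> bool:
    """Run everything except what is on the list."""
    return fingerprint(program) not in BLACKLIST


def compare_policies(program: bytes) -> dict:
    """Decision of each policy for one program."""
    return {
        "whitelist": whitelist_allows(program),
        "blacklist": blacklist_allows(program),
    }


if __name__ == "__main__":
    samples = [
        ("approved payroll", APPROVED_PAYROLL),
        ("known keylogger", KNOWN_KEYLOGGER),
        ("unknown program", UNKNOWN_PROGRAM),
    ]
    for label, program in samples:
        print(f"{label:18s} {compare_policies(program)}")
```

Approved software runs under both policies and the known keylogger runs under neither; the unknown program is where they part ways. The same property has an operational cost: a newly purchased application is also blocked by the whitelist until someone adds its fingerprint, which is why whitelisting needs a change process alongside the list.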


Encryption: Process of converting an original message into a form that cannot be read by anyone except the intended receiver.








*Network Controls:


Virtual private networking: A virtual private network is a private network that uses a public network (usually the Internet) to connect users.



Secure Sockets Layer (now Transport Layer Security): Secure Sockets Layer (SSL), now called Transport Layer Security (TLS), is an encryption standard used for secure transactions such as credit card purchases and online banking.



Employee monitoring systems: Employee monitoring systems monitor employees’ computers, e-mail activities, and Internet surfing activities.





*Business Continuity Planning, Backup, and Recovery:-


Hot Site: Hot Site is a fully configured computer facility, with all services, communications links, and physical plant operations.

Warm Site: Warm Site provides many of the same services and options of the hot site, but it typically does not include the actual applications the company runs.

Cold Site: Cold Site provides only rudimentary services and facilities and so does not supply computer hardware or user workstations.







*Information Systems Auditing:-


Information systems auditing: Independent or unbiased observers tasked with ensuring that information systems work properly.



Audit: Examination of information systems, their inputs, outputs and processing.


Types of Auditors and Audits

Internal: Performed by corporate internal auditors.


External: Performed by outside auditors, who review the internal audit as well as the inputs, processing and outputs of information systems.






*IS Auditing Procedure:-

Auditing around the computer:  Auditing around the computer means verifying processing by checking for known outputs or specific inputs.



Auditing through the computer: Auditing through the computer means inputs, outputs and processing are checked.

Auditing with the computer: Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware.









