Information Systems (Chapter 13)


Three main categories of threats

- Denial/disruption of service
- Unauthorized access
- Theft and fraud

Passwords

Any password that can be memorized is weak; a strong password must be long and complex, but such passwords are hard to memorize and type

CIA Triad

Confidentiality, Integrity, Availability

Biometrics

Devices that require input based on a quantifiable human element

Security policy

Documents and defines an organization's security requirements
Includes the controls and sanctions needed to meet requirements
Outlines what needs to be done, but not how to do it
Companies now include special security requirements for mobile devices as part of their security policies

Summarizing the authentication process

Identification - credentials presented
Authentication - checks to see if the credentials are present in the authentication DB
Authorization - allowed to log onto the computer
Access - granted access to resources according to the role permissions assigned

Private-key encryption

Symmetric encryption, because it uses the same key to encrypt and decrypt
Thus, it requires all parties that are communicating to share the key
If someone were to have a ciphertext (encrypted message) and its corresponding plaintext message, it is possible to figure out the encryption algorithm and break the code

Digital signature

An encrypted code that a person, Web site, or organization attaches to an electronic message to verify the identity of the sender
Often used to ensure that an impostor is not participating in an Internet transaction
Used when sending over a non-secure channel
Supports non-repudiation: the signer cannot claim that they did not sign the message and agree to the terms in the message

Worm

An independent program which replicates itself and sends copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate again

Threats result from

intentional acts, careless behavior, natural disasters

Limiting access

Limiting access to an asset reduces the threat against it
Access must be limited for a subject (a person or a computer program running on a system) to interact with an object (a computer or a database stored on a server)
The amount of access granted to someone should be limited to what that person needs to know to do their job

Threats are those that,

- render a system inoperative
- limit its capability to operate
- make data unavailable

Corrective controls

repair damages after a security problem has occurred (anti-virus quarantine)

Botnet for mining

"All the cryptocurrencies today use some variant of the mining concept to create more of their currency. People can download software, install it on their machines and at every X-interval, a new unit of the currency will be born, and credited to the miner who unearthed it. This is where your PC or other internet connected device enters the picture, because why stop at just the machines owned and controlled by the hackers themselves? If they can infect 100,000 or more computers and put them all to work, quietly mining for currency, then that's money in the bank for them."
As of September 2017, there have been 1.65 million such attacks reported for the year, on target to exceed prior years.

Defense in depth

(inside-out)
- Data
- Data Access Policies and Controls
- Application Access Control
- Network and Host Access Control

Rootkit

A collection of programs that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network.
Upon penetrating a computer, a hacker installs a collection of programs that:
- Removes evidence of the break-in
- Modifies the operating system so that a backdoor is available for re-entry

Authentication Credentials can include

- A user name and password
- Tokens, such as those created by token cards
- Digital certificates

How a virus works

A virus attaches itself to a program, file, or disk
When the program is executed, the virus activates and replicates itself
The virus may be benign or malignant but executes its payload at some point (often upon contact)
- Viruses may result in crashing of the computer and loss of data.

Spoofing

An attacker pretends to be your final destination on the network. If a person tries to connect to a web server, an attacker can mislead him to the attacker's own computer, pretending to be that access point or server

A strong security program begins by

Assessing threats to the organization's computers and network
Identifying actions that address the most serious vulnerabilities
Educating users about the risks involved and the actions they must take to prevent a security incident

Public-key encryption

Asymmetric encryption, because it uses two different keys to encrypt and decrypt
A cryptographic system that uses two keys: a public key known to everyone and a private or secret key known only to a particular entity.
When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.

Single sign-on authentication

Authenticate once to access multiple resources
A central authentication service (can be a set of servers) holds the authentication information
Once authenticated with one device on the system, access is granted to many resources according to access level

In order to recover/prevent virus/attacks

Avoid potentially unreliable websites/emails
If hacked, may need to:
- Do a System Restore
- Re-install the operating system
Should use anti-virus software (e.g. Avira, AVG, Norton)

Smart cards

Card that can present information or accept programming; the size of a credit card, and contains many of the same elements as a computer:
- Microprocessor with OS
- RAM
- Data bus
- Secondary storage
Accomplishes multifactor authentication:
- Card: "what you have"
- PIN: "what you know"
Most secure method for storing private keys used in encryption

Simplicity strategy

Complex security systems can be difficult to understand, troubleshoot, and feel secure about
Everybody in the organization has to understand the importance of security, and how it is basically being implemented, for it to be effective
The Simplicity strategy challenge is to make the system simple from the inside, but complex from the outside

Certificates

Dedicated message attached to network transmission designed to authenticate users and encrypt sessions

A rootkit enables

Easy access for the hacker
Often includes a keystroke logger

Security policy implementation

Educating employees and constituents
On-going assessment
Prevention measures:
- Firewall (NGFW)
- Security dashboard
- Antivirus software
- Credentialing (login & password) and roles (access levels defined)
- Staying abreast of vulnerabilities (US-CERT)
- Security audits (being sure policies are followed)
- Incident response plans
  --- Containment
  --- Eradication
  --- Recovery
  --- Follow-up to ensure future prevention
- System monitoring
  --- Intrusion detection systems
  --- Logging

Information/data computer security

Ensures that protective measures are properly implemented
It is intended to protect information from the following perspectives:
- Confidentiality - only those authorized have access
- Integrity - information is correct and timely
- Availability - information is available as needed to authorized users
Note, it involves more than protecting the information from theft

Availability

Ensuring that authorized parties can readily access information

Biometrics strategies

- Fingerprints
- Hand geometry
- Voice recognition
- Retinal scans (most effective method)
- Iris scans
- Face recognition
- Vascular patterns
- DNA recognition
- Ear recognition
- Signature recognition

Steps in a general risk assessment process

Identify the set of IS assets about which the organization is most concerned
Identify the loss events or the risks or threats that could occur
Assess the frequency of events or the likelihood of each potential threat
Determine the impact of each threat occurring
Determine how each threat can be mitigated so it is less likely to occur
Assess the feasibility of implementing the mitigation options
Perform a cost-benefit analysis to ensure that your efforts will be cost effective
Make the decision on whether or not to implement a particular countermeasure

Mutual authentication

Identities of all parties are determined, often using a 3rd party

Risks caused by poor security knowledge and practice

- Identity theft
- Monetary theft
- Legal ramifications (for yourself and companies)
- Termination if company policies are not followed

Tokens

Item presented during the authentication process
Often a challenge phrase is presented, e.g. a security question response

Digital Signature example

John agrees to a foreign contract that has been emailed to him, so he signs by:
- Encrypting the doc to create a message digest (SW hash)
- The message digest is encrypted using John's private key to create the digital signature
- The digital signature is attached to the original doc and returned
- Only John's public key can decrypt the digital signature

Security strategies

- Layering
- Diversity
- Limiting
- Obscurity
- Simplicity

User name and password

Less secure because it can be intercepted

Malware

Malicious software. It takes many different forms and is the general term for viruses, worms, spyware, ransomware, etc.

Logic Bomb

Malware logic that executes upon certain conditions
- Software which malfunctions if a maintenance fee is not paid
- Employee triggers a database erase when he is fired

Trojan Horse

Masquerades as a beneficial program while quietly destroying data or damaging your system.
- Download a game: might be a fun, popular game but has a hidden part that emails your password file without you knowing.

If an intrusion occurs, there must be a clear reaction plan (incident response) that addresses

- Notification
- Evidence protection
- Activity log maintenance
- Containment
- Eradication
- Recovery

Robert Morris and the Internet Worm

On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet.
The Morris worm or Internet worm was one of the first computer worms distributed via the Internet. It was the first to gain significant mainstream media attention. It also resulted in the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act.
Ended up with 3 years probation, 400 hours of community service and a fine of $10,500 plus

Cybercrime warfare: GOP

On November 24, 2014, a hacker group which identified itself by the name "Guardians of Peace" (GOP) leaked a release of confidential data from the film studio Sony Pictures. The data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of then-unreleased Sony films, and other information. The perpetrators then employed a variant of the Shamoon wiper malware to erase Sony's computer infrastructure.
In November 2014, GOP then demanded that Sony pull its film The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-un, and threatened terrorist attacks at cinemas screening the film. After major U.S. cinema chains opted not to screen the film in response to these threats, Sony elected to cancel the film's formal premiere and mainstream release, opting to skip directly to a digital release followed by a limited theatrical release the next day.
United States intelligence officials, after evaluating the software, techniques, and network sources used in the hack, alleged that the attack was sponsored by North Korea.

Public Key Encryption is accomplished with ____

PKI

One-time passwords (OTP)

A password allowed only once; a form of token

Access control

Process by which use of resources and services is granted or denied
Allowing an authorized person access to a resource

Auditing or Accounting

Process of tracking users and their actions on the network

Authentication

Process used to identify an agent requesting the use of resources
Determining identity via a trusted process

Authentication methods

Proving what you know
- Most common is a password
Showing what you have
- Physical item, e.g. smart card, digital certificate
Demonstrating who you are
- Based on some physical, genetic or human characteristic
- This area is under biometrics
Identifying where you are
- Weakest form of authentication
- Identity determined based upon location, e.g. IP address

A digital signature is based on __________ and is legally binding, actually more so than an actual physical signature

Public Key Encryption

Great Chicago Flood - April 13, 1992

The Chicago Board of Trade and Chicago Mercantile Exchange closed. Banks were unable to process transactions. Workers rushed to save important documents — including Cook County birth, death and marriage certificates dating back to 1871 — stored in subterranean levels of office buildings.
The flood became national news and led Gov. Jim Edgar and President George H.W. Bush to declare Chicago a disaster area.
It caused at least $1 billion in damages and business losses, sparked numerous lawsuits and turned into a political hot potato for then-Mayor Richard M. Daley over who was to blame for a leak in the then-47-mile tunnel system near the Kinzie Street Bridge.

Confidentiality

The ability to keep data secret and viewable only by authorized parties

Cybercrime

The global cost of cybercrime will reach $2 trillion by 2019, a threefold increase from the 2015 estimate of $500 billion.
The financial hit resulting from theft of trade secrets ranges from 1 to 3 percent of an entire nation's gross domestic product (GDP), according to IDG's "Global State of Information Security Survey 2016." The cost ranges from $749 billion to $2.2 trillion annually.

Risk assessment

The process of assessing security-related risks to an organization's computers and networks from both internal and external threats

Cybercrime warfare

The use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes.
"A recent New York Times report uncovered a secret operation to derail North Korea's nuclear-missile program that has been raging for at least three years. Essentially, the report attributes North Korea's high rate of failure with Russian-designed missiles to the US meddling in the country's missile software and networks."

Integrity

Verifying that illicit changes have not been made to data

Types of threats

- Virus
- Worm
- Trojan Horse / Logic Bomb
- Social Engineering
- DoS or DDoS
- Botnets / Zombies
- Rootkits
- Spyware

Safety

We must behave in ways that protect us against risks and threats that come with technology. (Focus is protecting people)
The way we behave while using the internet. E.g. safe email behavior, safe software downloading behavior

Security

We must protect our computers and data in the same way that we secure the doors to our homes. (Focus is protecting the assets.)
The way in which we protect access to our computers and information. E.g. anti-virus software, firewall

According to www.SANS.org, the top vulnerabilities available for a cyber criminal are:

- Web browser
- Instant Messaging (IM) clients
- Web applications
- Excessive user rights
- Poor passwords

Distributed Denial of Service (DDoS) Attacks

When DoS attacks are carried out by many computers (working together) distributed over the internet

Security and multifactor authentication

When multiple methods are combined; called strong authentication
Examples:
- ATM card and PIN number
- Written invitation plus personal recognition at a party

Phishing

A 'trustworthy entity' asks via e-mail for sensitive information such as SSN, credit card numbers, login IDs or passwords (fake email)
The act of fraudulently using email to try to get the recipient to reveal personal data
Con artists send legitimate-looking emails urging recipients to take action to avoid a negative consequence or to receive a reward
Spear-phishing is a variation of phishing where fraudulent emails are sent to a certain organization's employees
- Much more precise and narrow
- Designed to look like they came from high-level executives within the organization

Information security

A broad concept that involves dealing with any threat to computerized systems, such as viruses, hackers, accidental loss of data or systems, natural disasters (e.g., earthquakes, floods), fires, etc.

Botnet

A large number of compromised computers that are used to create and send spam or viruses or flood a network with messages to cause a distributed denial of service attack.
When your computer becomes infected, it is likely to become a bot. Because attacks are intentional, they are hard to eliminate.

KeePass

A password manager
Free, rated one of the best by CNET
Create a database that holds your passwords for various URLs, protected with a master password
Enter all passwords in this database; KeePass can generate complex passwords for you
Must put the KeePass database on every device you use to access sites
Allow KeePass to automatically input authentication info

Biometric-based authentication uses

a person's physical characteristics as a basis for identification

Brutalis

a specialized computer to easily break passwords

Ransomware

a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction

Layered security

Advantage of creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks, or an extended attack
All the security layers must be properly coordinated to be effective
"Onion" paradigm

Repudiation

An illicit attempt to deny sending or receiving a transaction. Examples of transactions include:
- Web session in which a purchase is made
- A network host sending a series of port scans to a remote server

Data is the most important asset and you build security ________

around it

Information security typically involves

Asymmetrical security warfare
- You have to secure all paths that lead to strategic/private resources.
- The attacker has to find just one path that is unsecured.

Natural disasters

Cannot be prevented but can be planned for (backups, redundancy, etc.)

Denial-of-Service (DoS) Attack

Carried out to intentionally block a service such as a bank's web site from its legitimate users
It is often achieved by flooding the target system (e.g., a bank's web site) with a large number of unnecessary requests

Diversity strategy

Closely related to layering
You should protect data with diverse layers of security, so if attackers penetrate one layer, they cannot use the same techniques to break through all other layers
Using diverse layers of defense means that breaching one security layer does not compromise the whole system

Zombie

Computers that have been taken over by a hacker without the knowledge of the owner, then often used as part of a botnet

Detective controls

find or discover where and when security threats occurred (audit logs)

The internet allows an attacker to attack _______________ on the planet

from anywhere

Session keys

Generated using a logical program called a random number generator, and used only once
A session key is a near-universal method used during many authentication processes, e.g. e-commerce transactions

Security attacks are ___________ at an alarming rate, as well as _________ in size and impact.

growing, growing

Security controls

Implemented procedures, including manual as well as automated parts, that often use applications as part of the procedure

A number of trends illustrate why security is becoming increasingly difficult

- Increase in cybercrime
- Increase in networks
- Increase in things being accomplished with systems

Challenges for information security

keeping networks and computers secure

Spyware

Malware that is specifically designed to track the activity of users on computing systems

Social engineering

Manipulates people into performing actions or divulging confidential information.
The use of deception to gain information, commit fraud, or access computer systems; can occur in person, over the phone, in emails or fake web pages.
Non-technical or low-technology means, such as lies, impersonation, tricks, bribes, blackmail, and threats, used to attack information systems.

Obscurity strategy

Means what goes on inside a system or organization should be hidden
Avoid clear patterns of behavior so that attacks from the outside are difficult
Guard changes and updates; better if made on an irregular schedule

Automated system rules should ___ an organization's written policies

mirror

Types of social engineering

Phishing and pharming

Encryption

Provides techniques for assuring the security of information as it flows through a communication channel
A process of converting readable data into unreadable characters to prevent unauthorized access
The basic objective of encryption is that the message should remain secure even if the message is captured by a third party

Cryptography

Provides techniques for assuring the security of information as it flows through a communication channel; implemented using encryption

Virus

Software programs that are deliberately designed by online attackers to invade your computer, to interfere with its operation, and to copy, corrupt or delete your data. These malicious software programs are called viruses because they are designed not only to infect and damage one computer, but to spread to other computers all across the Internet.
Computer viruses are often hidden in what appear to be useful or entertaining programs or e-mail attachments, such as computer games, video clips or photos. Many such viruses are spread inadvertently by computer users, who unwittingly pass them along in e-mail to friends and colleagues.

Keyloggers

spyware that can record every keystroke of a user without their knowledge

Preventive controls

stop or limit the security threat from happening in the first place (anti-virus scans)

Careless behaviors

Such as forgetting to perform proper backups of one's computer, not installing security updates and tools, or leaving a computer so that it is easily accessible

Information security requires

technology + management

Non-repudiation

The ability to prove that a transaction has, in fact, occurred
It is made possible through:
- Signatures (digital and physical)
- Encryption
- Logging of transactions

Pharming

The link provided in an e-mail leads to a fake web page which collects important information and submits it to the site owner. The fake web page looks like the real thing, but extracts key information (fake web pages)

Information/computer security is the task of guarding and protecting digital information that is,

- typically processed by a computer (such as a personal computer or hand-held device)
- stored on a magnetic or optical storage device (such as a hard drive or DVD or USB drive or Smart Card)
- transmitted over a network space
