Information Systems (Chapter 13)
Three main categories of threats
-Denial/disruption of service -Unauthorized Access -Theft and Fraud
Passwords
Any password that can be memorized is weak; passwords must be long and complex, but these are hard to memorize and type
CIA Triad
Confidentiality, Integrity, Availability
Biometrics
Devices that require input based on quantifiable human element
Security policy
Documents and defines an organization's security requirements. Includes the controls and sanctions needed to meet requirements. Outlines what needs to be done, but not how to do it. Companies now include special security requirements for mobile devices as part of their security policies.
Summarizing the authentication process
Identification - credentials presented; Authentication - checks to see if present in authentication DB; Authorization - allowed to log onto computer; Access - granted access to resources according to role permissions assigned
Private-key encryption
Symmetric encryption, because it uses the same key to encrypt and decrypt. Thus, it requires all parties that are communicating to share the key. If someone were to have a ciphertext (encrypted) and its corresponding plaintext message, it is possible to figure out the encryption algorithm and break the code.
Digital signature
an encrypted code that a person, Web site, or organization attaches to an electronic message to verify the identity of the sender. Often used to ensure that an impostor is not participating in an Internet transaction. Used when sending over a non-secure channel. Supports non-repudiation: the signer cannot claim that they did not sign the message and agree to the terms in the message.
Worm
an independent program which replicates itself and sends copies from computer to computer across network connections. Upon arrival the worm may be activated to replicate
Threats result from
intentional acts, careless behavior, natural disasters
Limiting access
reduces the threat against it. Access must be limited for a subject (a person or a computer program running on a system) to interact with an object (a computer or a database stored on a server). The amount of access granted to someone should be limited to what that person needs to know to do their job.
Threats are those that
render a system inoperative, limit its capability to operate, or make data unavailable
Corrective controls
repair damages after a security problem has occurred (anti-virus quarantine)
Botnet for mining
"All the cryptocurrencies today use some variant of the mining concept to create more of their currency. People can download software, install it on their machines and at every X-interval, a new unit of the currency will be born, and credited to the miner who unearthed it. This is where your PC or other internet connected device enters the picture, because why stop at just the machines owned and controlled by the hackers themselves? If they can infect 100,000 or more computers and put them all to work, quietly mining for currency, then that's money in the bank for them." As of September 2017, there have been 1.65 million such attacks reported for the year, on target to exceed prior years.
Defense in depth
(inside-out) Data; Data Access Policies and Controls; Application Access Control; Network and Host Access Control
Rootkit
A collection of programs that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network. Upon penetrating a computer, a hacker installs a collection of programs that removes evidence of the break-in and modifies the operating system so that a backdoor is available for re-entry.
Authentication Credentials can include
A user name and password; tokens, such as those created by token cards; digital certificates
How a virus works
A virus attaches itself to a program, file, or disk. When the program is executed, the virus activates and replicates itself. The virus may be benign or malignant but executes its payload at some point (often upon contact). Viruses may result in crashing of the computer and loss of data.
Spoofing
An attacker pretends to be your final destination on the network. If a person tries to connect to a web server, an attacker can mislead him to the attacker's own computer, pretending to be that access point or server
A strong security program begins by
Assessing threats to the organization's computers and network; identifying actions that address the most serious vulnerabilities; educating users about the risks involved and the actions they must take to prevent a security incident
Public-key encryption
Asymmetric encryption, because it uses two different keys to encrypt and decrypt. A cryptographic system that uses two keys: a public key known to everyone and a private or secret key known only to a particular entity. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.
Single sign-on authentication
Authenticate once to access multiple resources. An authentication server (can be a set of servers) holds the authentication information. Once authenticated with one device on the system, access is granted to many resources according to access level
In order to recover/prevent virus/attacks
Avoid potentially unreliable websites/emails. If hacked, you may need to do a System Restore or re-install the operating system. Should use anti-virus software (e.g. Avira, AVG, Norton)
Smart cards
Card that can present information or accept programming; the size of a credit card and contains many of the same elements as a computer: microprocessor with OS, RAM, data bus, secondary storage. Accomplishes multifactor authentication: card is "what-you-have", PIN is "what-you-know". Most secure method for storing private keys used in encryption
Simplicity strategy
Complex security systems can be difficult to understand, troubleshoot, and feel secure about. Everybody in the organization has to understand the importance of security, and how it is basically being implemented, for it to be effective. The Simplicity strategy challenge is to make the system simple from the inside, but complex from the outside
Certificates
Dedicated message attached to network transmission designed to authenticate users and encrypt sessions
A rootkit enables
Easy access for the hacker. Often includes a keystroke logger
Security policy implementation
Educating employees and constituents; on-going assessment; prevention measures: Firewall (NGFW), Security Dashboard, Antivirus Software, Credentialing (login & password) and roles (access levels defined), Staying abreast of vulnerabilities (US-CERT), Security Audits (being sure policies are followed), Incident Response Plans (Containment, Eradication, Recovery, Follow-up to ensure future prevention), System monitoring (Intrusion Detection Systems, Logging)
Information/data computer security
Ensures that protective measures are properly implemented. It is intended to protect information from the following perspectives: Confidentiality - only those authorized have access; Integrity - information is correct and timely; Availability - information is available as needed to authorized users. Note, it involves more than protecting the information from theft
Availability
Ensuring that authorized parties can readily access information
Biometrics strategies
Fingerprints, hand geometry, voice recognition, retinal scans (most effective method), iris scans, face recognition, vascular patterns, DNA recognition, ear recognition, signature recognition
Steps in a general risk assessment process
Identify the set of IS assets about which the organization is most concerned; identify the loss events or the risks or threats that could occur; assess the frequency of events or the likelihood of each potential threat; determine the impact of each threat occurring; determine how each threat can be mitigated so it is less likely to occur; assess the feasibility of implementing the mitigation options; perform a cost-benefit analysis to ensure that your efforts will be cost effective; make the decision on whether or not to implement a particular countermeasure
Mutual authentication
Identities of all parties determined, often using a 3rd party
Risks caused by poor security knowledge and practice
Identity theft; monetary theft; legal ramifications (for yourself and companies); termination if company policies are not followed
Tokens
Item presented during the authentication process. Often a challenge phrase is presented (security question response)
Digital Signature example
John agrees to a foreign contract that has been emailed to him, so he signs by: hashing the doc (SW hash) to create a message digest; encrypting the message digest using John's private key to create the digital signature; attaching the digital signature to the original doc and returning it. Only John's public key can decrypt the digital signature
Security strategies
Layering, Diversity, Limiting, Obscurity, Simplicity
User name and password
Less secure because it can be intercepted
Malware
Malicious software. It takes many different forms and is the general term for viruses, worms, spyware, ransomware, etc.
Logic Bomb
Malware logic executes upon certain conditions: software which malfunctions if a maintenance fee is not paid; an employee triggers a database erase when he is fired
Trojan Horse
Masquerades as a beneficial program while quietly destroying data or damaging your system. Example: download a game; it might be a fun, popular game, but it has a hidden part that emails your password file without you knowing.
If an intrusion occurs, there must be a clear reaction plan (incident response) that addresses
Notification, evidence protection, activity log maintenance, containment, eradication, recovery
Robert Morris and the Internet Worm
On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. The Morris worm or Internet worm was one of the first computer worms distributed via the Internet. It was the first to gain significant mainstream media attention. It also resulted in the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act. He ended up with 3 years probation, 400 hours of community service and a fine of $10,500 plus
Cybercrime warfare: GOP
On November 24, 2014, a hacker group which identified itself by the name "Guardians of Peace" (GOP) leaked a release of confidential data from the film studio Sony Pictures. The data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of then-unreleased Sony films, and other information. The perpetrators then employed a variant of the Shamoon wiper malware to erase Sony's computer infrastructure. In November 2014, GOP then demanded that Sony pull its film The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-un, and threatened terrorist attacks at cinemas screening the film. After major U.S. cinema chains opted not to screen the film in response to these threats, Sony elected to cancel the film's formal premiere and mainstream release, opting to skip directly to a digital release followed by a limited theatrical release the next day. United States intelligence officials, after evaluating the software, techniques, and network sources used in the hack, alleged that the attack was sponsored by North Korea.
Public Key Encryption is accomplished with ____
PKI
One-time passwords (OTP)
Password allowed only once; a form of token
Access control
Process by which use of resources and services is granted or denied; allowing an authorized person access to a resource
Auditing or Accounting
Process of tracking users and their actions on the network
Authentication
Process used to identify an agent requesting the use of resources; determining identity via a trusted process
Authentication methods
Proving what you know - most common is a password; Showing what you have - a physical item, e.g. smart card, digital certificate; Demonstrating who you are - based on some physical, genetic or human characteristic (this area is biometrics); Identifying where you are - weakest form of authentication, identity determined based upon location, e.g. IP address
Digital signature is based on __________ and is legally binding, actually more so than an actual physical signature
Public Key Encryption
Great Chicago Flood - April 13, 1992
The Chicago Board of Trade and Chicago Mercantile Exchange closed. Banks were unable to process transactions. Workers rushed to save important documents — including Cook County birth, death and marriage certificates dating back to 1871 — stored in subterranean levels of office buildings. The flood became national news and led Gov. Jim Edgar and President George H.W. Bush to declare Chicago a disaster area. It caused at least $1 billion in damages and business losses, sparked numerous lawsuits and turned into a political hot potato for then-Mayor Richard M. Daley over who was to blame for a leak in the then-47-mile tunnel system near the Kinzie Street Bridge.
Confidentiality
The ability to keep data secret and viewable only by authorized parties
Cybercrime
The global cost of cybercrime will reach $2 trillion by 2019, a threefold increase from the 2015 estimate of $500 billion. The financial hit resulting from theft of trade secrets ranges from 1 to 3 percent of an entire nation's gross domestic product (GDP), according to IDG's "Global State of Information Security Survey 2016." The cost ranges from $749 billion to $2.2 trillion annually.
Risk assessment
The process of assessing security-related risks to an organization's computers and networks from both internal and external threats
Cybercrime warfare
The use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes. "A recent New York Times report uncovered a secret operation to derail North Korea's nuclear-missile program that has been raging for at least three years. Essentially, the report attributes North Korea's high rate of failure with Russian-designed missiles to the US meddling in the country's missile software and networks."
Integrity
Verifying that illicit changes have not been made to data
Types of threats
Virus; Worm; Trojan Horse / Logic Bomb; Social Engineering; DoS or DDoS; Botnets / Zombies; Rootkits; Spyware
Safety
We must behave in ways that protect us against risks and threats that come with technology (focus is protecting people). The way we behave while using the internet, e.g. safe email behavior, safe software downloading behavior
Security
We must protect our computers and data in the same way that we secure the doors to our homes (focus is protecting the assets). The way in which we protect access to our computers and information, e.g. anti-virus software, firewall
According to www.SANS.org, the top vulnerabilities available for a cyber criminal are:
Web browser; Instant Messaging (IM) clients; web applications; excessive user rights; poor passwords
Distributed Denial of Service (DDoS) Attacks
When DoS attacks are carried out by many computers (working together) distributed over the internet
Security and multifactor authentication
When multiple methods are combined; called strong authentication. Examples: ATM card and PIN number; written invitation plus personal recognition at a party
Phishing
a 'trustworthy entity' asks via e-mail for sensitive information such as SSN, credit card numbers, login IDs or passwords (fake email). The act of fraudulently using email to try to get the recipient to reveal personal data. Con artists send legitimate-looking emails urging recipients to take action to avoid a negative consequence or to receive a reward. Spear-phishing is a variation of phishing where fraudulent emails are sent to a certain organization's employees: much more precise and narrow, and designed to look like they came from high-level executives within the organization
Information security
a broad concept that involves dealing with any threat to computerized systems, such as viruses, hackers, accidental loss of data or systems, natural disasters (e.g., earthquakes, floods), fires etc.
Botnet
a large number of compromised computers that are used to create and send spam or viruses or flood a network with messages to cause a distributed denial of service attack. When your computer becomes infected, it is likely to become a bot. Because attacks are intentional, they are hard to eliminate.
KeePass
a password manager. Free, rated one of the best by CNET. Create a database that holds your passwords for various URLs, protected with a master password. Enter all passwords in this database; KeePass can generate complex passwords for you. Must put the KeePass database on every device you use to access sites. Allow KeePass to automatically input authentication info
Biometric-based authentication uses
a person's physical characteristics as a basis for identification
Brutalis
a specialized computer to easily break passwords
Ransomware
a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction
Layered security
advantage of creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks, or an extended attack. All the security layers must be properly coordinated to be effective. "Onion" paradigm
Repudiation
an illicit attempt to deny sending or receiving a transaction. Examples of transactions include: a Web session in which a purchase is made; a network host sending a series of port scans to a remote server
Data is the most important asset and you build security ________
around it
Information security typically involves
asymmetrical security warfare: you have to secure all paths that lead to strategic/private resources, while the attacker has to find just one path that is unsecured.
Natural disasters
cannot be prevented but can be planned for (backups, redundancy, etc.)
Denial-of-Service (DoS) Attack
carried out to intentionally block a service such as a bank's web site from its legitimate users. It is often achieved by flooding the target system (e.g., a bank's web site) with a large number of unnecessary requests
Diversity strategy
closely related to layering. You should protect data with diverse layers of security, so that if attackers penetrate one layer, they cannot use the same techniques to break through all other layers. Using diverse layers of defense means that breaching one security layer does not compromise the whole system
Zombie
computers that have been taken over by a hacker without the knowledge of the owner, then often used as part of a botnet
Detective controls
find or discover where and when security threats occurred (audit logs)
The internet allows an attacker to attack _______________ on the planet
from anywhere
Session keys
generated using a logical program called a random number generator, and used only once. A session key is a near-universal method used during many authentication processes, e.g. e-commerce transactions
Security attacks are ___________ at an alarming rate, as well as _________ in size and impact.
growing, growing
Security controls
implemented procedures, including manual as well as automated parts, that often use applications as part of the procedure
A number of trends illustrate why security is becoming increasingly difficult
increase in cybercrime; increase in networks; increase in things being accomplished with systems
Challenges for information security
keeping networks and computers secure
Spyware
malware that is specifically designed to track activity of users on computing systems
Social engineering
manipulates people into performing actions or divulging confidential information. The use of deception to gain information, commit fraud, or access computer systems; can occur in person, over the phone, in emails or via fake web pages. Non-technical or low-technology means - such as lies, impersonation, tricks, bribes, blackmail, and threats - used to attack information systems.
Obscurity strategy
means what goes on inside a system or organization should be hidden. Avoid clear patterns of behavior so that attacks from the outside are difficult. Guard changes and updates; better if made on an irregular schedule
Automated system rules should ___ an organization's written policies
mirror
Types of social engineering
phishing and pharming
Encryption
provides techniques for assuring the security of information as it flows through a communication channel. A process of converting readable data into unreadable characters to prevent unauthorized access. The basic objective of encryption is that the message should remain secure even if the message is captured by a third party
Cryptography
provides techniques for assuring the security of information as it flows through a communication channel; implemented using encryption
Virus
software programs that are deliberately designed by online attackers to invade your computer, to interfere with its operation, and to copy, corrupt or delete your data. These malicious software programs are called viruses because they are designed not only to infect and damage one computer, but to spread to other computers all across the Internet. Computer viruses are often hidden in what appear to be useful or entertaining programs or e-mail attachments, such as computer games, video clips or photos. Many such viruses are spread inadvertently by computer users, who unwittingly pass them along in e-mail to friends and colleagues.
Keyloggers
spyware that can record every keystroke of a user without their knowledge
Preventive controls
stop or limit the security threat from happening in the first place (anti-virus scans)
Careless behaviors
such as forgetting to perform proper backups of one's computer, not installing security updates and tools, or leaving a computer so that it is easily accessible
Information security requires
technology + management
Non-repudiation
the ability to prove that a transaction has, in fact, occurred. It is made possible through signatures (digital and physical), encryption, and logging of transactions
Pharming
the link provided in an e-mail leads to a fake webpage which collects important information and submits it to the site owner. The fake web page looks like the real thing, but extracts key information (fake web pages)
Information/computer security is the task of guarding and protecting digital information that is
typically processed by a computer (such as a personal computer or hand-held device), stored on a magnetic or optical storage device (such as a hard drive, DVD, USB drive or smart card), or transmitted over a network