CSC 382 exam 1
Other Privacy Challenges
Employment Challenges Working Conditions Individuality Issues Health Issues
Ethical Concepts in Information Security "The Ten Commandments of Computer Ethics from The Computer Ethics Institute
Ethical Concepts in Information Security "The Ten Commandments of Computer Ethics from The Computer Ethics Institute 1. Thou shalt not use a computer to harm other people. 2. Thou shalt not interfere with other people's computer work. 3. Thou shalt not snoop around in other people's computer files. 4. Thou shalt not use a computer to steal. 5. Thou shalt not use a computer to bear false witness. 6. Thou shalt not copy or use proprietary software for which you have not paid. 7. Thou shalt not use other people's computer resources without authorization or proper compensation. 8. Thou shalt not appropriate other people's intellectual output. 9. Thou shalt think about the social consequences of the program you are writing or the system you are designing. 10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans."
key terms
Key Terms Access - a subject or object's ability to use, manipulate, modify, or affect another subject or object. Asset - the organizational resource that is being protected. Attack - an act that is an intentional or unintentional attempt to cause damage or compromise to the information and/or the systems that support it. Control, Safeguard, or Countermeasure - security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization. Exploit - to take advantage of weaknesses or vulnerability in a system. Exposure - a single instance of being open to damage. Hack - Good: to use computers or systems for enjoyment; Bad: to illegally gain access to a computer or system. Object - a passive entity in the information system that receives or contains information. Risk - the probability that something can happen. Security Blueprint - the plan for the implementation of new security measures in the organization. Security Model - a collection of specific security rules that represents the implementation of a security policy. Security Posture or Security Profile - a general label for the combination of all policies, procedures, technologies, and programs that make up the total security effort currently in place. Subject - an active entity that interacts with an information system and causes information to move through the system for a specific end purpose Threats - a category of objects, persons, or other entities that represents a potential danger to an asset. Threat Agent - a specific instance or component of a more general threat. Vulnerability - weaknesses or faults in a system or protection mechanism that expose information to attack or damage.
What is Security?
§"The quality or state of being secure—to be free from danger" §A successful organization should have multiple layers of security in place: §Physical security §Personal security §Operations security §Communications security §Network security §Information security §The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information §Necessary tools: policy, awareness, training, education, technology §C.I.A. triangle was standard based on confidentiality, integrity, and availability §C.I.A. triangle now expanded into list of critical characteristics of information
Information Security Project Team
§A number of individuals who are experienced in one or more facets of required technical and nontechnical areas: §Champion §Team leader §Security policy developers §Risk assessment specialists §Security professionals §Systems administrators §End users
The 1970s and 80s
§ARPANET grew in popularity as did its potential for misuse §Fundamental problems with ARPANET security were identified §No safety procedures for dial-up connections to ARPANET §Nonexistent user identification and authorization to system §Late 1970s: microprocessor expanded computing capabilities and security threats §Information security began with Rand Report R-609 (paper that started the study of computer security) §Scope of computer security grew from physical security to include: §Safety of data §Limiting unauthorized access to data §Involvement of personnel from multiple levels of an organization
Senior Management
§Chief Information Officer (CIO) §Senior technology officer §Primarily responsible for advising senior executives on strategic planning §Chief Information Security Officer (CISO) §Primarily responsible for assessment, management, and implementation of IS in the organization §Usually reports directly to the CIO
Securing Components
§Computer can be subject of an attack and/or the object of an attack §When the subject of an attack, computer is used as an active tool to conduct attack §When the object of an attack, computer is the entity being attacked
Data Ownership
§Data owner: responsible for the security and use of a particular set of information §Data custodian: responsible for storage, maintenance, and protection of information §Data users: end users who work with information to perform their daily jobs supporting the mission of the organization
Security as Science
§Dealing with technology designed to operate at high levels of performance §Specific conditions cause virtually all actions that occur in computer systems §Nearly every fault, security hole, and systems malfunction are a result of interaction of specific hardware and software §If developers had sufficient time, they could resolve and eliminate faults
Approaches to Information Security Implementation: Bottom-Up Approach
§Grassroots effort: systems administrators attempt to improve security of their systems §Key advantage: technical expertise of individual administrators §Seldom works, as it lacks a number of critical features: §Participant support §Organizational staying power
Communities of Interest
§Group of individuals united by similar interests/values within an organization §Information security management and professionals §Information technology management and professionals §Organizational management and professionals
Information Security: Is it an Art or a Science?
§Implementation of information security often described as combination of art and science §"Security artesan" idea: based on the way individuals perceive systems technologists since computers became commonplace
Balancing Information Security and Access
§Impossible to obtain perfect security—it is a process, not an absolute §Security should be considered balance between protection and availability §To achieve balance, level of security must allow reasonable access, yet protect against threats
Components of an Information System
§Information system (IS) is entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization
Approaches to Information Security Implementation: Top-Down Approach
§Initiated by upper management §Issue policy, procedures, and processes §Dictate goals and expected outcomes of project §Determine accountability for each required action §The most successful also involve formal development strategy referred to as systems development life cycle
Security as Art
§No hard and fast rules nor many universally accepted complete solutions §No manual for implementing security through entire system
Security as a Social Science
§Social science examines the behavior of individuals interacting with systems §Security begins and ends with the people that interact with the system §Security administrators can greatly reduce levels of risk caused by end users, and create more acceptable and supportable security profiles
The Systems Development Life Cycle
§Systems Development Life Cycle (SDLC) is methodology for design and implementation of information system within an organization §Methodology is formal approach to problem solving based on structured sequence of procedures §Using a methodology: §Ensures a rigorous process §Avoids missing steps §Goal is creating a comprehensive security posture/program §Traditional SDLC consists of six general phases
The Security Systems Development Life Cycle
§The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS project §Identification of specific threats and creating controls to counter them §SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions
Critical Characteristics of Information
§The value of information comes from the characteristics it possesses: §Availability §Accuracy §Authenticity §Confidentiality §Integrity §Utility §Possession
Health Data Security
• •"All organizations that handle patient-identifiable health care information - regardless of size - should adopt the set of technical and organizational policies, practices, and procedures described below to protect such information." 1- Organizational Practices: •Security and confidentiality policies •Information security officers •Education and training programs •Sanctions • 2- Technical Practices and procedures •Individual authentication of users •Access controls •Audit trails •Physical security and disaster recovery •Protection of remote access points •Protection of external electronic communications •Software discipline •System assessment •
FOIA
•Allows access to federal agency records or information not determined to be matter of national security •U.S. government agencies required to disclose any requested information upon receipt of written request •Some information protected from disclosure
ACM
•Association of Computing Machinery (ACM) -Established in 1947 as "the world's first educational and scientific computing society" -Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others' privacy, and respecting others' intellectual property Association of Computing Machinery The ACM (www.acm.org) is a respected professional society, originally established in 1947 as "the world's first educational and scientific computing society." The ACM's code of ethics requires members to perform their duties in a manner befitting an ethical computing professional. The code contains specific references to protecting the confidentiality of information, causing no harm, protecting the privacy of others, and respecting the intellectual property and copyrights of others.
Ping of death attack
•Attack that uses IP packets to 'ping a target system with an IP size over the maximum of 65,535 bytes. •IP packets of this size are not allowed, so attacker fragments the IP packet. •Once the target system reassembles the packet, it can experience buffer overflows and other crashes. •
Information Extortion
•Attacker steals information from computer system and demands compensation for its return or nondisclosure •Commonly done in credit card number theft
attacks
•Attacks -Acts or actions that exploits vulnerability (i.e., an identified weakness) in controlled system -Accomplished by threat agent that damages or steals organization's information •Types of attacks -Malicious code: includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information -Hoaxes: transmission of a virus hoax with a real virus attached; more devious form of attack •
•Consequence-based ethics
•Consequence-based •Egoism: the "right choice" benefits self •Utilitarianism: the "right choice" benefits the interests of others •Rule-based: •Pluralism: stresses fidelity to a sense of duty and principle ("never tell a lie") •Rule-based: rules exist for the benefit of society and should be followed
Missing, Inadequate, or Incomplete
•In policy or planning, can make organizations vulnerable to loss, damage, or disclosure of information assets •With controls, can make an organization more likely to suffer losses when other threats lead to attacks
ISSA
•Information Systems Security Association (ISSA) -Nonprofit society of information security (IS) professionals -Primary mission to bring together qualified IS practitioners for information exchange and educational development -Promotes code of ethics similar to (ISC)2, ISACA, and ACM
Hierarchy of Regulations
•International: •International Cyber crime Treaty •Federal: •FERPA, GLB, HIPAA, DMCA, Teach Act, Patriot Act, Sarbanes-Oxley Act, .... •State: •UCITA, SB 1386, .... •Organization: •Computer use policy
Deliberate Software Attacks
•Malicious software (malware) designed to damage, destroy, or deny service to target systems •Includes: -Viruses -Worms -Trojan horses -Logic bombs -Back door or trap door -Polymorphic threats -Virus and worm hoaxes
Smurfing
•Operates like a Ping Flood •Commonly perpetrate and turn down a system completely. • Carried out by sending a slews of ICMP Echo request packets.
Consequence-Based Ethics
•Priority is given to choices that lead to a "good" outcome (consequence) •The outcome outweighs the method •Egoism: the "right choice" benefits self •Utilitarianism: the "right choice" benefits the interests of others
threats
•Threat: an object, person, or other entity that represents a constant danger to an asset •Management must be informed of the different threats facing the organization •Overall security is improving •The 2009 CSI/FBI survey found -64 percent of organizations had malware infections -14 percent indicated system penetration by an outsider
Framework for Ethics
•What motivates us to view issues a certain way? •Are we consistent in the way we approach ethical issues? •How do we resolve conflicts in approach? •Two basic camps: •consequence-based •rule-based
exploit kit
•a smart program that won't give up until it finds a vulnerability in your computer •does that through researching the traffic that is exchanged between a certain web page and your computer. Then, when the Exploit Kit finds the vulnerability, it will attack your computer • are packaged with exploits that can target commonly installed software such as Adobe Flash, Java, Microsoft Silverlight.
ransomware
•a type of malicious software designed to block access to a computer system until a sum of money is paid •occurs when a hacker(s) infects a computer, either with •a malicious software shutting down their system (locker-ransomware) or •by custom encrypting important files in their system and demanding a ransom (typically in bitcoins) in return for their systems/files (crypto-ransomware).
adware
•malicious code used for tracking all the things you do online as well as for feeding ads so that the advertisers can find you much faster and more easier •any software application in which advertising banners are displayed while a program is running. The ads are delivered through pop-up windows or bars that appear on the program's user interface
botnet
•refers to a network of computers that are infected, and all of them are controlled by a control center simultaneously. •This sort of network is used in severe attacks such as DDoS
Ethics in Security
•refers to all activities needed to secure information and systems that support it in order to facilitate its ethical use.
PING FLOOD
•relies on the ICMP echo command, more popularly known as ping . •In legitimate situations the ping command is used by network administrators to test connectivity between two computers. •In the ping flood attack, it is used to flood large amounts of data packets to the victim's computer in an attempt to overload it
Right to Privacy
Computer Profiling Computer Matching Privacy Laws Computer Libel and Censorship Spamming Flaming
Legal vs Ethical
legal: •Based on laws created and enforced by government •Observance of laws is mandatory •Non-adherence is punishable Ethical: •Based on codes of conduct or morals observed by a certain population •Observance of ethical standards is voluntary •Non-adherence is not usually punishable
SDLC
planning requirements design and prototype software development testing and deploying operations and maintenance
Replay
•An attack in which the attacker repeats or delays a valid transmission and fraudulently re-transmits it.
ethical differences across cultures
•Cultural differences create difficulty in determining what is and is not ethical •Difficulties arise when one nationality's ethical behavior conflicts with ethics of another national group •Scenarios are grouped into: -Software License Infringement -Illicit Use -Misuse of Corporate Resources •Cultures have different views on the scenarios
Key US federal agencies
•Department of Homeland Security (DHS) -Made up of five directorates, or divisions -Mission is to protect the people as well as the physical and informational assets of the US •Federal Bureau of Investigation's National InfraGard Program -Maintains an intrusion alert network -Maintains a secure Web site for communication about suspicious activity or intrusions -Sponsors local chapter activities -Operates a help desk for questions •National Security Agency (NSA) -Is the Nation's cryptologic organization -Protects US information systems -Produces foreign intelligence information -Responsible for signal intelligence and information system security •U.S. Secret Service -In addition to protective services, charged with the detection and arrest of persons committing a federal office relating to computer fraud or false identification
Technological Obsolescence
•Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems •Proper managerial planning should prevent technology obsolescence •IT plays large role
types of cyber attacks
•Malware attacks •SQL Injection Attack •Denial of Service (DoS) attack •Cross-Site Scripting attack (XSS) •Social Engineering attacks •Man in the Middle (MitM) attack •
catfishing
•when an attacker uses dating sites and pretend to be someone else in order to get the money from an emotionally vulnerable person. •The two people will text each other, but they will never meet since the scammer would claim that lives in another country. •Then, at some moment, the scammer will make up a story/problem that requires a certain amount of money to be sent to him so that he can solve that "urgent problem." Not only a victim loses their money, but he/she also ends up with a broken heart. •
HIPAA Security Areas
1.Administrative procedures to guard data CIA. Documented formal procedures to select and measure security mechanisms 2.Physical safeguards to protect computers, buildings, data. 3.Technical security services, including processes to protect information 4.Technical security mechanisms to prevent unauthorized access to stored or transmitted data
The 1960s
§Advanced Research Project Agency (ARPA) began to examine feasibility of redundant networked communications §Larry Roberts developed ARPANET from its inception
The History of Information Security
§Began immediately after the first mainframes were developed §Groups developing code-breaking computations during World War II created the first modern computers §Physical controls to limit access to sensitive military locations to authorized personnel §Rudimentary in defending against physical theft, espionage, and sabotage
MULTICS
§Early focus of computer security research was a system called Multiplexed Information and Computing Service (MULTICS) §First operating system created with security as its primary goal §Mainframe, time-sharing OS developed in mid-1960s by General Electric (GE), Bell Labs, and Massachusetts Institute of Technology (MIT) §Several MULTICS key players created UNIX §Primary purpose of UNIX was text processing
The 1990s
§Networks of computers became more common; so too did the need to interconnect networks §Internet became first manifestation of a global network of networks §In early Internet deployments, security was treated as a low priority
The Present
§The Internet brings millions of computer networks into communication with each other—many of them unsecured §Ability to secure a computer's data influenced by the security of every computer to which it is connected
Distributed Denial of Services (DDoS) Attacks
• An attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. •one of the most common attacks used to compromise an organization's system. •Uses multiple compromised systems to target a single system. These compromised systems are typically infected with a Trojan and are used to overwhelm an online service, impacting abilities to publish and access important information.
trojan horse
• a program downloaded and installed on a computer that appears harmless, but is, in fact, malicious. •Typically hidden in an innocent-looking email attachment or free download. •type of malware - not a virus. The Trojan horse virus can replicate itself while the Trojan horse can't do that. •Can act as •Spyware •Create a backdoor •Send expensive SMS messages •Turn your endpoint into a zombie •
Cross-Site Scripting attack (XSS)
• a type of attack in which malicious scripts are injected into websites and web applications and run on an end user's platform •does not have to choose a specific target; the attacker simply exploits the vulnerability of the application or site, taking advantage of anyone unlucky enough to trigger an attack. Using XSS attacks, a web application or web site becomes the vector of delivering malicious scripts to the browsers of several victims. •
Espionage or Trespass
•Access of protected information by unauthorized individuals •Competitive intelligence (legal) vs. industrial espionage (illegal) •Shoulder surfing can occur anywhere a person accesses confidential information •Controls let trespassers know they are encroaching on organization's cyberspace •Hackers use skill, guile, or fraud to bypass controls protecting others' information Deliberate Acts of Espionage or Trespass This threat represents a well-known and broad category of electronic and human activities that breach the confidentiality of information. When an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as a deliberate act of espionage or trespass. When information gatherers employ techniques that cross the threshold of what is legal and/or ethical, they enter the world of industrial espionage. Instances of shoulder surfing occur at computer terminals, desks, ATM machines, public phones, or other places where a person is accessing confidential information. The threat of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. Controls are sometimes implemented to mark the boundaries of an organization's virtual territory. These boundaries give notice to trespassers that they are encroaching on the organization's cyberspace. The classic perpetrator of deliberate acts of espionage or trespass is the hacker. In the gritty world of reality, a hacker uses skill, guile, or fraud to attempt to bypass the controls placed around information that is the property of someone else. The hacker frequently spends long hours examining the types and structures of the targeted systems.
spyware
•As the name itself suggests, this program will "spy on you," secretly gathering information about you. •With your passwords, personal photos, and credit card data at hand, attackers can cause quite a damage to you or your wallet. •Usually, you can remove this malware with the help of a good antivirus software or by way of removing malware software. •
types of law
•Civil: governs nation or state; manages relationships/conflicts between organizational entities and people •Criminal: addresses violations harmful to society; actively enforced by the state •Private: regulates relationships between individuals and organizations •Public: regulates structure/administration of government agencies and relationships with citizens, employees, and other governments
malware
•Code with malicious intent that typically steals data or destroys something on the computer. •Most often introduced to a system through email attachments, software downloads or operating system vulnerabilities. virus worms trojan rootkit spyware blended threat remote access adware exploit kit
general computer crime laws
•Computer Fraud and Abuse Act of 1986 (CFA Act): cornerstone of many computer-related federal laws and enforcement efforts •National Information Infrastructure Protection Act of 1996: -Modified several sections of the previous act and increased the penalties for selected crimes -Severity of penalties judged on the purpose •For purposes of commercial advantage •For private financial gain •In furtherance of a criminal act •USA PATRIOT Act of 2001: provides law enforcement agencies with broader latitude in order to combat terrorism-related activities •USA PATRIOT Improvement and Reauthorization Act: made permanent fourteen of the sixteen expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity •Computer Security Act of 1987: one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices •US Regulations -Privacy of Customer Information Section of the common carrier regulation -Federal Privacy Act of 1974 -Electronic Communications Privacy Act of 1986 -Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act -Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999
Safeguard Rule
•Each company implements its own specific security program. FTC recommends focus on: •Employee Management and Training •Background checks •Security best practices (e.g., passwords) •Information Systems •Record storage, secure backup •Secure data transmission •Disposal of customer information •Managing system failures •Patch management, AV software, change control •Continuity of operations
What is Ethics?
•Ethics are the vehicle to our morals. •Morals in action. •enact the system we've developed in our moral code. the rules of conduct recognized in respect to a particular class of human actions or a particular group, culture, etc. it defines how things are according to the rules ethics are dependent on others for definition they tend to be consistent within a certain context but can vary
Espionage or Trespass (cont'd.)
•Expert hacker -Develops software scripts and program exploits -Usually a master of many skills -Will often create attack software and share with others •Unskilled hacker -Many more unskilled hackers than expert hackers -Use expertly written software to exploit a system -Do not usually fully understand the systems they hack •Other terms for system rule breakers: -Cracker: "cracks" or removes software protection designed to prevent unauthorized duplication -Phreaker: hacks the public telephone network
HIPAAHealth Insurance Portability and Accountability Act
•Focus: Addresses confidentiality of personal medical data through standards for administrative, physical, and technical security •Became law in 1996 •How does this apply to IT professionals? Will need HIPAA compliance •If you have systems with patient data, and you either •transmit that data or •allows access to systems that store the data •If you transmit protected health information, you are accountable for: Integrity controls; message authentication; alarm; audit trail; entity authentication; event reporting. •If you communicate with others via a network: access controls; encryption. examples •Data Integrity: not altered during transmission: e.g., TLS (transport level security), etc. Regardless of access method (web, shares, etc.) •Message Authentication: validate sender's identity e.g., signature, hash, public key, symmetric key •Alarms: notification of a potential security event, e.g., failed logins, •Audit trails: monitor all access to health information, must be kept around for 6 years or more, •Entity authentication: could be as simple as passwords & unique user ID •Error reporting: error and audit logs may need to be kept for a period of time
Forces of Nature
•Forces of nature are among the most dangerous threats •Disrupt not only individual lives, but also storage, transmission, and use of information •Organizations must implement controls to limit damage and prepare contingency plans for continued operations
FERPAFamily Educational Rights & Privacy Act
•Gives parents certain rights to their child's educational records •Gives adult students right to: •See information the institution is keeping on the student •Seek amendment to the records in certain cases •Consent disclosure of his/her own records •File a complaint with FERPA •Records include: personal information, enrollment records, grades, schedules; on any media
International Cyber crime Treaty
•Goal: facilitate cross-border computer crime investigation •Who: 38 nations, USA has not ratified it yet •Provisions: •Obligates participants to outlaw computer intrusion, commercial copyright infringement, online fraud •Participants must pass laws to support search & seizure of email and computer records, perform internet surveillance, make ISPs preserve logs for investigation •Mutual assistance provision to share data •Opposition: open to countries with poor human rights records; definition of a "crime"
Software Design Principles
•Good software development results in secure products that meet all design specifications •Some commonplace security principles: -Keep design simple and small -Access decisions by permission not exclusion -Every access to every object checked for authority -Design depends on possession of keys/passwords -Protection mechanisms require two keys to unlock -Programs/users utilize only necessary privileges •Some commonplace security principles (cont'd.): -Minimize mechanisms common to multiple users -Human interface must be easy to use so users routinely/automatically use protection mechanisms
Sarbanes-Oxley Act of 2002
•Holds executives personally liable for many operational aspects of a company, including computer security, by making them pledge that the company internal controls are adequate • •Let me repeat, this holds executives personally liable for computer security by making them pledge that companies security mechanisms are adequate
Theft
•Illegal taking of another's physical, electronic, or intellectual property •Physical theft is controlled relatively easily •Electronic theft is more complex problem; evidence of crime not readily apparent Deliberate Acts of Theft Theft is the illegal taking of another's property. Within an organization, that property can be physical, electronic, or intellectual. The value of information suffers when it is copied and taken away without the owner's knowledge. Physical theft can be controlled quite easily. A wide variety of measures can be used from simple locked doors to trained security personnel and the installation of alarm systems. Electronic theft, however, is a more complex problem to manage and control. Organizations may not even know it has occurred.
Human Error or Failure
•Includes acts performed without malicious intent •Causes include: -Inexperience -Improper training -Incorrect assumptions •Employees are among the greatest threats to an organization's data •Employee mistakes can easily lead to: -Revelation of classified data -Entry of erroneous data -Accidental data deletion or modification -Data storage in unprotected areas -Failure to protect information •Many of these threats can be prevented with controls
Deviations in Quality of Service
•Includes situations where products or services are not delivered as expected •Information system depends on many interdependent support systems •Internet service, communications, and power irregularities dramatically affect availability of information and systems •Internet service issues -Internet service provider (ISP) failures can considerably undermine availability of information -Outsourced Web hosting provider assumes responsibility for all Internet services as well as hardware and Web site operating system software •Communications and other service provider issues -Other utility services affect organizations: telephone, water, wastewater, trash pickup, etc. -Loss of these services can affect organization's ability to function •Power irregularities -Commonplace -Organizations with inadequately conditioned power are susceptible -Controls can be applied to manage power quality -Fluctuations (short or prolonged) •Excesses (spikes or surges) - voltage increase •Shortages (sags or brownouts) - low voltage •Losses (faults or blackouts) - loss of power
ISACA
•Information Systems Audit and Control Association (ISACA) -Professional association with focus on auditing, control, and security -Concentrates on providing IT control practices and standards -ISACA has code of ethics for its professionals Information Systems Audit and Control Association The Information Systems Audit and Control Association or ISACA (www.isaca.org) is a professional association with a focus on auditing, control, and security. Although it does not focus exclusively on information security, the Certified Information Systems Auditor or CISA certification does contain many information security components. The ISACA also has a code of ethics for its professionals. It requires many of the same high standards for ethical performance as the other organizations and certifications.
Information security performs four important functions for an organization
•Information security performs four important functions for an organization -Protects ability to function -Enables safe operation of applications implemented on its IT systems -Protects data the organization collects and uses -Safeguards technology assets in use
Compromises to Intellectual Property
•Intellectual property (IP): "ownership of ideas and control over the tangible or virtual representation of those ideas" •The most common IP breaches involve software piracy •Two watchdog organizations investigate software abuse: -Software & Information Industry Association (SIIA) -Business Software Alliance (BSA) •Enforcement of copyright law has been attempted with technical security mechanisms Compromises to Intellectual Property Many organizations create or support the development of intellectual property as part of their business operations. Intellectual property is defined as "the ownership of ideas and control over the tangible or virtual representation of those ideas." Intellectual property for an organization includes trade secrets, copyrights, trademarks, and patents. Once intellectual property (IP) has been defined and properly identified, breaches to IP constitute a threat to the security of this information. Most common IP breaches involve the unlawful use or duplication of software-based intellectual property, known as software piracy. In addition to the laws surrounding software piracy, two watchdog organizations investigate allegations of software abuse: Software & Information Industry Association (SIIA), formerly the Software Publishers Association, and the Business Software Alliance (BSA). Enforcement of copyright violations, piracy, and the like has been attempted through a number of technical security mechanisms, including digital watermarks, embedded codes.
ISC^2
•International Information Systems Security Certification Consortium, Inc. (ISC)2 -Nonprofit organization focusing on development and implementation of information security certifications and credentials -Code primarily designed for information security professionals who have certification from (ISC)2 -Code of ethics focuses on four mandatory canons International Information Systems Security Certification Consortium The (ISC)2 (www.isc2.org) is a nonprofit organization that focuses on the development and implementation of information security certifications and credentials. The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who have earned a certification from (ISC)2. This code focuses on four mandatory canons: •Protect society, the commonwealth, and the infrastructure; •Act honorably, honestly, justly, responsibly, and legally; •Provide diligent and competent service to principals; and •Advance and protect the profession.
jurisdiction, long arm jurisdiction
•Jurisdiction: court's right to hear a case if the wrong was committed in its territory or involved its citizenry •Long arm jurisdiction: right of any court to impose its authority over an individual or organization if it can establish jurisdiction
Laws, Ethics, cultural mores
•Laws: rules that mandate or prohibit certain societal behavior •Ethics: define socially acceptable behavior •Cultural mores: fixed moral attitudes or customs of a particular group; ethics based on these •Laws carry sanctions of a governing authority; ethics do not
Ethical vs. Legal Issues
•Legal issues: •Sometimes have a definitive answer •Determination is made by others (not you) •Ethical issues: •Sometimes have a definitive answer •You determine your course of action •The law doesn't make it "right" Being "right" doesn't make it legal
liability, restitution, due care, due dilligence
•Liability: legal obligation of an entity extending beyond criminal or contract law; includes legal obligation to make restitution •Restitution: to compensate for wrongs committed by an organization or its employees •Due care: insuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actions •Due diligence: making a valid effort to protect others; continually maintaining level of effort
Protecting the Functionality of an Organization
•Management (general and IT) responsible for implementation •Information security is both management issue and people issue •Organization should address information security in terms of business impact and cost Protecting the Ability of the Organization to Function Both general management and IR management are responsible for implementing information security to protect the ability of the organization to function. "Information security is a management issue in addition to a technical issue, it is a people issue in addition to the technical issue." To assist management in addressing the needs for information security, communities of interest must communicate in terms of business impact and the cost of business interruption and avoid arguments expressed only in technical terms. •Organization needs environments that safeguard applications using IT systems •Management must continue to oversee infrastructure once in place—not relegate to IT department' •Organization, without data, loses its record of transactions and/or ability to deliver value to customers •Protecting data in motion and data at rest are both critical aspects of information security
ethics and information security
•Many Professional groups have explicit rules governing ethical behavior in the workplace •IT and IT security do not have binding codes of ethics •Professional associations and certification agencies work to establish codes of ethics -Can prescribe ethical conduct -Do not always have the ability to ban violators from practice in field
Privacy Issues
•Many ethical issues (and legal issues, as we will see) in security seem to be in the domain of the individual's right to privacy verses the greater good of a larger entity (a company, society, etc.) •Examples: tracking employee computer use, crowd surveillance, managing customer profiles, tracking travel with a national ID card, location tracking [to spam cell phone with text message advertisements], .... •A key concept in sorting this out is a person's expectation of privacy
Secure Software Development
•Many information security issues discussed here are caused by software elements of system •Development of software and systems is often accomplished using methodology such as Systems Development Life Cycle (SDLC) •Many organizations recognize need for security objectives in SDLC and have included procedures to create more secure software •This software development approach known as Software Assurance (SA)
Software Assurance and the SA Common Body of Knowledge
•National effort underway to create common body of knowledge focused on secure software development •US Department of Defense and Department of Homeland Security supported Software Assurance Initiative, which resulted in publication of Secure Software Assurance (SwA) Common Body of Knowledge (CBK) •SwA CBK serves as a strongly recommended guide to developing more secure applications
ethics and education
•Overriding factor in levelling ethical perceptions within a small population is education •Employees must be trained in expected behaviors of an ethical employee, especially in areas of information security •Proper ethical training is vital to creating informed, well prepared, and low-risk system user
policies
•Policies: body of expectations that describe acceptable and unacceptable employee behaviors in the workplace •Policies function as laws within an organization; must be crafted carefully to ensure they are complete, appropriate, fairly applied to everyone •Difference between policy and law: ignorance of a policy is an acceptable defense •Criteria for policy enforcement: -Dissemination (distribution) -Review (reading) -Comprehension (understanding) -Compliance (agreement) -Uniform enforcement
Rule-Based Ethics
•Priority is given to following the rules without undue regard to the outcome •Rules are often thought to codify principles like truth fulness, right to freedom, justice, etc. •Stress fidelity to a sense of duty and principle ("never tell a lie") •Exist for the benefit of society and should be followed
Software Development Security Problems
•Problem areas in software development: -Buffer overruns -Command injection -Cross-site scripting -Failure to handle errors -Failure to protect network traffic -Failure to store and protect data securely -Failure to use cryptographically strong random numbers •Problem areas in software development (cont'd.): -Format string problems -Neglecting change control -Improper file access -Improper use of SSL -Information leakage -Integer bugs (overflows/underflows) -Race conditions -SQL injection •Problem areas in software development (cont'd.): -Trusting network address resolution -Unauthenticated key exchange -Use of magic URLs and hidden forms -Use of weak password-based systems -Poor usability
HIPAA
•Protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange •Consumer control of medical information •Boundaries on the use of medical information •Accountability for the privacy of private information •Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual •Security of health information •
Technical Software Failures or Errors
•Purchased software that contains unrevealed faults •Combinations of certain software and hardware can reveal new software bugs •Entire Web sites dedicated to documenting bugs
Financial Modernization Act of 1999(GLB, Gramm-Leach-Bliley Act)
•Requires financial institutions under FTC jurisdiction to secure customer records and information •All "significantly-engaged" financial organizations must comply: check cashing businesses, mortgage, data processors, non-bank lenders, real estate appraisers, ATM, credit reporting agencies, ... •Provides for: mandatory privacy notices and an opt-out for sharing data with some third parties
SQL Injection Attack
•SQLI targets application security weakness and allows attackers to control of an application's database. •An attacker inputs a malicious input into an SQL statement., and the SQL server reads it as programming code. •Some SQLI attacks can release lists of sensitive customer data while others delete part (or all) of a database. And some can even remotely run software applications
Codes of Ethics and Professional Organizations
•Several professional organizations have established codes of conduct/ethics •Codes of ethics can have positive effect; unfortunately, many employers do not encourage joining these professional organizations •Responsibility of security professionals to act ethically and according to policies of employer, professional organization, and laws of society Codes Of Ethics, Certifications, and Professional Organizations A number of professional organizations have established codes of conduct and/or codes of ethics that members are expected to follow. Codes of ethics can have a positive effect on an individual's judgment regarding computer use. Unfortunately, having a code of ethics is not enough, because many employers do not encourage their employees to join these professional organizations. It is the responsibility of security professionals to act ethically and according to the policies and procedures of their employer, their professional organization, and the laws of society.
SANS
•System Administration, Networking, and Security Institute (SANS) -Professional organization with a large membership dedicated to protection of information and systems -SANS offers set of certifications called Global Information Assurance Certification (GIAC) System Administration, Networking, and Security Institute The System Administration, Networking, and Security Institute, or SANS (www.sans.org), is a professional organization with a large membership dedicated to the protection of information and systems. SANS offers a set of certifications called the Global Information Assurance Certification or GIAC.
IP Spoofing
•The creation of Internet Protocol (IP) packets which have a modified source address in order to either hide the identity of the sender, to impersonate another computer system, or both. •a technique often used by bad actors to invoke DDoS attacks against a target device or the surrounding infrastructure.
spear phishing
•The fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information •requires advanced hacking skills and are very hard to detect because they typically rely on the end-user's opening a file in a personal, targeted email ••Typically target decision makers within a company. •Often pretending to be a trusted colleague, friend or partner company- owners, managers and administrators need to be thoroughly trained and taught about "tells" in these cleverly malicious messages
US Patriot Act
•This is a whole legal/ethical/moral debate that we could have some other time. Bottom line, it's the law, and you as an IT professional need to know: •(sunsets 12/05): simple search warrant will gain access to stored voice mail (Title III wiretap not needed) •Govt. can subpoena session times and duration; can request ISP payment information •cable companies can provide customer information without notifying customer •(sunsets): devices can record any information relevant to an investigation, not just info on terrorist activities •the ITSP cannot reveal the purpose of the gathering of "tangible things"
Sabotage or Vandalism
•Threats can range from petty vandalism to organized sabotage •Web site defacing can erode consumer confidence, dropping sales and organization's net worth •Threat of hacktivist or cyberactivist operations rising •Cyberterrorism: much more sinister form of hacking Deliberate Acts of Sabotage or Vandalism Equally popular today is the assault on the electronic face of an organization, its Web site. This category of threat involves the deliberate sabotage of a computer system or business, or acts of vandalism to either destroy an asset or damage the image of an organization. These threats can range from petty vandalism by employees to organized sabotage against an organization. Organizations frequently rely on image to support the generation of revenue, so if an organization's Web site is defaced, a drop in consumer confidence is probable, reducing the organization's sales and net worth. Compared to Web site defacement, vandalism within a network is more malicious in intent and less public. Today, security experts are noticing a rise in another form of online vandalism in what are described as hacktivist or cyberactivist operations. A more extreme version is referred to as cyberterrorism.
GLB Components
•Three basic parts to GLB: •Financial Privacy Rule - governs collection and disclosure of customer personal data •Safeguard Rule - requires you to design, implement, and maintain security safeguards •Pretext rule - protects consumers from individuals and companies who obtain personal information under false pretext
Deterring Unethical and Illegal Behavior
•Three general causes of unethical and illegal behavior: ignorance, accident, intent •Deterrence: best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls •Laws and policies only deter if three conditions are present: -Fear of penalty -Probability of being caught -Probability of penalty being administered
types of attacks
•Types of attacks (cont'd.) -Back door: gaining access to system or network using known or previously unknown/newly discovered access mechanism -Password crack: attempting to reverse calculate a password -Brute force: trying every possible combination of options of a password -Dictionary: selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses •Types of attacks (cont'd.) -Denial-of-service (DoS): attacker sends large number of connection or information requests to a target •Target system cannot handle successfully along with other, legitimate service requests •May result in system crash or inability to perform ordinary functions -Distributed denial-of-service (DDoS): coordinated stream of requests is launched against target from many locations simultaneously •Types of attacks (cont'd.) -Spoofing: technique used to gain unauthorized access; intruder assumes a trusted IP address -Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them back into network -Spam: unsolicited commercial e-mail; more a nuisance than an attack, though is emerging as a vector for some attacks -Mail bombing: also a DoS; attacker routes large quantities of e-mail to target •Types of attacks (cont'd.) -Sniffers: program or device that monitors data traveling over network; can be used both for legitimate purposes and for stealing information from a network -Phishing: an attempt to gain personal/financial information from individual, usually by posing as legitimate entity -Pharming: redirection of legitimate Web traffic (e.g., browser requests) to illegitimate site for the purpose of obtaining private information •Types of attacks (cont'd.) -Social engineering: using social skills to convince people to reveal access credentials or other valuable information to attacker -"People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything." — Kevin Mitnick -Timing attack: relatively new; works by exploring contents of a Web browser's cache to create malicious cookie
DMCA
•U.S. contribution to international effort to reduce impact of copyright, trademark, and privacy infringement •A response to European Union Directive 95/46/EC, •Prohibits -Circumvention of protections and countermeasures -Manufacture and trafficking of devices used to circumvent such protections -Prohibits altering information attached or imbedded in copyrighted material •Excludes ISPs from some copyright infringement
phishing
•When internet persons impersonate a business to trick you into giving out your personal information •Primary vector for malware attacks •usually comprised of a malicious e-mail attachment or an e-mail with an embedded, malicious link.
Man in the middle attacks (mitM)
•a general term for when a perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway. •goal of an attack is to steal personal information, such as login credentials, account details and credit card numbers
blended threat
•a sort of attack in which two or more malware work together in order to cause damage to your computer, in a highly efficient way. •are a mix of Trojans, internet worms, viruses, ransomware and more. •Thanks to this powerful combination, this malware spreads quickly and is capable of causing larger damages. •
Session hijacking
•an attacker hijacks a session between a trusted client and network server. •The attacking computer substitutes its IP address for the trusted client while the server continues the session, believing it is communicating with the client
Customer support scams
•an attacker will call a person who is not very skilled with computers, telling them that there is a serious problem with their software or a hardware and that that might turn into a disaster if not solved on time. •Then, an attacker will tell you that you need to pay a certain amount of money so that this problem could be fixed. •
What is Morals?
•formed out of values. •the actual system of beliefs that emerge out of a person's core values. •specific and context-driven rules that govern a person's behavior •system of beliefs is individually tailored to a person's life experience •subject to opinion.
rootkits
•one of the most complicated types of malware in terms of finding and eliminating it •definition from the two component words, "root" and "kit" are Linux/UNIX terms, where "root" is the equivalent of the Windows Administrator, while "kits" are software designed to take root/administrator control of a PC, without informing the user. •Once a rootkit installs itself on your computer, it will boot up at the same time as your PC. On top of that, by having administrator access, it can track everything you do on the device, scan your traffic, install programs without your consent, hijack your computer's resources or enslave it in a botnet. •able to make changes at the most fundamental level, a rootkit is able to conceal itself, execute files, make changes to a system and track its use without the original owner even being aware of its presence. •unable to spread by themselves and instead rely on clandestine tactics to infect your computer.
Ethical Issues
•pertaining to or dealing with morals or the principles of morality; pertaining to right and wrong in conduct. •in accordance with the rules or standards for right conduct or practice, esp., the standards of a profession. •Examples: •Should companies collect and/or sell customer data? •Should IT specialists monitor and report employee computer use? •Should you act on information you inadvertently see due to having administrator privileges?
Logic bombs and time bombs
•primarily used for deleting databases and protecting corrupted code, as well as for using personal information of a victim. •Logic bomb •Malicious piece of code that gets executed when a certain condition is met •Time bomb •Logic Bomb which is triggered in a specific time or day • •
Voice Phishing (Vishing)
•takes place over the telephone •you will be called by a person who wants to take your money. Of course, they will not tell you that, they will pretend that they are bank clerks or someone else who can get access to your personal and financial info, without you starting to wonder if you should give them your info. And when you do, unfortunately, it will be too late.
What are Values?
•the foundation of a person's ability to judge between right and wrong. •include a deep-rooted system of beliefs. •have intrinsic worth, but are not universally accepted. •allows each individual to determine what should and shouldn't be.