Ch. 4 Information Security Controls

Deliberate threats to information systems

1) Espionage or trespass 2) Information extortion 3) Sabotage or vandalism 4) Theft of equipment or information 5) Identity Theft 6) Compromises to intellectual property 7) Software attacks 8) Alien software 9) Supervisory control and data acquisition attacks (SCADA) 10) Cyberterrorism and Cyber warfare

Mitigation strategies

1) Risk acceptance 2) Risk Limitation 3) Risk transference

What factors contribute to increasing vulnerability of organizational information resources?

1) Today's interconnected, interdependent, wirelessly networked business environment 2) Smaller, faster, cheaper computers and storage devices (much easier to steal or lose) 3) Decreasing skills necessary to be a computer hacker (internet and computer programs contain scripts that users with few skills can download and use to attack any IS connected to the Internet) 4) International organized crime taking over cybercrime (illegal activities conducted over computer networks, particularly the Internet) 5) Lack of management support (needs contact with employees every day because they set the tone)

Risk Analysis

1) assessing the value of each asset being protected 2) estimating the probability each asset will be compromised 3) comparing the probably costs of the asset's being compromised with the costs of protecting that asset

Firewalls

A system that prevents a specific type of information from moving between untrusted networks and private networks

Risk acceptance

Accept potential risk, continue operating with no controls, and absorb any damages that occur

Social Engineering

An attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information such as passwords

Distributed Denial-of-service attack

An attacker first takes over many computers, typically by using malicious software. These computers are called zombies or bots. The attacker uses these bots to deliver a coordinated stream of information requests to a target computer, causing it to crash

Denial-of-Service Attack

Attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes

Sabotage or vandalism

Deliberate acts that involve defacing an organizations website, damaging the organizations image and causing its customers to lose faith.

Spear Phishing

Find out as much information about an individual as possible to improve their chances that phishing techniques will be able to obtain sensitive, personal information

Unintentional threats to information systems

Human Errors: pose a large problem as the result of laziness, carelessness, or a lack of awareness concerning information security 1) The higher up the employee, the greater the threat they pose to information security 2) human resources and information systems pose a threat to information security 3) Contract labor, consultants, janitors, and guards

Virtual private networks (VPN)

Is a private network that uses a public network to connect users.

Tailgating

Is a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks and card entry

Secure socket layer/transport layer security

Is an encryption standard used for secure transactions such as credit card purchases and online banking

Patent

Is an official document that grants the holder exclusive rights on an invention or a process for a specified period of time

Alien software/pestware:

Is clandestine (secret) software that is installed on your computer through duplicitous methods. (Adware, Spyware, spamware, and cookies)

Risk Limitation

Limit the risk by implementing controls that minimize the impact of the threat

Shoulder surfing

Occurs when a perpetrator watched an employee's computer screen over the employees shoulder

Information extortion

Occurs when an attacker either threatens to steal, or actually steals information from a company. The perpetrator demands payment for not stealing the information, returning it, or agreeing not to disclose it

Espionage or Trespass

Occurs when an authorized individual attempts to gain illegal access to organizational information

Information security controls

Physical Controls, Access controls, and communication controls

Keystroke loggers

Record keystrokes and web browser history

Screen scrapers

Records continuous movies of a screen's contents

Cyberterrorism and Cyberwarfare

Refer to malicious acts in which attackers use target's computer systems, particularly the internet, to cause physical, real-world harm or severe disruption, usually to carry out a political agenda.

SCADA

Refers to a large scale, distributed measurement and control system. These systems are used to monitor or to control chemical, physical, and transport processes. They provide a link between the physical world and the electronic world.

What can organizations do to protect information resources?

Risk management

Communication Controls/network controls

Secure the movement of data across networks.

Logic bomb

Segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action at a certain time or date

Worm

Segment of computer code that performs malicious actions and will replicate, or spread by itself (without requiring another computer program)

Virus

Segment of computer code that performs malicious actions by attaching to another computer program

Trojan Horse

Software programs that hide in other computer programs and reveal their designed behavior only when they are activated

Risk transference

Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance

Back/trap door

Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures

Phishing Attack

Use deception to acquire sensitive personal information by masquerading as official looking emails or instant messages

Whitelisting/Blacklisting

Whitelisting: is a process in which a company identifies the software that it will allow to run on its computers. It permits acceptable software to run and prevents any other software from running. Blacklisting: allows everything to run unless it is on the blacklist. The blacklist includes certain types of software that are no allowed to run in the company environment.

Copyright

is a statutory grant that provides the creators or owners of intellectual property with ownership of the property for a specified period of time

Trade Secret

is an intellectual work, such as a business plan, that is company secret and is not based on public information

Spamware

is pestware that uses your computer as a launch pad for spammers

Spyware

is software that collects personal information about users without their consent

Encryption

is the process of converting an original message into a form that cannot be read by anyone accept the intended receiver

Cookies

software that causes pop-up advertisements to appear on your screen

Risk Mitigation

the organization takes concrete actions against risks 1) implementing controls to prevent identified threats from occurring 2) developing a means of recovery should the threat become a reality