Ch. 4 Information Security Controls
Deliberate threats to information systems
1) Espionage or trespass 2) Information extortion 3) Sabotage or vandalism 4) Theft of equipment or information 5) Identity Theft 6) Compromises to intellectual property 7) Software attacks 8) Alien software 9) Supervisory control and data acquisition attacks (SCADA) 10) Cyberterrorism and Cyber warfare
Mitigation strategies
1) Risk acceptance 2) Risk Limitation 3) Risk transference
What factors contribute to increasing vulnerability of organizational information resources?
1) Today's interconnected, interdependent, wirelessly networked business environment 2) Smaller, faster, cheaper computers and storage devices (much easier to steal or lose) 3) Decreasing skills necessary to be a computer hacker (the Internet and computer programs contain scripts that users with few skills can download and use to attack any information system connected to the Internet) 4) International organized crime taking over cybercrime (illegal activities conducted over computer networks, particularly the Internet) 5) Lack of management support (senior managers set the tone for the whole organization; they must back security policies and make sure those policies reach and are enforced among the employees they deal with every day)
Risk Analysis
1) assessing the value of each asset being protected 2) estimating the probability that each asset will be compromised 3) comparing the probable costs of the asset being compromised with the costs of protecting that asset
Firewalls
A system that prevents a specific type of information from moving between untrusted networks and private networks
Risk acceptance
Accept potential risk, continue operating with no controls, and absorb any damages that occur
Social Engineering
An attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information such as passwords
Distributed Denial-of-service attack
An attacker first takes over many computers, typically by using malicious software. These computers are called zombies or bots. The attacker uses these bots to deliver a coordinated stream of information requests to a target computer, overwhelming it so that it crashes or can no longer serve legitimate users. Because the requests arrive from many sources at once, blocking any single address does not stop the attack.
Denial-of-Service Attack
Attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes. In the basic (non-distributed) form the flood comes from a single source.
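As an added example (not part of the original study notes), the following Python script runs simple flood detection over constructed web-server log lines and tells a single-source DoS apart from a many-source DDoS: one client alone exceeding a per-source limit is a DoS, while a window whose total load is high but spread thinly over many clients is a DDoS. The log format, the addresses (taken from the RFC 5737 documentation ranges) and the thresholds are all assumptions made for this example and would need tuning against real baseline traffic.

```python
from collections import Counter, defaultdict


def parse_log(text):
    """Parse constructed 'timestamp client_ip path' lines into (ts, ip, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, path = line.split()
        events.append((int(ts), ip, path))
    return events


def classify_flood(events, window=10, per_source_limit=20, total_limit=50, min_sources=10):
    """Bucket requests into fixed windows and flag floods.

    DoS: one client by itself sends more than per_source_limit requests in a window.
    DDoS: the window as a whole exceeds total_limit, the load comes from at least
    min_sources distinct clients, and no single client looks abusive on its own.
    All thresholds are assumptions chosen for the constructed sample below.
    """
    per_window = defaultdict(Counter)
    for ts, ip, _path in events:
        per_window[(ts // window) * window][ip] += 1

    findings = []
    for start in sorted(per_window):
        counts = per_window[start]
        total = sum(counts.values())
        for ip, n in counts.most_common():
            if n > per_source_limit:
                findings.append({"window": start, "kind": "dos", "source": ip, "requests": n})
        loudest = counts.most_common(1)[0][1]
        if total > total_limit and len(counts) >= min_sources and loudest <= per_source_limit:
            findings.append({"window": start, "kind": "ddos",
                             "sources": len(counts), "requests": total})
    return findings


def build_sample_log():
    """Constructed sample traffic (not captured data), three ten-second windows."""
    lines = []
    # Window 0-9: normal browsing, three clients, a few requests each.
    for i in range(6):
        lines.append(f"{i} 192.0.2.{10 + i % 3} /page{i}.html")
    # Window 10-19: a single host hammering the login page (DoS).
    for i in range(25):
        lines.append(f"{10 + i % 10} 203.0.113.7 /login")
    # Window 20-29: twelve bots, five requests each, none abusive alone (DDoS).
    for bot in range(12):
        for i in range(5):
            lines.append(f"{20 + (bot + i) % 10} 198.51.100.{bot + 1} /search")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in classify_flood(parse_log(build_sample_log())):
        print(finding)
```

Run as-is it reports a DoS from 203.0.113.7 in the second window and a DDoS from twelve sources in the third, and nothing for the first. The point of the separate rules is the one the definitions above make: a per-source limit catches the single-source flood but is blind to a botnet that keeps each bot under the limit, so the aggregate check is needed as well.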
Sabotage or vandalism
Deliberate acts that involve defacing an organization's website, damaging the organization's image and causing its customers to lose faith.
Spear Phishing
The attacker finds out as much as possible about a specific individual (role, colleagues, projects, interests) so that a phishing message tailored to that person is more likely to obtain sensitive, personal information
Unintentional threats to information systems
Human Errors: pose a large problem as the result of laziness, carelessness, or a lack of awareness concerning information security 1) The higher up the employee, the greater the threat they pose to information security, because senior employees have broader access and more privileges 2) Employees in human resources and information systems pose a greater threat than most, because HR has access to sensitive personal data and IS staff have access to the systems themselves 3) Contract labor, consultants, janitors, and guards are often overlooked even though they also have access to the organization's facilities and systems
Virtual private networks (VPN)
Is a private network that uses a public network (usually the Internet) to connect users, typically by encrypting the traffic between them.
Tailgating
Is a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks and card entry
Secure socket layer/transport layer security
Is an encryption standard used for secure transactions such as credit card purchases and online banking. SSL is the older protocol; TLS is its successor and the version in current use.
Patent
Is an official document that grants the holder exclusive rights on an invention or a process for a specified period of time
Alien software/pestware:
Is clandestine (secret) software that is installed on your computer through duplicitous methods. (adware, spyware, spamware, and cookies)
Risk Limitation
Limit the risk by implementing controls that minimize the impact of the threat
Shoulder surfing
Occurs when a perpetrator watches an employee's computer screen over the employee's shoulder
Information extortion
Occurs when an attacker either threatens to steal, or actually steals information from a company. The perpetrator demands payment for not stealing the information, returning it, or agreeing not to disclose it
Espionage or Trespass
Occurs when an unauthorized individual attempts to gain illegal access to organizational information
Information security controls
Physical Controls, Access controls, and communication controls
Keystroke loggers
Record keystrokes and web browser history
Screen scrapers
Record continuous movies of a screen's contents
Cyberterrorism and Cyberwarfare
Refer to malicious acts in which attackers use a target's computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, usually to carry out a political agenda.
SCADA
Refers to a large scale, distributed measurement and control system. These systems are used to monitor or to control chemical, physical, and transport processes. They provide a link between the physical world and the electronic world.
What can organizations do to protect information resources?
Risk management
Communication Controls/network controls
Secure the movement of data across networks.
Logic bomb
Segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action at a certain time or date
Worm
Segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program)
Virus
Segment of computer code that performs malicious actions by attaching to another computer program
Trojan Horse
Software programs that hide in other computer programs and reveal their designed behavior only when they are activated
Risk transference
Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance
Back/trap door
Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures
Phishing Attack
Use deception to acquire sensitive personal information by masquerading as official-looking emails or instant messages
Whitelisting/Blacklisting
Whitelisting: is a process in which a company identifies the software that it will allow to run on its computers. It permits acceptable software to run and prevents any other software from running (default deny). Blacklisting: allows everything to run unless it is on the blacklist. The blacklist includes certain types of software that are not allowed to run in the company environment (default allow).
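An added example (not from the original notes) of the two policies side by side in Python. Software is identified by the SHA-256 hash of its contents rather than by file name, since a name is trivial to fake. The "binaries" are constructed byte strings standing in for real executable files, and the approved and known-bad sets are assumptions for the example.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Fingerprint an executable's contents; the policies key on this, not the file name."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables. In practice these would be the bytes of the
# files on disk, hashed when the policy is built and again at execution time.
APPROVED_BINARIES = {b"corp-editor-3.2", b"corp-mailer-7.0"}
KNOWN_BAD_BINARIES = {b"wiper-sample-2019"}

ALLOWLIST = {sha256_hex(b) for b in APPROVED_BINARIES}   # whitelist
DENYLIST = {sha256_hex(b) for b in KNOWN_BAD_BINARIES}    # blacklist


def whitelist_permits(binary: bytes) -> bool:
    """Whitelisting: default deny. Only software whose hash is on the list may run."""
    return sha256_hex(binary) in ALLOWLIST


def blacklist_permits(binary: bytes) -> bool:
    """Blacklisting: default allow. Everything runs unless its hash is on the list."""
    return sha256_hex(binary) not in DENYLIST


def compare_policies(binary: bytes) -> dict:
    """Return the run/block decision of each policy for the same binary."""
    return {"whitelist": whitelist_permits(binary), "blacklist": blacklist_permits(binary)}


if __name__ == "__main__":
    cases = {
        "approved editor": b"corp-editor-3.2",
        "known wiper": b"wiper-sample-2019",
        "never-seen dropper": b"never-seen-dropper",
        "trojanized editor": b"corp-editor-3.2-trojanized",
    }
    for label, binary in cases.items():
        print(f"{label:20} {compare_policies(binary)}")
```

The two policies agree on the approved program (runs) and the known-bad one (blocked); they disagree on everything the company has never seen. The never-seen dropper and the tampered copy of the approved editor both run under the blacklist, because nobody has listed them yet, and are both blocked by the whitelist. The price of that default-deny behaviour is operational: every legitimate patch changes the hash, so the whitelist must be updated with each approved release or the new version is blocked too.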
Copyright
is a statutory grant that provides the creators or owners of intellectual property with ownership of the property for a specified period of time
Trade Secret
is an intellectual work, such as a business plan, that is company secret and is not based on public information
Spamware
is pestware that uses your computer as a launch pad for spammers
Spyware
is software that collects personal information about users without their consent
Encryption
is the process of converting an original message into a form that cannot be read by anyone except the intended receiver, who holds the key needed to reverse the conversion
Adware
software that causes pop-up advertisements to appear on your screen. (Cookies, the other item on the alien software list, are not programs at all: they are small amounts of information that a website stores on your computer, which can be used to track your browsing.)
Risk Mitigation
the organization takes concrete actions against risks 1) implementing controls to prevent identified threats from occurring 2) developing a means of recovery should the threat become a reality
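An added example (not from the original notes) that carries the three Risk Analysis steps through to a choice between risk acceptance, risk limitation and risk transference. The assets, values, probabilities and costs are constructed figures, and the decision rule is an assumption of this example: each strategy is priced as the yearly cost it leaves the organization bearing, and the cheapest one is recommended. Real risk analysis adds factors this omits (deductibles and exclusions on insurance, controls that reduce probability rather than impact, non-monetary harm).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Asset:
    name: str
    value: float                 # step 1: what a compromise of the asset would cost
    annual_probability: float    # step 2: estimated chance of compromise in a year
    control_cost: float          # yearly cost of the control that would limit the risk
    insurance_premium: Optional[float] = None  # yearly premium if the risk can be transferred


def expected_annual_loss(asset: Asset) -> float:
    """Probable yearly cost of the asset being compromised (value times probability)."""
    return asset.value * asset.annual_probability


def recommend(asset: Asset, residual_fraction: float = 0.1) -> Tuple[str, Dict[str, float]]:
    """Step 3: compare the probable cost of compromise with the cost of protecting the asset.

    accept:   do nothing and absorb the expected loss.
    limit:    pay for the control; assume (example assumption) residual_fraction of the
              original expected loss still gets through.
    transfer: pay the premium and let the insurer absorb the loss, if a policy exists.
    """
    eal = expected_annual_loss(asset)
    costs = {
        "accept": eal,
        "limit": asset.control_cost + eal * residual_fraction,
    }
    if asset.insurance_premium is not None:
        costs["transfer"] = asset.insurance_premium
    strategy = min(costs, key=costs.get)
    return strategy, costs


def plan(assets) -> Dict[str, str]:
    """Recommended strategy per asset name."""
    return {a.name: recommend(a)[0] for a in assets}


# Constructed sample assets; the numbers are illustrative, not from any real assessment.
SAMPLE_ASSETS = [
    Asset("customer database", value=500_000, annual_probability=0.2,
          control_cost=30_000, insurance_premium=60_000),
    Asset("lobby kiosk", value=2_000, annual_probability=0.5, control_cost=5_000),
    Asset("laptop fleet", value=80_000, annual_probability=0.3,
          control_cost=40_000, insurance_premium=15_000),
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        strategy, costs = recommend(asset)
        print(f"{asset.name:18} EAL={expected_annual_loss(asset):>9,.0f}  "
              f"-> {strategy:8} {costs}")
```

With the sample figures the customer database is worth limiting (a 30,000 control against a 100,000 expected loss), the kiosk is accepted because the control costs five times more than the expected loss, and the laptop fleet is transferred because the premium undercuts both the expected loss and the control. Changing any one input (say, a cheaper laptop control) moves the recommendation, which is exactly why step 3 is a comparison rather than a fixed rule.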