Ch01_MoIS5e_v02.pptx

JawaherAlbaddawi 236 views 89 slides May 03, 2024
MANAGEMENT of INFORMATION SECURITY, Fifth Edition

Learning Objectives
Upon completion of this material, you should be able to:
- Describe the importance of the manager’s role in securing an organization’s use of information technology
- List and discuss the key characteristics of information security
- List and describe the dominant categories of threats to information security
- Discuss the key characteristics of leadership and management
- Differentiate information security management from general business management
Management of Information Security, 5th Edition © Cengage Learning

Chapter 01: Introduction to the Management of Information Security
Introduction to Information Security

Introduction
- Information technology is the vehicle that stores and transports information from one business unit to another. But what happens if the vehicle breaks down?
- Over time the concept of computer security has been replaced by the concept of information security
- Information security is no longer the sole responsibility of a discrete group of people in the company; rather, it is the responsibility of every employee, and especially managers

Introduction
- Organizations must realize that information security decisions should involve three distinct groups of managers and professionals, or communities of interest:
  - Those in the field of information security
  - Those in the field of IT
  - Those from the rest of the organization

Communities of Interest
- InfoSec: protects the organization’s information assets from the many threats they face
- IT: supports the business objectives of the organization by supplying and supporting IT appropriate to the business’ needs
- General business: articulates and communicates organizational policy and objectives and allocates resources to the other groups

What Is Security?
- In order to understand the technical aspects of information security you must know the definitions of certain information technology terms and concepts
- In general, security is defined as “being free from danger.” To be secure is to be protected from the risk of loss, damage, unwanted modification, or other hazards
- Security is often achieved by means of several strategies undertaken simultaneously or used in combination with one another
- It is the role of management to ensure that security strategies are properly planned, organized, staffed, directed, and controlled

Specialized areas of security
- Physical security
- Operations security
- Communications security
- Cyber (or computer) security
- Network security

Parameters: CYBER SECURITY versus INFORMATION SECURITY
- Basic definition
  Cyber security: It is the practice of protecting the data from outside the resource on the internet.
  Information security: It is all about protecting information from unauthorized users, access, and data modification or removal in order to provide confidentiality, integrity, and availability.
- Protect
  Cyber security: It is about the ability to protect the use of cyberspace from cyber attacks.
  Information security: It deals with the protection of data from any form of threat.
- Scope
  Cyber security: Cybersecurity protects anything in the cyber realm.
  Information security: Information security is for information irrespective of the realm.
- Threat
  Cyber security: Cybersecurity deals with the danger in cyberspace.
  Information security: Information security deals with the protection of data from any form of threat.
- Attacks
  Cyber security: Cybersecurity strikes against cyber crimes, cyber frauds, and law enforcement.
  Information security: Information security strikes against unauthorized access, disclosure, modification, and disruption.
- Professionals
  Cyber security: Cyber security professionals deal with the prevention of active threats or advanced persistent threats (APT).
  Information security: Information security professionals are the foundation of data security, and the security professionals associated with it are responsible for policies, processes, and organizational roles and responsibilities that assure CIA.
- Deals with
  Cyber security: It deals with threats that may or may not exist in the cyber realm, such as protecting your social media account, personal information, etc.
  Information security: It deals with information assets and integrity, confidentiality, and availability.

Parameters: CYBER SECURITY versus INFORMATION SECURITY (continued)
- Defence
  Cyber security: Acts as first line of defence.
  Information security: Comes into play when security is breached.
- Threats
  Cyber security: Primarily deals with digital threats, such as hacking, malware, and phishing
  Information security: Addresses a wider range of threats, including physical theft, espionage, and human error
- Goal
  Cyber security: Protects against unauthorized access, use, disclosure, disruption, modification, or destruction of digital information
  Information security: Protects the confidentiality, integrity, and availability of all types of information, regardless of the medium in which it is stored
- Technologies
  Cyber security: Relies on a variety of technologies, such as firewalls, antivirus software, and intrusion detection systems
  Information security: Uses a range of technologies, including encryption, access controls, and data loss prevention tools
- Skills required
  Cyber security: Requires specialized knowledge of computer systems and networks, as well as programming and software development skills
  Information security: Requires knowledge of risk management, compliance, legal and regulatory issues, as well as technical knowledge
- Focus on data
  Cyber security: Emphasizes protecting the data itself, regardless of where it is stored or how it is transmitted
  Information security: Emphasizes the protection of information assets, which includes data but also other information such as intellectual property, trade secrets, and confidential customer information
- Threat landscape
  Cyber security: Deals with constantly evolving threats, such as new forms of malware and emerging cybercrime techniques
  Information security: Deals with a wide range of threats, including physical security breaches, insider threats, and social engineering attacks

Information Security
- Information security (InfoSec) focuses on the protection of information and the characteristics that give it value, such as confidentiality, integrity, and availability, and includes the technology that houses and transfers that information through a variety of protection mechanisms such as policy, training and awareness programs, and technology

Components of Information Security
(figure not reproduced)

The CIA Triangle and the CNSS Model
- The C.I.A. triangle (confidentiality, integrity, and availability) has expanded into a more comprehensive list of critical characteristics of information
- The NSTISSI (National Security Telecommunications and Information Systems Security Instruction) (or CNSS [Committee on National Security Systems]) Security Model (also known as the McCumber Cube) provides a more detailed perspective on security
- While the NSTISSC (Committee) model covers the three dimensions of information security, it omits discussion of detailed guidelines and policies that direct the implementation of controls
- Another weakness of using this model with too limited an approach is to view it from a single perspective

Figure description: a cube with three labeled sides showing the three foundational principles: Information States, Critical Information Characteristics, and Security Measures. Information states include transmission, storage, and processing. Critical information characteristics include confidentiality, integrity, and availability. Security measures include technology, policies and practice, and the education, training, and awareness of people.

The CNSS Security Model
(figure not reproduced)

The C.I.A. Triad
(figure not reproduced)

The Principles of Security
- The first dimension of the cybersecurity cube identifies the goals to protect cyberspace. The goals identified in the first dimension are the foundational principles. These three principles are confidentiality, integrity, and availability, commonly referred to as the CIA Triad.
- The second dimension of the Cybersecurity Cube focuses on the problem of protecting the data in cyberspace in each of its possible states:
  - Data in transit
  - Data at rest or in storage
  - Data in process
- The third dimension of the Cybersecurity Cube defines the skills and discipline a cybersecurity professional can call upon to protect cyberspace. Cybersecurity professionals use a range of different skills and disciplines when protecting the data in cyberspace, being careful to always remain on the ‘right side’ of the law

Confidentiality
- Confidentiality is “An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems”
- Confidentiality means limiting access to information only to those who need it, and preventing access by those who don’t
- To protect the confidentiality of information, a number of measures are used:
  - Information classification
  - Secure document (and data) storage
  - Application of general security policies
  - Education of information custodians and end users
  - Cryptography (encryption)

Integrity
- Integrity is “an attribute of information that describes how data is whole, complete, and uncorrupted”
- The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state
- Corruption can occur while information is being entered, stored, or transmitted

Availability
- Availability is “An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction”
- Availability of information means that users, either people or other systems, have access to it in a usable format
- Availability does not imply that the information is accessible to any user; rather, it means it can be accessed when needed by authorized users
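Integrity as defined above is only useful if the system can tell when data has stopped being whole and uncorrupted. The script below is an added example, not from the slides or the textbook: it seals a constructed invoice record with a keyed tag (HMAC-SHA256, my choice of mechanism) and shows the difference between an accidental bit flip in storage or transit, which an unkeyed checksum also catches, and a deliberate modification, where the modifier can refresh a plain checksum but cannot forge the keyed tag without the storage layer's key.

```python
import hashlib
import hmac
import secrets

# Constructed key held only by the storage layer; parties that can write records do not have it
INTEGRITY_KEY = secrets.token_bytes(32)

def seal(record, key=INTEGRITY_KEY):
    """Store a record with a keyed integrity tag computed over its exact bytes."""
    return {"data": record, "tag": hmac.new(key, record, hashlib.sha256).digest()}

def verify(sealed, key=INTEGRITY_KEY):
    """True only if the data is byte-for-byte what was sealed under this key."""
    expected = hmac.new(key, sealed["data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, sealed["tag"])

def store_with_checksum(record):
    """Unkeyed alternative: a plain hash over the data, recomputable by anyone."""
    return {"data": record, "checksum": hashlib.sha256(record).digest()}

def check_checksum(stored):
    return hashlib.sha256(stored["data"]).digest() == stored["checksum"]

def flip_one_bit(data, index):
    """Simulate corruption in storage or transit: a single bit changes."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]

def integrity_demo():
    original = b"invoice:1042;amount:100.00;payee:ACME"   # constructed record
    sealed = seal(original)
    checksummed = store_with_checksum(original)

    # Accidental corruption: the data changes but the stored tag/checksum does not
    corrupted = flip_one_bit(original, 20)

    # Deliberate modification: the modifier rewrites the data and refreshes the checksum ...
    altered = original.replace(b"100.00", b"900.00")
    refreshed = store_with_checksum(altered)
    # ... but can only produce a tag under a key of its own, not the storage layer's
    forged = seal(altered, key=secrets.token_bytes(32))

    return {
        "intact_verifies": verify(sealed),
        "corruption_detected": not verify(dict(sealed, data=corrupted)),
        "checksum_detects_accident": not check_checksum(dict(checksummed, data=corrupted)),
        "checksum_refreshed_by_modifier": check_checksum(refreshed),
        "forged_tag_rejected": not verify(forged),
    }

if __name__ == "__main__":
    for name, outcome in integrity_demo().items():
        print(f"{name}: {outcome}")
```

Every line of the result prints True: the keyed tag detects both the accident and the deliberate change, while the plain checksum only detects the accident. A checksum is still worth having for the entry-and-storage errors the slide mentions; it just says nothing about who last wrote the data.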

Privacy
- Privacy is “in the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality”
- The information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected
- In this context, privacy does not mean freedom from observation (the meaning usually associated with the word); it means that the information will be used only in ways approved by the person who provided it

Information Aggregation
- Many organizations collect, swap, and sell personal information as a commodity
- Today, it is possible to collect and combine personal information from several different sources (known as information aggregation), which has resulted in databases that could be used in ways the original data owner hasn’t agreed to or even knows about

Identification
- Identification is “the access control mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system”
- An information system possesses the characteristic of identification when it is able to recognize individual users
- Identification and authentication are essential to establishing the level of access or authorization that an individual is granted
- Identification is typically performed by means of a user name or other ID

Authentication
- Authentication is “The access control mechanism that requires the validation and verification of an unauthenticated entity’s purported identity”
- It is the process by which a control establishes whether a user (or system) has the identity it claims to have
- Individual users may disclose a personal identification number (PIN), a password, or a passphrase to authenticate their identities to a computer system

Authorization
- Authorization is “the access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels”
- After the identity of a user is authenticated, authorization defines what the user (whether a person or a computer) has been specifically and explicitly permitted by the proper authority to do, such as access, modify, or delete the contents of an information asset

Accountability
- Accountability is “the access control mechanism that ensures all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity. Also known as auditability”
- Accountability of information occurs when a control provides assurance that every activity undertaken can be attributed to a named person or automated process
- Accountability is most commonly associated with system audit logs
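The four mechanisms defined on the preceding slides (identification, authentication, authorization, accountability) run as one pipeline on every access request. The Python script below is an added example, not from the slides or the textbook: the user records, the asset names and the access list are constructed, and storing passwords as salted PBKDF2 digests and writing one audit entry per decision (denials included) are my own choices rather than anything the chapter prescribes.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 100_000   # assumption: one reasonable work factor

def derive_key(password, salt):
    """Password-based key derivation; the stored value is never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def make_user(password):
    """Create a credential record with a fresh per-user salt."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": derive_key(password, salt)}

# Constructed user store (identification: the label each entity is known by)
USERS = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("hunter2"),
}

# Constructed authorization list: asset -> user -> explicitly permitted operations
ACL = {
    "payroll.db": {"alice": {"read", "modify"}},
    "handbook.pdf": {"alice": {"read"}, "bob": {"read"}},
}

# Accountability: every decision, granted or denied, is appended here
AUDIT_LOG = []

def record(user, asset, operation, stage, outcome):
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "asset": asset, "operation": operation,
        "stage": stage, "outcome": outcome,
    })

def request_access(username, password, asset, operation):
    """Run the four mechanisms in order; True only if all of them succeed."""
    # 1. Identification: the claimed label must be one the system knows
    credential = USERS.get(username)
    if credential is None:
        record(username, asset, operation, "identification", "denied")
        return False
    # 2. Authentication: validate the purported identity (constant-time comparison)
    if not hmac.compare_digest(derive_key(password, credential["salt"]), credential["digest"]):
        record(username, asset, operation, "authentication", "denied")
        return False
    # 3. Authorization: match the authenticated entity to what it is permitted to do
    if operation not in ACL.get(asset, {}).get(username, set()):
        record(username, asset, operation, "authorization", "denied")
        return False
    record(username, asset, operation, "authorization", "granted")
    return True

if __name__ == "__main__":
    print(request_access("alice", "correct horse battery staple", "payroll.db", "modify"))  # True
    print(request_access("bob", "hunter2", "payroll.db", "read"))                           # False
    for entry in AUDIT_LOG:
        print(entry["time"], entry["user"], entry["asset"], entry["stage"], entry["outcome"])
```

Two design points worth noticing: an unknown user is rejected at the identification stage before any password work is done, and the audit log records which stage refused a request, which is what lets an administrator later distinguish a typo in a username from a wrong password from an attempt to reach an asset the user was never authorized for.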

Key Concepts of Information Security: Threats and Attacks
Chapter 01: Introduction to the Management of Information Security

Sun Tzu Wu’s The Art of War
- Therefore I say:
  - One who knows the enemy and knows himself will not be in danger in a hundred battles
  - One who does not know the enemy but knows himself will sometimes win, sometimes lose
  - One who does not know the enemy and does not know himself will be in danger in every battle
- To protect your organization’s information, you must: know yourself; that is, be familiar with the information assets to be protected and the systems, mechanisms, and methods used to store, transport, process, and protect them; and know the threats you face

Key Concepts of Information Security: Threats and Attacks
- A threat represents a potential risk to an information asset, whereas an attack represents an ongoing act against the asset that could result in a loss
- Threat agents damage or steal an organization’s information or physical assets by using exploits to take advantage of a vulnerability where controls are not present or no longer effective
- Unlike threats, which are always present, attacks exist only when a specific act may cause a loss

Key Concepts in Information Security
(figure not reproduced)

12 Categories of Threats to InfoSec
(figure not reproduced)

Top 10 types of InfoSec threats for IT teams
- A security threat is a malicious act that aims to corrupt or steal data or disrupt an organization's systems or the entire organization.
- A security event refers to an occurrence during which company data or its network may have been exposed.
- An event that results in a data or network breach is called a security incident.
- As cybersecurity threats continue to evolve and become more sophisticated, enterprise IT must remain vigilant when it comes to protecting their data and networks. To do that, they first have to understand the types of security threats and potential attacks they're up against.

1. Insider threats
- An insider threat occurs when individuals close to an organization who have authorized access to its network intentionally or unintentionally misuse that access to negatively affect the organization's critical data or systems.
- To prevent insider threats, the things organizations can do to minimize the associated risks include the following:
  - Limit employees' access to only the specific resources they need to do their jobs.
  - Train new employees and contractors on security awareness before allowing them to access the network.
  - Incorporate information about unintentional and malicious insider threat awareness into regular security training.
  - Set up contractors and other freelancers with temporary accounts that expire on specific dates, such as the dates their contracts end.
  - Implement two-factor authentication, which requires each user to provide a second piece of identifying information in addition to a password.
  - Install employee monitoring software to help reduce the risk of data breaches and the theft of intellectual property by identifying careless, disgruntled or malicious insiders.

2. Viruses and worms
- Viruses and worms are malicious software programs (malware) aimed at destroying an organization's systems, data and network.
- A computer virus is malicious code that replicates by copying itself to another program, system or host file. It remains dormant until someone knowingly or inadvertently activates it, spreading the infection without the knowledge or permission of a user or system administrator.
- To reduce the risk of these types of information security threats caused by viruses or worms, companies should install antivirus and antimalware software on all their systems and networked devices and keep that software up to date. In addition, organizations must train users not to download attachments or click on links in emails from unknown senders and to avoid downloading free software from untrusted websites. Users should also be very cautious when they use P2P file sharing services, and they shouldn't click on ads, particularly ads from unfamiliar brands and websites.

3. Botnets
- A botnet is a collection of Internet-connected devices, including PCs, mobile devices, servers and IoT devices, that are infected and remotely controlled by a common type of malware. Typically, the botnet malware searches for vulnerable devices across the internet. The goal of the threat actor creating a botnet is to infect as many connected devices as possible, using the computing power and resources of those devices for automated tasks that generally remain hidden to the users of the devices.
- To prevent botnets, organizations have several ways to prevent botnet infections:
  - Monitor network performance and activity to detect any irregular network behavior.
  - Keep OSes up to date.
  - Keep all software up to date, and install any necessary security patches.
  - Educate users not to engage in any activity that puts them at risk of bot infections or other malware, including opening emails or messages, downloading attachments or clicking links from unfamiliar sources.
  - Implement antibotnet tools that find and block bot viruses. In addition, most firewalls and antivirus software include basic tools to detect, prevent and remove botnets.

4. Drive-by download attacks
- In a drive-by download attack, malicious code is downloaded from a website via a browser, application or integrated OS without a user's permission or knowledge. A user doesn't have to click on anything to activate the download. Just accessing or browsing a website can start a download. Cybercriminals can use drive-by downloads to inject banking Trojans, steal and collect personal information as well as introduce exploit kits or other malware to endpoints.
- To prevent drive-by download attacks: One of the best ways a company can prevent drive-by download attacks is to regularly update and patch systems with the latest versions of software, applications, browsers and OSes. Users should also be warned to stay away from insecure websites. Installing security software that actively scans websites can help protect endpoints from drive-by downloads.

5. Phishing attacks
- Phishing attacks are a type of information security threat that employs social engineering to trick users into breaking normal security practices and giving up confidential information, including names, addresses, login credentials, Social Security numbers, credit card information and other financial information. In most cases, hackers send out fake emails that look as if they're coming from legitimate sources, such as financial institutions, eBay, PayPal, and even friends and colleagues.
- In phishing attacks, hackers attempt to get users to take some recommended action, such as clicking on links in emails that take them to fraudulent websites that ask for personal information or install malware on their devices. Opening attachments in emails can also install malware on users' devices that is designed to harvest sensitive information, send out emails to their contacts or provide remote access to their devices.
- To prevent phishing attacks, enterprises should train users not to download attachments or click on links in emails from unknown senders and to avoid downloading free software from untrusted websites

6. Distributed denial-of-service attacks
- In a distributed denial-of-service (DDoS) attack, multiple compromised machines attack a target, such as a server, website or other network resource, making the target totally inoperable. The flood of connection requests, incoming messages or malformed packets forces the target system to slow down or to crash and shut down, denying service to legitimate users or systems.
- To prevent DDoS attacks, companies should take the following steps:
  - Implement technology and tools to monitor networks visually and know how much bandwidth a site uses on average. DDoS attacks offer visual clues, so administrators who understand the normal behaviors of their networks will be better able to catch these attacks.
  - Ensure servers have the capacity to handle heavy traffic spikes and the mitigation tools necessary to address security problems.
  - Update and patch firewalls and network security programs.
  - Set up protocols outlining the steps to take in the event of a DDoS attack occurring.

7. Ransomware
- In a ransomware attack, the victim's computer is locked, typically by encryption, which keeps the victim from using the device or data that's stored on it. To regain access to the device or data, the victim has to pay the hacker a ransom, typically in a virtual currency such as Bitcoin. Ransomware can be spread via malicious email attachments, infected software apps, infected external storage devices and compromised websites.
- To protect against ransomware attacks, users should regularly back up their computing devices and update all software, including antivirus software. Users should avoid clicking on links in emails or opening email attachments from unknown sources. Victims should do everything possible to avoid paying ransom. Organizations should also couple a traditional firewall that blocks unauthorized access to computers or networks with a program that filters web content and focuses on sites that may introduce malware. In addition, limit the data a cybercriminal can access by segregating the network into distinct zones, each of which requires different credentials.

8. Exploit kits
- An exploit kit is a programming tool that enables a person without any experience writing software code to create, customize and distribute malware. Exploit kits are known by a variety of names, including infection kit, crimeware kit, DIY attack kit and malware toolkit. Cybercriminals use these toolkits to attack system vulnerabilities to distribute malware or engage in other malicious activities, such as stealing corporate data, launching denial of service attacks or building botnets.
- To prevent exploit kits, an organization should deploy antimalware software as well as a security program that continually evaluates whether its security controls are effective and provide protection against attacks. Enterprises should also install antiphishing tools, because many exploit kits use phishing or compromised websites to penetrate the network.

9. Advanced persistent threat attacks
- An advanced persistent threat (APT) is a targeted cyberattack in which an unauthorized intruder penetrates a network and remains undetected for an extended period of time. Rather than causing damage to a system or network, the goal of an APT attack is to monitor network activity and steal information, using tools to gain access that include exploit kits and malware. Cybercriminals typically use APT attacks to target high-value targets, such as large enterprises and nation-states, stealing data over a long period.
- To prevent APT attacks: Detecting anomalies in outbound data may be the best way for system administrators to determine if their networks have been targeted. Indicators of APTs include the following:
  - Unusual activity on user accounts.
  - Extensive use of backdoor Trojan horse malware, a method that enables APTs to maintain access.
  - Odd database activity, such as a sudden increase in database operations involving massive amounts of data.
  - The presence of unusual data files, possibly indicating that data has been bundled into files to assist in the exfiltration process.
- To combat this type of information security threat, an organization should also deploy a software, hardware or cloud firewall to guard against APT attacks. Organizations can also use a web application firewall to detect and prevent attacks coming from web applications by inspecting HTTP traffic.
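The DDoS slide says an administrator who knows how much bandwidth a site normally uses will catch the attack, and the APT slide says anomalies in outbound data are the best indicator of a long-running intrusion. Both reduce to the same check: compare today's volume for each host against that host's own history. The Python script below is an added example serving both slides, not from the slides or the textbook; the daily outbound-byte records and host names are constructed, and the two thresholds (three standard deviations above the baseline mean, and at least twice the mean) are my own choices for illustration rather than values the chapter gives.

```python
import statistics
from collections import defaultdict

# Constructed daily outbound-volume records (not real traffic): date,host,bytes_out
SAMPLE_LOG = """\
2024-04-24,ws-17,1200000
2024-04-25,ws-17,1150000
2024-04-26,ws-17,1300000
2024-04-27,ws-17,1250000
2024-04-28,ws-17,1180000
2024-04-29,ws-17,1220000
2024-04-30,ws-17,1260000
2024-05-01,ws-17,1240000
2024-04-24,ws-22,850000
2024-04-25,ws-22,820000
2024-04-26,ws-22,880000
2024-04-27,ws-22,800000
2024-04-28,ws-22,860000
2024-04-29,ws-22,840000
2024-04-30,ws-22,830000
2024-05-01,ws-22,41000000
2024-04-24,srv-db,5000000
2024-04-25,srv-db,5100000
2024-04-26,srv-db,5200000
2024-04-27,srv-db,5300000
2024-04-28,srv-db,5400000
2024-04-29,srv-db,5200000
2024-04-30,srv-db,5100000
2024-05-01,srv-db,5300000
"""

def parse_log(text):
    """Group bytes_out by host, in date order; input is one record per line."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, bytes_out = line.split(",")
        per_host[host].append((date, int(bytes_out)))
    for host in per_host:
        per_host[host].sort()
    return per_host

def assess_outbound(per_host, observed_date, sigma=3.0, ratio=2.0, min_days=5):
    """Compare each host's volume on observed_date with its own baseline.

    A host is flagged only when the observed volume is both more than `sigma`
    standard deviations above its baseline mean and more than `ratio` times that
    mean; the ratio floor stops a very flat baseline from flagging ordinary
    day-to-day variation.
    """
    results = {}
    for host, series in per_host.items():
        baseline = [b for d, b in series if d != observed_date]
        observed = [b for d, b in series if d == observed_date]
        if len(baseline) < min_days or not observed:
            continue   # not enough history to say what "normal" is for this host
        mean = statistics.mean(baseline)
        stdev = statistics.pstdev(baseline)
        value = observed[0]
        results[host] = {
            "observed": value,
            "baseline_mean": mean,
            "times_baseline": value / mean,
            "flagged": value > mean + sigma * stdev and value > ratio * mean,
        }
    return results

def flagged_hosts(text=SAMPLE_LOG, observed_date="2024-05-01"):
    report = assess_outbound(parse_log(text), observed_date)
    return sorted(host for host, r in report.items() if r["flagged"])

if __name__ == "__main__":
    for host, r in assess_outbound(parse_log(SAMPLE_LOG), "2024-05-01").items():
        print(f"{host}: {r['observed']:>10} bytes, {r['times_baseline']:.1f}x baseline, flagged={r['flagged']}")
```

On the constructed data only ws-22 is flagged (roughly 49 times its baseline); srv-db's busy day stays inside its normal band, which is the point of keeping a per-host baseline rather than one network-wide threshold. The same per-host comparison applied to inbound volume gives the "visual clue" the DDoS slide describes.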

10. Malvertising
- Malvertising is a technique cybercriminals use to inject malicious code into legitimate online advertising networks and web pages. This code typically redirects users to malicious websites or installs malware on their computers or mobile devices. Users' machines may get infected even if they don't click on anything to start the download. Cybercriminals may use malvertising to deploy a variety of moneymaking malware, including cryptomining scripts, ransomware and banking Trojans.
- Some of the websites of well-known companies, including Spotify, The New York Times and the London Stock Exchange, have inadvertently displayed malicious ads, putting users at risk.
- To prevent malvertising, ad networks should add validation; this reduces the chances a user could be compromised. Validation could include vetting prospective customers by requiring legal business paperwork; requiring two-factor authentication; scanning potential ads for malicious content before publishing an ad; or converting Flash ads to animated GIFs or other types of content.

Compromises to Intellectual Property
- Intellectual property (IP) can be trade secrets, copyrights, trademarks, and patents
- IP is protected by copyright and other laws, carries the expectation of proper attribution or credit to its source, and potentially requires the acquisition of permission for its use, as specified in those laws
- The unauthorized appropriation of IP constitutes a threat to information security
- This category includes two primary areas:
  - Software piracy
  - Copyright protection and user registration

Deviations in Quality of Service
- An organization’s information system depends on the successful operation of many interdependent support systems, including power grids, data and telecommunications networks, parts suppliers, service vendors, and even janitorial staff and garbage haulers
- Any of these support systems can be interrupted by severe weather, employee illnesses, or other unforeseen events
- Irregularities in Internet service, communications, and power supplies can dramatically affect the availability of information and systems
- Subcategories of this threat include the following:
  - Internet Service Issues
  - Communications and Other Service Provider Issues
  - Power Irregularities

Espionage or Trespass
- When an unauthorized person gains access to information an organization is trying to protect, the act is categorized as espionage or trespass
- Attackers can use many different methods to access the information stored in an information system
- Some information-gathering techniques are legal—for example, using a Web browser to perform market research
- These legal techniques are collectively called competitive intelligence
- When information gatherers employ techniques that cross a legal or ethical threshold, they are conducting industrial espionage

Espionage or Trespass
- In the real world, a hacker frequently spends long hours examining the types and structures of targeted systems and uses skill, guile, and/or fraud to attempt to bypass controls placed on information owned by someone else
- Hackers possess a wide range of skill levels, as with most technology users
- However, most hackers are grouped into two general categories—the expert hacker and the novice hacker
- Once an attacker gains access to a system, the next step is to increase privileges (privilege escalation)
- Most accounts associated with a system have only rudimentary “use” permissions, so the attacker needs administrative or “root” privileges

Espionage or Trespass: Password Attacks
- Password attacks fall under the category of espionage or trespass just as lock-picking falls under breaking and entering
- Attempting to guess or reverse-calculate a password is often called cracking
- There are several alternative approaches to password cracking:
  - Brute force attack: the application of computing and network resources to try every possible password combination
  - Dictionary password attack: a variation of the brute force attack that narrows the field by using a dictionary of common passwords and includes information related to the target user
  - Rainbow tables: a database of hashed values and their unencrypted equivalents against which an encrypted password file can be compared
  - Social engineering password attack: attackers posing as employees may attempt to gain access to systems information by asking other employees for their usernames and passwords, then using the information to gain access to organizational systems
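Dictionary attacks and rainbow tables both depend on one property of the stored password file: the same password always produces the same stored value, so a digest computed once can be matched against every account. The standard control is a random per-user salt combined with a deliberately slow, iterated hash. The script below is an added example, not from the slides or the textbook; the short list of common passwords standing in for a precomputed table is constructed, and PBKDF2-HMAC-SHA256 with 200,000 iterations is one reasonable choice of scheme, not a value the chapter specifies.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # assumption: one reasonable work factor

# Constructed stand-in for a precomputed table of common passwords
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]

def unsalted_digest(password):
    """Unsalted storage: the same password always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def build_lookup_table(candidates):
    """Precomputed digest -> password map. A rainbow table or dictionary lookup
    relies on exactly this, and it only works while digests are reproducible."""
    return {unsalted_digest(p): p for p in candidates}

def salted_digest(password, salt):
    """Salted, iterated storage: the per-user salt makes every digest unique and
    the iteration count makes each individual guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS).hex()

def store_salted(password):
    salt = os.urandom(16)            # fresh random salt for every account
    return {"salt": salt, "digest": salted_digest(password, salt)}

def verify_salted(password, record):
    """Legitimate login: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(salted_digest(password, record["salt"]), record["digest"])

def compare_schemes(password="hunter2"):
    """Two accounts share one weak password; see how each storage scheme fares
    against the precomputed table."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_a, unsalted_b = unsalted_digest(password), unsalted_digest(password)
    salted_a, salted_b = store_salted(password), store_salted(password)
    return {
        "unsalted_digests_identical": unsalted_a == unsalted_b,
        "unsalted_found_in_table": table.get(unsalted_a) == password,
        "salted_digests_identical": salted_a["digest"] == salted_b["digest"],
        "salted_found_in_table": salted_a["digest"] in table or salted_b["digest"] in table,
        "legitimate_login_still_works": verify_salted(password, salted_a),
    }

if __name__ == "__main__":
    for name, outcome in compare_schemes().items():
        print(f"{name}: {outcome}")
```

With unsalted storage one table lookup resolves both accounts at once; with a per-user salt the two digests differ from each other and from every table entry, so any guessing has to be repeated per account at the full iteration cost, while the legitimate login path is unaffected. Salting does nothing against the social-engineering approach on the slide, which bypasses the password file entirely.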

Forces of Nature Forces of nature can present some of the most dangerous threats because they usually occur with little warning and are beyond control Because it is not possible to avoid these threats, organizations must implement controls to limit damage and prepare contingency plans for continued operations Force majeure, or “superior force,” includes forces of nature as well as civil disorder and acts of war Most forces of nature can only be mitigated through insurance, although careful facilities design and placement can reduce the likelihood of damage

Forces of Nature Some typical force of nature threats include the following: Fire Flood Earthquake Lightning Landslide or Mudslide Tornadoes or Severe Windstorms Hurricanes, Typhoons, and Tropical Depressions Tsunami Electrostatic Discharge (ESD) Dust Contamination

Human Error or Failure This category includes acts performed without intent or malicious purpose or in ignorance by an authorized user When people use information systems, mistakes happen Similar errors happen when people fail to follow established policy Inexperience, improper training, and incorrect assumptions are just a few things that can cause human error or failure One of the greatest threats to an organization’s information security is its own employees, as they are the threat agents closest to the information Human error or failure often can be prevented with training, ongoing awareness activities, and controls

Human Error or Failure Some typical attacks that exploit human error or failure include the following: Social Engineering Advance-fee Fraud Phishing URL Manipulation Web site Forgery Spear Phishing Pretexting
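The URL manipulation and Web site forgery entries above rely on a reader misjudging where a link really goes. Below is an added example, not from the textbook, that pulls apart the usual tricks (a legitimate-looking name placed before an "@", the brand used as a subdomain of an attacker's domain, punycode or non-ASCII homograph hosts, plain HTTP). The brand domain `bank.example` and all URLs are constructed for illustration.

```python
"""Added example (not from the textbook): flag URL-manipulation tricks used in
phishing links. BRAND_DOMAIN and the sample URLs are constructed."""
from urllib.parse import urlsplit

BRAND_DOMAIN = "bank.example"   # assumed legitimate domain (constructed)


def is_brand_host(host: str, brand: str = BRAND_DOMAIN) -> bool:
    """True only if the host is the brand domain itself or one of its subdomains."""
    return host == brand or host.endswith("." + brand)


def analyze_url(url: str, brand: str = BRAND_DOMAIN) -> dict:
    """Return the host the browser would actually connect to plus a list of findings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    # https://bank.example@evil.example/ : everything before '@' is userinfo, not the host.
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")

    if parts.scheme != "https":
        findings.append("not HTTPS")

    # Internationalised hostnames can imitate Latin letters (homograph attack).
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        findings.append("non-ASCII host (possible homograph)")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode-encoded host (possible homograph)")

    # https://bank.example.evil.example/ : the brand is just a label inside another domain.
    if not is_brand_host(host, brand) and brand in url.lower():
        findings.append("brand name present but host is not the brand domain")

    return {"host": host, "legitimate_host": is_brand_host(host, brand), "findings": findings}


if __name__ == "__main__":
    # Constructed sample links as they might appear in a phishing message.
    for link in [
        "https://secure.bank.example/login",
        "https://bank.example@evil.example/login",
        "https://bank.example.evil.example/login",
        "http://bank.example/login",
        "https://xn--bnk-7cd.example/",
    ]:
        print(link, "->", analyze_url(link))
```

`urlsplit` is the same parser a script would use to decide where a link points; the important lesson for awareness training is the first finding, since most people read the text before the "@" as the destination.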

Information Extortion Information extortion, also known as cyberextortion, commonly follows the theft of credit card numbers: the attacker threatens to publish or sell the data unless paid Recent information extortion attacks have involved specialized forms of malware known as ransomware that encrypt the user’s data and offer to unlock it if the user pays the attacker

Sabotage or Vandalism This category of threat involves the deliberate sabotage of a computer system or business, or acts of vandalism to destroy an asset or damage the image of an organization These acts can range from petty vandalism by employees to organized sabotage against an organization Vandalism to a Web site can erode consumer confidence, diminishing an organization’s sales, net worth, and reputation Activism in the digital age: Online Activism Cyberterrorism and Cyberwarfare Positive Online Activism

Software Attacks Deliberate software attacks occur when an individual or group designs and deploys software to attack a system This attack can consist of specially crafted software that attackers trick users into installing on their systems This software can be used to overwhelm the processing capabilities of online systems or to gain access to protected systems by hidden means

Software Attacks Malware, including viruses, worms, Trojan horses, polymorphic threats and hoaxes Back doors, trap doors, and maintenance hooks Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks E-mail attacks such as spam, mail bombs and social engineering attacks Communications interception attacks such as packet sniffers, spoofing, pharming and man-in-the-middle attacks like TCP hijacking or session hijacking

Technical Hardware Failures Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability In hardware terms, failures are measured in mean time between failures (MTBF) and mean time to failure (MTTF) MTBF presumes that the item can be repaired or returned to service, whereas MTTF presumes the item must be replaced From a repair standpoint, MTBF = MTTF + MTTD + MTTR, where mean time to diagnose (MTTD) measures the time to identify the fault and mean time to repair (MTTR) measures the time to fix it

Technical Software Failures Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved Sometimes, combinations of certain software and hardware reveal new failures that range from bugs to untested failure conditions Sometimes these bugs are not errors, but purposeful shortcuts left by programmers for benign or malign reasons that bypass security checks; these are known as trap doors For years one of the most popular vulnerability reporting channels was BugTraq, the mailing list hosted by SecurityFocus, which provided up-to-the-minute information on the latest security vulnerabilities as well as a thorough archive of past bugs (the list has since been retired)

Technical Software Failure The Open Web Application Security Project (OWASP) list of “The Ten Most Critical Web Application Security Risks” for 2013 (the list has been revised since, but these categories remain common): Injection Broken authentication and session management Cross-site scripting (XSS) Insecure direct object references Security misconfiguration Sensitive data exposure Missing function level access control Cross-site request forgery (CSRF) Using components with known vulnerabilities Unvalidated redirects and forwards

Deadly Sins of Software Security Web Application Sins: SQL Injection, Web Server-Related Vulnerabilities, Web Client-Related Vulnerabilities (XSS), Use of Magic URLs, Predictable Cookies and Hidden Form Fields Implementation Sins: Buffer Overruns, Format String Problems, Integer Overflows, C++ Catastrophes, Catching Exceptions, Command Injection, Failure to Handle Errors Correctly, Information Leakage, Race Conditions, Poor Usability, Not Updating Easily, Executing Code with Too Much Privilege, Failure to Protect Stored Data, The Sins of Mobile Code
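Injection heads the OWASP list on the previous slide and SQL Injection opens the web application sins above. The following added example, not from the textbook, OWASP or the "Deadly Sins" book, shows the sin and its fix side by side: a login check that splices user input into SQL, and the same check written with a parameterized query. The table, rows and payloads are constructed and run against an in-memory SQLite database.

```python
"""Added example (not from the textbook): SQL injection in a login check and the
parameterized fix. Database contents and attack payloads are constructed."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed users table; password_hash values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def login_vulnerable(conn, username: str, password_hash: str):
    """SIN: attacker-controlled text becomes part of the SQL grammar."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password_hash: str):
    """FIX: placeholders bind the values as data; quotes and comments in the
    input are never interpreted as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


# Constructed payloads.
COMMENT_OUT_PASSWORD = "alice' --"      # closes the string, comments out the rest
ALWAYS_TRUE = "' OR '1'='1"             # turns the WHERE clause into a tautology


if __name__ == "__main__":
    db = setup_db()
    print("normal login     :", login_vulnerable(db, "alice", "hash-of-alice-pw"))
    print("vulnerable, comment:", login_vulnerable(db, COMMENT_OUT_PASSWORD, "wrong"))
    print("vulnerable, OR 1=1 :", login_vulnerable(db, "nobody", ALWAYS_TRUE))
    print("safe, comment      :", login_safe(db, COMMENT_OUT_PASSWORD, "wrong"))
    print("safe, OR 1=1       :", login_safe(db, "nobody", ALWAYS_TRUE))
```

With the first payload the vulnerable query becomes `... WHERE username = 'alice' --' AND password_hash = 'wrong'`, and everything after `--` is a comment. The parameterized version runs the identical statement shape every time, so the same inputs simply fail to match a row.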

Deadly Sins of Software Security Cryptographic Sins: Use of Weak Password Based Systems, Weak Random Numbers, Using the Wrong Cryptography Networking Sins: Failure to Protect Network Traffic, Improper Use of PKI, Especially SSL, Trusting Network Name Resolution
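"Weak random numbers" is the cryptographic sin that is easiest to commit by accident. The added example below, not from the textbook or the "Deadly Sins" book, issues a session token from a general-purpose PRNG seeded with a coarse timestamp and then shows how an attacker who knows roughly when the token was issued recovers it by replaying the generator; the fix uses the operating system's CSPRNG via `secrets`. The issue time, window and token format are constructed for illustration.

```python
"""Added example (not from the textbook): a guessable-seed token versus a CSPRNG token.
The timestamps and search window are constructed."""
import hmac
import random
import secrets


def weak_token(seed_time: int) -> str:
    """SIN: Mersenne Twister seeded with a Unix timestamp in seconds. The output is
    fully determined by a value the attacker can narrow to a small range."""
    rng = random.Random(seed_time)
    return "%032x" % rng.getrandbits(128)


def recover_weak_token(observed_token: str, approx_time: int, window: int = 300):
    """Attacker side: replay the generator for every second around the suspected
    issue time until the output matches. Returns the seed found, or None."""
    for candidate in range(approx_time - window, approx_time + window + 1):
        if hmac.compare_digest(weak_token(candidate), observed_token):
            return candidate
    return None


def strong_token() -> str:
    """FIX: 128 bits from the OS CSPRNG; there is no seed to guess."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    issued_at = 1_700_000_000          # constructed issue time
    token = weak_token(issued_at)
    print("weak token      :", token)
    print("recovered seed  :", recover_weak_token(token, issued_at + 42))
    print("strong token    :", strong_token())
```

A ten-minute window costs the attacker 601 PRNG replays. Even without a guessable seed, `random` is not suitable for secrets: Mersenne Twister's internal state can be reconstructed from 624 consecutive outputs, after which every future value is predictable.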

Technological Obsolescence Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems Management must recognize that once technology is no longer maintained by its vendor, newly discovered vulnerabilities go unpatched and the integrity of the data it holds is at risk from attack Ideally, proper planning by management should prevent technology from becoming obsolete, but when obsolescence is clear, management must take immediate action Perhaps the most significant case of technology obsolescence in recent years is Microsoft’s Windows XP, whose extended support ended in April 2014

Theft The value of information is diminished when it is copied without the owner’s knowledge Physical theft can be controlled easily using a wide variety of measures, from locked doors to trained security personnel and the installation of alarm systems Electronic theft, however, is a more complex problem to manage and control Theft often overlaps with software attacks, espionage or trespass, information extortion, and compromises to intellectual property

What is management? Chapter 01: Introduction to the Management of Information Security

What Is Management? Management is the process of achieving objectives using a given set of resources A manager is a member of the organization assigned to marshal and administer resources, coordinate the completion of tasks, and handle the many roles necessary to complete the desired objectives

Managerial Roles Informational role: Collecting, processing, and using information that can affect the completion of the objective Interpersonal role: Interacting with superiors, subordinates, outside stakeholders, and other parties that influence or are influenced by the completion of the task Decisional role: Selecting from among alternative approaches, and resolving conflicts, dilemmas, or challenges

The Difference Between Leadership and Management A leader influences employees so that they are willing to accomplish objectives: He or she is expected to lead by example and demonstrate personal traits that instill a desire in others to follow In other words, leadership provides purpose, direction, and motivation to those who follow By comparison, a manager administers the resources of the organization: He or she creates budgets, authorizes expenditures and hires employees Effective managers can be effective leaders

Behavioral Types of Leaders There are three basic behavioral types of leaders: the autocratic, the democratic, and the laissez-faire

Management Characteristics Two basic approaches to management are: Traditional management theory uses the core principles of planning, organizing, staffing, directing, and controlling (POSDC) Popular management theory categorizes the principles of management into planning, organizing, leading, and controlling (POLC)

The Planning-Controlling Link

Planning The process of developing, creating, and implementing strategies for the accomplishment of objectives is called planning: Strategic planning—This occurs at the highest levels of the organization and for a long period of time, usually five or more years Tactical planning—This focuses on production planning and integrates organizational resources at a level below the entire enterprise and for an intermediate duration (such as one to five years) Operational planning—This focuses on the day-to-day operations of local resources and occurs in the present or the short term

The Control Process

Governance Governance is “the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly” Governance emphasizes escalating the importance of InfoSec to the uppermost levels of the organization and providing it with an appropriate level of management

Solving Problems Step 1: Recognize and Define the Problem Step 2: Gather Facts and Make Assumptions Step 3: Develop Possible Solutions Step 4: Analyze and Compare Possible Solutions (Feasibility analyses) Step 5: Select, Implement, and Evaluate a Solution

Principles of Information Security Management Chapter 01: Introduction to the Management of Information Security

Principles of Information Security Management The unique functions of information security management are known as the six Ps: Planning Policy Programs Protection People Project Management

InfoSec Planning Planning as part of InfoSec management is an extension of the basic planning model discussed earlier in this chapter Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of information security strategies, as they exist within the IT planning environment

InfoSec Planning Several types of InfoSec plans exist: incident response planning business continuity planning disaster recovery planning policy planning personnel planning technology rollout planning risk management planning and security program planning including education, training and awareness

InfoSec Planning Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of InfoSec strategies within the planning environments of all organizational units, including IT Because the InfoSec strategic plans must support not only the IT use and protection of information assets, but those of the entire organization, it is imperative that the CISO work closely with all senior managers in developing InfoSec strategy

Policy Policy is “a set of organizational guidelines that dictate certain behavior within the organization” In InfoSec, there are three general categories of policy: Enterprise information security policy (EISP) Issue-specific security policy (ISSP) System-specific policies (SysSPs)

Programs InfoSec operations that are specifically managed as separate entities A security education, training and awareness (SETA) program is one such entity Other programs that may emerge include a physical security program covering fire protection, physical access control, gates, guards, and so on

Protection The protection function is executed via a set of risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, and tools Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan

People People are the most critical link in the information security program This area of InfoSec includes security personnel and the security of personnel, as well as aspects of the SETA program mentioned earlier

Projects The final component is the application of thorough project management discipline to all elements of the information security program Project management involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting the process as progress is made toward the goal

Project Management Information security is a process, not a project; however, each element of an information security program must be managed as a project, even if the overall program is perpetually ongoing How can information security be both a process and a project? It is, in fact, a continuous series, or chain, of projects Some aspects of information security are not project based; rather, they are managed processes (operations) and are ongoing

Summary Because businesses and technology have become more fluid, the narrower concept of computer security has been replaced by the broader concept of InfoSec From an InfoSec perspective, organizations often have three communities of interest: InfoSec managers and professionals, IT managers and professionals, and nontechnical managers and professionals The C.I.A. triad is based on three desirable characteristics of information: confidentiality, integrity, and availability To make sound decisions about information security, management must be informed about threats to its people, applications, data, and information systems

Summary (cont.) Threats or dangers facing an organization’s people, information, and systems fall into the following general categories: Compromises to intellectual property Deviations in quality of service Espionage or trespass Forces of nature Human error or failure Information extortion Sabotage or vandalism Software attacks Technical hardware failures or errors Technical software failures or errors Technological obsolescence Theft

Summary (cont.) An attack is a deliberate act that takes advantage of a vulnerability to compromise a controlled system. It is accomplished by a threat agent that damages or steals an organization’s information or physical assets. A vulnerability is an identified weakness in a controlled system, where controls are not present or are no longer effective Poor software development practices can introduce significant risk, but by building sound development practices, change control, and quality assurance into the process, overall software quality and the security performance of software can be greatly enhanced In its simplest form, management is the process of achieving objectives by using resources The important distinction between a leader and a manager is that a leader influences employees so that they are willing to accomplish objectives, whereas a manager creates budgets, authorizes expenditures, and hires employees

Summary (cont.) The traditional approach to management theory uses the core principles of planning, organizing, staffing, directing, and controlling (POSDC). Another approach to management theory categorizes the principles of management into planning, organizing, leading, and controlling (POLC) The process that develops, creates, and implements strategies for the accomplishment of objectives is called “planning.” There are three levels of planning: strategic, tactical, and operational InfoSec management operates like all other management units, but the goals and objectives of the InfoSec management team are different in that they focus on the secure operation of the organization