Chapter 1_Overview

ASKMEDIA 92 views 59 slides Aug 31, 2025

IS Security Management: Overview of IS Security

Outline
- IS security concepts and frameworks
- IS security risks, threats and vulnerabilities

1. IS security concepts: key concepts; approaches to information security implementation

1. Definitions and key concepts
What is security? “The quality or state of being secure—to be free from danger.” To be protected from adversaries, from those who would do harm, intentionally or otherwise.
A successful organization should have multiple layers of security in place:
- Physical security
- Personal security
- Operations security
- Communications security
- Network security
- Information security

Definitions and key concepts: What is security?
- Physical security – to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
- Personal security – to protect the individual or group of individuals who are authorized to access the organization and its operations.
- Operations security – to protect the details of a particular operation or series of activities.
- Communications security – to protect an organization’s communications media, technology, and content.
- Network security – to protect networking components, connections, and contents.

Definitions and key concepts
To meet objectives and keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function. This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data.

Definitions and key concepts
Information system security is the collection of activities that protect the information system and the data stored in it. It is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Information security: a “well-informed sense of assurance that the information risks and controls are in balance.”
IS security is a classic battle of “good vs. evil.”

Definitions and key concepts
- Computer security – the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (including hardware, software, firmware, information/data, and telecommunications).
- IT security management – a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity and reliability.

Definitions and key concepts
IT security management functions include:
- creating organizational IT security objectives, strategies and policies
- determining organizational IT security requirements
- identifying and analyzing security threats to IT assets
- identifying and analyzing risks
- specifying appropriate safeguards
- monitoring the implementation and operation of safeguards
- developing and implementing a security awareness program
- detecting and reacting to incidents

IT security management process

Definitions and key concepts: The C.I.A. triangle
The industry standard for computer security since the development of the mainframe. It is based solely on three characteristics that describe the utility of information: confidentiality, integrity, and availability. When you design and use security controls, you are addressing one or more of these components.

Definitions and key concepts: Confidentiality
The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
Data confidentiality assures that confidential information is not disclosed to unauthorized individuals:
- of personal data and information: credit card account numbers and bank account numbers; Social Security numbers and address information
- of intellectual property of businesses: copyrights, patents, and secret formulas; source code, customer databases, and technical specifications
- of national security: military intelligence; homeland security and government-related information

Definitions and key concepts: Integrity
The quality or state of being whole, complete, and uncorrupted.
- Data integrity: assures that information and programs are changed only in a specified and authorized manner.
- System integrity: assures that a system performs its operations in an unimpaired manner.
The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state. Data has integrity if it is not altered, is valid, and is accurate.
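The slide defines data integrity as data being changed only in an authorized manner. One standard control that makes that property checkable is a keyed message authentication code stored alongside each record: whoever holds the key can re-tag an authorized change, while any other modification fails verification. The example below is added here and is not part of the original slides; the record, the key and the field names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key comes from a key store or HSM,
# never from source code; it is inline here only so the example runs stand-alone.
DEMO_KEY = b"demo-integrity-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record: dict, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 tag over the record. Only a holder of the key can produce a valid tag,
    so a stored tag distinguishes authorized changes (re-tagged) from unauthorized ones."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = DEMO_KEY) -> bool:
    """True only if the record matches the tag under this key.
    compare_digest runs in constant time, so the check does not leak how many bytes matched."""
    return hmac.compare_digest(tag_record(record, key), tag)


def demo() -> tuple:
    """Tag a constructed account record, then verify an unchanged copy, a tampered copy,
    and a tag produced with a different key."""
    original = {"account": "12345", "balance": 250.00, "currency": "USD"}
    tag = tag_record(original)
    unchanged = dict(original)
    tampered = dict(original, balance=25000.00)          # altered outside the authorized path
    wrong_key_tag = tag_record(original, b"some-other-key")
    return (
        verify_record(unchanged, tag),            # True: content intact
        verify_record(tampered, tag),             # False: altered without authorization
        verify_record(original, wrong_key_tag),   # False: tag not produced with our key
    )


if __name__ == "__main__":
    print(demo())
```

Note that a plain hash (SHA-256 without a key) would only detect accidental corruption: anyone who can alter the record can recompute the hash. The key is what turns the check into an integrity control against deliberate modification.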

Definitions and key concepts: Availability
Enables users who need to access information to do so without interference or obstruction and in the required format. Assures that systems work promptly and service is not denied to authorized users. Information is said to be available to an authorized user when and where needed and in the correct format.
In the context of information security, availability is generally expressed as the amount of time users can use a system, application, and data.
- Uptime: the total amount of time that a system, application, and data are accessible.
- Downtime: the total amount of time that a system, application, and data are not accessible.
Availability = (Total Uptime) / (Total Uptime + Total Downtime)
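The formula on the slide is simple, but applying it to real outage records has two details worth seeing: overlapping outages must not be double-counted, and an outage that straddles the edge of the reporting period must be clipped. This added example (not part of the original slides) computes availability from a constructed list of outage windows and compares it with a target; the 30-day period, the outages and the 99.9 % / 99.5 % targets are all constructed values.

```python
from datetime import datetime


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) pairs so concurrent outages count once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_seconds(period_start, period_end, outages):
    """Total downtime inside the reporting period, clipping outages at its edges."""
    total = 0.0
    for start, end in merge_intervals(outages):
        s, e = max(start, period_start), min(end, period_end)
        if e > s:
            total += (e - s).total_seconds()
    return total


def availability(period_start, period_end, outages):
    """Availability = uptime / (uptime + downtime), the slide's formula."""
    period = (period_end - period_start).total_seconds()
    down = downtime_seconds(period_start, period_end, outages)
    up = period - down
    return up / (up + down)


def allowed_downtime_seconds(period_start, period_end, target):
    """Downtime budget implied by a target such as 0.999 over the period."""
    return (period_end - period_start).total_seconds() * (1 - target)


def meets_target(period_start, period_end, outages, target):
    return availability(period_start, period_end, outages) >= target


def sample_report():
    """Constructed 30-day reporting period with three outages, two of which overlap."""
    start = datetime(2025, 6, 1)
    end = datetime(2025, 7, 1)
    outages = [
        (datetime(2025, 6, 3, 2, 0), datetime(2025, 6, 3, 2, 30)),
        (datetime(2025, 6, 3, 2, 20), datetime(2025, 6, 3, 2, 50)),   # overlaps the previous one
        (datetime(2025, 6, 17, 14, 0), datetime(2025, 6, 17, 14, 45)),
    ]
    return {
        "downtime_minutes": downtime_seconds(start, end, outages) / 60,   # 95, not 105
        "availability": availability(start, end, outages),
        "budget_999_minutes": allowed_downtime_seconds(start, end, 0.999) / 60,
        "meets_999": meets_target(start, end, outages, 0.999),
        "meets_995": meets_target(start, end, outages, 0.995),
    }


if __name__ == "__main__":
    for k, v in sample_report().items():
        print(f"{k}: {v}")
```

The budget line is the practical form of the formula: over 30 days, "three nines" leaves about 43 minutes of downtime, so 95 minutes of outage misses 99.9 % while still meeting 99.5 %.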

Definitions and key concepts: Critical characteristics of information in other models
The C.I.A. triangle model has expanded into a list of critical characteristics of information. The value of information comes from the characteristics it possesses: availability, accuracy, authenticity, confidentiality, integrity, utility, and possession.

Definitions and key concepts: Critical characteristics of information
- Accuracy – free from mistake or error and having the value that the end user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.
- Authenticity – the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

Definitions and key concepts: Critical characteristics of information
- Utility – the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.
- Possession – the quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.

Other key security terms
- Access – a subject’s or object’s ability to use, manipulate, modify, or affect another subject or object.
- Asset – the organizational resource that is being protected.
- Attack – an act that is an intentional or unintentional attempt to cause damage or compromise to the information and/or the systems that support it.
- Control, safeguard, or countermeasure – security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
- Exploit – to take advantage of a weakness or vulnerability in a system.
- Hack – good: to use computers or systems for enjoyment; bad: to illegally gain access to a computer or system.
- Object – a passive entity in the information system that receives or contains information.
- Risk – the probability that something can happen.

Other key security terms
- Security model – a collection of specific security rules that represents the implementation of a security policy.
- Security posture or security profile – a general label for the combination of all policies, procedures, technologies, and programs that make up the total security effort currently in place.
- Subject – an active entity that interacts with an information system and causes information to move through the system for a specific end purpose.
- Threat – a category of objects, persons, or other entities that represents a potential danger to an asset.
- Threat agent – a specific instance or component of a more general threat.
- Vulnerability – weaknesses or faults in a system or protection mechanism that expose information to attack or damage.

1.2 Approaches to Information Security Implementation

Approaches to Information Security Implementation: The Security Systems Development Life Cycle (SecSDLC)
- Uses the same phases as the traditional SDLC, adapted to support implementation of an IS security project.
- The SecSDLC is a coherent program, not a series of random, seemingly unconnected actions.
- Phases: investigation, analysis, design (logical and physical), implementation, and maintenance and change.

Approaches to Information Security Implementation: SecSDLC – Investigation
- Begins with a directive from upper management, dictating the process, outcomes, and goals of the project, as well as the constraints placed on the activity.
- Teams of responsible managers, employees, and contractors are organized, problems are analysed, and scope is defined.
- Finally, an organizational feasibility analysis is performed to determine whether the organization has the resources and commitment necessary to conduct a successful security analysis and design.

Approaches to Information Security Implementation: SecSDLC – Analysis
- The documents from the investigation phase are studied.
- A preliminary analysis of existing security policies or programs, along with documented current threats and associated controls, is conducted.
- An analysis of relevant legal issues that could impact the design of the security solution is made.
- The risk management task (identifying, assessing and evaluating the levels of risk facing the organization) also begins in this stage.

Approaches to Information Security Implementation: SecSDLC – Logical design
- Creates and develops the blueprints for security, and examines and implements key policies that influence later decisions.
- Incident response actions are planned to be taken in the event of partial or catastrophic loss: continuity planning, incident response and disaster recovery.
- A feasibility analysis determines whether the project should be continued or outsourced.

Approaches to Information Security Implementation: SecSDLC – Physical design
- The security technology needed to support the blueprint outlined in the logical design is evaluated, alternative solutions are generated, and a final design is agreed upon.
- The security blueprint may be revisited to keep it synchronized with the changes needed when the physical design is completed.
- The criteria needed to determine the definition of successful solutions are also prepared.

Approaches to Information Security Implementation: SecSDLC – Physical design (continued)
- The designs for physical security measures to support the proposed technological solutions are also made.
- A feasibility study is done to determine the readiness of the organization for the proposed project.
- The design is presented to the champion and users.

Approaches to Information Security Implementation: SecSDLC – Implementation
- Security solutions are acquired, tested, implemented, and tested again.
- Personnel issues are evaluated; specific training and education programs are conducted.
- The entire tested package is presented to management for final approval.

Approaches to Information Security Implementation: SecSDLC – Maintenance and change
- Perhaps the most important phase, given the ever-changing threat environment.
- Often, repairing damage and restoring information is a constant duel with an unseen adversary.
- The information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve.

2.1 IS security threats

Why IS security?
- Information security’s primary mission is to ensure that systems and their contents remain the same!
- “Organizations must understand the environment in which information systems operate so their information security programs can address actual and potential problems.”
- Information security has more to do with management than with technology.
- To protect an organization’s information: know the information to be protected and the systems that store, transport and process it; know the threats you face.

IS security threats

IS security threats: Common threats in the User Domain
- Lack of user awareness
- User apathy toward policies
- User violating security policy
- User inserting CD/DVD/USB with personal files
- User downloading photos, music, or videos
- User destroying systems, applications, and data
- Disgruntled employee attacking the organization or committing sabotage
- Employee blackmail or extortion

IS security threats: Common threats in the Workstation Domain
- Unauthorized workstation access
- Unauthorized access to systems, applications, and data
- Desktop or laptop operating system vulnerabilities
- Desktop or laptop application software vulnerabilities or patches
- Viruses, malicious code, and other malware
- User inserting CD/DVD/USB with personal files
- User downloading photos, music, or videos

IS security threats: Common threats in the LAN Domain
- Unauthorized physical access to the LAN
- Unauthorized access to systems, applications, and data
- LAN server operating system vulnerabilities
- LAN server application software vulnerabilities and software patch updates
- Rogue users on WLANs
- Confidentiality of data on WLANs
- LAN server configuration guidelines and standards

IS security threats: Common threats in the LAN-to-WAN Domain
- Unauthorized probing and port scanning
- Unauthorized access
- Internet Protocol (IP) router, firewall, and network appliance operating system vulnerabilities
- Local users downloading unknown file types from unknown sources

IS security threats: Common threats in the WAN Domain
- Open, public, and accessible data
- Most of the traffic being sent as clear text
- Vulnerable to eavesdropping
- Vulnerable to malicious attacks
- Vulnerable to Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Vulnerable to corruption of information and data
- Insecure Transmission Control Protocol/Internet Protocol (TCP/IP) applications
- Hackers and attackers e-mailing Trojans, worms, and malicious software freely and constantly

IS security threats: Common threats in the Remote Access Domain
- Brute force user ID and password attacks
- Multiple logon retries and access control attacks
- Unauthorized remote access to IT systems, applications, and data
- Confidential data compromised remotely
- Data leakage in violation of data classification standards
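Brute-force and repeated-logon threats in this domain are among the easiest to detect from authentication logs, because the signal is simply many failures from one source in a short time. The detector below is an added example, not part of the original slides: it reads a constructed log format (timestamp, result, user, source address, with RFC 5737 documentation addresses as sources) and raises one alert per source once a threshold of failures falls inside a sliding window, skipping malformed lines instead of crashing on them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example: "<ISO timestamp> <FAILED|SUCCESS> user=<name> src=<ip>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log. 203.0.113.7 and 198.51.100.4 are documentation addresses (RFC 5737).
SAMPLE_LOG = """\
2025-06-03T10:00:00 FAILED user=alice src=203.0.113.7
2025-06-03T10:00:05 FAILED user=bob src=203.0.113.7
2025-06-03T10:00:12 SUCCESS user=carol src=198.51.100.4
2025-06-03T10:00:15 FAILED user=carol src=203.0.113.7
2025-06-03T10:00:20 FAILED user=dave src=203.0.113.7
2025-06-03T10:00:33 FAILED user=erin src=198.51.100.4
2025-06-03T10:00:40 FAILED user=alice src=203.0.113.7
this line is malformed and must be skipped, not crash the detector
2025-06-03T10:00:55 FAILED user=bob src=203.0.113.7
""".splitlines()


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window detector: alert once per source when `threshold` failed logons
    (for any user names) fall within `window`.
    Returns a list of (src, first_ts, last_ts, failures_in_window, distinct_users_tried)."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)      # src -> distinct user names tried so far
    alerted = set()
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # malformed line: ignore, keep processing
        if m["result"] != "FAILED":
            continue                      # successes do not count toward the burst
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = recent[src]
        q.append(ts)
        users[src].add(m["user"])
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0], ts, len(q), len(users[src])))
    return alerts


if __name__ == "__main__":
    for src, first, last, n, nusers in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT {src}: {n} failed logons between {first} and {last} "
              f"across {nusers} user names")
```

Counting failures per source rather than per account is what catches password spraying, where each account sees only one or two attempts; the distinct-user count in the alert makes that pattern visible at a glance.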

IS security threats: Common threats in the Systems/Applications Domain
- Cloud computing
- Unauthorized access to data centers, computer rooms, and wiring closets
- Difficult-to-manage servers that require high availability
- Server operating system software vulnerability management
- Security required by cloud computing virtual environments
- Corrupt or lost data

IS security threats: Overview of IS security, May 2017, ISSM
Categories of threat – Examples
- Compromises to intellectual property – piracy, copyright infringement
- Software attacks – viruses, worms, macros, DoS
- Deviations in quality of service – ISP, power, WAN service issues from service providers
- Espionage or trespass – unauthorized access and/or data collection
- Forces of nature – fire, flood, earthquake, lightning
- Acts of human error or failure – accidents, employee mistakes
- Information extortion – blackmail or information disclosure
- Deliberate acts of theft – illegal confiscation of equipment or information
- Missing, inadequate, or incomplete planning/policy – loss of access to information systems due to disk drive failure, without a proper backup and recovery plan
- Missing, inadequate, or incomplete controls – network compromised because of no firewall security controls
- Sabotage or vandalism – destruction of systems or information
- Theft – illegal confiscation of equipment or information
- Technical hardware failures or errors – equipment failure
- Technical software failures or errors – bugs, code problems, unknown loopholes
- Technological obsolescence – antiquated or outdated technologies

IS security threats: Intellectual property
“The ownership of ideas and control over the tangible or virtual representation of those ideas. Use of another person’s intellectual property may or may not involve royalty payments or permission, but should always include proper credit.”
Includes: trade secrets, copyrights, trademarks, patents.

IS security threats: Deliberate software attacks
- Deliberate software attacks occur when an individual or group designs and deploys software to attack a system.
- Referred to as malicious code, malicious software or malware.
- Designed to damage, destroy, or deny service to the target systems.
- The more common instances of malicious code are viruses and worms, Trojan horses, logic bombs, and back doors.
- The first business hacked out of existence is believed to be Cloudnine (a British internet service provider), through a denial-of-service attack.

IS security threats: Deliberate software attacks
Virus
- Segments of code
- Attaches itself to an existing program
- Takes control of program access
- Replication
Worms
- Malicious program
- Replicates constantly
- Doesn’t require another program
- Can be initiated with or without a user download

IS security threats: Deliberate software attacks – Other malware
- Trojan horse – hides its true nature; reveals the designed behavior only when activated.
- Back door or trap door – a virus or worm that installs a back door or trap door component in a system, which allows the attacker to access the system at will with special privileges.
- Polymorphism – changes its apparent shape over time; makes it undetectable by techniques that look for preconfigured signatures.
- Hoaxes – warnings of dangerous viruses that do not exist, leading to chaos.

IS security threats: Espionage or trespass
When an unauthorized individual gains access to the information an organization is trying to protect.
Intelligence gathering:
- Legal – competitive intelligence
- Illegal – industrial espionage
- Thin line between the two
- One technique – shoulder surfing
Trespass – protect with authentication and authorization.

IS security threats

IS security threats: Espionage or trespass
The classic perpetrator of espionage or trespass is the hacker. Hackers are “people who use and create computer software [to] gain access to information illegally.”
Two levels:
- Experts – develop software scripts; develop program exploits.
- Novices – script kiddies use previously written software by expert hackers; packet monkeys use automated exploits developed by expert hackers.

IS security threats: Espionage or trespass – Other system rule breakers
- Crackers – individuals who crack or remove software protection designed to prevent unauthorized duplication. With the removal of the copyright protection, the software can be easily distributed and installed.
- Phreakers – use public networks to make free phone calls. With the advent of digital communications this is becoming almost obsolete.

IS security threats: Forces of nature
- Pose some of the most dangerous threats.
- Unexpected and occur with little or no warning.
Examples: fire, tornado, tsunami, electrostatic discharge, dust contamination, flood, earthquake, lightning, landslide, mudslide, hurricane/typhoon.

IS security threats: Acts of human error or failure
- Acts performed without intent or malicious purpose by an authorized user.
- The greatest threat to an organization’s information security is its own employees, who are closest to the data.
Mistakes:
- Revelation of classified data
- Entry of erroneous data
- Accidental deletion or modification of data
- Storage of data in unprotected areas
- Failure to protect information

IS security threats: Acts of human error or failure – Prevention
- Training
- Ongoing awareness activities
- Controls: require the user to type a critical command twice; verification of commands

IS security threats: Information extortion
An attacker or trusted insider steals information and demands compensation in return for agreeing not to disclose it.

IS security threats Missing, Inadequate or Incomplete Planning/policy and Controls Missing, inadequate, or incomplete organizational policy or planning makes an organization vulnerable to loss, damage, or disclosure of information assets when other threats lead to attacks. Similarly, missing, inadequate, or incomplete controls—that is, security safeguards and information asset protection controls that are missing, misconfigured, antiquated, or poorly designed or managed —make an organization more likely to suffer losses when other threats lead to attacks.

IS security threats: Sabotage or vandalism
- Deliberate sabotage of a computer system or business; acts to destroy an asset; damage to the image of an organization.
- Hacktivist or cyber activist – interferes with or disrupts systems in protest of the operations, policies, or actions of an organization.
- Cyber terrorism – cyberterrorists hack systems to conduct terrorist activities via network or Internet pathways.
Theft
- Illegal taking of another’s property: physical, electronic, intellectual.
- A constant problem; the crime is not always readily apparent.

IS security threats: Technical hardware failures or errors
- Occur when a manufacturer distributes equipment containing a known or unknown flaw, causing the system to perform outside of expected parameters, which could result in unreliable service or lack of availability.
- Some errors are terminal, i.e., they result in the unrecoverable loss of the equipment, while others are intermittent, in that they only periodically manifest themselves and thus equipment can sometimes stop working.
- Best known: Intel Pentium II chip; first ever chip recall; loss of over $475 million.
- Technology obsolescence: can lead to unreliable and untrustworthy systems.

IS security threats: Technical software failures or errors
- Large quantities of computer code are written, published, and sold before all their bugs are detected and resolved.
- Sometimes, combinations of certain software and hardware reveal new bugs.
- These failures range from bugs to untested failure conditions.
- Sometimes these bugs are not errors, but rather purposeful shortcuts left by programmers for benign or malign reasons.
- Weekly patches

IS security threats: Technology obsolescence
- Antiquated or outdated infrastructure (hardware and software) can lead to unreliable and untrustworthy systems.
- Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity from attacks.
- Should have a plan in place.
- Non-support of legacy systems is done by some software providers.
- Can be costly to resolve.

IS security attacks An attack is an act that takes advantage of a vulnerability to compromise a controlled system. A vulnerability is an identified weakness in a controlled system, where controls are not present or are no longer effective. Unlike threats , which are always present, attacks only exist when a specific act may cause a loss.

Assignment 1
1. List and describe the different IS security professionals in an organization.
2. Describe the following malicious code and attacks: malicious code, hoaxes, back doors, password crack, brute force, dictionary, denial-of-service (DoS) and distributed denial-of-service (DDoS), spoofing, man-in-the-middle, spam, mail bombing, sniffers, social engineering, phishing, pharming, timing attack.