SLIDE INDEX
Chapter 4
Chapter Outline
Learning Objectives
Learning Objectives (continued)
4.1 Introduction to Information Security
Key Information Security Terms
Get Protection
Threats / Protection
Network Issues
Five Factors Increasing the Vulnerability of Information Resources
Networked Business Environment
Smaller, Faster Devices
Decreasing Skills Needed to be a Hacker
Organized Crime Taking Over Cybercrime
Lack of Management Support
4.2 Unintentional Threats to Information Systems
Security Threats
Most Dangerous Employees
Consultants, Janitors and Security Guards
Human Errors
Social Engineering
The "King" of Social Engineering
4.3 Deliberate Threats to Information Systems
There are many types of deliberate attacks including:
Deliberate Threats
Deliberate Threats (continued)
Is the email really from eBay, or PayPal, or a bank?
Example Continued – bottom of the email
How to see what is happening: View Source
View Source – The Real Link
Another Example – Amazon
Example of CAPTCHA
What if a SCADA attack were successful?
Example of SCADA attack (and cyberwarfare)
4.4 What Organizations Are Doing to Protect Themselves
Risk Management
Risk Mitigation Strategies
4.5 Information Security Controls
Where Defense Mechanisms (Controls) Are Located
Access Controls
Access Controls (continued)
Communications Controls
Communication or Network Controls (continued)
Basic Home Firewall (top) and Corporate Firewall (bottom)
How Public Key Encryption Works
How Digital Certificates Work
Virtual Private Network and Tunneling
Employee Monitoring System
Business Continuity Planning, Backup, and Recovery
Information Systems Auditing
IS Auditing Procedure

CHAPTER 4
Information Security

CHAPTER OUTLINE
4.1 Introduction to Information Security
4.2 Unintentional Threats to Information Security
4.3 Deliberate Threats to Information Security
4.4 What Organizations Are Doing to Protect Information Resources
4.5 Information Security Controls

LEARNING OBJECTIVES
1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one.
2. Compare and contrast human mistakes and social engineering, and provide a specific example of each one.
3. Discuss the ten types of deliberate attacks listed in Section 4.3.

LEARNING OBJECTIVES (continued)
4. Define the three risk mitigation strategies, and provide an example of each one in the context of owning a home.
5. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.

4.1 Introduction to Information Security

Key Information Security Terms
• Information security – the processes and policies that protect an organization's information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
• Threat – any danger to which an information resource may be exposed
• Exposure – the harm, loss, or damage that can result if a threat compromises an information resource
• Vulnerability – the possibility that the system will suffer harm from a threat; in practice, a specific weakness in code, configuration, or process that a threat can exploit
• Example of a threat: attacks on banks

Get Protection
Links: C-Net, Spyware, UNCW resources, Microsoft Security Essentials

Threats / Protection
• Firewalls
• Anti-malware
• Whitelisting and blacklisting
• Encryption
  – Public key
  – Private key
  – Digital certificates

Network Issues
• Virtual private network (VPN)
• Secure Sockets Layer (SSL), since superseded by TLS – see also HTTPS
• Monitor employees
• Use IT audits (both internal and external)
• When all else fails – business continuity plan

Five Factors Increasing the Vulnerability of Information Resources
1. Today's interconnected, interdependent, wirelessly networked business environment
2. Smaller, faster, cheaper computers and storage devices
3. Decreasing skills necessary to be a hacker
4. Organized crime taking over cybercrime
5. Lack of management support

Networked Business Environment
• Especially WIRELESS networks

Smaller, Faster Devices

Decreasing Skills Needed to be a Hacker
• New and easier tools make it very easy to attack the network
• Attacks are becoming increasingly sophisticated

Organized Crime Taking Over Cybercrime
• An international threat
• Are government agencies involved in cybercrime?

Lack of Management Support

4.2 Unintentional Threats to Information Systems

Security Threats

Most Dangerous Employees
• Human resources and MIS
• These employees have the broadest access to sensitive information

Consultants, Janitors and Security Guards
• These people get wide access without much supervision

Human Errors
• Carelessness with laptops and portable computing devices
• Opening questionable e-mails
• Careless Internet surfing
• Poor password selection and use
• And more

Social Engineering
• Two examples: tailgating and shoulder surfing

The "King" of Social Engineering
Link: Hacker Caught – Kevin Mitnick
• Social engineering is typically an unintentional human error on the part of an employee, but it is the result of a deliberate action on the part of an attacker
• Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him (link: see his company here)

4.3 Deliberate Threats to Information Systems

There are many types of deliberate attacks including:
• Espionage or trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property
• Software attacks
• Alien software
• Supervisory control and data acquisition (SCADA) attacks
• Cyberterrorism and cyberwarfare

Deliberate Threats
• Espionage or trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information – for example, dumpster diving

Deliberate Threats (continued)
• Identity theft (link: identity theft video)
• Compromises to intellectual property

Deliberate Threats (continued)
Software attacks
• Virus – segment of malicious code that attaches itself to another program and runs when that program runs
• Worm – self-contained malicious code that spreads on its own, typically over a network, without needing a host program (see the Stuxnet worm)
• Trojan horse – malicious code hidden inside, or disguised as, a legitimate program; it does its real work only once that program is run
• Logic bomb – segment of malicious code that lies dormant and causes damage when a specified condition is met, often a date or time

Software attacks (continued)
• Phishing attacks (links: phishing slideshow, phishing quiz)

Phishing
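The "Is the email really from eBay, or PayPal, or a bank?" and "View Source – The Real Link" slides make one practical point: the visible text of a link in a phishing e-mail need not match where the link actually goes, and viewing the message source exposes the real target. The Python script below is an added example, not code from the deck or the textbook, that performs the same inspection programmatically: it parses an HTML message body, pairs each anchor's visible text with its real href, and flags the usual tells (visible text naming one domain while the href goes to another, a brand name buried inside an unrelated domain, a bare IP address as the target). The sample message, the TRUSTED_DOMAINS list and all function names are constructed for the illustration; the base-domain heuristic takes the last two labels and a production tool would consult the Public Suffix List to handle domains such as co.uk.

```python
"""Show the real targets behind links in an HTML e-mail (added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a link whose visible text says PayPal but whose
# href goes elsewhere, a genuine PayPal link, and a link to a bare IP address.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear customer, your account has been limited.</p>
<p>Please sign in at
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a>
to restore access.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">our help center</a>.</p>
<p>Or click <a href="http://192.0.2.10/secure">here</a> now.</p>
</body></html>
"""

# Brands the reader expects to see in mail; a hypothetical list for the example.
TRUSTED_DOMAINS = ["paypal.com", "ebay.com", "amazon.com"]


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a href=...> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._href = href
                self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Hostname of a URL; bare 'www.example.com' text is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip_address(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def base_domain(host):
    """Last two labels of a hostname; IP addresses are returned unchanged.
    Heuristic only: real tools use the Public Suffix List (co.uk, etc.)."""
    if is_ip_address(host):
        return host
    return ".".join(host.split(".")[-2:])


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def analyze_links(links, trusted_domains):
    """Return (text, href, reasons) per link; an empty reasons list means no tell found."""
    findings = []
    for text, href in links:
        href_host = host_of(href)
        reasons = []
        if is_ip_address(href_host):
            reasons.append("link target is a bare IP address")
        if looks_like_url(text):
            text_host = host_of(text)
            if base_domain(text_host) != base_domain(href_host):
                reasons.append(f"visible text shows {text_host} but link goes to {href_host}")
        for brand in trusted_domains:
            # e.g. paypal.com.account-verify.example: the brand is a subdomain of a stranger
            if brand in href_host and base_domain(href_host) != brand:
                reasons.append(f"brand {brand} used inside unrelated domain {base_domain(href_host)}")
        findings.append((text, href, reasons))
    return findings


def analyze_email(html, trusted_domains=TRUSTED_DOMAINS):
    return analyze_links(extract_links(html), trusted_domains)


def suspicious_count(findings):
    return sum(1 for _, _, reasons in findings if reasons)


if __name__ == "__main__":
    for text, href, reasons in analyze_email(SAMPLE_EMAIL_HTML):
        print(f"[{'SUSPICIOUS' if reasons else 'ok'}] text={text!r} href={href!r}")
        for reason in reasons:
            print("    -", reason)
```

Run against the constructed message, the first and third links are flagged and the genuine help-center link is not. The same check is what a user does by hand when hovering over a link or reading the source: compare the domain the text claims with the domain the href actually resolves to.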
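The Threats / Protection slide lists public keys, private keys and digital certificates as encryption controls, and the slide index shows later slides titled "How Public Key Encryption Works" and "How Digital Certificates Work". The following Python block is an added example, not from the deck or the textbook, that ties the three together with textbook RSA: encrypt with the recipient's public key and decrypt with the private key; sign with the private key and verify with the public key; and build a certificate, which is nothing more than a certificate authority's signature over "this name owns this public key", then show that swapping another key into the certificate breaks the signature. The primes, names, messages and function names are constructed for the illustration. Unpadded RSA with moduli this small is not secure and is used here only to show the mechanics; real certificates (X.509) are also checked for validity dates, a chain to a trusted root, and revocation.

```python
"""Textbook RSA plus a minimal digital certificate (added example, toy only)."""
import hashlib

# Constructed toy primes (Mersenne primes). Real keys use two random ~1024-bit
# primes; these are far too small for security but large enough to show the math.
ALICE_PRIMES = (2**31 - 1, 2**61 - 1)
CA_PRIMES = (2**89 - 1, 2**107 - 1)
MALLORY_PRIMES = (2**89 - 1, 2**127 - 1)


def generate_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus (no padding in this toy)")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(data, n):
    """Hash the data and reduce it into the modulus; signatures act on this value."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    """Only the private key holder can sign; anyone can verify with the public key."""
    n, d = private_key
    return pow(digest(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)


def certificate_body(subject, public_key):
    n, e = public_key
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(ca_private_key, subject, subject_public_key):
    """A certificate is the CA's signature over 'this subject owns this public key'."""
    body = certificate_body(subject, subject_public_key)
    return {"subject": subject, "public_key": subject_public_key,
            "signature": sign(ca_private_key, body)}


def certificate_is_valid(ca_public_key, cert):
    """Recompute the signed body from the certificate and check the CA signature."""
    body = certificate_body(cert["subject"], cert["public_key"])
    return verify(ca_public_key, body, cert["signature"])


def demo():
    """Walk through the three uses and return each check as a boolean."""
    alice_pub, alice_priv = generate_keypair(*ALICE_PRIMES)
    ca_pub, ca_priv = generate_keypair(*CA_PRIMES)
    mallory_pub, _ = generate_keypair(*MALLORY_PRIMES)

    secret = b"session-key"            # 11 bytes, fits under Alice's ~92-bit modulus
    order = b"Pay 100 USD to Bob"
    order_sig = sign(alice_priv, order)
    cert = issue_certificate(ca_priv, "alice@example.com", alice_pub)
    forged = dict(cert, public_key=mallory_pub)   # Mallory swaps in her own key

    return {
        "decrypts": decrypt(alice_priv, encrypt(alice_pub, secret)) == secret,
        "signature_verifies": verify(alice_pub, order, order_sig),
        "tampered_message_rejected": not verify(alice_pub, b"Pay 900 USD to Bob", order_sig),
        "certificate_valid": certificate_is_valid(ca_pub, cert),
        "forged_certificate_rejected": not certificate_is_valid(ca_pub, forged),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check:30s} {'PASS' if passed else 'FAIL'}")
```

The point of the forged-certificate check is the one the "How Digital Certificates Work" slide makes: a public key on its own proves nothing about who owns it; the CA's signature over the name-plus-key binding is what lets a relying party trust that the key belongs to alice@example.com.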