Chapter 13: Information Security - Barbarians at the Gateway

13.1 Introduction

- Information security is everyone's business and needs to be made a top organizational priority.
- Firms suffering a security breach can experience direct financial loss, exposed proprietary information, fines, legal payouts, court costs, damaged reputations, plummeting stock prices, and more.
- Information security isn't just a technology problem; a host of personnel and procedural factors can create and amplify a firm's vulnerability.

13.2 Why is This Happening? Who is Doing it? And What's Their Motivation?

- Motivations: account theft, illegal funds transfer, stealing personal financial data, extortion, espionage, compromising computing assets for use in other crimes, cyberwarfare, terrorism, pranksters, protest hacking, revenge.
- Data harvesters: cybercriminals who infiltrate systems and collect data for illegal resale.
- Cash-out fraudsters: criminals who might purchase data from the harvesters in order to buy, then resell, goods using stolen credit cards, or create false accounts via identity theft.
- Botnets: hordes of computers linked and controlled remotely, a.k.a. zombie networks. Hackers will use botnets to send spam from thousands of difficult-to-shut-down accounts, launch tough-to-track click fraud efforts, or DDoS.
- Distributed denial of service (DDoS): an attack where the firm's computer systems are flooded with thousands of seemingly legitimate requests; the sheer volume will slow or shut down the site. Often performed via botnets.
- Cyberwarfare: Stuxnet infiltrated Iranian nuclear facilities and reprogrammed the industrial control software operating hundreds of uranium-enriching centrifuges.
- Hacktivists: protesters seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage.
- Hacker: depending on the context, may be applied either to someone who breaks into computer systems or to a particularly clever programmer.
- White hat hackers: someone who uncovers computer weaknesses without exploiting them; the goal is to improve security.
- Black hat hackers: a computer criminal.

Key Takeaways
o Computer security threats have moved beyond the curious teen with a PC and are now sourced from a number of motivations, including theft, leveraging compromised computing assets, extortion, espionage, warfare, terrorism, pranks, protest, and revenge.
o Threats can come from both within the firm as well as from the outside.
o Cybercriminals operate in an increasingly sophisticated ecosystem where data harvesters and tool peddlers leverage sophisticated online markets to sell to cash-out fraudsters and other crooks.
o Technical and legal complexity make pursuit and prosecution difficult.
o Many law enforcement agencies are underfunded, underresourced, and underskilled to deal with the growing hacker threat.

13.3 Where are Vulnerabilities? Understanding the Weaknesses

- Every physical or network touch point is a potential vulnerability.
- 70% of security incidents involve insiders.
- Social engineering: games that trick employees into revealing information or performing other tasks that compromise a firm. Examples include:
  o Impersonating senior management
  o Identifying a key individual as a friend
  o Making claims with confidence and authority
  o Baiting someone to clarify information
  o Using harassment or guilt
  o Using an attractive individual to charm others into gaining information
- Phishing: a con executed using technology, typically targeted at acquiring sensitive information or tricking someone into installing malicious software that could record passwords and keystrokes.
- Spoofed: forging or disguising the origin or identity; faked.
- Zero-day exploits: attacks that are so new that they haven't been clearly identified and haven't made it into security screening systems.
- Most valuable assets are kept secure via one thin layer of protection: the password.
- Biometrics: technologies that measure and analyze human body characteristics for identification or authentication (fingerprint readers, retina scanners, voice and face recognition).
- Malware: seeks to compromise a computing system without permission; threatens nearly any connected system running software.
- Methods of infection:
  o Viruses: programs that infect other software or files; they require an executable (a running program) to spread, attaching to other executables.
  o Worms: programs that take advantage of a security vulnerability to spread automatically; they do not require an executable.
  o Trojans: try to sneak in by masquerading as something they are not.
- Address the goal of the malware:
  o Botnets (zombie networks): hordes of infected computers linked and controlled remotely by a central command; used to decipher CAPTCHAs (those scrambled character images that help distinguish whether a computer or a human is performing the action).
  o Malicious adware: programs installed without full user consent or knowledge that later serve unwanted advertisements.
  o Spyware: software that monitors user actions or network traffic, or scans for files.
  o Keylogger: a type of spyware that records user keystrokes.
  o Screen capture: a variant of the keylogger approach that records the pixels that appear on a user's screen for later playback, in hopes of getting information.
  o Blended threats: attacks combining multiple malware or hacking exploits.
- Domain name service (DNS): a collection of software that maps an Internet address, such as www, to an IP address.
- Dumpster diving: combing through trash to identify valuable assets.
- Shoulder surfing: gaining compromising information through observation (looking over one's shoulder).
- Encryption: scrambling data using a code or formula, known as a cipher, such that it is hidden from those who do not have the unlocking key.
- Key: the code that unlocks encryption; the larger the key, the harder it is to crack the combination.
- Brute-force attacks: an attack that exhausts all possible password combinations in order to break into an account.
- Public key encryption: a two-key system used for securing electronic transmissions. One key is distributed publicly and is used to encrypt (lock) data, but it can't unlock data; unlocking can only be performed with the private key. The private key also cannot be reverse engineered from the public key.
- Certificate authority: a trusted third party that provides authentication services in public key encryption schemes.

Key Takeaways
o An organization's information assets are vulnerable to attack from several points of weakness, including users and administrators, its hardware and software, its networking systems, and various physical threats.
o Social engineering attempts to trick or con individuals into providing information


UMD BMGT 301 - Chapter 13: Information Security-Barbarians at the Gateway
