Chapter 4

This document discusses threats to information security in organizations. It defines information security and identifies two major categories of threats: unintentional threats caused by human error, and deliberate threats such as espionage, sabotage, and software attacks. Some key points include: human mistakes from carelessness or lack of training are a major risk; interconnected networks increase vulnerabilities; smaller portable devices make data theft easier; and social engineering techniques try to induce unintended mistakes.

Uploaded by Dan

1) Security = degree of protection against criminal activity, danger, damage,
and/or loss.
2) Info security = all of the processes & policies designed to protect an
organization's info and info systems from unauthorized access, use,
disclosure, disruption, modification, or destruction.
3) Threat to an info resource = any danger to which a system may be
exposed.
4) Exposure of an info resource = the harm, loss, or damage that can result if
a threat compromises that resource.
5) Info resource's vulnerability = the possibility that the sys will be harmed
by a threat.
6) 5 key factors contributing to increasing vulnerability of organizational info
resources:
a) Interconnected, interdependent, wirelessly networked business
environment.
i) Trusted network = any network within your organization.
ii) Untrusted network = any network external to your organization.
iii) Wireless is an inherently non-secure broadcast communication
medium.
b) Smaller, faster, cheaper computers & storage devices.
i) E.g., flash drives.
ii) Easier to steal or lose a computer or storage device that contains
huge amounts of sensitive info.
c) Decreasing skills necessary to be a computer hacker.
d) International organized crime taking over cybercrime.
i) Cybercrime = illegal activities conducted over computer networks,
particularly the internet.
e) Lack of mgmt. support.
7) 2 major categories of threats: unintentional threats, deliberate threats.
a) Unintentional threats:
i) Acts performed without malicious intent that nevertheless
represent a serious threat to info security.
ii) Major reason is human error.
(1) The higher the level of employee, the greater the threat he
poses to info security.
(a) Because they have greater access to corporate data and
enjoy greater privileges on organizational info systems.
(2) HR & IS areas of the organization pose a significant threat to info
security.
(a) Human resource employees have access to sensitive
organizational data. Info sys employees have access to
sensitive organizational data and also often control the
means to create, store, transmit and modify that data.
(3) Other employees include contract labor, consultants, janitors &
guards.
(a) They have a key to every office and nobody questions their
presence in even the most sensitive parts of the building.
(b) Present after most employees have gone home.
(4) Mistakes by employees pose a large problem as the result of
laziness, carelessness, or a lack of awareness concerning info
security.
(a) Lack of awareness is due to poor education and training
efforts by company.
(5) Examples of human mistakes:
(a) Carelessness with laptops: misplacing or losing them.
(b) Carelessness with computing devices: losing them, or using them
carelessly so that malware is introduced into the organization's
network.
(c) Opening questionable emails, careless internet surfing.
(d) Poor passwords.
(e) Carelessness with the office: unlocked desks, not logging off.
(f) Carelessness using unmanaged devices (devices outside the
control of the organization, e.g., a customer's or a Starbucks
computer).
(g) Carelessness with discarded equipment: discarding old
devices without completely wiping the memory.
(h) Careless monitoring of environmental hazards: dirt, dust,
humidity, and static electricity are harmful to operation of
computing devices.
iii) Attackers employ social engineering to induce individuals to make
unintentional mistakes & disclose sensitive info.
iv) Social engineering = an attack in which the perpetrator uses social
skills to trick or manipulate a legitimate employee into providing
confidential company info such as passwords.
(1) E.g., tailgating = technique designed to allow the perpetrator to
enter restricted areas that are controlled with locks or card
entry. The perpetrator follows closely behind an employee and, when
the employee gains entry, asks him to hold the door.
(2) E.g., shoulder surfing = perpetrator watches an employee's
computer screen over the employee's shoulder.
(a) Successful in public area such as airports, trains and
airplanes.
b) Deliberate threats:
i) Espionage or trespass:
(1) Unauthorized individual attempts to gain illegal access to
organizational info.
(2) Competitive intelligence = legal info-gathering techniques, e.g., a
company's website, press releases, attending trade shows, etc.
(3) Industrial espionage = crosses the legal boundary.
ii) Info extortion = attacker either threatens to steal, or actually steals
info from a company.
(1) Perpetrator demands payment for not stealing the info, for
returning stolen info, or for agreeing not to disclose the info.

iii) Sabotage or vandalism = defacing an organization's website,
possibly damaging the organization's image & causing its
customers to lose faith.
(1) E.g., hacktivist or cyberactivist operations are cases of high-tech
civil disobedience to protest the operations, policies, or actions
of an organization or govt. agency.
iv) Theft of equipment or info:
(1) Smaller devices are becoming easier to steal or use to steal info.
(2) Dumpster diving = practice of rummaging through commercial
or residential trash to find info that has been discarded.
v) Identity theft = deliberate assumption of another person's identity,
usually to gain access to his financial info or to frame him for a
crime.
(1) Techniques include: stealing mail; dumpster diving; stealing
personal info from computer databases; infiltrating organizations
that store large amounts of personal info (e.g., a data aggregator
such as Acxiom); impersonating a trusted organization in an
electronic communication (phishing).
(2) Recovering from identity theft is costly, time consuming and
difficult.
vi) Compromises to intellectual property (protect intellectual property):
(1) Intellectual property = property created by individuals or
corporations that is protected under trade secret, patent &
copyright laws.
(2) Trade secret = intellectual work, e.g., a business plan, that is a
company secret & is not based on public info. E.g., the Coca-Cola
formula.
(3) Patent = official document that grants the holder exclusive
rights on an invention or a process for a specified period of time.
(4) Copyright = statutory grant that provides the creators or owners
of intellectual property with ownership of the property, also for a
designated period.
(a) Copyright Act includes software. E.g., source code & object
code of computer software, but does not clearly identify what
is eligible for protection.
(b) Piracy is a major problem for software vendors.
vii) Software attack:
(1) Remote attacks requiring user action:
(a) Virus = segment of computer code that performs malicious
actions by attaching to another computer program.
(b) Worm = segment of computer code that performs malicious
actions & will replicate, or spread by itself.
(c) Phishing attack = uses deception to acquire sensitive personal
info by masquerading as official-looking emails or instant
messages.
(d) Spear phishing attack = whereas phishing attacks target large
groups of ppl, spear phishing perpetrators find out as much info
about an individual as possible to improve their chances that
phishing techniques will be able to obtain sensitive, personal
info.
(2) Remote attacks needing no user action:
(a) Denial of service attack = attacker sends so many info
requests to a target computer sys that the target cannot
handle them successfully and typically crashes (ceases to
function).
(b) Distributed denial of service attack = attacker first takes over
many computers, typically by using malicious software.
These computers are called zombies or bots. The attacker uses
these bots, which form a botnet, to deliver a coordinated
stream of info requests to a target computer, causing it to
crash.
(3) Attacks by a programmer developing a system:
(a) Trojan horse = software programs that hide in other
computer programs & reveal their designed behavior only
when they are activated.
(b) Back door (a.k.a. trap door) = typically a password, known
only to the attacker, that allows him to access a computer
system at will, without having to go through any security
procedures.
(c) Logic bomb = segment of computer code that is embedded
within an organization's existing computer programs & is
designed to activate & perform a destructive action at a
certain time or date.
viii) Alien software or pestware:
(1) Clandestine software that is installed on your computer through
duplicitous methods.
(2) Many PCs have it running on them without the owners knowing
about it.
(3) Not malicious, but uses up valuable sys resources.
(4) Can report on your web surfing habits & other personal behavior.
(5) Adware = software that causes pop up advertisement to appear
on your screen.
(6) Spyware = collects personal info about users without their
consent.
(a) E.g., keystroke loggers & screen scrapers.
(7) Keystroke loggers / keyloggers record both your individual
keystrokes & internet web browsing history for criminal, theft or
advertising purposes.
(a) CAPTCHA is a test to counter keyloggers by switching to
other forms of identifying users. It is a string of distorted
letters & users have to type them correctly into a box.
(i) Computers cannot accurately read those distorted letters.
Thus, the fact that you can transcribe them means that
you are probably not a software program run by an
unauthorized person, such as a spammer.
(ii) Thus, attackers have turned to screen scrapers / screen
grabbers. This software records a continuous movie of a
screen's contents rather than simply recording keystrokes.
(8) Spamware = uses your computer as a launch pad for spammers.
(a) Spam is unsolicited email, usually advertising for products &
services.
(9) Cookies = small amounts of info that web sites store on your
computer, temporarily or permanently.
(a) Useful & innocuous.
(b) Tracking cookies = used to track your path through a
website, the time you spend there, what links you click on, &
other details that the company wants to record, usually for
mktg. purposes.
ix) Supervisory control & data acquisition (SCADA) attacks:
(1) SCADA = Large scale, distributed measurement & control
system.
(2) SCADA is used to control or monitor chemical, physical &
transport processes such as oil refineries, water & sewage
treatment plants, electrical generators & power plants.
(3) SCADA provides a link between the physical world & the electronic
world.
(4) If an attacker gains access to the network, they can cause serious
damage.
x) Cyberterrorism & cyberwarfare = malicious acts in which attackers
use a target's computer system, via the internet, to cause physical,
real-world harm or severe disruption, usually to carry out a political
agenda.
xi) Cyberterrorism is carried out by individuals or groups.
xii) Cyberwarfare is carried out by nation states.
c) Organizations perform risk mgmt. to protect their info resources.
i) Risk = probability that a threat will impact an info resource.
ii) Risk mgmt. = identify, control & minimize the impact of threats.
Reduce risk to acceptable lvl. 3 processes: risk analysis, risk
mitigation & control evaluation.
(1) Risk analysis: ensures that security programs are cost
effective.
(a) Step 1: assessing the value of each asset being protected.
(b) Step 2: estimating the probability that each asset will be
compromised.
(c) Step 3: comparing the probable costs of the asset being
compromised with the costs of protecting that asset.
(2) Risk mitigation: take concrete actions against risk.

(a) 2 functions: 1) implementing controls to prevent identified
threats from occurring; 2) developing a means of recovery
should the threat become a reality.
(b) Strategy:
(i) Risk acceptance: accept the potential risk, continue
operating with no controls, & absorb any damages that
occur.
(ii) Risk limitation: limit the risk by implementing controls
that minimize the impact of the threat.
(iii) Risk transference: transfer the risk by using other means
to compensate for the loss, such as by purchasing
insurance.
(3) Controls evaluation: examines the costs of implementing
adequate control measures against the value of those control
measures.
(a) If costs of control are greater than value of asset being
protected, then control is not cost effective.
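Worked example of the three risk analysis steps, the choice between the three mitigation strategies and the controls evaluation rule above, as added Python code that is not part of these notes or the textbook. The asset register, its dollar figures and per-year probabilities, and the rule that the probable cost of a compromise is value times probability are constructed assumptions.

```python
"""Risk analysis, mitigation strategy choice and controls evaluation for a
small constructed asset register, following the three steps in the outline."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float           # Step 1: assessed value of the asset (constructed figure)
    p_compromise: float    # Step 2: estimated probability it is compromised this year
    control_cost: float    # price of the control that would prevent the threat
    insurance_cost: float  # price of transferring the risk; 0 if no insurer will cover it


def probable_cost(asset: Asset) -> float:
    """Probable cost of the asset being compromised (Step 3's left-hand side).
    Assumption: expected loss = value x probability of compromise."""
    return asset.value * asset.p_compromise


def control_is_cost_effective(asset: Asset) -> bool:
    """Controls evaluation: a control is only worthwhile when it costs less than
    the probable loss it prevents, and never when it costs more than the asset.
    Assumption: the control prevents the identified threat entirely."""
    return (asset.control_cost < probable_cost(asset)
            and asset.control_cost <= asset.value)


def choose_strategy(asset: Asset) -> str:
    """Pick one of the outline's three risk mitigation strategies."""
    if control_is_cost_effective(asset):
        return "limitation"        # implement the control
    if 0 < asset.insurance_cost < probable_cost(asset):
        return "transference"      # insurance is cheaper than the expected loss
    return "acceptance"            # operate with no control and absorb damages


# Constructed register: figures are illustrative, not from the chapter.
REGISTER = [
    Asset("customer database", value=500_000, p_compromise=0.10,
          control_cost=20_000, insurance_cost=30_000),
    Asset("lobby visitor kiosk", value=2_000, p_compromise=0.50,
          control_cost=3_000, insurance_cost=500),
    Asset("printed marketing brochures", value=300, p_compromise=0.20,
          control_cost=400, insurance_cost=0),
]


def risk_plan(register=REGISTER) -> dict:
    """Map each asset name to (probable cost, chosen strategy)."""
    return {a.name: (probable_cost(a), choose_strategy(a)) for a in register}


if __name__ == "__main__":
    for name, (cost, strategy) in risk_plan().items():
        print(f"{name:32s} probable cost {cost:>9,.0f}  -> risk {strategy}")
```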
8) Information security controls:
a) Controls = defense mechanism = countermeasures.
i) Designed to protect all of the components of an info sys, including
data, software, hardware and networks.
ii) Because there are so many threats, organizations utilize layers of
controls / defense in depth.
b) 3 types of control: physical, access & communication.
c) Physical controls = prevent unauthorized individuals from gaining
access to a company's facilities.
i) Include walls, doors, fencing, gates, badges, guards, & alarm
systems.
ii) Pressure sensors, temp sensors, & motion detectors.
iii) Disadvantage: inconvenient to employees.
iv) Guards deserve special attention because they have difficult jobs. 2
reasons:
(1) Jobs are boring & repetitive & generally do not pay well.
(2) If guards perform jobs thoroughly, other employees harass
them, particularly if they slow up the process of entering the
facility.
v) Also limit computer users to acceptable login times & locations.
(1) Limit number of unsuccessful login attempts.
(2) Require employees to log off computer before they leave for the
day.
(3) Set employees' computers to automatically log off after a certain
period of disuse.
d) Access control = restrict unauthorized individuals from using info
resources.
i) 2 major functions:
(1) Authentication = confirms the identity of the person requiring
access. After authentication, next step is authorization.

(a) 4 methods:
(i) Something the user is = biometrics. Examines a person's
innate physical characteristics. E.g., fingerprint, palm,
retina scans, iris recognition & facial recognition.
(ii) Something the user has = includes regular identification
(ID) cards, smart ID cards & tokens.
1. Regular ID / dumb card = person's picture & his
signature.
2. Smart ID card = embedded chip that stores pertinent
info about the user.
a. Smart ID cards used for identification differ from
smart cards used in electronic commerce. Both have
chips, but diff purposes.
3. Tokens = embedded chips & digital display that
presents a login number that employees use to
access the organization's network. The number changes
with each login.
(iii) Something the user does = includes voice & signature
recognition.
(iv) Something the user knows = passwords & passphrases.
1. Passwords should be strong and long. Disadvantage: they are
harder to remember than weaker passwords. Thus, employees
often write them down, which defeats the purpose.
a. The ideal solution is to create a strong password
that is also easy to remember. Thus, passphrases are
used.
2. Passphrase = series of characters that is longer than
password but is still easy to memorize. E.g.,
maytheforcebewithyou.
a. To turn passphrase to strong password, can take
first letter of each word in passphrase and add
number. E.g., Mtfbwy9.
(b) Multifactor authentication = implementing more than one type
of authentication to authenticate users more efficiently &
effectively.
(i) Important when users log in from remote locations.
(ii) E.g., single-factor authentication: weakest. Two-factor
authentication: password + biometrics, etc.
(iii) Stronger authentication = more expensive. Stronger
passwords = more irritating to users.
(2) Authorization = determines which actions, rights, or privileges
the person has, based on his verified identity.
(a) Privilege = collection of related computer system operations
that a user is authorized to perform.

(b) Companies base authorization policies on the principle of
least privilege, which posits that users be granted the
privilege for an activity only if there is a justifiable need for
them to perform that activity.
e) Communication controls (a.k.a. network control) = secure the
movement of data across networks. Consist of firewalls, anti-malware
systems, whitelisting & blacklisting, encryption, virtual private
networks (VPNs), secure socket layer (SSL), & employee monitoring
systems.
i) Firewalls = system that prevents a specific type of info from moving
between untrusted networks, such as internet & private networks
(e.g., company network).
(1) All messages entering or leaving company networks pass through
the firewall.
(2) The firewall examines each message & blocks those that do not
meet specified security rules.
(3) A company usually has external & internal firewalls & a demilitarized
zone (DMZ) between the 2 firewalls.
(4) The DMZ handles web page requests & email.
(5) The danger of viruses is so severe that companies place firewalls at
strategic points inside their private networks. If a worm or virus
gets through both the external & internal firewall, then internal
damage may be contained.
ii) Anti-malware systems (a.k.a. antivirus / AV software) = software
that identifies & eliminates viruses & worms, known as malware.
(1) Vendors create definitions or signatures of various types of malware &
update these signatures in their products.
(2) Anti-malware systems are reactive: they filter traffic according to a
database of specific problems.
(a) Firewalls filter network traffic according to categories of
activities likely to cause problems.
iii) Whitelisting & blacklisting: used to prevent malware attacks because AV
software is usually reactive.
(1) Whitelisting = process in which a company identifies the
software that it will allow to run on its computers. Allow nothing
to run unless it is on the whitelist.
(2) Blacklisting = allow everything to run unless it is on the
blacklist.
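Added example (not from these notes or the textbook) showing why the reactive AV / blacklisting approach lets a never-before-seen program run while whitelisting blocks it. The three sample programs and the use of a SHA-256 hash of the file contents as the software's identity are constructed assumptions.

```python
"""Signature-based anti-malware (blacklisting) versus whitelisting, run over
three constructed 'executables'. The byte strings stand in for real binaries."""
import hashlib

# Constructed sample programs (assumption: file contents identify the program).
PROGRAMS = {
    "payroll.exe": b"approved payroll application, build 1.4",
    "oldworm.exe": b"worm that the AV vendor has already catalogued",
    "newtrojan.exe": b"freshly written trojan horse nobody has seen before",
}


def fingerprint(data: bytes) -> str:
    """Identify software by the SHA-256 of its contents, as both lists would."""
    return hashlib.sha256(data).hexdigest()


# Reactive signature database: only malware that has already been analysed.
BLACKLIST = {fingerprint(PROGRAMS["oldworm.exe"])}
# Company whitelist: only the software the company has decided to allow.
WHITELIST = {fingerprint(PROGRAMS["payroll.exe"])}


def blacklisting_allows(data: bytes) -> bool:
    """Blacklisting / AV: everything runs unless its signature is known bad."""
    return fingerprint(data) not in BLACKLIST


def whitelisting_allows(data: bytes) -> bool:
    """Whitelisting: nothing runs unless it is on the approved list."""
    return fingerprint(data) in WHITELIST


def compare_policies(programs=PROGRAMS) -> dict:
    """Return {name: (allowed under blacklisting, allowed under whitelisting)}."""
    return {name: (blacklisting_allows(d), whitelisting_allows(d))
            for name, d in programs.items()}


if __name__ == "__main__":
    for name, (bl, wl) in compare_policies().items():
        print(f"{name:14s} blacklisting={'run' if bl else 'block'}  "
              f"whitelisting={'run' if wl else 'block'}")
```

The new trojan is the case the outline is about: no signature exists for it yet, so the blacklist lets it run, while the whitelist blocks it because it was never approved.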
iv) Encryption = process of converting an original message into a form
that cannot be read by anyone except for the intended receiver.
(1) Public key encryption (a.k.a. asymmetric encryption) = uses two
diff keys: a public key & a private key.
(a) Both keys are created simultaneously using the same
algorithm. Thus, data encrypted with one key can be
decrypted with the other key.
(b) Public key = publicly available in a directory that all parties
can access.
(c) Private key = kept secret, never shared with anyone & never
sent across the internet.
(2) Certificate authority = acts as a trusted intermediary between
companies.
(a) Issues digital certificates & verifies the integrity of the
certificates.
(b) Digital certificate = electronic document attached to a file
that certifies that the file is from the organization it claims to
be from & has not been modified from its original format.
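Added toy example (not from these notes or the textbook) of the two-key idea in (1) and of the origin-and-integrity check a digital certificate's signature gives in (2), using textbook RSA with small primes. The sample file and the choice of primes are assumptions; the certificate authority itself is not shown, only the signature it would vouch for.

```python
"""Toy public key encryption and digital certificate check with textbook RSA.
Key sizes here are tiny teaching values; real systems use 2048-bit or larger keys."""
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """One algorithm creates both keys at once: public (e, n) and private (d, n).
    p and q are primes the key owner keeps secret; e must be coprime to phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse: e * d = 1 (mod phi)
    return (e, n), (d, n)


def apply_key(value: int, key) -> int:
    """Encrypting with one key and decrypting with the other are the same
    operation, value ** exponent mod n, which is why either key undoes the other."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def file_digest(data: bytes, n: int) -> int:
    """Fingerprint of a file, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_file(data: bytes, private_key) -> int:
    """Organization signs the file's digest with its private key (never shared)."""
    return apply_key(file_digest(data, private_key[1]), private_key)


def verify_file(data: bytes, signature: int, public_key) -> bool:
    """Anyone with the public key checks origin and integrity: the signature
    only decrypts to the digest if it was made with the matching private key
    and the file has not changed since."""
    return apply_key(signature, public_key) == file_digest(data, public_key[1])


# Classic textbook values (p=61, q=53, e=17) give a modulus small enough to follow by hand.
SMALL_PUBLIC, SMALL_PRIVATE = make_keypair(61, 53, e=17)   # (17, 3233), (2753, 3233)

# Larger (still toy) Mersenne primes for the signature so digest collisions are negligible.
ORG_PUBLIC, ORG_PRIVATE = make_keypair(2**61 - 1, 2**31 - 1)

# Constructed "file" distributed by the organization.
RELEASE = b"installer v2.0 contents (constructed sample)"

if __name__ == "__main__":
    ciphertext = apply_key(65, SMALL_PUBLIC)        # 2790
    print("65 ->", ciphertext, "->", apply_key(ciphertext, SMALL_PRIVATE))
    sig = sign_file(RELEASE, ORG_PRIVATE)
    print("genuine file verifies:", verify_file(RELEASE, sig, ORG_PUBLIC))
    print("tampered file verifies:", verify_file(RELEASE + b"!", sig, ORG_PUBLIC))
```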
v) Virtual private networking (VPN):
(1) Private network that uses a public network to connect users.
(2) Virtual because it has no separate physical existence.
(3) Created by using log-ins, encryption & other techniques to
enhance the user's privacy, the right to be left alone & free of
unreasonable personal intrusion.
(4) Advantages:
(a) Allow remote users to access the company network.
(b) Provide flexibility. Mobile users can access the organization's
network from properly configured remote devices.
(c) Organizations can impose their security policies through
VPNs.
(i) E.g., only corporate emails are available to users when
connecting from unmanaged devices.
(5) To provide secure transmission, VPNs use a process called
tunneling.
(6) Tunneling encrypts each data packet to be sent & places each
encrypted packet inside another packet. Thus, packet can travel
across the internet with confidentiality, authentication &
integrity.
vi) Secure Sockets Layer (SSL):
(1) Now called transport layer security (TLS).
(2) Encryption std. used for secure transactions such as credit card
purchases & online banking.
(3) TLS encrypts & decrypts data between a web server & a browser
end to end.
(4) TLS is indicated by a URL that begins with https rather than
http. It often displays a small padlock icon in the browser's
status bar.
vii) Employee monitoring system:
(1) Organizations protect their networks against what they view as one of
their major security threats, namely employee mistakes.
(2) Proactive approach: monitoring employees' computers, email
activities, & internet surfing activities.

(3) Useful to identify employees who spend too much time surfing
on the internet for personal reasons, who visit questionable
websites, or who download music illegally.
f) Business continuity plan (a.k.a. disaster recovery plan):
i) Prepare for, react to & recover from events that affect the security
of info assets.
ii) Objective is to restore the business to normal operations as quickly
as possible following an attack.
iii) Strategy:
(1) Hot sites = fully configured computer facility, with all services,
communication links, & physical plant operations.
(a) Duplicates computing resources, peripherals, telephone
systems, applications & workstations.
(2) Warm site = provides many of the same services & options as
the hot site, but does not include the actual applications the
company needs.
(a) Includes computing equipment such as servers, but does not
include user workstations.
(3) Cold site = provides only rudimentary services & facilities, such
as a building or a room with heating, air conditioning & humidity
control.
(a) Provides no hardware or user workstations.
(b) Takes care of long lead-time issues.
(i) Installing high speed communication lines or high
capacity power takes a long time. Even building or renting
takes a long time.
(4) Hot sites reduce risk to the greatest extent, but are the most expensive
option. Cold sites reduce risk the least, but are the least expensive.
g) Info system auditing:
i) Ensure that info systems work properly.
ii) In IS environment, audit = examination of info sys, inputs, outputs
& processing.
iii) Types of auditors & audits:
(1) Internal auditing.
(2) External auditing = reviews findings of the internal audit as well as
inputs, processing, & outputs of info systems.
(a) Usually performed by a CPA firm.
(b) Focuses on issues such as operations, data integrity, software
applications, security & privacy, budgets & expenditures,
cost control & productivity.
iv) Auditing procedures fall into 3 categories:
(1) Auditing around the computer = verifying processing by
checking for known outputs using a specific approach. Best used
in systems with limited outputs.
(2) Auditing through the computer = inputs, outputs & processing
are checked. Auditors review program logic & test data.

(3) Auditing with the computer = using a combination of client data,
auditor software, & client & auditor hardware. Enables the auditor to
perform tasks such as simulating payroll program logic using live
data.
