Chapter Five
Information Systems and Cyber
security issues
Chapter objectives
• Describe the basics of information and cyber
security
• Introduce potential sources of security threats
and vulnerabilities
• Familiarize with comprehensive information
security standards and frameworks
• Introduce research and practical issues of
information security
Aims of Information security
• Protect against loss of data and assets
• Ensure safe and sustainable information systems
services
• Protect the company's reputation
• Build customers' confidence
• Avoid business and financial losses
• Protect the company from fines related to failure to
adhere to or comply with standards
Information systems security
management
Content
• Information security vs Cyber security
• Sources of security threats
• Vulnerabilities
• Types of Attack
• Security Measures
– Technical
– Managerial: Policy and Procedures
– Ethical
5.1. Information systems
security
Definitions and conceptions
• "the preservation of the Confidentiality, Integrity
and Availability of information" (ISO/IEC 27002,
2005, p. 1).
• "the protection of information and its critical
elements, including the systems and hardware that
use, store, and transmit information" (Whitman
and Mattord, 2009, p. 8).
Info sec..
• Whitman and Mattord (2009) add accuracy, authenticity, utility
and possession to the list of information characteristics that
need to be protected.
• Information security is not a product or a technology, but a
process (Mitnick and Simon, 2002, p. 4).
• According to Wood (2004) information security used to be a
strictly technical issue.
• However, as the use of computers and networks evolved, the
process of securing these computers and networks also had to
evolve to extend beyond only the technical.
Info sec..
• ICT security: all aspects relating to defining,
achieving and maintaining the confidentiality,
integrity, availability, non-repudiation,
accountability, authenticity, and reliability of
information resources (ISO/IEC 13335-1, 2004, p. 3)
• Information systems security = Information security + ICT
security + people security
Information Systems Security issues and threats
Computer Security
Figure: the four potential sources of information systems attack, all directed at the company's computer systems:
• Internal threats (dishonest employees, software failures etc.)
• Industries, government and private intelligence communities
• Business partners (customers, competitors, suppliers, etc.)
• Hackers, investigators, reporters etc.
Vulnerabilities
Hardware: the physical part of the computer, like the system memory and
disk drive
Firmware: permanent software that is embedded into a hardware device's
non-volatile memory
Software: programs that offer services to the user, like the operating system,
word processor or internet browser
Security Concerns
Three main areas:
Confidentiality is ensuring that information is available only to the
intended users
Integrity is protecting information from being modified by unauthorized
parties
Availability is protecting information from being removed by unauthorized
parties
Goals of the attacker
1. Knowing how to gain access to the computer
system
2. Knowing how to manipulate the system to
produce the desired result
3. Inflicting large-scale damage on the system and
infrastructure
Types of Computer Systems
Attack
Hacking
Unauthorized access, modification, or
use of an electronic device or some
element of a computer system
Social Engineering
Techniques or tricks used on people to gain
physical or logical access to
confidential information
Malware
Software used to do harm
Hacking
▫Hijacking
Gaining control of a computer to carry out illegal
activities
Cross-Site Scripting (XSS) attacks
Types of Malware
• Spyware
– Secretly monitors and collects information
– Can hijack browser and search requests
– Adware
• Keylogger
– Software that records user keystrokes
• Trojan Horse
– Malicious computer instructions in an authorized and properly
functioning program
• Trap door
– Set of instructions that allow the user to bypass normal
system controls
• Packet sniffer
– Captures data as it travels over the Internet
• Virus
– A section of self-replicating code that attaches to a program or
file, requiring a human to do something so it can replicate itself
• Worm
– Stand-alone self-replicating program
Grand attacks
Logic bomb: an application or system virus designed to “explode” or
execute at a specified time and date
Cyber terrorism: large-scale attack at organizational level or on national infrastructure
Cyber terrorist: intimidates or coerces a government or organization to advance
his or her political or social objectives by launching computer-based attacks against
computers, networks, and the information stored on them
Security Management
• Socio-Technical Approach is now becoming
popular
1. Technical Mechanisms
Technical Mech…
1. Access Control : Strong Password and User ID
2. Keep All Software Updated
Particularly, Anti-virus software & operating
systems
3. Standardize Software:
Make sure that all computers use the same: operating
system, Browser, Media player, Plugins etc
4. Use Network Protection Measures
Install a firewall, Ensure proper access controls, virtual
private network (VPN), Conduct proper maintenance
5. Employee Training:
End users, IT personnel, etc.
Virtual Private Network
• Securely transmits encrypted data between
sender and receiver
▫ Sender and receiver have the appropriate
encryption and decryption keys.
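The confidentiality and integrity goals from the Security Concerns slide, and the shared encryption keys the VPN slide describes, as an added example that is not part of the original slides: a constructed two-endpoint exchange in which the sender encrypts with a shared key and attaches an HMAC, and the receiver rejects any packet that was modified in transit or sealed under a different key. The stream cipher is a toy built from SHA-256 so the example runs on the standard library alone; that construction is an assumption for illustration, not what a real VPN uses.

```python
import hashlib
import hmac
import secrets

# Constructed shared keys: assume both endpoints already hold them via the VPN key exchange.
ENC_KEY = hashlib.sha256(b"constructed-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"constructed-mac-key").digest()
NONCE_LEN, TAG_LEN = 16, 32

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher for illustration only: SHA-256 over key||nonce||counter blocks.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Sender: fresh nonce, encrypt, then MAC nonce||ciphertext (encrypt-then-MAC).
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(enc_key: bytes, mac_key: bytes, packet: bytes) -> bytes:
    # Receiver: verify the tag in constant time before decrypting; reject on any mismatch.
    nonce, ciphertext, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: modified in transit or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))

def accepted(enc_key: bytes, mac_key: bytes, packet: bytes) -> bool:
    # True only if the receiver accepts the packet.
    try:
        unseal(enc_key, mac_key, packet)
        return True
    except ValueError:
        return False

def demo() -> dict:
    packet = seal(ENC_KEY, MAC_KEY, b"transfer 100 to account 42")   # constructed message
    tampered = packet[:NONCE_LEN] + bytes([packet[NONCE_LEN] ^ 0x01]) + packet[NONCE_LEN + 1:]
    other_mac_key = hashlib.sha256(b"constructed-other-key").digest()
    return {
        "plaintext_visible_on_wire": b"transfer" in packet,          # confidentiality
        "intact_accepted": accepted(ENC_KEY, MAC_KEY, packet),
        "tampered_accepted": accepted(ENC_KEY, MAC_KEY, tampered),   # integrity
        "wrong_key_accepted": accepted(ENC_KEY, other_mac_key, packet),
    }
```

Running demo() shows the intact packet accepted while the one-bit modification and the packet checked with a different key are both rejected, and the plaintext never appears on the wire.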
2. Management & Policies
Management &…..
Trust Services Framework
• Security
▫ Access to the system and data is controlled and
restricted to legitimate users.
• Confidentiality
▫ Sensitive organizational data is protected.
• Privacy
▫ Personal information about trading partners,
investors, and employees is protected.
• Processing integrity
▫ Data are processed accurately, completely, in a
timely manner, and only with proper authorization.
• Availability
▫ System and information are available.
Cyber Security
Cyber security is the collection of tools, policies, security concepts,
security safeguards, guidelines, risk management approaches,
actions, training, best practices, assurance and technologies that can
be used to protect the cyber environment and the organization's and users'
assets.
The organization's and users' assets include connected computing
devices, personnel, infrastructure, applications, services,
telecommunications systems, and the totality of transmitted and/or
stored information in the cyber environment.
5.2. Cyber Security
involves protection of :
Cyberspace itself
the electronic information,
the ICTs that support cyberspace
and the users of cyberspace in their personal, societal and
national capacity, including any of their interests, either
tangible or intangible, that are vulnerable to attacks
originating in cyberspace.
Cybersecurity Standards and
Frameworks
Classified into two main categories:
1. information security standards
• concentrate on security concerns
• ISO 27000 series, ISF SOGP, NIST 800
series, SOX, and Risk IT
2. information security governance standards
• general guidelines that cover a wide
range of domains and components in
organizations
Cybersecurity Standards…..
The evolution of standards
Cybersecurity challenges
Increasing cybercrime: Cyberattacks are becoming more frequent and
damaging
Staffing shortages: difficulty finding enough talent to handle increasing
demands
Skills gaps: Continuous on-the-job training required
Remote worker security: Securing a distributed workforce and virtual work
Uneven regulations: Varying jurisdiction and cybersecurity regulations in
different localities
Lack of Cybersecurity knowledge: Organizing basic cybersecurity
training for all employees, not just IT workers
3. Ethics
Enhancing the ethical and moral norms of
IT personnel
The ACM Code of Professional Conduct
• Strive to achieve the highest quality, effectiveness,
and dignity in both the process and products of
professional work
• Acquire and maintain professional competence
• Know and respect existing laws pertaining to
professional work
• Accept and provide appropriate professional review
• Give comprehensive and thorough evaluations of
computer systems and their impact, including
analysis of possible risks
Announcement
• Final Exam Saturday January 25