only for daisy

Human Errors

Higher level employees + greater access privileges = greater threat

Two areas pose significant threats

Human Resources

Information Systems

Other areas of threats:

Contract Labor, consultants, janitors, & guards

10

Human Errors

Common Human Error

Carelessness with Laptops

Carelessness with Computing Devices

Opening Questionable E-mail

Careless Internet Surfing

Poor Password Selection and Use

Carelessness with laptops: Losing or misplacing laptops, leaving them in taxis, and so on.

Carelessness with computing devices: Losing or misplacing these devices, or using them carelessly so that malware is introduced into an organization’s network.

Opening questionable e-mails: Opening e-mails from someone unknown, or clicking on links embedded in e-mails (see phishing attack in Table 4.2).

Careless Internet surfing: Accessing questionable Web sites; can result in malware and/or alien software being introduced into the organization’s network.

Poor password selection and use: Choosing and using weak passwords (see strong passwords in the “Authentication” section later in this chapter).

11

Human Errors

Common Human Error

Carelessness with One’s Office

Carelessness Using Unmanaged Devices

Carelessness with Discarded Equipment

Careless Monitoring of Environmental Hazards

Carelessness with one’s office: Leaving desks and filing cabinets unlocked when employees go home at night; not logging off the company network when leaving the office for any extended period of time.

Carelessness using unmanaged devices: Unmanaged devices are those outside the control of an organization’s IT department and company security procedures. These devices include computers belonging to customers and business partners, computers in the business centers of hotels, and so on.

Carelessness with discarded equipment: Discarding old computer hardware and devices without completely wiping the memory; includes computers, smartphones, BlackBerry® units, and digital copiers and printers.

Careless monitoring of environmental hazards: These hazards, which include dirt, dust, humidity, and static electricity, are harmful to the operation of computing equipment.

12

The Heartbleed Bug

4.1

[about business]

What are two lessons we can learn from the Heartbleed bug?

What actions should you (personally) take to combat the Heartbleed bug?

13

Social Engineering

Social Engineering:

an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords.

Example:

Kevin Mitnick, world famous hacker and former FBI’s most wanted.

14

Deliberate Threats to Information Systems

4.3

Espionage or Trespass

Information Extortion

Sabotage or Vandalism

Theft of Equipment or Information

Identity Theft

Compromises to Intellectual Property

Espionage or Trespass: occurs when an unauthorized individual attempts to gain illegal access to organizational information.

Information Extortion: occurs when an attacker either threatens to steal, or actually steals, information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.

Sabotage and Vandalism: deliberate acts that involve defacing an organization’s Web site, potentially damaging the organization’s image and causing its customers to lose faith.

Theft of Equipment or Information: Computing devices and storage devices are becoming smaller yet more powerful with vastly increased storage and as a result these devices are becoming easier to steal and easier for attackers to use to steal information.

Dumpster Diving: rummaging through commercial or residential trash to find discarded information.

Identity Theft: is the deliberate assumption of another person’s identity, usually to gain access to his or her financial information or to frame him or her for a crime.

Compromises to Intellectual Property:

Trade Secret: an intellectual work, such as a business plan, that is a company secret and is not based on public information.

Patent: an official document that grants the holder exclusive rights on an invention or a process for a specified period of time.

Copyright: a statutory grant that provides the creators or owners of intellectual property with ownership of the property, also for a designated period.

Intellectual Property: the property created by individuals or corporations that is protected under trade secret, patent, and copyright laws.

15

Deliberate Threats to Information Systems

4.3

Software Attacks

Alien Software

Supervisory Control and Data Acquisition (SCADA) Attacks

Cyberterrorism and Cyberwarfare

7. Software Attacks

8. Alien Software: clandestine soft ware that is installed on your computer through duplicitous methods.

9. Supervisory Control and Data Acquisition Attacks (SCADA): refers to a large-scale, distributed measurement and control system. SCADA systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants.

10. Cyberterrorism and Cyberwarfare: refer to malicious acts in which attackers use a target’s computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, often to carry out a political agenda.

16

Software Attacks

Remote Attacks Requiring User Action

Virus

Worm

Phishing Attack

Spear Phishing Attack

(1) Remote Attacks Requiring User Action

Virus: Segment of computer code that performs malicious actions by attaching to another computer program.

Worm: Segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program).

Phishing Attack: Phishing attacks use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.

Spear Phishing: Phishing attacks target large groups of people. In spear phishing attacks, attack the perpetrators find out as much information about an individual as possible to improve their chances that phishing techniques will obtain sensitive, personal information

17

Software Attacks

Remote Attacks Needing No User Action

Denial of Service Attack

Distributed Denial of Service Attack

(2) Remote Attacks Needing No User Action

Denial-of-Service Attack: An attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes (ceases to function).

Distributed Denial-of-Service Attack: An attacker first takes over many computers, typically by using malicious soft ware. These computers are called zombies or bots. The attacker uses these bots—which form a botnet—to deliver a coordinated stream of information requests to a target computer, causing it to crash.

18

Software Attacks

Attacks by a Programmer Developing a System

Trojan Horse

Back Door

Logic Bomb

(3) Attacks by a Programmer Developing a System

Trojan Horse: Software programs that hide in other computer programs and reveal their designed behavior only when they are activated.

Back Door: Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures (also called a trap door).

Logic bomb: A segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time or date.

19

Shodan: Good Tool or Bad Tool?

4.2

[about business]

Is Shodan more useful for hackers or for security defenders? Provide specifi c examples to support your choice.

What impact should Shodan have on the manufacturers of devices that connect to the Internet?

As an increasingly large number of devices are connected to the Internet, what will Shodan’s impact be? Provide examples to support your answer.

Explain how Shodan can be used to conduct a SCADA attack.

20

Alien Software

Adware

Spyware

Keyloggers

Spamware

Cookies

Tracking cookies

. Alien Software: clandestine software that is installed on your computer through duplicitous methods.

Adware: software that causes pop-up advertisements to appear on your screen.

Spyware: soft ware that collects personal information about users without their consent. Two common types of spyware are keystroke loggers and screen scrapers.

Spamware: pestware that uses your computer as a launch pad for spammers.

Spam: unsolicited e-mail, usually advertising for products and services

Cookies: small amounts of information that Web sites store on your computer, temporarily or more or less permanently

21

What Organizations Are Doing to Protect Information Resources

4.4

Risk

Risk Analysis

Risk Mitigation

Risk: the probability that a threat will impact an information resource.

Risk Management: identifies, controls, and minimizes the impact of threats. In other words, risk management seeks to reduce risk to acceptable levels.

Risk Analyses: ensures IS security programs are cost effective.

Risk Mitigation: the organization takes concrete actions against risks which has two functions:

implementing controls to prevent identified threats from occurring

developing a means of recovery if the threat becomes a reality

Risk Management: identifies, controls, and minimizes the impact of threats. In other words, risk management seeks to reduce risk to acceptable levels.

Three Processes of Risk management:

risk analysis

risk mitigation

controls evaluation

Risk Analyses: ensures IS security programs are cost effective.

Three Steps of Risk Analysis:

assessing the value of each asset being protected

estimating the probability that each asset will be compromised

comparing the probable costs of the asset’s being compromised with the costs of protecting that asset

22

Catching a Hacker

4.3

[about business]

Why did the FBI need to “argue with law enforcement officials in various countries”?

Describe the diffi culties that investigators encounter in bringing cybercriminals to justice.

23

Risk Mitigation

Risk Acceptance

Risk Limitation

Risk Transference

Information Security Controls

4.5

Physical Controls

Access Controls

Communication Controls

Business Continuity Planning

Information Systems Auditing

Physical Controls: prevent unauthorized individuals from gaining access to a company’s facilities. Common physical controls include walls, doors, fencing, gates, locks, badges, guards, and alarm systems.

Access Controls: restrict unauthorized individuals from using information resources and involve two major functions: authentication and authorization.

Communication Controls (also called network controls): secure the movement of data across networks and consist of firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks (VPNs), secure socket layer (SSL), and employee monitoring systems.

Business Continuity: the chain of events linking planning to protection and to recovery.

Business Continuity Plan: purpose is to provide guidance to people who keep the business operating after a disaster occurs.

25

Physical Controls

Prevent unauthorized individuals from gaining access to a company’s facilities.

Walls

Doors

Fencing

Gates

Locks

Badges

Guards

Alarm systems

Physical Controls: prevent unauthorized individuals from gaining access to a company’s facilities. Common physical controls include walls, doors, fencing, gates, locks, badges, guards, and alarm systems.

26

FIGURE 4.2 Where defense mechanisms are located.