INFORMATION SYSTEM.

Raemon
ISYS111week8.pdf

1 | Office | Faculty | Department

Week 8

Information Security

ISYS 111

Fundamentals of Business Information Systems


Why are we doing this?

By completing the activities in this week, you should be able to:

1. Give one specific example of each of the five factors that are contributing to the increasing vulnerability of information resources.

2. Compare and contrast human mistakes and social engineering by way of specific examples.

3. Describe negative consequences that might result from at least three different kinds of deliberate attacks on information systems.

4. Assess how you might employ each of the three risk mitigation strategies in the context of your owning a home.

5. Identify the three major types of controls that organisations can use to protect their information resources.

6. Have the database skills to establish table relationships and set field properties.


Essential Question

What are the major threats to information security, and how can they be minimised?

20 Interesting cyber crime statistics:

https://securityintelligence.com/20-eye-opening-cybercrime-statistics/

Information Security and IT

• IT, properly used, can have enormous benefits for individuals, organisations, and entire societies.

• Examples?


• Unfortunately, IT can also be misused, often with devastating consequences.

• Examples?

Introduction to information security

• Security
  • The degree of protection against criminal activity, danger, damage, and/or loss

• Information security
  • Protecting an organisation’s information resources from unauthorised access, use, disclosure, disruption, modification, or destruction

• Threat (to an information resource)
  • Any danger to which a system may be exposed


• Exposure (of an information resource)
  • The harm, loss or damage that can result if a threat compromises that resource

• Vulnerability (of an information resource)
  • The possibility that the system will be harmed by a threat

Factors that increase the vulnerability of information resources

What are the factors that may increase the vulnerability of information resources?


Five factors that increase the vulnerability of information resources

1. Networked business environment

2. Smaller, faster, cheaper computers and storage devices

3. Decreasing skills necessary to be a hacker
  • New and easier tools make it very easy to attack the network
  • Attacks are becoming increasingly sophisticated

4. Organised crime taking over cybercrime
  • Hacktivist groups: Anonymous and LulzSec

5. Lack of management support


Unintentional threats to information systems

Social engineering
  • Attacker uses social skills to trick a legitimate employee into providing confidential company information such as passwords
  • Typically unintentional human error on the part of an employee, but it is the result of a deliberate action on the part of an attacker
  • Techniques: tailgating, shoulder surfing


• Interview with Kevin Mitnick


Human Errors


Deliberate threats to IS

• Espionage (practice of spying) or trespass

• Information extortion

• Sabotage or vandalism

• Theft of equipment or information

• Identity theft

• Compromises to intellectual property

• Software attacks

• Alien software (or pestware)

• Supervisory control and data acquisition (SCADA) attacks

• Cyberterrorism and cyberwarfare


Cyber security facts


What are organisations doing to protect information resources?

Risk management

• Risk
  • The probability that a threat will impact an information resource

• Risk management
  • Identify, control, and minimise the impact of threats


• Risk analysis
  • Prioritise assets (probability x value)
  • Compare the cost of a security breach vs. the cost of the control

• Risk mitigation
  • The organisation takes concrete actions against risk
  • Implement controls and develop a recovery plan
  • 3 strategies:
    • Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur
    • Risk limitation: limit the risk by implementing controls that minimise the impact of the threat
    • Risk transference: transfer the risk by using other means to compensate for the loss, such as purchasing insurance
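The risk analysis and the three mitigation strategies above can be worked through numerically. The following is an added example, not from the lecture notes: each asset gets a priority score of probability x value, and the cheapest annualised option out of acceptance, limitation and transference is chosen. The asset names, probabilities and costs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One information resource with the figures risk analysis needs (assumed values)."""
    name: str
    value: float              # loss if the threat hits this asset (currency units)
    probability: float        # annual probability that the threat hits
    control_cost: float       # annual cost of controls (risk limitation)
    residual_fraction: float  # share of the loss the controls do not prevent
    insurance_cost: float     # annual premium (risk transference)

    @property
    def expected_loss(self) -> float:
        """Priority score from the notes: probability x value."""
        return self.probability * self.value


def prioritise(assets):
    """Rank assets by expected loss, highest first (risk analysis step 1)."""
    return sorted(assets, key=lambda a: a.expected_loss, reverse=True)


def strategy_costs(asset):
    """Annualised cost of each strategy: breach cost vs. control cost."""
    return {
        "accept": asset.expected_loss,                      # absorb the damage
        "limit": asset.control_cost                         # pay for controls ...
                 + asset.residual_fraction * asset.expected_loss,  # ... plus what gets through
        "transfer": asset.insurance_cost,                   # pay the premium
    }


def choose_strategy(asset):
    """Pick the cheapest of acceptance, limitation and transference."""
    costs = strategy_costs(asset)
    return min(costs, key=costs.get)


# Constructed sample assets (hypothetical figures, not from the lecture).
SAMPLE_ASSETS = [
    Asset("laptop", 2_000, 0.30, 1_500, 0.10, 900),
    Asset("customer_db", 500_000, 0.05, 8_000, 0.20, 20_000),
    Asset("warehouse_systems", 1_000_000, 0.01, 30_000, 0.50, 6_000),
]


def plan(assets=SAMPLE_ASSETS):
    """Prioritised list of (asset, expected loss, chosen strategy)."""
    return [(a.name, round(a.expected_loss, 2), choose_strategy(a)) for a in prioritise(assets)]


if __name__ == "__main__":
    for name, loss, strategy in plan():
        print(f"{name:20s} expected loss {loss:>10.2f}  ->  {strategy}")
```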


Information security controls

Figure 7.3 (diagram not reproduced) groups the controls into three categories:

• Physical controls: prevent unauthorised access

• Access controls: restrict unauthorised access
  • Authentication: proof of identity (ID, access password, voice)
  • Authorisation: permission to do certain activities (administrator, regular user, guest)

• Communication controls: protect data movements across the network
  • Denial-of-service protection
  • Intrusion detection system
  • Anti-malware software
  • Whitelisting and blacklisting
  • Encryption


Chapter Summary

This chapter focused on:

• The factors contributing to the increasing vulnerability of information resources

• Human mistakes and social engineering

• Deliberate attacks on information systems

• Risk mitigation and risk mitigation strategies

• Security controls used to protect information resources
