Security:
Information Security:
All the process and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification or destruction.
Threats to Information Security:
- Today’s interconnected, interdependent, wirelessly-networked business environment
- Smaller, faster, cheaper computers and storage devices (flash drives)
- Decreasing skills necessary to be a computer hacker
- International organized crime turning to cybercrime
- Lack of management support
Unintentional Threats to Information Systems:
Human Errors:
- Carelessness with laptops and portable computing devices
- Opening questionable e-mails
- Careless Internet surfing
- Poor password selection
Social Engineering:
- Tailgating
- Shoulder surfing
Deliberate Threats to Information Systems:
- Espionage or trespass
- Information extortion
- Sabotage or vandalism
- Theft of equipment or information
- Identity theft
- Compromises to Intellectual Property (IP)
- Spyware
- Spamware
- Cookies
Cybercrime:
- Supervisory Control and Data Acquisition (SCADA) Attacks
- Cyber-terrorism and Cyber-warfare
What Organizations Are Doing to Protect Information Resources:
Risk:
The probability that a threat will impact an information resource.
Risk management:
To identify, control and minimize the impact of threats.
Risk analysis:
To assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.
Risk mitigation:
The organization takes concrete actions against risk. Risk mitigation has two functions:
- Implement controls to prevent identified threats from occurring.
- Develop a means of recovery should the threat become a reality.
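The risk analysis and risk mitigation steps above, carried through as an added worked example that is not part of the original notes: each asset is valued, its probability of compromise is estimated, and the probable cost of compromise is compared with the cost of protecting it; the result is then mapped onto the three strategies the notes list next (acceptance, limitation, transference). Every asset, value, probability and cost in the block is constructed sample data.

```python
# Added example, not from the original notes: a small risk-analysis worksheet
# that values each asset, estimates its probability of compromise, and compares
# the probable cost of compromise with the cost of protecting it, then picks
# one of the three mitigation strategies. All assets, values, probabilities
# and costs below are constructed sample data, not real figures.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    value: float                 # loss if the asset is compromised (one incident)
    probability: float           # estimated annual probability of compromise, 0..1
    control_cost: float          # annual cost of the control that would protect it
    residual_probability: float  # probability of compromise left after the control
    insurance_premium: Optional[float] = None  # annual cost to transfer the risk, if offered


def expected_loss(asset: Asset) -> float:
    """Probable annual cost of compromise with no controls in place."""
    return asset.value * asset.probability


def control_benefit(asset: Asset) -> float:
    """Annual loss avoided by implementing the control."""
    return expected_loss(asset) - asset.value * asset.residual_probability


def choose_strategy(asset: Asset) -> str:
    """Map the cost comparison onto the notes' three mitigation strategies.

    - limitation:   the control avoids more loss than it costs.
    - transference: the control is not worth it, but insurance costs less than
                    the expected loss.
    - acceptance:   neither option beats simply absorbing the probable loss.
    """
    if control_benefit(asset) > asset.control_cost:
        return "limitation"
    if asset.insurance_premium is not None and asset.insurance_premium < expected_loss(asset):
        return "transference"
    return "acceptance"


def risk_register(assets):
    """Produce the per-asset analysis a risk manager would review."""
    rows = []
    for a in assets:
        rows.append({
            "asset": a.name,
            "expected_loss": round(expected_loss(a), 2),
            "control_cost": a.control_cost,
            "control_benefit": round(control_benefit(a), 2),
            "strategy": choose_strategy(a),
        })
    return rows


# Constructed sample inventory (hypothetical figures).
SAMPLE_ASSETS = [
    Asset("customer database", value=500_000, probability=0.10,
          control_cost=20_000, residual_probability=0.01),
    Asset("lobby visitor kiosk", value=2_000, probability=0.20,
          control_cost=1_500, residual_probability=0.05),
    Asset("field laptops", value=60_000, probability=0.30,
          control_cost=25_000, residual_probability=0.10,
          insurance_premium=9_000),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ASSETS):
        print(row)
```

Running the block recommends limitation for the database (the control avoids far more loss than it costs), acceptance for the kiosk (the control costs more than the loss it avoids and no insurance is offered), and transference for the laptops (the premium is below the expected loss). The thresholds are deliberately simple; a real analysis would also weigh recovery planning, the second function of risk mitigation named above.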
Risk Mitigation Strategies:
Risk Acceptance:
Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
Risk limitation:
Limit the risk by implementing controls that minimize the impact of the threat.
Risk transference:
Transfer the risk by using other means to compensate for the loss, such as purchasing insurance and having off-site backups.
Information Security Controls:
- Controls evaluation
- Physical controls
- Access controls
- Communications (network) controls
- Application controls
Access Controls:
Authentication:
Determines or confirms the identity of the person requiring access. Authentication factors include:
Something the user is:
Access controls that examine a user's physiological or behavioral characteristics (biometrics).
Something the user has:
These access controls include regular ID cards and smart cards.
Something the user does:
These access controls include voice and signature recognition.
Something the user knows:
- Password : a private combination of characters that only the user should know
- Passphrases: a series of characters that is longer than a password but can be memorized easily.
Authorization:
Determines which actions, rights or privileges the person has to perform certain activities with information resources, based on his or her verified identity.
- Privilege
- Least privilege
Communication / Network Controls:
How Digital Certificates Work:
Information Systems Auditing:
Independent or unbiased observers tasked with ensuring that information systems work properly.
Audit:
Examination of information systems, their inputs, outputs and processing.
Types of Auditors and Audits:
Internal: Performed by corporate internal auditors.
External: Reviews the internal audit as well as the inputs, processing and outputs of information systems.