Tuesday, May 12, 2015

Chapter 4 Summary



Security:
The degree of protection against criminal activity, danger, damage and loss.



Information Security:

All the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification or destruction.

Factors Increasing the Vulnerability of Information Resources:

  • Today's interconnected, interdependent, wirelessly-networked business environment
  • Smaller, faster, cheaper computers and storage devices (e.g., flash drives), which are easily lost or stolen
  • Decreasing skills necessary to be a computer hacker
  • International organized crime turning to cybercrime
  • Lack of management support

Unintentional Threats to Information Systems:

Human Errors:
  • Carelessness with laptops and portable computing devices
  • Opening questionable e-mails
  • Careless Internet surfing
  • Poor password selection
Social Engineering (an attacker tricks or manipulates a legitimate employee into giving up confidential information or access; the employee's mistake is what makes this an unintentional threat):
  • Tailgating
  • Shoulder surfing

Deliberate Threats to Information Systems:

  • Espionage or trespass
  • Information extortion
  • Sabotage or vandalism
  • Theft of equipment or information
  • Identity theft
  • Compromises to Intellectual Property (IP)
     
Alien Software (clandestine software installed on a computer without the user's knowledge):
  • Spyware
  • Spamware
  • Cookies

Cybercrime:
  • Supervisory Control and Data Acquisition (SCADA) Attacks
  • Cyber-terrorism and Cyber-warfare

What Organizations Are Doing to Protect Information Resources:

Risk:
The probability that a threat will impact an information resource.
 
Risk management:
To identify, control and minimize the impact of threats.
 
Risk analysis:
To assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.
 
Risk mitigation:
The organization takes concrete actions against risk. Risk mitigation has two functions:
  • Implement controls to prevent identified threats from occurring.
  • Develop a means of recovery should the threat become a reality.

Risk Mitigation Strategies:

Risk Acceptance:
Accept the potential risk, continue operating with no controls, and absorb any damages that occur.

Risk limitation:
Limit the risk by implementing controls that minimize the impact of the threat.
  
Risk transference:
Transfer the risk by using other means to compensate for the loss, such as purchasing insurance and having off-site backups.
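A worked illustration of the risk analysis and the three mitigation strategies above, as an added example in Python (it is not from the textbook or this post). The assets, values, probabilities and costs are constructed sample numbers, and the decision rule (pick the strategy with the lowest expected annual cost, treating acceptance as costing the full expected loss) is an assumption made for the example, not a rule the chapter states.

```python
from dataclasses import dataclass

# Constructed sample data and an assumed decision rule; not from the chapter.


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                  # loss if the asset is compromised
    probability: float            # estimated annual probability of compromise
    control_cost: float           # annual cost of the controls that would limit the risk
    control_effectiveness: float  # fraction of the expected loss those controls remove (0..1)
    insurance_premium: float      # annual premium to transfer the risk (e.g. insurance)

    def __post_init__(self):
        for field in ("probability", "control_effectiveness"):
            v = getattr(self, field)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{field} must be between 0 and 1, got {v}")


def expected_loss(asset: Asset) -> float:
    """Risk analysis: value of the asset times the probability it is compromised."""
    return asset.value * asset.probability


def strategy_costs(asset: Asset) -> dict[str, float]:
    """Expected annual cost of each mitigation strategy for one asset."""
    loss = expected_loss(asset)
    return {
        # Accept: no controls, absorb the expected loss.
        "accept": loss,
        # Limit: pay for controls, absorb the loss the controls do not prevent.
        "limit": asset.control_cost + loss * (1.0 - asset.control_effectiveness),
        # Transfer: pay someone else (an insurer) to carry the loss.
        "transfer": asset.insurance_premium,
    }


def recommend(asset: Asset) -> str:
    """Assumed decision rule: choose the strategy with the lowest expected annual cost."""
    costs = strategy_costs(asset)
    return min(costs, key=costs.get)


# Constructed sample assets (hypothetical numbers).
SAMPLE_ASSETS = [
    Asset("customer database", 500_000, 0.10, 10_000, 0.80, 30_000),
    Asset("developer laptop", 5_000, 0.20, 3_000, 0.90, 2_000),
    Asset("payment processing", 2_000_000, 0.05, 150_000, 0.95, 60_000),
]


def risk_register(assets=SAMPLE_ASSETS) -> dict[str, str]:
    """Map each asset to its recommended mitigation strategy."""
    return {a.name: recommend(a) for a in assets}


if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name:20s} expected loss {expected_loss(a):>10,.0f}  -> {recommend(a)}")
```

With the sample numbers the database is cheapest to protect with controls (limit), the laptop's expected loss is below the cost of either controls or insurance (accept), and the payment system is cheapest to insure (transfer). In practice the probability and effectiveness figures are the hard part of the analysis; the arithmetic is the easy part.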

Information Security Controls:

  • Controls evaluation
  • Physical controls
  • Access controls
  • Communications (network) controls
  • Application controls

Access Controls:

Authentication:
Determines/confirms the identity of the person requiring access. Authentication methods include:
  • Something the user is: access controls that examine a user's physiological or behavioral characteristics (biometrics).
  • Something the user has: regular ID cards, smart cards.
  • Something the user does: voice and signature recognition.
  • Something the user knows:
      Password: a private combination of characters that only the user should know.
      Passphrase: a series of characters that is longer than a password but can still be memorized easily.

Authorization:
Determines which actions, rights or privileges the person has to do certain activities with information resources, based on his/her verified identity.
  • Privilege: a collection of related computer system operations that a user is allowed to perform.
  • Least privilege: a user is granted only the privileges needed to do his/her job, and no more.
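The authentication-then-authorization sequence above, as an added Python example (not code from the textbook or this post). It authenticates with "something the user knows" (a password, stored as a salted PBKDF2 hash rather than in the clear) and then authorizes against a role table that lists only the operations each job needs, which is least privilege in practice. The users, passwords, roles and permissions are constructed sample data; the PBKDF2 parameters and the dummy-hash trick for unknown accounts are my choices, not the chapter's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: authentication ("something the user knows") followed by
# authorization under least privilege. All accounts and permissions below
# are constructed sample data, not from the chapter.

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Store a salted, slow hash instead of the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# username -> (salt, password hash, role)   (constructed sample accounts)
USERS = {
    "alice": (*hash_password("correct horse battery staple"), "analyst"),
    "bob":   (*hash_password("S3cureAdminPass!"), "admin"),
}

# Least privilege: each role lists only the (resource, action) pairs its job needs.
# Anything not listed is denied.
ROLE_PERMISSIONS = {
    "analyst": {("customers", "read"), ("reports", "read")},
    "admin":   {("customers", "read"), ("customers", "write"), ("customers", "delete"),
                ("reports", "read"), ("reports", "write")},
}

_DUMMY_SALT = b"\x00" * 16


def authenticate(username: str, password: str) -> Optional[str]:
    """Confirm identity. Returns the verified username, or None on failure."""
    record = USERS.get(username)
    if record is None:
        # Do the same hashing work for unknown accounts so response time
        # does not reveal which usernames exist.
        hash_password(password, _DUMMY_SALT)
        return None
    salt, digest, _role = record
    return username if verify_password(password, salt, digest) else None


def authorize(verified_user: str, resource: str, action: str) -> bool:
    """Decide what the verified identity may do; deny by default."""
    record = USERS.get(verified_user)
    if record is None:
        return False
    role = record[2]
    return (resource, action) in ROLE_PERMISSIONS.get(role, set())


def access(username: str, password: str, resource: str, action: str) -> str:
    """Authentication first, then authorization; both must succeed."""
    identity = authenticate(username, password)
    if identity is None:
        return "denied: authentication failed"
    if not authorize(identity, resource, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "customers", "read"))    # granted
    print(access("alice", "correct horse battery staple", "customers", "delete"))  # denied: not authorized
    print(access("bob", "S3cureAdminPass!", "customers", "delete"))               # granted
    print(access("bob", "wrong password", "customers", "delete"))                 # denied: authentication failed
```

Note that a correct password for alice still does not let her delete customer records: authentication establishes who she is, and authorization (scoped to the analyst role) decides what she may do.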


Communication / Network Controls:

How Digital Certificates Work:

Information Systems Auditing:

Independent or unbiased observers tasked with ensuring that information systems work properly.
Audit:
Examination of information systems, their inputs, outputs and processing.
Types of Auditors and Audits:
  • Internal: performed by the corporation's own internal auditors.
  • External: performed by outside auditors; reviews the internal audit as well as the inputs, processing and outputs of the information systems.
