Ch02-Secure Information Systems - v1
Yahoo disclosed in December 2016 that one billion of its users' accounts had been compromised in an August 2013 breach.
Uber, the popular ridesharing, food delivery, and transportation service company, announced in February 2015 that it had suffered a data breach in May 2014.
Under Armour was hit with a data breach that impacted some 150 million users of its My Fitness Pal food and nutrition application.
Why Learn About Secure Information Systems?
• Confidential business data and private customer and employee
information must be safeguarded, and systems must be protected
against malicious acts of theft or disruption.
• Although the need for security is obvious, it must often be balanced
against other business needs. Business managers, IS professionals,
and IS users all face a number of complex trade-offs regarding IS
security.
Why Computer Incidents Are So Prevalent (1/3)
1. Increasing Complexity Increases Vulnerability
• The Internet of Things, cloud computing, mobile devices, operating systems,
applications, Web sites, switches, routers, and gateways are all interconnected and
are driven by hundreds of millions of lines of code.
• The number of possible entry points to a network expands continually as more
devices are added, further increasing the possibility of security breaches.
2. Bring your own device (BYOD) policies
• A business policy that permits, and in some cases encourages, employees to use
their own mobile devices (smartphones, tablets, or laptops) to access company
computing resources and applications.
• BYOD makes it extremely difficult for IT organizations to adequately safeguard the
wide range of portable devices with various operating systems and a myriad of
applications.
Why Computer Incidents Are So Prevalent (2/3)
3. Use of Software with Known Vulnerabilities
• An exploit is an attack on an information system that takes advantage of a
particular system vulnerability. Once the vulnerability is discovered, the software's
developers create and issue a "fix," or patch, to eliminate the problem.
• Clearly, it can be difficult to keep up with all the required patches to fix these
vulnerabilities. Of special concern is a zero-day attack, which is an attack that
takes place before the security community becomes aware of and fixes a
security vulnerability.
• Even when vulnerabilities are exposed, many corporate IT organizations
continue to use already installed software as-is rather than implement
security fixes. IT organizations often make this decision because the fixes will
either make the software harder to use or eliminate “nice-to-have” features
that will help sell the software to end users.
Why Computer Incidents Are So Prevalent (3/3)
4. Increasing Sophistication of Those Who Would Do Harm
• Today’s computer menace is much better organized and may be part of an
organized group (such as Anonymous, Chaos Computer Club, Lizard Squad,
TeslaTeam) that has an agenda and that targets specific organizations and
Web sites.
• Some of these groups have ample resources, including money and
sophisticated tools, to support their efforts.
Perpetrators Most Likely to Initiate a Cyberattack
• Currently, although the lone wolf and cyberterrorist receive a lot of publicity, they are
not considered among the most serious sources of cyberattacks.
• IBM found that 55–60 percent of all cyberattacks are initiated through the actions of
insiders.
Types of Attack Vectors
attack vector: The technique used to gain unauthorized access to a device or a network
Cyberattacks That Pose Serious Threats
• Ransomware
• Distributed denial-of-service attacks
• Data breaches
• Cyberespionage
• Cyberterrorism
Ransomware
• Ransomware is malware that stops you from using your computer or
accessing the data on your computer until you meet certain
demands, such as paying a ransom or, in some cases, sending
compromising photos to the attacker.
• A computer can become infected with ransomware when a user
opens an email attachment containing the malware or is lured to a
compromised Web site by a deceptive email or pop-up window.
• Once the malware has taken over, it encrypts some or all of the
victim's files. The files can then only be decrypted with a
decryption key known only to the attacker.
Distributed denial-of-service attacks
• A distributed denial-of-service (DDoS) attack is one in which a
malicious hacker takes control of many computers via the Internet and causes
them to flood a target site with requests for data and other small
tasks until legitimate users can no longer be served.
• The term botnet is used to describe a large group of such computers,
which are controlled from one or more remote locations by hackers,
without the knowledge or consent of their legitimate owners.
Data breaches
• A data breach is the unintended release of sensitive data or the
access of sensitive data by unauthorized individuals, often resulting in
identity theft.
• Not only are the individuals whose data is compromised in a data
breach put at risk of identity theft or blackmail, but also the
shareholders of an organization hit with a data breach can be
impacted by a decline in the valuation of the firm that follows
publication of the incident.
Cyberespionage
• Cyberespionage involves the deployment of malware that secretly
steals data in the computer systems of organizations.
• These organizations include government agencies, military
contractors, political organizations, and manufacturing firms.
• The type of data most frequently targeted includes data that can
provide an unfair competitive advantage to the perpetrator. This data
is typically not public knowledge and may even be protected via
patent, copyright, or trade secret.
Cyberterrorism
• Cyberterrorism is the intimidation of government or civilian
population by using information technology to disable critical national
infrastructure (e.g., energy, transportation, financial, law
enforcement, emergency response, and healthcare systems) to
achieve political, religious, or ideological goals.
Consequences of a Successful Cyberattack
• Direct impact: This is the value of the assets (cash, inventory,
equipment, patents, copyrights, trade secrets, data) stolen or
damaged due to the cyberattack.
• Business disruption: A successful cyberattack may make it
impossible for the organization to operate in an effective manner
for several hours or days.
• Recovery cost: It may take people from the IS organization and
business areas days or weeks to repair affected systems and
recover lost or compromised data.
• Legal consequences: There is the prospect of monetary penalties
for businesses that fail to comply with data protection legislation.
• Reputation damage: A successful cyberattack can erode the trust
your organization has established with your customers, suppliers,
business partners, and shareholders.
Principle 02
The CIA Security Triad
Principle
Organizations must take strong measures to ensure secure, private, and reliable computing
experiences for their employees, customers, and business partners.
Learning Objectives
• Discuss how the CIA security triad can be implemented at the organizational, network,
application, and end user levels to safeguard against cyberattacks.
• Conduct a security self-assessment of your own computer and usage habits.
• Identify eight steps that must be taken to perform a thorough security risk assessment.
• Describe five actions an organization must take in response to a successful cyberattack.
• Describe the role of a managed security service provider.
• Define the term computer forensics.
A multi-layered security solution
Security measures must be planned for, designed, implemented, tested, and maintained at
the organizational, network, application, and end-user layers to achieve true CIA security.
Implementing CIA at the Organizational Level
Implementing CIA begins at the organizational level with the definition of an overall
security strategy
• Risk Assessment: Identify and prioritize the threats that the organization faces.
• Disaster Recovery: Ensures the availability of key data and information technology
assets.
• Security Policies: Guide employees to follow recommended processes and practices to
avoid security-related problems.
• Security Audits: Ensure that individuals are following established policies and to assess if
the policies are still adequate even under changing conditions.
• Regulatory Standards Compliance: An organization may also need to comply with standards
defined by external parties, including regulatory agencies.
• Security Dashboard: Helps track the key performance indicators of the security strategy.
Step 1: Identify the set of IT assets about which the organization is most concerned.
Implementing CIA at the Application Level
• Authentication and authorization: the creation of roles and user accounts so that once
users are authenticated, they have the authority to perform their responsibilities and
nothing more.
• Granting nothing more than the permissions a job requires is the principle of least
privilege; the closely related concept of separation of duties adds that no single user
can complete a sensitive transaction alone (for example, the person who enters an invoice
cannot also be the one who approves it).
Data Encryption
• Major enterprise systems such as enterprise resource planning (ERP), customer
relationship management (CRM), and product lifecycle management (PLM) access sensitive
data residing on data storage devices located in data centers, in the cloud, or at
third-party locations.
• Data encryption should be used within applications to ensure that this sensitive data
is protected from unauthorized access.
Implementing CIA at the End-User Level
• Security Education
• Authentication methods
• Antivirus software
• Data encryption
• Implementing Safeguards Against Attacks by Malicious Insiders
Security Education
• Creating and enhancing user awareness of security policies is an
ongoing security priority for companies.
• Users must help protect an organization’s information systems and
data by doing the following:
• Guarding their passwords to protect against unauthorized access to their
accounts
• Prohibiting others from using their passwords
• Applying strict access controls (file and directory permissions) to protect data
from disclosure or destruction
• Reporting all unusual activity to the organization’s IT security group
• Taking care to ensure that portable computing and data storage devices are
protected (hundreds of thousands of laptops are lost or stolen per year)
Authentication methods
• End users should be required to be authenticated before their
computing/communications device accepts further input.
• Again, several multifactor authentication schemes can be used.
• Many mobile devices are using the user’s fingerprint as a means of
authentication.
Antivirus software
• Antivirus software should be installed on each user’s personal
computer to scan a computer’s memory and disk drives regularly for
viruses.
• Antivirus software scans for a specific sequence of bytes, known as a
virus signature, that indicates the presence of a specific virus.
• In most corporations, the network administrator is responsible for
monitoring network security Web sites frequently and downloading
updated antivirus software and signature files as needed; a scanner is only as
current as its last signature update.
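The slide describes a signature as a specific sequence of bytes. The following added example (not code from the slides or from any antivirus vendor) shows what that scan looks like in practice, and the one detail a naive implementation gets wrong: a signature that straddles the boundary between two read chunks. The signature database is constructed for the example; the EICAR string is the harmless, industry-standard test pattern that real scanners detect by design, and the "Demo.Dropper" entry is a hypothetical pattern invented here.

```python
import io

# EICAR test string: a harmless pattern that antivirus products detect
# on purpose, used here as a realistic "virus signature".
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database: name -> byte sequence. In a real product
# this is the file the administrator refreshes with each signature update.
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Demo.Dropper": b"\x4d\x5a\x90\x00DEMO-DROPPER",  # hypothetical, for the example
}


def scan_stream(stream, signatures=SIGNATURES, chunk_size=4096, carry_over=True):
    """Scan a binary file-like object chunk by chunk and return the sorted
    names of every signature found.

    With carry_over=True, the last (longest signature - 1) bytes of each
    chunk are prepended to the next one, so a signature split across two
    chunks is still matched. carry_over=False is the naive scanner that
    looks at each chunk in isolation and misses exactly that case."""
    longest = max(len(sig) for sig in signatures.values())
    carry = b""
    found = set()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = carry + chunk
        for name, sig in signatures.items():
            if sig in window:
                found.add(name)
        if carry_over and longest > 1:
            carry = window[-(longest - 1):]
    return sorted(found)


def scan_bytes(data, **kwargs):
    """Convenience wrapper for scanning an in-memory byte string."""
    return scan_stream(io.BytesIO(data), **kwargs)


if __name__ == "__main__":
    # Constructed file: 4090 filler bytes push the EICAR string across a
    # 4096-byte chunk boundary.
    sample = b"A" * 4090 + EICAR + b"B" * 100
    print("with carry-over:", scan_bytes(sample))
    print("naive:          ", scan_bytes(sample, carry_over=False))
```

The overlap is bounded by the longest signature, so the cost of carrying it is constant per chunk; a scanner that reads the whole file into memory avoids the problem but does not scale to large disks, which is why real engines scan streaming and carry the tail.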
Data encryption
• While you should already have a login password for your mobile
computing device or workstation, those measures won’t protect your
data if someone steals your device—the thief can simply remove your
storage device or hard drive and plug it into another computing
device and access the data.
• If you have sensitive information on your computer, you need to
employ full-disk encryption, which protects all your data even if your
hardware falls into the wrong hands.
Implementing Safeguards Against Attacks by
Malicious Insiders
• User accounts that remain active after employees leave a company
are another potential security risk.
• To reduce the threat of attack by malicious insiders, IS staff must
promptly delete the computer accounts, login IDs, and passwords of
departing employees and contractors.
• Another important safeguard is to create roles and user accounts so
that users have the authority to perform their responsibilities and
nothing more.
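Both the application-level slide (roles and user accounts that grant the authority to do one's job and nothing more) and the malicious-insider slide above (prompt removal of departed employees' access) come down to the same authorization logic. The following added example, written for this page rather than taken from any product, puts the three rules side by side: deny by default, least privilege through role-to-permission mapping, and separation of duties so that the creator of an invoice can never be its approver. The roles, permissions and user names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed role -> permission mapping. Anything not listed here is
# refused (deny by default).
ROLE_PERMISSIONS = {
    "ap_clerk":   {"invoice:create", "invoice:view"},
    "ap_manager": {"invoice:view", "invoice:approve"},
    "hr_analyst": {"employee:view"},
}


class AuthorizationError(Exception):
    pass


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True   # flipped to False the day the person leaves


@dataclass
class Invoice:
    invoice_id: str
    created_by: str
    approved_by: Optional[str] = None


def permissions_for(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user, action):
    """Raise unless an *active* user holds a role that grants `action`."""
    if not user.active:
        raise AuthorizationError(f"{user.name}: account is disabled")
    if action not in permissions_for(user):
        raise AuthorizationError(f"{user.name}: not permitted to {action}")


def can(user, action):
    """Boolean form of authorize(), convenient for UI decisions and tests."""
    try:
        authorize(user, action)
        return True
    except AuthorizationError:
        return False


def approve_invoice(user, invoice):
    authorize(user, "invoice:approve")
    # Separation of duties: holding the approve permission is not enough;
    # the approver must be a different person from the creator.
    if invoice.created_by == user.name:
        raise AuthorizationError(
            f"{user.name}: cannot approve own invoice {invoice.invoice_id}")
    invoice.approved_by = user.name
    return invoice


def offboard(user):
    """Disable the account and strip every role the moment someone leaves.
    Deleting the record can follow once audit retention allows, but the
    access itself must end immediately."""
    user.active = False
    user.roles = set()
    return user


if __name__ == "__main__":
    clerk = User("dana", {"ap_clerk"})
    manager = User("erin", {"ap_manager"})
    inv = Invoice("INV-1", created_by=clerk.name)
    print(approve_invoice(manager, inv))
    offboard(manager)
    print("erin can still view invoices:", can(manager, "invoice:view"))
```

Note that the separation-of-duties check lives in the business operation, not in the role table: a user who legitimately holds both the clerk and manager roles still cannot approve what they created, which a pure role lookup would allow.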
Detection of a Cyberattack (1/2)
An intrusion detection system (IDS) is software and/or hardware that monitors system
and network resources and activities and notifies network security personnel when it
detects network traffic that attempts to circumvent the security measures of a networked
computer environment.
Detection of a Cyberattack (2/2)
• Knowledge-based intrusion detection systems
• Contain information about specific attacks and system vulnerabilities and watch for
attempts to exploit these vulnerabilities, such as repeated failed login attempts or
recurring attempts to download a program to a server.
• When such an attempt is detected, an alarm is triggered.
• A behavior-based intrusion detection system
• Understands normal behavior of a system and its users because it collects reference
information by various means.
• The intrusion detection system compares current activity to this model and
generates an alarm if it finds a deviation.
• Examples include unusual traffic at odd hours or a user in the human resources
department who accesses an accounting program that she has never before used.
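The two IDS styles on this slide differ in what they compare the current activity against. The following added example (written for this page, not taken from any IDS product) runs both over the same constructed log lines: the knowledge-based rule fires on the slide's own signature, repeated failed logins, and the behavior-based rule fires when a user's activity deviates from a baseline of which applications they normally use and at what hours. The log format, thresholds and baseline profiles are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <source-ip> <event> [app]"
SAMPLE_LOG = """\
2024-03-04T09:02:11 alice 10.0.0.5 LOGIN_OK
2024-03-04T09:05:40 alice 10.0.0.5 APP_ACCESS payroll
2024-03-04T09:30:00 bob 10.0.0.9 LOGIN_OK
2024-03-04T09:31:00 bob 10.0.0.9 APP_ACCESS crm
2024-03-04T10:00:01 carol 198.51.100.7 LOGIN_FAIL
2024-03-04T10:00:03 carol 198.51.100.7 LOGIN_FAIL
2024-03-04T10:00:04 carol 198.51.100.7 LOGIN_FAIL
2024-03-04T10:00:06 carol 198.51.100.7 LOGIN_FAIL
2024-03-04T10:00:07 carol 198.51.100.7 LOGIN_FAIL
2024-03-04T10:00:08 carol 198.51.100.7 LOGIN_FAIL
2024-03-04T23:15:00 bob 10.0.0.9 LOGIN_OK
2024-03-04T23:16:30 bob 10.0.0.9 APP_ACCESS general_ledger
"""

# Constructed "reference information" for the behavior-based IDS: which
# applications each user normally touches and their usual working hours.
BASELINE = {
    "alice": {"apps": {"payroll", "hr_portal"}, "hours": range(8, 19)},
    "bob":   {"apps": {"crm"},                  "hours": range(8, 19)},
}

# Assumed signature rule: this many failures from one source in this window.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(seconds=60)


def parse(line):
    parts = line.split()
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "user": parts[1],
        "src": parts[2],
        "event": parts[3],
        "app": parts[4] if len(parts) > 4 else None,
    }


def knowledge_based(events):
    """Signature rule: >= FAIL_THRESHOLD failed logins from one source
    inside a sliding FAIL_WINDOW. Fires once per source."""
    alarms, fired = [], set()
    recent = defaultdict(deque)          # source ip -> timestamps of failures
    for e in events:
        if e["event"] != "LOGIN_FAIL":
            continue
        window = recent[e["src"]]
        window.append(e["ts"])
        while window and e["ts"] - window[0] > FAIL_WINDOW:
            window.popleft()             # drop failures older than the window
        if len(window) >= FAIL_THRESHOLD and e["src"] not in fired:
            fired.add(e["src"])
            alarms.append(f"brute-force: {len(window)} failed logins from "
                          f"{e['src']} within {FAIL_WINDOW.seconds}s")
    return alarms


def behavior_based(events, baseline=BASELINE):
    """Anomaly rule: activity outside the user's usual hours, or access to
    an application the user has never used before."""
    alarms = []
    for e in events:
        profile = baseline.get(e["user"])
        if profile is None:
            continue                     # no model for this user yet
        if e["ts"].hour not in profile["hours"]:
            alarms.append(f"odd-hour activity: {e['user']} {e['event']} "
                          f"at {e['ts'].isoformat()}")
        if e["event"] == "APP_ACCESS" and e["app"] not in profile["apps"]:
            alarms.append(f"first-time app: {e['user']} accessed {e['app']}")
    return alarms


def run_ids(log_text=SAMPLE_LOG):
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    return {"knowledge": knowledge_based(events),
            "behavior": behavior_based(events)}


if __name__ == "__main__":
    for kind, alarms in run_ids().items():
        for alarm in alarms:
            print(f"[{kind}] {alarm}")
```

On this input the signature rule catches the password-guessing from 198.51.100.7 but says nothing about bob, whose credentials worked; only the behavior-based comparison flags his late-night session and his first visit to the general ledger, which is the insider scenario the slide describes. The price of that coverage is a baseline that must be built from clean history and kept current, or the alarms become noise.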
Response
• Incident Notification
• Protection of Evidence and Activity Logs
• Incident Containment
• Eradication
• Incident Follow-Up
Incident Notification
• A key element of any response plan is to define who to notify and
who not to notify in the event of a computer security incident.
• Most security experts recommend against giving out specific
information about a compromise in public forums, such as news
reports, conferences, professional meetings, and online discussion
groups.
• A critical ethical decision that must be made is what to tell customers
and others whose personal data may have been compromised by a
computer incident.
Protection of Evidence and Activity Logs
• An organization should document all details of a security incident as it
works to resolve the incident.
• Documentation captures valuable evidence for a future prosecution
and provides data to help during the incident eradication and follow-
up phases.
• It is especially important to capture all system events, the specific
actions taken (what, when, and who), and all external conversations
(what, when, and who) in a logbook.
• Because this may become court evidence, an organization should
establish a set of document-handling procedures using the legal
department as a resource.
Incident Containment
• The incident response plan should clearly define the process for
deciding if an attack is dangerous enough to warrant shutting down
or disconnecting critical systems from the network.
• How such decisions are made, how fast they are made, and who
makes them are all elements of an effective response plan.
Eradication
• Before the IT security group begins the eradication effort, it must
collect and log all possible criminal evidence from the system and
then verify that all necessary backups are current, complete, and free
of any malware.
• Creating a forensic disk image of each compromised system on write-once
(or read-only) media, both for later study and as evidence, can be very useful;
a cryptographic hash taken at acquisition lets anyone later confirm the image
has not changed.
• After the malware has been eradicated, a new backup must be created.
• Throughout this process, a log should be kept of all actions taken.
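The evidence-protection and eradication slides above both ask for two things: a forensic image that can be shown not to have changed, and a logbook recording what was done, when, and by whom. The following added example (constructed for this page, not taken from any forensic tool) does both with a cryptographic hash: the image is hashed at acquisition, and each logbook entry carries the hash of the entry before it, so that altering either the image or an earlier log entry is detectable. The disk image bytes, host names and analyst names are placeholders invented for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a forensic disk image. In practice this is the
# output of a bit-for-bit acquisition tool, far too large to hold in memory.
DISK_IMAGE = b"\x00" * 512 + b"boot sector (constructed sample)" + b"\x00" * 4096


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire(image_bytes, host, analyst, logbook):
    """Hash the image at acquisition and append a what/when/who entry to the
    logbook. Each entry includes the hash of the previous entry, so the
    logbook is tamper-evident as a whole, not just entry by entry."""
    prev = logbook[-1]["entry_hash"] if logbook else "0" * 64
    entry = {
        "what": f"acquired disk image of {host}",
        "when": datetime.now(timezone.utc).isoformat(),
        "who": analyst,
        "image_sha256": sha256_hex(image_bytes),
        "prev_entry_hash": prev,
    }
    # Canonical JSON (sorted keys) so the hash does not depend on dict order.
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    logbook.append(entry)
    return entry


def verify_image(image_bytes, entry):
    """True if the image still matches the hash recorded at acquisition."""
    return sha256_hex(image_bytes) == entry["image_sha256"]


def verify_logbook(logbook):
    """True if every entry's hash is intact and the chain of prev hashes
    is unbroken; editing or removing any earlier entry breaks it."""
    prev = "0" * 64
    for entry in logbook:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_entry_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    logbook = []
    entry = acquire(DISK_IMAGE, "web01", "analyst-a", logbook)
    print(json.dumps(entry, indent=2))
    print("image intact:", verify_image(DISK_IMAGE, entry))
    print("logbook intact:", verify_logbook(logbook))
```

The hash of the image should be written into the logbook and onto the write-once media itself at the moment of acquisition; a hash computed only later cannot prove anything about the interval in between, which is exactly the period a court will ask about.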
Incident Follow-Up
A review should be conducted after an incident to determine exactly what happened and
to evaluate how the organization responded.
One approach is to write a formal incident report that includes a detailed chronology of
events and the impact of the incident.
The key elements of a formal incident report should include the following:
• IP address and name of host computer(s) involved
• The date and time when the incident was discovered
• The length of the incident
• How the incident was discovered
• The method used to gain access to the host computer
• A detailed discussion of vulnerabilities that were exploited
• A determination of whether or not the host was compromised as a result of the attack
• The nature of the data stored on the computer (customer, employee, financial, etc.)
• A determination of whether the accessed data is considered personal, private, or
confidential
• The number of hours the system was down
• The overall impact on the business
• An estimate of total monetary damage from the incident
• A detailed chronology of all events associated with the incident
Using a Managed Security Service Provider (MSSP)
• For most small and midsized organizations, the level of in-house
network security expertise needed to protect their business
operations can be too costly to acquire and maintain.
• As a result, many organizations outsource their network security
operations to a managed security service provider (MSSP), which is a
company that monitors, manages, and maintains computer and
network security for other organizations.
• MSSPs include such companies as AT&T, Computer Sciences
Corporation, Dell SecureWorks, IBM, Symantec, and Verizon.
Computer Forensics