Today’s security attacks
Advances in computing power
Make password-breaking easy
Software vulnerabilities often not
patched
Smartphones a new target
Examples of recent attacks
Bogus av software
Marketed by CC thieves
Online banking attacks
Hacking contest
Nigerian 419 advanced fee fraud
#1 internet fraud
Identity theft using Firesheep
Malware
Infected USB flash drive devices
More after the break
Difficulties in defending against attacks
Universally connected devices
Increased speed of attacks
Greater sophistication of attacks
Availability and simplicity of
attack tools
Faster detection of
vulnerabilities
Delays in patching
Weak distribution of patches
Distributed attacks
User confusion
What is Information Security?
Before defense is possible, one
must understand:
What information security is
Why it is important
Who the attackers are
Defining information security
Security
Steps to protect person or
property from harm
Harm may be intentional or
non-intentional
Sacrifices convenience for safety
Information security
Guarding digitally-formatted
information:
That provides value to people and
organizations
Three types of information
protection: often called CIA
Confidentiality
Only approved individuals may
access information
Integrity
Information is correct and
unaltered.
Availability
Information is accessible to
authorized users
Protections implemented to secure
information
Authentication
Individual is who they claim to
be
Authorization
Grant ability to access
information
Accounting
Provides tracking of events
Products
Form the physical security around
the data; may be as basic as door locks or as complicated as network security
equipment
People
Those who implement and properly
use security products to protect data
Procedures
Plans and policies established by
an organization to ensure that people correctly use the products
Information Security Terminology
Asset
Item of value
Threat
Actions or events that have
potential to cause harm
ie: Shutting down the oil lines
Threat agent
Person or element with power to
carry out a threat
ie: Iranians doing the shutting down
Element name
|
Description
|
Example
|
Critical asset
|
Information
|
Data that has
been collected, classified, organized and stored in various forms
|
Customer,
personnel, production, sales, marketing, and finance databases
|
Yes; extremely
difficult to replace
|
Application
software
|
Software that
supports the business processes of the organization
|
Customized order
transaction application, generic word processor
|
Yes; unique and
customized for the organization
No; generic off
the shelf software
|
System software
|
Software that
provides the foundation for application software
|
Operating system
|
No; can be easily
replaced
|
Physical items
|
Computer
equipment, communications equipment, storage media, furniture and fixtures
|
Servers, routers,
DVDs, power supplies
|
No; can be easily
replaced
|
Services
|
Outsourced
computing services
|
Voice and data
communications
|
No; can be easily
replaced
|
Vulnerability
Flaw or weakness
Threat agent can bypass security
Risk
Likelihood that threat agent will
exploit vulnerability
Cannot be eliminated entirely
Cost would be too high
Take too long to implement
Some degree of risk must be
assumed
No comments:
Post a Comment