2-IMFORMATION SECURITY AND INTERNET OF THINGS (1).pdf
ITE 115 INFORMATION ASSURANCE AND SECURITY
John Paulus Serafin Gazzingan, Instructor

Lesson 1.1 Introduction to Information Security

Information Security in the Past

Computer security is where the history of information security begins. When the first mainframes, created to facilitate computation for communication code breaking, were put to use during WW2, the need for computer security arose, that is, the need to secure physical locations, hardware and software against threats.

In the decade of the 1960s, many more mainframes were brought online during the Cold War to perform more complicated and sophisticated jobs. In response to this necessity, the Department of Defense’s Advanced Research Project Agency (ARPA) began investigating the feasibility of a redundant, networked communication system to support the military’s information exchange, and thus ARPANET was born. Larry Roberts then developed this system, which was called the “Forerunner of the Internet”, and he was dubbed the “Father of the Internet”.

1970s and 1980s

ARPANET faced growing concerns regarding its security. Despite its popularity, the system lacked essential controls, allowing hackers easy access through vulnerabilities such as password weaknesses and widely distributed phone numbers. Robert M. Metcalfe identified significant security flaws, and the term "network insecurity" was coined in 1978. Efforts to address these concerns included ARPA projects and the influential Rand Report R-609, which highlighted the need for comprehensive security measures in multilevel computer systems and is now considered foundational in computer security research.

1968: In Time-Sharing Computer Systems, Maurice Wilkes examined password security.
1973: In "Preliminary Notes on the Design of Secure Military Computer Systems," Schell, Downey, and Popek looked at the need for more security in military systems.
1975: In the Federal Register, the Federal Information Processing Standards (FIPS) evaluated the Digital Encryption Standard (DES).
1978: Bisbey and Hollingworth published "Protection Analysis: Final Report," a report on the ARPA-funded Protection Analysis project, which aimed to better understand operating system security vulnerabilities and investigate the possibility of automated vulnerability detection techniques in existing system software.
1979: "Password Security: A Case History," written by Morris and Thompson, was published in the Communications of the Association for Computing Machinery (ACM). The study looked at the evolution of a password security method for a time-sharing system that may be accessed remotely.
1979: Dennis Ritchie published "On the Security of UNIX" and "Protection of Data File Contents," which describe secure user and group IDs, as well as the challenges that these systems have.
1984: The authors of "UNIX Operating System Security" addressed four "key handles to computer security" in this report: physical control of premises and computer facilities, management commitment to security objectives, staff education, and administrative procedures aiming at increased security.
1984: "No technique can be secure against wiretapping or its equivalent on the computer," Reeds and Weinberger wrote in "File Security and the UNIX System Crypt Command." As a result, no technique can be guaranteed to be secure against the systems administrator or other privileged users... the uninitiated user has no chance.

MULTICS was the first operating system to incorporate security as a fundamental aspect, though it is now obsolete. Created in the 1960s by GE, Bell Labs, and MIT, it influenced the development of UNIX.
However, UNIX initially lacked the multiple security levels and passwords present in MULTICS. UNIX’s focus was on text processing, and it did not integrate password security until the early 1970s. The rise of microprocessors in the late 1970s led to the personal computer (PC), which became central to modern computing, shifting away from data centers and promoting the decentralization and networking of computers in the 1980s.

The Decade of the 1990s

Networks of computers became more popular at the end of the twentieth century, as did the necessity to connect these networks to one another. The Internet, the first worldwide network of networks, was born as a result of this. In the 1990s, the Internet was made available to the general public after previously being restricted to government, university, and industry experts. Almost any computer that could connect to a phone line or an Internet-connected local area network (LAN) could use the Internet. The Internet became omnipresent when it was commercialized, reaching practically every corner of the planet with an ever-expanding range of applications.

The Internet has grown from a means for sharing Defense Department information to an interconnection of millions of networks. Because industry standards for network interconnection did not exist at the time, these connections were initially based on de facto standards. These de facto standards did little to ensure the security of information, though some security was introduced as these precursor technologies were extensively adopted and became established industry standards. Early Internet deployment, however, treated security as a low priority. In reality, many of the current problems with e-mail on the Internet are the result of this early lack of security.
Mail server authentication and e-mail encryption did not seem necessary at the time, when all Internet and e-mail users were (apparently trustworthy) computer scientists.

In early computing approaches, security was embedded into the physical environment of the data center that housed the computers. As networked computers became the norm, the capacity to physically safeguard a networked computer was lost, and the information stored on the computer became more vulnerable to security risks.

Onel de Guzman, a then-24-year-old computer science student at AMA Computer College and resident of Manila, Philippines, created the malware. Because there were no laws in the Philippines against making malware at the time of its creation, the Philippine Congress enacted Republic Act No. 8792, otherwise known as the E-Commerce Law, in July 2000 to discourage future iterations of such activity. However, the Constitution of the Philippines prohibits ex post facto laws, and as such de Guzman could not be prosecuted.

ILOVEYOU, sometimes referred to as the Love Bug or Loveletter, was a computer worm that infected over ten million Windows personal computers on and after 5 May 2000. It started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". At the time, Windows computers often hid the latter file extension ("VBS", a type of interpreted file) by default because it is an extension for a file type that Windows knows, leading unwitting users to think it was a normal text file. Opening the attachment activates the Visual Basic script.
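
A mail-gateway style check for the hidden-extension trick described above, as an added example that is not part of the original lesson. The function names, verdict labels and extension lists are assumptions chosen for illustration, and the sample file names other than the one quoted in the text are constructed.

```python
# Added example: flag attachment names that look harmless once Windows hides
# the final, known extension. The extension lists are illustrative assumptions.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "bat", "cmd",
               "scr", "pif", "exe", "com", "lnk"}
DECOY_EXTS = {"txt", "doc", "docx", "xls", "xlsx", "pdf", "jpg", "jpeg",
              "png", "gif", "mp3", "zip"}


def displayed_name(filename: str) -> str:
    """Name a user sees when 'hide extensions for known file types' is on."""
    name = filename.rstrip(". ")            # Windows drops trailing dots/spaces
    stem, dot, _ext = name.rpartition(".")
    return stem if dot and stem else name


def check_attachment(filename: str):
    """Return (verdict, reason) for one attachment file name."""
    parts = filename.rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return ("allow", "final extension is not a script/executable type")
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        shown = displayed_name(filename)
        return ("block", f"shown as '{shown}' but runs as .{parts[-1]}")
    return ("quarantine", f"script/executable attachment (.{parts[-1]})")


# First name is the one quoted in the text; the rest are constructed samples.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "minutes.txt",
    "invoice.PDF.VBS. ",
    "setup.exe",
    "backup.tar.gz",
]


def scan(names):
    """Map each attachment name to its verdict."""
    return {n: check_attachment(n)[0] for n in names}


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict, reason = check_attachment(name)
        print(f"{verdict:10} {name!r}: {reason}")
```
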
First, the worm inflicts damage on the local machine, overwriting random files (including Office files and image files; however, it hides MP3 files instead of deleting them). Then it copies itself to all addresses in the Windows Address Book used by Microsoft Outlook, allowing it to spread much faster than any other previous email worm.

From 2000s to present

Today, the Internet allows millions of insecure computer networks to communicate with one another in real time. The security of each computer's stored data is now dependent on the security of every other computer to which it is linked. In recent years, governments and businesses have become more aware of the need to improve information security, as well as the importance of information security to national defense. The growing threat of cyberattacks has made governments and businesses more aware of the need to defend computer-controlled systems of utilities and other critical infrastructure. There is also growing concern about nation-states engaging in information warfare, as well as the prospect that undefended commercial and personal information systems will be victims.

What Exactly is Security

In general, security is defined as “the characteristic or state of being secure – to be free from risk.” In other words, the goal is to guard against adversaries, those who would do damage to others purposefully or unintentionally. National security, for example, is a multilayered structure that safeguards a state’s sovereignty, assets, resources, and citizens. A complex system is likewise required to achieve a proper level of security for a business. To safeguard its operations, a successful company should have the following multiple layers of security in place:
Physical Security prevents illegal access to and misuse of physical items, objects or spaces.
Personnel Security refers to the safeguarding of an individual or a group of individuals who have been granted access to an organization’s operations.
Operations Security safeguards the specifics of certain operations or series of actions.
Communications Security protects communications media, equipment, and content.
Network Security refers to the safeguarding of networking components, connections, and data.
Information Security refers to the safeguarding of the confidentiality, integrity and availability of data assets while they are being stored, processed, or transmitted. It is accomplished by the use of policy, education, training and awareness, as well as technology.

The Basics of Information Security

Access. The ability of a subject or object to manipulate, modify, or influence another subject or object. Hackers have unauthorized access to a system, whereas authorized users have legal access. This ability is governed by access controls.

Asset. The resource that is being safeguarded within the organization. An asset can be logical, such as a website, information, or data, or physical, such as a person, computer system, or other tangible thing. Security activities are focused on assets, particularly information assets, which are what such efforts are aiming to protect.

Attack. An act that can harm or compromise information and/or the systems that support it, whether intentionally or unintentionally. Attacks can be direct or indirect, active or passive, purposeful or inadvertent. A passive attack occurs when someone casually reads sensitive information that was not intended for their use. An attempt to break into an information system by a hacker is a deliberate attack. An unintended attack is like a lightning strike that causes a building fire.
A hacker using a personal computer to break into a system is carrying out a direct attack. A hacker who compromises a system and uses it to attack other systems, such as part of a botnet (slang for robot network), is committing an indirect attack. This set of hacked machines, running software chosen by the attacker, can attack systems and steal user information or execute distributed denial-of-service attacks autonomously or under the attacker's direct supervision. Direct attacks originate from the threat itself. Indirect attacks are launched through a hacked system or resource that is malfunctioning or under the control of a threat.

Control, safeguard, or countermeasure. Mechanisms, rules, or methods for successfully countering attacks, reducing risk, resolving vulnerabilities, and otherwise improving an organization's security.

Exploit. A method for compromising a system. The term can be used as a noun or a verb. As a verb, threat agents may try to exploit a system or other information asset by abusing it for personal gain. As a noun, an exploit can be a defined procedure for taking advantage of a vulnerability or exposure in software that is either inherent in the product or devised by the attacker. Exploits use existing software tools or custom-made software components.

Exposure. A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.

Activity 1

Find five recent cyber attacks and determine which layer of security was breached during the attack. Explain why this particular layer was breached. Cite your source.

Example: VARTA Cyber Attack (February 2024)
Layer Breached: Network Layer
Explanation: The cyber attack on VARTA, a German battery manufacturer, impacted both IT systems and production equipment, resulting in halted production across five plants.
The network layer was compromised, likely through a ransomware or denial-of-service (DoS) attack, which suggests that the organization’s internal network was inadequately protected from external intrusions.