3-INFORMATION SECURITY AND CIA TRIAD.pdf
ITE 115 INFORMATION ASSURANCE AND SECURITY
John Paulus Serafin Gazzingan, Instructor

SCAN ME!!! Disclaimer: This registration is part of a phishing simulation for training and educational purposes. Any information entered during this exercise will be used solely for educational purposes and will be deleted after the simulation. No real harm will be done to your account or system.

Lesson 1.1 Introduction to Information Security

Expanded CIA Triad

AVAILABILITY. Availability permits authorized users, whether persons or computer systems, to access information without interference or obstruction and to receive it in the required format. Consider a research library, which requires identification before admission. Librarians protect the contents of the library so that only authorized patrons have access to them: before a patron gets free access to the book stacks, the librarian must accept the patron's identification. Once approved users reach the stacks, they expect to find the material they need in a usable format and in a language they understand, which in this case usually means bound in a book and written in English.

ACCURACY. Information is accurate when it is free of faults or errors and has the value the end user expects. If data have been altered, whether purposefully or unintentionally, they are no longer accurate. Take a bank account, for example. You believe that the information on your checking account is a true reflection of your financial situation. External or internal faults can lead to incorrect information in your checking account: the value of the information is affected if a bank teller, for example, incorrectly adds or subtracts too much from your account. Alternatively, you could enter an inaccurate amount into your account register by accident.
In any case, an incorrect bank balance could lead to errors, such as bouncing a check.

AUTHENTICITY. Information authenticity refers to the quality or state of being genuine or original, as opposed to a copy or fabrication. Information is authentic when it is in the same state as when it was created, placed, saved, or transferred. Consider some popular e-mail misconceptions for a moment. When you get e-mail, you assume it was created and sent by a certain person or group; you assume you know where the e-mail came from. This isn't always the case, though. Sending an e-mail message with a modified header field is known as e-mail spoofing, and it is an issue for many individuals nowadays because the modified field is frequently the originator's address. Spoofing the sender's address can deceive e-mail recipients into believing that messages are genuine, causing them to open e-mail that they would not have opened otherwise. Phishing is a type of spoofing in which an attacker tries to get personal or financial information through deception, most commonly by impersonating another person or organization. Among law enforcement officers and private investigators, pretending to be someone you are not is referred to as pretexting. When employed in a phishing attack, e-mail spoofing leads users to a Web server that does not represent the organization it claims to represent, with the goal of stealing personal information such as account numbers and passwords.

The Facebook and Google scam. In this classic case of business email compromise (BEC), a Lithuanian man named Evaldas Rimasauskas stole over $100 million from Facebook and Google. Rimasauskas and his co-conspirators created fairly convincing forged email accounts imitating Taiwan-based Quanta Computer, which actually does business with Facebook and Google.
They sent carefully crafted phishing emails with fake invoices, contracts and letters to employees at both tech giants, falsely billing them for millions of dollars over a period of two years between 2013 and 2015. The Facebook and Google employees paid more than $100 million into the bank accounts of Rimasauskas' fake company, which he reportedly laundered through banks in Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong. Source: https://www.graphus.ai/blog/worst-phishing-attacks-in-history/

CONFIDENTIALITY. Information is confidential when it is safeguarded from disclosure or exposure to unauthorized individuals or systems. Confidentiality ensures that only those with the necessary rights and privileges have access to information; it is violated when information is viewed by unauthorized individuals or systems. You can take a number of steps to maintain information confidentiality, including the following:
1. Classification of data;
2. Secure document storage;
3. Implementation of broad security policies;
4. Education of information custodians and end users.

Confidentiality, like most information characteristics, is interdependent with the others, and is most closely tied to the characteristic known as privacy. In Chapter 12, "Legal and Ethical Issues in Security," the relationship between these two characteristics is discussed in greater depth. When it comes to personal information about employees, customers, or patients, confidentiality is extremely important. Individuals who deal with an organization, whether it is a federal agency like the Internal Revenue Service or a corporation, want their personal information to be kept private. When businesses reveal confidential information, problems develop.
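Returning to e-mail spoofing from the authenticity discussion above: the fields that are easiest to forge are the ones the reader sees (the From address and its display name), while the envelope sender (Return-Path) and the SPF, DKIM and DMARC results that the receiving mail server records are harder to fake. The following is an added example, not code from the lecture or the textbook it follows, that checks a raw message for the usual mismatches using only Python's standard library. The two messages, every domain in them, and the authserv-id mx.victim.example are constructed for the example.

```python
"""Header checks for a suspected spoofed e-mail (added example, stdlib only).
All messages, domains and the authserv-id below are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: this is the authserv-id our own inbound mail server stamps on
# Authentication-Results. Any other copy of that header is attacker-supplied.
TRUSTED_AUTHSERV_ID = "mx.victim.example"


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a header value, '' if none."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header_value: str, trusted_id: str) -> dict:
    """method -> result (spf=fail, dkim=pass, ...) from Authentication-Results,
    but only when the header was written by our own MX."""
    authserv_id = header_value.split(";", 1)[0].strip().lower()
    if authserv_id != trusted_id:
        return {}
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header_value, re.I)}


def spoofing_findings(raw_message: str) -> list:
    """Return the reasons this message looks spoofed; an empty list is clean."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    findings = []

    # 1. Envelope sender and header From normally belong to the same domain.
    rp_dom = domain_of(str(msg.get("Return-Path", "")))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # 2. Replies quietly redirected to a domain the attacker controls.
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Display name that is itself an address at a different domain.
    if "@" in display_name and domain_of(display_name) != from_dom:
        findings.append(f"display name {display_name!r} imitates a different domain")

    # 4. SPF/DKIM/DMARC as evaluated by our own MX; anything but pass is noted.
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")), TRUSTED_AUTHSERV_ID)
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, "absent")
        if result != "pass":
            findings.append(f"{method} did not pass ({result})")
    return findings


# Constructed BEC-style lure: the From header imitates the supplier, the mail
# was actually sent through an unrelated relay, and replies go elsewhere.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer-relay.example>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=mailer-relay.example; dkim=none; dmarc=fail header.from=supplier.example
From: "Supplier Accounts" <ap@supplier.example>
Reply-To: ap-settlements@supplier-invoices.example
To: payables@victim.example
Subject: Invoice 44721 overdue - updated bank details

Please wire the attached invoice amount to our updated account.
"""

# Constructed genuine message from the same supplier for comparison.
LEGIT_MESSAGE = """\
Return-Path: <ap@supplier.example>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=supplier.example; dkim=pass header.d=supplier.example; dmarc=pass header.from=supplier.example
From: "Supplier Accounts" <ap@supplier.example>
To: payables@victim.example
Subject: Invoice 44721

Please find invoice 44721 attached.
"""

if __name__ == "__main__":
    for finding in spoofing_findings(SPOOFED_MESSAGE):
        print("-", finding)
```

Note that SPF passes for the lure, because the relay domain in the envelope is the attacker's own; what catches it is the DMARC alignment failure on the From domain and the header mismatches. The Authentication-Results header is trusted only when it carries our own authserv-id, since an attacker can add a forged one; inbound mail servers should strip any pre-existing copies before stamping their own.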
Almost every day, as a customer, you give up pieces of personal information in exchange for convenience or value. You reveal part of your spending patterns by using a "members only" card at the grocery shop. When you fill out an online survey, you exchange pieces of your personal history for access to online services. Your personal information is studied, sold, replaced, and circulated in bits and pieces, eventually coalescing into profiles and even whole dossiers about you and your life.

Salami theft is a criminal technique that employs a similar strategy. A deli worker understands that stealing an entire salami would be noticed, but a few slices here and there may be taken home without anyone noticing; eventually the employee has taken a full salami. Salami theft occurs in information security when an employee steals a few pieces of data at a time, knowing that taking more at once would be caught, until the person has acquired something complete or usable.

INTEGRITY. Information has integrity when it is whole, complete, and uncorrupted. Its integrity is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Information can be corrupted while it is being stored or transmitted. Many computer viruses and worms are created with the express intent of corrupting data. Checking files for changes is therefore an important way of ensuring information integrity: a hash function reads the file and computes a single fixed-size number, the hash value, from the bits in the file, and a later recomputation that yields a different value shows that the bits have changed. Strictly speaking, hash values are not unique, since the hash is far shorter than the file and many files share each value, but a cryptographic hash function such as SHA-256 makes it computationally infeasible to find two such files, so a matching hash is strong evidence that the file is unchanged. One caution applies in practice: an intruder who can alter a file can normally recompute its hash as well, so the stored hash values must be kept where the intruder cannot rewrite them, or be protected with a key (a keyed hash or a digital signature).
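The file-integrity check described above, as an added example that is not code from the lecture, in Python's standard library: it builds a SHA-256 baseline of a directory, detects a tampered file, and shows the two caveats a practitioner cares about, that a single parity check bit (the kind of redundancy bit used against transmission noise) misses a two-bit change, and that a hash baseline an intruder can rewrite proves nothing unless it is keyed (here an HMAC with a key assumed to be held elsewhere). The directory, file names and contents are constructed for the example.

```python
"""File-integrity baseline with SHA-256, plus two caveats: a parity check bit
misses deliberate changes, and an unkeyed baseline can be rewritten by whoever
altered the files. Added example; stdlib only; all files are constructed."""
import hashlib
import hmac
import json
import os
import pathlib
import tempfile


def sha256_file(path: pathlib.Path) -> str:
    """Hash the file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: pathlib.Path) -> dict:
    """Baseline: relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: pathlib.Path, manifest: dict) -> dict:
    """Compare the tree against the baseline and report what changed."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def even_parity(data: bytes) -> int:
    """One check bit: 0 when the number of 1 bits is even, 1 when odd."""
    return bin(int.from_bytes(data, "big")).count("1") & 1 if data else 0


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical encoding; needs the key to produce."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, key: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def demo() -> dict:
    """Baseline two files, tamper with one, and show what each check sees."""
    key = os.urandom(32)  # assumption: in practice kept off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        cfg = root / "config.txt"
        cfg.write_bytes(b"listen=127.0.0.1\nadmin=false\n")
        (root / "notes.txt").write_bytes(b"unchanged\n")
        baseline = build_manifest(root)
        tag = sign_manifest(baseline, key)

        original = cfg.read_bytes()
        # Flip two bits: a change a single parity bit cannot see.
        tampered = bytearray(original)
        tampered[0] ^= 0x01
        tampered[1] ^= 0x80
        cfg.write_bytes(bytes(tampered))

        report = verify_manifest(root, baseline)
        # An intruder who can write the manifest simply rehashes the files...
        forged = build_manifest(root)
        # ...but cannot produce a valid HMAC for it without the key.
        return {
            "modified": report["modified"],
            "parity_fooled": even_parity(original) == even_parity(bytes(tampered)),
            "sha_caught": baseline["config.txt"] != forged["config.txt"],
            "forged_manifest_rejected": not manifest_is_authentic(forged, key, tag),
        }


if __name__ == "__main__":
    print(demo())
```

The parity result is what the check bits in the next paragraph are for: they catch random noise but say nothing about deliberate changes, which is why SHA-256 is used for the file check. The HMAC key (or a signing key) belongs on the host that runs the verification, not on the monitored system, and the baseline should be rebuilt only through a controlled change process.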
Hackers are not the only cause of file corruption. Noise in the transmission medium, for example, can corrupt data, and data transmitted on a circuit with a low signal level can be altered. Hazards to information integrity during transmission are countered with redundancy bits and check bits: checksums, hash values, and error-correcting codes let the receiver detect corrupted data (and, with error-correcting codes, repair small errors), and data that fail the check are retransmitted. Such codes guard against accidental corruption only; an attacker who alters data deliberately can recompute a plain checksum to match, so a cryptographic hash or keyed integrity check is needed against deliberate tampering.

UTILITY. Information utility is the quality or state of having value for some purpose or end. Information is useful when it can serve a particular purpose; information that is available but not in a form the end user can understand is of little use. To a private citizen in the United States, for example, census data may be overwhelming and difficult to analyze. For a politician, though, census data offer details on a district's residents, such as ethnicity, gender, and age, which can aid in the development of a future campaign strategy.

POSSESSION. Possession is the quality or state of ownership or control of information. Information is in one's possession if one has obtained it, regardless of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not necessarily result in a breach of confidentiality. Assume a corporation keeps its important customer data on an encrypted file system. An ex-employee plans to duplicate the backup tapes and sell the customer information to a competitor. A breach of possession (custody) occurs when the tapes are removed from their secure environment. However, because the data are encrypted, neither the ex-employee nor anyone else can read them without the correct decryption keys; thus, no breach of confidentiality has occurred. People who sell company secrets now face harsher fines and the possibility of jail time, and employers are increasingly hesitant to hire people with a history of dishonesty.

Components of an Information System

An information system (IS) is much more than computer hardware; it is the full combination of software, hardware, data, people, procedures, and networks that enables the organization to use information resources. Information is input, processed, output, and stored using these six components. Each component has its own strengths and weaknesses, its own characteristics and uses, and its own security requirements.

SOFTWARE. Applications, operating systems, and assorted command utilities make up the software component of the IS. Software is perhaps the most difficult IS component to secure, since a significant share of information-related attacks exploit faults in software. Reports of holes, bugs, vulnerabilities, and other basic faults in software abound in the information technology sector, and defective software affects many aspects of daily life, from smartphone crashes to faulty vehicle control computers that result in recalls. Software is the lifeblood of an organization's information flow. Unfortunately, software products are frequently developed under project management constraints that limit time, money, and people, and information security is frequently introduced as an afterthought rather than being designed in as a core component from the start.
As a result, software programs become an easy target for accidental or deliberate attacks.

HARDWARE. Hardware is the physical technology that houses and executes software, stores and transfers data, and provides interfaces for entering and removing data from a system. Physical security policies deal with hardware as a physical asset and with how to keep it safe from harm or theft. Traditional physical security methods, such as locks and keys, restrict access to and interaction with an information system's hardware components. Because a breach of physical security can result in the loss of information, it is critical to secure the physical location of computers as well as the computers themselves. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted physical access to the hardware is permitted.

DATA. Data are the most valuable asset in a computer system. They need protection during storage, processing, and transmission, as they are often the target of attacks. Using a robust database management system correctly can help protect data from unauthorized access and misuse, and in systems built in recent years this should improve the security of both the data and the application. Unfortunately, many system development projects do not fully use the database management system's security features, and the database is sometimes deployed in ways less secure than traditional file systems.

PEOPLE. People can be the weakest link in an organization's information security program. They will remain the weakest link until policy, education and training, awareness, and technology are properly implemented to prevent them from accidentally or intentionally damaging or losing information. The human tendency to cut corners and the ubiquity of human error can be exploited by social engineering, which manipulates people's actions in order to gain access to system information.

PROCEDURES. Procedures are another IS component that is often overlooked. Procedures are step-by-step instructions for completing a task. When an unauthorized user obtains an organization's procedures, the integrity of its information is threatened. For example, a bank consultant learned how to wire funds using procedures that were readily available at the computer center. Taking advantage of a security flaw (lack of verification), he ordered millions of dollars wired to his own account; before the matter was resolved, lax security practices had resulted in a loss of over 10 million dollars. Most organizations provide procedures to their legitimate employees so that they can use the information system, but many fail to provide adequate education on how to protect those procedures. Educating staff about security procedures is as crucial as physically securing the information system. Procedures, after all, are information in their own right, so knowledge of procedures, like other critical information, should be shared only with those members of the organization who need to know.

NETWORKS. The networking component of an IS is responsible for much of the demand for better computer and information security. When information systems are linked to local area networks (LANs), and these LANs are linked to other networks such as the Internet, new security concerns emerge quickly.
Locks and keys remain useful for restricting physical access to and interaction with the hardware components of an information system, but once those components are networked, physical controls alone are no longer sufficient. Network security measures, together with alarm and intrusion detection sensors that alert system owners to ongoing intrusions, are critical.

Balancing Information Security and Access

It is difficult to achieve complete information security even with the best design and implementation. Remember James Anderson's statement, in which he stressed the importance of balancing security and access. Information security is a process, not a goal, so it cannot be perfect. It is possible to make a system accessible to anyone, anywhere, at any time, by any means, but such unrestricted access jeopardizes the information's security. A totally secure information system, on the other hand, would allow no one access. To establish balance, that is, to operate an information system that satisfies both the user and the security professional, the security level must allow reasonable access while protecting against threats. Because of today's security concerns and difficulties, an information system or data-processing department can become too focused on system management and security; when the end user's needs are overshadowed by a focus on safeguarding and administering information systems, an imbalance arises.

Approaches to Information Security Implementation

Information security might start with a grassroots effort by system administrators to improve the security of their systems. This is known as a bottom-up approach. The technical expertise of individual administrators is a fundamental benefit of the bottom-up approach: working with information systems on a daily basis, these administrators have a wealth of experience that can substantially aid the construction of a security system. They are aware of and understand the threats to their systems, as well as the mechanisms required to protect them. Unfortunately, because it lacks a number of critical elements, such as participant support and organizational staying power, this approach rarely works.

1. Bottom-Up Approach: The organization's security model is put in place by system administrators or people working in network security or as security engineers. The main idea behind this approach is for the individuals working with the information systems to use their knowledge and experience in cybersecurity to design a highly secure information security model.
Key advantage: the practitioners' technical expertise in their own systems means that the vulnerabilities they know about are addressed and that the security model reflects the threats they actually face.
Disadvantage: because of the lack of coordination with senior management and relevant directives, the result is often not suited to the requirements and strategy of the organization, and it lacks the support needed to last.

The top-down approach, in which upper-level managers initiate the project by issuing policy, procedures, and processes, dictating the goals and expected outcomes, and assigning responsibility for each required action, has a higher success rate. Strong upper-management support, a dedicated champion, usually dedicated funding, a clear planning and implementation process, and the ability to influence organizational culture are all features of this approach. The most successful top-down approach also uses a formal development strategy known as a systems development life cycle.

2. Top-Down Approach: This approach is initiated by the executives of the organization. They formulate policies and outline the procedures to be followed, determine the project's priorities and expected results, and assign responsibility for every action needed.

This approach looks at each department's data and explores how it is connected in order to find vulnerabilities. Managers have the authority to issue company-wide instructions while still allowing each person to play an integral part in keeping data safe. Compared to an individual or a single department, a management-led approach brings more resources to bear and a clearer overview of the company's assets and concerns. A top-down approach generally has more staying power and efficacy than a bottom-up approach because it makes data protection a company-wide priority instead of placing all the responsibility on one person or team. Data vulnerabilities exist in all offices and departments, and each situation is unique. The only way for an information security program to work is to get every manager, branch, department, and employee in agreement with a company-wide plan.