Chapter 06 - Information Systems Security_df46cbf5492578c4f90cbbbca0df820f (1).pdf
Document Details
Uploaded by IdealBerkelium
Tags
Full Transcript
ITC 1370 Information Technology for Business Chapter 06 Information Systems Security © Department of Information Techno...
ITC 1370 Information Technology for Business Chapter 06 Information Systems Security © Department of Information Technology, FMSC, USJ 1 Learning Objectives Upon successful completion of this chapter, you will be able to: Understand what Information Systems Security is. Identify the information security triad. Identify internal and external threats of information systems. Identify strategies for securing Information Systems. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 2 What is Information Systems Security? © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 3 What is Information Systems Security? “Information systems security is the collection of activities that protect the information system and the data stored in it.” - Kim, D., & Solomon, M. (2018). Fundamentals of information systems security (Third edition). Jones & Bartlett Learning. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 4 The Information Security Triad © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 5 The Information Security Triad: Confidentiality, Integrity, Availability (CIA Triad) Confidentiality — Only authorized users can view information. Ex. - Universities restrict unauthorized parties to access to students’ information. Access to grade records should be limited to those who have authorized access. Integrity — Only authorized users can change information. Assure that the information being accessed has not been altered, and truly represents what is intended. Ex. - Only authorized personnel in the examination unit login to university’s examination system and change a student’s grade. Availability — Information is accessible by authorized users whenever they request the information. Ex. - Online bankers require banks’ web servers to be available twenty-four hours a day, seven days a week. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 6 Internal and external threats of information systems 1. Malicious software 2. Hardware or software failure 3. Human error/mistakes 4. Internal attacker 5. Equipment theft 6. External attacker 7. Natural disaster 8. Terrorism © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 7 Malicious software Some software infiltrates one or more target computers and follows an attacker’s instructions. These instructions can include causing damage, escalating security privileges, revealing private data, or even modifying or deleting data. This type of software called Malicious software, or Malware for short. The purpose of malware is to damage or disrupt a system. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 8 Malicious software Exists in two main categories. Infecting Infecting programs actively attempt to programs copy themselves to other computers. Viruses Their main purpose is to carry out an Worms attacker’s instructions on new targets. Ransomware Hiding programs As their name implies, these programs Trojan horses hide in the computer and carrying out Rootkits the attacker’s instructions while Spyware avoiding detection. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 9 Malicious software Viruses - A computer virus is a software program that attaches itself to or copies itself into another program on a computer. The purpose of the virus is to trick the computer into following instructions that were not intended by the original program developer. Worms - A worm is a self-contained program that replicates and sends copies of itself to other computers, generally across a network, without any user input or action. The main difference between a virus and a worm is that a worm does not need a host program to infect. The worm is a standalone program. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 10 Malicious software Trojan Horses - A Trojan horse, also called a Trojan, is malware that masquerades as a useful program and trick users into running them. Today’s Trojans do far more than just save copies of themselves. Trojans can hide programs that collect sensitive information, open backdoors into computers, or actively upload and download files. Rootkits - A rootkit modifies or replaces one or more existing programs to hide traces of attacks. Although rootkits commonly modify parts of the operating system to conceal traces of their presence, they can exist at any level—from a computer’s boot instructions up to the applications that run in the operating system. Rootkits provide attackers with easy access to compromised computers to launch additional attacks. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 11 Malicious software Spyware - Spyware is a type of malware that gathers information about a user through an Internet connection, without his or her knowledge. Ransomware - Ransomware attacks a computer and limits the user’s ability to access the computer’s data. Then the attacker demands a payment to restore full access. The demand for a payment, or ransom, gives this type of malware its name. Many current ransomware programs operate by encrypting important files or even the entire disk and making them inaccessible. Watch - https://www.youtube.com/watch?v=n8mbzU0X2nQ © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 12 Hardware or software failure Hardware failure - A malfunction within the electronic circuits or electromechanical components (disks, tapes) of a computer system. Possible reasons for failure - ▪ Electricity interruptions ▪ Overheating ▪ Improper grounding of equipment etc. Software failure - The inability of a program to continue processing due to erroneous logic. Possible reasons for failure - ▪ Bad logic in code ▪ Incorrect formula ▪ Data type mismatch ▪ Inadequate computer resources etc. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 13 Human errors or mistakes The user is the weakest link in security. Even information systems security practitioners can make mistakes. Human error is a major risk and threat to any organization. No group can completely control any person’s behavior. E.g. – The use of weak passwords Sending sensitive information to the wrong recipients Sharing password/account information with unauthorized parties Installation of unauthorized, unregistered software (application and OS) The unmonitored download of files from the Internet Falling for phishing scams A phishing email is a fake or bogus email to Coding mistakes trick the recipient into clicking on an embedded URL link or opening an email Email misdelivery attachment. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 14 Internal Attacker An internal attacker is an individual or a group within an organization seeks to ruin operations or misuse organizational assets through its computer systems. Typically involves a current or former employee, or business associate who has access to sensitive information within the network of an organization. An internal attacker would perform following activities such as, Downloading or accessing substantial amounts of data Sharing sensitive data outside the organization Attempts to bypass security Accessing sensitive data not associated with their job function Run personal applications on organization’s systems/computers © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 15 Equipment theft Act of stealing computer(hardware) equipment. Stealing Internal equipment Stealing External equipment Internal HDD External HDD RAM Flash drives Other electronic circuits or chips Mouse, Keyboard etc. Wires/Cables Key cards Equipment theft can occur with the intention of selling stolen equipment or selling sensitive data outside the organization. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 16 External Attacker An external attacker is an individual or a group from outside an organization seeks to ruin operations or misuse organizational assets through its computer systems. Following type of methods use by an external attacker to hack, damage or disrupt a system. Phishing Keystroke loggers Botnets DOS (Denial of Service) attacks Man-in-the-middle attacks Social Engineering © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 17 External Attacker Phishing - Phishing is an attempt to commit identity theft via email or instant message. The message appears to come from a legitimate source, such as a trusted business or financial institution, and includes an urgent request for personal information. Phishing messages usually indicate a critical need to update an account (banking, credit card, etc.) immediately. The message instructs the victim to either provide the requested information or click on a link provided in the message. Watch - https://www.youtube.com/watch?v=BnmneAjVrM4&list=PLPmbqO785Hlu- lW7655fc7XxzjGBSdiut&index=25 Keystroke loggers - a keystroke logger captures keystrokes, or user entries. The keystroke logger then forwards that information to the attacker. This enables the attacker to capture logon information, banking information, and other sensitive data. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 18 External Attacker DoS (Denial of Service) attacks - purpose of a denial of service (DoS) attack is to overwhelm a server or network segment to the point that the server or network becomes unusable. A successful DoS attack crashes a server or network device or creates so much network congestion that authorized users cannot access network resources. Watch - https://www.youtube.com/watch?v=yLbC7G71IyE&list=PLPmbqO785Hlu- lW7655fc7XxzjGBSdiut&index=24 Botnets – (short for ‘robotically controlled networks’). A botnet consists of a network of compromised computers that attackers use to launch attacks and spread malware. Attackers can use botnets to distribute malware and spam and to launch DoS attacks against organizations or even countries. Watch - https://www.youtube.com/watch?v=3BbxUCOFX8g&list=PLPmbqO785Hlu- lW7655fc7XxzjGBSdiut&index=22 © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 19 External Attacker Man-in-the-middle attacks - In this type of attack, an attacker intercepts messages between two parties before transferring them on to their intended destination. Attackers use man-in-the-middle attacks to steal information, to corrupt transmitted data, to gain access to an organization’s internal computer and network resources, and to introduce new information into network sessions. Social Engineering - Social engineering is the art of one human attempting to deceive another human into doing something or exposing information. This involves tricking authorized users into carrying out actions for unauthorized users. Watch - https://www.youtube.com/watch?v=lc7scxvKQOo © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 20 Who is a Hacker? Hacker is a person who enjoys exploring and learning how to modify something, particularly related to computer systems. Types of Hackers Black-hat hackers - A black-hat hacker tries to break IT security and gain access to systems with no authorization in order to gain financial benefits, revenge or simply prove technical ability. White-hat hackers - A white-hat hacker, or ethical hacker, is an information systems security professional who has authorization to identify vulnerabilities and perform penetration testing. Gray-hat hackers - may set out to find vulnerabilities in a system but they will only report their findings to the owners of a system if doing so coincides with their agenda. Or they might even publish details about the vulnerability on the internet so that other attackers can exploit it. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 21 Watch Later https://www.youtube.com/watch?v=opRMrEfAIiI https://www.youtube.com/watch?v=j0EZpH_eIsY &t=3s © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 22 Strategies for securing Information Systems 1. Authentication 2. Access Control 3. Encryption 4. Backups 5. Firewalls 6. Intrusion Detection Systems 7. Physical Security 8. Security Policies 9. Anti-malware programs 10. Security Awareness Training © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 23 Authentication is the process or action of verifying the identity of a user. Authentication can be accomplished by identifying someone through one or more of three factors: 1. Something they know (Ex – Username, Password, Pin number etc.) 2. Something they have (Ex- Key cards, Secure Tokens, Phone APPs etc.) 3. Something they are (Ex- Fingerprint, Facial geometry, Eye scan etc. - Biometrics) A more secure way to authenticate a user is through multi-factor authentication. By combining two or more of the factors listed above, it becomes much more difficult for someone to misrepresent themselves. Example – Log in to your Gmail account using both Password and OTP received to your phone. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 24 Access Control Once a user has been authenticated, the next step is to ensure that they can only access the information resources that are appropriate. This is done through the use of access control. Access control determines which users are authorized to read, modify, add, and/or delete information. Two types Access Control List (ACL) Role-Based Access Control (RBAC) Identifies a list of users who have the Instead of giving specific users access capability to take specific actions with an rights to an information resource, users information resource such as data files. are assigned to roles and then those roles are assigned the access. Specific permissions are assigned to each user such as read, write, delete, or This allows the administrators to add. Only users with those permissions manage users and roles separately, are allowed to perform those functions. simplifying administration and, by Drawback - Harder to maintain extension, improving security. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 25 Access Control (Cntd.) Access Control List (ACL) Role-Based Access Control (RBAC) Name System Role Name Access Control Dr. Saman Perera Lecturer Dr. Saman Perera Read, Write, Delete Kamal Fernando Student Kamal Fernando Read only Sunil Silva Student Sunil Silva Read only Prof. Namal Costa Lecturer Prof. Namal Costa Read, Write, Delete Role Access Control Lecturer Read, Write, Delete Student Read only © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 26 Encryption Encryption is a process of encoding data upon its transmission or storage so that only authorized individuals can read it. This encoding is accomplished by software which encodes the plain text that needs to be transmitted (encryption). Then the recipient receives the cipher text and decodes it (decryption). Watch - https://www.youtube.com/watch?v=6-JjHa-qLPk © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 27 Types of Encryption Watch - https://www.youtube.com/watch?v=AQDCe585Lnc Refer - Thunderbird help: https://www.howtogeek.com/706402/how-to-use-openpgp-encryption-for-emails- in-thunderbird/ 1. Symmetric vs Asymmetric (Encryption) – (Private Key Encryption) Amali’s Private Key Bimal Amali Charly © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 28 Types of Encryption 2. Symmetric vs Asymmetric (Encryption) – (Public Key Encryption) Private Key Public Key Amali gets a copy of Bimals public key and encrypt the message Bimal Amali Charly © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 29 Digital certificate Digital certificates are electronic credentials that bind the identity of the certificate owner to a pair of electronic encryption keys, (one public and one private), that can be used to encrypt and sign information digitally. A digital certificate is a pair of Keys ( = Passwords) issued by a trusted certificate authority (CA). Private Key Amali Public Key Certification Authority / Software © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 30 Asymmetric Encryption (use as a Digital Signature) Amali’s Public Key Certification Authority Bimal gets Amali’s public key from CA to open Private Key Public Key the digitally signed message. If success, it verifies that the message has sent by Amali Amali Bimal Amali signed digitally © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 31 Backups Process of keeping a copy of a file or other item of data made, on an alternative location, in case the original is lost or damaged. Not only should the data on the corporate servers be backed up, but individual computers used throughout the organization should also be backed up. A good backup plan should consist of following components. Full understanding of the organization’s information resources. Regular backups of all data. Offsite storage (Ex- Cloud storage) of backup data sets. Ex- Google Drive, One Drive etc. Test of data restoration. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 32 Firewalls A firewall is a program or dedicated hardware device that inspects network traffic passing through it and denies or permits that traffic based on a set of rules you determine at configuration. A firewall protects all company servers and computers by stopping packets from outside the organization’s network that do not meet a strict set of criteria. A firewall may also be configured to restrict the flow of packets leaving the organization. Watch - https://www.youtube.com/watch?v=kDEX1HXybrU © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 33 Intrusion Detection Systems Intrusion Detection Systems (IDS) can be placed on the network for security purposes. An IDS does not add any additional security. Instead, it provides the capability to identify if the network is being attacked. An IDS can be configured to watch for specific types of activities and then alert security personnel if that activity occurs. An IDS also can log various types of traffic on the network for analysis later. It is an essential part of any good security system. Source - https://www.dnsstuff.com/ids-vs-ips © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 34 Physical Security Physical security is the protection of the actual hardware and networking components that store and transmit information resources. To implement physical security, an organization must identify all of the vulnerable resources and take measures to ensure that these resources cannot be physically tampered with or stolen. These measures include the following. Locked doors. Physical intrusion detection. Secured equipment. Environmental monitoring. Employee training. Uninterruptible power supply (UPS) and/or a backup power generator to keep systems going in the event of a power failure. Fire prevention systems. Surge protectors to minimize the effect of power surges on delicate electronic equipment. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 35 Security Policies Besides the technical controls listed above, organizations also need to implement security policies as a form of administrative control. A good information security policy lays out the guidelines for employee use of the information resources of the company and provides the company with the action to be taken in the event that an employee violates a policy. Policies require compliance. Failure to comply with a policy will result in disciplinary action. A security policy should also address any governmental or industry regulations that apply to the organization. For example, any business organization in Sri Lanka must be aware of the ‘Personal Data Protection Act, No. 9 of 2022’, which applies to any processing of personal information by organizations that takes place in Sri Lanka. Example of a Security Policy - https://itsecurity.uiowa.edu/university-it-policy © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 36 Security Policies (Cont.) Security policy may include the following Acceptable usage policy Email protection policies Mobile device policy Password Creation and Management Policy Business Continuity Plan (BCP) Disaster Recovery Plan (DRP) Email/communication policy Remote access policy etc. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 37 Anti-malware programs - is a computer program used to prevent, detect, and remove malware. Many anti-malware products are available to prevent the spread of all types of malware as well remove malware from infected computers. These include the following: BitDefender—www.bitdefender.com Kaspersky Anti-Virus—www.kaspersky.com Norton AntiVirus—www.symantec.com/norton/antivirus ESET Nod32 Antivirus—www.eset.com AVG Antivirus—www.avg.com McAfee Endpoint Protection—www.mcafee.com © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 38 Security Awareness Training Every organization, regardless of the industry vertical or regulatory compliance law requirement, must have a new-hire and ongoing or annual security awareness training program. This security awareness training course must be part of an organization’s security awareness campaign. A security awareness campaign consists of training, periodic newsletters or memos, “lunch and learn” training sessions, and security incidents that are opened as a result of a security policy violation. © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 39 References Kim, D., & Solomon, M. (2018). Fundamentals of information systems security (Third edition). Jones & Bartlett Learning © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 40 Thank You © Department of Information Technology, FMSC, USJ ITC 1370 : Information Technology for Business 41