IMS562 Chap_2 and Chap_3 PDF
This document is about information security in organizations and businesses. It defines and describes the objectives, terms, and challenges in the field, examines professional roles and different types of threats and vulnerabilities, and closes with some real-life examples and research related to the subject.
CHAPTER 2: INFORMATION SECURITY

LESSON OBJECTIVES:
1 Understand the definition of information security
2 Understand the key terms and concepts of information security
3 Understand the key challenges in information security
4 Understand the roles of professionals involved in information security within an organization

INTRODUCTION TO INFORMATION SECURITY
The current state… Cybersecurity is escalating. Information security? Let's have a look: https://youtu.be/7L9JerWIT3Y

DEFINING INFORMATION SECURITY
- The activity to protect information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities (Hagen et al., 2008).
- Securing information through proactive management of information security risks, threats and vulnerabilities (Kritzinger & Smith, 2008).
- The prevention of, and recovery from, unauthorized or undesirable destruction, modification, disclosure, or use of information and information resources, whether accidental or intentional (Alnatheer & Nelson, 2009).
- The protection of information assets, aiming to maintain confidentiality, integrity, availability and accountability of information (Whitman and Mattord, 2011).
- A process that ensures that, within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and non-access when required (availability) (ISACA, 2012).
- The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability (NIST, 2011).
- A multidisciplinary area of study and professional activity which is concerned with the development and implementation of security countermeasures of all available types (technical, organizational, human-oriented and legal) in order to keep information in all its locations (within and outside the organization's perimeter) and, consequently, information systems, where information is created, processed, stored, transmitted and destructed, free from threats (Cherdantseva & Hilton, 2013).
- The practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction (ISO/IEC 27001, 2013).

Information security is a crucial component in the success of any organization, regardless of the environment in which the organization functions. The objective of information security is commonly to preserve an organization's information assets and the business processes they support.

INFO SECURITY or CYBERSECURITY?
Information Security - the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability (CIA).
Cyber Security - the protection of cyberspace and its use against any sort of crime (related or not related to information CIA).

THE DEVELOPMENT OF INFORMATION SECURITY
Four waves: The Technical Wave (early 80s); The Management Wave (early 80s - mid 90s); The Institutional Wave (mid 90s - mid 2000); The Information Security Governance Wave (mid 2000 - now).

1 THE TECHNICAL WAVE
Information security is characterized by a technical approach driven by the application of the mainframe environment, which allows centralized processing of business information in the organization. During this era, information security was limited to simple forms of Identification and Authentication for logging onto the mainframe system as the security control.

2 THE MANAGEMENT WAVE
In conjunction with the development of distributed computing and the personal computer, which demanded a lot of other inputs into the Information Security field, the information security wave was allegedly deemed as imperative. During this period, information security really got the attention of management, and this resulted in many information security managers being appointed to develop policies and procedures to tighten up security elements in organizations.

3 THE INSTITUTIONAL WAVE
The growing emphasis on information security awareness, and the risk that ignorant employees can compromise information security in an organization, led to the Institutional wave of information security in the mid-90s, which saw enormous efforts to promote a culture and way of thinking aligned with making a secure environment that protects the valuable information resources belonging to the organization.

4 THE INFORMATION SECURITY GOVERNANCE WAVE
The latest wave started in the early 2000s along with the appearance of several international best practices for good Corporate Governance. This wave is termed the 'Information Security Governance Wave'. In this era, techniques to measure the status and level of an organization's information security compliance became more structured, forming part of governance. Apart from that, the use of computerized systems is holistic in this era.

All waves emphasize the importance of securing the data and information belonging to the organization, which are regarded as critical resources for businesses, and the responsibility lies with the organization and its employees. By doing so, it ensures that the confidentiality and integrity of the company's data and information are maintained at all times for business strategic use.

THE GUIDING PRINCIPLES
C.I.A – Confidentiality, Integrity, Availability. We want our information to:
- Be confidential. Readable by the right people.
- Have integrity. Can be altered by authorized people or processes.
- Be available. Accessible by authorized people only.
Our concerns:
- Authentication. Information/messages came from the person we acknowledge.
- Non-repudiation. Senders cannot deny knowledge of sending the message or performing some online activities, at some later point in time.

INFOSEC in broad
The act of protecting the confidentiality, integrity and availability of information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction – regardless of the form of the information (electronic, printed, cloud, etc.).

INFORMATION SECURITY DOMAINS
Good Information Security Practice sits at the intersection of People, Process and Technology.
- People – "The Human Factor". The human factor has to be addressed at two key levels: non-technical staff must have up-to-date awareness of their role in preventing and reducing threats; technical staff must have broad, up-to-date information security skills, competency and qualifications.
- Process. A structured set of activities designed to accomplish a specific objective, i.e. procedures, work instructions, metrics, roles, improvements.
- Technology. Technology is a key element in achieving effective information security for any organization.

"…security is far more than investing in hardware and software. First and foremost, security is a business issue. This means that top management is accountable for ensuring that its organisation's security strategy meets business objectives and is adopted as a strategic risk. Discussions of security risk at board level should include identifying which risks to avoid, accept, mitigate or transfer (such as through information insurance), as well as reviewing specific plans associated with each approach. The three fundamental domains of an effective cyber security strategy are: people, processes and technology." Source: www.itgovernance.co.uk

INFORMATION SECURITY CHALLENGES
Discuss how People, Process and Technology could become challenges for information security. 3 groups, 20 minutes of discussion and 10 minutes of presentation:
- group 1 – People as challenge
- group 2 – Technology as challenge
- group 3 – Process as challenge
* Will be presented in Google Meet.

INFORMATION SECURITY PROFESSIONALS
An Information Security professional must develop breadth and depth of knowledge throughout the information security domain (e.g. in physical security, business continuity and legal matters). Information Security Professionals are defined as: information security practitioners who conform with the requirements of the Information Security Professional Guideline; and information security practitioners with specific roles and responsibilities in Information Security Operation, Information Security Compliance and Information Security Audit. Cybersecurity Malaysia (CSM), http://www.cybersecurity.my/data/content_files/11/1159.pdf?.diff=1373447691

The Information Security Professional comprises the following 3 roles:
1 Chief Information Security Officer (CISO). The role of a CISO is to define the Information Security strategic direction, develop and maintain policies and establish roles and responsibilities for Information Security within the organisation. The Chief Information Security Officer may report to either the Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Technology Officer (CTO) or Chief Information Officer (CIO) of an organisation and is subject to the organisation structure. http://www.cybersecurity.my
2 Information Security Operations. The role of an Information Security Professional performing Information Security Operations is to:
  1. Manage and implement appropriate access rights to applications, systems, databases and network
  2. Implement and maintain network security
  3. Perform incident management
  4. Ensure that the relevant Information Security controls are implemented and embedded in the respective departments performing daily operations
  http://www.cybersecurity.my
3 Information Security Audit & Information Security Compliance. In smaller agencies / organisations these two functions may be combined. Essentially their role is to monitor compliance by the staff of the agency / organisation with the Information Security policies, standards, and procedures. An Information Security Professional with the role of audit or compliance shall be independent from day-to-day Information Security Operations. http://www.cybersecurity.my

Information Security Professional Requirements (figure; Source: Cybersecurity Malaysia, 2013)

Some profession challenges: Skills shortage (figures; Sources: http://research.esg-global.com/reportaction/tect0312201501/TOC and https://cybersec.isaca.org)

Summary
In this chapter you learned how to:
- Define information security.
- Describe the key terms and concepts of information security.
- Discuss the key challenges in information security.
- Explain the roles of professionals involved in information security within an organization.

CHAPTER 3: THE IMPORTANCE OF INFORMATION SECURITY IN ORGANIZATIONS

LESSON OBJECTIVES:
1 Understand the importance of information security to organizations
2 Understand the meaning of threats and vulnerabilities
3 Understand the business impacts of realized threats

THE IMPORTANCE OF INFORMATION SECURITY
The Importance of Information Security for Business:
- …maintains the competitive advantage, improves public image, increases innovation and protects the enterprise's assets. (Kruger et al., 2010)
- …necessity in sustaining an organization's business operations. (Thompson et al., 2006)
- …ensuring business continuity by reducing business risks. (Parker, 1997; Anttila et al., 2004; COBIT 5)
- …ensures a high quality of service of information technologies, which support and complement the business goal of an organization. (Whitman and Mattord, 2011)
- …ensures alignment of information security with business strategies and objectives, value delivery and accountability, and expands business opportunities. (ISO 27001:2013; Vasiu et al., 2003)
- …ensures that technological infrastructures and assets are safely accounted for and protected. (Lane, 2007)

Discussions..
Discuss this. Form three groups and choose two topics:
- Protect data & computer
- Prevents theft
- Profit and regulation
- Information crimes have escalated
- Protect intellectual property
- Maintains productivity
- Foils cyber terrorism

THE VULNERABILITY & THREATS (figure: Vulnerabilities / Threats; Source: https://heimdalsecurity.com)

OVERVIEW: VULNERABILITIES & THREATS
A vulnerability refers to a known weakness of an asset (resource) that can be exploited by one or more attackers. In other words, it is a known issue that allows an attack to be successful. For example, when a team member resigns and you forget to disable their access to external accounts, change logins or remove their names from company credit cards, this leaves your business open to both intentional and unintentional threats.
A threat refers to a new or newly discovered incident with the potential to do harm to a system or your overall organization. There are three main types of threats – natural threats (e.g., floods or a tornado), unintentional threats (such as an employee mistakenly accessing the wrong information) and intentional threats. Intentional threats? Source: www.bcm.com

Intentional (deliberate) threats
Computer crimes are the best examples of intentional threats, or when someone purposely damages property or information. Computer crimes include espionage, identity theft, child pornography, and credit card crime. https://www.cerias.purdue.edu/assets/pdf/k12/infosec_newsletters/03threats.pdf
Intentional threats include spyware, malware, adware companies or the actions of a disgruntled employee. In addition, worms and viruses are also categorized as threats, because they could potentially cause harm to your organization through exposure to an automated attack, as opposed to one perpetrated by humans.

Sources of threats
- Acts of human error/failure: accidents, employee mistakes
- Compromises to intellectual properties: piracy, copyright infringements
- Deliberate acts of trespass: unauthorized access, data collection
- Deliberate acts of information extortion: blackmail, information disclosure
- Deliberate acts of sabotage or vandalism: destruction of system or information
- Deliberate acts of theft: illegal removal of equipment or information
- Deliberate software attack: viruses, denial of service
- Forces of nature: unauthorized access, data collection (as listed on the slide)
- Deviations in quality of services: power, LAN, WAN, service issues from service providers
- Technical hardware failure: equipment
- Technical software failure: bugs, code loopholes etc.
- Technological obsolescence: useless technology, outdated tech

Sources of threats – Malicious Insiders: the most common threat
Information security breaches are now the burning issue. "14% of all data breaches linked to insiders" (source: The Verizon 2013 Data Breach Investigation Report). Among 874 incidents, as reported by companies to the Ponemon Institute for its recent 2016 Cost of Data Breach Study, 568 were caused by employee or contractor negligence; 85 by outsiders using stolen credentials; and 191 by malicious employees and criminals.

Some real-life examples..
Alphabet, Google's parent company, recently filed a lawsuit against its former engineer Anthony Levandowski, who is now working with Uber. The company accused Levandowski of copying more than 14,000 internal files and taking them directly to his new employer. source: https://www.tripwire.com

Anthony Levandowski was a high profile engineer at Waymo, a subsidiary of Alphabet (formerly known as Google). His role there was to push forward the development of self-driving cars. In December 2015, he downloaded 9.7 GB of company files onto his computer so he could "work from home". But in January 2016 he left Waymo to join Uber's own self-driving car division. We cannot know for sure whether Levandowski used the files to help Uber in their own project, but the situation was ostentatious enough that Waymo sued Uber and asked for a halt in their self-driving car trials until further notice. If the allegations are true, the damage caused to Waymo, and Google for that matter, could far exceed the one caused by an external hacking. Years of hard work and investment were practically handed over on a silver platter to a major competitor. source: https://heimdalsecurity.com/
See also: http://www.cdse.edu/documents/toolkits-insider/Robert-Mo-Insider-Threat-Case-Study.pdf and http://www.cdse.edu/documents/cdse/CDSE-Insider-Threat-Case-Study-Yuan-Li.pdf

Security Vulnerability
A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw ("The Three Tenets of Cyber Security", U.S. Air Force Software Protection Initiative, retrieved 2009-12-15).

Vulnerability assessment
Benefits of a Vulnerability Assessment & Cyber Security Assessment. The goal is to limit exposure and attack surfaces to make compromising and exploitation of network vulnerabilities more difficult.
- Identify and safely exploit vulnerabilities on network devices, operating systems, desktop applications, Web applications, databases, and more.
- Detect and repair potential weaknesses in your network before they can be exploited by cyber criminals.
- Understand and enhance the current state of your cyber security posture and level of risk.
- Test your policy agreement and your organization's ability to identify and respond to security threats.
- Determine the adequacy of employee security awareness as a baseline for skill acquisition and reinforcement of human defences.
- Demonstrate compliance with current government and industry regulations such as PCI-DSS, FFIEC, GLBA, and HIPAA/HITECH.
- Manage resources more efficiently by focusing attention and resources where needed.
Source: http://www.infosightinc.com/solutions/advisory-services/vulnerability-assessment.php

Impact of Security Risks and Threats
Viruses, worms, and Trojan horses can corrupt data on a user's computer, infect other computers, weaken computer security, or provide back doors into protected networked computers. Viruses can corrupt digital content on a user's computer. Spyware, adware, and other forms of security risk also represent a significant problem to businesses, their users, and the company networks. All types of threat and security risk can seriously impair business operations, network use, and computer performance while performing many tasks unknown to the user of an infected computer.

Some research examples..
Zafar et al., 2012
  Study objectives/context: To investigate the financial impact of publicly announced information security breaches on breached firms and their non-breached competitors.
  Threats/risks: e-business/e-commerce utilization for businesses.
  Business impacts: Unwanted access to internal information, data loss, competitive disadvantages.
Akram, 2013
  Study objectives/context: To theorize and empirically measure the effects of information disclosure on the accuracy of business decision-making at various organizations.
  Threats/risks: Attacks or threats to information assets can result in inadequate decisions, which consequently affect the entire structure of the organization / insecure information assets.
  Business impacts: Information security has a substantial effect on generating accurate, effective and efficient business decisions.
Mani et al., 2014
  Study objectives/context: To contribute to a better understanding of the information security threats, awareness, and risk management standards currently employed by the real estate sector in South Australia.
  Threats/risks: Physical breaches (e.g. due to stolen data storage devices such as smart mobile devices and computers) and non-physical breaches (e.g. due to computer or network intrusions) on real estate information.
  Business impacts: An employee misusing work-related data for personal gain will impact competitive advantages.
Telstra, 2014
  Study objectives/context: To understand the security market dynamics, particularly the drivers, restraints and adoption trends facing Australian organizations.
  Threats/risks: Technology becomes more important to business every day. But the technologies that currently make the biggest difference – like Cloud Computing, Big Data and Mobility – also increase your exposure to security incidents.
  Business impacts: Critical infrastructure, business continuity and IT & business processes were the most severely affected by security incidents in organizations during the past three years.
Gallagher et al., 2016
  Study objectives/context: To establish a measure of the impact of security breaches and to assess differences in the impact experienced across organizations of different sizes, different industries, and the degree to which they are centralized or decentralized.
  Threats/risks: Security breach through IT systems.
  Business impacts: Disruption to operations.
Telstra, 2016
  Study objectives/context: To understand the security market dynamics, particularly the drivers, restraints and adoption trends facing Australian and Asian organizations.
  Threats/risks: Connectivity and technology provide great benefits to our society and the economy today, and the full potential to touch and benefit us all is yet to be fully realized. However, with this benefit comes some risk – and as more of the world embraces technology and connectivity, the risk increases and organizations need to be able to manage this risk.
  Business impacts: Security incidents resulted in productivity loss, disruption of business operations, critical infrastructure breakdown, reputational loss, loss of sensitive data and financial loss.

Summary
In this chapter you learned how to:
- Describe the importance of information security to organizations.
- Explain the terms vulnerability and threat.
- Discuss the impacts of security risks and threats on organizations.