CCF-Session-1-v4-Regular-2023-lec-clsu-1 PDF - Information Security Fundamentals
Central Luzon State University
2023
Summary
These lecture notes cover the fundamentals of information security, including cyber threats, attack vectors, and data privacy. The document delves into topics such as social engineering, remote access, and ransomware. It also discusses the CIA triad and critical infrastructure.
Introduction to Fundamentals of Information Security
Refers to new measures, policies or protocols that have an effect on the attitude and behavior of people in the field of public health after the Covid-19 pandemic.
Internet Evolution (Source: APNIC)
Source: Imperva, https://www.imperva.com/resources/resource-library/reports/2021-cyberthreat-defense-report/
What does this mean for us?
Motivation
There are important ways you can protect yourself and your organization. But first: "It is vital to understand the major methods cyber criminals use to accomplish attacks!"
Types of Hackers and what they do
Grey hat hackers exploit networks and computer systems in the way that black hats do, but do so without any malicious intent, disclosing all loopholes and vulnerabilities to law enforcement agencies or intelligence agencies.
A black-hat hacker is an individual who attempts to gain unauthorized entry into a system or network to exploit them for malicious reasons.
White-hat hackers, on the other hand, are deemed to be the good guys, working with organizations to strengthen the security of a system.
Attack Motivation (Source: NANOG60 keynote presentation by Jeff Moss, Feb 2014)
Joy Hacks (APNIC)
Opportunistic Hacks (APNIC)
Targeted Attack (APNIC)
Advanced Persistent Threats (APT): highly skilled (well funded); specific targets; mostly 0-days; sometimes (not always) working for a nation-state. An attack in which an unauthorized user gains access to a system or network and remains there for an extended period of time without being detected. Note: many lesser attacks are blamed on APTs. (APNIC)
Attack Vector vs Attack Surface
What is an Attack Surface? The attack surface is represented by all of the points on your network where an adversary can attempt to gain entry to your information systems.
What is an Attack Vector? Attack vectors are the methods that adversaries use to breach or infiltrate your network.
Major Attack Vectors
1. Social Engineering: Phishing
2. Remote Access
3. Insider Threats
4. Brute-Force Attacks
5. Ransomware
6. Denial of Service
7. Access through Intermediaries
Brute-Force Attacks: A brute force attack, also known as an exhaustive search, is a cryptographic hack that relies on guessing possible combinations of a targeted password until the correct password is discovered.
Denial of Service: A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
Is there any difference?
CIA TRIAD
The CIA triad is a common, respected model that forms the basis for the development of security systems and policies.
Information Security (InfoSec) is the preservation of confidentiality, integrity and availability of information.
Cyber Security is defined as the "preservation of confidentiality, integrity and availability of information in the Cyberspace."
CIA objectives: To achieve the CIA objectives, organizations must protect two aspects of their IT environment: application security and data security.
Critical Infrastructure
Critical Infrastructure is the body of systems, networks and assets that are so essential that their continued operation is required to ensure the security of a given nation, its economy, and the public's health and/or safety. The United States recognizes 16 distinct sectors of critical infrastructure, which are systems that are considered crucial to national economic security and national public health.
Information technology is the fundamental sector on which all others depend.
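As an added example (not part of the lecture slides), here is the defender's view of the Brute-Force Attacks vector listed above: a small Python detector that flags a source producing many failed logins inside a short window, which is the pattern that account lockout and rate limiting are meant to catch. The sshd-like log format, the sample lines, the threshold and the window are all assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth-log lines in an sshd-like format (not real traffic);
# the format, threshold and window are assumptions for this example.
SAMPLE_LOG = """\
2023-09-01T10:00:01 sshd: Failed password for admin from 203.0.113.7
2023-09-01T10:00:02 sshd: Failed password for admin from 203.0.113.7
2023-09-01T10:00:02 sshd: Failed password for root from 203.0.113.7
2023-09-01T10:00:03 sshd: Failed password for admin from 203.0.113.7
2023-09-01T10:00:04 sshd: Failed password for guest from 203.0.113.7
2023-09-01T10:00:05 sshd: Failed password for admin from 203.0.113.7
2023-09-01T10:00:09 sshd: Accepted password for alice from 198.51.100.4
2023-09-01T10:05:00 sshd: Failed password for alice from 198.51.100.4
2023-09-01T10:20:00 sshd: Failed password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

def detect_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source: time_first_flagged} for every source that produced at
    least `threshold` failed logins within any span of length `window`.
    Usernames are ignored on purpose: guessing across many accounts from
    one source is the same exhaustive-search pattern as hammering one."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "Failed":
            continue  # skip unparsable lines and successful logins
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and m["src"] not in flagged:
            flagged[m["src"]] = ts  # first moment the failure rate crossed the line
    return flagged

if __name__ == "__main__":
    for src, when in detect_brute_force(SAMPLE_LOG).items():
        print(f"possible brute force from {src} at {when.isoformat()}")
```

The legitimate user who mistypes twice, fifteen minutes apart, is never flagged, which is the distinction a lockout policy must preserve to avoid turning the control into a denial of service against your own users.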
Recent Major Cyber Incidents involving Critical Infrastructure (Source: CERT-PH | Cybersecurity Bureau)
"Mr Blount also told Senators the decision to pay a $4.4m (£3.1m) ransom to hackers in Bitcoin was the 'hardest decision' in his career." https://www.bbc.com/news/business-57050690
Recent Major Cyber Incidents involving Data Breach (Source: CERT-PH | Cybersecurity Bureau)
The Equifax data breach occurred between May and July 2017 at the American credit bureau Equifax. Private records of 147.9 million Americans along with 15.2 million British citizens and about 19,000 Canadian citizens were compromised in the breach, making it one of the largest cybercrimes related to identity theft.
Philippines Response to Cyber Security Threats
R.A. 10175 Cybercrime Prevention Act of 2012
R.A. 10173 Data Privacy Act of 2012
What are the look-up references for the cyber crime and data privacy risks that must be mitigated?
R.A. 10175, Cybercrime Prevention Act of 2012: An act defining cybercrime, providing for the prevention, investigation, suppression and the imposition of penalties therefor and for other purposes.
R.A. 10173, Data Privacy Act of 2012: An act protecting individual personal information in information and communication systems in the government and the private sector, creating for this purpose a National Privacy Commission, and for other purposes.
R.A. 10175 Cybercrime Prevention Act of 2012
1. Offenses against the confidentiality, integrity and availability of computer data and systems.
1.1 Illegal Access: Access to the whole or any part of a computer system without right.
1.2 Illegal Interception: Interception made by technical means without right.
1.3 Data Interference: Intentional or reckless alteration, damaging, or deletion of computer data.
1.4 System Interference: Intentional alteration or reckless interference with the functioning of a computer or computer network.
1.5 Misuse of Devices: Use, production, sale, procurement, importation, distribution, or otherwise making available, without right.
1.6 Cyber Squatting: Acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same.
R.A. 10175 Cybercrime Prevention Act of 2012
2. Offenses related to the use of a computer.
2.1 Forgery: Input, alteration, or deletion of any computer data without right resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic.
2.2 Fraud: Unauthorized input, alteration, or deletion of computer data or program or interference in the functioning of a computer system, causing damage thereby with fraudulent intent.
2.3 Identity Theft: Intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another, whether natural or juridical, without right.
R.A. 10175 Cybercrime Prevention Act of 2012
3. Offenses related to the creation and sharing of content.
3.1 Cybersex: Willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system.
3.2 Child Pornography: Unlawful or prohibited acts defined and punishable by Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed through a computer system.
3.3 Libel: Unlawful or prohibited acts of libel as defined in Article 355 of the Revised Penal Code, as amended, committed through a computer system.
Data Privacy vs Right to Privacy
Data Privacy Violation
Ø A privacy violation is an illegal or unwanted act that endangers the privacy rights of a person and the security of personal data.
Ø A data privacy violation is a penalized act according to R.A. 10173 Chapter VIII. The complaint can be made through the use of the NPC Complaint-Assisted Form.
Section 25 Unauthorized processing
Section 26 Negligence in access
Section 27 Improper disposal
Section 28 Unauthorized purpose
Section 29 Unauthorized access or intentional breach
Section 30 Concealment of breach
Section 31 Malicious disclosure
Section 32 Unauthorized disclosure
Section 33 Combination of acts
Data Privacy Violation
1. Unauthorized processing: It is when personal information is processed without the consent of the data subject, or without being authorized using lawful criteria. Penalty: 3-6 years imprisonment, 500K-4M fine.
2. Negligence in access: It is when personal information is made accessible due to negligence and without being authorized by any existing law. Penalty: 1-6 years imprisonment, 500K-4M fine.
Data Privacy Violation
3. Improper disposal: It is when personal information is knowingly or negligently disposed, discarded, or abandoned in an area accessible to the public, or has otherwise been placed in any container for trash collection. Penalty: 6 months-3 years imprisonment, 100K-1M fine.
4. Unauthorized purpose: It is when personal information is processed for purposes not authorized by the data subject, or otherwise not authorized by any existing laws. Penalty: 1-7 years imprisonment, 500K-2M fine.
Data Privacy Violation
5. Unauthorized access or intentional breach: It is when an individual handling personal information knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information are stored. Penalty: 1-3 years imprisonment, 500K-2M fine.
6. Concealed breach: It is when an individual or entity who has knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f) of the Act, intentionally or by omission conceals the fact of such security breach. Penalty: 1-5 years imprisonment, 500K-1M fine.
Data Privacy Violation
7. Malicious disclosure: It is when an individual or entity, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her. Penalty: 1-5 years imprisonment, 500K-1M fine.
8. Unauthorized disclosure: It is when an individual or entity discloses to a third party personal information not covered by legitimate purpose or lawful criteria, and without the consent of the data subject. Penalty: 1-5 years imprisonment, 500K-2M fine.
"Ignorance of the law excuses no one."