Cybersecurity Basics for Information Systems
Mark Perew

Summary
This document provides a general introduction to cybersecurity concepts, covering the CIA Triad (Confidentiality, Integrity, Availability) and related terms such as vulnerability, threat, and risk. It also briefly touches on the growing number of vulnerabilities found in information systems.
Introduction

The foundation for information security, all of information security, is what's known as the CIA Triad. The initials stand for Confidentiality, Integrity, and Availability.

Confidentiality is ensuring that your data is not accessed by people who do not have the authority, permission, rights, or privileges to access it. It ensures that confidential data, secret data, private data, and so on remains confidential, secret, and private. In a previous lecture we looked at encryption. Encryption helps maintain confidentiality by making sure that only people with the appropriate key can decrypt the data.

Integrity is ensuring that data is not changed without appropriate permission or authority. (Encryption by itself does not guarantee integrity; detecting an unauthorized change takes a separate mechanism, such as a message authentication code or a digital signature.)

Availability is ensuring that the data is there for you to read, to report from, and to access when you need it.

A compromise of any of these elements is considered a security event or a security breach. If the data is copied by someone who should not have it, it is no longer confidential. If the data is altered, its integrity is lost. If the data is not there, or you are prevented from accessing it, its availability has been compromised. All of those are violations of some aspect of CIA. When you think about information security, remember the CIA Triad: Confidentiality, Integrity, and Availability.

Information Security vs. Cybersecurity

Most of this discussion is about cybersecurity. However, cybersecurity is a subset of the larger topic of information security. Information can exist in digital form, but also in physical form. The people who need to be protected and the servers that need to be protected exist in the physical world. Cybersecurity can certainly play a role in their protection, but there's more. Information security can be as simple as making sure the door to a data center is locked or that a file cabinet is locked.
Hiring a security guard can be a form of physical information security. It can mean not leaving sensitive documents unattended on your desk. I certainly hope no one is writing down passwords on sticky notes or putting them in clear-text notes on a smartphone. But, for now, let's get back to the topic of cybersecurity.

© 2022 – Mark Perew

Terms

Since this is a specialized field, there are some terms that need to be defined.

Vulnerability: A vulnerability is a weakness in an information system. It can be a software defect. It can be a hardware flaw. It can be a configuration problem. For example, if the software has the correct options set to make it secure, that is good. But if there are settings which allow the confidentiality, integrity, or availability of the information system to be compromised, then there is a vulnerability.

Exploit: An exploit is a way of taking advantage of a vulnerability. Take the example of a user of an information system who does not normally have privileged, administrative, or elevated access. This is just an average user. If there is a vulnerability that allows that user to connect to the system as a normal user and then promote themselves to more access than they should have, then the technique for doing so is one form of exploit (a privilege escalation exploit).

Threat: A threat is someone who has both the skills and the knowledge to use that exploit against you. (Strictly speaking, the person or group is the threat actor and the threat is the harm they could cause, but in everyday use the terms run together.)

Risk: Risk is the potential for financial loss, disruption to the business, compromise, theft of data, or even loss of data. It depends on both how likely it is that a threat will exploit a vulnerability and how much damage that would do. Anything that impacts, or has the potential to impact, one or more components of the Five Component Model is a risk.

Information Security and the Five Component Model

Information security covers all the components of the Five Component Model (hardware, software, data, processes, and people). A vulnerability can be in the hardware, where a compromise causes a system to stop operating or to operate in an inappropriate way.
It can cause the software to misbehave or to send data where it is not supposed to go. The data itself can be copied, deleted, or changed. If the software and the data have been impacted, the processes that depend on them can be impacted; in the case of a denial of service, those processes cannot be performed at all. Then there are the people. A key element of cybersecurity is protecting people: making sure that people are not abused, misused, misled, or even harmed when an information system is compromised.

A Growing Problem

Vulnerabilities are a tremendously growing problem. In 2021, there were nearly 22,000 new and unique vulnerabilities found in information systems. This is the total of all the previously unknown vulnerabilities found in Windows, Linux, smartphones, apps, devices, or anything else that we consider to be a computer or information system. As the chart below shows, that number has been growing steadily for several years.

[Figure 1 – Number of Published Vulnerabilities (CVE count) per year, 2010 through 2021, rising from a few thousand per year around 2010 to 21,957 in 2021. Source: National Institute of Standards and Technology, National Vulnerability Database]

This data is tracked by the National Institute of Standards and Technology (NIST) in the National Vulnerability Database (NVD). Anyone can access that site and look at the list of published vulnerabilities. Which brings up another key term.

Common Vulnerabilities and Exposures (CVE): A CVE is an entry in the CVE list, a public catalog of known weaknesses in information systems; each entry has an identifier of the form CVE-year-number. The NVD takes those entries and adds severity scores, affected-product information, and links to fixes. (The E stands for Exposures, not Exploits; an exploit is the code or technique that takes advantage of the weakness.)
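As an added example that is not part of the lecture, here is what reading a CVE record programmatically looks like, using the JSON layout returned by the NVD 2.0 API (https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=...). The record below is constructed: the CVE ID, vendor, product, and version are fictitious and only mimic the real field names, and the patch-priority thresholds at the end are an assumed local policy, not anything NVD or NIST publishes.

```python
"""
Added example, not from the lecture: parse one NVD 2.0 style CVE record and
turn its CVSS data into a patch-priority decision.  The record is constructed
(fictitious CVE ID and product); only the field layout follows the real API.
"""
import json

SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [{
        "cve": {
            "id": "CVE-2099-0001",                       # constructed, not a real ID
            "published": "2099-01-01T00:00:00.000",
            "descriptions": [{"lang": "en",
                              "value": "Unauthenticated remote code execution in ExampleServer 1.x"}],
            "metrics": {
                "cvssMetricV31": [{
                    "cvssData": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                        "baseScore": 9.8,
                        "baseSeverity": "CRITICAL",
                    }
                }]
            },
            "configurations": [{
                "nodes": [{
                    "operator": "OR",
                    "cpeMatch": [{
                        "vulnerable": True,
                        "criteria": "cpe:2.3:a:example:exampleserver:*:*:*:*:*:*:*:*",
                        "versionEndExcluding": "1.4.2",   # first fixed version
                    }]
                }]
            }],
        }
    }]
})


def parse_cvss_vector(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError("only CVSS v3.x vectors are handled here")
    return dict(p.split(":", 1) for p in parts[1:])


def summarize_record(nvd_json_text):
    """Pull out the fields a patch decision needs from one NVD 2.0 response."""
    cve = json.loads(nvd_json_text)["vulnerabilities"][0]["cve"]
    metric = cve["metrics"]["cvssMetricV31"][0]["cvssData"]
    affected, fixed_before = [], None
    for conf in cve.get("configurations", []):
        for node in conf["nodes"]:
            for match in node["cpeMatch"]:
                if match["vulnerable"]:
                    affected.append(match["criteria"])
                    fixed_before = match.get("versionEndExcluding", fixed_before)
    return {
        "id": cve["id"],
        "description": next(d["value"] for d in cve["descriptions"] if d["lang"] == "en"),
        "base_score": metric["baseScore"],
        "severity": metric["baseSeverity"],
        "vector": parse_cvss_vector(metric["vectorString"]),
        "affected": affected,
        "fixed_before": fixed_before,
    }


def patch_priority(summary, internet_exposed):
    """Assumed organizational policy: remotely reachable, no-auth flaws on
    exposed systems jump the queue even below the CRITICAL band."""
    v = summary["vector"]
    score = summary["base_score"]
    remote_unauth = v.get("AV") == "N" and v.get("PR") == "N"
    if score >= 9.0 or (score >= 7.0 and remote_unauth and internet_exposed):
        return "immediate"
    if score >= 7.0:
        return "this week"
    return "next cycle"


if __name__ == "__main__":
    s = summarize_record(SAMPLE_NVD_RESPONSE)
    print(s["id"], s["severity"], s["base_score"], "fixed in", s["fixed_before"])
    print("priority if internet-facing:", patch_priority(s, internet_exposed=True))
```

The attack vector (AV) and privileges required (PR) components of the CVSS vector matter as much as the headline score: a high-severity flaw that needs local access on an isolated server is a different emergency from a medium one that any stranger on the internet can trigger.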
If you're interested in digging deeper into information security, CVE entries will give you a lot of information about the kinds of vulnerabilities that exist and how to remediate them.

This chart shows a growing problem. This is absolutely not something that we can ignore. We have to take information security very seriously. We have to take note of it, and we have to act on it. We have to protect the business and the business's customers.

The 4 A's: Authentication, Authorization, Auditing, and Accountability

We use the term credentials to refer to the information that identifies you and proves your identity. The identifying part is typically an account name or username. When you enter that username, you are making an assertion about your identity. It's easy to go on to the fullerton.edu portal and enter my username. But can I prove that I'm that person? Can I substantiate that assertion?

The first way of substantiating that assertion is by entering the password that is connected to my username. That's enough for a lot of websites and uses. Unfortunately, too many people don't use strong passwords, or the sites that store the passwords don't keep them secure. So, here at the university, in addition to a password, you have to provide a second piece of evidence to prove who you are. That can be acknowledging a pop-up message on your phone, getting a code on your phone or in your email that you must enter at a special prompt, or reading a string of characters from a physical device, called a fob, that you carry. In each case, your phone, your email, or your fob is connected to your account and only to your account. That second piece of evidence says, "Yes, I am who I claim I am." The system receives that evidence, confirms it, and then says, "Yes, you have provided proof of your identity, and therefore you are authenticated." Using a second piece of evidence is called Two-Factor Authentication (2FA).
However, 2FA is a subset of Multifactor Authentication (MFA), which allows for more ways to prove who you are. With MFA, you have to provide several pieces of different kinds of evidence. Those kinds are broken down into:
1) Something I know
2) Something I have
3) Something I am

A password or PIN is the most common way of providing something that you know. However, those are often not sufficient on their own. The "something I have" can be validated through your phone, access to your email, or the code off a fob. It could also be a smartcard with a chip that validates your identity. The factor "something I am" is addressed through biometrics. The something I am could be a fingerprint, your voice, the unique pattern of the iris of your eye, or a scan of your hand geometry.

Sometimes there is a fourth factor added: Somewhere I am. This factor requires that you provide your authentication in a specific location or within proximity to a location. That location might be established through a specific device that must be used in a physical location, or it could be limited by having your smart device within a specified proximity of a key device.

At one point in time, I worked at a facility which had a highly secure data center. In order to gain access to the data center where the servers and mainframe devices were located, I had to swipe a card (something I had), enter a PIN (something I knew), and place my hand into a scanner that checked to make sure it was my hand (something I am). Those three forms of authentication also only worked for one door in the entire world. So, I had to be standing in that location to make the other three factors work. In addition, there was a security guard and cameras that were tracking everything that I did.

Now, once you have been authenticated to the system, there is the question of authorization. What are you allowed to do?
What systems and what websites can you use? What courses are you allowed to access? The key idea is that you don't want someone who doesn't have permission to log in and then access your FAFSA information or your grade information. That would be a violation of confidentiality, and it would break that aspect of the CIA Triad.

Authentication and Authorization are a great start. They are definitely necessary, but not sufficient. You've been authenticated and your authorizations have been granted, but now we need to track what you do. So, we have the idea of Auditing. That is where the information system, the operating system, or some other component writes files with information about who did what and when. Let's say that a user logged on and authenticated himself. That logon to that user's account would be recorded. The fact that a valid user name was provided would be recorded, along with some information about where that access originated from. Next, the fact that the correct password and/or valid multifactor authentication was provided would also be recorded.

Here's an example of what a log might look like. There is a logon to the account "jtkirk", and the correct 2FA was completed via a Duo Push. Then there are some file access records. A file was updated, a file was deleted, and a file was created. That might be OK, but what if the file "c:/USERS/hsulu/FLIGHTPLAN.DOCX" should not have been removed? Without this kind of auditing, there would be no way to find out what happened to the file.

Which brings up the topic of Accountability. It's not enough that those logs exist. Someone needs to be looking at them. Someone needs to monitor them from time to time and ask, "Hey, has anything strange happened?" If someone looks at the log information above, they might say, "Hmm. That IP address looks odd.
When I check where it comes from, it's a site in Greece." Someone could ask user jtkirk about it, and he might say, "I've never been to Greece, and I don't have any plans to go to Greece in the near future. I've been here in southern California the whole time." That could definitely point to a security problem.

The Accountability piece doesn't have to be manual. There are automated tools that can examine the logs and say, "Hey, this is not normal behavior." That causes the information to be flagged for human beings to review. Auditing and Accountability help us demonstrate, and have some confidence, that our processes around Authentication and Authorization are working the way they are supposed to, or they find the instances where they are not working correctly. All of this improves the security of the information system and makes sure that the confidentiality, integrity, and availability of your data, whether it's a medical system, campus data, your iCloud account, or your Gmail account, is protected appropriately.

There are ways to bypass all of that. Of course, those are not supposed to exist. Vulnerabilities that allow people to bypass authentication are referred to as "spoofing": using fake credentials to pretend to be someone else, or providing false credentials that are accepted. There are also ways to bypass the authorization and bypass the auditing. Those vulnerabilities are not supposed to exist either. Normally, no one designs a system so that authentication can be bypassed. However, sometimes there are intentional or unintentional "back doors" into information systems.

One form of vulnerability comes from default credentials. When you buy a new router from the cable company, it typically comes with a default account with a default password. One of the first things you want to do is change that password.
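Before moving on to default credentials, here is the automated review of an audit log that the Accountability discussion describes, as an added example that is not part of the lecture. The log lines are constructed to match the lecture's scenario (jtkirk logs on with a Duo Push, files are touched, one logon comes from an unexpected country, and hsulu's flight plan is deleted). The line format, the geolocation table, and the "expected countries" rule are all assumptions for the example; a real deployment would read its own log format and query a GeoIP database.

```python
"""
Added example, not from the lecture: automated review of a constructed audit
log.  Flags successful logons from outside the expected countries, deletions
in another user's home directory, and one user appearing in several countries.
"""
import ipaddress

# Constructed log lines; the format (timestamp, event, key=value fields) is assumed.
SAMPLE_LOG = """\
2022-03-01T08:02:11Z LOGON user=jtkirk src=10.20.30.40 mfa=duo_push result=success
2022-03-01T08:05:42Z FILE_UPDATE user=jtkirk src=10.20.30.40 path=c:/USERS/jtkirk/CAPTAINSLOG.DOCX
2022-03-01T08:06:03Z FILE_CREATE user=jtkirk src=10.20.30.40 path=c:/USERS/jtkirk/MEMO.DOCX
2022-03-01T23:41:18Z LOGON user=jtkirk src=203.0.113.22 mfa=duo_push result=success
2022-03-01T23:42:50Z FILE_DELETE user=jtkirk src=203.0.113.22 path=c:/USERS/hsulu/FLIGHTPLAN.DOCX
2022-03-01T23:43:02Z LOGON user=hsulu src=10.20.30.41 mfa=duo_push result=failure
"""

# Assumed geolocation table.  203.0.113.0/24 is a documentation range that we
# label "GR" purely for the example; real code asks a GeoIP database.
GEO = {
    ipaddress.ip_network("10.20.30.0/24"): "US",   # campus network
    ipaddress.ip_network("203.0.113.0/24"): "GR",
}
EXPECTED_COUNTRIES = {"US"}


def parse_line(line):
    """'<ts> <EVENT> k=v k=v ...' -> dict."""
    ts, event, *fields = line.split()
    rec = {"ts": ts, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def review(log_text):
    """Return a list of (timestamp, reason) findings for a human to follow up on."""
    findings = []
    countries_seen = {}          # user -> set of countries of successful logons
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, src = rec.get("user", ""), rec.get("src", "")
        if rec["event"] == "LOGON" and rec.get("result") == "success":
            cc = country_of(src)
            countries_seen.setdefault(user, set()).add(cc)
            if cc not in EXPECTED_COUNTRIES:
                findings.append((rec["ts"], f"logon for {user} from {src} geolocates to {cc}"))
        elif rec["event"] == "FILE_DELETE":
            path = rec.get("path", "")
            parts = path.lower().split("/")
            owner = parts[2] if len(parts) > 3 and parts[:2] == ["c:", "users"] else None
            if owner and owner != user.lower():
                findings.append((rec["ts"], f"{user} deleted {path}, which is in {owner}'s home directory"))
    for user, ccs in countries_seen.items():
        if len(ccs) > 1:
            findings.append(("-", f"{user} logged on from more than one country: {', '.join(sorted(ccs))}"))
    return findings


if __name__ == "__main__":
    for ts, reason in review(SAMPLE_LOG):
        print(ts, reason)
```

Notice that every flagged event passed authentication, including the Duo Push. The log review is what turns "the system let them in" into "someone should ask jtkirk whether that was really him."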
You don't want to leave it on the default, because that could allow someone else to log in to your network using those default credentials. Changing that password lowers the chances of someone accessing your home network without your permission. This is the kind of network compromise, a violation of the CIA Triad, that you want to avoid.

Now, go back to the number on that chart: nearly 22,000 new vulnerabilities in a single year. There are a lot of reasons why that number is what it is, and why it exists at all. Why is that number not 0?

One thing that happens is that people misuse what are known as administrative accounts or elevated-privilege accounts. These are accounts on computers that have access to all files, programs, services, hardware, etc. If a hacker takes over one of these accounts, they have full control of the computer. These accounts can install software, change passwords, encrypt data, and perform other harmful actions.

Various operating systems have taken steps to alert users when elevated privileges are needed. Examples of some warnings and confirmation pop-up boxes from both Windows and macOS are shown in Figure 2.

[Figure 2 – Windows UAC and macOS Verification Panel]

If a malicious user gains access to an elevated-privilege account, they have full control over the system. What that malicious user will do is attempt to get a normal user to approve the privilege elevation, or to install software which carries out the privilege elevation. If you, as a normal user, are cautious about when to allow elevated privileges, then you are exercising good judgement and protecting your computer from this form of attack.

Another common cause of vulnerabilities is improper configuration. Many applications have default settings that allow very wide access.
If a malicious user finds a system that is not properly secured, then the system can be compromised, data stolen, and so on. Restricting access can be annoying to normal users. We like to have access to everything at our fingertips. But the better rule is to have only the access that you actually need to get your job done (the principle of least privilege). Anything more than that is an invitation to a compromised system.

Another common problem is the introduction of new flaws. Software is updated constantly, especially on mobile devices. On any given day, anywhere from four to eight apps on a phone might update. Some of them update multiple times per week. It's important to understand that when a change is made there is a risk of introducing a bug or other unintended functionality. Even when the change is to fix a problem, there is the risk of introducing another problem. I've spent a lot of my career writing software and I know how easy it is to accidentally create a new problem.

That's not a suggestion that you should not update your software. On the contrary, you should. However, you have to decide how quickly you need to perform those updates. Sometimes defects are so critical that you must update the software immediately. Other times, you might want to wait to make sure the vendor doesn't retract the update or send a follow-on update. For the average user, updating is probably safer than not updating. Expert users can use their knowledge and experience to make a more nuanced decision.

Yes, innocent users can do things that cause security problems. However, malicious actors, the bad folks, are constantly trying to break into systems. They find vulnerabilities in information systems and develop exploits to take advantage of those vulnerabilities. These malicious actors get better and better at what they do. These are not amateurs.
There are very talented people out there who have decided to use their skills and their knowledge for illicit purposes. They constantly improve their tools. Their knowledge and skills grow. Their access to systems around the world gets better. The good folks are also getting better. Defenses get stronger and more comprehensive. Training in cybersecurity is now a significant priority in most companies and governments. So, it becomes a kind of warfare, an arms race, where one side improves its tools and the other side improves its tools to compensate. The defenders have to get better at their defenses. But the bad folks, the attackers, see that and modify their tools to come up with a stronger attack. And then the good folks modify their tools to defend better, and it just goes back and forth that way. I don't know that that cycle is ever going to be broken. I hope at some point someone figures out a better way to do this. But that's where we are today.

Another factor is that people want more from their devices. People want their handheld devices, mobile devices, laptops, tablets, et cetera, to do more and do it quickly. Out of that demand, some software is released or shipped before it has been fully tested. The developer of the app or the operating system can't know all of the interactions between an operating system change and some change in an app unless exhaustive testing is performed. If you haven't fully tested, then you don't know what could go wrong. There could be some gap that has opened up, and at the rate that patches are released and implemented, it's hard to keep track of all the possible combinations.

Perpetrators

Cybersecurity is filled with lots of specialized terms. We looked at a few earlier. Now we need to look at some of the kinds of people involved in cybersecurity.
Cybercriminal: This is the generic term for someone who attacks an information system, either for personal gain, to cause damage, or just because they can.

Black hat hacker: This is someone who is a genuine bad guy. A malicious actor. An attacker. They have bad intent. They want to steal your data, compromise your system, or use your system to attack someone else.

White hat hacker: These people are also known as ethical hackers. They do research and investigation. They do legitimate, authorized testing within a legitimate environment to see what they can find. There is training and certification for people who want to become ethical hackers.

I do need to apologize for using these terms, black hat and white hat. Nothing is intrinsically wrong with black; nothing is intrinsically right with white. But these are the terms that are used in the industry, and I'm not in a position to introduce other terms. Using these terms is awkward, but we still need to go with them, even if they are in some ways problematic.

Gray hat hacker: These are people who do unauthorized investigations. They're not bad guys, per se. They don't intend to break anything, but they aren't doing an authorized investigation. Someone who goes around scanning systems to see what they can find falls into the category of a gray hat hacker. They're going to find something, perhaps a computer that is not configured correctly, and then tell the owner that they need to fix the vulnerability. This is intended to be helpful, but it really is a bit creepy. It's like walking down the street and checking to make sure everyone locked their front door. Yeah, someone might be glad that you told them, "Hey, you forgot to lock your front door." But it's kind of disturbing that some stranger is going around checking people's front doors.
Cracker: This term has mostly been lost, but it has some important history. Originally, a hacker was just a computer enthusiast, someone who liked experimenting and trying things. Thirty or forty years ago, when people built their own computers all the time and things were a lot more experimental than they are today, those people were known as hackers. "Cracker" was introduced for the people who broke into systems, so that "hacker" could keep its original meaning. But the term hacker became a term for bad guys anyway. Now we don't use the term cracker, and anybody who's trying to do security work, good or bad, is a hacker. I wish there was more clarity about that. But the terms are as they are.

Malicious Insider: There's also the idea of a malicious insider, an employee who has an axe to grind; they have some reason for wanting to do something nasty to their employer. Often, they exfiltrate, or steal, data. We use the term infiltrate for sneaking into something. We don't use the term exfiltrate very often. It just means to sneak something out; in this case, exfiltrating data that should remain on the inside. A malicious insider can also commit sabotage to cause systems to crash or fail in some way. There was a case in San Francisco several years ago where a network administrator changed passwords and refused to divulge them (https://www.govtech.com/pcio/ex-san-francisco-network-engineer-convicted-of.html). He eventually went to prison for several years.

Industrial Spy: An industrial spy is an outsider who pretends to be an insider. Their goal is to get inside access so they can steal data or commit some sort of sabotage. This is a real threat. It isn't just some John le Carré or Tom Clancy novel, or any of those kinds of fictional stories. One study in 2019 (https://op.europa.eu/en/publication-detail/-/publication/b3b5fcfb-4541-11e9-a8ed-01aa75ed71a1/language-en/format-PDF/source-90181868) found that 20% of European companies had been the victim of cyber espionage.
Hacktivist: This is someone who has a political agenda. They're trying to make a statement. It's not about personal monetary gain or just causing general havoc. They have a political point, an environmental point, some sort of point on international issues, or any number of possible motivations. They see themselves as a kind of vigilante trying to right a wrong that the government can't or won't address.

Cyberterrorist: Terrorism is intended to inflict harm and generate fear. Cybercrime can be used for that purpose. These people are not out for the money; they're engaging in terrorism through this particular channel.

Script kiddies: Part of this discussion has mentioned people with advanced computer skills. There is another group who are derisively called script kiddies. These are people who don't have a lot of skills, but they can go out on the dark web and find tools that other people have written to carry out compromises. These tools will attack systems, compromise systems, and bring down systems. But these individuals are only using tools that someone else has provided, since they don't have the skills to create their own.

Advanced Persistent Threats (APTs): At the far other end of the spectrum are groups we call advanced persistent threats, or APTs. These are skilled attackers with many resources. They are typically sponsored by some nation. That is, they're backed by a government or a quasi-governmental body that provides them with money, facilities, training, and other resources. Those governments either tacitly or overtly protect these APT groups. Some governments use APTs as a way to generate income. It has been estimated that 8% of the Gross Domestic Product of North Korea comes from cybercrime (https://www.bloomberg.com/news/articles/2021-12-21/north-korean-army-of-cybercriminals-props-up-kim-s-nuclear-program-and-economy).

Exploits

There are many different kinds of exploits.
Malware is the generic term for any kind of malicious software; it can inflict damage in many different ways. Traditionally there were different kinds of malware: viruses, worms, and trojans.

Viruses modify other programs in order to operate and propagate. These are, conceptually, just like a human virus, such as the SARS-CoV-2 virus that causes COVID-19. That virus enters your body, takes over your cells, and causes your cells to produce more of the virus. A computer virus takes over other software in order to produce more of itself. But it does require people to transmit it from computer to computer.

Worms, however, are sophisticated enough to go from computer to computer on their own. Once a worm is on a computer, it can find new targets and move to them without human involvement.

The idea of a trojan comes to us from the story of the Trojan Horse. It's something that looks great but has something bad hidden inside. You see a piece of software that looks interesting, but when you install it, the bad part, the malware, is unleashed.

Modern malware can do all of these things (virus, worm, and trojan) and more. So those distinctions have become a little lost in the haze.

The term "zero day" is often used when discussing new malware. There are a couple of ways that this term is used. A Zero-Day Vulnerability is a previously unknown vulnerability. It's a flaw or defect in an information system which has not been public knowledge. Sometimes malicious actors or researchers have known about it, but that information had not been shared. Since this is a new vulnerability, a patch may not exist for it. Or, the vendor may be releasing the patch on the same day as announcing the vulnerability. A Zero-Day Exploit is a new way for a malicious actor to use that Zero-Day Vulnerability. It works only on unpatched systems, which, until the patch exists and is applied, is every system that has the flaw.
This is why it's important for critical information systems to be patched early and often, and to have many layers of cyber protection.

We've probably all received spam email, spam text messages, and spam phone calls. Spam isn't just annoying; it's dangerous. The intent is to get you to compromise your own security. The email will have something enticing to get you to click on the link. Something like, "Hi, friend, we have FIVE MILLION DOLLARS for you. But, to get it, you need to send us $500 to unlock the account." But that "friend" is someone you've never heard of, living in a country far away, and they just want your $500 so they can disappear. Spam can also carry a sense of urgency: "You must click now to avoid fines and penalties!" We'll talk more about that later under Social Engineering. If you do click on that link, it can trigger the download of a trojan. Once that is downloaded and running, it will trigger the installation of the full-blown malware. That will steal your data or your keystrokes, encrypt your machine, or perform some other damage. Be wary of all links, even from people you know. Email can be made to look like it came from someone else. So, always be cautious.

Compromising availability often comes in the form of a Denial of Service (DoS) attack. A target computer is hit with so much internet traffic that it cannot perform any other function. That's hard for just one attacking computer to do. So, the malicious attackers create a network of other computers to all attack the target at the same time; that is a Distributed Denial of Service (DDoS) attack. The network is created by compromising other computers and installing the attack software on them. These infected computers are referred to as bots, and the collection of bots is referred to as a botnet. Depending on the attacker, the botnet can include anywhere from a few hundred computers to several million.
Imagine what would happen if 1 million computers all tried to connect to your personal computer at once. The attacker operates a Command & Control (C&C) server which sends instructions to the bots in the botnet about what computer to target and when to do it. Advanced C&C systems can even update the botnet software to add more capabilities. Botnet software is often distributed through phishing attacks. So, once more, be careful about the links you click on, even if it looks like it is from someone you know. Phishing emails can look very convincing, as can the sites they lead to.

[Figure 3 – Source: Najafimehr, Mohammad, Zarifzadeh, Sajjad, and Mostafavi, Seyedakbar (2022). A Hybrid Machine Learning Approach for Detecting Unprecedented DDoS Attacks. The Journal of Supercomputing, 78. doi:10.1007/s11227-021-04253-x]

Here's an example of a fake Amazon website. It looks very much like the real Amazon site, but the URL isn't amazon.com. Instead, it's amazonshopim.com. It even has the lock icon to show that the session is encrypted with TLS. The lock only means that your connection to that site is encrypted; it says nothing about whether the site itself is legitimate. It would be very easy to enter your account credentials on this site and then lose your real Amazon account to the hackers.

Phishing emails tend to be rather generic. They tempt the recipient with a reward for clicking on the link. Spear phishing is where the attacker targets you by name. That doesn't mean they are after you specifically; they may just have a list of names. But now they can make the phishing attack look more personal and entice you with "Oh, they know my name, it must be authentic." On top of spear phishing, there is whaling. This is an attempt to target high-level executives, the big fish, especially with a message that carries some sort of urgency. The messages state that the executive must provide an approval immediately in order to execute some critical contract or pay a critical invoice.
The link contained in the message can take them to a very legitimate-looking website. However, all they really do is give up their credentials by logging in to the fake site. This is where multifactor authentication helps. Even if the executive gives up their account name and password to the malicious site, the attackers won't be able to use them without the additional form of authentication, whether that is acknowledging an SMS text message, entering a code, or some other form. The hackers just won't have access to that extra bit of critical data. One caution: a fake site that relays what you type to the real site in real time can relay a one-time code, or trigger a push prompt, as well, so code-based MFA raises the bar without making phishing impossible. Hardware security keys that check the site's real name before they respond close that gap. If the site does not use MFA or 2FA at all, the hackers can simply log in and perform malicious activities.

Beyond phishing emails, there are smishing attacks, which use Short Message Service (SMS) text messages to get the recipient to click on a link. That URL is going to trigger malware or steal your credentials. There are also voice mail scams (vishing) aimed at the target. The intent there is to get the victim to call back and then give up key data over the phone. A newer form of these attacks is the QR code scam (https://timesofindia.indiatimes.com/city/hyderabad/qr-code-scam-can-empty-your-wallet/articleshow/72930101.cms). A QR code is just a visual shortcut to a web site. You have to look at the website that the QR code takes you to and ensure that it is not a fraudulent site.

Another form of attack uses URL shorteners, such as bit.ly or tinyurl.com, sites that take a long URL and replace it with a short URL alias. How do you know that the actual website behind that shortened URL is safe? Well, you don't. So, don't automatically trust shortened URLs, either.

Watering hole attacks are attempts to compromise a set of users, an industry, or a specific interest group by compromising a common website that is used by members of that group.
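Before continuing with watering hole attacks, here is the check the fake-Amazon and URL-shortener discussion above implies, as an added example that is not part of the lecture: given a link, decide whether its host is really the site it appears to be. The allowlist of trusted sites and the list of shortener hosts are assumptions for the example, the lookalike hosts are constructed using reserved example domains, and the registrable-domain logic is deliberately simple (real code would use the Public Suffix List). Nothing here touches the network.

```python
"""
Added example, not from the lecture: classify a link by where it really goes.
Catches the lecture's amazonshopim.com lookalike, trusted names buried in a
subdomain or in the user@ part of the URL, raw IP hosts, plain-http links to
a trusted site, and shortener hosts whose destination is unknown.
"""
from urllib.parse import urlsplit

# Assumed allowlist of sites the user is expected to log in to.
TRUSTED_DOMAINS = {"amazon.com", "fullerton.edu"}
# Assumed shortener hosts: the real destination cannot be judged until expanded.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def registrable_domain(host):
    """Last two labels of the host.  Fine for .com/.edu; a production version
    uses the Public Suffix List so that e.g. example.co.uk comes out right."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url):
    """Return (verdict, explanation).  Verdicts: trusted, no_tls, shortener,
    ip_host, lookalike, untrusted."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if host.replace(".", "").isdigit():
        return "ip_host", f"raw IP address {host} instead of a site name"
    if host in SHORTENERS:
        return "shortener", f"{host} hides the real destination; expand it before trusting"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        if parts.scheme != "https":
            return "no_tls", f"{domain} is trusted but the link is not https"
        return "trusted", f"{host} belongs to {domain}"
    # A trusted name appearing anywhere except as the registrable domain is the
    # classic lookalike: amazonshopim.com, amazon.com.example.net, amazon.com@host.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in host or (parts.username and trusted in parts.username):
            return "lookalike", f"{host} resembles {trusted} but is actually {domain}"
    return "untrusted", f"{domain} is not on the allowlist"


if __name__ == "__main__":
    for link in ["https://www.amazon.com/ap/signin",
                 "https://amazonshopim.com/ap/signin",        # the lecture's fake site
                 "https://amazon.com.example.net/login",      # constructed lookalike
                 "https://bit.ly/3abcXYZ"]:
        print(link, "->", *classify(link))
```

The TLS lock icon is evaluated by none of this code, and deliberately so: amazonshopim.com can obtain a perfectly valid certificate for amazonshopim.com. The only question that matters is whether the registrable domain is the one you meant to talk to.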
Once the common site has been compromised, the attackers can send phishing emails to members of that group, enticing them to visit the site. Visitors to that site may find that malware has been downloaded to their systems. Both the site administrators and the users must be cautious. The site administrators must lock down access to their servers to protect against compromise. Users must employ the usual caution about clicking on links and having anti-virus software installed.

Social Engineering

Social engineering is the craft of tricking people into revealing confidential information, such as their social security number, passwords, account numbers, procedures, etc. The attacker, the person performing the social engineering activity, is seeking information that they are not entitled to have. Social engineering plays on people's emotions, plays on their fears, or their confidence, or their uncertainty, or their lack of familiarity or privacy, perhaps even overconfidence. Social engineering leads people to think “That’s okay, this question that this person is asking is something I need to answer” or “It's okay for me to answer and give up that information.” This is usually done through some kind of pretexting where someone is claiming to be an authority of some kind, but they really aren’t. Someone says, “Hey, I'm from information security, and please confirm your password to me.” No one in information security is ever going to ask you for your password. If they do, you need to escalate that to some level of management and report that behavior. But someone might say, “Oh, can you just do me this little favor and log onto this site for me?” Or someone shows you some credentials that look right, so their request must be valid.

Figure 4 - Source: vpnoverview
As with phishing attacks, social engineering can include a sense of urgency in order to stop people from thinking critically about the situation. There's also old-fashioned shoulder surfing where someone watches as you enter a password. People who are skilled can watch you type and make accurate guesses about your password. Social engineering can be in person, it can be email (including spam), it can be something over the phone. The piece of data that you give up might not be big all on its own. But a patient and thorough social engineer will get little bits from multiple people. By the time they've gotten those pieces, they can put together a fuller picture of the entity that they're trying to attack in order to compromise information systems.

Identity Theft

Identity theft is a big deal. When a person’s credit card information, social security number or ITIN, driver’s license or state-issued ID number, or other private information is stolen, several bad things can happen. It can be used to commit fraud. It can be sold on the dark web. It can be used to compromise your other accounts online. Several types of data come under the heading of Personally Identifiable Information (PII). The US government defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual” (OMB Memorandum M-07-16). This could include your birthdate, your address, account numbers, or a long list of other things. If a set of data could be used to identify you from the other 8 billion people on the planet, then it’s likely to be PII. One shocking thing is that it is cheap to buy information about you. On the dark web, a social security number sells for as little as $2.00. A passport number goes for $50 or $60.
A full set of information about you might sell for under $1,500. These pieces of data are stolen from websites that are supposed to be secure. However, they aren’t, and so a data breach occurs. A data breach is any release or leak of sensitive information to or by unauthorized individuals. That can be accidental through a poorly secured site, or intentional by some malicious person who wants to spread information. It can even be an intentional release, but under the wrong context, such as through a social engineering attack. There are ways to know if your data has been leaked through a data breach. The best way is to have a credit monitoring service so that you will get alerted if someone tries to use your credentials. Those credit monitoring services can cost a few dollars a month or per year, but some credit cards or other services now include that as a feature of the card or service. Regardless of how you subscribe to a credit monitoring service, it’s a good idea to have one. Most banks and credit unions and credit card issuers now provide daily, or even real time, reports of transactions and account balances. Those alerts to your email or mobile device can quickly alert you to any illicit use of your accounts. There is also a site called “Have I Been Pwned” (https://haveibeenpwned.com/). The term pwned (pronounced powned, like owned) is hacker speak for having been compromised. The hacker now “owns” your information. This site will track your account. You give it your email address or other account information and it will check the dark web regularly to see if your information shows up in some new data dump. This is a very legitimate site operated by a gentleman down in Australia who is a security expert. He is trustworthy. He does know what he's doing. I get alerts from this site a couple of times a year that some site that I thought was trustworthy has been hacked.
We need to take a side detour here to talk about willingly giving up your data to a monitoring service like this. Yes, there is a risk that “Have I Been Pwned” could be hacked. However, the people who operate the site are world class experts at what they do. They teach how to avoid being hacked. They consult with companies who have been hacked. They absolutely do not take cybersecurity for granted. But, people can and do make mistakes. The experts can be beaten. And it's software, and software can always have vulnerabilities. So, yes, there is some small risk in sharing data with this kind of site. But, here's the reality, you have to pick which risks you're willing to accept. There are no risk-free options. I wish it was otherwise. You have to pick your tolerance for risk and evaluate the risk versus reward conditions. There’s no perfect answer. You just have to do your best.

Credit card theft

Credit card theft is another example of how your information can be compromised. Card skimmers, for example, are physical card readers that can be placed on things like gas pumps. You go to the gas station and you put your card in a pump. But the skimmer is reading your card and passing the information on to the gas pump. You don’t know that your data is being stolen. The newer Europay Mastercard Visa (EMV) cards with an embedded chip have extra security. It’s difficult to copy the information in the chip, so that adds protection on top of the use of your PIN. Some credit card thieves will plant very small cameras so they can record the card number as you insert the card into the machine. They also watch the PIN pad to see what numbers you press. However, new cards sometimes have the number printed (not embossed) on the bottom of the card. That makes it harder for cameras to steal the information. People are amazingly creative in how they find ways to steal data.
It's a shame that they don't put their skills or talent, their energy, and their time into more productive uses. The world might be a more secure place, instead of less secure, if these people used their abilities for good.

Insider Threats

We’ve talked about outsiders who try to attack systems. But there can be insider threats, too. Often these come from disgruntled employees who feel they have been wronged in some way. Perhaps they were passed over for a promotion, or weren’t given a raise, or any of a long list of other things that could make someone unhappy at their job. An insider can potentially inflict a lot of damage. They can create a logic bomb, which is software that will take some unauthorized action when a particular condition is met. That logic bomb could erase files or shut down devices or reconfigure security settings to make systems vulnerable. The insider could simply stop following security protocols and create vulnerabilities in that way. We covered earlier the case in San Francisco where passwords were changed. Exfiltrating data can be done in many ways. Steganography is a fascinating topic. It’s the ability to hide data inside an image file. There really isn’t space to go into that topic here. So, if you’re interested, please look it up.

Cyberespionage

Industrial spying really does occur. There’s a long history of companies spying on each other to learn trade secrets and steal intellectual property. The use of cyberespionage techniques just opens up new avenues for that to occur. Some of the most valuable data to steal includes:

- Sales, marketing, and new product development plans, schedules, and budgets
- Details about product designs and innovative processes
- Employee personal information and customer and client data
- Sensitive information about partners and partner agreements

Cyberterrorism

It’s unfortunate that cyberterrorism is a real threat.
For example, in 2018, there was a cyberattack on a petrochemical plant in Saudi Arabia (https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html). If that attack had been successful, it would have caused an explosion at the plant. Cyberterrorism has some real appeal for those who want to inflict harm or at least generate fear. It’s relatively inexpensive. There is a degree of anonymity in the attacks. There are computers all over the world, connected by the internet, which can be attacked. And, it can be done from a remote location. In the United States, the Department of Homeland Security has the responsibility to monitor for cyber terror attacks. There is also the US Computer Emergency Readiness Team (US CERT) which handles security incidents that occur. A relatively new organization, the Cybersecurity and Infrastructure Security Agency (CISA), works with both businesses and governments to build a more secure and resilient cyber infrastructure. CISA was heavily involved in ensuring that the elections in 2020 and 2022 were free from serious cyber threats. In the US, we have over 600 different election authorities ranging from state, county, and city officials. CISA worked with all of those groups to train them, advise them, and guide them in the best practices for holding a safe election and being able to demonstrate that the elections were free from cyber interference.

Advanced Persistent Threats

The concept of APTs was introduced earlier. Now, we need to look at them in more detail. As mentioned, APTs have highly skilled people, advanced technology, strong finances, and often have political protection. That makes them formidable opponents in the world of cybersecurity. When we look at APTs, we often examine the Tactics, Techniques, and Procedures (TTPs) that they use. A US government document on cyber threats (NIST SP 800-150) provides these definitions:

Tactics, techniques, and procedures (TTPs) describe the behavior of an actor.
Tactics are high-level descriptions of behavior, techniques are detailed descriptions of behavior in the context of a tactic, and procedures are even lower-level, highly detailed descriptions in the context of a technique. TTPs could describe an actor’s tendency to use a specific malware variant, order of operations, attack tool, delivery mechanism (e.g., phishing or watering hole attack), or exploit.

TTPs can vary from one APT to another. Some prefer one set of malware tools. Some select their targets in different ways. However, there is a common approach to attacks from APTs.

1. Reconnaissance
2. Incursion
3. Discovery
4. Capture
5. Exfiltration

In the Reconnaissance phase, the APT will research the intended target. They can find publicly available information or engage in social engineering activities to learn more about their victim. Incursion is performed by attacking a vulnerable system and installing malware. Once again, social engineering might be used in order to get someone to trigger the installation of the malware. It could come through a phishing attack. Or it could come through using an unpatched vulnerability. The APT attempts to be undetected during the Discovery phase. They are now inside your network, exploring what systems or data will be their ultimate targets. Additional systems are compromised during the Capture phase. These are the critical systems with important data that the APT attackers are seeking. Now that the key data is available to the APT, the Exfiltration phase begins. In a highly successful attack, this data theft can go on for months. Or, the APT may choose to end their attack. In doing so, they will often delete data and/or encrypt the system so that it is difficult to trace what was stolen and by whom. As mentioned earlier, APTs get support and protection from governments in the countries where they operate.
In the cyber community, the term “nation-state actors” is typically used. Nation-state is a political, sociological, and historical term. It’s accurate, but for simplicity, we’ll just talk about national governments. APT groups definitely try to hide themselves behind the technology they use. It’s quite uncommon for an APT group to announce or even acknowledge their existence. As a result, security researchers assign them numbers. Because APT teams are very skilled, they try to hide their tracks. That makes attribution, determining responsibility, very hard. However, the defenders and researchers are very good, too. There are times when they can be quite certain who is responsible for a particular attack. So, they come up with “cute” names for some of the groups after they determine which country they likely operate out of.

Many countries support APTs within their borders and governmental operations. It’s believed that the United States is no different. The Equation Group, which is one of the most sophisticated APTs, is suspected (but not proven) to be part of the National Security Agency. Please go out and look around the internet at the activities of different Advanced Persistent Threat groups.

- Lazarus Group (APT 38) – North Korea
- Fancy Bear (APT 28) – Russia
- Double Dragon (APT 41) – China
- Helix Kitten (APT 34) – Iran
- Equation Group – US National Security Agency

Ransomware

The topic of ransomware deserves special attention. A ransomware attack causes the data on the targeted device to be encrypted. The ransomware is frequently downloaded through a social engineering email. The recipient reads the email, clicks on the link, and the ransomware software is downloaded. Once the ransomware is running, it encrypts the data on the computer so that the data is now unusable. The ransomware then looks for other systems to spread to and infect. It spreads to every device it can find.
A more modern trend in ransomware is that the original data is exfiltrated to the attacker along with being encrypted. However, with all, or at least a substantial number, of devices now inoperable, most businesses hit with ransomware are unable to function. The encryption of their systems makes it impossible for the company to operate until those systems are recovered. That is exactly the motivation the ransomware attackers are using to get money from their victims. Once a device is encrypted it displays a message from the attackers stating that the device has been hacked and how to contact them to arrange to pay the ransom. In exchange for paying the ransom, the attackers will provide a tool to decrypt the data on the device. However, if the company’s data has been exfiltrated, they will have to pay a second ransom to prevent the attackers from publishing it on the dark web. Ransomware attacks have been going up over time and the amount of ransom demanded is also increasing. The number of companies that give in to the attackers and pay the demanded ransom is also increasing. However, only 4% to 8% of companies are able to recover all of their data after paying the ransom to the attackers. Often the decryption tools do not work properly. The attackers will definitely put time into creating malware that will work effectively and reliably, but they have very little incentive to create a recovery tool that works very well. The ransom, if paid, is typically paid in cryptocurrency, such as Bitcoin, Ethereum, Monero, Doge Coin, etc. The use of cryptocurrency helps to hide the identity of the attackers. However, in the 2021 Colonial Pipeline ransomware attack, the FBI was able to trace and recover over 80% of the Bitcoin paid to the attackers. The money paid and businesses disrupted are bad enough. But that’s not the worst part about it.
Ransomware kills

A 2010 report by PBS News Hour (https://www.pbs.org/newshour/science/ransomware-and-other-data-breaches-linked-to-uptick-in-fatal-heart-attacks) reported that hospital emergency rooms hit by ransomware can suffer interruptions and delays in life saving medical care. Imagine for a moment that someone very near and dear to you suffers a heart attack. The paramedics and ambulance arrive to give initial care. Your loved one is loaded on the ambulance and they radio ahead that a cardiac patient is en route. The hospital emergency room, however, is inoperable due to a ransomware attack. They tell the ambulance to take your loved one to a hospital that is 15 minutes farther away. That 15 minutes can be the difference between life and death for someone going through a heart attack. PBS News Hour estimated that as many as 2,500 deaths per year in the US alone could be attributed to delays caused by ransomware. There are a few documented cases where a clear connection could be made. But, we just don’t know the full extent of the deaths caused by ransomware. All cybercrime is wrong. But attacking a hospital is nothing short of pure evil.

Cyber Crime Laws

Of course it is illegal to damage someone else’s computer. It’s illegal to access a computer or an account that doesn’t belong to you. There is a long list of criminal laws that cover cybercrime. Cybercriminals can also be held liable in civil courts for theft of intellectual property and violation of copyrights.

- Computer Fraud and Abuse Act (1984, 1994)
- Computer Security Act (1987)
- National Infrastructure Protection Act (1996)
- Government Information System Reform Act (2000)
- Patriot Act (2001)
- Federal Information Security Act (2002)

The Big Dilemma

Cybersecurity is no longer optional. Appropriate corporate governance includes due diligence (actions taken by a prudent person to avoid harm to others).
But, corporate governance must also ensure that the organization is operational and producing a benefit for the stakeholders. But herein lies The Big Dilemma: most companies are not in business to be secure, but to be in business they must be secure. McDonalds is in the business of selling hamburgers, not providing cyber security. The reason Adidas is in business is to sell shoes and sports apparel. What does Adidas know about cyber security? Home Depot exists to sell you supplies for your home and garden. Is your rhododendron going to get hacked? But these companies also exist in cyber space. They have a presence on the internet. They all use information systems. Just as they have to have physical security to make sure their physical inventory isn’t stolen, they need to protect their information assets. But how do they do that and still operate a successful business? What amount of the company’s limited resources (people, time, and money) is appropriate for a company to spend on cybersecurity? How does a company prepare for when (not if) it becomes the victim of a cyberattack? How does it deal with law enforcement, the press, and the reputational impacts? What does it say to its customers, business partners, suppliers, lenders, and regulators? How do governments and public agencies answer the same questions? How do they create emergency plans to stay in business when (again, not if) they are attacked by cybercriminals?

Security Policy

The answer begins with the establishment of a security policy. Like any governance policy, the responsibility for establishing the security policy begins at the top with the CEO, Board of Directors, and other senior leaders. However, the security policy must call out the responsibilities and expected behavior of all members of the organization. People are often the weakest link in cybersecurity.
They fall victim to social engineering or phishing attacks, or they become overwhelmed with just trying to get work done, or they don’t understand the criticality of some rules and procedures. As a result, they leave the organization vulnerable. At the same time, people are the most important link. They can be the most important component in stopping a phishing attack. They can report abnormal situations. They can use strong passwords and MFA. They can be cautious about sharing data. People can be an extremely valuable asset in maintaining the security posture. The security policy needs to cover every IT asset in the company. All the hardware devices, and software, and data, and configurations, and users, and vendors, and contractors, and more.

Cyber Defense

The security policy needs to be based on five key questions:

1. Identification. What threats to the company exist and what assets will each threat attack? Implicit in this question is having an accurate inventory of all of your IT/IS assets. What physical and virtual devices do you have? Where are those devices located? How are they connected to each other internally and to the outside network? What software and software versions are installed on those devices? What data is on those devices and how sensitive is that data?

2. Protection. How will you protect those assets from attack? No defense is 100% effective, so how can you make it so difficult to break in that the bad guys will give up? Do you have defense in depth (multiple means of protecting every asset) in place?

3. Detection. What tools and procedures do you have in place to detect a cyber attack? Cyber attacks occur all the time. It is never a question if you will be attacked, but when. How will you know that you are under attack and if that attack has succeeded or been foiled?

4. Response. When an attack is successful, what will you do? What is your plan to stop the attack?
How will you assess the damage? What evidence will you gather? This is a large topic and more will be said about this below.

5. Recovery. How will you return the business to normal operations? How do you restore systems to normal operation? How do you recover any data that was corrupted or deleted?

Response Plan

The response to a cyber attack must be planned in advance. When systems begin to fail due to malware or other cybercriminal activity, the business can be thrown into a great deal of chaos. Having a plan is an important way to reduce the chaos and respond in an orderly fashion. No plan will ever be perfect. The plan has to be a living and flexible document. The formal plan that is written down may have to be adapted to a specific situation. However, the act of planning helps you identify your priorities and objectives, the resources you have, and how they can be best used in a crisis.

“Plans are useless, but planning is indispensable.” – Dwight Eisenhower

A strong plan addresses some important components.

Evidence

The natural first reaction is to do everything possible to stop the attack. Before stopping the attack, though, you need to know if you are going to gather evidence about the attack. What computer logs or network logs can you collect to show evidence of the attack? Forensics, the science of data gathering for legal purposes, is a specialized skill set. Just like the criminal experts on CSI and other shows have special tools and techniques, people who practice cyber forensics have their own tools and techniques. There are certifications in how to gather data which can be turned over to law enforcement for use in tracking down and prosecuting the attackers. If you are going to gather data for use in court, use trained professionals.

Containment

What are your plans for stopping the attack? What options do you have? Who makes the decision of what steps to take?
Eradication

Once the attack has been blocked, how do you get the malware out of your environment? How do you find and remediate the vulnerability that allowed the attack to succeed? At this point, you can invoke the recovery steps in the security policy and return the business to normal operations.

Root Cause Analysis

What was the technical, procedural, or process failure that allowed the attack to succeed? How are you going to prevent this attack and similar attacks from happening again?

Notification

What is your communication plan regarding this attack? If the attack included a data breach, there are laws that require the crime to be reported to law enforcement. If a data breach has occurred that includes confidential customer information, there is a legal and ethical responsibility to notify those customers.

Hacking Back

One action you must never take is to attempt to attack back at the attackers. First, figuring out who attacked you (attribution) is very hard. The server where the attack came from might be just a bot used by the attackers. The attackers can be very sophisticated and use many tricks to cover their tracks. Second, hacking is illegal. Your attacking them makes you a cybercriminal, too. It’s normal to feel outraged and want to fight back. But you just can’t do it in this arena.

Risk Assessment

One of the governance responsibilities of the organizational leadership is to perform a risk assessment. The purpose of a risk assessment is to understand how best to use the finite people, time, and money resources available in a way that most effectively addresses risks. While many kinds of risk assessments may be performed (market risk, vendor risk, etc.), this discussion will focus on cybersecurity risk assessment. In order to protect your assets, you must first have a full inventory. Having that inventory was mentioned above under Cyber Defense.
The risk assessment is part of creating that Cyber Defense plan. Next, it’s necessary to understand the possible threats to those assets. In the case of information systems, the threats can be in the Information Security realm. Events such as fire, water damage, and electrical outages are all risks. However, we’re focusing on cybersecurity here. So, the threats are more along the lines of a cyberattack, insider threats, data breach, etc. There are many different kinds of vulnerabilities that can be exploited and become threats. Those need to be identified carefully. Now, each threat can be evaluated based on the frequency of that threat becoming a true loss event (having a negative impact) and the probability of that threat becoming a loss event. Some threats are complex and might happen rarely and be uncommon. Other threats might be more common and occur regularly. After the frequency and probability are assessed, the impact of that threat must be determined. Is this a threat that can take down entire systems for days, is this a minor disruption to one isolated area, or somewhere in between? The impact needs to be stated in dollars. What is the financial impact to the company? What income will you lose? What additional costs will you incur? The next step is to research possible mitigations to each threat, and determine their cost and their benefit. Is this a mitigation that will give you total protection or something that will only limit the damage done? Finally, a cost-benefit analysis must be performed. If the total-protection mitigation costs 10x the asset being protected, then it probably isn’t a good investment. But, if the partial mitigation can provide 50% protection for 5% of the value of the asset, then that is probably a good place to invest your scarce financial resources. Each asset must be compared to the cost of protecting it.
The value of the asset has to be compared and balanced against the money, time, and other resources it would take to protect it. There are two general rules when evaluating that balance.

- The cost of the mitigation should not be more than the value of the asset
- The cost of the mitigation should not be more than the benefit derived

If you have a server that costs $3,000, you don't want to spend $5,000 to protect it. That’s not a good governance decision. You might simply opt to buy another $3,000 server if the first one crashes. But, if you bought insurance for $50 to replace a damaged $3000 server, that might be a wiser decision. Similarly, if the cost of your mitigation doesn’t gain you sufficient protection, you don’t want to purchase that. Let’s say that the $50 insurance policy came with a $3000 deductible. You would have paid $50 and not have received any benefit in replacing a $3000 server. Or, put another way, it might make sense to pay $10 to insure a $5000 watch. But you really wouldn’t want to pay $5000 to insure a $10 watch.

Risk Management

Once your threats and risks have been assessed, it’s necessary to decide what to do about them. There are four possible choices:

- Risk Mitigation – Reducing the risk by implementing safeguards
- Risk Assignment – Transferring the risk to another party
- Risk Acceptance – Deciding that the mitigation cost exceeds the value of the asset
- Risk Rejection – Denying or ignoring the risk

Risk Mitigation is the act of reducing risk by implementing safeguards. This can come in the form of established training, processes and procedures, oversight, audits, or buying other information systems to monitor what is happening on your devices and in your networks. Risk Assignment is making someone else responsible for that risk. This can come from buying insurance that will pay for any damage to your information systems or your business. It’s also possible to outsource the risk to someone else.
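The frequency-times-impact reasoning from the risk assessment and the two cost rules above can be carried through in a few lines. The Python below is an added example, not code from the lecture. It reuses the lecture's $3,000 server, $5,000 protection, $50 insurance and $3,000 deductible figures; the 0.2 crashes per year and the class and function names are assumptions made for illustration, and the deductible is modelled as the part of each event's loss that the insurance does not reimburse.

```python
"""Cost-benefit screening of proposed mitigations, using the lecture's two rules.

Added example, not from the lecture. The event frequency and impact fraction are
constructed assumptions; a real assessment estimates them per threat.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    asset_value: float        # replacement value of the asset, in dollars
    annual_frequency: float   # expected loss events per year (constructed estimate)
    impact_fraction: float    # share of the asset's value lost per event, 0.0 to 1.0

    def loss_per_event(self) -> float:
        return self.impact_fraction * self.asset_value

    def annual_expected_loss(self) -> float:
        """Frequency times impact: the dollar figure the lecture asks for."""
        return self.annual_frequency * self.loss_per_event()


@dataclass
class Mitigation:
    name: str
    annual_cost: float
    effectiveness: float      # fraction of each event's loss prevented or reimbursed
    deductible: float = 0.0   # part of each event's loss the organization still bears


def annual_benefit(threat: Threat, mitigation: Mitigation) -> float:
    """Loss avoided per year once the deductible is subtracted from each event."""
    covered = mitigation.effectiveness * threat.loss_per_event() - mitigation.deductible
    return threat.annual_frequency * max(0.0, covered)


def recommend(threat: Threat, mitigation: Mitigation) -> str:
    """Rule 1: cost must not exceed asset value. Rule 2: cost must not exceed benefit."""
    benefit = annual_benefit(threat, mitigation)
    cost = mitigation.annual_cost
    if cost > threat.asset_value:
        return f"reject {mitigation.name}: cost ${cost:,.0f} exceeds asset value ${threat.asset_value:,.0f}"
    if cost > benefit:
        return f"reject {mitigation.name}: cost ${cost:,.0f} exceeds annual benefit ${benefit:,.0f}"
    return f"invest in {mitigation.name}: cost ${cost:,.0f}, annual benefit ${benefit:,.0f}"


# Constructed scenario around the lecture's $3,000 server; 0.2 crashes/year is an assumption.
SERVER_CRASH = Threat("server crash", asset_value=3000, annual_frequency=0.2, impact_fraction=1.0)

PROPOSALS = [
    Mitigation("$5,000 protection scheme", annual_cost=5000, effectiveness=1.0),
    Mitigation("$50 replacement insurance", annual_cost=50, effectiveness=1.0),
    Mitigation("$50 insurance with $3,000 deductible", annual_cost=50, effectiveness=1.0, deductible=3000),
    Mitigation("partial hardening (50% protection for 5% of value)", annual_cost=150, effectiveness=0.5),
]

if __name__ == "__main__":
    print(f"annual expected loss: ${SERVER_CRASH.annual_expected_loss():,.0f}")
    for proposal in PROPOSALS:
        print(recommend(SERVER_CRASH, proposal))
```

The first rule rejects the $5,000 scheme outright, the deductible drives the benefit of the second policy to zero so the second rule rejects it, and the plain $50 policy and the partial hardening both clear both rules. Changing the assumed frequency is the quickest way to see how sensitive the "invest" decisions are to the estimate behind them.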
If I'm a little company, I can't afford to stand up an entire information security team. I'm going to hire someone else to do that for me. That security team is going to have the expertise and they can operate at scale. Risk Acceptance is also a valid choice. If the risk assessment shows that it’s not possible to effectively mitigate the risk at a reasonable cost, you can accept the risk. You acknowledge that the risk is real. But the overall impact is understood and agreed to not be worth the cost of doing anything about it. Risk Rejection, however, is the one choice you must not make. Denying that a risk exists when the risk assessment shows otherwise is not effective or appropriate governance. When you accept the risk, you're acknowledging the reality and making a deliberate and considered choice. But risk rejection is not the same.

Preventative Measures

Fortunately, there are a number of well established, tried-and-true responses to cybersecurity risks. Education is at the top of the list. Train people to follow security policies. These can seem onerous at times, but they exist for a reason. Never try to bypass security policies. If there is a policy that is preventing you from doing your job, escalate that to your management. Let them figure out how you and the policies can peacefully coexist.

Always use strong passwords. The definition of a strong password varies, but my advice is this: it should be at least 12 characters long and it should have a mixture of upper case letters, lower case letters, numbers, and special characters. The special characters are the other items on the keyboard such as periods and the at-sign (@) and the underscore, etc. Not every information system will let you use special characters or some may limit your use. But use them where you can. And, NEVER share your password with anyone for any reason.
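The strong-password advice above (at least 12 characters, with upper case, lower case, numbers and special characters) is easy to turn into a check that reports every rule a candidate breaks, which is more useful than a bare pass/fail. The Python below is an added example, not code from the lecture. It goes slightly beyond the text by also refusing passwords from a breached-password list and passwords built from long runs of one character; the COMMON_PASSWORDS set is a constructed stand-in for a real breach list, and the function names are assumptions.

```python
"""Check a candidate password against the lecture's strong-password rules.

Added example, not from the lecture. COMMON_PASSWORDS is a constructed stand-in
for a real breached-password list.
"""
import re

# Constructed sample; a real check would consult a full breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwertyuiop12"}

MIN_LENGTH = 12


def password_problems(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # The four character classes the lecture asks for; anything that is not a
    # letter or a digit counts as a special character (period, @, underscore, ...).
    classes = {
        "upper case letter": any(c.isupper() for c in password),
        "lower case letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special character": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in a known breached-password list")
    # Padding a short word out to 12 characters with 'aaaa' satisfies the length
    # rule without adding strength, so runs of three or more are rejected.
    if re.search(r"(.)\1{2,}", password):
        problems.append("contains a character repeated three or more times in a row")
    return problems


def is_strong(password: str) -> bool:
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ["password", "Aaaaaaaaaaaa1!", "Correct-Horse7battery!"]:
        print(repr(candidate), password_problems(candidate) or "ok")
```

Systems that cap special characters, as the lecture notes some do, would drop that one class check and keep the rest; the length and breach-list rules carry most of the weight anyway.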
Once you share that information, you don't know what will happen with it. You might be the best of friends today, but things happen to relationships. Or, people make mistakes with confidential information. Or, someone might be coerced into revealing that information.

"If two people know a secret, no one knows how many people know the secret."

We've talked about using Two-Factor or Multi-Factor Authentication. Those are important tools that go beyond just passwords.

Establish a strict need-to-know policy around data. Don't disclose information to someone just because they ask. It's completely appropriate to ask why they need that information.

If you experience unusual activity, especially from people you don't know, report it. Raise your hand and say something.

Encryption is vital to protecting data. Use encryption and a PIN on your mobile devices.

Earlier, the concept of defense-in-depth was introduced. Have multiple ways to protect your information systems. Make sure that every asset is protected, no matter how small or insignificant it may seem. A vulnerability in a small device can be just as devastating as a huge vulnerability.

Keep your software current through patching. Vendors release software updates that contain the latest fixes to known vulnerabilities. Having a device with an unpatched vulnerability is an invitation to a cyber attack.

Validate the configurations of your systems. Many information systems are sold with a default set of configurations that aren't very secure. The vendors do that intentionally so that the devices are easy to set up when they are sold. However, once you have it, you need to check those configurations with security in mind. Those devices also come with default passwords. Anyone can look up those passwords on the internet. Change those passwords as soon as you can.

Firewalls are an important piece of network equipment.
The firewall sits on your network between your business and the vast, wild, and dangerous internet. The firewall can help to prevent sensitive information from getting out and help to prevent attacks from getting in. The firewall can be either a physical or logical device that can look at the network traffic. It can inspect the information, the requests that are coming in and responses going out, and make decisions on what information comes and goes. It can determine that a source attempting to get in, or a destination where data is being sent, is known not to be safe or trustworthy. If it makes that determination, then it can block that network activity. Firewalls can prevent employees from visiting unauthorized websites or control incoming and outgoing email.

[Figure 5 - Source: IT With Ease]

But what if your firewall doesn't stop the attacker from getting into your network? If that happens, then you need an Intrusion Detection System (IDS). An IDS has the ability to detect abnormal behavior on a network. For example, if two computers that don't normally communicate start exchanging a lot of data, then an alert can be generated for a human to investigate. Perhaps something has legitimately changed in the network, or perhaps some malware has gotten into your network and is doing bad things.

Anti-virus software is a must. The software scans your computer, including new files that are transferred to you, for a virus signature. The signature is a sequence of bytes that has been previously identified as belonging to some malware. Once the anti-virus vendor identifies that signature, it pushes that signature file update out to all of its users. Make sure that your anti-virus software and all of the signature files are updated frequently.

Segregation of Duties is a control on who is allowed to perform what functions. The goal is to prevent one person from having too much authority or having multiple job roles where a conflict could occur.
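As an added example (not from the lecture) of the IDS behaviour described above: a baseline of which hosts normally talk to each other is learned from one period of flow records, and a later period is checked for pairs that never talked before and for known pairs whose volume jumps. Host names, byte counts and both thresholds are constructed for the illustration.

```python
from collections import defaultdict

# Constructed flow records: (source host, destination host, bytes). A real IDS
# would read these from NetFlow/sFlow exports or packet captures.
BASELINE_FLOWS = [
    ("workstation-12", "fileserver", 48_000),
    ("workstation-12", "fileserver", 52_000),
    ("workstation-07", "mailserver", 9_000),
    ("workstation-07", "mailserver", 11_000),
    ("workstation-12", "mailserver", 8_000),
]
CURRENT_FLOWS = [
    ("workstation-12", "fileserver", 50_000),         # normal
    ("workstation-07", "workstation-12", 3_000_000),  # pair never seen before, large transfer
    ("workstation-07", "mailserver", 10_000),         # normal
    ("workstation-03", "mailserver", 2_000),          # pair never seen before, but tiny
    ("workstation-12", "mailserver", 400_000),        # known pair, far above its usual volume
]

NEW_PAIR_THRESHOLD = 1_000_000  # bytes before an unseen pair is worth an analyst's time (constructed)
SPIKE_FACTOR = 10               # known pair alerts when it moves 10x its baseline volume (constructed)

def bytes_per_pair(flows):
    """Total bytes exchanged for every (source, destination) pair in one observation period."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    return dict(totals)

def detect_anomalies(baseline, flows):
    """Compare a period's traffic to the learned baseline; return alerts for a human to investigate."""
    alerts = []
    for (src, dst), nbytes in bytes_per_pair(flows).items():
        usual = baseline.get((src, dst))
        if usual is None:
            # Two computers that do not normally communicate have started to.
            if nbytes >= NEW_PAIR_THRESHOLD:
                alerts.append(f"NEW PAIR {src} -> {dst}: {nbytes} bytes, never seen in baseline")
        elif nbytes >= SPIKE_FACTOR * usual:
            alerts.append(f"VOLUME SPIKE {src} -> {dst}: {nbytes} bytes vs baseline {usual}")
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(bytes_per_pair(BASELINE_FLOWS), CURRENT_FLOWS):
        print(alert)
```

The alert is only a prompt for investigation, as the lecture says: a new pair may be a legitimate change in the network rather than malware.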
For example, you wouldn't want the person who enters invoices into an accounts payable system to be the same person who approves the invoices for payment. That creates a situation where someone could enter a fraudulent invoice and then have a check issued for it.

User access should also follow the rule of Least Privilege. What is the minimum amount of access that a person needs to do their assigned job? If someone works in Accounts Payable, then why would they need access to the Accounts Receivable system?

All user access should be monitored and audited. The access should be reviewed by a human being periodically in order to confirm that the access is still appropriate.

Third-party providers, outsourcing partners, and contractors must use security to your standards or better. You have the right to see the security policies of anyone who has access to your systems or your information. Ensure that they are not going to be the source of a vulnerability that brings down your systems.

Summary

Cyber security is complex and difficult. The saying goes that "The good guys have to be right 100% of the time, but the bad guys only have to be right once." The advantage is definitely on the attackers. However, you can make wise business decisions on how to protect yourself. It requires planning and preparation, dedication, education, and a degree of legitimate paranoia.

But, at the end of the day, good cyber security is good business. Protecting your information systems ensures that you can stay in business. It also means that you are protecting your customers' data from being stolen, sold, and misused. Being a bad steward of your information systems isn't good for your stakeholders. Not protecting your customers is just bad business. Make the wise decisions to have a strong security policy, a well-crafted response plan, and a culture where security is rewarded.
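The Segregation of Duties and Least Privilege controls from the Preventative Measures section, as an added periodic access review (example code, not from the lecture): it flags users holding conflicting roles, invoices entered and approved by the same person, and Accounts Payable staff with Accounts Receivable access. Users, roles, departments and invoice ids are all constructed.

```python
# Constructed example data (not from any real system).
USERS = {
    "alice": {"dept": "Accounts Payable", "roles": {"AP_ENTRY"}},
    "bob":   {"dept": "Accounts Payable", "roles": {"AP_APPROVE"}},
    "carol": {"dept": "Accounts Payable", "roles": {"AP_ENTRY", "AP_APPROVE"}},
    "dave":  {"dept": "Accounts Payable", "roles": {"AP_ENTRY", "AR_VIEW"}},
    "erin":  {"dept": "Accounts Receivable", "roles": {"AR_VIEW"}},
}

# Role combinations one person must not hold at the same time (Segregation of Duties).
CONFLICTING_ROLES = [
    ({"AP_ENTRY", "AP_APPROVE"}, "can enter and approve the same invoice"),
]

# Roles each department needs for its job; anything beyond this is reviewed (Least Privilege).
DEPT_NEEDS = {
    "Accounts Payable": {"AP_ENTRY", "AP_APPROVE"},
    "Accounts Receivable": {"AR_VIEW"},
}

INVOICES = [
    {"id": "INV-1001", "entered_by": "alice", "approved_by": "bob"},
    {"id": "INV-1002", "entered_by": "carol", "approved_by": "carol"},
]

def sod_role_conflicts(users):
    """Static check: who holds a conflicting combination of roles."""
    findings = []
    for name, user in users.items():
        for roles, why in CONFLICTING_ROLES:
            if roles <= user["roles"]:
                findings.append(f"{name}: holds {sorted(roles)} and {why}")
    return findings

def sod_transaction_conflicts(invoices):
    """Transactional check: invoices where the same person entered and approved."""
    return [f"{inv['id']}: entered and approved by {inv['entered_by']}"
            for inv in invoices if inv["entered_by"] == inv["approved_by"]]

def least_privilege_review(users):
    """Access a user's department does not need, for a human reviewer to confirm or remove."""
    findings = []
    for name, user in users.items():
        extra = user["roles"] - DEPT_NEEDS.get(user["dept"], set())
        if extra:
            findings.append(f"{name} ({user['dept']}): review access {sorted(extra)}")
    return findings

if __name__ == "__main__":
    for line in sod_role_conflicts(USERS) + sod_transaction_conflicts(INVOICES) + least_privilege_review(USERS):
        print(line)
```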