Information Assurance and Security PDF
Summary
This document provides an overview of information assurance and security, outlining various types of cyber security threats such as malware, Emotet, denial-of-service (DoS) attacks, man-in-the-middle (MitM) attacks, phishing, SQL injection, and password attacks. It also discusses emerging threats, increasing vulnerabilities, and the importance of data privacy.
Full Transcript
**INFORMATION ASSURANCE AND SECURITY**

**Information Security** refers to the body of technologies, processes and practices designed to protect networks, devices, programs and data from attack, damage or unauthorized access. It may also be referred to as ***Information Technology Security*** or ***Computer Security***.

**Why does information security matter?**

Every organization relies on the confidentiality, integrity, and availability of the information it processes, stores, and communicates. Strong information security helps your organization to:

- Maintain the trust and confidence of the public, customers, and partners
- Keep your important information safe and available to those who need it
- Reduce the risk of your information being lost, damaged, or compromised
- Avoid the costs of recovery after an incident, as well as the costs of downtime and lost productivity
- Comply with regulation and legislation

**TYPES OF CYBER SECURITY / INFORMATION THREATS**

1. **Malware**

Malware is malicious software such as spyware, ransomware, viruses and worms. Malware is typically activated when a user opens a malicious link or attachment, which installs the dangerous software. Cisco reports that malware, once activated, can:

- Block access to key network components (ransomware)
- Install additional harmful software
- Covertly obtain information by transmitting data from the hard drive (spyware)
- Disrupt individual parts, making the system inoperable

2. **Emotet**

The Cybersecurity and Infrastructure Security Agency (CISA) describes Emotet as "an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware."

3. **Denial of Service (DoS)**

A denial of service (DoS) attack floods a computer or network with traffic so that it can no longer respond to legitimate requests. A distributed DoS (DDoS) does the same thing, but the traffic originates from many compromised machines at once (a botnet), which makes it much harder to block by source.
Attackers often use a flood attack to disrupt the TCP "handshake" and carry out a DoS. In a SYN flood the attacker sends a stream of connection requests (SYN packets) and never completes the three-way handshake, so the server accumulates half-open connections until its connection queue is full and real clients are turned away.

4. **Man in the Middle (MITM)**

A man-in-the-middle (MITM) attack occurs when attackers insert themselves into a two-party transaction. After intercepting the traffic, they can filter and steal data, according to Cisco. MITM attacks often occur when a visitor uses an unsecured public Wi-Fi network: the attacker sits between the visitor and the network, reads or alters the traffic, and may use that position to deliver malware or misuse the captured data.

5. **Phishing**

Phishing attacks use fake communication, such as an email, to trick the receiver into opening it and carrying out the instructions inside, such as providing a credit card number. "The goal is to steal sensitive data like credit card and login information or to install malware on the victim's machine," Cisco reports.

6. **SQL Injection**

A Structured Query Language (SQL) injection is an attack in which malicious input is inserted into a query that a server runs against its SQL database. Because the input is treated as part of the query rather than as plain data, the database returns or modifies information the attacker is not authorized to reach. Submitting the malicious input can be as simple as typing it into a vulnerable website's search box.

7. **Password Attacks**

With the right password, a cyber attacker has access to a wealth of information. Social engineering is a type of password attack that Data Insider defines as "a strategy cyber attackers use that relies heavily on human interaction and often involves tricking people into breaking standard security practices." Other types of password attacks include stealing a password database (and cracking the stored hashes offline) or outright guessing.

**THREATS AND RISKS ARE INCREASING AND EVOLVING**

Threats to the security of your information can come from inside and outside your organization. Your information in all forms (for example, electronic, printed or spoken) needs to be appropriately protected. Information stored and processed on IT systems or mobile devices is vulnerable to cyber-specific threats.
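The half-open-connection symptom described under item 3 can be measured from connection-tracking data. The following is an added example, not material from the notes: the record layout (client IP, client port and the SYN/ACK flag), the constructed sample traffic and the two thresholds are all assumptions chosen for illustration.

```python
"""Counting half-open TCP connections in connection-tracking records to spot a
SYN flood.  Added example: the record layout, sample traffic and thresholds are
constructed assumptions, not data from the original notes."""
from collections import defaultdict
from typing import Dict, List, Tuple

# (timestamp, client_ip, client_port, flag): "S" is the client's SYN, "A" is the
# ACK that completes the three-way handshake.  The server's SYN-ACK is not
# needed to decide whether a connection is still half-open.
Record = Tuple[float, str, int, str]


def build_sample() -> List[Record]:
    """Constructed traffic: one legitimate client that completes its handshake,
    then one source that opens 150 connections from different ports and never
    sends the final ACK."""
    records: List[Record] = [
        (0.00, "10.0.0.5", 51000, "S"),
        (0.02, "10.0.0.5", 51000, "A"),
    ]
    for i in range(150):
        records.append((1.0 + i * 0.001, "198.51.100.7", 40000 + i, "S"))
    return records


def pending_handshakes(records: List[Record]) -> set:
    """(ip, port) pairs that sent a SYN but never the completing ACK."""
    pending = set()
    for _, ip, port, flag in records:
        key = (ip, port)
        if flag == "S":
            pending.add(key)
        elif flag == "A":
            pending.discard(key)
    return pending


def half_open_by_source(records: List[Record]) -> Dict[str, int]:
    """Half-open connection count per client IP."""
    counts: Dict[str, int] = defaultdict(int)
    for ip, _ in pending_handshakes(records):
        counts[ip] += 1
    return dict(counts)


def total_half_open(records: List[Record]) -> int:
    """Half-open connections regardless of source.  This is the number that
    competes with the listen backlog, and it still works when the flood uses
    spoofed source addresses that defeat per-source counting."""
    return len(pending_handshakes(records))


def flag_syn_flood(records: List[Record], per_source: int = 100,
                   backlog: int = 128) -> Dict[str, object]:
    """Assumed thresholds: more than 100 half-open connections from one IP is
    abusive, and more than 128 in total would exhaust a small listen backlog."""
    offenders = sorted(ip for ip, n in half_open_by_source(records).items()
                       if n > per_source)
    total = total_half_open(records)
    return {
        "offenders": offenders,
        "total_half_open": total,
        "backlog_exhausted": total > backlog,
    }


if __name__ == "__main__":
    print(flag_syn_flood(build_sample()))
```

The per-source count identifies a single noisy client, but a real flood usually spoofs its source addresses, which is why the total is reported as well: the backlog fills regardless of how the SYNs are spread across sources. On the server side the standard mitigation is SYN cookies, which let the kernel accept connections without keeping state for each half-open one.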
**We are far more exposed today than ever before.**

- We have increasing quantities of electronic information, and organizations are often heavily dependent on it to function.
- We have cloud, social media, mobile, and other emerging technologies, which have increased the ways critical information can be accessed.
- We face increasing and continually evolving threats that make detection challenging.

External actors and disgruntled insiders have been known to:

- expose or publish sensitive information in the public domain
- encrypt and then ransom critical information
- sell information to competitors and interested parties
- steal intellectual property (IP)
- compromise organizations by destroying or denying access to records.

Your people may also accidentally compromise your information because they:

- lack awareness of your security practices and why they're important
- get distracted or complacent while handling organizational information
- provide access to other parties seeking information for criminal or other inappropriate purposes.

For instance, 'social engineering' attacks attempt to manipulate people into breaking normal security controls, often by impersonating someone trusted through phishing, pretexting, baiting, quid pro quo, tailgating or other means.

**INFORMATION SECURITY AND ASSURANCE (DATA PRIVACY)**

**Personal Data** refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be directly ascertained by the entity holding the information.

**Privacy** concerns the collection and use of data about individuals. There are three (3) primary privacy issues:

- **Accuracy** relates to the responsibility of those who collect data to ensure that the data is correct.
- **Property** refers to who owns the data.
- **Access** relates to the responsibility of those who hold data to control who can use it.
**DATA PRIVACY VS DATA SECURITY**

Organizations commonly believe that keeping sensitive data secure from hackers means they're automatically compliant with data privacy regulations, but the two are not the same:

- Data privacy and data security are often used interchangeably, but there are distinct differences, even if they are sometimes difficult to tell apart. Security controls can be met without also satisfying privacy considerations, whereas privacy concerns are impossible to address without first employing effective security practices. In other words, security protects the data, and privacy protects the identity.
- Privacy and security come down to which data is being protected, how it's being protected, from whom it's being protected, and who is responsible for that protection. Security is about protecting data from malicious threats, whereas privacy is about using data responsibly.
- **Data privacy** is the part of data protection that deals with the proper handling of data, with a focus on compliance with data protection regulations.
- Data privacy focuses on the rights of individuals, the purpose of data collection and processing, privacy preferences, and the way organizations govern the personal data of data subjects. It covers how to collect, process, share, archive, and delete data under the law.
- **Data security** is the set of standards, safeguards and measures an organization takes to prevent unauthorized third-party access to digital data and any intentional or unintentional alteration, deletion, or disclosure of data. It focuses on protecting data from malicious attacks and preventing the exploitation of stolen data.

**HOW CAN DATA BE STOLEN?**

- **Data Breach** - an unauthorized or unintentional disclosure of confidential information
- **Cyber Attacks** - theft of data or confidential information by electronic means, including hacking.
To achieve this, organizations use tools and technology such as firewalls, user authentication, network restrictions, and internal security practices to prevent such access.

The **CIA Triad** is a model designed to guide an organization's policies on information security. The elements of the triad are considered the three most crucial components of security. The following are the three (3) elements of data security:

1. **Confidentiality** ensures that data is accessed only by authorized individuals.
2. **Integrity** ensures that information is reliable as well as accurate.
3. **Availability** ensures that data is both available and accessible to satisfy business needs.

**ELEMENTS OF DATA PRIVACY**

Data privacy encompasses three (3) key elements:

- the right of an individual to be left alone and to have control over their data;
- procedures for the proper handling, processing, collecting, and sharing of personal data;
- compliance with data protection laws.

**Data management** is the process of ingesting, storing, organizing, and maintaining the data created and collected by an organization. Data management is at the heart of privacy, because "data" is a broad concept that encompasses a wide range of information.

**ASPECTS OF PRIVACY**

- Information privacy is considered an important aspect of information sharing. With the advancement of the digital age, the vulnerability of personal information has increased.
- Information privacy may be applied in numerous ways, including encryption, authentication, and data masking, each attempting to ensure that information is available only to those with authorized access.
- Information privacy includes the regulations that require companies to protect data. As data protection regulation grows worldwide, global privacy requirements and demands will also expand and change.
- Protective measures are geared toward preventing data mining and the unauthorized use of personal information, which are illegal in many parts of the world.

Information privacy also relates to different data types, including:

- **Internet privacy**: All personal data shared over the Internet is subject to privacy issues. Most websites publish a privacy policy that details the website's intended use of the data collected online and/or offline.
- **Financial privacy**: Financial information is particularly sensitive, as it can easily be used to commit online and/or offline fraud.
- **Medical privacy**: All medical records are subject to stringent laws that address user access privileges. By law, security and authentication systems are often required for individuals that process and store medical records.

**INFORMATION PRIVACY CONCEPTS**

Information privacy generally pertains to what is known as **personally identifiable information** (PII). **PII** is information that can be used to distinguish or trace an individual's identity, such as:

- Information about birth, race, religion, weight, activities, geographic indicators, employment information, medical information, education information, and financial information;
- Personal characteristics, including photographic images, x-rays, fingerprints, or biometric images; and
- Asset information, such as an Internet Protocol (IP) or media access control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or to a small, well-defined group of people.

**PRIVACY DESIGN**

In dealing with the privacy of PII, two (2) newer concepts have emerged: privacy by design (PbD) and privacy engineering. The goal of privacy by design is to take privacy requirements into account throughout the system development process, from the conception of a new IT system through detailed system design, implementation, and operation.
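The data-masking control named under "Aspects of privacy", applied to the PII categories listed above (e-mail, payment card, IP and MAC address), as an added example that is not part of the original notes. The record layout, the field names, the masking policy and the keyed-hash key are all assumptions made for illustration; in a real system the key would come from a secrets store rather than a constant.

```python
"""Masking and pseudonymizing PII fields in a record before it leaves a
trusted boundary (for example into application logs or an analytics export).
Added example: the record layout, field names, policy and key are constructed
assumptions and are not from the original notes."""
import hashlib
import hmac
import ipaddress
import re
from typing import Dict

# Assumed key; a fixed value is used only so the example is reproducible offline.
PSEUDONYM_KEY = b"example-key-do-not-reuse"


def pseudonymize(value: str) -> str:
    """Keyed hash (HMAC-SHA256): the same input always maps to the same token,
    so records can still be joined, but without the key nobody can reverse the
    token or precompute a table of likely identifiers."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the first character and the domain: enough for support triage,
    not enough to contact or identify the person."""
    local, _, domain = email.partition("@")
    if not domain:
        return "***"
    return local[0] + "***@" + domain


def mask_card(pan: str) -> str:
    """Keep only the last four digits, the usual receipt format."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


def truncate_ip(ip: str) -> str:
    """Drop the host part (/24 for IPv4, /48 for IPv6): the result still says
    which network the request came from, but no longer which device."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


# Assumed per-field policy.  Identifiers that must stay joinable are
# pseudonymized; values that only need to be recognizable are masked.
POLICY = {
    "user_id": pseudonymize,
    "mac": pseudonymize,
    "email": mask_email,
    "card_number": mask_card,
    "ip": truncate_ip,
}


def sanitize(record: Dict[str, str]) -> Dict[str, str]:
    """Apply the policy field by field.  Fields without a rule pass through,
    so any new field added to the record should be reviewed against POLICY."""
    return {k: POLICY[k](v) if k in POLICY else v for k, v in record.items()}


# Constructed sample record.
SAMPLE = {
    "user_id": "u-10482",
    "email": "alice.smith@example.org",
    "card_number": "4111 1111 1111 1111",
    "ip": "203.0.113.57",
    "mac": "00:1a:2b:3c:4d:5e",
    "country": "PH",
}

if __name__ == "__main__":
    for field, value in sanitize(SAMPLE).items():
        print(f"{field:12s} {value}")
```

Masking is irreversible and is the right choice when the downstream consumer never needs the original; pseudonymization keeps a stable token so that analytics can still count distinct users, and it is only as strong as the secrecy of the key. Either way, the guarantee holds only if every path out of the trusted boundary goes through `sanitize`.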
- **Privacy requirements**: These are system requirements that have privacy relevance. System privacy requirements define the protection capabilities provided by the system, the performance and behavioral characteristics exhibited by the system, and the evidence used to determine that the system privacy requirements have been satisfied. Privacy requirements are derived from various sources, including laws, regulations, standards, and stakeholder expectations.

**SECURITY ATTACKS**

What is a security attack? A security attack is any action that compromises the integrity, confidentiality, or availability of information or systems.

Why understanding security attacks matters:

- Protecting sensitive data.
- Ensuring system integrity.
- Preventing financial loss and reputational damage.

**TYPES OF SECURITY ATTACKS**

- **Passive Attacks**: eavesdropping on or monitoring transmissions.
- **Active Attacks**

**BURP SUITE**

Burp Suite is a comprehensive web application security testing tool used by security professionals, developers, and penetration testers. It provides a wide range of functionalities for identifying vulnerabilities and assessing the security of web applications.

**Use Cases**

- **Penetration Testing**: Security professionals use Burp Suite to identify vulnerabilities in web applications before attackers can exploit them.
- **Security Audits**: Organizations conduct regular audits using Burp Suite to ensure their applications are secure.
- **Development**: Developers can use it to identify and fix security issues during the development lifecycle.

Burp Suite is a powerful tool for anyone involved in web application security testing. Its diverse set of features and tools make it suitable for a wide range of security assessments, from manual testing to automated vulnerability scanning.
Whether you are a beginner or an experienced professional, Burp Suite provides the capabilities necessary to identify and mitigate security risks in web applications.

**AIRCRACK-NG**

**MEDUSA**

**Medusa** is a powerful, fast, parallelized brute-force login tool included in Kali Linux. It's designed to support multiple services and protocols, making it a versatile tool for penetration testers and security researchers. Medusa is primarily used to perform brute-force attacks on various network services to identify weak passwords and potential entry points.

**NIKTO**

Nikto is an open-source web server scanner included in Kali Linux that helps in identifying vulnerabilities, configuration issues, and potential security risks on web servers. It's a highly valuable tool in penetration testing, allowing users to scan websites for known vulnerabilities.

**NMAP**

**Nmap (Network Mapper)** is a widely used open-source network scanning tool that helps in network discovery and security auditing. It's an essential tool in the arsenal of penetration testers and system administrators for identifying hosts and services on a network, mapping network topology, detecting open ports, and uncovering security vulnerabilities.

**HYDRA**

**Hydra** (or **THC-Hydra**) is a fast and flexible password-cracking tool included in Kali Linux, commonly used for performing brute-force attacks on various network protocols. It's designed to attack services that require authentication, and it supports a wide variety of protocols such as SSH, FTP, HTTP, MySQL, RDP, VNC, and more. Hydra is widely used in penetration testing to assess the strength of passwords in networked services.

**KEYLOGGER**

A **keylogger** (short for keystroke logger) is a type of software or hardware designed to record the keys pressed on a keyboard, typically without the user's knowledge. Keyloggers are often used maliciously to steal sensitive information such as passwords, credit card numbers, and other private data.
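The two forms of password attack mentioned under "Password Attacks" (stealing the password database, and outright guessing) are what Hydra and Medusa automate on the guessing side. The following added example, which is not part of the original notes and is not code from either tool, runs both forms against one constructed credential store: an offline dictionary attack on stolen salted hashes, and an online guessing run against a login routine that locks the account after repeated failures. The accounts, passwords, wordlist and iteration count are assumptions chosen for illustration.

```python
"""Offline dictionary attack on stolen salted hashes, and an online
Hydra/Medusa-style guessing run against a login routine with lockout.
Added example: accounts, passwords, wordlist and iteration count are
constructed assumptions, not data from the original notes."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

ITERATIONS = 10_000  # kept low so the demo runs quickly; production uses far more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) as a store should hold it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_store() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed store: username -> (salt, hash).  Two of the three
    passwords are weak on purpose."""
    plaintext = {"alice": "Tr0ub4dor&3!x", "bob": "password123", "carol": "letmein"}
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in plaintext.items():
        salt = os.urandom(16)  # per-user salt: no shared rainbow table
        store[user] = (salt, hash_password(pw, salt))
    return store


# Constructed wordlist, ordered the way real ones are: most common first.
WORDLIST: List[str] = ["123456", "password", "qwerty", "admin", "welcome",
                       "iloveyou", "letmein", "password123"]


def crack_offline(store: Dict[str, Tuple[bytes, bytes]],
                  wordlist: List[str]) -> Dict[str, str]:
    """Attacker who copied the database.  Every candidate is hashed under each
    user's own salt, so the cost is users x candidates x ITERATIONS, which is
    exactly what a slow hash is meant to make expensive."""
    found: Dict[str, str] = {}
    for user, (salt, digest) in store.items():
        for candidate in wordlist:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                found[user] = candidate
                break
    return found


class LoginGuard:
    """Online defence: after MAX_FAILURES wrong guesses the account is locked
    and even the correct password is refused until it is reset."""
    MAX_FAILURES = 5

    def __init__(self, store: Dict[str, Tuple[bytes, bytes]]):
        self.store = store
        self.failures: Dict[str, int] = {}

    def attempt(self, user: str, password: str) -> str:
        if user not in self.store:
            return "denied"  # same verdict as a wrong password: no user enumeration
        if self.failures.get(user, 0) >= self.MAX_FAILURES:
            return "locked"
        salt, digest = self.store[user]
        if hmac.compare_digest(hash_password(password, salt), digest):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"


def guess_online(guard: LoginGuard, user: str, wordlist: List[str]) -> List[str]:
    """One verdict per candidate, in wordlist order, as a tool would see them."""
    return [guard.attempt(user, w) for w in wordlist]


def demo() -> Dict[str, object]:
    store = build_store()
    guard = LoginGuard(store)
    return {
        "offline": crack_offline(store, WORDLIST),
        "online": guess_online(guard, "bob", WORDLIST),
        "after_lockout": guard.attempt("bob", "password123"),
        "fresh_login": LoginGuard(store).attempt("bob", "password123"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result}")
```

Offline, the salt and the iteration count only raise the price per guess; the weak passwords still fall, which is why password policy matters more than hash choice. Online, the lockout stops the guessing run before it reaches the right entry, at the cost that an attacker can now lock a victim out on purpose; rate limiting and per-source throttling are the usual compromise.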
**RED HAWK**

**RED HAWK** is an open-source, all-in-one tool used for information gathering and vulnerability scanning. It's designed for penetration testers and security researchers to gather detailed information about web servers and websites. It combines several scanning techniques, including reconnaissance and vulnerability assessment, to help users get a complete picture of their target. Written in PHP, it is available on GitHub and can be easily installed on any Linux-based system, including **Kali Linux**.

**CLOUDCRACKER**

**CloudCracker** was an online password-cracking service that allowed users to crack password hashes, WPA/WPA2 wireless network keys, and other types of encrypted credentials. Users could upload hash files or wireless capture files, and CloudCracker would attempt to break them using large wordlists or rainbow tables stored on its cloud infrastructure.

**ONLINE PRIVACY** refers to privacy concerns related to user interaction with Internet services through web servers and mobile apps.

**ONLINE ECOSYSTEM**

- Websites collect personal information explicitly through a variety of means, including registration pages, user surveys, online contests, application forms, and order forms.
- Websites also collect personal information through means that are not obvious to consumers, such as cookies and other tracking technologies.

**DATA COLLECTORS**

**Data collectors** collect information directly from their customers, audience, or other users of their services.

**DATA BROKERS**

**Data brokers** compile large amounts of personal data from several data collectors and other data brokers without having direct online contact with the individuals whose information is in the collected data. Data brokers repackage and sell the collected information to various data users, typically without the permission or input of the individuals involved.
Because consumers generally do not interact directly with data brokers, they have no means of knowing the extent and nature of the information that brokers collect about them and share with others for financial gain. Data brokers can collect information about consumers from various public and nonpublic sources, including courthouse records, website cookies, and loyalty card programs. Typically, brokers create profiles of individuals for marketing purposes and sell them to data users.

**DATA USERS**

The category of **data users** is broad. One type of data user is a business that wants to target its advertisements and special offers. Other uses are fraud prevention and credit risk assessment.

The WWW is fundamentally a client/server application running over the Internet. The use of the Web presents several security challenges:

- The Web is vulnerable to attacks on web servers over the Internet.
- Casual and untrained (in security matters) users are common clients for web-based services. Such users are not necessarily aware of the security risks that exist and do not have the tools or knowledge to take effective countermeasures.
- A web server can be exploited as a launching pad into a corporation's or an agency's entire computer complex. Once a web server is subverted, an attacker may be able to gain access to data and systems that are not part of the Web itself but are connected to the server at the local site.

**WEB SECURITY AND PRIVACY**

A useful way of breaking down the issues involved is to consider the following classification of security and privacy issues:

- **Web server security and privacy** are concerned with the vulnerabilities and threats associated with the platform that hosts a website, including the operating system (OS), file and database systems, and network traffic.
- **Web application security and privacy** are concerned with web software, including any applications accessible via the Web.
- **Web browser security and privacy** are concerned with the browser used from a client system to access a web server.

**MOBILE ECOSYSTEM**

The execution of mobile applications on a mobile device may involve communication across several networks and interaction with systems owned and operated by a variety of parties.

**Cellular and Wi-Fi infrastructure**: Modern mobile devices are typically equipped with the capability to use cellular and Wi-Fi networks to access the Internet and to place telephone calls. Cellular network cores also rely upon authentication servers to use and store customer authentication information.

**Public application stores (public app stores)**: Public app stores include native app stores; these are digital distribution services operated and developed by mobile OS vendors. For Android, the official app store is Google Play, and for iOS, it is simply called the App Store. These stores invest considerable effort in detecting and thwarting malware and ensuring that the apps do not cause unwanted behavior on mobile devices. In addition, there are numerous third-party app stores. The danger with third-party stores is uncertainty about what level of trust the user or the enterprise should have that the apps are free of malware.

**Device and OS vendor infrastructure**: Mobile device and OS vendors host servers to provide updates and patches to the OS and apps. Other cloud-based services may be offered, such as storing user data and wiping a missing device.

**Enterprise mobility management systems**: Enterprise mobility management (EMM) is a general term that refers to everything involved in managing mobile devices and related components (e.g., wireless networks). EMM is much broader than just information security; it includes mobile application management, inventory management, and cost management.
Although EMM is not directly classified as a security technology, it can help in deploying policies to an enterprise's device pool and monitoring a device's state.