Security Threats; Internal Threats PDF
Document Details
Uploaded by ForemostOak
2014
Umesh Hodeghatta Rao, Umesha Nayak
Tags
Summary
This document discusses security threats, internal threats, and various aspects of computer security. It covers topics such as the lack of user security awareness, password complexity, social engineering, and more. The document also explains different types of attacks and the importance of risk management.
Full Transcript
Security Threats; Internal Threats Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook, 2014) Lack of user security awareness, including: ‒ Identity theft and unauthorized access due to weak password complexity. ‒ Not following company policies, such as appropriate...
Security Threats; Internal Threats Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook, 2014) Lack of user security awareness, including: ‒ Identity theft and unauthorized access due to weak password complexity. ‒ Not following company policies, such as appropriate use of assets, clean desk policy, or clear screen policy, leading to virus attacks or confidential information leakage. ‒ Divulging user IDs and/or passwords to others, leading to confidential information leakage. ‒ Falling prey to social engineering attacks. ‒ Falling prey to phishing and similar attacks. ‒ Downloading unwanted software, applications, or images or utilities/tools leading to malware, viruses, worms, or Trojan attacks. ‒ Improper e-mail handling/forwarding leading to the loss of reputation or legal violations. ‒ Improper use of utilities like messengers or Skype and unauthorized divulgence of information to others. Security Threats; Internal Threats Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook, 2014) Lack of user security awareness, including: Continue; ‒ Inappropriate configuration or relaxation of security configurations, leading to exploitation of the systems. ‒ Entering incorrect information by oversight and not checking it again or processing the wrong information. ‒ Ignoring security errors and still continuing with transactions, leading to the organization being defrauded. Threats Types of Attacks A security goals (C-I-A triad) can be threatened by security attacks; There are different approaches to categorize the security attacks; A. Attacks can be divided into three groups related to a three security goals/properties; Security Attacks Modification Snooping Denial of (release the Masquerading Service message content) Replaying Traffic Analysis Repudiation Threats Types of Attacks B. Attacks can be categorize into four groups related to the harm acts; Interception, Interruption, Modification, and Fabrication. These attacks can be grouped into two broads categories based on their effects on the system; Passive attacks, and Active attacks. Passive and Active Attacks ; A passive attack; Threaten the confidentiality, Does not modify data or harm the system, May harm the sender or the receiver, It is difficult to detect, but can prevent it easily by encryption of the data. An active attack; Threaten the integrity, availability and authenticity, May change the data or harm the system, Easer to detect than to prevent, An attacker can launch them in a variety ways. Passive and Active Attacks ; The following figure depicts these attacks categories; Security Attacks Passive Attacks Active Attacks (Interception Attacks): Snooping - release the Interruption message content. Fabrication Modification [Denial of Traffic Analysis Impersonating, Service- Masquerade (DOS)] Repudiation Attacks Replay Attack Alteration Attack Figure 1: Classification of the Security Attacks Assignments; Assignment: Write a report on the vulnerability, according to types. Write a report on the computer crimes up to date in 2021, according to types. Threats and Attacks on the: Data, Hardware, and Software. Harm The negative consequence of an actualized threat is harm; we protect ourselves against threats in order to reduce or eliminate harm, There are many examples of computer harm: a stolen computer, modified or lost file, revealed private letter, or denied access to data. These events cause harm that we want to avoid; The value of many assets can change over time; so the degree of harm and therefore the severity of a threat can change, too. With unlimited time, money, and capability, we might try to protect against all kinds of harm. Harm; But because our resources are limited, we must prioritize our protection; safeguarding only against serious threats and the ones we can control. Choosing the threats; ─ we try to mitigate a threats by involving a process called risk management, and; ─ it includes weighing the seriousness of a threat against our ability to protect. The possibility for harm to occur is called risk; Harm: Risk and Common Sense; Risk management involves; choosing which threats to control, and; what resources to devote to protection. The number and kinds of threats are practically unlimited because devising an attack requires; an active imagination, determination, persistence, and time as well as access and resources. Harm Risk and Common Sense The nature and number of threats in the computer world reflect life in general: The causes of harm are limitless and largely unpredictable, There are too many possible causes of harm for us to protect ourselves-or our computers-completely against all of them; In real life we make decisions every day about the best way to provide our security. Computer security is similar; Because we cannot protect against everything, we prioritize: Only so much time, energy, or money is available for protection; so we address some risks and let others slide. The risk that remains uncovered by controls is called residual risk; Harm Risk and Common Sense A basic model of risk management involves; a user’s calculating the value of all assets, determining the amount of harm from all possible threats, computing the costs of protection, selecting safeguards (that is, controls or countermeasures) based on the degree of risk and on limited resources, applying the safeguards to optimize harm averted. Harm Risk and Common Sense This approach to risk management is a logical and sensible approach to protection, but it has significant drawbacks; In reality, it is difficult to assess the value of each asset; as we have seen, value can change depending on context, timing, and a host of other characteristics. Even harder is determining the impact of all possible threats; The range of possible threats is: effectively limitless, and it is difficult (if not impossible in some situations) to know the short- and long-term impacts of an action. Harm Risk and Common Sense Although we should not apply protection haphazardly: we will necessarily protect against threats we consider most likely or most damaging; For this reason, it is essential to understand how we perceive threats and evaluate their likely occurrence and impact. Spending for security is based on the impact and likelihood of potential harm; both of which are nearly impossible to measure precisely. Harm Method, Opportunity, and Motive A malicious attacker must have three things: Method: is the how; ─ skills, ─ knowledge, ─ tools, and ─ other things with which to perpetrate the attack. Opportunity: is the when; ─ the time and access to accomplish the attack. Motive: is the why of an attack; ─ a reason to want to perform this attack against this system. Method, opportunity, and motive are all necessary for an attack to succeed; deny any of these, the attack will fail. Vulnerabilities Computer systems have vulnerabilities; weak authentication, lack of access control, errors in programs, finite or insufficient resources, and inadequate physical protection. each of these vulnerabilities can allow harm to C-I-A triad; Security analysts speak of a system’s attack surface; System’s attack surface is the system’s full set of vulnerabilities-actual and potential, Thus, the attack surface includes; physical hazards, malicious attacks by outsiders, stealth data theft by insiders, mistakes, and impersonations. Our next step is to find ways to block threats by neutralizing vulnerabilities; Information Security Classification The type of information security classification labels selected and used will depend on the nature of the organization, examples: In the business sector, labels such as: Public, Sensitive, Private, Confidential. In the government sector, labels such as: Unclassified, Unofficial, Protected, Confidential, Secret, Top Secret and their non-English equivalents. Example; Common military data classifications: Unclassified, Confidential, Secret, Top Secret. In cross-sectorial formations, the Traffic Light Protocol, which consists of: White, Green, Amber, and Red. Data Classification Procedures The following outlines the necessary steps for a proper classification program: 1. Define classification levels. 2. Specify the criteria that will determine how data are classified. 3. Identify data owners who will be responsible for classifying data. 4. Identify the data custodian who will be responsible for maintaining data and its security level. 5. Indicate the security controls, or protection mechanisms, required for each classification level. 6. Document any exceptions to the previous classification issues. Data Classification Procedures The necessary steps for a proper classification program: Continue; 7. Indicate the methods that can be used to transfer custody of the information to a different data owner. 8. Create a procedure to periodically review the classification and ownership. Communicate any changes to the data custodian. 9. Indicate procedures for declassifying the data. 10. Integrate these issues into the security- awareness program so all employees understand how to handle data at different classification levels. Data Classification; Commercial Business & Military Data Classification Examples Organization Classification Definition Examples That Would Use This How many people are Disclosure is not welcome, but it would not Commercial working on a specific Public cause an adverse impact to company or project business personnel. Upcoming projects Requires special precautions to ensure the integrity and confidentiality of the data by Financial information protecting it from unauthorized modification Details of projects Commercial Sensitive or deletion. Profit earnings and business Requires higher-than-normal assurance of Forecasts accuracy and completeness. Personal information for use within a Work history company. Human resources Commercial Private Unauthorized disclosure could adversely information business affect personnel or the company. Medical information For use within the company only. Trade secrets Data exempt from disclosure under the Healthcare information Commercial Freedom of Information Act or other laws Confidential Programming code business and regulations. Information that keeps Military Unauthorized disclosure could seriously the company competitive affect a company. Data Classification; Commercial Business & Military Data Classification Examples Classification Definition Examples Organizations That Would Use This Computer manual and Unclassified Data is not sensitive or classified. warranty information Military Recruiting information Sensitive but Minor secret. Medical data unclassified If disclosed, it may not cause serious Military Answers to test scores (SBU) damage. Deployment plans for If disclosed, it could cause serious Secret troops Military damage to national security. Nuclear bomb placement Blueprints of new wartime If disclosed, it could cause grave weapons. Top secret Military damage to national security. Spy satellite information. Espionage data. Primary layers of information security Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook_ An Introduction to Information Security-Apress (2014) information security layers are: Physical Security, Hardware Security, Network security, Communications Security, Software Security, Human or personnel security. All of the important layers are supported by: policies, procedures, and processes to plan, implement, monitor, audit, detect, correct, and change of any of the components of all the layers that constitute a layered approach to information security. Appropriate coordination between the various layers, and the distribution of risks and opportunities to different layers, will vary, depending on the: cost effectiveness and ease of use, and the impact on the efficiency and effectiveness of information security. Primary layers of information security The following figure depicts the context diagram of various layers of information security interacting with each other and providing a robust security architecture; Security Achievement; Security is achieved by implementing policies, guidelines, procedures, governance, and other software functions; Information security consists of three main components: hardware, software, and a communication system. Various tools are developed daily to combat the compromise of information security; Several standards and guidelines have been implemented to reduce the propensity for information security breaches. Security Achievement; Information security also spans to physical aspects like: hardware and infrastructure, the operating system, networks, applications, software systems, utilities, and tools. Other important contributors (favorable or adverse) to the field of information security are: human beings, particularly employees, contractors, system providers, hackers, and crackers.