رقم3.pdf

Full Transcript

Security Threats; Internal Threats
Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook, 2014)

Lack of user security awareness, including:
‒ Identity theft and unauthorized access due to weak
password complexity.
‒ Not following company policies, such as appropriate use
of assets, clean desk policy, or clear screen policy,
leading to virus attacks or confidential information
leakage.
‒ Divulging user IDs and/or passwords to others, leading
to confidential information leakage.
‒ Falling prey to social engineering attacks.
‒ Falling prey to phishing and similar attacks.
‒ Downloading unwanted software, applications, or images
or utilities/tools leading to malware, viruses, worms, or
Trojan attacks.
‒ Improper e-mail handling/forwarding leading to the loss
of reputation or legal violations.
‒ Improper use of utilities like messengers or Skype and
unauthorized divulgence of information to others.
Security Threats; Internal Threats
Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook, 2014)

Lack of user security awareness, including:
Continue;
‒ Inappropriate configuration or relaxation of security
configurations, leading to exploitation of the systems.
‒ Entering incorrect information by oversight and not
checking it again or processing the wrong
information.
‒ Ignoring security errors and still continuing with
transactions, leading to the organization being
defrauded.
Threats
Types of Attacks
A security goals (C-I-A triad) can be
threatened by security attacks;
There are different approaches to
categorize the security attacks;
A. Attacks can be divided into three groups
related to a three security goals/properties;

Security Attacks

Modification
Snooping Denial of
(release the Masquerading Service
message content) Replaying
Traffic Analysis Repudiation
Threats
Types of Attacks
B. Attacks can be categorize into four groups
related to the harm acts;
 Interception,
 Interruption,
 Modification, and
 Fabrication.
These attacks can be grouped into two broads
categories based on their effects on the system;
 Passive attacks, and
 Active attacks.
Passive and Active Attacks ;
A passive attack;
 Threaten the confidentiality,
 Does not modify data or harm the system,
 May harm the sender or the receiver,
 It is difficult to detect, but can prevent it
easily by encryption of the data.
An active attack;
 Threaten the integrity, availability and
authenticity,
 May change the data or harm the system,
 Easer to detect than to prevent,
 An attacker can launch them in a variety ways.
Passive and Active Attacks ;
The following figure depicts these attacks
categories;
Security Attacks

Passive Attacks Active Attacks
(Interception
Attacks):
Snooping
- release the Interruption
message content. Fabrication Modification [Denial of
Traffic Analysis Impersonating,
Service-
Masquerade
(DOS)]

Repudiation
Attacks Replay Attack Alteration Attack

Figure 1: Classification of the Security Attacks
Assignments;
Assignment:
 Write a report on the vulnerability,
according to types.
 Write a report on the computer crimes up
to date in 2021, according to types.
 Threats and Attacks on the:
Data,
Hardware, and
Software.
Harm
The negative consequence of an actualized
threat is harm;
 we protect ourselves against threats in order
to reduce or eliminate harm,
 There are many examples of computer harm:
 a stolen computer, modified or lost file, revealed
private letter, or denied access to data.
These events cause harm that we want to
avoid;
The value of many assets can change over
time;
 so the degree of harm and therefore the
severity of a threat can change, too.
 With unlimited time, money, and capability,
 we might try to protect against all kinds of harm.
Harm;
But because our resources are limited, we
must prioritize our protection;
 safeguarding only against serious threats and
the ones we can control.
 Choosing the threats;
─ we try to mitigate a threats by involving a
process called risk management, and;
─ it includes weighing the seriousness of a
threat against our ability to protect.
The possibility for harm to occur is called
risk;
Harm:
Risk and Common Sense;
Risk management involves;
 choosing which threats to control, and;
 what resources to devote to protection.
The number and kinds of threats are
practically unlimited because devising an
attack requires;
 an active imagination, determination,
persistence, and time as well as access and
resources.
Harm
Risk and Common Sense
The nature and number of threats in the
computer world reflect life in general:
 The causes of harm are limitless and largely
unpredictable,
 There are too many possible causes of harm for us to
protect ourselves-or our computers-completely
against all of them;
 In real life we make decisions every day about the best
way to provide our security.
Computer security is similar;
 Because we cannot protect against everything,
 we prioritize: Only so much time, energy, or money
is available for protection;
 so we address some risks and let others slide.
The risk that remains uncovered by controls
is called residual risk;
Harm
Risk and Common Sense
A basic model of risk management
involves;
 a user’s calculating the value of all assets,
 determining the amount of harm from all
possible threats,
 computing the costs of protection,
 selecting safeguards (that is, controls or
countermeasures) based on the degree of
risk and on limited resources,
 applying the safeguards to optimize harm
averted.
Harm
Risk and Common Sense
This approach to risk management is a
logical and sensible approach to
protection, but it has significant
drawbacks;
 In reality, it is difficult to assess the value of
each asset; as we have seen,
 value can change depending on context, timing,
and a host of other characteristics.
 Even harder is determining the impact of all
possible threats;
 The range of possible threats is:
 effectively limitless, and
 it is difficult (if not impossible in some situations)
to know the short- and long-term impacts of an
action.
Harm
Risk and Common Sense

Although we should not apply protection
haphazardly:
 we will necessarily protect against threats
we consider most likely or most damaging;
 For this reason, it is essential to understand how we
perceive threats and evaluate their likely
occurrence and impact.
 Spending for security is based on the impact
and likelihood of potential harm;
both of which are nearly impossible to measure
precisely.
Harm
Method, Opportunity, and Motive
A malicious attacker must have three things:
 Method: is the how;
─ skills,
─ knowledge,
─ tools, and
─ other things with which to perpetrate the attack.
 Opportunity: is the when;
─ the time and access to accomplish the attack.
 Motive: is the why of an attack;
─ a reason to want to perform this attack against this
system.
Method, opportunity, and motive are all
necessary for an attack to succeed;
 deny any of these, the attack will fail.
Vulnerabilities
Computer systems have vulnerabilities;
 weak authentication, lack of access control,
 errors in programs, finite or insufficient resources, and
 inadequate physical protection.
each of these vulnerabilities can allow harm to
C-I-A triad;
Security analysts speak of a system’s attack
surface;
 System’s attack surface is the system’s full set of
vulnerabilities-actual and potential,
 Thus, the attack surface includes;
 physical hazards, malicious attacks by outsiders,
 stealth data theft by insiders,
 mistakes, and impersonations.
Our next step is to find ways to block threats by
neutralizing vulnerabilities;
Information Security Classification
The type of information security classification
labels selected and used will depend on the
nature of the organization, examples:
 In the business sector, labels such as:
 Public, Sensitive, Private, Confidential.
 In the government sector, labels such as:
 Unclassified, Unofficial, Protected, Confidential,
Secret, Top Secret and their non-English equivalents.
 Example; Common military data classifications:
Unclassified, Confidential, Secret, Top Secret.
 In cross-sectorial formations, the Traffic Light
Protocol, which consists of:
 White, Green, Amber, and Red.
Data Classification Procedures
The following outlines the necessary steps
for a proper classification program:
1. Define classification levels.
2. Specify the criteria that will determine how
data are classified.
3. Identify data owners who will be responsible
for classifying data.
4. Identify the data custodian who will be
responsible for maintaining data and its
security level.
5. Indicate the security controls, or protection
mechanisms, required for each classification
level.
6. Document any exceptions to the previous
classification issues.
Data Classification Procedures
The necessary steps for a proper
classification program: Continue;
7. Indicate the methods that can be used to
transfer custody of the information to a
different data owner.
8. Create a procedure to periodically review the
classification and ownership. Communicate
any changes to the data custodian.
9. Indicate procedures for declassifying the
data.
10. Integrate these issues into the security-
awareness program so all employees
understand how to handle data at different
classification levels.
Data Classification;
Commercial Business & Military Data Classification
Examples
Organization
Classification Definition Examples That Would Use
This
How many people are
Disclosure is not welcome, but it would not Commercial
working on a specific
Public cause an adverse impact to company or
project business
personnel.
Upcoming projects
Requires special precautions to ensure the
integrity and confidentiality of the data by Financial information
protecting it from unauthorized modification Details of projects Commercial
Sensitive
or deletion. Profit earnings and business
Requires higher-than-normal assurance of Forecasts
accuracy and completeness.
Personal information for use within a Work history
company. Human resources Commercial
Private
Unauthorized disclosure could adversely information business
affect personnel or the company. Medical information
For use within the company only.
Trade secrets
Data exempt from disclosure under the
Healthcare information Commercial
Freedom of Information Act or other laws
Confidential Programming code business
and regulations.
Information that keeps Military
Unauthorized disclosure could seriously
the company competitive
affect a company.
Data Classification;
Commercial Business & Military Data Classification
Examples
Classification Definition Examples Organizations That
Would Use This
Computer manual and
Unclassified Data is not sensitive or classified. warranty information Military
Recruiting information
Sensitive but Minor secret.
Medical data
unclassified If disclosed, it may not cause serious Military
Answers to test scores
(SBU) damage.
Deployment plans for
If disclosed, it could cause serious
Secret troops Military
damage to national security.
Nuclear bomb placement
Blueprints of new wartime
If disclosed, it could cause grave weapons.
Top secret Military
damage to national security. Spy satellite information.
Espionage data.
 Primary layers of information security
Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook_ An
Introduction to Information Security-Apress (2014)

information security layers are:
 Physical Security,
 Hardware Security,
 Network security,
 Communications Security,
 Software Security,
 Human or personnel security.
All of the important layers are supported by:
 policies, procedures, and processes to plan,
 implement, monitor, audit, detect, correct, and
 change of any of the components of all the layers that
constitute a layered approach to information security.
Appropriate coordination between the various layers,
and the distribution of risks and opportunities to
different layers, will vary, depending on the:
 cost effectiveness and ease of use, and the
 impact on the efficiency and effectiveness of information security.
Primary layers of information security
The following figure depicts the context diagram of
various layers of information security interacting with
each other and providing a robust security architecture;
Security Achievement;
Security is achieved by implementing
policies, guidelines, procedures, governance,
and other software functions;
 Information security consists of three main
components: hardware, software, and a
communication system.
Various tools are developed daily to combat
the compromise of information security;
 Several standards and guidelines have been
implemented to reduce the propensity for
information security breaches.
Security Achievement;
Information security also spans to physical
aspects like:
 hardware and infrastructure,
 the operating system,
 networks,
 applications,
 software systems,
 utilities, and tools.
Other important contributors (favorable or
adverse) to the field of information security are:
 human beings,
 particularly employees,
 contractors,
 system providers,
 hackers, and crackers.