Week 2 – Introduction To Information Security Part II PDF
Uploaded by RazorSharpSaxhorn
Summary
This document provides an introduction to information assurance and security including security controls, discussing physical, technical and administrative controls, as well as various control categories by their functionality. It also covers risk management, defining risks, and different types of hackers.
Full Transcript
Information Assurance and Security
LECTURE – 2: INTRODUCTION TO INFORMATION SECURITY PART II
IT3070 - INFORMATION ASSURANCE AND SECURITY

Security Controls
Computer/information security controls are often divided into three distinct categories:
- Physical controls
- Technical/Logical controls
- Administrative controls

Physical Controls
Physical controls are security measures implemented in a defined structure to deter or prevent unauthorized access to sensitive material. Examples:
- Surveillance cameras
- Motion or thermal alarm systems
- Security guards
- Picture IDs
- Locked and dead-bolted steel doors
- Network segregation
- Work area separation

Technical Controls
Technical controls use technology as the basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Examples:
- Encryption
- Smart cards
- Network authentication
- Access control lists (ACLs)
- File integrity auditing software

Administrative Controls
Administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information by such means as:
- Training and awareness
- Disaster preparedness and recovery plans
- Personnel recruitment and separation strategies
- Personnel registration and accounting
- Policy and procedures

Controls Categorized by Their Functionality
- Preventive controls
- Detective controls
- Deterrent controls
- Corrective controls
- Recovery controls
- Compensating controls

Preventive Controls
Designed to discourage errors or irregularities from occurring. They are proactive controls that help to ensure departmental objectives are being met. Examples:
- Separation of duties
- Security of assets (preventive and detective)
- Planning/testing
- Proper hiring practices
- Proper processing of terminations
- Approvals, authorizations, and verifications

Detective Controls
Designed to find errors or irregularities after they have occurred. Examples:
- Monitoring systems
- Log reviews
- Burglar alarms
- File integrity checkers
- Security reviews and audits
- Performance evaluations

Deterrent Controls
Intended to discourage potential attackers and send the message that it is better not to attack, and that even if an attack is attempted we are able to defend ourselves. Examples:
- Notices of monitoring and logging
- Visible practice of sound information security management

Corrective Controls
Designed to correct the situation after a security violation has occurred. Although a violation occurred, not all is lost, so it makes sense to try to fix the situation. Examples:
- Procedure to clean a virus from an infected system
- A guard checking and locking a door left unlocked by a careless employee
- Updating firewall rules to block an attacking IP address

Recovery Controls
Somewhat like corrective controls, but applied in more serious situations to recover from security violations and restore information and information processing resources. Examples:
- Disaster recovery and business continuity mechanisms
- Backup systems and data
- Emergency key management arrangements and similar controls

Compensating Controls
Intended as alternative arrangements for other controls when the original controls have failed or cannot be used. When a second set of controls addresses the same threats that are addressed by another set of controls, the second set is referred to as compensating controls.

Risk Management
What is risk?
Life is full of risk. We all manage risk, consciously or automatically, in life. Risk is the possibility of damage happening, and the ramifications of such damage should it occur.
Information Risk Management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.
Risk can be mitigated, but it cannot be eliminated; elimination is usually not an option in the commercial world, where controlled (managed) risk enables profits.

Risk Management Terms
- Vulnerability – a system, network or device weakness
- Threat – potential danger posed by a vulnerability
- Threat agent – the entity that identifies a vulnerability and uses it to attack the victim
- Risk – likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact
- Exposure – potential to experience losses from a threat agent
- Countermeasure – put into place to mitigate the potential risk

Understanding Risk
A threat agent gives rise to a threat that exploits a vulnerability and can lead to a security risk that can damage your assets and cause an exposure. This can be countermeasured by a safeguard that directly affects the threat agent.

Managing Risks
(diagram only)

Comprehensive Security Model
(diagram only)

Data Loss
Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen, or leaked to the outside world. Data is likely to be an organization's most valuable asset. Organizational data can include:
- Research and development data
- Sales data
- Financial data
- Human resource and legal data
- Employee data
- Contractor data
- Customer data
Data loss can result in:
- Brand damage and loss of reputation
- Loss of competitive advantage
- Loss of customers
- Loss of revenue
- Litigation/legal action resulting in fines and civil penalties
- Significant cost and effort to notify affected parties and recover from the breach

Vectors of Data Loss
- Unencrypted devices
- Cloud storage devices
- Removable media
- Hard copy
- Improper access control
- Email
- Social networking

BYOD (Bring Your Own Device)
BYOD is the emerging trend of employees using their personal devices (smartphones, tablets, laptops, etc.) to remotely access an organizational network to carry out office work. Employees can thus access official mail on their smartphone, connect to the office and work using their laptop even while traveling, and use tablets to take part in conferences held at their office when they are away. BYOD is important today since employees want to deliver their best in a competitive world, and companies want to make the most of the manpower they have at hand.

BYOD Benefits
- Boosts productivity. Employees can always work by accessing work resources from their personal devices, and can even check emails and update presentations while on vacation or traveling home.
- Employees work with devices they are more comfortable with and are hence happier when they work in places where BYOD is encouraged.
- The money that would be invested in buying hardware, software, etc. can be used for other things, since employees use their own devices for work. SMBs in particular can benefit from BYOD in a very direct manner.
- BYOD helps companies stay abreast of changing technology, as employees using personal devices for work stay up to date with technology and bring the same to the company.

BYOD Drawbacks
- Security threats arise from the increased number of people accessing a company's data from other devices, and from the fact that malware can get in through any BYOD device that is not properly secured.
- Company files and data that employees are free to access from their personal devices could end up in the wrong hands; such data can easily be seen or stolen by outsiders with malicious intentions.
- BYOD devices might be stolen or lost, which would also cause data breaches.
- IT departments in companies where BYOD is practiced come under tremendous pressure to support, manage and secure all BYOD devices.

COPE (Corporate-Owned, Personally Enabled)
COPE is a business model in which an organization provides its employees with mobile computing devices and allows the employees to use them as if they were personally owned notebook computers, tablets or smartphones. The COPE model provides the organization with greater power to protect the organization's data both technically and legally. Corporate-owned device policies provide several benefits, such as:
- The ability to actively manage and control if and when a device can access particular apps, sites, services, networks and solutions.
- The opportunity to wipe a device of any corporate data when an employee loses the device or parts ways with the organization.
- The chance to incorporate controls on the device that determine how applications, networks and IT systems can be used remotely, and whether specific information can be retrieved in certain scenarios.

Security Measures for COPE/BYOD
Mobile Device Management (MDM) features secure, monitor, and manage mobile devices, including corporate-owned devices and employee-owned devices:
- Data encryption
- PIN enforcement / strong authentication mechanisms
- Remote data wipe of stolen/misplaced devices
- Data Loss Prevention (DLP) options
- Jailbreak/root detection
- Remotely locating devices
- Security assessments (vulnerability assessments / pen testing / audits)

The Hacker
Hacker is a common term used to describe a network attacker. However, the term "hacker" has a variety of meanings:
- A clever programmer capable of developing new programs and coding changes to existing programs to make them more efficient.
- A network professional who uses sophisticated programming skills to ensure that networks are not vulnerable to attack.
- A person who tries to gain unauthorized access to devices on the Internet.
- Individuals who run programs to prevent or slow network access for a large number of users, or to corrupt or wipe out data on servers.

White Hat Hackers
- Ethical hackers who use their hacking skills for good, ethical and legal purposes.
- May perform security assessments such as vulnerability assessments and penetration tests to discover vulnerabilities.
- Security vulnerabilities are reported to developers so they can be fixed before the vulnerabilities can be exploited.
- Some organizations award prizes or bounties to white hat hackers when they report vulnerabilities.

Gray Hat Hackers
These are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause serious damage. Example: someone who compromises a system without permission and then discloses the vulnerabilities publicly. However, by publicizing a vulnerability, the gray hat hacker may give other hackers the opportunity to exploit it.

Black Hat Hackers
These are unethical criminals who violate computer and network security for personal gain or for malicious reasons. Black hat hackers exploit vulnerabilities to compromise computer and network systems.

Modern Hacking Titles
- Script kiddies
- Vulnerability brokers
- Cyber criminals
- Hacktivists
- State-sponsored hackers

Script Kiddies
Inexperienced hackers running existing scripts, tools and exploits developed by skillful hackers to cause harm, but typically not for profit. It is generally assumed that most script kiddies are juveniles who lack the ability to write sophisticated programs or exploits on their own. Their objective is to try to impress their friends or gain credit in computer-enthusiast communities. However, the term does not relate to the actual age of the participant.

Vulnerability Brokers
Usually gray hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.

Cyber Criminals
Cyber criminals are black hat hackers whose motive is to make money using any means necessary. They may be self-employed (working independently) or work for criminal organizations. It is estimated that globally, cyber criminals steal billions of dollars from consumers and businesses. Cyber criminals operate in an underground economy where they buy, sell, and trade attack toolkits, zero-day exploit code, botnet services, banking Trojans, keyloggers, and much more. They also buy and sell the private information and intellectual property they steal from victims. Cyber criminals target small businesses and consumers, as well as large enterprises and industry verticals.

Hacktivists
Grey hat hackers who rally and protest against different social and political ideas. Hacktivists do not hack for profit; they hack for attention. Hacktivists publicly protest against organizations or governments by posting articles and videos, leaking sensitive information, and performing distributed denial of service attacks. Examples of hacktivist groups: Anonymous, Syrian Electronic Army.

State-Sponsored Hackers
These are government-funded and guided attackers. State-sponsored hackers create advanced and customized attack code, often using previously undiscovered software vulnerabilities, to steal government secrets, gather intelligence, and sabotage networks and systems. Their targets are foreign governments, terrorist groups and corporations. Most countries in the world participate to some degree in state-sponsored hacking. Nations hire the best talent to create the most advanced and stealthy threats. An example: the Stuxnet malware that was created to damage Iran's nuclear enrichment capabilities.