Securing Information Systems 2020 r03 en
Facultat d’Economia i Empresa
Assets related with Information Security (Source: Magerit v3)
• Business processes
• Data and information
• Software
• IT equipment
• Data storage devices
• Communication networks
• Support equipment (cooling devices, paper shredders, …)
• Installations (buildings, vehicles, …)
• Personnel
Basic Pillars of Information Security
2018 Data breach cost study
Securing Information Systems
THREATS
Threats to Information Security
Criminal activity
• Cybercrime
• Data theft (either performed by own employees or by
outside parties)
• Terrorism, vandalism
• Corruption
•…
Involuntary actions
Fauna (1/2)
Hackers:
• IT experts with an interest in system vulnerabilities. A hacker tries to gain unauthorised access to protected IT systems and confidential information.
Crackers:
• A person who breaches computer security for profit or malicious purposes.
• IT network experts who analyze data traffic to extract information from the packets that are transferred on the network.
Carders:
• Individuals who perform attacks on credit card-related devices, such as ATMs or payment management devices. Typical actions include copying the details of the card electronically and trying to obtain the PIN number.
Cyberterrorists:
• Use of Information Systems illegally with the objective of creating panic or fear amongst the population by disrupting services or compromising the usage of infrastructures.
Side note (hackstory.es): "Because we don't want Internet old days vanishing into dead bits. Because we want their memory alive."
https://hackstory.es/
https://youtu.be/MPy6WIuXK3k
Viruses, worms and trojan horses
Widespread malware (example: the Conficker worm)
Origin:
• Appears in 2008
What does it do
• Exploits a vulnerability of the Windows operating system and deactivates important security-related processes (Update, Security Center, Defender, Error Reporting). Once the defence system is deactivated, it connects to an external server to receive instructions on how to propagate.
Name
• Conficker = Configuration + “fucker”
• Also known as trafficconverter.biz → (fic)(con)(er) → (con)+(fic)+k+(er)
Solution:
• The vulnerability is solved by applying a Windows security update
Links:
• http://blog.checkpoint.com/2016/06/21/top-10-most-wanted-malware/
• https://uk.norton.com/emeabots
The malware business (ex: Cryptolocker - Ransomware)
• Email impersonating a trusted company or institution.
• The link downloads malicious software that infects your computer. Criminals ask for a ransom in exchange for the decryption key.
https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html
https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/ransomware-and-businesses-16-en.pdf
Spyware
https://www.keelog.com/es/usb_hardware_keylogger.html
Identity-related threats
Identity theft
• Unauthorised access to personal Information (ID number, driver’s license, or
credit card numbers) to impersonate another person, usually with the objective
of obtaining passwords
Phishing
• Setting up fake Web sites or sending e-mail messages that look like legitimate
messages to obtain confidential data
Evil twins
• Wireless networks that pretend to offer trustworthy Wi-Fi connections to the
Internet, in which the traffic is being monitored
Pharming
• Redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser
Phishing examples
https://phishingquiz.mcafee.com/
Scareware examples
Other types of attack
Hoax
▪ A hoax may be created and spread for multiple purposes: from a simple joke to profit, or to undermining the reputation of a person or institution for political or commercial reasons.
▪ http://mashable.com/2009/07/15/internet-hoaxes/
▪ http://www.museumofhoaxes.com/
▪ http://www.hoaxbusters.org/
▪ http://www.rompecadenas.com.ar/
Securing information systems
CYBER-CRIME
Cyber-crime definition
Cyber-dependent crime
• Crime that can only be committed using information systems. Acts targeting networks or systems, although the actual aim could be to commit fraud or other criminal activity. Examples of cyber-dependent criminal acts:
• Propagation of viruses or malware
• Intrusion, theft or access/dissemination of confidential information
• Participating in a Denial of Service attack.
Cyber-enabled crime
• Traditional criminal actions that have higher impact thanks to the use of information systems. Examples include:
• Fraud, including phishing, internet banking fraud, fake products, …
• Theft of personal information or authentication details
• Abuse of all types
Cyber-Crime from a business perspective
Security and Cyber-crime
Average annualized cyber crime cost weighted by attack frequency
Estimated average time (days) to resolve
Organized cyber-crime
http://en.wikipedia.org/wiki/Zeus_(trojan_horse)
https://securityintelligence.com/dyre-wolf/
Cybercriminal Syndicate Hierarchy
Team members tend to have strong ties in real life and often are respected members of their communities, viewed
by many as successful businessmen and entrepreneurs. The group will often have a diversified investment portfolio
and maintain a presence in real estate, hospitality, and auto-related businesses.
Andrei Barysevich (Nov 2016)
https://www.recordedfuture.com/cyber-criminal-profiling/
Hacktivism
Hacktivists
http://www.alexandrasamuel.com/dissertation/pdfs/index.html
http://securitywatch.pcmag.com/hacking/295701-hacktivists-stole-more-data-than-criminals-in-2011
http://hackstory.net/index.php/Hacktivismo_es
Threat maps
https://www.fireeye.com/cyber-map/threat-map.html
http://map.norsecorp.com/
Securing Information Systems
PERIMETER SECURITY
Technological protection
Perimeter security areas
Diagram (labels only): Internet Provider, Web Servers, Server Applications, Data…, Services, Intranet, Extranet, E-mail server, SysAdmin, Conf Core
Securing Information Systems
AUTHENTICATION
Identification methods
▪ Something I know
- Password / Passphrase
▪ Something I have
- ID card
- Smartcard
- ID Token
▪ Something I am (Biometric)
- Fingerprint
- Iris / Retina
- Face recognition
- Voice recognition
Reference: Applications of Biometrics to Security, presentation by Carmen Sanchez at UPM via Criptored
http://www.criptored.upm.es/descarga/TASSI2012_CarmenSanchez.pdf
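As an added illustration of combining two of these factors (example code written for this edit, not part of the original slides), the Python below verifies a salted password hash (something I know) together with an RFC 6238 TOTP code from a token (something I have); the user record, password and token secret are constructed for the demo, and the login only succeeds when both factors check out.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000  # demo value; tune to your hardware budget
TOTP_STEP = 30           # seconds per TOTP time step (RFC 6238 default)


def enroll(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: only a salted PBKDF2 hash of the password is
    stored, plus the shared seed that was enrolled in the user's token."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


def check_password(record: dict, password: str) -> bool:
    """Something I know: recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["pw_hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def check_token(record: dict, code: str, now: int, window: int = 1) -> bool:
    """Something I have: accept the current step and +/- `window` steps of clock drift."""
    counter = now // TOTP_STEP
    return any(hmac.compare_digest(hotp(record["totp_secret"], counter + d), code)
               for d in range(-window, window + 1))


def login(record: dict, password: str, code: str, now: int) -> bool:
    """Two factors from different categories must both pass."""
    return check_password(record, password) and check_token(record, code, now)
```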
Passwords