
Facultat d’Economia i Empresa

Securing Information Systems

Basic concepts

Data record: Representation of an attribute or characteristic of an entity. It is
the minimum quantity of information about any subject.

Examples: the height of a person, square meters of a room, …

Information: Organized set of processed data records.

Examples: quarterly sales per geography, training expenditure by
department, manufacturing costs of a given product, …

Management activities such as analysis, control and decision making
require access to large amounts of good-quality information.

Information is a valuable asset for the organization, key to support
good decision making. As a valuable asset, it has to be protected.

Assets related to Information Security

Information security assets (source: Magerit v3):
• Business processes
• Data and information
• Installations (buildings, vehicles, …)
• Support equipment (cooling devices, paper shredders, …)
• Software
• IT equipment
• Data storage devices
• Communication networks
• Personnel

Basic Pillars of Information Security

Information is protected if we can assure three pillars:

• AVAILABILITY: Employees need availability of reliable data to conduct business activities.
• INTEGRITY: Data has to be complete and reliable.
• CONFIDENTIALITY: Data has to be accessible only to authorised users, when it is needed to do their job.

2018 Data breach cost study

500 companies in 11 countries

• $3.86 million is the average total cost of a data breach
• 6.4% increase in the total cost of a data breach since 2017
• $40 is the average cost per lost or stolen record
• Average time to identify a data breach: 197 days

Source: http://www-03.ibm.com/security/data-breach/

CASE: JP Morgan Chase & Co. data breach

• http://www.forbes.com/sites/larrymagid/2014/10/02/jp-morgan-chase-warns-customers-about-massive-data-breach/
• http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?_r=0
• http://www.bloomberg.com/news/articles/2015-06-30/jpmorgan-reassigns-security-team-leader-a-year-after-data-breach
• http://www.cbsnews.com/news/three-charged-for-jpmorgan-data-breach-the-largest-ever/

Securing Information Systems

THREATS

Threats to Information Security

Criminal activity

• Cybercrime
• Data theft (either performed by own employees or by outside parties)
• Terrorism, vandalism
• Corruption
• …

Involuntary actions

• Wrong data entry
• Malfunctioning equipment or communications
• Faults
• Mistakes in data custody
• Force majeure
• Accidents
• …

Fauna (1/2)

Hackers:
• IT experts with an interest in system vulnerabilities. A hacker tries to gain
unauthorised access to protected IT systems and confidential information.
Crackers:
• A person who breaches computer security for profit or malicious purposes.
Sniffers:
• IT network experts who analyze data traffic to extract information from the
packets that are transferred on the network.
• The same term is used to describe applications or hardware devices that monitor
data flowing through a network.

Sidebar from http://hackstory.net: “Because we don't want Internet old days vanishing
into dead bits. Because we are proud of hackers. Because we want their memory alive.
And running.”

See also: http://www.catb.org/esr/jargon/


Fauna (2/2)

Carders:
• Individuals who perform attacks on credit card-related devices, such as ATMs or
payment management devices. Typical actions include copying the details of the
card electronically and trying to obtain the PIN.

Cyberterrorists:
• Use of information systems illegally with the objective of creating panic or fear
amongst the population by disrupting services or compromising the usage of
infrastructures.

https://hackstory.es/
https://youtu.be/MPy6WIuXK3k

Viruses, worms and trojan horses

Virus:
• Rogue software program that attaches itself to other software programs or data files in order to be executed.

Worm:
• Independent programs that copy themselves from one computer to other computers over a network.

Trojan horse:
• Software that appears benign but does something other than expected.

Botnets:
• Networks of “zombie” PCs infiltrated by bot malware.
• Deliver 90 percent of world spam, 80 percent of world malware.
• Grum botnet: controlled 560K to 840K computers.

Widespread malware (example: the Conficker worm)

Origin:
• Appeared in 2008

What does it do:
• Exploits a vulnerability of the Windows operating system and deactivates important security-related processes
(Update, Security Center, Defender, Error Reporting). Once the defence system is deactivated, it connects to an external
server to receive instructions on how to propagate.

Name:
• Conficker = Configuration + “fucker”
• Also known as trafficconverter.biz → (fic)(con)(er) → (con)+(fic)+k+(er)

Solution:
• The vulnerability is solved by applying a Windows security update

Number of affected computers:
• Infection peak: 11M computers
• 20% of the total number of infection attempts in 2014

Links:
• http://blog.checkpoint.com/2016/06/21/top-10-most-wanted-malware/
• https://uk.norton.com/emeabots

The malware business
(example: Cryptolocker - ransomware)

• E-mail impersonating a trusted company or institution.
• The link downloads malicious software that infects your computer.
• Criminals ask for a ransom in exchange for the decryption key.

https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html
https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/ransomware-and-businesses-16-en.pdf

Spyware

▪ Collects information about usage of the affected computer and sends it to an
external server. Collected information varies: keyboard strokes, screen
recordings, Internet browser navigation history details, …

▪ It may be a software program or a hardware device.

http://www.symantec.com/connect/articles/introduction-spyware-keyloggers
https://www.keelog.com/es/usb_hardware_keylogger.html

Identity-related threats

Identity theft
• Unauthorised access to personal information (ID number, driver’s license, or
credit card numbers) to impersonate another person, usually with the objective
of obtaining passwords

Phishing
• Setting up fake Web sites or sending e-mail messages that look like legitimate
messages to obtain confidential data

Evil twins
• Wireless networks that pretend to offer trustworthy Wi-Fi connections to the
Internet, in which the traffic is being monitored

Pharming
• Redirects users to a bogus Web page, even when the individual types the correct
Web page address into his or her browser

Phishing examples

https://phishingquiz.mcafee.com/

Scareware examples

Other types of attack

▪ Denial of service attacks (DoS / DDoS):
- The objective of this type of attack is to make a service unavailable to its legitimate users. The
most common way to perform a DoS attack is to flood the server with thousands of requests in a
very short period of time, so that the server is not capable of processing them.
- If a DoS attack is performed by several computers simultaneously, it is named a Distributed Denial
of Service attack (DDoS).

▪ Intrusion attack: to perform activity on a network or system in an unauthorised manner. Some of
the techniques used to perform an intrusion attack are listed below:
- Exploit: software created to use a known vulnerability of the system that is being attacked to
perform the unauthorised activity. Software manufacturers push updates to solve vulnerabilities
when detected (example: Windows operating system updates).
- Backdoor: method to bypass the authentication mechanism built into the information system.
- Zero-day vulnerability: vulnerability known by the attacker but not yet detected by
the software manufacturer.
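
Detection logic for the flood pattern described above, as an added example that is not part of the original slides: it counts requests per source in fixed 10-second windows over constructed access-log lines, flagging a single source that exceeds a per-source limit (the DoS case) and windows whose total exceeds an overall limit with no single heavy source (the many-computers DDoS case). The thresholds, addresses and log lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Common Log Format prefix: source address, then the bracketed timestamp.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

# Constructed sample access log: one normal client, one malformed line and
# one source sending 300 requests within five seconds (the DoS flood pattern).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 1043',
    'garbage line that does not parse',
] + [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{37 + i // 60:02d} +0000] "GET /search HTTP/1.1" 200 12'
    for i in range(300)
]

def parse_line(line):
    """Return (source, timestamp) for a well-formed line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def find_floods(lines, window=timedelta(seconds=10), per_source_limit=100, total_limit=500):
    """Return (sorted single-source offenders, number of distributed-flood windows).

    Requests are bucketed into fixed windows. A source exceeding per_source_limit
    in one window is a DoS candidate; a window whose total exceeds total_limit
    with no single heavy source matches the many-machines DDoS pattern.
    """
    buckets = defaultdict(Counter)  # window index -> Counter(source -> hits)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the analysis
        src, ts = parsed
        buckets[int(ts.timestamp() // window.total_seconds())][src] += 1
    offenders, distributed_windows = set(), 0
    for counts in buckets.values():
        heavy = {src for src, n in counts.items() if n > per_source_limit}
        offenders |= heavy
        if not heavy and sum(counts.values()) > total_limit:
            distributed_windows += 1
    return sorted(offenders), distributed_windows

if __name__ == "__main__":
    print(find_floods(SAMPLE_LOG))  # (['203.0.113.7'], 0)
```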

Hoax

▪ It is not a virus or an attempt to breach a computer system, but the spread of
false information or facts about a person or organization.

▪ A hoax may be created and spread for multiple purposes: from a simple joke to
profit or undermining the reputation of a person or institution for political or
commercial reasons.

▪ http://mashable.com/2009/07/15/internet-hoaxes/
▪ http://www.museumofhoaxes.com/
▪ http://www.hoaxbusters.org/
▪ http://www.rompecadenas.com.ar/

Securing information systems

CYBER-CRIME

Cyber-crime definition

Cyber-dependent crime

• Crime that can only be committed using information systems: acts targeting networks
or systems, although the actual aim could be to commit fraud or other criminal
activity. Examples of cyber-dependent criminal acts:
• Propagation of viruses or malware
• Intrusion, theft or access/dissemination of confidential information
• Participating in a Denial of Service attack

Cyber-enabled crime

• Traditional criminal actions that have a higher impact thanks to the use of information
systems. Examples include:
• Fraud, including phishing, internet banking fraud, fake products, …
• Theft of personal information or authentication details
• Abuse of all types

Cyber-Crime from a business perspective

▪ Tax fraud: alter corporate information online to falsify tax records.
- https://www.gov.uk/government/news/cyber-attack-leads-to-arrests-for-suspected-tax-fraud
▪ Business theft: to divert funds or assets; it may be done by internal employees.
▪ Cyber-extortion: attacks on servers (DoS) or branding (hoax, web defacement, etc.) with the
aim of requesting a ransom.
▪ Client details theft: stealing client details with the aim of reselling them.
▪ Industrial espionage.
▪ Theft of intellectual property: designs, product specs, processes or methodologies with the
aim of:
- Copying products
- Incorporating elements into own products
- Selling it to third parties
- ...
▪ Money laundering.
▪ …

Security and Cyber-crime

▪ Highly valuable and quickly sold on underground information such as
payment, healthcare, and personally identifiable records, as well as
sensitive M&A information, must be identified as a targeted asset,
quarantined, and stored encrypted.
▪ The actionable contingency plan must be rehearsed and quickly activated in
the case of a breach including a clear response strategy if extortion is
attempted. Security professionals must be aware of upcoming threats and
successful mitigation practices when establishing a robust and secure
network, making sure the proper data backups are in place.

Andrei Barysevich (Nov 2016), https://www.recordedfuture.com/cyber-criminal-profiling/

Average annualized cyber crime cost weighted by attack
frequency

Estimated average time (days) to resolve

Organized cyber-crime

http://en.wikipedia.org/wiki/Zeus_(trojan_horse)
https://securityintelligence.com/dyre-wolf/

Cybercriminal Syndicate Hierarchy

A typical group is controlled by a single
mastermind “boss” — a very intelligent
and highly educated person — and
includes bankers with extensive
connections in the financial industry to
arrange money laundering and cash out of
stolen funds.

Additionally, forgers are responsible for
fake documents and supporting paperwork
and professional project managers oversee
the technical aspects of operations,
software engineers, and skilled hackers.

Some groups include ex-law enforcement
agents responsible for information
gathering as well as counter-intelligence
operations.

Team members tend to have strong ties in real life and often are respected members of their communities, viewed
by many as successful businessmen and entrepreneurs. The group will often have a diversified investment portfolio
and maintain a presence in real estate, hospitality, and auto-related businesses.

Andrei Barysevich (Nov 2016), https://www.recordedfuture.com/cyber-criminal-profiling/

Hacktivism

▪ To use IT hacking techniques for political purposes. It is seen by some as crime
and by others as a legitimate way to disobey existing legislation or highlight
abusive practices of governments or corporations.
▪ Commonly used techniques include:
- Web site defacements: to change the appearance of a website
- Redirects: redirect the traffic to an alternative website
- Denial-of-service attacks
- Information theft: to steal and disseminate information that has been kept secret by
governments or corporations
- Web site parodies
- Virtual sabotage

Hacktivists

Image captions: “Creators of the term”, “LulzSec”, “Dissolved in 2010”, “Creator of The Pirate Bay”

http://www.alexandrasamuel.com/dissertation/pdfs/index.html
http://securitywatch.pcmag.com/hacking/295701-hacktivists-stole-more-data-than-criminals-in-2011
http://hackstory.net/index.php/Hacktivismo_es

Threat maps

https://www.fireeye.com/cyber-map/threat-map.html
http://map.norsecorp.com/

Botnet / DDoS Attack - Norse Live Footage - 12/25/15
https://youtu.be/1wq6LIjPHkk

Securing Information Systems

PERIMETER SECURITY

Technological protection

Basic security tools
• Antivirus: software designed to detect and eliminate malware (viruses, worms, …)
• Firewall: to block unauthorised communications, allowing legitimate Internet traffic.
• AntiX: antispy, anti-keyloggers, anti-phishing, anti-spam, anti-rootkit, parental control, …
• …

Additional options:
• Access the corporate systems using a VPN (Virtual Private Network), so all
communications are encrypted and not visible to external parties.
• NAC (Network Access Control): defining which resources (computers, servers, etc.)
are authorised to access the internal network (hence rejecting connection attempts
by unauthorised devices).
• Services offered by specialized security companies to mitigate risks of attacks or data
theft, e.g. https://www.akamai.com/uk/en/products/security/#secure-enterprise-access
• Monitoring and network control (see next slide)

Perimeter security areas

Zones, from the outside in (the label under each zone in the diagram gives its control level):

• Internet (not controlled): Internet Services Provider
• Screened subnet (controlled): Web server, E-mail server
• Production (management): Servers, Applications, Data…, Intranet / Extranet
• Restricted (secure): SysAdmin, Conf, Core
• Intranet (controlled)

Securing Information Systems

AUTHENTICATION

Identification methods

▪ Something I know
- Password / Passphrase

▪ Something I have
- ID card
- Smartcard
- ID token

▪ Something I am (biometric)
- Fingerprint
- Iris / Retina
- Face recognition
- Voice recognition

See also: “Applications of Biometrics to Security”, presentation by Carmen Sanchez at UPM, via Criptored:
http://www.criptored.upm.es/descarga/TASSI2012_CarmenSanchez.pdf

Passwords

▪ Real words in a dictionary
- Applications can break a password of this type within seconds
▪ Composition
- It should include letters, numbers and special characters
- Length should not be shorter than 8 characters
- Do not use personal details (birthdays, names of family members or pets, etc.)
▪ Usage
- Passwords should be modified regularly
- The same password should not be used in several places
- Consider using password managers: applications that store all your passwords,
different for each service, protected with a master password
(https://bitwarden.com/)
▪ N-factor authentication
- To reduce the risks associated with password authentication, a lot of services are
combining different authentication methods, for example password + SMS code, to
provide access to certain services.
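
A checker for the dictionary, composition and personal-details rules on this slide, as an added example that is not part of the original slides. The mini-dictionary, the letter-for-digit substitution table and the personal details passed in are constructed stand-ins; a real check would load a full wordlist and the user's profile data.

```python
import string

# Constructed mini-dictionary standing in for a real wordlist.
DICTIONARY = {"password", "welcome", "dragon", "barcelona", "summer"}

def normalise(word):
    # Undo common letter-for-digit substitutions so "p4ssw0rd" still
    # matches the dictionary entry "password" (constructed table).
    table = str.maketrans("0134$@", "oleasa")
    return word.lower().translate(table)

def check_password(candidate, personal_details=()):
    """Return the list of slide rules the candidate breaks (empty means it passes)."""
    problems = []
    # Composition rules: length, letters, numbers, special characters.
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("no letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special characters")
    # Dictionary rule: undo substitutions, keep only letters, then compare,
    # so that "p4ssw0rd!" is still recognised as the word "password".
    core = "".join(c for c in normalise(candidate) if c.isalpha())
    if core in DICTIONARY:
        problems.append("dictionary word")
    # Personal-details rule: any supplied detail (name, birth year, pet)
    # of three or more characters appearing inside the password.
    lowered = candidate.lower()
    for detail in personal_details:
        if len(detail) >= 3 and detail.lower() in lowered:
            problems.append(f"contains personal detail {detail!r}")
    return problems

if __name__ == "__main__":
    # Constructed personal details for the demonstration.
    print(check_password("Rex2015!", personal_details=["Rex", "2015"]))
```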
