Module 6


MIS-MODULE-6

Information Security Management


Dr. Archana Sarkar
Assistant Professor
Faculty of Management Studies
Indukaka Ipcowala Institute of Management
Module Topics
• Introduction

• Security Threats

• Security Access Control Systems and technologies

• Security Risk Management Framework


What Is a Cyber Security Threat?
• A cyber security threat refers to any possible malicious attack that seeks to
unlawfully access data, disrupt digital operations or damage information.
Cyber threats can originate from various actors, including corporate spies,
hacktivists, terrorist groups, hostile nation-states, criminal organizations,
lone hackers and disgruntled employees.
• In recent years, numerous high-profile cyber attacks have resulted in
sensitive data being exposed. For example, the 2017 Equifax breach
compromised the personal data of roughly 143 million consumers,
including birth dates, addresses and Social Security numbers. In 2018,
Marriott International disclosed that hackers accessed its servers and stole
the data of roughly 500 million customers. In both instances, the cyber
security threat was enabled by the organization’s failure to implement, test
and retest technical safeguards, such as encryption, authentication and
firewalls.
Threats to Information Security
• Information security threats take many forms, such as software attacks, theft of intellectual
property, identity theft, theft of equipment or information, sabotage, and information
extortion.
• A threat is anything that can take advantage of a vulnerability to breach security and
negatively alter, erase, or harm the object or objects of interest.
• Software attacks means attacks by viruses, worms, Trojan horses, etc.
• Theft of intellectual property means the violation of intellectual property rights such as
copyrights and patents.
• Identity theft means impersonating someone else in order to obtain that person’s personal
information or to access vital information they hold, for example accessing a person’s computer
or social media account by logging into the account with their login credentials.
• Theft of equipment and information is increasing these days due to the mobile nature
of devices and their increasing information capacity.
• Sabotage means destroying a company’s website to cause a loss of confidence on the part of its
customers.
• Information extortion means the theft of a company’s property or information in order to receive
payment in exchange. For example, ransomware may lock the victim’s files, making them
inaccessible and thus forcing the victim to pay; only after payment are the victim’s files
unlocked.
• These are the older generation of attacks; they continue today and advance every year.
• Apart from these there are many other threats. Below is a brief description of these
new-generation threats.
• Technology with weak security – With the advancement of technology, a new gadget is released
in the market with every passing day, but very few are fully secured and follow information
security principles. Since the market is very competitive, security is compromised to make a
device more up to date. This leads to the theft of data/information from the devices.
• Social media attacks – Cyber criminals identify and infect a cluster of websites that persons of a
particular organization visit, in order to steal information.
• Mobile malware – There is a saying that wherever there is connectivity to the Internet, there will be
danger to security. The same goes for mobile phones, where gaming applications are designed to lure
customers into downloading the game, so that they unintentionally install malware or a virus on the device.
• Outdated security software – With new threats emerging every day, updating security software is a
prerequisite for a fully secured environment.
• Corporate data on personal devices – These days every organization follows a BYOD rule. BYOD means
Bring Your Own Device, such as laptops and tablets, to the workplace. Clearly BYOD poses a serious threat
to the security of data, but organizations argue for adopting it for productivity reasons.
• Social engineering – is the art of manipulating people so that they give up confidential information
such as bank account details and passwords. Criminals can trick you into giving up private and
confidential information, or they gain your trust in order to get access to your computer and install
malicious software that gives them control of it. For example, an email or message from your friend
may not actually have been sent by your friend: a criminal who has accessed your friend’s device can use
the contact list to send infected emails and messages to all contacts. Since the message or email comes
from a known person, the recipient will readily open the link or attachment in the message, thus
unintentionally infecting the computer.
Types of Cyber Security Threats
1. Malware:
• Malware is malicious software such as spyware, ransomware, viruses and worms. Malware is activated when a
user clicks on a malicious link or attachment, which leads to installing dangerous software.
• Cisco reports that malware, once activated, can:
✔ Block access to key network components (ransomware)
✔ Install additional harmful software
✔ Covertly obtain information by transmitting data from the hard drive (spyware)
✔ Disrupt individual parts, making the system inoperable
2. Emotet:
• The Cybersecurity and Infrastructure Security Agency (CISA) describes Emotet as “an advanced, modular
banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet
continues to be among the most costly and destructive malware.”
3. Denial of Service:
• A denial of service (DoS) is a type of cyber attack that floods a computer or network so it can’t respond to
requests. A distributed DoS (DDoS) does the same thing, but the attack originates from a computer network.
Cyber attackers often use a flood attack to disrupt the “handshake” process and carry out a DoS. Several other
techniques may be used, and some cyber attackers use the time that a network is disabled to launch other
attacks.
4. Man in the Middle:
• A man-in-the-middle (MITM) attack occurs when hackers insert themselves into a two-party transaction. After
interrupting the traffic, they can filter and steal data, according to Cisco. MITM attacks often occur when a
visitor uses an unsecured public Wi-Fi network. Attackers insert themselves between the visitor and the
network, and then use malware to install software and use data maliciously.
5. Phishing
• Phishing attacks use fake communication, such as an email, to trick the receiver into opening it and carrying
out the instructions inside, such as providing a credit card number. “The goal is to steal sensitive data like
credit card and login information or to install malware on the victim’s machine,” Cisco reports.
6. SQL Injection
• A Structured Query Language (SQL) injection is a type of cyber attack that results from inserting malicious code
into a server that uses SQL. When infected, the server releases information. Submitting the malicious code can
be as simple as entering it into a vulnerable website search box.
7. Password Attacks
• With the right password, a cyber attacker has access to a wealth of information. Social engineering is a type of
password attack that Data Insider defines as “a strategy cyber attackers use that relies heavily on human
interaction and often involves tricking people into breaking standard security practices.” Other types of
password attacks include accessing a password database or outright guessing.
Security Access Control Systems and
technologies
• Controls for providing information security can be either preventive or
detective.
• Preventive controls attempt to avoid the occurrence of unwanted
events, whereas
• Detective controls attempt to identify unwanted events after they
have occurred.
Preventive Access Controls
• Preventive access controls for information security may be physical,
technical, or policy-oriented control mechanisms.
• Physical security is the use of locks, security guards, badges, alarms, and
similar measures to control access to computers, related equipment and
the processing facilities themselves.
• Preventive technical controls are used to prevent unauthorized personnel
or programs from gaining remote access to computing resources.
Examples include access control software, anti-virus software, passwords,
firewalls, encryption, PKI, etc.
• Preventive security policy controls are personnel-oriented techniques for
controlling people’s behaviour to ensure the confidentiality, integrity, and
availability of computing data and programs.
Continue
• Firewalls
• A firewall is a network security device that monitors
incoming and outgoing network traffic and decides
whether to allow or block specific traffic based on a
defined set of security rules.
• Firewalls have been a first line of defense in
network security for over 25 years. They establish a
barrier between secured and controlled internal
networks that can be trusted and untrusted outside
networks, such as the Internet.
• A firewall can be hardware, software, or both.
• Cryptography
• Cryptography is the study of secure communications techniques that allow
only the sender and intended recipient of a message to view its contents.
• Encryption is the conversion of data into a secure format, called a cipher
(ciphertext), that cannot be easily understood by unauthorized people.
• Decryption is the process of converting encrypted data back into its original
form so that it can be understood.
• Public Key Infrastructure:
• PKI enables users of a basically unsecured public network, such as the
internet, to securely and privately exchange data and money through the
use of a public and private cryptographic key pair that is obtained and
shared through a trusted third party/certificate authority.
• PKI requires the provider to use a mathematical algorithm to generate two
long numbers, called keys. One key is public, and one key is private.
• The private key is allotted to the user and kept secret within the system,
whereas the public key associated with the private key is published and
known to the public.
• A certifying authority (CA) creates and issues a digital certificate to each
user, which is considered legal verification.
• Digital Signature Systems
• Digital signatures are like electronic “fingerprints.” They are a specific type of electronic signature
(e-signature).
• Digital signatures, like handwritten signatures, are unique to each signer. Digital signature solution
providers follow a specific protocol, called PKI.
• When a signer electronically signs a document, the signature is created using the signer’s private
key, which is always securely kept by the signer.
• The mathematical algorithm acts like a cipher, creating data matching the signed document, called a
hash, and encrypting that data.
• The resulting encrypted data is the digital signature. The signature is also marked with the time that
the document was signed. If the document changes after signing, the digital signature is invalidated.
• As an example, Jane signs an agreement to sell a timeshare using her private key. The buyer receives
the document. The buyer who receives the document also receives a copy of Jane’s public key. If the
public key can’t decrypt the signature (via the cipher from which the keys were created), it means
the signature isn’t Jane’s, or has been changed since it was signed. The signature is then considered
invalid.
• To protect the integrity of the signature, PKI requires that the keys be created, handled, and stored
in a secure manner, and often requires the services of a reliable Certificate Authority (CA).
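Jane’s timeshare example, carried through in code as an added illustration that is not part of the original slides. It follows the slide’s description literally: hash the document, “encrypt” the hash with the private key, and let the buyer “decrypt” with the public key and compare. The key pair is constructed from two published Mersenne primes so that the numbers are small enough to read; a 92-bit modulus with no padding is a teaching toy, not a secure signature scheme (real PKI uses 2048-bit or larger keys and a padded scheme such as RSA-PSS).

```python
import hashlib

# Toy RSA key pair (constructed for illustration only; see lead-in).
P = 2**31 - 1                      # Mersenne prime M31
Q = 2**61 - 1                      # Mersenne prime M61
N = P * Q                          # public modulus
E = 65537                          # public exponent, published with N in Jane's certificate
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, kept secret by Jane


def document_hash(document: bytes) -> int:
    """The document's 'fingerprint': SHA-256, reduced mod N so it fits the toy modulus.
    (A real scheme pads the hash instead of reducing it.)"""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes, private_exponent: int = D, modulus: int = N) -> int:
    """Signer side: the hash is 'encrypted' with the private key; the result is the signature."""
    return pow(document_hash(document), private_exponent, modulus)


def verify(document: bytes, signature: int, public_exponent: int = E, modulus: int = N) -> bool:
    """Verifier side: 'decrypt' the signature with the public key and compare it with a
    fresh hash of the document received. Any change to the document breaks the match."""
    return pow(signature, public_exponent, modulus) == document_hash(document)


# Constructed sample agreement.
AGREEMENT = b"Jane Doe sells timeshare unit 12 to the buyer for 5000 on 2024-05-01"

if __name__ == "__main__":
    sig = sign(AGREEMENT)
    print("genuine document verifies:", verify(AGREEMENT, sig))                    # True
    altered = AGREEMENT.replace(b"5000", b"1")
    print("altered document verifies:", verify(altered, sig))                      # False
    print("tampered signature verifies:", verify(AGREEMENT, (sig + 1) % N))        # False
```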
• Secure Hypertext Transfer Protocol and Secure Sockets Layers
• Hypertext Transfer Protocol Secure (HTTPS) is a protocol that secures
communication and data transfer between a user's web browser and a
website. HTTPS is the secure version of HTTP. The protocol protects
users against eavesdroppers (parties who secretly listen to a conversation) and
man-in-the-middle (MitM) attacks.
• SSL stands for Secure Sockets Layer and, in short, it's the standard
technology for keeping an internet connection secure and
safeguarding any sensitive data that is being sent between two
systems, preventing criminals from reading and modifying any
information transferred, including potential personal details.
• Secure Multipurpose internet mail extension
• Secure/Multipurpose Internet Mail Extension (S/MIME) is an
industry-standard for email encryption and signature that is
commonly used by businesses to improve email security. S/MIME is
supported by the majority of corporate email clients.
• S/MIME encrypts and digitally signs emails to verify that they are
authentic and that their contents have not been tampered with.
• One-time password
• A one-time password (OTP) is an automatically generated sequence of
numeric or alphanumeric characters that will authenticate a user for a
single login or transaction.
Detective Control Systems
• Detective control systems help in detecting any security breach.
• Currently the two most prominent detective technical control systems are Information
Security Audit Systems and Intrusion Detection Systems.
• Information Security Audit Systems
• An information systems security audit (ISSA) is an independent review and examination of
system records, activities and related documents. These audits are intended to improve the level
of information security, avoid improper information security designs, and optimize the efficiency
of the security safeguards and security processes.
• Intrusion Detection Systems
• An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious
activity and issues alerts when such activity is discovered. It is a software application that scans a
network or a system for harmful activity or policy breaches. Any malicious venture or
violation is normally reported either to an administrator or collected centrally using a security
information and event management (SIEM) system.
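The IDS-to-SIEM flow described above, as an added example that is not part of the original slides: a small detector reads authentication log lines, flags the password-guessing pattern from the earlier “Password Attacks” section (many failed logins from one source in a short window) and raises a higher-severity alert if a login from that source then succeeds. The log lines, the simplified `sshd:` line format, the thresholds and the alert fields are constructed for this example; the IP addresses are from the documentation range 203.0.113.0/24 and 198.51.100.0/24.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified auth-log format assumed here: "<ISO timestamp> sshd: <Failed|Accepted> password for
# [invalid user ]<user> from <ip> ...". Real syslog lines carry a host and PID as well.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def detect_password_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Return SIEM-style alert records. A source IP that produces `threshold` failures inside
    `window` gets one 'medium' alert; a later successful login from it gets a 'high' alert."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures (sliding window)
    flagged = set()                 # sources already reported for guessing
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                # not an authentication event, ignore
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if m["result"] == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()         # drop failures older than the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"severity": "medium", "rule": "password-guessing",
                               "src": ip, "failures": len(q), "time": ts.isoformat()})
        elif ip in flagged:         # success from a source that was guessing: likely compromise
            alerts.append({"severity": "high", "rule": "success-after-guessing",
                           "src": ip, "user": m["user"], "time": ts.isoformat()})
    return alerts


# Constructed sample log: one source guesses 'admin' six times, then gets in; an unrelated
# user mistypes a password once from another address.
SAMPLE_LOG = [f"2024-05-01T10:00:{s:02d} sshd: Failed password for invalid user admin "
              f"from 203.0.113.5 port 4242 ssh2" for s in (0, 5, 10, 15, 20, 25)] + [
    "2024-05-01T10:00:12 sshd: Failed password for alice from 198.51.100.7 port 5100 ssh2",
    "2024-05-01T10:00:30 sshd: Accepted password for admin from 203.0.113.5 port 4243 ssh2",
]

if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```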
Security Risk Management Framework
• Cybersecurity risk management is a strategic approach to prioritizing
threats. Organizations implement cybersecurity risk management in order
to ensure the most critical threats are handled in a timely manner.
• The cybersecurity risk management process involves four stages:
• Identify risk – evaluating the organization’s environment to identify
current or potential risks that could affect business operations.
• Assess risk – analyzing identified risks to see how likely they are to impact
the organization, and what the impact could be.
• Control risk – defining methods, procedures, technologies, or other
measures that can help the organization mitigate the risks.
• Review controls – evaluating, on an ongoing basis, how effective controls
are at mitigating risks, and adding or adjusting controls as needed.
THANK YOU
