CHAPTER 4. Information Security
INFORMATION SECURITY
Muhamad Khairulnizam Zaini
Senior Lecturer
Information Systems Management
UiTM Selangor
2017
LESSON OBJECTIVES:
C.I.A – Confidentiality, Integrity, Availability
Our concerns:
Authentication. Information/messages came from the person we acknowledge.
Non-repudiation. Senders cannot deny knowledge of sending the message or performing some online activities at some later point in time.
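As an added example (not part of the original slides), the Go program below shows the difference between the two concerns listed above: an HMAC over a shared secret gives authentication and integrity, while an Ed25519 signature additionally gives non-repudiation, because only the holder of the private key could have produced it. The key, the message and the tampered message are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authentication and integrity with a shared secret: the tag changes if the
// message changes, but BOTH parties hold the key, so either could have made it
// and the sender can still deny sending the message (no non-repudiation).
func hmacTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func hmacValid(key, msg, tag []byte) bool {
	return hmac.Equal(hmacTag(key, msg), tag)
}

// Non-repudiation with a key pair: only the private key can sign, while anyone
// with the public key can verify, so a valid signature binds the message to its sender.
func signMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func signatureValid(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	key := []byte("constructed-shared-secret")  // known to sender AND receiver
	msg := []byte("transfer 100 to account 42") // constructed sample message
	tampered := []byte("transfer 900 to account 42")
	tag := hmacTag(key, msg)
	fmt.Println("HMAC: original accepted     :", hmacValid(key, msg, tag))      // true
	fmt.Println("HMAC: tampered accepted     :", hmacValid(key, tampered, tag)) // false
	// The receiver can compute an identical tag, so a tag alone never proves who sent it.
	fmt.Println("HMAC: receiver-made tag same:", hmac.Equal(tag, hmacTag(key, msg))) // true

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := signMessage(priv, msg)
	fmt.Println("SIG: original accepted      :", signatureValid(pub, msg, sig))      // true
	fmt.Println("SIG: tampered accepted      :", signatureValid(pub, tampered, sig)) // false
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("SIG: other signer accepted  :", signatureValid(pub, msg, signMessage(otherPriv, msg))) // false
}
```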
INFOSEC, in broad terms
The act of protecting the confidentiality, integrity and availability of information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction – regardless of the form of the information (electronic, printed, cloud, etc.).
INFORMATION SECURITY DOMAINS
[Figure: People, Process and Technology surrounding Good Information Security Practice]
People – "The Human Factor"
The human factor has to be addressed at two key levels:
Non-technical staff – must have up-to-date awareness of their role in preventing and reducing threats.
Technical staff – must have broad, up-to-date information security skills, competency and qualifications.
Process
A structured set of activities designed to accomplish a specific objective, i.e. procedures, work instructions, metrics, roles, improvements.
Technology
Technology is a key element in achieving effective information security for any organization.
…security is far more than investing in hardware and software. First and foremost, security is a business issue. This means that top management is accountable for ensuring that its organisation's security strategy meets business objectives and is adopted as a strategic risk. Discussions of security risk at board level should include identifying which risks to avoid, accept, mitigate or transfer (such as through information insurance), as well as reviewing specific plans associated with each approach.
The three fundamental domains of an effective cyber security strategy are: people, processes and technology.
Source: www.itgovernance.co.uk
Information Security Challenges
Information Security professionals
1. Chief Information Security Officer (CISO).
The role of a CISO is to define Information Security strategic direction, develop and maintain policies and establish roles and responsibilities for Information Security within the organisation. The Chief Information Security Officer may report to either the Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Technology Officer (CTO) or Chief Information Officer (CIO) of an organisation, depending on the organisation's structure.
Source: http://www.cybersecurity.my
2. Information Security Operations.
The role of an Information Security Professional performing Information Security Operations is to:
1. Manage and implement appropriate access rights to applications, systems, databases and network
2. Implement and maintain network security
3. Perform incident management
4. Ensure that the relevant Information Security controls are implemented and embedded in the respective departments performing daily operations
Source: http://www.cybersecurity.my
3. Information Security Audit & Information Security Compliance.
In smaller agencies / organisations these two functions may be combined. Essentially their role is to monitor compliance by the staff of the agency / organisation with the Information Security policies, standards, and procedures.
An Information Security Professional with the role of audit or compliance shall be independent from day-to-day Information Security Operations.
Source: http://www.cybersecurity.my
Source: http://research.esg-global.com/reportaction/tect0312201501/TOC
Source: https://cybersec.isaca.org
Summary
In this chapter you learned how to:
1. Understand the importance of information security to organizations
• Information & computer crimes have escalated
• Protect intellectual property
Sources of threats
Deliberate software attack
• viruses
• Denial of service
Forces of nature
• Unauthorized access
• Data collection
Deviations in quality of services
• Power, LAN, WAN
• Service issues from service providers
Technical hardware failure
• equipment failure
Technical software failure
• Bugs, code loopholes, etc.
Technological obsolescence
• Uselessness of technology
• Outdated tech
Malicious Threats: Insiders
The most common threat
We cannot know for sure whether Lewandowski used the files to help Uber in their own project, but the situation was ostentatious enough that Waymo sued Uber and asked for a halt in their self-driving car trials until further notice.
If the allegations are true, the damage caused to Waymo, and Google for that matter, could far exceed the one caused by an external hack. Years of hard work and investment were practically handed over on a silver platter to a major competitor.
Source: https://heimdalsecurity.com/
http://www.cdse.edu/documents/toolkits-insider/Robert-Mo-Insider-Threat-Case-Study.pdf
http://www.cdse.edu/documents/cdse/CDSE-Insider-Threat-Case-Study-Yuan-Li.pdf
Security Vulnerability
A vulnerability is a weakness which allows an attacker to reduce a system's information assurance.
Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw ("The Three Tenets of Cyber Security". U.S. Air Force Software Protection Initiative. Retrieved 2009-12-15).
A vulnerability refers to a known weakness of an asset (resource) that can be exploited by one or more attackers. In other words, it is a known issue that allows an attack to be successful.
Vulnerability assessment
Benefits of a Vulnerability Assessment & Cyber Security Assessment
The goal is to limit exposure and attack surfaces to make compromising and exploitation of network vulnerabilities more difficult.
Source: http://www.infosightinc.com/solutions/advisory-services/vulnerability-assessment.php
Impact of Security Risks and Threats