Chapter 4 - Information Security


Information Security
Rainer, Prince, and Cegielski
Chapter 4: Information Security
Learning Objectives

1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one.
2. Compare and contrast human mistakes and social engineering, and provide a specific example of each one.
3. Discuss the ten types of deliberate attacks.
4. Define the three risk-mitigation strategies, and provide an example of each one in the context of owning a home.
5. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.
What’s in IT for Me?
Kim Dotcom: Pirate or Successful Entrepreneur?

Read the Kim Dotcom case and answer the following questions:
• Do cyberlocker sites show due diligence in protecting sensitive, classified information?
• How can cyberlockers address copyright infringement more effectively?
• Does better protection against copyright infringement on cyberlocker sites involve technology, policy, or both?
4.1 Introduction to Information Security

Security is defined as “the degree of protection against criminal activity, danger, damage, and/or loss.”

Information security is “all of the processes and policies designed to protect an organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.”
Today, five key factors are contributing to the increasing vulnerability of organizational information resources, making it much more difficult to secure them:

1. Today’s interconnected, interdependent, wirelessly networked business environment;
2. Smaller, faster, cheaper computers and storage devices;
3. Decreasing skills necessary to be a computer hacker;
4. International organized crime taking over cybercrime;
5. Lack of management support.
4.2 Unintentional Threats to Information Systems

Unintentional threats are acts performed without malicious intent that nevertheless represent a serious threat to information security. A major category of unintentional threats is human error.

Human Error

There are two important points to be made about employees:
• The higher the level of employee, the greater the threat he or she poses to information security.
• Employees in two areas of the organization pose especially significant threats to information security: human resources and information systems.

Table 4.1 Human Mistakes

The human errors that you have just studied, although unintentional, are committed entirely by employees. However, employees also can make unintentional mistakes as a result of actions by an attacker. Attackers often employ social engineering to induce individuals to make unintentional mistakes and disclose sensitive information.

Social Engineering

Social engineering is defined as an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords.

Types of social engineering:
1. Attacker impersonates
2. Tailgating
3. Shoulder surfing
4.3 Deliberate Threats to Information Systems

The ten types of deliberate attacks:
1. Espionage or trespass
2. Information extortion
3. Sabotage or vandalism
4. Theft of equipment or information
5. Identity theft
6. Compromises to intellectual property
7. Software attacks
8. Alien software
9. Supervisory control and data acquisition (SCADA) attacks
10. Cyberterrorism and cyberwarfare

Espionage or Trespass

Espionage or trespass occurs when an unauthorized individual attempts to gain illegal access to organizational information.

Information Extortion

Information extortion occurs when an attacker either threatens to steal, or actually steals, information from a company.

Sabotage or Vandalism

Sabotage and vandalism are deliberate acts that involve defacing an organization’s Web site, possibly damaging the organization’s image and causing its customers to lose faith.

Theft of Equipment or Information

One form of theft, known as dumpster diving, involves the practice of rummaging through commercial or residential trash to find information that has been discarded.
Identity Theft

Identity theft is the deliberate assumption of another person’s identity, usually to gain access to his or her financial information or to frame him or her for a crime.

Techniques for illegally obtaining personal information include:
1. stealing mail or dumpster diving;
2. stealing personal information in computer databases;
3. infiltrating organizations that store large amounts of personal information (e.g., data aggregators such as Acxiom, www.acxiom.com);
4. impersonating a trusted organization in an electronic communication (phishing).

Compromises to Intellectual Property

Intellectual property is the property created by individuals or corporations that is protected under trade secret, patent, and copyright laws.

A trade secret is an intellectual work, such as a business plan, that is a company secret and is not based on public information. An example is the Coca-Cola formula.

A patent is an official document that grants the holder exclusive rights on an invention or a process for a specified period of time.

Copyright is a statutory grant that provides the creators or owners of intellectual property with ownership of the property, also for a designated period.
Software Attacks

Modern cybercriminals use sophisticated, blended malware attacks, typically via the Web, to make money.

Alien Software

Alien software is clandestine software that is installed on your computer through duplicitous methods.

The vast majority of pestware is adware—software that causes pop-up advertisements to appear on your screen.

Spyware is software that collects personal information about users without their consent. Two common types of spyware are keystroke loggers and screen scrapers.

Supervisory Control and Data Acquisition (SCADA) Attacks

SCADA refers to a large-scale, distributed measurement and control system. SCADA systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants.

Cyberterrorism and Cyberwarfare

Cyberterrorism and cyberwarfare refer to malicious acts in which attackers use a target’s computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, usually to carry out a political agenda.
4.4 What Organizations Are Doing to Protect Information Resources

Table 4.3 illustrates the many major difficulties involved in protecting information. Because organizing an appropriate defense system is so important to the entire enterprise, it is one of the major responsibilities of any prudent CIO as well as of the functional managers who control information resources. In fact, IT security is the business of everyone in an organization.
4.5 Information Security Controls

To protect their information assets, organizations implement controls, or defense mechanisms (also called countermeasures). These controls are designed to protect all of the components of an information system, including data, software, hardware, and networks. Because there are so many diverse threats, organizations utilize layers of controls, or defense-in-depth.

Figure 4.2 Where defense mechanisms are located.

Figure 4.2 illustrates these controls. In addition to applying controls, organizations plan for business continuity in case of a disaster, and they periodically audit their information resources to detect possible threats.
Physical Controls

Physical controls prevent unauthorized individuals from gaining access to a company’s facilities. Common physical controls include walls, doors, fencing, gates, locks, badges, guards, and alarm systems.

Access Controls

Access controls restrict unauthorized individuals from using information resources. These controls involve two major functions: authentication and authorization.
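The following is an added example, not code from the textbook or its authors, showing the two functions an access control performs as two separate checks: authentication (does the presented password prove the claimed identity?) and authorization (may this identity perform this action on this resource?). The user names, passwords, roles and policy table are constructed sample data; the point it makes beyond the text is that a correctly authenticated user can still be refused, and that an unauthenticated request never reaches the authorization step.

```python
"""Added example (not from the textbook): an access control split into its
two functions, authentication and authorization.  All user names, passwords,
roles and the policy table are constructed sample data."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16


def _hash_password(password, salt):
    # Salted, deliberately slow password hash: a leaked store does not
    # directly expose the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_store(credentials):
    """Build the user store from {username: (password, {roles})} (constructed input)."""
    store = {}
    for username, (password, roles) in credentials.items():
        salt = os.urandom(16)
        store[username] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "roles": set(roles),
        }
    return store


# Authorization policy: which roles may perform which action on which resource.
# Any (resource, action) pair not listed is denied (default deny).
POLICY = {
    ("payroll", "read"): {"hr", "finance"},
    ("payroll", "write"): {"finance"},
    ("source_code", "read"): {"engineering"},
}


def authenticate(store, username, password):
    """Authentication: does the presented password prove the claimed identity?"""
    record = store.get(username)
    if record is None:
        # Hash anyway so an unknown user name costs the same time as a wrong password.
        _hash_password(password, DUMMY_SALT)
        return False
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison: does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def authorize(store, username, resource, action):
    """Authorization: may this already-authenticated user perform the action?"""
    allowed_roles = POLICY.get((resource, action), set())
    return bool(store[username]["roles"] & allowed_roles)


def access(store, username, password, resource, action):
    """The complete access-control decision: authenticate first, then authorize."""
    if not authenticate(store, username, password):
        return "denied: authentication failed"
    if not authorize(store, username, resource, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    users = make_user_store({"alice": ("correct horse", {"hr"}),
                             "bob": ("battery staple", {"finance"})})
    print(access(users, "alice", "correct horse", "payroll", "read"))   # granted
    print(access(users, "alice", "correct horse", "payroll", "write"))  # denied: not authorized
    print(access(users, "alice", "wrong password", "payroll", "read"))  # denied: authentication failed
```

Two design choices are worth noting: the failure messages returned by `access` are the same for an unknown user and a wrong password, and the dummy hash call keeps both cases close in timing, so a caller cannot use the control itself to learn which user names exist.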
Communications Controls

Communications controls (also called network controls) secure the movement of data across networks. Communications controls consist of firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks (VPNs), Secure Sockets Layer (SSL), and employee monitoring systems.
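As an added example, not from the textbook, the block below contrasts two of the communications controls just listed, whitelisting and blacklisting, using a first-match rule evaluator of the kind a simple packet-filtering firewall applies to outbound connections. All networks, ports and rule sets are constructed sample data. What it shows beyond the list above is the difference in failure mode: a blacklist allows any destination it has never heard of (fail-open), whereas a whitelist blocks it (fail-closed), and rule order matters because the first matching rule wins.

```python
"""Added example (not from the textbook): whitelisting versus blacklisting as
a communications control, shown with a first-match packet-filter rule
evaluator.  All networks, ports and rule sets are constructed sample data."""
import ipaddress
from collections import namedtuple

# A rule matches a destination network and, optionally, one destination port.
Rule = namedtuple("Rule", ["action", "network", "port"])  # port=None means any port


def net(cidr):
    return ipaddress.ip_network(cidr)


def evaluate(rules, default_action, dest_ip, dest_port):
    """First-match evaluation: the first rule whose network and port both match
    decides; if no rule matches, the default action applies."""
    addr = ipaddress.ip_address(dest_ip)
    for rule in rules:
        if addr in rule.network and (rule.port is None or rule.port == dest_port):
            return rule.action
    return default_action


# Blacklist style: name the known-bad destinations, allow everything else.
BLACKLIST_RULES = [Rule("deny", net("203.0.113.0/24"), None)]  # constructed "known bad" range
BLACKLIST_DEFAULT = "allow"  # fail-open: an unknown destination gets through

# Whitelist style: name only what the business needs, deny everything else.
WHITELIST_RULES = [
    Rule("deny", net("192.0.2.66/32"), None),      # one excluded host, listed first so it wins
    Rule("allow", net("192.0.2.0/24"), 443),       # constructed partner API, HTTPS only
    Rule("allow", net("198.51.100.10/32"), 8443),  # constructed payroll provider
]
WHITELIST_DEFAULT = "deny"  # fail-closed: an unknown destination is blocked


def decide(dest_ip, dest_port):
    """Return (blacklist decision, whitelist decision) for one outbound connection."""
    return (evaluate(BLACKLIST_RULES, BLACKLIST_DEFAULT, dest_ip, dest_port),
            evaluate(WHITELIST_RULES, WHITELIST_DEFAULT, dest_ip, dest_port))


if __name__ == "__main__":
    samples = [("203.0.113.7", 443), ("192.0.2.5", 443), ("192.0.2.5", 22),
               ("192.0.2.66", 443), ("198.51.100.200", 443)]
    for ip, port in samples:
        print(ip, port, decide(ip, port))
```

The last sample destination, 198.51.100.200, appears on neither list: the blacklist lets it through and the whitelist blocks it, which is why whitelisting is the stricter control and blacklisting depends on the list staying current.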