Securing Information


Data Security Concepts ICT206

Course Details

• Course Title: Data Security Concepts
• Course Code: ICT206
• Credits: 3
• Lecturer:
Course Details

Learning Outcomes
• Explain how to secure information.
• Identify and counteract social engineering exploits.
• Identify security issues with the network of an organization.
• Create a process to maintain file security.
• Design policies to guard against security breaches.
• Identify measures to prevent attacks on an organization’s network.
Teaching and Learning Methods

• Lecture
• Quiz
• Discussions
• Presentation
Teaching and Learning Methods

• Individual Presentation: 10%
• Project: 15%
• Quiz: 15%
• Final Exam: 60%
Textbooks and References
Weaver, R. (2007). Guide to network defense and countermeasures (2nd
ed.). Boston, MA: Thomson Course Technology.
• Guide to network defense and countermeasures (3rd ed.)

Reading List
Simpson, M. (2006). Hands-on ethical hacking and network defense.
Boston, MA: Thomson Course Technology.
 
Howlett, T. (2004). Open source security tools: A practical guide to security
applications. Upper Saddle River, New Jersey: Prentice Hall.
Harris, S., Harper, A., Eagle, C., & Ness, J. (2005). Gray hat hacking: The
ethical hacker’s handbook. McGraw Hill Osborne Media.
 
Information Security
“Information is an asset which, like other important business assets,
has value to an organization or individual and consequently needs to
be suitably protected.” (ISMS Parikh)

Health Insurance Portability and Accountability Act (HIPAA): protects personal health records.

HIPAA affects all companies that use electronic data interchange (EDI)
to communicate personal health records.
Information Security

Information Security is a broad term that encompasses the
protection of information from accidental or intentional
misuse by persons inside or outside an organization.

“The quality or state of being secure—to be free from danger”
What is Information Security

Information Security refers to the processes and
methodologies which are designed and implemented to
protect printed, electronic, or any other form of
confidential, private and sensitive information or data from
unauthorized access, use, misuse, disclosure,
destruction, modification, or disruption.
Is Information and Data the same thing ?
What is information?
There are two important characteristics of
information that determine its value to an
organisation:
• The scarcity of the information outside the
organisation, e.g. KFC.
• The shareability of the information within the
organisation, or some part of it.
Confidential Information:
Any information or document that a business or individual
wishes not to make public. It can include anything that has been
acquired by or made available to an individual or other legal
entity in the course of the relationship between the parties.

It may include, but is not limited to, any information or
documents about a business’s organizational structure,
activities, operating procedures, products and services,
intellectual property, trade secrets and know-how, finances,
plans, transactions and policies.
Why do you need to keep your information secure?

Any information that is confidential (not available for public use) must
be kept secure. Why?

1. Failure to properly secure and protect confidential business
information can lead to the loss of business/clients.
2. Failure to properly secure and protect confidential personal
information can lead to the loss of privacy and other infringement.

If information security is breached, there may be risks including:

3. Loss of income
4. Legal liability
5. Criminal liability
What impact could an attack have?
Attack: Act that causes damage to information or systems

• Financial losses from theft of information, financial and bank details or
money.
• Financial losses from disruption to trading and doing business – especially if
you are dependent on doing business online.
• Costs from cleaning up affected systems and getting them up and running.
• Costs of fines if personal data is lost or compromised.
• Costs of losing business through damage to your reputation and customer
base.
• Damage to other companies that you supply or are connected to.
Information Security Terminology
Attack: Act that causes damage to information or systems

Risk: Probability that something unwanted will happen.
The possibility of suffering a loss or injury in the event of an
attack on the system.

Subject: Agent used to conduct the attack

Threat: Entity presenting danger to an asset

Vulnerability: Weakness or fault in a system that opens up the
possibility of attack or damage
Information Security Terminology
Asset: Organizational resource being protected

Control, safeguard, or countermeasure: Security mechanisms,
policies, or procedures

Exploit: Technique used to take advantage of a vulnerability or
compromised system.

Exposure: Condition or state of being exposed to attack

C.I.A. triangle is a model designed to guide policies for
Information Security within an organization.
Information Security methods and techniques are implemented to guarantee the
following:

1. Confidentiality – ensuring that information is accessible only to those authorized to
have access, protecting information from being disclosed to unauthorised parties.

2. Integrity – safeguarding the accuracy and completeness of information and processing
methods, protecting information from being changed by unauthorised parties.

3. Availability – ensuring that authorized users have access to information and
associated assets when required. The availability of information to authorised parties
only when requested.
Organizations use a multi-layered approach to Information security:
1. Information Security Policies: these policies are the foundation of the
security and well-being of our resources. They increase the awareness of
information security within your organization.
2. Physical Security: Ensure that information assets (servers, network
devices) are secured from unauthorized physical access.
3. Secure Networks and Systems: Ensure that access to your network is
secure through e-mail filtering, firewall and Internet content security.
4. Vulnerability Programs: We can mitigate risk by maintaining anti-virus,
anti-spyware, anti-spam, Windows® and firewall updates, as well as
updates to your industry programs.
5. Strong Access Control Measures: through the use of complex passwords
that change often and implementing Multi-Factor Authentication.
6. Protect and Backup Data: Encrypt your data while in storage and when it is
being transmitted. Back up servers and operational data on a scheduled
basis.
7. Monitor and Test Your Systems: Be vigilant, test your internal and external
systems for inherent vulnerabilities, monitor network traffic for trends that
may indicate nefarious activities, and change and update your security policy to
mitigate new threats.
• An Information Security Policy (ISP) is a set of rules that guide
individuals who work with IT assets. It should secure the
organization from all ends; it should cover all software, hardware
devices, physical parameters, human resource, information/data,
access control.

• An ISP is developed to ensure employees and other users follow
security protocols and procedures.

• An updated and current security policy ensures that confidential
information can only be accessed by authorized users.
Characteristics of an Information Security Policy

1. Information security policy should be end to end.
2. It should have room for revision and updates.
3. It should incorporate the risk assessment of the
organization.
4. It should be practical and enforceable.
An Information Security Policy Should Include
Guidelines for:
1. Use and misuse of IT assets
2. Access Control
3. Password Control
4. Email, Internet, Anti-virus
5. Information and document Classification
6. Remote Access
7. Supplier Access to IT Services
8. Asset Disposal
Network security
Network security is any activity designed to protect the
usability and integrity of your network and data.
1. It includes both hardware and software technologies
2. It targets a variety of threats
3. It stops them from entering or spreading on your
network
4. Effective network security manages access to the
network
Network Security
Network security consists of the policies and practices adopted to
prevent and monitor unauthorized access, misuse, modification, or
denial of a computer network and network-accessible resources
Overview of Threats to Network
Security

Network intrusions cause:
o Loss of data
o Loss of privacy
o Other problems

Businesses must actively address information security.

Threats to Network Security
Motivation to break into systems

• Status
• Revenge
• Financial gain
• Industrial espionage
Threats to Network Security
Hackers
• Attempt to gain access to unauthorized resources
  - Circumventing passwords, firewalls, or other protective measures

Disgruntled employees
• Usually unhappy over perceived injustices
• Steal information to give confidential information to
new employers
• When an employee is terminated, security measures
should be taken immediately
Threats to Network Security
Terrorists
Attack computer systems for several reasons
• Making a political statement
• Achieving a political goal, e.g. release of a jailed comrade
• Causing damage to critical systems
• Disrupting a target’s financial stability

Government Operations
• A number of countries see computer operations as a
spying technique
Threats to Network Security
Malicious Codes
• Malware (e.g. intrusive software, worms, Trojans)
• Use a system’s well-known vulnerabilities to spread

Viruses
• Executable code that copies itself from one place to another
• Can be benign or harmful
• Spread methods
  - Running executable code
  - Sharing disks or memory sticks
  - Opening e-mail attachments
  - Viewing infected Web pages
Threats to Network Security
Worm
• Creates files that copy themselves and consume disk space
• Does not require user intervention to be launched
• Some worms install back doors
  - A way of gaining unauthorized access to a computer or other resources
• Others can destroy data on hard disks
• E.g. AIDS (AUTOEXEC)

Trojan program
• Harmful computer program that appears to be something useful
• Can create a back door to open the system to additional attacks
• E.g. waterfalls.scr
Threats to Network Security
Macro viruses
• A macro is a type of script that automates repetitive tasks in Microsoft
Word or similar applications
• Melissa Virus 1999 (email – 50 addresses)

Other Threats to Network Security
• It is not possible to prepare for every possible risk to your systems
• Try to protect your environment for today’s threats
• Be prepared for tomorrow’s threats
Cyber security
The term cybercrime refers to online or Internet-based illegal acts.
Cyber security is about protecting your computer-based equipment
and information from unintended or unauthorised access, change or
destruction.

Software used by cybercriminals sometimes is called crimeware.


Today, cybercrime is one of the FBI’s top three priorities.
Perpetrators of cybercrime
Perpetrators of cybercrime and other
intrusions fall into seven basic categories:

1. Hacker
2. Cracker
3. Script kiddie
4. Corporate spy
5. Unethical employee
6. Cyber extortionist
7. Cyber terrorist
Hacker: The term Hacker, although originally a complimentary
word for a computer enthusiast, now has a derogatory meaning and
refers to someone who accesses a computer or network illegally.
Some hackers claim the intent of their security breaches is to
improve security.

Cracker: A cracker also is someone who accesses a computer
or network illegally but has the intent of destroying data, stealing
information, or other malicious action. Both hackers and crackers
have advanced computer and network skills.

Script Kiddie: A Script Kiddie has the same intent as a cracker but
does not have the technical skills and knowledge. Script kiddies often
use prewritten hacking and cracking programs to break into computers.

Corporate spies: Some Corporate spies have excellent computer
and networking skills and are hired to break into a specific computer
and steal its proprietary data and information, or to help identify security
risks in their own organization. Unscrupulous companies hire corporate
spies, a practice known as corporate espionage, to gain a competitive
advantage.

Unethical employees may break into their employers’ computers for a
variety of reasons. Some simply want to exploit a security weakness. Others
seek financial gains from selling confidential information.

A cyber extortionist is someone who uses e-mail as a vehicle for extortion.
These perpetrators send an organization a threatening e-mail message
indicating they will expose confidential information, exploit a security flaw, or
launch an attack that will compromise the organization’s network — if they
are not paid a sum of money.

A Cyberterrorist is someone who uses the Internet or network to destroy or
damage computers for political reasons.
Implementing Security Measures

Network Infrastructure
• Wireless access
• User accounts
• Firewalls
• Physical
• Software
• Network monitoring software
• Physical protection
Layers of Protection
• Physical Location: Building, Office, Home, Car, Briefcase, Data Center
• Devices: Flash Drive, Laptop, Workstation, Smartphone, Tablet
• Data: Image Files, Text, Spreadsheet, Database
Data Protection
Email
Encrypted
Digital Signatures
Security Threats
Phishing Mails
Storage devices
User authentication
Do not share passwords or accounts
PCI DSS (Payment Card Industry Data Security Standards) Compliance
Making it Work
Education/Training/Accountability
Policies
Procedures
Documentation
Management
Accountability
Checks and balances
Implementing physical security

Common physical security measures include:

• Biometric devices
• Locked doors and windows
• Cameras
• Usernames and passwords
• Security guards
• Guard dogs
Implementing physical security

• Before implementing any physical security, a risk
assessment should be conducted. This identifies your
organization’s assets, threats, vulnerabilities,
probabilities of incursion and associated costs.

• The results obtained should provide the necessary
information needed to make decisions.
Evaluate
What is being protected?
Hardware, software, confidential and proprietary information - why?
Your business image, business information - legal value?
Can you afford to lose “it”?
Can you afford the legal costs?
Implementing physical security
• Guidelines for Risk Assessment

A properly conceived and implemented risk assessment should:

• Provide the basis for deciding whether countermeasures are needed

• Ensure that additional countermeasures counter actual risk

• Save money that might have been wasted on unnecessary countermeasures

• Determine whether residual risk (that risk which remains after countermeasures
have been introduced) is acceptable
Risk management
The Certified Information Systems Auditor (CISA) Review Manual
2006 provides the following definition of risk management:

"Risk management is the process of identifying
vulnerabilities and threats to the information resources used by
an organization in achieving business objectives, and deciding
what countermeasures, if any, to take in reducing risk to an
acceptable level, based on the value of the information
resource to the organization."

• The choice of countermeasures (controls)
used to manage risks must strike a balance
between productivity, cost, effectiveness of
the countermeasure, and the value of the
informational asset being protected.