Security

Presented by: Mark Davis

&

Shahein Moussavi

Overview

(1) Information Security C-I-A Model Authenticity Controls Risk Management Cryptography

(2) Internet Security Firewalls Anti-Virus Anti-Spyware

(3) Hacker (Computer Security)

(1) Information Security

What is INFOSEC?

It is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

C-I-A Model to INFOSEC Confidentiality is the

protection of information from disclosure to unauthorized parties.

Integrity is the assurance that information processed, stored, or transferred within a system will not be accidentally or maliciously manipulated, altered, or corrupted

Availability - for any information system to serve its purpose, the information must be available when it is needed

Authenticity

A piece of information has authenticity when it can be shown to come from the expected person or place, and when the content of the information appears to be correct for the circumstances involved.

In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine (i.e. they have not been forged or fabricated.)

Risk Management

The CISA Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.

Risk Management (cont.)

Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset .

A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.

A threat is anything (man made or act of nature) that has the potential to cause harm.

Risk Management (cont.) The ISO/IEC 27002:2005 Code of practice for information

security management recommends the following be examined during a risk assessment: Security policy Organization of information security Asset management, human resources security Physical and environmental security Communications and operations management Access control Information systems acquisition Development and maintenance Information security incident management Business continuity management Regulatory compliance

Controls When Management chooses to mitigate a risk, they

will do so by implementing one or more of three different types of controls. Administrative

Administrative controls consist of approved written policies, procedures, standards and guidelines.

Administrative controls form the framework for running the business and managing people.

Logical Logical controls use software and data to monitor and

control access to information and computing systems. Physical

Physical controls monitor and control the environment of the work place and computing facilities.

Cryptography

A process called encryption is implemented to transform usable information into a form that renders it unusable by anyone other than an authorized user.

Once information that has been encrypted, it can be transformed back into its original usable form by an authorized user, who possesses the cryptographic key, through the process of decryption.

Discussion Questions

Why would INFOSEC be important to businesses?

What kind of INFOSEC measures are being employed in your work environment?

Who should be held accountable for INFOSEC?

(2) Internet Security

It is the prevention of unauthorized access and/or damage to computer systems via internet access.

Four aspects should be considered when dealing with internet security: Penetration Testing Intrusion Detection Incidence Response Legal/ Audit Compliance

Internet Security Protection

Firewalls - blocks all "roads and cars" through authorized ports on your computer, thus restricting unfettered access.

Anti-Virus - are computer programs that attempt to identify, neutralize or eliminate malicious software. Computer Virus - is a computer program that can

copy itself and infect a computer without permission or knowledge of the user.

Internet Security Protection (cont.)

Trojan horses - are programs that conceal their true purpose or include a hidden functionality that a user would not want.

Worms - are characterized by having the ability to replicate themselves and viruses are similar except that they achieve this by adding their code onto third party software.

Internet Security Protection (cont.)

Anti-Spyware Spyware is software that runs on a computer

without the explicit permission of its user. It often gathers private information from a user's computer and sends this data over the Internet back to the software manufacturer

Adware is software that runs on a computer without the owner's consent, much like spyware; however, it typically runs in the background and displays random or targeted pop-up advertisements.

Discussion

How does internet security affect you personally and professionally?

Why would it be important for businesses to be aware of internet security?

Do you believe that all the software you have on your computer protect you from “unwanted visitors?”

(3) Hacker (Computer Security)

A hacker is someone involved in computer security/insecurity, specializing in the discovery of exploits in systems (for exploitation or prevention), or in obtaining or preventing unauthorized access to systems through skills, tactics and detailed knowledge.

Some hacker types include: White Hat, Grey Hat, Blue Hat and Black Hat

Hacker

A white hat hacker or ethical hacker is someone who breaks security but who does so for altruistic or at least non-malicious reasons. White hats generally have a clearly defined code of ethics, and will often attempt to work with a manufacturer or owner to improve discovered security weaknesses.

A grey hat hacker is a hacker of ambiguous ethics and/or borderline legality, often frankly admitted.

Hacker

A blue hat hacker is someone outside computer security consulting firms that are used to bug test a system prior to its launch, looking for exploits so they can be closed.

A black hat hacker is someone who subverts computer security without authorization or who uses technology (usually a computer or the Internet) for terrorism, vandalism (malicious destruction), credit card fraud, identity theft, intellectual property theft, or many other types of crime.

Common Hacker Methods

Security Exploit A prepared application that takes advantage of a

known weakness. Vulnerability Scanner

A tool used to quickly check computers on a network for known weaknesses.

Hackers also commonly use port scanners. These check to see which ports on a specified computer are "open" or available to access the computer

Common Hacker Methods (cont.)

Packet Sniffer A packet sniffer is an application that captures

TCP/IP data packets, which can maliciously be used to capture passwords and other data while it is in transit either within the computer or over the network.

Spoofing Attack A situation in which one person or program

successfully masquerades as another by falsifying data and thereby gaining illegitimate access

Discussion

How would a hacker be beneficial for a business or company?

Do you believe that you are sufficiently protected?

Would you employ a hacker to check your network for security and vulnerability?

Good Resources

Information Security

http://en.wikipedia.org/wiki/Information_security#Cryptography

Internet Securityhttp://en.wikipedia.org/wiki/Internet_security

Hacker

http://en.wikipedia.org/wiki/Hacker_(computer_security)

Computer Virushttp://en.wikipedia.org/wiki/Computer_virus