Chapter 5 IS AUDIT

Date post: 15-Feb-2017
Upload: nouman-ashraf-awan
Page 1: Chapter 5 IS AUDIT

Protection of Information Assets

• It addresses the key components that ensure the confidentiality, integrity and availability of information assets.
• It covers the evaluation of the design, implementation and monitoring of logical and physical access controls.

Page 2: Chapter 5 IS AUDIT

Key Elements of Information Security Management

• Senior management commitment & support
• Policies and procedures
• Governance & ownership
• Security awareness and education
• Monitoring & compliance
• Incident handling & response


Page 3: Chapter 5 IS AUDIT

Inventory & Classification of Information

• Clear and distinct identification of the asset
• Its relative value to the organization
• Its location
• Its security/risk classification
• Its asset group (where the asset forms part of a larger information system)
• Its owner
• Its designated custodian


Page 4: Chapter 5 IS AUDIT

System Access Permission

It usually refers to a technical privilege, such as the ability to read, create, modify or delete a file or data, execute a program, or open or use an external connection. When an auditor evaluates logical access controls, the question is whether each such privilege has been granted only to the users and programs that need it.
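One way an auditor checks file-level access permissions in practice is to walk a host's filesystem and flag settings that grant more privilege than intended. The script below is an added example (not part of the original slides): it reports world-writable files, setuid/setgid executables and files that look like private keys or secrets but are readable by everyone. The directory layout, file names and the `looks_secret` heuristic are constructed for the demonstration.

```python
"""Added example, not from the original slides: audit a directory tree for
permission settings an IS auditor would flag when evaluating logical access
controls on a Unix host: world-writable files, setuid/setgid executables and
private-key or secret files readable by everyone. The demo tree and file
names are constructed for this example."""
import os
import shutil
import stat
import tempfile


def looks_secret(name):
    """Heuristic (an assumption for the demo): names that usually hold credentials."""
    lower = name.lower()
    return lower == "id_rsa" or lower.endswith((".pem", ".key")) or "secret" in lower


def audit_tree(root):
    """Walk root and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the audit
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is audited where it lives
            mode = st.st_mode
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if mode & stat.S_ISUID:
                findings.append((rel, "setuid"))
            if mode & stat.S_ISGID and mode & stat.S_IXGRP:
                findings.append((rel, "setgid"))
            if mode & stat.S_IROTH and looks_secret(name):
                findings.append((rel, "secret readable by others"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed sample tree; the caller removes it."""
    root = tempfile.mkdtemp(prefix="isaudit_")

    def put(rel, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample\n")
        os.chmod(path, mode)  # explicit mode, so the process umask does not matter

    put("etc/app.conf", 0o644)         # owner-writable only: no finding
    put("var/upload/drop.txt", 0o666)  # anyone can modify: finding
    put("usr/bin/helper", 0o4755)      # runs with the owner's identity: finding
    put("home/ops/id_rsa", 0o644)      # private key readable by all: finding
    put("home/ops/id_rsa.pub", 0o644)  # public key, fine to read: no finding
    return root


def run_demo():
    """Build the sample tree, audit it and clean up; returns the findings."""
    root = build_demo_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, finding in run_demo():
        print(f"{finding:26} {rel}")
```

Run it against a real root (for example `audit_tree("/")` as a privileged user) to produce a findings list; each entry is a question for the asset owner ("why does this file need to be writable by everyone?") rather than an automatic violation, since some setuid binaries are legitimate.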

Page 5: Chapter 5 IS AUDIT

Computer Crime Issues and Exposures

Exposures:
• Financial loss
• Loss of credibility or competitive edge
• Blackmail, industrial espionage or organized crime
• Disclosure of confidential, sensitive or embarrassing information

Possible perpetrators:
• Hackers
• Crackers
• Employees (authorized or unauthorized)
• IS personnel
• End users
• Former employees
• Interested or educated outsiders
• Part-time and temporary personnel
• Third parties
• Accidental or ignorant users


Page 6: Chapter 5 IS AUDIT

Security Incident Handling and Response

1. Planning & preparation
2. Detection
3. Initiation
4. Recording
5. Evaluation
6. Containment
7. Eradication
8. Escalation
9. Response
10. Recovery
11. Closure
12. Reporting
13. Post-incident review
14. Lessons learned


Page 7: Chapter 5 IS AUDIT

Trojan Horses/Backdoors

Hiding malicious, fraudulent code inside an authorized (or falsely authorized) computer program. The hidden code is executed whenever the authorized program is run, so the attacker inherits the privileges of the user who runs it.


Page 8: Chapter 5 IS AUDIT

Viruses

The insertion of malicious program code into other executable code. The infected code can self-replicate and spread from computer to computer via the sharing of removable computer media, the transfer of logic over telecommunication lines, or a direct link with an infected machine or program.


Page 9: Chapter 5 IS AUDIT

Worms

Destructive programs that may destroy data or use up tremendous computer and communication resources. Unlike viruses, they do not replicate by inserting themselves into other programs; a worm runs as an independent program and copies itself from machine to machine across network connections.


Page 10: Chapter 5 IS AUDIT

Spyware

Malware such as keystroke loggers and system analyzers that collects potentially sensitive information (credit card numbers, bank details etc.) from the host and transmits it to the originator when an online connection is detected. Unlike a virus it does not need to self-replicate; it is typically installed alongside other software or by a Trojan.


Page 11: Chapter 5 IS AUDIT

Denial of Service (DoS) Attack

Disrupts or completely denies service to legitimate users, networks, systems or other resources. The intent of such an attack is usually malicious, and it often takes little skill because the requisite tools are readily available.


Page 12: Chapter 5 IS AUDIT

War Driving

Moving around (typically by car) with a laptop or other wireless-capable device to locate wireless networks, then cracking weak or absent encryption controls to gain access or simply to eavesdrop on the information being transferred over the wireless link.


Page 13: Chapter 5 IS AUDIT

Piggybacking

The act of following an authorized person through a secured door (also called tailgating), or of electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions.


Page 14: Chapter 5 IS AUDIT

Social Engineering

Social engineering is the human side of breaking into a computer system. It relies on interpersonal relations and deception. Organizations with strong technical security countermeasures, such as authentication processes, firewalls and encryption, may still fail to protect their information systems. This may happen if an employee unknowingly gives away confidential information (e.g., passwords and IP addresses) by answering questions over the phone from someone they do not know or by replying to an e-mail from an unknown person. Examples of social engineering include impersonation over the telephone, dumpster diving and shoulder surfing.


Page 15: Chapter 5 IS AUDIT

Phishing

One particular form of attack about which users should be warned is phishing. It normally takes the form of an e-mail, though it may be a personal or telephone approach, in which the attacker pretends to be an authorized person or organization legitimately requesting information. For example, a message may claim to come from the user's bank asking for confirmation of the user's access codes to the Internet banking service, warning that failure to respond will result in future access being denied. Unsuspecting users provide the information and then find that their bank account has been cleared of funds.
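The warning signs described in the social engineering and phishing slides above can be checked mechanically when triaging a suspicious e-mail. The following script is an added example and not part of the original slides: it parses a raw message and flags a Reply-To on a different domain from the sender, link text that shows one site while the href leads to another, credential links over plain http, and the pressure language ("urgent", "suspended", "within 24 hours") typical of these messages. Both sample messages, their addresses and the `.example` domains are constructed for the demo.

```python
"""Added example, not from the original slides: a triage script that applies
phishing and social-engineering warning signs to a raw e-mail. Both messages
below are constructed samples with made-up addresses and domains."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases that push the reader to act without thinking (assumed word list).
PRESSURE = ("urgent", "immediately", "suspend", "within 24 hours", "verify your", "confirm your")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to domain differs from sender domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, anchor in LINK_RE.findall(html):
        shown = anchor.strip()
        target = urlparse(href)
        # Visible URL and real destination disagree: the classic phishing link.
        if shown.startswith(("http://", "https://")) and urlparse(shown).hostname != target.hostname:
            findings.append(f"link text shows {urlparse(shown).hostname} but points to {target.hostname}")
        if target.scheme == "http":
            findings.append("link over plain http")
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [w for w in PRESSURE if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed phishing sample: sender and reply-to differ, link is disguised.
SAMPLE_PHISH = "\n".join([
    'From: "Example Bank Security" <alerts@examp1e-bank.example>',
    "Reply-To: verify@mail-verify.example",
    "To: customer@example.org",
    "Subject: URGENT: confirm your access codes within 24 hours",
    "Content-Type: text/html",
    "",
    "<html><body><p>Your account will be suspended unless you confirm your",
    "access code immediately.</p>",
    '<p><a href="http://examplebank.login.example/confirm">https://www.examplebank.example/login</a></p>',
    "</body></html>",
])

# Constructed benign sample: consistent domains, https, no pressure wording.
SAMPLE_LEGIT = "\n".join([
    'From: "Example Bank" <notices@examplebank.example>',
    "To: customer@example.org",
    "Subject: Your monthly statement is available",
    "Content-Type: text/html",
    "",
    "<html><body><p>Your statement is ready.</p>",
    '<p><a href="https://www.examplebank.example/statements">https://www.examplebank.example/statements</a></p>',
    "</body></html>",
])

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(raw) or ["no findings"])
```

None of these signals proves a message is fraudulent on its own; the script is a first filter whose findings a person still confirms, for instance by phoning the bank on a number taken from a statement rather than from the e-mail.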


Page 16: Chapter 5 IS AUDIT

Types of Authentication

Authentication is based on one or more of three kinds of factor:

• Something you know (e.g. a password or PIN)
• Something you have (e.g. a token, smart card or authenticator app)
• Something you are (e.g. a fingerprint or iris pattern)

Single-factor authentication uses only one of these, typically something you know. Two-factor authentication requires two factors of different kinds, for example a password plus a one-time code generated by a token; three-factor authentication requires all three. Two items of the same kind, such as a password and a security question, still count as a single factor.
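The combination most often audited in practice is a password (something you know) plus a time-based one-time code from a token or phone app (something you have). The block below is an added example, not code from the original slides: it implements HOTP/TOTP from RFC 4226 and RFC 6238 with the Python standard library and a login check that requires both factors, tolerates one step of clock skew, and refuses a code that has already been accepted. The user record, salt and shared secret are constructed for the demo; the secret is the RFC 6238 test key.

```python
"""Added example, not from the original slides: two-factor login that checks
something you know (a password stored as a salted PBKDF2 hash) and something
you have (a TOTP code, RFC 4226/6238). The user record, salt and shared
secret are constructed for the demo; the secret is the RFC 6238 test key and
must never be used for a real account."""
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    now = time.time() if at is None else at
    return hotp(key, int(now) // step, digits)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


SALT = b"constructed-demo-salt"
USER = {
    "salt": SALT,
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_key": b"12345678901234567890",  # RFC 6238 test secret (demo only)
    "last_step": -1,                       # highest time step already accepted
}


def verify_login(user, password, code, now=None, window=1, step=30):
    """Both factors must pass. Both are always evaluated, so a failure does
    not reveal which factor was wrong, and comparisons are constant-time."""
    now = time.time() if now is None else now
    if not (code.isascii() and code.isdigit()):
        code = ""  # compare_digest rejects non-ASCII text; treat as a miss
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    current = int(now) // step
    matched = None
    for drift in range(-window, window + 1):  # tolerate small clock skew
        candidate = current + drift
        if hmac.compare_digest(hotp(user["totp_key"], candidate), code):
            matched = candidate
    # Replay guard: a code is one-time, so a step already accepted is refused.
    if matched is not None and matched <= user["last_step"]:
        matched = None
    if pw_ok and matched is not None:
        user["last_step"] = matched
        return True
    return False


if __name__ == "__main__":
    print("current code:", totp(USER["totp_key"]))
    print("login:", verify_login(USER, "correct horse battery staple", totp(USER["totp_key"])))
```

The replay guard matters because a TOTP code stays valid for the whole 30-second step (longer with the skew window); without it an attacker who shoulder-surfs one code can reuse it within that period.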


Page 17: Chapter 5 IS AUDIT

Types of Biometrics

1. Palm
2. Hand geometry
3. Iris
4. Retina
5. Fingerprint
6. Face
7. Signature recognition
8. Voice recognition


