UNIT 7 - ORGANISATIONAL SYSTEMS SECURITY
Lesson 3 - Damage to or destruction of systems or information
Last Session
Accidental damage to or destruction of systems or information:
fires and other natural disasters
Power variations
This Session
Damage to or destruction of systems or information:
malicious damage (internal and external causes)
Information security:
confidentiality
integrity and completeness of data
availability of data as needed
New threats reported every day
Typo-squatting, doppelganger domains
E.g. Goggle.com
30% of Fortune 500 susceptible
Email Based Attack Vectors
catch-all email account (passive)
120,000 individual emails (or 20 gigabytes of data) in 6 months: trade secrets, business invoices, employee PII, network diagrams, usernames and passwords
second attack vector involves social engineering
godaigroup.net
godaigroup.net/free-doppelganger-domain-scan/
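A defender's check for the passive email vector above, as an added example that is not part of the original slides: it lists the doppelganger forms of an organisation's own hostnames and flags outbound mail addressed to them. It assumes a doppelganger domain is a legitimate FQDN with the dot between subdomain and domain left out; all hostnames and addresses are constructed.

```python
# Added example: flag outbound mail addressed to doppelganger domains.
# All hostnames and recipient addresses below are constructed for illustration.
LEGIT_FQDNS = ["mail.example.com", "uk.example.com", "hr.example.com"]

def doppelgangers(fqdn):
    """Domains formed by dropping one dot from a legitimate FQDN,
    e.g. uk.example.com -> ukexample.com. The dot before the TLD is kept."""
    labels = fqdn.lower().split(".")
    out = set()
    for i in range(len(labels) - 2):  # never merge a label into the TLD
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        out.add(".".join(merged))
    return out

def build_watchlist(fqdns):
    """Map each doppelganger domain to the legitimate host it imitates."""
    legit = {f.lower() for f in fqdns}
    watch = {}
    for f in legit:
        for d in doppelgangers(f):
            if d not in legit:  # a real host of ours is not a doppelganger
                watch[d] = f
    return watch

def flag_recipients(recipients, watchlist):
    """Return (address, intended_host) for every recipient on the watchlist."""
    hits = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")
        if domain in watchlist:
            hits.append((addr, watchlist[domain]))
    return hits

SAMPLE_RECIPIENTS = [          # constructed outbound-mail recipients
    "alice@uk.example.com",    # correct address
    "bob@ukexample.com",       # missing dot: would reach a catch-all mailbox
    "carol@example.org",       # unrelated domain
    "dave@HRexample.com",      # missing dot, mixed case
]

if __name__ == "__main__":
    watch = build_watchlist(LEGIT_FQDNS)
    for addr, intended in flag_recipients(SAMPLE_RECIPIENTS, watch):
        print(f"{addr}: probably meant @{intended}")
```

The same watchlist can drive a mail-gateway block rule or a list of names to register defensively.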
Malicious Damage
Several famous malicious computer programs:
the Morris worm released in 1988,
the MBDF virus
the Pathogen virus
the Melissa virus
the Anna worm
By 2002 these were the ONLY cases where a person had been convicted; over a dozen were arrested in 2004. In May 2014 over 100 people world-wide were arrested in connection with one piece of malware (The Guardian)
http://www.theguardian.com/technology/2014/may/19/fbi-arrests-100-hackers-blackshades-rat-backdoor-malware
Malicious damage: - task
For your selected incident find out and report back to the group:
When was it released?
What did it do?
Where did it originate?
Who was responsible?
How much damage was caused?
What was the punishment?
What OS(s) did it attack?
Morris worm
the MBDF virus
the Pathogen virus
the Melissa virus
the Anna worm
Goner worm
Blaster
Rapid propagation
How long do you think a new computer was estimated to have as ‘survival time’ before being infected (using XP, 2004)?
Data from the Register, 19th Aug 2004
How long do you think it took the Slammer worm to scan all 4 billion IP addresses following its release in February 2005?
Ronald Standler
Malicious Damage
The first computer virus for Microsoft DOS was apparently written in 1986
Brain virus
NO computer system is immune from attack
http://www.linuxinsider.com/story/62275.html malware
Threats to E-Commerce
Website defacement – crackers seek out script or version vulnerabilities in servers and website coding. Then edit site to include:
Graffiti-type ‘tags’
Political statements
Religious statements
Childish statements
Explicit or inappropriate images
Meta-refresh tags to forward visitors to spoof sites (phishing).
Denial of Service or Distributed Denial of Service
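A monitoring check for the meta-refresh defacement described above, as an added example that is not part of the original slides: it parses a page and reports any meta-refresh whose target is on a different host from the site. The page contents and hostnames are constructed.

```python
# Added example: detect meta-refresh tags that forward visitors off-site.
# Hostnames and page contents below are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class MetaRefreshFinder(HTMLParser):
    """Collects the target URL of every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content looks like "0; url=http://host/path"
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())

def offsite_refreshes(html, site_host):
    """Return refresh targets whose host differs from site_host.
    Relative targets (no host) stay on the site and are not reported."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    hits = []
    for target in finder.targets:
        host = urlparse(target).hostname
        if host and host.lower() != site_host.lower():
            hits.append(target)
    return hits

CLEAN_PAGE = """<html><head><meta charset="utf-8">
<meta http-equiv="refresh" content="5; url=/offers/summer">
</head><body>Shop</body></html>"""

DEFACED_PAGE = """<html><head>
<meta http-equiv="Refresh" content="0; URL=http://shop-example.invalid/login">
</head><body>Shop</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("defaced", DEFACED_PAGE)):
        print(name, offsite_refreshes(page, "shop.example.com"))
```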
Technical Errors
Seldom a cause for concern
Regular maintenance of equipment will contain most of these errors
Human Errors
one of the biggest sources of errors in any complex system.
poorly designed human-computer interface (HCI).
human beings - fail-safe in an otherwise automated system.
boredom when they are usually not needed for normal operation,
panic when an unusual situation occurs, stress levels are raised, and lives are at stake.
The HCI must give appropriate feedback to the operator to allow him or her to make well informed decisions based on the most up to date information on the state of the system.
High false alarm rates will make the operator ignore a real alarm condition.
System designers must ensure that the HCI is easy and intuitive for human operators to use, but not so simple that it lulls the operator into a state of complacency and lowers his or her responsiveness to emergency situations.
Computer Theft
This is physical removal of a computer system
Seldom happens
Good example:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9056058
http://www.datacenterknowledge.com/archives/2007/12/08/oceans-11-data-center-robbery-in-london/
Portable devices more at risk
Computer Theft
Of course people leave computers lying about
http://www.bbc.co.uk/news/uk-scotland-glasgow-west-18955798 (2000)
http://news.bbc.co.uk/1/hi/uk/1279584.stm (2012)
“The unencrypted laptop contains sensitive details of 8.63 million people plus records of 18 million hospital visits, operations and procedures.” (2011)
Read more: http://www.thesun.co.uk/sol/homepage/news/3637704/Missing-Laptop-with-86million-medical-records.html#ixzz26picYml9
Information Security
protecting information and information systems from:
unauthorized access
Use
Disclosure
Disruption
modification
destruction
Information Security
The terms information security, computer security and information assurance are frequently incorrectly used interchangeably.
These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information
Task
Consider the different types of risk:
How is each of them related to the key strands of Information Security?
Confidentiality
Integrity
Availability
Counterfeit Goods
Clothes, drink, food, music, films, software, websites etc
Infringement of copyright
Damage to reputation and future sales of genuine manufacturer
Copyright, Designs & Patents Act 1988
Counterfeit Goods – effects on the customer
Customer disappointment
Possible damage to customer equipment – e.g. Malware contained on DVDs, software
Illegal downloading -> legal process, heavy fine, loss of computer; traceable through IP address
Health effects – e.g. Counterfeit hardware may cause fires
Wider impact on society – often used to fund other criminal or terrorist activities
Confidentiality
Who can see the information?
Who can update the information?
How long should the information be stored?
How often should it be checked to make sure it is up-to-date and accurate?
What information can be stored?
What systems should be used to store the information?
How often do you review the above?
Data Protection Act 1998
http://www.legislation.gov.uk/ukpga/1998/29/contents
Integrity and completeness of data
Critical
Errors cause damage to individuals and organisations
Medical, credit, police,
Need to review - ask customer, person involved.
Task – 15 mins
Find evidence (newspaper articles etc) to show the main impact of these acts:
Data Protection Act 1998
Computer Misuse Act 1990
Freedom of Information Act 2000
Copyright, Designs and Patents Act 1988
Assignment 1
Know your threats
P1 - Explain the impact of different types of threat on an organisation.
M1 - Discuss information security.
P1 - Explain the impact of different types of threat on an organisation.
Leaflet:
Type of threat,
example of each
Consequences to business
6 types of threat are listed on the brief
Variety of consequences are suggested – other consequences can be included
~ 3 sides of A4