Chapter 6:

Information System Security

 Definition of Concepts
 Major Threats to IS
 Inadvertent Act
 Deliberate Software Attack
 Natural Disaster
 Technical Failure
 Management Failure
 Managing Information System Security
 Goals
 Information System Security Strategy/Mechanisms
 Information Privacy, Ethics and Security
 Introduction
. …
Information System Security

Threats – IS Factors Contributing Managing IS Security

Security to Threat

 Goals
 Definition of IS  Inadvertent act  Strategy
Security  Deliberate SW attack  Policy
 Dimensions of IS  Virus, Hacking,  Authentication
Security identity theft,  Access control
 Definition of IS cyber-harassment,  Encryption
Security Threats war, crime  Backup
 Natural Disaster  Firewall
 Technical Failure  IDS
 Management failure  Physical security
Definition of Information System Security
• Security is defined as ―the quality/state of being
secured – to be secured from danger‖
• Information security – practice of defending digital
information from unauthorized:
 Access
 Use
 Recording
 Disruption
 Modification
 Destruction
 Dimensions of Information Security
• Information is:
 stored on computer hardware
 manipulated by software
 transmitted by communication network
 used by people, etc.

• Multiple layers of security:

 Physical security: physical items/objects/areas
 Personal security: individuals/groups
 Operations security: series of activities
 Communication security: media, technology and content
 Information security: confidentiality, integrity and
accessibility
 Information Security Threats
• Security Threat: any action or interaction that could cause
disclosure, alteration, loss, damage or unavailability of a
company’s/individual’s assets

• Three components of threat:

 Target: organization’s assets that might be attacked

(information, HW, SW, Network service, etc.)

 Agent: people/organization originating threat

(intentional/non-intentional)

 Events: type of action that poses the threat

 Major Factors Contributing to IS Threats
1. INADVERTENT ACTS
 acts that happen by mistake

 not deliberate or with no malicious intent or ill will

 examples of inadvertent acts

 Acts of Human error and failure (inexperienced, poor training)

 Deviation from service quality,

 Communication error
Cont.
2. DELEBERATE SOFTWARE ATTACKS
 Deliberate action aimed to violate/ compromise a system’s security
through the use of software:

 Use of malware

 Password cracking

 Spoofing

 Sniffing

 Man-in-the-Middle

 Phishing
 Cont.
3. NATURAL DISASTER
 dangerous - unexpected and occur without very little warning

 causes damage to information

4. TECHNICAL FAILURE
 Two Types:
 Technical Hardware Failure
 Equipment distributed with flaws that may be known or
unknown to the manufacturer
 Technical Software Failure
 Cause the system to perform in an undesirable or
unexpected way  may be unrecoverable
 Cont.
5. MANAGEMENT FAILURE
 Managers:
 update themselves about recent developments and
technology.
 develop proper plan for good protection of the information.
 Committed to upgrade the existing system to the latest
technology (assisted by IT professionals)
 Computer Crime
• What is computer crime?
 An act using a computer or network to commit an illegal act.
 Targeting a computer while committing an offense

 Unauthorized access of a server to destroy data

 Using a computer to:

 commit an offense: to embezzle funds

 support criminal activity: illegal gambling

Cont.
• Who commits a crime?

 Current or former employees; insider threat

 People with technical knowledge who commit business or

information sabotage for personal gain

 Career criminals who use computers to assist in crimes

 Outside crackers — commit millions of intrusions per year

 Types of Computer Crimes

Identity
Hacking & Cracking
Theft

Computer
Viruses

Cyber harassment,
Cyberstalking, Piracy
Cyberbullying
 Hackers & Crackers
• Hackers
 Anyone who can gain unauthorized access to computers

 White hat hackers don’t intend to do harm

• Crackers
 Individuals who break into computer systems with the
intent to commit crime or do damage
 Also called black hat hackers

• Hacktivists:
 Crackers who are motivated by political or ideological
goals and who use cracking to promote their interests
 Computer Viruses
• perverse software which cause malicious activity (spread
destructive program routines)
 hindering execution of other programs

 modification or complete destruction of data

 destroy the contents of memory, hard disks, and other

storage devices

 sabotaging the operating system

• Types: Virus, Worms, Trojan Horses, Bombs, etc.

 Computer Viruses
Type Description Way of Propagation/ Effect
spreading
Worms  stand-alone  replicates itself and  neither delete nor
program and spread from one computer change data/files
propagates to another  make multiple copies of
itself  It doesn't need to be part itself and send the copies
automatically of another program to be on the network and
propagated congest disk drives
 useful for installation of
a network – to check its
presence at each node

Virus  program code  Makes copies of itself (just  Erasing/overwriting files

that reproduce like biological viruses)  formatting hard disk
itself within a  propagate by attaching  Allowing unauthorized
computer itself to executable files access to the machine
system (e.g., application  Modify or even destroy
programs, OS) - running the software
executable file make new  but doesn’t damage HW
copies of the virus
 also propagates a copy of
itself via telephone lines
or via network connections
Computer Viruses
Type Description Way of Propagation/ spreading Effect

Bombs  Piece of bad  explode and cause immediate  disruption of

code damage when conditions fulfilled: computer
 Time Bomb – activated by a system,
computer clock modification
 Logic Bomb – activated by or destruction
combination of events (e.g. of data
deleting file – destroying the
whole content of the memory)

Trojan  Pretends to be a  doesn’t attach itself to other  Steals personal

Horse legitimate programs information(P
program (e.g.  doesn’t move from one computer W) & sends it
game, utility to the other (happens only when to a criminal
program) but it is copied)  modify records
contain special  as an e-mail attachment – when in protected
hidden codes executed it creates damage files
 delete the
content of the
machine
 Cont.
• Reasons for perverse activity:

 For gaining publicity

 Revenge on company/person

 In-born natural desire to tease other people

 act of maniac
 Cont.
• Commonly transmitted through:
 The Internet and online services:
 Hacker creates a virus and attaches it to a real program or file on a
Website
 User downloaded file (thinking it is a legitimate file or program).
 Once downloaded, it infects other files and programs on the machine
 Email and file attachments and files shared
 Disks from contaminated computers

• Doesn’t infect non-executable files

 User created word files, database files, source program code

• Infects files with extension (.COM, .EXE, .OVR, .OVL, .SYS, .BIN)
Cont.

• Protection & Treatment Mechanism

 Preventive

 Detection and Removal of a virus

Using anti-virus SWs

 Recovery of the damaged data files

 Spyware, Spam, and Cookies
• Spyware: software that monitors the computer use, such as the
Web sites visible or even the keystrokes of the user

• Spam: Bulk unsolicited e-mail sent to millions of users at extremely

low cost, typically seeking to sell a product, distribute malware, or
conduct a phishing attack

• Cookies: A small file Web sites place on a user’s computer; can be

legitimate (to capture items in a shopping cart) but can be abused
(to track individuals’ browsing habits) and can contain sensitive
information (like credit card numbers) and pose a security risk
 Denial-of-Service (DoS)
• A denial-of-service(DoS) attack seeks to
overload servers, typically using a
network of hacked computers that are
controlled remotely, by sending too
many requests or messages to the
server for it to handle.

• When a server has too many requests

to handle, it becomes overloaded and
unable to serve the requests of
legitimate users.
 Spoofing
• Insertion of forged (but trusted) IP addresses into IP packets in
order to gain access to networks/components

 Ingress filtering – ISP discard packet with IP address not

belonging to any of the networks connected to the ISP

 Egress filtering – organization’s firewall discards any

outgoing packet with a source address that doesn’t belong to
the organization
 Sniffing
• use of a program or device that can monitor data traveling
over a network

• Unauthorized sniffers – sniff/extract critical information;

can’t be detected
 Phishing
• It is an attempt to gain sensitive personal information by
posing as a legitimate entity

 E.g. an e-mail is sent to the victim informing them of a

problem and asking them to provide their username,
password, etc.
 Identity Theft
• Stealing Social Security, credit card, bank account numbers
and information
 thieves even withdraw money directly from victims’ bank
accounts
 organizations keep information about individuals in accessible
databases

• One of the fastest growing information crimes

• Possible solutions
 Government and private sector working together to change
practices
 Use of biometrics and encryption
 Cyber-harassment, Cyberstalking, and Cyberbullying

• Communicating offensive, ill-mannered, or threatening

content
 to cause emotional distress

 to track the individual’s online activity & committing acts that

damage the reputation of the individual
 Software Piracy
• Unauthorized copying of computer programs, which is intellectual
property protected by copy right law.
• using software that isn’t properly licensed and paid for, such as by
purchasing one copy of a product and then using it on multiple
computers.
• Huge profit loss by software publishers.

Region Piracy Level Dollar Loss

(in US$ millions)
North America Western 19% 10,958
Europe 32% 13,749
Asia/Pacific 60% 20,998
Latin America 61% 7,459
Middle East/Africa 58% 4,159
Eastern Europe 62% 6,133
Worldwide 42% 63,456
 Privacy Issue
• Violation of Privacy
 Unauthorized access of individuals’ private email
conversations and computer records (personal files)

 Collecting and sharing information about individuals gained

from their visits to Internet websites

 Computer Monitoring: tracking where a person is, especially

as mobile and paging services are becoming more closely
associated with people rather than places.
 Cyberwar and Cyber-terrorism
• Cyber-war
 Modern military systems rely on their own sophisticated
networks to help the military execute its mission
 Cyber-war involves protecting a military’s own infrastructure
and/or disrupting an enemy’s infrastructure.
 Cyber-war Vulnerabilities
 Command-and-control systems

 Intelligence collection, processing, and distribution systems

 Tactical communication systems and methods

 Troop and weapon positioning systems

 Smart weapons systems

 Cont.
• Cyber-war strategy includes controlling Internet-based propaganda

 Web vandalism

• ―Patriot hackers‖-governments sometimes blame independent

citizens or groups for cyber-war attacks

• Stuxnet—malware against an Iranian system

 Originally blamed on patriot hackers, then revealed to be

developed by the U.S. and Israel
Cont.

• Cyber-terrorism
 Attacks by individuals and organized groups (not by the
government)
 Goal  Political, religious, or ideological

 Terrorists are leveraging the Internet to coordinate their

activities, recruit, and perform fundraising

 Globalization of Terrorism (a global business)

 Attacks can be launched from anywhere in the world
Cont.
.Types of Cyber-terrorism
Terrorist Use of the Internet
• Coordinated bomb attacks • Information dissemination
• Manipulation of financial and • Data mining
banking information • Fundraising
• Manipulation of the • Recruiting and mobilization
pharmaceutical industry • Networking
• Manipulation of transportation • Training
control systems
• Planning and coordinating
• Manipulation of civilian
infrastructures • Information gathering
• Manipulation of nuclear power • Location monitoring
plants
Managing Information System Security
 Goals of Information Security
• Availability:
 Ensuring that legitimate users can access the system

• Integrity
 Preventing unauthorized manipulations of data and systems

• Confidentiality
 Protecting data from unauthorized access

• Accountability
 Ensuring that actions can be traced
 Developing IS Security Strategy
• Options for addressing information security risks

 Risk Reduction

 Actively installing countermeasures

 Risk Acceptance

 Accepting any losses that occur

 Risk Transference

 Have someone else absorb the risk (insurance, outsourcing)

 Risk Avoidance

 Using alternative means, avoiding risky tasks

 Cont.
• A strategy is developed detailing the information security controls

• Types of Controls
 Preventive:

 negative event from occurring: intruders

 Detective

 recognizing wrong incidents: unauthorized access attempts

 Corrective

 mitigating the impact

• Principles of least permissions and least privileges

 Cont.
• IS Security Mechanisms:
 Developing Information System Security Policy

 Use of authentication mechanism

 Access control

 Back-ups

 Firewalls

 Intrusion detection system

 Physical Security
 IS Security Policy & Procedure
• Policies and procedures include:
 Information policy: handling, storage, transmission, and destroying

 Security policy: access limitations, audit-control software, firewalls,

etc.

 Use policy: proper use

 Backup policy: requirements – critical data

 Account management policy: adding & removing users

 Incident handling procedures: list procedures to follow when handling a

security breach.

 Disaster recovery plan: restore computer operations in case of a natural

or deliberate disaster
 Authentication Mechanism
• Use of Passwords: secret alphanumeric text used for
authentication
 can be compromised if it is weak

• Use of key or smart cards:

 can be easily stolen/lost

• Use of physical characteristics

 Biometric: Identification via fingerprints, retinal patterns in

the eye, facial features, or other bodily characteristics

 Access Control
• which users are authorized to read, write, modify, add, delete
after login through password

• only those with such capabilities are allowed to perform those

functions
 Physical Security
• Locked doors

• Physical intrusion detection

 Security cameras

• Secured equipment – e.g. hard disc – locked

• Environmental monitoring

 monitoring temperature, humidity, airflow  for servers

and other high value equipment

• Employee training – how to secure

 Antivirus
• used to prevent, detect and remove malware

• It runs in the background at all times.

• It should be kept updated.

• It runs computer disk scans periodically.

Eg. McAfee, Norton, Kaspersky.

!