Ism 8is

Cyberattacks come in many forms from malicious pranksters to more serious attackers seeking valuable data or aiming to disrupt critical systems. As threats increase daily in the form of hacking, denial of service attacks and viruses, information security is crucial for businesses to protect themselves from legal liability and costly data theft or exposure. Systems are vulnerable due to unintentional human errors and intentional threats like hackers, social engineering and automated attacks. Network security techniques include authorization, encryption, authentication, digital certificates and virtual private networks to maintain confidentiality, integrity and availability of data.

Uploaded by Midhun Kv

Managing IT Security

What are Cyberattacks?


As long as your computer is connected to the internet, that
connection can go both ways.
The attackers are mostly malicious pranksters, looking to
access personal and business machines or disrupt net service
with virus programs proliferated via email, usually just to
prove they can.
However, there are also more serious attackers out there
whose goals could range from mining valuable data (your
credit card or bank information, design secrets, research
secrets, etc.) to disrupting critical systems like the stock
market, power grids, air-traffic control programs and, most
dangerous of all, nuclear weapons.
Cyberspace as a Battleground?

Each day, there is an increase in the number of threats.
These threats come in the form of computer intrusion
(hacking), denial of service attacks, and virus deployment.
BUSINESS VALUE OF SECURITY AND CONTROL

• Inadequate security and control may create serious
legal liability.
• Businesses must protect not only their own information
assets but also those of customers, employees, and
business partners. Failure to do so can lead to costly
litigation for data exposure or theft.
• A sound security and control framework that protects
business information assets can thus produce a high
return on investment.
Why Systems Are Vulnerable
Threats to Information Security
• A threat to an information resource is any
danger to which a system may be exposed.
• The exposure of an information resource is the
harm, loss or damage that can result if a threat
compromises that resource.
• A system’s vulnerability is the possibility that
the system will suffer harm from a threat.
• Risk is the likelihood that a threat will occur.
• Information system controls are the
procedures, devices, or software aimed at
preventing a compromise to the system.
Unintentional Threats
• Human errors can occur in the design of the
hardware and/or information system.
• They can also occur in programming, testing, data
collection, data entry, authorization and
procedures.
• They contribute to more than 50% of control and
security-related problems in organizations.
Intentional Threats
• Typically criminal in nature.
• Cybercrimes are fraudulent activities committed
using computers and communications networks,
particularly the Internet.
• The average cybercrime involves about $600,000,
according to the FBI.
Intentional Threats
• (Ethical) Hacker. An outside person who has
penetrated a computer system, usually with no
criminal intent.
• Cracker. A malicious hacker.
• Social engineering. Computer criminals or
corporate spies get around security systems by
building an inappropriate trust relationship with
insiders.
Networks and security
Information flows across many machines
over which there is no control.
Getting from here to there means
passing through every place in between.
“Packets” of information travel through
many other computers.
Downloaded files may be “infected”.
• Is the use of the Internet less secure than the
real world?
• Yes, the Internet is an insecure network.
What is Internet security?
Internet security protects computer resources against the risks
and threats that arise as a result of a connection to the Internet.

THREE AREAS OF CONCERN:
a) that inappropriate material will be passed to and from the
untrusted network - protection of data
b) that unauthorised users will be able to gain access to the
trusted network from the untrusted network - protection of the
communication system
c) that the operations of the trusted network may be disrupted as
a result of attack from the untrusted network - protection from
denial of service
C.I.A. TRIANGLE
Figure 3: the C.I.A. triangle, with Confidentiality, Integrity and
Availability at its three corners surrounding Information.
Types of Risks
• Clear text data transmission
• Actual attacks
– Breaking into a system
– Obtaining unauthorised access to Internet
services
• Disinformation
– E-mail spoofing (ease of masquerade)
• Viruses, Worms
• Inappropriate use of computer resources
– Selling or giving away information
Automated Attacks
• Complex attacks are now being
automated
• Tedious attacks are also being
automated
• Multiple machines can be attacked at
once
• “Hacking” tools are being made
freely available over the Internet,
through bulletin boards, and at
meetings
Internet-based threats
• Sniffers
– Software that collects network traffic
– Usually focused on collecting host names, user IDs, and
passwords
• Denial-of-service. An attacker sends so many information
requests to a target system that the target cannot handle them
successfully and can crash the entire system.
• Internet protocol (IP) address spoofing
– Directing people to bogus sites and getting them to enter
security information like passwords
• E-mail phishing, spamming
– Pretending to be someone else and delivering a bogus
message or reading mail addressed to others, very easily
done
– Converting a list of repeated messages into a program and
sending it to everyone in a newsgroup subscription list
(could be thousands) or to all newsgroups
Software Attacks
Viruses. Segments of computer code that perform
unintended actions ranging from merely annoying to
destructive.
Worms. Destructive programs that replicate themselves
without requiring another program to provide a safe
environment for replication.
Trojan horses. Software programs that hide in other
computer programs and reveal their designed behavior
only when they are activated.
Denial of Service Attacks
In a denial of service attack, a hacker gains access to a system
and uses that system to attack the target computer,
flooding it with more requests for services than the
target can handle. In a distributed denial of service
attack, hundreds of computers (known as zombies) are
compromised, loaded with DoS attack software and then
remotely activated by the hacker.
Network Security
• Authorization, Access Control:
protect the intranet from flooding: Firewalls, Captcha
• Confidentiality, Data Integrity:
protect contents against snoopers: Encryption
• Authentication:
both parties prove their identity before starting the transaction:
Digital certificates
• Non-repudiation:
proof that the document originated from you and you only:
Digital signature
Corporate Firewall
Encryption
• All encryption systems use a key.
• Symmetric encryption. Sender and the
recipient use the same key.
• Public-key encryption. Uses two different keys:
a public key and a private key.
• Certificate authority. Asserts that each
computer is identified accurately and provides
the public keys to each computer.
Encryption (shared key)

m: message
K: shared key

- Sender and receiver agree on a key K
- No one else knows K
- K is used to derive the encryption key EK and the decryption key DK
- Sender computes and sends EK(m)
- Receiver computes DK(EK(m)) = m
- Example: DES (Data Encryption Standard)
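The shared-key scheme above, as an added example that is not part of the slides: it uses AES-256 in GCM mode from Go's standard library in place of DES (the cipher the slide names, which is no longer considered secure). The sender computes EK(m), the receiver computes DK(EK(m)) and gets m back, a snooper who does not know K fails to decrypt, and a ciphertext altered in transit is rejected instead of being decrypted to garbage. The message text and the keys are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewSharedKey produces the key K that sender and receiver agree on out of
// band; nobody else may learn it. A 32-byte key selects AES-256.
func NewSharedKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// aead derives the cipher object from K. With a symmetric cipher EK and DK
// are the same object used in opposite directions.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymEncrypt computes EK(m). A fresh random nonce is drawn per message and
// prepended to the ciphertext; GCM also appends an authentication tag.
func SymEncrypt(key, plaintext []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// SymDecrypt computes DK(c). It returns an error, not garbage, when the key
// is wrong or any byte of the ciphertext was changed in transit.
func SymDecrypt(key, data []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:g.NonceSize()], data[g.NonceSize():]
	return g.Open(nil, nonce, ct, nil)
}

// RoundTrip shows DK(EK(m)) == m, that a snooper with a different key
// learns nothing, and that a one-bit change to the ciphertext is rejected.
func RoundTrip(msg string) (recovered string, wrongKeyRejected, tamperRejected bool, err error) {
	key, err := NewSharedKey()
	if err != nil {
		return "", false, false, err
	}
	ct, err := SymEncrypt(key, []byte(msg)) // sender side
	if err != nil {
		return "", false, false, err
	}
	pt, err := SymDecrypt(key, ct) // receiver side
	if err != nil {
		return "", false, false, err
	}
	snooperKey, err := NewSharedKey() // constructed: a key that is not K
	if err != nil {
		return "", false, false, err
	}
	_, wrongErr := SymDecrypt(snooperKey, ct)

	tampered := append([]byte(nil), ct...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, tamperErr := SymDecrypt(key, tampered)

	return string(pt), wrongErr != nil, tamperErr != nil, nil
}

func main() {
	rec, wrong, tamper, err := RoundTrip("transfer 100 to account 42")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%q wrongKeyRejected=%v tamperRejected=%v\n", rec, wrong, tamper)
}
```

The point of choosing an authenticated mode (GCM) is that it covers two corners of the C.I.A. triangle at once: the ciphertext hides the content, and the tag makes any modification detectable, so DK is never fooled into returning a silently altered message.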
VPN
• Virtual Private Networking. Uses the Internet
to carry information within a company and
among business partners but with increased
security through the use of encryption, authentication
and access control.
Public key encryption

m: message
sk: private (secret) key
pk: public key

· Separate public key pk and private key sk
· The private key is kept secret by the receiver
· Dsk(Epk(m)) = m and vice versa
· Knowing the public (encryption) key pk gives no clue about the private (decryption) key sk
Public Key Infrastructure

• Secure Sockets Layer (SSL) and its successor
Transport Layer Security (TLS): protocols for
secure information transfer over the Internet;
enable client and server computer encryption
and decryption activities as they communicate
during a secure Web session.
• Secure Hypertext Transfer Protocol (S-HTTP):
used for encrypting data flowing over the
Internet; limited to Web documents, whereas
SSL and TLS encrypt all data being passed
between client and server.
Digital certificates
How to establish authenticity of a public key?
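An added example of how a certificate authority answers that question, written in Go and not taken from the slides: the client holds the CA's root certificate in its trust store, the CA signs a server's public key into a certificate for one host name, and the client accepts that public key only if the certificate chains to the trusted root and names the host it is talking to. The CA names, the host name and all keys are constructed in memory for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caTemplate: a certificate allowed to sign other certificates.
func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// leafTemplate: a server certificate binding a public key to one host name.
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue has the issuer sign tmpl for subjectPub; parent == tmpl means self-signed (a root CA).
func issue(tmpl, parent *x509.Certificate, subjectPub *ecdsa.PublicKey, issuerPriv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subjectPub, issuerPriv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// selfSignedCA generates a CA key pair and its self-signed root certificate.
func selfSignedCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := caTemplate(name, serial)
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// BuildPKI creates (constructed, in memory) a root CA the client trusts, a certificate
// it issued for host, and one for the same host and key from a CA the client never trusted.
func BuildPKI(host string) (trustedCA, goodLeaf, untrustedLeaf *x509.Certificate, err error) {
	trustedCA, trustedKey, err := selfSignedCA("Demo Root CA", 1)
	if err != nil {
		return nil, nil, nil, err
	}
	otherCA, otherKey, err := selfSignedCA("Unknown CA", 2)
	if err != nil {
		return nil, nil, nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	goodLeaf, err = issue(leafTemplate(host, 3), trustedCA, &srvKey.PublicKey, trustedKey)
	if err != nil {
		return nil, nil, nil, err
	}
	untrustedLeaf, err = issue(leafTemplate(host, 4), otherCA, &srvKey.PublicKey, otherKey)
	return trustedCA, goodLeaf, untrustedLeaf, err
}

// ChainsToTrustedCA is the client's check: accept the key in leaf for host only if
// leaf chains to a CA in the trust store and names that host.
func ChainsToTrustedCA(ca, leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, good, bad, err := BuildPKI("shop.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted CA:", ChainsToTrustedCA(ca, good, "shop.example"), "unknown CA:", ChainsToTrustedCA(ca, bad, "shop.example"))
}
```

Note that the untrusted certificate carries exactly the same server key and host name as the good one; the only thing that distinguishes them is which CA vouched for the key, which is the whole job of the trust store. A mismatch between the host the client asked for and the names in the certificate is rejected by the same Verify call.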
Digital signature

Sign: sign(sk,m) = Dsk(m)
Verify: Epk(sign(sk,m)) = m
Sign a small hash of the message rather than the message itself, to reduce cost.
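An added example in Go, not from the slides, covering both the public key encryption slide and the digital signature slide with one RSA key pair per party: Epk and Dsk are rsa.EncryptOAEP and rsa.DecryptOAEP, and the signature is made over a SHA-256 hash of the message, as the last line above suggests, rather than over the message itself. The slide's sign(sk,m) = Dsk(m) is textbook RSA; the standard library applies OAEP and PSS padding on top of the same private-key operation, which is what makes the scheme safe to use. Message text and the two parties are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// PKEncrypt computes Epk(m): anyone holding the receiver's public key can
// produce a ciphertext. OAEP padding is what makes textbook RSA safe to use.
func PKEncrypt(pk *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pk, msg, nil)
}

// PKDecrypt computes Dsk(c): only the holder of the matching private key
// recovers m; any other key yields an error.
func PKDecrypt(sk *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, sk, ct, nil)
}

// Sign hashes the message with SHA-256 and signs the 32-byte digest with the
// sender's private key, instead of signing the whole message.
func Sign(sk *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, sk, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest and checks the signature with the sender's
// public key. A changed message or a wrong key makes it return false.
func Verify(pk *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pk, crypto.SHA256, digest[:], sig, nil) == nil
}

// Result records what the receiver observes in the demo exchange.
type Result struct {
	Recovered        string // plaintext the receiver got back
	WrongKeyRejected bool   // decryption with another party's key failed
	SignatureValid   bool   // sender's signature verified on the real message
	ForgeryRejected  bool   // same signature rejected on an altered message
}

// Demo runs one exchange between a constructed sender and receiver.
func Demo(msg string) (Result, error) {
	var r Result
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	receiver, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}

	// Confidentiality: encrypt to the receiver's public key, decrypt with sk.
	ct, err := PKEncrypt(&receiver.PublicKey, []byte(msg))
	if err != nil {
		return r, err
	}
	pt, err := PKDecrypt(receiver, ct)
	if err != nil {
		return r, err
	}
	r.Recovered = string(pt)
	_, err = PKDecrypt(sender, ct) // the sender's key is not the receiver's sk
	r.WrongKeyRejected = err != nil

	// Non-repudiation: the sender signs, the receiver verifies with the sender's pk.
	sig, err := Sign(sender, []byte(msg))
	if err != nil {
		return r, err
	}
	r.SignatureValid = Verify(&sender.PublicKey, []byte(msg), sig)
	r.ForgeryRejected = !Verify(&sender.PublicKey, []byte(msg+" and more"), sig)
	return r, nil
}

func main() {
	r, err := Demo("pay 100 to account 42")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The two uses of the key pair run in opposite directions, exactly as the slides state: encryption uses the receiver's pk and is undone with the receiver's sk, while a signature is made with the sender's sk and checked with the sender's pk. Hashing first keeps the expensive private-key operation to a fixed 32 bytes regardless of message size.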
Controls
• Controls evaluation. Identifies security
deficiencies and calculates the costs of
implementing adequate control measures.
• General controls. Established to protect the
system regardless of the specific application.
Physical controls. Physical protection of computer
facilities and resources.
Access controls. Restriction of unauthorized user
access to computer resources; use biometrics and
password controls for user identification.
Security Audits
• Information systems auditing. Independent or
unbiased observers are tasked with ensuring that
information systems work properly.
• Types of Auditors and Audits
Internal. Performed by corporate internal auditors.
External. Reviews the internal audit as well as the inputs,
processing and outputs of information systems.
Audit. Examination of information systems, their
inputs, outputs and processing.
Protecting Information Resources
• Risk. The probability that a threat will impact an
information resource.
• Risk management. To identify, control and
minimize the impact of threats.
• Risk analysis. To assess the value of each
asset being protected, estimate the probability it
might be compromised, and compare the
probable costs of it being compromised with the
cost of protecting it.
Protecting Information Resources
• Risk mitigation is when the organization takes
concrete actions against risk. It has two
functions:
(1) implementing controls to prevent identified
threats from occurring, and
(2) developing a means of recovery should
the threat become a reality.
Risk Mitigation Strategies
• Risk acceptance. Accept the potential risk,
continue operating with no controls, and absorb
any damages that occur.
• Risk limitation. Limit the risk by implementing
controls that minimize the impact of the threat.
• Risk transference. Transfer the risk by using
other means to compensate for the loss, such as
purchasing insurance.
Disaster Recovery Planning
• Disaster recovery. The chain of events linking
planning to protection to recovery, set out in a disaster
recovery plan.
• Disaster avoidance. Oriented towards
prevention.
• Hot sites. External data center that is fully
configured and has copies of the organization’s
data and programs.
Business Continuity

An important element in any security system is the business continuity plan,
also known as the disaster recovery plan. Such a plan outlines the process
by which businesses should recover from a major disaster.
• The purpose of a business continuity plan is to keep the business running
after a disaster occurs.
• Recovery planning is part of asset protection.
• Planning should focus on recovery from a total loss of all capabilities.
• Proof of capability usually involves some kind of what-if analysis that
shows that the recovery plan is current.
• All critical applications must be identified and their recovery procedures
addressed.
• The plan should be written so that it will be effective in case of disaster.
