Importance of Information Security

Uploaded by Sheila Lasala

What is Security?

• Security is about
– Honest user
– Dishonest Attacker
– How the Attacker
• Disrupts honest user’s use of the system (Integrity, Availability)

Network Attacker – Intercepts and controls network communication
Web Attacker – Sets up malicious site visited by victim; no control of network
OS Attacker – Controls malicious files and applications

Two main types of network attacks:
• Passive
• Active
Common Type of Web Application Attacks

1. Cross-Site Scripting (XSS) - a type of web application attack in which malicious scripts are
injected into web pages that are then viewed by other users.

2. Cross-Site Request Forgery (CSRF) - a type of web application attack that tricks a user into
executing an unwanted action on a web application that they are already authenticated with.
This is typically accomplished by sending a specially crafted link or script to the user, which
then performs the unwanted action when clicked.

3. XML External Entity (XXE) - a type of web application attack that exploits vulnerabilities in
the XML parsers used by a web application. This can allow an attacker to read sensitive data or
execute unauthorized actions on the web application’s server.

4. Injection Attacks - Injection attacks involve inserting malicious code into a web application,
typically in the form of input data such as SQL queries, commands, or scripts.

5. Fuzz testing - also known as fuzzing, is a technique used to discover vulnerabilities in a web
application by sending it random or invalid input data. The goal of fuzz testing is to identify how
the web application responds to different inputs and to find errors and crashes.
Common Type of Web Application Attacks

6. DDoS (Distributed Denial-of-Service) - A Distributed Denial-of-Service (DDoS) attack is a type
of web application attack that involves overwhelming a web application with a large volume of
traffic from multiple sources, such as botnets or compromised devices. This can cause the web
application to become unavailable to legitimate users.
7. Brute Force Attack - A brute force attack is an automated method of guessing a username
and password combination to gain unauthorized access to a web application. Attackers use
software tools to try different combinations of usernames and passwords until they
successfully guess the correct one.
8. Path Traversal - Path traversal is a type of web application attack that involves manipulating
file paths in a web application in order to access unauthorized files or directories on the server.
Path traversal attacks typically occur when a web application does not properly validate user
input, allowing an attacker to traverse up and down directory structures to access sensitive
files.
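As an added example (not part of the slides), here is a Python check for the validation item 8 says is missing: the unvalidated join beside a version that resolves the requested path and refuses anything outside the document root. DOCUMENT_ROOT and the sample requests are constructed for the example.

```python
import os
from pathlib import Path, PurePosixPath

# Constructed document root for the example (an assumption, not a real deployment path).
DOCUMENT_ROOT = Path("/srv/app/public")


def vulnerable_resolve(root: Path, requested: str) -> Path:
    """The unvalidated behaviour item 8 describes: the user-supplied path is
    joined onto the document root as-is, so '../' segments walk out of it and
    an absolute path replaces the root entirely."""
    return root / requested


def safe_resolve(root: Path, requested: str) -> Path:
    """Resolve the requested path and refuse anything outside the root."""
    root = root.resolve()
    # Absolute paths would discard the root in the join; NUL bytes can truncate
    # the path in lower layers, so both are rejected before any resolution.
    if "\x00" in requested or PurePosixPath(requested).is_absolute():
        raise PermissionError(f"rejected path: {requested!r}")
    # resolve() collapses '.' and '..' and follows symlinks (strict=False, so the
    # target need not exist). Only then is containment in the root checked.
    candidate = (root / requested).resolve()
    if os.path.commonpath([root, candidate]) != str(root):
        raise PermissionError(f"path escapes document root: {requested!r}")
    return candidate


def check(requested: str) -> str:
    """Classify one requested path against DOCUMENT_ROOT as 'allowed' or 'blocked'."""
    try:
        safe_resolve(DOCUMENT_ROOT, requested)
        return "allowed"
    except PermissionError:
        return "blocked"


if __name__ == "__main__":
    for req in ["reports/q1.pdf", "reports/../q2.pdf", "reports/../../secret.txt",
                "../../../etc/passwd", "/etc/passwd"]:
        naive = os.path.normpath(vulnerable_resolve(DOCUMENT_ROOT, req))
        print(f"{req!r:28} unvalidated -> {naive:28} validated -> {check(req)}")
```

Web frameworks normally URL-decode the request path before handing it to application code; the containment check must run on that decoded form.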

• Botnet - a network of computers infected by malware that are under the control of a
single attacking party, known as the “bot-herder.” Each individual machine under the control
of the bot-herder is known as a bot.
Common botnet actions include email spam and financial breaches.
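Added example (not from the slides): detection logic for the automated guessing described in item 7, run over a constructed authentication log. The log format, the failure threshold and the time window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system); the
# "timestamp RESULT user=... ip=..." layout is an assumption made for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAILED user=alice ip=203.0.113.7
2024-03-01T09:00:02 FAILED user=bob ip=203.0.113.7
2024-03-01T09:00:03 FAILED user=carol ip=203.0.113.7
2024-03-01T09:00:04 FAILED user=dave ip=203.0.113.7
2024-03-01T09:00:05 FAILED user=erin ip=203.0.113.7
2024-03-01T09:00:06 SUCCESS user=erin ip=203.0.113.7
2024-03-01T09:05:00 FAILED user=alice ip=198.51.100.3
2024-03-01T09:20:00 FAILED user=alice ip=198.51.100.3
2024-03-01T09:20:30 SUCCESS user=alice ip=198.51.100.3
"""

LINE_RE = re.compile(r"^(\S+) (FAILED|SUCCESS) user=(\S+) ip=(\S+)$")

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per source IP with `threshold`+ failed logins inside a
    sliding `window`, noting whether a SUCCESS followed the burst (item 7's
    tool-driven guessing shows up as exactly such a burst, often across users)."""
    recent_failures = defaultdict(list)  # ip -> failure timestamps still in window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.fromisoformat(m.group(1))
        result, user, ip = m.group(2), m.group(3), m.group(4)
        if result == "FAILED":
            kept = [t for t in recent_failures[ip] if t >= ts - window] + [ts]
            recent_failures[ip] = kept
            if len(kept) >= threshold:
                alert = alerts.setdefault(ip, {"ip": ip, "first": kept[0], "success_after": None})
                alert.update(failures=len(kept), last=ts)
        elif ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = user  # a login landed right after the burst
    return list(alerts.values())

if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT {a['ip']}: {a['failures']} failures {a['first']}..{a['last']}, "
              f"success after burst: {a['success_after']}")
```

Keying on the source IP means a burst of failures spread over many usernames is caught as well; the slow second source stays below the threshold and produces no alert.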
Confidentiality: Attacker does not learn Player 456’s secrets
Integrity: Attacker does not undetectably corrupt system’s function for Player 456
Availability: Attacker does not keep system from being useful to Player 456
Information Security Terminology
(continued)

Term Example in the given scenario Example in Information Security


Identity and Data Theft

• Preventing data theft


– Security is often associated with theft prevention
– The theft of data is one of the largest causes of financial loss
due to an attack
– Individuals are often victims of data thievery
• Thwarting identity theft
– Identity theft involves using someone’s personal information
to establish bank or credit card accounts
• Cards are then left unpaid, leaving the victim with the debts and
ruining their credit rating
Importance of Information Security

• Avoiding legal consequences


– A number of federal and state laws have been enacted to
protect the privacy of electronic data
• The Health Insurance Portability and Accountability Act of 1996
(HIPAA)
• The Sarbanes-Oxley Act of 2002 (Sarbox)
• The Gramm-Leach-Bliley Act (GLBA)
• USA Patriot Act (2001)
• The California Database Security Breach Act (2003)
• Children’s Online Privacy Protection Act of 1998 (COPPA)
Importance of Information Security

Avoiding legal consequences


• R.A. 8792 (E-Commerce Act) - This law recognizes the use of electronic commercial and
non-commercial transactions and electronic signatures; prescribes penalties for piracy of
protected materials through the use of telecommunication networks and for hacking of computer
programs; and prescribes grounds for liability of service providers.
• R.A. 9775 (Anti-Child Pornography Act of 2009) - "Child" refers to a person
below eighteen (18) years of age or over but is unable to fully take care of, or
protect, himself/herself from abuse, neglect, cruelty, exploitation or
discrimination because of a physical or mental disability or condition.
• R.A. 9995 (Anti-Photo and Video Voyeurism Act of 2009) - It protects the
victims who are made to believe that they are performing sexual acts in
private. A person violates this Republic Act when he/she has not obtained
consent of any of the persons in the picture or video but chooses to copy,
reproduce, and make public the said materials.
Importance of Information Security

Avoiding legal consequences


• R.A. 10173 (Data Privacy Act of 2012) - aims to protect personal data in
information and communications systems both in the government and the
private sector.
• R.A. 10175 (Cybercrime Prevention Act of 2012) - enacted on 12 September 2012 to
comprehensively address crimes committed against and by means of computer systems. It
includes substantive penal rules, procedural rules and rules on international cooperation.
Importance of Information Security

Maintaining Productivity
– Cleaning up after an attack diverts resources such as time
and money away from normal activities

Cost of attacks
Importance of Information Security

Cyberterrorism - (also known as digital terrorism) is defined as disruptive attacks by
recognised terrorist organisations against computer systems with the intent of generating
alarm, panic, or the physical disruption of the information system.

• Foiling cyberterrorism
– Cyberterrorism
• Attacks by terrorist groups using computer technology and the
Internet
– Utility, telecommunications, and financial services companies
are considered prime targets of cyberterrorists
