Module02 Information Security
INFO101 – Module 3

Introduction to information systems

Ho Thi Thanh Tuyen


Trimester 3 – 2024
Lecture 7: Information Security
Agenda

1. Introduction to Information Security
2. Information security threats
3. The CIA model that guides information security
4. How to protect organisations against security threats
Introduction to Information Security

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction (Wikipedia).
What information security threats do organisations face?

There are two major categories of threats:

▪ Unintentional threats
▪ Deliberate threats
https://limeproxies.netlify.app/blog/top-10-information-security-threats-in-2018/
Threats (1/2): Unintentional threats

• Human carelessness … with laptops, web sites, emails, password selection, office security, getting rid of old computers …
• Physical access (including contractors, e.g. security or cleaning staff)
• Social engineering (e.g. impersonation (pretending to be someone else), tailgating (following someone through a secured door), shoulder surfing, phishing, spear phishing)
Threats (1/2): Unintentional threats
Use of technologies

http://www.tekspecz.com/new-blog-2/2015/6/20/what-part-of-malware-you-dont-understand
Discussion

• Group 1: Spyware
• Group 2: Rootkit
• Group 3: Trojan
• Group 4: Worm
• Group 5: Adware
→ Concept and example
Threats (2/2): Deliberate threats

• Virus, worm, Trojan horse, back door, logic bomb …
• Insecure WiFi
• Denial of Service and Distributed DoS (“DDoS”)
• RFID
• Who?
  o Amateurs (“fun”), “hacktivists”, individual criminals, organised crime, foreign governments, …
Threats (2/2): Deliberate threats – Remote Attacks Requiring User Action
Threats (2/2): Deliberate threats – Remote Attacks Needing No User Action
Threats (2/2): Deliberate threats – Attacks by a Programmer Developing a System
Factors contributing to the increasing vulnerability of organisational information

1. Interconnected networked business environment
2. Smaller, faster, cheaper computer and storage devices … including unexpected ones (like a fish tank thermometer?)
3. Decreasing skills necessary to be a computer hacker
4. International organised crime taking over cybercrime
5. Lack of management support

Every ‘computer’ is a vulnerability. The Internet of Things makes more targets.
• Even the thermometer in your fish tank …
• https://thehackernews.com/2018/04/iot-hacking-thermometer.html
CIA model

The C.I.A. Triad: Confidentiality, Integrity, Availability

Confidentiality
A set of rules that limits access to information. It can be achieved, among other things, through:
• Secure storage of documents and data;
• Having (and applying) security policies;
• Education of information custodians and end users;
• Cryptography.

Availability
Information needs to be available to those that need it (e.g. those who are authorised to access it) and denied to those that don’t.

Integrity
Information must be trustworthy and accurate. The completeness of information is as important as its other attributes.
• Avoid corruption – deliberate or accidental;
• Can be achieved through algorithmic mechanisms like checksums, hash values, etc.
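The integrity point above distinguishes accidental from deliberate corruption, and a plain checksum only covers the first. The added example below (not from the lecture; the invoice record and the secret key are constructed) compares a plain SHA-256 checksum with a keyed HMAC against a flipped bit and against an attacker who edits the data and recomputes the checksum.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the lecture): information whose
# integrity we want to preserve.
RECORD = b"invoice:1042;payee:ACME Ltd;amount:1500.00"

def checksum(data: bytes) -> str:
    """Plain SHA-256 digest: catches accidental corruption (bit flips,
    truncation), but anyone who alters the data can simply recompute it."""
    return hashlib.sha256(data).hexdigest()

def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: also catches deliberate modification, because a valid
    tag cannot be recomputed without the secret key the attacker lacks."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(expected: str, actual: str) -> bool:
    # Constant-time comparison, so the check itself does not leak the digest.
    return hmac.compare_digest(expected, actual)

def flip_bit(data: bytes, offset: int) -> bytes:
    """Simulate accidental corruption: one bit flipped in storage or transit."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)

def integrity_scenarios(key: bytes) -> dict:
    """Check each mechanism against accidental and deliberate change.
    True means the altered data would still be accepted as intact."""
    stored_sum = checksum(RECORD)          # kept next to the record
    stored_tag = keyed_tag(RECORD, key)    # key held by the verifier only
    damaged = flip_bit(RECORD, 5)
    # Deliberate edit: the attacker changes the amount and, having write
    # access, overwrites the stored plain checksum with one for the new data.
    forged = RECORD.replace(b"1500.00", b"9500.00")
    attacker_sum = checksum(forged)
    return {
        "checksum_accepts_damaged": verify(stored_sum, checksum(damaged)),
        "checksum_accepts_forged": verify(attacker_sum, checksum(forged)),
        "hmac_accepts_damaged": verify(stored_tag, keyed_tag(damaged, key)),
        "hmac_accepts_forged": verify(stored_tag, keyed_tag(forged, key)),
    }

if __name__ == "__main__":
    for case, accepted in integrity_scenarios(secrets.token_bytes(32)).items():
        print(f"{case:26} {accepted}")
```

The plain checksum rejects the damaged record but accepts the forged one, while the HMAC rejects both, which is why integrity against a deliberate adversary needs a key the adversary does not hold.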
What are the ways organisations try to protect themselves against security threats?

Information Security Controls
• Physical controls
• Access controls
  o Passwords, and alternatives
  o Authorisation
• Communication controls
  o Firewalls, proxy servers

Other defences
• Anti-malware, virus checkers, etc.
• Whitelisting
• Encryption
• Constant monitoring
Security is a management issue
Management must take responsibility:
• good governance, e.g. security policy, risk assessment, allocation of sufficient resources, training programmes, etc.;
• backing up the staff who deal with ‘social engineering’ tactics.

SETA
Security Education, Training and Awareness programmes are used to build competence and confidence that an organisation can deal with a threat to its security. They could be part of employee orientation.

All employees should be aware that security is part of the job – though that is often not what they think.
After the event – Business Continuity Planning
• Where are the backups?
o Tapes -- local and remote
o Virtual -- cloud, other servers

• Alternative hardware
o Hot sites, etc.
Privacy, security and ethics

• All come together when personal information is hacked.
• Not new, but technology greatly increases the opportunity and therefore the risks.
What you should do …

• Have a virus checker installed
• Back up regularly (off site)
• Do not use an easy-to-guess password
• Enable two-factor authentication
• Do not click on links in email … especially on mobile devices
• Phone scams: verify, or call back
• Avoid using insecure WiFi
• Encrypt sensitive data (with strong encryption)
• Think before sending
• Think about where to store information (e.g. keep confidential information off the cloud)
• Do not use the workplace for very private stuff