Lecture 02 - The Need For Security-3

Malicious or criminal attacks were the largest source of data breaches reported to the OAIC in the first half of 2022, accounting for 63% of breaches. Human error was the second largest cause, responsible for 33% of breaches. Health and finance were the sectors that reported the most breaches. Cyber incidents such as hacking comprised 65% of malicious or criminal attacks. Human motivations and targets vary depending on whether the threat actor is a hacktivist, criminal, insider, or nation state. Each presents different risks to organizations.


CSG3309 IT Security Management

The Need for Security


Threats to Information

Recap – What is Information Security

Information Security (InfoSec) is not the same as computer security (ComSec). ComSec is a subset of InfoSec.

Information security (InfoSec) focuses on the protection of information and the characteristics that give it value, such as confidentiality, integrity, and availability, and includes the technology that houses and transfers that information through a variety of protection mechanisms such as policy, training and awareness programs, and technology.

Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” — Jim Anderson, Inovant (2002)
Recap – Critical Characteristics of Information

The value of information comes from the characteristics it possesses.

The CIA triad encompasses confidentiality, integrity and availability; however, it has expanded to include:
• accuracy
• authenticity
• availability
• confidentiality
• integrity
• possession
• utility
• repudiation
Objectives

• Understand the four functions Information Security performs for organisations
• Explain the value of information and why it needs protection
• Identify and categorize threats and threat types
• Introduction to threat models
• Analyze the Target case study
Introduction

• The primary mission of information security is to ensure the confidentiality, integrity and availability of information systems are protected
• If no threats existed, resources could be focused on improving systems, resulting in vast improvements in ease of use and usefulness
• The threat of attack on information systems is a constant concern
• Threats are constantly changing
Key Terms

Threat: an object, person, or other entity that represents a constant danger to an asset

Attack: an intentional or unintentional act that can damage or compromise information and the systems that support it

Exploit: a technique used to compromise a system

Vulnerability: a potential weakness in an asset or its defensive control systems

Data: items of fact collected by an organisation. Data includes raw numbers, facts and words

Information: organised and structured data presented to provide context and usefulness

Information Asset: information that has value to an organisation and the systems that store, process and transmit the information

Source: Principles of Information Security, Whitman & Mattord
Organisational Assets Used in Systems

[Figure: organisational assets used in systems. Source: Management of Information Security, 5th Edition, © Cengage Learning]


Information Security Functions

Information security performs four important functions for organisations. These are:
1. Protect the organisation's ability to function
2. Protect data and information the organisation collects and uses
3. Enable safe operation of applications implemented on its IT systems
4. Safeguard the organisation's technology assets
Protect the organisation's ability to function

The communities of interest are responsible for facilitating the information security program to protect the organisation's ability to function
• Associated with risk management, policy and enforcement as opposed to technology
• Information security is both a management issue and a people issue
• The organisation should address information security in terms of business impact and cost

[Figure: Communities of Interest – IT Management, InfoSec Management, Business Management]
Protect data and information the organisation collects and uses

An organisation without data loses its record of transactions and/or its ability to deliver value to customers

Protecting data in motion, data in use, and data at rest are all critical aspects of information security
Enable safe operation of applications

• Organisations need environments that safeguard applications using IT systems
• Organisations today are under pressure to provide efficient and secure operating environments
• Management must continue to oversee infrastructure once in place—not relegate management to the IT department
Safeguard the organisation's technology assets

• Organisations must have secure infrastructure hardware based on the size and scope of the enterprise
• Additional security services may be needed as an organisation grows
• More robust solutions may be needed to replace security programs the organisation has outgrown
Why do we need Information Security?

Why do we need to protect information?
• Information has value
• Information has an impact on business objectives
• A breach of security has consequences (financial, legal, medical, social)
• Compliance

The value of information depends on context
Why do we Need InfoSec?

Threats to information security have the potential to cause serious harm.

Information security breach:
• Medical records
• Flights
• Banks
• Critical infrastructure

Serious harm:
• Financial loss
• Reputational damage
• Psychological impacts
• Death
Office of the Australian Information Commissioner (OAIC)

Source: https://www.oaic.gov.au
Why do we Need InfoSec? – OAIC 2022
Key Statistics – OAIC Jan – June 2022

396 breaches were notified compared to 460 in July to December 2021 (14% decrease).

Malicious or criminal attack remains the leading source of breaches, accounting for 250 notifications (63% of the total), down 1% in number from 253.

Data breaches resulting from human error accounted for 131 notifications (33% of the total), down 31% in number from 189.

Health remains the highest reporting sector, notifying 20% of breaches, followed by finance (13%).

Source: https://www.oaic.gov.au
Breakdown – OAIC 2022
Key Statistics – OAIC Jan – June 2022

Malicious or criminal attacks were the largest source of data breaches, accounting for 63% of reported breaches.

Human error accounted for 33%, while reported system faults were 4%.

Source: https://www.oaic.gov.au
Malicious or Criminal Attack Breakdown

• 65% Cyber incidents
• 23% Social engineering
• 7% Theft
• 5% Rogue employees

Source: https://www.oaic.gov.au
Cyber Incidents Breakdown - OAIC 2022

Source: https://www.oaic.gov.au
Human Error Breakdown - OAIC 2022

Source: https://www.oaic.gov.au
Threats to Information Security

• Approximately 4.1 billion people have some form of internet access, just over 50% of the world's population.
• An increase of 24% since 2010.

Source: ITU, Global & Regional ICT Data, retrieved from https://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx, last updated 30 November 2019
BDO Cyber Security Survey 2018

Organisations seeking to enhance their cyber security capabilities will need to get a better understanding of the cyber threats related to them and their industry. They will need to understand which threat actors or groups will be targeting them and anticipate their motives and strategies.

Hacktivists
Motives: advance political or social profile; financial
Targets: corporate secrets; sensitive business information; information related to key business personnel
Impacts: disruption of business services; reputational damage; loss of consumer confidence

Criminals
Motives: financial gain
Targets: financial payment systems or processes; personal identifiable information (PII); health information
Impacts: financial loss; regulatory penalties; consumer and shareholder litigation; loss of consumer confidence

Insiders
Motives: personal or financial gain; revenge; financial
Targets: sales deals or market strategies; corporate secrets, IP R&D; business operations; personal information
Impacts: trade secret disclosure; operation disruption; reputational damage; financial loss

Nation States
Motives: economic or political advantage
Targets: trade secrets; intelligence agencies; sensitive business information; emerging technologies, administration or public policy
Impacts: loss of competitive advantage; political and reputational impacts; damage to public confidence; financial impacts
Cyber Threat Landscape

Organisations need to understand threats to their information systems and who or what could target them.
• According to a survey conducted by Dimension Data (2018), ransomware attacks rose by 350% in 2017.
• Expected 2022/2023 trends:
  • Deep faking (top 10 deep fakes)
  • Ransomware, phishing, malware
  • Espionage, state-based attacks, insider threats
  • Supply chain vulnerabilities (SolarWinds)
  • IoT devices
  • COVID?

Some 24% of organisations cite a lack of understanding of their current risk profile as a barrier to deploying better security systems.
Threats to Information Security

Category of threat – Attack vectors (examples)
• Compromises to intellectual property – Piracy, copyright infringement
• Deviations in quality of service – ISP, power or WAN outages
• Espionage or trespass – Unauthorised access and/or data collection
• Forces of nature – Fire, flood, earthquake
• Human error or failure – Accidents or employee mistakes
• Information extortion – Blackmail, information disclosure
• Sabotage or vandalism – Destruction of system or information
• Software attacks – Viruses, worms, denial of service attacks
• Technical hardware failures or errors – Equipment failure
• Technical software failures or errors – Bugs, code problems
• Technological obsolescence – Outdated technologies
• Theft – Illegal confiscation of equipment or information
Compromises to Intellectual Property

• Intellectual property (IP): “ownership of ideas and control over the tangible or virtual representation of those ideas”
• The most common IP breaches involve software piracy
• Two watchdog organisations investigate software abuse:
  • Software & Information Industry Association (SIIA)
  • Business Software Alliance (BSA)
• Enforcement of copyright law has been attempted with technical security mechanisms
Deviations in Quality of Service

• Includes situations where products or services are not delivered as expected
• Information systems depend on many interdependent support systems
• Internet service, communications, and power irregularities dramatically affect the availability of information and systems

What principle of the CIA triad does this threat breach?

Deviations in Quality of Service . . .

Internet service issues
• Internet service provider (ISP) failures can considerably undermine the availability of information
• An outsourced Web hosting provider assumes responsibility for all Internet services as well as hardware and Web site operating system software

Communications and other service provider issues
• Other utility services affect organisations: telephone, water, wastewater, trash pickup, etc.
• Loss of these services can affect an organisation’s ability to function
• Power irregularities
Espionage or Trespass

• Access of protected information by unauthorized individuals
• Competitive intelligence (legal) vs. industrial espionage (illegal)
• Shoulder surfing can occur anywhere a person accesses confidential information
• Controls let trespassers know they are encroaching on the organisation’s cyberspace
• Hackers use skill, guile, or fraud to bypass controls protecting others’ information
Forces of Nature

• Disrupt not only individual lives, but also storage, transmission, and use of information
• Organisations must implement controls to limit damage and prepare contingency plans for continued operations
• Forces of nature are among the most dangerous threats
Human Error or Failure

• Includes acts performed without malicious intent
• Employee mistakes can easily lead to:
  • Revelation of classified data
  • Entry of erroneous data
  • Accidental data deletion or modification
  • Data storage in unprotected areas
• Causes include inexperience and improper training
• Employees are among the greatest threats to an organisation’s data
• Can be prevented with education and training
Information Extortion

• Attacker steals information from a computer system
• She/he demands compensation for its return or nondisclosure
• Commonly done in credit card number theft or ransomware
Sabotage or Vandalism

• Threats can range from petty vandalism to organized sabotage
• Web site defacing can erode consumer confidence, dropping sales and the organisation’s net worth
• The threat of hacktivist or cyber-activist operations is rising
• Cyber terrorism: a much more sinister form of hacking
Software Attacks

Attacks
• Acts or actions that exploit a vulnerability (i.e., an identified weakness) in a controlled system
• Accomplished by a threat agent that damages or steals the organisation’s information

Types of attacks
• Malicious code: includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information
• Hoaxes: transmission of a virus hoax with a real virus attached; a more devious form of attack

Deliberate Software Attacks

Malicious software (malware) designed to damage, destroy, or deny service to target systems. Includes:
• Viruses / worms
• Ransomware
• Trojan horses
• Logic bombs
• Back doors or trap doors
• Polymorphic threats
• Virus and worm hoaxes
Technical Hardware / Software Failures or Errors

• Occur when a manufacturer distributes equipment containing flaws to users
• Can cause a system to perform outside of expected parameters, resulting in unreliable or poor service
• Some errors are terminal; some are intermittent
• Purchased software may contain unrevealed faults
• Combinations of certain software and hardware can reveal new software bugs
• Entire Web sites are dedicated to documenting bugs
Technological Obsolescence

• Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems
• Proper managerial planning should prevent technology obsolescence
• IT plays a large role
Theft

• Illegal taking of another’s physical, electronic, or intellectual property
• Physical theft is controlled relatively easily
• Electronic theft is a more complex problem; evidence of the crime is not readily apparent
Threat Intelligence and Threat Models

Threat Intelligence

Organisations rely on threat intelligence to make informed decisions about risks impacting their information assets and people.

• Threat intelligence is information about threats and threat agents that helps mitigate cyber attacks. Information is based on past, current and future trends.
• Threat intelligence provides the context necessary to make informed decisions about the protection of information systems.

Threat intelligence sources can include:
• open-source intelligence (OSINT)
• social media intelligence (SMINT)
• technical intelligence or intelligence from the dark web
Threat Intelligence - Types

1. Tactical: technical intelligence (includes Indicators of Compromise, for example IP addresses, file names, running services) which can assist in the identification of threat actors

2. Operational: details of the motivation or capabilities of threat actors, including their tools, techniques and procedures

3. Strategic: intelligence about the overarching risks associated with cyber threats which can be used to drive high-level organisational strategy
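Tactical intelligence only pays off once the indicators are actually checked against what the organisation logs. The block below is an added example, not part of the lecture slides: it takes a small feed of the three indicator kinds named above (IP addresses, file names, service names) and runs it over a handful of firewall and endpoint log lines. Every IoC and log line is constructed for illustration (the IP addresses are from the RFC 5737 documentation ranges, the file and service names are made up), so nothing here is a real indicator.

```python
"""Tactical threat intelligence in practice: match a small feed of
indicators of compromise (IoCs) against log lines.

Added example for this lecture, not material from the slides. Every IoC
and log line below is constructed for illustration and is not a real
indicator.
"""
import re
from collections import Counter, namedtuple

Match = namedtuple("Match", "line_no kind indicator line")

# Constructed tactical intel feed, keyed by indicator type.
IOC_FEED = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "file": {"svchost32.exe", "update_helper.dll"},
    "service": {"RemoteHelperSvc"},
}

# Constructed log lines: two firewall records and three endpoint records.
SAMPLE_LOGS = [
    "2022-06-01T10:02:11Z fw allow src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2022-06-01T10:02:15Z fw allow src=10.0.0.12 dst=192.0.2.10 dport=443",
    "2022-06-01T10:03:02Z host=POS-17 proc_create image=C:\\Windows\\Temp\\svchost32.exe pid=4120",
    "2022-06-01T10:03:05Z host=POS-17 service_install service=RemoteHelperSvc path=C:\\Windows\\Temp\\update_helper.dll",
    "2022-06-01T10:04:00Z host=POS-18 proc_create image=C:\\Windows\\System32\\svchost.exe pid=880",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FILE_RE = re.compile(r"[\w-]+\.(?:exe|dll|ps1|bat)\b", re.IGNORECASE)
SERVICE_RE = re.compile(r"\bservice=([\w-]+)")


def normalise_feed(feed):
    """Lower-case file and service indicators so matching is case-insensitive."""
    return {
        "ip": set(feed.get("ip", ())),
        "file": {f.lower() for f in feed.get("file", ())},
        "service": {s.lower() for s in feed.get("service", ())},
    }


def scan_line(line_no, line, feed):
    """Return every indicator from the (normalised) feed found in one log line."""
    found = []
    for ip in IP_RE.findall(line):
        if ip in feed["ip"]:
            found.append(Match(line_no, "ip", ip, line))
    for name in FILE_RE.findall(line):
        if name.lower() in feed["file"]:
            found.append(Match(line_no, "file", name, line))
    for svc in SERVICE_RE.findall(line):
        if svc.lower() in feed["service"]:
            found.append(Match(line_no, "service", svc, line))
    return found


def scan_logs(lines, feed=IOC_FEED):
    """Scan a sequence of log lines; returns matches in log order."""
    norm = normalise_feed(feed)
    hits = []
    for n, line in enumerate(lines, start=1):
        hits.extend(scan_line(n, line, norm))
    return hits


def summarise(hits):
    """Count matches per indicator type, e.g. {'ip': 1, 'file': 2, 'service': 1}."""
    return dict(Counter(h.kind for h in hits))


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for h in hits:
        print(f"line {h.line_no}: {h.kind} indicator {h.indicator!r} -> {h.line}")
    print(summarise(hits))
```

Running the block flags four hits on three of the five lines; the legitimate `svchost.exe` on the last line is not in the feed and is left alone, which is the point of matching on exact indicators rather than on anything that looks suspicious.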
Threat Models

Threat models help to prioritize security threats by identifying high-risk vulnerabilities or threats and mitigating them to protect sensitive data.

Threat modelling is part of the risk management process and helps to define:
• what we need to protect (information assets)
• who we need to protect it from (threat agents)
• what their capabilities are (motive, opportunity, resources)
• what countermeasures exist to prevent or mitigate these threats (risk control)
Threat Modeling

Threat modelling comprises the identification, evaluation and documentation of threats that apply to an information system.

Identify the attacker's possible goals
- you need to approach threat modelling from an attacker's perspective using basic assumptions:
• Potential entry points, attack surface
• Protected resources or assets
• Data flows, paths between systems
• Trust boundaries in the system (subnets, DMZ)
Case Study (Target)

In December 2013 over 40 million credit cards were stolen from nearly 2000 Target stores by accessing data on point of sale (POS) systems.
• Vendor subject to phishing attack
• Lacked network segregation
• POS vulnerable to attack
• Detection strategies failed
• Human factors
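The threat modelling slides list what a model has to capture (assets, threat agents, entry points, data flows, trust boundaries, existing countermeasures) and the case study gives a concrete setting. The block below is an added example, not from the slides or from any published analysis of the Target breach: it writes a small threat register in that shape, ranks entries by a likelihood × impact score, lists the ones with no countermeasure recorded, and checks which data flows cross a trust boundary. The threat entries, zone names and scores are constructed assumptions chosen to mirror the case-study bullets, not assessed values; the flat-versus-segmented comparison shows why a missing boundary on the corporate-to-POS path matters.

```python
"""A minimal threat model: information assets, threat agents, entry points,
existing countermeasures and trust boundaries, with threats ranked by risk.

Added example for this lecture, not material from the slides or from any
published analysis of the Target breach. Threat entries, network zones and
the likelihood/impact scores are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    agent: str                      # who we protect against (threat agent)
    asset: str                      # what we protect (information asset)
    entry_point: str                # attack surface used
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (minor) .. 5 (severe)
    controls: list = field(default_factory=list)   # existing countermeasures

    def risk(self):
        """Simple likelihood x impact score used for prioritisation."""
        return self.likelihood * self.impact


# Constructed threat register mirroring the case-study bullets (scores assumed).
THREATS = [
    Threat("Vendor credential phishing", "criminal", "vendor remote access",
           "vendor portal", 4, 3),
    Threat("Lateral movement to POS", "criminal", "cardholder data",
           "flat internal network", 4, 5),
    Threat("Memory-scraping malware on POS", "criminal", "cardholder data",
           "POS terminals", 3, 5, ["antivirus"]),
    Threat("Undetected exfiltration", "criminal", "cardholder data",
           "internet egress", 3, 4, ["IDS alerts"]),
    Threat("Flood at data centre", "forces of nature", "transaction records",
           "physical site", 1, 4, ["offsite backup"]),
]


def prioritise(threats):
    """Highest risk first; ties keep register order (sorted is stable)."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


def unmitigated(threats):
    """Names of threats with no countermeasure recorded against them."""
    return [t.name for t in threats if not t.controls]


def boundary_crossings(flows, zone_of):
    """Data flows whose endpoints sit in different trust zones.

    A flow that stays inside one zone crosses no trust boundary, so there
    is no control point on it; that is the segregation gap the case study
    describes.
    """
    return [(src, dst) for src, dst in flows if zone_of[src] != zone_of[dst]]


# Constructed data flows and two zone layouts: flat vs. segmented.
FLOWS = [
    ("vendor-portal", "corp-it"),
    ("corp-it", "pos-network"),
    ("pos-network", "payment-processor"),
]
FLAT_ZONES = {"vendor-portal": "external", "corp-it": "internal",
              "pos-network": "internal", "payment-processor": "external"}
SEGMENTED_ZONES = dict(FLAT_ZONES, **{"pos-network": "cardholder"})


if __name__ == "__main__":
    for t in prioritise(THREATS):
        print(f"{t.risk():2d}  {t.name:32s} via {t.entry_point}")
    print("no countermeasure:", unmitigated(THREATS))
    print("flat network crossings:", boundary_crossings(FLOWS, FLAT_ZONES))
    print("segmented crossings:  ", boundary_crossings(FLOWS, SEGMENTED_ZONES))
```

With the flat layout only two of the three flows cross a boundary; putting the POS network in its own zone makes the corporate-to-POS hop a crossing as well, which is where a control (and a detection point) can then be placed. The score is deliberately crude; the value of the exercise is in forcing the four questions from the slide to be answered for every entry.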
Summary

• Understand the four functions Information Security performs for organisations
• Explain the value of information and why it needs protection
• Identify and categorise threats and threat types
• Understand the concepts of threat intelligence and threat models
