MSIS-830 Unit 2 (ch02)
Chapter 2
Why Security is Needed
Learning Objectives
Learning Objectives (cont’d.)
Protecting the Functionality of an Organization
• Management (general and IT) is responsible for implementation
• Information security is both a management issue and a people issue
• Organization should address information security in terms of business impact and cost
Enabling the Safe Operation of Applications
• Organization needs environments that safeguard applications using IT systems
• Management must continue to oversee infrastructure once in place—not relegate to IT department
Protecting Data that Organizations Collect and Use
• Organization, without data, loses its record of transactions and/or ability to deliver value to customers
• Protecting data in motion and data at rest are both critical aspects of information security
Safeguarding Technology Assets in Organizations
• Organizations must have secure infrastructure services based on size and scope of enterprise
• Additional security services may be needed as organization grows
• More robust solutions may be needed to replace security programs the organization has outgrown
Threats
Table 2-1 Threats to Information Security⁴
Compromises to Intellectual Property
Deliberate Software Attacks
Worm
Trojan Horses
Polymorphic Threat
Virus Hoaxes
Espionage or Trespass
• Expert hacker
  – Develops software scripts and program exploits
  – Usually a master of many skills
    • Several programming languages, networking protocols, and operating systems and also exhibits a mastery of the technical environment of the chosen targeted system
  – Will often create attack software and share with others
Espionage or Trespass (cont’d.)
• Unskilled hacker
  – Many more unskilled hackers than expert hackers
  – Use expertly written software to exploit a system
• Novice hackers become script kiddies
  – Hackers of limited skill who use expertly written software to exploit a system, but do not fully understand or appreciate the systems they hack
Forces of Nature
Human Error or Failure (cont’d.)
Information Extortion
Missing, Inadequate, or Incomplete
Sabotage or Vandalism
Technical Hardware Failures or Errors
Technological Obsolescence
Attacks
• Attacks
  – Acts or actions that exploit a vulnerability (i.e., an identified weakness) in a controlled system
  – Accomplished by a threat agent that damages or steals an organization’s information
• Types of attacks
  – Malicious code: includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information
  – Hoaxes: transmission of a virus hoax with a real virus attached
    • A more devious form of attack
Attacks (cont’d.)
Spoofing
Attacks (cont’d.)
Secure Software Development
Software Design Principles (cont’d.)
Buffer Overruns
Cross-Site Scripting
Failure to Protect Network Traffic
Failure to Store and Protect Data Securely
• Programmers are responsible for integrating access controls into, and keeping secret information out of, programs
• Access controls regulate who, what, when, where and how individuals and systems interact with data
Failure to Properly Implement Strong Access Controls
• Failure to properly implement sufficiently strong access controls makes the data vulnerable, while overly strict access controls hinder business users in the performance of their duties
• Integrating secret information into programs can put that information at risk of disclosure
  – Such as the “hard coding” of passwords, encryption keys, or other sensitive information
Failure to Use Cryptographically Strong Random Numbers
• Many computer systems use random number generators
• These “random” number generators use a mathematical algorithm, based on a seed value and another system component (such as the computer clock), to simulate a random number
• Those who understand the workings of such a “random” number generator can predict particular values at particular times
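Added example (not part of the original slides): a token built from a clock-seeded generator beside one drawn from the operating system's CSPRNG, with an audit check showing the first is fully determined by its issue time. The function names, the 16-byte token size, and the timestamp are assumptions made for illustration.

```python
import random
import secrets

TOKEN_BYTES = 16  # assumed token size for this example


def weak_token(issued_at: int) -> str:
    """'Before' form: Mersenne Twister seeded with the clock (whole seconds)."""
    rng = random.Random(issued_at)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def strong_token() -> str:
    """Hardened form: bytes come from the operating system's CSPRNG."""
    return secrets.token_hex(TOKEN_BYTES)


def clock_seed_for(token: str, approx_time: int, window: int = 300):
    """Audit check: return the clock value that reproduces `token`, or None.

    Replays weak_token() for every second within +/- window of approx_time.
    A hit means the token carries no secret beyond the time it was issued.
    """
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_token(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    issued_at = 1_700_000_000      # constructed timestamp, not real data
    logged_time = issued_at + 42   # auditor only knows the rough issue time

    legacy = weak_token(issued_at)
    print("clock-seeded token:", legacy)
    print("seed recovered    :", clock_seed_for(legacy, logged_time))

    fresh = strong_token()
    print("CSPRNG token      :", fresh)
    print("seed recovered    :", clock_seed_for(fresh, logged_time))
```

With a five-minute window only 601 candidate seeds exist, which is why the seed source, not the output length, decides how unpredictable the token is.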
Format String Problems
Improper File Access
Integer Bugs
SQL Injection
Trusting Network Address Resolution (cont’d.)
• The DNS system relies on a process of automated updates that can be exploited
• Attackers most commonly compromise segments of the DNS by either attacking the name of the name server and substituting their own DNS primary name server or by responding before an actual DNS can
Unauthenticated Key Exchange
Magic URLs and Hidden Forms
Use of Weak Password-Based Systems