Learning Objectives
- Discuss the relationship between risk management and information security
- Explain the various types of threats to the security of information
- Identify the main goals of information security
- Discuss the different categorizations of security technologies and solutions
- Explain the basic functioning of security technologies and solutions, such as passwords and password managers, two-factor authentication, firewalls, biometrics, encryption, virus protection, and wireless security
- Discuss the main purposes and content of security policies
Introduction and Definitions
Information security is defined as the set of protections put in place to safeguard information systems and/or data from security threats such as unauthorized access, use, disclosure, disruption, modification, or destruction.
Risk Management
Risk management is the process of identifying, assessing, and prioritizing the security risks an organization may face.
Organizations may decide to accept the risks, try to mitigate or prevent those risks by investing in security protections, or share the security risks with another organization (for example, by buying insurance).
Security is focused on protecting the assets a company has from both external and internal threats.
- External threats such as hackers and viruses threaten the valuable information in business
- Internal threats include monitoring the network to make sure that policies are not being breached in a harmful way and that employees are only able to access the systems they are authorized to use
Risk management has a larger focus than information security or cybersecurity
- It includes analyzing and balancing risks with the resources available to mitigate them.
Information Security Concepts
- First, security is not only about technology but also about management and people. Organizations need to make sure that security tools are properly used and that security policies are followed adequately.
- Second, the world of information security is somewhat unfair. One party must do everything to protect itself, while the other party (the attacker) only needs to find one weakness.
- Third, security for individuals, and even for organizations, requires what is called defense in depth. It means that there must be multiple layers of security protections in place.
- Example: if you have very important data on your PC, defense in depth means that you have a lock on the computer, a password to access it, a firewall to protect it, and even encryption of the data.
Levels of Security Protection in Depth
Three Main Levels
- Protection of the information itself – example: https://www.online-toolz.com/tools/text-encryption-decryption.php
- Protection of the computer on which the information is stored
- Protection of the network to which the computer is connected
Security Goals
CIA: confidentiality, integrity, and availability
- Confidentiality involves making sure that only authorized individuals can access information or data.
- Integrity involves making sure that data are consistent and complete – example: message data must not be modified during transmission.
- Availability involves ensuring that systems and/or data are available when they are needed – the organization must protect its systems from disruptions not only due to security threats but also due to power outages, hardware failures, and system updates.
Two additional goals:
- Authentication is basically making sure that the parties involved are who they say they are and that transactions, data, or communications are genuine.
- Nonrepudiation, which is particularly important in e-commerce, refers to making sure someone cannot renege (/rɪˈneɪg/) on his or her obligations.
Information Security Threats
One definition of an information security threat is any event or circumstance with the potential to affect negatively the confidentiality, integrity, or availability of the resources of the organization (including information systems, data, people, and processes).
Threats that affect confidentiality – unauthorized access to systems or data (someone accesses systems and/or data illegally, or commits theft and fraud).
Threats that affect integrity – unauthorized access that illegally modifies information in a database.
Threats that affect availability – natural disasters, or malicious software with similar consequences.
Confidentiality, integrity, and availability are often considered the threat targets, while the methods used to conduct the attack are considered the threat vectors.
Threat Vectors for Unauthorized Access
- Hacking – Password cracker; Malware; Keystroke logger; Cryptojacking; Sniffing; Software security holes; Web-based attacks
- Social Engineering and Phishing – Tricking someone into giving out information or taking an action that reduces security or harms a system
- Web-based attacks – example: formjacking, which takes control of a site’s form page and collects the user information that is entered there
- Consequences of unauthorized access
- rootkits – have access to everything on the system
- backdoors – allowing them to access the system again at their will
- victimization software – keystroke logger, spyware, attack software or other remote tools to control the systems
- Theft and fraud
- Software – employees copy legitimate software installed on their company’s server to bring home or to give someone else
- Hardware – e.g. a USB drive that automatically copies everything when it is inserted.
Threat Vectors for Denial of Service
Denial of service attacks lead to legitimate users not being able to access a system or data that they should normally have access to.
- Intentional acts – many sophisticated tools exist for carrying them out
- Careless behavior – countered by (1) education and (2) automation of security tools and updates
- Natural disasters – countered by a careful security disaster recovery plan
Malware
Malware refers to malicious software or malicious code.
Viruses are computer programs designed to perform unwanted functions. Some cause minor harm, such as sending undesirable messages. Others are very destructive, deleting all files on a computer or creating so much traffic on a network that it crashes and cannot be used by its users.
- Trojan horses – viruses embedded into a legitimate file
- Worms – propagate themselves throughout the Internet with no user intervention
- Stealth virus – more advanced virus that changes its own bit pattern to become undetectable by virus scanners
- Polymorphic virus – a virus that modifies itself each time it infects a computer to avoid detection
- Macro virus – infects documents by inserting commands
- Spyware – captures everything users do on their computers, unbeknownst to them
- Ransomware – installed on the victim’s computer via viruses, unauthorized access, or phishing
Other Threats
- Spamming involves sending emails to many individuals at once, often promoting various legitimate or nonlegitimate products.
- Huge volume of unwanted messages
- Include malware
- Spimming similar to spamming, but sent via text messaging.
- Virus hoaxes
Security Technologies and Solutions
Preventive, Corrective, and Detective Controls
- The goal of preventive controls is to stop or limit the security threat from happening in the first place – antivirus software gives alerts
- The goal of detective controls is to find or discover where and when security threats occur – audit logs
- The goal of corrective controls is to repair damages after a security problem has occurred – antivirus software removes a virus
Physical Security versus Logical Security
Physical access controls are those security solutions that involve protecting physical access to systems, applications, or data.
- Locks for laptops, locked computer rooms, and secured rooms for backup storage
- Drive shredders should be used to make sure the discarded disk drives cannot be read again
- Wiring closets are properly locked and secured
- Selection of personnel
Logical access controls include security solutions that protect access to systems, applications, or data by ensuring that users or systems are authenticated and allowed to have such access. Logical access controls use many technologies to require authentication of users and systems trying to access specific applications, networks, data, or computers. These include user profiles, biometrics, firewalls, and encryption.
User Profiles
User profiles are one of the main solutions used to prevent unauthorized access to systems, data, and applications.
User profiles require that individuals be differentiated from one another using one or several levels of identification: possession, knowledge, or trait.
- Possession is when an individual owns a form of identification. For example, your driver’s license, your student ID, and your passport are possession forms of identification.
- Knowledge is when an individual needs to know something to gain access. Passwords are a good example of knowledge required to access systems. Combining possession and knowledge, such as requiring a personal identification number (PIN) with a banking card, provides more security.
- Traits require recognition of physical or behavioral human characteristics, such as a fingerprint or a signature style, to gain access to systems, data, or applications. This is part of biometrics.
Two-Factor Authentication
With 2FA, you add an extra step to logging into an application or device that goes beyond using your username and password.
Examples: Apple, Google, LinkedIn, Amazon.com, some banks
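The user-profile and 2FA points above combine a knowledge factor (a password) with a possession factor (a one-time code from a device the user holds). The following added example, not part of the original notes, shows how a login check can verify both, using the RFC 6238 TOTP algorithm on a constructed demo user; the function names and the demo user record are hypothetical.

```python
import hashlib
import hmac
import os
import struct


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: store a slow salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Possession factor: RFC 6238 TOTP, an HMAC-SHA1 over the current 30-second
    time-step counter, dynamically truncated to a short decimal code."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def login(user: dict, password: str, code: str, now: int) -> bool:
    """Both factors must pass. Comparisons are constant-time and only one combined
    result is returned, so a failed attempt does not reveal which factor was wrong."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Accept the current step and one step either side to tolerate clock drift.
    code_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now + drift), code)
        for drift in (-30, 0, 30)
    )
    return pw_ok and code_ok


# Constructed demo user record (not a real account). The TOTP secret is the
# RFC 6238 test-vector secret so the codes can be checked against the RFC.
DEMO_SALT = os.urandom(16)
DEMO_USER = {
    "salt": DEMO_SALT,
    "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
    "totp_secret": b"12345678901234567890",
}

if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 vector gives code 287082 for this secret.
    print(totp(DEMO_USER["totp_secret"], 59))
    print(login(DEMO_USER, "correct horse battery staple", "287082", 59))
```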
Virus Protection
- Antivirus software looks for the signatures or variations of the virus in files and systems.
- Unfortunately, most antivirus programs are primarily reactive: they detect existing viruses or ones that look similar to an old virus.
Biometrics
Biometrics uses human traits and characteristics to recognize individuals.
- Physiological Biometrics
- Fingerprint recognition
- Facial recognition
- Retina recognition
- DNA recognition
- Voice recognition
- Behavioral Biometrics
- Signature recognition
- Keystroke recognition
Firewall
A firewall is a computer or a router that controls access in and out of the organization’s networks, applications, and computers.
There are several types of firewalls, which vary in how they control access into and out of the organization.
- Packet-level firewall – e.g. allows a packet only if its source IP address belongs to an acceptable computer
- Stateful inspection firewall
- Application-layer firewall
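To show the difference between the first two firewall types listed above, here is an added example (not from the original notes) of a packet-level filter that judges each packet alone by its addresses and ports, beside a stateful inspection firewall that also remembers which connections inside hosts opened. All addresses, ports and packet records are constructed; the class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the header fields a filter inspects (constructed model)."""
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True = arriving from the outside network


# Constructed policy: trusted source networks and services open to anyone.
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("203.0.113.0/24")]
PUBLIC_SERVICES = {443}


def packet_filter(pkt: Packet) -> bool:
    """Packet-level rule: accept if the source is a trusted computer or the
    destination port is a published service. No memory of earlier packets."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in TRUSTED_SOURCES):
        return True
    return pkt.dport in PUBLIC_SERVICES


class StatefulFirewall:
    """Stateful inspection: outbound packets register a session, and inbound
    packets are accepted when they are replies to a registered session.
    Anything else falls back to the static packet-level rules."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def handle(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            # Remember (remote host, remote port, inside host, inside port).
            self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return True
        return packet_filter(pkt)
```

The reply to an inside host's own web request is dropped by the packet-level filter, since its destination is a random high port, but accepted by the stateful firewall; an unsolicited inbound packet to that same host is dropped by both.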
Rendering Data Unreadable: Encryption
Encryption, also known as cryptography, is the use of mathematical algorithms to convert a message or data into information that is scrambled to make it unreadable.
Types of Cryptography
Two types of cryptographic systems:
- Asymmetric – two keys are used. The public key is used to encrypt messages. The private key is used to decrypt those messages.
- Symmetric – the same key is used to encrypt and decrypt data.
Encryption in Business Applications:
- Virtual private network (VPN) – A VPN is a connection that makes use of an open wired network such as the Internet but that provides a secured channel through encryption and other security features.
- Web and Credit Card Security – Encryption is also used for protecting information in business transactions online.
- Security certificates – the server’s public key is delivered to your browser in a certificate; the browser can then generate a secret key, encrypt it with that public key and send it to the server, where it is decrypted with the private key.
- EMV chip card technology – Europay, MasterCard, and Visa (EMV) use a chip to replace the magnetic stripe. The technology allows data to be stored on the chip.
- Near Field Communications
Wireless Security
The best protection for wireless networks remains encryption.
- WEP, Wired Equivalent Privacy – older encryption algorithm
- WPA, Wi-Fi Protected Access – more powerful encryption algorithm
- WPA2 – even more powerful and is widely available in most routers (256-bit key)
- A further protection for home wireless networks is to disable the broadcasting of the network’s ID (SSID)
Security Policies
- Security policies describe what the general security guidelines are for an organization
- Security procedures describe how to implement the security policies
- Example: “All users must change their passwords every two months”