Information security cannot completely prevent attacks or guarantee that a system is secure; rather, it creates a defense that attempts to ward off attacks and prevents the collapse of the system when an attack occurs. Thus information security is protection. It is intended to protect information that has value to people and organizations, and that value comes from the characteristics of the information. Three characteristics are:

1. Confidentiality ensures that only authorized parties can view the information
2. Integrity ensures that the information is correct and no unauthorized person or malicious software has altered that data
3. Availability ensures that data is accessible to authorized users

Information security attempts to safeguard these 3 characteristics of information. The third objective of information security is to protect the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information.

Information security is achieved through a combination of three entities. Information, hardware, software, and communications are protected in 3 layers: products, people, and procedures. These 3 layers interact with each other.

Products - Form the physical security around the data. May be as basic as door locks or as complicated as special hardware or software.

People - Those who implement and properly use security products to protect data.

Procedures - Plans and policies established by an organization to ensure that people correctly use the products.

For example, procedures tell people how to use products to protect information. Thus a more comprehensive definition of information security is that which protects the integrity, confidentiality, and availability of information.

Asset - something that has value.

Threat - an event or object that may defeat the security measures in place and result in a loss. A threat by itself does not mean that security has been compromised; rather, it simply means that the potential for creating a loss is real. A loss can be the theft of information, a delay in information being transmitted, which results in a financial penalty, or the loss of good will or reputation.

Threat agent - a person or thing that has the power to carry out a threat. It could be a person attempting to break into a secure computer network, a force of nature that could destroy computer equipment and thus destroy information, or a virus that attacks a computer network.

Vulnerability - a weakness that allows a threat agent to bypass security. An example is a software defect in an operating system that allows an unauthorized user to gain access to a computer without a password.

Exploiting - taking advantage of a security vulnerability or weakness. A hacker who knows an e-mail system does not scan attachments for a virus and sends infected e-mail messages to users is exploiting the vulnerability.

Risk - the likelihood that a threat agent will exploit a vulnerability. There are 3 options when dealing with risks: accept the risk, diminish the risk, or transfer the risk.
2. Thwarting Identity Theft

Identity theft involves using someone's personal information, such as a Social Security number, to establish bank or credit card accounts that are then left unpaid, leaving the victim with the debts and ruining their credit rating. Credit agencies now identify patterns common to identity theft to prevent its occurrence, and consumers can now receive a free copy of their credit report each year. The best defense against identity theft is to prevent private data from being stolen.

3. Avoiding Legal Consequences

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) - Healthcare enterprises must guard protected health information and implement policies and procedures to safeguard it, whether it is in paper or electronic format.

The Sarbanes-Oxley Act of 2002 (Sarbox) - Attempts to fight corporate corruption and covers the corporate officers, auditors, and attorneys of publicly traded companies. Stringent reporting requirements and internal controls on electronic financial reporting systems are required.

The Gramm-Leach-Bliley Act (GLBA) - Like HIPAA, it protects private data. It requires banks and financial institutions to alert consumers of their policies and practices in disclosing customer information. All electronic and paper data containing personally identifiable financial information must be protected.

USA Patriot Act (2001) - Designed to broaden the surveillance of law enforcement agencies so they can detect and suppress terrorism. Businesses, organizations, and colleges must provide information, including records and documents, to law enforcement agencies under a valid court order, subpoena, or other authorized agency.

The California Database Security Breach Act (2003) - Requires businesses to inform California residents within 48 hours if a breach of personal information has or is believed to have occurred. It defines personal information as data such as a name, Social Security number, driver's license number, state ID card, account number, credit card number, or debit card number and required security access codes. 40 other states now have similar laws.

Children's Online Privacy Protection Act of 1998 (COPPA) - Requires operators of online services or Web sites designed for children under the age of 13 to obtain parental consent prior to the collection, use, disclosure, or display of a child's personal information. COPPA also prohibits sites from limiting children's participation in an activity unless they disclose more personal information than is reasonably necessary to participate.

4. Maintaining Productivity

Employees cannot be productive and complete important tasks during an attack and its aftermath because computers and networks cannot function properly.

5. Foiling Cyberterrorism

Cyberterrorism - attacks launched by cyberterrorists that could cripple a nation's electronic and commercial infrastructure. Utility companies, telecommunications, and financial services are considered prime targets of cyberterrorists because they can significantly disrupt business and personal activities by destroying a few targets.
Some hackers believe it is ethical as long as they do not commit theft, vandalism, or breach any confidentiality. These hackers, who call themselves White Hats, claim their motive is to improve security by seeking out security holes so they can be fixed.

Script kiddies want to break into computers to create damage. Script kiddies, unlike hackers, are unskilled users and do their work by downloading automated hacking software (scripts) from Web sites and using it to break into computers. Because script kiddies do not understand the technology behind what they are doing, they often indiscriminately target a wide range of computers, causing problems for a large audience.

A computer spy is a person who has been hired to break into a computer and steal information. Spies are hired to attack a specific computer or system that contains sensitive information. Their goal is to break into that computer or system and take the information without drawing any attention to their actions.

Employees are one of the largest information security threats to a business. This can be brought on by carelessness, an offer of money, blackmail, or a disgruntled employee's desire to retaliate.

Cybercriminals are a loose-knit network of attackers, identity thieves, and financial fraudsters. Many security experts believe that cybercriminals belong to organized gangs of young and mostly Eastern European attackers due to strong technical universities, low incomes, an unstable legal system, and tense political relations. Cybercriminals have a more focused goal, which is money. Targeted attacks against financial networks, unauthorized access to information, and the theft of personal information are sometimes known as cybercrime.

Financial cybercrime is divided into two categories. The first uses stolen credit card data, online financial account information such as PayPal accounts, or Social Security numbers. Once obtained, this information is usually posted on a cybercrime Web site for sale to other cybercriminals. They then purchase goods online, which are shipped to Americans whose homes serve as drop-off points. The Americans then send the goods overseas (called re-shipping) before anyone is aware that a stolen credit card number was used. Once the goods are received, they are sold on the black market. The second category involves sending millions of spam e-mails to peddle counterfeit drugs, pirated software, fake watches, and pornography.

Cyberterrorists - their motivation may be defined as ideology, or attacks for the sake of their principles or beliefs:

1. To deface electronic information and spread misinformation and propaganda
2. To deny service to legitimate computer users
3. To commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data
B. SCRIPT KIDDIES
C. SPIES
D. EMPLOYEES
E. CYBERCRIMINALS
F. CYBERTERRORISTS
4. Circulate to Other Systems - once the network or system has been compromised, the attacker then uses it as a base to attack other networks and computers. The same tools are then used to probe for information on other systems.

5. Paralyze Networks and Devices - if the attacker chooses, he or she may also work to maliciously damage the infected computer or network. This may include deleting or modifying files, stealing valuable information, crashing the computer, or performing denial of service attacks.
As important as a strong network security perimeter is to blocking attacks, some attacks will slip through the defense. It is vital to have local security on all of the personal computers as well, to defend against any attack that breaches the perimeter.

2. Update Defenses

New types of online attacks appear on a regular basis. It is essential that users today be resourceful in continually updating defenses to protect their information. This involves updating defensive hardware and software as well as applying operating system patches on a regular basis.

3. Minimize Losses

It is important to realize that some attacks will get through security perimeters and local defenses, so action must be taken in advance to minimize losses. This may involve keeping backup copies of important data stored in a safe place. For an organization, it may mean having an entire business recovery policy that details what to do in the event of a successful attack.

4. Send Secure Information

As users send e-mail and other information out over the Internet, it is important that it be protected and kept secure. This might involve scrambling the data so that unauthorized eyes cannot read it. In other instances it might require reestablishing a secure electronic link between the sender and receiver that would prevent an attacker from being able to reach the information. It often involves taking proactive steps to thwart attackers.