Jan '21

Unit 08

Security Information

Learning Objectives

- Analyze why IS need special protection from destruction and computer crime.
- Understand the value of Information Security and explain general and application controls.
- Describe the types of security threats and organizational frauds.
- Understand the defense strategies and different security measures.
- Get an overview of policy and technology for safeguarding information systems.

8.1) Value of Information Security :

8.1.1) Concept & Goal of Information Security :

Information security exists in order to attain the applicable objectives of preserving

- Confidentiality
- Integrity and
- Availability

Information Systems Security is a function whose mission is to

- Establish security policies and their associated procedures
- Control elements over their information assets

with the goal of guaranteeing their confidentiality, integrity, and availability.
8.1.2) Computer Crime :

- An unauthorized use, access, modification, and destruction of hardware, software, data, or network resources.
- An unauthorized release of information.
- An unauthorized copying of software.
- Denying an end user access to his or her own hardware, software, data, or network resources.
- Using computer or network resources to obtain information.

8.2) Security Threats for Business :

8.2.1) Unintentional and Intentional Threats :

Unintentional Threats :

Unintentional threats fall into three major categories:

1) Human errors
2) Environmental hazards
3) Computer system failures.

Intentional Threats :

a) Computer Viruses and Other Types of Malware
b) Denial of Service (DoS) Attacks
c) Data, Program, or Web Site Alteration

1) Computer Viruses and Other Types of Malware :

- The damage can take place immediately after a computer is infected (that is, the malware software is installed) or it can begin when a particular condition is met.
- The most common types of malware are :
  - Computer Viruses
  - Computer Worms
  - Trojan Horses
  - Mobile Malware
a) Computer Viruses :

- Malicious program embedded in a file that is designed to cause harm to the computer system.
- Software program that is installed without the permission or knowledge of the computer user.
- Typically has a detrimental effect, such as corrupting the system or destroying data.

b) Computer Worms :

- Malicious program designed to spread rapidly by sending copies of itself to other computers.
- A worm is self-executing; that is, it does not require a host to replicate.
- With these characteristics, a worm is able to enter a computer without any active participation by its user.

c) Trojan Horse :

- A Trojan horse is a program that appears to be useful or harmless but actually conceals a smaller program.
- For example, a Trojan horse may be delivered as an e-mail attachment and described as a computer game.
d) Mobile Malware :

- In addition to computers, malware also can infect smartphones, media tablets, printers, and other devices that contain computing hardware and software.
- While more than 90% of today's mobile malware is spread via malicious links, smartphones with Bluetooth capabilities.

2) Denial of Service (DoS) Attack :

3) Data, Program, or Web Site Alteration :

- A hacker breaches a computer system in order to delete data, change data, modify programs, or otherwise alter the data and programs located there.
- For example, a student might try to hack into the school database to change his or her grade.
- A hacker might change a program located on a company server in order to steal money or information.

8.2.2) VULNERABILITIES & DEFENSE-IN-DEPTH MODEL :

Step 1: Senior management commitment and support

- Senior managers' influence is needed to implement and maintain security, ethical standards, privacy practices, and internal control.

Step 2: Acceptable use policies and IT security training

- The next step in building an effective IT security program is to develop security policies and provide training to ensure that everyone is aware of and understands them.

Step 3: IT Security Procedures and Enforcement

- If users' activities are not monitored for compliance, the AUP is useless. Therefore, the next step is to implement monitoring procedures, training, and enforcement of the AUP.

Step 4: Hardware and Software

- The last step in the model is implementation of the software and hardware needed to support.

- Data has to be protected by different layers of defense as shown in the figure.

8.2.3) Insiders and Outsiders :

Insiders :

- Those who are authorized to use the computer system but are misusing their authorization.
- Insider fraud is a term referring to a variety of criminal behaviors perpetrated by an organization's own employees or contractors.

Outsiders :

- Those who penetrate a computer system, frequently via communications lines.
- A hacker or cracker known as an outsider is not an employee of the company or government agency whose computer systems have been attacked.

8.2.4) INTERNAL FRAUD PREVENTION AND DETECTION :

Here are a few steps of Internal Fraud Prevention and Detection :

a) Corporate Governance
b) Intelligent Analysis, Audit Trails, and Anomaly Detection
c) Identity Theft

8.3) Security Risks Assessment :

8.3.1) Defense Strategies :

- The defense strategy and controls that should be used depend on what needs to be protected and the cost-benefit analysis.
- The following are the major objectives of defense strategies:
  a) Prevention and Deterrence
  b) Detection
  c) Contain the Damage
  d) Recovery
  e) Correction
  f) Awareness and Compliance

a) Prevention and Deterrence :

- Properly designed controls may prevent errors from occurring, deter criminals from attacking the system, and, better yet, deny access to unauthorized people.

b) Detection :

- The earlier an attack is detected, the easier it is to combat, and the less damage is done.
- Detection can be performed in many cases by using special diagnostic software, at a minimal cost.

c) Contain the Damage :

- This objective is to minimize or limit losses once a malfunction has occurred.
- This process is also called damage control.

d) Recovery :

- A recovery plan explains how to fix a damaged information system as quickly as possible.
- Replacing rather than repairing components is one route to fast recovery.

e) Correction :

- Correcting the causes of damaged systems can prevent the problem from occurring again.

f) Awareness and Compliance :

- All organization members must be educated about the hazards and must comply with the security rules and regulations.
Jan '21

8.3.2) General & Application Control :

- A defense strategy is also going to require several controls.
- General controls are established to protect the system regardless of the specific application.
- Application controls are safeguards that are intended to protect specific applications.

General Control :

Software controls :
- Authorised access to systems

Hardware controls / Physical Control :
- Physically secure hardware
- Monitor for and fix malfunctions
- Environmental systems and protection
- Backup of disk-based data

Access controls :
- Consist of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders.
- Types of Access controls are :
  a) Passwords
  b) Tokens, Smart cards
  c) Biometric Authentications

Biometric Authentications :
- Hand Geometry
- Blood vessel pattern Recognition
- Voice, Signature
- Keystroke Dynamics
- Facial Recognition
- Facial Thermography
- Fingerprints, Iris scan

Application Control :

- They are unique to each computerized application.
- Application controls are specific to a given application.
- They include such measures as validating input data, and processing and disseminating information only to authorized users.
- They include input, processing, and output controls.
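As an added example (not from the original slides), the three kinds of application controls named above applied to a small employee-record lookup in Python: an input control that validates the record id, a processing control that checks the requesting user, and an output control that limits which fields are disseminated. The users, roles, records and the field-masking policy are constructed sample data assumed for the example.

```python
import re

# Constructed sample data for the example: user -> role, role -> visible
# fields, and the employee records the application protects.
USERS = {"alice": "payroll", "bob": "helpdesk"}
ROLE_CAN_VIEW = {"payroll": {"name", "salary", "ssn"}, "helpdesk": {"name"}}
RECORDS = {"E1001": {"name": "Dana Lee", "salary": 52000, "ssn": "123-45-6789"}}

# Input control: the only shape of employee id the application accepts.
EMPLOYEE_ID = re.compile(r"^E\d{4}$")


class ControlViolation(Exception):
    """Raised when an input, processing or output control rejects a request."""


def validate_employee_id(raw):
    """Input control: normalise the value and reject anything malformed,
    so nothing unexpected reaches the processing stage."""
    value = str(raw).strip().upper()
    if not EMPLOYEE_ID.fullmatch(value):
        raise ControlViolation("input rejected: malformed employee id")
    return value


def authorize(user, employee_id):
    """Processing control: only a known user with a role may process a
    request, and only against a record that actually exists."""
    role = USERS.get(user)
    if role is None:
        raise ControlViolation("processing rejected: unknown user")
    if employee_id not in RECORDS:
        raise ControlViolation("processing rejected: no such record")
    return role


def filter_output(record, role):
    """Output control: disseminate only the fields this role may see; other
    fields are masked, not dropped, so the recipient knows data was withheld."""
    allowed = ROLE_CAN_VIEW.get(role, set())
    return {k: (v if k in allowed else "***") for k, v in record.items()}


def lookup(user, raw_id):
    """Apply the three controls in order and return the filtered record."""
    emp_id = validate_employee_id(raw_id)
    role = authorize(user, emp_id)
    return filter_output(RECORDS[emp_id], role)
```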

8.3.2) Network Security :

Three layers of network security measures :

8.4.1) Policies & Legislation in the context of Nepal :

Policies & Legislation in the context of Nepal, an overview of :

a) Electronic Transaction Act, 2007
b) Cyber Law Enforcement in Nepal
c) IT Policy, 2010

a) Electronic Transaction Act, 2007 :

- It is expedient to make legal provisions for authentication and regularization of the recognition, validity, integrity and reliability of electronic transactions.
- The act has defined many terms related to cyber activities.
- It also has strong provisions of punishment against cyber crimes.

b) Cyber Law Enforcement in Nepal :

- Cyber Law includes an ample variety of legal issues related to the Internet and other communications technology, including intellectual property, privacy, freedom of expression, and jurisdiction.
- The cyber law of Nepal is in the process of development. The recent Ordinance of E-Commerce (2004 AD) is a milestone of cyber law in Nepal.
- Cyber law encompasses laws relating to :
  - Electronic and Digital Signatures, Cyber Crime
  - Intellectual Property (IP), Patents for inventions
  - Trade marks for brand identification
  - Designs for product appearance
  - Copyright for material
  - Data Protection and Privacy
  - Internet Gambling

c) IT Policy, 2010 :

- The world is emerging into a small cyber world, and Nepal also took its first step towards it in 2000.
- IT Policy was introduced as a means to develop the IT sector in Nepal.
- Later, in the year 2010, an updated IT policy came.
- The main vision of IT Policy is: "To place Nepal on the global map of information technology".

8.4.2) Computer Monitoring Software and Video Surveillance :

a) Computer Monitoring Software :

- Computer monitoring software is used specifically for the purpose of recording keystrokes or otherwise monitoring someone's computer activity.
- Some programs also have apps that can be used to monitor media tablet and smartphone activity.

- Computer monitoring programs record the activities taking place (such as the amount of time spent on and tasks performed via the Web or installed software).
- They take screenshots of the screen at specified intervals.

b) Video Surveillance :

- The idea of video surveillance is nothing new.
- Many retail stores, banks, office buildings, and other privately owned facilities that are open to the public routinely use closed-circuit security cameras to monitor activities taking place at those facilities for security purposes.

8.4.3) Internal Control Environment & Employee Precautions :

a) Internal Control Environment :

- The internal control environment is the work atmosphere that a company sets for its employees.
- Internal control is a process designed to achieve:
  a) Reliability of financial reporting
  b) Operational efficiency
  c) Compliance with laws
  d) Regulations and policies
  e) Safeguarding of assets

b) Employee Precautions :

- While only about 20% of business security breaches are committed by insiders, they are responsible for the majority (66.7%) of exposed records.
- These breaches are typically malicious in nature, with an employee deliberately performing the act.
- In either case, employers should be cautious.
- Some suggestions to avoid security breaches by employees are listed below.
  a) Screen Potential New Hires Carefully
  b) Watch for Disgruntled Employees and Ex-Employees
  c) Develop Policies and Controls
  d) Use Software to Manage Employee Devices and Prevent Data Leaks
  e) Ask Business Partners to Review Their Security

8.4.4) Protecting Personal and Workplace Privacy :

a) The Employer's Responsibilities :

- To protect the personal privacy of their employees and customers.
- Businesses and organizations have a responsibility to keep private information about their employees, the company, and their customers safe.

b) The Employee's Responsibilities :

- Employees have the responsibility to read a company's employee policy when initially hired.
- And to review it periodically to ensure that they understand the policy.
- And do not violate any company rules while working for that organization.

END