
Chapter Four

Information, Security and Controls

OPENING CASE 4.1: THE SONY PICTURES ENTERTAINMENT HACK:

● In November 2014, hackers successfully penetrated the SPE information systems and
copied terabytes of data that included confidential personal information about SPE
employees and their dependents. The hackers also accessed unreleased movies and other
corporate data. The hack was accompanied by threats of terrorist action around the release
of a film called “The Interview.”

Responses:

The FBI launched an investigation and claimed that the North Korean government was
responsible for the attack. Sony pulled the movie and canceled showings of scheduled dates.
Large cinema chains followed suit, canceling their release of the movie. It was later released to
independent theaters and online movie services.

The Results:

There are many “open ends” around the responsibilities of SPE and the U.S. government.
Neither appears to be capable of protecting data from hackers.

Questions:

1. Was Sony’s response to the breach adequate? Why or why not?


2. Should governments help private organizations that are attacked (or allegedly attacked)
by foreign governments? Why or why not?

INTRODUCTION TO INFORMATION SECURITY

● Information security refers to all of the processes and policies designed to protect an
organization's information and information systems (IS) from unauthorized access, use,
disclosure, disruption, modification, or destruction.
● A threat to an information resource is any danger to which a system may be exposed.
● Exposure is the harm, loss or damage to a compromised resource.
● An information resource’s vulnerability is the possibility that the system will be harmed
by a threat.

INFORMATION SECURITY

● Five key factors that affect the vulnerability and security of organizational information
resources:
○ Today’s interconnected, interdependent, wirelessly networked business
environment;
○ Smaller, faster, cheaper computers and storage devices;
○ Decreasing skills necessary to be a computer hacker;
○ International organized crime taking over cybercrime;
○ Lack of management support.

UNINTENTIONAL THREATS TO INFORMATION SYSTEMS:

● Information systems are vulnerable to many potential hazards and threats.
● There are two major categories of threats: unintentional threats (acts performed without
malicious intent) and deliberate threats.

SECURITY THREATS:
HUMAN ERRORS:

● There are two important points to be made about employees:
○ The higher the level of an employee, the greater the threat he or she poses to information
security.
○ Employees in two areas of the organization pose especially significant threats to
information security: human resources and information systems (IS).
● What other employees could pose threats? How?
● Table 4.1, p. 88 describes how human mistakes (unintentional errors) manifest themselves
in many different ways:
○ Carelessness with laptops and other computing devices
○ Opening questionable emails
○ Careless Internet surfing
○ Poor password selection and use
○ Carelessness with one’s office
○ Carelessness using unmanaged devices
○ Carelessness with discarded equipment
○ Careless monitoring of environmental hazards

SOCIAL ENGINEERING:

● Social engineering is an attack in which the perpetrator uses social skills to trick or
manipulate a legitimate employee into providing confidential company information such
as passwords.
● Techniques include:
○ Impersonation: pretending to be a company manager or an information systems
employee
○ Tailgating: following behind an employee to enter restricted areas
○ Shoulder surfing: watching over someone’s shoulder to view data or passwords

DELIBERATE THREATS TO INFORMATION SYSTEMS:

Ten common types:

1. Espionage or trespass
2. Information extortion
3. Sabotage or vandalism
4. Theft of equipment or information
5. Identity theft
6. Compromises to intellectual property
7. Software attacks
8. Alien software
9. Supervisory control and data acquisition(SCADA) attacks
10. Cyberterrorism and cyberwarfare

1. ESPIONAGE OR TRESPASS:

● Espionage or trespass occurs when an unauthorized individual attempts to gain illegal
access to organizational information.
○ Competitive intelligence: legal information-gathering techniques.
Example: studying a company’s Web site
○ Industrial espionage crosses the legal boundary. Example: theft of confidential
data

2. THEFT OF EQUIPMENT OR INFORMATION:

● Small, powerful devices with increased storage such as laptops, smart phones, digital
cameras, thumb drives, and iPods are becoming easier to steal and easier for attackers to
use to steal information.
● Example: dumpster diving involves the practice of rummaging through commercial or
residential trash to find information that has been discarded so that passwords or
technical manuals to devices can be obtained.

3. IDENTITY THEFT

● In a web page titled:
○ Office of the Privacy Commissioner of Canada: Identity Theft and You,
you will find tips for reducing the risk of identity theft and suggestions for what to do if it does
happen.
● Causes include:
○ stealing mail or dumpster diving;
○ stealing personal information in computer databases;
○ infiltrating organizations that store large amounts of personal information (e.g.,
data aggregators such as Acxiom)
○ impersonating a trusted organization in an electronic communication (phishing).

4. COMPROMISES TO INTELLECTUAL PROPERTY:

● Intellectual property is property created by individuals or corporations which is
protected under trade secret, patent or copyright laws.
○ Trade secret: intellectual work that is a company secret and is not based on
public information.
○ Patent: grants the holder exclusive rights on an invention or process for 20 years.
○ Copyright: provides creators of intellectual property with ownership of the
property for life of the creator plus 50 years.

● Piracy: copying a software program without making payment to the owner.

5. TYPES OF SOFTWARE ATTACKS:

● Remote attacks requiring user action: virus, worm, phishing attack, spear phishing attack
● Remote attacks needing no user action: denial-of-service attack, distributed
denial-of-service attack
● Attacks by a programmer developing a system: Trojan horse, back door, logic bomb

6. ALIEN SOFTWARE:

● Alien software: clandestine software that is installed on your computer without your
knowledge, also known as pestware
● Adware: software that causes pop-up advertisements to appear on your screen.
● Spyware: collects personal information about users without their consent.
○ Keystroke loggers (keyloggers): record your individual keystrokes [including
passwords] and your browsing history
○ Screen scrapers (screen grabbers): record your screen activity

● Spamware: unsolicited e-mail, usually advertising for products and services.
● Cookies: small amounts of information that Websites store on your computer, temporarily
or more or less permanently. They are used to enable you to log in to your favorite websites, for
example.
● Tracking cookies: track your actions on a particular web site, such as what you looked at
and how long you were there.

7. SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) ATTACKS:

● SCADA systems, such as those provided by Bentek Systems, are used to monitor or to
control chemical, physical, and transport processes used in:
○ oil refineries
○ water and sewage treatment plants
○ electrical generators
○ nuclear power plants
○ other sensor-based systems, such as baby monitors.

8. CYBERTERRORISM AND CYBERWARFARE:

● Cyberterrorism and cyberwarfare refer to malicious acts in which attackers use a target’s
computer systems, particularly via the Internet, to cause physical real-world harm or
severe disruption, usually to carry out a political agenda.
● The Canadian government has an explanation of cyber security and a description of
Canada’s Cyber Security Strategy at
https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/cbr-scrt-strtgy/index-eng.aspx

9. WHAT ORGANIZATIONS ARE DOING TO PROTECT THEMSELVES:

● Developing security management strategies and allocating sufficient resources managed
by a Chief Security Officer or CIO
● Developing software and services that deliver early warnings of trouble on the Internet.
● Early-warning systems are proactive, scanning the Web for new viruses and alerting
companies to the danger.

10. DIFFICULTIES IN PROTECTING INFORMATION RESOURCES:

● Hundreds of threats
● Many locations of computing resources
● Broad access to information assets
● Difficult to protect distributed networks
● Rapid technological changes
● Crimes can go undetected for long periods of time
● Violation of “inconvenient” security procedures
● Minimal knowledge needed to commit crimes
● High costs of prevention
● Difficult to conduct a cost-benefit justification

RISK MANAGEMENT:

● Risk management consists of three processes:

1. Risk analysis
2. Risk mitigation
3. Controls evaluation

Risk Analysis:

● Risk Analysis involves three steps:

1. Assessing the value of each asset being protected
2. Estimating the probability that each asset will be compromised
3. Comparing the probable costs of the assets being compromised with the costs of
protecting that asset

Risk Mitigation:

● Risk mitigation has two functions:

○ implementing controls to prevent identified threats from occurring, and
○ developing a means of recovery should the threat become a reality

● The three most common risk mitigation strategies:

1. Risk acceptance: Accept the potential risk, continue operating with no controls, and
absorb any damages that occur.
2. Risk limitation: Limit the risk by implementing controls that minimize the impact of the
threat.
3. Risk transference: Transfer the risk by using other means to compensate for the loss,
such as by purchasing insurance.

CONTROLS EVALUATION:

● The organization identifies security deficiencies and calculates the cost of implementing
controls.
● If the costs of implementing a control are greater than the value of the asset being
protected, the control is not cost effective.
● Effective management reporting improves an organization's ability to design and evaluate
controls.
● Enterprise risk management software such as SAP Risk Management is touted as assisting
with reviewing risk management solutions.
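An added example, not from the notes or the textbook, that carries the three risk analysis steps, the three mitigation strategies and the controls-evaluation rule above through in code. The asset values, probabilities and costs are constructed, and pricing "risk limitation" as control cost plus the residual expected loss is my assumption:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Asset:
    name: str
    value: float                 # step 1: value of the asset being protected
    annual_probability: float    # step 2: estimated chance of compromise per year
    control_cost: float          # yearly cost of the control that would limit the risk
    residual_probability: float  # chance of compromise that remains with the control in place
    insurance_premium: Optional[float] = None  # yearly cost to transfer the risk, if offered

def expected_loss(asset: Asset) -> float:
    """Step 3 input: probable yearly cost of the asset being compromised."""
    return asset.value * asset.annual_probability

def control_is_cost_effective(asset: Asset) -> bool:
    """Controls-evaluation rule from the notes: a control that costs more than
    the asset it protects is not cost effective."""
    return asset.control_cost <= asset.value

def recommend_strategy(asset: Asset) -> str:
    """Compare the yearly cost of each mitigation strategy and return the cheapest."""
    options = {"risk acceptance": expected_loss(asset)}
    if control_is_cost_effective(asset):
        # Limitation still carries the residual expected loss on top of the control cost
        # (modelling assumption, not a rule stated in the notes).
        options["risk limitation"] = asset.control_cost + asset.value * asset.residual_probability
    if asset.insurance_premium is not None:
        options["risk transference"] = asset.insurance_premium
    return min(options, key=options.get)

# Constructed sample assets; the figures are illustrative, not taken from the notes.
CUSTOMER_DB = Asset("customer database", 500_000, 0.10, 20_000, 0.02, 45_000)
LOBBY_KIOSK = Asset("lobby kiosk", 2_000, 0.30, 3_000, 0.0)
PAYMENT_SYSTEM = Asset("payment system", 1_000_000, 0.05, 80_000, 0.01, 40_000)

if __name__ == "__main__":
    for a in (CUSTOMER_DB, LOBBY_KIOSK, PAYMENT_SYSTEM):
        print(f"{a.name}: expected loss {expected_loss(a):,.0f} -> {recommend_strategy(a)}")
```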

CONTROLS:

● Categories of controls:

Security is only one aspect of operational controls (which are part of general controls).

Controls come in “layers”:

● Control environment
● General controls
● Application controls

CONTROL ENVIRONMENT:

● Encompasses management attitudes towards controls, as evidenced by management
actions, as well as by stated policies that address:
○ Ethical issues
○ Quality of supervision
● This is part of the organizational culture.
● Firewalls are an example of a general computer control that is part of the control
environment and can help to prevent botnets.

WHERE DEFENSE MECHANISMS (CONTROLS) ARE LOCATED:

CATEGORIES OF GENERAL CONTROLS INCLUDE:

● Physical: walls, doors, fencing, gates, locks, badges, guards, alarm systems, pressure
sensors, and motion detectors.
● Access Controls: can be physical (e.g. locks) or logical (e.g. passwords)
● Communication: firewalls, anti-malware systems, whitelisting and blacklisting,
encryption, virtual private networks (VPNs), transport layer security (TLS), and employee
monitoring systems.

Authentication:

● To authenticate (verify the identity of) authorized personnel, an organization can use one
or more of the following types of methods:
○ something the user is (biometrics)
○ something the user has
○ something the user does
○ something the user knows

BASIC GUIDELINES FOR CREATING STRONG PASSWORDS:

● Difficult to guess
● Long rather than short
● Uppercase letters, lowercase letters, numbers, and special characters
● Do not use recognizable words
● Do not use the name of anything or anyone familiar (family names or names of pets)
● Do not use a recognizable string of numbers (Social Insurance Number or a birthday)
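An added example, not from the notes, that turns the guidelines above into a check a defender can run on a candidate password and report which guideline it breaks. The word list, the 12-character minimum and the digit patterns treated as "recognizable" are my assumptions:

```python
import re
import string

# Constructed stand-in for a dictionary of recognizable words; a real deployment
# would load a full word list (and a breached-password list) from a file.
COMMON_WORDS = {"password", "welcome", "summer", "hockey", "toronto", "letmein"}

def recognizable_digits(run: str) -> bool:
    """True for digit strings a guesser would try first: repeated digits,
    ascending/descending sequences, a year, a YYYYMMDD date, or a SIN-length run."""
    if len(set(run)) == 1 or run in "0123456789" or run in "9876543210":
        return True
    if len(run) == 9:                                  # Social Insurance Number length
        return True
    if len(run) == 4 and 1900 <= int(run) <= 2099:     # a birth year
        return True
    if len(run) == 8:                                  # a YYYYMMDD birthday
        y, m, d = int(run[:4]), int(run[4:6]), int(run[6:])
        return 1900 <= y <= 2099 and 1 <= m <= 12 and 1 <= d <= 31
    return False

def check_password(pw: str, familiar_names=(), min_length: int = 12) -> list:
    """Return the guidelines from the notes that the password breaks; an empty
    list means it passes. familiar_names holds the user's own family and pet names."""
    problems = []
    lower = pw.lower()
    if len(pw) < min_length:
        problems.append("too short")
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):
        problems.append("missing upper, lower, digit or special character")
    if any(word in lower for word in COMMON_WORDS):
        problems.append("contains a recognizable word")
    if any(name.lower() in lower for name in familiar_names if name):
        problems.append("contains a familiar name")
    if any(recognizable_digits(run) for run in re.findall(r"\d{4,}", pw)):
        problems.append("contains a recognizable string of numbers")
    return problems

if __name__ == "__main__":
    for candidate in ("Password123!", "Fluffy-2014-Rules", "m7#Qz!v2Rp$k9L"):
        print(candidate, "->", check_password(candidate, familiar_names=["Fluffy"]) or "ok")
```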

AUTHORIZATION:

● Authorization determines which actions, rights, or privileges the person has, based on his
or her verified identity.
● Privilege (also known as profile): the computer operations that a user is allowed to
perform
● Least privilege: users are granted the privilege for activities only if they need it for their
job.

COMMUNICATIONS CONTROLS:

● Firewalls
● Anti-malware systems, for example Norton:
○ http://symantec-norton.com/default.aspx?lang=en-CA&par=goo_caenbroad_norton&gclid=CKLX5I-u-bkCFfFDMgod4k0AJg

● Whitelisting and blacklisting
● How encryption works: http://www.howstuffworks.com/encryption.htm
● Virtual private networks (VPN)
● Transport layer security (TLS – formerly secure sockets layer, SSL) provided by
Symantec: http://www.symantec.com/en/ca/
● Employee monitoring systems

FIREWALLS FOR A HOME AND AN ORGANIZATION:

HOW PUBLIC KEY ENCRYPTION WORKS:


HOW DIGITAL CERTIFICATES WORK:

VIRTUAL PRIVATE NETWORK AND TUNNELING:

● VPNs have several advantages:
○ Allow remote users to access the company network
○ Provide flexibility to access the network remotely
○ Organizations can impose their security policies through VPNs.

EMPLOYEE MONITORING SYSTEM:

● Employee Monitoring Systems examples:
○ SpectorSoft
○ Forcepoint

APPLICATION CONTROLS:

● Controls that apply to individual applications (functional areas), e.g. payroll. Examples for
functional areas include:
○ Input: Edits that check for reasonable data ranges (accuracy)
○ Processing: Automatically check that each line of an invoice adds to the total
(accuracy for total and completeness of line items)
○ Output: Supervisor reviews payroll journal for unusual amounts (exceptions)
before cheques are printed (authorization).
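An added example, not from the notes or the textbook, that applies the three application controls above to an invoice before a cheque is printed: input edits on ranges, a processing check that the lines add to the total, and an output exception held for supervisor authorization. The range limits, review threshold and sample invoices are constructed assumptions:

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Line:
    quantity: int
    unit_price: float

@dataclass
class Invoice:
    number: str
    lines: List[Line]
    stated_total: float

# Constructed edit limits; real ranges come from the business and are reviewed periodically.
MAX_QUANTITY = 1_000
MAX_UNIT_PRICE = 10_000.00
REVIEW_THRESHOLD = 25_000.00   # output control: larger amounts need supervisor authorization

def input_edits(inv: Invoice) -> List[str]:
    """Input control: flag values outside reasonable ranges (accuracy)."""
    errors = []
    for i, ln in enumerate(inv.lines, 1):
        if not 1 <= ln.quantity <= MAX_QUANTITY:
            errors.append(f"line {i}: quantity {ln.quantity} out of range")
        if not 0 < ln.unit_price <= MAX_UNIT_PRICE:
            errors.append(f"line {i}: unit price {ln.unit_price} out of range")
    return errors

def processing_check(inv: Invoice) -> List[str]:
    """Processing control: the lines must add to the stated total (accuracy, completeness)."""
    computed = round(sum(ln.quantity * ln.unit_price for ln in inv.lines), 2)
    if abs(computed - inv.stated_total) > 0.005:
        return [f"lines add to {computed:.2f} but invoice states {inv.stated_total:.2f}"]
    return []

def output_decision(inv: Invoice) -> str:
    """Output control: reject bad invoices, hold unusual amounts as exceptions for review."""
    problems = input_edits(inv) + processing_check(inv)
    if problems:
        return "reject: " + "; ".join(problems)
    if inv.stated_total > REVIEW_THRESHOLD:
        return "hold for supervisor review"
    return "print cheque"

# Constructed sample invoices.
GOOD = Invoice("INV-1001", [Line(10, 12.50), Line(2, 99.99)], 324.98)
BAD_TOTAL = Invoice("INV-1002", [Line(10, 12.50), Line(2, 99.99)], 350.00)
LARGE = Invoice("INV-1003", [Line(100, 300.00)], 30_000.00)
BAD_QTY = Invoice("INV-1004", [Line(5_000, 12.50)], 62_500.00)
```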

BUSINESS CONTINUITY PLANNING (BCP), BACKUP, AND RECOVERY

● BCP purpose:
○ Provide continuous availability
○ Be able to recover in the event of a hardware or software failure
○ Ensure that critical systems are available and operating
● In the event of a major disaster, organizations can employ several strategies for business
continuity including:
○ hot sites
○ warm sites
○ cold sites
○ off-site data storage

INFORMATION SYSTEMS AUDITING:

● Types and examples of auditors:
○ External: public accounting firm
○ Government: Canada Revenue Agency
○ Internal: work for specific organizations
○ Specialist: IT auditors

CHAPTER CLOSING:

1. There are five factors that contribute to the increasing vulnerability of information
resources such as smaller, faster, cheaper computers and storage devices.

2. Human mistakes are unintentional errors. Social Engineering is an attack where the
perpetrator uses social skills to trick or manipulate a legitimate employee into providing
confidential company information.

3. There are ten types of deliberate attacks to information systems such as espionage.

4. The three risk mitigation strategies are risk acceptance, risk limitation and risk
transference.

5. Information systems are protected with a wide variety of controls such as security
procedures, physical guards, and detection software.

6. Professionals such as IT auditors help to assess information systems.
