Security: the degree of protection against criminal activity, danger, damage and/or loss.
Information Security: all the process and policies designed to protect an organization's
information and information systems (IS) from unauthorized access, use, disclosure,
disruption, modification, or destruction.
By protecting information from threats, we can achieve three main security goals:
Confidentiality: we can keep our secrets under control.
Integrity: our information is not corrupted.
Availability: we can see our information whenever we want.
Now, how do these goals help us today? Take modern banking as an example. Today we can
manage our money privately online, we can withdraw cash from an ATM at any time, day or
night, and we can quickly place an online order for just about anything. Without
information security, none of these things would be possible.
Vulnerability: the possibility that the system will suffer harm from a threat.
It is basically a weakness in design, implementation, operation, or internal control. Sometimes
connecting your computer to the Internet is a vulnerability by itself, especially if your
computer is not patched and secured against cyber-attacks.
Exposure: the harm, loss or damage that can result if a threat compromises that resource.
Threats to Information Security
Today, five key factors are contributing to the increasing vulnerability of organizational
information resources, making it much more difficult to secure them:
• Today’s interconnected, interdependent, wirelessly networked business environment
• Smaller, faster, cheaper computers and storage devices
• Decreasing skills necessary to be a computer hacker
• International organized crime taking over cybercrime
• Lack of management support
Hacker: a person who finds weaknesses in a computer system and exploits them.
Script kiddie: someone who lacks programming knowledge and uses existing software to
launch an attack.
Top-level management sometimes ignores security requirements. One of the main reasons
for this behaviour is that security measures are not cheap to acquire, and people
usually do not see the actual value of security and privacy measures until they fall
victim to hackers. Only then do they pay close attention to small security details, but
by that time it may be too late. The security threats themselves are covered in the
sections that follow.
4.2 Unintentional Threats to Information Systems
Unintentional threats are acts performed without malicious intent that nevertheless
represent a serious threat to information security.
A major category of unintentional threats is human error.
Human Errors
Poor password selection and use: choosing and using weak passwords.
Carelessness with one's office: leaving desks and filing cabinets unlocked when employees
go home at night; not logging off the company network when leaving the office for any
extended period of time.
Carelessness using unmanaged devices: unmanaged devices are those outside the control of
an organization's IT department and company security procedures. These devices include
computers belonging to customers and business partners, computers in the business centres
of hotels, and so on.
Social Engineering:
An attack in which the perpetrator uses social skills to trick or manipulate a legitimate
employee into providing confidential information such as passwords. The most common
example of social engineering occurs when the attacker impersonates someone else on the
telephone, such as a company manager or an information systems employee. The attacker
claims he forgot his password and asks the legitimate employee to give him a password to
use. Other common ploys include posing as an exterminator, an air-conditioning technician,
or a fire marshal.
Two other social engineering techniques are tailgating and shoulder surfing.
Tailgating is a technique designed to allow the perpetrator to enter restricted areas that are
controlled with locks or card entry. The perpetrator follows closely behind a legitimate
employee and, when the employee gains entry, the attacker asks him or her to "hold the
door." In other words, it occurs when an unauthorized person slips in through a door before
it closes.
Shoulder surfing occurs when a perpetrator watches an employee's computer screen over
the employee's shoulder. This technique is particularly successful in public areas such as
airports and on commuter trains and airplanes.
There are many types of deliberate threats to information systems. We provide a list of 10
common types for your convenience.
• Espionage or trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property
• Software attacks
• Alien software
• Supervisory control and data acquisition (SCADA) attacks
• Cyberterrorism and cyberwarfare
1- Espionage or trespass:
Occurs when an unauthorized individual attempts to gain illegal access to organizational
information. It is important to distinguish between competitive intelligence and industrial
espionage. Competitive intelligence consists of legal information-gathering techniques such
as studying a company’s Web site and press releases, attending trade shows, and similar
actions. In contrast, industrial espionage crosses the legal boundary.
2- Information extortion:
Occurs when an attacker either threatens to steal or actually steals information from a
company. The perpetrator demands payment for not stealing the information, for returning
stolen information, or for agreeing not to disclose the information.
3- Sabotage or vandalism:
Defacing an organization's website, potentially damaging the organization's image and
causing its customers to lose faith. One form of online vandalism is a hacktivist or
cyberactivist operation: a case of high-tech civil disobedience to protest the
operations, policies, or actions of an organization or government agency.
Spamware: alien software that is designed to use your computer as a launchpad for
spammers. Spam is unsolicited (unwanted) e-mail.
Cookies: small amounts of information that Web sites store on your computer, temporarily
or more or less permanently. In many cases, cookies are useful and innocuous.
For example, some cookies hold passwords and user IDs that you do not want to retype every
time you access the Web site that issued the cookie. Cookies are also necessary for online
shopping because merchants use them for your shopping carts.
Risk analysis:
- assess the value of each asset being protected.
- estimate the probability that it might be compromised.
- compare the probable cost of it being compromised with the cost of protecting it.
Risk mitigation: is when the organization takes concrete actions against risk. It has two
functions:
(1) implement controls to prevent identified threats from occurring.
(2) develop a means of recovery should the threat become a reality.
Risk transference: transfer the risk to a third party by using other means to compensate for
the loss, such as purchasing insurance and keeping off-site backups.
Risk limitation: limit the risk by implementing controls that minimize the impact of the threat.
Risk Acceptance: accept the potential risk, continue operating with no controls, and absorb
any damages that occur.
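The three risk-analysis steps and the choice between mitigation, transference and acceptance, worked through in code. This is an added illustration, not part of the notes: the assets, probabilities and costs are constructed sample values, and the decision rule (mitigate when the control costs less than the loss it prevents, otherwise transfer if a third party will carry the risk, otherwise accept) is an assumption made for the example, since the notes describe the strategies without giving a formula.

```python
"""Risk analysis and risk treatment, illustrated (added example, not from the notes)."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float                  # loss to the organization if compromised
    annual_probability: float     # estimated chance of compromise per year
    control_cost: float           # annual cost of the control that would protect it
    control_effectiveness: float  # fraction of the loss the control prevents (0..1)
    insurable: bool               # whether a third party will carry the residual risk


def expected_loss(asset: Asset) -> float:
    """Step 1 and 2 combined: probable annual cost of compromise = value * probability."""
    return asset.value * asset.annual_probability


def residual_loss(asset: Asset) -> float:
    """Expected loss that remains after the control is applied."""
    return expected_loss(asset) * (1 - asset.control_effectiveness)


def recommend(asset: Asset) -> str:
    """Step 3: compare the loss a control prevents with what the control costs.

    Assumed decision rule for this illustration:
    - mitigate: the control costs less than the loss it prevents
    - transfer: the control is not worth it, but a third party can carry the risk
    - accept:   neither is worth it; continue operating and absorb any damages
    """
    prevented = expected_loss(asset) - residual_loss(asset)
    if asset.control_cost < prevented:
        return "mitigate"
    if asset.insurable:
        return "transfer"
    return "accept"


# Constructed sample assets (values are illustrative, not real figures).
SAMPLE_ASSETS = [
    Asset("customer database", value=500_000, annual_probability=0.10,
          control_cost=20_000, control_effectiveness=0.9, insurable=True),
    Asset("lobby kiosk", value=2_000, annual_probability=0.30,
          control_cost=1_500, control_effectiveness=0.8, insurable=False),
    Asset("warehouse servers", value=100_000, annual_probability=0.05,
          control_cost=9_000, control_effectiveness=0.5, insurable=True),
]


def risk_register(assets=SAMPLE_ASSETS) -> dict:
    """Summarize each asset: expected loss and the recommended treatment."""
    return {a.name: (expected_loss(a), recommend(a)) for a in assets}


if __name__ == "__main__":
    for name, (loss, action) in risk_register().items():
        print(f"{name:20s} expected loss {loss:>10,.0f}  ->  {action}")
```

The customer database is worth protecting (a 20,000 control prevents 45,000 of expected loss), the kiosk is not worth either a control or insurance, and the warehouse servers are best insured because the available control only halves a small expected loss at a high price.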
1- Physical controls
prevent unauthorized individuals from gaining access to a company’s facilities. Common
physical controls include walls, doors, fencing, gates, locks, badges, guards, and alarm
systems.
Application controls: protect specific applications.
Authentication (credibility):
Determines/confirms the identity of the person requiring access.
-Something the user has: these access controls include regular ID cards, smart cards.
-Something the user is: access controls that examine a user's physiological or behavioural
characteristics.
Biometrics
- Voice verification
- Fingerprints
- Retina scan
2- Authorization:
Determines which actions, rights, or privileges the person has to perform certain activities
with information resources, based on his/her verified identity.
Privilege: a collection of related computer system operations that can be performed by
users of the system.
Least privilege: a principle that users be granted the privilege for some activity only if there
is a justifiable need to grant this authorization.
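Authentication, authorization, privileges and least privilege as one small access-control model. This is an added example, not code from the notes: the users, the enrolled tokens ("something the user has"), the roles and the privilege names are all constructed for illustration.

```python
"""Authentication, authorization and least privilege (added illustration, not from the notes)."""
import hashlib
import hmac


def _token_hash(secret: str) -> str:
    """Store only a hash of each enrolled token secret, never the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()


# "Something the user has": each user is enrolled with one hardware token.
# Constructed sample users; the token secrets here are not real credentials.
USERS = {
    "alice": {"token_hash": _token_hash("token-alice-123"), "role": "accountant"},
    "bob":   {"token_hash": _token_hash("token-bob-456"),   "role": "helpdesk"},
}

# Privilege: a collection of related system operations (assumed names).
PRIVILEGES = {
    "read_ledger":     {"ledger:read"},
    "post_ledger":     {"ledger:read", "ledger:write"},
    "reset_passwords": {"account:reset"},
}

# Least privilege: each role is granted only the privileges its job needs.
# The helpdesk role gets no ledger access at all, because it has no need for it.
ROLE_PRIVILEGES = {
    "accountant": {"read_ledger", "post_ledger"},
    "helpdesk":   {"reset_passwords"},
}


def authenticate(username: str, token_secret: str):
    """Confirm identity: return the username only if the presented token matches."""
    record = USERS.get(username)
    if record is None:
        return None
    # Constant-time comparison so a mismatch does not leak where the hashes differ.
    if hmac.compare_digest(record["token_hash"], _token_hash(token_secret)):
        return username
    return None


def operations_for(username: str) -> set:
    """Every operation the verified identity may perform, derived from its role."""
    role = USERS[username]["role"]
    ops = set()
    for privilege in ROLE_PRIVILEGES.get(role, ()):
        ops |= PRIVILEGES[privilege]
    return ops


def authorize(username: str, operation: str) -> bool:
    """Decide whether the verified identity holds a privilege covering the operation."""
    return operation in operations_for(username)


def request(username: str, token_secret: str, operation: str) -> str:
    """Authentication first, authorization second; both must succeed."""
    identity = authenticate(username, token_secret)
    if identity is None:
        return "denied: authentication failed"
    if not authorize(identity, operation):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    print(request("alice", "token-alice-123", "ledger:write"))   # allowed
    print(request("bob", "token-bob-456", "ledger:write"))       # denied: not authorized
    print(request("alice", "wrong-token", "ledger:read"))        # denied: authentication failed
```

Note that an unknown user and a wrong token both produce the same "authentication failed" result, so the response does not reveal which usernames exist.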
Anti-malware systems: software packages that attempt to identify and eliminate viruses,
worms, and other malicious software.
Blacklisting: a process in which a company allows all software to run unless it is on the
blacklist.
Whitelisting: a process in which a company identifies the software that it will allow to run
and does not try to recognize malware.
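The practical difference between the two approaches is what happens to software that is on neither list. The following added example (not from the notes) evaluates the same constructed sample "programs" under a blacklist policy and a whitelist policy; the byte strings stand in for executable files and the hashes are computed from them, so nothing here is a real malware indicator.

```python
"""Blacklisting versus whitelisting of software (added illustration, not from the notes)."""
import hashlib


def fingerprint(program: bytes) -> str:
    """Identify a program by the SHA-256 of its contents."""
    return hashlib.sha256(program).hexdigest()


# Constructed sample programs: byte strings standing in for executable files.
KNOWN_GOOD = {"payroll.exe": b"payroll application v1.2", "browser.exe": b"web browser v9"}
KNOWN_BAD = {"dropper.exe": b"constructed malware sample A"}
UNKNOWN = b"program never seen by the security team"

WHITELIST = {fingerprint(p) for p in KNOWN_GOOD.values()}
BLACKLIST = {fingerprint(p) for p in KNOWN_BAD.values()}


def blacklist_allows(program: bytes) -> bool:
    """Default allow: run everything unless its fingerprint is on the blacklist."""
    return fingerprint(program) not in BLACKLIST


def whitelist_allows(program: bytes) -> bool:
    """Default deny: run only what is on the whitelist; no attempt to recognize malware."""
    return fingerprint(program) in WHITELIST


def compare_policies(program: bytes) -> dict:
    """Decision of each policy for one program."""
    return {"blacklist": blacklist_allows(program), "whitelist": whitelist_allows(program)}


if __name__ == "__main__":
    cases = {
        "known good": KNOWN_GOOD["payroll.exe"],
        "known bad": KNOWN_BAD["dropper.exe"],
        "unknown": UNKNOWN,
        # A known-good program with one byte changed is no longer the approved file.
        "tampered good": KNOWN_GOOD["payroll.exe"] + b"\x00",
    }
    for label, program in cases.items():
        print(f"{label:14s} {compare_policies(program)}")
```

The unknown and tampered programs are where the policies diverge: the blacklist lets both run because nobody has listed them yet, while the whitelist blocks both because neither matches an approved fingerprint. That is the trade-off the notes describe: whitelisting needs no knowledge of the malware, at the price of maintaining the list of approved software.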
Encryption: Process of converting an original message into a form that cannot be read by
anyone except the intended receiver.
How Digital Certificates Work
Digital Certificate: an electronic document attached to a file certifying that the file is from
the organization that it claims to be from and has not been modified from its original format.
Certificate authorities: trusted intermediaries between two organizations (for example, Sony
and Dell) that issue digital certificates.
Virtual Private Network and Tunnelling
Virtual private networking (VPN): a private network that uses a public network (usually the
Internet) to connect users.
To provide secure transmissions, VPNs use a process called tunneling.
Tunneling encrypts each data packet to be sent and places each encrypted packet inside
another packet.
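Encryption and tunneling together, in code. This is an added example and not part of the notes or of any real VPN product: the packet format (source, destination, length, payload), the addresses and the shared key are constructed, and the cipher is a keystream built from HMAC-SHA256 in counter mode with a separate integrity tag, chosen because it runs with the Python standard library alone. A real VPN uses a standard such as IPsec or TLS for this step; what the example shows is the structure the notes describe: the inner packet with the real addresses is encrypted, then carried inside an outer packet addressed between the two VPN gateways, so an observer on the public network sees only the gateway addresses and ciphertext, and any modification in transit is detected before decryption.

```python
"""Encryption plus VPN-style tunneling (added illustration, not from the notes)."""
import hashlib
import hmac
import os
import socket
import struct

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 over (nonce, counter); illustrative construction."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. The tag covers nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only an unmodified blob is decrypted."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("packet modified in transit")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


# Toy packet format (constructed): 4-byte source, 4-byte destination, 2-byte payload length.
HEADER = struct.Struct(">4s4sH")


def pack_packet(src: str, dst: str, payload: bytes) -> bytes:
    return HEADER.pack(socket.inet_aton(src), socket.inet_aton(dst), len(payload)) + payload


def unpack_packet(packet: bytes):
    src, dst, length = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:HEADER.size + length]
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), payload


def tunnel_send(key, inner_src, inner_dst, payload, gateway_src, gateway_dst) -> bytes:
    """Encrypt the whole inner packet and place it inside an outer gateway-to-gateway packet."""
    inner = pack_packet(inner_src, inner_dst, payload)
    return pack_packet(gateway_src, gateway_dst, encrypt(key, inner))


def tunnel_receive(key, outer: bytes):
    """Strip the outer packet, authenticate and decrypt, and recover the inner packet."""
    _, _, encrypted = unpack_packet(outer)
    return unpack_packet(decrypt(key, encrypted))


def observer_view(outer: bytes):
    """What someone on the public network can read: only the outer addresses."""
    src, dst, _ = unpack_packet(outer)
    return src, dst


def tamper_detected(key: bytes, outer: bytes) -> bool:
    """Flip one ciphertext byte in transit and report whether the receiver rejects it."""
    damaged = bytearray(outer)
    damaged[HEADER.size + NONCE_LEN] ^= 0x01
    try:
        tunnel_receive(key, bytes(damaged))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = b"constructed-shared-key-not-real!"   # sample key for the demo only
    outer = tunnel_send(key, "10.0.0.5", "10.1.0.9", b"hello ledger", "203.0.113.1", "198.51.100.7")
    print("observer sees:", observer_view(outer))
    print("receiver gets:", tunnel_receive(key, outer))
    print("tampering detected:", tamper_detected(key, outer))
```

The inner addresses and payload never appear in clear on the wire; only the documentation-range gateway addresses do. Because the tag is checked before decryption, a packet altered in transit is rejected rather than silently decrypted to garbage.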
Vulnerability management systems: (also called security on demand) extend the security
perimeter that exists for the organization’s managed devices, to unmanaged, remote
devices.