
Chapter 4

4.1 Introduction to Information Security

Security: the degree of protection against criminal activity, danger, damage and/or loss.
Information Security: all the processes and policies designed to protect an organization's
information and information systems (IS) from unauthorized access, use, disclosure,
disruption, modification, or destruction.

By protecting information from threats, we can achieve three main security goals:
Confidentiality: we can keep our secrets under control.
Integrity: our information is not corrupted.
Availability: we can access our information whenever we want.

How do these goals help us today? Take modern banking as an example. We can manage
our money privately online, we can withdraw cash from an ATM at any time of day or
night, and we can quickly place an online order for just about anything. Without
information security, none of these things would be possible.

Key Information Security Terms:


Threat: any danger to which a system may be exposed.
Example: A virus is a threat as it can cause harm to our system software, and business
operations in general.

Vulnerability: the possibility that the system will suffer harm from a threat.
It is basically a weakness in design, implementation, operation, or internal control. Sometimes
connecting your computer to the Internet is a vulnerability by itself, especially if the
computer is not patched and secured against cyber-attacks.

Exposure: the harm, loss or damage that can result if a threat compromises that resource.

Threats to Information Security

Today, five key factors are contributing to the increasing vulnerability of organizational
information resources, making it much more difficult to secure them:
• Today’s interconnected, interdependent, wirelessly networked business environment
• Smaller, faster, cheaper computers and storage devices
• Decreasing skills necessary to be a computer hacker
• International organized crime taking over cybercrime
• Lack of management support

1- Today’s interconnected, interdependent, wirelessly networked business environment.


The Internet now enables millions of computers and computer networks to communicate
freely and seamlessly with one another. Organizations and individuals are exposed to a
world of untrusted networks and potential attackers.
A trusted network is any network within your organization.
An untrusted network is any network external to your organization.
In addition, wireless technologies enable employees to compute, communicate, and access
the Internet anywhere and anytime. Significantly, wireless is an inherently nonsecure
broadcast communications medium.

2- Smaller, faster, cheaper computers and storage devices


Modern computers and storage devices (e.g., thumb drives or flash drives) continue to
become smaller, faster, cheaper, and more portable, with greater storage capacity. These
characteristics make it much easier to steal or lose a computer or storage device that
contains huge amounts of sensitive information. Also, far more people are able to afford
powerful computers and connect inexpensively to the Internet, thus raising the potential of
an attack on information assets.

3- Decreasing skills necessary to be a computer hacker.


The reason is that the Internet contains information and computer programs called scripts
that users with few skills can download and use to attack any information system connected
to the Internet.
(Security experts can also use these scripts for legitimate purposes, such as testing the
security of various systems.)

Hacker: a person who finds weaknesses in a computer system and exploits them.
Script kiddie: someone who lacks programming knowledge and uses existing software to
launch an attack.

4- International organized crime turning to cybercrime.


Cybercrime refers to illegal activities conducted over computer networks, particularly the
Internet. iDefense (http://labs.idefense.com), a company that specializes in providing security
information to governments and Fortune 500 companies, maintains that groups of
well-organized criminal organizations have taken control of a global billion-dollar crime
network. The network, powered by skilful hackers, targets known software security
weaknesses. These crimes are typically nonviolent, but quite lucrative. Consider, for
example, that losses from armed robberies average hundreds of dollars, and those from
white-collar crimes average tens of thousands of dollars. In contrast, losses from computer
crimes average hundreds of thousands of dollars.
Also, computer crimes can be committed from anywhere in the world, at any time,
effectively providing an international haven for cybercriminals. Computer-based crimes
cause billions of dollars in damages to businesses each year, including the costs of both
repairing information systems and lost business.
Cybercrime: illegal activities conducted over computer networks, particularly the Internet.
Example: Bank Muscat card fraud incident.
A recent example of such a coordinated attack targeted Bank Muscat, where a group of
hackers in different places around the world were able to steal millions of dollars from
international ATMs using prepaid cards tied to Bank Muscat accounts.

5- Lack of management support.


For the entire organization to take security policies and procedures seriously, senior
managers must set the tone. Unfortunately, senior managers often do not do so. Ultimately,
however, lower-level managers may be even more important. These managers are in close
contact with employees every day and thus are in a better position to determine whether
employees are following security procedures.
Other contributing factors: insufficient funding, technological obsolescence, and lack of attention.

Top-level management sometimes ignores security requirements. One of the main reasons
for this behaviour is that security measures are not cheap to acquire, and people
usually do not see the actual value of security and privacy measures until they fall
victim to hackers. Only then do they pay close attention to small security details, but by
that time it may be too late. Having defined security threats in general, we now look at
them in detail.

4.2 Unintentional Threats to Information Systems

Unintentional threats are acts performed without malicious intent that nevertheless
represent a serious threat to information security.
A major category of unintentional threats is human error.

Human Errors

Human Mistake: Description and Examples

Carelessness with laptops: Losing or misplacing laptops, leaving them in taxis, and so on.

Carelessness with computing devices: Losing or misplacing these devices or using them
carelessly so that malware is introduced into an organization’s network.

Opening questionable e-mails: Opening e-mails from someone unknown, or clicking on links
embedded in e-mails.

Careless Internet surfing: Accessing questionable Web sites; can result in malware and/or
alien software being introduced into the organization’s network.

Poor password selection and use: Choosing and using weak passwords.

Carelessness with one’s office: Leaving desks and filing cabinets unlocked when employees
go home at night; not logging off the company network when leaving the office for any
extended period of time.

Carelessness using unmanaged devices: Unmanaged devices are those outside the control of
an organization’s IT department and company security procedures. These devices include
computers belonging to customers and business partners, computers in the business
centres of hotels, and so on.

Carelessness with discarded equipment: Discarding old computer hardware and devices
without completely wiping the memory; includes computers, smartphones, BlackBerry®
units, and digital copiers and printers.

Careless monitoring of environmental hazards: These hazards, which include dirt, dust,
humidity, and static electricity, are harmful to the operation of computing equipment.

Social Engineering:
An attack in which the perpetrator uses social skills to trick or manipulate a legitimate
employee into providing confidential information such as passwords. The most common
example of social engineering occurs when the attacker impersonates someone else on the
telephone, such as a company manager or an information systems employee. The attacker
claims he forgot his password and asks the legitimate employee to give him a password to
use. Other common ploys include posing as an exterminator, an air-conditioning technician,
or a fire marshal.

Two other social engineering techniques are tailgating and shoulder surfing.

Tailgating is a technique designed to allow the perpetrator to enter restricted areas that are
controlled with locks or card entry. The perpetrator follows closely behind a legitimate
employee and, when the employee gains entry, the attacker asks him or her to “hold the
door.” In short, it occurs when an unauthorized person slips in through a door before it
closes.

Shoulder surfing occurs when a perpetrator watches an employee’s computer screen over
the employee’s shoulder. This technique is particularly successful in public areas such as
airports and on commuter trains and airplanes.

4.3 Deliberate Threats to Information Systems

There are many types of deliberate threats to information systems. We provide a list of 10
common types for your convenience.
• Espionage or trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property
• Software attacks
• Alien software
• Supervisory control and data acquisition (SCADA) attacks
• Cyberterrorism and cyberwarfare

1- Espionage or trespass:
Occurs when an unauthorized individual attempts to gain illegal access to organizational
information. It is important to distinguish between competitive intelligence and industrial
espionage. Competitive intelligence consists of legal information-gathering techniques such
as studying a company’s Web site and press releases, attending trade shows, and similar
actions. In contrast, industrial espionage crosses the legal boundary.

2- Information extortion:
Occurs when an attacker either threatens to steal or actually steals information from a
company. The perpetrator demands payment for not stealing the information, for returning
stolen information, or for agreeing not to disclose the information.

3- Sabotage or vandalism:
Defacing an organization’s website, potentially damaging the organization’s image and
causing its customers to lose faith. One form of online vandalism is a hacktivist or
cyberactivist operation. These are cases of high-tech civil disobedience to protest the
operations, policies, or actions of an organization or government agency.

4- Theft of equipment or information:


Computing devices and storage devices are becoming smaller yet more powerful with vastly
increased storage (e.g., laptops, personal digital assistants, smartphones, digital cameras,
thumb drives, and iPods). As a result, these devices are becoming easier to steal and easier
for attackers to use to steal information.

Dumpster diving: rummaging through commercial or residential trash to find information
that has been discarded.

5- Identity theft:
Assumption of another person’s identity, usually to gain access to their financial
information or to frame them for a crime. Common methods include stealing mail, dumpster
diving, and stealing personal information from computer databases.

6- Compromises to Intellectual Property (IP):


Trademark: an IP law protecting a recognizable sign, design, or expression that identifies
products or services of a particular source (e.g. brand name, logo, slogan, colour, sound,
smell, shapes, etc…)
Trade secret: an intellectual work, such as a business plan, that is a company secret and not
based on public information.
Copyright: a statutory grant that provides the creator of IP with ownership of the property for
the life of the creator plus 70 years (individuals) and a fixed 120 years from the date of
creation (corporations).
Piracy: the illegal copying of software.
Patent: a document that grants the holder exclusive rights on an invention or idea for 20
years.

7- Software attacks

(1) Remote Attacks Requiring User Action

Virus: A segment of computer code that performs malicious actions by attaching to another
computer program.

Worm: A segment of computer code that spreads by itself and performs malicious actions
without requiring another computer program.

Phishing attack: Use of deception to acquire sensitive personal information by masquerading
as official-looking e-mails.

(2) Remote Attacks Needing No User Action

Denial-of-service attack: An attacker sends so many information requests to a target
computer system that the system cannot handle them successfully, and typically crashes.

(3) Attacks by a Programmer Developing a System

Trojan horse: A software program that hides in other computer programs and reveals its
designed behavior only when it is activated. A typical behavior of a Trojan horse is to
capture your sensitive information (e.g., passwords, account numbers, etc.) and send it to
the creator of the Trojan horse.

Logic bomb: A segment of computer code that is embedded within an organization’s existing
computer programs and is designed to activate and perform a destructive action at a
certain time and date.

8- Alien Software

Spyware: software that collects personal information about users without their consent.
- Keystroke loggers: record your keystrokes and your Web browsing history.
- Screen scrapers: record a continuous “movie” of what you do on a screen.

Adware: software that causes pop-up advertisements to appear on your screen.

Spamware: alien software that is designed to use your computer as a launchpad for
spammers. Spam is unsolicited (unwanted) e-mail.

Cookies: small amounts of information that Web sites store on your computer, temporarily
or more or less permanently. In many cases, cookies are useful and innocuous.
For example, some cookies store passwords and user IDs that you do not want to retype every
time you access the Web site that issued the cookie. Cookies are also necessary for online
shopping because merchants use them for your shopping carts.

9- Supervisory Control and Data Acquisition (SCADA) Attacks

SCADA refers to a large-scale, distributed measurement and control system.

10- Cyber-terrorism and Cyber-warfare

Cyber-terrorism and cyber-warfare refer to malicious acts in which attackers use a target’s
computer systems, particularly via the Internet, to cause physical, real-world harm or severe
disruption, often to carry out a political agenda.

4.4 What Organizations Are Doing to Protect Information Resources


Risk: the probability that a threat will impact an information resource.
Risk management: the process of identifying, controlling and minimizing the impact of
threats. In other words, risk management seeks to reduce risk to acceptable levels.
Risk management consists of three processes: risk analysis, risk mitigation, and controls
evaluation.

Risk analysis:
- assess the value of each asset being protected.
- estimate the probability that it might be compromised.
- compare the probable costs of it being compromised with the cost of protecting it.

Risk mitigation: is when the organization takes concrete actions against risk. It has two
functions:
(1) implement controls to prevent identified threats from occurring.
(2) develop a means of recovery should the threat become a reality.

Risk Mitigation Strategies

Risk transference: transfer the risk by using other means to compensate for the loss, such as
purchasing insurance and having off-site backups (with a third party).
Risk limitation: limit the risk by implementing controls that minimize the impact of a threat.
Risk acceptance: accept the potential risk, continue operating with no controls, and absorb
any damages that occur.
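The three risk analysis steps and the three mitigation strategies above, worked through on a constructed asset list. This is an added example, not part of the original notes; the asset values, probabilities and the decision thresholds in choose_strategy are assumptions for illustration.

```python
# Added example (not from the original notes): the three risk analysis steps
# from Section 4.4 applied to a constructed list of assets, with the result
# mapped onto the three risk mitigation strategies.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float               # step 1: value of the asset being protected
    annual_probability: float  # step 2: estimated chance of compromise per year
    control_cost: float        # annual cost of the control that would protect it
    insurable: bool = False    # whether a third party (insurer) will carry the risk


def expected_loss(asset: Asset) -> float:
    """Probable annual cost of the asset being compromised (value x probability)."""
    return asset.value * asset.annual_probability


def choose_strategy(asset: Asset) -> str:
    """Step 3: compare the probable cost of compromise with the cost of protection.

    Decision rule (an assumption for illustration, not a standard):
    limitation when the control costs no more than the expected loss,
    transference when it costs more but a third party will take the risk,
    acceptance otherwise (operate with no control and absorb the damage).
    """
    loss = expected_loss(asset)
    if asset.control_cost <= loss:
        return "limitation"
    if asset.insurable:
        return "transference"
    return "acceptance"


def risk_report(assets: list[Asset]) -> dict[str, tuple[float, str]]:
    """Expected loss and chosen strategy for each asset, keyed by asset name."""
    return {a.name: (expected_loss(a), choose_strategy(a)) for a in assets}


# Constructed sample assets (illustrative figures, not real data).
SAMPLE_ASSETS = [
    Asset("customer database", value=500_000, annual_probability=0.05,
          control_cost=10_000),
    Asset("staff laptops", value=20_000, annual_probability=0.20,
          control_cost=8_000, insurable=True),
    Asset("lobby kiosk PC", value=2_000, annual_probability=0.10,
          control_cost=500),
]

if __name__ == "__main__":
    for name, (loss, strategy) in risk_report(SAMPLE_ASSETS).items():
        print(f"{name:18s} expected loss {loss:9,.0f}  -> {strategy}")
```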

4.5 Information Security Controls

1- Physical controls: prevent unauthorized individuals from gaining access to a company’s
facilities. Common physical controls include walls, doors, fencing, gates, locks, badges,
guards, and alarm systems.
Application controls: protect specific applications.

2- Access controls: restriction of unauthorized user access to computer resources.

Authentication:
Determines/confirms the identity of the person requiring access.

- Something the user knows:
Password: a private combination of characters that only the user should know.
Example: nam3-beeS
Passphrase: a series of characters that is longer than a password but can be memorized
easily.
Example: omanFT2brazilworldcup

- Something the user has: these access controls include regular ID cards and smart cards.
- Something the user is: access controls that examine a user’s physiological or behavioural
characteristics.
Biometrics:
- Voice verification
- Fingerprints
- Retina scan

To identify authorized users more efficiently and effectively, organizations frequently
implement more than one type of authentication, a strategy known as multifactor
authentication.
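The authentication factors and multifactor authentication described above, as an added example that is not part of the original notes: "something the user knows" is the notes' own passphrase example stored as a salted PBKDF2 hash, and "something the user has" is a one-time code from a TOTP token (RFC 6238, built on HOTP from RFC 4226). The demo account, its TOTP key (the RFC 6238 test-vector secret) and the PBKDF2 work factor are assumptions.

```python
# Added example (not from the original notes): two-factor authentication from
# "something the user knows" (passphrase, stored as a salted PBKDF2 hash) and
# "something the user has" (a one-time code from an RFC 6238 TOTP token).
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000  # assumed work factor; raise it as hardware gets faster


def make_password_record(passphrase: str) -> dict:
    """Store only a random salt and the PBKDF2 hash, never the passphrase itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_password(record: dict, attempt: str) -> bool:
    """Factor 1: recompute the hash of the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time."""
    return hotp(key, int(unix_time) // step, digits)


def authenticate(user: dict, passphrase: str, code: str, unix_time: int) -> bool:
    """Factor 2 is checked even if factor 1 failed, so timing does not reveal which one."""
    password_ok = check_password(user["password"], passphrase)
    code_ok = code.isascii() and hmac.compare_digest(code, totp(user["totp_key"], unix_time))
    return password_ok and code_ok


# Constructed demo account: the passphrase is the notes' own example and the
# TOTP key is the RFC 6238 test-vector secret, so the expected codes are known.
DEMO_USER = {
    "password": make_password_record("omanFT2brazilworldcup"),
    "totp_key": b"12345678901234567890",
}

if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the matching 6-digit code is 287082
    print(authenticate(DEMO_USER, "omanFT2brazilworldcup", totp(DEMO_USER["totp_key"], now), now))
```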

Authorization:
Determines which actions, rights, or privileges the person has to perform certain activities
with information resources, based on his/her verified identity.
Privilege: a collection of related computer system operations that can be performed by
users of the system.
Least privilege: a principle that users be granted the privilege for some activity only if there
is a justifiable need to grant this authorization.
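The authorization, privilege and least-privilege definitions above, as an added example that is not part of the original notes: a privilege is a named collection of operations, every operation is denied unless a granted privilege includes it, and a grant is refused when no justifiable need is recorded. The privilege, operation and account names are constructed for the demo.

```python
# Added example (not from the original notes): authorization after identity has
# been verified, using the notes' definitions of privilege and least privilege.
PRIVILEGES = {  # constructed privilege names -> the related operations they cover
    "invoice_clerk": {"view_invoice", "create_invoice"},
    "payment_approver": {"view_invoice", "approve_payment"},
    "hr_reader": {"view_salary"},
}


class Account:
    def __init__(self, username: str):
        self.username = username
        self.grants: dict[str, str] = {}  # privilege name -> recorded justification

    def grant(self, privilege: str, justification: str) -> None:
        """Least privilege: refuse any grant that carries no justifiable need."""
        if privilege not in PRIVILEGES:
            raise KeyError(f"unknown privilege {privilege!r}")
        if not justification.strip():
            raise ValueError(f"no justification recorded for {privilege!r}")
        self.grants[privilege] = justification

    def revoke(self, privilege: str) -> None:
        self.grants.pop(privilege, None)  # remove it once the need has ended

    def operations(self) -> set[str]:
        """Every operation reachable through the account's current grants."""
        return set().union(*(PRIVILEGES[p] for p in self.grants))


def authorize(account: Account, operation: str) -> bool:
    """Default deny: allowed only if some granted privilege includes the operation."""
    return operation in account.operations()


def grant_without_reason_is_rejected() -> bool:
    """True when the least-privilege rule blocks an unjustified grant."""
    try:
        Account("bob").grant("hr_reader", "   ")
    except ValueError:
        return True
    return False


def demo() -> dict[str, bool]:
    """Walk one account through grant, use and revocation; every value should be True."""
    alice = Account("alice")
    alice.grant("invoice_clerk", "processes supplier invoices for accounts payable")
    results = {
        "clerk can view invoice": authorize(alice, "view_invoice"),
        "clerk cannot approve payment": not authorize(alice, "approve_payment"),
    }
    alice.grant("payment_approver", "covering for the approver on leave this week")
    results["temporary approver can approve"] = authorize(alice, "approve_payment")
    alice.revoke("payment_approver")
    results["revoked approver cannot approve"] = not authorize(alice, "approve_payment")
    return results
```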

3- Communications (network) controls: protect the movement of data across networks
and include border security controls, authentication, and authorization.
Firewall: System that enforces access-control policy between two networks.

Anti-malware systems: software packages that attempt to identify and eliminate viruses,
worms, and other malicious software.

Blacklisting: a process in which a company allows all software to run unless it is on the
blacklist.

Whitelisting: a process in which a company identifies the software that it will allow to run
and does not try to recognize malware.
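The same "may this program run?" decision under the blacklisting and whitelisting definitions above, as an added example that is not part of the original notes. Programs are identified by the SHA-256 of their contents rather than by file name; the sample "programs" are constructed byte strings, not real binaries.

```python
# Added example (not from the original notes): blacklist vs whitelist on the
# same set of programs. The only difference is the default for anything unknown.
import hashlib


def fingerprint(program: bytes) -> str:
    """Identify a program by its contents, so renaming or editing it changes identity."""
    return hashlib.sha256(program).hexdigest()


def blacklist_allows(program: bytes, blocked: set[str]) -> bool:
    """Blacklist: everything runs unless its fingerprint is on the list."""
    return fingerprint(program) not in blocked


def whitelist_allows(program: bytes, allowed: set[str]) -> bool:
    """Whitelist: nothing runs unless its fingerprint is on the list."""
    return fingerprint(program) in allowed


# Constructed sample programs.
EDITOR = b"known good text editor v1.0"
MALWARE = b"known malware sample"
NEWCOMER = b"program nobody has assessed yet"
TAMPERED_EDITOR = EDITOR.replace(b"v1.0", b"v1.0 with extra code")

BLOCKED = {fingerprint(MALWARE)}   # what the blacklist knows about
ALLOWED = {fingerprint(EDITOR)}    # what the whitelist has approved


def compare_policies() -> dict[str, tuple[bool, bool]]:
    """(blacklist verdict, whitelist verdict) for each sample program."""
    samples = {
        "editor": EDITOR,
        "malware": MALWARE,
        "newcomer": NEWCOMER,
        "tampered editor": TAMPERED_EDITOR,
    }
    return {name: (blacklist_allows(p, BLOCKED), whitelist_allows(p, ALLOWED))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (bl, wl) in compare_policies().items():
        print(f"{name:16s} blacklist allows: {bl!s:5}  whitelist allows: {wl}")
```

The newcomer and the tampered editor are where the two policies part ways: the blacklist lets both run because it has never seen them, while the whitelist blocks both because it was never told to trust them.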

Encryption: the process of converting an original message into a form that cannot be read by
anyone except the intended receiver.

How Digital Certificates Work

Digital certificate: an electronic document attached to a file certifying that the file is from
the organization it claims to be from and has not been modified from its original format.
Certificate authorities: trusted intermediaries between two organizations (e.g., Sony and
Dell) that issue digital certificates.
Virtual Private Network and Tunnelling

Virtual private network (VPN): a private network that uses a public network (usually the
Internet) to connect users.
To provide secure transmissions, VPNs use a process called tunneling.
Tunneling encrypts each data packet that is sent and places each encrypted packet inside
another packet.

Secure Socket Layer (SSL), now called Transport Layer Security (TLS): an encryption
standard used for secure transactions such as credit card purchases and online banking.

Vulnerability management systems: (also called security on demand) extend the security
perimeter that exists for the organization’s managed devices, to unmanaged, remote
devices.

4- Information Systems Auditing

Information systems auditing: independent or unbiased observers tasked with ensuring that
information systems work properly.
Audit: Examination of information systems, their inputs, outputs and processing.

Types of Auditors and Audits

Internal: performed by corporate internal auditors.
External: reviews internal audit as well as the inputs, processing and outputs of information
systems.
