INSY50 – INFORMATION SECURITY

CYBERATTACK - an intentional and malicious effort by

an organization or an individual to breach the

systems of another organization or individual.

CYBERSECURITY THREATS

1. Malware Attack - Users may be asked to take an action, such as clicking a link or opening an
attachment.

Malware attacks include:

> Trojan virus — tricks a user into thinking it is a harmless file.

> Ransomware — prevents access to the data of the victim and threatens to delete or publish it unless a
ransom

is paid.

> Spyware — this malware enables malicious actors to gain unauthorized access to data, including
sensitive information like payment details and credentials.

2. Social Engineering Attacks - Social engineering attacks work by psychologically manipulating

users into performing actions desirable to an attacker, or divulging sensitive information.

Social engineering attacks include:

> Phishing — attackers send fraudulent correspondence that seems to come from legitimate sources,
usually via email.

> Pretexting — occurs when a threat actor lies to the target to gain access to privileged data.

> Malvertising — online advertising controlled by hackers, which contains malicious code that infects a
user’s computer when they click, or even just view the ad.

> Vishing — voice phishing (vishing) attacks use social engineering techniques to get targets to divulge
financial or personal information over the phone.

3. Distributed Denial of Service - The objective of a denial of service (DoS) attack is to overwhelm
the resources of a target system and cause it to stop functioning, denying access to its users.

- Distributed denial of service (DDoS) is a variant of DoS in which attackers compromise a large number of
computers or other devices, and use them in a coordinated attack against the target system.
CYBERTHREAT ACTORS

Common sources of cyberthreats include:

> Terrorists — terrorists may attack government or military targets, but at times may also

target civilian websites to disrupt and cause lasting damage.

> Organized crime groups — criminal groups infiltrate systems for monetary gain. Organized crime
groups use phishing, spam, and malware to carry out identity theft and online fraud. There are organized
crime groups who exist to sell hacking services to others as well, maintaining even support and services
for profiteers and industrial spies alike.

> Hackers — Hacking in simple terms means an illegal intrusion into a computer system and/or network.
It is also known as CRACKING. Government websites are the hot target of hackers due to the press
coverage it receives. Hackers enjoy media coverage.

TYPES OF HACKERS

> White Hat - an ethical hacker who attempts to find vulnerabilities in computers and network systems by
identifying security weaknesses and informing the appropriate personnel.

> Black Hat - describes a deceptive user, computer hacker, or an individual who attempts to break into a
computer system or computer network.

> Gray Hat - is a reference to a computer hacker who acts illegally to expose a security threat but does
not use that threat maliciously against the vulnerable party.

INFORMATION SYSTEMS SECURITY

The Information Security Triad: Confidentiality, Integrity, Availability (CIA)

I. Confidentiality

> When protecting information, we want to be able to restrict access to those who are allowed to see it;
everyone else should be disallowed from learning anything about its contents.

II. Integrity

> Integrity is the assurance that the information being accessed has not been altered and truly represents
what is intended.
III. Availability

> Availability means that information can be accessed and modified by anyone authorized to do so in an
appropriate timeframe. Depending on the type of information, appropriate timeframe can mean different
things.

Tools in Information Security

I. Authentication

> Tools for authentication are used to ensure that the person accessing the information is, indeed, who
they present themselves to be. II. Access Control

> Access control determines which users are authorized to read, modify, add, and/or delete information.

III. Encryption

> Encryption is a process of encoding data upon its transmission or storage so that only authorized
individuals can read it.

Password Security

1. Require complex passwords

2. Change password regularly

3. Train employees not to give away passwords

Backups

> Another essential tool for information security is a comprehensive backup plan for the entire
organization. Not only should the data on the corporate servers be backed up, but individual computers
used throughout the organization should also be backed up.

Additional concepts related to backup include the following:

1. Universal Power Supply (UPS).

> A UPS is a device that provides battery backup to critical components of the system, allowing them to
stay online longer and/or allowing the IT staff to shut them down using proper procedures in order to
prevent the data loss that might occur from a power failure.
2. Alternate, or “hot” sites.

> Some organizations choose to have an alternate site where an exact replica of their critical data is
always kept up to date. When the primary site goes down, the alternate site is immediately brought online
so that little or no downtime is experienced.

Physical Security

> Physical security is the protection of the actual hardware and networking components that store and
transmit information resources. To implement physical security, an organization must identify all of the
vulnerable resources and take measures to ensure that these resources cannot be physically tampered
with or stolen.

1. Locked doors

2. Physical intrusion detection

3. Secured equipment

4. Environmental monitoring

5. Employee training

Personal Information Security

- Keep your software up to date.

- Install antivirus software and keep it up to date.

- Be smart about your connections.

- Back up your data.

- Secure your accounts with two-factor authentication.

- Make your passwords long, strong, and unique.

- Be suspicious of strange links and attachments.