ISM 3004- 13


7/29/2019 ISM 3004- 13

CH 13

13.01 DEFCON2 INFO SECURITY

DEFCON 5 is the calm level; DEFCON 1 is all-out nuclear war; the worst it has reached is DEFCON 2, during the Cuban nuclear crisis.

- Risks have been getting larger.
- PWC: security capabilities have been degrading since 2008.
- Enterprise Security News: 2011 expected to be the worst year for security breaches.
- The 451 Group: there is a broad trend that the internet is getting more hostile and criminals are more determined.

Potentially damaging impact of breaches

- TJX breach: 45.6 million credit cards; cost 1.3-4.5 billion.
- Average breach in 2010 cost $3.8 million.
- $9 million per breach (5-year analysis, Digital Forensics Association).
- Sony PlayStation Network: 77 million users had data hacked; angry users.
- Information Week: attacks are more complex, more expensive to clean up, and 44% more frequent.

Info Security must be a top organizational priority.

Poor security can have significant immediate costs:

o Notifying people that their data is lost
o Breaches damage reputation; more cost because of lack of trust
o Risk of increased legislation
o Increased compliance costs

13.02 Five Ws

Who? Outsider Threats

The term "hacker" originally referred to a clever, skilled programmer. Today it means people trying to break into another's computer system.

- White hat: identifies security weaknesses for a good purpose
- Corporate spies: try to exploit weaknesses and take away competitive advantage
- Cyber extortionist: someone who tries to extort money from somebody else. Ex: New York Life Insurance
- Cyber terrorist: use of information security attacks as a tool of terror
- Cyber warfare: other nations have developed military doctrines for fighting war on the internet. Ex: the US considered cyber warfare in its attack plan on Libya
- Hacking activism: use of hacking techniques to force change

Insider Threats

- Disgruntled employees can cause significant damage by giving away information
- Most malicious insiders use less skilled techniques but can still cause serious damage
- Social engineering: an outsider exploits the naivety of an insider to gain access
  - Need to teach employees about the danger of being too nice
- Negligence: failure to exercise due care, e.g. failure to lock a computer
- Other error: this risk has become more significant because of flatter organizations; in a vertical hierarchy the losses are not that large because there are multiple layers

What can we do?

- Principle of least privilege: a user is given no more privilege than necessary to perform the job
  - Must identify what that person's job is: what do they actually need, at minimum?
  - Restricting access to certain resources: a lot of risk is involved
- Role-Based Access Controls: identify roles within the organization and give access to roles, NOT individuals
  - Each role gives a certain accessibility. Ex: the manager role gives access to look at the records of employees
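As an added illustration of least privilege and role-based access (example code, not from the lecture notes): permissions attach to roles, users hold only the roles their job needs, and an audit function reports anything a user holds beyond what the job actually requires. The role names, users and permission strings are constructed.

```python
# Added example, not from the lecture notes. Access is granted to roles, never
# to individuals; a user holds only the roles the job needs (least privilege).
# Roles, users and permission strings below are constructed sample data.

# Each role carries exactly the permissions that job requires.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "employee": {"read:own_record"},
    "manager": {"read:own_record", "read:employee_records"},
    "payroll": {"read:own_record", "read:employee_records", "write:salary"},
}

# Users are mapped to roles, not to permissions.
USER_ROLES: dict[str, set[str]] = {
    "alice": {"manager"},
    "bob": {"employee"},
    "carol": {"payroll", "employee"},
}


def permissions_for(user: str) -> set[str]:
    """Union of the permissions of every role the user currently holds."""
    perms: set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: str, action: str) -> bool:
    """Deny by default: an unknown user, role or action gets no access."""
    return action in permissions_for(user)


def least_privilege_violations(user: str, job_needs: set[str]) -> set[str]:
    """Permissions the user holds beyond what the job actually needs.
    A non-empty result means a role grants more than necessary: split the
    role or move the user to a narrower one."""
    return permissions_for(user) - job_needs


def revoke_role(user: str, role: str) -> set[str]:
    """Remove one role from a user (e.g. on transfer) and return what remains.
    Other holders of the same role are unaffected; editing the role itself
    would instead change access for every holder at once."""
    USER_ROLES.get(user, set()).discard(role)
    return permissions_for(user)
```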


- Cloud: when you put your company into the cloud you have a new group of insiders, the cloud provider's staff; it is important to think about security issues in the cloud

What is happening?

- DDoS (distributed denial of service): take out a service so you cannot provide it. Ex: send millions of emails to a server so it crashes and nobody has email. Millions of computers are used; also used for spamming
- Hacking & cyber extortion: "give us $ or else," because we have access and the tools
- Bot net: the bad guy compromises a PC and it becomes a BOT which can be controlled by an outside force
  - This allows them to attack nearby computers, and the net grows
  - They can tell the bots to do whatever they want. Ex: launch emails or DoS attacks

Where? Everywhere

Why? $, corporate espionage, activist causes, political reasons

13.03 Vulnerabilities

How?

- War driving: drive around with a wireless card seeking unprotected networks
- WEP (wireless equivalent privacy): easily defeated, ancient protection
- Guess passwords using social engineering, researching the person beforehand
- Brute force: use all dictionary words to attack and guess the password
- Physical threats: dumpster diving, destruction of property; keep servers in locked rooms. Legal fees are paid for settlements; not just stealing data but destroying it (losing information). Shoulder surfing; do not let user education be forgotten
- Phishing: use of a spoofed email address to try to trick somebody into giving you information
  - Broad spectrum attack: send out millions of emails and someone will be naive
- Spear phishing: a highly targeted attack. Ex: the criminal finds a list of all employee email addresses of company X and says the corporate email server is being updated and "we need new information"
  - Started around 2008

13.04 Taking Action

Layer upon layer of security, ex: a fortress.

Patch it to protect it: patch management. Errors and bugs in software always happen; fix them with a patch.

- Actively manage by monitoring and applying patches
- Ex: Secunia PSI makes it easier to keep a PC as safe as possible; software.ufl.edu has Secunia

Encryption - Public Key: we want to lock the data. The door has the data behind it; one key can lock the door and one key can unlock it. Some people we do not want in, so we give them only one key.

- Public key: allows anyone to lock (encrypt) data; does NOT represent a risk because it can only encrypt
- Only one person has the private key, which decrypts the information

Data at rest: stored on some type of device. 2 strategies: file encryption & whole-disk encryption

- File: individual files (by apps or programs)
- Whole disk: the whole hard drive (provides a greater level of security)

Data in motion: transmitted from point A to point B

1) VPN
2) IPsec
3) SSL/TLS
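An added example (not from the lecture notes) of the "one key locks, one key unlocks" idea using textbook RSA with tiny constructed primes: the public key only encrypts, so handing it out is no risk, and only the single private key decrypts. Real keys are thousands of bits long and use padding; the small numbers here are for illustration only.

```python
# Added example, not from the lecture notes: textbook RSA with tiny constructed
# primes. The public key (e, n) only locks (encrypts); the private exponent d is
# the single key that unlocks (decrypts). Illustration only, not production code.
from math import gcd


def make_keypair(p: int, q: int, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return (public, private) = ((e, n), (d, n)) for two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public: tuple[int, int], m: int) -> int:
    """Lock: anyone holding the public key can encrypt a message m < n."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer smaller than n")
    return pow(m, e, n)


def decrypt(private: tuple[int, int], c: int) -> int:
    """Unlock: only the holder of the private exponent d recovers m."""
    d, n = private
    return pow(c, d, n)
```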

Mobile Devices

- Each mobile device presents both an opportunity and a risk for the organization


- When you establish policy you want unified management (clearly define roles & responsibility)
- Policy lays out the big picture; Standard addresses the details (full compliance with policy; rules that help implement it); Configuration requirements change over time, and all devices must be compliant with policies and standards

NAC (network admission control)

- Idea: more and more people BYOD and plug into the network: employee-owned IT assets that want to get on the network (less control)
- Are antivirus & patches up to date? How do you check? NAC
- Attach the device to the network; NAC assesses the security of the anti-virus and OS version, checking with the machine first; it is the gatekeeper for the network
- Could have separate networks for employees and guests
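As an added example (not from the lecture notes), a simplified NAC gatekeeper: a device reports its posture and is placed on the corporate, guest or quarantine segment before it can reach anything else. The thresholds, segment names and sample devices are constructed.

```python
# Added example, not from the lecture notes: a simplified NAC gatekeeper.
# A device reports its posture (ownership, antivirus signature date, OS patch
# level) and is assigned a segment before any other traffic is allowed.
# Thresholds, segment names and the sample devices are constructed.
from dataclasses import dataclass
from datetime import date

MAX_AV_SIGNATURE_AGE_DAYS = 3     # signatures older than this fail the check
MIN_OS_PATCH_LEVEL = "2019-07"    # oldest acceptable monthly patch baseline, "YYYY-MM"


@dataclass
class Posture:
    device_id: str
    company_owned: bool       # False = employee-owned (BYOD)
    av_signature_date: date
    os_patch_level: str       # "YYYY-MM"; plain string compare orders this format


def posture_failures(p: Posture, today: date) -> list[str]:
    """Every reason the device fails the admission policy (empty list = healthy)."""
    reasons = []
    if (today - p.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS:
        reasons.append("antivirus signatures out of date")
    if p.os_patch_level < MIN_OS_PATCH_LEVEL:
        reasons.append("OS patch level below baseline")
    return reasons


def admit(p: Posture, today: date) -> tuple[str, list[str]]:
    """Gatekeeper decision: BYOD never gets the corporate segment; a company
    device that fails a check goes to a remediation-only quarantine segment."""
    reasons = posture_failures(p, today)
    if not p.company_owned:
        return ("guest", reasons)
    if reasons:
        return ("quarantine", reasons)
    return ("corporate", [])


# Constructed assessment date and sample devices.
TODAY = date(2019, 7, 29)
SAMPLE_DEVICES = [
    Posture("laptop-01", True, date(2019, 7, 28), "2019-07"),
    Posture("laptop-02", True, date(2019, 6, 1), "2019-03"),
    Posture("phone-byod", False, date(2019, 7, 29), "2019-07"),
]


def run_samples() -> dict[str, str]:
    """Segment assigned to each sample device."""
    return {d.device_id: admit(d, TODAY)[0] for d in SAMPLE_DEVICES}
```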