CS2216 - The State University of Zanzibar

CS2216 – PRINCIPLES OF COMPUTER AND NETWORK SECURITY
WEEK 1: INFORMATION SECURITY OVERVIEW
Security Definition
• In general, security is defined as “the quality
or state of being secure—to be free from
danger.”
• Security is often achieved by means of several
strategies usually undertaken simultaneously
or used in combination with one another.
Specialized areas of security
• Physical security, which encompasses strategies
to protect people, physical assets, and the
workplace from various threats including fire,
unauthorized access, or natural disasters
• Personal security, which overlaps with physical
security in the protection of the people within
the organization
• Operations security, which focuses on securing
the organization’s ability to carry out its
operational activities without interruption or
compromise
cont
• Communications security, which encompasses the
protection of an organization’s communications media,
technology, and content, and its ability to use these
tools to achieve the organization’s objectives
• Network security, which addresses the protection of
an organization’s data networking devices,
connections, and contents, and the ability to use that
network to accomplish the organization’s data
communication functions
• Information security includes the broad areas of
information security management, computer and data
security, and network security.
What is information security?
• Information security is defined by the British
Standards Institution (BSI) as the “preservation of
confidentiality, integrity and availability of
information; in addition, other properties,
such as authenticity, accountability, non-repudiation, and reliability can also be
involved”
Properties of information security
• Confidentiality means that information is
disclosed only to authorised users.
• Integrity means information is not modified by
an unauthorised user.
• Availability means information is available
when required to an authorised user.
cont
• Authenticity means a user attempting to access
the information is in fact the user to whom the
level of access belongs.
• Accountability means the user is responsible for
safeguarding the information the user
accesses.
• Non-repudiation means a sender of information
cannot deny having sent the information.
• Reliability means information is being
consistently processed according to its design.
CIA Triangle
• The C.I.A. triangle - confidentiality, integrity,
and availability - has expanded into a more
comprehensive list of critical characteristics of
information.
• C.I.A. triangle sometimes is called the pillars of
information security.
CIA Triangle (figure): a triangle whose three sides are labelled INTEGRITY, CONFIDENTIALITY and AVAILABILITY
Commercial Example
• Confidentiality —An employee should not
come to know the salary of his manager
• Integrity —An employee should not be able
to modify the employee's own salary
• Availability —Paychecks should be printed on
time as stipulated by law
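As an added illustration of the commercial example above (not part of the lecture), a small Python payroll model whose access checks enforce the confidentiality and integrity points and keep an audit trail for accountability; the users, roles and salaries are constructed for the example.

```python
# Added example, not from the lecture: a toy payroll store whose checks enforce
# confidentiality (read only your own salary unless you hold the payroll role),
# integrity (only payroll may write, and never to its own record) and
# accountability (every decision is audited). Users and salaries are constructed.
from dataclasses import dataclass, field

@dataclass
class Payroll:
    salaries: dict                      # user id -> salary
    roles: dict                         # user id -> set of role names
    audit: list = field(default_factory=list)
    def _decide(self, actor, action, target, allowed):
        # Accountability: record who tried what, on whom, and the outcome.
        self.audit.append((actor, action, target, "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise PermissionError(f"{actor} may not {action} salary of {target}")

    def read_salary(self, actor, target):
        # Confidentiality: an employee must not learn the manager's salary.
        self._decide(actor, "read", target,
                     actor == target or "payroll" in self.roles.get(actor, set()))
        return self.salaries[target]

    def set_salary(self, actor, target, amount):
        # Integrity: nobody, not even payroll, may modify their own salary.
        self._decide(actor, "write", target,
                     "payroll" in self.roles.get(actor, set()) and actor != target)
        self.salaries[target] = amount
        return amount

def attempt(fn, *args):
    # Run one access attempt and report the result instead of raising.
    try:
        return fn(*args)
    except PermissionError:
        return "denied"

def demo():
    p = Payroll(salaries={"alice": 50_000, "bob": 90_000, "carol": 60_000},
                roles={"alice": {"employee"}, "bob": {"manager"}, "carol": {"payroll"}})
    results = {
        "own_read": attempt(p.read_salary, "alice", "alice"),             # 50000
        "manager_read": attempt(p.read_salary, "alice", "bob"),           # denied
        "self_write": attempt(p.set_salary, "alice", "alice", 99_000),    # denied
        "payroll_self": attempt(p.set_salary, "carol", "carol", 99_000),  # denied
        "payroll_write": attempt(p.set_salary, "carol", "alice", 52_000), # 52000
    }
    results["denials"] = sum(1 for e in p.audit if e[3] == "DENY")       # 3
    return results
```

Availability is the one property this check cannot show; it is a matter of the payroll job running on time, not of who is allowed to do what.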
Military Example
• Confidentiality —The target coordinates of a
missile should not be improperly disclosed
• Integrity —The target coordinates of a missile
should not be improperly modified
• Availability —When the proper command is
issued the missile should fire
Security Trends 2015
• Cybercriminals are becoming more
sophisticated and collaborative with every
coming year.
• To combat the threat in 2015, information
security professionals must understand these
five trends:
1. Cybercrime
cont
• The Internet is an increasingly attractive hunting
ground for criminals, activists and terrorists
motivated to make money, get noticed, cause
disruption or even bring down corporations and
governments through online attacks.
• Today's cybercriminals primarily operate out of
the former Soviet states.
• They are highly skilled and equipped with very
modern tools — they often use 21st century tools
to take on 20th century systems.
cont
• In 2015, organizations must be prepared for the
unpredictable so they have the resilience to
withstand unforeseen, high impact events.
• "Cybercrime, along with the increase in online
causes (hacktivism), the increase in cost of
compliance to deal with the uptick in regulatory
requirements coupled with the relentless
advances in technology against a backdrop of
under investment in security departments, can all
combine to cause the perfect threat storm.
cont
• Organizations that identify what the business
relies on most will be well placed to quantify
the business case to invest in resilience,
therefore minimizing the impact of the
unforeseen."
2. Privacy and Regulation
• Most governments have already created, or are in
the process of creating, regulations that impose
conditions on the safeguard and use of Personally
Identifiable Information (PII), with penalties for
organizations that fail to sufficiently protect it.
• As a result, organizations need to treat privacy as
both a compliance and business risk issue, in
order to reduce regulatory sanctions and
business costs such as reputational damage and
loss of customers due to privacy breaches.
cont
• The patchwork nature of regulation around
the world is likely to become an increasing
burden on organizations in 2015.
• Organizations should look upon the EU's
struggles with data breach regulation and
privacy regulation as a temperature gauge and
plan accordingly.
3. Threats From Third-Party Providers
• Supply chains are a vital component of every
organization's global business operations and the
backbone of today's global economy.
• However, security chiefs everywhere are growing more
concerned about how open they are to numerous risk
factors.
• A range of valuable and sensitive information is often
shared with suppliers, and when that information is
shared, direct control is lost.
• This leads to an increased risk of its confidentiality,
integrity or availability being compromised.
4. BYOx Trends in the Workplace
• The bring-your-own (BYO) trend is here to stay
whether organizations like it or not, and few
organizations have developed good policy
guidelines to cope.
• As the trend of employees bringing mobile
devices, applications and cloud-based storage
and access in the workplace continues to grow,
businesses of all sizes are seeing information
security risks being exploited at a greater rate
than ever before.
cont
• These risks stem from both internal and external
threats including mismanagement of the device
itself, external manipulation of software
vulnerabilities and the deployment of poorly
tested, unreliable business applications.
• If you determine the BYO risks are too high for
your organization today, you should at least make
sure to stay abreast of developments.
• If you decide the risks are acceptable, make sure
you establish a well-structured BYOx program.
5. Engagement With Your People
• And that brings us full circle to every
organization's greatest asset and most vulnerable
target: people.
• Over the past few decades, organizations have
spent millions, if not billions, of dollars on
information security awareness activities.
• The rationale behind this approach was to take
their biggest asset — people — and change their
behavior, thus reducing risk by providing them
with knowledge of their responsibilities and what
they need to do.
cont
• But this has been — and will continue to be — a losing
proposition.
• Instead, organizations need to make positive security
behaviors part of the business process, transforming
employees from risks into the first line of defense in
the organization's security posture.
• As we move into 2015, organizations need to shift from
promoting awareness of the problem to creating
solutions and embedding information security
behaviors that affect risk positively.
• The risks are real because people remain a ‘wild card’.
Security Incidents
• What is an Information Security Incident?
• Where university information is concerned, an
information security incident can be defined
as any event or set of circumstances
threatening its confidentiality, its integrity or
its availability.
Examples of information security incidents
• Examples of information security incidents can
include but are not limited to:
• The disclosure of confidential information to
unauthorised individuals
• Loss or theft of paper records, data or
equipment, e.g. laptops, smartphones or memory
sticks on which data is stored
cont
• Inappropriate access controls allowing
unauthorised use of information
• Suspected breach of the University IT and
Communications Acceptable Use Policy
• Attempts to gain unauthorised access to
computer systems, e.g. hacking
• Records altered or deleted without authorisation
by the data “owner”
• Virus or other security attack on IT equipment
systems or networks
cont
• “Blagging” offence where information is obtained
by deception
• Breaches of physical security, e.g. forcing the doors
or windows of a secure room, or a filing cabinet
containing confidential information left unlocked
in an accessible area
• Leaving IT equipment unattended when logged-in
to a user account without locking the screen to
stop others accessing information
cont
• Covert or unauthorised recording of meetings
and presentations
• Insecure disposal of paper documents or IT
and communications equipment allowing
others to recover and read confidential
information
Why Security?
• Computers and networks are the nerves of the
basic services and critical infrastructures in
our society
– Financial services and commerce
– Transportation
– Power grids
– Etc.
• Computers and networks are targets of attacks
by our adversaries.
cont
• In today's high technology environment, organisations
are becoming more and more dependent on their
information systems.
• The public is increasingly concerned about the proper
use of information, particularly personal data.
• The threats to information systems from criminals and
terrorists are increasing.
• Many organisations will identify information as an area
of their operation that needs to be protected as part of
their system of internal control.
cont
• Competitive advantage … is dependent on
superior access to information.
• Information is the oxygen of the modern age.
• It seeps through the walls topped by barbed wire,
it wafts across the electrified borders.
• It is vital to be worried about information security
because much of the value of a business is
concentrated in the value of its information.
• Information is, as Grant says, the basis of
competitive advantage.
cont
• And in the not-for-profit sector, with increased
public awareness of identity theft and the
power of information, it is also, the area of an
organisation's operations that most needs
control.
• Without information, neither businesses nor
the not-for-profit sector could function.
Valuing and protecting information are crucial
tasks for the modern organisation.
Growing IT Security Importance and New Career Opportunities
• The increased risk of cyber-attacks is driving a
demand for cyber-security professionals.
• Telecommunications: Network architects are
essential to the security infrastructure.
Individuals with experience in creating and
working with cloud networks—and who
understand business processes and network-aware devices—will make the greatest
contribution.
cont
• Programming: Experience working with
secure life cycle development, along with an
understanding of coding practices and code
review, can translate into all aspects of
security analysis—from basic event
management to forensics and incident
response.
cont
• Cloud Storage: As data moves into public and
private clouds, professionals who have an
understanding of how the cloud is being used
from a variety of aspects—such as service
planning, architecture and data flow through
each layer in the cloud network—may be
equipped to handle security and compliance
controls.
cont
• Database: As we begin to take advantage of
big data to analyze historical trends and
correlations in our networks and beyond, we
need people with a blend of knowledge about
database technology, coupled with analytic,
statistical and mathematical skills to sort
through data elements and find valuable
relationships.
cont
• Security Pros Need Soft Skills
• Cyber-security professionals obviously need a
baseline of technology skills, but on its own,
tech savvy is not enough. People in security
also need to have soft skills and some
distinctive personality traits. These include the
following:
cont
• Inquisitive minds: Workers who display
detective-like thought processes that enable
them to analyze how to do and use things
differently than intended are often the best
analysts, researchers and operational
specialists.
cont
• Knowledge of psychology, sociology and
organizational behavior: With so many
vulnerabilities created by human error, it is
critical to be well-trained in business
processes; be able to think the way users
think; and be able to predict how users might
deviate from best practices—inadvertently or
not.
cont
• Open-minded nature: The threat landscape
changes rapidly. We may need to tear down
infrastructure tomorrow that we built today.
Cyber-professionals must be able to adapt
quickly to situational changes.
Twelve (12) Information Security Principles
• Principle 1: Focus on the Business
• Connect with business leaders to make sure
security is a part of business and risk
management processes.
Principle 2
• Deliver quality and value:
• Communicate with stakeholders so that
changing security requirements can be met and
to promote the value of information security,
both financial and non-financial.
Principle 3
• Comply with relevant legal and regulatory
requirements:
• Avoid civil or criminal penalties by identifying
compliance obligations and translating them
into information security requirements. The
penalties should be made clear.
Principle 4
• Accurately report security performance:
• Use security metrics such as compliance,
incidents, control status and cost to
demonstrate how security performance is
helping the company meet its objectives.
Principle 5
• Evaluate current and future threats:
• Trends and security threats should be defined
and monitored so that you can address them
proactively – before you have a security
problem.
Principle 6
• Promote continuous improvement:
• Reduce costs, improve efficiency and promote a
culture of security by sharing information within
your organization. Keep your IT department
agile and always striving for improvement.
Principle 7
• Adopt a risk-based approach:
• Address options for assessing risk and
document procedures in a consistent manner.
Decide which treatment your plan applies: accepting risk,
avoiding risk, transferring risk or mitigating risk.
Principle 8
• Protect classified information:
• Identify and classify information according to
its level of confidentiality and protect it
accordingly through all stages of the
information lifecycle.
Principle 9
• Concentrate on critical business applications:
• Prioritize security resources to protect
business applications where security incidents
would have greatest impact on the business.
Principle 10
• Develop systems securely:
• Build quality, cost-effective systems that
business can rely on. Make information
security an integral part of the design.
Principle 11
• Act in a professional and ethical manner:
• Security relies on the ability of your team to
perform duties in a responsible way while
understanding the integrity of the information
they are protecting. Support and respect the
needs of the business.
Principle 12
• Foster a security-positive culture:
• Make information security part of “business-as-usual”. Educate users on how to protect
critical information and systems. Make users
aware of the threats and risks they face.