Transcript Chapter 1

Business Plug-In B6
Information Security
McGraw-Hill/Irwin
© 2008 The McGraw-Hill Companies, All Rights Reserved
LEARNING OUTCOMES
1. Describe the relationship between information security policies and an information security plan
2. Summarize the five steps to creating an information security plan
3. Provide an example of each of the three primary security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response
4. Describe the relationships and differences between hackers and viruses
INTRODUCTION
• Information security – a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization
• This plug-in discusses how organizations can implement information security lines of defense through people first and technology second
The First Line of Defense - People
• The biggest issue surrounding information security is not a technical issue, but a people issue
• 38% of security incidents originate within the organization
– Insiders
– Social engineering
The First Line of Defense - People
• The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
– Information security policies – identify the rules required to maintain information security
– Information security plan – details how an organization will implement the information security policies
The First Line of Defense - People
• Five steps to creating an information security plan
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support
The Second Line of Defense - Technology
• Three primary information security areas
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response
AUTHENTICATION AND AUTHORIZATION
• Authentication – a method for confirming users’ identities
• Authorization – the process of giving someone permission to do or have something
• The most secure type of authentication involves a combination of the following:
1. Something the user knows such as a user ID and password
2. Something the user has such as a smart card or token
3. Something that is part of the user such as a fingerprint or voice signature
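An added example, not from the textbook, of how the combination above is checked in code. The first factor (something the user knows) is a password verified against a salted PBKDF2 hash rather than a stored password; the second factor (something the user has) is the six-digit one-time code that a token or authenticator app shows, generated with the TOTP algorithm of RFC 6238. The user record, the salt and the shared token secret are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo salt; a real system stores a random salt per user.
DEMO_SALT = b"constructed-demo-salt"


def hash_password(password: str, salt: bytes) -> bytes:
    """Something the user knows: keep a slow, salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Something the user has: the code a TOTP token displays at `unix_time`.

    RFC 6238: HMAC-SHA1 over the 30-second time counter, dynamic truncation,
    then the low `digits` decimal digits. Hardware tokens and authenticator
    apps compute exactly this from the secret shared at enrollment.
    """
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed user store: one user enrolled with a password and a token secret.
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_secret": b"constructed-shared-token-secret",
    }
}


def authenticate(username: str, password: str, code: str, unix_time: int) -> bool:
    """Two-factor check: the password AND the current token code must both match."""
    user = USERS.get(username)
    if user is None:
        # Spend the same hashing cost for unknown names so that response time
        # does not reveal which user IDs exist.
        hash_password(password, DEMO_SALT)
        return False
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password, DEMO_SALT))
    # Accept the current and the previous 30-second window to tolerate clock drift.
    expected = {totp(user["totp_secret"], unix_time),
                totp(user["totp_secret"], unix_time - 30)}
    code_ok = any(hmac.compare_digest(exp, code) for exp in expected)
    return pw_ok and code_ok


if __name__ == "__main__":
    now = 1_700_000_000
    good_code = totp(USERS["alice"]["totp_secret"], now)
    print("password + token:", authenticate("alice", "correct horse battery staple", good_code, now))
    print("password + stale token:", authenticate("alice", "correct horse battery staple",
                                                  totp(USERS["alice"]["totp_secret"], now - 3600), now))
```

Both checks are evaluated before the result is returned, and comparisons use `hmac.compare_digest`, so a failed login does not tell the caller which factor was wrong or leak anything through timing.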
Something the User Knows such as a User ID and Password
• User IDs and passwords are the most common way to identify individual users, and are the most ineffective form of authentication
• Identity theft – the forging of someone’s identity for the purpose of fraud
• Phishing – a technique to gain personal information for the purpose of identity theft
Something the User Has such as a Smart Card or Token
• Smart cards and tokens are more effective than a user ID and a password
– Token – a small electronic device that changes user passwords automatically
– Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
Something That Is Part of the User such as a Fingerprint or Voice Signature
• This is by far the best and most effective way to manage authentication
– Biometrics – the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting
• Unfortunately, this method can be costly and intrusive
PREVENTION AND RESISTANCE
• Downtime can cost an organization anywhere from $100 to $1 million per hour
• Technologies available to help prevent and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls
Content Filtering
• Organizations can use content filtering technologies to filter e-mail, prevent e-mails containing sensitive information from being transmitted, and stop spam and viruses from spreading
– Content filtering – occurs when organizations use software that filters content to prevent the transmission of unauthorized information
– Spam – a form of unsolicited e-mail
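An added example, not from the textbook, of both directions of content filtering described above. Outbound messages are scanned for payment card numbers (digit runs that pass the Luhn checksum) and for a confidentiality marker, and held if either is present; inbound messages are scored against a short spam phrase list and quarantined above a threshold. The sample messages, the phrase list and the threshold are constructed for the demo.

```python
import re

# Digit runs of 13 to 19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SENSITIVE_MARKERS = ("confidential", "internal only")
# Constructed spam phrase weights; real filters learn these from labelled samples.
SPAM_PHRASES = {"act now": 2, "free money": 3, "click here": 1, "winner": 1, "limited time": 1}
SPAM_THRESHOLD = 3


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment cards; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in `text` that look like valid card numbers."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def filter_outbound(body: str) -> tuple:
    """Decide whether an outbound e-mail may leave the organization."""
    reasons = []
    if find_card_numbers(body):
        reasons.append("payment card number present")
    lowered = body.lower()
    for marker in SENSITIVE_MARKERS:
        if marker in lowered:
            reasons.append(f"marked '{marker}'")
    return ("block", reasons) if reasons else ("allow", [])


def spam_score(body: str) -> int:
    """Sum the weights of every spam phrase found in the message."""
    lowered = body.lower()
    return sum(weight for phrase, weight in SPAM_PHRASES.items() if phrase in lowered)


def filter_inbound(body: str) -> str:
    """Quarantine inbound mail whose spam score reaches the threshold."""
    return "quarantine" if spam_score(body) >= SPAM_THRESHOLD else "deliver"


# Constructed sample messages.
OUTBOUND_LEAK = "Hi, please charge card 4111 1111 1111 1111, exp 12/27. Thanks!"
OUTBOUND_OK = "Meeting moved to 3pm. Reference number 4111 1111 1111 1112."
INBOUND_SPAM = "WINNER! Free money is waiting, act now and click here."
INBOUND_OK = "Agenda for Thursday's review attached."

if __name__ == "__main__":
    for msg in (OUTBOUND_LEAK, OUTBOUND_OK):
        print("outbound:", filter_outbound(msg))
    for msg in (INBOUND_SPAM, INBOUND_OK):
        print("inbound:", filter_inbound(msg))
```

The Luhn check is what keeps the outbound filter usable: a plain 16-digit pattern would also block order numbers and phone numbers, while a digit run that fails the checksum (the second sample) is passed through.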
Content Filtering
• Chart: Worldwide corporate losses caused by spam (in billions)
ENCRYPTION
• If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
– Encryption – scrambles information into an alternative form that requires a key or password to decrypt the information
– Public key encryption – uses two keys: a public key that everyone can have and a private key for only the recipient
FIREWALLS
• One of the most common defenses for preventing a security breach is a firewall
– Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network
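An added example, not from the textbook, of the analysis a firewall performs on information entering and leaving a private network: a small rule-based packet filter where rules are checked top to bottom, the first match decides, and anything unmatched is dropped. The private address range, the public web server, the external DNS resolver and the rule set are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str              # "in" = entering the private network, "out" = leaving it
    protocol: str               # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]     # None matches any port


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    dst_port: int


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


ANY = net("0.0.0.0/0")
PRIVATE = net("10.0.0.0/8")            # constructed private network behind the firewall
WEB_SERVER = net("10.0.1.10/32")       # constructed public-facing web server
RESOLVER = net("198.51.100.53/32")     # constructed external DNS resolver

# Constructed rule set: first match wins, unmatched packets are dropped (default deny).
RULES = [
    Rule("deny",  "in",  "any", PRIVATE, ANY, None),     # inbound packet claiming an inside source is spoofed
    Rule("allow", "in",  "tcp", ANY, WEB_SERVER, 443),   # public HTTPS to the web server only
    Rule("allow", "in",  "tcp", ANY, WEB_SERVER, 80),    # public HTTP to the web server only
    Rule("allow", "out", "tcp", PRIVATE, ANY, 443),      # staff web browsing
    Rule("allow", "out", "udp", PRIVATE, RESOLVER, 53),  # DNS to the approved resolver only
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (rule.direction == pkt.direction
            and rule.protocol in ("any", pkt.protocol)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def decide(pkt: Packet, rules=RULES) -> str:
    """Return 'allow' or 'deny' for one packet."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.7", "10.0.1.10", 443),    # visitor to the web site
        Packet("in", "tcp", "203.0.113.7", "10.0.1.10", 22),     # SSH from the Internet
        Packet("in", "tcp", "10.0.0.99", "10.0.1.10", 443),      # spoofed inside address
        Packet("out", "udp", "10.0.5.20", "8.8.8.8", 53),        # DNS to an unapproved resolver
    ]
    for pkt in samples:
        print(decide(pkt), pkt)
```

Because the default is deny, only the services the organization deliberately exposes (here, HTTP and HTTPS on one server) are reachable from outside, and outbound traffic is restricted to what staff need, which also limits where compromised internal machines can send data.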
FIREWALLS
• Figure: Sample firewall architecture connecting systems located in Chicago, New York, and Boston
DETECTION AND RESPONSE
• If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
• Antivirus software is the most common type of detection and response technology
DETECTION AND RESPONSE
• Hacker – people very knowledgeable about computers who use their knowledge to invade other people’s computers
– White-hat hacker
– Black-hat hacker
– Hacktivist
– Script kiddies or script bunnies
– Cracker
– Cyberterrorist
DETECTION AND RESPONSE
• Virus – software written with malicious intent to cause annoyance or damage
– Worm
– Denial-of-service attack (DoS)
– Distributed denial-of-service attack (DDoS)
– Trojan-horse virus
– Backdoor program
– Polymorphic virus and worm
DETECTION AND RESPONSE
• Security threats to e-business include:
– Elevation of privilege
– Hoaxes
– Malicious code
– Spoofing
– Spyware
– Sniffer
– Packet tampering
Closing Case One
Thinking Like the Enemy
• The Intense School offers several security courses, including the five-day “Professional Hacking Boot Camp” and “Social Engineering in Two Days”
• Main philosophy of the Intense School is “To Know Thy Enemy”
• The school is taught by several notorious hackers
Closing Case One Questions
1. How could an organization benefit from attending one of the courses offered at the Intense School?
2. What are the two primary lines of security defense and how can organizational employees use the information taught by the Intense School when drafting an information security plan?
3. Determine the difference between the two primary courses offered at the Intense School, “Professional Hacking Boot Camp” and “Social Engineering in Two Days.” Which course is more important for organizational employees to attend?
Closing Case One Questions
4. If your employer sent you to take a course at the Intense School, which one would you choose and why?
5. What are the ethical dilemmas involved with having such a course offered by a private company?
Closing Case Two
Hacker Hunters
• Hackers are a new breed of crime fighters
• Operation Firewall, targeting the ShadowCrew, a gang whose members were schooled in identity theft, bank account pillage, and selling illegal goods on the Internet, arrested 28 gang members in eight states and six countries
Closing Case Two Questions
1. What types of technology could big retailers use to prevent identity thieves from purchasing merchandise?
2. What can organizations do to protect themselves from hackers looking to steal account data?
3. Authorities frequently tap online service providers to track down hackers. Do you think it is ethical for authorities to tap an online service provider and read people’s e-mail? Why or why not?
Closing Case Two Questions
4. Do you think it was ethical for authorities to use one of the high-ranking officials to trap other gang members? Why or why not?
5. In a team, research the Internet and find the best ways to protect yourself from identity theft