Chapter 2
The Need for Security
Introduction
• Primary mission of information security is to ensure that
systems and their contents remain as intended: unaltered by
unauthorized parties and available for legitimate use
• If no threats existed, resources could be focused on
improving systems, resulting in vast improvements in
ease of use and usefulness
• Attacks on information systems are a daily
occurrence
Principles of Information
Security, Fourth Edition
Business Needs First
• Information security performs four important functions
for an organization
– Protects the organization’s ability to function
– Enables safe operation of applications implemented on its IT
systems
– Protects data the organization collects and uses
– Safeguards technology assets in use
Protecting the Functionality of an
Organization
• Management (general and IT) responsible for
implementation
• Information security is both management issue
and people issue
• Organization should address information
security in terms of business impact and cost
Enabling the Safe Operation of
Applications
• Organization needs environments that safeguard
applications using IT systems
• Management must continue to oversee
infrastructure once in place—not relegate to IT
department
Protecting Data that Organizations
Collect and Use
• Organization, without data, loses its record of
transactions and/or ability to deliver value to
customers
• Protecting data in motion and data at rest are
both critical aspects of information security
Safeguarding Technology Assets in
Organizations
• Organizations must have secure infrastructure
services based on size and scope of enterprise
• Additional security services may be needed as
organization grows
• More robust solutions may be needed to
replace security programs the organization
has outgrown
THREATS
• Threat: an object, person, or other entity that represents a constant
danger to an asset
• Management must be informed of the different threats facing the
organization
Table 2-1 Threats to Information Security
Compromises to Intellectual
Property
• Intellectual property (IP): “ownership of ideas and
control over the tangible or virtual representation of
those ideas”
• The most common IP breaches involve software piracy
• Two watchdog organizations investigate software abuse:
– Software & Information Industry Association (SIIA)
– Business Software Alliance (BSA)
• Enforcement of copyright law has been attempted with
technical security mechanisms
Deliberate Software Attacks
• Malicious software (malware) designed to damage,
destroy, or deny service to target systems
• Includes:
– Viruses
– Worms
– Trojan horses
– Logic bombs
– Polymorphic threats
– Rootkit
– Man-in-the-middle (strictly an attack technique rather than a
malware family, though malware is often what carries it out)
– Ransomware
– Adware
– Bot
Deviations in Quality of Service
• Includes situations where products or services
are not delivered as expected
• Information system depends on many
interdependent support systems
• Internet service, communications, and power
irregularities dramatically affect availability of
information and systems
Deviations in Quality of Service
(cont’d.)
• Internet service issues
– Internet service provider (ISP) failures can considerably
undermine availability of information
– Outsourced Web hosting provider assumes responsibility
for all Internet services as well as hardware and Web site
operating system software
• Communications and other service provider issues
– Other utility services affect organizations: telephone,
water, wastewater, trash pickup, etc.
– Loss of these services can affect organization’s ability to
function
Deviations in Quality of Service
(cont’d.)
• Power irregularities
– Commonplace
– Organizations with inadequately
conditioned power are susceptible
– Controls can be applied to manage power
quality
– Fluctuations (short or prolonged)
• Excesses (spikes or surges) – voltage increase
• Shortages (sags or brownouts) – low voltage
• Losses (faults or blackouts) – loss of power
Espionage or Trespass
• Access of protected information by
unauthorized individuals
• Shoulder surfing can occur anywhere a
person accesses confidential information
• Hackers use skill, guile, or fraud to bypass
controls protecting others’ information
Figure 2-5 Shoulder Surfing
Figure 2-6 Hacker Profiles
Espionage or Trespass (cont’d.)
• Expert hacker
– Develops software scripts and program exploits
– Usually a master of many skills
– Will often create attack software and share with
others
• Unskilled hacker
– Many more unskilled hackers than expert hackers
– Use expertly written software to exploit a system
– Do not usually fully understand the systems they
hack
Espionage or Trespass (cont’d.)
• Other terms for system rule breakers:
– Cracker: “cracks” or removes software
protection designed to prevent
unauthorized duplication
– Phreaker: hacks the public telephone
network
Forces of Nature
• Forces of nature are among the most dangerous
threats
• Disrupt not only individual lives, but also storage,
transmission, and use of information
• Organizations must implement controls to limit
damage and prepare contingency plans for
continued operations
Human Error or Failure
• Includes acts performed without malicious
intent
• Causes include:
– Inexperience
– Improper training
– Incorrect assumptions
• Employees are among the greatest threats to
an organization’s data
Human Error or Failure (cont’d.)
• Employee mistakes can easily lead to:
– Revelation of classified data
– Entry of erroneous data
– Accidental data deletion or modification
– Data storage in unprotected areas
– Failure to protect information
• Many of these threats can be prevented with
controls
Figure 2-8 Acts of Human Error or Failure
Information Extortion
• Attacker steals information from computer
system and demands compensation for its
return or nondisclosure
• Commonly done in credit card number theft
Missing, Inadequate, or
Incomplete Organizational Policy
or Planning and Controls
• Can make organizations vulnerable to loss,
damage, or disclosure of information assets
• Can make an organization more likely to
suffer losses when other threats lead to
attacks
Sabotage or Vandalism
• Threats can range from petty vandalism to organized
sabotage
• Web site defacing can erode consumer confidence,
dropping sales and organization’s net worth
• Threat of hacktivist or cyber-activist operations rising
• Cyberterrorism: much more sinister form of hacking
Theft
• Illegal taking of another’s physical,
electronic, or intellectual property
• Physical theft is controlled relatively easily
• Electronic theft is more complex problem;
evidence of crime not readily apparent
Technical Hardware Failures or
Errors
• Occur when manufacturer distributes
equipment containing flaws to users
• Can cause system to perform outside of
expected parameters, resulting in
unreliable or poor service.
• Some errors are terminal; some are
intermittent
Technical Software Failures or Errors
• Purchased software that contains unrevealed
faults.
• Combinations of certain software and
hardware can reveal new software bugs.
• Entire Web sites dedicated to documenting
bugs.
Technological Obsolescence
• Antiquated/outdated infrastructure can
lead to unreliable, untrustworthy systems
• Proper managerial planning should prevent
technology obsolescence
• IT plays large role
Attacks
• Attacks
– Acts or actions that exploit a vulnerability (i.e., an identified weakness) in a
controlled system
– Accomplished by threat agent that damages or steals organization’s
information
• Types of attacks
– Malicious code: includes execution of viruses, worms, Trojan horses, and
active Web scripts with intent to destroy or steal information
– Hoaxes: transmission of a virus hoax with a real virus attached; more devious
form of attack.
Attacks (cont’d.)
• Types of attacks (cont’d.)
– Back door: gaining access to system or network
using known or previously unknown/newly
discovered access mechanism
– Password crack: attempting to recover a password from
its stored hash; because the hash is one-way, this means
hashing candidate passwords and comparing the results
– Brute force: trying every possible combination of
options of a password
– Dictionary: selects specific accounts to attack and
uses commonly used passwords (i.e., the
dictionary) to guide guesses
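As an added example (not part of the textbook slides), the following Python shows why a dictionary attack is so much cheaper than brute force against a fast, unsalted hash, and how a salted, iterated hash such as PBKDF2 raises the cost of every guess. The wordlist, the victim passwords, the character set and the iteration count are assumptions made for the demonstration.

```python
"""Dictionary attack, brute force, and the slow-hash defence.

Added example, not from the textbook. The wordlist, the victim passwords
and the PBKDF2 iteration count are constructed for the demonstration.
"""
import hashlib
import hmac
import itertools
import os
import string
from typing import Iterable, Optional, Tuple

# Constructed "leaked" wordlist of commonly used passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "summer2019"]


def fast_hash(password: str) -> str:
    """Unsalted single-round SHA-256: what a naive password store looks like."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each wordlist entry; cost is one hash per candidate."""
    for candidate in wordlist:
        if hmac.compare_digest(fast_hash(candidate), target_hash):
            return candidate
    return None


def brute_force(target_hash: str, alphabet: str, max_len: int) -> Tuple[Optional[str], int]:
    """Enumerate every string over `alphabet` up to `max_len`.

    Returns (password, attempts); attempts grows as sum(len(alphabet) ** n).
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hmac.compare_digest(fast_hash(candidate), target_hash):
                return candidate, attempts
    return None, attempts


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Candidates a full brute force must consider for lengths 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def slow_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: every guess now costs `iterations` HMACs,
    and the per-user salt defeats precomputed (rainbow) tables."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_slow(password: str, salt: bytes, stored: bytes, iterations: int = 600_000) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the hash."""
    return hmac.compare_digest(slow_hash(password, salt, iterations), stored)


if __name__ == "__main__":
    stolen = fast_hash("letmein")  # constructed victim hash
    print("dictionary hit:", dictionary_attack(stolen, WORDLIST))
    pw, tries = brute_force(fast_hash("ab1"), string.ascii_lowercase + string.digits, 3)
    print("brute force hit:", pw, "after", tries, "attempts")
    print("8 chars from 95 printable ASCII:", keyspace(95, 8), "candidates")
    salt = os.urandom(16)
    stored = slow_hash("letmein", salt)
    print("PBKDF2 verify correct:", verify_slow("letmein", salt, stored))
    print("PBKDF2 verify wrong:", verify_slow("password", salt, stored))
```

The dictionary finds a weak password in a handful of hashes, while a full brute force of eight printable characters has to consider more than six quadrillion candidates; with PBKDF2 each of those candidates costs hundreds of thousands of HMAC evaluations instead of one.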
Attacks (cont’d.)
• Types of attacks (cont’d.)
– Denial-of-service (DoS): attacker sends large
number of connection or information requests to a
target
• Target system cannot handle successfully along
with other, legitimate service requests
• May result in system crash or inability to
perform ordinary functions
– Distributed denial-of-service (DDoS): coordinated
stream of requests is launched against target from
many locations simultaneously
Figure 2-11 Denial-of-Service Attacks
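The distinction between DoS (one source floods the target) and DDoS (many sources, each sending a modest amount) is visible in connection logs. The following Python is an added example, not from the textbook: it buckets constructed log lines into fixed windows and applies a per-source rule for DoS and an aggregate-plus-distinct-sources rule for DDoS. The log format, the sample traffic and the thresholds are assumptions and would be tuned to a real baseline.

```python
"""Rate-based DoS / DDoS detection over connection logs.

Added example, not from the textbook. The log format, the sample traffic and
the thresholds are constructed; tune thresholds to a real baseline.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple


def make_sample_log() -> List[str]:
    """Constructed log: "<ISO time> <src_ip> -> <dst_ip>:<port>" per line."""
    lines = []
    for client in range(3):                      # three normal clients
        for sec in range(2):
            lines.append(f"2024-05-01T10:00:0{sec} 10.1.1.{client + 1} -> 192.0.2.10:443")
    for n in range(50):                          # single-source flood (DoS)
        lines.append(f"2024-05-01T10:00:0{n % 10} 10.1.1.5 -> 192.0.2.10:443")
    for host in range(40):                       # 40 hosts, 3 requests each (DDoS)
        for sec in range(3):
            lines.append(f"2024-05-01T10:01:0{sec} 198.51.100.{host + 1} -> 192.0.2.20:80")
    return lines


def parse_line(line: str) -> Tuple[datetime, str, str]:
    ts, src, _arrow, dst_port = line.split()
    return datetime.fromisoformat(ts), src, dst_port.rsplit(":", 1)[0]


def analyze(lines, window_s=10, per_source=20, ddos_total=100, ddos_sources=25) -> Dict[str, list]:
    """Bucket requests into fixed windows (window_s must divide 60) and apply:
    DoS  - one source exceeds `per_source` requests to one target in a window;
    DDoS - a target receives more than `ddos_total` requests from at least
           `ddos_sources` distinct sources in a window.
    """
    src_count = defaultdict(int)       # (window, src, dst) -> requests
    dst_sources = defaultdict(set)     # (window, dst) -> distinct sources
    dst_count = defaultdict(int)       # (window, dst) -> requests
    for line in lines:
        ts, src, dst = parse_line(line)
        window = ts.replace(second=ts.second - ts.second % window_s, microsecond=0)
        src_count[(window, src, dst)] += 1
        dst_sources[(window, dst)].add(src)
        dst_count[(window, dst)] += 1
    dos = sorted((w, s, d, n) for (w, s, d), n in src_count.items() if n > per_source)
    ddos = sorted(
        (w, d, dst_count[(w, d)], len(srcs))
        for (w, d), srcs in dst_sources.items()
        if dst_count[(w, d)] > ddos_total and len(srcs) >= ddos_sources
    )
    return {"dos": dos, "ddos": ddos}


if __name__ == "__main__":
    report = analyze(make_sample_log())
    for w, s, d, n in report["dos"]:
        print(f"DoS  {w:%H:%M:%S} {s} -> {d}: {n} requests")
    for w, d, total, k in report["ddos"]:
        print(f"DDoS {w:%H:%M:%S} -> {d}: {total} requests from {k} sources")
```

Note that none of the forty DDoS hosts trips the per-source rule on its own, which is exactly why a per-source block list is not enough against a distributed attack and the target-side aggregate has to be watched as well.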
Attacks (cont’d.)
• Types of attacks (cont’d.)
– Spoofing: technique used to gain
unauthorized access; intruder assumes a
trusted IP address
– Man-in-the-middle: attacker monitors
network packets, modifies them, and
inserts them back into network
– Mail bombing: also a DoS; attacker routes
large quantities of e-mail to target
Figure 2-12 IP Spoofing
Figure 2-13 Man-in-the-Middle Attack
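The man-in-the-middle and sniffer items above describe an attacker who can read and rewrite packets in transit. The following Python is an added example, not from the textbook, simulating that channel: a passive sniffer reads the payload, an active attacker rewrites it, and the receiver detects the rewrite with an HMAC tag and detects a replayed frame with a sequence number. The frame layout, shared key and messages are constructed; encryption is deliberately omitted so the sniffer's view stays visible, whereas a real protocol such as TLS or IPsec provides both.

```python
"""Man-in-the-middle tampering and replay against an HMAC-authenticated channel.

Added example, not from the textbook. The frame layout (4-byte sequence number,
payload, 32-byte HMAC-SHA256 tag), the shared key and the messages are
constructed. Encryption is deliberately left out so the sniffer's view stays
visible; a real protocol (TLS, IPsec) provides both.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional

TAG_LEN = 32   # HMAC-SHA256 digest size
SEQ_LEN = 4


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, payload: bytes) -> bytes:
        """Frame = seq || payload || HMAC(key, seq || payload)."""
        self.seq += 1
        header = struct.pack(">I", self.seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0

    def receive(self, frame: bytes) -> Optional[bytes]:
        """Return the payload, or None if the tag fails or the frame is a replay."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # modified in transit or forged
        (seq,) = struct.unpack(">I", header)
        if seq <= self.last_seq:
            return None                       # replay of an already accepted frame
        self.last_seq = seq
        return payload


def sniff(frame: bytes) -> bytes:
    """Passive sniffer: without encryption the payload is readable in the clear."""
    return frame[SEQ_LEN:-TAG_LEN]


def tamper(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Active man-in-the-middle: rewrite bytes in the payload region and forward."""
    return frame[:SEQ_LEN] + frame[SEQ_LEN:-TAG_LEN].replace(old, new) + frame[-TAG_LEN:]


def demo() -> Dict[str, Optional[bytes]]:
    key = b"constructed-shared-key"        # constructed; in practice from a key exchange
    sender, receiver = Sender(key), Receiver(key)
    out: Dict[str, Optional[bytes]] = {}
    # Unauthenticated channel: the tampered message is simply accepted as-is.
    out["no_mac"] = b"PAY 100 TO ALICE".replace(b"ALICE", b"MALLY")
    f1 = sender.send(b"PAY 100 TO ALICE")
    out["sniffed"] = sniff(f1)                                   # readable
    out["legit"] = receiver.receive(f1)                          # accepted
    out["replay"] = receiver.receive(f1)                         # rejected: seq reused
    f2 = sender.send(b"PAY 100 TO ALICE")
    out["tampered"] = receiver.receive(tamper(f2, b"ALICE", b"MALLY"))  # rejected: tag mismatch
    out["later_genuine"] = receiver.receive(f2)                  # still accepted
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13s} {v!r}")
```

The tag stops modification but not reading, and a tag alone does not stop the attacker from re-sending a frame the receiver already accepted; the sequence number covered by the tag closes that gap.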
Attacks (cont’d.)
• Types of attacks (cont’d.)
– Sniffers: program or device that monitors data
traveling over network; can be used both for
legitimate purposes and for stealing information
from a network
– Phishing: an attempt to gain personal/financial
information from individual, usually by posing as
legitimate entity
– Pharming: redirection of legitimate Web traffic
(e.g., browser requests) to illegitimate site for the
purpose of obtaining private information
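Both phishing (posing as a legitimate entity) and pharming (redirecting requests for a legitimate site) leave artifacts a defender can check for. The following Python is an added example, not from the textbook: one function flags links whose host is a typosquat, an IDN (punycode) host, or a brand name embedded under someone else's domain, and another flags static hosts-file entries that pin a brand domain to an address. The brand list, the URLs and the hosts-file content are constructed, and the two-label "registrable domain" rule is a simplification that a production check would replace with the Public Suffix List.

```python
"""Lookalike-domain check (phishing) and hosts-file check (pharming).

Added example, not from the textbook. The brand list, the URLs and the hosts
file content are constructed; a production check would use the Public Suffix
List for registrable domains and a real brand inventory.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

BRANDS = {"example-bank.com", "example-mail.com"}   # constructed brand inventory


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive: last two labels (assumption; wrong for suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url: str, brands=BRANDS) -> Optional[str]:
    """Return a reason the link may be impersonating a brand, or None."""
    host = (urlsplit(url).hostname or "").lower()
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"          # IDN homoglyph domains appear as xn-- labels
    dom = registrable_domain(host)
    if dom in brands:
        return None                # genuinely the brand's own domain
    for brand in brands:
        if brand in host:
            return "embedded"      # brand name used as a subdomain of another domain
        if edit_distance(dom, brand) <= 2:
            return "typosquat"
    return None


def check_hosts_file(text: str, brands=BRANDS) -> List[Tuple[str, str]]:
    """Flag static hosts entries that pin a brand name to an address."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if registrable_domain(name) in brands:
                hits.append((name, ip))
    return hits


# Constructed hosts file with one pharming entry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
203.0.113.9 www.example-bank.com example-bank.com   # constructed pharming entry
"""

if __name__ == "__main__":
    for u in ["https://www.example-bank.com/login",
              "https://examp1e-bank.com/login",
              "https://example-bank.com.evil-host.test/",
              "https://xn--exmple-bank-cua.com/"]:
        print(u, "->", classify_url(u))
    print(check_hosts_file(SAMPLE_HOSTS))
```

A hosts-file entry is only one pharming vector; poisoned resolver caches and altered router DNS settings produce the same effect, so the same brand list should also be compared against what the system actually resolves.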
Attacks (cont’d.)
• Types of attacks (cont’d.)
– Social engineering: using social skills to convince
people to reveal access credentials or other valuable
information to attacker
– “People are the weakest link. You can have the best
technology; firewalls, intrusion-detection systems,
biometric devices ... and somebody can call an
unsuspecting employee. That's all she wrote, baby.
They got everything.” — Kevin Mitnick
– Timing attack: described in this text as exploring the
contents of a Web browser's cache to create a malicious
cookie; note that in cryptography the same term more
commonly means inferring a secret from how long an
operation takes to respond
