SlideShare a Scribd company logo

Fundamentals of Information Systems Security Lesson 3Malic.docx

Download as DOCX, PDF
S
shericehewat

Fundamentals of Information Systems Security Lesson 3 Malicious Attacks, Threats, and Vulnerabilities © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 1 Learning Objective(s) Describe how malicious attacks, threats, and vulnerabilities impact an IT infrastructure. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Key Concepts Malicious software and countermeasures Common attacks and countermeasures Social engineering and how to reduce risks Threats and types of attacks on wireless networks Threats and types of attacks on web applications Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Malicious Activity on the Rise Examples of the malicious attacks are everywhere Data breaches occur in both public and private sectors In 2013, China was top country of origin for cyberattacks, at 41 percent United States was second at 10 percent Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. What Are You Trying to Protect? Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Customer data IT and network infrastructure Intellectual property Finances and financial data Service availability and productivity Reputation What Are You Trying to Protect? Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Whom Are You Trying to Catch? Crackers Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning C ...

Education
1 of 39
Fundamentals of Information Systems Security Lesson 3 Malicious Attacks, Threats, and Vulnerabilities © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 1 Learning Objective(s) Describe how malicious attacks, threats, and vulnerabilities impact an IT infrastructure. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com All rights reserved. Key Concepts Malicious software and countermeasures Common attacks and countermeasures Social engineering and how to reduce risks Threats and types of attacks on wireless networks Threats and types of attacks on web applications Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Malicious Activity on the Rise Examples of the malicious attacks are everywhere Data breaches occur in both public and private sectors In 2013, China was top country of origin for cyberattacks, at 41 percent United States was second at 10 percent Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. What Are You Trying to Protect? Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Customer data IT and network infrastructure Intellectual property Finances and financial data
Service availability and productivity Reputation What Are You Trying to Protect? Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Whom Are You Trying to Catch? Crackers Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning
Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Black-hat hacker: Tries to break IT security and gain access to systems with no authorization in order to prove technical prowess. Black-hat hackers generally develop and use special software tools to exploit vulnerabilities. May exploit holes in systems but generally do not attempt to disclose vulnerabilities they find to the administrators of those systems. White-hat hacker: Also called an ethical hacker, is an information systems security professional who has authorization to identify vulnerabilities and perform penetration testing. Difference between white-hat hackers and black-hat hackers is that white-hat hackers will identify weaknesses for the purpose of fixing them, and black-hat hackers find weaknesses just for the fun of it or to exploit them. Gray-hat hackers: A hacker who will identify but not exploit discovered vulnerabilities, yet may still expect a reward for not disclosing the vulnerability openly. Cracker: Has a hostile intent, possesses sophisticated skills, and may be interested in financial gain. Crackers represent the greatest threat to networks and information resources. 9/3/2019 (c) ITT Educational Services, Inc. 7 Hackers
Black-hat White-hat Gray-hat Attack Tools Protocol analyzers (sniffers) Port scanners OS fingerprint scanners Vulnerability scanners Exploit software Wardialers Password crackers Keystroke loggers Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 9/3/2019 (c) ITT Educational Services, Inc. 8 What Is a Security Breach? Any event that results in a violation of any of the C-I-A security tenets Some security breaches disrupt system services on purpose Some are accidental and may result from hardware or software failures Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 9/3/2019 (c) ITT Educational Services, Inc. 9 Activities that Cause Security Breaches
Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 9/3/2019 (c) ITT Educational Services, Inc. 10 Denial of service (DoS) attacks Distributed denial of service (DDoS) attacks Unacceptable web-browsing behavior Wiretapping Use of a backdoor to access resources Accidental data modifications
Denial of Service Attack A coordinated attempt to deny service by occupying a computer to perform large amounts of unnecessary tasks Logic attacks Flooding attacks Protect using Intrusion prevention system (IPS) Intrusion detection system (IDS) Attacks launched using SYN flood Smurfing Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Distributed Denial of Service Attack
Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Overloads computers and prevents legitimate users from gaining access More difficult to stop than a DoS attack because DDoS originates from different sources Unacceptable Web Browsing Define acceptable web browsing in an acceptable use policy (AUP) Unacceptable use can include: Unauthorized users searching files or storage directories Users visiting prohibited websites Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning
Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Wiretapping Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Between-the-lines wiretapping: This type of wiretapping does not alter the messages sent by the legitimate user but inserts additional messages into the communication line when the legitimate user pauses. Piggyback-entry wiretapping: This type of wiretapping intercepts and modifies the original message by breaking the communications line and routing the message to another computer that acts as a host. 9/3/2019 (c) ITT Educational Services, Inc.
14 Active Between-the-lines wiretapping Piggyback-entry wiretapping Passive Also called sniffing Backdoors Hidden access included by developers Attackers can use them to gain access Data Modifications Data that is: Purposely or accidentally modified Incomplete Truncated Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Additional Security Challenges Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Spam and spim Hoaxes Cookies
Risks, Threats, Vulnerabilities Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Threats exploit vulnerabilities, which creates risk. You cannot eliminate risk. You can minimize the impact of threats. You can reduce the number of vulnerabilities. Minimizing threats and reducing vulnerabilities lessens overall risk. Threats, risks, and vulnerabilities negatively impact the CIA triad. 9/3/2019 (c) ITT Educational Services, Inc. 17 Risk
Probability that something bad is going to happen to an asset Threat Any action that can damage or compromise an asset Vulnerability An inherent weakness that may enable threats to harm system or networks Most Common Threats Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning
Company www.jblearning.com All rights reserved. Vulnerability covers a wide range of system and network weaknesses. Insecure servers or services include outdated packages, poorly programmed software, and cleartext protocols where encrypted protocols should be used. Exploitable applications and protocols include programming flaws that can be manipulated by attackers. Unprotected systems or network resources include development servers left in the open. Traffic interception and eavesdropping reveals private communications to snooping eyes. Lack of preventive or protective measures allows malware to infiltrate the network. 9/3/2019 (c) ITT Educational Services, Inc. 18 Malicious software Hardware or software failure Internal attacker Equipment theft External attacker
Natural disaster Industrial espionage Terrorism Threat Types Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
9/3/2019 (c) ITT Educational Services, Inc. 19 Disclosure threats Sabotage Espionage Alteration threats Denial or destruction threats DoS attack Unauthorized changes What Is a Malicious Attack? Page ‹#›
Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Fabrications: Fabrications involve the creation of some deception in order to trick unsuspecting users. Interceptions: An interception involves eavesdropping on transmissions and redirecting them for unauthorized use. Interruptions: An interruption causes a break in a communication channel, which blocks the transmission of data. Modifications: A modification is the alteration of data contained in transmissions or files. 9/3/2019 (c) ITT Educational Services, Inc. 20 Four categories of attacks Fabrications Interceptions Interruptions
Modifications Types of Active Threats Birthday attacks Brute-force password attacks Dictionary password attacks IP address spoofing Hijacking Replay attacks Man-in-the-middle attacks Masquerading Social engineering Phishing Phreaking Pharming Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
9/3/2019 (c) ITT Educational Services, Inc. 21 What Is Malicious Software? Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Software that: Causes damage Escalates security privileges Divulges private data Modifies or deletes data
Virus Attaches itself to or copies itself into another program on a computer Tricks the computer into following instructions not intended by the original program developer Infects a host program and may cause that host program to replicate itself to other computers User who runs infected program authenticates the virus Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Worm A self-contained program that replicates and sends copies of itself to other computers without user input or action Does not need a host program to infect Is a standalone program
Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Trojan Horse Malware that masquerades as a useful program Trojans can: Hide programs that collect sensitive information Open backdoors into computers Actively upload and download files Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Rootkit Page ‹#›
Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Modifies or replaces one or more existing programs to hide traces of attacks Many different types of rootkits Conceals its existence once installed Is difficult to detect and remove Spyware Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning
Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Type of malware that specifically threatens the confidentiality of information Monitors keystrokes Scans files on the hard drive Snoops other applications Installs other spyware programs Reads cookies Changes default homepage on the web browser
What Are Common Types of Attacks? Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Attacks on availability: These attacks impact access or uptime to a critical system, application, or data. Attacks on people: These attacks involve using coercion or deception to get another human to divulge information or to perform an action (e.g., clicking on a suspicious URL link or opening an email attachment from an unknown email address). Attacks on IT assets: These attacks include penetration testing, unauthorized access, privileged escalation, stolen passwords, deletion of data, or performing a data breach. 9/3/2019 (c) ITT Educational Services, Inc. 28 Attacks on availability Attacks on people Attacks on IT assets
Social Engineering Attacks Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Authority: Using a position of authority to coerce or persuade an individual to divulge information. Consensus/social proof: Using a position that “everyone else has been doing it” as proof that it is okay or acceptable to do. Dumpster diving: Finding unshredded pieces of paper that may contain sensitive data or private data for identity theft. Familiarity/liking: Interacting with the victim in a frequent way that creates a comfort and familiarity and liking for an individual (e.g., a delivery person may become familiar to office workers over time) that might encourage the victim to want to help the familiar person. Hoax: Creating a con or a false perception in order to get an individual to do something or divulge information. Impersonation: Pretending to be someone else (e.g., an IT help desk support person, a delivery person, a bank representative).
Intimidation: Using force to extort or pressure an individual into doing something or divulging information. Trust: Building a human trust bond over time and then using that trust to get the individual to do something or divulge information. Scarcity: Pressuring another individual into doing something or divulging information for fear of not having something or losing access to something. Shoulder surfing: Looking over the shoulder of a person typing into a computer screen. Tailgating: Following an individual closely enough to sneak past a secure door or access area. Urgency: Using urgency or an emergency stress situation to get someone to do something or divulge information (e.g., claiming that there’s a fire in the hallway might get the front desk security guard to leave their her desk). Vishing: Performing a phishing attack by telephone in order to elicit personal information; using verbal coercion and persuasion (“sweet talking”) the individual under attack. Whaling: Targeting the executive user or most valuable employees, otherwise considered the “whale” or “big fish” (often called spear phishing). 9/3/2019 (c) ITT Educational Services, Inc. 29 Authority Dumpster diving
Hoax Impersonation Shoulder surfing Vishing Whaling Wireless Network Attacks Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning
Company www.jblearning.com All rights reserved. Bluejacking: Hacking and gaining control of the Bluetooth wireless communication link between a user’s earphone and smartphone device. Bluesnarfing: Packet sniffing communications traffic between Bluetooth devices. Evil twin: Faking an open or public wireless network to use a packet sniffer on any user who connects to it. IV attack: Modifying the initialization vector of an encrypted IP packet in transmission in hopes of decrypting a common encryption key over time. Jamming/Interference: Sending radio frequencies in the same frequency as wireless network access points to jam and interfere with wireless communications and disrupting availability for legitimate users. Near field communication attack: Intercepting, at close range (a few inches), communications between two mobile operating system devices. Packet sniffing: Capturing IP packets off a wireless network and analyzing the TCP/IP packet data using a tool such as Wireshark. Replay attacks: Replaying an IP packet stream to fool a server into thinking you are authenticating to it. Rogue access points: Using an unauthorized network device to offer wireless availability to unsuspecting users. War chalking: Creating a map of the physical or geographic location of any wireless access points and networks. War driving: Physically driving around neighborhoods or business complexes looking for wireless access points and networks that broadcast an open or public network connection. 9/3/2019 (c) ITT Educational Services, Inc. 30
Bluejacking Evil twin IV attack Packing sniffing Replay attacks War chalking War driving Web Application Attacks
Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Arbitrary/remote code execution: Having gained privileged access or sys admin rights access, the attacker can run commands or execute a command at will on the remote system. Buffer overflow: Attempting to push more data than the buffer can handle, thus creating a condition where further compromise might be possible. Client-side attack: Using malware on a user’s workstation or laptop, within an internal network, acting in tandem with a malicious server or application on the Internet (outside the protected network). Cookies and attachments: Using cookies or other attachments (or the information they contain) to compromise security. Cross-site scripting (XSS): Injecting scripts into a web application server to redirect attacks back to the client. This is not an attack on the web application but rather on users of the server to launch attacks on other computers that access it. Directory traversal /command injection: Exploiting a web application server, gaining root file directory access from outside the protected network, and executing commands, including data dumps. Header manipulation: Stealing cookies and browser URL information and manipulating the header with invalid or false
commands to create an insecure communication or action. Integer overflow: Creating a mathematical overflow which exceeds the maximum size allowed. This can cause a financial or mathematical application to freeze or create a vulnerability and opening. Lightweight Directory Access Protocol (LDAP) injection: Creating fake or bogus ID and authentication LDAP commands and packets to falsely ID and authenticate to a web application. Local shared objects (LSO): Using Flash cookies (named after the Adobe Flash player), which cannot be deleted through the browser’s normal configuration settings. Flash cookies can also be used to reinstate regular cookies that a user has deleted or blocked. • Malicious add-ons: Using software plug-ins or add-ons that run additional malicious software on legitimate programs or applications. • SQL injection: Injecting Structured Query Language (SQL) commands to obtain information and data in the back-end SQL database. • Watering-hole attack: Luring a targeted user to a commonly visited website on which has been planted the malicious code or malware, in hopes that the user will trigger the attack with a unknowing click. • XML injection: Injecting XML tags and data into a database in an attempt to retrieve data. • Zero-day: Exploiting a new vulnerability or software bug for which no specific defenses yet exist. 9/3/2019 (c) ITT Educational Services, Inc. 31 Buffer overflow
Header manipulation Lightweight Directory Access Protocol (LDAP) injection Malicious add-ons SQL injection XML injection Client-side attack What Is a Countermeasure? Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com
All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Countermeasures Detect vulnerabilities Prevent attacks Respond to the effects of successful attacks Get help from Law enforcement agencies Forensic experts Security consultants Security incident response teams (SIRTs)
Countering Malware Create a user education program Post regular bulletins about malware problems Never transfer files from an unknown or untrusted source (unless anti-malware is installed) Test new programs or open suspect files on a quarantine computer Install anti-malware software, make sure it remains current, and schedule regular malware scans Use a secure logon and authentication process Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Countering Malware (cont.) Stay abreast of developments in malware National Cyber Security Alliance (NCSA) www.staysafeonline.org United States Computer Emergency Readiness Team (US- CERT) http://us-cert.gov
Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Protecting Your System with Firewalls Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Firewall Program or dedicated hardware device Denies or permits traffic based on a set of rules
Inspects network traffic passing through it Summary Malicious software and countermeasures Common attacks and countermeasures Social engineering and how to reduce risks Threats and types of attacks on wireless networks Threats and types of attacks on web applications Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Fundamentals of Information Systems Security Lesson 3Malic.docx

Recommended

info-sys-security3.pptx
info-sys-security3.pptxinfo-sys-security3.pptx
info-sys-security3.pptxMhndHTaani
 
Fundamentals of Information Systems Security Chapter 3
Fundamentals of Information Systems Security Chapter 3Fundamentals of Information Systems Security Chapter 3
Fundamentals of Information Systems Security Chapter 3Dr. Ahmed Al Zaidy
 
Funsec3e ppt ch03
Funsec3e ppt ch03Funsec3e ppt ch03
Funsec3e ppt ch03Skillspire LLC
 
Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Dr. Ahmed Al Zaidy
 
Funsec3e ppt ch11
Funsec3e ppt ch11Funsec3e ppt ch11
Funsec3e ppt ch11Skillspire LLC
 
Fundamentals of Information Systems Security Chapter 1
Fundamentals of Information Systems Security Chapter 1Fundamentals of Information Systems Security Chapter 1
Fundamentals of Information Systems Security Chapter 1Dr. Ahmed Al Zaidy
 
Dr_Kamal_ch01.pptx
Dr_Kamal_ch01.pptxDr_Kamal_ch01.pptx
Dr_Kamal_ch01.pptxMhndHTaani
 
cryptography.pptx
cryptography.pptxcryptography.pptx
cryptography.pptxMhndHTaani
 

Recommended

info-sys-security3.pptx
info-sys-security3.pptxinfo-sys-security3.pptx
info-sys-security3.pptxMhndHTaani
 
Fundamentals of Information Systems Security Chapter 3
Fundamentals of Information Systems Security Chapter 3Fundamentals of Information Systems Security Chapter 3
Fundamentals of Information Systems Security Chapter 3Dr. Ahmed Al Zaidy
 
Funsec3e ppt ch03
Funsec3e ppt ch03Funsec3e ppt ch03
Funsec3e ppt ch03Skillspire LLC
 
Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Dr. Ahmed Al Zaidy
 
Funsec3e ppt ch11
Funsec3e ppt ch11Funsec3e ppt ch11
Funsec3e ppt ch11Skillspire LLC
 
Fundamentals of Information Systems Security Chapter 1
Fundamentals of Information Systems Security Chapter 1Fundamentals of Information Systems Security Chapter 1
Fundamentals of Information Systems Security Chapter 1Dr. Ahmed Al Zaidy
 
Dr_Kamal_ch01.pptx
Dr_Kamal_ch01.pptxDr_Kamal_ch01.pptx
Dr_Kamal_ch01.pptxMhndHTaani
 
cryptography.pptx
cryptography.pptxcryptography.pptx
cryptography.pptxMhndHTaani
 
Fundamentals of Information Systems Security Lesson 2The I.docx
Fundamentals of Information Systems Security Lesson 2The I.docxFundamentals of Information Systems Security Lesson 2The I.docx
Fundamentals of Information Systems Security Lesson 2The I.docxshericehewat
 
Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2 Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2 Dr. Ahmed Al Zaidy
 
info-sys-security.pptx
info-sys-security.pptxinfo-sys-security.pptx
info-sys-security.pptxMhndHTaani
 
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Mukesh Chinta
 
Fundamentals of Information Systems Security Chapter 9
Fundamentals of Information Systems Security Chapter 9Fundamentals of Information Systems Security Chapter 9
Fundamentals of Information Systems Security Chapter 9Dr. Ahmed Al Zaidy
 
02_Security_Audit_-_Common_Cyber_Attacks_9.pdf
02_Security_Audit_-_Common_Cyber_Attacks_9.pdf02_Security_Audit_-_Common_Cyber_Attacks_9.pdf
02_Security_Audit_-_Common_Cyber_Attacks_9.pdfRakeshPatel583282
 
What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?PECB
 
Access Control, Authentication, and Public Key Infrastructure.docx
Access Control, Authentication, and Public Key Infrastructure.docxAccess Control, Authentication, and Public Key Infrastructure.docx
Access Control, Authentication, and Public Key Infrastructure.docxnettletondevon
 
Top Cyber Security Interview Questions and Answers 2022.pdf
Top Cyber Security Interview Questions and Answers 2022.pdfTop Cyber Security Interview Questions and Answers 2022.pdf
Top Cyber Security Interview Questions and Answers 2022.pdfCareerera
 
106 Threat defense and information security development trends
106 Threat defense and information security development trends106 Threat defense and information security development trends
106 Threat defense and information security development trendsSsendiSamuel
 
Security and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to KnowSecurity and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to KnowTechSoup
 
Best Security Practices for a Web Application
Best Security Practices for a Web Application Best Security Practices for a Web Application
Best Security Practices for a Web Application TriState Technology
 
Cyber Security PPT.pptx
Cyber Security PPT.pptxCyber Security PPT.pptx
Cyber Security PPT.pptxAbhishekDas794104
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...IBM Security
 
The Trick to Passing Your Next Compliance Audit
The Trick to Passing Your Next Compliance AuditThe Trick to Passing Your Next Compliance Audit
The Trick to Passing Your Next Compliance AuditSBWebinars
 
Cyber Risk for Construction Industry
Cyber Risk for Construction Industry Cyber Risk for Construction Industry
Cyber Risk for Construction Industry BrianHuntMSFCPACRISC
 
Information security
Information securityInformation security
Information securityAlaaMahmoud108
 
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Brian Bissett
 
Cyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxCyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxRambilashTudu
 
Brendan Byrne, Security Services Consulting and Systems Integration Leader at...
Brendan Byrne, Security Services Consulting and Systems Integration Leader at...Brendan Byrne, Security Services Consulting and Systems Integration Leader at...
Brendan Byrne, Security Services Consulting and Systems Integration Leader at...Global Business Events
 
You have been asked to explain the differences between certain categ.docx
You have been asked to explain the differences between certain categ.docxYou have been asked to explain the differences between certain categ.docx
You have been asked to explain the differences between certain categ.docxshericehewat
 
You have been asked to help secure the information system and users .docx
You have been asked to help secure the information system and users .docxYou have been asked to help secure the information system and users .docx
You have been asked to help secure the information system and users .docxshericehewat
 

More Related Content

Similar to Fundamentals of Information Systems Security Lesson 3Malic.docx

Fundamentals of Information Systems Security Lesson 2The I.docx
Fundamentals of Information Systems Security Lesson 2The I.docxFundamentals of Information Systems Security Lesson 2The I.docx
Fundamentals of Information Systems Security Lesson 2The I.docxshericehewat
 
Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2 Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2 Dr. Ahmed Al Zaidy
 
info-sys-security.pptx
info-sys-security.pptxinfo-sys-security.pptx
info-sys-security.pptxMhndHTaani
 
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Mukesh Chinta
 
Fundamentals of Information Systems Security Chapter 9
Fundamentals of Information Systems Security Chapter 9Fundamentals of Information Systems Security Chapter 9
Fundamentals of Information Systems Security Chapter 9Dr. Ahmed Al Zaidy
 
02_Security_Audit_-_Common_Cyber_Attacks_9.pdf
02_Security_Audit_-_Common_Cyber_Attacks_9.pdf02_Security_Audit_-_Common_Cyber_Attacks_9.pdf
02_Security_Audit_-_Common_Cyber_Attacks_9.pdfRakeshPatel583282
 
What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?PECB
 
Access Control, Authentication, and Public Key Infrastructure.docx
Access Control, Authentication, and Public Key Infrastructure.docxAccess Control, Authentication, and Public Key Infrastructure.docx
Access Control, Authentication, and Public Key Infrastructure.docxnettletondevon
 
Top Cyber Security Interview Questions and Answers 2022.pdf
Top Cyber Security Interview Questions and Answers 2022.pdfTop Cyber Security Interview Questions and Answers 2022.pdf
Top Cyber Security Interview Questions and Answers 2022.pdfCareerera
 
106 Threat defense and information security development trends
106 Threat defense and information security development trends106 Threat defense and information security development trends
106 Threat defense and information security development trendsSsendiSamuel
 
Security and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to KnowSecurity and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to KnowTechSoup
 
Best Security Practices for a Web Application
Best Security Practices for a Web Application Best Security Practices for a Web Application
Best Security Practices for a Web Application TriState Technology
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...IBM Security
 
The Trick to Passing Your Next Compliance Audit
The Trick to Passing Your Next Compliance AuditThe Trick to Passing Your Next Compliance Audit
The Trick to Passing Your Next Compliance AuditSBWebinars
 
Cyber Risk for Construction Industry
Cyber Risk for Construction Industry Cyber Risk for Construction Industry
Cyber Risk for Construction Industry BrianHuntMSFCPACRISC
 
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Brian Bissett
 
Cyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxCyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxRambilashTudu
 
Brendan Byrne, Security Services Consulting and Systems Integration Leader at...
Brendan Byrne, Security Services Consulting and Systems Integration Leader at...Brendan Byrne, Security Services Consulting and Systems Integration Leader at...
Brendan Byrne, Security Services Consulting and Systems Integration Leader at...Global Business Events
 

Similar to Fundamentals of Information Systems Security Lesson 3Malic.docx (20)

Fundamentals of Information Systems Security Lesson 2The I.docx
Fundamentals of Information Systems Security Lesson 2The I.docxFundamentals of Information Systems Security Lesson 2The I.docx
Fundamentals of Information Systems Security Lesson 2The I.docx
 
Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2 Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2
 
info-sys-security.pptx
info-sys-security.pptxinfo-sys-security.pptx
info-sys-security.pptx
 
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1
 
Fundamentals of Information Systems Security Chapter 9
Fundamentals of Information Systems Security Chapter 9Fundamentals of Information Systems Security Chapter 9
Fundamentals of Information Systems Security Chapter 9
 
02_Security_Audit_-_Common_Cyber_Attacks_9.pdf
02_Security_Audit_-_Common_Cyber_Attacks_9.pdf02_Security_Audit_-_Common_Cyber_Attacks_9.pdf
02_Security_Audit_-_Common_Cyber_Attacks_9.pdf
 
What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?
 
Access Control, Authentication, and Public Key Infrastructure.docx
Access Control, Authentication, and Public Key Infrastructure.docxAccess Control, Authentication, and Public Key Infrastructure.docx
Access Control, Authentication, and Public Key Infrastructure.docx
 
Top Cyber Security Interview Questions and Answers 2022.pdf
Top Cyber Security Interview Questions and Answers 2022.pdfTop Cyber Security Interview Questions and Answers 2022.pdf
Top Cyber Security Interview Questions and Answers 2022.pdf
 
106 Threat defense and information security development trends
106 Threat defense and information security development trends106 Threat defense and information security development trends
106 Threat defense and information security development trends
 
Security and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to KnowSecurity and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to Know
 
Best Security Practices for a Web Application
Best Security Practices for a Web Application Best Security Practices for a Web Application
Best Security Practices for a Web Application
 
Cyber Security PPT.pptx
Cyber Security PPT.pptxCyber Security PPT.pptx
Cyber Security PPT.pptx
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
 
The Trick to Passing Your Next Compliance Audit
The Trick to Passing Your Next Compliance AuditThe Trick to Passing Your Next Compliance Audit
The Trick to Passing Your Next Compliance Audit
 
Cyber Risk for Construction Industry
Cyber Risk for Construction Industry Cyber Risk for Construction Industry
Cyber Risk for Construction Industry
 
Information security
Information securityInformation security
Information security
 
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
 
Cyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxCyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptx
 
Brendan Byrne, Security Services Consulting and Systems Integration Leader at...
Brendan Byrne, Security Services Consulting and Systems Integration Leader at...Brendan Byrne, Security Services Consulting and Systems Integration Leader at...
Brendan Byrne, Security Services Consulting and Systems Integration Leader at...
 

More from shericehewat

You have been asked to explain the differences between certain categ.docx
You have been asked to explain the differences between certain categ.docxYou have been asked to explain the differences between certain categ.docx
You have been asked to explain the differences between certain categ.docxshericehewat
 
You have been asked to help secure the information system and users .docx
You have been asked to help secure the information system and users .docxYou have been asked to help secure the information system and users .docx
You have been asked to help secure the information system and users .docxshericehewat
 
You have been asked to participate in a local radio program to add.docx
You have been asked to participate in a local radio program to add.docxYou have been asked to participate in a local radio program to add.docx
You have been asked to participate in a local radio program to add.docxshericehewat
 
You have been hired asa cons.docx
You have been hired asa cons.docxYou have been hired asa cons.docx
You have been hired asa cons.docxshericehewat
 
You have been appointed as a system analyst in the IT department of .docx
You have been appointed as a system analyst in the IT department of .docxYou have been appointed as a system analyst in the IT department of .docx
You have been appointed as a system analyst in the IT department of .docxshericehewat
 
You choose one and I will upload the materials for u.Choose 1 of.docx
You choose one and I will upload the materials for u.Choose 1 of.docxYou choose one and I will upload the materials for u.Choose 1 of.docx
You choose one and I will upload the materials for u.Choose 1 of.docxshericehewat
 
You are Incident Commander and principal planner for the DRNC even.docx
You are Incident Commander and principal planner for the DRNC even.docxYou are Incident Commander and principal planner for the DRNC even.docx
You are Incident Commander and principal planner for the DRNC even.docxshericehewat
 
You DecideCryptographic Tunneling and the OSI ModelWrite a p.docx
You DecideCryptographic Tunneling and the OSI ModelWrite a p.docxYou DecideCryptographic Tunneling and the OSI ModelWrite a p.docx
You DecideCryptographic Tunneling and the OSI ModelWrite a p.docxshericehewat
 
You are working as a behavioral health specialist in a neurological .docx
You are working as a behavioral health specialist in a neurological .docxYou are working as a behavioral health specialist in a neurological .docx
You are working as a behavioral health specialist in a neurological .docxshericehewat
 
You are to write up a reflection (longer than 2 pages) that discusse.docx
You are to write up a reflection (longer than 2 pages) that discusse.docxYou are to write up a reflection (longer than 2 pages) that discusse.docx
You are to write up a reflection (longer than 2 pages) that discusse.docxshericehewat
 
You can only take this assignment if you have the book Discovering t.docx
You can only take this assignment if you have the book Discovering t.docxYou can only take this assignment if you have the book Discovering t.docx
You can only take this assignment if you have the book Discovering t.docxshericehewat
 
You are to interview a woman 50 and older and write up the interview.docx
You are to interview a woman 50 and older and write up the interview.docxYou are to interview a woman 50 and older and write up the interview.docx
You are to interview a woman 50 and older and write up the interview.docxshericehewat
 
You are to complete TWO essays and answer the following questions.  .docx
You are to complete TWO essays and answer the following questions.  .docxYou are to complete TWO essays and answer the following questions.  .docx
You are to complete TWO essays and answer the following questions.  .docxshericehewat
 
You are the vice president of a human resources department and Susan.docx
You are the vice president of a human resources department and Susan.docxYou are the vice president of a human resources department and Susan.docx
You are the vice president of a human resources department and Susan.docxshericehewat
 
You are the purchasing manager of a company that has relationships w.docx
You are the purchasing manager of a company that has relationships w.docxYou are the purchasing manager of a company that has relationships w.docx
You are the purchasing manager of a company that has relationships w.docxshericehewat
 
You are to briefly describe how the Bible is related to the topics c.docx
You are to briefly describe how the Bible is related to the topics c.docxYou are to briefly describe how the Bible is related to the topics c.docx
You are to briefly describe how the Bible is related to the topics c.docxshericehewat
 
You are the manager of an accounting department and would like to hi.docx
You are the manager of an accounting department and would like to hi.docxYou are the manager of an accounting department and would like to hi.docx
You are the manager of an accounting department and would like to hi.docxshericehewat
 
You are the new chief financial officer (CFO) hired by a company. .docx
You are the new chief financial officer (CFO) hired by a company. .docxYou are the new chief financial officer (CFO) hired by a company. .docx
You are the new chief financial officer (CFO) hired by a company. .docxshericehewat
 
You are the manager of a team of six proposal-writing professionals..docx
You are the manager of a team of six proposal-writing professionals..docxYou are the manager of a team of six proposal-writing professionals..docx
You are the manager of a team of six proposal-writing professionals..docxshericehewat
 
You are the environmental compliance officer at a company that is .docx
You are the environmental compliance officer at a company that is .docxYou are the environmental compliance officer at a company that is .docx
You are the environmental compliance officer at a company that is .docxshericehewat
 

More from shericehewat (20)

You have been asked to explain the differences between certain categ.docx
You have been asked to explain the differences between certain categ.docxYou have been asked to explain the differences between certain categ.docx
You have been asked to explain the differences between certain categ.docx
 
You have been asked to help secure the information system and users .docx
You have been asked to help secure the information system and users .docxYou have been asked to help secure the information system and users .docx
You have been asked to help secure the information system and users .docx
 
You have been asked to participate in a local radio program to add.docx
You have been asked to participate in a local radio program to add.docxYou have been asked to participate in a local radio program to add.docx
You have been asked to participate in a local radio program to add.docx
 
You have been hired asa cons.docx
You have been hired asa cons.docxYou have been hired asa cons.docx
You have been hired asa cons.docx
 
You have been appointed as a system analyst in the IT department of .docx
You have been appointed as a system analyst in the IT department of .docxYou have been appointed as a system analyst in the IT department of .docx
You have been appointed as a system analyst in the IT department of .docx
 
You choose one and I will upload the materials for u.Choose 1 of.docx
You choose one and I will upload the materials for u.Choose 1 of.docxYou choose one and I will upload the materials for u.Choose 1 of.docx
You choose one and I will upload the materials for u.Choose 1 of.docx
 
You are Incident Commander and principal planner for the DRNC even.docx
You are Incident Commander and principal planner for the DRNC even.docxYou are Incident Commander and principal planner for the DRNC even.docx
You are Incident Commander and principal planner for the DRNC even.docx
 
You DecideCryptographic Tunneling and the OSI ModelWrite a p.docx
You DecideCryptographic Tunneling and the OSI ModelWrite a p.docxYou DecideCryptographic Tunneling and the OSI ModelWrite a p.docx
You DecideCryptographic Tunneling and the OSI ModelWrite a p.docx
 
You are working as a behavioral health specialist in a neurological .docx
You are working as a behavioral health specialist in a neurological .docxYou are working as a behavioral health specialist in a neurological .docx
You are working as a behavioral health specialist in a neurological .docx
 
You are to write up a reflection (longer than 2 pages) that discusse.docx
You are to write up a reflection (longer than 2 pages) that discusse.docxYou are to write up a reflection (longer than 2 pages) that discusse.docx
You are to write up a reflection (longer than 2 pages) that discusse.docx
 
You can only take this assignment if you have the book Discovering t.docx
You can only take this assignment if you have the book Discovering t.docxYou can only take this assignment if you have the book Discovering t.docx
You can only take this assignment if you have the book Discovering t.docx
 
You are to interview a woman 50 and older and write up the interview.docx
You are to interview a woman 50 and older and write up the interview.docxYou are to interview a woman 50 and older and write up the interview.docx
You are to interview a woman 50 and older and write up the interview.docx
 
You are to complete TWO essays and answer the following questions.  .docx
You are to complete TWO essays and answer the following questions.  .docxYou are to complete TWO essays and answer the following questions.  .docx
You are to complete TWO essays and answer the following questions.  .docx
 
You are the vice president of a human resources department and Susan.docx
You are the vice president of a human resources department and Susan.docxYou are the vice president of a human resources department and Susan.docx
You are the vice president of a human resources department and Susan.docx
 
You are the purchasing manager of a company that has relationships w.docx
You are the purchasing manager of a company that has relationships w.docxYou are the purchasing manager of a company that has relationships w.docx
You are the purchasing manager of a company that has relationships w.docx
 
You are to briefly describe how the Bible is related to the topics c.docx
You are to briefly describe how the Bible is related to the topics c.docxYou are to briefly describe how the Bible is related to the topics c.docx
You are to briefly describe how the Bible is related to the topics c.docx
 
You are the manager of an accounting department and would like to hi.docx
You are the manager of an accounting department and would like to hi.docxYou are the manager of an accounting department and would like to hi.docx
You are the manager of an accounting department and would like to hi.docx
 
You are the new chief financial officer (CFO) hired by a company. .docx
You are the new chief financial officer (CFO) hired by a company. .docxYou are the new chief financial officer (CFO) hired by a company. .docx
You are the new chief financial officer (CFO) hired by a company. .docx
 
You are the manager of a team of six proposal-writing professionals..docx
You are the manager of a team of six proposal-writing professionals..docxYou are the manager of a team of six proposal-writing professionals..docx
You are the manager of a team of six proposal-writing professionals..docx
 
You are the environmental compliance officer at a company that is .docx
You are the environmental compliance officer at a company that is .docxYou are the environmental compliance officer at a company that is .docx
You are the environmental compliance officer at a company that is .docx
 

Recently uploaded

How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxPooja Bhuva
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
Philosophy of china and it's charactistics
Philosophy of china and it's charactisticsPhilosophy of china and it's charactistics
Philosophy of china and it's charactisticshameyhk98
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
Tatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsTatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsNbelano25
 
Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxUmeshTimilsina1
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxCeline George
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxDr. Sarita Anand
 
21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptxJoelynRubio1
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 

Recently uploaded (20)

How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Philosophy of china and it's charactistics
Philosophy of china and it's charactisticsPhilosophy of china and it's charactistics
Philosophy of china and it's charactistics
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Tatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsTatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf arts
 
Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptx
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 

Fundamentals of Information Systems Security Lesson 3Malic.docx

  • 1. Fundamentals of Information Systems Security Lesson 3 Malicious Attacks, Threats, and Vulnerabilities © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 1 Learning Objective(s) Describe how malicious attacks, threats, and vulnerabilities impact an IT infrastructure. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
  • 2. www.jblearning.com All rights reserved. Key Concepts Malicious software and countermeasures Common attacks and countermeasures Social engineering and how to reduce risks Threats and types of attacks on wireless networks Threats and types of attacks on web applications Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Malicious Activity on the Rise Examples of the malicious attacks are everywhere Data breaches occur in both public and private sectors In 2013, China was top country of origin for cyberattacks, at 41 percent United States was second at 10 percent Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
  • 3. www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. What Are You Trying to Protect? Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Customer data IT and network infrastructure Intellectual property Finances and financial data
  • 4. Service availability and productivity Reputation What Are You Trying to Protect? Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Whom Are You Trying to Catch? Crackers Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning
  • 5. Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Black-hat hacker: Tries to break IT security and gain access to systems with no authorization in order to prove technical prowess. Black-hat hackers generally develop and use special software tools to exploit vulnerabilities. May exploit holes in systems but generally do not attempt to disclose vulnerabilities they find to the administrators of those systems. White-hat hacker: Also called an ethical hacker, is an information systems security professional who has authorization to identify vulnerabilities and perform penetration testing. Difference between white-hat hackers and black-hat hackers is that white-hat hackers will identify weaknesses for the purpose of fixing them, and black-hat hackers find weaknesses just for the fun of it or to exploit them. Gray-hat hackers: A hacker who will identify but not exploit discovered vulnerabilities, yet may still expect a reward for not disclosing the vulnerability openly. Cracker: Has a hostile intent, possesses sophisticated skills, and may be interested in financial gain. Crackers represent the greatest threat to networks and information resources. 9/3/2019 (c) ITT Educational Services, Inc. 7 Hackers
  • 6. Black-hat White-hat Gray-hat Attack Tools Protocol analyzers (sniffers) Port scanners OS fingerprint scanners Vulnerability scanners Exploit software Wardialers Password crackers Keystroke loggers Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security
  • 7. © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 9/3/2019 (c) ITT Educational Services, Inc. 8 What Is a Security Breach? Any event that results in a violation of any of the C-I-A security tenets Some security breaches disrupt system services on purpose Some are accidental and may result from hardware or software failures Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 9/3/2019 (c) ITT Educational Services, Inc. 9 Activities that Cause Security Breaches
  • 8. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 9/3/2019 (c) ITT Educational Services, Inc. 10 Denial of service (DoS) attacks Distributed denial of service (DDoS) attacks Unacceptable web-browsing behavior Wiretapping Use of a backdoor to access resources Accidental data modifications
  • 9. Denial of Service Attack A coordinated attempt to deny service by occupying a computer to perform large amounts of unnecessary tasks Logic attacks Flooding attacks Protect using Intrusion prevention system (IPS) Intrusion detection system (IDS) Attacks launched using SYN flood Smurfing Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Distributed Denial of Service Attack
  • 10. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Overloads computers and prevents legitimate users from gaining access More difficult to stop than a DoS attack because DDoS originates from different sources Unacceptable Web Browsing Define acceptable web browsing in an acceptable use policy (AUP) Unacceptable use can include: Unauthorized users searching files or storage directories Users visiting prohibited websites Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning
  • 11. Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Wiretapping Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Between-the-lines wiretapping: This type of wiretapping does not alter the messages sent by the legitimate user but inserts additional messages into the communication line when the legitimate user pauses. Piggyback-entry wiretapping: This type of wiretapping intercepts and modifies the original message by breaking the communications line and routing the message to another computer that acts as a host. 9/3/2019 (c) ITT Educational Services, Inc.
  • 12. 14 Active Between-the-lines wiretapping Piggyback-entry wiretapping Passive Also called sniffing Backdoors Hidden access included by developers Attackers can use them to gain access Data Modifications Data that is: Purposely or accidentally modified Incomplete Truncated Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
  • 13. www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Additional Security Challenges Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Spam and spim Hoaxes Cookies
  • 14. Risks, Threats, Vulnerabilities Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Threats exploit vulnerabilities, which creates risk. You cannot eliminate risk. You can minimize the impact of threats. You can reduce the number of vulnerabilities. Minimizing threats and reducing vulnerabilities lessens overall risk. Threats, risks, and vulnerabilities negatively impact the CIA triad. 9/3/2019 (c) ITT Educational Services, Inc. 17 Risk
  • 15. Probability that something bad is going to happen to an asset Threat Any action that can damage or compromise an asset Vulnerability An inherent weakness that may enable threats to harm system or networks Most Common Threats Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning
  • 16. Company www.jblearning.com All rights reserved. Vulnerability covers a wide range of system and network weaknesses. Insecure servers or services include outdated packages, poorly programmed software, and cleartext protocols where encrypted protocols should be used. Exploitable applications and protocols include programming flaws that can be manipulated by attackers. Unprotected systems or network resources include development servers left in the open. Traffic interception and eavesdropping reveals private communications to snooping eyes. Lack of preventive or protective measures allows malware to infiltrate the network. 9/3/2019 (c) ITT Educational Services, Inc. 18 Malicious software Hardware or software failure Internal attacker Equipment theft External attacker
  • 17. Natural disaster Industrial espionage Terrorism Threat Types Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
  • 18. 9/3/2019 (c) ITT Educational Services, Inc. 19 Disclosure threats Sabotage Espionage Alteration threats Denial or destruction threats DoS attack Unauthorized changes What Is a Malicious Attack? Page ‹#›
  • 19. Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Fabrications: Fabrications involve the creation of some deception in order to trick unsuspecting users. Interceptions: An interception involves eavesdropping on transmissions and redirecting them for unauthorized use. Interruptions: An interruption causes a break in a communication channel, which blocks the transmission of data. Modifications: A modification is the alteration of data contained in transmissions or files. 9/3/2019 (c) ITT Educational Services, Inc. 20 Four categories of attacks Fabrications Interceptions Interruptions
  • 20. Modifications Types of Active Threats Birthday attacks Brute-force password attacks Dictionary password attacks IP address spoofing Hijacking Replay attacks Man-in-the-middle attacks Masquerading Social engineering Phishing Phreaking Pharming Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
  • 21. 9/3/2019 (c) ITT Educational Services, Inc. 21 What Is Malicious Software? Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Software that: Causes damage Escalates security privileges Divulges private data Modifies or deletes data
  • 22. Virus Attaches itself to or copies itself into another program on a computer Tricks the computer into following instructions not intended by the original program developer Infects a host program and may cause that host program to replicate itself to other computers User who runs infected program authenticates the virus Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Worm A self-contained program that replicates and sends copies of itself to other computers without user input or action Does not need a host program to infect Is a standalone program
  • 23. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Trojan Horse Malware that masquerades as a useful program Trojans can: Hide programs that collect sensitive information Open backdoors into computers Actively upload and download files Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Rootkit Page ‹#›
  • 24. Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Modifies or replaces one or more existing programs to hide traces of attacks Many different types of rootkits Conceals its existence once installed Is difficult to detect and remove Spyware Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning
  • 25. Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Type of malware that specifically threatens the confidentiality of information Monitors keystrokes Scans files on the hard drive Snoops other applications Installs other spyware programs Reads cookies Changes default homepage on the web browser
  • 26. What Are Common Types of Attacks? Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Attacks on availability: These attacks impact access or uptime to a critical system, application, or data. Attacks on people: These attacks involve using coercion or deception to get another human to divulge information or to perform an action (e.g., clicking on a suspicious URL link or opening an email attachment from an unknown email address). Attacks on IT assets: These attacks include penetration testing, unauthorized access, privileged escalation, stolen passwords, deletion of data, or performing a data breach. 9/3/2019 (c) ITT Educational Services, Inc. 28 Attacks on availability Attacks on people Attacks on IT assets
  • 27. Social Engineering Attacks Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Authority: Using a position of authority to coerce or persuade an individual to divulge information. Consensus/social proof: Using a position that “everyone else has been doing it” as proof that it is okay or acceptable to do. Dumpster diving: Finding unshredded pieces of paper that may contain sensitive data or private data for identity theft. Familiarity/liking: Interacting with the victim in a frequent way that creates a comfort and familiarity and liking for an individual (e.g., a delivery person may become familiar to office workers over time) that might encourage the victim to want to help the familiar person. Hoax: Creating a con or a false perception in order to get an individual to do something or divulge information. Impersonation: Pretending to be someone else (e.g., an IT help desk support person, a delivery person, a bank representative).
  • 28. Intimidation: Using force to extort or pressure an individual into doing something or divulging information. Trust: Building a human trust bond over time and then using that trust to get the individual to do something or divulge information. Scarcity: Pressuring another individual into doing something or divulging information for fear of not having something or losing access to something. Shoulder surfing: Looking over the shoulder of a person typing into a computer screen. Tailgating: Following an individual closely enough to sneak past a secure door or access area. Urgency: Using urgency or an emergency stress situation to get someone to do something or divulge information (e.g., claiming that there’s a fire in the hallway might get the front desk security guard to leave their her desk). Vishing: Performing a phishing attack by telephone in order to elicit personal information; using verbal coercion and persuasion (“sweet talking”) the individual under attack. Whaling: Targeting the executive user or most valuable employees, otherwise considered the “whale” or “big fish” (often called spear phishing). 9/3/2019 (c) ITT Educational Services, Inc. 29 Authority Dumpster diving
  • 29. Hoax Impersonation Shoulder surfing Vishing Whaling Wireless Network Attacks Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning
  • 30. Company www.jblearning.com All rights reserved. Bluejacking: Hacking and gaining control of the Bluetooth wireless communication link between a user’s earphone and smartphone device. Bluesnarfing: Packet sniffing communications traffic between Bluetooth devices. Evil twin: Faking an open or public wireless network to use a packet sniffer on any user who connects to it. IV attack: Modifying the initialization vector of an encrypted IP packet in transmission in hopes of decrypting a common encryption key over time. Jamming/Interference: Sending radio frequencies in the same frequency as wireless network access points to jam and interfere with wireless communications and disrupting availability for legitimate users. Near field communication attack: Intercepting, at close range (a few inches), communications between two mobile operating system devices. Packet sniffing: Capturing IP packets off a wireless network and analyzing the TCP/IP packet data using a tool such as Wireshark. Replay attacks: Replaying an IP packet stream to fool a server into thinking you are authenticating to it. Rogue access points: Using an unauthorized network device to offer wireless availability to unsuspecting users. War chalking: Creating a map of the physical or geographic location of any wireless access points and networks. War driving: Physically driving around neighborhoods or business complexes looking for wireless access points and networks that broadcast an open or public network connection. 9/3/2019 (c) ITT Educational Services, Inc. 30
  • 31. Bluejacking Evil twin IV attack Packing sniffing Replay attacks War chalking War driving Web Application Attacks
  • 32. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Arbitrary/remote code execution: Having gained privileged access or sys admin rights access, the attacker can run commands or execute a command at will on the remote system. Buffer overflow: Attempting to push more data than the buffer can handle, thus creating a condition where further compromise might be possible. Client-side attack: Using malware on a user’s workstation or laptop, within an internal network, acting in tandem with a malicious server or application on the Internet (outside the protected network). Cookies and attachments: Using cookies or other attachments (or the information they contain) to compromise security. Cross-site scripting (XSS): Injecting scripts into a web application server to redirect attacks back to the client. This is not an attack on the web application but rather on users of the server to launch attacks on other computers that access it. Directory traversal /command injection: Exploiting a web application server, gaining root file directory access from outside the protected network, and executing commands, including data dumps. Header manipulation: Stealing cookies and browser URL information and manipulating the header with invalid or false
  • 33. commands to create an insecure communication or action. Integer overflow: Creating a mathematical overflow which exceeds the maximum size allowed. This can cause a financial or mathematical application to freeze or create a vulnerability and opening. Lightweight Directory Access Protocol (LDAP) injection: Creating fake or bogus ID and authentication LDAP commands and packets to falsely ID and authenticate to a web application. Local shared objects (LSO): Using Flash cookies (named after the Adobe Flash player), which cannot be deleted through the browser’s normal configuration settings. Flash cookies can also be used to reinstate regular cookies that a user has deleted or blocked. • Malicious add-ons: Using software plug-ins or add-ons that run additional malicious software on legitimate programs or applications. • SQL injection: Injecting Structured Query Language (SQL) commands to obtain information and data in the back-end SQL database. • Watering-hole attack: Luring a targeted user to a commonly visited website on which has been planted the malicious code or malware, in hopes that the user will trigger the attack with a unknowing click. • XML injection: Injecting XML tags and data into a database in an attempt to retrieve data. • Zero-day: Exploiting a new vulnerability or software bug for which no specific defenses yet exist. 9/3/2019 (c) ITT Educational Services, Inc. 31 Buffer overflow
  • 34. Header manipulation Lightweight Directory Access Protocol (LDAP) injection Malicious add-ons SQL injection XML injection Client-side attack What Is a Countermeasure? Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com
  • 35. All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Countermeasures Detect vulnerabilities Prevent attacks Respond to the effects of successful attacks Get help from Law enforcement agencies Forensic experts Security consultants Security incident response teams (SIRTs)
  • 36. Countering Malware Create a user education program Post regular bulletins about malware problems Never transfer files from an unknown or untrusted source (unless anti-malware is installed) Test new programs or open suspect files on a quarantine computer Install anti-malware software, make sure it remains current, and schedule regular malware scans Use a secure logon and authentication process Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Countering Malware (cont.) Stay abreast of developments in malware National Cyber Security Alliance (NCSA) www.staysafeonline.org United States Computer Emergency Readiness Team (US- CERT) http://us-cert.gov
  • 37. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Protecting Your System with Firewalls Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Firewall Program or dedicated hardware device Denies or permits traffic based on a set of rules
  • 38. Inspects network traffic passing through it Summary Malicious software and countermeasures Common attacks and countermeasures Social engineering and how to reduce risks Threats and types of attacks on wireless networks Threats and types of attacks on web applications Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Fundamentals of Information Systems Security © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.