This document discusses information security, which involves defending information from unauthorized access, use, disclosure, disruption or destruction. It outlines two major aspects of information security - IT security, which involves securing technology and information systems, and information assurance, which ensures data is not lost due to issues like natural disasters. The document also discusses common threats to information systems like unauthorized access, malware and social engineering. It provides security controls to protect systems, including physical controls to restrict access, technical controls using software and hardware, and administrative controls like security policies.

1. Threats
Security Controls
Protecting Information System

2. What is Information
Security? Known as InfoSec, which is the practice of
defending information from unauthorized
access, use, disclosure, disruption,
modification, perusal, inspection, recording
or destruction.
It is a general term that can be used
regardless of the form the data may take
(electronic, physical, etc...)

3. Two major aspects
of Information Security:
I.T. Security: Sometimes referred to
as computer security, Information
Technology Security is information security
applied to technology (most often some
form of computer system).
It is worthwhile to note that
a computer does not necessarily mean a
home desktop. A computer is any device
with a processor and some memory.

4. IT security specialists are almost always
found in any major
enterprise/establishment due to the nature
and value of the data within larger
businesses.
They are responsible for keeping all of
the technology within the company secure
from malicious cyber attacks that often
attempt to breach into critical private
information or gain control of the internal
systems.

5. Two major aspects
of information security:
Information assurance: The act of ensuring
that data is not lost when critical issues
arise.
These issues include but are not limited to:
natural disasters, computer/server
malfunction, physical theft, or any other
instance where data has the potential of
being lost.

6. • Since most information is stored on
computers in our modern era,
information assurance is typically dealt
with by IT security specialists.
• One of the most common methods of
providing information assurance is to
have an off-site backup of the data in
case one of the mentioned issues arise.

7. Threats to Information System
• There are many information
security threats that we need to
be constantly aware of and
protect against in order to ensure
our sensitive information remains
secure.

8. Unauthorized Access –
Enter at your own risk
• The attempted or successful access of
information or systems, without permission
or rights to do so.
 Ensure you have a properly configured
firewall, up to date malware prevention
software and all software has the latest
security updates.
 Protect all sensitive information, utilizing
encryption where appropriate, and use strong
passwords that are changed regularly.

9. Cyber Espionage –
Hey, get off my network!
• The act of spying through the use of
computers, involving the covert access or
‘hacking’ of company or
government networks to obtain sensitive
information.
 Be alert for social engineering attempts and
verify all requests for sensitive information.
 Ensure software has the latest security
updates, your network is secure and monitor
for unusual network behavior.

10. Malware – You installed what?!
• A collective term for malicious software, such
as viruses, worms and trojans; designed to
infiltrate systems and information for criminal,
commercial or destructive purposes.
 Ensure you have a properly configured
firewall, up to date malware prevention and
all software has the latest security updates.
 Do not click links or open attachments in
emails from unknown senders, visit un-trusted
websites or install dubious software.

11. Data Leakage – I seek what
you leak.
• The intentional or accidental loss, theft or
exposure of sensitive company or personal
information
 Ensure all sensitive information stored on
removable storage media, mobile devices or
laptops is encrypted
 Be mindful of what you post online, check
email recipients before pressing send, and
never email sensitive company information
to personal email accounts

12. Mobile Device Attack – Lost, but
not forgotten
• The malicious attack on, or unauthorized
access of mobile devices and the information
stored or processed by them; performed
wirelessly or through physical possession.
 Keep devices with you at all times, encrypt
all sensitive data and removable storage
media, and use strong passwords.
 Avoid connecting to insecure, un-trusted
public wireless networks and ensure
Bluetooth is in ‘undiscoverable’ mode.

13. Social Engineering – Go find
some other mug
• Tricking and manipulating others by phone,
email, online or in-person, into divulging
sensitive information, in order to access
company information or systems.
 Verify all requests for sensitive information, no
matter how legitimate they may seem, and
never share your passwords with anyone – not
even the helpdesk.
 Never part with sensitive information if in
doubt, and report suspected social engineering
attempts immediately.

14. Insiders – I see bad
people
• An employee or worker with malicious intent
to steal sensitive company information,
commit fraud or cause damage to company
systems or information
 Ensure access to sensitive information is
restricted to only those that need it and
revoke access when no longer required
 Report all suspicious activity or workers
immediately

15. Phishing – Think before
you link
• A form of social engineering, involving the sending
of legitimate looking emails aimed at fraudulently
extracting sensitive information from recipients,
usually to gain access to systems or for identity
theft.
• Look out for emails containing unexpected or
unsolicited requests for sensitive information, or
contextually relevant emails from unknown senders.
• Never click on suspicious looking links within
emails, and report all suspected phishing attempts
immediately.

16. System Compromise –
Only the strong survive
• A system that has been attacked and taken over by
malicious individuals or ‘hackers’, usually through
the exploitation of one or more vulnerabilities, and
then often used for attacking other systems.
 Plug vulnerable holes by ensuring software has the
latest security updates and any internally developed
software is adequately security reviewed.
 Ensure systems are hardened and configured
securely, and regularly scan them for vulnerabilities.

17. Spam – Email someone else
• Unsolicited email sent in bulk to many
individuals, usually for commercial gain, but
increasingly for spreading malware.
 Only give your email to those you trust and
never post your address online for others to
view.
 Use a spam filter and never reply to spam
emails or click links within them.

18. Denial of Service – Are you still there?
• An intentional or unintentional attack on a
system and the information stored on it,
rendering the system unavailable and
inaccessible to authorized users.
 Securely configure and harden all networks
and network equipment against known DoS
attacks.
 Monitor networks through log reviews and the
use of intrusion detection or prevention
systems

19. Identity Theft – You will never be me
• The theft of an unknowing individual’s
personal information, in order to fraudulently
assume that individual’s identity to commit a
crime, usually for financial gain.
• Never provide personal information to un-trusted
individuals or websites.
• Ensure personal information is protected when
stored and securely disposed of when no
longer needed.

20. Protecting Information System
1. Data security is fundamental
Data security is crucial to all academic,
medical and business operations.
 All existing and new business and data
processes should include a data security
review to be sure data is safe from loss and
secured against unauthorized access.

21. 2. Plan ahead
Create a plan to review your data security
status and policies and create routine
processes to access, handle and store the
data safely as well as archive unneeded
data.
 Make sure you and your colleagues know
how to respond if you have a data loss or
data breach incident.

22. 3. Know what data you have
The first step to secure computing is
knowing what data you have and
what levels of protection are
required to keep the data both
confidential and safe from loss.

23. 4. Scale down the data
Keep only the data you need for
routine current business, safely archive
or destroy older data, and remove it
from all computers and other devices
(smart phones, laptops, flash drives,
external hard disks).

24. 5. Lock up!
Physical security is the key to safe and
confidential computing.
All the passwords in the world won't get
your laptop back if the computer itself is
stolen.
Back up the data to a safe place in the event
of loss.

25. Information Security Controls
Security is generally defined as the freedom
from danger or as the condition of safety.
 Computer security, specifically, is the
protection of data in a system against
unauthorized disclosure, modification, or
destruction and protection of the computer
system itself against unauthorized use,
modification, or denial of service.

26. Physical Controls
 It is the use of locks, security guards, badges,
alarms, and similar measures to control access
to computers, related equipment (including
utilities), and the processing facility itself.
 In addition, measures are required for
protecting computers, related equipment, and
their contents from espionage, theft, and
destruction or damage by accident, fire, or
natural disaster (e.g., floods and earthquakes).

27. Technical Controls
Involves the use of safeguards
incorporated in computer hardware,
operations or applications software,
communications hardware and
software, and related devices.
 Technical controls are sometimes
referred to as logical controls.

28. Technical Controls
 Preventive technical controls are used to prevent
unauthorized personnel or programs from gaining
remote access to computing resources. Examples of
these controls include:
o Access control software
oAntivirus software
oLibrary control systems
oPasswords
oSmart cards
oEncryption
oDial-up access control and callback systems

29. Administrative Controls
 Consists of management constraints, operational
procedures, accountability procedures, and
supplemental administrative controls established
to provide an acceptable level of protection for
computing resources.
 In addition, administrative controls include
procedures established to ensure that all
personnel who have access to computing
resources have the required authorizations and
appropriate security clearances.

30. Administrative Controls
 Preventive administrative controls are personnel-oriented
techniques for controlling people’s behavior to ensure the
confidentiality, integrity, and availability of computing data
and programs. Examples of preventive administrative
controls include:
o Security awareness and technical training
o Separation of duties
o Procedures for recruiting and terminating
employees
o Security policies and procedures
o Supervision.
o Disaster recovery, contingency, and emergency plans
o User registration for computer access

32. Web 2.0
 Sites that allow users to do more than just retrieve
information.
 Instead of merely reading, a user is invited to
comment on published articles, or create a user
account or profile on the site, which may enable
increased participation.
 By increasing emphasis on these already-extant
capabilities, they encourage the user to rely more
on their browser for user interface, application
software and file storage facilities.

33. Web 2.0
This has been called "network as platform"
computing.
Major features of Web 2.0 include social
networking sites, user created Web sites,
self-publishing platforms, tagging, and social
bookmarking.
Users can provide the data that is on a Web
2.0 site and exercise some control over that
data.

34. Web 2.0
Web 2.0 offers all users the same
freedom to contribute.
While this opens the possibility for
serious debate and collaboration, it
also increases the incidence of
"spamming" and "trolling" by
unscrupulous or misanthropic users.

35. Features of Web 2.0 Technologies
 Folksonomy- free classification of information; allows users to
collectively classify and find information (e.g. Tagging)
 Rich User Experience- dynamic content; responsive to user input
 User as a Contributor- information flows two ways between site owner
and site user by means of evaluation, review, and commenting
 Long tail- services offered on demand basis; profit is realized through
monthly service subscriptions more than one-time purchases of goods
over the network
 User Participation - site users add content for others to see (e.g.
Crowdsourcing)

36. Features of Web 2.0 Technologies
 Software as a service - Web 2.0 sites developed API to
allow automated usage, such as by an app or mashup
 Basic Trust - contributions are available for the world to
use, reuse, or re-purpose
 Dispersion - content delivery uses multiple channels (e.g.
file sharing, permalinks); digital resources and services are
sought more than physical goods

37. Features of Web 2.0 Technologies
Web 2.0 can be described in three parts:
 Rich Internet application (RIA) — defines the experience
brought from desktop to browser whether it is from a
graphical point of view or usability point of view.
 Web-oriented architecture (WOA) — is a key piece in Web
2.0, which defines how Web 2.0 applications expose their
functionality so that other applications can leverage and
integrate the functionality providing a set of much richer
applications.
Examples are feeds, RSS, Web Services, mash-ups.

38. Features of Web 2.0 Technologies
Web 2.0 can be described in three parts:
Social Web — defines how Web 2.0 tends to
interact much more with the end user and
make the end-user an integral part.

39. Categories of Web 2.0
1. Mashups - sites using existing technologies for an
entirely new purpose...like WikiMapia.org.
 It takes the functions of a wiki and overlays it with Google
Maps for an entirely new kind of map. You can see
ProgrammableWeb.com for more mashups.
2. Aggregators - A site or program that gathers data from
multiple sources and organizes the information to present in
a new, more streamlined or appropriate format.
Examples: Digg.com is a top aggregator site. So is Slashdot
for the more technical people. And of course our dearly
beloved, Google (and any other search engine for that matter)
are the mothers of all aggregators.

40. Categories of Web 2.0
3. Social Networking - Websites focusing on connecting people
with other people directly like MySpace.
4. Social Media - User-generated content like blogs or Flickr.
5. Video - Online television such as YouTube.
6. Web Applications - online programs that can do virtually
everything your existing software programs can do.
Zoho for instance can replace your Microsoft Office
programs.