MIS 428 Information security Page 1 of 30
Information Systems Security
Introduction
As computers and other digital devices have become essential to business and commerce, they have also increasingly become a target for attacks. In order for a company or an individual to use a computing device with confidence, they must first be assured that the device is not compromised in any way and that all communications will be secure. In this chapter, we will review the fundamental concepts of information systems security and discuss some of the measures that can be taken to mitigate security threats. We will begin with an overview focusing on how organizations can stay secure and the different measures a company can take to improve security. We will then review the security precautions that individuals can take in order to secure their personal computing environment.
What are the 3 Principles of Information Security?
The basic tenets of information security are confidentiality, integrity and availability. Every element of the
information security program must be designed to implement one or more of these principles. Together
they are called the CIA Triad.
Figure: The Information Security Triad: Confidentiality, Integrity, Availability (CIA)
Confidentiality
When protecting information, we want to be able to restrict access to those who are allowed to see it; everyone else should be prevented from learning anything about its contents. This is the essence of confidentiality. For example, federal law requires that universities restrict access to private student information. The university must be sure that only those who are authorized have access to view the grade records.
Integrity
Integrity is the assurance that the information being accessed has not been altered and truly represents what is intended. Just as a person with integrity means what he or she says and can be trusted to consistently represent the truth, information integrity means information truly represents its intended meaning. Information can lose its integrity through malicious intent, such as when someone who is not authorized makes a change to intentionally misrepresent something. An example of this would be a hacker hired to break into the university's system and change a grade. Integrity can also be lost unintentionally, such as when a power surge corrupts a file, or when someone who is authorized to make a change accidentally deletes a file or enters incorrect information.
Availability
Information availability is the third part of the CIA triad. Availability means that information can be accessed and modified by anyone authorized to do so in an appropriate time frame. What counts as an appropriate time frame depends on the type of information. A stock trader needs information to be available immediately, while a salesperson may be happy to get the day's sales numbers in a report the next morning. Companies such as Amazon.com require their servers to be available twenty-four hours a day, seven days a week; other companies may not suffer if their web servers are down for a few minutes once in a while.
Tools for Information Security
In order to ensure the confidentiality, integrity, and availability of information, organizations can choose from a variety of tools. Each of these tools can be utilized as part of an overall information security policy, which will be discussed in a later section.
Authentication
The most common way to identify someone in person is through their physical appearance, but how do we identify someone sitting behind a computer screen or standing at an ATM? Tools for authentication are used to ensure that the person accessing the information is indeed who they present themselves to be.
Authentication can be accomplished by identifying someone through one or more of three factors:
• Something you know, such as a user ID and password. Here authentication is done by confirming something that only the user should know. This form of authentication is easy to compromise (passwords are guessed, phished, reused and leaked), so stronger forms of authentication are sometimes needed.
• Something you have, such as a key or a card. Identifying someone only by a possession is also problematic: when that token is lost or stolen, the identity can easily be stolen with it.
• Something you are. This factor identifies a user by a physical characteristic, such as an iris scan or a fingerprint, and is much harder to forge. Identifying someone through their physical characteristics is called biometrics. One caveat: unlike a password, a fingerprint that has been copied cannot be replaced.
A more secure way to authenticate a user is multi-factor authentication. By combining two or more of the factors listed above, it becomes much more difficult for someone to misrepresent themselves. An example of this is the RSA SecurID token. The token is something you have, and it generates a new access code every sixty seconds. To log in to an information resource using the token, you combine something you know, a four-digit PIN, with the code currently shown on the device. The only way to authenticate properly is by both knowing the PIN and having the token; a stolen PIN alone or a stolen token alone is not enough.
Access Control
Once a user has been authenticated, the next step is to ensure that they can only access the information resources that are appropriate for them. This is done through access control. Access control determines which users are authorized to read, modify, add, and/or delete information. Several different access control models exist. Here we will discuss two: the access control list (ACL) and role-based access control (RBAC).
For each information resource that an organization wishes to manage, a list of users who have the ability to take specific actions can be created. This is an access control list, or ACL. For each user on the list, specific capabilities are assigned, such as read, write, delete, or add. Only users with those capabilities are allowed to perform those functions. A user who is not on the list has no access at all and, ideally, cannot even learn that the information resource exists.
ACLs are simple to understand and maintain. However, they have several drawbacks. The primary drawback is that each information resource is managed separately, so if a security administrator wanted to add or remove a user across a large set of information resources, every list would have to be edited. As the number of users and resources grows, ACLs become harder to maintain, and it becomes easy to leave a stale entry behind when someone changes jobs or leaves. This has led to an improved method of access control, called role-based access control, or RBAC. With RBAC, instead of giving specific users access rights to an information resource, users are assigned to roles and those roles are assigned the access. This allows administrators to manage users and roles separately, simplifying administration and, by extension, improving security.
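The administrative difference between the two models is easiest to see in code. The following is an added example, not part of the original notes, that implements a minimal deny-by-default ACL store and a minimal RBAC store over the same constructed set of grade records, then offboards one user from each; the resource names, users and roles are all made up for the demonstration.

```python
from collections import defaultdict


class AclStore:
    """One access control list per resource: resource -> {user -> set(actions)}.
    Deny by default: a user absent from a resource's list gets nothing."""

    def __init__(self):
        self.acl = defaultdict(dict)

    def grant(self, resource, user, *actions):
        self.acl[resource].setdefault(user, set()).update(actions)

    def allowed(self, user, action, resource):
        return action in self.acl.get(resource, {}).get(user, set())

    def revoke_user_everywhere(self, user):
        """Offboarding means editing every resource's list. Returns how many lists
        had to change, which is the administrative cost the text describes."""
        touched = 0
        for entries in self.acl.values():
            if entries.pop(user, None) is not None:
                touched += 1
        return touched


class RbacStore:
    """Users -> roles, roles -> {resource -> set(actions)}. Access is evaluated
    through roles only; nobody holds a direct grant."""

    def __init__(self):
        self.user_roles = defaultdict(set)
        self.role_perms = defaultdict(lambda: defaultdict(set))

    def grant_role(self, role, resource, *actions):
        self.role_perms[role][resource].update(actions)

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def allowed(self, user, action, resource):
        return any(action in self.role_perms[role].get(resource, set())
                   for role in self.user_roles.get(user, ()))

    def revoke_user_everywhere(self, user):
        """Offboarding is one change (drop the user's roles) no matter how many
        resources those roles cover."""
        return 1 if self.user_roles.pop(user, None) else 0


def build_stores(n_resources=50):
    """Constructed data: a registrar and an advisor both need the same grade
    records; only the registrar may change them."""
    resources = [f"grades/section-{i}" for i in range(n_resources)]
    acl, rbac = AclStore(), RbacStore()
    for r in resources:
        acl.grant(r, "registrar", "read", "write")
        acl.grant(r, "advisor", "read")
        rbac.grant_role("Registrar", r, "read", "write")
        rbac.grant_role("Advisor", r, "read")
    rbac.assign("registrar", "Registrar")
    rbac.assign("advisor", "Advisor")
    return acl, rbac, resources


if __name__ == "__main__":
    acl, rbac, resources = build_stores()
    print("ACL lists edited to offboard advisor:", acl.revoke_user_everywhere("advisor"))
    print("RBAC changes to offboard advisor:", rbac.revoke_user_everywhere("advisor"))
```

Both stores answer access questions identically; the difference shows up in `revoke_user_everywhere`, which has to touch fifty lists in the ACL model and one user-to-role mapping in the RBAC model. The stale-entry failure mode is the same story: with ACLs, forgetting one list silently leaves access behind.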
Figure: Comparison of ACL and RBAC
Encryption
Many times, an organization needs to transmit information over the Internet or transfer it on external media such as a CD or flash drive. In these cases, even with proper authentication and access control, it is possible for an unauthorized person to get access to the data. Encryption is a process of encoding data upon its transmission or storage so that only authorized individuals can read it. This encoding is accomplished by a computer program, which encrypts the plaintext that needs to be transmitted; the recipient receives the ciphertext and decrypts it. In order for this to work, the sender and receiver need to agree on the method of encoding so that both parties can communicate properly. When both parties share the same secret key and use it both to encrypt and to decrypt each other's messages, this is called symmetric key encryption. Its weakness is key distribution: the same key has to be delivered to, and protected at, both ends, and every additional correspondent needs a key of their own.
An alternative to symmetric key encryption is public key encryption. In public key encryption, two mathematically related keys are used: a public key and a private key. To send an encrypted message, you obtain the recipient's public key, encrypt the message with it, and send it. The recipient then uses their private key to decrypt it. The public key can be given to anyone who wishes to send the recipient a message; the private key is never shared. Each user needs only one private key and one public key in order to receive secure messages from anyone. The private key is necessary in order to decrypt anything encrypted with the matching public key. In practice the two approaches are combined: public key encryption is used to agree on a fresh symmetric key, and that key encrypts the bulk of the data.
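To make the public/private key relationship concrete, here is an added example (not from these notes) of textbook RSA with the tiny primes commonly used in teaching. It shows key generation, encryption with only the public key, decryption with only the private key, and the reason real keys are thousands of bits long: with a small modulus, anyone holding just the public key can factor it and rebuild the private key. The primes 61 and 53 and exponent 17 are demo choices; nothing here is safe for real use (no padding, toy key size).

```python
import math


def generate_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes p and q. Returns (public, private) as
    (modulus, exponent) pairs. Demo sizes only: real keys use primes of
    1024 bits or more and a padding scheme such as OAEP."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can do this."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the holder of d can reverse the encryption."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_key(public_key):
    """Why n must be huge: with a small modulus, trial division factors n in
    microseconds, after which phi and therefore d follow immediately."""
    n, e = public_key
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    return None


if __name__ == "__main__":
    public, private = generate_keypair(61, 53)
    c = encrypt(public, 65)
    print("public", public, "private", private)
    print("ciphertext", c, "decrypted", decrypt(private, c))
    print("recovered from public key alone:", recover_private_key(public))
```

The same arithmetic run in reverse (raise to d, verify by raising to e) is how RSA signatures work, which is why a private key that leaks compromises both confidentiality and authenticity.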
Figure: Public key encryption
Sidebar: Password Security
So why is using just a simple user ID/password not considered a secure method of authentication? It turns out that this single-factor authentication is extremely easy to compromise. Good password policies must be put in place in order to make passwords harder to compromise. Below are some of the more common policies that organizations put in place.
• Require strong passwords. One reason passwords are compromised is that they can be easily guessed. A study found that the top three passwords people used in 2012 were password, 123456 and 12345678.[1] A password should not be simple, or a word that can be found in a dictionary: one of the first things an attacker will do is try to crack a password by testing every term in a dictionary, along with common variations such as a capital first letter and a trailing "1" or "!". The traditional policy requires a minimum of eight characters, at least one upper-case letter, one special character, and one number. Current guidance (NIST SP 800-63B) puts more weight on length and on screening candidate passwords against lists of known-breached passwords than on composition rules, because rules of this kind tend to produce predictable patterns such as Password1!.
• Change passwords regularly. Many organizations require users to change their passwords every sixty to ninety days, so that a password that has been stolen or guessed cannot be used against the company indefinitely. The same NIST guidance now recommends forcing a change when compromise is suspected rather than on a fixed schedule, since scheduled rotation pushes users toward weak, predictable sequences.
• Train employees not to give away passwords. One of the primary methods used to steal passwords is simply to ask users or administrators for them. Pretexting occurs when an attacker calls a help desk or security administrator and pretends to be a particular authorized user having trouble logging in. Then, by providing some personal information about the authorized user, the attacker convinces the security person to reset the password and tell him what it is. Another way that employees may be tricked into giving away passwords is through e-mail phishing. Phishing occurs when a user receives an e-mail that looks as if it is from a trusted source, such as their bank or their employer. In the e-mail, the user is asked to click a link and log in to a website that mimics the genuine one; the ID and password they enter are captured by the attacker.
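The dictionary attack described above is worth seeing against a properly stored (salted, slow-hashed) password, because it shows that storage alone does not rescue a weak choice. The following is an added example, not part of the original notes: it hashes passwords with PBKDF2, then runs a constructed six-word list with a few mangling rules against the stored hash. The word list, mangling rules, iteration count and the `policy_ok` check (which implements the eight-character composition rule from the text) are all assumptions for the demo.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 1_000   # deliberately low so the demo runs in about a second;
                     # production deployments use a far higher count

# Constructed word list: the text's 2012 top three plus a few classics. Real
# attack lists contain hundreds of millions of entries.
WORDLIST = ["password", "123456", "12345678", "qwerty", "letmein", "welcome"]


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256. Store (salt, digest), never the password."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, digest, iterations=ITERATIONS):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def mangle(word):
    """Rules an attacker applies to each dictionary word: capitalise, append the
    digits and symbols people use to satisfy composition policies, leet-speak."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!", "1!", "2012"):
            yield base + suffix
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")


def dictionary_attack(salt, digest, wordlist=WORDLIST, iterations=ITERATIONS):
    """Try every word and mangling against one stored hash. Returns the
    password, or None if the list is exhausted without a match."""
    for word in wordlist:
        for candidate in mangle(word):
            if verify_password(candidate, salt, digest, iterations):
                return candidate
    return None


def policy_ok(password, wordlist=WORDLIST):
    """The composition policy from the text: 8+ characters, an upper-case
    letter, a digit, a special character, and not a bare dictionary word."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password)
            and password.lower() not in wordlist)


if __name__ == "__main__":
    for pw in ("Password1!", "correct-horse-battery-staple-42"):
        salt, digest = hash_password(pw)
        print(f"{pw!r}: policy_ok={policy_ok(pw)} cracked={dictionary_attack(salt, digest)!r}")
```

Password1! satisfies every composition rule and falls in under a second; the long passphrase fails the composition rule (no upper-case letter) and survives the attack. That mismatch is the reason current guidance prefers length and breached-password screening over character-class rules.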
Backups
Another essential tool for information security is a comprehensive backup plan for the entire organization. Not only should the data on the corporate servers be backed up, but individual computers used throughout the organization should also be backed up. A good backup plan should consist of several components.
• A full understanding of the organizational information resources. What information does the organization actually have? Where is it stored? Some data may be stored on the organization's servers, other data on users' hard drives, some in the cloud, and some on third-party sites. An organization should make a full inventory of all of the information that needs to be backed up and determine the best way to back it up.
• Regular backups of all data. The frequency of backups should be based on how important the data is to the company, combined with the ability of the company to replace any data that is lost. Critical data should be backed up daily, while less critical data could be backed up weekly.
• Offsite storage of backup data sets. If all of the backup data is stored in the same facility as the original copies of the data, then a single event, such as an earthquake, fire, or tornado, would take out both the original data and the backup. It is essential that part of the backup plan is to store the data in an offsite location, and that the offsite copy is protected from the same credentials an attacker would use to destroy the primary copy.
• Test of data restoration. On a regular basis, the backups should be put to the test by having some of the data restored. This will ensure that the process is working and will give the organization confidence in the backup plan. A backup that has never been restored is an assumption, not a backup.
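A restore test is a procedure, so the following added example (not from these notes) scripts one end to end: archive a constructed directory, record a per-file SHA-256 manifest to store with the offsite copy, restore into a scratch directory while refusing archive entries that would escape it, and compare every restored file against the manifest. It then corrupts one restored file to confirm the check actually catches a bad restore. File names and contents are made up for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: Path, archive: Path) -> dict:
    """Archive every file under source_dir. Returns a manifest {relative path:
    sha256} to be kept alongside (and offsite with) the archive."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for f in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = f.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_of(f)
            tar.add(str(f), arcname=rel)
    return manifest


def restore(archive: Path, restore_dir: Path) -> None:
    """Extract into a scratch directory, refusing members that would land
    outside it (a hostile archive is a classic way to overwrite system files)."""
    root = restore_dir.resolve()
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            target = (root / member.name).resolve()
            if target != root and root not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(str(restore_dir))


def verify_restore(restore_dir: Path, manifest: dict) -> list:
    """Compare every restored file against the manifest. Empty list == pass."""
    problems = []
    for rel, expected in manifest.items():
        path = restore_dir / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def run_restore_test() -> tuple:
    """Drill on constructed data. Returns (problems on a clean restore,
    problems after one restored file is silently corrupted)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "fileserver"
        (src / "hr").mkdir(parents=True)
        (src / "hr" / "payroll.csv").write_text("id,name,salary\n1,Ada,90000\n")
        (src / "readme.txt").write_text("constructed sample data\n")

        archive = tmp / "nightly.tar.gz"
        manifest = make_backup(src, archive)

        scratch = tmp / "restore-drill"
        restore(archive, scratch)
        clean = verify_restore(scratch, manifest)

        # Simulate bit rot or a partial restore and confirm the drill catches it.
        (scratch / "hr" / "payroll.csv").write_text("id,name,salary\n1,Ada,95000\n")
        corrupted = verify_restore(scratch, manifest)
    return clean, corrupted


if __name__ == "__main__":
    print(run_restore_test())
```

In a real drill the manifest is signed or stored where the backup system cannot rewrite it; otherwise ransomware that encrypts the backups can simply regenerate the manifest to match.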
Besides these considerations, organizations should also examine their operations to determine
what effect downtime would have on their business. If their information technology were to be
unavailable for any sustained period of time, how would it impact the business?
Additional concepts related to backup include the following:
• Uninterruptible Power Supply (UPS). A UPS is a device that provides battery backup to critical components of the system, allowing them to stay online longer and/or allowing the IT staff to shut them down using proper procedures in order to prevent the data loss that might occur from a power failure.
• Alternate, or "hot", sites. Some organizations choose to have an alternate site where an exact replica of their critical data is always kept up to date. When the primary site goes down, the alternate site is immediately brought online so that little or no downtime is experienced.
As information has become a strategic asset, a whole industry has sprung up around the technologies necessary for implementing a proper backup strategy. A company can contract with a service provider to back up all of its data, or it can purchase large amounts of online storage space and do it itself. Technologies such as storage area networks and archival systems are now used by most large businesses.
Firewalls
Figure: Network configuration with firewalls, IDS, and a DMZ
Another method that an organization should use to increase security on its network is a firewall. A firewall can exist as hardware or software (or both). A hardware firewall is a device that is connected to the network and filters packets based on a set of rules. A software firewall runs on the operating system and intercepts packets as they arrive at a computer. A firewall protects company servers and computers by dropping packets from outside the organization's network that do not meet a strict set of criteria; the sound default is to deny everything and then allow only the specific traffic each service needs. A firewall may also be configured to restrict the flow of packets leaving the organization. This may be done to eliminate the possibility of employees watching YouTube videos or using Facebook from a company computer, and it also limits what compromised internal machines can reach.
Some organizations may choose to implement multiple firewalls as part of their network security configuration, creating one or more sections of their network that are partially secured. This segment of the network is referred to as a DMZ, borrowing the term demilitarized zone from the military, and it is where an organization may place resources that need broader access (such as a public web server) but still need to be secured. A host in the DMZ should be allowed to reach only the specific internal services it needs, so that compromising it does not open the whole internal network.
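The rule evaluation a firewall performs is simple enough to model directly, and doing so makes the default-deny, DMZ and egress points above concrete. This added example (not code from these notes) is a stateless first-match packet filter over a constructed address plan that uses the RFC 5737 documentation ranges; the blocked range stands in for a video-streaming site. Real firewalls additionally track connection state so that replies to allowed outbound connections are admitted, which this model omits.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: RFC 5737 documentation ranges stand in for real networks.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")
DB_SERVER = ipaddress.ip_network("10.1.5.20/32")
ANY = ipaddress.ip_network("0.0.0.0/0")
BLOCKED_SITES = ipaddress.ip_network("203.0.113.0/24")   # stands in for a video site


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str               # "tcp", "udp" or "any"
    ports: frozenset         # destination ports; empty means any port

    def matches(self, src_ip, dst_ip, proto, dport) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and self.proto in ("any", proto)
                and (not self.ports or dport in self.ports))


# First match wins; anything that reaches the end is dropped (default deny).
RULES = [
    # Inbound from anywhere: only the public web service in the DMZ.
    Rule("allow", ANY, DMZ, "tcp", frozenset({80, 443})),
    # The DMZ may reach exactly one internal service (its database) and nothing else.
    Rule("allow", DMZ, DB_SERVER, "tcp", frozenset({5432})),
    Rule("deny", DMZ, INTERNAL, "any", frozenset()),
    # Egress policy: internal users get web and DNS, except to the blocked range.
    Rule("deny", INTERNAL, BLOCKED_SITES, "any", frozenset()),
    Rule("allow", INTERNAL, ANY, "tcp", frozenset({80, 443})),
    Rule("allow", INTERNAL, ANY, "udp", frozenset({53})),
]


def filter_packet(src: str, dst: str, proto: str, dport: int, rules=RULES) -> str:
    """Return the action for one packet header: the first matching rule's
    action, or 'deny' when no rule matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for pkt in [("198.51.100.7", "192.0.2.10", "tcp", 443),
                ("198.51.100.7", "10.1.5.20", "tcp", 445),
                ("192.0.2.10", "10.1.5.20", "tcp", 5432),
                ("192.0.2.10", "10.1.5.21", "tcp", 22),
                ("10.20.30.40", "203.0.113.5", "tcp", 443),
                ("10.20.30.40", "198.51.100.9", "tcp", 25)]:
        print(pkt, "->", filter_packet(*pkt))
```

Rule order matters: swapping the two egress rules would let the blocked range through on ports 80 and 443, which is exactly the kind of mistake a rule review looks for.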
Intrusion Detection Systems
Another device that can be placed on the network for security purposes is an intrusion detection system, or IDS. An IDS does not by itself block anything; that is the job of a firewall or of an intrusion prevention system (IPS). Instead, it provides the ability to identify whether the network is being attacked. An IDS can be configured to watch for specific types of activity and then alert security personnel if that activity occurs. An IDS also can log various types of traffic on the network for later analysis. An IDS is an essential part of any good security setup, because every preventive control eventually fails and somebody has to notice.
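The "watch for specific types of activity and alert" behaviour is a threshold rule over a stream of events. The following added example (not from these notes) runs such a rule over constructed sshd-style log lines: it flags a source that fails authentication five times within sixty seconds, and separately flags a later successful login from a source that was just brute-forcing, which is the event a responder most wants to see. The log lines, the threshold and the window are all assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (ISO timestamps to keep parsing simple).
SAMPLE_LOG = """\
2024-03-10T12:00:01 sshd[911]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
2024-03-10T12:00:03 sshd[912]: Failed password for root from 203.0.113.9 port 51001 ssh2
2024-03-10T12:00:04 sshd[913]: Failed password for root from 203.0.113.9 port 51002 ssh2
2024-03-10T12:00:06 sshd[914]: Failed password for invalid user test from 203.0.113.9 port 51003 ssh2
2024-03-10T12:00:07 sshd[915]: Failed password for root from 203.0.113.9 port 51004 ssh2
2024-03-10T12:00:09 sshd[916]: Accepted password for deploy from 203.0.113.9 port 51005 ssh2
2024-03-10T12:05:00 sshd[920]: Failed password for alice from 10.0.0.15 port 40000 ssh2
2024-03-10T12:09:30 sshd[921]: Accepted publickey for alice from 10.0.0.15 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

THRESHOLD = 5                    # this many failures...
WINDOW = timedelta(seconds=60)   # ...inside this window raise an alert


def parse(line):
    """Return (timestamp, result, user, ip) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect(log_text, threshold=THRESHOLD, window=WINDOW):
    """Threshold detection over a sliding window, per source address, plus a
    second signature: a success from a source that was just flagged."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = set()
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        ts, result, user, ip = event
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"{ts.isoformat()} BRUTE_FORCE {ip}: "
                              f"{len(recent)} failures in {window.seconds}s")
        elif ip in flagged:
            alerts.append(f"{ts.isoformat()} SUCCESS_AFTER_BRUTE_FORCE {ip} as {user}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single failure from 10.0.0.15 followed by a key-based login never crosses the threshold, so it produces no alert; tuning the threshold and window against real traffic is most of the work of running an IDS without drowning in false positives.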
Sidebar: Virtual Private Networks
Using firewalls and other security technologies, organizations can effectively protect many of their information resources by making them invisible to the outside world. But what if an employee working from home requires access to some of these resources? What if a consultant is hired who needs to do work on the internal corporate network from a remote location? In these cases, a virtual private network (VPN) is called for. A VPN allows a user who is outside the corporate network to reach the internal network through an encrypted tunnel to a VPN gateway that the firewall deliberately exposes; the remote machine is authenticated and then treated as if it were inside. Through a combination of software and security measures, this lets an organization allow limited access to its networks while at the same time ensuring overall security. Because the remote device effectively joins the internal network, its own security posture (patches, malware protection, who else uses it) becomes the organization's problem too.
Physical Security
An organization can implement the best authentication scheme in the world, develop the best access control, and install firewalls and intrusion detection, but its security cannot be complete without physical security. Physical security is the protection of the actual hardware and networking components that store and transmit information resources. To implement physical security, an organization must identify all of the vulnerable resources and take measures to ensure that these resources cannot be physically tampered with or stolen. These measures include the following.
• Locked doors: It may seem obvious, but all the security in the world is useless if an intruder can simply walk in and physically remove a computing device. High-value information assets should be secured in a location with limited access.
• Physical intrusion detection: High-value information assets should be monitored through the use of security cameras and other means to detect unauthorized access to the physical locations where they exist.
• Secured equipment: Devices should be locked down to prevent them from being stolen. One employee's hard drive could contain all of your customer information, so it is essential that it be secured (and, for portable devices, encrypted, so that a stolen drive yields nothing readable).
• Environmental monitoring: An organization's servers and other high-value equipment should always be kept in a room that is monitored for temperature, humidity, and airflow. The risk of a server failure rises when these factors go out of a specified range.
• Employee training: One of the most common ways thieves steal corporate information is to steal employee laptops while employees are traveling. Employees should be trained to secure their equipment whenever they are away from the office.
Security Policies
Besides the technical controls listed above, organizations also need to implement security policies as a form of administrative control. In fact, these policies should really be the starting point in developing an overall security plan. A good information security policy lays out the guidelines for employee use of the information resources of the company and provides the company recourse in the case that an employee violates a policy.
According to the SANS Institute, a good policy is "a formal, brief, and high-level statement or plan that embraces an organization's general beliefs, goals, objectives, and acceptable procedures for a specified subject area." Policies require compliance; failure to comply with a policy will result in disciplinary action. A policy does not lay out the specific technical details; instead it focuses on the desired results. A security policy should be based on the guiding principles of confidentiality, integrity, and availability.[2]
A good example of a security policy that many will be familiar with is a web use policy. A web use policy lays out the responsibilities of company employees as they use company resources to access the Internet. A good example of a web use policy is included in Harvard University's "Computer Rules and Responsibilities" policy.
A security policy should also address any governmental or industry regulations that apply to the organization. For example, if the organization is a university, it must be aware of the Family Educational Rights and Privacy Act (FERPA), which restricts who has access to student information. Health care organizations are obligated to follow several regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).
Sidebar: Mobile Security
As the use of mobile devices such as smartphones and tablets proliferates, organizations must be ready to address the unique security concerns that these devices bring. One of the first questions an organization must consider is whether to allow mobile devices in the workplace at all. Many employees already have these devices, so the question becomes: should we allow employees to bring their own devices and use them as part of their employment activities, or should we provide the devices? Creating a BYOD ("Bring Your Own Device") policy allows employees to integrate themselves more fully into their job and can bring higher employee satisfaction and productivity; in many cases it is virtually impossible to prevent employees from having their own smartphones or tablets in the workplace anyway. If the organization provides the devices, it gains more control over how they are used, but it also takes on the cost and administrative burden of managing them.
Mobile devices can pose many unique security challenges to an organization. Probably one of the biggest concerns is theft of intellectual property. For an employee with malicious intent, it would be a very simple process to connect a mobile device to a computer via the USB port, or wirelessly to the corporate network, and download confidential data. It would also be easy to secretly take a high-quality picture of a screen or document using the built-in camera.
When an employee does have permission to access and save company data on his or her device, a different security threat emerges: that device now becomes a target for thieves. Theft of mobile devices (in this case, including laptops) is one of the primary methods that data thieves use.
So what can be done to secure mobile devices? It starts with a good policy regarding their use. According to a 2013 SANS study, organizations should consider developing a mobile device policy that addresses the following issues: use of the camera, use of voice recording, application purchases, encryption at rest, Wi-Fi autoconnect settings, Bluetooth settings, VPN use, password settings, lost or stolen device reporting, and backup.[3]
Besides policies, there are several tools that an organization can use to mitigate some of these risks. For example, if a device is stolen or lost, geolocation software can help the organization find it. In some cases, it may even make sense to install remote-wipe software, which removes company data from a device once it is reported lost or otherwise becomes a security risk. Encryption at rest, from the policy list above, is what protects the data in the interval before a remote wipe reaches the device.
Usability
When looking to secure information resources, organizations must balance the need for security with users' need to effectively access and use these resources. If a system's security measures make it difficult to use, then users will find ways around the security, which may make the system more vulnerable than it would have been without the security measures. Take, for example, password policies. If the organization requires an extremely long password with several special characters, an employee may resort to writing it down and putting it in a drawer since it will be impossible to memorize. A password manager that generates and stores unique passwords removes the memorization problem without the drawer.
Personal Information Security
There is no way to have 100% security, but there are several simple steps we, as individuals, can take to make ourselves more secure.
• Keep your software up to date. Whenever a software vendor determines that a security flaw has been found in their software, they will release an update to the software that you can download to fix the problem. Turn on automatic updating on your computer to automate this process.
• Install antivirus software and keep it up to date. There are many good antivirus software packages on the market today.
• Be smart about your connections. You should be aware of your surroundings. When connecting to a Wi-Fi network in a public place, be aware that you could be at risk of being spied on by others sharing that network. It is advisable not to access your financial or personal data while attached to a public Wi-Fi hotspot unless the connection is encrypted (the padlock in the browser, or a VPN). You should also be aware that connecting USB flash drives to your device can put you at risk. Do not attach an unfamiliar flash drive to your device unless you can scan it first with your security software.
• Back up your data. Just as organizations need to back up their data, individuals need to as well. And the same rules apply: do it regularly and keep a copy of it in another location. One simple solution for this is to set up an account with an online backup service, such as Mozy or Carbonite, to automate your backups.
• Secure your accounts with two-factor authentication. Most e-mail and social media providers now have a two-factor authentication option. The way this works is simple: when you log in to your account from an unfamiliar computer for the first time, the provider sends you a text message with a code that you must enter to confirm that you are really you. This means that no one else can log in to your accounts without knowing your password and having your mobile phone with them. Codes sent by text message are the weakest form of second factor, because attackers can take over a phone number (so-called SIM swapping); prefer an authenticator app or a hardware security key where the provider offers one.
• Make your passwords long, strong, and unique. For your personal passwords, you should follow the same rules that are recommended for organizations. Your passwords should be long (eight or more characters, and longer is better) and contain at least two of the following: upper-case letters, numbers, and special characters. You also should use different passwords for different accounts, so that if someone steals your password for one account, they are still locked out of your other accounts.
• Be suspicious of strange links and attachments. When you receive an e-mail, tweet, or Facebook post, be suspicious of any links or attachments included there. Do not click on the link directly if you are at all suspicious. Instead, if you want to access the website, find it yourself and navigate to it directly.
Information Security vs Cybersecurity
Information security differs from cybersecurity in both scope and purpose. The two terms are often used interchangeably, but more accurately, cybersecurity is a subcategory of information security. Information security is a broad field that covers many areas such as physical security, endpoint security, data encryption, and network security. It is also closely related to information assurance, which protects information from threats such as natural disasters and server failures.
Cybersecurity primarily addresses technology-related threats, with practices and tools that can prevent or mitigate them. Another related category is data security, which focuses on protecting an organization's data from accidental or malicious exposure to unauthorized parties.
Information Security Policy
An Information Security Policy (ISP) is a set of rules that guide individuals when using IT assets. Companies create information security policies to ensure that employees and other users follow security protocols and procedures. Security policies are intended to ensure that only authorized users can access sensitive systems and information.
Creating an effective security policy and taking steps to ensure compliance is an important step towards preventing and mitigating security threats. To make your policy truly effective, update it regularly based on company changes, new threats, conclusions drawn from previous breaches, and changes to security systems and tools.
Make your information security strategy practical and reasonable. To meet the needs and urgency of different departments within the organization, it is necessary to deploy a system of exceptions, with an approval process, enabling departments or individuals to deviate from the rules in specific circumstances. Each exception should have an owner and an expiry date, so that temporary deviations do not quietly become permanent.
Top Information Security Threats
There are hundreds of categories of information security threats and millions of known threat vectors. Below we cover some of the key threats that are a priority for security teams at modern enterprises.
Unsecure or Poorly Secured Systems
The pace of technological development often leads to compromises in security measures. In other cases, systems are developed without security in mind and remain in operation at an organization as legacy systems. Organizations must identify these poorly secured systems and mitigate the threat by securing or patching them, decommissioning them, or isolating them on their own network segment so that a compromise cannot spread.
Social Media Attacks
Many people have social media accounts, where they often unintentionally share a lot of information about themselves. Attackers can launch attacks directly via social media, for example by spreading malware via social media messages, or indirectly, by using information obtained from these sites to analyze user and organizational vulnerabilities and use them to design an attack.
Social Engineering
Social engineering involves attackers sending e-mails and messages that trick users into performing actions that compromise their security or divulge private information. Attackers manipulate users using psychological triggers like curiosity, urgency or fear.
Because the source of a social engineering message appears to be trusted, people are more likely to comply, for example by clicking a link that installs malware on their device, or by providing personal information, credentials, or financial details.
Organizations can mitigate social engineering by making users aware of its dangers and training them to identify and avoid suspected social engineering messages. In addition, technological systems can be used to block social engineering at its source, or to prevent users from performing dangerous actions such as clicking on unknown links or downloading unknown attachments. Phishing-resistant authentication (hardware security keys) also removes the value of a stolen password.
Malware on Endpoints
Organizational users work with a large variety of endpoint devices, including desktop computers, laptops, tablets, and mobile phones, many of which are privately owned and not under the organization's control, and all of which connect regularly to the Internet.
A primary threat on all these endpoints is malware, which can be transmitted by a variety of means, can result in compromise of the endpoint itself, and can also lead to lateral movement and privilege escalation into other organizational systems.
Traditional antivirus software is insufficient to block all modern forms of malware, and more advanced approaches to securing endpoints are developing, such as endpoint detection and response (EDR).
Lack of Encryption
Encryption processes encode data so that it can only be decoded by holders of the secret key. It is very effective in preventing disclosure of data in case of equipment loss or theft, or in case organizational systems are compromised by attackers. It does not by itself prevent loss or corruption of the data (that is what backups are for), and a lost key means a lost data set, so key management matters as much as the choice of algorithm.
Unfortunately, this measure is often overlooked due to its perceived complexity and the lack of legal obligations associated with proper implementation. Organizations are increasingly adopting encryption, by purchasing storage devices or using cloud services that support encryption, or by using dedicated security tools.
Security Misconfiguration
Modern organizations use a huge number of technological platforms and tools, in particular web applications, databases, and Software as a Service (SaaS) applications, or Infrastructure as a Service (IaaS) from providers like Amazon Web Services.
Enterprise-grade platforms and cloud services have security features, but these must be configured by the organization. Security misconfiguration due to negligence or human error can result in a security breach. Another problem is "configuration drift", where a correct security configuration can quickly become out of date and make a system vulnerable, unbeknownst to IT or security staff.
Organizations can mitigate security misconfiguration using technological platforms that continuously monitor systems, identify configuration gaps, and alert or even automatically remediate configuration issues that make systems vulnerable. The precondition for any of that is a written baseline: without a record of what the correct configuration is, drift cannot be measured.
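Drift detection is a comparison of observed configuration against a baseline, and the following added example (not from these notes) does exactly that for an OpenSSH server configuration. It parses sshd_config-style text (comment lines, case-insensitive directive names, and the daemon's rule that the first occurrence of a directive wins), compares it against a constructed baseline, and reports directives that are wrong or have silently fallen back to the daemon default. The baseline values and the two sample configurations are assumptions chosen for the demonstration.

```python
# Security baseline the organisation has agreed on (constructed for the demo).
# directive (lower-case) -> (required value, why it matters)
BASELINE = {
    "permitrootlogin":        ("no",  "root must come in through a named account"),
    "passwordauthentication": ("no",  "keys only; removes the brute-force attack class"),
    "x11forwarding":          ("no",  "unneeded attack surface"),
    "maxauthtries":           ("3",   "limits guesses per connection"),
}

GOLDEN_CONFIG = """\
# Hardened baseline as deployed
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
"""

# Six months later: a "temporary" line was added at the top during a vendor
# visit, and a rebuild dropped MaxAuthTries. Nobody updated the baseline.
DRIFTED_CONFIG = """\
# temporary: vendor needs password login
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
"""


def parse_sshd_config(text: str) -> dict:
    """sshd_config is 'Directive value' per line, lines starting with '#' are
    comments, directive names are case-insensitive, and for each directive the
    FIRST occurrence is the one sshd uses."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def detect_drift(observed: dict, baseline: dict = BASELINE) -> list:
    """Return (directive, required, actual, reason) for every baseline directive
    that is wrong or unset. Unset is reported too: the daemon default may be
    weaker than the baseline and is exactly the kind of drift nobody notices."""
    findings = []
    for key, (required, reason) in baseline.items():
        actual = observed.get(key)
        if actual is None:
            findings.append((key, required, "<unset: daemon default>", reason))
        elif actual.lower() != required.lower():
            findings.append((key, required, actual, reason))
    return findings


if __name__ == "__main__":
    print("golden :", detect_drift(parse_sshd_config(GOLDEN_CONFIG)))
    for finding in detect_drift(parse_sshd_config(DRIFTED_CONFIG)):
        print("DRIFT  :", finding)
```

The first-occurrence rule is the interesting failure: a line appended at the bottom of the file would have been harmless, but one inserted at the top silently overrides the hardened setting below it, and a tool that only greps for "PasswordAuthentication no" would report the file as compliant.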
Active vs Passive Attacks
Information security is intended to protect organizations against malicious attacks. There are two primary types of attacks: active and passive. Active attacks are considered more difficult to prevent, and the focus is on detecting, mitigating and recovering from them. Passive attacks are easier to prevent with strong security measures.
Active Attack
An active attack involves intercepting a communication or message and altering it for malicious effect. There are three common variants of an active attack:
• Interruption — the attacker interrupts the original communication and creates new, malicious messages, pretending to be one of the communicating parties.
• Modification — the attacker uses existing communications, and either replays them to fool one of the communicating parties, or modifies them to gain an advantage.
• Fabrication — the attacker creates fake, or synthetic, communications, typically with the aim of achieving denial of service (DoS). This prevents users from accessing systems or performing normal operations.
Passive Attack
In a passive attack, an attacker monitors a system and illicitly copies information without altering it. They then use this information to disrupt networks or compromise target systems. The attackers do not make any change to the communication or the target systems, which makes a passive attack more difficult to detect. However, encryption can help prevent passive attacks because it obfuscates the data, making it more difficult for attackers to make use of it.
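The passive case and the modification, replay and fabrication cases above, as an added example that is not part of the original chapter: a toy authenticated channel in Python showing that encryption alone blinds the eavesdropper, while an integrity tag and a sequence number are what let the receiver detect the active variants. The cipher is an HMAC-SHA256 keystream standing in for a real AEAD such as AES-GCM, and the shared key, messages and sequence numbers are constructed.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag
SEQ_LEN = 8   # sequence number sent in the clear, but covered by the tag

# Constructed shared secret for the demo; in practice keys come from a key exchange
DEMO_MASTER = hashlib.sha256(b"constructed demo shared secret").digest()


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from the shared secret."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(k_enc: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy PRF standing in for a real cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        counter = seq.to_bytes(SEQ_LEN, "big") + block.to_bytes(4, "big")
        out += hmac.new(k_enc, counter, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def protect(master: bytes, seq: int, plaintext: bytes) -> bytes:
    """Sender: seq || ciphertext || tag (encrypt-then-MAC)."""
    k_enc, k_mac = _subkey(master, b"enc"), _subkey(master, b"mac")
    header = seq.to_bytes(SEQ_LEN, "big")
    ks = _keystream(k_enc, seq, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(k_mac, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    """Receiver that verifies the tag first and remembers the highest sequence seen."""

    def __init__(self, master: bytes):
        self.k_enc = _subkey(master, b"enc")
        self.k_mac = _subkey(master, b"mac")
        self.last_seq = -1

    def unprotect(self, message: bytes):
        """Return (status, plaintext); status is 'ok', 'tampered' or 'replayed'."""
        if len(message) < SEQ_LEN + TAG_LEN:
            return "tampered", None
        header = message[:SEQ_LEN]
        ciphertext = message[SEQ_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]
        expected = hmac.new(self.k_mac, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "tampered", None       # modification, or fabrication without the key
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return "replayed", None       # genuine message presented a second time
        self.last_seq = seq
        ks = _keystream(self.k_enc, seq, len(ciphertext))
        return "ok", bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Run the passive and active scenarios from the text against one receiver."""
    rx = Receiver(DEMO_MASTER)
    wire = protect(DEMO_MASTER, 1, b"transfer 100 to account 42")
    results = {}
    # Passive: the eavesdropper copies the wire bytes; the plaintext is not in them.
    results["eavesdropper_reads_plaintext"] = b"transfer" in wire
    # Modification: flip one ciphertext bit in transit; the tag no longer verifies.
    modified = bytearray(wire)
    modified[SEQ_LEN + 2] ^= 0x01
    results["modified"] = rx.unprotect(bytes(modified))[0]
    # The untouched original still goes through ...
    results["genuine"] = rx.unprotect(wire)[0]
    # ... but presenting it again is caught by the sequence check.
    results["replayed"] = rx.unprotect(wire)[0]
    # Fabrication: a message built under a key the attacker chose, not the shared one.
    forged = protect(hashlib.sha256(b"attacker guess").digest(), 2,
                     b"transfer 100 to account 99")
    results["fabricated"] = rx.unprotect(forged)[0]
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28s} -> {outcome}")
```

Interruption (denial of service) is deliberately not modelled: no tag or counter helps a receiver that never gets the message, which is why the text pairs active attacks with detection and recovery rather than prevention alone.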
Information Security and Data Protection Laws
Information security is in constant interaction with the laws and regulations of the places where an organization does business. Data protection regulations around the world focus on enhancing the privacy of personal data, and place restrictions on the way organizations can collect, store, and make use of customer data.
Data privacy focuses on personally identifiable information (PII), and is primarily concerned with how the data is stored and used. PII includes any data that can be linked directly to the user, such as name, ID number, date of birth, physical address, or phone number. It may also include artifacts like social media posts, profile pictures and IP addresses.
Information Security with Imperva
Imperva helps organizations of all sizes implement information security programs and protect sensitive data and assets.
Imperva Application Security
Imperva provides multi-layered protection to make sure websites and applications are available, easily accessible and safe. The Imperva application security solution includes:
• DDoS (Distributed Denial of Service) Protection — maintain uptime in all situations. Prevent any type of DDoS attack, of any size, from preventing access to your website and network infrastructure.
• CDN (Content Delivery Network) — enhance website performance and reduce bandwidth costs with a CDN designed for developers. Cache static resources at the edge while accelerating APIs and dynamic websites.
• WAF (Web Application Firewall) — a cloud-based solution permits legitimate traffic and prevents bad traffic, safeguarding applications at the edge. Gateway WAF keeps applications and APIs inside your network safe.
• RASP (Runtime Application Self-Protection) — keep your applications safe from within against known and zero-day attacks. Fast and accurate protection with no signature or learning mode.
• Zero-day attacks, also known as zero-day exploits or zero-day vulnerabilities, are cybersecurity attacks that target software vulnerabilities that are unknown to the software vendor or the public.
Imperva Data Protection
Imperva’s data security solution protects your data wherever it lives — on premises, in the cloud and in hybrid environments. It also provides security and IT teams with full visibility into how the data is being accessed, used, and moved around the organization. Our comprehensive approach relies on multiple layers of protection, including:
• Database firewall — blocks SQL injection and other threats, while evaluating for known vulnerabilities.
• User rights management — monitors data access and activities of privileged users to identify excessive, inappropriate, and unused privileges.
• Data masking and encryption — obfuscates sensitive data so it would be useless to the bad actor, even if somehow extracted.
• Data loss prevention (DLP) — inspects data in motion, at rest on servers, in cloud storage, or on endpoint devices.
• User behavior analytics — establishes baselines of data access behavior, uses machine learning to detect and alert on abnormal and potentially risky activity.
• Data discovery and classification — reveals the location, volume, and context of data on premises and in the cloud.
• Database activity monitoring — monitors relational databases, data warehouses, big data and mainframes to generate real-time alerts on policy violations.
• Alert prioritization — Imperva uses AI and machine learning technology to look across the stream of security events and prioritize the ones that matter most.

More Related Content

Similar to MIS 428 information secuirty v1.pdf

1. Original Post by Catherine JohnsonCryptographic MethodsC
1. Original Post by Catherine JohnsonCryptographic MethodsC1. Original Post by Catherine JohnsonCryptographic MethodsC
1. Original Post by Catherine JohnsonCryptographic MethodsC
SantosConleyha
 
1. Original Post by Catherine JohnsonCryptographic MethodsC
1. Original Post by Catherine JohnsonCryptographic MethodsC1. Original Post by Catherine JohnsonCryptographic MethodsC
1. Original Post by Catherine JohnsonCryptographic MethodsC
AbbyWhyte974
 
Information Systems.pptx
Information Systems.pptxInformation Systems.pptx
Information Systems.pptx
KnownId
 
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
IJRTEMJOURNAL
 
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
journal ijrtem
 
Data+security+sp10
Data+security+sp10Data+security+sp10
Data+security+sp10
ismaelhaider
 

Similar to MIS 428 information secuirty v1.pdf (19)

International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)
 
1. Original Post by Catherine JohnsonCryptographic MethodsC
1. Original Post by Catherine JohnsonCryptographic MethodsC1. Original Post by Catherine JohnsonCryptographic MethodsC
1. Original Post by Catherine JohnsonCryptographic MethodsC
 
1. Original Post by Catherine JohnsonCryptographic MethodsC
1. Original Post by Catherine JohnsonCryptographic MethodsC1. Original Post by Catherine JohnsonCryptographic MethodsC
1. Original Post by Catherine JohnsonCryptographic MethodsC
 
Information Systems.pptx
Information Systems.pptxInformation Systems.pptx
Information Systems.pptx
 
IRJET- A Survey on Cryptography, Encryption and Compression Techniques
IRJET- A Survey on Cryptography, Encryption and Compression TechniquesIRJET- A Survey on Cryptography, Encryption and Compression Techniques
IRJET- A Survey on Cryptography, Encryption and Compression Techniques
 
Cisco cybersecurity essentials chapter 4
Cisco cybersecurity essentials chapter 4Cisco cybersecurity essentials chapter 4
Cisco cybersecurity essentials chapter 4
 
Is4560
Is4560Is4560
Is4560
 
Dnssec Case Study
Dnssec Case StudyDnssec Case Study
Dnssec Case Study
 
Module 1Introduction to cyber security.pptx
Module 1Introduction to cyber security.pptxModule 1Introduction to cyber security.pptx
Module 1Introduction to cyber security.pptx
 
Iaetsd a survey on cloud storage security with
Iaetsd a survey on cloud storage security withIaetsd a survey on cloud storage security with
Iaetsd a survey on cloud storage security with
 
Network Security
Network SecurityNetwork Security
Network Security
 
Achieving data integrity by forming the digital signature using RSA and SHA-1...
Achieving data integrity by forming the digital signature using RSA and SHA-1...Achieving data integrity by forming the digital signature using RSA and SHA-1...
Achieving data integrity by forming the digital signature using RSA and SHA-1...
 
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
 
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
Requirement Based Intrusion Detection in Addition to Prevention Via Advanced ...
 
Module 1.pptx
Module 1.pptxModule 1.pptx
Module 1.pptx
 
Data+security+sp10
Data+security+sp10Data+security+sp10
Data+security+sp10
 
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
 
Two Aspect Endorsement Access Control for web Based Cloud Computing
Two Aspect Endorsement Access Control for web Based   Cloud Computing     Two Aspect Endorsement Access Control for web Based   Cloud Computing
Two Aspect Endorsement Access Control for web Based Cloud Computing
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop Connection
 

Recently uploaded

Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
Klinik kandungan
 
Abortion pills in Jeddah | +966572737505 | Get Cytotec
Abortion pills in Jeddah | +966572737505 | Get CytotecAbortion pills in Jeddah | +966572737505 | Get Cytotec
Abortion pills in Jeddah | +966572737505 | Get Cytotec
Abortion pills in Riyadh +966572737505 get cytotec
 
Simplify hybrid data integration at an enterprise scale. Integrate all your d...
Simplify hybrid data integration at an enterprise scale. Integrate all your d...Simplify hybrid data integration at an enterprise scale. Integrate all your d...
Simplify hybrid data integration at an enterprise scale. Integrate all your d...
varanasisatyanvesh
 
Displacement, Velocity, Acceleration, and Second Derivatives
Displacement, Velocity, Acceleration, and Second DerivativesDisplacement, Velocity, Acceleration, and Second Derivatives
Displacement, Velocity, Acceleration, and Second Derivatives
23050636
 
Abortion pills in Jeddah |+966572737505 | get cytotec
Abortion pills in Jeddah |+966572737505 | get cytotecAbortion pills in Jeddah |+966572737505 | get cytotec
Abortion pills in Jeddah |+966572737505 | get cytotec
Abortion pills in Riyadh +966572737505 get cytotec
 
In Riyadh ((+919101817206)) Cytotec kit @ Abortion Pills Saudi Arabia
In Riyadh ((+919101817206)) Cytotec kit @ Abortion Pills Saudi ArabiaIn Riyadh ((+919101817206)) Cytotec kit @ Abortion Pills Saudi Arabia
In Riyadh ((+919101817206)) Cytotec kit @ Abortion Pills Saudi Arabia
ahmedjiabur940
 
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
wsppdmt
 
原件一样(UWO毕业证书)西安大略大学毕业证成绩单留信学历认证
原件一样(UWO毕业证书)西安大略大学毕业证成绩单留信学历认证原件一样(UWO毕业证书)西安大略大学毕业证成绩单留信学历认证
原件一样(UWO毕业证书)西安大略大学毕业证成绩单留信学历认证
pwgnohujw
 

Recently uploaded (20)

Bios of leading Astrologers & Researchers
Bios of leading Astrologers & ResearchersBios of leading Astrologers & Researchers
Bios of leading Astrologers & Researchers
 
Case Study 4 Where the cry of rebellion happen?
Case Study 4 Where the cry of rebellion happen?Case Study 4 Where the cry of rebellion happen?
Case Study 4 Where the cry of rebellion happen?
 
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
 
DBMS UNIT 5 46 CONTAINS NOTES FOR THE STUDENTS
DBMS UNIT 5 46 CONTAINS NOTES FOR THE STUDENTSDBMS UNIT 5 46 CONTAINS NOTES FOR THE STUDENTS
DBMS UNIT 5 46 CONTAINS NOTES FOR THE STUDENTS
 
Capstone in Interprofessional Informatic // IMPACT OF COVID 19 ON EDUCATION
Capstone in Interprofessional Informatic  // IMPACT OF COVID 19 ON EDUCATIONCapstone in Interprofessional Informatic  // IMPACT OF COVID 19 ON EDUCATION
Capstone in Interprofessional Informatic // IMPACT OF COVID 19 ON EDUCATION
 
Predictive Precipitation: Advanced Rain Forecasting Techniques
Predictive Precipitation: Advanced Rain Forecasting TechniquesPredictive Precipitation: Advanced Rain Forecasting Techniques
Predictive Precipitation: Advanced Rain Forecasting Techniques
 
社内勉強会資料_Object Recognition as Next Token Prediction
社内勉強会資料_Object Recognition as Next Token Prediction社内勉強会資料_Object Recognition as Next Token Prediction
社内勉強会資料_Object Recognition as Next Token Prediction
 
DAA Assignment Solution.pdf is the best1
DAA Assignment Solution.pdf is the best1DAA Assignment Solution.pdf is the best1
DAA Assignment Solution.pdf is the best1
 
Identify Rules that Predict Patient’s Heart Disease - An Application of Decis...
Identify Rules that Predict Patient’s Heart Disease - An Application of Decis...Identify Rules that Predict Patient’s Heart Disease - An Application of Decis...
Identify Rules that Predict Patient’s Heart Disease - An Application of Decis...
 
Abortion pills in Jeddah | +966572737505 | Get Cytotec
Abortion pills in Jeddah | +966572737505 | Get CytotecAbortion pills in Jeddah | +966572737505 | Get Cytotec
Abortion pills in Jeddah | +966572737505 | Get Cytotec
 
Digital Transformation Playbook by Graham Ware
Digital Transformation Playbook by Graham WareDigital Transformation Playbook by Graham Ware
Digital Transformation Playbook by Graham Ware
 
Simplify hybrid data integration at an enterprise scale. Integrate all your d...
Simplify hybrid data integration at an enterprise scale. Integrate all your d...Simplify hybrid data integration at an enterprise scale. Integrate all your d...
Simplify hybrid data integration at an enterprise scale. Integrate all your d...
 
5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed
5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed
5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed
 
Displacement, Velocity, Acceleration, and Second Derivatives
Displacement, Velocity, Acceleration, and Second DerivativesDisplacement, Velocity, Acceleration, and Second Derivatives
Displacement, Velocity, Acceleration, and Second Derivatives
 
Abortion pills in Jeddah |+966572737505 | get cytotec
Abortion pills in Jeddah |+966572737505 | get cytotecAbortion pills in Jeddah |+966572737505 | get cytotec
Abortion pills in Jeddah |+966572737505 | get cytotec
 
In Riyadh ((+919101817206)) Cytotec kit @ Abortion Pills Saudi Arabia
In Riyadh ((+919101817206)) Cytotec kit @ Abortion Pills Saudi ArabiaIn Riyadh ((+919101817206)) Cytotec kit @ Abortion Pills Saudi Arabia
In Riyadh ((+919101817206)) Cytotec kit @ Abortion Pills Saudi Arabia
 
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
 
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNK
DATA SUMMIT 24  Building Real-Time Pipelines With FLaNKDATA SUMMIT 24  Building Real-Time Pipelines With FLaNK
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNK
 
SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...
SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...
SAC 25 Final National, Regional & Local Angel Group Investing Insights 2024 0...
 
原件一样(UWO毕业证书)西安大略大学毕业证成绩单留信学历认证
原件一样(UWO毕业证书)西安大略大学毕业证成绩单留信学历认证原件一样(UWO毕业证书)西安大略大学毕业证成绩单留信学历认证
原件一样(UWO毕业证书)西安大略大学毕业证成绩单留信学历认证
 

MIS 428 information secuirty v1.pdf

  • 1. MIS 428 Information security Page 1 of 30 Information Systems Security
  • 2. MIS 428 Information security Page 2 of 30 Introduction As computers and other digital devices have become essential to business and commerce, they have also increasingly become a target for attacks. In order for a company or an individual to use acomputingdevicewithconfidence,theymustfirstbeassuredthatthedeviceisnotcompromised in any way and that all communications will be secure. In this chapter, we will review the fundamentalconceptsofinformationsystemssecurityanddiscusssome ofthemeasuresthatcan be taken to mitigate security threats. We will begin with an overview focusing on how organizations can stay secure. Several different measures that a company can take to improve security will be discussed. We will then follow up by reviewing security precautions that individuals can takein order to secure theirpersonalcomputing environment.
  • 3. MIS 428 Information security Page 3 of 30 What are the 3 Principles of Information Security? The basic tenets of information security are confidentiality, integrity and availability. Every element of the information security program must be designed to implement one or more of these principles. Together they are called the CIA Triad. The security triad The Information Security Triad: Confidentiality, Integrity, Availability (CIA)
  • 4. MIS 428 Information security Page 4 of 30 Confidentiality Whenprotectinginformation,wewanttobeabletorestrictaccesstothosewhoareallowedtosee it;everyoneelseshouldbedisallowedfromlearninganythingaboutits contents.Thisistheessence of confidentiality. For example, federal law requires that universities restrict access to private student information. The university must be sure that only those who are authorized have access to viewthe grade records. Integrity Integrity is the assurance that the information being accessed has not been altered and truly representswhat is intended.Justas aperson with integrity means whathe orshe saysand canbe trusted to consistently represent the truth, information integrity means information truly representsitsintended meaning.Information can lose itsintegritythrough malicious intent, such aswhensomeonewhoisnotauthorizedmakesachangetointentionallymisrepresentsomething. Anexampleofthis wouldbe whenahacker is hiredto go intothe university’ssystemandchange a grade.Integritycan alsobelostunintentionally,such as when acomputer powersurge corrupts a file or someone authorized to make a change accidentally deletes a file or enters incorrect information. Availability Informationavailability is thethirdpartofthe CIAtriad.Availability means that informationcan be accessed and modified by anyone authorizedtodo soin an appropriatetimeframe. Depending on: • the typeofinformation, appropriatetimeframe canmean differentthings.For example, astocktrader needs informationtobeavailable immediately,while asales
  • 5. MIS 428 Information security Page 5 of 30 personmaybe happyto get sales numbersforthe day in a reportthe nextmorning. Companies suchas Amazon.com willrequiretheir servers tobeavailable twenty-four hours a day,seven days a week.Other companies may not sufferiftheir web servers are downfor afewminutesonce in a while. ToolsforInformation Security In order to ensure the confidentiality, integrity, and availability of information, organizations can choose from a variety of tools. Each of these tools can be utilized as part of an overall informationsecurity policy, whichwillbediscussedin the next section. Authentication The mostcommonwaytoidentify someoneisthrough theirphysical appearance,but howdo we identify someone sitting behind a computer screen or at the ATM? Tools for authentication are usedtoensurethatthepersonaccessingtheinformationis,indeed,whotheypresentthemselves to be. Authenticationcanbeaccomplishedbyidentifyingsomeonethroughoneormoreofthreefactors: • userIDand password. Inthis case,the authentication is donebyconfirmingsomething thattheuser knows (theirID and password).Butthis form ofauthentication is easytocompromise, and stronger forms ofauthentication aresometimesneeded. • Identifyingsomeone only bysomething theyhave,suchas akey ora card,can also be problematic. Whenthatidentifying token is lostor stolen,the identitycanbeeasilystolen. • Thefinalfactor,something you are,is much harderto compromise.This factor identifies auserusing a physicalcharacteristic,suchas an eye-scanor fingerprint.Identifyingsomeone through their physical characteristics is calledbiometrics.
  • 6. MIS 428 Information security Page 6 of 30 A more secure way to authenticate a user is to do multi-factor authentication. By combining two or more of the factors listed above, it becomes much more difficult for someone to misrepresent themselves. An example of this would be the use of an RSA (Rivest–Shamir–Adleman) RSA SecurID token.The RSAdevice issomething you have, andwillgeneratea newaccess codeevery sixty seconds.Tologintoan informationresource using theRSAdevice, you combinesomething you know, a four-digit PIN, with the code generated by the device. The only way to properly authenticate is bybothknowing thecode andhaving the RSAdevice. AccessControl Once a user has been authenticated, the next step is to ensure that they can only access the informationresourcesthatare appropriate.Thisisdone throughthe useof access control. Access control determines which users are authorized to read, modify, add, and/or delete information. Severaldifferentaccesscontrolmodelsexist.Herewewilldiscusstwo:theaccesscontrollist(ACL) and role-based access control (RBAC). Foreachinformationresourcethatanorganizationwishestomanage,alistofuserswhohavethe ability to take specific actions can be created. This is an access control list, or ACL. For each user, specific capabilities are assigned, such as read, write, delete, or add. Only users with those capabilities areallowedto performthosefunctions.If a userisnotonthe list,theyhave noability to even knowthattheinformationresource exists. ACLsaresimpletounderstandandmaintain.However,theyhaveseveraldrawbacks.Theprimary drawback is that each information resource is managed separately, so if a security administrator wantedtoaddorremove ausertoa largeset ofinformation resources, itwouldbe quitedifficult. Andasthenumberofusersandresourcesincrease,ACLsbecomehardertomaintain.Thishasled to an improved method of access control, called role-based access control, or RBAC. With RBAC,
  • 7. MIS 428 Information security Page 7 of 30 insteadofgivingspecificusersaccessrightstoaninformationresource,usersareassignedtoroles and then those roles are assigned the access. This allows the administrators to manage users and roles separately, simplifying administration and,byextension, improving security. Comparison of ACL and RBAC (click to enlarge) Encryption Many times, an organization needs to transmit information over the Internet or transfer it on external media such as a CD or flash drive. In these cases, even with proper authentication and access control, it is possible for an unauthorized person to get access to the data. Encryption is a process of encodingdatauponitstransmission orstoragesothatonly authorized individuals can read it. This encoding is accomplished by a computer program, which encodes the plain text that needstobetransmitted;thentherecipientreceivesthe ciphertextanddecodesit(decryption).In order for this to work, the sender and receiver need to agree on the method of encoding so that both parties can communicate properly. Both parties share the encryption key, enabling them to encode and decode each other’s messages. This is called symmetric key encryption. This type of encryptionis problematic because the keyis available in two differentplaces. Analternativetosymmetrickeyencryptionispublickeyencryption.Inpublickeyencryption,two keysareused:apublickeyandaprivatekey.Tosendanencryptedmessage,youobtainthepublic key, encode the message, and send it. The recipient then uses the private key to decode it. The
  • 8. MIS 428 Information security Page 8 of 30 public key can be givento anyone who wishes to send the recipient a message. Each user simply needsoneprivatekeyandonepublickeyinordertosecuremessages.Theprivatekeyisnecessary in orderto decrypt something sent with thepublickey.
  • 9. MIS 428 Information security Page 9 of 30 Public key encryption (click for larger diagram) Sidebar:PasswordSecurity SowhyisusingjustasimpleuserID/passwordnotconsideredasecuremethodofauthentication? Itturnsoutthatthissingle-factorauthenticationisextremelyeasytocompromise.Goodpassword policies must be put in place in order to ensure that passwords cannot be compromised. Below are someofthe more commonpoliciesthatorganizations should putin place. • Requirecomplex passwords. Onereason passwords arecompromised is thattheycanbe easily guessed.Arecent studyfoundthatthetopthree passwords peopleused in2012 werepassword,123456and12345678.[1]Apasswordshouldnotbe simple, or a wordthatcan be foundin a dictionary. Oneof thefirstthings ahacker will do is tryto cracka password bytestingevery terminthe dictionary! Instead,a good passwordpolicyis onethatrequirestheuse ofa minimum of eightcharacters,andat leastoneupper-caseletter, one specialcharacter,and onenumber. • Changepasswords regularly.Itis essentialthatuserschangetheirpasswords ona regular basis.Users shouldchange their passwords everysixtytoninetydays, ensuringthatany passwords thatmighthave beenstolen orguessed willnotbe ableto be usedagainstthecompany. • Trainemployees nottogiveaway passwords. Oneof theprimarymethods thatis usedtosteal passwords is tosimply figurethem out byaskingtheusersoradministrators.Pretexting occurswhen anattackercalls ahelpdesk or securityadministratorand pretends tobe aparticular authorized user havingtrouble logging in. Then, by providing some personalinformation abouttheauthorizeduser, the attackerconvinces thesecurityperson to resetthepasswordand tell him what itis. Another waythat employees maybe tricked intogiving away passwords is throughe-mail phishing. 
Phishing occurs whenauser receives ane-mailthatlooks asif itis froma trustedsource,suchastheir bank, ortheir employer.Inthee-mail, theuseris asked to click a linkandlogin to a websitethatmimics thegenuine websiteand entertheir IDand password, whichare thencaptured bytheattacker.
  • 10. MIS 428 Information security Page 10 of 30 Backups Anotheressential tool forinformation securityisa comprehensivebackupplanfortheentireorganization. Not only shouldthe dataon thecorporateservers bebacked up,but individual computers usedthroughout theorganization shouldalsobe backed up. Agoodbackup planshouldconsistof several components.
  • 11. MIS 428 Information security Page 11 of 30 • Afullunderstanding ofthe organizational information resources.Whatinformation does the organization actually have?Where is itstored?Some data maybe stored onthe organization’s servers, otherdata onusers’hard drives,some inthecloud, and someonthird-partysites.An organization shouldmakea full inventory ofall oftheinformation thatneeds tobe backedupand determinethe bestway back itup. • Regular backups ofall data.Thefrequencyof backups shouldbe based on howimportantthedata is tothecompany, combined withtheabilityofthecompany toreplaceany datathat is lost.Critical data should be backed up daily, while less critical datacould be backedup weekly. • Offsitestorageofbackup datasets.Ifall ofthe backup datais beingstoredin thesamefacilityasthe originalcopies ofthe data,then asingle event, suchasanearthquake, fire, or tornado, wouldtake out boththe original dataandthe backup!It is essentialthatpartofthebackup plan is to storethe datain anoffsitelocation. • Testofdatarestoration. Ona regular basis, thebackups should be put tothetestby havingsome of thedatarestored. This willensurethattheprocess is workingand will give theorganization confidencein thebackup plan. Besides these considerations, organizations should also examine their operations to determine what effect downtime would have on their business. If their information technology were to be unavailable for any sustained period of time, how would it impact the business? Additional concepts related to backup include the following: • UniversalPowerSupply(UPS).AUPS is a device thatprovides batterybackupto criticalcomponents ofthesystem,allowingthem tostayonline longerand/orallowingtheITstafftoshutthem down usingproper proceduresin orderto preventthedata loss thatmight occurfrom a powerfailure. 
• Alternate,or “hot”sites.Some organizationschooseto have analternatesite wherean exactreplica of theircritical data is always keptup to date.Whenthe primarysitegoes down, thealternatesiteis immediatelybrought onlinesothat little orno downtime is experienced. As informationhasbecomea strategic asset, awhole industry has sprung up around the technologies necessaryfor implementing a properbackup strategy.A companycan contract
  • 12. MIS 428 Information security Page 12 of 30 witha service provider to backup all oftheir data orthey can purchase large amountsof online storage spaceand do it themselves.Technologies such as storage areanetworks and archival systems arenow used bymost largebusinesses.
  • 13. MIS 428 Information security Page 13 of 30 Firewalls Networkconfigurationwithfirewalls,IDS, anda DMZ. Click to enlarge. Another method that an organization should use to increase security on its network is a firewall. A firewall can exist as hardware or software (or both). A hardware firewall is a device that is connected to the network and filters the packets based on a set of rules. A software firewall runs ontheoperatingsystemandinterceptspacketsastheyarrivetoacomputer.Afirewallprotectsall companyserversandcomputersbystoppingpacketsfromoutsidetheorganization’snetworkthat do not meeta strictsetof criteria.A firewall may also be configuredtorestrictthe flow of packets leaving the organization. This may be done to eliminate the possibility of employees watching YouTube videos orusing Facebookfroma companycomputer. Some organizations may choose to implement multiple firewalls aspartoftheir networksecurity configuration, creating one or more sections of their network that are partially secured. This segment ofthe networkisreferredtoas aDMZ,borrowing thetermdemilitarizedzone from the
  • 14. MIS 428 Information security Page 14 of 30 military, and it is where an organization may place resources that need broader access but still need to be secured. IntrusionDetectionSystems Another device that can be placed on the network for security purposes is an intrusion detection system, or IDS.An IDS does not add any additional security; instead, it provides the functionality to identify if the network is being attacked. An IDS can be configured to watch for specific types of activities and then alert security personnel if that activity occurs. An IDS also can log various types of traffic on the network for analysis later. An IDS is an essential part of any good security setup. Sidebar:Virtual PrivateNetworks Usingfirewallsandothersecuritytechnologies,organizationscaneffectivelyprotectmanyoftheir information resources by making them invisible to the outside world. But what if an employee workingfromhomerequires accesstosomeoftheseresources?Whatifaconsultantishiredwho needs to do work on the internal corporate network from a remote location? In these cases, a virtual private network (VPN) is called for A VPN allows a user who is outside of a corporate network to take a detour around the firewall and access the internal network from the outside. Througha combinationofsoftware andsecurity measures, thisletsan organizationallowlimited access to its networks whileatthe same time ensuring overallsecurity.
Physical Security

An organization can implement the best authentication scheme in the world, develop the best access control, and install firewalls and intrusion prevention, but its security cannot be complete without implementation of physical security. Physical security is the protection of the actual hardware and networking components that store and transmit information resources. To implement physical security, an organization must identify all of the vulnerable resources and take measures to ensure that these resources cannot be physically tampered with or stolen. These measures include the following.

• Locked doors: It may seem obvious, but all the security in the world is useless if an intruder can simply walk in and physically remove a computing device. High-value information assets should be secured in a location with limited access.
• Physical intrusion detection: High-value information assets should be monitored through the use of security cameras and other means to detect unauthorized access to the physical locations where they exist.
• Secured equipment: Devices should be locked down to prevent them from being stolen. One employee’s hard drive could contain all of your customer information, so it is essential that it be secured.
• Environmental monitoring: An organization’s servers and other high-value equipment should always be kept in a room that is monitored for temperature, humidity, and airflow. The risk of a server failure rises when these factors go out of a specified range.
• Employee training: One of the most common ways thieves steal corporate information is to steal employee laptops while employees are traveling. Employees should be trained to secure their equipment whenever they are away from the office.
Security Policies

Besides the technical controls listed above, organizations also need to implement security policies as a form of administrative control. In fact, these policies should really be a starting point in developing an overall security plan. A good information-security policy lays out the guidelines for employee use of the information resources of the company and provides the company recourse in the case that an employee violates a policy.

According to the SANS Institute, a good policy is “a formal, brief, and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for a specified subject area.” Policies require compliance; failure to comply with a policy will result in disciplinary action. A policy does not lay out the specific technical details; instead it focuses on the desired results. A security policy should be based on the guiding principles of confidentiality, integrity, and availability.[2]

A good example of a security policy that many will be familiar with is a web use policy. A web use policy lays out the responsibilities of company employees as they use company resources to access the Internet. A good example of a web use policy is included in Harvard University’s “Computer Rules and Responsibilities” policy, which can be found here.

A security policy should also address any governmental or industry regulations that apply to the organization. For example, if the organization is a university, it must be aware of the Family Educational Rights and Privacy Act (FERPA), which restricts who has access to student information. Health care organizations are obligated to follow several regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).
Sidebar: Mobile Security

As the use of mobile devices such as smartphones and tablets proliferates, organizations must be ready to address the unique security concerns that the use of these devices brings. One of the first questions an organization must consider is whether to allow mobile devices in the workplace at all. Many employees already have these devices, so the question becomes: Should we allow employees to bring their own devices and use them as part of their employment activities? Or should we provide the devices to our employees? Creating a BYOD (“Bring Your Own Device”) policy allows employees to integrate themselves more fully into their job and can bring higher employee satisfaction and productivity. In many cases, it may be virtually impossible to prevent employees from having their own smartphones or iPads in the workplace. If the organization provides the devices to its employees, it gains more control over use of the devices, but it also exposes itself to the possibility of an administrative (and costly) mess.

Mobile devices can pose many unique security challenges to an organization. Probably one of the biggest concerns is theft of intellectual property. For an employee with malicious intent, it would be a very simple process to connect a mobile device either to a computer via the USB port, or wirelessly to the corporate network, and download confidential data. It would also be easy to secretly take a high-quality picture using a built-in camera. When an employee does have permission to access and save company data on his or her device, a different security threat emerges: that device now becomes a target for thieves. Theft of mobile devices (in this case, including laptops) is one of the primary methods that data thieves use.

So what can be done to secure mobile devices? It will start with a good policy regarding their use. According to a 2013 SANS study, organizations should consider developing a mobile device policy that addresses the following issues: use of the camera, use of voice recording, application purchases, encryption at rest, Wi-Fi autoconnect settings, Bluetooth settings, VPN use, password settings, lost or stolen device reporting, and backup.[3]

Besides policies, there are several different tools that an organization can use to mitigate some of these risks. For example, if a device is stolen or lost, geolocation software can help the organization find it. In some cases, it may even make sense to install remote data-removal software, which will remove data from a device if it becomes a security risk.

Usability

When looking to secure information resources, organizations must balance the need for security with users’ need to effectively access and use these resources. If a system’s security measures make it difficult to use, then users will find ways around the security, which may make the system more vulnerable than it would have been without the security measures! Take, for example, password policies. If the organization requires an extremely long password with several special characters, an employee may resort to writing it down and putting it in a drawer since it will be impossible to memorize.
Personal Information Security

There is no way to have 100% security, but there are several simple steps we, as individuals, can take to make ourselves more secure.

• Keep your software up to date. Whenever a software vendor determines that a security flaw has been found in their software, they will release an update to the software that you can download to fix the problem. Turn on automatic updating on your computer to automate this process.
• Install antivirus software and keep it up to date. There are many good antivirus software packages on the market today.
• Be smart about your connections. You should be aware of your surroundings. When connecting to a Wi-Fi network in a public place, be aware that you could be at risk of being spied on by others sharing that network. It is advisable not to access your financial or personal data while attached to a Wi-Fi hotspot. You should also be aware that connecting USB flash drives to your device could also put you at risk. Do not attach an unfamiliar flash drive to your device unless you can scan it first with your security software.
• Back up your data. Just as organizations need to back up their data, individuals need to as well. And the same rules apply: do it regularly and keep a copy of it in another location. One simple solution for this is to set up an account with an online backup service, such as Mozy or Carbonite, to automate your backups.
• Secure your accounts with two-factor authentication. Most e-mail and social media providers now have a two-factor authentication option. The way this works is simple: when you log in to your account from an unfamiliar computer for the first time, it sends you a text message with a code that you must enter to confirm that you are really you. This means that no one else can log in to your accounts without knowing your password and having your mobile phone with them.
• Make your passwords long, strong, and unique. For your personal passwords, you should follow the same rules that are recommended for organizations. Your passwords should be long (eight or more characters) and contain at least two of the following: upper-case letters, numbers, and special characters. You also should use different passwords for different accounts, so that if someone steals your password for one account, they still are locked out of your other accounts.
• Be suspicious of strange links and attachments. When you receive an e-mail, tweet, or Facebook post, be suspicious of any links or attachments included there. Do not click on the link directly if you are at all suspicious. Instead, if you want to access the website, find it yourself and navigate to it directly.
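The password rules in the list above (eight or more characters, at least two of the three character classes, no reuse across accounts) as an added checker that is not part of the original slides. The account names and passwords are constructed test data; the regular expressions used to recognise each character class are an assumption of this example.

```python
"""Added example: check personal passwords against the rules given in the
text and flag passwords reused across accounts. All data is constructed."""
import re

MIN_LENGTH = 8   # "long (eight or more characters)"

# "at least two of the following: upper-case letters, numbers, special characters"
CHARACTER_CLASSES = {
    "upper-case letters": r"[A-Z]",
    "numbers": r"[0-9]",
    "special characters": r"[^A-Za-z0-9]",
}


def password_problems(password):
    """Return the list of rules a password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, pattern in CHARACTER_CLASSES.items()
               if re.search(pattern, password)]
    if len(present) < 2:
        problems.append(f"only {len(present)} of 3 character classes "
                        "(upper-case letters, numbers, special characters)")
    return problems


def reused_passwords(accounts):
    """Given {account: password}, return groups of accounts sharing one
    password. The text's point: a password stolen from one account must
    not unlock the others."""
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return [sorted(group) for group in by_password.values() if len(group) > 1]


def audit(accounts):
    """Combine both checks into {account: [problems]} including reuse notes."""
    report = {account: password_problems(pw) for account, pw in accounts.items()}
    for group in reused_passwords(accounts):
        for account in group:
            others = ", ".join(a for a in group if a != account)
            report[account].append("reused on: " + others)
    return report


ACCOUNTS = {   # constructed sample data
    "mail": "Tr0ub4dor&3",
    "bank": "Tr0ub4dor&3",      # same password as mail: one theft unlocks both
    "shop": "correct horse",    # long, but only one character class
}

if __name__ == "__main__":
    for account, problems in audit(ACCOUNTS).items():
        print(account, problems or "ok")
```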
Information Security vs Cybersecurity

Information security differs from cybersecurity in both scope and purpose. The two terms are often used interchangeably, but more accurately, cybersecurity is a subcategory of information security. Information security is a broad field that covers many areas such as physical security, endpoint security, data encryption, and network security. It is also closely related to information assurance, which protects information from threats such as natural disasters and server failures. Cybersecurity primarily addresses technology-related threats, with practices and tools that can prevent or mitigate them. Another related category is data security, which focuses on protecting an organization’s data from accidental or malicious exposure to unauthorized parties.

Information Security Policy

An Information Security Policy (ISP) is a set of rules that guide individuals when using IT assets. Companies can create information security policies to ensure that employees and other users follow security protocols and procedures. Security policies are intended to ensure that only authorized users can access sensitive systems and information.

Creating an effective security policy and taking steps to ensure compliance is an important step towards preventing and mitigating security threats. To make your policy truly effective, update it frequently based on company changes, new threats, conclusions drawn from previous breaches, and changes to security systems and tools.

Make your information security strategy practical and reasonable. To meet the needs and urgency of different departments within the organization, it is necessary to deploy a system of exceptions, with an approval process, enabling departments or individuals to deviate from the rules in specific circumstances.

Top Information Security Threats

There are hundreds of categories of information security threats and millions of known threat vectors. Below we cover some of the key threats that are a priority for security teams at modern enterprises.
Unsecure or Poorly Secured Systems

The speed of technological development often leads to compromises in security measures. In other cases, systems are developed without security in mind, and remain in operation at an organization as legacy systems. Organizations must identify these poorly secured systems, and mitigate the threat by securing or patching them, decommissioning them, or isolating them.

Social Media Attacks

Many people have social media accounts, where they often unintentionally share a lot of information about themselves. Attackers can launch attacks directly via social media, for example by spreading malware via social media messages, or indirectly, by using information obtained from these sites to analyze user and organizational vulnerabilities, and use them to design an attack.

Social Engineering

Social engineering involves attackers sending emails and messages that trick users into performing actions that may compromise their security or divulge private information. Attackers manipulate users using psychological triggers like curiosity, urgency or fear. Because the source of a social engineering message appears to be trusted, people are more likely to comply, for example by clicking a link that installs malware on their device, or by providing personal information, credentials, or financial details.

Organizations can mitigate social engineering by making users aware of its dangers and training them to identify and avoid suspected social engineering messages. In addition, technological systems can be used to block social engineering at its source, or prevent users from performing dangerous actions such as clicking on unknown links or downloading unknown attachments.
Malware on Endpoints

Organizational users work with a large variety of endpoint devices, including desktop computers, laptops, tablets, and mobile phones, many of which are privately owned and not under the organization’s control, and all of which connect regularly to the Internet.

A primary threat on all these endpoints is malware, which can be transmitted by a variety of means, can result in compromise of the endpoint itself, and can also lead to privilege escalation to other organizational systems.

Traditional antivirus software is insufficient to block all modern forms of malware, and more advanced approaches to securing endpoints are developing, such as endpoint detection and response (EDR).

Lack of Encryption

Encryption processes encode data so that it can only be decoded by users with secret keys. It is very effective in preventing data loss or corruption in case of equipment loss or theft, or in case organizational systems are compromised by attackers.

Unfortunately, this measure is often overlooked due to its complexity and lack of legal obligations associated with proper implementation. Organizations are increasingly adopting encryption, by purchasing storage devices or using cloud services that support encryption, or using dedicated security tools.

Security Misconfiguration

Modern organizations use a huge number of technological platforms and tools, in particular web applications, databases, and Software as a Service (SaaS) applications, or Infrastructure as a Service (IaaS) from providers like Amazon Web Services.
Enterprise grade platforms and cloud services have security features, but these must be configured by the organization. Security misconfiguration due to negligence or human error can result in a security breach. Another problem is “configuration drift”, where correct security configuration can quickly become out of date and make a system vulnerable, unbeknownst to IT or security staff.

Organizations can mitigate security misconfiguration using technological platforms that continuously monitor systems, identify configuration gaps, and alert or even automatically remediate configuration issues that make systems vulnerable.
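Configuration drift detection as described above, as an added example that is not part of the original slides: a reviewed baseline is compared with what a scan finds on each host, low-risk settings are put back automatically, and everything else raises an alert for staff. The host names, settings and the choice of which settings are safe to auto-remediate are constructed assumptions.

```python
"""Added example: find configuration drift against an approved baseline and
alert or auto-remediate. Hosts, settings and values are constructed."""
from copy import deepcopy

# Approved baseline: the configuration that security staff reviewed and signed off.
BASELINE = {
    "web-01": {"tls_min_version": "1.2", "directory_listing": False,
               "admin_panel_public": False, "debug_mode": False},
    "db-01": {"listen_public": False, "require_auth": True,
              "backup_encrypted": True},
}

# Settings safe to restore without a human in the loop (assumed); the rest only alert.
AUTO_REMEDIATE = {"directory_listing", "debug_mode", "admin_panel_public"}


def find_drift(baseline, live):
    """Return {host: {setting: (expected, actual)}} for every deviation.
    A setting missing from the live host is reported with actual=None."""
    drift = {}
    for host, expected in baseline.items():
        actual = live.get(host, {})
        diffs = {key: (value, actual.get(key)) for key, value in expected.items()
                 if actual.get(key) != value}
        if diffs:
            drift[host] = diffs
    return drift


def remediate(baseline, live, auto=AUTO_REMEDIATE):
    """Restore auto-remediable settings to the baseline and return
    (corrected_live, alerts); the live input is left untouched. Alerts
    list the deviations that still need a person to look at them."""
    corrected = deepcopy(live)
    alerts = []
    for host, diffs in find_drift(baseline, live).items():
        for setting, (expected, actual) in diffs.items():
            if setting in auto:
                corrected.setdefault(host, {})[setting] = expected
            else:
                alerts.append(f"{host}: {setting} is {actual!r}, expected {expected!r}")
    return corrected, alerts


# Constructed scan result: what the monitoring platform found today.
LIVE = deepcopy(BASELINE)
LIVE["web-01"]["debug_mode"] = True        # someone left debugging switched on
LIVE["db-01"]["listen_public"] = True      # exposed by a hurried change
del LIVE["db-01"]["backup_encrypted"]      # the setting silently disappeared

if __name__ == "__main__":
    corrected, alerts = remediate(BASELINE, LIVE)
    print("drift found:", find_drift(BASELINE, LIVE))
    print("still drifting after auto-remediation:", find_drift(BASELINE, corrected))
    for line in alerts:
        print("ALERT", line)
```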
Active vs Passive Attacks

Information security is intended to protect organizations against malicious attacks. There are two primary types of attacks: active and passive. Active attacks are considered more difficult to prevent, and the focus is on detecting, mitigating and recovering from them. Passive attacks are easier to prevent with strong security measures.
Active Attack

An active attack involves intercepting a communication or message and altering it for malicious effect. There are three common variants of an active attack:

• Interruption—the attacker interrupts the original communication and creates new, malicious messages, pretending to be one of the communicating parties.
• Modification—the attacker uses existing communications, and either replays them to fool one of the communicating parties, or modifies them to gain an advantage.
• Fabrication—creates fake, or synthetic, communications, typically with the aim of achieving denial of service (DoS). This prevents users from accessing systems or performing normal operations.

Passive Attack

In a passive attack, an attacker monitors a system and illicitly copies information without altering it. They then use this information to disrupt networks or compromise target systems. The attackers do not make any change to the communication or the target systems. This makes it more difficult to detect. However, encryption can help prevent passive attacks because it obfuscates the data, making it more difficult for attackers to make use of it.
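Detecting the three active-attack variants above on a message stream, as an added example that is not part of the original slides: each message carries a sequence number and an HMAC, so the receiver rejects modified or fabricated messages (bad tag), replayed messages (stale sequence number) and a withheld message (gap in the sequence). The shared key, sender name and messages are constructed placeholders; the example covers integrity and replay only, not the encryption the text recommends against passive attacks.

```python
"""Added example: a receiver that detects modification, replay, fabrication
and interruption using sequence numbers plus an HMAC. All data is constructed."""
import hashlib
import hmac
import json

KEY = b"placeholder-shared-secret"   # placeholder; provisioned out of band in practice


def seal(seq, sender, body, key=KEY):
    """Sender side: tag (seq, sender, body) with an HMAC so the receiver can
    tell a genuine message from an altered or forged one."""
    payload = json.dumps({"seq": seq, "from": sender, "body": body}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = 0
        self.accepted = []

    def receive(self, msg):
        """Return 'ok' or a description of the active attack detected."""
        expected = hmac.new(self.key, msg["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: modification or fabrication (bad tag)"
        data = json.loads(msg["payload"])
        if data["seq"] <= self.last_seq:
            return "rejected: replay (stale sequence number)"
        if data["seq"] != self.last_seq + 1:
            # a real protocol would ask for retransmission of the missing message
            return "rejected: interruption (gap in sequence, message withheld)"
        self.last_seq = data["seq"]
        self.accepted.append(data["body"])
        return "ok"


def demo():
    """Constructed scenario: genuine traffic followed by each attack variant."""
    rx = Receiver()
    m1, m2, m3 = seal(1, "alice", "pay 10"), seal(2, "alice", "pay 20"), seal(3, "alice", "pay 30")
    results = [rx.receive(m1), rx.receive(m2)]
    tampered = dict(m2, payload=m2["payload"].replace("pay 20", "pay 2000"))
    results.append(rx.receive(tampered))                 # modification: tag no longer matches
    results.append(rx.receive(m2))                       # replay of a genuine message
    fake = {"payload": json.dumps({"seq": 3, "from": "alice", "body": "pay 99"}, sort_keys=True),
            "tag": "00" * 32}
    results.append(rx.receive(fake))                     # fabrication without the key
    results.append(rx.receive(seal(4, "alice", "pay 40")))   # m3 withheld: gap detected
    results.append(rx.receive(m3))                       # m3 finally arrives: accepted
    return results, rx.accepted


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```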
Information Security and Data Protection Laws

Information security is in constant interaction with the laws and regulations of the places where an organization does business. Data protection regulations around the world focus on enhancing the privacy of personal data, and place restrictions on the way organizations can collect, store, and make use of customer data.

Data privacy focuses on personally identifiable information (PII), and is primarily concerned with how the data is stored and used. PII includes any data that can be linked directly to the user, such as name, ID number, date of birth, physical address, or phone number. It may also include artifacts like social media posts, profile pictures and IP addresses.
Information Security with Imperva

Imperva helps organizations of all sizes implement information security programs and protect sensitive data and assets.

Imperva Application Security

Imperva provides multi-layered protection to make sure websites and applications are available, easily accessible and safe. The Imperva application security solution includes:

• DDoS Protection (Distributed Denial of Service Protection)—maintain uptime in all situations. Prevent any type of DDoS attack, of any size, from preventing access to your website and network infrastructure.
• CDN (Content Delivery Network)—enhance website performance and reduce bandwidth costs with a CDN designed for developers. Cache static resources at the edge while accelerating APIs and dynamic websites.
• WAF (Web Application Firewall)—cloud-based solution permits legitimate traffic and prevents bad traffic, safeguarding applications at the edge. Gateway WAF keeps applications and APIs inside your network safe.
• RASP (Runtime Application Self-Protection)—keep your applications safe from within against known and zero-day attacks. Fast and accurate protection with no signature or learning mode.
• Zero-day attacks, also known as zero-day exploits or zero-day vulnerabilities, are cybersecurity attacks that target software vulnerabilities that are unknown to the software vendor or the public.

Imperva Data Protection

Imperva’s data security solution protects your data wherever it lives—on premises, in the cloud and in hybrid environments. It also provides security and IT teams with full visibility into how the data is being accessed, used, and moved around the organization. Our comprehensive approach relies on multiple layers of protection, including:

• Database firewall—blocks SQL injection and other threats, while evaluating for known vulnerabilities.
• User rights management—monitors data access and activities of privileged users to identify excessive, inappropriate, and unused privileges.
• Data masking and encryption—obfuscates sensitive data so it would be useless to the bad actor, even if somehow extracted.
• Data loss prevention (DLP)—inspects data in motion, at rest on servers, in cloud storage, or on endpoint devices.
• User behavior analytics—establishes baselines of data access behavior, uses machine learning to detect and alert on abnormal and potentially risky activity.
• Data discovery and classification—reveals the location, volume, and context of data on premises and in the cloud.
• Database activity monitoring—monitors relational databases, data warehouses, big data and mainframes to generate real-time alerts on policy violations.
• Alert prioritization—Imperva uses AI and machine learning technology to look across the stream of security events and prioritize the ones that matter most.