Chapter 8 – Securing Information

Information Systems, First Edition, John Wiley & Sons, Inc.
by France Belanger and Craig Van Slyke
Contributor: Brian West, University of Louisiana at Lafayette

8-1 Copyright 2012 John Wiley & Sons, Inc.
Dec 23, 2015


My Mac is more secure than your Windows-based PCs!

For quite a while, there were few viruses and other such programs (called malware) that targeted Mac systems. That resulted in a reputation that Mac systems were substantially safer than Windows-based PCs. One Mac lover, and security researcher, named Charlie Miller revealed in the spring of 2010 that he had identified 20 security vulnerabilities in Apple’s software. More recently, in the summer of 2010, new security issues surfaced with the release of the iPad. Macs only account for 8% of the U.S. market for computers, making this a much smaller pool of potential victims.


Focus Questions

• Why is forensic software available online to everyone?

• Will increased use of Apple platforms lead to more security issues?

• Why are security issues in iPhones and iPads of concern for Mac users?


Information Security Concepts

• Security is not about technology only, but also about management and people

– Employees must use security tools to be effective

• The world of information security is somewhat unfair

– How many security weaknesses does the hacker need to break into a system? How many security weaknesses does the organization or individual need to fix or protect against?

• Defense in depth

– There must be multiple layers of security protections in place


Security Levels

Data can only be accessed with proper authorization for this data, the application that uses the data, the host computer on which the data is stored, and the network to which the host is connected.

Figure 8.1 – Access Levels for Information Security (layers from the outside in: Network and Host Access Control; Application Access Control; Data Access Policies and Controls; Data)


How to protect your computer?

Many studies show that the weakest link in security is the individuals who fail to perform basic steps in securing their computers, data, and networks. Maybe this is your case? Let’s see how secure your computer is with this learning activity.

• Run one of the following applications and print (to file) a copy of the vulnerability report:

– Shields Up application on the following website: www.grc.com

– Firewall test at Audit My PC: http://www.auditmypc.com/

• Try to fix the issues identified, if applicable.

• Bring your online report to class for discussion.


Information Security Threats

Information security is much broader than what most people think of, like unauthorized access to individual or organizational data or systems. It includes dealing with natural disasters, such as earthquakes and fires, as well as dealing with any threats to computerized systems, such as viruses, hackers, and accidental loss of data or systems.


Denial of Service

• Threats are those that render a system inoperative or limit its capability to operate, or make data unavailable

• Result from intentional acts, careless behavior, or even natural disasters

• Natural disasters cannot be prevented but can be planned for (backups, redundancy, etc.)

• Careless behaviors include forgetting to perform proper backups of one’s computer, not installing security updates to an operating system, or failing to update one’s antivirus software


Virus and Other Malware

• Viruses are sent out to find any victim they can

• Lines of code that make up a virus can be embedded into other files

• The signature of the virus is the particular bit patterns that can be recognized, which is how virus detection software knows your computer has contracted a virus


Virus and Other Malware

• Viruses that are embedded into a legitimate file are often called Trojan horses

• Worms can propagate themselves throughout the Internet with no user intervention

• Viruses can also modify themselves as they move to other computers, changing their signature

• Spyware logs everything a user is doing on their computer


E-mail Bombing

• Sending a large number of emails designed to disrupt normal functioning

• Smurfing is when hackers use an innocent third party to send the messages to the intended target

• Hackers are not only after information. Some are trying to force lost sales and revenue for companies.


Unauthorized Access

• Illegal access to systems, applications or data

• Passive access records transmissions

Figure 8.2 – Passive vs. Active Unauthorized Access (active: the hacker changes $100 to $1000 on the server; passive: the hacker “listens” to the transmission)


Unauthorized Access

• Security holes– – – – –


What are hackers after?


Detecting Phishing

• The email is addressed to you using your email account info

• The email does not have a personalized salutation

• When you hover the mouse over the hyperlink, the site does not seem to be from the proper company

• When you hover the mouse over the hyperlink, the site seems to be located in another country

• The email makes you feel your response is urgent or something bad is going to happen.
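The five cues above turned into a checking function that a mail filter or a user-awareness tool could run, added here as an illustration (it is not code from the textbook). The e-mail record layout, the urgency word list and the `example.com` / `.us` values are assumptions, and both sample e-mails are constructed.

```python
import re
from urllib.parse import urlparse

# Assumed wording for the slide's "urgent / something bad will happen" cue.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")
# Salutations that name nobody in particular (after a leading "Dear").
GENERIC_SALUTATIONS = {"", "customer", "user", "member", "valued customer", "account holder"}


def link_host(url):
    """Host of a URL, lower-cased, with a leading 'www.' dropped."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def phishing_cues(email, company_domain, home_tld):
    """Return the slide's cues that fire for one e-mail.

    email = {"to": ..., "salutation": ..., "body": ..., "links": [(shown_text, href), ...]}
    company_domain is the domain the mail claims to come from; home_tld is the
    reader's own country code (generic TLDs such as .com say nothing about location).
    """
    cues = []
    account = email["to"].split("@")[0].lower()
    salutation = email["salutation"].strip().rstrip(",").lower()
    # Cue 1: addressed using the account part of your e-mail address ("Dear jdoe")
    if account in salutation:
        cues.append("addressed using your email account info")
    # Cue 2: no personalized salutation ("Dear Customer", or none at all)
    if re.sub(r"^dear\s*", "", salutation) in GENERIC_SALUTATIONS:
        cues.append("no personalized salutation")
    for shown, href in email["links"]:
        host = link_host(href)
        # Cue 3: what the hover shows is not the company's site, or not what the link text shows
        if host != company_domain and not host.endswith("." + company_domain):
            cues.append(f"link points to {host}, not {company_domain}")
        if shown.lower().startswith("http") and link_host(shown) != host:
            cues.append(f"link text shows {link_host(shown)} but points to {host}")
        # Cue 4: the hover target sits under another country's code TLD
        tld = host.rsplit(".", 1)[-1]
        if len(tld) == 2 and tld != home_tld:
            cues.append(f"link hosted under foreign country code .{tld}")
    # Cue 5: urgency or threats
    body = email["body"].lower()
    if any(word in body for word in URGENCY_WORDS):
        cues.append("urgent or threatening wording")
    return cues


# Constructed sample e-mails (not real messages).
PHISH = {
    "to": "jdoe@example.com",
    "salutation": "Dear jdoe,",
    "body": "Your account has been suspended. Verify now or it will be closed.",
    "links": [("https://www.example.com/login", "http://example.com.login-check.ru/verify")],
}
LEGIT = {
    "to": "jdoe@example.com",
    "salutation": "Dear John Doe,",
    "body": "Your monthly statement is ready to view online.",
    "links": [("View your statement", "https://www.example.com/statements")],
}

if __name__ == "__main__":
    for name, mail in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_cues(mail, "example.com", "us"))
```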


Theft and Fraud

• Employees copy legitimate software installed on their company’s servers to bring home or to give to someone else

• Theft of hardware has become an increasing concern

• Theft of data, on USB drives


Figure 8.5 – USB Thumb Drive


Security Goals

• Confidentiality involves making sure that information or data can only be accessed by individuals authorized to access them

• Integrity involves making sure that the data are consistent and complete

• Availability involves ensuring that system and/or data are available when they are needed


Security Goals

Two additional goals

• Authentication is basically making sure that the parties involved are who they say they are, and that transactions, data, or communications are genuine

• Non-repudiation refers to making sure one cannot renege on their obligations, for example by denying that they entered into a transaction with a web merchant


Security Controls

• ________________stop or limit the security threat from happening in the first place (anti-virus scans)

• _________________repair damages after a security problem has occurred (anti-virus quarantine)

• _________________find or discover where and when security threats occurred (audit logs)


Physical Security

Security solutions that involve protecting the physical

• Locks for laptops

• Drive shredders to make sure that discarded disk drives cannot be read

• Wiring closets are locked properly

• Proper personnel have access to key information systems


User Profiles

Users are assigned profiles and a set of privileges to access only what they need

Levels of Identification

• Possession is when an individual owns a form of identification (driver’s license, student ID)

• Knowledge is when an individual needs to know something to gain access (passwords)

• Traits require recognition of physical or behavioral human characteristics (biometrics)


User Profiles

Rank  Password    Count    Rank  Password    Count
   1  123456         64      11  iloveyou       7
   2  123456789      18      12  daniel         7
   3  alejandra      11      13  000000         7
   4  111111         10      14  roberto        7
   5  alberto         9      15  654321         6
   6  tequiero        9      16  bonita         6
   7  alejandro       9      17  sebastian      6
   8  12345678        9      18  beatriz        6
   9  1234567         8      19  mariposa       5
  10  estrella        7      20  america        5

Table 8.1 – Top Ten Passwords Used in Hotmail Accounts hacked in October 2009

Do NOT:

• ________

• ________

Do:

• ________

• ________


How strong is your password?

Passwords are one of the most used security solutions to control access to systems. How strong is your password?

• Select two passwords you use frequently, and test their level of security using one of the following password checkers:

– http://www.microsoft.com/protect/fraud/passwords/checker.aspx

– http://www.passwordmeter.com/

• Read the information on how to create a strong password at:

– http://www.microsoft.com/protect/fraud/passwords/create.aspx

• Create a strong password. Test it. Do not use it for your accounts!

• Bring to class the following:

– The level of security of your two passwords (be honest; but do not tell us the passwords!)

– The strong password you created and what it stands for.


Biometrics


• Fingerprint recognition

• Facial recognition

• Iris/retina recognition

• DNA recognition

• Odor recognition

• Ear recognition

• Signature recognition

Figure 8.6 – Fingerprint Scanner


Biometrics Authentication

• Match the individual with their stored biometric data, also called one to one matching

• Verify that a person is who they say they are


Figure 8.7 – Authentication in Biometrics (enrollment: capture, process, store; authentication: capture, process, compare with the stored template; match: authenticated; no match: no access)


Biometrics Identification

• Identify an individual from an entire population of individuals

• Identify a person among a large number of potential registered users


Figure 8.8 – Identification in Biometrics (enrollment: capture, process, store; identification: capture, process, search the stored templates; match: identified)
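The enrollment, one-to-one authentication (Figure 8.7) and one-to-many identification (Figure 8.8) flows in code, added here as an illustration rather than taken from the textbook. A real system extracts features from a fingerprint or face image; here each “capture” is a small constructed feature vector and the distance threshold is an assumed value.

```python
import math
from statistics import mean


def _distance(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class BiometricStore:
    """Templates plus the two matching modes from Figures 8.7 and 8.8."""

    def __init__(self, threshold):
        self.threshold = threshold   # largest distance still counted as a match (assumed)
        self.templates = {}          # the "Store" box: user id -> template

    def enroll(self, user_id, captures):
        """Capture + Process + Store: average several captures into one template."""
        self.templates[user_id] = tuple(mean(col) for col in zip(*captures))

    def authenticate(self, claimed_id, capture):
        """One-to-one: compare the capture with the claimed user's template only."""
        template = self.templates.get(claimed_id)
        return template is not None and _distance(template, capture) <= self.threshold

    def identify(self, capture):
        """One-to-many: search every template and return the closest user, or None
        if nobody is within the threshold. Every template is a candidate here, so
        the chance of a false match grows with the number of enrolled users."""
        best_id, best_dist = None, None
        for user_id, template in self.templates.items():
            d = _distance(template, capture)
            if best_dist is None or d < best_dist:
                best_id, best_dist = user_id, d
        return best_id if best_dist is not None and best_dist <= self.threshold else None


def build_demo_store(threshold=0.1):
    """Constructed enrollment data for three users (not real biometric features)."""
    store = BiometricStore(threshold)
    store.enroll("alice", [(0.10, 0.20, 0.30), (0.11, 0.21, 0.29), (0.09, 0.19, 0.31)])
    store.enroll("bob", [(0.90, 0.80, 0.70), (0.91, 0.79, 0.71), (0.89, 0.81, 0.69)])
    store.enroll("carol", [(0.50, 0.50, 0.50), (0.51, 0.49, 0.50), (0.49, 0.51, 0.50)])
    return store


if __name__ == "__main__":
    store = build_demo_store()
    sample = (0.12, 0.19, 0.31)          # a fresh capture of alice
    print("alice claims alice:", store.authenticate("alice", sample))
    print("alice claims bob:  ", store.authenticate("bob", sample))
    print("who is this?       ", store.identify(sample))
    print("unknown person:    ", store.identify((0.30, 0.35, 0.40)))
```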


Firewalls

• Computer or a router that controls access in and out of the organization’s networks

• Cannot protect an organization from a virus

• Cannot prevent hackers from an unsecured computer

• Should be implemented at different locations in the organization


Figure 8.10 – A firewall architecture for Defense in Depth


Breaking the Encryption

Part 1.

• Given the following plaintext:

a b c d e f g h i j k l m n o p q r s t u v w x y z

• and the following resulting ciphertext:

b c d e f g h i j k l m n o p q r s t u v w x y z a

• What is the cipher?

Part 2. Using the cipher, convert the words: computer lab closed

Part 3. Using the following cipher and your personally selected keys below, convert the text: Fun for Spring Break.

Key selection:

– Pick a number from 1 to 5

– Pick a sign + or –

– Pick a symbol (!,@,#,$,%,^,&,*)

– Use this cipher to encode: new letter = original letter (sign selected) number, spaces replaced with symbol selected.
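The exercise above worked in code, added as an illustration that is not part of the textbook: the Part 3 cipher (number, sign and space symbol) generalized to any shift, the Part 1 step of recovering the shift from a known plaintext/ciphertext pair, and a listing of all 26 candidate shifts to show how small this key space is. The function names and the sample key (3, –, #) are my own choices.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
SYMBOLS = "!@#$%^&*"   # the symbols the slide lets you pick for spaces


def _shift_letters(text, shift):
    """Move every letter `shift` places along the alphabet, wrapping around;
    case is kept and non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.lower() in ALPHABET:
            new = ALPHABET[(ALPHABET.index(ch.lower()) + shift) % 26]
            out.append(new.upper() if ch.isupper() else new)
        else:
            out.append(ch)
    return "".join(out)


def shift_cipher(text, number, sign="+", symbol=" "):
    """Encode with the slide's key: new letter = original letter (sign) number,
    spaces replaced with `symbol`. symbol=" " keeps spaces, as in Parts 1 and 2."""
    if not 1 <= number <= 5 or sign not in ("+", "-"):
        raise ValueError("pick a number from 1 to 5 and a sign of + or -")
    if symbol != " " and symbol not in SYMBOLS:
        raise ValueError("symbol must be one of " + SYMBOLS)
    shift = number if sign == "+" else -number
    return _shift_letters(text, shift).replace(" ", symbol)


def shift_decipher(ciphertext, number, sign="+", symbol=" "):
    """Undo shift_cipher: put the spaces back, then shift the other way."""
    shift = -number if sign == "+" else number
    return _shift_letters(ciphertext.replace(symbol, " "), shift)


def recover_shift(plaintext, ciphertext):
    """Part 1: find the single shift that turns every plaintext letter into the
    ciphertext letter in the same position; None if no one shift fits."""
    if len(plaintext) != len(ciphertext):
        return None
    shifts = set()
    for p, c in zip(plaintext.lower(), ciphertext.lower()):
        if p in ALPHABET and c in ALPHABET:
            shifts.add((ALPHABET.index(c) - ALPHABET.index(p)) % 26)
    return shifts.pop() if len(shifts) == 1 else None


def brute_force(ciphertext, symbol=" "):
    """Without the key: only 26 shifts exist, so every candidate plaintext can be
    listed and read by eye. This is the slide's point about key length: a
    one-letter shift has nowhere near enough key space."""
    text = ciphertext.replace(symbol, " ")
    return {k: _shift_letters(text, -k) for k in range(26)}


if __name__ == "__main__":
    part1 = recover_shift(ALPHABET, "bcdefghijklmnopqrstuvwxyza")
    print("Part 1 shift:", part1)
    print("Part 2:", shift_cipher("computer lab closed", part1))
    print("Part 3:", shift_cipher("Fun for Spring Break.", 3, "-", "#"))
    for k, candidate in brute_force("dpnqvufs mbc dmptfe").items():
        print(k, candidate)
```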


Encryption

• Strength of an encryption technique is related to the length of the key

• The larger the size of the key, the more secure the encryption

• Keys in use commercially are 256-bit or longer

• A 64-bit key can be broken in thirty-three to thirty-four days or less


Asymmetric Encryption

• Two keys are used

• Public key is used to encrypt messages

• Using the public key, anyone can encrypt messages for the intended recipient

• The private key is used to decrypt those messages

• Only the recipient has the private key


Symmetric Encryption

• The same key is used to encrypt and decrypt data

• Individuals have to be very careful with whom they share their encryption keys

• Both types of encryption are often used together


Uses for Encryption

• Protect data on servers and computers

• Securing data and transmissions

– VPNs are used to create a secured tunnel of communication over the Internet between two parties

– Look for the lock icon or the https:// in the URL to indicate that your online transaction is secure


Virus Protection

• Today anti-virus software has become very easy to use and to keep up-to-date

• If viruses are found, the software can remove the virus, quarantine the file, or delete the file

• Newer virus protection tools, called behavioral-based protection tools, look for suspicious behaviors in programs instead of just a virus’ signature


Wireless Security

• Best protection for wireless networks is encryption

• _____________________ is an older encryption algorithm, which can be easily cracked within minutes today

• ______________________ is a more recent and powerful encryption algorithm widely available in most routers

• Further protection for home wireless networks is to disable the broadcasting of the network’s ID (SSID)


Security Policies

• Security policies describe what the general security guidelines are for an organization

• Security procedures describe how to implement the security policies

– “All users must change their passwords every two months.”

• A security policy should include a list of actions for the enforcement of procedures

• Education and training are very important to security policy success


Where’s the Security?

Now that we have explored all of the security threats and solutions, we need to see how they all fit together. For this learning activity, you need to map the threats to security and the goals of information security to the security solutions available. Prepare a table that contains the following information:

• Column 1: List all of the main security threats that we discussed.

• Column 2: List all of the security solutions that can address each of the security threats you have identified (there might be many solutions for each threat).

• Column 3: For each security solution in column 2, indicate which security goal is met by the security solution.


Risk Management

• Process of identifying, assessing and prioritizing the security risks an organization may face

• Analyze and balance risks with the resources available to mitigate them

• Management determines where the company would be most vulnerable and how likely it is a risk would affect it


Summary

• There are three main categories of information security threats: denial of service, unauthorized access, and theft and fraud.

• There are three main goals that security tools and policies are meant to address: Confidentiality, Integrity, and Availability (CIA)

• Security solutions and tools (also called security controls) can be classified as preventive, detective, or corrective controls


Summary

• There are many security solutions. User profiles, biometrics, firewalls, encryption, anti-virus, wireless security, and security policies are a few.

• Risk management is the process of identifying, assessing and prioritizing the security risks an organization may face


Copyright 2012 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.
