Information Security (I.S.) – An introduction
Failure to Secure is an Opportunity to Fail ----- Casey W. O’Brien
Univ. of Ghana | Dept. of Info. Studies | INFS213 | Mrs F. O. Entsua-Mensah
Lesson Objectives
• To understand Information Security
• To familiarize ourselves with some of the threats to I.S.
• To identify security measures for securing information in the digital age
• To appreciate the importance of I.S.
Florence O. Entsua-Mensah (Mrs)
Introduction
• Why this topic? One key aspect of IM that has received a lot of attention is the security of information.
• Why do we need to keep information secured?
• How do we do that?
What is Security?
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
  – Physical security
  – Personal security
  – Operations security
  – Communications security
  – Network security
  – Information security
What is Information Security?
• The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information.
• Includes both electronic and physical security
What Is Information Security?
• “Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.”
-- United States’ National Information Assurance Glossary
What Is Information Security?
• Three widely accepted elements of information security (referred to as the “CIA Triad” / “CIA triangle”) are:
  – Confidentiality
  – Integrity
  – Availability
• The C.I.A. triangle is usually expanded into a list of critical characteristics of information
Confidentiality
• Confidentiality refers to limiting information access and disclosure to authorized users/persons only.
• Confidentiality is related to the broader concept of data privacy -- limiting access to individuals’ personal information.
• In Ghana one can make reference to the Data Protection Act as a reason to keep data confidential.
• Authentication methods like user-IDs & passwords can be used to uniquely identify users and control access to data systems.
Integrity
• Information has integrity when it is whole, complete, and uncorrupted.
• The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
• Data corruption can occur while information is being stored or transmitted.
Integrity Cont’d
• It includes data that have not been changed inappropriately, be it by accident or on purpose.
• Integrity implies that the data actually came from the person or entity you think it did, rather than an imposter.
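The two integrity failures described on these slides (data altered in storage or transit, and data that did not come from who you think) can both be detected with a keyed hash. The following Python example is added here and is not part of the lecture; the record, the shared key and the "impostor" key are constructed sample values.

```python
import hmac
import hashlib

def make_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: binds the message content to whoever holds `key`."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify(key: bytes, message: bytes, tag: str) -> bool:
    """True only if the message is unchanged AND was tagged with the same key.

    compare_digest runs in constant time, so the comparison itself does not
    leak how many leading characters of the tag matched.
    """
    return hmac.compare_digest(make_tag(key, message), tag)

# Constructed sample data (assumptions, not from the slides): a record that a
# library system might store or transmit, and a key shared by sender and receiver.
SHARED_KEY = b"constructed-demo-key-change-me"
RECORD = b"patron_id=1023;fine_owed=GHS 5.00"

def demo() -> dict:
    """Show the two integrity failures the slides describe: corruption and impostor."""
    tag = make_tag(SHARED_KEY, RECORD)
    # 1. Record and tag arrive untouched: integrity and origin both check out.
    intact = verify(SHARED_KEY, RECORD, tag)
    # 2. One field altered in storage or transit (by accident or on purpose):
    #    the tag no longer matches, so the corruption is detected.
    altered = b"patron_id=1023;fine_owed=GHS 0.00"
    corrupted = verify(SHARED_KEY, altered, tag)
    # 3. An impostor without the shared key supplies the record with a tag made
    #    under some other key: the receiver's key yields a different tag.
    forged_tag = make_tag(b"impostor-key", RECORD)
    impostor = verify(SHARED_KEY, RECORD, forged_tag)
    return {"intact": intact, "corrupted": corrupted, "impostor": impostor}

if __name__ == "__main__":
    print(demo())
```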
Availability (Recoverability)
• Availability enables authorized users—persons or computer systems—to access information without interference or obstruction, and to receive it in the required format.
• E.g. research libraries that require identification before entrance. Librarians protect the contents of the library so that they are available only to authorized patrons.
• An information system that is not available when you need it is almost as bad as none at all.
Maintaining a Balance
• It is always good to ensure the right levels of Confidentiality, Integrity, and Availability.
• That is, confidentiality should not hinder access (availability) too much when access is paramount for business transactions.
• Sometimes the security measures that ensure confidentiality make access to that information time consuming.
Information Security Threats
• What is a threat? A situation or an activity that could cause harm or danger (Macmillan English Dictionary, 2007).
• What then is an information security threat? / What does it mean to consider something as a threat to information security?
Macmillan English Dictionary for Advanced Learners CD-ROM 2nd Edition. CD-ROM © Macmillan Publishers Limited 2007. Text © A&C Black Publishers Ltd 2007.
Threats to Information Security (1)
• A threat is an object, person, or other entity that represents a constant danger to an asset.
• Some security threats in the digital age:
  – Malware (malicious software that creates inconvenience for the user; it includes computer viruses, worms, trojan horses, bots, spyware, adware, etc.)
  – Spam (unsolicited and mostly irrelevant messages sent on the internet to a large number of users)
  – Phishing (occurs when an attacker attempts to obtain personal or financial information using fraudulent means, most often by posing as another individual or organization)
Threats to Information Security (2)
• Spyware: computer software that enables a user to obtain covert information about another user’s computer activities.
Threats to Information Security (3)
How dangerous are these threats?
• Spyware – limits our ability to protect the confidentiality of the data, as it grants unauthorized access.
• Spam – can flood a user’s inbox and could make access to information difficult, either by having to sift through a tall list for relevant mails or by preventing incoming messages because the inbox has reached its limit.
• Phishing – affects confidentiality.
Other Information Security Threats
Other forms of attacks include:
• Social Engineering
• Password Attacks
• Threats to Privacy
Social Engineering (1)
• Manipulating a person or persons into divulging confidential information.
• But, I am not dumb!!! So does this really apply to me?
• YES! Attackers are ALSO not dumb.
• Social engineers are coming up with much better and much more elaborate schemes to attack users.
  – Even corporate executives can be tricked into revealing VERY secret info
Social Engineering (2)
What can I do to protect myself?
• NEVER give out your password to ANYBODY.
  – Any system administrator should have the ability to change your password without having to know an old password
Social Engineering (3)
Social Engineering (4)
• Any observations or submissions from the afore-presented conversation or chat?
• Let’s discuss your opinions.
Password Attacks
• Password Guessing
  – Ineffective except in targeted cases
• Dictionary Attacks
  – Passwords are stored in computers as hashes, and these hashes can sometimes get exposed.
  – Check all known words against the stored hashes
Password Security
• Many Web sites require a username and password to access the information stored on them.
• To prevent anyone from guessing your passwords, you should always create and use strong passwords.
• A strong password consists of at least eight characters of upper- and lowercase letters and numbers.
Strong Password
Characteristics of Strong Passwords:
• Should have eight or more characters
• Does not contain your user name, real name, or company name
• Does not contain a complete dictionary word in any language
• Is different from previous passwords you have used
• Contains both upper- and lowercase letters, numbers, and special characters (such as ~ ! @ # $ % ^ & * ( ) _ + – = { } | [ ] \ : “ ; ’ < > ? , . /)
Class Activity
• Create a Strong Password
What would you make of this as a password?
• “I was born in Accra, before 1990.”
• Substituting the character < for the word “before” = IwbiA,<1990
• COMPARE WITH THE PASSWORD YOU CREATED
• What of this: “I was born at 3:00 A.M. in Accra” = “Iwb@3:00AMiA”
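To make the Strong Password characteristics concrete, here is an added Python checker (not from the lecture) that applies each listed rule and can be run on the two class-activity passwords above; the small dictionary it uses is a constructed stand-in for a real wordlist.

```python
import string

# Constructed stand-in for a real dictionary (assumption): a handful of words that
# illustrate the "complete dictionary word" rule; a real check would use a large list.
SAMPLE_DICTIONARY = {"password", "accra", "ghana", "born", "before", "welcome", "library"}

def password_problems(password, username="", real_name="", company="",
                      previous=(), dictionary=SAMPLE_DICTIONARY):
    """Return the slide criteria the password fails; an empty list means it is strong."""
    problems = []
    lowered = password.lower()
    # Rule 1: eight or more characters.
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    # Rule 2: no part of the user name, real name or company name (case-insensitive).
    for label, value in (("user name", username), ("real name", real_name),
                         ("company name", company)):
        if any(len(w) >= 3 and w.lower() in lowered for w in value.split()):
            problems.append(f"contains {label}")
    # Rule 3: no complete dictionary word embedded anywhere in the password.
    if any(len(w) >= 4 and w in lowered for w in dictionary):
        problems.append("contains a complete dictionary word")
    # Rule 4: different from previously used passwords.
    if password in previous:
        problems.append("same as a previous password")
    # Rule 5: mix of upper, lower, digits and special characters.
    checks = (
        ("no uppercase letter", any(c.isupper() for c in password)),
        ("no lowercase letter", any(c.islower() for c in password)),
        ("no number", any(c.isdigit() for c in password)),
        ("no special character", any(c in string.punctuation for c in password)),
    )
    problems.extend(name for name, ok in checks if not ok)
    return problems

def is_strong(password, **context):
    """Convenience wrapper: True when no rule is broken."""
    return not password_problems(password, **context)

if __name__ == "__main__":
    for pw in ("IwbiA,<1990", "Iwb@3:00AMiA", "accra2020"):
        print(pw, "->", password_problems(pw) or "strong")
```

Both class-activity passwords pass every rule, while a password built from a city name and a year fails three of them.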
PRIVACY
• The digital age has raised a lot of issues about privacy.
• Especially with devices that make data capturing easy and difficult to detect, e.g. mobile phone cameras.
What is Privacy
• Freedom from observation, intrusion, or attention of others
• Society’s needs sometimes trump individual privacy
• Privacy rights are not absolute
• Balance needed
  – Individual rights
  – Society’s need
• Privacy and “due process”
How Did They Get My Data?
• Filling forms for loans, insurance claims, etc.
• Placing online orders
• Subscription for magazines, newsletters, etc.
• Application for schools, jobs, etc.
• Registrations
Collecting Personal Information
• Often voluntary
  – Filling out a form
  – Registering for a prize
  – Supermarket “Rewards” cards
• Legal, involuntary sources
  – Demographics
  – Change of address
  – Various directories
  – Government records
Amazon’s Privacy Policy (a snapshot)
Privacy policies
• You might have observed that organizations with CCTV* cameras at their premises warn users of their facilities that they are being watched on the cameras.
Why?
*Closed-Circuit Television
Beware!
Why is Information Security important?
• Protects the organization’s ability to function. NB: Organizations cannot function well with untrue information, i.e. information with low integrity.
• Enables the safe operation of computer applications that run on the organization’s IT network.
• Prevents data theft
• Protects the data the organization collects and uses. NB: the law requires organizations that collect data on their customers to keep it safe and protected, e.g. medical records.
• Avoids legal consequences of not securing information
How do we keep information secured?
• At the personal level
• At the organizational level
• Suggestions
  – Passwords
  – ID Cards
  – CCTV
• Necessary tools for IS:
  – policy, awareness, training, education, technology
In Summary…
• Some specialists in the field have theorized that information cannot be 100% secured.
• Sometimes even the bearer of the information needs protection.
• Some specialists in the field have argued that the CIA triad is no longer sufficient to ensure security. They usually propose an extended version of the CIA triad.
• NB: Information security is not just about computer security. Who can tell me why?
Thank you …. Any Questions?