Information Systems Security
Dec 17, 2015
Information Systems Security
Introduction
Sharon Garcia
• UNM Graduate Student
• Masters of Accountancy, Information Assurance Track
• Information Systems Security Course Project
Why Does ISS Matter?
• To some extent everyone creates and uses technology.
• It matters because all information that is generated has economic potential.
• This information can be collected, organized, and turned into something more than it originally started as.
http://www.wired.co.uk/news/archive/2013-02/05/weakness-in-tsl-protocol/viewgallery/293669
Facebook…
• Signing up for Facebook does not “cost” you anything… or does it?
• Facebook makes money in different ways but mainly from advertising.
• Instead of charging you a fee for the service they offer, they record your personal information, along with all the other information you generate, and sell that information to external vendors.
So… Why do Facebook’s profits matter?
• If Facebook is compromised, their profits are directly affected.
• In other words, when its users’ accounts are compromised, they lose money. Tons of money.
http://money.cnn.com/2012/02/02/technology/thebuzz/
Facebook, other companies, and the United States government, all need employees who can detect vulnerabilities in their information systems.
• Programmers
• Data Analysts
• Web Designers
• Network Administrators
• Forensic Analysts
What Type Of Technologies and Techniques Do They Use in ISS?
• A Whole Ton.
• Cryptography, Steganography, Redundancy, Network Safety and Password Protections (Policies and Procedures), Data Analytics (Benford’s Law), and on and on.
Cryptography
• Heartbleed affects potentially two-thirds of systems on the Internet
• “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.” –www.heartbleed.com
• What is SSL and OpenSSL?
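The defence against Heartbleed was a bounds check: the heartbeat handler must not trust the payload length declared in the message header when the record that actually arrived is shorter. The following Python is an added illustration of that check (not code from the slides or from OpenSSL); the record layout follows RFC 6520, and the two test records at the bottom are constructed for the demonstration.

```python
import struct

# Heartbeat request layout from RFC 6520: 1-byte type, 2-byte big-endian
# payload_length, the payload itself, then at least 16 bytes of random padding.
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16


def parse_heartbeat(record: bytes):
    """Return the heartbeat payload, or None if the record is malformed.

    The flaw behind Heartbleed was that the declared payload_length was
    trusted and used as the number of bytes to copy back, even when the
    record that actually arrived was far shorter.  The defence is the
    bounds check below: the declared length must fit inside the record.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return None                       # cannot even hold header + padding
    if record[0] != HEARTBEAT_REQUEST:
        return None
    (payload_length,) = struct.unpack("!H", record[1:3])
    # Same test as the OpenSSL fix: 1 + 2 + payload + 16 must be <= record length
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None
    return record[3:3 + payload_length]


def build_heartbeat(payload: bytes) -> bytes:
    """Build a well-formed request whose header agrees with its payload."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", len(payload))
            + payload + b"\x00" * MIN_PADDING)


# Constructed test vectors: one consistent request, and one whose header
# claims far more payload than the record carries (the malformed case the
# check must reject).
GOOD_RECORD = build_heartbeat(b"ping")
BAD_RECORD = (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0xFFFF)
              + b"ping" + b"\x00" * MIN_PADDING)

if __name__ == "__main__":
    print(parse_heartbeat(GOOD_RECORD))   # b'ping'
    print(parse_heartbeat(BAD_RECORD))    # None
```

Beyond patching the code, the practical answers to "how can Heartbleed be stopped" are upgrading to a fixed OpenSSL build, disabling the heartbeat extension where it is not needed, and reissuing certificates and keys that may have been exposed.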
Cryptography
• You’ve definitely heard of this… but not by this name.
• Encryption takes data and translates it into something that is undecipherable unless you have the “key” that will translate it back into the original data.
Cryptography Example
http://en.wikipedia.org/wiki/Cryptography
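To make the "undecipherable without the key" idea concrete, here is an added Python example (not from the slides) of a keyed symmetric cipher: a keystream is derived from the key and a per-message nonce with SHA-256, and XORed with the data. The construction is assumed for illustration only; it is not a vetted cipher and carries no integrity check, so real systems use AES-GCM or a similar authenticated mode.

```python
import hashlib
import os
from typing import Optional

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes by hashing key || nonce || counter.

    Anyone without the key cannot reproduce this stream, which is what makes
    the XORed ciphertext undecipherable to them.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext. A fresh random nonce per message keeps two
    encryptions of the same text from producing the same output."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, message: bytes) -> bytes:
    """Recover the plaintext; XOR with the same keystream undoes the encryption."""
    nonce, ciphertext = message[:NONCE_LEN], message[NONCE_LEN:]
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    key = os.urandom(32)
    sealed = encrypt(key, b"the quarterly report")
    print(sealed.hex())                 # looks like noise
    print(decrypt(key, sealed))         # b'the quarterly report'
```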
Question for You
What are some ways that Heartbleed can be stopped?
Steganography
• Steganography has been used for hundreds of years.
• ZeusVM Trojan – stole property from approximately “70 enterprises and agencies across 14 countries.” - http://www.crn.com.au/
Steganography
• Uses something to hide something in…
• Enables a user to hide a message, picture, or audio file, within a picture or audio file…
• What?
http://www.giuseppe-arcimboldo.org/Winter-(L'Inverno).html
Steganography Example
• I want to send my best friend a message without anyone knowing that I sent it to her. I could write a message, hide it within a picture using steganography software, and then send her the picture with the message inside it. My best friend would then have to use the same program to extract the message from the picture.
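The "hide a message inside a picture" scenario above can be shown with the most common technique, least-significant-bit (LSB) embedding: each pixel value is nudged by at most one unit, which the eye cannot see. The following Python is an added example, not part of the slides; the "image" is a constructed list of 8-bit grayscale pixel values rather than a real file, and the 4-byte length prefix is an assumption of this example's format.

```python
def capacity_bytes(pixels: bytes) -> int:
    """Bytes of message that fit: one bit per pixel, minus the 4-byte length prefix."""
    return len(pixels) // 8 - 4


def hide_message(pixels: bytes, message: bytes) -> bytearray:
    """Write the message, MSB first, into the least significant bit of successive pixels."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for this message")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # clear the low bit, then set it to ours
    return out


def extract_message(pixels: bytes) -> bytes:
    """Read the length prefix, then that many bytes, from the pixels' low bits."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        value = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[start_bit + b * 8 + i] & 1)
            value.append(byte)
        return bytes(value)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_pixel_change(original: bytes, modified: bytes) -> int:
    """Largest per-pixel difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(original, modified))


# Constructed cover "image": 1024 grayscale pixels with a smooth gradient.
COVER = bytes(range(256)) * 4

if __name__ == "__main__":
    stego = hide_message(COVER, b"meet at noon")
    print(extract_message(stego))            # b'meet at noon'
    print(max_pixel_change(COVER, stego))    # 1
```

From the defender's side, the same property that makes the change invisible to the eye makes it measurable: the cover and stego images differ only in their low-bit plane, so statistical tests on that plane are how steganalysis tools flag files like the ZeusVM carrier images.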
Question For You
What was the name of the malware that attacked approximately 70 enterprises in 14 countries?
Redundancy (Backups)
• Dropped your laptop?
• Spilled soda on your computer?
• Dog chewed through the power cord while you were working on an assignment?
• Hopefully you saved your work somewhere else than on the device you were using!
Redundancy
• Dividing a computer’s disk drives in ways that allow for data to be spread across them. This lets the data exist in multiple places at once in the event that one disk crashes, gets hacked, catches fire, or worse.
Redundancy Example
• RAID 0, RAID 1, RAID 2…
http://en.wikipedia.org/wiki/File:RAID_6.svg
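The RAID levels differ in how much they can lose. As an added Python example (not from the slides), the following simulates striping data across several "disks" with one XOR parity disk, in the style of RAID 5, and then rebuilds a failed disk from the survivors. The disks are constructed in-memory byte arrays, and parity lives on a fixed disk here for simplicity (real RAID 5 rotates it).

```python
from typing import List, Optional


def stripe_with_parity(data: bytes, data_disks: int) -> List[Optional[bytearray]]:
    """Spread data byte-by-byte across `data_disks` disks and add one parity disk.

    Each stripe's parity byte is the XOR of that stripe's data bytes, so any
    single missing byte can be recomputed from the others.
    """
    pad = (-len(data)) % data_disks            # fill the last stripe
    data = data + b"\x00" * pad
    disks = [bytearray() for _ in range(data_disks + 1)]
    for start in range(0, len(data), data_disks):
        stripe = data[start:start + data_disks]
        parity = 0
        for i, byte in enumerate(stripe):
            disks[i].append(byte)
            parity ^= byte
        disks[data_disks].append(parity)
    return disks


def rebuild_disk(disks: List[Optional[bytearray]], lost: int) -> bytearray:
    """Recover disk `lost` (data or parity) by XORing the surviving disks."""
    length = len(next(d for i, d in enumerate(disks) if i != lost and d is not None))
    rebuilt = bytearray(length)
    for pos in range(length):
        value = 0
        for i, d in enumerate(disks):
            if i != lost:
                value ^= d[pos]
        rebuilt[pos] = value
    return rebuilt


def read_back(disks: List[Optional[bytearray]], data_disks: int, length: int) -> bytes:
    """Reassemble the original data from the data disks (RAID 0 would stop here)."""
    stripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for pos in range(stripes):
        for i in range(data_disks):
            out.append(disks[i][pos])
    return bytes(out[:length])


# Constructed sample data for the demonstration.
DATA = b"The quick brown fox jumps over the lazy dog"

if __name__ == "__main__":
    disks = stripe_with_parity(DATA, 3)
    disks[1] = None                                  # simulate disk 1 failing
    disks[1] = rebuild_disk(disks, 1)
    print(read_back(disks, 3, len(DATA)))            # original data, intact
```

With plain striping (RAID 0) there is no parity disk, so losing any one disk loses the data; with mirroring (RAID 1) the copy is simply read from the other disk. Parity schemes trade a little capacity for the ability to survive one (RAID 5) or two (RAID 6) failures.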
Question For You
What are some other ways you can protect your data?
Network Safety and Password Protections (Policies and Procedures)
• You are only as strong (or safe) as your weakest link.
• Policies and Procedures ensure that everyone on the network utilizes the same method to protect against vulnerabilities and threats.
Policies and Procedures
Question For You
What is considered a “strong” password?
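One way a policy turns the "strong password" question into something every account on the network is held to is a checker that everyone's password must pass. The Python below is an added example, not from the slides; the rules (minimum length, character classes, a blocklist of known-bad passwords, no long repeats) and the tiny blocklist are assumptions of this example, and the entropy figure is the usual rough estimate of guessing difficulty, not a guarantee.

```python
import math
import re
from typing import List

# Constructed blocklist standing in for a real list of breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

CHARACTER_CLASSES = {
    "lowercase": (r"[a-z]", 26),
    "uppercase": (r"[A-Z]", 26),
    "digit": (r"[0-9]", 10),
    "symbol": (r"[^A-Za-z0-9]", 32),
}


def check_password(pw: str, min_length: int = 12) -> List[str]:
    """Return the policy rules the password fails; an empty list means it is acceptable."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes_present = sum(bool(re.search(pattern, pw)) for pattern, _ in CHARACTER_CLASSES.values())
    if classes_present < 3:
        failures.append("fewer than three character classes")
    # Strip the trailing digits/punctuation people bolt onto a common word.
    base = pw.lower().rstrip("0123456789!@#$%^&*.")
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        failures.append("appears on the common-password list")
    if re.search(r"(.)\1{2,}", pw):
        failures.append("three or more repeated characters in a row")
    return failures


def estimate_entropy_bits(pw: str) -> float:
    """Naive strength estimate: length * log2(size of the character pool used)."""
    pool = sum(size for pattern, size in CHARACTER_CLASSES.values() if re.search(pattern, pw))
    return len(pw) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for candidate in ["Welcome1!", "Correct-Horse-Battery-7"]:
        print(candidate, check_password(candidate), round(estimate_entropy_bits(candidate)))
```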
Forensic Analytics
• Using the data generated to find inconsistencies that may expose unethical, fraudulent, or criminal activities.
• Benford’s Law
• Microsoft Excel, Microsoft Access, IDEA, QlikView
Forensic Analytics Example
• Benford’s Law
http://www.isaca.org/Journal/Past-Issues/2011/Volume-3/Pages/Understanding-and-Applying-Benfords-Law.aspx
Question For You
What is the equation for Benford’s Law?
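Benford's Law says the leading digit d of naturally occurring figures appears with probability P(d) = log10(1 + 1/d), so "1" leads about 30.1% of the time and "9" only about 4.6%. The Python below is an added example, not from the slides: it computes that expected distribution, tallies the actual first digits of a set of values, and applies a chi-square goodness-of-fit test the way an auditor would to flag a ledger worth a closer look. The two datasets are constructed (powers of two, which are known to follow Benford, and a run of consecutive numbers, which does not); the 15.507 critical value is the standard chi-square threshold for 8 degrees of freedom at p = 0.05.

```python
import math
from collections import Counter
from typing import Dict, Iterable, Optional

# Chi-square critical value, 8 degrees of freedom (9 digits - 1), p = 0.05.
CHI2_CRITICAL_8DF_05 = 15.507


def benford_expected(digit: int) -> float:
    """The equation itself: P(d) = log10(1 + 1/d) for d in 1..9."""
    return math.log10(1 + 1 / digit)


def leading_digit(value) -> Optional[int]:
    """First non-zero digit of a number, or None for zero."""
    for ch in str(abs(value)):
        if ch.isdigit() and ch != "0":
            return int(ch)
    return None


def first_digit_distribution(values: Iterable) -> Dict[int, float]:
    """Observed share of each leading digit 1..9 in the data."""
    digits = [d for d in map(leading_digit, values) if d is not None]
    counts = Counter(digits)
    total = len(digits)
    return {d: counts[d] / total for d in range(1, 10)}


def chi_square_statistic(values: Iterable) -> float:
    """Sum over digits of (observed - expected)^2 / expected, using Benford's expected counts."""
    digits = [d for d in map(leading_digit, values) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    total = 0.0
    for d in range(1, 10):
        expected = n * benford_expected(d)
        total += (counts[d] - expected) ** 2 / expected
    return total


def conforms_to_benford(values: Iterable) -> bool:
    """True when the deviation from Benford is small enough to be chance at p = 0.05."""
    return chi_square_statistic(values) < CHI2_CRITICAL_8DF_05


# Constructed datasets for the demonstration.
NATURAL = [2 ** k for k in range(1, 301)]      # follows Benford's Law
SUSPICIOUS = list(range(1000, 1100))           # every value starts with 1

if __name__ == "__main__":
    for d in range(1, 10):
        print(d, round(benford_expected(d), 4))
    print(conforms_to_benford(NATURAL))        # True
    print(conforms_to_benford(SUSPICIOUS))     # False
```

A failed test is a lead, not a verdict: invoices capped at an approval threshold or prices set by policy legitimately break the law, so the analyst's next step is to pull the transactions behind the over-represented digit.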
Conclusion
• There are many different types of ISS that exist.
• White Hats and Black Hats.
• Use technology safely.
Questions?