Information Security Notes
Information Security Fundamentals
Learning Objectives Overview
This summary aims to cover the following topics:
Identification of five factors contributing to information resource vulnerability, with specific examples.
Comparison and contrast of human mistakes and social engineering, with specific examples.
Discussion of the 10 types of deliberate attacks.
Definition of three risk mitigation strategies, with homeownership examples.
Identification of three major types of organizational controls for information resources, with examples.
Explanation of the criticality of protecting information assets and actions one can take.
Core Issues in Information Security
Perfect data security is difficult: Achieving absolute security is a significant challenge.
Economic Cyberwarfare: The increasing threat of nation-state or economically motivated cyberattacks.
Impossible to secure the internet: Its vastness and interconnectedness make complete security unfeasible.
Key Information Security Terms
Security: The degree of protection against criminal activity, danger, damage, or loss.
Information Security: Protecting an organization’s information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Threat: Any danger to which an information resource may be exposed.
Exposure: The harm, loss, or damage that can result if a threat compromises an information resource.
Vulnerability: The possibility that an information resource will be harmed by a threat.
Factors Contributing to Information Resource Vulnerability
Five key factors significantly increase the vulnerability of information resources:
Today’s interconnected, interdependent, wirelessly networked business environment: The growing reliance on networks, cloud services, and wireless communication creates more entry points for attackers. For example, a company connecting its internal network to a supplier's extranet can expose new vulnerabilities.
Smaller, faster, inexpensive computers and storage devices: This allows for easier data theft and storage of vast amounts of stolen information. A small USB drive can hold sensitive company data, and powerful mini-computers can be used for sophisticated attacks.
Decreasing skills necessary to be a computer hacker: User-friendly hacking tools and readily available online tutorials mean that individuals with minimal technical skills can launch sophisticated attacks. For instance, scripts and software kits automate complex attacks like denial-of-service.
International organized crime taking over cybercrime: This shift from individual hackers to professional criminal organizations means cyberattacks are more sophisticated, financially motivated, and harder to trace. Ransomware operations are often run by these groups.
Lack of management support: Insufficient investment in security measures, training, and policies due to management failing to prioritize information security leaves organizations exposed. An example is a company not updating its security software or investing in employee security training.
Types of Threats: Inside and Outside
Information resources face threats from both external and internal sources:
Outside Threats
Malware (viruses, worms, etc.): Malicious software designed to damage or disrupt computer systems.
Natural Disasters (floods, storms): Events that can physically destroy infrastructure and data.
Denial of Service (DoS) attacks: Overwhelming a system with requests to make it unavailable.
Unauthorized Users (crackers, hackers): External individuals seeking illegal access or control.
Inside Threats (Corporate LAN/Intranet)
Human-Created Disasters: fire, power outages, and other accidents leading to system failure.
Employees: Directly pose significant threats due to access and potential malicious intent or carelessness.
Application Programmer: Programming applications to function contrary to specifications (e.g., creating backdoors).
Systems Programmer: Bypassing or disabling security mechanisms, installing non-secure systems.
Operators: Duplication of confidential reports, initializing non-secure systems, theft of confidential material.
Users: Data entry errors, weak passwords, lack of training.
Other Insiders: Consultants, contract labor, janitors who might gain unauthorized access, commit theft, or copy data.
System-Specific Inside Threats
Systems Software: Failure of protection mechanisms, information leakage, installation of unauthorized software.
Hardware Threats: Terminals located in non-secure environments, personal computer systems used for fraudulent identification or illegal information leakage, physical theft of devices.
Databases: Unauthorized access, copying, or theft.
Human Mistakes vs. Social Engineering
Human Error
Human mistakes are unintentional actions or inactions that compromise security. They often stem from carelessness, lack of awareness, or insufficient training.
Severity: Higher-level employees with greater access privileges pose a greater threat due to the potential impact of their mistakes.
Significant Threat Areas:
Human Resources (HR): Access to vast amounts of personal employee data, salary information, and sensitive documents.
Information Systems (IS): Access to critical infrastructure, sensitive data, and system configurations.
Other Common Human Errors:
Carelessness with computing devices (e.g., leaving a laptop unlocked in public).
Opening questionable e-mails (e.g., clicking on malicious links).
Careless Internet surfing (e.g., visiting untrusted websites).
Poor password selection and use (e.g., using easy-to-guess passwords, reusing passwords).
Carelessness with one’s office (e.g., leaving sensitive documents on a desk).
Carelessness using unmanaged devices (e.g., using personal devices for work without security controls).
Carelessness with discarded equipment (e.g., not properly wiping data from old hard drives).
Careless monitoring of environmental hazards (e.g., not ensuring proper temperature control for servers).
Example: An employee accidentally uploads a sensitive company document to a public cloud storage service, making it accessible to anyone with the link.
Social Engineering
Social engineering is a deliberate attack where the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information (e.g., passwords) or performing actions that compromise security. It exploits human psychology rather than technical vulnerabilities.
Methods:
Tailgating: An unauthorized individual physically follows an authorized person into a secure area.
Spear Phishing: A highly targeted phishing attack where the attacker researches specific individuals or organizations to craft a personalized, believable message aimed at obtaining sensitive information.
Phishing: A fraudulent attempt to obtain sensitive information (e.g., usernames, passwords, credit card details) by masquerading as a trustworthy entity in an electronic communication (e.g., email).
Shoulder Surfing: Observing a person's personal information (like a password or PIN) over their shoulder.
Example: A hacker calls an IT help desk pretending to be a high-level executive who forgot their password and needs it reset immediately, providing just enough plausible details to convince the help desk employee.
Deliberate Attacks on Information Systems
Deliberate threats are malicious actions performed by individuals who use technical means to disrupt an organization's regular business operations, identify IT weaknesses, gain protected information, or otherwise further an attack plan via access to IT systems. There are 10 main types:
Espionage or Trespassing: Occurs when an unauthorized individual attempts to gain illegal access to organizational information.
Example: A competitor’s employee tries to break into a company’s server room or hack into their network to steal schematics for a new product.
Information Extortion: Occurs when an attacker either threatens to steal, or actually steals, information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.
Example: Ransomware (or digital extortion) is malicious software that blocks access to a computer system or encrypts an organization’s data until the organization pays a sum of money.
Sabotage or Vandalism: Deliberate acts that involve defacing an organization’s website, potentially damaging the organization’s image and causing its customers to lose faith. One form of online vandalism is a hacktivist or cyberactivist operation.
Example: A group of activists defaces a corporation's website to protest its environmental policies.
Theft of Equipment or Information: Involves the physical or digital stealing of company assets.
Example: Dumpster diving involves rummaging through commercial or residential trash to find discarded information like paper files, letters, memos, photographs, IDs, passwords, credit cards.
Identity Theft: The deliberate assumption of another person’s identity, usually to gain access to their financial information or to frame them for a crime.
Example: A criminal obtains someone's Social Insurance Number (SIN) and uses it to open new credit accounts in their name.
Compromises to Intellectual Property: Stealing or illegally using copyrighted material (e.g., software, music, videos) or trade secrets.
Example: An employee copies proprietary software code developed by their company and sells it to a rival firm.
Software Attacks: Modern cybercriminals use sophisticated, blended malware attacks, typically through the Web, to make money.
See the Detailed Software Attacks table below for the individual types of software attacks.
Alien Software: Clandestine software installed on your computer through deceptive methods, often tracking web surfing habits and personal behaviors.
Examples: Adware (software that displays advertisements), Spyware (software that gathers information without consent), Keyloggers (software that records keystrokes), Spamware (software used to send unsolicited emails), Cookies (small text files stored by websites, some of which are used for tracking), Tracking cookies (cookies specifically used to follow user activity across sites).
Supervisory Control and Data Acquisition (SCADA) Attacks: Targeting systems used to monitor or control critical industrial processes like those in oil refineries, water treatment plants, electrical generators, and nuclear power plants. Attacks can cause physical damage or widespread disruption.
Example: An attacker gains control of a SCADA system managing a power grid, potentially causing widespread blackouts.
Cyberterrorism and Cyberwarfare: Malicious acts where attackers use a target’s computer systems, particularly through the internet, to cause physical, real-world harm or severe disruption, often to carry out a political agenda.
Example: A nation-state launches a cyberattack against another country's financial infrastructure to cripple its economy.
Detailed Software Attacks
| Type | Description |
|---|---|
| Remote Attacks Requiring User Action | |
| Virus | Segment of computer code that performs malicious actions by attaching to another computer program. |
| Polymorphic virus | Segment of computer code that modifies itself (i.e., changes its computer code) to avoid detection by anti-malware systems, while keeping the same functionality. |
| Worm | Segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program). |
| Phishing attack | Uses deception to acquire sensitive personal information by masquerading as official-looking emails or instant messages. |
| Spear phishing attack | Unlike phishing, which targets large groups of people, spear phishing targets specific individuals. The attackers find out as much information as they can about the individual and tailor their attack to improve the chances that the target will respond and that they will obtain sensitive, personal information. |
| Whaling attack | Phishing attack that targets specific high-value individuals such as senior executives in an attempt to steal sensitive information from a company such as financial data or personal details about employees. |
| Smishing attack | A phishing attack carried out over mobile text message. Also known as Short Message Service phishing. |
| Vishing attack | Short for "voice phishing," these attacks attempt to defraud people over the phone. |
| Remote Attacks Needing No User Action | |
| Denial-of-service attack | An attacker sends so many information requests to a target computer system that the target cannot manage them successfully and typically ceases to function (crashes). |
| Distributed denial-of-service attack (DDoS) | An attacker first takes over many computers, typically by using malicious software. These computers are called zombies or bots. The attacker uses these bots (which together form a botnet) to deliver a coordinated stream of information requests to a target computer, causing it to crash. |
| Attacks by a Programmer Developing a System | |
| Trojan horse | Software programs that hide in other computer programs and reveal their designed behavior only when they are activated. |
| Back door | Typically a password, known only to the attackers, that allows them to access a computer system at will, without having to go through any security procedures (also called a trap door). |
| Logic bomb | A segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action under specific conditions, such as at a certain time or date. |
Protecting Information Resources: Risk Management
Definitions
Risk: The likelihood that a threat will occur.
Risk Management: A process that identifies, controls, and minimizes the impact of threats, in an effort to reduce risk to manageable levels.
Steps in Risk Analysis
Risk analysis involves three interrelated steps:
Assess the value of each asset being protected: Determine the criticality and financial/operational worth of each information resource (e.g., customer database, financial records).
Estimate the probability that each asset will be compromised: Evaluate the likelihood of various threats successfully exploiting vulnerabilities (e.g., 5% chance of a successful ransomware attack per year).
Compare the probable costs of the asset’s being compromised with the costs of protecting that asset: Weigh the potential damage from a security breach against the expense of implementing security controls. For example, if protecting a database costs 10,000 but its compromise could cost 1,000,000, protection is highly advisable.
Enterprise Risk Management and Mitigation Strategies
Risk mitigation has two primary functions:
Implementing controls: To prevent identified threats from occurring.
Developing means of recovery: If the threat becomes a reality (e.g., a disaster recovery plan).
There are three main risk mitigation strategies:
Risk Acceptance: Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
Home Ownership Example: Choosing not to buy flood insurance for a home in a low-risk flood zone, accepting that any flood damage will be paid out-of-pocket.
Risk Transference: Transfer the risk to another party.
Home Ownership Example: Purchasing homeowner's insurance to transfer the financial risk of fire, theft, or natural disaster damage to an insurance company.
Risk Limitation: Limit the risk by implementing controls that minimize the impact of the threat.
Home Ownership Example: Installing a sophisticated alarm system, strong locks, and security cameras to reduce the likelihood and impact of a home invasion or theft.
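The three risk-analysis steps and the choice among the three mitigation strategies can be carried through numerically. The following is an added worked example, not code from the course notes: it values each asset, multiplies by the yearly probability of compromise to get the expected loss, and then compares accepting, limiting and transferring the risk. The assets, probabilities, control costs and insurance premiums are constructed sample figures, and the "pick the cheapest option" decision rule is an assumption of the example.

```python
"""Risk analysis and mitigation choice (added worked example, not from the course notes).

Step 1 values each asset, step 2 estimates its yearly probability of
compromise, step 3 compares the expected loss with the cost of protecting it.
Expected loss per year (annualised loss expectancy, ALE) = value x probability.
Every asset, value, probability and control cost below is a constructed sample.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float            # step 1: financial/operational worth if lost
    p_compromise: float     # step 2: probability of compromise per year (0..1)
    control_cost: float     # yearly cost of a control that limits the risk
    control_effect: float   # fraction of the expected loss the control removes (0..1)
    insurance_cost: float   # yearly premium to transfer the risk (0 = not available)


def ale(asset: Asset) -> float:
    """Annualised loss expectancy with no controls in place."""
    return asset.value * asset.p_compromise


def choose_strategy(asset: Asset) -> str:
    """Step 3: pick the cheapest of accept / limit / transfer.

    The decision rule (an assumption of this example, not a rule from the
    notes) is: compare the yearly cost of each mitigation strategy and take
    the lowest; accepting the risk costs exactly the expected loss.
    """
    expected_loss = ale(asset)
    options = {"accept": expected_loss}
    # Limiting: pay for the control and keep the residual expected loss
    options["limit"] = asset.control_cost + expected_loss * (1 - asset.control_effect)
    # Transferring: pay the premium instead of absorbing the loss
    if asset.insurance_cost > 0:
        options["transfer"] = asset.insurance_cost
    return min(options, key=options.get)


def risk_report(assets) -> dict:
    """Map each asset name to (ALE, chosen strategy)."""
    return {a.name: (ale(a), choose_strategy(a)) for a in assets}


# Constructed sample portfolio (the 10,000 / 1,000,000 figures echo the notes'
# database example; the probabilities and premiums are invented for illustration).
SAMPLE_ASSETS = [
    Asset("customer database", 1_000_000, 0.05, control_cost=10_000,
          control_effect=0.9, insurance_cost=30_000),
    Asset("public brochure archive", 2_000, 0.10, control_cost=1_000,
          control_effect=0.9, insurance_cost=0),
    Asset("warehouse servers (fire)", 400_000, 0.02, control_cost=20_000,
          control_effect=0.8, insurance_cost=5_000),
]

if __name__ == "__main__":
    for name, (loss, strategy) in risk_report(SAMPLE_ASSETS).items():
        print(f"{name:28s} ALE={loss:>10,.0f}  -> {strategy}")
```

For the customer database the control costs 10,000 a year and removes most of a 50,000 expected loss, so limiting wins; the brochure archive is worth less than any control, so the risk is accepted; the fire risk to the warehouse servers is cheaper to insure than to suppress, so it is transferred. Real risk registers add a qualitative impact rating alongside the money figures, but the comparison is the same.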
Information Security Controls
Organizations use three major types of controls to protect their information resources:
1. General Controls
General controls are established to protect the overall security of information systems and the wider organizational infrastructure.
Physical Controls: Prevent unauthorized individuals from gaining access to a company’s facilities or physical assets.
Examples: Walls, Doors, Fencing, Gates, Locks, Employee badges, Security guards, Alarm systems.
Access Controls: Restrict unauthorized users from using information resources.
Authentication: Determines the identity of the person requiring access.
Methods: Something the user is (biometrics like fingerprints, facial recognition), something the user has (smart card, token), something the user does (voice recognition, signature verification), something the user knows (passwords, passphrases, PINs).
Authorization: Determines which actions, rights, or privileges the verified person has, based on their authenticated identity.
Example: A user might be authenticated to access the network, but authorized only to view specific files in their department.
Basic Guidelines for Passwords:
Difficult to guess.
Long rather than short (e.g., 12 characters or more).
Should have uppercase letters, lowercase letters, numbers, and special characters.
Not recognizable words.
Not the name of anything or anyone familiar (e.g., family names, pet names).
Not a recognizable string of numbers (e.g., a Social Security Number, birthday).
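The authentication/authorization distinction and the password guidelines above fit together in one enrolment-and-login flow. The following is an added example, not code from the course notes: enrolment rejects passwords that break the guidelines, authentication answers "who is this?" by checking a salted PBKDF2 hash, and authorization answers "what may this identity do?" by confining the user to their own department's files. The usernames, departments, file paths, the short word list and the familiar-names list are constructed stand-ins; a real deployment would load full dictionaries and the user's own details.

```python
"""Access control worked example (added illustration, not from the course notes).

Enrolment enforces the password guidelines, authentication verifies identity
against a salted PBKDF2 hash, and authorisation then decides which
department's files the authenticated user may read. Usernames, departments,
file paths, the word list and the familiar-names list are constructed samples.
"""
import hashlib
import hmac
import os
import posixpath
import re
import string

PBKDF2_ROUNDS = 100_000

# Stand-ins for a real dictionary and for names familiar to the user
# (family, pets, employer); a deployment would load full lists.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}
FAMILIAR_NAMES = {"smith", "fluffy", "rover", "acme"}


def password_violations(pw: str) -> list:
    """Return the guidelines a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    has_all_classes = (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
                       and any(c.isdigit() for c in pw)
                       and any(c in string.punctuation for c in pw))
    if not has_all_classes:
        problems.append("missing upper/lower/digit/special character")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a recognisable word")
    if any(name in lowered for name in FAMILIAR_NAMES):
        problems.append("contains a familiar name")
    if re.search(r"\d{6,}", pw):          # SSN-, SIN- or birthday-like digit runs
        problems.append("contains a recognisable string of numbers")
    return problems


class UserStore:
    """Minimal user database: username -> (salt, password hash, department)."""

    def __init__(self):
        self._users = {}

    def enrol(self, username: str, password: str, department: str) -> None:
        problems = password_violations(password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest, department)

    def authenticate(self, username: str, password: str) -> bool:
        """Who is this? Recompute the hash and compare in constant time."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest, _ = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def authorize(self, username: str, path: str) -> bool:
        """What may this identity do? Here: read only files in its own department.

        The path is normalised first so "/files/hr/../engineering/x" cannot
        escape the department directory.
        """
        record = self._users.get(username)
        if record is None:
            return False
        department = record[2]
        clean = posixpath.normpath(path)
        return clean.startswith(f"/files/{department}/")


if __name__ == "__main__":
    store = UserStore()
    store.enrol("alice", "correct-Horse-battery-9staple", "hr")
    print(store.authenticate("alice", "correct-Horse-battery-9staple"))    # True
    print(store.authorize("alice", "/files/hr/salaries.csv"))             # True
    print(store.authorize("alice", "/files/engineering/schematics.pdf"))  # False
```

Note that a successful `authenticate` says nothing about what the user may read; `authorize` is a separate decision, which is exactly the point of the network-versus-department example in the notes. The path normalisation is the kind of check that is easy to forget when the authorization rule is a simple prefix match.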
Communication Controls: Deal with the movement of data across networks.
Firewalls: A system that prevents a specific type of information from moving between untrusted networks and private trusted networks.
How they work: Firewalls act as a barrier, inspecting incoming and outgoing network traffic based on predefined rules. They can be software-based (on individual computers) or hardware-based (network devices).
Location: Often deployed at network perimeters (between the Internet and the Demilitarized Zone (DMZ), and between the DMZ and the internal Corporate LAN/Intranet) and even within the internal network.
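The rule-based inspection and the Internet / DMZ / LAN placement described above can be modelled in a few dozen lines. The following is an added example, not code from the course notes: each packet header is assigned a source and destination zone, then matched against an ordered rule list where the first match decides and anything unmatched is dropped. The address ranges, ports and rules are constructed sample data, and the model is stateless, whereas real firewalls also track connection state so that replies to permitted outbound connections are let back in.

```python
"""Zone-based firewall rule evaluation (added illustration, not from the course notes).

Three zones are modelled: the Internet, a DMZ and the internal LAN. Traffic
between zones is matched against an ordered rule list; the first matching
rule decides, and anything unmatched is dropped (default deny). Address
ranges, ports and rules are constructed sample data; this model is stateless,
whereas real firewalls also track connection state for return traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONE_NETWORKS = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # sample DMZ (documentation range)
    "lan": ipaddress.ip_network("10.0.0.0/8"),     # sample corporate LAN
}


def zone_of(addr: str) -> str:
    """Anything outside the DMZ and LAN ranges is treated as the Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONE_NETWORKS.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "deny"


# Perimeter (internet<->dmz) and internal (dmz<->lan) policy in one ordered list.
RULES = [
    Rule("internet", "dmz", "tcp", 443, "allow"),    # public HTTPS to the DMZ web tier
    Rule("dmz", "lan", "tcp", 5432, "allow"),        # web tier to the internal database only
    Rule("lan", "internet", "tcp", 443, "allow"),    # staff browsing
    Rule("lan", "dmz", "tcp", 22, "deny"),           # explicit deny precedes the broad allow
    Rule("lan", "dmz", "tcp", None, "allow"),        # LAN may otherwise manage DMZ hosts
]


def evaluate(src: str, dst: str, proto: str, dst_port: int, rules=RULES) -> str:
    """Return 'allow' or 'deny' for one packet header."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow"            # traffic inside one zone never crosses a firewall
    for rule in rules:
        zone_match = (rule.src_zone, rule.dst_zone, rule.proto) == (src_zone, dst_zone, proto)
        if zone_match and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"                 # default deny: nothing unlisted gets through


# Constructed sample packets: (src, dst, proto, dst_port)
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.10", "tcp", 443),   # internet -> DMZ web server
    ("198.51.100.7", "10.1.2.3", "tcp", 443),     # internet -> LAN host directly
    ("192.0.2.10", "10.1.2.3", "tcp", 5432),      # DMZ web tier -> LAN database
    ("192.0.2.10", "10.1.2.3", "tcp", 445),       # DMZ host -> LAN file share (not needed by the web tier)
    ("10.1.2.3", "192.0.2.10", "tcp", 22),        # LAN -> DMZ SSH (explicitly denied)
    ("10.1.2.3", "192.0.2.10", "tcp", 8080),      # LAN -> DMZ other admin port
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", evaluate(*pkt))
```

The fourth sample packet is the reason the inner firewall exists: even if a DMZ host is compromised, the only path it has into the LAN is the database port the web tier legitimately needs. Rule order matters too, which is why the SSH deny is listed before the broad LAN-to-DMZ allow.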
Anti-malware systems: Software packages that attempt to identify and eliminate viruses, worms, and other malicious software.
Functionality: These systems actively scan files, emails, and web traffic for known malware signatures and unusual behaviors.
Whitelisting and Blacklisting:
Whitelisting: A strategy under which only pre-approved or trusted users, entities, or actions are allowed to operate on a system or network.
Example: Only allowing specific applications to run on company computers, blocking all others.
Blacklisting: Allows everything to run or be accessed except for specific banned items.
Example: Blocking access to known malicious websites or preventing specific malware executables from running.
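The signature scanning of the anti-malware paragraph and the whitelisting/blacklisting contrast above are really the same question asked two ways: is the default to allow or to block? The following is an added example, not code from the course notes, that runs three policies over a set of constructed sample "files" (short byte strings standing in for executables): a hash blocklist and a byte-pattern family signature, both blacklisting, and an allowlist of approved hashes, whitelisting. Every file, hash and pattern is constructed for the example.

```python
"""Signature scanning versus allowlisting (added illustration, not from the course notes).

A hash blocklist and a byte-pattern signature (both blacklisting) stop only
what has been seen before, while an allowlist of approved hashes
(whitelisting) stops anything not explicitly approved. The "files" are short
byte strings standing in for executables, all constructed.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample files: name -> contents
FILES = {
    "payroll.exe":   b"approved payroll application v3.1",
    "browser.exe":   b"approved browser build 118",
    "dropper.exe":   b"MALWARE-FAMILY-A dropper routine",
    "dropper2.exe":  b"MALWARE-FAMILY-A dropper routine",            # renamed copy
    "mutant.exe":    b"MALWARE-FAMILY-A dropper routine, repacked",  # polymorphic variant
    "newtool.exe":   b"never-before-seen binary",
}

# Blacklisting inputs: exact hashes of known samples and a byte pattern shared by a family
KNOWN_BAD_HASHES = {sha256_hex(b"MALWARE-FAMILY-A dropper routine")}
FAMILY_PATTERNS = [b"MALWARE-FAMILY-A"]

# Whitelisting input: hashes of the only binaries approved to run
APPROVED_HASHES = {sha256_hex(FILES["payroll.exe"]), sha256_hex(FILES["browser.exe"])}


def hash_blocklist(data: bytes) -> str:
    """Blacklisting by exact hash: anything not known-bad is allowed."""
    return "block" if sha256_hex(data) in KNOWN_BAD_HASHES else "allow"


def pattern_signature(data: bytes) -> str:
    """Blacklisting by byte pattern: catches lightly modified relatives, still default-allow."""
    return "block" if any(p in data for p in FAMILY_PATTERNS) else "allow"


def hash_allowlist(data: bytes) -> str:
    """Whitelisting: only pre-approved hashes run; a rename changes nothing."""
    return "allow" if sha256_hex(data) in APPROVED_HASHES else "block"


def scan(files=FILES) -> dict:
    """Name -> (hash blocklist, pattern signature, hash allowlist) decisions."""
    return {name: (hash_blocklist(d), pattern_signature(d), hash_allowlist(d))
            for name, d in files.items()}


if __name__ == "__main__":
    for name, (bl, sig, al) in scan().items():
        print(f"{name:14s} blocklist={bl:5s} signature={sig:5s} allowlist={al}")
```

The renamed copy is caught by every policy because the hash is of the contents, not the file name. The repacked variant slips past the exact-hash blocklist but not the family pattern, and the never-seen binary slips past both blacklisting checks; only the allowlist stops it, at the cost of having to approve every legitimate update explicitly.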
Encryption: The process of converting an original message (plaintext) into a form (ciphertext) that cannot be read by anyone except the intended recipient. It uses mathematical algorithms and keys.
Purpose: Ensures confidentiality and data integrity during transmission or storage.
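The two purposes named above, confidentiality and integrity, are provided by two different mechanisms, and the integrity check must be verified before anything is decrypted. The following is an added example, not code from the course notes: confidentiality comes from XORing the plaintext with a keystream produced by HMAC-SHA256 in counter mode (a pseudorandom function used as a stream cipher, chosen only because it needs nothing beyond the standard library), and integrity from a second HMAC key over the nonce and ciphertext. The master secret, nonce and message are constructed; production code should use a vetted authenticated cipher such as AES-GCM rather than this hand-built construction.

```python
"""Encrypt-then-MAC worked example (added illustration, not from the course notes).

Confidentiality: plaintext XOR keystream, where the keystream is HMAC-SHA256
over (nonce, counter). Integrity: a second key authenticates nonce+ciphertext;
a modified message or wrong key is rejected before any decryption happens.
Keys, nonce and message are constructed; use a vetted AEAD in production.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master: bytes) -> tuple:
    """Separate encryption and authentication keys derived from one secret."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. A fresh random nonce is used unless one is given."""
    enc_key, mac_key = derive_keys(master)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master: bytes, message: bytes) -> bytes:
    """Verify the tag first; only then recover the plaintext."""
    enc_key, mac_key = derive_keys(master)
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = (message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN],
                              message[-TAG_LEN:])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message modified or wrong key")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    secret = b"constructed-master-secret"
    blob = encrypt(secret, b"quarterly results: confidential")
    print(blob.hex())
    print(decrypt(secret, blob))
    tampered = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]
    try:
        decrypt(secret, tampered)
    except ValueError as err:
        print("rejected:", err)
```

Flipping a single bit of the ciphertext is detected by the tag, which is the integrity guarantee; without the tag, the same bit flip would silently change one byte of the decrypted plaintext, since XOR stream encryption alone gives confidentiality but no integrity at all.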
Virtual Private Networking (VPN): Creates a secure