CHAPTER OBJECTIVES
- Introduction to Information Security
- Unintentional Threats to Information Security
- Deliberate Threats to Information Security
- What Organizations Are Doing to Protect Information Resources
- Information Security Controls
Information security refers to all of the processes and policies designed to protect an organization’s information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
A threat to an information resource is any danger to which a system may be exposed.
The exposure of an information resource is the harm, loss or damage that can result if a threat compromises that resource.
Five Factors Increasing the Vulnerability of Information Resources:
* Today’s interconnected, interdependent, wirelessly-networked business environment
* Smaller, faster, cheaper computers and storage devices
* Decreasing skills necessary to be a hacker
* Organized crime taking over cybercrime
* Lack of management support
Organizations and individuals are now exposed to untrusted networks. An untrusted network, in general, is any network external to your organization. The Internet, by definition, is an untrusted network.
Most Dangerous Employees
The biggest threat to the security of an organization’s information assets is the company’s employees. In fact, the most dangerous employees are those in human resources and MIS. HR employees have access to sensitive personal data on all employees. MIS employees not only have access to sensitive personal data, but also control the means to create, store, transmit, and modify these data.
Human Errors
- Carelessness with laptops and portable computing devices
- Opening questionable e-mails
- Careless Internet surfing
Social Engineering
Social engineering is an attack where the attacker uses social skills to trick a legitimate employee into providing confidential company information such as passwords.
Social engineering is typically an unintentional human error on the part of an employee, but it is the result of a deliberate action on the part of an attacker.
There are many types of deliberate attacks including:
• Espionage or trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property
• Software attacks
• Alien software
• Supervisory control and data acquisition (SCADA) attacks
• Cyberterrorism and cyberwarfare
Risk Management
Risk. The probability that a threat will impact an information resource.
Risk management. To identify, control and minimize the impact of threats.
Risk analysis. To assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.
Risk mitigation is when the organization takes concrete actions against risk. It has two functions:
(1) implementing controls to prevent identified threats from occurring, and
(2) developing a means of recovery should the threat become a reality.
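The risk analysis and mitigation decision described above, worked through in code. This is an added illustration, not material from the chapter; the asset values, probabilities and control costs are constructed sample figures, and the cost-versus-benefit rule (implement a control only when it costs less than the expected loss it avoids) is one common way to apply the comparison the text describes.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    loss_if_compromised: float   # value of the asset at risk, in currency units
    annual_probability: float    # estimated chance of compromise per year


@dataclass
class Control:
    name: str
    annual_cost: float           # cost of protecting the asset per year
    residual_probability: float  # estimated chance of compromise with the control in place


def expected_annual_loss(loss: float, probability: float) -> float:
    """Probable cost of compromise per year: loss x probability."""
    return loss * probability


def evaluate_control(asset: Asset, control: Control) -> dict:
    """Risk analysis for one asset/control pair: compare the expected loss the
    control avoids with the cost of the control itself."""
    before = expected_annual_loss(asset.loss_if_compromised, asset.annual_probability)
    after = expected_annual_loss(asset.loss_if_compromised, control.residual_probability)
    avoided = before - after
    return {
        "asset": asset.name,
        "control": control.name,
        "expected_loss_before": before,
        "expected_loss_after": after,
        "net_benefit": avoided - control.annual_cost,
        "worthwhile": avoided > control.annual_cost,
    }


def plan_mitigation(pairs) -> list:
    """Risk mitigation: list the controls worth implementing; for the rest the
    organization accepts the risk and relies on its recovery plan."""
    return [r["control"] for r in (evaluate_control(a, c) for a, c in pairs) if r["worthwhile"]]


# Constructed sample figures (hypothetical, for illustration only)
SAMPLE_PAIRS = [
    (Asset("customer database", 500_000, 0.10),
     Control("database encryption and access controls", 20_000, 0.02)),
    (Asset("spare office laptop", 2_000, 0.20),
     Control("laptop tracking service", 1_000, 0.05)),
]

if __name__ == "__main__":
    for asset, control in SAMPLE_PAIRS:
        print(evaluate_control(asset, control))
    print("implement:", plan_mitigation(SAMPLE_PAIRS))
```

With these figures the database control avoids 40,000 of expected loss for a cost of 20,000 and is implemented, while the laptop control costs more than the 300 it would avoid and is rejected.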
Information Security Controls
Access Controls