securing information systems
play

Securing Information Systems Barbarians at the Gateway Learning - PDF document

Apr 08, 2024 •392 likes •610 views

10/16/2013 Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches are on the rise Understand the potentially damaging impact of security breaches Security must be made a top organizational

  1. 10/16/2013 Securing Information Systems Barbarians at the Gateway Learning Objectives • Security breaches are on the rise • Understand the potentially damaging impact of security breaches • Security must be made a top organizational priority • Understand the source and motivation of those initiating information security attacks • Recognize the potential entry points for security compromise 1-2 1

  2. 10/16/2013 Learning Objectives • Understand infiltration techniques such as social engineering, phishing, malware, Web site compromises (such as SQL injection), and more • Identify various methods and techniques to thwart infiltration • Identify critical steps to improve your individual and organizational information security • Recognize the major information security issues that organizations face; as well as the resources, methods, and approaches that can help make firms more secure 1-3 Introduction • Business establishments are increasingly under risk of information security threats – Network in TJX retail store was infiltrated via an insecure Wi-Fi base station – 45.7 million credit and debit card numbers were stolen – Driver’s licenses and other private information pilfered from 450,000 customers – TJX suffered under settlement costs and court-imposed punitive action to the tune of $150 million – Even without lawsuit liabilities , Forrester Research estimates that the cost to TJX for the data breach could surpass $1 billion over five years . 1-4 2

  3. 10/16/2013 The TJX Breach Factors that amplified severity of TJX security breach are: • – Personnel betrayal: An alleged FBI informant used insider information to mastermind the attacks – Management gaffe : Executives made conscious decisions not to upgrade legacy systems that were vulnerable to security compromises – Technology lapse: TJX used WEP , a insecure wireless security technology • failed to follow the most basic security measures like installing antivirus software, upgrading wireless security, encrypting data, and creating and using access controls, and establishing information system controls (general and application). – Procedural gaffes: TJX had received an extension on the rollout of mechanisms that might have discovered and plugged the hole before the hackers got in • Also willfully violated the Payment Card Industry (PCI) Data Security Standard by holding onto data for years 1-5 Lessons Learned • Information security must be a top organizational priority Item number: 95409048 • Information security isn’t just a technology problem; a host of personnel and procedural factors can create and amplify a firm’s vulnerability • A constant vigilance regarding security needs to be part of individual skill sets and a key component of organizations’ culture 1-6 3

  4. 10/16/2013 System Vulnerability and Abuse • An unprotected computer connected to Internet may be disabled within seconds • Security: • Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems • Controls: • Methods, policies, and organizational procedures that ensure safety of organization’s assets; accuracy and reliability of its accounting records; and operational adherence to management standards System Vulnerability and Abuse Why Systems Are Vulnerable • Hardware problems • Breakdowns, configuration errors, damage from improper use or crime • Software problems • Programming errors, installation errors, unauthorized changes • Disasters • Power failures, flood, fires, and so on • Use of networks and computers outside of firm’s control • E.g., with domestic or offshore outsourcing vendors 4

  5. 10/16/2013 System Vulnerability and Abuse Contemporary Security Challenges and Vulnerabilities Figure 7-1 The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network. System Vulnerability and Abuse Internet vulnerabilities • Network open to anyone • Size of Internet means abuses can have wide impact • Use of fixed Internet addresses with permanent connections to Internet eases identification by hackers • E-mail attachments • E-mail used for transmitting trade secrets • IM messages lack security, can be easily intercepted 5

  6. 10/16/2013 Compromising Web Sites SQL injection technique exploits sloppy programming practices • that do not validate user input – input SQL statements in a web form to get a badly designed website to dump the database content to the attacker – IBM identifies SQL injection as the fastest growing security threat, with over half a million attack attempts recorded each day. – Firms have to check the integrity of their Web sites for vulnerabilities • Related programming exploits: – DNS cache poisoning exploits • can redirect Internet address to IP address mapping and the consequences are huge. – Cross-site scripting attacks • may be used by attackers to bypass access controls accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of 2007 1-11 Securing Wireless Networks - Challenges • Radio frequency bands easy to scan • SSIDs (service set identifiers) • Identify access points. • Broadcast multiple times. • War driving • Eavesdroppers drive by buildings and try to intercept network traffic • When hacker gains access to SSID, has access to network’s resources • WEP (Wired Equivalent Privacy) • Security standard for 802.11 • The WEP specification calls for an access point and its users to share the same 40- bit encrypted password. • Basic specification uses shared password for both users and access point • Users often fail to use security features • Assigning unique name to network’s SSID TJX fiasco – used WPA • • Wi-Fi Alliance finalized WAP2 specification, replacing WEP with stronger standards • Continually changing keys • Encrypted authentication system with central server 6

  7. 10/16/2013 System Vulnerability and Abuse Wi-Fi Security Challenges Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization. Figure 7-2 Malicious Software: Viruses, Worms, Trojan Horses, and Spyware • Malware • Viruses (email, IM, video, data files downloaded etc) • Rogue software program that attaches itself to other software programs or data files in order to be executed • Most antivirus software is effective against only those viruses already known when the software is written. • Worms • Independent computer programs that copy themselves from one computer to other computers over a network • Trojan horses • Software program that appears to be benign but then does something other than expected. • In 2004, users were enticed by a sales message from a supposed anti-virus vendor. • On the vendor’s site, a small program called Mitglieder was downloaded to the user’s machine. The program enabled outsiders to infiltrate the user’s machine. 7

  8. 10/16/2013 Malicious Software: Viruses, Worms, Trojan Horses, and Spyware • Malware (cont.) • Spyware • Small programs install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising • Key loggers • Record every keystroke on computer to steal serial numbers, passwords, launch Internet attacks Cookies • Cookie – a small file that contains information about you and your Web activities, which a Web site places on your computer • Handle cookies by using – Web browser cookie management option – Buy a program that manages cookies • Not executable, cannot deliver a virus or other malicious code • Only web server that delivered it can read it • Your computer can store cookies from many web sites • May be a security risk if it is implemented poorly on site that you have shared personal information with and rely on cookies to access it – Anyone who can access the cookie on your hard drive can now access that personal information – Most reputable sites to not rely on cookies for authentication alone. 8-16 8

  9. 10/16/2013 Hackers and Computer Crime • Activities include: • System intrusion • System damage • Cybervandalism • Intentional disruption, defacement, destruction of Web site or corporate information system Hackers and Computer Crime • Computer crime • D efined as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution” • Computer may be target of crime: • Breaching confidentiality of protected computerized data • Accessing a computer system without authority • Computer may be instrument of crime: • Theft of trade secrets • Using e-mail for threats or harassment 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Securing Software Systems by Preventing Information Leaks Kangjie Lu Georgia Institute of

Securing Software Systems by Preventing Information Leaks Kangjie Lu Georgia Institute of

Securing Software Systems by Preventing Information Leaks Kangjie Lu Georgia Institute of Technology Computer devices are everywhere 2 Foundational software systems 3 Inherent insecurity: Vulnerabilities and insecure designs Implemented in

774 views • 74 slides
Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach;

Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach;

Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach; using old security practices Solution: Initiative to use minimal up-to-date industry practices, for example, salting passwords Illustrates

1.38k views • 56 slides
Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach;

Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach;

10/29/2014 Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach; using old security practices Solution: Initiative to use minimal up-to-date industry practices, for example, salting passwords

540 views • 28 slides
Securing distributed systems with information flow control Nickolai Zeldovich Silas

Securing distributed systems with information flow control Nickolai Zeldovich Silas

Securing distributed systems with information flow control Nickolai Zeldovich Silas Boyd-Wickizer David Mazires Traditional web applications: lots of trusted (yellow) code HTTP User's Application User's browser front Database User's

1.16k views • 66 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
Securing Information Systems Reading: Laudon & Laudon chapter 7 Additional Reading: Brien

Securing Information Systems Reading: Laudon & Laudon chapter 7 Additional Reading: Brien

Securing Information Systems Reading: Laudon & Laudon chapter 7 Additional Reading: Brien & Marakas chapter 11 COMP 5131 1 Outline System Vulnerability and Abuse Business Value of Security and Control Establishing

734 views • 40 slides
Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

www.securing.pl Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl @_r3ggi wojciech.regula@securing.pl www.securing.pl www.securing.pl WHOAMI -Senior IT Security Consultant @ SecuRing -Focused on

998 views • 67 slides
RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6

RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6

RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6 Abraham A. Clements 3,4,5 Saurabh Bagchi 1,4 Mathias Payer 2,5 1 2 3 4 5 6 Sandia National Laboratories is a multimission laboratory managed and

771 views • 59 slides
Practical approaches to managing and securing cyber-physical systems Sanjiv Doshi, Principal

Practical approaches to managing and securing cyber-physical systems Sanjiv Doshi, Principal

Practical approaches to managing and securing cyber-physical systems Sanjiv Doshi, Principal Engineer - Cisco Nov 2018 Ciscos take on Cyber-Physical Systems Cyber-Physical Systems are fundamentally integration of three components

321 views • 13 slides
Securing Your Social Media Strategy enterprisebanking.com/non-profit Disclaimer The information

Securing Your Social Media Strategy enterprisebanking.com/non-profit Disclaimer The information

Securing Your Social Media Strategy enterprisebanking.com/non-profit Disclaimer The information contained in this presentation as well as the comments of the presenters, do not necessarily represent the views, positions, or opinions of

774 views • 45 slides
Overview Security Maintenance Practices and Principles Securing Operating Systems Patches,

Overview Security Maintenance Practices and Principles Securing Operating Systems Patches,

Overview Security Maintenance Practices and Principles Securing Operating Systems Patches, Fixes, Revisions Antivirus Software Post-Install Security Checklist: Windows/UNIX File System Security Issues Chapter 10 User

361 views • 8 slides
Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken

Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken

Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken Wai-Kin Au School of Computing Science University of Glasgow Zhaohui Tang School of Infocomm Republic Polytechnic, Singapore 1 Introduction

576 views • 21 slides
Securing Real-Time Microcontroller Systems through Customized Memory View Switching Wh What are

Securing Real-Time Microcontroller Systems through Customized Memory View Switching Wh What are

Slide-deck for Graduate Computer Security (CS563) Fall 2018 University of Illinois Prof. Adam Bates Securing Real-Time Microcontroller Systems through Customized Memory View Switching Wh What are Real-ti time Mi Microcontrollers?

235 views • 19 slides
Securing the Future of our Coastline Information Session Theme 1 Tuesday 16 th June 2020 Welcome

Securing the Future of our Coastline Information Session Theme 1 Tuesday 16 th June 2020 Welcome

Securing the Future of our Coastline Information Session Theme 1 Tuesday 16 th June 2020 Welcome and Introductions Acknowledgement of Country Welcome to: Jeff Tate, incoming Presiding Member, Coast Protection Board Annabel

1.25k views • 104 slides
Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with

Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with

Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with Brian Levine & Patrick Stahlberg) University of Massachusetts, Amherst History a record of past data and operations performed on a system.

777 views • 29 slides
Securing telephone-based card payment data An introduction to the new PCI SSC information

Securing telephone-based card payment data An introduction to the new PCI SSC information

v1.2 Securing telephone-based card payment data An introduction to the new PCI SSC information supplement on delivering PCI DSS compliance in the MOTO channel World leading experts in achieving and maintaining PCI DSS compliance in contact

295 views • 25 slides
What is Social n Information Engineering? n Access to computer system n Revenge 2/15/12

What is Social n Information Engineering? n Access to computer system n Revenge 2/15/12

Thompson Consulting Group, LLC Disclaimer WWW.TgroupOnline.Com This course provides a basic overview of Social Engineering, and is not legal advice. There is no warranty, expressed or implied, in connection with making this program

340 views • 6 slides
Todays Presenters Ken McDonnell Financial Education Program Analyst, Office of Financial

Todays Presenters Ken McDonnell Financial Education Program Analyst, Office of Financial

Todays Presenters Ken McDonnell Financial Education Program Analyst, Office of Financial Education, Division of Consumer Education and Engagement, Consumer Financial Protection Bureau Thea Hart Adult Services Librarian, Springfield

928 views • 43 slides
SCAMS FRAUD and ABUSE! Observations and Lessons Even the best of us can let out guard

SCAMS FRAUD and ABUSE! Observations and Lessons Even the best of us can let out guard

8/28/2019 Cha harlottesville/Albemarle TRIA RIAD SCAMS FRAUD and ABUSE! Observations and Lessons Even the best of us can let out guard down If you dont recognize the caller Dont answer the phone Or..Just hang up

48 views • 4 slides
Money Smart Week: Debt Management / Credit Repair State of Connecticut Department of Banking

Money Smart Week: Debt Management / Credit Repair State of Connecticut Department of Banking

Money Smart Week: Debt Management / Credit Repair State of Connecticut Department of Banking Bristol Public Library April 23, 2013 Goals For you to benefit from every federal, State, and local program--- that you qualify for Provide

811 views • 31 slides
RETAIL SECURITY Characteristics, challenges and solutions for retail security High street and

RETAIL SECURITY Characteristics, challenges and solutions for retail security High street and

RETAIL SECURITY Characteristics, challenges and solutions for retail security High street and mall stores Different types of retail require different security Low-high value goods systems, but there are Medium volume of goods several

598 views • 11 slides
Reverse Mortgages The opportunity for brokers post major bank exits 13 March 2019 Agenda

Reverse Mortgages The opportunity for brokers post major bank exits 13 March 2019 Agenda

Reverse Mortgages The opportunity for brokers post major bank exits 13 March 2019 Agenda Heartland overview Growing demand Market insights Heartland Reverse Mortgage Criteria Fulfilment process and client safeguards

493 views • 28 slides
to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection

to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection

Fake Antivirus- Journey from Trojan to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection Vectors Packer Evolution How do they work ? DeepSec 2011 Introduction Fake AntiVirus (FakeAV) is a

794 views • 51 slides
Nobel Laureates 2007 Physics: Chemistry: Prof. Peter Grnberg, Prof. Gerhard Ertl, FZ Jlich

Nobel Laureates 2007 Physics: Chemistry: Prof. Peter Grnberg, Prof. Gerhard Ertl, FZ Jlich

Nobel Laureates 2007 Physics: Chemistry: Prof. Peter Grnberg, Prof. Gerhard Ertl, FZ Jlich Fritz Haber Institut der and MPG, Berlin Prof. Albert Fert, Paris Giant Magneto Resistance: GMR Electrical resistance of stacked magnetic

1.07k views • 48 slides

More recommend