1. CHAPTER 3 Ethics, Privacy and Information Security Before, during, or after this chapter, you might want to show your students the PBS video entitled “Cyberwar”. It was made in 2003, but the topics remain current today (particularly in light of the cyber attacks on Estonia and the Republic of Georgia). Further, see the report on the cyber attack on the U.S. electrical grid in the Wall Street Journal, April 8, 2009.
2. CHAPTER OUTLINE 3.1 Ethical Issues
3.2 Threats to Information Security
3.3 Protecting Information Resources 
3. LEARNING OBJECTIVES Describe the major ethical issues related to information technology and identify situations in which they occur.
Describe the many threats to information security.
Understand the various defense mechanisms used to protect information systems.
Explain IT auditing and planning for disaster recovery. 
4. NASA Loses Secret Information for Years NASA is the subject of the chapter opening case. If you click on the NASA logo, you will go to the NASA home page.
5. Ethical Issues Ethics
Code of Ethics
Ethics is a branch of philosophy that deals with what is considered to be right and wrong.
A Code of Ethics is a collection of principles that are intended to guide decision making by members of an organization.
6. Fundamental Tenets of Ethics Responsibility
Accountability
Liability
Responsibility means that you accept the consequences of your decisions and actions.
Accountability means a determination of who is responsible for actions that were taken.
Liability is a legal concept meaning that individuals have the right to recover the damages done to them by other individuals, organizations, or systems.
7. Unethical vs. Illegal What is unethical is not necessarily illegal.
Ethics scenarios
The link will take you to online Appendix W3.1 for 14 ethics scenarios. Each of these scenarios elicits interesting class discussion, because none is particularly “clear cut” as to what the “right thing to do” is.
8. The Four Categories of Ethical Issues Privacy Issues
Accuracy Issues
Property Issues
Accessibility Issues
Privacy issues involve collecting, storing and disseminating information about individuals.
Accuracy issues involve the authenticity, fidelity and accuracy of information that is collected and processed.
Property issues involve the ownership and value of information.
Accessibility issues revolve around who should have access to information and whether they should have to pay for this access.
9. Privacy Issues
10. You Be the Judge 
11. Privacy Court decisions have followed two rules:
(1) The right of privacy is not absolute. Your privacy must be balanced against the needs of society.
(2) The public’s right to know is superior to the individual’s right of privacy.
Privacy is the right to be left alone and to be free of unreasonable personal intrusions.
12.      Threats to Privacy Data aggregators, digital dossiers, and profiling
Electronic Surveillance
Personal Information in Databases
Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites 
 
13. Data Aggregators, Digital Dossiers, and Profiling Data aggregators are companies that collect public data (e.g., real estate records, telephone numbers) and nonpublic data (e.g., social security numbers, financial data, police records, motor vehicle records) and integrate them to produce digital dossiers.
A digital dossier is an electronic description of you and your habits.
Profiling is the process of creating a digital dossier.
The three logos are well-known data aggregators. Clicking on each logo will take you to the respective home page of that company.
14. Electronic Surveillance Electronic surveillance is the tracking of people’s activities, online or offline, with the aid of computers.
The image demonstrates that many people are blissfully unaware that they can be under electronic surveillance while they are using their computers.
15. Electronic Surveillance See "The State of Surveillance" article in BusinessWeek
See the surveillance slideshow
See additional surveillance slides
And you think you have privacy? (video)
Sense-through-the-Wall
The BusinessWeek article is an interesting look at the state of surveillance today.
The surveillance slideshow accompanies the BusinessWeek article.
The additional surveillance slides show modern surveillance equipment.
The video is a tongue-in-cheek look at how little privacy all of us have left. It is a good example of the impact that data aggregators, digital dossiers, and profiling might have in the very near future.
Sense-through-the-Wall is a technology by Oceanit (www.oceanit.com) that allows you to see if anyone is in a building, prior to entering, by detecting a person’s heartbeat and respiration. Clicking on the link will show a brief animation of this technology.
16. Personal Information in Databases Banks
Utility companies
Government agencies
Credit reporting agencies
Information about individuals is kept in many databases: banks, utility companies, government agencies, etc.; the most visible are the credit-reporting agencies.
Equifax, TransUnion, and Experian are the three best-known credit reporting agencies.
Clicking on the logo of each company will take you to its homepage.
17. Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites Social networking sites often include electronic discussions such as chat rooms. These sites appear on the Internet, within corporate intranets, and on blogs.
A blog (Weblog) is an informal, personal journal that is frequently updated and intended for general public reading.
The logos represent popular social networking sites. Clicking on a logo will take you to the respective home page.
18. Social Networking Sites Can Cause You Problems
Anyone can post derogatory information about you anonymously. (See this Washington Post article.)
You can also hurt yourself, as this article shows.
The second article shows students how information they (or others) post to social networking sites can impact their lives, in particular their job search. This information may take the form of text, images, etc.
19. What Can You Do? First, be careful what information you post on social networking sites.
Second, a company, ReputationDefender, says it can remove derogatory information from the Web. Clicking on the ReputationDefender logo will take you to its homepage.
20. Protecting Privacy Privacy Codes and Policies
Opt-out Model
Opt-in Model
Privacy codes and policies are an organization’s guidelines with respect to protecting the privacy of customers, clients, and employees.
The opt-out model of informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected.
The opt-in model of informed consent means that organizations are prohibited from collecting any personal information unless the customer specifically authorizes it. (Preferred by privacy advocates.)
International aspects of privacy: the privacy issues that international organizations and governments face when information spans countries and jurisdictions.
21. 3.2 Threats to Information Security 
22. Factors Increasing the Threats to Information Security Today’s interconnected, interdependent, wirelessly-networked business environment
Government legislation
Smaller, faster, cheaper computers and storage devices
Decreasing skills necessary to be a computer hacker
* Organizations and individuals are now exposed to untrusted networks. An untrusted network, in general, is any network external to your organization. The Internet, by definition, is an untrusted network.
* Government legislation: Gramm-Leach-Bliley Act; Health Insurance Portability and Accountability Act (HIPAA)
* Examples of small, cheap storage devices: thumb drives (flash drives), iPods, etc.
23. Decreasing Skill Necessary to be a Hacker
24. Factors Increasing the Threats to Information Security (continued) International organized crime turning to cybercrime
Downstream liability
Increased employee use of unmanaged devices
Lack of management support
Downstream liability occurs when Company A’s systems are attacked and taken over by the perpetrator. Company A’s systems are then used to attack Company B. Company A could be sued successfully by Company B if Company A cannot prove that it exercised due diligence in securing its systems.
Due diligence means that a company takes all necessary security precautions, as judged by commonly accepted best practices.
Unmanaged devices are those outside the control of the IT department. Examples include devices in hotel business centers, customer computers, and computers in restaurants such as McDonald's, Panera, Starbucks, etc.
Lack of management support takes many forms: insufficient funding, technological obsolescence, and lack of attention.
25. A Look at Unmanaged Devices 
26. Key Information Security Terms Threat
Exposure
Vulnerability
Risk
Information system controls
A threat to an information resource is any danger to which a system may be exposed.
The exposure of an information resource is the harm, loss or damage that can result if a threat compromises that resource.
A system’s vulnerability is the possibility that the system will suffer harm from a threat; in practice it is a specific weakness (an unpatched service, a weak password policy) that a threat can exploit.
Risk is the likelihood that a threat will occur. When comparing risks, weigh that likelihood against the exposure: a likely but harmless event matters less than a rare but catastrophic one.
Information system controls are the procedures, devices, or software aimed at preventing a compromise to the system.
27.          Security Threats (Figure 3.1) 
28. Categories of Threats to Information Systems Unintentional acts
Natural disasters
Technical failures
Management failures
Deliberate acts
(from Whitman and Mattord, 2003)
Example of a threat (video)
Whitman, M. E. & Mattord, H. (2003). Principles of Information Security. Course Technology, Boston, MA.
The threat video shows how a manufacturing system could be compromised.
29.      Unintentional Acts Human errors
Deviations in quality of service by service providers (e.g., utilities)
Environmental hazards (e.g., dirt, dust, humidity) 
30.       Human Errors Tailgating
Shoulder surfing
Carelessness with laptops and portable computing devices
Opening questionable e-mails
Careless Internet surfing
Poor password selection and use
And more 
31. Anti-Tailgating Door To deter tailgating, many companies have anti-tailgating doors protecting the entrance into high-security areas. Note that only one person at a time can go through this door.
32. Shoulder Surfing Shoulder surfing occurs when the attacker watches another person’s computer screen over that person’s shoulder. It is particularly dangerous in public areas such as airports, commuter trains, and airplanes.
33. Most Dangerous Employees Human resources and MIS As we are discussing human errors, we should note that the biggest threat to the security of an organization’s information assets is the company’s own employees.
In fact, the most dangerous employees are those in human resources and MIS. HR employees have access to sensitive personal data on all employees. MIS employees not only have access to sensitive personal data, but control the means to create, store, transmit, and modify these data.
The image represents how a human resources or MIS employee has access to, or controls, sensitive information in the organization.
34. Social Engineering 60 Minutes Interview with Kevin Mitnick, the “King of Social Engineering”
Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him.
See his company here
Social engineering is an attack where the attacker uses social skills to trick a legitimate employee into providing confidential company information such as passwords.
Social engineering typically exploits an unintentional human error on the part of an employee, but it is the result of a deliberate action on the part of an attacker.
The video shows Kevin Mitnick being interviewed by Ed Bradley of “60 Minutes.” It is interesting to note Mitnick’s reaction as to whether or not he considered himself to be a criminal.
35. Natural Disasters 
36. Deliberate Acts Espionage or trespass
Information extortion
Sabotage or vandalism
Theft of equipment or information
For example, dumpster diving
Espionage or trespass: Competitive intelligence consists of legal information-gathering techniques. Industrial espionage crosses the legal boundary.
The two images show dumpster divers. Many dumpster divers wear protective clothing and use snorkels, as it is not a good idea to receive cuts from items in the dumpster, and the air is foul.
The tiny size of the Sony Microvault thumb drive illustrates how easy it is to steal these devices.
37. Deliberate Acts (continued) Identity theft video
Compromises to intellectual property
The identity theft video gives an excellent overview of the problem and how it affects lives. The video continues with a look at how to prevent identity theft.
Compromises to intellectual property:
Intellectual property is property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.
A trade secret is intellectual work, such as a business plan, that is a company secret and is not based on public information.
A patent is a document that grants the holder exclusive rights on an invention or process for 20 years.
Copyright is a statutory grant that provides creators of intellectual property with ownership of the property for the life of the creator plus 70 years.
Piracy is copying a software program without making payment to the owner.
38. Deliberate Acts (continued) Software attacks
Virus
Worm
1988: first widespread worm, created by Robert T. Morris, Jr.
(see the rapid spread of the Slammer worm)
Trojan horse
Logic Bomb
A virus is a segment of computer code that performs malicious actions by attaching to another computer program.
A worm is a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program.
A Trojan horse is a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send it to the creator of the Trojan horse.
A logic bomb is a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time and date.
39. Software attacks (continued)
Phishing attacks
Phishing slideshow
Phishing quiz
Phishing example
Phishing example
Distributed denial-of-service attacks
See botnet demonstration
Phishing attacks use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.
The phishing slideshow presents a nice demonstration of how phishing works.
The phishing quiz presents a variety of e-mails. You must decide which are legitimate and which are phishing attempts.
The phishing examples show actual phishing attempts.
In a distributed denial-of-service attack, the attacker first takes over many computers. These computers are called zombies or bots. Together, these bots form a botnet. The attacker then has every bot send traffic to the target at once; because each bot individually sends only a modest amount, the flood cannot be stopped by blocking or rate-limiting single sources.
The botnet demonstration shows how botnets are created and how they work.
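As an added example (not part of the textbook slides), the following Python script shows what a botnet flood looks like from the defender's side: it parses web-server access-log lines and flags any ten-second window in which one path is hit by many distinct source addresses at once. The log lines are constructed for the demo (198.51.100.0/24 and 203.0.113.0/24 are documentation address ranges; the paths and timestamps are invented), and the thresholds are assumptions a real site would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style access-log line, e.g.
# 203.0.113.7 - - [08/Apr/2009:12:02:10 +0000] "GET /login HTTP/1.1" 503 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return {'ip', 'ts', 'path', 'status'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": m.group("status")}


def detect_floods(lines, window=10, min_sources=10, min_requests=30):
    """Bucket requests by (path, time window) and flag buckets hit by many distinct sources.

    Per-source rate limiting does not catch a botnet flood because each bot
    sends only a handful of requests; the tell is the number of *distinct*
    sources converging on one path in a short window.
    """
    buckets = defaultdict(list)  # (path, window index) -> list of source IPs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["path"], int(rec["ts"].timestamp()) // window)
        buckets[key].append(rec["ip"])

    alerts = []
    for (path, idx), ips in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        distinct = len(set(ips))
        if distinct >= min_sources and len(ips) >= min_requests:
            alerts.append({
                "path": path,
                "window_start": datetime.fromtimestamp(idx * window, tz=timezone.utc),
                "requests": len(ips),
                "sources": distinct,
                "max_per_source": max(ips.count(ip) for ip in set(ips)),
            })
    return alerts


def build_sample_log():
    """Constructed sample: two minutes of ordinary browsing, then a 20-bot flood of /login."""
    base = datetime(2009, 4, 8, 12, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, path, status="200"):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512'

    lines = []
    for i in range(12):  # three legitimate clients, one request every ten seconds
        path = "/login" if i % 2 == 0 else "/index.html"
        lines.append(fmt(f"198.51.100.{i % 3 + 1}", base + timedelta(seconds=10 * i), path))
    for bot in range(20):  # twenty bots, two requests each, all inside a five-second span
        for k in range(2):
            offset = 130 + (bot * 2 + k) % 5
            lines.append(fmt(f"203.0.113.{bot + 1}", base + timedelta(seconds=offset), "/login", "503"))
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

The reason the report carries max_per_source is that each bot sent only two requests, far below anything a per-client rate limit would notice; only the count of distinct sources converging on /login reveals the botnet.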
40. Deliberate Acts (continued) Software attacks (continued)
Can you be Phished? This video won the Grand Prize at the 2006 EDUCAUSE Computer Security Awareness Video Contest. It takes a humorous, tongue-in-cheek look at college students and their lack of information security awareness.
41. How to Detect a Phish E-mail 
42. Is the email really from eBay, or PayPal, or a bank? 
As spammers get better, their emails look more genuine. How do you tell if it’s a scam phishing for personal information? Here’s how ...
43. Is the email really from eBay, or PayPal, or a bank? As an example, here is what the email said:
Return-path: <service@paypal.com>
From: "PayPal"<service@paypal.com>
Subject: You have 1 new Security Message Alert !
Note that they even give advice in the right column about security. Note also that the Return-path and From headers are written by the sender and prove nothing: a forged message can carry paypal.com in both.
44. Example Continued – bottom of the email 
45. How to see what is happening View Source In Outlook, right click on the email and click ‘View Source’.
In GroupWise, open the email and click on the Message Source tab.
In Mozilla Thunderbird, click on View, then Source.
Below is the part of the text that makes the email look official – the images came from the PayPal website.
46. View Source – The Real Link In the body it said, “If you are traveling, ‘Travelling Confirmation Here’.”
Here is where you are really being sent:
href=3Dftp://futangiu:futangiu@209.202.224.140/index.htm
(The “=3D” is quoted-printable encoding for “=”, which is why the raw source reads “href=3D” rather than “href=”.)
Notice that the link is not only not PayPal: it is a bare IP address, reached over ftp, with a username and password embedded in the URL. Any one of these is a giveaway of a fraudulent link.
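To make the checks in slides 41 to 46 mechanical, here is an added Python example (my own, not the textbook's) that takes a raw message, decodes the quoted-printable body so that href=3D becomes href=, extracts every link, and reports the giveaways discussed above: a non-HTTP scheme, credentials embedded in the URL, a bare IP address as host, and, going one step beyond the slide, link text that shows one domain while the target is another. The sample message is constructed for the demo: the first link is the one from the slide, the other two (a lookalike host www.paypal.com.example.net and a clean https://www.paypal.com/help) are assumptions added to show a mismatch and a benign case. The two-label registrable() helper is a simplification that ignores suffixes such as co.uk.

```python
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the PayPal phish above: sender headers
# forged to paypal.com, body quoted-printable encoded (so "=" shows up as "=3D"),
# and the "Travelling Confirmation" link pointing at the address from the slide.
SAMPLE_PHISH = """\
Return-Path: <service@paypal.com>
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: You have 1 new Security Message Alert !
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body>
<p>If you are traveling, <a href=3D"ftp://futangiu:futangiu@209.202.224.140/index.htm">Travelling Confirmation Here</a></p>
<p>Log in at <a href=3D"http://www.paypal.com.example.net/login">www.paypal.com</a></p>
<p>Help: <a href=3D"https://www.paypal.com/help">www.paypal.com/help</a></p>
</body></html>
"""

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host name (assumption: no multi-label public suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_findings(href, text):
    """Return the list of phishing tells for one link; an empty list means nothing suspicious."""
    findings = []
    u = urlparse(href)
    host = u.hostname or ""
    if u.scheme not in ("http", "https"):
        findings.append(f"unusual scheme {u.scheme!r}")
    if u.username or u.password:
        findings.append("credentials embedded in URL")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass
    shown = DOMAIN_RE.search(text)  # a domain the user *sees* in the link text
    if shown and host and registrable(shown.group(0)) != registrable(host):
        findings.append(f"link text shows {shown.group(0)} but target host is {host}")
    return findings


def analyze(raw_message):
    """Decode the message body (quoted-printable included) and report suspicious links."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html = msg.get_body(preferencelist=("html",)).get_content()
    extractor = LinkExtractor()
    extractor.feed(html)
    report = []
    for href, text in extractor.links:
        tells = link_findings(href, text)
        if tells:
            report.append((href, tells))
    return report


if __name__ == "__main__":
    for href, tells in analyze(SAMPLE_PHISH):
        print(href)
        for tell in tells:
            print("   -", tell)
```

The checks are deliberately applied to the decoded body rather than the raw source, because the encoding is exactly what hides the target from a casual reader of the raw message; the forged From and Return-Path headers are not checked at all, since the sender controls both.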
47. Another Example – Amazon 
View Source 
48. Deliberate Acts (continued) Alien Software
Spyware (see video)
Spamware
Cookies
Cookie demo
Spyware collects personal information about users without their consent. Two types of spyware are keystroke loggers (keyloggers) and screen scrapers. Keystroke loggers record your keystrokes and your Web browsing history. Screen scrapers record a continuous “movie” of what you do on a screen.
The spyware video provides a nice overview of spyware and how to avoid it.
Spamware is alien software that is designed to use your computer as a launchpad for spammers. Spam is unsolicited e-mail.
Cookies are small amounts of information that Web sites store on your computer; the browser sends them back on later requests to that site, which is what lets a site recognize you across visits.
The cookie demo will show you how much information your computer sends when you connect to a Web site.
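The slide only defines cookies; this added Python example (not from the textbook) goes a step further and shows what a practitioner looks at when judging what a cookie does to your privacy: who set it (first- or third-party relative to the page you visited), how long it lives, and whether it is exposed over plain HTTP or to page scripts. The Set-Cookie headers and host names (www.example-shop.com, ads.tracker-example.net) are constructed for the demo, and the fixed clock NOW is an assumption that keeps the lifetime arithmetic reproducible.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers as a browser might receive them while loading one page
# on www.example-shop.com (hypothetical hosts): a first-party session cookie, a first-party
# preference cookie, and a ten-year identifier from a third-party ad host.
PAGE_HOST = "www.example-shop.com"
NOW = datetime(2009, 4, 8, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for reproducible lifetimes
SAMPLE_RESPONSES = [
    (PAGE_HOST, "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    (PAGE_HOST, "prefs=lang%3Den; Max-Age=2592000; Path=/"),
    ("ads.tracker-example.net",
     "uid=7f3c9a; Expires=Mon, 08 Apr 2019 12:00:00 GMT; Domain=.tracker-example.net; Path=/"),
]


def registrable(host):
    """Last two labels of a host name (assumption: no multi-label public suffixes such as co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val or True})."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, has_value, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def classify_cookie(setter_host, header, page_host=PAGE_HOST, now=NOW):
    """Describe what a cookie means for the user: who set it, how long it lives, how exposed it is."""
    name, _value, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    else:
        lifetime = None  # session cookie: discarded when the browser closes
    third_party = registrable(setter_host) != registrable(page_host)
    flags = []
    if third_party:
        flags.append("third-party: set by a host other than the page you visited")
    if lifetime is not None and lifetime > timedelta(days=365):
        flags.append("long-lived: usable to recognise you for years")
    if "secure" not in attrs:
        flags.append("no Secure: also sent over plain HTTP")
    if "httponly" not in attrs:
        flags.append("no HttpOnly: readable by any script on the page")
    return {
        "name": name,
        "setter": setter_host,
        "lifetime_days": None if lifetime is None else lifetime.days,
        "third_party": third_party,
        "flags": flags,
    }


def audit(responses=SAMPLE_RESPONSES):
    """Classify every cookie set while loading the page."""
    return [classify_cookie(host, header) for host, header in responses]


if __name__ == "__main__":
    for entry in audit():
        print(entry["name"], "from", entry["setter"], "lifetime:", entry["lifetime_days"], "days")
        for flag in entry["flags"]:
            print("   -", flag)
```

The ten-year third-party identifier is the one that matters for the profiling discussed earlier in the chapter: it is the mechanism by which an ad host recognises the same browser across unrelated sites, while the session cookie, with no lifetime and both protection flags, is what a login actually needs.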
49. Keystroke Logger 
50. Example of CAPTCHA 
51. Deliberate Acts (continued) Supervisory control and data acquisition (SCADA) attacks A supervisory control and data acquisition (SCADA) system is a large-scale, distributed measurement and control system.
SCADA systems are the link between the electronic world and the physical world.
The picture shows wireless sensors (black boxes with yellow faces) controlling valves in a chemical plant. Note the old manual wheel used to control the valve.
These sensors are typically connected to the company’s network. If the company’s network is compromised, these sensors can be made to perform malicious actions, which is why control networks should be segmented from the corporate network rather than reachable from every workstation.
52. What if a SCADA attack were successful? The northeastern power outage shown here was caused by a tree limb breaking a high-voltage wire.
However, a successful SCADA attack on the U.S. power grid could have the same results.
53. Results of the power outage in NYC New York City during the blackout (on the left).
People walking home during the blackout (on the right).
54. More results of power outage in NYC Many tourists simply slept on the street or in hotel lobbies, as elevators were not working (above left).
Hundreds of thousands of people walking home from Manhattan during the blackout (above right).
55. A Successful (Experimental) SCADA Attack Video of an experimental SCADA attack that was successful. This video shows the results of a successful (thankfully experimental) SCADA attack on a generator.  Notice that the generator overheats!
56. Example of Cyber Warfare This video is an outstanding look at the cyber warfare directed at Estonia.
57. 3.3 Protecting Information Resources 
58. Risk!
59. And then there is real risk! One has to wonder what this soldier did to have this job assigned to him!
60. Risk Management Risk
Risk management
Risk analysis
Risk mitigation Risk. The probability that a threat will impact an information resource.
Risk management. To identify, control and minimize the impact of threats.
Risk analysis. To assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.
Risk mitigation is when the organization takes concrete actions against risk. It has two functions:
(1) implementing controls to prevent identified threats from occurring, and
(2) developing a means of recovery should the threat become a reality.
61. Risk Mitigation Strategies Risk Acceptance
Risk limitation
Risk transference Risk Acceptance. Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
Risk limitation. Limit the risk by implementing controls that minimize the impact of the threat.
Risk transference. Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
62. Risk Optimization This graph comes from Spies Among Us by Ira Winkler (page 37, Figure 2.3).  Note: It is important to optimize risk rather than minimize risk.  Companies can slide the vertical line (risk optimization line) back and forth.  In doing so, companies can see the trade-offs between the amount they spend on countermeasures and the potential loss they can expect.
         If the line slides to the left, the company will spend less on countermeasures, but have greater potential loss.  If the line slides to the right, the company will spend more on countermeasures, but have lower potential loss.
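The risk analysis on slide 60 (compare the cost of a compromise with the cost of protecting against it) and the risk optimization graph on slide 62 (slide the line until countermeasure spend plus remaining potential loss is lowest) can both be worked numerically. The following is an added example, not code from the slides or from Winkler's book; the asset inventory, the loss probabilities and the assumption that each extra $100,000 of countermeasures halves the probability of compromise are constructed numbers.

```python
"""Risk analysis and risk optimization, worked numerically.

Added example, not from the slides or from Winkler's book. The asset inventory,
the loss probabilities and the countermeasure cost curve are constructed numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float             # dollar loss if the asset is compromised
    base_probability: float  # annual probability of compromise with no controls


# Constructed sample inventory (not real figures).
ASSETS = [
    Asset("customer database", 2_000_000, 0.30),
    Asset("public web server", 150_000, 0.60),
    Asset("internal wiki", 20_000, 0.40),
]


def control_justified(asset: Asset, control_cost: float, residual: float) -> bool:
    """Risk analysis for one control (slide 60): compare the expected loss the
    control removes with what the control costs. True means risk limitation
    pays for itself; False means risk acceptance (or transference) is cheaper."""
    expected_loss_removed = asset.value * (asset.base_probability - residual)
    return expected_loss_removed > control_cost


def residual_probability(base: float, spend: float, half_life: float = 100_000) -> float:
    """Assumed cost curve: every additional `half_life` dollars of countermeasure
    spending halves the probability of compromise (diminishing returns)."""
    return base * 0.5 ** (spend / half_life)


def expected_loss(assets, spend: float) -> float:
    """Potential loss (the falling curve on slide 62) at a given countermeasure spend."""
    return sum(a.value * residual_probability(a.base_probability, spend) for a in assets)


def total_cost(assets, spend: float) -> float:
    """What the organization actually pays: countermeasures plus the loss it still expects."""
    return spend + expected_loss(assets, spend)


def optimize_spend(assets, max_spend: float, step: int = 10_000):
    """Slide the risk optimization line across the graph and return the
    (spend, total_cost) pair with the lowest total cost."""
    candidates = range(0, int(max_spend) + 1, step)
    best = min(candidates, key=lambda s: total_cost(assets, s))
    return best, total_cost(assets, best)


if __name__ == "__main__":
    db = ASSETS[0]
    print("Encrypting the database for $50,000 justified?",
          control_justified(db, 50_000, residual=0.05))
    spend, cost = optimize_spend(ASSETS, max_spend=500_000)
    print(f"optimum: spend ${spend:,} -> total cost ${cost:,.0f}")
    print(f"spending the whole budget: total cost ${total_cost(ASSETS, 500_000):,.0f}")
```

With these constructed numbers the optimum is well short of the full budget: past roughly $230,000 each further dollar of countermeasures removes less than a dollar of expected loss, which is the slide's point that risk is optimized rather than minimized. The same `control_justified` check applied to the low-value wiki returns False, i.e. risk acceptance is the rational strategy for that asset.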
63. Controls Physical controls
Access controls
Communications (network) controls
Application controls Physical controls. Physical protection of computer facilities and resources.
Access controls. Restriction of unauthorized user access to computer resources; use biometric and password controls for user identification.
Communications (network) controls. To protect the movement of data across networks; these include border security controls, authentication and authorization.
Application controls protect specific applications.
64. Where Defense Mechanisms (Controls) Are Located 
65. Access Controls Authentication
Something the user is (biometrics powerpoints)
Video on biometrics
The latest biometric: gait recognition
The Raytheon Personal Identification Device
Something the user has
Something the user does
Something the user knows
passwords
passphrases Authentication - Major objective is proof of identity. 
Something the User Is  - Also known as biometrics, these access controls examine a user's innate physical characteristics.  
     The biometrics video is an outstanding look at all types of biometrics. (28 minutes) 
     The Raytheon Personal Identification Device combines biometrics and RFID.
Something the User Has -  These access controls include regular ID cards, smart cards, and tokens. 
Something the User Does -  These access controls include voice and signature recognition. 
Something the User Knows  - These access controls include passwords and passphrases. A password is a private combination of characters that only the user should know. A passphrase is a series of characters that is longer than a password but can be memorized easily.
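How two of the factors above are actually checked by a system, as an added example that is not code from the slides: "something the user knows" is a passphrase that is never stored in the clear (only a salted PBKDF2 hash of it), and "something the user has" is a token that produces one-time codes with the HOTP/TOTP algorithms of RFC 4226 and RFC 6238. The user record layout and the `enroll`/`authenticate` helpers are this example's own design.

```python
"""Two authentication factors checked together: something the user knows (a
passphrase, stored only as a salted PBKDF2 hash) and something the user has (a
token that produces one-time codes via HOTP/TOTP, RFC 4226 / RFC 6238).

Added example, not code from the slides. The user record layout and the
enroll/authenticate helpers are this example's own design.
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 600_000  # slow on purpose, so guessed passphrases cost the attacker
TOTP_STEP = 30               # seconds each code stays valid


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)


def verify_passphrase(passphrase: str, salt: bytes, stored: bytes) -> bool:
    # compare_digest avoids leaking how many leading bytes matched through timing
    return hmac.compare_digest(hash_passphrase(passphrase, salt), stored)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp=None) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    ts = time.time() if timestamp is None else timestamp
    return hotp(secret, int(ts // TOTP_STEP))


def verify_totp(secret: bytes, code: str, timestamp=None, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    ts = time.time() if timestamp is None else timestamp
    counter = int(ts // TOTP_STEP)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def enroll(passphrase: str, totp_secret: bytes = None) -> dict:
    """Create a user record; the passphrase itself is never stored."""
    salt = os.urandom(16)
    return {"salt": salt,
            "passphrase_hash": hash_passphrase(passphrase, salt),
            "totp_secret": totp_secret or os.urandom(20)}  # shown to the user once, e.g. as a QR code


def authenticate(record: dict, passphrase: str, code: str, timestamp=None) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which one was wrong."""
    knows = verify_passphrase(passphrase, record["salt"], record["passphrase_hash"])
    has = verify_totp(record["totp_secret"], code, timestamp)
    return knows and has
```

The `timestamp` parameter exists so the code can be checked against the published RFC test vectors (secret `12345678901234567890`, counter 0 gives `755224`, counter 1 gives `287082`); in production it is left at `None` and the clock is used.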
66. Access Controls (continued) Authorization
Privilege
Least privilege Authorization - Permission issued to individuals and groups to do certain activities with information resources, based on verified identity. 
A privilege is a collection of related computer system operations that can be performed by users of the system.
Least privilege is a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.
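Authorization and least privilege as a small policy engine, added here as an example and not taken from the slides: a privilege is a named collection of operations, a grant requires a stated justification and always expires, and anything not explicitly granted is denied. The privilege names, users and grant record are this example's own constructions.

```python
"""Authorization with least privilege (slide 66): a user may perform an
operation only through an explicit, justified, time-bounded grant, and
everything else is denied.

Added example, not from the slides. The privilege names, users and the grant
record are this example's own constructions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# A privilege is a named collection of related operations.
PRIVILEGES = {
    "read-payroll":   frozenset({"payroll:read"}),
    "manage-payroll": frozenset({"payroll:read", "payroll:write", "payroll:approve"}),
    "dba":            frozenset({"db:backup", "db:restore", "db:schema"}),
}

EXAMPLE_NOW = datetime(2024, 1, 15, 9, 0)   # constructed reference time


def days_later(when: datetime, days: int) -> datetime:
    return when + timedelta(days=days)


@dataclass(frozen=True)
class Grant:
    user: str
    privilege: str
    justification: str
    granted_at: datetime
    expires_at: datetime

    def active(self, now: datetime) -> bool:
        return self.granted_at <= now < self.expires_at


@dataclass
class AccessPolicy:
    grants: list = field(default_factory=list)

    def grant(self, user, privilege, justification, now, days=30) -> Grant:
        """A grant needs a stated, justifiable need and always expires."""
        if privilege not in PRIVILEGES:
            raise KeyError(f"unknown privilege {privilege!r}")
        if not justification.strip():
            raise ValueError("least privilege: no justification, no grant")
        g = Grant(user, privilege, justification, now, days_later(now, days))
        self.grants.append(g)
        return g

    def permitted_operations(self, user, now) -> set:
        ops = set()
        for g in self.grants:
            if g.user == user and g.active(now):
                ops |= PRIVILEGES[g.privilege]
        return ops

    def authorize(self, user, operation, now) -> bool:
        """Deny by default: only an active grant that covers the operation allows it."""
        return operation in self.permitted_operations(user, now)

    def expired_grants(self, now) -> list:
        """Grants to revoke and review, so privileges do not silently accumulate."""
        return [g for g in self.grants if not g.active(now)]


def demo_scenario() -> dict:
    """Constructed walk-through: an auditor gets read-only payroll access for two
    weeks, an on-call DBA gets database privileges for one week."""
    policy = AccessPolicy()
    policy.grant("alice", "read-payroll", "quarterly audit, ticket AUD-1", EXAMPLE_NOW, days=14)
    policy.grant("bob", "dba", "on-call DBA rotation", EXAMPLE_NOW, days=7)
    try:
        policy.grant("carol", "manage-payroll", "   ", EXAMPLE_NOW)
        rejected = False
    except ValueError:
        rejected = True
    week_later = days_later(EXAMPLE_NOW, 8)
    return {
        "alice_reads_payroll": policy.authorize("alice", "payroll:read", EXAMPLE_NOW),
        "alice_approves_payroll": policy.authorize("alice", "payroll:approve", EXAMPLE_NOW),
        "bob_restores_db": policy.authorize("bob", "db:restore", EXAMPLE_NOW),
        "bob_restores_after_rotation": policy.authorize("bob", "db:restore", week_later),
        "stale_grants_after_rotation": [g.user for g in policy.expired_grants(week_later)],
        "unjustified_grant_rejected": rejected,
    }
```

The auditor can read payroll but not approve it, because the narrower `read-payroll` privilege was granted rather than `manage-payroll`; a week after the DBA rotation ends, Bob's grant stops working on its own and shows up in `expired_grants`, which is the list an access review would start from.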
67. Communication or Network Controls Firewalls
Anti-malware systems
Whitelisting and Blacklisting
Intrusion detection systems
Encryption Firewalls. System that enforces access-control policy between two networks.
Anti-malware systems (also called antivirus software) are software packages that attempt to identify and eliminate viruses, worms, and other malicious software.  The logos show three well-known anti-malware companies.  Clicking on the link will take you to each company’s homepage, respectively.
Whitelisting is a process in which a company identifies the software that it will allow to run and does not try to recognize malware.
Blacklisting is a process in which a company allows all software to run unless it is on the blacklist.
Intrusion Detection Systems are designed to detect all types of malicious network traffic and computer usage that cannot be detected by a firewall.
Encryption. Process of converting an original message into a form that cannot be read by anyone except the intended receiver.
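Why an intrusion detection system catches what a firewall cannot is easiest to see on log data. The following is an added example, not code from the slides or from any IDS product: every connection in the constructed sample log is individually ACCEPTed by the firewall (the ports are open, the login service is reachable), yet one source touching many distinct ports in a minute, or one source failing logins repeatedly, is a pattern only visible across events. The log format, the sample lines (TEST-NET addresses) and the thresholds are all constructed for this example.

```python
"""Intrusion detection over connection and login logs (slide 67): each event
below is individually allowed traffic that a firewall would pass, but the
pattern across events is what an IDS flags.

Added example, not from the slides or from any IDS product. The log format,
every line of SAMPLE_LOG (TEST-NET addresses) and the thresholds are
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T10:00:00 src=198.51.100.4 dst=10.0.0.5 dport=443 action=ACCEPT
2024-03-01T10:00:01 src=203.0.113.7 dst=10.0.0.5 dport=22 action=ACCEPT
2024-03-01T10:00:02 src=203.0.113.7 dst=10.0.0.5 dport=25 action=ACCEPT
2024-03-01T10:00:02 src=203.0.113.7 dst=10.0.0.5 dport=80 action=ACCEPT
2024-03-01T10:00:03 src=203.0.113.7 dst=10.0.0.5 dport=443 action=ACCEPT
2024-03-01T10:00:04 src=203.0.113.7 dst=10.0.0.5 dport=8080 action=ACCEPT
2024-03-01T10:00:05 src=203.0.113.7 dst=10.0.0.5 dport=3306 action=ACCEPT
2024-03-01T10:01:00 src=198.51.100.9 user=jsmith auth=FAIL
2024-03-01T10:01:02 src=198.51.100.9 user=jsmith auth=FAIL
2024-03-01T10:01:03 src=198.51.100.9 user=admin auth=FAIL
2024-03-01T10:01:05 src=198.51.100.9 user=root auth=FAIL
2024-03-01T10:01:06 src=198.51.100.9 user=admin auth=FAIL
2024-03-01T10:05:00 src=198.51.100.4 user=jsmith auth=FAIL
2024-03-01T10:05:30 src=198.51.100.4 user=jsmith auth=OK
"""

LINE = re.compile(r"(?P<ts>\S+)\s+(?P<fields>.*)")


def parse(line: str) -> dict:
    """'2024-03-01T10:00:01 src=... dport=22 action=ACCEPT' -> dict of fields."""
    m = LINE.match(line)
    event = {"ts": datetime.fromisoformat(m.group("ts"))}
    event.update(kv.split("=", 1) for kv in m.group("fields").split())
    return event


def detect(log_text: str, scan_ports: int = 5, fail_logins: int = 4,
           window: timedelta = timedelta(seconds=60)) -> list:
    """Return sorted (source, alert) pairs.
    port-scan:   one source touched `scan_ports` distinct ports within `window`
    brute-force: one source produced `fail_logins` failed logins within `window`"""
    port_hits = defaultdict(list)   # src -> [(ts, dport)] inside the window
    fail_hits = defaultdict(list)   # src -> [ts] inside the window
    alerts = set()
    for line in log_text.splitlines():
        ev = parse(line)
        src, ts = ev["src"], ev["ts"]
        if ev.get("action") == "ACCEPT" and "dport" in ev:
            hits = port_hits[src]
            hits.append((ts, int(ev["dport"])))
            hits[:] = [(t, p) for t, p in hits if ts - t <= window]   # slide the window
            if len({p for _, p in hits}) >= scan_ports:
                alerts.add((src, "port-scan"))
        elif ev.get("auth") == "FAIL":
            fails = fail_hits[src]
            fails.append(ts)
            fails[:] = [t for t in fails if ts - t <= window]
            if len(fails) >= fail_logins:
                alerts.add((src, "brute-force"))
    return sorted(alerts)
```

The single failed login from 198.51.100.4 followed by a success is the normal typo case and produces no alert; raising `scan_ports` above the number of distinct ports seen makes the port-scan alert disappear, which is the usual tuning trade-off between missed detections and false alarms.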
68. Basic Home Firewall (top) and Corporate Firewall (bottom) In a basic home firewall, the firewall is implemented as software on the home computer.
An organizational firewall has the following components:
     (1) external firewall facing the Internet
     (2) a demilitarized zone (DMZ) located between the two firewalls; the DMZ contains 
           company servers that typically handle Web page requests and e-mail.
     (3) an internal firewall that faces the company network
69. How Public Key Encryption Works For a complete look at how encryption works, see
http://www.howstuffworks.com/encryption.htm
70. How Digital Certificates Work A digital certificate is an electronic document attached to a file certifying that the file is from 
     the organization that it claims to be from and has not been modified from its original
     format.
Certificate authorities, which are trusted intermediaries between two organizations, issue
     digital certificates.
71. Communication or Network Controls (continued) Virtual private networking
Secure Socket Layer (now transport layer security)
Vulnerability management systems
Employee monitoring systems A virtual private network is a private network that uses a public network (usually the Internet) to connect users.
Secure socket layer (SSL), now called transport layer security (TLS), is an encryption standard used for secure transactions such as credit card purchases and online banking.
Vulnerability management systems (also called security on demand) extend the security perimeter that exists for the organization’s managed devices, to unmanaged, remote devices.
Employee monitoring systems monitor employees’ computers, e-mail activities, and Internet surfing activities.
72. Virtual Private Network and Tunneling Tunneling encrypts each data packet that is sent and places each encrypted packet inside another packet.
73. Popular Vulnerability Management Systems The logos are of three companies that provide vulnerability management systems.  Clicking on the logo will take you to each company’s home page.
74. Popular Employee Monitoring Systems The logos are of companies that provide employee monitoring systems.  Clicking on the logo will take you to each company’s home page.
75. Employee Monitoring System This image provides a demonstration of how an employee monitoring system looks to the network administrator.  He or she sees the screens that everyone is on, and can “zoom in” on any one person’s screen.
76. Business Continuity Planning, Backup, and Recovery Hot Site
Warm Site
Cold Site Hot Site is a fully configured computer facility, with all services, communications links, and physical plant operations.
Warm Site provides many of the same services and options of the hot site, but it typically does not include the actual applications the company runs.
Cold Site provides only rudimentary services and facilities and so does not supply computer hardware or user workstations.
77. Information Systems Auditing Types of Auditors and Audits
Internal
External Information systems auditing. Independent or unbiased observers tasked to ensure that information systems work properly.
Audit. Examination of information systems, their inputs, outputs and processing.
Types of Auditors and Audits
Internal. Performed by corporate internal auditors.
External. Reviews internal audit as well as the inputs, processing and outputs of information systems.
78. IS Auditing Procedure Auditing around the computer
Auditing through the computer
Auditing with the computer Auditing around the computer means verifying processing by checking for known outputs or specific inputs.
Auditing through the computer means inputs, outputs and processing are checked.
Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware.
79. Chapter Closing Case Clicking on the IFAW logo takes you to its homepage and clicking on the Check Point logo takes you to its homepage.