
Business Plug-In B6

Information Security

McGraw-Hill/Irwin

2008 The McGraw-Hill Companies, All Rights Reserved

INTRODUCTION
Information security - a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization
This plug-in discusses how organizations can implement information security lines of defense through people first and technology second

The First Line of Defense - People


The biggest issue surrounding information security is not a technical issue, but a people issue
Insiders
Social engineering - using one's social skills to trick people into revealing access, credentials or other information valuable to the attacker

The First Line of Defense - People


The first line of defense for an organization for the insider issues is to develop information security policies and an information security plan
Information security policies - identify the rules required to maintain information security
Information security plan - details how an organization will implement the information security policies

The First Line of Defense - People


Five steps to creating an information security plan
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support


The Second Line of Defense - Technology


Three primary information security areas
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response

AUTHENTICATION AND AUTHORIZATION


Authentication - a method for confirming users' identities
Authorization - the process of giving someone permission to do or have something
The most secure type of authentication involves a combination of the following:
1. Something the user knows such as a user ID and password
2. Something the user has such as a smart card or token
3. Something that is part of the user such as a fingerprint or voice signature

Something the User Knows such as a User ID and Password


User ID and passwords are the most common way to identify individual users, and are the most ineffective form of authentication

Identity theft - the forging of someone's identity for the purpose of fraud
Phishing - a technique to gain personal information for the purpose of identity theft

Something the User Has such as a Smart Card or Token


Smart cards and tokens are more effective than a user ID and a password
Tokens - small electronic devices that change user passwords automatically
Smart card - a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
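The combination of "something the user knows" and "something the user has", as an added example that is not part of the original slides. It assumes the token is a time-based one-time-password device (RFC 6238) and that the password is stored as a PBKDF2 hash; the account values are constructed.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions, not from the slides).
SALT = b"constructed-salt"
TOKEN_SECRET = b"12345678901234567890"  # shared secret used in the RFC 6238 test vectors
STEP = 30  # seconds that each token code stays valid


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Something the user knows: keep only a slow, salted hash of it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def token_code(secret: bytes, now: int, digits: int = 6) -> str:
    """Something the user has: the code the token displays at Unix time `now`."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


ACCOUNT = {"pw_hash": hash_password("correct horse"), "secret": TOKEN_SECRET}


def authenticate(password: str, code: str, now: int, account=ACCOUNT) -> bool:
    """Succeed only when BOTH factors verify; either one alone is rejected."""
    knows = hmac.compare_digest(hash_password(password), account["pw_hash"])
    # Accept the current and the previous time step to tolerate clock drift.
    has = any(
        hmac.compare_digest(
            code.encode(),
            token_code(account["secret"], max(0, now - d * STEP)).encode(),
        )
        for d in (0, 1)
    )
    return knows and has


if __name__ == "__main__":
    print(token_code(TOKEN_SECRET, 59))                      # code shown at t=59
    print(authenticate("correct horse", "287082", 59))       # both factors valid
    print(authenticate("correct horse", "287082", 59 + 120)) # stale code is rejected
```

A password captured by phishing is not enough here, because the code from the token expires after one or two time steps.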

Something That Is Part of the User such as a Fingerprint or Voice Signature


This is by far the best and most effective way to manage authentication
Biometrics - the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting

Unfortunately, this method can be costly.

PREVENTION AND RESISTANCE


Technologies available to help prevent and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls

Content Filtering
Organizations can use content filtering technologies to filter e-mail and prevent e-mails containing sensitive information from transmitting and stop spam and viruses from spreading
Content filtering - occurs when organizations use software that filters content to prevent the transmission of unauthorized information
Spam - a form of unsolicited e-mail
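An outbound e-mail content filter of the kind described above, as an added example that is not part of the original slides. It assumes "sensitive information" means payment card numbers and uses the Luhn checksum to avoid blocking ordinary digit runs; both sample messages are constructed.

```python
import re
from email import message_from_string

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample messages (not from the slides).
LEAKY = ("From: a@example.com\nTo: b@example.net\nSubject: invoice\n\n"
         "Customer card 4111 1111 1111 1111, please charge it.\n")
CLEAN = ("From: a@example.com\nTo: b@example.net\nSubject: shipping\n\n"
         "Order 1234 5678 9012 3456 shipped today.\n")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out random digit runs such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def outbound_verdict(raw_message: str) -> str:
    """Return 'block' if the subject or any text part carries a card number."""
    msg = message_from_string(raw_message)
    if find_card_numbers(msg.get("Subject", "")):
        return "block"
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        payload = part.get_payload(decode=True) or b""
        if find_card_numbers(payload.decode("utf-8", errors="replace")):
            return "block"
    return "allow"
```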

ENCRYPTION
If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
Encryption - scrambles information into an alternative form that requires a key or password to decrypt the information
Public key encryption - uses two keys: a public key that everyone can have and a private key for only the recipient


FIREWALLS
One of the most common defenses for preventing a security breach is a firewall
Firewall - hardware and/or software that guards a private network by analyzing the information leaving and entering the network

FIREWALLS
Figure: Sample firewall architecture connecting systems located in Chicago, New York, and Boston

DETECTION AND RESPONSE


If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
Antivirus software is the most common type of detection and response technology

DETECTION AND RESPONSE


Hacker - people very knowledgeable about computers who use their knowledge to invade other people's computers
1. White-hat hacker
2. Black-hat hacker
3. Hacktivist: has philosophical and political reasons for breaking into systems
4. Script kiddies or script bunnies: find hacking code on the Internet and click-and-point their way into systems to cause damage or spread viruses
5. Cracker: a hacker with criminal intent
6. Cyberterrorist: seeks to cause harm to people or to destroy critical systems or information and uses the Internet as a weapon of mass destruction

DETECTION AND RESPONSE


Virus - software written with malicious intent to cause annoyance or damage
Worm
Denial-of-service attack (DoS)
Distributed denial-of-service attack (DDoS)
Trojan-horse virus
Backdoor program
Polymorphic virus and worm

DETECTION AND RESPONSE


Security threats to e-business include:
Elevation of privilege
Hoaxes
Malicious code
Spoofing
Spyware
Sniffer
Packet tampering
