Chapter 13 Summary
Louisiana State University, Shreveport; Course 703, Information Systems; Feb 20, 2024; uploaded by jrasco
Chapter 13: Information Security: Barbarians at the Gateway (and Just About Everywhere Else)
Section 1: Why Is This Happening? Who Is Doing It? And What's Their Motivation?
Description: This section discusses the various sources of cyber attacks and their motivations. It covers criminals, hacktivists, nation states, and more. Attacks are increasing in sophistication and scale.
Motivations for Cyber Attacks:
- Account theft and illegal funds transfer
- Stealing personal or financial data
- Compromising computing assets for use in other crimes
- Extortion
- Espionage
- Cyberwarfare
- Terrorism
- Pranksters
- Protest hacking (hacktivism)
- Revenge (disgruntled employees)
Types of Attackers:
- Criminals stole over $100 million from US banks in 2009 without any direct contact with their victims (Kroft, 2009)
- An underground cybercrime market exists where data harvesters sell to fraudsters (Singel, 2008)
- Hackers use botnets of zombie computers for spam, click fraud, and DDoS attacks (Higgins, 2008; Krebs, 2007)
- Extortionists leverage botnets and stolen data to demand ransom (Kroft, 2009)
- Corporate espionage by insiders, rivals, and foreign nations, targeting projects like the F-35 (Gorman et al., 2009; Vijayan, 2007)
- Nation states conducting cyberwarfare attacks that disrupt infrastructure (Kroft, 2009)
- Hacktivists targeting sites in protest (Schectman, 2009)
- Disgruntled employees seeking revenge (Vijayan, 2010)
Law Enforcement Challenges:
- Technical and legal complexity slow pursuit and prosecution
- Agencies are underfunded, understaffed, and lack the skills for modern threats
Section 2: Where Are Vulnerabilities? Understanding the Weaknesses
Description: This section discusses how organizations create vulnerabilities through technology choices, data collection practices, and organizational structure.
Key Vulnerabilities:
- Nearly all organizations are online, making their networks entry points for criminals (King, 2009)
- Complex vendor software and hardware carry potential weaknesses (Matwyshyn, 2009)
- Firms hoarding large amounts of data create more targets (Matwyshyn, 2009)
- Flatter organizations give lower levels access to more sensitive data and systems (Matwyshyn, 2009)
TJX Case Study:
- Hackers breached the network via insecure WiFi protected only by WEP, a known weak protocol whose keys can be recovered from captured traffic (Anthes, 2008)
- TJX delayed moving to a stronger wireless security standard, allowing a long-term breach (Anthes, 2008)
- Estimated $1.35-$4.5 billion in total losses from the theft of over 45 million card numbers (King, 2009)
Key Takeaways:
- Security must be a top priority given rising attacks and their potential impacts
- Breaches stem from technology, process, and personnel weaknesses within organizations
- Preventing vulnerabilities is important but cannot guarantee 100% security
Section 3: Taking Action
Description: This section will discuss approaches organizations can take to minimize risks and damage from potential breaches.
Potential Approaches:
- Implement strong access controls, encryption, firewalls, IDS, regular audits/testing (Matwyshyn, 2009)
- Comply with security standards like PCI DSS and continuously improve practices (Anthes, 2008)
- Provide security awareness training for all personnel (Matwyshyn, 2009)
- Establish response plans, designate a team, and practice incident response (Matwyshyn, 2009)
- Consider cyber insurance to transfer some financial risk (Matwyshyn, 2009)
- Advocate for improved legal framework, resources for law enforcement (Kroft, 2009)
Key Takeaways:
- Constant vigilance, with security as a priority across technology, people, and processes, is needed
- While no measures can guarantee there will be no attacks, proper measures can minimize risks and reduce damage
- Individuals and organizations must both take proactive steps given rising threats
Vulnerabilities and Entry Points for Attack
User and Administrator Threats
Description: Users and administrators themselves can pose threats if they engage in malicious or careless behavior. Insider threats make up about 70% of security incidents according to research firm Gartner.
- Bad apples: Rogue employees who steal secrets, install malware, or hold a firm hostage through ransomware (page 8)
- Social engineering: Con games that trick users into revealing sensitive information or granting access. Attackers use background information from social media to craft convincing stories. (page 9)
- Phishing: Cons executed through technology to trick users into revealing information or downloading malware. Includes spear phishing which targets specific organizations. Watch for spoofed email addresses and URLs that don't match the actual destination. (page 10-11)
- Weak or reused passwords: Users tend to have poor and reused passwords that put all accounts at risk if one is compromised. Password managers and strong, unique passwords are recommended. (page 12)
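The two phishing tells listed above, a spoofed sender and a link whose visible text does not match its real destination, can be checked mechanically. The following is an added example, not code from the text; the SAMPLE message is constructed, and the two-label domain comparison is a simplification (production code would use the Public Suffix List).

```python
"""Flag two phishing indicators in a raw e-mail: a From display name that
names a different domain than the real address, and <a> links whose visible
text is a URL pointing to a different host than the href.
Added example; SAMPLE is a constructed message."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing e-mail: lookalike sender domain, link text that lies.
SAMPLE = """\
From: "Example Bank Security (example-bank.com)" <alerts@mail-examp1e-bank.com>
To: customer@example.org
Subject: Verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sign in at <a href="http://198.51.100.7/login">https://www.example-bank.com/login</a></p>
<p>Questions? Read <a href="https://www.example-bank.com/help">our help page</a>.</p>
</body></html>
"""

URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)
DOMAIN_IN_TEXT = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Simplification for the demo:
    real code should consult the Public Suffix List (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw_message):
    """Return human-readable warnings for a raw RFC 5322 message (str)."""
    msg = message_from_string(raw_message)
    warnings = []

    # Tell 1: the display name names a domain but the address is elsewhere.
    display, addr = parseaddr(msg.get("From", ""))
    addr_domain = addr.rpartition("@")[2]
    for claimed in DOMAIN_IN_TEXT.findall(display.lower()):
        if registrable_domain(claimed) != registrable_domain(addr_domain):
            warnings.append(f"display name claims {claimed} but sender is {addr_domain}")

    # Tell 2: link text looks like a URL but the href goes to another host.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    collector.close()
    for href, text in collector.links:
        if not URL_LIKE.match(text):
            continue  # descriptive text ("our help page") makes no claim about the host
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        real = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(real):
            warnings.append(f"link text shows {shown} but points to {real}")
    return warnings


if __name__ == "__main__":
    for w in phishing_indicators(SAMPLE):
        print("WARNING:", w)
```

Run stand-alone it prints two warnings for the constructed message. The check on link text deliberately ignores descriptive anchor text; it is only a lie when the text itself looks like a URL for a different site.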
Network Vulnerabilities
Description: Issues that can arise from how a network is configured and accessed.
- Sniffers and compromised network equipment: Devices that intercept and monitor network traffic can steal credentials and sensitive information. (Figure 13.1 page 9)
- Weak authentication on open networks: Public hotspots with no encryption let anyone in range intercept traffic. (Figure 13.1 page 9)
- DNS hijacking and redirects: Altering DNS settings to send traffic to malicious sites instead of the intended destinations.
Client and Software Weaknesses
- Outdated and unpatched OS/software: Known vulnerabilities haven't been addressed leaving "doors" open to attack. (Figure 13.1 page 9)
- Programming flaws: Bugs and flaws in code like SQL injection and cross-site scripting that weren't caught during development. (Figure 13.1 page 9)
- Weak file/folder permissions and information sharing settings (page 11)
- Removable media/device insertion: Malware can be introduced this way if media isn't scanned. (Figure 13.1 page 9)
Physical Access Threats
- Dumpster diving and stolen hardware/media: Sensitive materials and devices discarded or stolen could provide access. (Figure 13.1 page 9)
- Tailgating and impersonation: Defeating physical access controls by following employees through doors or posing as legitimate visitors. (page 9)
- Eavesdropping: Keyloggers, microphones, and cameras can capture sensitive information. (Figure 13.1 page 9)
Web 2.0 and Social Media Risks
- Malware spreading through social networks, masquerading as messages from friends (page 12)
- Shortened URLs hide the destination until clicked, and zero-day exploits may not yet be detected by security software (page 12)
- Oversharing of information, like Congressman Hoekstra revealing a secret trip on Twitter (Figure 13.4 page 13)
Every connection point has vulnerabilities, so understanding where weaknesses exist is important for security improvement. (page 9)
Vulnerabilities and Threats to Information Systems
Password Vulnerabilities
- Many legacy systems were not designed with security in mind and do not enforce strong passwords or regular resets (current NIST guidance, for what it is worth, favors forcing a reset only on evidence of compromise)
- Biometrics were expected to replace passwords but have not caught on widely because of cost and the novelty of the technology ("Biometrics never caught on and it never will" - Richard Power, Carnegie Mellon University CyLab fellow)
- Single-use passwords delivered to an external device such as a phone provide stronger security but slow down the user experience
Password Best Practices
- Create separate, unique passwords for the highest-priority accounts such as email and banking
- Passwords should be at least 8 characters and include numbers and symbols; longer is better, since each extra character adds more search space than any single symbol
- Do not use dictionary words or common phrases, even with character substitutions (0 for o, @ for a): cracking tools try those substitutions automatically
- Build passwords from the initials of a phrase only you would know, such as "M1stCwarlsIbaT" from "My first Cadillac was a real lemon so I bought a Toyota"
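To see why substitutions do not rescue a dictionary word, here is an added example (not from the text) that scores a password the way a cracking rule set does: strip the digits and symbols people append, undo leet spelling, and look the core up in a wordlist. WORDLIST is a constructed stand-in for the multi-million-entry dictionaries real tools use, and the 50-bit cutoff is an illustrative choice.

```python
"""Assess a candidate password as a cracker would: undo common
letter-for-symbol substitutions, strip trailing decoration, and compare the
core against a wordlist before falling back to a brute-force size estimate.
Added example; WORDLIST and the thresholds are constructed for illustration."""
import math
import string

# Constructed stand-in for a cracking dictionary (real ones hold millions).
WORDLIST = {"password", "letmein", "welcome", "summer", "cadillac", "toyota"}

# Substitutions every cracking rule set undoes automatically.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def core_word(pw):
    """Strip trailing digits/symbols, undo leet spelling, lowercase."""
    stripped = pw.rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET).lower()


def search_space_bits(pw):
    """log2 of the brute-force space implied by length and character classes.
    An upper bound on guessing work; dictionary attacks are far cheaper."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw, min_len=8, min_bits=50):
    """Return (verdict, reason). Dictionary-derived passwords fail no matter
    how they are decorated; everything else is judged on search space."""
    if len(pw) < min_len:
        return "weak", f"shorter than {min_len} characters"
    core = core_word(pw)
    if core in WORDLIST:
        return "weak", f"'{pw}' is just '{core}' with substitutions"
    bits = search_space_bits(pw)
    if bits < min_bits:
        return "weak", f"only about {bits:.0f} bits of brute-force search space"
    return "ok", f"about {bits:.0f} bits of brute-force search space"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "Summer2024!", "abcdefgh", "M1stCwarlsIbaT"]:
        print(f"{candidate:16} -> {assess(candidate)}")
```

"P@ssw0rd1" meets the 8-character, mixed-class rule and still fails, because its core is "password"; the phrase-initials password from the text passes because no dictionary word survives normalization.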
Malware Threats
- Malware seeks to compromise systems without permission through various infection methods
- Client PCs and servers are primary targets but any connected device is at risk
- Attackers use techniques like phishing and infected removable media to introduce malware
- Once on a system, malware looks for vulnerabilities in software to spread and perform malicious actions
- Common malware types include viruses, worms, and trojans, which infect, automatically spread, or masquerade as legitimate software, respectively
- Malware goals include creating botnets for spam/fraud, serving unwanted ads, spying, keylogging, and screen capturing
- Tools make launching automated attacks easy for criminals
Application Vulnerabilities
- SQL injection targets sites that splice unvalidated user input directly into database queries, letting an attacker alter the query itself; binding input as parameters instead of concatenating it is the fix
- Cross-site scripting and HTTP header injection target weaknesses in site programming
- All applications and partner offerings must be rigorously tested for vulnerabilities
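The SQL injection point above, shown in working code as an added example (not from the text): the same user lookup written by string concatenation and with a bound parameter, run against a constructed in-memory SQLite table.

```python
"""SQL injection side by side: a query built by string concatenation and
the same lookup with a bound parameter, against an in-memory SQLite table.
Added example; the users table and the payloads are constructed."""
import sqlite3


def make_db():
    """Constructed table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", 1), ("bob", "hash-b", 0)])
    return conn


def lookup_vulnerable(conn, username):
    """Input is spliced into the SQL text, so it can change the query's meaning."""
    sql = f"SELECT username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Input is bound as a parameter: the driver sends it as data, never as SQL."""
    sql = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads: make the WHERE clause always true, and append a UNION
# that reads a column the query was never meant to return.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union:    ", lookup_vulnerable(db, UNION_DUMP))
    print("safe, tautology:      ", lookup_safe(db, TAUTOLOGY))
    print("safe, alice:          ", lookup_safe(db, "alice"))
```

With the concatenated query the tautology returns every user and the UNION payload returns every password hash; the parameterized version treats both payloads as literal usernames that match nothing.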
Network Threats
- Open WiFi access points and lack of monitoring allow unauthorized access to internal networks
- DNS cache poisoning can redirect traffic to malicious sites that install malware
Physical Threats
- Discarded media and trash may contain recoverable sensitive data requiring secure disposal
- Shoulder surfing and eavesdropping devices risk exposing data visually or aurally
Encryption
- Encrypting sensitive data before storage or transmission limits the damage from loss or theft, provided the keys are kept separate from the data
- VPNs encrypt network traffic, which is especially important on untrusted connections (Bank of America example)
- Encryption management is challenging but compliance will likely mandate its increased use
Vulnerabilities and Threats to Mobile Devices
- Jailbroken phones lack the platform's security restrictions, making them easy targets (Rick Astley malware example)
- Malware spreads via email, browsing, multimedia messaging, and Bluetooth on phones
- Default apps like browsers are increasingly exploited to install malware via drive-by downloads
- Location data from infected devices has helped law enforcement in some cases (Pittsburgh mugging example)
Website Ad Scams
- Compromised sites unknowingly distribute malware to visitors through malicious third-party ads
- The New York Times and other major sites have experienced this (Vonage scam distributing fake antivirus example)
Push Button Hacking
- Automated tools probe for vulnerabilities and launch attacks, lowering the bar for criminal hackers
- A $700 toolkit infected over 15,000 Italian users in a week, showing the potential impact of easy-to-use tools
So in summary, the main vulnerabilities are users and their passwords, applications that are not coded securely, networks that are not properly monitored and restricted, devices left open to malware through jailbreaking or outdated software, careless handling of sensitive data, and failure to use encryption. Attackers use social engineering, exploits against default software, automated tools, and users' carelessness or lack of security knowledge to reach systems and data. Strong password practices, keeping all software up to date, using encryption and VPNs, secure disposal, and constant network monitoring are all important defenses. (All quotes and examples are from the given text)
Taking Action to Improve Information Security
Understanding Vulnerabilities
- Organizations' information assets are at risk from users/administrators, hardware/software, networking systems, and physical threats. (Page 22)
- Social engineering and phishing try to trick users into providing information. Tools can help identify phishing, but it remains dangerous. (Page 22)
- Malware like viruses, worms, and trojans infect systems and can spy, use resources for crime, steal assets, destroy property, or serve ads. (Page 22)
- Poor programming, such as code open to SQL injection, exposes vulnerabilities. Developers must design with security in mind. (Page 22)
Securing Transmissions
- Websites use public/private key encryption to securely transmit financial info. The public key encrypts data, but only the matching private key can decrypt it. (Page 23)
- HTTPS and a closed padlock icon mean the connection to the site is encrypted and the site presented a certificate vouched for by a certificate authority. Clicking the padlock displays that certificate and the issuing authority. The padlock says nothing about whether the site itself is honest: a phishing site can hold a valid certificate for its own lookalike domain, so the domain name still has to be checked. (Page 23)
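The public-key property stated above, made concrete with textbook RSA as an added example (not from the text): anyone holding the public key (e, n) can encrypt, and only the holder of d can decrypt. The primes are deliberately tiny so the numbers are readable; real keys use 2048-bit-plus moduli and padding such as OAEP, and the byte-at-a-time mode at the end exists only to show why raw RSA is not used directly.

```python
"""Textbook RSA with tiny primes to show the asymmetry between the public
key (e, n), which anyone may use to encrypt, and the private exponent d,
which alone decrypts. Added example: toy parameters, no padding, unsafe."""
from math import gcd


def keygen(p, q, e=17):
    """Return ((e, n), (d, n)) for primes p, q. Caller must supply primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(pub, m):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)


def encrypt_bytes(pub, data):
    """Raw RSA per byte: deterministic, so equal bytes give equal ciphertexts
    and an eavesdropper sees the pattern without any key. Never do this."""
    return [encrypt(pub, b) for b in data]


def decrypt_bytes(priv, blocks):
    return bytes(decrypt(priv, c) for c in blocks)


def demo():
    """Widely used textbook parameters: p=61, q=53, n=3233, e=17, d=2753, m=65.
    Returns (ciphertext, plaintext recovered with d, result of trying e instead)."""
    pub, priv = keygen(61, 53)
    c = encrypt(pub, 65)
    with_public_only = pow(c, pub[0], pub[1])   # attacker lacks d: not the plaintext
    return c, decrypt(priv, c), with_public_only


if __name__ == "__main__":
    c, m, wrong = demo()
    print(f"ciphertext={c} decrypted={m} public-key-only-attempt={wrong}")
    pub, priv = keygen(61, 53)
    print("raw RSA of b'aab' (note the repeat):", encrypt_bytes(pub, b"aab"))
```

Running it shows 65 becoming 2790, coming back to 65 only with d, and the two 'a' bytes producing identical ciphertexts: the reason real protocols randomize the input with padding and use RSA only to protect a symmetric session key.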
Improving Personal Security
- Be cautious online: avoid suspicious links and files, and verify anything suspicious. Don't use public devices for sensitive info. (Page 24)
- Stay vigilant against social engineering in any interaction. (Page 24)
- Keep software and systems updated to address vulnerabilities. (Page 24)
- Use security software like antivirus, firewalls, malware scanners, and antiphishing tools. (Page 24)
- Secure your settings: passwords, home networks, encrypted drives, remote wiping, auto-fill disabling. (Page 25)
- Use strong, unique passwords and don't reuse them or save them insecurely. (Page 25)
- Wipe devices before disposal and back up your data regularly on and off site. (Page 25)
Organizational Security
- Follow frameworks like ISO 27000 for security best practices. (Page 26)
- Comply with regulations like HIPAA, GLBA, COPPA, FISMA based on your industry. (Page 26)
- Outsourcing compliance isn't enough; security must be an organizational priority. (Page 26)
- The Heartland breach of over 100 million cards at a PCI-compliant firm shows the risk of treating compliance as the goal. (Page 27)
Improving Organizational Security
- Perform risk assessments to understand vulnerabilities. (Page 28)
- Create security policies and educate all employees in their roles and responsibilities. (Page 28)
- Implement controls like access controls, encryption, firewalls, IDS/IPS, patching, auditing. (Page 28-29)
- Designate a security team to continuously monitor, respond to incidents, and improve practices. (Page 29)
Information Security Notes
Compliance vs Security
- A firm can be compliant with regulations and frameworks but still not be secure. Compliance is about meeting requirements; it does not guarantee security. (Page 29)
- "Compliance does not equal security. Heartland was compliant, but a firm can be compliant and not be secure." (Page 29)
- Key aspects of security:
- Education of all employees
- Regular audits to check for vulnerabilities
- Enforcement of policies and procedures with consequences for violations
A Multifaceted Approach
- Security requires expertise across technical, policy, and people dimensions
- Operations for day-to-day monitoring
- R&D to understand threats and solutions
- Governance teams on broader strategy
- Representation from legal, HR, PR etc. (Page 30)
- Processes include education, training, and awareness for all employees
- "We can't keep the Internet safe with antivirus software alone" (Page 30)
- Strong policies must be enforced with audits and penalties (Page 30)
- Development processes must integrate security from the start (Page 31)
What to Protect
- Most organizations don't know what assets need protection or where data is located (Page 31)
- Conduct risk assessments to understand vulnerabilities and risks (Page 31)
- Consider likelihood of attacks and costs of prevention versus losses in deciding investments (Page 31)
Technical Defenses
- Patching systems quickly for known vulnerabilities (Page 32)
- Lock down hardware, network, partners, and systems with controls (Pages 32-33)
- Deploy tools like firewalls, IDS, honeypots, blacklists, and whitelists (Page 33)
- Continuous auditing, logging, and monitoring (Page 33)
- Have disaster recovery and business continuity plans (Page 33)
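What "continuous logging and monitoring" buys you in practice, as an added example (not from the text): a detector run over constructed SSH authentication log lines that flags a password-guessing burst from one source and, more importantly, a successful login from that same source afterwards. The log lines are made up, and the threshold of 5 failures within 60 seconds is an assumption chosen for the demo, not a standard.

```python
"""Detect a password-guessing burst per source IP in syslog-style sshd lines,
then flag any success from a source that already tripped the alert.
Added example; LOG is constructed and the threshold/window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: a burst of guesses from 203.0.113.9 ending in a
# successful login, and normal activity from 198.51.100.4.
LOG = """\
Mar  3 10:15:01 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 10:15:03 host1 sshd[2203]: Failed password for admin from 203.0.113.9 port 51023 ssh2
Mar  3 10:15:04 host1 sshd[2205]: Failed password for invalid user test from 203.0.113.9 port 51024 ssh2
Mar  3 10:15:06 host1 sshd[2207]: Failed password for oracle from 203.0.113.9 port 51025 ssh2
Mar  3 10:15:08 host1 sshd[2209]: Failed password for jsmith from 203.0.113.9 port 51026 ssh2
Mar  3 10:15:09 host1 sshd[2211]: Accepted password for jsmith from 203.0.113.9 port 51027 ssh2
Mar  3 10:20:00 host1 sshd[2300]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
Mar  3 10:41:00 host1 sshd[2310]: Accepted publickey for jsmith from 198.51.100.4 port 40002 ssh2
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port"
)


def parse(log, year=2024):
    """Yield (timestamp, result, user, ip); syslog omits the year, so supply it."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4)


def detect(log, threshold=5, window=timedelta(seconds=60)):
    """Return alert strings: one when an IP reaches `threshold` failures inside
    `window`, and one for every later success from a flagged IP."""
    recent_failures = defaultdict(list)
    flagged = set()
    alerts = []
    for ts, result, user, ip in parse(log):
        if result == "Failed":
            # Keep only failures inside the sliding window for this source.
            recent_failures[ip] = [t for t in recent_failures[ip] if ts - t <= window] + [ts]
            if len(recent_failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"brute force: {ip} reached {threshold} failures "
                              f"within {window.seconds}s at {ts:%H:%M:%S}")
        elif ip in flagged:
            alerts.append(f"success after brute force: {user} from {ip} at {ts:%H:%M:%S}")
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print("ALERT:", alert)
```

The second alert is the one worth paging on: a guessing burst that ends in an accepted login is an account compromise, not noise, and it is only visible if the logs are collected and read.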
So in summary, a holistic, multifaceted approach is needed, spanning people, processes, and technology, and compliance must not be mistaken for real security. It is an ongoing process, not a one-time fix.