Secure Information
IT applications
Uploaded by Jake Jabonillo

Module 1: Chapter 2: Secure Information System

Learning objectives:

➢ State four reasons why computer incidents have become so prevalent
➢ Identify four classes of perpetrators most likely to initiate a cyberattack
➢ Define the term attack vector
➢ Identify at least three commonly used attack vectors
➢ Identify five cyber threats that pose a serious threat to organizations
➢ Identify five consequences of a successful cyberattack
➢ Identify five federal laws that address computer crime
Why learn about secure information systems?

Confidential business data and private customer and employee information must be safeguarded, and the
systems that hold it must be protected against malicious acts of theft or disruption.

Why are computer incidents so prevalent?

➢ Increasing complexity increases vulnerability: every added component, interface, and dependency is another place a flaw can hide
➢ Bring your own device (BYOD) policies, which put devices the organization does not control on its network
➢ Use of software with known vulnerabilities that has not been patched
➢ Increasing sophistication of those who would do harm
Perpetrators Most Likely to Initiate a Cyberattack

attack vector: The technique used to gain unauthorized access to a device or a network.
Cyberattacks That Pose Serious Threats

ransomware: Malware that stops you from using your computer or accessing your data until you meet
certain demands.
distributed denial-of-service (DDoS) attack: A cyberattack in which a malicious hacker takes over
computers via the internet and causes them to flood a target site with demands for data and other small
tasks.
botnet: A large group of computers controlled from one or more remote locations by hackers without the
knowledge or consent of their owners.
data breach: The unintended release of sensitive data or the access of sensitive data by unauthorized
individuals.
cyberespionage: The deployment of malware that secretly steals data from the computer systems of
organizations.
cyberterrorism: The intimidation of a government or civilian population by using information technology to
disable critical national infrastructure (e.g., energy, transportation, financial, law enforcement, emergency
response) to achieve political, religious, or ideological goals.
Consequences of a Successful Cyberattack

direct impact: The value of the assets (cash, inventory, equipment, patents, copyrights,
trade secrets, data) stolen or damaged due to the cyberattack.

business disruption: A successful cyberattack may make it impossible for the organization to operate in
an effective manner for several hours or days.

recovery cost: It may take people from the IS organization and business areas days or weeks to repair
affected systems and recover lost or compromised data. Resources will need to be drawn from their
normal work.

legal consequences: There is the prospect of monetary penalties for businesses that fail to comply with data
protection legislation.

reputation damage: A successful cyberattack can erode the trust your organization has established with
your customers, suppliers, business partners, and shareholders.
CIA security triad: Confidentiality, integrity, and availability form the basis of the CIA security triad.

Confidentiality ensures that only those individuals with the proper authority can access sensitive data
such as employee personal data, customer and product sales data, new product development plans,
and marketing strategies.

Integrity ensures that data can be changed only by authorized individuals, so that the accuracy, the
consistency, and the trustworthiness of the data are guaranteed.

Availability ensures that the data can be accessed when and where needed, including during
times of disaster recovery operations.
Implementing CIA at the Organizational Level

Security Strategy
Implementing CIA security at the organizational level requires a risk-based security strategy with an active
governance process to minimize the potential impact of any security incident and to ensure business continuity
in the event of a cyberattack.

Risk Assessment is the process of assessing security-related risks to an organization’s computers and
networks from both internal and external threats

disaster recovery plan: A documented process for recovering an organization’s business information
system assets—including hardware, software, data, networks, and facilities—in the event of a disaster
such as a flood, fire, or electrical outage.
business continuity plan: A document that includes an organization’s disaster recovery plan, occupant
emergency evacuation plan, continuity of operations plan, and an incident management plan
Eight steps that must be taken to perform a thorough security risk assessment include:

(1) identify the set of IT assets that are most critical,
(2) identify the loss events that could occur,
(3) assess the frequency of events or likelihood of each potential threat,
(4) determine the impact of each threat,
(5) determine how to mitigate each threat,
(6) assess the feasibility of implementing the mitigation options,
(7) perform a cost-benefit analysis, and
(8) make the decision on whether or not to implement a particular countermeasure.
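The eight steps above say what to assess but not how to put numbers on steps 3, 4, 7 and 8. The following is an added example, not part of this module or its textbook. It applies the standard annualized loss expectancy (ALE) model, which the step list does not state: SLE = asset value x exposure factor (impact of one event), ALE = SLE x ARO (frequency times impact), and net benefit of a countermeasure = ALE before - ALE after - its annual cost. All asset values, rates, costs and control names are constructed for illustration.

```python
"""Quantitative pass through the risk-assessment steps above.

Added example, not part of the module. Uses the standard annualized
loss expectancy (ALE) model, which the step list does not spell out:
  SLE = asset value x exposure factor         (step 4, impact of one event)
  ALE = SLE x ARO                             (steps 3 and 4 combined)
  net benefit = ALE before - ALE after - annual cost of control  (step 7)
All asset values, rates and costs below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    asset: str              # step 1: a critical IT asset
    event: str              # step 2: a loss event that could occur
    asset_value: float      # business value of the asset, in currency units
    exposure_factor: float  # fraction of asset value lost per event (0..1)
    aro: float              # step 3: annualized rate of occurrence


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    aro_reduction: float    # fraction of occurrences the control prevents (0..1)
    feasible: bool          # step 6: can it actually be implemented?


def sle(t: Threat) -> float:
    """Single loss expectancy: impact of one occurrence (step 4)."""
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Annualized loss expectancy: frequency times impact (steps 3 and 4)."""
    return sle(t) * t.aro


def residual_ale(t: Threat, c: Countermeasure) -> float:
    """ALE after the control reduces how often the event occurs (step 5)."""
    return sle(t) * t.aro * (1.0 - c.aro_reduction)


def net_benefit(t: Threat, c: Countermeasure) -> float:
    """Cost-benefit analysis (step 7): loss avoided minus the cost of the control."""
    return ale(t) - residual_ale(t, c) - c.annual_cost


def decide(t: Threat, c: Countermeasure) -> bool:
    """Step 8: implement only a feasible control whose benefit exceeds its cost."""
    return c.feasible and net_benefit(t, c) > 0


def rank_by_ale(threats):
    """Order threats so the largest expected annual loss is addressed first."""
    return sorted(threats, key=ale, reverse=True)


# Constructed sample inventory (not real figures).
RANSOMWARE = Threat("customer database", "ransomware encrypts database", 500_000, 0.4, 0.5)
DDOS = Threat("e-commerce web server", "DDoS outage", 200_000, 0.1, 4.0)
LAPTOP = Threat("employee laptops", "lost laptop with unencrypted data", 50_000, 0.2, 2.0)

BACKUPS = Countermeasure("offline immutable backups", 15_000, 0.8, True)
SCRUBBING = Countermeasure("DDoS scrubbing service", 90_000, 0.9, True)
FDE = Countermeasure("full-disk encryption", 5_000, 0.95, True)
THIN_CLIENTS = Countermeasure("replace laptops with thin clients", 2_000, 1.0, False)

if __name__ == "__main__":
    for t in rank_by_ale([RANSOMWARE, DDOS, LAPTOP]):
        print(f"{t.event:<40} SLE={sle(t):>10,.0f}  ALE={ale(t):>10,.0f}")
    for t, c in [(RANSOMWARE, BACKUPS), (DDOS, SCRUBBING), (LAPTOP, FDE), (LAPTOP, THIN_CLIENTS)]:
        print(f"{c.name:<36} net benefit={net_benefit(t, c):>10,.0f}  implement={decide(t, c)}")
```

Running it ranks ransomware first (ALE 100,000) and shows why step 7 matters: the scrubbing service would prevent most DDoS losses but costs more per year than it saves, so step 8 rejects it, while the far cheaper laptop encryption is accepted and the thin-client option is rejected on feasibility alone despite a positive benefit.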
mission-critical processes: Business processes that are essential to continued operations and goal
attainment.

failover: A backup approach in which, when a key component stops functioning, applications and
other programs are automatically switched over to a redundant server, network, or database to prevent an
interruption of service.

security policy: Defines an organization’s security requirements, as well as the controls and sanctions
needed to meet those requirements.

security audit: A process that enables the organization to identify its potential threats, establish a
benchmark of where it is, determine where it needs to be, and develop a plan to meet those needs

Regulatory Standards Compliance: standards and guidelines that specify how the organization will comply with the regulations that apply to it.

Security Dashboard
- Provides a comprehensive display of all key performance indicators related to an organization's security
defenses, including threats, exposures, policy compliance, and incident alerts.
- The purpose of a security dashboard is to reduce the effort required to monitor and identify threats in
time to take action.
Authentication Methods

To maintain a secure network, an organization must authenticate users attempting to access the network by
requiring them to present something they know (e.g., a username and password), something they possess (e.g., a
smart card), or something they are (a biometric check). Requiring factors from two different categories (multifactor
authentication) means that a stolen password alone is not enough to gain access.
biometric authentication: The process of verifying your identity using your physiological measurements
(fingerprint, shape of your face, shape of your hand, vein pattern, your iris, or retina) or behavioral
measurements (voice recognition, gait, gesture, or other unique behaviors).
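A worked login check combining the first two factors named above, something you know and something you possess, as an added example that is not part of this module or its textbook. The password factor is stored as a salted PBKDF2-HMAC-SHA256 hash; the possession factor is an RFC 6238 time-based one-time password (TOTP) of the kind an authenticator app or hardware token produces. The user record, password and shared secret are constructed sample data (the secret is the reference test secret from RFC 6238, so its codes can be checked against the RFC's published values).

```python
"""Two-factor login check: something you know plus something you possess.

Added example, not part of the module. The password factor is a salted
PBKDF2-HMAC-SHA256 hash; the possession factor is an RFC 6238 TOTP code
of the kind an authenticator app or hardware token generates. The user
record, password and shared secret are constructed sample data.
"""
import base64
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 600_000   # OWASP-recommended order of magnitude for PBKDF2-SHA256
TOTP_STEP = 30            # seconds each code is valid for
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A random per-user salt defeats precomputed hash tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)   # constant-time comparison


def totp(secret: bytes, at_time: float, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", int(at_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at_time=None, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate clock drift."""
    now = time.time() if at_time is None else at_time
    return any(hmac.compare_digest(totp(secret, now + d * TOTP_STEP), code)
               for d in range(-window, window + 1))


def make_user(name: str, password: str, totp_secret: bytes) -> dict:
    salt, digest = hash_password(password)
    return {"name": name, "salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


def authenticate(user: dict, password: str, code: str, at_time=None) -> bool:
    # Evaluate both factors before answering, so a failure does not reveal
    # whether it was the password or the code that was wrong.
    password_ok = verify_password(password, user["salt"], user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok


# Constructed sample user. The secret is the RFC 6238 reference test secret;
# enrolment would hand it to the user's authenticator app as base32.
RFC6238_SECRET = b"12345678901234567890"
ALICE = make_user("alice", "correct horse battery staple", RFC6238_SECRET)

if __name__ == "__main__":
    print("enrol in authenticator with:", base64.b32encode(RFC6238_SECRET).decode())
    now = time.time()
    code = totp(RFC6238_SECRET, now)
    print("login ok:", authenticate(ALICE, "correct horse battery staple", code, now))
    print("wrong code:", authenticate(ALICE, "correct horse battery staple", "000000", now))
```

Two details are deliberate: both comparisons use hmac.compare_digest so timing does not leak how many bytes matched, and authenticate always checks both factors rather than returning as soon as the password fails, so an attacker cannot tell which factor they got right.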

firewall: A system of software, hardware, or a combination of both that stands guard between an
organization's internal network and the internet, and limits network access based on the organization's
access policy.

next-generation firewall (NGFW): A hardware- or software-based network security system that can
detect and block sophisticated attacks by filtering network traffic based on the packet contents, not only on
addresses and ports.

router: A networking device that connects multiple networks together and forwards data packets from one
network to another.
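The behaviour the firewall definition above describes, as an added example that is not part of this module or its textbook: a first-match packet filter that allows traffic only where a rule in the access policy says so and drops everything else (default deny). The rule set, network ranges and sample packets are constructed; 192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges, not real hosts.

```python
"""First-match packet filter with an implicit default deny.

Added example, not part of the module. Rules, addresses and packets are
constructed. It shows the behaviour the firewall definition describes:
traffic crosses the boundary only where the access policy explicitly
allows it, and rule order matters because the first match wins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # source network in CIDR notation
    dst: str         # destination network in CIDR notation
    dports: tuple    # inclusive (low, high) destination port range
    comment: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dports[0] <= pkt.dport <= rule.dports[1])


def evaluate(policy, pkt: Packet):
    """Return (action, comment) of the first matching rule; deny if none matches."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


# Constructed policy: internal network 10.0.0.0/8 and one public web server in
# the DMZ at 192.0.2.10. Anything not listed falls through to the default deny.
POLICY = [
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", (443, 443), "public HTTPS to web server"),
    Rule("allow", "tcp", "10.0.0.0/8", "192.0.2.10/32", (22, 22), "admin SSH from internal only"),
    Rule("deny", "tcp", "0.0.0.0/0", "192.0.2.10/32", (22, 22), "log and drop SSH from elsewhere"),
    Rule("allow", "any", "10.0.0.0/8", "10.0.0.0/8", ANY_PORT, "internal to internal"),
]

# Constructed sample traffic.
SAMPLES = [
    Packet("tcp", "198.51.100.7", "192.0.2.10", 443),   # customer browsing the site
    Packet("tcp", "198.51.100.7", "192.0.2.10", 22),    # SSH attempt from the Internet
    Packet("tcp", "10.1.2.3", "192.0.2.10", 22),        # administrator from inside
    Packet("tcp", "198.51.100.7", "10.1.2.3", 445),     # Internet host probing SMB inside
    Packet("udp", "10.1.2.3", "10.9.9.9", 53),          # internal DNS lookup
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        action, why = evaluate(POLICY, pkt)
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport:<5} {action:<5} ({why})")
```

Because the first match wins, swapping the second and third rules would make the broad SSH deny shadow the administrators' allow and lock them out; finding shadowed or over-broad rules like that is exactly what a firewall rule review looks for. A stateless filter like this also cannot tell a reply packet from a new connection, which is why real firewalls track connection state as well.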
encryption: The process of scrambling messages or data in such a way that only authorized
parties can read it.

encryption key: A value that is applied (using an algorithm) to a set of unencrypted text
(plaintext) to produce encrypted text that appears as a series of seemingly random characters
(ciphertext) and is unreadable by those without the key needed to decipher it.

transport layer security (TLS): A communications protocol, or system of rules, that ensures the
privacy and integrity of data exchanged between communicating applications and their users on the internet.

Proxy Servers and Virtual Private Networks

A proxy server serves as an intermediary between a Web browser and other servers on the Internet: it makes
requests to Web sites, servers, and services on the Internet on behalf of the browser, so that the internal
client is not directly exposed to the outside host.
A virtual private network (VPN) uses encryption to carry private traffic over a public network such as the
Internet, so that remote users and sites can reach the organization's network as if they were connected to it directly.
Implementing CIA at the Application Level

➢ Authentication methods
➢ User roles and accounts
➢ Data encryption

Implementing CIA at the End-User Level

Security education, authentication methods, antivirus software, and data encryption must all be in place to protect
what is often the weakest link in the organization's security perimeter: the individual user. The importance of
these end-user level security measures cannot be overemphasized.

Security Education
Creating and enhancing user awareness of security policies is an ongoing security priority for companies.

Authentication Methods

Antivirus Software: installed on each user's personal computer to scan the computer's memory and disk drives
regularly for viruses.

virus signature: Code that indicates the presence of a specific virus.

Data Encryption
Implementing Safeguards Against Attacks by Malicious Insiders
Detection of a CyberAttack

Intrusion detection system (IDS): Software and/or hardware that monitors system and network
resources and activities and notifies network security personnel when it detects network traffic that
attempts to circumvent the security measures of a networked computer environment.

A knowledge-based intrusion detection system contains information about specific attacks and system
vulnerabilities and watches for attempts to exploit them, such as repeated failed login attempts or recurring
attempts to download a program to a server. When such an attempt is detected, an alarm is triggered.

A behavior-based intrusion detection system models the normal behavior of a system and its users from
reference information it collects over time, and triggers an alarm when observed activity deviates
significantly from that baseline, even when no known attack pattern is involved.
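The two IDS approaches above side by side, as an added example that is not part of this module or its textbook. The log lines are constructed in the syslog format written by OpenSSH's sshd. The knowledge-based detector encodes one specific pattern the text names, repeated failed logins from a single source; the behavior-based detector has no attack knowledge at all: it learns each host's normal hourly volume of successful logins from a quiet training day and flags hours that deviate strongly from that baseline. The host name, addresses, account names and thresholds are all constructed.

```python
"""Knowledge-based and behavior-based detection over sample SSH login logs.

Added example, not part of the module. The log lines are constructed in
sshd's syslog format. The knowledge-based detector encodes one specific
attack pattern (repeated failed logins from a single source); the
behavior-based detector learns each host's normal hourly volume of
successful logins from a quiet training day and flags hours that deviate
from that baseline, without any attack signature.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(lines):
    """Return parsed events sorted by timestamp; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def knowledge_based(events, threshold=5, window_s=60):
    """Signature rule: `threshold` failed logins from one IP within `window_s` seconds."""
    alerts, recent = [], defaultdict(deque)
    for ev in events:
        if ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]) > timedelta(seconds=window_s):
            q.popleft()                    # slide the window forward
        if len(q) >= threshold:
            alerts.append(("brute force", ev["ip"], ev["host"], ev["ts"]))
            q.clear()                      # one alert per burst, not one per extra attempt
    return alerts


def hourly_logins(events):
    """Count accepted logins per (host, hour)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["result"] == "Accepted":
            counts[(ev["host"], ev["ts"].strftime("%Y-%m-%dT%H"))] += 1
    return counts


def behavior_based(baseline_events, events, z_threshold=3.0):
    """Flag (host, hour) whose login count sits more than z_threshold stdevs above that host's baseline."""
    per_host = defaultdict(list)
    for (host, _), n in hourly_logins(baseline_events).items():
        per_host[host].append(n)
    alerts = []
    for (host, hour), n in sorted(hourly_logins(events).items()):
        hist = per_host.get(host)
        if not hist:
            alerts.append(("no baseline for host", host, hour, n))
            continue
        mu, sigma = mean(hist), max(pstdev(hist), 1.0)   # floor avoids dividing by zero on a flat baseline
        if (n - mu) / sigma > z_threshold:
            alerts.append(("login volume anomaly", host, hour, n))
    return alerts


def make_lines(day, hour, n, result, user, ip, spacing_s, host="web1"):
    """Construct n sshd log lines within one hour, spaced spacing_s seconds apart."""
    start = datetime.fromisoformat(f"{day}T{hour:02d}:00:00")
    who = f"invalid user {user}" if result == "Failed" else user
    return [f"{(start + timedelta(seconds=i * spacing_s)).isoformat()} {host} sshd[{4000 + i}]: "
            f"{result} password for {who} from {ip} port {40000 + i} ssh2" for i in range(n)]


# Constructed training day: one to three deploy logins per hour from the jump host.
BASELINE = [line for h, n in enumerate([2, 1, 3, 2, 2, 3, 1, 2])
            for line in make_lines("2024-09-01", h, n, "Accepted", "deploy", "10.0.0.21", 600)]
# Constructed day under attack: a password-guessing burst at 03:00, after which the
# guessed account is used far more often than normal from the attacker's address.
OBSERVED = (make_lines("2024-09-02", 3, 6, "Failed", "admin", "203.0.113.5", 5)
            + make_lines("2024-09-02", 3, 9, "Accepted", "deploy", "203.0.113.5", 120)
            + make_lines("2024-09-02", 4, 3, "Accepted", "deploy", "10.0.0.21", 600))

if __name__ == "__main__":
    events = parse(OBSERVED)
    for alert in knowledge_based(events) + behavior_based(parse(BASELINE), events):
        print(alert)
```

On the constructed data the knowledge-based rule fires once, on the burst of failed logins, and would have stayed silent had the attacker guessed the password on the first try; the behavior-based detector catches the unusual volume of successful logins in the same hour without knowing anything about brute forcing, at the cost of needing a trustworthy baseline and a threshold that has to be tuned to keep false alarms down.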
Response

Incident Notification: A key element of any response plan is to define who to notify, and who not
to notify, in the event of a computer security incident.

Protection of Evidence and Activity Logs

An organization should document all details of a security incident as it works to resolve the incident.
Documentation captures valuable evidence for a future prosecution and provides data to help during the
incident eradication and follow-up phases.

Containment: The incident response plan should clearly define the process for deciding whether an attack is dangerous
enough to warrant shutting down or disconnecting critical systems from the network.

Eradication: The process of completely removing or eliminating a threat, vulnerability, or malicious
entity from an information system or network.
Incident Follow-up
Using a Managed Security Service Provider (MSSP)
Keeping up with computer criminals, and with new laws and regulations, can be daunting for organizations.
Criminal hackers are constantly poking and prodding, trying to breach the security defenses of organizations.

managed security service provider (MSSP): A company that monitors, manages, and maintains computer and
network security for other organizations. MSSPs include such companies as AT&T, Computer Sciences Corporation,
Dell SecureWorks, IBM, Symantec, and Verizon. MSSPs provide a valuable service for IS departments drowning in
reams of alerts and false alarms coming from virtual private networks (VPNs); antivirus, firewall, and intrusion
detection systems; and other security-monitoring systems. In addition, some MSSPs provide vulnerability scanning
and Web blocking and filtering capabilities.
computer forensics: A discipline that combines elements of law and computer science to identify, collect,
examine, and preserve data from computer systems, networks, and storage devices in a manner that
preserves the integrity of the data gathered so that it is admissible as evidence in a court of law.
Activity 2: Business-Driven Decision-Making exercise
Submit via LMS on or before 05 September 2024

It appears that someone is using your firm’s corporate directory—which includes job titles and
email addresses—to contact senior managers and directors via email. The email requests that the
recipient click on a URL, which leads to a Web site that looks as if it were designed by your
human resources organization. Once at this phony Web site, the employees are asked to confirm
the bank and account number to be used for electronic deposit of their annual bonus check.

You are a member of the IS Security unit.

How should you respond to this threat?
