2.5.1 Information System Security
Security
Information System Security
Today most information systems (IS) are connected to the Internet, which exposes them to a wide range of threats.
Why Information Security?
• Piggybacking
• Cookies
• Cross Site Scripting (XSS)
• SPAM
• Denial of Service (DoS) / DDoS
• Viruses / Worms / Trojans
• Spyware / Adware
• Phishing
• Spoofing
• etc.
Elements of Information Security
Three basic elements of Information Security:
• Confidentiality
• Integrity
• Availability
Vulnerability
• A weakness within a system; the degree to which the system is exposed to a threat.
Threat
• A possible event that can damage or harm an Information System.
Countermeasures
• A set of actions implemented to prevent threats from being realized.
• Human Error
• Natural Disasters
• Political Disasters
• Computer Crime / Abuse
Computer Viruses
• Code that performs a malicious act.
• Can insert itself into other programs in a system.
• A worm is a virus that replicates itself to other systems over the network.
• The biggest threat to personal computing.
Trojan Horse
• A program that performs malicious or unauthorized acts.
• Distributed as a legitimate program.
• May be hidden within a legitimate program.
Denial of Service (DoS)
• Making a system unavailable to its legitimate users.
Impersonation
• Assuming someone else's identity and enjoying that person's privileges.
Salami Technique
• Diverting small amounts of money from a large number of accounts maintained by the system.
• The small amounts go unnoticed.
Spoofing
• Configuring a computer to assume some other computer's identity.
Scavenging
• Unauthorized access to information by searching through the remains left after a job is finished.
• Dumpster diving is the physical form of scavenging.
Data Leakage
• Various techniques are used to obtain stored data, for example:
• SQL injection
• Error outputs that reveal internal details
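The two data-leakage techniques named above can be shown side by side. The following is an added example, not code from the slides: a lookup that builds its SQL by string concatenation next to one that uses a parameterized query, plus a request handler that logs raw database errors internally instead of echoing them to the user. The table, account rows and the helper names (make_db, lookup_vulnerable, lookup_safe, handle_request) are all constructed for this illustration.

```python
import sqlite3

# Constructed sample table (not from the slides): a few account rows in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 120), ("bob", 75), ("carol", 300)],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, owner):
    """Builds the SQL text by concatenation: whatever the caller supplies becomes
    part of the query itself, so a quote in the input changes the query's structure."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, owner):
    """Parameterized query: the driver binds the value as data, so it is only ever
    compared against the owner column and never re-interpreted as SQL."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()

# Server-side record of raw database errors (a plain list here; a real service would use logging).
INTERNAL_ERROR_LOG = []

def handle_request(conn, owner, lookup=lookup_safe):
    """Request handler that never returns the database error text to the client.
    Driver messages (which may contain query fragments or table names) go to the
    internal log only; the caller sees a generic failure message."""
    try:
        return {"ok": True, "rows": lookup(conn, owner)}
    except sqlite3.Error as exc:
        INTERNAL_ERROR_LOG.append(f"{type(exc).__name__}: {exc}")
        return {"ok": False, "error": "lookup failed"}

if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"  # input that rewrites a concatenated query's WHERE clause
    print("vulnerable lookup:", lookup_vulnerable(db, tampered))  # every account row leaks
    print("safe lookup:      ", lookup_safe(db, tampered))        # treated as a literal name: []
    print("name with a quote, vulnerable:", handle_request(db, "o'neil", lookup_vulnerable))
    print("name with a quote, safe:      ", handle_request(db, "o'neil"))
```

Running the block shows both leakage paths: the concatenated query returns all three accounts for the tampered input, while the parameterized query returns nothing; a legitimate name containing a quote makes the concatenated query fail, and the handler answers with "lookup failed" rather than the driver's message, which would otherwise tell a client how the query is built.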
Wiretapping
• Tapping computer transmission lines to obtain the data in transit.
Theft of Mobile Devices
Myths, Rumors and Hoaxes
• Created by sending false emails to as many people as possible.
• These may have a significant impact on companies, their reputation and their business.
Asset
• Something of value to the organization.
Actor / Attacker
• Who or what may violate the security requirement.
Motive
• Deliberate or accidental.
Access
• How the attacker will reach the asset.
Classification of Threats
Types of assets:
• Hardware
• Software
• Information
• Systems
• People
Classify Assets
Hidden Costs
• Difficult to calculate, for example:
• Cost of a damaged reputation
• Loss of faith by customers, bankers or vendors
The aim of information system security is to protect the organization's assets.
Detective Controls
• Detect a security breach or incident.
Corrective Controls
• These controls detect an error or incident and correct it.