Reviewermod 1

The document covers the fundamentals of information systems security, including types of hackers, cyber threats, and mitigation strategies. It emphasizes the importance of cybersecurity principles such as the CIA triad (Confidentiality, Integrity, Availability) and outlines various security measures like multi-factor authentication and regular audits. Additionally, it discusses the impact of the Internet of Things (IoT) on security and privacy, as well as the legal and regulatory landscape surrounding cybersecurity.

Uploaded by tangerine relevo

Fundamentals of Information Systems Security

Module 1

Introduction to Information Security
 The Internet has evolved into a global network with over 5 billion users.
 Cyber threats affect businesses, governments, and individuals.
 Security professionals play a vital role in protecting data and IT infrastructure.

Risks, Threats, and Vulnerabilities
 Unauthorized access and data breaches are major concerns.
 Cyberattacks impact national security and economic stability.
 Protection strategies involve layered security approaches.

The CIA Triad (Principles of Information Security)
 Confidentiality – Restricts access to authorized users only.
 Integrity – Prevents unauthorized data modification.
 Availability – Ensures reliable access to data when needed.

Seven Domains of IT Security
 User Domain – Responsibilities of end-users in security.
 Workstation Domain – Device security policies.
 LAN Domain – Protection of internal networks.
 LAN-to-WAN Domain – Firewall and perimeter security.
 WAN Domain – Secure external network communications.
 Remote Access Domain – Secure access via VPNs.
 System/Application Domain – Securing databases and applications.

Common Cyber Threats
 Phishing Attacks – Fake emails and websites trick users into providing sensitive information. Often used to steal passwords, credit card details, and personal data. Avoid clicking on unknown links.
 Malware & Ransomware – Encrypts files and demands a ransom payment.
 Denial of Service (DoS) Attacks – Floods networks with excessive traffic. Causes disruptions and slows down networks.
 Social Engineering – Psychological manipulation that tricks users into revealing information or granting access.
 Zero-Day Exploits – Attacks on unknown vulnerabilities. No immediate fixes available.
 Insider Threats – Security risks from employees or partners. Can be intentional or accidental.

Types of Hackers
 White Hat – Ethical hackers.
 Black Hat – Malicious hackers.
 Gray Hat – Hackers with mixed intentions.
 Script Kiddies – Inexperienced attackers.

Mitigation Strategies
 Implement security awareness training.
 Strong authentication (e.g., multi-factor authentication).
 Apply security policies and access controls.
 Conduct regular security audits and risk assessments.

Understanding Data Breaches
 Occurs when unauthorized individuals access confidential data.
 Can lead to identity theft and financial fraud.
 Organizations must implement strong security measures.

Importance of Cybersecurity
 Protects personal and organizational data.
 Prevents financial losses.
 Ensures national security.
 Reduces cyber threats and vulnerabilities.

Principles of IT Security
 Authentication – Verifying user identity.
 Authorization – Granting appropriate access rights.
 Accounting – Tracking user activities and changes.

Developing a Cybersecurity Policy
 Establish clear security guidelines.
 Implement employee training programs.
 Regularly update security protocols.
 Conduct routine security audits.

Network Security Basics
 Use firewalls and intrusion detection systems.
 Encrypt sensitive data.
 Implement strong password policies.
 Monitor network traffic for suspicious activities.

Cybersecurity in Cloud Computing
 Protects data stored in cloud services.
 Threats: data breaches, misconfigurations, insider threats.
 Use encryption and strong access controls.

Cybersecurity Best Practices
 Avoid clicking on suspicious links.
 Use multi-factor authentication (MFA).
 Keep software updated.
 Regularly back up critical data.
 Implement strong password policies.

Developing a Strong Password Policy
- Use long, complex passwords with a mix of characters.
- Avoid using the same password across multiple sites.
- Consider using a password manager.

Cybersecurity Awareness Training
 Educating employees and users about security risks.
 Regular training reduces human errors.
 Phishing simulations help users recognize threats.
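The three password-policy rules above, worked as code. This is an added example written for this reviewer, not code from the original notes: it checks length and character mix, detects one password reused across several sites (the check a password manager makes before it saves a new entry), and stores each vault entry as a salted PBKDF2-HMAC-SHA256 digest so that the vault never holds plaintext. The minimum length, the PBKDF2 work factor, the site names and the passwords are constructed assumptions.

```python
"""Password-policy check, reuse detection and salted storage (added example).

Not code from the original notes.  MIN_LENGTH, the PBKDF2 work factor and the
vault entries below are constructed assumptions.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12          # assumed policy value; the notes only say "long"
PBKDF2_ROUNDS = 100_000  # assumed work factor for PBKDF2-HMAC-SHA256


def check_policy(password):
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": string.ascii_lowercase,
        "uppercase": string.ascii_uppercase,
        "digit": string.digits,
        "symbol": string.punctuation,
    }
    missing = [name for name, alphabet in classes.items()
               if not any(c in alphabet for c in password)]
    if missing:
        violations.append("missing character class(es): " + ", ".join(missing))
    return violations


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest). A fresh salt per entry
    means two identical passwords get different digests, so reuse cannot be
    found by comparing stored digests; it has to be checked as in find_reuse."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute and compare in constant time so timing does not leak the digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def find_reuse(candidate, vault):
    """Sites whose stored entry matches the candidate password.
    A password manager runs this before saving a new entry."""
    return sorted(site for site, (salt, digest) in vault.items()
                  if verify_password(candidate, salt, digest))


# Constructed vault: site -> (salt, digest). The same password is reused on two sites.
VAULT = {
    "mail.example": hash_password("Correct-Horse-Battery-9!"),
    "bank.example": hash_password("Correct-Horse-Battery-9!"),
    "shop.example": hash_password("xq7$Lm2p!Rz9&Vb4"),
}

if __name__ == "__main__":
    print(check_policy("password"))                       # two violations
    print(check_policy("Correct-Horse-Battery-9!"))       # []
    print(find_reuse("Correct-Horse-Battery-9!", VAULT))  # ['bank.example', 'mail.example']
```

The reuse check has to re-derive the digest for every vault entry because each entry carries its own salt; that cost is deliberate, since the same property is what stops an attacker who steals the vault from spotting shared passwords at a glance.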
Cryptography and Encryption
- Protects data by converting it into unreadable formats.
- Common encryption methods: AES, RSA, SHA.
- Ensures confidentiality and data integrity.

Multi-Factor Authentication (MFA)
- Adds extra security layers beyond passwords.
- Common methods: SMS codes, authentication apps, biometrics.
- Reduces the risk of unauthorized access.

Mobile Security
- Smartphones are common targets for cybercriminals.
- Threats: malware, phishing, unsecured Wi-Fi.
- Use strong passwords and keep devices updated.

IoT Security Challenges
- Internet of Things (IoT) devices are often vulnerable.
- Risks: unauthorized access, data leaks, botnet attacks.
- Secure IoT devices with firmware updates and network segmentation.

Artificial Intelligence in Cybersecurity
 AI helps detect and prevent cyber threats.
 Machine learning identifies suspicious activities.
 Attackers also use AI to enhance cyber attacks.

Ethical Hacking and Penetration Testing
 Simulated cyberattacks to test security defenses.
 Helps organizations identify weaknesses.
 Ethical hackers follow legal and professional guidelines.

Cybersecurity Laws and Regulations
 General Data Protection Regulation (GDPR) – Protects user privacy.
 Health Insurance Portability and Accountability Act (HIPAA) – Secures healthcare data.
 Federal Information Security Management Act (FISMA) – Sets US government security standards.
 Children’s Internet Protection Act (CIPA) – Protects minors online.
 Sarbanes-Oxley Act (SOX) – Requires public companies to secure financial data and enforce internal controls to prevent fraud.
 Gramm-Leach-Bliley Act (GLBA) – Ensures financial institutions protect customers' personal information and disclose security policies.
 Family Educational Rights and Privacy Act (FERPA) – Protects student education records and limits access to unauthorized individuals.

Forensic Investigation in Cybersecurity
 Analyzing cyberattacks to trace attackers.
 Helps in legal actions against cybercriminals.
 Uses tools like digital forensics software and log analysis.

Threat Intelligence and Monitoring
 Collecting data on potential cyber threats.
 Proactive defense against attacks.
 Security teams use threat intelligence tools to track cybercriminal activities.

Cyber Insurance
 Helps businesses recover from cyber attacks.
 Covers financial losses, legal fees, and reputational damage.
 Not a replacement for strong cybersecurity measures.

Incident Response Team (IRT)
 Dedicated team handles cybersecurity incidents.
 Quick response reduces damage from attacks.
 Includes IT, legal, PR, and risk management professionals.

Incident Response Planning
 Identify security breaches quickly.
 Contain and mitigate risks.
 Notify affected individuals or organizations.
 Review and improve security measures.

Zero Trust Security Model
 Trust no one, verify every access request.
 Limits access to only necessary users and devices.
 Enhances security across networks and applications.

The Future of Cybersecurity
 AI-driven threat detection.
 Automation in security systems.
 Stronger privacy regulations.
 Enhanced user awareness and training.
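The "authentication apps" listed under Multi-Factor Authentication earlier on this page generate one-time codes from a shared secret and the clock. The following is an added example, not code from the original notes: HOTP and TOTP as specified in RFC 4226 and RFC 6238, in standard-library Python, plus the server-side verifier that accepts one neighbouring time step to absorb clock skew. The secret is the RFC test secret and the expected codes are the RFCs' published vectors; the account and issuer names in the provisioning URI are made up.

```python
"""HOTP/TOTP one-time codes as used by authenticator apps (added example).

Not code from the original notes.  Implements RFC 4226 (HOTP) and RFC 6238
(TOTP) with HMAC-SHA1, dynamic truncation and a skew-tolerant verifier.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1(secret, 8-byte big-endian counter), truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, digits=6, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, window=1):
    """Server-side check: accept the current step and +/- `window` steps of skew.
    Comparison is constant time so a timing side channel cannot leak digits."""
    counter = int(at_time) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + delta), code)
               for delta in range(-window, window + 1))


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that authenticator apps read from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits=6&period={STEP_SECONDS}")


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); not for real use.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("current code:", totp(RFC_SECRET, time.time()))
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "ExampleCorp"))
```

A real deployment also records the last counter that was accepted and refuses it a second time, which turns the code into a true one-time value even inside the skew window.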
Module 2

The Internet of Things Is Changing How We Live

Drivers for Internet of Things (IoT)
 IP-based networking
 Connectivity
 Smaller and faster computing
 Cloud computing
 Data analytics

Evolution of IoT
 Internet service providers (ISPs)
 Radio frequency identification (RFID)
 Application service providers (ASPs)
 Software as a Service (SaaS)

How the Internet and TCP/IP Transform Our Lives
 The transition to a Transmission Control Protocol/Internet Protocol (TCP/IP) world changed our way of life.
 People, families, businesses, educators, and government all communicate differently than they did before.
 Nearly everyone has easy access to the Internet.

IoT’s Impact on Human and Business Life
 The Internet has changed our day-to-day lives:
   o Personally
   o Socially
   o Professionally
 Use the Internet to:
   o Check weather, news, and social media sites at home
   o Check business emails at work

Store-and-Forward vs. Real-Time Communications
 Real-time – Occurs instantaneously.
 Store-and-forward – Acceptable delay in transmitting communication.

Social Media and Mediums
 Social media: Facebook, Twitter, LinkedIn, Pinterest, Google+, Instagram
 Mediums: VoIP, IM chat, audio conference, video conference, collaboration, digital media

IoT’s Impact on Humans
 Health monitoring and updating
 Home security and smart home control systems
 Online family member calendars
 Near real-time tracking and monitoring via GPS
 Online banking, bill paying, and financial transactions
 Online e-commerce purchases

IoT’s Impact on Business
 Retail stores
 Virtual workplace
 Remote sensors
 Traffic-monitoring applications
 B2C service delivery model
 “Anything as a Service” IoT applications

Evolution from Bricks and Mortar to E-Commerce
 E-commerce
   o Sale of goods and services on the Internet
 Business-to-consumer (B2C)
   o Customers purchase goods and services directly from their website
 Business-to-business (B2B)
   o Businesses conduct sales with other businesses
 Payment Card Industry Data Security Standard (PCI DSS)
   o Protects private customer data
 Internet business challenges:
   o Growing the business through the Internet
   o Changing an existing conventional business into an e-business
   o Building secure and highly available websites and e-commerce portals
   o Building a web-enabled customer-service strategy
   o Finding new customers with Internet marketing

E-business Strategy Elements
 E-commerce solution
 Internet marketing strategy
 E-customer service-del1ivery strategy
 Payment and credit card transaction processing

Why Businesses Must Have an Internet and IoT Marketing Strategy
 Must remain competitive
 Bricks-and-mortar business model out of date in global market
 Customers require continuous access to information, products, and services

IP Mobility
 Personal communication devices and mobile phones are powerful
 Cell phones are used to extend mobility
 Mobile phones, smartphones, and PDAs match the power and flexibility of small computers
 Tablets, smartphones, and netbooks fill the need for lightweight portable devices

Mobile Users and Bring Your Own Device (BYOD)
 Employees and contractors use their own personal devices to connect to the network at the office

Issues with Mobile Computing
• Network • Usability • Security

Mobile Applications
 Limited web browsers can’t run some traditional applications
 Bad interface design causes application failure on mobile devices
 Many users from multiple domains found uses for mobile applications
 Medical applications were a good fit for mobile applications
 4G & 5G networks provide true IP communications.
 Mobile IP enables users to:
   o Move between LAN segments and stay connected without interruption.
   o Maintain a connection to the network as long as the mobile device stays within network coverage.

New Challenges Created by the IoT
 Security: How do you keep the bad guys out if you enable the IoT for your personal and professional life?
 Privacy: How do you protect your family’s identity and privacy data from theft or unauthorized access that can lead to identity theft?
 Interoperability and standards: How well do IoT manufacturers and ASP developers ensure that devices communicate securely?
 Legal and regulatory compliance
 E-commerce and economic development issues

Security Challenges of IT Devices
 Deployed in large quantities (such as sensors or consumer items)
 Not maintained or updated devices allow vulnerabilities
 Upgrades can be difficult to distribute and deploy
 No owner visibility of how the device connects to the Internet
 Not physically secure
 Capture readings and measurements in the open

Privacy Challenges
 Privacy policy statement.
 Definition of data, metadata, or analytical data use and rights.
 Ability for a user to provide consent to a manufacturer’s or application service provider’s privacy policy statement.
 Determine the domain of privacy.

Interoperability and Standards
 Internet Engineering Task Force (IETF) ensures interoperability and standards can be pursued for IoT solutions.
 Interoperability has significant financial impacts if not properly addressed.
 Goal is to bring the cost of IoT devices and supporting applications down so they are affordable.

Interoperability and Standards Challenges
 Some manufacturers want to design and deploy proprietary IoT devices and solutions.
 Cost factors to implement functional, operational, technical, and security capabilities into IoT devices and applications.
 Time-to-market risk.
 Technology outdated risk.
 A void in interoperability and standards for IoT devices can create an environment of bad IoT devices.

Legal and Regulatory Issues
 Proper handling and protection of sensitive data
 Privacy data subject to privacy laws of the state you live in as well as the state that the IoT hosting company resides in
 IoT vendor or solutions provider required to adhere to security control requirements and data protection laws

Legal and Regulatory IoT Questions
 Who is collecting data?
 Who is collecting behavior patterns?
 Are they selling this data?
 Do they have the right to sell it?
 Is there liability associated with the data?

E-Commerce and Economic Development Issues
 Infrastructure resources
 Foundational investments
 Technical and industry development
 Policy and regulatory definitions

Module 3 - Malicious Attacks, Threats, and Vulnerabilities

Malicious Activity on the Rise
 Examples of malicious attacks are everywhere.
 Data breaches occur in both public and private sectors.
 In 2013, China was the top country of origin for cyberattacks, at 41 percent.
 United States was second at 10 percent.

What Are You Trying to Protect?
 Customer data—Name, address, phone, Social Security number (SSN), date of birth, cardholder data, protected health care information.
 IT assets and network infrastructure—Hardware, software, and services.
 Intellectual property—Sensitive data such as patents, source code, formulas, or engineering plans.
 Finances and financial data—Bank accounts, credit card data, and financial transaction data.
 Service availability and productivity—The ability of computing services and software to support productivity for humans and machinery.
 Reputation—Corporate compliance and brand image.

Whom Are You Trying to Catch?
 Black-hat hacker: Tries to break IT security and gain access to systems with no authorization in order to prove technical prowess.
   o Black-hat hackers generally develop and use special software tools to exploit vulnerabilities.
   o May exploit holes in systems but generally do not attempt to disclose vulnerabilities they find to the administrators of those systems.
 White-hat hacker: Also called an ethical hacker; an information systems security professional who has authorization to identify vulnerabilities and perform penetration testing.
 The difference between white-hat hackers and black-hat hackers is that white-hat hackers identify weaknesses for the purpose of fixing them, while black-hat hackers find weaknesses just for the fun of it or to exploit them.
 Gray-hat hacker: A hacker with average abilities who may one day become a black-hat hacker but could also opt to become a white-hat hacker.
   o A hacker who will identify but not exploit discovered vulnerabilities, yet may still expect a reward for not disclosing the vulnerability openly.
 Cracker: Has a hostile intent, possesses sophisticated skills, and may be interested in financial gain. Crackers represent the greatest threat to networks and information resources.

Attack Tools
 Vulnerability scanners
   o Software program that is used to identify and, when possible, verify vulnerabilities on an IP host device.
   o Common Vulnerabilities and Exposures (CVE).
 Password crackers
   o The purpose is to uncover a forgotten or unknown password.
   o Use a brute-force password attack to gain unauthorized access to a system or to recover passwords.
 Keystroke loggers
   o Type of surveillance software or hardware that can record to a log file every keystroke a user makes with a keyboard.
 Protocol analyzers (sniffers)
   o Software program that enables a computer to monitor and capture network traffic, whether on a LAN or a wireless network.
 Port scanners
   o A tool used to scan IP host devices for open ports that have been enabled.
 OS fingerprint scanners
   o A software program that allows an attacker to send a variety of packets to an IP host device, hoping to determine the target device’s operating system (OS) from the responses.

What Is a Security Breach?
 Any event that results in a violation of any of the C-I-A security tenets.
 Some security breaches disrupt system services on purpose.
 Some are accidental and may result from hardware or software failures.

Activities that Cause Security Breaches

Denial of Service Attack (DoS Attack)
- A coordinated attempt to deny service by occupying a computer to perform large amounts of unnecessary tasks
   • Logic attacks • Flooding attacks
- Protect using
   • Intrusion prevention system (IPS) • Intrusion detection system (IDS)
- Attacks launched using
   • SYN flood • Smurfing
 Smurf Attack – A network attack in which forged Internet Control Message Protocol (ICMP) echo request packets are sent to IP broadcast addresses from remote locations to generate DoS attacks.
 Smurfing – A DoS attack that uses a directed broadcast to create a flood of network traffic for the victim computer.

DoS Attack Protection
Intrusion detection system (IDS):
 An IDS security appliance examines IP data streams for common attack and malicious intent patterns.
 IDSs are passive, going only so far as to trigger an alarm, but they will not actively block traffic.
Intrusion prevention system (IPS):
 An IPS does the same thing as an IDS but can block IP data streams identified as malicious.
 IPSs can end the actual communication session, filter by source IP addresses, and block access to the targeted host.

Distributed Denial of Service Attack (DDoS Attack)
 Overloads computers and prevents legitimate users from gaining access.
 More difficult to stop than a DoS attack because DDoS originates from different sources.

Unacceptable Web Browsing
 Define acceptable web browsing in an acceptable use policy (AUP).
 Unacceptable use can include:
   o Unauthorized users searching files or storage directories.
   o Users visiting prohibited websites.

WIRETAPPING
Active
• Between-the-lines wiretapping
• Piggyback-entry wiretapping
Passive
• Also called sniffing
▪ Between-the-lines wiretapping
- This type of wiretapping does not alter the messages sent by the legitimate user but inserts additional messages into the communication line when the legitimate user pauses.
▪ Piggyback-entry wiretapping
- This type of wiretapping intercepts and modifies the original message by breaking the communications line and routing the message to another computer that acts as a host.

BACKDOOR
• Hidden access included by developers.
• Attackers can use them to gain access.

DATA MODIFICATIONS
Data that is:
• Purposely or accidentally modified
• Incomplete
• Truncated

Additional Security Challenges
❑ Spam – unwanted email.
❑ Spim – consists of instant messages or IM chats.
❑ Hoaxes
   • Hoax: an act intended to deceive or trick the receiver.
   • In this context, hoaxes normally travel in email messages.
   • Often, these messages contain warnings about devastating new viruses.
❑ Cookies
   • To help a web server track a user’s history, web browsers allow the web server to store a cookie on the user’s hard drive.
   • A cookie is simply a text file that contains details gleaned from past visits to a website.

RISK
- Probability that something bad is going to happen to an asset.
THREAT
- Any action that can damage or compromise an asset.
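The IDS/IPS distinction above, worked on the two DoS techniques the notes name (SYN flood and smurfing). This is an added example, not code from the original notes: a small detector over constructed flow records that raises alerts the way an IDS does, and an IPS pass that turns the same alerts into filtering actions. The log format, the thresholds, the monitored subnet and every address are assumptions. One point the code makes that the notes leave implicit: a smurf packet carries the victim's forged source address, so "filter by source" is the wrong IPS action for it; the right one is to drop echo requests aimed at the directed-broadcast address.

```python
"""Tiny IDS/IPS over constructed flow records: SYN-flood and smurf indicators.

Added example, not code from the original notes.  Log format, thresholds,
subnet and addresses are assumptions.  Records look like
    "<seconds> proto=tcp src=A dst=B dport=N flags=S"
    "<seconds> proto=icmp type=echo-request src=A dst=B"
"""
import ipaddress
from collections import defaultdict

PROTECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed monitored subnet(s)
SYN_THRESHOLD = 20      # assumed: SYN-only segments from one source per window that trigger an alert
WINDOW_SECONDS = 10     # assumed sliding window


def parse_record(line):
    """Parse '<ts> key=value key=value ...' (assumed format) into a dict with int ts."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = int(ts)
    return rec


def is_directed_broadcast(dst):
    """True when dst is the broadcast address of one of the protected subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in PROTECTED_NETS)


def analyse(lines):
    """IDS pass: inspect every record and return (signature, src, dst, detail) alerts.
    Nothing is blocked here; an IDS only raises the alarm."""
    alerts = []
    syn_times = defaultdict(list)                 # source -> timestamps of SYN-only segments
    for rec in map(parse_record, lines):
        if (rec.get("proto") == "icmp" and rec.get("type") == "echo-request"
                and is_directed_broadcast(rec["dst"])):
            alerts.append(("smurf", rec["src"], rec["dst"],
                           "echo-request to directed broadcast address"))
        elif rec.get("proto") == "tcp" and rec.get("flags") == "S":
            times = syn_times[rec["src"]]
            times.append(rec["ts"])
            while rec["ts"] - times[0] > WINDOW_SECONDS:   # slide the window forward
                times.pop(0)
            if len(times) == SYN_THRESHOLD:                 # fire once, when the threshold is crossed
                alerts.append(("syn-flood", rec["src"], rec["dst"],
                               f"{SYN_THRESHOLD} SYNs within {WINDOW_SECONDS}s"))
    return alerts


def ips_actions(lines):
    """IPS pass: same detection, turned into filtering actions.
    SYN flood  -> block the offending source address.
    Smurf      -> drop echo-requests to the broadcast address; the 'source' is the forged victim."""
    actions = {"block_source": set(), "drop_broadcast_echo": set()}
    for signature, src, dst, _detail in analyse(lines):
        if signature == "syn-flood":
            actions["block_source"].add(src)
        elif signature == "smurf":
            actions["drop_broadcast_echo"].add(dst)
    return {name: sorted(addrs) for name, addrs in actions.items()}


# Constructed traffic: one normal client, one SYN flooder, one smurf packet
# whose source is the (forged) victim 192.0.2.10.
SAMPLE = (
    ["0 proto=tcp src=198.51.100.2 dst=192.0.2.10 dport=443 flags=S",
     "1 proto=tcp src=198.51.100.2 dst=192.0.2.10 dport=443 flags=A"]
    + [f"{i // 5} proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=80 flags=S" for i in range(40)]
    + ["3 proto=icmp type=echo-request src=192.0.2.10 dst=192.0.2.255"]
)

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print("ALERT", alert)
    print("IPS actions:", ips_actions(SAMPLE))
```

The detector is stateful only for the SYN count; a production IPS would also age out sources it has blocked and would rate-limit rather than drop outright on the first crossing.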
VULNERABILITIES
- An inherent weakness that may enable threats to harm systems or networks.

Risks, Threats, Vulnerabilities
 Threats exploit vulnerabilities, which creates risk.
 You cannot eliminate risk.
 You can minimize the impact of threats.
 You can reduce the number of vulnerabilities.
 Minimizing threats and reducing vulnerabilities lessens overall risk.
 Threats, risks, and vulnerabilities negatively impact the CIA triad.

THREAT TYPES
Disclosure threats
• Sabotage
• Espionage
Alteration threats
• Unauthorized changes
Denial or destruction threats
• DoS attack

WHAT IS A MALICIOUS ATTACK?
Fabrications – involve the creation of some deception in order to trick unsuspecting users.
Interceptions – involve eavesdropping on transmissions and redirecting them for unauthorized use.
Interruptions – cause a break in a communication channel, which blocks the transmission of data.
Modifications – the alteration of data contained in transmissions or files.

Types of Active Threats
• Birthday attacks
• Brute-force password attacks
• Dictionary password attacks
• IP address spoofing
• Hijacking
• Replay attacks
• Man-in-the-middle attacks
• Masquerading
• Social engineering
• Phishing
• Phreaking
• Pharming

WHAT IS MALICIOUS SOFTWARE (MALWARE)?
Software that:
• Causes damage
• Escalates security privileges
• Divulges (discloses) private data
• Modifies or deletes data

VIRUS
- Attaches itself to or copies itself into another program on a computer.
- Tricks the computer into following instructions not intended by the original program developer.
- Infects a host program and may cause that host program to replicate itself to other computers.

WORM
- A self-contained program that replicates and sends copies of itself to other computers without user input or action.
- Does not need a host program to infect.
- Is a standalone program.

TROJAN HORSE
- Malware that masquerades as a useful program.
- Trojans can:
   • Hide programs that collect sensitive information.
   • Open backdoors into computers.
   • Actively upload and download files.

ROOTKIT
- Modifies or replaces one or more existing programs to hide traces of attacks.
- Many different types of rootkits.
- Conceals its existence once installed.
- Is difficult to detect and remove.

SPYWARE
- Type of malware that specifically threatens the confidentiality of information.

COMMON TYPES OF ATTACKS
ATTACKS ON AVAILABILITY:
- These attacks impact access or uptime to a critical system, application, or data.
ATTACKS ON PEOPLE:
- These attacks involve using coercion or deception to get another human to divulge information or to perform an action (e.g., clicking on a suspicious URL link or opening an email attachment from an unknown email address).

IMPACT (Cost)
- An exploited vulnerability results in an impact.
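Three items in these notes meet in one mechanism: "SHA ... ensures data integrity" (Module 1), "Data modifications: purposely or accidentally modified, incomplete, truncated" together with the cookie description (previous page), and "Modifications" in the attack categories above. The following is an added example, not code from the original notes, showing how a server detects all three defects on a cookie-style record. Note that SHA on its own is a hash function, not an encryption method: a bare hash only catches accidental corruption, because a deliberate modifier can recompute it. Integrity against modification needs a keyed tag, here HMAC-SHA256. The key, payload and field names are constructed.

```python
"""Integrity protection for a cookie-style record with HMAC-SHA256 (added example).

Not code from the original notes.  Key and payloads are constructed sample data.
The record format is '<payload>.<hex tag>' where tag = HMAC-SHA256(key, payload).
"""
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key-do-not-use"   # in practice: random, secret, server-side only
TAG_HEX_LEN = 64                                   # SHA-256 digest as hex


def sign(payload, key=SERVER_KEY):
    """Append a keyed tag so that any later change to the payload is detectable."""
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify(cookie, key=SERVER_KEY):
    """Return the payload if the tag checks out, otherwise None.
    Catches the three defects the notes list: modified, incomplete (no tag), truncated."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep or len(tag) != TAG_HEX_LEN:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):     # constant time: no timing leak
        return None
    return payload


def classify(cookie, key=SERVER_KEY):
    """Label what went wrong, for logging at the server edge."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return "no tag"
    if len(tag) != TAG_HEX_LEN:
        return "truncated"
    return "ok" if verify(cookie, key) is not None else "modified"


def unkeyed_tag(payload):
    """What a bare hash gives: anyone who changes the payload can recompute this,
    so it detects accidents but not a deliberate modifier."""
    return hashlib.sha256(payload.encode()).hexdigest()


if __name__ == "__main__":
    good = sign("user=alice;role=user")
    tampered = good.replace("role=user", "role=admin")
    for c in (good, tampered, good[:-10], "user=alice;role=user"):
        print(classify(c), "->", verify(c))
```

The keyed tag protects integrity only; the payload is still readable, so anything confidential belongs in an encrypted value (or, better, stays server-side behind an opaque session identifier).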
ATTACKS ON IT ASSETS:
- These attacks include penetration testing, unauthorized access, privilege escalation, stolen passwords, deletion of data, or performing a data breach.

The following are TRUE Social Engineering Attacks:
• Authority
• Dumpster diving
• Hoax
• Impersonation
• Shoulder surfing
• Vishing
• Whaling

The following are TRUE Wireless Network Attacks:
• Bluejacking
• Evil twin
• IV attack
• Packet sniffing
• Replay attacks
• War chalking
• War driving

Protecting Your Financial Data System with Firewalls
 Firewall
- Program or dedicated hardware device
- Inspects network traffic passing through it
- Denies or permits traffic based on a set of rules

RISK = Threat X Vulnerabilities

RISK ASSESSMENT APPROACHES
Quantitative
- Numerically-based (hard) data
- Objective
Qualitative
- Scenario-based (soft) data
- Scenario-oriented
- Subjective

QUANTITATIVE RISK ASSESSMENT
Single loss expectancy (SLE)
- Total loss expected from a single incident
Annual rate of occurrence (ARO)
- Number of times an incident is expected to occur in a year
Annual loss expectancy (ALE)
- Expected loss for a year
SLE X ARO = ALE
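The firewall description above ("inspects network traffic passing through it" and "denies or permits traffic based on a set of rules") as a rule engine. This is an added example, not code from the original notes: first-match evaluation over an ordered ruleset that ends in a default deny, protecting a constructed financial data server. The addresses, ports and rule names are assumptions; the pattern (specific permits first, a deny for everything else to the sensitive host, a catch-all deny last) is the one a practitioner would expect to find in front of such a host.

```python
"""First-match firewall rule evaluation with default deny (added example).

Not code from the original notes.  Addresses, ports and rule names are
constructed; 192.0.2.20 plays the financial data server.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp", "icmp" or "any"
    src: str           # CIDR
    dst: str           # CIDR
    dport: tuple       # inclusive (low, high) destination port range
    name: str = ""

    def matches(self, pkt):
        """A packet matches when protocol, both addresses and the port all fit."""
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.dport[0] <= pkt.get("dport", 0) <= self.dport[1])


ANY_PORT = (0, 65535)

# Constructed ruleset, evaluated top to bottom; order is what makes it safe.
RULESET = [
    Rule("permit", "tcp", "10.0.1.0/24", "192.0.2.20/32", (5432, 5432), "app tier -> db"),
    Rule("permit", "tcp", "10.0.9.0/24", "192.0.2.20/32", (22, 22), "admin subnet -> ssh"),
    Rule("deny", "any", "0.0.0.0/0", "192.0.2.20/32", ANY_PORT, "block all other traffic to db host"),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.0/24", (443, 443), "public https"),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", ANY_PORT, "default deny"),
]


def evaluate(pkt, ruleset=RULESET):
    """Return (action, rule name) of the first matching rule; deny if nothing matched."""
    for rule in ruleset:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit deny"


def rule_hits(packets, ruleset=RULESET):
    """Hit count per rule. Rules that never fire over a long period are review
    candidates; a catch-all that fires a lot deserves a look at what it is catching."""
    counts = {rule.name: 0 for rule in ruleset}
    for pkt in packets:
        _action, name = evaluate(pkt, ruleset)
        counts[name] += 1
    return counts


# Constructed sample traffic.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.1.7", "dst": "192.0.2.20", "dport": 5432},    # app server -> db
    {"proto": "tcp", "src": "10.0.5.7", "dst": "192.0.2.20", "dport": 5432},    # workstation -> db
    {"proto": "tcp", "src": "203.0.113.4", "dst": "192.0.2.20", "dport": 443},  # internet -> db host
    {"proto": "tcp", "src": "203.0.113.4", "dst": "192.0.2.30", "dport": 443},  # internet -> web server
    {"proto": "udp", "src": "203.0.113.4", "dst": "192.0.2.30", "dport": 53},   # stray udp
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["src"], "->", pkt["dst"], pkt.get("dport"), evaluate(pkt))
    print(rule_hits(SAMPLE_PACKETS))
```

Swapping the third and fourth rules would silently expose HTTPS on the database host, which is why rule order is treated as part of the policy and reviewed with the same care as the rules themselves.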
QUALITATIVE RISK ASSESSMENT
Probability
- Likelihood a threat will exploit a vulnerability
Impact
- Negative result if a risk occurs
Risk level = Probability X Impact

BCP (Business Continuity Plan)
- A plan designed to help an organization continue to operate during and after a disruption
- Covers all functions of a business: IT systems, facilities, and personnel
- Generally includes only mission-critical systems

DRP (Disaster Recovery Plan)
- Includes the specific steps and procedures to recover from a disaster
- Is part of a BCP
- Important terms: Critical business function (CBF), Maximum acceptable outage (MAO), Recovery time objectives (RTO)

BIA (Business Impact Analysis)
- A study that identifies the CBFs and MAOs of a DRP. Studies include interviews, surveys, meetings, and so on.
- Identifies the impact to the business if one or more IT functions fail
- Identifies the priority of different critical systems

Complying with CIA
 Assess for risks.
 Determine business impact.
 Create DRP and BCP.

ROLE OF COMPLIANCE LAWS ON BUSINESS OBJECTIVES
Sarbanes-Oxley Act (SOX)
- Protects financial data from fraud.
Health Insurance Portability and Accountability Act (HIPAA)
- Secures patient health information.
Gramm-Leach-Bliley Act (GLBA)
- Safeguards consumer financial data.
Payment Card Industry Data Security Standard (PCI DSS)
- Protects credit card transaction data.

MODULE 4
THREAT & VULNERABILITIES
- Is an opportunity to exploit a vulnerability
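The risk formulas in these notes (RISK = Threat X Vulnerabilities, SLE X ARO = ALE, and Risk level = Probability X Impact) applied to a small risk register. This is an added example, not code from the original notes: it computes ALE for each scenario, ranks them, maps ordinal probability and impact ratings to a qualitative level, and adds the step a practitioner takes next, which is to compare the ALE a control removes with what the control costs per year. Every scenario, figure and rating scale is a constructed assumption.

```python
"""Quantitative and qualitative risk assessment worked on a risk register (added example).

Not code from the original notes.  All scenarios, figures and rating scales are
constructed sample values.
"""
from dataclasses import dataclass

# Assumed ordinal scales for the qualitative method.
PROBABILITY_LEVELS = {"rare": 1, "likely": 2, "frequent": 3}
IMPACT_LEVELS = {"low": 1, "medium": 2, "high": 3}


def ale(sle, aro):
    """Annual loss expectancy = single loss expectancy x annual rate of occurrence."""
    return sle * aro


def qualitative_risk(probability, impact):
    """Risk level = Probability x Impact on the ordinal scales above (1..9)."""
    return PROBABILITY_LEVELS[probability] * IMPACT_LEVELS[impact]


@dataclass
class Scenario:
    name: str
    sle: float               # loss per incident, in currency units
    aro: float               # expected incidents per year without the control
    control_cost: float      # annual cost of the proposed control
    aro_with_control: float  # expected incidents per year once the control is in place

    def ale_before(self):
        return ale(self.sle, self.aro)

    def ale_after(self):
        return ale(self.sle, self.aro_with_control)

    def annual_benefit(self):
        """ALE reduction minus the control's annual cost; positive means the control pays for itself."""
        return self.ale_before() - self.ale_after() - self.control_cost


def rank_by_ale(scenarios):
    """Highest expected annual loss first: the order in which to spend attention."""
    return sorted(scenarios, key=lambda s: s.ale_before(), reverse=True)


def recommend(scenarios):
    """Names of the controls worth funding on the quantitative argument alone."""
    return [s.name for s in scenarios if s.annual_benefit() > 0]


# Constructed register.
REGISTER = [
    Scenario("ransomware on file server", sle=250_000, aro=0.2, control_cost=15_000, aro_with_control=0.05),
    Scenario("laptop theft with customer data", sle=40_000, aro=1.5, control_cost=8_000, aro_with_control=0.1),
    Scenario("web portal defacement", sle=10_000, aro=0.5, control_cost=12_000, aro_with_control=0.1),
]

if __name__ == "__main__":
    for s in rank_by_ale(REGISTER):
        print(f"{s.name:34} ALE={s.ale_before():>9,.0f}  benefit of control={s.annual_benefit():>9,.0f}")
    print("fund:", recommend(REGISTER))
    print("qualitative 'frequent'/'high':", qualitative_risk("frequent", "high"))
```

The defacement control fails the test even though the risk is real: it would cost more per year than the loss it prevents, which is exactly the trade-off the quantitative method exists to surface. A control that is legally required is funded regardless, which is where the compliance laws listed above override the arithmetic.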