
Information Security: Barbarians at The Gateway (And Just About Everywhere Else)

This document discusses information security threats and best practices. It outlines common security breaches like personnel issues, technology problems, and procedural flaws. It then examines common cyber attacks like hacking, espionage, and cyberwarfare. Specific threats are explored such as malware, phishing, and ransomware. The document recommends steps individuals and organizations can take to enhance security, such as user education, strong passwords, encryption, and following compliance standards.

Uploaded by

adam ragil
Copyright
© © All Rights Reserved

CHAPTER 17

Information Security:
Barbarians
at the Gateway (and Just
about Everywhere Else)
Introduction

• Security breaches
• Factors that can amplify a
firm’s vulnerability of a
breach:
• Personnel issues
• Technology problems
• Procedural factors
• Operational issues
• Constant vigilance
regarding security needs to
be:
• Part of one’s individual skill
set.
Tenets of Information Systems Security
Why is This Happening? Who’s Doing it?
And What’s Their Motivation?

• CYBERWARFARE
• EXTORTION
• ESPIONAGE
• PROTEST HACKING
• TERRORISM
• PRANKSTERS
• INTELLECTUAL PROPERTY THEFT
• REVENGE
Malicious Activity on the Rise

• Examples of malicious attacks are everywhere
• Data breaches occur in both public and private
sectors
• In 2013, China was top country of origin for
cyberattacks, at 41 percent
• United States was second at 10 percent
What Are You Trying to Protect?

Customer data
IT and network infrastructure
Intellectual property
Finances and financial data
Service availability and productivity
Reputation
Why is This Happening? Who’s Doing it?
And What’s Their Motivation? (cont’d)

• Account theft and illegal funds transfer.


• Some hackers steal data for personal use.
• Data harvesters sell to cash-out fraudsters.
• data harvesters: Cybercriminals who infiltrate
systems and collect data for illegal resale.
• cash-out fraudsters: Criminals that purchase assets
from data harvesters to be used for illegal financial
gain. They might buy goods using stolen credit
cards or create false accounts.
• Stealing personal or financial data.
Why is This Happening? Who’s Doing it?
And What’s Their Motivation? (cont’d)
• Compromising computing assets for use in
other crimes.
• Botnets send spam, launch click fraud efforts
or stage distributed denial of service (DDoS)
attacks.
• botnets: Hordes of surreptitiously infiltrated
computers, controlled remotely.
• distributed denial of service (DDoS) attacks:
Shutting down websites with a crushing load of
seemingly legitimate requests.
Stuxnet: A New Era of Cyberwarfare

• Stuxnet may be the most notorious known
cyberwarfare effort to date.
• Infiltrated Iranian nuclear facilities and reprogrammed
the industrial control software operating hundreds of
uranium-enriching centrifuges.
• What happens if the code spread to systems
operated by peaceful nations or systems controlling
critical infrastructure that could threaten lives if
infected?
• Despite these precautions, other malicious code that
appears to have a common heritage with Stuxnet has been
spotted on systems outside of Iran.
• Stuxnet showed it’s now possible to destroy critical i
Is Your Government Spying on You?

• Government surveillance came under scrutiny
when a former CIA employee and NSA contractor,
Edward Snowden, gathered over 1.7 million digital
documents from US, British, and Australian
agencies and began leaking them to the press.
• Disclosures revealed several US government
agencies had data-monitoring efforts far more
pervasive than many realized.
• XKeyscore allows the collection of data on
“nearly everything a user does on the
Internet.”
Is Your Government Spying on You?

• Under US law, the NSA is required to
obtain a warrant from the Foreign
Intelligence Surveillance Court (or FISA)
when specifically targeting surveillance in
the United States.
• US technology firms have also complained
that the actions of surveillance agencies
have put them at a disadvantage with
customers.
“Hacker”: Good or Bad?

• hacker: A term that may be applied to either 1)
someone who breaks into a computer, or 2) to a
particularly clever programmer.
• white hat hackers: Uncover computer weaknesses
without exploiting them.
• Contribute to improving system security.
• black hat hackers: Computer criminals who exploit a
system’s weakness for personal gain.
• hacktivists: Protesters seeking to make a political point
by leveraging technology tools, often through system
infiltration, defacement, or damage.
• Griefers or trolls are malicious pranksters.
Potential Information System Security
Weaknesses
• https://www.youtube.com/watch?v=pL9q2lOZ1Fw&t=153s
User and Administrator Threats

• Bad apples
• Rogue employees who steal secrets, install malware,
or hold a firm hostage.
• Social engineering
• Con games that trick employees into revealing
information or performing other tasks that
compromise a firm.
• phishing: Cons executed using technology, in
order to acquire sensitive information or trick
someone into installing malicious software.
• spoofed: Email transmissions and packets that
User and Administrator Threats (cont’d)

• zero-day exploits: New attacks that haven’t
been clearly identified and haven’t been
incorporated into security screening systems.
• Passwords
• Most users employ inefficient and insecure
password systems.
• Solutions for building a better password:
• biometrics: Measure and analyze human body
characteristics for identification or authentication.
• multi-factor authentication: When identity is proven by
presenting more than one item for proof of credentials.
Technology Threats (Client and Server Software,
Hardware, and Networking)

• Malware seeks to compromise a
computing system without permission.
• Methods of infection:
• Viruses: Infect other software or files.
• Worms: Take advantage of security
vulnerability to automatically spread.
• Trojans: Attempt to sneak in by
masquerading as something they’re not.
Technology Threats (Client and Server Software,
Hardware, and Networking) (cont’d)
• Botnets or zombie networks: Used in click fraud,
sending spam, and deciphering accounts that use
CAPTCHAs.
• CAPTCHAs: Scrambled character images to thwart
automated account setup or ticket buying attempts.
• Malicious adware: Installed without full user
consent or knowledge, later serves unwanted
advertisements.
• Spyware: Monitors user actions, network traffic,
or scans for files.
• Keylogger: Records user keystrokes.
Technology Threats (Client and Server Software,
Hardware, and Networking) (cont’d)

• Card skimmer: Captures data from a card’s
magnetic strip.
• RAM scraping or storage scanning software:
Malicious code that scans for sensitive data.
• Ransomware: Malware that encrypts user’s
files with demands that a user pay to regain
control of their data and/or device.
• Blended threats: Attacks combining multiple
malware or hacking exploits.
Technology Threats (Client and Server Software,
Hardware, and Networking) (cont’d)

• Compromising poorly designed
software
• SQL injection technique targets sloppy
programming practices that do not
validate user input.
• Related programming exploits go by
names such as:
• Cross-site scripting attacks
• Buffer overflow vulnerabilities

Push-button Hacking

• Push-button hacking: Tools designed to
easily automate attacks.
• Network threats—the network itself is a
source of compromise.
• Physical threats
• dumpster diving: Combing through trash to identify
valuable assets.
• shoulder surfing: Gaining compromising
information through observation.
• Eavesdropping, such as efforts to listen into or
record conversations, transmissions or
The Encryption Prescription

• encryption: Scrambling data using a code,
thereby hiding it from those who do not
have the unlocking key.
• key: Code that unlocks encryption.
• brute-force attacks: Exhausts all possible
password combinations to break into an
account.
How do Websites Encrypt Transmissions?

• public key encryption: Two key
system used for securing electronic
transmissions.
• certificate authority: Trusted third
party that provides authentication
services in public key encryption
schemes.
Taking Action as a User

• Tips for users:


• Surf smart.
• Stay vigilant.
• Stay updated.
• Install a full suite of security
software.
• Secure home networks and
encrypt hard drives.
• Regularly update passwords.
• Be disposal smart.
• Regularly back up your
system.
• Cyber Crime Isn't About Computers: It's About
Behavior | Adam Anderson | TEDxGreenville
• https://www.youtube.com/watch?v=c_2Ja-OTmGc
Taking Action as an Organization

• Follow frameworks, standards, and
compliance.
• ISO27k or ISO 27000 series: Establishing,
implementing, operating, monitoring,
reviewing, maintaining, and improving an
Information Security Management System.
• Compliance requirements: Legal or
professionally binding steps that must be
taken.

Taking Action as an Organization

• Education, audit, and enforcement


• Functions of research and development:
• Understanding emerging threats and updating
security techniques.
• Working on broader governance issues.
• Employees should:
• Know a firm’s policies and be regularly trained.
• Understand the penalties for failing to meet their
obligations.
• Audits: Real-time monitoring of usage:
announced and surprise.
Taking Action as an Organization (cont’d)

• What needs to be protected and how much is
enough?
• Firms should avoid:
• Spending money targeting unlikely exploits.
• Underinvesting in methods to thwart common
infiltration techniques.
• Risk assessment team: Consider vulnerabilities
and countermeasure investments.
• Lobbying for legislation that imposes severe
penalties on crooks helps:
• Raise adversary costs.
• Lower one’s likelihood of becoming a victim.
Taking Action as an Organization—Technology’s Role

• Patches: Software updates that plug
existing holes.
• Lock down hardware:
• Prevent unapproved software installation.
• Force file saving to hardened, backed-up, and
monitored servers.
• Reimage hard drives of end-user PCs.
• Disable boot capability of removable media.
• Prevent Wi-Fi use and require VPN encryption
for network transmissions.
Taking Action as an Organization—
Technology’s Role (cont’d)
• Lock down networks:
• firewalls: Control network traffic, block
unauthorized traffic.
• intrusion detection systems: Monitor network
use for hacking attempts and take preventive
action.
• honeypots: Tempting, bogus targets meant to
lure hackers.
• blacklists: Deny the entry of specific IP
addresses and other entities.
• whitelists: Permit communication only with
Taking Action as an Organization—
Technology’s Role (cont’d)
• Lock down partners:
• Insist on partner firms being compliant with
security guidelines and audit them regularly.
• Use access controls to control data access on a
need-to-know basis.
• Use recording, monitoring, and auditing to hunt for
patterns of abuse.
• Maintain multiple administrators to jointly control
key systems.
• Lock down systems: Audit for SQL injection
and other application exploits.
Taking Action as an Organization—
Technology’s Role (cont’d)
• Have failure and recovery plans:
• Employ recovery mechanisms to regain control
if key administrators are incapacitated or
uncooperative.
• Broad awareness reduces organizational
stigma in coming forward.
• Share knowledge on hacking techniques with
technology partners.
