Information security is made up of
threats
vulnerabilities
safeguards
targets
Threats can be human or man-made.
Common crimes that result in unauthorized data disclosure are
pretexting
phishing
spoofing
sniffing
hacking
Spoofing involves altering header information, etc. to cause the recipient to trust an email they otherwise would not.
Data can be changed or lost during a natural disaster due to problems recovering data.
The two common types of spoofing are
email
IP
Incorrect data modification can be caused by
procedures not followed or incorrectly designed
improper internal controls on systems
system errors
faulty recovery actions after a disaster
Reasons a service can become faulty are
incorrect data modification
systems working incorrectly
procedural mistakes
programming errors
IT installation errors
usurpation
denial of service (unintentional)
denial of service (intentional)
DDOS stands for
Loss of infrastructure can be caused by
human accidents
theft and terrorist events
a disgruntled or terminated employee
natural disaster
Advanced Persistent Threat (APT) or cyberwarfare
APT stands for
Data theft is most serious in large companies.
The four most common computer crimes in 2011 were
criminal activity against servers
viruses
code insertion
data loss on a user computer
Malware infection remains the most common type of attack experienced
Insider abuse of internet or email remains very high
IDS stands for
The number one rule in data privacy is "don't collect what you don't absolutely need"
A security policy must contain
what sensitive data may be stored
how sensitive data will be processed
what data can be shared with other organizations
how employees and others can obtain data about themselves
how employees and others can request changes to inaccurate data about themselves
What employees can do with their own mobile devices at work
what non-organizational activities an employee can take with employee-owned equipment
The five IS components are
hardware
software
data
procedures
people
Technical safeguards involve hardware and software and include
identification and authorization
encryption
firewalls
malware protection
application design
Data safeguards include
the definition of data rights and responsibilities
passwords
backup and recovery
physical security
Human safeguards involving procedures and people include
hiring practices
training
education
procedure design
administration
assessment
compliance
accountability
Identification and authentication are most often performed using a userid/password pair
Malware includes viruses, trojans, spyware, adware, keystroke loggers, etc.
SSL uses asymmetric encryption
SSL stands for
DMZ stands for
A common network design has servers exposed to the internet located between two firewalls in the DMZ.
Safeguards against malware include
using antivirus and antispyware programs
performing frequent scans
updating malware definitions frequently
opening email from known sources only
installing software updates ASAP
browsing only reputable internet neighbourhoods
SQL injection is the most common cause of data disclosure
SQL injections are successful when forms are poorly designed
Human safeguards to protect against security threats include
separation of duties
providing access based on concept of least privilege
classifying data based on confidentiality and sensitivity
thorough hiring and screening practices
security awareness programs
friendly termination procedures
Security threats can be reduced through account administration by
having standards for account administration which include rules for modifying permissions and deletion of inactive accounts
requiring passwords be changed regularly
Help Desk policies regarding password resets etc.
All employees should be required to sign an access agreement form which states that they will follow company policies
Response plans for security incidents must be in place, just like disaster plans
A speedy response to any suspected security incident is essential
An Advanced Persistent Threat involves a multi-step attack usually targeted at a large business or government.