Information Security Challenges for
Organizations
Introduction
• Factors that can amplify a firm’s vulnerability to a security breach:
• Personnel issues
• Technology problems
• Procedural factors
• Operational issues
• Constant vigilance regarding security needs to be:
• Part of one’s individual skill set.
• A key component in an organization’s culture.
Source: Song_about_Summer/[Link]
A Look at the Target Hack
• Hackers installed malware in Target’s security and
payments system.
• 40 million credit cards stolen and additional personal info
on 70 million consumers exposed.
• The breach was followed by the firm’s largest ever decline in transactions, falling profits, scores of lawsuits, and the CEO’s ouster.
• Target had security software from FireEye:
• Warnings were ignored on several occasions—had the warnings been heeded, the firm could have prevented the data theft.
• Even worse, the firm’s security software has an option to automatically delete malware as it’s detected, but Target’s security team had turned that function off.
Source: Light Studio Design/[Link]
Why Is This Happening? Who Is Doing it? And
What’s Their Motivation?
• Account theft and illegal funds transfer
• Stealing personal or financial data
• Compromising computing assets for use in other crimes
• Extortion
• Intellectual property theft
• Espionage
• Cyberwarfare
• Terrorism
• Pranksters
• Protest hacking (hacktivism)
• Revenge (disgruntled employees)
Why Is This Happening? Who Is Doing it? And
What’s Their Motivation? (cont’d)
• data harvesters: Cybercriminals who infiltrate systems and collect
data for illegal resale.
• cash-out fraudsters: Criminals that purchase assets from data
harvesters to be used for illegal financial gain. They might buy goods
using stolen credit cards or create false accounts.
• botnets: Hordes of surreptitiously infiltrated computers, controlled
remotely.
• distributed denial of service (DDoS) attacks: Shutting down
websites with a crushing load of seemingly legitimate requests.
Why Is This Happening? Who Is Doing it? And
What’s Their Motivation? (cont’d)
• Corporate espionage might be performed by insiders, rivals, or even
foreign governments.
• Spies breached the $300 billion U.S. Joint Strike Fighter project.
• Hackers infiltrated security firm RSA, stealing data keys used in the firm’s
commercial authentication devices.
• Google has identified China as the nation of origin for a series of hacks targeting
the Google accounts of diplomats and activists.
Why Is This Happening? Who Is Doing it? And
What’s Their Motivation? (cont’d)
• hacktivists: Protesters seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage.
• Griefers or trolls are malicious pranksters.
Source: Studio_G/[Link]
Stuxnet: A New Era of Cyberwarfare
• Stuxnet may be the most notorious known act of cyberwarfare to date.
• It infiltrated Iranian nuclear facilities and reprogrammed the industrial control software operating hundreds of uranium-enriching centrifuges.
• What happens if the code spread to systems operated by peaceful nations or
systems controlling critical infrastructure that could threaten lives if infected?
• Despite precautions, other malicious code that appears to have a common heritage
with Stuxnet has been spotted on systems outside of Iran.
• Stuxnet showed that with computers at the heart of so many systems,
it’s now possible to destroy critical infrastructure without firing a shot.
Is Your Government Spying on You?
• Government surveillance came under scrutiny
when a former CIA employee and NSA contractor,
Edward Snowden, gathered over 1.7 million
digital documents from U.S., British, and
Australian agencies and began leaking them to
the press.
• Disclosures revealed several U.S. government
agencies had data-monitoring efforts far more
pervasive than many realized.
• XKeyscore allows the collection of data on “nearly everything a user does on the Internet.”
Is Your Government Spying on You? (cont’d)
• Under U.S. law, the NSA is required to obtain a warrant from the Foreign Intelligence Surveillance Court (the FISA court) when specifically targeting surveillance in the United States.
• U.S. technology firms have also complained that the actions of
surveillance agencies have put them at a disadvantage, with
customers looking for alternatives free of the tarnished perception of
having provided private information to authorities.
“Hacker”: Good or Bad?
• hacker: A term that may be applied either to 1) someone who breaks into a computer, or 2) a particularly clever programmer.
• white hat hackers: People who uncover computer weaknesses without exploiting them.
• Contribute to improving system security.
• Share their knowledge in hopes that security will be improved.
• black hat hackers: Computer criminals.
• Bad guys, also called “crackers.”
Potential Information System Security
Weaknesses
User and Administrator Threats
• Bad apples
• Rogue employees who steal secrets, install malware, or hold a firm hostage.
• Social engineering
• Con games that trick employees into revealing information or performing other
tasks that compromise a firm.
• Sampling of methods employed in social engineering:
• Impersonating senior management, investigators, or staff.
• Identifying a key individual by name or title as a supposed friend.
• Making claims with confidence and authority.
• Baiting someone to add, deny, or clarify information that can help an attacker.
• Using harassment, guilt, or intimidation.
• Using an attractive individual to charm others into gaining info, favors, or access.
• Answering bogus surveys.
User and Administrator Threats (cont’d)
• phishing: Cons executed
using technology, in order to
acquire sensitive information
or trick someone into installing
malicious software.
• spoofed: Email transmissions
and packets that have been
altered to forge or disguise
their origin or identity.
Social Media: A Rising Security Threat
• zero-day exploits: New attacks that haven’t been clearly identified and
haven’t been incorporated into security screening systems.
• The technical openness of many social media efforts can also create
problems if schemes aren’t implemented properly.
• Social media can also be a megaphone for loose lips, enabling a
careless user to broadcast proprietary information to the public domain.
User and Administrator Threats (cont’d)
• Passwords
• Most users employ inefficient and insecure
password systems.
• Some sites force users to change
passwords regularly, but this often results in
insecure compromises (users only make
minor tweaks).
• Building a better password:
• biometrics: Measure and analyze human
body characteristics for identification or
authentication.
Source: Bloomicon/[Link]
• multi-factor authentication: When identity
is proven by presenting more than one item
for proof of credentials.
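The two "building a better password" points above (a password that is stored securely rather than in the clear, plus a second factor) can be shown end to end. The following is an added example, not code from the slides or the textbook: the password is stored as a salted PBKDF2 hash, the second factor is a time-based one-time code (RFC 6238 TOTP, built on RFC 4226 HOTP), and a login succeeds only when both check out. The user record, salt and password are constructed for illustration; the TOTP secret is the RFC 6238 test key, so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import os
import struct

# Password storage: a salted, iterated hash rather than the plaintext password.
# The iteration count is kept modest so the example runs quickly; production
# deployments use a higher count or a memory-hard function such as scrypt or Argon2.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; a fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, step=30, window=1):
    """Accept the current time step plus `window` steps either side for clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at_time + drift * step, step), code):
            return True
    return False


# Constructed credential store for one user (illustrative values only).
_SALT, _DIGEST = hash_password("correct horse battery staple", salt=b"\x01" * 16)
STORE = {
    "alice": {"salt": _SALT, "hash": _DIGEST, "totp_secret": b"12345678901234567890"},
}


def login(username, password, code, at_time, store=STORE):
    """Both factors must verify: something known (password) and something held (TOTP device)."""
    record = store.get(username)
    if record is None:
        # Run the hash anyway so an unknown username is not faster to probe than a real one.
        verify_password(password, b"\x00" * 16, b"\x00" * 32)
        return False
    password_ok = verify_password(password, record["salt"], record["hash"])
    code_ok = verify_totp(record["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the expected 6-digit code is 287082
    print("code at t=59:", totp(b"12345678901234567890", now))
    print("login ok:", login("alice", "correct horse battery staple", "287082", now))
```

The one-time code changes every 30 seconds, so a phished password alone is not enough to log in, which is the point of the second factor; the drift window of one step is the usual compromise between usability and replay exposure.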
Technology Threats (Client and Server Software,
Hardware, and Networking)
• Malware seeks to compromise a computing system without permission.
• Methods of infection:
• Viruses: Infect other software or files.
• Worms: Take advantage of security vulnerability to automatically spread.
• Trojans: Attempt to sneak in by masquerading as something they’re not.
• Goals of malware
• Botnets or zombie networks: Used in click fraud, sending spam, executing “dictionary” password cracking attempts, and deciphering the CAPTCHAs (scrambled character images meant to thwart automated account setup or ticket buying attempts) that protect account creation.
• Malicious adware: Installed without full user consent or knowledge, later serve
unwanted advertisements.
Technology Threats (Client and Server Software,
Hardware, and Networking) (cont’d)
• Goals of malware (cont’d)
• Spyware: Monitors user actions, network traffic, or scans for files.
• Keylogger: Records user keystrokes.
• Screen capture: Records pixels that appear on a user’s screen to identify
proprietary information.
• Card skimmer: Captures data from a card’s magnetic strip.
• RAM scraping or storage scanning software: Malicious code that scans for
sensitive data.
• Ransomware: Malware that encrypts a user’s files and demands that the user pay to regain control of their data and/or device.
• Blended threats: Attacks combining multiple malware or hacking exploits.
Technology Threats (Client and Server Software,
Hardware, and Networking) (cont’d)
• Compromising poorly designed software
• SQL injection technique targets sloppy programming practices that do not validate
user input.
• SQL injection and other application weaknesses are particularly problematic
because there’s not a commercial software patch or easily deployed piece of
security software that can protect a firm.
• Related programming exploits go by names such as:
• Cross-site scripting attacks
• Buffer overflow vulnerabilities
• HTTP header injection
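The SQL injection weakness described above comes down to whether user input is treated as data or as part of the query. The following is an added example, not code from the slides or the textbook, using Python’s built-in sqlite3 module over a constructed in-memory users table: a string-concatenated lookup lets a crafted username rewrite the query and return every row, the parameterized version returns nothing for the same input, and an allowlist check rejects the malformed username before it ever reaches the database.

```python
import re
import sqlite3

# Allowlist for usernames: only lowercase letters, digits and underscores, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """Constructed sample table; the rows are illustrative."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "auditor")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The sloppy version: the input is spliced into the SQL text, so it can change the query's logic."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """The fix: parameter binding keeps the input as a value; it can never become SQL syntax."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def valid_username(username):
    """Defense in depth: validate the input's shape before the database is involved at all."""
    return bool(USERNAME_RE.match(username))


def lookup(conn, username):
    """Application-level lookup: reject bad input, then query with a bound parameter."""
    if not valid_username(username):
        return None  # caller treats this as a rejected request, not an empty result
    return find_user_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input that turns the WHERE clause into a tautology
    print("vulnerable:", find_user_vulnerable(db, crafted))  # every row comes back
    print("parameterized:", find_user_safe(db, crafted))    # no such user
    print("validated:", lookup(db, crafted))                 # None: rejected before the query
```

Parameter binding is the primary control because it removes the injection class entirely; the allowlist adds a second, independent layer and also gives a clean signal to log and alert on.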
Push-Button Hacking
• Push-button hacking: Tools designed to make attacks easy to automate.
• Network threats—the network itself is a source of compromise.
• Physical threats
• dumpster diving: Combing through trash to identify valuable assets.
• shoulder surfing: Gaining compromising information through observation.
• eavesdropping: Efforts to listen in on or record conversations, transmissions, or keystrokes.
• Firms might fall victim to various forms of eavesdropping:
• A device hidden inside a package might sit inside a mailroom or a worker’s physical inbox.
• It can be accomplished via compromised wireless or other network connections, or via malware such as keylogger or screen capture programs.
The Encryption Prescription
• encryption: Scrambling data using a code, thereby hiding it from those who do not have the unlocking key.
• key: Code that unlocks encryption.
• brute-force attacks: Exhaust all possible password combinations to break into an account.
• Deploying encryption dramatically lowers the potential damage from
lost or stolen laptops, or from hardware recovered from dumpster
diving.
How Do Websites Encrypt Transmissions?
• public key encryption: Two-key system used for securing electronic transmissions.
• certificate authority: Trusted third party that provides authentication services in public key encryption schemes.
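The two definitions above describe the pieces of a website handshake: the site has a key pair, a certificate authority vouches for the site’s public key, and the browser uses that public key to protect the session. The following is an added example, not code from the slides or the textbook, that walks through those steps with a small textbook RSA implementation built from Python’s standard library: the CA signs a certificate binding a subject name to the site’s public key, the client verifies that signature before encrypting a fresh session key to the site, and a certificate whose subject has been altered is rejected. The key sizes, the fixed random seed, the subject name "shop.example" and the unpadded RSA are all simplifications of this example, not a real TLS stack.

```python
import hashlib
import json
import random
from math import gcd

# Fixed seed so the example reproduces; a real system draws keys from the OS CSPRNG.
RNG = random.Random(2024)


def is_probable_prime(n, rounds=20, rng=RNG):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits, rng=RNG):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force exact bit length, odd
        if is_probable_prime(candidate, rng=rng):
            return candidate


def generate_keypair(bits=160, rng=RNG):
    """Textbook RSA: returns (public (n, e), private (n, d)). Two 160-bit primes give a
    modulus above 2**256, so a SHA-256 digest always fits without reduction."""
    e = 65537
    while True:
        p, q = generate_prime(bits, rng), generate_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    n, d = private_key
    return pow(_digest_int(data), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)


def _encode(cert_body):
    return json.dumps(cert_body, sort_keys=True).encode()  # canonical bytes to sign


def issue_certificate(ca_private, subject, site_public):
    """The CA's role: bind a subject name to a public key with its own signature."""
    body = {"subject": subject, "n": site_public[0], "e": site_public[1]}
    return {"body": body, "signature": sign(ca_private, _encode(body))}


def verify_certificate(ca_public, cert, expected_subject):
    """The client's check: the name matches the site it meant to reach and the CA's signature holds."""
    body = cert["body"]
    return body["subject"] == expected_subject and verify(ca_public, _encode(body), cert["signature"])


def handshake(ca_public, cert, site_private, expected_subject, rng=RNG):
    """Client verifies the certificate, then encrypts a fresh session key to the site's public key.
    Returns (client_key, server_key) when both sides end up with the same key, or None on rejection."""
    if not verify_certificate(ca_public, cert, expected_subject):
        return None
    n, e = cert["body"]["n"], cert["body"]["e"]
    session_key = rng.getrandbits(128)
    ciphertext = pow(session_key, e, n)  # textbook RSA without padding: illustration only
    server_key = pow(ciphertext, site_private[1], site_private[0])  # only the site can decrypt
    return session_key, server_key


if __name__ == "__main__":
    ca_pub, ca_priv = generate_keypair()
    site_pub, site_priv = generate_keypair()
    cert = issue_certificate(ca_priv, "shop.example", site_pub)
    print("genuine certificate accepted:", verify_certificate(ca_pub, cert, "shop.example"))
    forged = {"body": dict(cert["body"], subject="bank.example"), "signature": cert["signature"]}
    print("altered certificate accepted:", verify_certificate(ca_pub, forged, "bank.example"))
```

The session key travels only under the site’s public key, so an observer of the transmission cannot read it, and the CA signature is what stops an impostor from presenting its own public key under a trusted name.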
Taking Action as a User
• Tips for users:
• Surf smart.
• Stay vigilant.
• Stay updated.
• Stay armed—install a full suite of security software.
• Be settings smart—secure home networks and encrypt hard drives.
• Regularly update passwords.
• Be disposal smart.
• Regularly back up your system.
• Check with your administrator.
Taking Action as an Organization
• Follow frameworks, standards, and compliance.
• ISO27k or ISO 27000 series provides “a model for establishing, implementing,
operating, monitoring, reviewing, maintaining, and improving an Information
Security Management System.”
• Compliance requirements: Legal or professionally binding steps that must be
taken.
• Education, audit, and enforcement
• Functions of research and development:
• Understanding emerging threats and updating security techniques.
• Working on broader governance issues.
• Employees should:
• Know a firm’s policies and be regularly trained.
• Understand the penalties for failing to meet their obligations.
• Audits include real-time monitoring of usage, announced audits, and surprise
spot-checks.
Taking Action as an Organization (cont’d)
• What needs to be protected and how much is enough?
• Firms should avoid:
• Spending money targeting unlikely exploits.
• Underinvesting in methods to thwart common infiltration techniques.
• Risk assessment team: Consider vulnerabilities and countermeasure
investments.
• Lobbying for legislation that imposes severe penalties on crooks helps:
• Raise adversary costs.
• Lower one’s likelihood of becoming a victim.
Taking Action as an Organization—
Technology’s Role
• Patches: Software updates that plug existing holes.
• Lock down hardware:
• Prevent unapproved software installation.
• Force file saving to hardened, backed-up, and monitored servers.
• Re-image hard drives of end-user PCs.
• Disable boot capability of removable media.
• Prevent Wi-Fi use and require VPN encryption for network transmissions.
• Lock down networks:
• firewalls: Control network traffic, block unauthorized traffic.
• intrusion detection systems: Monitor network use for hacking attempts and
take preventive action.
• honeypots: Tempting, bogus targets meant to lure hackers.
Taking Action as an Organization—
Technology’s Role (cont’d)
• Lock down networks: (cont’d)
• blacklists: Deny the entry of specific IP addresses and other entities.
• whitelists: Permit communication only with approved entities or in an approved
manner.
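The difference between the two list types above is easiest to see on a concrete packet filter. The following is an added example, not code from the slides or the textbook, using Python’s ipaddress module: a deny list blocks known-bad sources and lets everything else through, an allow list permits only approved networks on approved ports and denies by default, and the combined policy applies explicit denies first. The networks, ports and connection attempts are constructed from documentation address ranges and are not real policy.

```python
import ipaddress

# Constructed policy (illustrative). Deny list: sources already known to be hostile.
DENY_LIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Allow list: approved partner and internal networks, each limited to the ports it needs.
ALLOW_LIST = [
    (ipaddress.ip_network("192.0.2.0/24"), {443}),      # partner gateway, HTTPS only
    (ipaddress.ip_network("10.20.0.0/16"), {22, 443}),  # internal admin subnet
]


def blacklist_decision(src, port, deny_list=DENY_LIST):
    """Deny-listed sources are blocked; anything not on the list passes, including brand-new attackers."""
    addr = ipaddress.ip_address(src)
    return "deny" if any(addr in net for net in deny_list) else "allow"


def whitelist_decision(src, port, allow_list=ALLOW_LIST):
    """Default deny: traffic passes only from an approved network to an approved port."""
    addr = ipaddress.ip_address(src)
    for net, ports in allow_list:
        if addr in net and port in ports:
            return "allow"
    return "deny"


def combined_decision(src, port):
    """Explicit denies first (a known-bad host inside an approved range still loses), then the allow list."""
    if blacklist_decision(src, port) == "deny":
        return "deny"
    return whitelist_decision(src, port)


# Constructed connection attempts: (source address, destination port).
CONNECTIONS = [
    ("192.0.2.10", 443),    # partner, approved port
    ("192.0.2.10", 22),     # partner, port not approved for that network
    ("203.0.113.44", 443),  # deny-listed source
    ("198.18.0.9", 443),    # unknown source never seen before
]


def evaluate(connections=CONNECTIONS):
    """Return (src, port, blacklist-only verdict, combined verdict) for each attempt."""
    return [
        (src, port, blacklist_decision(src, port), combined_decision(src, port))
        for src, port in connections
    ]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The last row is the case that matters in practice: a source nobody has seen before walks straight through a blacklist-only filter, while the default-deny allow list stops it without anyone having to predict the address in advance.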
• Lock down partners:
• Insist on partner firms being compliant with security guidelines and audit them
regularly.
• Lock down systems:
• Audit for SQL injection and other application exploits.
• Use access controls to control data access on a need-to-know basis.
• Use recording, monitoring, and auditing to hunt for patterns of abuse.
• Maintain multiple administrators to jointly control key systems.
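The intrusion detection and "recording, monitoring, and auditing" points above both come down to looking for patterns in what systems already log. The following is an added example, not code from the slides or the textbook, that runs over a handful of constructed sshd-style authentication lines (ISO timestamps are used here for easy parsing; real syslog output is formatted differently) and raises one alert per source address when failed logins cross a threshold inside a sliding time window. The spread of usernames tried is recorded alongside the count, since a burst of failures across many names is the signature of the “dictionary” password cracking attempts mentioned earlier in the deck.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines, not a real capture. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[4711]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
2024-05-01T10:00:04 sshd[4712]: Failed password for invalid user oracle from 203.0.113.5 port 50123 ssh2
2024-05-01T10:00:09 sshd[4713]: Failed password for root from 203.0.113.5 port 50124 ssh2
2024-05-01T10:00:15 sshd[4714]: Failed password for invalid user test from 203.0.113.5 port 50125 ssh2
2024-05-01T10:00:20 sshd[4715]: Failed password for root from 203.0.113.5 port 50126 ssh2
2024-05-01T10:00:26 sshd[4716]: Failed password for root from 203.0.113.5 port 50127 ssh2
2024-05-01T10:01:10 sshd[4720]: Failed password for alice from 198.51.100.9 port 41000 ssh2
2024-05-01T10:01:30 sshd[4721]: Accepted password for alice from 198.51.100.9 port 41001 ssh2
2024-05-01T10:09:00 sshd[4730]: Failed password for bob from 198.51.100.9 port 41010 ssh2
"""

# Only failed logins feed the counter; "invalid user" is optional so unknown and known accounts both match.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source IP when `threshold` failed logins land within `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    users = defaultdict(set)     # ip -> distinct usernames tried
    alerted = set()
    alerts = []
    for line in lines:
        match = FAILED_RE.match(line)
        if not match:
            continue
        ts = datetime.fromisoformat(match["ts"])
        ip = match["ip"]
        users[ip].add(match["user"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "first": q[0],
                "last": ts,
                "failures": len(q),
                "users": sorted(users[ip]),
            })
    return alerts


def run(log_text=SAMPLE_LOG):
    return detect_bruteforce(log_text.splitlines())


if __name__ == "__main__":
    for alert in run():
        print(f"{alert['ip']}: {alert['failures']} failures between {alert['first']} and {alert['last']}, "
              f"users tried: {', '.join(alert['users'])}")
```

A sliding window with a threshold, rather than a raw count, is what keeps the second address (one mistyped password, one success, another failure eight minutes later) from generating noise; in a real deployment the alert would feed a blocklist or a ticket rather than a print statement.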
Taking Action as an Organization—
Technology’s Role (cont’d)
• Have failure and recovery plans:
• Firms should have provisions in
place that plan for the worst.
• Broad awareness of infiltration:
• Reduces organizational stigma in
coming forward.
• Allows firms and technology
providers to share knowledge on
the techniques used by
cybercrooks.
Source: Profit_Image/[Link]