3 most common threats of information security
TRANSCRIPT
If you don’t want to help yourself,
no one can
Most common threats to
information security
ELSA ConferenceStrumica, 27.11.2008
If you don’t want to help yourself,
no one can
Contents
• Introduction
• What is an information security threat?
• Information security threats
• Internet security threats
• Most common threats, possible consequences and protection
• Top 10 internet threats
If you don’t want to help yourself,
no one can
Introduction
• Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
– through implementation of ISMS i.e. implementation of controls (policies and procedures)
– the CIA aspect - Confidentiality, Integrity and Availability
• Computer security is a branch of technology known as information security as applied to computers.
– ensuring the availability and correct operation of a computer system
If you don’t want to help yourself,
no one can
What is an information security threat?
• A threat is any circumstance or event with the
potential to harm an information system through
unauthorized access, destruction, disclosure,
modification of data, and/or denial of service.
• Threats can be:
– Natural or Human
– Deliberate or Accidental
If you don’t want to help yourself,
no one can
Information security threats
• People / employees
• Low awareness for information security aspects
• Advancing the IT infrastructure, networking and distributive working
• Improvement of complexity and effectiveness of hackers and viruses
• Electronic mail (e-mail)
• Fire, flood, earthquake
If you don’t want to help yourself,
no one can
Information Security Breaches Survey 2008 1/3
What type of breaches did UK business suffer?
If you don’t want to help yourself,
no one can
Information Security Breaches Survey 2008 2/3
How many UK businesses have disaster recovery
plans?
How many UK businesses have disaster recovery
plans?
If you don’t want to help yourself,
no one can
Information Security Breaches Survey 2008 3/3
How did UK businesses address the weakness that caused their worst
incident?
If you don’t want to help yourself,
no one can
Internet security threats
• Malware Threat
• Threats to the Security of E-mail
• SPAM Associated Threats
• Social Engineering Threat (Phishing)
If you don’t want to help yourself,
no one can
Most common internet threats, consequences and protection
Malware threats
If you don’t want to help yourself,
no one can
Malware threat
• Malware is software designed to destroy, steal private information or spy on a computer system without the consent of the user.
• Malwares - malicious codes, malicious programs or malicious software
• The most popular categories are Trojan Horses, viruses, adwares, spywares, spams, worms and root kits.
If you don’t want to help yourself,
no one can
Security and productivity threats posed by malware• Stolen user ID and passwords
• Unauthorized access to confidential information
• Loss of intellectual property
• Remote control of company’s PC
• Theft of customer data
• Reduced network performance and bandwidth
• Increased internet traffic and changes to browser homes pages and search engines
If you don’t want to help yourself,
no one can
Protection against malwares
• Good user education is vital in fighting against malwares
• Keep your operating system up to date by installing OS security fixes and program patches.
• Use firewall protection
• Install anti-spyware softwares
• Monitor logs for unusual traffic
If you don’t want to help yourself,
no one can
Most common internet threats, consequences and protection
E-mail threats
If you don’t want to help yourself,
no one can
Threats to the security of e-mail
• Disclosure of sensitive information
– Loss of confidentiality– Loss of integrity
• Exposure of systems to malicious code
• Denial-of-Service (DoS)
• Unauthorized accesses
If you don’t want to help yourself,
no one can
Countermeasures to e-mail security
• Secure the server to client connections
– POP, IMAP over ssh, SSL
– https access to webmail
– Protection against insecure wireless access
• Secure the end-to-end email delivery
– The PGPs of the world
– Still need to get the other party to be PGP aware
– Practical in an enterprise intra-network environment
If you don’t want to help yourself,
no one can
When using an e-mail
• Ensure you are addressing the right person prior to sending email
• Beware of e-mails from unknown parties (unsolicited e-mails)
• Do not open unsolicited emails
• Do not click on links in unsolicited emails
• Never respond to unsolicited emails
e.g. ‘You have won $1,000,000. Kindly send your bank details for crediting your account.’ These are scams also known as social
engineering attacks
If you don’t want to help yourself,
no one can
Precautions when using a e-mail
• Suspicious attachments must NOT be opened e.g. Executable files (with .exe, .com, .bat, .reg extensions)
• Regularly purge unnecessary emails (including emptying the ‘Deleted Items’) to free storage space
• Do not open/reply to spam messages
• Avoid registering unnecessarily to mailing lists
• Use properly configured & regularly updated spam filter, antivirus and antispyware software
• Use firewall as well
If you don’t want to help yourself,
no one can
Most common internet threats, consequences and protection
SPAM
If you don’t want to help yourself,
no one can
Security threats from SPAM
• SPAM provides a cover for spreading of:
– Viruses
– Worms
– Trojans
– Spyware
– Phishing
If you don’t want to help yourself,
no one can
Countermeasures
• Spam Filters
– MS Outlook, Outlook Express…(e.g. SPAMFight)
– Spamfighter for Outlook and Outlook express
• Antivirus
– AVG, Symantec, McAfee, F-Secure, VIRUSfighter….
• Antispyware
– McAfee Antispyware module, S&D , Ad-Adaware SE personal, SPYWAREfighter….
If you don’t want to help yourself,
no one can
Most common internet threats, consequences and protection
Social Engineering Threat (Phishing)
If you don’t want to help yourself,
no one can
Social Engineering
• Social engineering is the art of manipulating people into performing actions or divulging confidential information
“Employees without security awareness are security liabilities.”
Gartner Group, 2002
If you don’t want to help yourself,
no one can
Security threats from phishing
• Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication
• Use of Email messages and Web pages that are replicas of existing sites to fool users into submitting:
– personal,– financial or– password data
If you don’t want to help yourself,
no one can
Prevention
• Don't give out personal information
• Ensure you are on the right website with the right
web address
• Use anti-phishing software – IE7 and Mozilla,
McAfee, Firefox 2.0 (includes a form of anti - phishing technology)
Research shows that employees who are sensitive and knowledgeable about information security provide the
most cost-effective countermeasure against information security violations
If you don’t want to help yourself,
no one can
Top 10 internet threats
If you don’t want to help yourself,
no one can
TOP 10 threats
1. SPAM mail
2. Phishing mail
3. Wireless attack
4. Hacker attack
5. Web exploits
6. Adware
7. Viruses
8. Spyware/Trojans
9. Identity theft
10. Social engineering
If you don’t want to help yourself,
no one can
Conclusion
• Avoid giving unnecessary information online
(e.g. subscribing to a newsletter whereby your
personal details are requested)
• Be sure you are dealing with someone or a site
that you know and trust before giving out
personal information
• Use regularly updated antivirus and antispyware
software
• Use client filters or ISPs based filters