recommending information security measures
Post on 18-Jan-2015
241 Views
Preview:
DESCRIPTION
TRANSCRIPT
RECOMMENDING SECURITY MEASURES FOR INFORMATION SECURITY
RECOMMENDING SECURITY MEASURES FOR INFORMATION SECURITY
INFORMATION SECURITY INFORMATION SECURITY
Information Security is the practice of defending information from unauthorised access, use, disclosure, disruption, modification, recording or destruction.
Why Information Security?Why Information Security?
• Information is critical to any business and paramount to the survival of any organisation in today’s globalised digital economy.
• Governments, military, corporations, financial institutions, etc. amass huge confidential information about their employees, customers, research & financial status. Most of this information is stored on computers and transmitted across networks to other computers.
• Conventional warfare has been replaced by digital or cyber war. Rivals continue attempts to gain access to the adversaries information.
Some ExamplesSome Examples• Bradley Manning, US soldier: involved in the biggest
breach of classified data (7 Lakh Classified files, battlefield videos & diplomatic cables) in US History for providing files to Wikileaks.
• A hacker stole a database from South Carolina’s Deptt. Of Revenue, exposing 3.6 million Social Security numbers and 3.8 Lakh payment card records. More than 6.5 Lakh businesses were also compromised.
• As per recent article of Indiatimes: As India’s 108 bn $ IT Service industry is becoming the world’s favoured outsourcing centre, India is emerging as a top destination for cyber data theft.
Computer Security LossesComputer Security Losses
In 1980 a computer cracked a 3-character password within one
minute.
In 1980 a computer cracked a 3-character password within one
minute.
DID YOU KNOW?
In 2004 a computer virus infected 1 million computers within one hour.
In 1999 a team of computers cracked a 56-character password within one day.
REASONS FOR ATTACKSREASONS FOR ATTACKS
• Fraud: These attacks are after credit card numbers, bank accounts, passwords…anything of use of themselves or sell for profit
• Activism: Activists disagree with a particular political or social stance one takes, and want only to create chaos and embarrass the opponent organisation.
• Industrial Espionage: Specific proprietary information is targeted either in rivalry or to make profit.
FORMS OF THREATFORMS OF THREAT• Computer Viruses• Trojan Horse • Address Book Theft• Domain Name System Poisoning• Zombies (Enslaving of Computers), IP Spoofing
(Replicating IP adress)• Password grabbers• Network Worms• Hijacked Home Pages• Denial of Service attacks• Phishing • Identity theft
Top Three Security ThreatsTop Three Security Threats
• Malware (Malicious Software)
• Internet- Facing Applications
• Social Engineering
Social EngineeringSocial Engineering
Social Engineering is the art of deceptively influencing a person face to face, over the phone, via e mail, etc. to get the desired information. For an organisation with more than 30 employees one expert puts the success rate of social engineering at 100%.
For eg.- •Convincing an employees to share a company password over the phone or chat•Tricking someone into opening a malicious e mail attachment•Sending a “free” hardware that’s been pre- infected
TYPICAL SYMPTOMSTYPICAL SYMPTOMS
– File deletion
– File corruption
– Visual effects
– Pop-Ups
– Erratic (and unwanted) behavior
– Computer crashes
THREAT CONSEQUENCESTHREAT CONSEQUENCES
• Unauthorized Disclosure– exposure, interception, inference, intrusion
• Deception– masquerade, falsification, repudiation
• Disruption– incapacitation, corruption, obstruction
• Usurpation– misappropriation, misuse
Data Availabilit
y
Data Integrity
Data Confidentiality
Pillars of Information Security: CIAPillars of Information Security: CIA
CONFIDENTIALITYCONFIDENTIALITY
Preventing disclosure of information to unauthorised individuals or systems. For eg. A Credit Card transaction. The system attempts to enforce confidentiality by encrypting the card number during transmission from buyer to seller.
INTEGRITYINTEGRITY
Maintaining and assuring the accuracy and consistency of data over its entire life-cycle. This means the data cannot be modified in an unauthorised or undetected manner.
AVAILABILITYAVAILABILITY
The information must be available when it is needed, to ensure its utility. This means that the computing systems used to store and process the information, the security controls used to protect it , and the communication channels used to access it must be functioning correctly.
MEASURES FOR INFORMATION SECURITYMEASURES FOR INFORMATION SECURITY
Use a strong password• A strong password is the best way to protect yourself
against identity theft and unauthorized access to your confidential information.
Protect confidential information• Varied people have access to information that must not
be shared, including the password. Familiarize yourself with the applicable laws and policies which govern these records and act accordingly.
Make sure operating system and virus protection are up-to-date• This will avoid vulnerability to hackers and others looking
to steal information.
Use secure and supported applications• Any software you install has the potential to be exploited
by hackers, so be very careful to only install applications from a trusted source. The use of pirated software is illegal.
Be wary of suspicious e-mails• Don't become a phishing victim. Never click on a link in
an email; if you're tempted, cut and paste the url into your browser. That way, there's a good chance your browser will block the page if it's bad. And don't open email attachments until you've verified their legitimacy with the sender.
Store confidential information only on HSU servers• CDs, DVDs, and USB drives are all convenient ways to
store data; the trouble is, they're just as convenient for thieves as for you. Wherever possible, store confidential information in your network folder or other protected central space. If you must store confidential information locally, you must encrypt it and then delete it as soon as you no longer need it.
Back up your data … and make sure you can restore it• If your computer becomes infected, the hardware fails,
you may be unable to retrieve important information. So make sure your data is backed up regularly - and test that backup from time to time to make sure that the restore works correctly.
Protect information in all its forms• Protecting your digital data is important. But paper and
the human voice remain important elements of the security mix. Keep confidential printed information in locked file cabinets and shredded when no longer required. If you're talking about confidential information on the phone, take appropriate steps to ensure you're not overheard.
Learn to be security-aware• Being aware and alert to the environment can prevent any
disaster.
Important PointsImportant Points
• Classified documents should be kept in special filing cabinets, special vaults etc.
• It should be in the personal custody of the concern authorised official
• These should be kept locked when not in use.• These should be numbered and logged• When passing from one authorised person to the next , written
signed receipt should be taken.• Shouldn’t be taken out of premises ideally , otherwise they
should be sent only in sealed boxes in double sealed cover
• Never discuss office matters at public places• Do not carry home sensitive information• Do not use the phone to discuss sensitive information• Be careful of strangers • Wherever it is felt that something had happened, it
should be immediately discussed so as to initiate damage control exercises
Important Points
BASIC GUIDELINESBASIC GUIDELINES
• Do not take unusual precautions –this will attract attention – act normal
• Persons having the confidential information should be made personally responsible for protecting the same
• Security must be sensible or low profile• Security should be organised in depth
BASIC GUIDELINESBASIC GUIDELINES
• Enforce control of copies of documents • Proper control of waste paper and destruction• Check all meeting places for ‘bugs’• Be wary of consultants• Edit your journals• Nothing will remain secret, if more than two
persons share the same
Security Technologies UsedSecurity Technologies Used
top related