are you who the computer says you are? computers surround us. they impact almost every facet of our...
TRANSCRIPT
![Page 1: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/1.jpg)
Are you who the computer says you are?
Computers surround us. They impact almost every facet of our lives.
This causes the risk of too much information being “out there.”
Frauds, such as identity theft, are therefore possible.
Attempts to protect such data using technology are common and widely accepted.
However, hackers evolve their strategies. This causes additional information systems concerns.
![Page 2: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/2.jpg)
Control and Security of Target System
Target system: An information asset that should be protected from all types of risks.
Examples: The servers, operating system, e-mail application, customer database
Target system’s components: An operating system A database management system Information processing systems End-user systems
![Page 3: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/3.jpg)
Other Target System Characteristics Boundary
Information systems boundaries have progressively become more “porous,” especially in the Web environment.
Exposures from boundary arise due to: Links (interfaces) with other systems Nature, type, and timing of traffic Availability of connectivity with the target system
Communication Netcentric target systems have greater need for
communication. Need more communication lines. Verfication (authentication) of communicators is critical. Objectives of boundary protection needs to be balanced
with the objectives of controlled communication.
![Page 4: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/4.jpg)
Other Target System Characteristics
Location and spread Centralized systems are likely to have a well-defined
perimeter. Physical security of a centralized system is feasible and is
usually effective. Distributed systems are usually spread out, making
boundaries much more “porous.” Outsourcing of information systems
Some risks are shifted to the outsourcer. However, the company faces new risks. A careful risk-based evaluation of the outsourcing option is
essential before the management commits to this option.
![Page 5: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/5.jpg)
Risk Risk: Risk represents the possibility of a loss or harm to an
entity. An entity can be a person, an organization, a resource, a system,
or a group. In our case, the entity can be broadly characterized as a target
system (information assets). Risk exposures: A risk exposure represents all kinds of
possibilities of harm to an entity without regard to its likelihood. Not all exposures equally impact every entity. Therefore, risk is assessed in terms of those exposures that
have a high probability of affecting the target system. Risks (and exposures) can be emerging from within (internal
sources) or from outside the boundary of the organization (external).
Risks keep changing. Existing risks may gain strength or weaken, and new risks emerge.
![Page 6: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/6.jpg)
There are many factors causing changes in risk. Organizational factors
Business firms constantly change their organizational structures to reflect changed responsibility relationship.
Examples of change: merger, acquisition, downsizing, seeking new markets or products.
Environmental factors Businesses respond to changes in their environments. Examples of change: regulation, international trade laws and treaties,
economic cycles. Technological factors
Changes in IT are likely to affect risks. Examples of change: wireless networking, mobile computing, customers
transacting online. Sociological factors
Businesses are affected by sociological changes. Examples of change: networking, telecommuting, remote logins, single
parent homes, elderly care.
![Page 7: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/7.jpg)
Risk Management Risk management: A systematic approach to manage risk to a
target system. Risk appetite: An organization’s ability to accept risk. Approaches to risk management
Don’t own (disown) the risk Risk avoidance: A deliberate attempt to keep the target system away
from a specific risk. Example: Avoid travel by air. Own the risk
Risk reduction: Proactive measures to prevent a loss from occurring, or to limit losses. Example: Firewall installation to screen traffic.
Risk transfer: Transfer target system risk to some other entity. Example: outsourcing, subcontracting. Risk sharing: Entities facing identical exposure join together and pool their
resources. Example: Neighborhood watch groups, insurance. Risk retention: Management’s desire to accept risk. Example:
Leadership tram traveling on the same flight.
![Page 8: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/8.jpg)
Risk avoidance Risk retentionRisk transfer
Risk sharing
Risk reduction
Disown the risk Own the risk
Remainder of the risk
Risk management
![Page 9: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/9.jpg)
Security, Functionality, and Usability of Information Assets
Security: To protect systems and applications. Functionality: To be effective in delivering the
objectives for which systems and applications are designed.
Usability: To make systems and applications attractive (e.g., easy to use) to end users.
Trade offs among the three goals are very likely and balance needs to be achieved among the three objectives.
![Page 10: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/10.jpg)
Components of control systems
Security policy and practices Identification and authentication Access and authorization Information flow Availability and continuity Logs and trails Risk-based audit
![Page 11: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/11.jpg)
Identification and Authentication
Identification and authentication processes offer an assurance that we know the entities interacting with the system.
Authentication procedures can be progressively more rigorous depending on the need: First factor authentication – what do you know?
(e.g., password) Second factor authentication – what do you have?
(e.g., a token)
![Page 12: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/12.jpg)
Access and Authorization
Access means access to the system. Authorization defines what the user can do
with the system. Authorization to use various information
assets is dependent on the role of the user. User roles are inputs to determine user privileges with respect to the information assets (e.g., view or modify existing data in payroll database).
![Page 13: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/13.jpg)
Availability and Continuity
To ensure that information assets are available at the time of their expected use.
Continuity of operations is dependent on availability of information assets.
Lack of availability could be temporary or long-term.
Lack availability can be caused by incidents or disasters.
![Page 14: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/14.jpg)
Logs and Trails
Logs reveal the sequence of events or activities taking place with respect to information processing.
Date and time stamp provide evidence of sequence of actions with respect to the systems resources.
Trails of transactions are generally formed as transaction logs. This allows for verification of transaction processing activities and for reconciliation of outputs of processing.
![Page 15: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/15.jpg)
Logical Constructs of Control Systems
Requisite variety Redundancy Granularity
Protocols and standards
Trust
![Page 16: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/16.jpg)
Redundancy
Many control and security measures employ redundancy to manage risk. Example: Back up copy of a program.
Redundancy creates inefficient utilization of resources.
However, in certain cases, redundancy may provide a cost-effective control measure.
![Page 17: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/17.jpg)
Granularity
Granularity is the level at which a security or control measure is implemented within a hierarchy of levels in a system.
Granularity is most visible in control and security measures with respect to access to information assets.
For a chosen level of granularity, it is necessary to provide requisite variety for every possible out-of-control situation.
![Page 18: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/18.jpg)
Protocols and Standards
Protocol means rules of behavior. Example: Protocols are widely used in network
communications field, including the Internet. The consistency provided by protocols allow
users, designers, and evaluators of information systems the same expectations.
An established protocol that becomes universally accepted over time is called a standard.
![Page 19: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/19.jpg)
Trust
Trust means relying on someone or something.
When a level of trust is assumed, but is violated, security (of process, software, or system) is compromised.
Therefore, it is important to evaluate the level of trust placed in people, processes, and systems.
![Page 20: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/20.jpg)
Comparing Trust with Security
Trustworthiness is a matter of degree, while security has two states (secured or not secured).
Security is in the view of the presenter; trusting is an act of the receiver.
Security is argued on the basis of assertions of characteristics of the target system; trust is a matter of judgment.
A system is considered secure, regardless of how, when, where, by whom it is used. Trust is viewed only within the context of use; it does not automatically transcent situations.
![Page 21: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/21.jpg)
Common Criteria Common Criteria (CC) is a framework that helps
develop and evaluate features that support information security objectives at various levels of assurance.
It establishes a method for the evaluation of security properties of IT products and systems.
Thus, it provides a standard for vendors of IT products and systems.
Security managers acquiring IT products and systems carefully consider the level of assurance provided by alternative products in making their purchase decisions.
![Page 22: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/22.jpg)
Implications for Assurance
Target of evaluation (TOE) may be any object (a process, component, resource, or a system).
The target is subject to a systematic evaluation to determine if it meets certain criteria.
Steps in the evaluation process: Understand the control environment. Determine what protections are planned and how security
objectives are set to achieve these protections. Test the target to verify if the security objectives are met. Evaluate the evidence to make a final judgment on secure
the TOE is.
![Page 23: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/23.jpg)
Information Assets
Risks
Risk Management Control Measures
Threats Vulnerabilities
Internal control objectives
Information Security Objectives
Frameworks for control and security
increase exploit
experience have
are mitigated by
are a part of
are exposed to
that are addressed by
to attain
using using
![Page 24: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/24.jpg)
Protecting Information Assets
It is necessary to protect information assets There is a potential for compromises of such assets.
There may be attacks on the information assets. There may be unintentional compromises of information assets.
Systems are subject to regulatory protection requirements.
Information Assets
Unintentional Compromises
Attacks
need protection
from
Regulatory Protection
RequirementsPrivacy
such as
should meet
Control and Security Measures
which require
To protect
![Page 25: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/25.jpg)
Vulnerabilities and Threats
Vulnerability: A weakness in the information assets that leads to risk.
Threat: The probability of an attack on the information asset.
Attack: A series of steps taken by an attacker to achieve an unauthorized result.
Threat agent: An entity, typically a person, who triggers a threat.
Countermeasure: An antidote or an action that dilutes the potential impact of a known vulnerability.
![Page 26: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/26.jpg)
Information Assets
Unintentional Compromises
Vulnerabilities Internal Sources External Sources
Threats
Attacks
result inon
have
from
result in add to or exploit
face
![Page 27: Are you who the computer says you are? Computers surround us. They impact almost every facet of our lives. This causes the risk of too much information](https://reader038.vdocuments.us/reader038/viewer/2022103100/56649f2c5503460f94c47a17/html5/thumbnails/27.jpg)
Information Assets
Risks
Risk Management Control Measures
Threats Vulnerabilities
Internal control objectives
Information Security Objectives
Frameworks for control and security
increase exploit
experience have
are mitigated by
are a part of
are exposed to
that are addressed by
to attain
using using