UNIT 7 - ORGANISATIONAL SYSTEMS SECURITY

Lesson 3 - Damage to or destruction of systems or information


Last Session

Accidental damage to or destruction of systems or information:

fires and other natural disasters

Power variations

This Session

Damage to or destruction of systems or information:

malicious damage (internal and external causes)

Information security:

confidentiality

integrity and completeness of data

availability of data as needed

New threats are reported every day

Typo-squatting and doppelganger domains

E.g. goggle.com (a typo of google.com); a doppelganger domain drops the dot between a subdomain and its parent, e.g. us.example.com becomes usexample.com

30% of Fortune 500 companies susceptible (Godai Group research)

Email-based attack vectors:

catch-all email account on the doppelganger domain (passive): the attacker simply receives whatever is mis-addressed

120,000 individual emails (20 gigabytes of data) collected in 6 months, including trade secrets, business invoices, employee PII, network diagrams, usernames and passwords

second attack vector involves social engineering: the attacker replies from the lookalike domain and relays mail between two real parties, 'Man in the MailBox' (MITMB)

godaigroup.net

godaigroup.net/free-doppelganger-domain-scan/
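As an added illustration (not from the original slides and not the Godai Group's own tooling): a Python script that generates the lookalike domains an attacker would register against a hypothetical organisation, example.com with subdomains us, uk and mail, and then flags outbound recipients whose domain matches one of them. The organisation domain, subdomains and recipient addresses are constructed for the example; the typo generator goes slightly beyond the slide by covering omission, doubling, transposition and substitution, which is what produces goggle.com from google.com.

```python
"""Lookalike-domain generator and outbound-mail check.

Added example; the organisation domain, subdomains and recipients below are
constructed, not taken from any real incident.
"""
import string


def doppelganger_domains(parent, subdomains):
    """Doppelganger domains: the dot between a subdomain and its parent is
    dropped, so mail meant for us.example.com lands at usexample.com."""
    return {f"{sub.rstrip('.')}{parent}" for sub in subdomains}


def typo_domains(domain):
    """Single-keystroke typo variants of the name before the TLD: omitted
    character, doubled character, adjacent transposition and substitution.
    Assumes a single-label TLD (example.com, not example.co.uk)."""
    name, _, tld = domain.rpartition(".")
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])            # omission: exmple
        variants.add(name[:i] + ch + ch + name[i + 1:])  # doubling: exaample
        if i + 1 < len(name):                            # transposition: exmaple
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for c in string.ascii_lowercase:                 # substitution: goggle
            if c != ch:
                variants.add(name[:i] + c + name[i + 1:])
    return {f"{v}.{tld}" for v in variants if v and v != name}


def build_lookalike_set(parent, subdomains):
    """All domains we would want to register ourselves or watch for."""
    return doppelganger_domains(parent, subdomains) | typo_domains(parent)


def flag_misaddressed(recipients, lookalikes):
    """Recipients whose domain is a lookalike of ours; mail to them is delivered
    to whoever holds that domain, e.g. an attacker's catch-all mailbox."""
    flagged = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in lookalikes:
            flagged.append(addr)
    return flagged


# Constructed sample: our domain, its subdomains, and a batch of outbound recipients.
OUR_DOMAIN = "example.com"
OUR_SUBDOMAINS = ["us", "uk", "mail"]
SAMPLE_RECIPIENTS = [
    "alice@us.example.com",   # correct
    "bob@usexample.com",      # doppelganger of us.example.com
    "carol@exmaple.com",      # transposition typo
    "dave@partner.org",       # unrelated third party
]

LOOKALIKES = build_lookalike_set(OUR_DOMAIN, OUR_SUBDOMAINS)

if __name__ == "__main__":
    print(len(LOOKALIKES), "lookalike domains generated")
    print("flagged:", flag_misaddressed(SAMPLE_RECIPIENTS, LOOKALIKES))
```

The same set is what a defender would feed to a domain-registration watch or an outbound mail gateway rule; the passive catch-all attack on the slide only works while those names are unregistered by the organisation and unwatched by its mail filters.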

Malicious Damage

Several famous malicious computer programs:

the Morris worm, released in 1988

the MBDF virus

the Pathogen virus

the Melissa virus

the Anna worm

By 2002 these were the ONLY cases in which a person had been convicted; over a dozen people were arrested in 2004. In May 2014 over 100 people world-wide were arrested in connection with one piece of malware, the Blackshades RAT (The Guardian)

http://www.theguardian.com/technology/2014/may/19/fbi-arrests-100-hackers-blackshades-rat-backdoor-malware

Malicious damage: - task

For your selected incident find out and report back to the group:

When was it released? What did it do? Where did it originate? Who was responsible? How much damage was

caused? What was the punishment? What OS(s) did it attack?

Morris worm

the MBDF virus

the Pathogen virus

the Melissa virus

the Anna worm

Goner worm

Blaster

Rapid propagation

How long do you think a new computer was estimated to have as 'survival time' before being infected (using XP, 2004)?

Data from The Register, 19th Aug 2004

How long do you think it took the Slammer worm to scan all 4 billion IPv4 addresses following its release in January 2003?

Source: Ronald Standler

Malicious Damage

The first computer virus for Microsoft DOS was apparently written in 1986

Brain virus

NO computer system is immune from attack

http://www.linuxinsider.com/story/62275.html (Linux malware)

Threats to E-Commerce

Website defacement – crackers seek out script or version vulnerabilities in servers and website coding, then edit the site to include:

Graffiti-type 'tags'

Political statements

Religious statements

Childish statements

Explicit or inappropriate images

Meta-refresh tags to forward visitors to spoof sites (phishing)

Denial of Service or Distributed Denial of Service
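The meta-refresh trick above is easy to check for from the defender's side. The following Python script is an added example (not from the slides or any named product): it parses a page with the standard-library HTML parser, pulls the target of every `<meta http-equiv="refresh">` tag, and reports those that send the visitor to a host other than the site's own. The sample page, the host name shop.example.com and the lookalike login-example.net are constructed.

```python
"""Detect meta-refresh redirects that send visitors off-site.

Added example; the sample HTML below is constructed to resemble a defaced
shop page and does not come from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class MetaRefreshFinder(HTMLParser):
    """Collects the url= target of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "meta":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content is "<seconds>" or "<seconds>; url=<target>" (url= is case-insensitive)
        _, _, rest = a.get("content", "").partition(";")
        rest = rest.strip()
        if rest[:4].lower() == "url=":
            self.targets.append(rest[4:].strip().strip("'\""))


def offsite_redirects(html, site_host):
    """Return refresh targets whose host is not site_host. Relative targets
    and same-host absolute URLs are legitimate and are not reported."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    parser.close()
    site_host = site_host.lower()
    return [t for t in parser.targets
            if (urlparse(t).hostname or site_host) != site_host]


# Constructed sample page: one plain refresh, one same-site redirect,
# and one injected redirect to a look-alike login host.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="30">
<meta http-equiv="refresh" content="5; url=/cart">
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://login-example.net/secure">
<title>Shop</title></head><body>Welcome</body></html>"""

if __name__ == "__main__":
    print(offsite_redirects(SAMPLE_HTML, "shop.example.com"))
```

Run periodically against your own live pages (or the files in the web root) this gives a cheap defacement alarm; a redirect to a host you do not own should never appear without a matching change request.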

Technical Errors

Seldom a cause for concern

Regular maintenance of equipment will contain most of these errors

Human Errors

one of the biggest sources of errors in any complex system.

poorly designed human-computer interface (HCI).

human beings are the fail-safe in an otherwise automated system: boredom when they are usually not needed for normal operation, panic when an unusual situation occurs, stress levels are raised, and lives are at stake.

The HCI must give appropriate feedback to the operator to allow him or her to make well-informed decisions based on the most up-to-date information on the state of the system.

High false alarm rates will make the operator ignore a real alarm condition.

System designers must ensure that the HCI is easy and intuitive for human operators to use, but not so simple that it lulls the operator into a state of complacency and lowers his or her responsiveness to emergency situations.

Computer Theft

This is physical removal of a computer system

Seldom happens

Good example:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9056058

http://www.datacenterknowledge.com/archives/2007/12/08/oceans-11-data-center-robbery-in-london/

Portable devices more at risk

Computer Theft

Of course people leave computers lying about

http://www.bbc.co.uk/news/uk-scotland-glasgow-west-18955798 (2000)

http://news.bbc.co.uk/1/hi/uk/1279584.stm (2012)

"The unencrypted laptop contains sensitive details of 8.63 million people plus records of 18 million hospital visits, operations and procedures." (2011) http://www.thesun.co.uk/sol/homepage/news/3637704/Missing-Laptop-with-86million-medical-records.html

Counterfeit Goods

FACT (Federation Against Copyright Theft) – case studies

Information Security

protecting information and information systems from:

unauthorized access

Use

Disclosure

Disruption

modification

destruction

Information Security

The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably.

These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information.

Information Security

Task

Consider the different types of risk:

How is each of them related to the key strands of Information Security?

Confidentiality

Integrity

Availability

Counterfeit Goods

Clothes, drink, food, music, films, software, websites etc.

Infringement of copyright

Damage to reputation and future sales of genuine manufacturer

Copyright, Designs & Patents Act 1988

Counterfeit Goods – effects on the customer

Customer disappointment

Possible damage to customer equipment – e.g. malware contained on DVDs or in software

Illegal downloading -> legal process, heavy fine, loss of computer; traceable through IP address

Health effects – e.g. Counterfeit hardware may cause fires

Wider impact on society – often used to fund other criminal or terrorist activities

Confidentiality

Who can see the information?

Who can update the information?

How long should the information be stored?

How often should it be checked to make sure it is up-to-date and accurate?

What information can be stored?

What systems should be used to store the information?

How often do you review the above?

Data Protection Act 1998

http://www.legislation.gov.uk/ukpga/1998/29/contents

Integrity and completeness of data

Critical

Errors cause damage to individuals and organisations: medical, credit and police records

Need to review - ask the customer or person involved.

Availability of Data

Who can access?

When can they access?

User rights, password access

Legal aspects

Which laws are relevant to Information Security?

Task – 15 mins

Find evidence (newspaper articles etc) to show the main impact of these acts:

Data Protection Act 1998

Computer Misuse Act 1990

Freedom of Information Act 2000

Copyright, Designs and Patents Act 1988

Assignment 1

Know your threats

P1 - Explain the impact of different types of threat on an organisation.

M1 - Discuss information security.

P1 - Explain the impact of different types of threat on an organisation.

Leaflet:

Type of threat,

example of each

Consequences to business

6 types of threat are listed on the brief

Variety of consequences are suggested –other consequences can be included

~ 3 sides of A4

Discuss information security

Relate strands to threats in task 1.

Confidentiality

Integrity and completeness of data

Access to data

Include legal aspects:

Computer Misuse Act 1990,

Data Protection Act 1998,

Copyright, Designs and Patents Act 1988