Risks, Security, and Disaster Recovery

This week we explore the risks faced by information systems, the security measures used to reduce some of these risks, and the choices that have to be made when developing and implementing disaster recovery plans.

Objectives

• describe the primary goals of information security
• enumerate the main types of risks to information systems
• list the various types of attacks on networked systems
• describe the types of controls required to ensure data integrity
• describe the types of controls required to ensure uninterrupted operation
• outline the major concerns involved when developing a recovery plan
• explain the economic aspects of information security

Major goals of information security

• reduce the risk of systems and organizations ceasing operations
• ensure compliance with policies, laws, and regulations concerning security and privacy
• CIA triad: confidentiality, integrity, availability
  • maintain information confidentiality
  • ensure the integrity and reliability of data resources
  • ensure the uninterrupted availability of data and online resources

Risks to hardware

• natural disasters: fire, flood, tornado, earthquake, hurricane, lightning
• accidents: construction cutting a power line or communications cable, animals chewing through power or communications lines, squirrels making fatal mistakes around transformers, vehicles hitting poles carrying electric or communications lines, etc.
• downtime: the time during which resources are unavailable
• UPS: Uninterruptible Power Supply (these are almost always not true UPSs, but battery backups with fast switchover times)
• blackout: total loss of electrical power
• brownout: reduction in voltage (can be much more dangerous for electronics than a blackout)
• vandalism: humans deliberately damaging or destroying resources

Risks to data and applications

• theft of data: may be for identity theft, corporate espionage, etc. identity theft: using another person's credentials
• social engineering: using human weaknesses to gain access to confidential information
• keystroke logging: intercepts keystrokes and either stores them or sends them someplace on the Internet (very useful for stealing usernames, passwords, account information, etc.)
• keylogger: hardware or software that performs keystroke logging
• phishing: fraudulent messages (typically emails) which lure recipients into going to a fake website to try to get them to enter confidential information
• spear phishing: a version of phishing which uses personal information to make the attack more direct and plausible
• vishing: similar to phishing, but the attack takes place using a fraudulent phone call directing the person to call a malicious number where personal information will be gathered
• pharming: replacing a real website with an impostor to try to get people to enter confidential information
• cyber terrorism: terrorist attacks on IT systems, usually done over the network
• data alteration: sometimes hard to notice. but can be very damaging
• data destruction: usually very noticeable, and can be alleviated somewhat by having good backup procedures in place
• web defacement: basically vandalism, similar to graffiti, but can cost businesses a lot in lost revenue
• tarpit: a host on the network designed to expect attacks and respond very slowly, allowing the attacker to not get much done and spend enough time on the machine to be tracked
• honeypot: a host on the network designed to lure attackers in so waiting monitors can attempt to track the attacker
• honeytoken: a piece of data which is extremely unlikely to be accessed legitimately, but which an attacker is likely to access; it has special monitoring to immediately alert system administrators when it is accessed with information about where the access request originated
• virus: software designed to spread from one computer to another based on something a user does, such as open a file
• worm: software that can spread itself through a network without human intervention
• Trojan horse: a malicious program disguised as a potentially helpful or useful program; the program may even appear to be carrying out useful tasks while the malicious part of the code silently carries out its tasks or waits for the right time to spring into action; Trojans are a form of virus
• logic bomb: a program where malicious code lies dormant waiting for a specific time or set of conditions to become active and cause damage
• DoS (denial of service): prevents the use of online resources; often done by flooding servers with so many requests that the servers can't handle legitimate traffic; can also be done by locking out access to a server or application
• DDoS(distributed denial of service): a DoS attack where many computers are used to send the flood of requests; the attacking computers are usually machines which have been previously attacked and have malicious software waiting for commands from some other machine on the Internet
• zombie: a zombie is a machine which has been attacked and has been infected with malicious software which awaits commands to carry out DDoS attacks; the user is usually unaware of the problem
• bot: the program installed on a zombie computer that is used to control the computer remotely
• hijacking: taking control of a computer or website without the owners consent; zombies are hijacked computers

Remediation

• controls: constraints and restrictions imposed on users and systems to protect against some of the potential risks
• some common controls are:
  • data entry controls: to keep invalid data from entering the system, which may be accidental or intentional
  • program testing: to avoid internal program errors and reject invalid data, attempted abuse of the program, and implement business and security policies
  • backup: duplicating data, often to an external site, so it can be used in case the original data is damaged or destroyed
  • access controls: measures taken to ensure that only authorized people get access to data; these measures include usernames and passwords
  • biometric: a physical access control relying on measuring some physical aspect of a user's body
  • atomic transaction: a transaction that is guaranteed to not be only partially recorded; it is either completely recorded or dropped; atomic transactions are generally made up from a group of transactions
  • audit trail: a recorded series of details which log transactions, times, and people involved; can be used to find out where errors or abuses happened; this helps deter abuses

Security measures

• firewall: hardware and/or software that blocks unauthorized access to a system; great for stopping worms, but not much use against things like malicious email attachments and requested downloads (which is why anti-virus software must also be used)
• proxy server: a machine that represents all the machines within a network to the external world; this helps focus where security and other control measures are most important
• DMZ: Demilitarized Zone; a network of computers which is attached to both the outside world and the internal network of an organization, but which allows for access between the internal network and the outside world to be controlled
• authentication: proving that someone is authorized for access, or is who they say they are
• encryption: translating a message into an unreadable form for all but the recipient (and possibly the sender)
• decryption: translating ciphertext back into its original plaintext message
• plaintext: a message before it is encrypted (or after it is decrypted)
• ciphertext: a message which has been encrypted
• symmetric encryption: encryption where the encryption key and decryption key are the same
• private key encryption: a synonym for symmetric encryption
• asymmetric encryption: encryption where the encryption key and decryption key are different; each participant has a public and a private key; someone can encrypt a message using the recipient's public key, which only the recipient can decrypt using their private key
• public key encryption: a synonym for asymmetric encryption
• SSL: Secure Socket Layer; used widely for security on the Web; encrypts communication
• TLS: Transport Layer Security; encrypts communication; replacement for SSL
• HTTPS: secure version of HTTP
• digital signature: using asymmetric encryption, this is the rough equivalent of signing a document with your signature
• message digest: a hash code using asymmetric encryption that helps authenticate a file as being genuine and not tampered with; similar to a fingerprint
• digital certificate: a file that serves as a computer's ID card; it carries a system's public key and identity
• certificate authority: an organization entrusted to issue digital certificates
• SSO: Single Sign-on; used so users only have to provide authentication credentials once and then be accepted by every machine on that network

Business recovery plans

• also called disaster recover plans, business continuity plans, business resumption plans
• steps in developing a recovery plan
  • obtain management's commitment to the plan
  • establish a planning committee
  • perform risk assessment and impact analysis
  • prioritize recovery needs
    • critical
    • vital
    • sensitive
    • noncritical
  • select a recovery plan
  • select vendors
  • develop and implement the plan
  • test the plan
  • continually test and evaluate