Risks, Security, and Disaster Recovery
This week we explore the risks faced by information systems, the security
measures used to reduce some of these risks, and the choices that
have to be made when developing and implementing disaster recovery plans.
Objectives
- describe the primary goals of information security
- enumerate the main types of risks to information systems
- list the various types of attacks on networked systems
- describe the types of controls required to ensure data integrity
- describe the types of controls required to ensure uninterrupted operation
- outline the major concerns involved when developing a recovery plan
- explain the economic aspects of information security
Major goals of information security
- reduce the risk of systems and organizations ceasing operations
- ensure compliance with policies, laws, and regulations concerning security and privacy
- CIA triad: confidentiality, integrity, availability
- maintain information confidentiality
- ensure the integrity and reliability of data resources
- ensure the uninterrupted availability of data and online resources
Risks to hardware
- natural disasters: fire, flood, tornado, earthquake, hurricane, lightning
- accidents: construction cutting a power line or communications cable, animals
chewing through power or communications lines, squirrels making fatal
mistakes around transformers, vehicles hitting poles carrying electric or
communications lines, etc.
- downtime: the time during which resources are unavailable
- UPS: Uninterruptible Power Supply (these are almost always not true UPSs,
but battery backups with fast switchover times)
- blackout: total loss of electrical power
- brownout: reduction in voltage (can be much more dangerous for electronics than a blackout)
- vandalism: humans deliberately damaging or destroying resources
Risks to data and applications
- theft of data: may be for identity theft, corporate espionage, etc.
- identity theft: using another person's credentials
- social engineering: using human weaknesses to gain access to confidential
information
- keystroke logging: intercepts keystrokes and either stores them or
sends them someplace on the Internet (very useful for stealing
usernames, passwords, account information, etc.)
- keylogger: hardware or software that performs keystroke logging
- phishing: fraudulent messages (typically emails) which lure recipients into
going to a fake website to try to get them to enter confidential information
- spear phishing: a version of phishing which uses personal information to make
the attack more direct and plausible
- vishing: similar to phishing, but the attack takes place using a fraudulent phone call
directing the person to call a malicious number where personal information will be gathered
- pharming: replacing a real website with an impostor to try to get people to
enter confidential information
- cyber terrorism: terrorist attacks on IT systems, usually done over the network
- data alteration: sometimes hard to notice, but can be very damaging
- data destruction: usually very noticeable, and can be alleviated somewhat
by having good backup procedures in place
- web defacement: basically vandalism, similar to graffiti, but can cost
businesses a lot in lost revenue
- tarpit: a host on the network designed to expect attacks and respond very
slowly, so that the attacker gets little done and spends enough time on the
machine to be tracked
- honeypot: a host on the network designed to lure attackers in so waiting
monitors can attempt to track the attacker
- honeytoken: a piece of data which is extremely unlikely to be accessed legitimately,
but which an attacker is likely to access; it has special monitoring to immediately
alert system administrators when it is accessed with information about where the
access request originated
- virus: software designed to spread from one computer to another based on something
a user does, such as open a file
- worm: software that can spread itself through a network without human intervention
- Trojan horse: a malicious program disguised as a potentially helpful or useful
program; the program may even appear to be carrying out useful tasks while the
malicious part of the code silently carries out its tasks or waits for the right
time to spring into action; Trojans are a form of virus
- logic bomb: a program where malicious code lies dormant waiting for a specific time or
set of conditions to become active and cause damage
- DoS (denial of service): prevents the use of online resources; often done by flooding
servers with so many requests that the servers can't handle legitimate traffic; can
also be done by locking out access to a server or application
- DDoS (distributed denial of service): a DoS attack where many computers are used to send
the flood of requests; the attacking computers are usually machines which have been
previously attacked and have malicious software waiting for commands from some other
machine on the Internet
- zombie: a zombie is a machine which has been attacked and has been infected with
malicious software which awaits commands to carry out DDoS attacks; the user is
usually unaware of the problem
- bot: the program installed on a zombie computer that is used to control the computer remotely
- hijacking: taking control of a computer or website without the owner's consent;
zombies are hijacked computers
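The honeytoken entry above describes a decoy that no legitimate process should touch, with monitoring that alerts administrators and tells them where the access came from. The following is an added example, not code from the original notes: a small detector in Python that reads a constructed file-access log, raises an alert for every read of a honeytoken by an account that is not on an allowlist, and carries the originating account and source IP in the alert. The log format, the decoy paths and the allowlisted backup account are all assumptions made for this example.

```python
import re

# Constructed sample file-access log (not from the original page):
# timestamp, account, source IP, action, path.
SAMPLE_LOG = """\
2024-03-01T09:12:03 alice 10.0.0.12 READ /finance/q1_report.xlsx
2024-03-01T09:14:40 bob 10.0.0.31 READ /hr/onboarding.docx
2024-03-01T09:15:02 bob 10.0.0.31 READ /finance/passwords_backup.txt
2024-03-01T11:30:55 svc_backup 10.0.0.5 READ /finance/passwords_backup.txt
2024-03-01T11:31:10 carol 192.0.2.77 READ /hr/executive_salaries.xlsx
this line is malformed and must be skipped
"""

# Hypothetical honeytoken paths: decoy files with tempting names that no
# real business process ever reads, so any access is suspicious by definition.
HONEYTOKENS = {
    "/finance/passwords_backup.txt",
    "/hr/executive_salaries.xlsx",
}

# Accounts that touch every file as part of their job (e.g. the backup job);
# their reads of a decoy are expected and would only generate noise.
ALLOWLIST = {"svc_backup"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one log line into its fields, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src_ip, action, path = m.groups()
    return {"time": ts, "user": user, "src_ip": src_ip, "action": action, "path": path}


def detect_honeytoken_access(log_text, honeytokens=HONEYTOKENS, allowlist=ALLOWLIST):
    """Return one alert per honeytoken access by a non-allowlisted account.

    Each alert keeps the origin of the request (account and source IP) so the
    administrator knows where to look first.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in honeytokens:
            continue
        if rec["user"] in allowlist:
            continue
        alerts.append({
            "time": rec["time"],
            "user": rec["user"],
            "src_ip": rec["src_ip"],
            "path": rec["path"],
            "severity": "high",
        })
    return alerts


def format_alert(alert):
    """One-line, human-readable alert text for a pager or ticket."""
    return (f"[{alert['severity'].upper()}] honeytoken {alert['path']} accessed at "
            f"{alert['time']} by {alert['user']} from {alert['src_ip']}")


if __name__ == "__main__":
    for alert in detect_honeytoken_access(SAMPLE_LOG):
        print(format_alert(alert))
```

Running the block prints two alerts (bob from 10.0.0.31 and carol from 192.0.2.77); the backup account's read is suppressed by the allowlist and the malformed line is ignored rather than crashing the detector. In a real deployment the alert would go to a SIEM or pager rather than stdout, but the decision logic is the same.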
Remediation
- controls: constraints and restrictions imposed on users and systems to protect against
some of the potential risks
- some common controls are:
- data entry controls: to keep invalid data from entering the system, which may be
accidental or intentional
- program testing: to avoid internal program errors and reject invalid data, attempted
abuse of the program, and implement business and security policies
- backup: duplicating data, often to an external site, so it can be used in case the
original data is damaged or destroyed
- access controls: measures taken to ensure that only authorized people get access
to data; these measures include usernames and passwords
- biometric: a physical access control relying on measuring some physical aspect
of a user's body
- atomic transaction: a transaction that is guaranteed never to be only partially
recorded; it is either completely recorded or dropped; atomic transactions are
generally made up of a group of smaller transactions
- audit trail: a recorded series of details which log transactions, times, and
people involved; can be used to find out where errors or abuses happened;
this helps deter abuses
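The atomic transaction and audit trail entries above are easiest to see together in code. The following is an added example, not from the original notes: a Python sqlite3 ledger (constructed in-memory sample data) where a money transfer is a debit, a credit and an audit record committed as one unit. If any step fails, everything is rolled back, so a half-recorded transfer is impossible, and the failed attempt is still written to the audit table so the trail shows who tried what. The table layout and account names are assumptions made for this example.

```python
import sqlite3


def setup_db():
    """Create an in-memory ledger with constructed sample accounts and an audit table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " name TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.execute(
        "CREATE TABLE audit ("
        " id INTEGER PRIMARY KEY,"
        " ts TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,"
        " actor TEXT NOT NULL,"
        " action TEXT NOT NULL,"
        " detail TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    conn.commit()
    return conn


def transfer(conn, actor, src, dst, amount):
    """Move `amount` from src to dst as one atomic transaction.

    The debit, the credit and the audit entry are committed together or not at
    all: if any step fails, sqlite3 rolls the whole block back.  Returns True on
    success and False if the transfer was rolled back.
    """
    try:
        with conn:  # commits on normal exit, rolls back on any exception
            cur = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
            if cur.rowcount != 1:
                raise ValueError(f"unknown source account {src!r}")
            cur = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
            if cur.rowcount != 1:
                raise ValueError(f"unknown destination account {dst!r}")
            conn.execute(
                "INSERT INTO audit (actor, action, detail) VALUES (?, ?, ?)",
                (actor, "transfer", f"{src}->{dst} amount={amount}"))
        return True
    except (sqlite3.IntegrityError, ValueError) as exc:
        # The failed attempt is recorded too, in its own committed transaction,
        # so the audit trail shows who tried what even though nothing changed.
        conn.execute(
            "INSERT INTO audit (actor, action, detail) VALUES (?, ?, ?)",
            (actor, "transfer_failed", f"{src}->{dst} amount={amount}: {exc}"))
        conn.commit()
        return False


def balances(conn):
    """Current balance of every account, keyed by name."""
    return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name"))


def audit_trail(conn):
    """(actor, action, detail) rows in the order they were recorded."""
    return conn.execute("SELECT actor, action, detail FROM audit ORDER BY id").fetchall()


if __name__ == "__main__":
    db = setup_db()
    transfer(db, "teller1", "alice", "bob", 30)      # succeeds
    transfer(db, "teller1", "alice", "bob", 500)     # insufficient funds: CHECK fails
    transfer(db, "teller1", "alice", "mallory", 10)  # no such account: debit rolled back
    print(balances(db))
    for row in audit_trail(db):
        print(row)
```

The second and third transfers both fail partway through (the overdraft trips the CHECK constraint on the first UPDATE; the unknown recipient is caught only after alice has already been debited), yet the balances afterwards are exactly what the one successful transfer left: 70 and 80. That is the atomicity guarantee in practice, and the audit table holds one "transfer" row followed by two "transfer_failed" rows naming the actor.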
Security measures
- firewall: hardware and/or software that blocks unauthorized access to a system; great
for stopping worms, but not much use against things like malicious email attachments and requested
downloads (which is why anti-virus software must also be used)
- proxy server: a machine that represents all the machines within a network to the
external world; this helps focus where security and other control measures are
most important
- DMZ: Demilitarized Zone; a network of computers which is attached to both the outside world
and the internal network of an organization, but which allows for access between the internal
network and the outside world to be controlled
- authentication: proving that someone is authorized for access, or is who they say they are
- encryption: translating a message into an unreadable form for all but the recipient (and
possibly the sender)
- decryption: translating ciphertext back into its original plaintext message
- plaintext: a message before it is encrypted (or after it is decrypted)
- ciphertext: a message which has been encrypted
- symmetric encryption: encryption where the encryption key and decryption key are the same
- private key encryption: a synonym for symmetric encryption
- asymmetric encryption: encryption where the encryption key and decryption key are
different; each participant has a public and a private key; someone can encrypt a message
using the recipient's public key, which only the recipient can decrypt using their private key
- public key encryption: a synonym for asymmetric encryption
- SSL: Secure Sockets Layer; used widely for security on the Web; encrypts communication
- TLS: Transport Layer Security; encrypts communication; replacement for SSL
- HTTPS: secure version of HTTP
- digital signature: using asymmetric encryption, this is the rough equivalent of signing
a document with your signature
- message digest: a hash code using asymmetric encryption that helps authenticate a file as
being genuine and not tampered with; similar to a fingerprint
- digital certificate: a file that serves as a computer's ID card; it carries a system's
public key and identity
- certificate authority: an organization entrusted to issue digital certificates
- SSO: Single Sign-on; used so users only have to provide authentication credentials once
and then be accepted by every machine on that network
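The message digest entry above compares a digest to a fingerprint that shows a file is genuine and untampered. The following is an added example, not code from the original notes, showing that fingerprint check in Python. The digest itself is produced by a hash function (SHA-256 from the standard library here); the signing step that protects a digest with asymmetric encryption needs a key pair and is not shown. The configuration file and its altered copy are constructed sample inputs.

```python
import hashlib
import hmac


def message_digest(data, algorithm="sha256"):
    """Fixed-length hex fingerprint of `data`, computed with a hash function."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_digest(data, expected_hex, algorithm="sha256"):
    """True if data still matches the published digest (constant-time compare)."""
    return hmac.compare_digest(message_digest(data, algorithm), expected_hex)


def bits_changed(hex_a, hex_b):
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Constructed sample: a configuration file as published, and a copy in which a
# single digit was changed (session timeout 15 -> 75 minutes).
ORIGINAL = b"max_login_attempts = 5\nsession_timeout_minutes = 15\n"
TAMPERED = b"max_login_attempts = 5\nsession_timeout_minutes = 75\n"


def check_download(data, published_hex):
    """Decision a client makes before trusting a downloaded file."""
    if verify_digest(data, published_hex):
        return "ok: digest matches published value"
    return "reject: digest mismatch, file was altered or corrupted in transit"


if __name__ == "__main__":
    published = message_digest(ORIGINAL)
    print("published digest:", published)
    print(check_download(ORIGINAL, published))
    print(check_download(TAMPERED, published))
    print("bits that differ between the two digests:",
          bits_changed(published, message_digest(TAMPERED)))
```

Two properties of a digest make it a useful fingerprint: its length is fixed (64 hex characters for SHA-256) regardless of the input size, and changing a single character of the input changes roughly half of the digest's bits, so a one-digit edit is as visible as rewriting the whole file. The comparison uses hmac.compare_digest so that the time taken does not depend on where the two values first differ.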
Business recovery plans
- also called disaster recovery plans, business continuity plans, business resumption plans
- steps in developing a recovery plan
- obtain management's commitment to the plan
- establish a planning committee
- perform risk assessment and impact analysis
- prioritize recovery needs
- critical
- vital
- sensitive
- noncritical
- select a recovery plan
- select vendors
- develop and implement the plan
- test the plan
- continually test and evaluate