
Information Security

1. What are some common security threats?

  • Virus
    • A malicious program that spreads from computer to computer and corrupts user data.
    • It replicates itself and gets attached with another application or file.
  • Worm
    • A malicious program that finds a weak spot in a computer on a network and spreads throughout the network.
    • Worms do not need a host system and can spread between systems and networks without user action, whereas a virus requires users to execute its code
  • Trojan Horses
    • A program that purports to perform a useful function (and may do so) but certainly performs malicious functions
  • Zombies
    • A common use of Trojan Horses
    • Establishes a large number of processors, scattered around the Internet, that are under central or timed control (hence ‘zombies’)
    • These are referred to as a Botnet
    • They can be used to perform DDoS (Distributed Denial of Service) attacks and send spam
  • Distributed denial-of-service attack (DDoS)
    • Attacks from multiple computers that flood a Web site with so many requests for service that it slows down or crashes.
    • DDoS extortion can pay $10k+

Three top security threats for businesses

  1. Malware, or malicious software, is any program or file that is intentionally harmful to a computer, network or server.
  2. Ransomware: Malware that encrypts a user's files and demands that the user pay to regain control of their data and/or device.
  3. Phishing: A type of social engineering attack that occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email or instant message.

2. What are some examples of cyber attacks?

  • MITM: Man-in-the-Middle Attack
  • Denial-of-Service (DoS) attack: Floods a Web site with so many requests for service that it slows down or crashes. The objective is to prevent legitimate customers from using the Web site.
  • SQL Injection Attacks: Inject malicious SQL code into an application, allowing the attacker to view or modify a database.
    • Access sensitive data, Execute admin tasks on the database
  • Stuxnet: Infiltrated Iranian nuclear facilities and reprogrammed the industrial control software operating hundreds of uranium-enriching centrifuges.
  • Zero-day exploits: New attacks that haven’t been clearly identified and haven’t been incorporated into security screening systems.

3. Who’s Doing it? And What’s Their Motivation?

  • Data harvesters sell to cash-out fraudsters.
    • Data harvesters: Cybercriminals who infiltrate systems and collect data for illegal resale.
    • Cash-out fraudsters: Criminals that purchase assets from data harvesters to be used for illegal financial gain. They might buy goods using stolen credit cards or create false accounts.

User and Administrator Threats

  • Bad apples
    • Rogue employees who steal secrets, install malware, or hold a firm hostage.
  • Social engineering
    • Con games that trick employees into revealing information or performing other tasks that compromise a firm.
    • Dumpster diving: Combing through trash to identify valuable assets.
    • Shoulder surfing: Gaining compromising information through observation.
  • Phishing: Cons executed using technology, in order to acquire sensitive information or trick someone into installing malicious software.
    • Spoofing: Email transmissions and packets that have been altered to forge or disguise their origin or identity.

4. What Are Some Protection Methods?

Information Security Foundations

  • Confidentiality – allowing only authorized subjects to view sensitive data
  • Integrity – maintaining the accuracy and trustworthiness of data
  • Availability – ensuring data is available when and where it is needed for business operations

Methods of Authentication: Tokens, Crypto, Passwords, Biometrics

Security Model

![[Screen Shot 2024-05-06 at 15.48.59.png]]

Symmetric Cryptography: The same key is used for encryption and decryption

  • E.g., Twisted Path Cipher
  • Problem with symmetric key systems: distributing the secret key
  • Solution: public key systems

Public Key Cryptography

  • Scenario 1:
    • Public key is used to encrypt messages
    • Only the owner of the corresponding private key can decrypt the message, providing confidentiality
  • Scenario 2:
    • Private key is used to encrypt messages
    • Anyone with the corresponding public key can decrypt the message
    • This provides proof of who owns the private key
    • This is used for digital signatures
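The two public key scenarios above, worked through with textbook RSA as an added example (not part of the original notes). The primes, the names `make_keypair`, `ALICE_PUB`, `ALICE_PRIV` and the sample messages are constructed for illustration; the key size is a toy and there is no padding, so this shows the mechanics only.

```python
import hashlib
from math import gcd

def make_keypair(p, q, e=65537):
    """Textbook RSA key generation from two primes (toy size, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)           # private exponent: e*d = 1 (mod phi)
    return (n, e), (n, d)         # (public key, private key)

# Scenario 1: anyone encrypts with the public key, only the owner decrypts.
def encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(private, c):
    n, d = private
    return pow(c, d, n)

# Scenario 2: the owner applies the private key to a hash of the message;
# anyone holding the public key can check the result (digital signature).
def digest(message, n):
    # SHA-256 reduced modulo n so it fits the toy modulus
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    n, d = private
    return pow(digest(message, n), d, n)

def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == digest(message, n)

# Constructed sample values: two Mersenne primes, far too small for real use.
ALICE_PUB, ALICE_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
SECRET = int.from_bytes(b"PIN 4821", "big")

if __name__ == "__main__":
    c = encrypt(ALICE_PUB, SECRET)
    print("decrypts to original:", decrypt(ALICE_PRIV, c) == SECRET)
    sig = sign(ALICE_PRIV, b"pay Bob 10")
    print("signature valid:", verify(ALICE_PUB, b"pay Bob 10", sig))
    print("tampered message valid:", verify(ALICE_PUB, b"pay Bob 1000", sig))
```

The signature is computed over a hash of the message rather than the message itself, which is how the "private key encrypts" scenario is applied in practice.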

Biometric security: 3-factor

  1. What you know (password)
  2. What you have (card of some sort)
  3. Who you are (biometric)

What are Some Good Organizational Best Practices?

Summary of Information Security Weaknesses

![[Screen Shot 2024-05-06 at 16.16.35.png]]

Organizational Practices

  1. Implement Security Policies & Incident Response Plans
  2. Implement Safeguards
    • Administrative Safeguards
    • Technical Safeguards
    • Physical Safeguards
  3. Conduct Vulnerability Assessments
    • Penetration Testing
    • Internal & External
    • Wireless Penetration Testing
    • Social Engineering Exercises
  4. Educate
    • Awareness Training
    • Certification

Ethical and Social Considerations of IS

PAPA framework

  • Privacy
    • Choice: right to select the desired level of access to personal information
    • Consent: the need to provide definitive assent to use of personal information
    • Control: the right to access one's personal information
    • What information must a person reveal about oneself to others? (E.g., an ex-con or someone on parole)
    • What information should others be able to access about you – with or without your permission? What safeguards exist for your protection? (E.g., convicted child molesters)
  • Accuracy
    • Data quality
    • Who is responsible? Who is accountable?
    • In some countries correcting data errors is required by law
  • Property
    • Intellectual property: Ownership of a work or invention that is the result of creativity for which one may apply for a patent, copyright, trademark, etc.
    • Copyright (a form of IP): Legal protection for the expression of an idea, song, movie. It means that no-one can use your material without your permission.
    • Net Neutrality: The principle that Internet service providers should enable access to all content and applications regardless of the source, and without favoring or blocking particular products or websites.
    • Who owns information?
    • Who owns the channels of distribution, and how should they be regulated?
  • Accessibility
  • Stockholder Theory states that the primary responsibility of a company is to its shareholders and its main goal should be to maximize shareholder wealth.
  • Stakeholder Theory argues that a company should create value for all stakeholders, not just shareholders.
  • Social Contract suggests a business should contribute to the welfare of the society in which it operates, as it benefits from operating within that society.

![[Screen Shot 2024-05-06 at 16.45.27.png]]

Sustainability, Innovation & Disruptive Technologies

Sustainability

  • def: the creation and maintenance of conditions under which humans and nature can exist in productive harmony to support present and future generations
  • 3 pillars: Social, Environmental and Economic (People, Planet, and Profit.)
  • The social aspect of sustainability focuses on balancing the needs of the individual with the needs of the organization
  • Environmental sustainability occurs when processes, systems and activities reduce the environmental impact of an organization's facilities, products and operations.
  • In an economic sense, businesses need to make a profit, but their operations should not create social or environmental issues that would harm the long-term success of the company.
    • Consumers are now selective about products. If you focus on social and environmental issues, profitability will often follow.

Innovation & Disruption

  • Innovation = Ideation + Implementation
  • Incremental Innovation: Building on past successes. They make existing products better, faster or cheaper in the eyes of the customer by offering new features and functions. ![[Screen Shot 2024-05-06 at 16.55.21.png]]
  • Disruptive innovation creates new markets or significantly alters existing ones.
  • Trends affecting innovation: rapid improvements in technology
    • Moore’s Law, named for Intel’s co-founder Gordon Moore, says that computer processing power doubles about every 18 months.
  • The Characteristics of Disruptive Technology
    1. They come to market with a set of performance attributes that existing customers don’t value. (E.g., the digital camera)
    2. Over time the performance attributes improve to the point where they invade established markets. (Death of Kodak)
    3. Firms tend to fail because:
      • They fail to see disruptive innovations as a threat
      • Startups amass expertise quickly

Blockchain Technology

  • A Peer-Peer (P-P) Distributed System is one where each entity can directly do transactions with another entity in the system
    • We need an intermediary for most transactions (usually banks)
  • A blockchain is a decentralized and distributed digital ledger
  • Bitcoin is a token that serves as decentralized digital currency (crypto)
    • It is recorded in a blockchain.
    • No central bank or single administrator
    • Can be sent from user to user on the peer-to-peer bitcoin network without the need for intermediaries.
    • Transactions are verified by network nodes through cryptography
    • Bitcoins are created as a reward for a process known as mining.