
Post on 17-Dec-2015


Information Systems Security

Introduction

Sharon Garcia

• UNM Graduate Student

• Masters of Accountancy - Information Assurance Track

• Information Systems Security Course Project

Why Does ISS Matter?

• To some extent everyone creates and uses technology.

• It matters because all information that is generated has economic potential.

• This information can be collected, organized, and turned into something more than it originally started as.

http://www.wired.co.uk/news/archive/2013-02/05/weakness-in-tsl-protocol/viewgallery/293669

Facebook…

• Signing up for Facebook does not “cost” you anything… or does it?

• Facebook makes money in different ways but mainly from advertising.

• Instead of charging you a fee for the service they offer, they record your personal information, along with all the other information you generate, and sell that information to external vendors.

So… Why do Facebook’s profits matter?

• If Facebook is compromised, their profits are directly affected.

• In other words, when its users’ accounts are compromised, they lose money. Tons of money.

http://money.cnn.com/2012/02/02/technology/thebuzz/

Facebook, other companies, and the United States government, all need employees who can detect vulnerabilities in their information systems.

• Programmers

• Data Analysts

• Web Designers

• Network Administrators

• Forensic Analysts

What Type Of Technologies and Techniques Do They Use in ISS?

• A whole ton.

• Cryptography, Steganography, Redundancy, Network Safety and Password Protections (Policies and Procedures), Data Analytics (Benford’s Law), and on and on.

Cryptography

• Heartbleed affects potentially two-thirds of systems on the Internet

• “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.” –www.heartbleed.com

• What is SSL and OpenSSL?

Cryptography

• You’ve definitely heard of this… but not by this name.

• Encryption takes data and translates it into something that is undecipherable unless you have the “key” that will translate it back into the original data.

Cryptography Example

http://en.wikipedia.org/wiki/Cryptography

Question for You

What are some ways that Heartbleed can be stopped?

Steganography

• Steganography has been used for hundreds of years.

• ZeusVM Trojan – stole property from approximately “70 enterprises and agencies across 14 countries.” - http://www.crn.com.au/

Steganography

• Uses something to hide something in…

• Enables a user to hide a message, picture, or audio file, within a picture or audio file…

• What?

http://www.giuseppe-arcimboldo.org/Winter-(L'Inverno).html

Steganography Example

• I want to send my best friend a message without anyone knowing that I sent it to her. I could write a message, hide it within a picture using steganography software, and then send her the picture with the message inside it. My best friend would then have to use the same program to extract the message from the picture.

Question For You

What was the name of the malware that attacked approximately 70 enterprises in 14 countries?

Redundancy (Backups)

• Dropped your laptop?

• Spilled soda on your computer?

• Dog chewed through the power cord while you were working on an assignment?

• Hopefully you saved your work somewhere other than on the device you were using!

Redundancy

• Dividing a computer’s disk drives in ways that allow for data to be spread across them. This lets the data exist in multiple places at once in the event that one disk crashes, gets hacked, catches fire, or worse.

Redundancy Example

• RAID 0, RAID 1, RAID 2…

http://en.wikipedia.org/wiki/File:RAID_6.svg

Question For You

What are some other ways you can protect your data?

Network Safety and Password Protections (Policies and Procedures)

• You are only as strong (or safe) as your weakest link.

• Policies and Procedures ensure that everyone on the network utilizes the same method to protect against vulnerabilities and threats.

Policies and Procedures

Question For You

What is considered a “strong” password?

Forensic Analytics

• Using the data generated to find inconsistencies that may expose unethical, fraudulent, or criminal activities.

• Benford’s Law

• Microsoft Excel, Microsoft Access, IDEA, QlikView

Forensic Analytics Example

• Benford’s Law

http://www.isaca.org/Journal/Past-Issues/2011/Volume-3/Pages/Understanding-and-Applying-Benfords-Law.aspx
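An added example of the Benford’s Law first-digit screening used in forensic analytics (this code is not from the slides or the ISACA article). It assumes the standard first-digit expectation log10(1 + 1/d) and the chi-square critical value for 8 degrees of freedom at 5% significance; the two amount lists are constructed, not real ledger data.

```python
import math
from collections import Counter

# Benford's Law: expected share of each leading digit d is log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value, 8 degrees of freedom, 5% significance.
CHI2_CRITICAL_8DF = 15.507


def leading_digit(amount):
    """First non-zero digit of an amount (sign ignored); None for zero."""
    text = f"{abs(amount):.10f}".lstrip("0.")
    return int(text[0]) if text else None


def first_digit_counts(amounts):
    """Observed count of each leading digit 1-9, skipping zero amounts."""
    counts = Counter(d for d in map(leading_digit, amounts) if d is not None)
    return {d: counts[d] for d in range(1, 10)}


def benford_chi_square(amounts):
    """Chi-square statistic comparing observed first-digit counts to Benford."""
    observed = first_digit_counts(amounts)
    n = sum(observed.values())
    if n == 0:
        return 0.0
    return sum((observed[d] - BENFORD[d] * n) ** 2 / (BENFORD[d] * n)
               for d in range(1, 10))


def looks_fabricated(amounts, critical=CHI2_CRITICAL_8DF):
    """True when the first-digit pattern deviates significantly from Benford."""
    return benford_chi_square(amounts) > critical


# Constructed sample data (hypothetical, not real ledger entries):
# NATURAL grows multiplicatively, as many real-world amounts do, so it
# spans several orders of magnitude and follows Benford's distribution.
NATURAL = [1.07 ** i for i in range(300)]
# FABRICATED is evenly spread over 1000-9970, the kind of "random looking"
# numbers a person invents, and gives every leading digit an equal share.
FABRICATED = [1000 + 30 * i for i in range(300)]

if __name__ == "__main__":
    for name, data in (("natural", NATURAL), ("fabricated", FABRICATED)):
        print(f"{name}: chi-square = {benford_chi_square(data):.1f}, "
              f"flag = {looks_fabricated(data)}")
```

A flagged batch is a lead for a closer look at the underlying records, not proof of fraud on its own.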

Question For You

What is the equation for Benford’s Law?

Conclusion

• There are many different types of ISS that exist.

• White Hats and Black Hats.

• Use technology safely.

Questions?
