IT and Cyber Module 2

This document discusses information technology and cybersecurity. It defines information technology as tools used to process and work with information, often involving computer and communication technologies. Cybersecurity involves protecting information systems and data from unauthorized access. Key aspects of cybersecurity include confidentiality, integrity and availability of information. Vulnerabilities, threats, risks and exposures are also discussed, as well as approaches to security implementation and common security controls.


IT and Cyber

THIS MATERIAL IS BASED UPON WORK SUPPORTED BY THE NATIONAL SCIENCE FOUNDATION UNDER GRANT NO. 1723635.
What is Information Technology?

Information Technology is a set of tools that helps you work with information and perform tasks related to information processing. The term information technology implies that you are using technology as a set of tools to work with information.

What is Information Technology?

Information Technology (IT) describes any technology that helps to produce, manipulate, store, communicate, and/or disseminate information.
You can work with information in a variety of forms – text, image, sound, and video.
IT typically involves Computer Technology and Communication Technology.

Information Security

Information security: protecting information (data) and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Information Security management is a process of defining the security controls in order to protect the information assets.

C.I.A. triangle
∙ Confidentiality, integrity, and availability
∙ Video: http://www.youtube.com/watch?v=j8FT9WqmuDY

Information Security Fundamentals

• Necessary tools for information security: policy, awareness, training, education, technology

• Please read a summary at:
https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Information_Security_and_Risk_Management

The Elements of Security
Vulnerability

It is a software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.

Vulnerability characterizes the absence or weakness of a safeguard that could be exploited.

E.g.: a service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, lack of physical security, etc.

Threat

Any potential danger to information or systems.

A threat is a possibility that someone (person, s/w) would identify and exploit the vulnerability.
The entity that takes advantage of a vulnerability is referred to as a threat agent. E.g.: A threat agent could be an intruder accessing the network through a port on the firewall.

Risk
Risk is the likelihood of a threat agent taking advantage
of vulnerability and the corresponding business
impact.
Reducing vulnerability and/or threat reduces the risk.
E.g.: If a firewall has several ports open, there is a higher likelihood that an intruder will use one of them to access the network in an unauthorized manner.

Exposure

An exposure is an instance of being exposed to losses from a threat agent.

Vulnerability exposes an organization to possible damages.

E.g.: If password management is weak and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner.

Countermeasure or Safeguard

It is an application, a s/w configuration, h/w, or a procedure that mitigates the risk.

∙ E.g.: strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.

An Example: The Relation Between the
Security Elements
∙ If a company has antivirus software but does not keep the virus signatures up-to-date, this is a vulnerability. The company is vulnerable to virus attacks.
∙ The threat is that a virus will show up in the environment and disrupt productivity.
∙ The likelihood of a virus showing up in the environment and causing damage is the risk.
∙ If a virus infiltrates the company's environment, then the vulnerability has been exploited and the company is exposed to loss.
∙ The countermeasures in this situation are to update the signatures and install the antivirus software on all computers.

Approaches to Information Security
Implementation: Bottom-Up Approach

∙ The lower-end team comes up with a security control or a program without proper management support and direction.
∙ It is often considered less effective as it lacks a number of critical features:
  - Participant support
  - Organizational staying power

Approaches to Information Security
Implementation: Top-Down Approach

The initiation, support, and direction come from top management and work their way through middle management and then to staff members.

Treated as the best approach, but it seems to be based on the "I get paid more, therefore I must know more about everything" type of mentality.

Ensures that the senior management who are ultimately responsible for protecting the company's assets are driving the program.

Three Types of Security Controls

Administrative Controls
∙ Developing and publishing policies, standards, procedures, and guidelines.
∙ Screening of personnel.
∙ Conducting security-awareness training.
∙ Implementing change control procedures.

Three Types of Security Controls

Technical or Logical Controls
∙ Implementing and maintaining access control mechanisms.
∙ Password and resource management.
∙ Identification and authentication methods.
∙ Security devices and configuration of the infrastructure.

Three Types of Security Controls

Physical Controls
∙ Controlling individual access into the facility and different departments.
∙ Locking systems and removing unnecessary floppy or CD-ROM drives.
∙ Protecting the perimeter of the facility.
∙ Monitoring for intrusion and environmental controls.

Security Roles and Responsibilities

Levels of Responsibilities
Senior management and other levels of management
∙ Understand the vision of the company, the business goals, and the
objectives.
Functional management
∙ Understand how their individual departments work, what roles
individuals play within the company, and how security affects their
department directly.
Operational managers and staff. These layers are closer to the
actual operations of the company.
∙ Know detailed information about the technical and procedural
requirements, the systems, and how the systems are used.
∙ Understand how security mechanisms integrate into systems, how to
configure them, and how they affect daily productivity.

Information Security Project Team

A number of individuals with experience in technical and/or nontechnical areas:
∙ Security policy developers
∙ Risk assessment specialists
∙ Information security officer
∙ Systems administrators
∙ Security administrator
∙ Security analyst
∙ Data custodian
∙ End users

Responsibilities of the Information Security
Officer
• Communicate Risks to Executive Management
• Budget for Information Security Activities
• Ensure Development of Policies, Procedures, Baselines,
Standards, and Guidelines
• Develop and Provide Security Awareness Program
• Understand Business Objectives
• Maintain Awareness of Emerging Threats and
Vulnerabilities
• Evaluate Security Incidents and Response
• Develop Security Compliance Program
• Establish Security Metrics
• Participate in Management Meetings
• Ensure Compliance with Government Regulations
• Assist Internal and External Auditors
• Stay Abreast of Emerging Technologies
CyberSecurity Awareness

http://www.youtube.com/watch?v=UIIY9AQSqbY&feature=endscreen&NR=1

Importance of Cybersecurity Policy and Training

Organizations have been actively deploying security technologies, but security cannot be achieved through technological tools alone.

People are often the weakest link in the security chain. A large percentage of documented data breaches can be traced back to human error and employees' misuse of IT assets.

A system is only as secure as its weakest link.

Effective cybersecurity in organizations depends on their employees' compliance with the security policy.

Cybersecurity Policy

Cybersecurity starts with policy.

Does your organization have these policies?

How well-developed is your organization's cybersecurity policy?

Tips for Developing Cybersecurity Policy

Make your security policies easy to understand.

∙ Many companies make ineffective attempts at teaching their employees about company security policies.
∙ Work with instructional designers and technical writers to write a security policy your employees will read (and follow).
∙ Keep your security policy simple: each policy should be short enough that people can read and interpret it within 10 minutes.

Tips for Developing Cybersecurity Policy
Your cybersecurity policy should be reviewed and
updated every six to twelve months. At that point,
your organization's cybersecurity team should get
together to address any new issues that have
arisen, review and adjust the policies.

Engage your employees (at least one representative) from each business unit in your policy development efforts, assuring that everyone's concerns are adequately met.

Tips for Developing Cybersecurity Policy

Your policy must include consequences for noncompliance and an oversight team that enforces these consequences.

The cybersecurity policy should be included as part of the employment agreement, and regular cybersecurity training should be scheduled to make sure that employees understand the cybersecurity policy.

Make your security policies available to everyone.

Cybersecurity Training

Annual security training for employees is not enough today!

Similar to updating hardware or operating systems, organizations need to conduct "people patching": consistently update employees with the latest security vulnerabilities and train them on how to recognize and avoid them.

Cybersecurity Training: Effective
Practices
Perform "live fire" training exercises, in which employees undergo a simulated attack specific to their job.
∙ An example of performing regular phishing tests:
  - The IT team sends out a fake phishing email to all employees across the organization and gauges how many people click on it.
  - Then, break that data down by department and type of message, to tailor training to problem areas.
  - If an employee clicks on a simulated phishing attempt, share the results with that person.
  - Invite victims of the attack to share the lessons they learned with their peer groups.
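The analysis step of the phishing-test procedure above (gauge the click rate, break it down by department and message type, and list who needs individual follow-up) as an added example; this is not part of the original slides, and the click log, department names and template names are constructed for illustration.

```python
"""Phishing-simulation results analysis (added example, not from the slides).
RESULTS is a constructed sample: one record per recipient of the test email."""
from collections import defaultdict

RESULTS = [
    {"user": "alice", "dept": "Finance",     "template": "invoice",  "clicked": True},
    {"user": "bob",   "dept": "Finance",     "template": "invoice",  "clicked": True},
    {"user": "carol", "dept": "Finance",     "template": "it-reset", "clicked": False},
    {"user": "dan",   "dept": "Engineering", "template": "it-reset", "clicked": False},
    {"user": "erin",  "dept": "Engineering", "template": "invoice",  "clicked": False},
    {"user": "frank", "dept": "Engineering", "template": "it-reset", "clicked": True},
    {"user": "grace", "dept": "HR",          "template": "benefits", "clicked": True},
    {"user": "heidi", "dept": "HR",          "template": "benefits", "clicked": True},
]


def click_rate(records):
    """Fraction of recipients who clicked (step 1: gauge how many click)."""
    if not records:
        return 0.0
    return sum(1 for r in records if r["clicked"]) / len(records)


def breakdown(records, key):
    """Click rate per value of `key` ("dept" or "template"), step 2."""
    groups = defaultdict(list)
    for r in records:
        groups[r[key]].append(r)
    return {k: round(click_rate(v), 2) for k, v in groups.items()}


def problem_areas(records, key, threshold=0.5):
    """Groups at or above `threshold` (a constructed cutoff): where training
    should be tailored first."""
    return sorted(k for k, rate in breakdown(records, key).items() if rate >= threshold)


def follow_ups(records):
    """Employees who clicked and should receive their own results (step 3)."""
    return sorted(r["user"] for r in records if r["clicked"])


if __name__ == "__main__":
    print("overall click rate:", click_rate(RESULTS))
    print("by department:", breakdown(RESULTS, "dept"))
    print("by template:", breakdown(RESULTS, "template"))
    print("problem departments:", problem_areas(RESULTS, "dept"))
    print("follow up with:", follow_ups(RESULTS))
```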

Cybersecurity Training: Effective Practices

Get buy-in from the top: have line items in the annual budget for people, hardware, and software.

Develop a formal, documented plan for cybersecurity training that is reviewed and updated often with the latest information on attack vectors and other risks.

Cybersecurity training should continue throughout the year, specific to each employee's job.
∙ All new hires, including part-time employees, go through security training from day one.
∙ Train the top management and IT staff too!

Cybersecurity Training: Effective Practices

Appoint a cybersecurity culture advocate in every department at the organization. These advocates can act as an extension of the CISO and keep employees trained and motivated.

Train employees to recognize different types of attacks.

Reward employees that find malicious emails or malware, and share stories about how employees helped thwart security issues.

Cybersecurity Training: Effective Practices

Make security training more personal
- People are more open to ideas presented to them if the ideas directly affect them.
- Employees will care more if you educate them about protecting themselves from cyber criminals, their kids from predators, and their families from fraud.
- "There are 10,000 phishing websites out there. Here is how to best protect your family."

Cybersecurity Training: Effective
Practices
Regularly test your employees' current security knowledge:
∙ Have a quiz that will test their actions in example situations.
∙ Follow up with employees on their test results. Show every employee their results and how each compares with the average.
∙ Constant reinforcement and affirmation of progress will encourage your employees to remain vigilant.

Cybersecurity Training: Effective
Practices
Raise awareness of your policies on a routine basis and use a combination of methods to keep a fresh approach that employees will notice:
- Sending reminders and helpful hints in a weekly/monthly email
- Providing visual aids about the policy or helpful hints in the workplace
- Showing policy-related banner messages that appear during login; rotate the policy message each month
- If an incident happens, give your employees a heads-up as soon as possible
