IT Security & Cybercrime
By
Tumsifu Elly, PhD.
University of Dar es Salaam Business School (UDBS)

Outline
• Introduction
• A Conceptual IT System
• IT Security in a Nutshell
• IT Security Risks, Threats and Vulnerabilities
• Why Worry about IT Security and Cybercrime
• Conclusion and the Way Forward

Introduction
• Every progressive organization is governed by a Corporate Strategy.
• IT Governance is part and parcel of Corporate Strategy.
• IT Security is an integral part of IT Governance.
• Therefore, Corporate Strategy, IT Governance, and IT Security are inseparable elements.
• Cybercrime is a form of crime where the Internet or computers are used as a medium to commit crime.

Intro cont’d
Success in today’s fast-paced global economy requires:
• Precision, agility and speed
• Organizations must quickly respond to changing market demands and make timely decisions that bear on the success or failure of the business
• Real-time communication, which positions a real-time organization above the rest, calls for the use of IT

Intro cont’d
• The important things in deploying IT within a modern business enterprise are:
  • A strategic information systems plan (SISP), and
  • An information security policy (ISP)
• SISP ensures that new systems and technologies are deployed in a way that will support the organization’s strategic goals
• The key objective of SISP is to identify opportunities to exploit information
  • The major challenge is quality: the timeliness, accuracy, completeness, confidence in source, reliability and appropriateness of the information.

Prelude cont’d
• Most organizations cannot meet these quality requirements because of security breaches
• ISP provides a framework to ensure systems are developed and operated in a secure manner
• The two (SISP and ISP) must be aligned for better results
• Are IS security problems a result of poor design?

Deliberate!!
Your Greatest Strength is Your Greatest Weakness
• You are connected with others through a modem or LAN
• You have an international presence
• Your partners can collaborate through computers
• You have access to your partners’ systems, and they have reciprocal access to yours
• Your employees can work from home

For the purpose of ISS the following definitions apply:
• Security: the sense of minimizing the vulnerability of assets and resources (anything of value)
• Vulnerability: any weakness that could be exploited to violate systems or the information they contain
• Threat: a potential violation of security

A Conceptual IT System
Macro View of a Conceptual IT System

A Conceptual IT System (2)
Generalised Model of an IT System

A Conceptual IT System (3)
Technology as part of an IT System

A Conceptual IT System (4)
A non exhaustive List of Data and Information

A Conceptual IT System (5)
People as Part of the IT System

A Conceptual IT System (5)
People include:
1. Insiders (e.g. staff, temporary staff, consultants)
2. Outsiders with access to the inside (e.g. partners, suppliers, customers)
3. Outsiders with some knowledge about the inside (e.g. ex-staff, ex-consultants)
4. Outsiders with a motivation to launch attacks against your organization (competitors, hackers, industrial spies, other attackers)

IT Security in a Nutshell
IT security is all about controlling access to information assets to ensure:
• Confidentiality: ensuring that information is accessible only to those authorized to have access to it.
  – The property that information is not made available or disclosed to unauthorized individuals, entities or processes
  • Safeguarding the privacy of personnel information/data
  • Protection of intellectual property rights

Security cont’d
• Accountability: the property that ensures the actions of an entity may be traced uniquely to that entity
• Integrity: safeguarding the accuracy and completeness of information and processing methods.
  – The property that data has not been altered or destroyed in an unauthorized manner
  • Safeguarding the accuracy and completeness of data and information
  • Ensuring statutory, regulatory and contractual security requirements are met in all aspects

Security cont’d
• Availability: ensuring that authorized users have access to information and associated assets when required.
  – The property of being accessible and usable upon demand by an authorized entity
  • Faster recovery of business-critical resources from major disasters or failures

Security cont’d
• Repudiation: denial by one of the entities involved in a communication of having participated in all or part of that communication
• Security audit: independent review and examination of system annals and activities to test the adequacy of controls, check policy compliance, detect security breaches and suggest changes in policy, controls and procedures

Security Goals
• Integrity
• Confidentiality
• Availability
• Accountability

Resources and assets to protect
* The list is wide-ranging
* Be sure the list is exhaustive
• Information and data (may include software and passive data such as passwords)
• Equipment and facilities (hardware etc.)
• Communication and data processing services
• Human beings (employees)

Security Attacks
• Interruption: an attack on availability
• Interception: an attack on confidentiality
• Modification: an attack on integrity
• Fabrication: an attack on authenticity

Security Risks, Threats and Vulnerabilities

Possible threats
• Threat taxonomy:
1. Authorized users: personnel engaged in supporting operations become threats when they exceed their privileges and authorities, and when they commit errors
2. Unauthorized users: can be anyone not engaged in supporting operations
   • Interrupt the productivity of the system, or its operation, by design
3. Environmental factors: fire, floods

Threats cont’d
Threats can also be classified as accidental or intentional, and as active or passive.
• Accidental threats: those that exist with no deliberate intent, e.g. system malfunctions, software bugs

Threats cont’d
• Intentional threats: range from casual examination using easily available monitoring tools to sophisticated attacks using special systems knowledge
• Passive threats: if realized, would not result in any modification to information contained in the system, or to system operation or state
• Active threats: result in the alteration of information, system state, or operation

Techniques used
• Physical: physical penetration; using physical means to gain entry
• Personnel: subverting the personnel who hold a degree of access and privilege (operators, system analysts, programmers etc.); they can be recruited by threat agents, or may be dissatisfied or otherwise motivated to mount an attack

Techniques cont’d
• Hardware: using hardware to subvert or deny use of the system
• Software:
• Procedural: lack or inadequacy of controls, or failure to adhere to existing controls, by authorized or unauthorized users, e.g. former employees retaining and using valid passwords

Attack-Reasons
• Destruction of information and/or resources
• Modification of information
• Theft, removal or loss of information and/or resources
• Disclosure of information
• Interruption of services

Counter measures
Risk and threat assessment (RTA) is the first step
• Identify the specific threats against which protection is required
• A system may be vulnerable in many ways, but only a few of them are exploitable (the attacker lacks the opportunity, or the result does not justify the effort and the risk of detection)

RTA cont’d
RTA may include:
• Identifying the vulnerabilities of the system
• Analyzing the likelihood of threats aimed at exploiting these vulnerabilities
• Assessing the consequences if each threat were to be successfully carried out
• Estimating the cost of each attack
• Costing out potential countermeasures
• Selecting the security mechanisms that are justified

Counter measures cont’d
* Non-technical measures, such as insurance coverage, can be effective alongside technical security
* Perfect technical security, like perfect physical security, is not possible
The objective is to make the cost of an attack high enough to reduce the risk to an acceptable level
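The RTA steps above, carried through as a small worked example (added here; not part of the original deck). It assumes a simple quantitative model: expected annual loss is likelihood times consequence, a threat is only treated as exploitable when its result justifies the attacker's effort, and a countermeasure is justified only when its yearly saving exceeds its yearly cost. All figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    likelihood: float       # expected successful incidents per year (assumed estimate)
    consequence: float      # loss per successful incident, in currency units
    attacker_effort: float  # what mounting the attack costs the attacker
    attacker_gain: float    # what a successful attack is worth to the attacker

@dataclass
class Countermeasure:
    name: str
    threat: str             # name of the threat it addresses
    annual_cost: float
    reduction: float        # fraction of that threat's expected loss it removes

def expected_annual_loss(t: Threat) -> float:
    return t.likelihood * t.consequence  # likelihood x consequence (RTA steps 2-3)

def is_exploitable(t: Threat) -> bool:
    # The deck's caveat: a weakness only matters when the result justifies the effort.
    return t.attacker_gain > t.attacker_effort

def justified_countermeasures(threats, measures):
    """Keep only measures whose yearly saving exceeds their yearly cost (RTA steps 5-6)."""
    by_name = {t.name: t for t in threats}
    selected = []
    for m in measures:
        t = by_name[m.threat]
        if not is_exploitable(t):
            continue  # not worth spending on at all
        net = round(expected_annual_loss(t) * m.reduction - m.annual_cost, 2)
        if net > 0:
            selected.append((m.name, net))
    return selected

# Constructed sample figures; an organization substitutes its own estimates.
THREATS = [
    Threat("ex-employee uses retained password", 0.5, 40_000, 100, 5_000),
    Threat("server carried out the front door", 0.1, 150_000, 500, 3_000),
    Threat("adversary breaks strong encryption", 0.05, 200_000, 1_000_000, 20_000),
]
MEASURES = [
    Countermeasure("disable accounts on departure", "ex-employee uses retained password", 2_000, 0.9),
    Countermeasure("insurance coverage", "server carried out the front door", 4_000, 0.3),
    Countermeasure("guarded server room", "server carried out the front door", 13_000, 0.8),
    Countermeasure("bigger encryption keys", "adversary breaks strong encryption", 5_000, 0.5),
]
```

With these figures the account-disabling procedure and the insurance cover are justified, the expensive guarded room is not, and the encryption threat is dropped before costing because the attacker's effort far exceeds the gain.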

Counter measures cont’d
Services to confront threats:
• Authentication: the source is as claimed
• Access control: authorized vs. unauthorized use
• Data confidentiality: render information unavailable to unauthorized individuals, processes, entities or procedures
• Data integrity: not altering or destroying data in an unauthorized manner
• Non-repudiation: keeping audit annals and logs to ascertain communications

Counter measures cont’d
Security policy (SP):
• Should focus attention on the aspects of a situation that the highest level of authority considers should receive attention
• States what is and is not permitted in the field of security during the operation of the system in question
• Sets the topmost level of a security specification
• An IS security policy typically includes:
  • Statements of goals
  • Objectives
  • Beliefs, ethics and responsibilities
  • The means of achieving these (procedures)

Security policy cont’d
SP components:
• Depend on the concept of authorized deeds
• Threats involve the notion of authorized or unauthorized behavior
• A generic SP might say:
  • Information must not be given to, accessed by, or permitted to be inferred by, nor may any resource be used by, those not appropriately authorized

Security machinery
• An SP may be implemented using various mechanisms, singly or in combination
• Classes of SP mechanisms:
  • Prevention
  • Detection
  • Recovery
• The classes overlap

Scope of SP policy
The scope of an SP may include:
• Personal usage of IS: articulating the individual employee’s rights and responsibilities when using IS
• Disclosure of information: highlights any restrictions with regard to disclosure or use of information
• Physical security of infrastructure and information resources

Scope of SP policy cont’d
• Violations and breaches of security: the steps to be taken to recover from a breach or violation
• Prevention of viruses and worms: virus-checking software, the use of attachments
• User access management: access to information and business processes should be controlled
• Mobile computing: use of notebooks, palmtops and laptops away from the working environment

Scope of SP policy cont’d
• Software development and maintenance: security problems stem from errors and oversights in software development; security controls and procedures in new systems
• Internet access: personal browsing etc.
• Encryption: secure communication over less secure networks
• Contingency/continuity planning: how to cope with a significant security breach, natural disaster etc.; plans must be written, tested, maintained and implemented

Policy cont
• An IS policy must be implemented, up to date and comprehensive
• It is the bedrock for auditing, assessment, controls, training and legislation

Firewalls
• A system or group of systems that enforces a network access control policy
• Filters data packets into and out of the intended target
• Its strength relies on its configuration
• Governs the flow of data into and out of the LAN
• Separates a private network (LAN) from the public Internet
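To show why the slide says a firewall's strength relies on its configuration, here is an added example (not from the original deck) of a first-match packet-filter evaluator with a weak policy beside a corrected one. The LAN range 192.168.1.0/24, the published web server at 192.168.1.10 and the test addresses are all constructed.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed private network behind the firewall

def rule(action, direction, src, dst, port=None):
    """One filter rule; port None matches any port, direction 'any' matches both ways."""
    return {"action": action, "direction": direction, "port": port,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst)}

def direction_of(src, dst):
    s_in = ipaddress.ip_address(src) in LAN
    d_in = ipaddress.ip_address(dst) in LAN
    if s_in and not d_in:
        return "out"
    if d_in and not s_in:
        return "in"
    return "other"  # LAN-to-LAN never crosses the firewall; Internet-to-Internet is not ours

def evaluate(rules, src, dst, port, default="deny"):
    """First matching rule wins; a packet matching no rule gets the default action."""
    direction = direction_of(src, dst)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["direction"] in (direction, "any") and s in r["src"]
                and d in r["dst"] and r["port"] in (None, port)):
            return r["action"]
    return default

# Weak configuration: a single "allow everything" rule added to stop complaints.
# The firewall is still running, but it no longer enforces any policy.
WEAK = [rule("allow", "any", "0.0.0.0/0", "0.0.0.0/0")]

# Corrected configuration: LAN hosts may browse the Internet, only the published
# web server (constructed address 192.168.1.10) accepts inbound connections, and
# everything else falls through to default deny.
HARDENED = [
    rule("allow", "out", "192.168.1.0/24", "0.0.0.0/0", 443),
    rule("allow", "out", "192.168.1.0/24", "0.0.0.0/0", 80),
    rule("allow", "in", "0.0.0.0/0", "192.168.1.10/32", 443),
]

def compare(src, dst, port):
    """Show the decision each configuration makes for the same packet."""
    return {"weak": evaluate(WEAK, src, dst, port), "hardened": evaluate(HARDENED, src, dst, port)}
```

Running `compare("203.0.113.5", "192.168.1.20", 22)` shows the same inbound packet to an unpublished workstation being allowed by the weak policy and denied by the corrected one.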

Virus Protection
• Use the latest versions
• Update routinely
• Screen all files and attachments
Others
• Authentication: smartcard, password, fingerprint, retina scan

Info security why?
• Sustenance of the business
• Increased dependence on information and information systems
• Technology is making them more and more vulnerable
• Impact on reputation and enterprise value resulting from IT failures

By info security we get:
• Quality of service
• Continuity of business operations
• Confidence of clients, government and partners
• Competitive edge and growth
• Compliance with laws, rules and contracts

Disaster Recovery Planning
An ongoing process of identifying recovery strategies, teams, procedures and information to support the recovery of computing systems and the supporting network infrastructure during a disruption.

Business Continuity Planning
An ongoing business process of developing and implementing strategies, teams, procedures, programs and response plans for continuing critical business functions in the event of a major business disruption.

Data and info backups
• A must for disaster recovery and business continuity
• Daily and periodic (weekly) backups
• Stored off-site, at least 20 miles away, with 24/7 access

Selected threats
Hacker:
• Someone able to manipulate the inner workings of computers, information and technology
• Hacking: the act of penetrating a closed computer system for the knowledge and information contained within
• Unauthorized use of, or attempts to circumvent or bypass, the security mechanisms of an IS or network

Selected threats cont’d
Cracker:
• A specific type of hacker who decrypts passwords or breaks software copy-protection schemes

Selected threats cont’d
Computer virus:
• A string of malicious code that requires a host to infect, e.g. Melissa
Computer worm
• A virus with enough malicious code to replicate itself without the need for a host, e.g. Code Red
Trojan horse (backdoors)
• Software that appears legitimate but contains a second, hidden function which can cause damage, e.g. games
• Allows remote users to gain access

Selected threats cont’d
Sniffing
• Data packets are intercepted in transit by various software
Spoofing
• Acting on behalf of another person or entity
• Data can be actively sniffed and modified

End
Read about
• Encryption
• Intrusion detection systems

Budgeting for security precautions
• Remember the old saying, “Do not place all of your eggs in one basket”?
• This wisdom definitely applies to budgeting for your IT security. Do not spend all of your budget on one mode of protection.
• For example, it does little good to invest $15,000 in firewalling technology if someone can simply walk through the front door and walk away with your corporate server.

Budgeting for security precautions (2)
• The bottom line is to be creative.
• The further you can stretch your security budget, the more precautions you can take.
• Security is a proactive expenditure, meaning that we invest money in security precautions to avoid spending additional money later paying for recovery from a network disaster.
• The more precautions that can be taken, the less likely disaster is to strike.

IT Security Challenges
IT security challenges include:
• Increased global exposure of information assets via the Internet
• Ubiquitous security threats and vulnerabilities
• Increased dependence on IT systems without proper strategies to deal with security issues
• Inadequacy of IT security awareness programs for end users
• Lack of a national-level or institutional strategy for handling IT security and cybercrime issues

Conclusion and the Way Forward
• We need to have a national/institutional strategy for handling IT security and cybercrime issues.
• Such a strategy should include security training and awareness programmes to ensure that all users of IT systems have the basics of security.
• Adopt international IT security best practices such as the ISO/IEC 27000 family of standards, which specifies an Information Security Management System (ISMS), and
• Adopt and customize BS 7799-3:2005 to come up with our own TZ 7799 standard for information security management systems, tailored to our own business context.

Conclusion and the Way Forward
• It is imperative to note that a well-trained, well-informed workforce is one of the most powerful weapons in an information security manager’s arsenal.

Thank You!