INT 1010 05-1.pdf

Introduction to Information Technology
5.1. Issues in Computing: IS Security
INT-1010
Prof C
Luis R Castellanos
1
05
Issues in Computing

2
POTUS 18

3
How long was the 100
Years War?
a) 100 years
b) 116 years
c) 132 years
d) 150 years

4. Software
4
Previous Chapter:
Overview of Computer Software
System Software
Application Software
Open Source Software
Cloud computing
Windows, MacOs,
Linux, Android, iOS
Computer
Software
Operating
Systems
FAT, NTFS, exFAT
ext2, ext3, ext4, XFS
HFS+, APFS
FAT32, ext3, ext4
File
Systems
Upload & Download
Downloading
Files
File Explorer, Tabs &
Ribbons, Shortcuts
File
Management

5

6
As computing and networking resources
have become more and more an integral
part of business, they have also become a
target of criminals.
Organizations must be vigilant with the
way they protect their resources.
The same holds true for us personally: as
digital devices become more and more
intertwined with our lives, it becomes
crucial for us to understand how to
protect ourselves.

7
Information systems have had an impact
far beyond the world of business.
New technologies create new situations
that we have never dealt with before.
How do we handle the new capabilities
that these devices empower us with?
What new laws are going to be needed to
protect us from ourselves?

8
✓ Describe what information systems
ethics means;
✓ Explain what a code of ethics is and
describe the pros and cons;
✓ Define intellectual property and
explain the protections provided by
copyright, patent, and trademark;
✓ Describe the challenges that
information technology brings to
individual privacy.
Objectives

9
This chapter has three topics:
Information
Systems Security
Ethical and Legal
Implications of
Information Systems
Windows Security

INT-1010
Prof C
Luis R Castellanos
2022
10
05.1
Issues in Computing:
Information Systems Security

11
Information
Systems Security
Authentication
and Identification
Information
Security Triad
Mobile
Security

12
Authentication
and
Identification
Information Systems
Security

13
Authentication is the process of verifying
whether someone (or something) is, in fact,
who (or what) it is declared to be.
According to the National Institute of
Standards and Technology authentication
is defined as “verifying the identity of a user,
process, or device, often as a prerequisite to
allowing access to resources in an information
system".
Notice that this definition does not restrict
authentication to human users.
It includes processes or devices.

14
The ways in which someone may be
authenticated fall into four categories,
based on what is known as the factors of
authentication: something the user
knows, something the user has, something
the user is, and somewhere the user is.
Each authentication factor covers a range
of elements used to authenticate or verify
a person's identity prior to being granted
access, approving a transaction request,
signing a document or other work
product, granting authority to others, and
establishing a chain of authority.

15
Security research has determined that for a positive authentication, elements
from at least 2, and preferably all 3, of the main factors should be verified.
The four factors (classes) and some of the elements of each factor are:

16
Knowledge: Something the user knows (e.g., a password,
partial password, passphrase, personal identification
number (PIN), challenge-response (the user must answer a
question or pattern), security question).
Ownership or possession: Something the user possesses
(e.g., wrist band, ID card, security token, implanted device,
cell phone with a built-in hardware token, software token, or
cell phone holding a software token).

17
Inherence: Something the user is or does (e.g.,
fingerprint, retinal pattern, DNA sequence (there are
assorted definitions of what is sufficient), signature, face,
voice, unique bio-electric signals, or other biometric
identifiers).
Location: Somewhere the user is (e.g. connection to a
specific computing network or using a GPS signal to identify
the location).

18
Multi-factor authentication is an
electronic authentication method in which
a computer user is granted access to a
website or application only after
successfully presenting two or more pieces
of evidence (or factors) to an
authentication mechanism: knowledge
(something only the user knows),
possession (something only the user has),
and inherence (something only the user is).
It protects the user from an unknown
person trying to access their data such as
personal ID details or financial assets.

19
Inherent

20
Authentication takes place when someone tries
to log into a computer resource (such as a
network, device, or application).
The resource requires the user to supply the
identity by which the user is known to the
resource, along with evidence of the
authenticity of the user's claim to that identity.
Simple authentication requires only one such
piece of evidence (factor), typically a password.
For additional security, the resource may
require more than one factor—multi-factor
authentication, or two-factor authentication in
cases where exactly two pieces of evidence are
to be supplied.
20

21
The use of multiple authentication
factors to prove one's identity is based
on the premise that an unauthorized
actor is unlikely to be able to supply the
factors required for access.
If in an authentication attempt, at least
one of the components is missing or
supplied incorrectly, the user's identity
is not established with sufficient
certainty and access to the asset (e.g., a
building, or data) being protected by
multi-factor authentication then
remains blocked.

22

23
Mutual authentication or two-
way authentication (not to be
confused with two-factor
authentication) refers to two parties
authenticating each other at the
same time in an authentication
protocol.
It was previously referred to as
“mutual entity authentication,” as
two or more entities verify the
others' legality before any data or
information is transmitted.

24
Mutual authentication is a desired
characteristic in verification schemes that
transmit sensitive data, in order to ensure
data security.
Mutual authentication is found in two types
of schemes: username-password-based
schemes and certificate-based schemes, and
these schemes are often employed in the
Internet of Things (IoT).
Writing effective security schemes in IoT
systems can become challenging, especially
when needing schemes to be lightweight and
have low computational costs.

25
Mutual authentication is a crucial security
step that can defend against many adversarial
attacks, which otherwise can have large
consequences if IoT systems (such as e-
Healthcare servers) are hacked.
In scheme analyses done of past works, a lack
of mutual authentication had been
considered a weakness in data transmission
schemes.

26

27
A password, sometimes called a
passcode, is a memorized secret,
typically a string of characters, usually
used to confirm a user's identity.
Password
According to NIST:
"the secret is memorized by a party called the
claimant while the party verifying the identity of
the claimant is called the verifier.
When the claimant successfully demonstrates
knowledge of the password to the verifier
through an established authentication protocol,
the verifier is able to infer the claimant's
identity".

28
In general, a password is an arbitrary
string of characters including letters,
digits, or other symbols. If the
permissible characters are constrained
to be numeric, the corresponding secret
is sometimes called a personal
identification number (PIN).
Despite its name, a password does not
need to be an actual word; indeed, a
non-word (in the dictionary sense) may
be harder to guess, which is a desirable
property of passwords. A memorized
secret consisting of a sequence of words
or other text separated by spaces is
sometimes called a passphrase. A
passphrase is similar to a password in
usage, but the former is generally longer
for added security.

29
The easier a password is for the owner
to remember generally means it will
be easier for an attacker to guess.
However, passwords that are difficult
to remember may also reduce the
security of a system because
a) users might need to write down or
electronically store the password,
b) users will need frequent password resets
c) users are more likely to re-use the same
password across different accounts.
Choosing a secure and
memorable password
Similarly, the more stringent the
password requirements, such as "have
a mix of uppercase and lowercase
letters and digits" or "change it
monthly", the greater the degree to
which users will subvert the system.
Others argue longer passwords
provide more security (e.g., entropy)
than shorter passwords with a wide
variety of characters.

30

31

32
J Yan et al (and others) found that
passwords based on thinking of a
phrase and taking the first letter of
each word are just as memorable as
naively selected passwords, and just
as hard to crack as randomly
generated passwords.
Combining two or more unrelated
words and altering some of the letters
to special characters or numbers is
another good method, but a single
dictionary word is not.
Having a personally designed
algorithm for generating obscure
passwords is another good method.
My dad was born in 1970!
Figuratively Speaking?
F1gur471v3ly5p34k1ng?
Mdwbi1970!

33
Leet, or leetspeak, is a method of
typing words using
alternate characters.
Letters are replaced with numbers
or symbols that closely resemble
them.
For example, the letter "a" might
be replaced with the @ symbol
and the letter "E" might be
replaced with the number 3.
leet
l337
apple
@pp13
https://techterms.com/definition/leet

34
In 2013, Google released a list of the most
common password types, all of which are
considered insecure because they are too
easy to guess (especially after researching an
individual on social media):
• The name of a pet, child, family member,
or significant other
• Anniversary dates and birthdays
• Birthplace
• Name of a favorite holiday
• Something related to a favorite sports
team
• The word "password"

35
(2020)

36
(2021)

37

38
A strong password is hard to detect
both by humans and by the computer.
Two things make a password stronger:
1. a larger number of characters (and the
more characters, the stronger the
password),
2. mixing numeric digits, upper and lower
case letters, and special characters ($, #,
etc.).
Passwords are typically case-sensitive,
so a strong password contains letters
in both uppercase and lowercase.
Strong Password A strong password is not a word that
can be found in a dictionary or the
name of a person, character, product,
or organization, significantly different
from your previous passwords, and
easy for you to remember but difficult
for others to guess.
Consider using a memorable phrase
like "6MonkeysRLooking^".

39
An alternative to limiting the rate at
which an attacker can make guesses
on a password is to limit the total
number of guesses that can be made.
Password can be disabled, requiring a
reset, after a small number of
consecutive bad guesses (let’s say 3 or
5); and the user may be required to
change the password after a larger
cumulative number of bad guesses
(let´s say 30).
Limits on the # of password guesses
Attackers may conversely use
knowledge of this mitigation to
implement a denial of service
attack against the user by
intentionally locking the user out of
their own device; this denial of service
may open other avenues for the
attacker to manipulate the situation to
their advantage via social engineering.

40
A brute force attack is a hacking method that uses
trial and error to crack passwords, login credentials,
and encryption keys.
It is a simple yet reliable tactic for gaining
unauthorized access to individual accounts and
organizations’ systems and networks.
The hacker tries multiple usernames and passwords,
often using a computer to test a wide range of
combinations, until they find the correct login
information.
Brute force

41

42

43

44
Identification
Identification is basically the process of someone
claiming to be a specific person. They can identify
themselves as “Pat”, show an id card of some type
of card with a name on it, or have an email
address showing their name.
In the current context of online transactions,
users “identify” themselves by providing a name,
an email address, or phone number to a web
request.
For example, using a process of identification
alone, as long as a buyer has the card’s proper
information that is associated with the card being
used, the user is pretty much accepted as is.

45
A business that allows identification by
itself is essentially saying, "We have no
reason to doubt that you are indeed the
person you claim to be", despite having not
independently verified if the information is
truthful.
It’s like asking, “Who are you?” and simply
accepting whatever answer is given.
For transactions where there is not a lot at
stake, like registering for a class or
checking out a book, simply having
someone declare their identity without
providing any verification may be good
enough.

46
It is becoming more and more frequent that
identification alone is adequate. It’s like having
a username without a password.
So how can we determine the person is who
they say they are? That’s where verification
comes in.

47
Verification
Verification goes beyond the basic question, “Who
are you?”
Identity verification goes the extra mile and asks,
“Are you really who you say you are?” the response
needs to provide, a high degree of confidence that,
the answer is accurate.
The most accurate way to verify someone's identity
is to request and validate more than one form of
identification against the person standing in front of
you, with at least one of them being a photo ID.
A driver's license, a valid passport, or military photo
identification are some forms of identification.

48
Verifying someone’s identity to a high degree of
certainty takes effort.
At a time when service providers want to provide
a “frictionless” onboarding process, some may
cut corners and require a low barrier to entry.
Typical social media accounts, for example, only
ask new users to provide a name, email address,
username, and password.
A phone number may be thrown in there for good
measure.
Depending on the organization and the level of
assurance needed, a university ID or other non-
government issued identification card may
suffice for one form of ID.
Mr Peabody
ID 123456
01/01/2000
06/04/2025

49
Identity verification in the electronic sense
also called identity "proofing" or "vetting",
is used to confirm an identity where the
individual is not standing before you to
show some sort of picture ID.
In these cases, most organizations require
a real-time process that validates the
personal information provided by the
individual.
Apply for an online bank account, though,
and you may be expected to provide a
social security number, photo ID or
passport, and proof of your current
address.

50
The stakes associated with a bank account are
much greater than those with a TikTok account,
therefore the verification requirements are more
stringent.
In fact, in the financial sector alone, there are
numerous regulatory acts to prevent fraudsters
from setting up false bank accounts, laundering
money, and other unseemly criminal activities.
The compliance mandates associated with these
regulations are not satisfied by traditional
verification methods, which is why businesses are
beginning to make a shift to pairing a customer’s
identity information with one of their biometric
markers at the point of onboarding.

51
Information
Systems Security
Authentication
and Identification
Information
Security Triad
Mobile
Security

52
Information
Security Triad:
Confidentiality, Integrity,
Availability (CIA)
Information Systems
Security

53
The Information Security Triad, also
known as the CIA triad, is a guide for
organizations.
This guide helps them make policies to
protect information security.
In this context, the CIA means the
following:
• Confidentiality – set of rules that limit
access to information
• Integrity – the assurance that the
information is reliable and correct
• Availability – a guarantee of reliable
access to the information

54
Confidentiality
When protecting information, we want
to be able to restrict access to those
who are allowed to see it; everyone else
should be disallowed from learning
anything about its contents.
This is the essence of confidentiality.
For example, federal law requires that
universities restrict access to private
student information.
The university must be sure that only
those who are authorized have access
to view the grade records.

55
Integrity
Integrity is the assurance that the
information being accessed has not been
altered and truly represents what is
intended.
Just as a person with integrity means what
he or she says and can be trusted to
consistently represent the truth,
information integrity means information
truly represents its intended meaning.
Information can lose its integrity through
malicious intent, such as when someone
who is not authorized makes a change to
intentionally misrepresent something.

56
An example of this would be when a
hacker is hired to go into the
university’s system and change a
grade.
Integrity can also be lost
unintentionally, such as when a
computer power surge corrupts a file
or someone authorized to make a
change accidentally deletes a file or
enters incorrect information.

57
Availability
Information availability is the third part of the CIA triad.
Availability means that information can be accessed and
modified by anyone authorized to do so in an appropriate
timeframe.
Depending on the type of information, an appropriate
timeframe can mean different things.
For example, a stock trader needs information to be
available immediately, while a salesperson may be happy to
get sales numbers for the day in a report the next morning.
Companies such as Amazon.com will require their servers to
be available twenty-four hours a day, seven days a week.
Other companies may not suffer if their web servers are
down for a few minutes once in a while.

58
Tools for Information Security
In order to ensure the confidentiality, integrity,
and availability of information, organizations can
choose from a variety of tools.
Each of these tools can be utilized as a part of an
overall information-security policy.
• Access Control
• Encryption
• Backups
• Firewalls
• Intrusion Detection Systems
• Physical Security
• Security Policies

59
Access control
Access control determines which users are
authorized to read, modify, add, and/or
delete information
• For each information resource that an
organization wishes to manage, a list of
users who have the ability to take specific
actions can be created. This is an access
control list or ACL.
• With RBAC (role based access control),
instead of giving specific users access
rights to an information resource, users are
assigned to roles and then those roles are
assigned access.

60
Encryption
Encryption is a process of encoding data upon
its transmission or storage so that only
authorized individuals can read it.
This encoding is accomplished by a computer
program, which encodes the plain text that
needs to be transmitted; then the recipient
receives the ciphertext and decodes it
(decryption).
The sender and receiver need to agree on the
method of encoding so that both parties can
communicate properly.

61
Backups
Not only should the data on the corporate
servers be backed up, but individual
computers used throughout the organization
should also be backed up.
• An organization should make a full
inventory of all of the information that
needs to be backed up and determine the
best way to back it up.
• Regular backups of all data
• Offsite storage of backup data sets
• Test of data restoration

62
Firewalls
A firewall can exist as hardware or software
(or both).
A hardware firewall is a device that is
connected to the network and filters the
packets based on a set of rules.
A software firewall runs on the operating
system and intercepts packets as they arrive
at a computer.
A firewall protects all company servers and
computers by stopping packets from outside
the organization’s network that does not meet
a strict set of criteria.

63
Firewall Software Firewall Hardware

64
Intrusion Detection Systems
An IDS does not add any additional security; instead, it provides the
functionality to identify if the network is being attacked.
An IDS can be configured to watch for specific types of activities and then alert
security personnel if that activity occurs.
An IDS also can log various types of traffic on the network for analysis later.
An IDS is an essential part of any good security setup.

65
Physical Security
Physical security is the protection of
the actual hardware and networking
components that store and transmit
information resources.
To implement physical security, an
organization must identify all of the
vulnerable resources and take
measures to ensure that these
resources cannot be physically
tampered with or stolen.
These measures include the following:
• Locked doors
• Physical intrusion detection
• Secured equipment
• Environmental (temp) monitoring
• Employee training

66
Security Policies
According to the SANS Institute, a good policy
is
“a formal, brief, and high-level statement or plan that
embraces an organization’s general beliefs, goals,
objectives, and acceptable procedures for a specified
subject area.”
Policies require compliance; failure to comply
with a policy will result in disciplinary action.
A policy does not lay out the specific technical
details, instead it focuses on the desired
results.
A security policy should be based on the
guiding principles of confidentiality, integrity,
and availability.

67
Usability
When looking to secure information resources,
organizations must balance the need for security with
users’ need to effectively access and use these
resources.
If a system’s security measures make it difficult to use,
then users will find ways around the security, which
may make the system more vulnerable than it would
have been without the security measures!
Take, for example, password policies.
If the organization requires an extremely long
password with several special characters, an employee
may resort to writing it down and putting it in a
drawer since it will be impossible to memorize.

68
Personal Information Security
Some measures that each of us, as individual
users, can take to secure our computing
technologies.
There is no way to have 100% security, but there
are several simple steps we, as individuals, can
take to make ourselves more secure.
• Keep your software up to date.
Whenever a software vendor determines that
a security flaw has been found in their
software, they will release an update to the
software that you can download to fix the
problem. Turn on automatic updating on
your computer to automate this process.

69
• Install antivirus software and keep it
up to date. There are many good antivirus
software packages on the market today,
including free ones.
• Back up your data. Just as organizations
need to back up their data, individuals need
to as well. And the same rules apply: do it
regularly and keep a copy of it in another
location. One simple solution for this is to set
up an account with an online backup service,
such as Mozy or Carbonite, to automate your
backups, or storage applications as Dropbox,
OneDrive, Google Drive.

70
• Be smart about your connections. You
should be aware of your surroundings. When
connecting to a Wi-Fi network in a public
place, be aware that you could be at risk of
being spied on by others sharing that
network. It is advisable not to access your
financial or personal data while attached to a
Wi-Fi hotspot. You should also be aware that
connecting USB flash drives to your device
could also put you at risk. Do not attach an
unfamiliar flash drive to your device unless
you can scan it first with your security
software.

71
• Secure your accounts with two-
factor authentication. Most e-
mail and social media providers now
have a two-factor authentication
option. The way this works is simple:
when you log in to your account from
an unfamiliar computer for the first
time, it sends you a text message
with a code that you must enter to
confirm that you are really you. This
means that no one else can log in to
your accounts without knowing your
password and having your mobile
phone with them.

72
• Make your passwords long,
strong, and unique. For your
personal passwords, you should follow
the same rules that are recommended
for organizations. Your passwords
should be long (eight or more
characters) and contain at least two of
the following: upper-case letters,
numbers, and special characters. You
also should use different passwords
for different accounts, so that if
someone steals your password for one
account, they still are locked out of
your other accounts.

73
• Be suspicious of strange links
and attachments. When you
receive an e-mail, tweet, or Facebook
post, be suspicious of any links or
attachments included there. Do not
click on the link directly if you are at
all suspicious. Instead, if you want to
access the website, find it yourself
and navigate to it directly.

74

75

76

77
Information
Systems Security
Authentication
and Identification
Information
Security Triad
Mobile
Security

78
Mobile security
Information Systems
Security

79
As the use of mobile devices such as
smartphones and tablets proliferates,
organizations must be ready to address
the unique security concerns that the use
of these devices brings.
One of the first questions an
organization must consider is whether to
allow mobile devices in the workplace at
all.
Many employees already have these
devices, so the question becomes:
Should we allow employees to bring
their own devices and use them as part
of their employment activities?

80
Or should we provide the devices to our
employees?
Creating a BYOD (“Bring Your Own Device”)
policy allows employees to integrate themselves
more fully into their job and can bring higher
employee satisfaction and productivity.
In many cases, it may be virtually impossible to
prevent employees from having their own
smartphones or iPads in the workplace.
If the organization provides the devices to its
employees, it gains more control over use of the
devices, but it also exposes itself to the
possibility of an administrative (and costly)
mess.

81
Mobile devices can pose many unique
security challenges to an organization.
Probably one of the biggest concerns is
the theft of intellectual property.
For an employee with malicious intent,
it would be a very simple process to
connect a mobile device either to a
computer via the USB port, or wirelessly
to the corporate network, and download
confidential data.
It would also be easy to secretly take a
high-quality picture using a built-in
camera.

82
When an employee does have permission to access and save
company data on his or her device, a different security
threat emerges: that device now becomes a target for
thieves.
Theft of mobile devices (in this case, including laptops)
is one of the primary methods that data thieves use.

83
So what can be done to secure mobile
devices?
It will start with a good policy regarding
their use.
According to a 2013 SANS study,
organizations should consider
developing a mobile device policy that
addresses the following issues: use of the
camera, use of voice recording,
application purchases, encryption at
rest, Wi-Fi auto-connect settings,
Bluetooth settings, VPN use, password
settings, lost or stolen device reporting,
and backup.

84
Besides policies, there are several
different tools that an organization
can use to mitigate some of these
risks.
For example, if a device is stolen or
lost, geolocation software can help
the organization find it.
In some cases, it may even make
sense to install remote data-
removal software, which will
remove data from a device if it
becomes a security risk.

85

86
Knowledge, possession, inherent
and location & time are factors
of:
1. Identification
2. Authentication
3. Verification
4. Consistency
The ways in which someone may be authenticated
falls into four categories, based on what is known as
the factors of authentication

87
According to “Reader’s Digest”
and other sources, which was the
most used password until 2021:
1. qwerty
2. 111111
3. 123456
4. password

88
What is Identification?
1. a process or processes in place for a
user to prove that they are still that
person
2. simply having someone declare their
identity
3. is basically the process of someone
claiming to be a specific person
4. the process or action of verifying the
identity of a user or process.
Identify is simply having someone declare their identity.
“I’m Peter”.

89
What is Encryption?
1. process of decoding data upon its
reception
2. process of encoding data upon its
transmission or storage
3. process of agreement of the coding
method
4. process of sending the code key to the
users
Process of encoding data upon its transmission or storage
so that only authorized individuals can read it.

90
What does BYOD mean?
1. Backup Your Own Device
2. Bring Your Own Device
3. Buy Your Own Device
4. Build Your Own Device
Policy that allows you to bring your electronic devices to
your workplace.

91

Textbook
93
https://eng.libretexts.org/Courses/Prince_
Georges_Community_College/INT_1010%
3A_Concepts_in_Computing
Purchase of a book is not
required.

Professor C
94
castellr@pgcc.edu
eLearning Expert
BS in Systems Engineering
MS in Systems Engineering
HC Dr in Education
IT Professor | Spanish & GED Instructor
LCINT1010.wordpress.com
Presentation created in 01/2022.
Slides last updated on 08/2023

INT-1010
Prof C
Luis R Castellanos
95
05.1
Issues in Computing:
Information Systems Security

INT 1010 05-1.pdf

More Related Content

What's hot (20)

Similar to INT 1010 05-1.pdf (20)

More from Luis R Castellanos (20)

Recently uploaded (20)

INT 1010 05-1.pdf