Chapter 5

This document discusses various aspects of information security management including key elements like senior management commitment, policies and procedures, security awareness training, and incident handling. It covers topics such as inventory and classification of information assets, access permissions, common computer crimes, and security threats like trojan horses, viruses, worms, spyware, denial of service attacks, and social engineering. The document also discusses authentication methods, biometrics, and types of attacks like phishing.

Uploaded by

Sachal Raja

Protection of Information Assets

• It addresses the key components that ensure confidentiality, integrity and availability of information assets.
• It covers the evaluation of the design, implementation and monitoring of logical and physical access controls.
Key Elements of Information Security Management

Senior Management Commitment & Support
Policies and Procedures
Governance & Ownership
Security Awareness and Education
Monitoring & Compliance
Incident Handling & Response

Inventory & Classification of Information

Clear and distinct identification of the asset.
Its relative value to the organization.
Its location.
Its security/risk classification.
Its asset group (where the asset forms part of a larger information system).
Its owner.
Its designated custodian.

System Access Permission

It usually refers to a technical privilege, such as the ability to read, create, modify or delete a file or data, execute a program, or open or use an external connection.
Computer Crime Issues and Exposures
 Financial loss
 Loss of credibility or competitive edge
 Blackmail, industrial espionage, organized crime
 Disclosure of confidential, sensitive or embarrassing information

Possible Perpetrators
 Hackers
 Crackers
 Employees (authorized or unauthorized)
 IS personnel
 End users
 Former employees
 Interested or educated outsiders
 Part-time and temporary personnel
 Third parties
 Accidental or ignorant users

Security Incident Handling and Response
 Planning & Preparation
 Detection
 Initiation
 Recording
 Evaluation
 Containment
 Eradication
 Escalation
 Response
 Recovery
 Closure
 Reporting
 Post-incident Review
 Lessons Learned

Trojan Horses/Backdoors
A Trojan horse hides malicious or fraudulent code inside an authorized (or apparently authorized) program; the hidden code runs whenever that program is executed. A backdoor is hidden code of this kind that lets the attacker bypass normal authentication and regain access to the system later.

Viruses
The insertion of malicious program code into other executable code, which then self-replicates and spreads from computer to computer via sharing of removable media, transfer of programs over telecommunication lines, or a direct link with an infected machine or code.

Worms
Self-replicating programs that may destroy data or consume enormous computing and communication resources. Unlike viruses, they do not attach themselves to or alter other programs; a worm runs independently and spreads from machine to machine across network connections on its own.

Spyware
Malware, such as keystroke loggers and system analyzers, that collects potentially sensitive information (credit card numbers, bank details, etc.) from the host and transmits it to the originator when an online connection is detected.

Denial of Service (DoS) Attack
Disrupts or completely denies service to legitimate users, networks, systems or other resources. The intent of such an attack is usually malicious, and it often takes little skill because the requisite tools are readily available.

War Driving
Driving around with a laptop or other wireless-capable device to locate wireless networks, then cracking weak encryption controls either to gain access or simply to eavesdrop on the information transferred over the wireless communication link.

Piggybacking
The act of following an authorized person through a secured door (also called tailgating), or of electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions.

Social Engineering
Social engineering is the human side of breaking into a computer system. It relies on interpersonal relations and deception. Organizations with strong technical security countermeasures, such as authentication processes, firewalls and encryption, may still fail to protect their information systems. This happens when an employee unknowingly gives away confidential information (e.g., passwords and IP addresses) by answering questions over the phone from someone they do not know, or by replying to an e-mail from an unknown person. Examples of social engineering include impersonation through a telephone call, dumpster diving and shoulder surfing.

Phishing
One particular form of attack about which users should be warned is phishing. It normally takes the form of an e-mail, though it may be a personal or telephone approach, in which the attacker pretends to be an authorized person or organization legitimately requesting information. It may be a "bank" asking the user to confirm the access codes to their Internet banking service, warning that failure to respond will result in future access being denied. Unsuspecting users provide the information and then find that their bank account has been emptied.

Types of Authentication
Authentication factors fall into three categories: something you know (e.g., a password or PIN), something you have (e.g., a token, smart card or authenticator app) and something you are (e.g., a biometric).
One-factor authentication: a single category, typically something you know.
Two-factor authentication: two different categories, typically something you know plus something you have.
Three-factor authentication: all three categories, adding something you are.
A second credential from the same category (two passwords) is not a second factor.
Type of Biometrics
1. Palm
2. Hand Geometry
3. Iris
4. Retina
5. Fingerprint
6. Face
7. Signature Recognition
8. Voice Recognition
