Sign Mississippi Banking Permission Slip Secure

Industry sign banking mississippi permission slip secure

all right good morning everyone hope everyone's having a great day today thanks for coming it's bad weather attendance of course um never really was required but it's even less required than it ever was so just a quick update on that i got a couple questions about it i want to make sure the attendance policy is clear to everyone so in banner i've already marked everyone present for every class meeting um so you know regardless of whether you attend or don't attend whether you watch the video where you don't watch the video you're marked present i'm not doing anything with attendance whatsoever it's not for bonus points it's not for your grade it's not for anything you know i was under the impression and this is my bad by the way i was under the impression that i was required to take attendance turns out that's not the case i'm only encouraged to take attendance so since it's just an encourage and not a requirement it's gonna mark everyone present so i hope that's okay with everyone i can't imagine anyone being upset because again it doesn't negatively affect anyone um so is that clear to everyone so again if you're going banner you should see you don't have any unexcused absences regardless of how many times you attend or don't attend um so yeah that's basically all there is to say there you do have the option to attend however you wish to you can attend in person every day at least every day we meet that's certainly free to do so but beyond that if you want to continue to follow the hybrid schedule you can if you want to attend only virtually you can do that as well so nothing like that's really changed it's just i'm making it official that anyone who wishes to attend every class period is certainly free to do so there's plenty of seats in here you know so don't worry about that if that's something to be worried about but beyond that you know i certainly encourage you to make your decision however you see best fit it's no big deal to me so certainly want to make that uh give you the freedom to kind of decide how you want to attend so with that out of the way we're going to be covering a lot of the basics of chapter 4 today so this class is going to be all about the fundamentals of information security next class on tuesday we'll pick up and do some risk analysis examples as well as some other more uh more practical examples so today's more theoretical next class is gonna be more practical so that out of the way i'm just gonna go ahead and jump into this specifically we'll be covering information security we'll be talking about some various threats to information security we're talking about some basic protective measures as well as some controls so this is a managerial class of course this is going to focus on how we can approach this from a managerial perspective so we're not going to cover so much in-depth technological details just given the nature of what this class is so one of the first concepts that's important to understand about information security is called the cia triad and this really kind of can help organizations shape why they have information security in the first place there's three major goals they're up here confidentiality integrity and availability so when we think about this we first want to make sure that we have availability of the resources now availability refers to uptime it's not to be confused with available to only the correct people we don't deal with making sure it's available only to the correct people until we get to confidentiality so availability is simply making sure that the information is accessible to everyone confidentiality is making sure that the information is not accessible to people who it should not be accessible to so for example imagine you're a bank would you want anyone in the public to be able to see a full list of your customers social security numbers hopefully the answer to that is no but with availability you'd want it to be available availability is not concerned with who can access it it's just concerned with it can be accessed so we think of confidentiality as who it is accessible to and then lastly we want to consider integrity so going back to the example of social security numbers we want to ensure not only that they're accessible and that they're only accessible to the correct people not accessible to the incorrect people we also want to make sure they're correct what could be some of the consequences of an incorrect social security number for a bank i'll list a couple so one big consequence could be what if someone earns interest and we attribute that interest to someone who did not earn the interest now i'm not saying we attribute it to a different account i'm saying we for tax purposes we submit to the irs that this social security number earned this amount of interest that could cause problems on someone's taxes so we want to avoid that sort of situation and want to ensure that we have a records that are accurate they're correct they're updated uh all that sort of stuff so these are the three major goals any policy we implement we want to ensure that it is going to help our organization not only to focus on one of these but focus on all three so we want to want to engage in a policy that is going to affect integrity in a positive way but if it negatively impacts confidentiality that could be a big concern so we want to keep that in mind and consider all three in any sort of policy discussion on information security so with that out of the way we kind of established what the goals of information security are let's talk about some of the components you know how do we best ensure that we're meeting those cia triad so first i'm going to talk about exposure so exposure is simply going to be damage that could result if some sort of threat takes place so imagine we're a firm we have our social security database let's say that for whatever reason we determined that we have a hundred thousand dollar loss potential that is our exposure then when we talk about the threat itself we're talking about the danger of the exposure so we're talking about the specific danger itself that's going to be the threat and then lastly when we talk about vulnerability all that's saying is the likelihood so the possibility that the exposure and the threat transpire into an actual incident now i'm not going to have this any of these three terms where you're going to distinguish them on the test because they're quite similar that'd be pretty tricky of me i'm not trying to be tricky on the exams uh but just kind of keep that in mind so you know you can think about imagine there's a situation where there are two people one of the person uh was mad at the other person so uh maybe there's a situation where they did something to the other one doesn't really matter so the vulnerability is how likely the person a gets punched in the face by person b that's the vulnerability uh the exposure would be the punch itself you know and then the threat is the damage that would transpire from said punch so again you don't have to worry about uh distinguishing between these two they're quite related and in fact in practice a lot of these terms are probably going to be used interchangeably anyway so i think it'd be kind of silly to worry about how to distinguish between them but let's kind of talk about what influences vulnerability so in other words what we're saying is how do we know how likely something is to take place and this is a list of five things there's a there's really an infinite amount of things that could influence vulnerability but these are some of the five basic things so first most organizations are going to have some sort of a wireless network and what's the problem with the wireless network well there's not necessarily any inherent problems but depending upon the configuration of it if it's left open to the public or it's left open to non-secure devices then it could certainly lead to a situation where someone can easily sniff the network they can certainly obtain information they're not supposed to lots of different attacks based upon that and you also have to consider that networks by definition they're standards we have of course the ieee 802 standards regarding networks so what does that mean that means that pretty much any device is theoretically able to access the network assuming that it follows the standard so that means that there's not going to be any security through obscurity because any device pretty much can access it very easily i've been going beyond that we also have a consideration of well someone could hypothetically get the data but can they do anything with it well you know imagine we had a customer database let's say the customer database has every piece of customer information we have so we have a hundred thousand customers let's say the entirety of our customer database is one gigabyte so this is not necessarily the largest vulnerability factor ever but is it expensive to purchase one gigabyte worth of storage it's not it's quite inexpensive so that's certainly going to be something that factors in now imagine if that same customer database instead took up 100 terabytes 100 terabytes is going to cost a couple thousand dollars to store so certainly that's going to be cost prohibitive to some uh organization but not all so i wouldn't focus necessarily exclusively on the cost of data storage when determining vulnerability it's in the textbook that's kind of the logic behind it though uh increased ease of hacking certainly lots of tools are publicly available you can watch tutorials you can read tutorials it's quite simple for a lot of the lower level sort of hacking incidents that you could do it's not very difficult so the fact that it's not difficult means there's going to be enhanced likelihood of them occurring if they were more difficult you would anticipate fewer people having the skills fewer people having the interest whatever the case may be you would anticipate having a lower risk there organized crime nation states this is something that could be a little bit controversial to discuss but i think it goes without saying that there are certainly some nations that dislike other nations and as such there could be the possibility of certain nations attacking other nations uh infrastructure uh we see this with things like the stux network where i believe israel is accused of attacking uh some of the infrastructure in the middle east again it's accusations i'm not saying it happened or did not happen but that's an example of an organized nation-state attack allegedly of course then you know another vulnerability factor is lack of management support so as we've talked about in this course management support is really crucial for the success of any sort of project any sort of policy really anything within an organization because if management doesn't support something it means you're not getting resources it means you're not getting time allocated to the fulfillment of whatever you set out to do so in security imagine if management refused to purchase anything that would aid the security of an organization you would anticipate that would increase the vulnerability of the firm accordingly so those are just five basic vulnerability factors these are not the only ones there are certainly many others and these are just five of the common ones so let's go through a little bit more and talk about some specific types of threats so there's really going to be three major types of threats that we're going to discuss so the first you'll be external so an external threat as the name implies it's going to be perpetrated by people outside the organization so this could be people in another country could be people in the same country but bottom line is they're not associated with your organization uh contrast a little bit with internal threats internal threats as the name would apply internal to the organization it could be a disgruntled employee i could even be an employee who's not disgruntled but accidentally does something that's still a threat it doesn't matter whether it's intentional or unintentional although that is of course a distinction within internal threats is was it intentional was it unintentional and then lastly we have hybrid threats so hybrid threats are going to be typically where you have some sort of insider within the organization but the bulk of the work is going to be done by typically outside parties so these are three major ones uh of course then we also have internet threats so internet threats comprise many categories uh typically we're going to see these transpire as things like malware we're going to talk more about specific types of malware in a couple slides denial of service which of course we think about denial of service what is that going to affect on the cia triad if we're not able to access a resource it's going to affect the availability so if the information is not available that's going to be a problem we think about malware malware could really do any of the three most likely it would affect confidentiality but in practice we can certainly see malware that you know uses excessive system resources and prevents the legitimate access or availability of resources we could of course also see malware that affects the integrity of files there's really no limit to what malware could do in terms of that and then lastly of course unauthorized access so that's just simply someone accessing the system that they don't have authority or authorization rather to access so pretty straightforward there but we're not limited to just things that are man-made so we can certainly look beyond that and see that there's a lot of things that we don't necessarily directly control uh natural disasters are particularly uh problematic from a perspective of availability and that they can disrupt the availability they can keep employees from entering an office physically they can keep a system from getting power that can keep a system from getting network connectivity things like floods you know hopefully we don't see any flooding today but there's a lot of rain that could certainly keep people from attending something physical because it could be dangerous would you risk your life for a system hopefully the answer is no but you certainly could if you wanted to many people choose to not so any sort of storm earthquake earthquakes pretty notorious for things like fires fires could be another serious problem so of course we'd want to have systems in place to mitigate fires of course we'll talk about that in a little bit but if we have a data center do we just want to put a standard uh water-based fire sprinkler system in no we wouldn't because that would uh certainly cause some issues with the availability of the system if it ever goes off all the information is likely going to be lost so instead we want to use some sort of a gas base like halon or some other similar gas to where we can then ensure that the information it's not going to be compromised if the event of the uh you know some fire something causes it to go off or it could just accidentally go off certainly not uncommon for sprinkler head to get uh affected in some adverse way and then to have a release uh some other man-made disasters we just talked about fires you want to make sure you prevent them uh it's like smokey the bear says only you can prevent fires i don't know where that leaves me i guess i can't do anything about preventing fire i always found that kind of a funny little statement there but it's not that funny uh power outages you know again you can have some sort of a generator but you know if you have a generator it's important to ensure that it's properly maintained has proper amounts of fuel all that sort of stuff especially otherwise is a generator without fuel going to be very useful to you i can't imagine it would cut cables it's not uncommon i think a couple years back at mississippi state there was a case where i think it was a backhoe or something was digging and cut a fiber optic line you know internet was out for a couple days so unfortunate but that could certainly happen so any sort of outage like that can certainly affect the availability of a system and potentially even the integrity of the system as well hen we're going to talk a little bit more about internal threats so these previous were mostly going to be external although you could argue that a fire is probably more internal given the fact that it's probably started by something inside the organization uh but not all the time so uh you know things like what do employees do well they can do lots of things uh theft of assets so if we had a physical computer and it had information on it that we needed as an organization what if someone just walks away with it we no longer have that information assuming that's the only copy that we had so some potential mitigating steps would be things like physical access controls having backups and certainly those sorts of things can be very advantageous for a firm to employ illegal copying or at least not necessarily illegal but unauthorized copying of records this is a very interesting ethical discussion that's very common in the sales industry at least stereotypically common in sales for a an employee upon departure to copy their sales contacts now is that ethical or unethical really depends upon your definition of ethics but it's generally viewed in the business community as unethical to do so because it's generally presumed that the contacts you make as a sales associate for one company belong to the company as opposed to the individual now i'm not here to say whether something's right or wrong it's really for you to kind of determine for yourself unauthorized access kind of similar to unauthorized copying only this is going to be a little bit different so a couple years back there was actually a case where i believe uh at least a dozen possibly more uh nurses at a chicago hospital were fired for unauthorized access of a particular uh patient's medical records so it's certainly something that can happen they were not directly assigned to that patient yet they accessed a certain uh patient's medical records and they got themselves fired so it could certainly be a bad thing to do certainly violated privacy of the patient and it also violated the company policies so the company policy state you're only supposed to access medical records of people you're associated with the care of you know kind of beyond that though doesn't have to be something intentional there's certainly a lot of unintentional acts that an employee can do that would compromise the security of an organization so imagine some example of bypassing security so let's say that an organization has a policy that says every five minutes if there's no activity on a workstation it gets logged out so how could someone get around that well they can wiggle the mouse every four minutes for someone and they could stay logged in now a problem with doing that is the work system could be unintended for those four minutes certainly violates the intent of the policy yet it doesn't violate the practice of the policy so in that regard it could be considered a threat then lastly data entry errors let's say someone enters information incorrectly what could that do well it could lead to a loss in revenue i imagine you enter someone's address incorrectly you never send them an invoice that's money lost um you know imagine that you enter uh banking information incorrectly that's money loss of course it could go beyond that as well but those are some common examples of why dead entry errors are a problem for organizations now how can they get around data entry areas well in practice there's not really going to be a perfect way to do so common approaches would be things like validating to make sure that the input is in fact a legal address so that could at least mitigate it to some degree of course i think the post office has an api that firms can use just to kind of make sure that the address is recognized by usps and provide suggestions if it's not but you know by and large we could also do things like this validating the input to make sure that a phone number is in fact a 10 digit number or if we're talking about other countries that has a country code so lots of different examples there any questions so far well as always feel free to jump in with any questions i'm happy to address them but some more potential threats associated with employees so things like using a weak password so if one employee inside of an organization let's just say that any employee within an organization can access the same data you have 100 employees 99 of them are using a strong password one of them is using password one two three exclamation mark it only takes one account to get compromised to access an organization from the inside so having strong password policies can be a good thing but people can still get around them by doing uh something like what i just suggested with that password so you know certainly that could be a problem uh lack of knowledge is training it's very common for organizations to employ things like sata technology or not instead of technology just sata security education and training awareness it's very common to have to go through due to training may be interesting maybe it's not but certainly that's something that could transpire and at least to some degree mitigate that social engineering attacks these are quite common uh particularly they're more targeted so it could be a situation where an employee has access to information someone impersonates them they have some sort of a fake emergency whatever the case may be it's not uncommon to see this transpire then any sort of other human error you know humans are not perfect i'll use myself as an example i thought i had to take attendance turns out i don't that's human error you know i apologize for any issues that may have caused but you know mostly i don't think it caused any major issues there so um you know that's certainly something that could take place though i've got a quick little video here uh i'm gonna mute it it does have a little bit of language in there but it's still a funny example of an internal threat that i'm gonna play so let me just mute it all right i think i'm unmuted now and i'm back so uh that's a funny scene if you get a chance to watch office space and you haven't i'd certainly recommend it but what's happening inside that scene is they're basically creating a program that will and pro in theory is supposed to take just a little bit of the uh remaining decimal so if they had let's say a transaction that was for 10 32 cents but then there was something beyond that they would just take whatever's beyond that put it into account in practice they had a rounding error that actually ended up with them receiving quite a bit more than they anticipated so that's theft certainly doing something like that is something that will cost you organization lots of money certainly going to be an internal employee threat each of those three employees up there were internal to the organization they wrote the application and then they uh installed it so again i do apologize for not having any audio with that video i just didn't want to have any sort of uh foul language that was being uh spoken or sung rather so just keep that in mind um but that's kind of what was going on inside the video i think you can make an argument that it's a little bit funnier without the audio anyway maybe it is maybe it's not but then beyond that we've talked about employees let's talk more about the system itself so uh if we have any sort of software on that could be authorized or unauthorized the software itself could cause us problems so if we have a system that has software installed maybe it's our erp application for example let's say that it has a bug that incorrectly handles decimals so maybe it rounds up when it should run down maybe it doesn't handle the comma the same whatever the case may be let's just say that it has some inaccurate information in it that's going to lead to problems with data integrity if our data doesn't have integrity it's pretty much useless to us so generally speaking we want to avoid that sort of issue of course we could also have any sort of malware which we're going to talk about a couple slides here but the idea is that the malware of course could lead to things like information being released that we didn't intend to that could certainly cause an organization problem so of course beyond the software itself we could have hardware problems so imagine there was physical theft we've talked about that you're losing your data that way you know not only do you no longer have the data it could also cause your organization problems if the data is released without authorization it could be legal consequences it could be loss of a competitive advantage certainly those are going to be the two primary problems there then of course we also have the issue of physical spying you know beyond something being physically stolen what if someone's uh spies in a physical fashion so examples this could be like a key logging device where every keystroke every mouse movement anything like that to be recorded and sent off somewhere or it's going to be recorded and picked up at some point certainly anything like that unauthorized cameras you could certainly imagine how those could be problematic you know imagine they're collecting pin information or even worse yet imagine they're inside of a location where a camera would be uh for that lack of a better term it'd be inappropriate that would certainly be a potential to open up an organization to liabilities it could certainly lead to lots of damage something to that effect so generally speaking it's not just about the software it's also about the hardware then of course we want to shift gears a little bit you know a lot of these so far have been maybe in deliberate or accidental there's also deliberate threats you know certainly we've talked about a few espionage and trespass very common within the corporate industry to have corporate espionage you know spying on another organization maybe trying to get trade secrets maybe trying to get intellectual property anything like that can certainly be a problem for an organization to deal with now of course how does an organization handle that sort of thing well it depends on the organization but in general you don't want to ensure that any sort of information that's very secure is kept secure you want to have it accessible to as few people as possible so that's going to ensure that it has confidentiality or at least the best amount of confidentiality that it can achieve information extortion this is pretty common nowadays with things like ransomware applications where there will be some information stored and someone will encrypt it in such a way that the company is no longer able to access their own information demand durants and for the decryption of it sabotage or vandalism uh that could certainly be something quite common with a disgruntled employee maybe they could dislike their organizations so much to take a uh some sort of baseball bat or something like that and they damage a physical piece of hardware there's also another office scene i don't have it in here from office space if you remember the printer scene you know they take the printer to a field and they start beating it with the baseball bat quite a humorous scene if you get a chance to watch it theft of equipment we've talked about that identity theft that could certainly also be a problem as well imagine your organization isn't trusted with data and they don't do the bare basics to protect it uh what's that going to cost your organization it's going to open it up to liability it's going to cause potential uh regulatory problems you could certainly run into problems where if you're not complying with existing regulations you can get fines you could have the establishment of new regulations that you have to comply with that's going to be costly as well so certainly anything like that you want to avoid to the degree possible such that you're not opening yourself up to unnecessary financial harm i compromise this intellectual property we've covered that as well basically you just want to make sure that you're having the intellectual property available to as few people as possible to prevent the likelihood that any of those people who it's available to will use it against you software attacks we're going to talk about that alien software we're going to cover that as well in a couple slides supervisory control and data acquisition attacks this is going to be important for things that are going to be some sort of industrial control system common example this would be like a water treatment plant but it goes beyond that you know any sort of uh public utility it's gonna be example uh but beyond that also anything like uh a manufacturing plan so they have this very critical infrastructure and if that's attacked people could uh have physical harm you know it's certainly something we wouldn't want to see happen so it's very important to have these sort of uh preventative measures in place to prevent any sort of uh disruption of service or even worse so then of course cyber terrorism is cyber warfare we kind of talked about that already as well okay i wasn't sure exactly where this malware slide was but i knew it was in here somewhere uh so certainly there's lots of different types of malware so malware is just going to be any sort of malicious application that's written with the intent of causing harm in some way shape or form this harm could be anything from disrupting service to um you know basically stealing all the data so most basic application that we're going to talk about is gonna be a virus so computer virus is gonna be something that's gonna be installed by some user action and it could do really anything that is programmed to typically speaking it's going to disrupt service in some way but it could also do things like send information to a third party something like that now this contrasts a little bit with worm so a worm it's going to be an application that's going to be installed for some vulnerability and it's going to be self-replicating so typically speaking this is going to happen in a large network environment where it's going to be utilizing some vulnerability that has yet to be patched on the network for whatever reason so that's certainly something to uh be concerned with if that's your job to be concerned with it trojan horse is simply going to be an application that masquerades itself as a legitimate application so it's possible you could download an application install it everything could look good but maybe it has some additional component that is malicious in nature so it's going to be quite common if you're downloading software from untrusted sources for example back door so back door attack would be something where the device or software that you have has some sort of a by design has access that is not known to the person who purchases so this is common in a lot of physical devices where there's a sort of a master account associated with things and it's done by the manufacturer so you know what happens is the manufacturer is able to access the account and you don't even necessarily know the account is there this was a couple years back there was some cameras that were found out to have a back door associated with them such that the manufacturer located in china was able to access the live feed from the cameras and uh since the united states federal government has banned those certain brands that were associated with that from use in any federal property so certainly that can be a big problem you know imagine if uh certainly someone who is hostile towards you was able to view all the cameras inside an organization and not only that you have to remember you know cameras have a physical feed but many security cameras have an audio feed as well so that could certainly be even worse than just having a video feed you know so that's certainly something to consider there uh logic bomb so logic bombs are basically just going to be applications or some sort of uh not even sort of a full application some sort of code that at some point has some sort of trigger that will be met so typically this is going to be some sort of a time frame so maybe it's going to be four weeks after installing it will do what it's set ou to do it'll basically deploy the payload but it could also be something where after so many hours of being on whatever the case may be there's some condition that's going to be eventually fulfilled and then it will do what it's set out to do so ransomware we've talked about that today a little bit basically it's just an application that forcefully encrypts a specified range of files could be the entire hard drive could be the documents folder it really depends on the ransomware application itself but what it does is it then demands a payment for in exchange for the decryption key and if you don't have a backup you may not be able to decrypt any of the files on the system of course depending on the resume application some of them use better encryption than others and you may be able to decrypt the files without having any sort of a physical key or not a physical there's no physical key i'm saying without having the decryption key and then lastly spyware as the name would imply this is going to be applications that are designed to basically send information about a user's habits about what they do anything like that to a third party any questions about these all right so you know there are other types of software attacks as well though certainly they're not going to be an application that's installed or run but things like a basic phishing attack so phishing attack of course is going to be any sort of uh communication typically this is thought of as an email but it could be other communications as well where the intent is to impersonate a legitimate authority and to then obtain maybe user credentials maybe payment information whatever the case may be you're obtaining some information by deception uh spear fishing's a little bit different uh it's still similar to fishing only the difference between spear fishing and fishing is that in spear fishing it's a targeted approach so maybe you have access to a company's records and you can see who their actual customers are and you could even put legitimate information about their account number uh basically all you're doing is you're making a more targeted phishing attack uh and then an even more targeted example of a fishing attack is whaling so in wailing what you're doing you're not only targeting people you're targeting high-level people typically this could be things like c-level executives it could be things like top government officials whatever the case may be that would be an example of a whaling attack where basically you're wanting to get the top-level credentials for an organization uh eavesdropping to be a physical way of uh obtaining information but basically all you're doing is you're listening to a conversation you're not a member of now of course there's different types of views dropping there's physical ears dropping there's also electronic each dropping so you know of course in many states there's gonna be a one-party consent law for audio recording meaning that if you're a party of a conversation you can record it without informing the other person some states require uh two-party or all-party consent that's only a handful of states again this is not legal advice or anything but certainly if you're not a part of the conversation at all it's going to be eavesdropping it could be punished by you know some certainly legal consequences there so you'd want to avoid that and then lastly of course shoulder surfing so shoulder surfing is simply looking at information that you're not uh you know supposed to be looking at basically so imagine there was someone in this classroom not saying there is but someone was scrolling through a facebook feed and someone behind them thinks that's an interesting facebook feed i'm going to look at it that's shoulder surfing i really straight forward so basically for eavesdropping of course how can you mitigate that you cannot say information in public that you wouldn't want people to hear so you know for example if you had something confidential you wouldn't want to take the phone call in the middle of class because i could guarantee you pretty much everyone's going to be eavesdropping including me so that'd be a bad thing to do shoulder surfing you know make sure that you're not viewing information you want to want other people to see inside of public you know of course if you wanted to you could get a privacy screen but that's typically not going to happen because it's not going to make your image look as nice even if you're sitting directly in front of it it's also going to be costly it's not going to be very effective anyway so those are basically the uh sort of kind of uh edging the gap between a physical attack and a software tag these are kind of hybrid in that way let's talk about how we can mitigate some of these physical attacks though so we talked about locks having locks is not enough making sure they're in use properly is going to be a lot more beneficial you know i always find that uh not funny because i don't want to laugh at people being victims of crime but you know certainly it's it's a problem when people get robbed and they say well how'd they enter the house well the front door was unlocked well that's not going to do you much good doesn't matter what type of lock you have if it's not going to be used so certainly making sure that you use not only having locks but using them in the appropriate fashion and then of course beyond that if you want to protect a property not just a building uh you could use things like some sort of a gate some sort of fence you know something to that degree to prevent unauthorized entry to a property so it can be very common for things like high-end research labs really anything where that level of physical security would be needed uh of course human security guards now they're not going to be perfect but they can certainly act as a deterrent to unauthorized physical access of a space then of course using things like id cards probably going to be very beneficial to use things for that lock that use automatic id cards because let's say an employee leads and you have an organization of 100 000 people uh let's say you fire one person are you going to want to issue a new key every time you fire one person i can't imagine you would an organization of 100 000 people someone's getting canned every day so certainly if you have an id card and that's how people enter or leave a facility that's going to be a lot easier to replace because all you have to do disable the access to that one specific id card to be a much easier way to um you know certainly run a business so access controls so when you think about how do we actually go through the process of accessing a system so there's me three steps so first we have identification saying who is wanting the access so that's going to be things like a username it could be things like a name if it's a physical uh thing whatever the case is you're saying who is actually doing that that's the identity then you have authentication so you're saying not only do i want to actually uh be this person how do i prove i'm this person so we use things like a password we can use things like biometric devices you know fingerprint i scan you know palm print certainly any of those things could be a way to verify an identity and then beyond that we want to authorize so not only have we made sure that the person is who they say they are we then will take a step further and actually give them the access so that last step if we don't do that last step we don't have any availability so thinking back to cia trad we want to make sure that we have not only confidentiality and integrity but also availability so in the authorization step we of course grant them the access that they have access to uh talking a little bit more about communication controls here at a basic level you know we talked about there could be threats with a wireless network or any network so how can we mitigate that well here's a non-exclusive list but there's certainly some very commonly employed devices or software to ensure the confidentiality remains intact for organizations network so the person can be a basic firewall so pretty much every corporation is likely going to be using some sort of a firewall it could be software based it could be hardware based but the concept is is that we're having control over what information flows through a network and what information does not now this is also going to have other uses for things like employee monitoring so the firewalls applications are typically going to do things like monitor which employees are accessing which external resources that can be good or bad i'm not here to say but from an employee's standpoint something to be mindful of from a corporation standpoint something to know and to ensure it's being used if that's what your organization wishes then of course the demilitarized zone to be a little bit different so what that's saying is we have some public part of our network typically we're going to host things that are going to be external so if we had a corporate website we would put that inside of a demilitarized zone such that we have free access to it you know anyone basically in the public can access the demilitarized zone but we don't let them breach that demilitarized zone so they can't access anything that's internal to our organization so that's really all it's saying there you know of course the famous demilitarized zone think about the uh you know certainly we have the two koreas north south korea and between the two there's a demilitarized zone it's the same concept uh meaning that you know well i guess in that case you can't really freely travel between the two but in this case uh you can't freely travel between the demilitarized zone and the uh you know the standard internal network so think about it in that way and of course we have anti-malware systems so uh you know typically these could be referred to as an antivirus system but we're talking about at the corporate level it's not good enough to have an application that runs on every system we want to have an application that runs on every system that not only uh removes malware and prevents it from being run in the first place but that also notifies a central authority it could be an information security team it could be your i.t team whatever the case may be we want to then ensure that we look at the physical hardware we inspect the software on it and ensure that there is no sort of actual breach of information so that central reporting is a very uh important example not necessarily an example it's a very important component of any sort of anti-malware system for an organization to use certainly a large organization uh encryption so we talked about some potential downsides of encryption but it's also a good thing certainly if we're encrypting sensitive information such that only we the organization are able to access it that's going to have lots of good things imagine someone steals a computer or some device that has sensitive information on it if we employ encryption assuming it's good encryption they wouldn't be able to then do anything with it they wouldn't be able to read it in any way so that's certainly gonna be a very beneficial thing for us to do uh virtual private networking uh of course some of you probably familiar with it maybe uh basically the whole concept is that we have some sort of a way for companies if we're not at companies for employees of an organization to access resources from anywhere so they can access it as though they were on a physical location using a physical network only they don't have to be so this could be used for things like file storage file transfer um anything like that more commonly it's used for remote access you know people can promote access a machine that they have access to from anywhere in the world using a virtual private network uh then of course employee monitoring we've talked about that a good bit as well uh any questions so far again always feel free to jump in with any questions at any time um but of course we also want to talk a little bit about business continuity planning so we talked early on about some of these threats you know we have a fire can we prevent a forest fire well you know smokey the bear would say yes but as a company can we truly prevent a forest fire let's say lightning strikes yeah can we do anything to stop that i mean you might could make an argument that we could but for the most part you know natural disasters are things that we don't necessarily control fire is probably not the best example uh let's say can we prevent an earthquake i don't have any ways that all prevent an earthquake really of course we could make our buildings designed in such a way that we're not going to have any sort of uh building collapse from an earthquake but by and large we can't really do much to prevent the earthquake itself so even if our building is still standing if the roads around it are inaccessible then it doesn't really matter because employees aren't going to access the location anyway so the bottom line is we want to have some sort of a formally document that is going to allow us to say this is how we're going to operate in the event that we can't physically access a location this is how we're going to operate if a system is down you know all those sorts of things we've gone ahead and planned out various scenarios and that way whenever something does happen as it will invariably at some point we have something predefined we have a like more uh at least a larger chance of not having any sort of disruption in service or at least minimizing the disruption of service so basically all this document is saying is if something happens this is how we're going to respond and everyone has access to it so presumably everyone will be able to refer to it should some sort of disaster take place of course within this there's a discussion of you know various types of sites so you'll see up here i have hot sites warm sites and cold sites so all this is really saying is in a hot site we have not only all the hardware and software and everything already and stuff we basically could have a spare office fully equipped everything's up to date all the software we need everything that we need is already established it's like an empty office that's completely furnished now that contrasts with a cold site so inside of a cold site we have an empty office building no furniture no technology no software it's just an empty office building we could certainly use it but it would certainly take some time to get everything used and then instead of a warm site it's sort of a hybrid between the two so maybe we have some of the technology but not all the software loaded and up to date maybe we have furniture but not every single piece of furniture yes it's in between the cot and the cold side that makes sense so hot site has everything ready to go cold site has nothing ready to go but at least has a building and warm site has some combination of those two okay so another important discussion is auditing so inside of an information system audit we have lots of information being processed we have information that's being input we have information that's being output and we have information that's being processed somewhere in there so inside of an audit we're doing to make sure that all that process has integrity we don't want to have a situation where we have information flowing that is going to be adversely affected could be made incorrect at some point in the process what we're doing is we're looking for that and of course we do this internally or externally externally a lot of accounting firms particularly the big three are now providing is auditing services so if you're an accountant you may end up doing some of this if you're an is manager you may end up working for an accounting agency doing some of this it could certainly be something that you can do externally but also within the organization as well now it's very important to ensure that your organization uses something like a testing environment so if they're rolling out a new change they can easily see what that change will impact and it's very common to have a production environment maybe even several testing environments it's very common inside of modern organizations to do that both internally and externally so risk we're going to pick up a risk next class um yeah we'll just do that next class just kind of wrap up today though we covered information security we covered various threats associated with it we also covered various protections and various controls any questions about anything today all right well thanks for coming i hope you all have a great day