Developing Appropriate

Information Security Measures

for an Organisation

UMI DISM 2016: Presented By Brian Jjuuko M

brian.jjuuko@gmail.com
0776 058 255

OBJECTIVES

1.
2.

Understand & Define Information Security

3.

Comprehend the history of computer security and how it evolved into

information security

4.
5.
6.
7.
8.

Understand why information systems need protection (from

destruction, error, and abuse)

Define the Scope of an Organization's Security

Understand the key terms and concepts of information security
Identify Potential Security Threats to an Organisation
Establish some Solutions to the Security Threats faced by Organisations
Overview of the Tools available to mitigate Security Threats being used
today

9. Outline the phases of the security systems development life cycle

10.Understand the roles of professionals involved in information security
within an organization

What is Information Security?

Information security: a well-informed sense of assurance that the

information risks and controls are in balance. Jim Anderson, Inovant
(2002)

Protection of information systems against unauthorized access to or

modification of information, whether in storage, processing or transit, and
against the denial of service to authorized users or the provision of service
to unauthorized users, including those measures necessary to detect,
document, and counter such threats. The U.S. Governments National
Information Assurance Glossary

Do information systems need

protection?
1. Confidentiality: No data or information shall be disclosed to any

person within or outside the organization, other than the persons who
are authorized to use that data.
2. Integrity: No data/information or programs shall be allowed to be
modified by anyone without proper authority.
3. Availability: All Information Systems including hardware,
communication networks, software applications and the data they hold
shall be available to users at all times to carry out business activities.

History of Info-Sec

1946 John William Mauchly designs the first all-electronic computer, the ENIAC.

1975 The era of the personal computer begins with the release of the Altair 8800, which uses the 8080
microprocessor. The following year, the Apple I is released by Steve Wozniak and Steve Jobs; the Apple I is built
on a 6502 processor.

1976 Data Encryption Standard is approved for the first time.

1951 The Remington Rand Corporation unveils the UNIVAC (Universal Automatic Computer).
1962 The ARPAnet begins life as a paper architecture and, under the leadership of the Department of Defenses
Advanced Research Project Agency (ARPA), grows into a small network intended to promote the sharing of
supercomputers among researchers in the United States.

1982 Apple computer viruses versions 1, 2, and 3 are found in-the-wild.

Xerox PARCs Jon Hepps and John Shock create internal worms for distributed computation. The worms get out
of control and force the shutdown of multiple systems.

1983 Fred Cohen, known as the father of contemporary computer virology, demonstrates a virus-like program at
a computer security seminar at Lehigh University; a year later, he formally introduces the term computer virus
to the world.

1985 The first PC virus is created. Named Brain, the virus is a boot viruses and, for the first time, uses stealth
techniques. Brain originated in Pakistan.

1988 Robert Morris, 22, launches the Internet Worm. It spreads to 6,000 computers, 1/10 of all computers on the
Internet. He is sentenced to three years probation, 400 hours of community service, and a $10,000 fine.

1998 Carl-Fredrik Neikter releases the Netbus Trojan tool, which allows hackers to obtain remote access to
infected machines.

1999 The Melissa virus is released and spreads rapidly worldwide. The virus infects Word documents and emails
itself to everyone in the MS Outlook address book, shutting down email servers.

2000 DoS attacks shut down Yahoo!, Buy.com, Amazon, eBay, and CNN. Yahoo! estimates that its three-hour
outage cost the company as much as 5 percent of its weekly ad revenue. A 16-year-old hacker from Canada
pleads guilty to launching the attacks.

Why are Systems Vulnerable?

Why Safe-Guard Systems?

1. Efforts to Setup, Maintain, Prevent & Correct Information
Security cost time and money!
2. Espionage and Business Secrets as well as Continuity
Planning
3. New and more Sophisticated Attacks are being created
everyday
4. Need to keep up with the current InfoSec Trends
5. Legal & Regulatory Conformity

NOTE:

There were on
average over eight
million phishing
attempts per day
during the latter half
of 2005 (Symantec)
The California
legislature found
that spam cost
United States

Existing Threats & Vulnerabilities:

1.Phishing
An attempt to acquire sensitive data, such as passwords
and credit card details, by masquerading as a trustworthy
person or business in an electronic communication.
Typically carried out using email or an instant message

Points to
bad IP
Address!

2.Keystroke Logging:
Keystroke logging (often called keylogging) is a diagnostic used
in software development that captures the user's keystrokes
Highly useful for law enforcement and espionage
Used to obtain passwords or encryption keys and thus bypassing
other security measures
Widely available on the internet and can be used by anyone for
the same purposes
3.Internet
bot :

Also known as web robots, are automated internet

applications controlled by software agents.
These bots interact with network services intended for
people, carrying out monotonous tasks and behaving in a
humanlike manner (i.e., computer game bot) Bots can
gather information, reply to queries, provide
entertainment, and serve commercial purposes.
Botnet - a network of "zombie" computers used to do

4. Adware, Spyware, Malware:

Advertising-supported software is any software

package which automatically plays, displays, or downloads

advertising material to a computer after the software is
installed on it or while the application is being used.
Adware is software integrated into or bundled with a
program, typically as a way to recover programming
development costs through advertising income

Spyware- A broad category of software designed to

intercept or take partial control of a computer's operation

without the informed consent of that machine's owner or
legitimate user. In simpler terms, spyware is a type of
program that watches what users do with their computer
and then sends that information over the internet.
Malware- A Hostile, intrusive, or annoying software or
program code ("malicious" + "software) Includes
computer viruses, worms, trojan horses, bots, spyware,
adware, etc. Software is considered malware based on the

5. Spam:

Spamming is the abuse of electronic messaging systems

to send unsolicited, undesired bulk messages

Spam media includes:

E-mail Spam (most widely recognized form)
IM (instant messaging) Spam
Usenet Newsgroup Spam
Web Search Engine Spam
Spam in Blogs
Mobile-Phone Messaging Spam

6. Denial of Service (DoS & DDoS)

7. Man-in-the-Middle Attacks
8. Trojans & Worms
9. Vandalism
10. Social Engineering
11. Exploits & Zero-Day attacks
12. Brute-Force attacks
ETC

What Can We Do?

Security Assessment

Identify areas of risk

Identify potential for security breaches, collapses
Identify steps to mitigate

Security Application

Expert knowledge (train, hire, other)

Multi-layered Approach (there is no single solution)
Policies and Procedures

Not just for the geeks!

Security Awareness
Security Training at all levels (external and/or internal)
Continuing education and awareness not a one-time shot!
Make it part of the culture

Key Takeaways:

Objective of InfoSec is Confidentiality, Integrity and Availability

protect your systems and your data

Threats are numerous, evolving, and their impact is costly

Security should be applied in layers (road blocks)
Security Awareness at all levels must be maintained
Failure to Secure is an Opportunity to Fail

QUESTIONS?

Feedback:
0776 058 255
brian.jjuuko@gmail.com