During our fourth week of class, we were asked to explain the importance of information and system security for individuals and organizations. Keeping information secure is vital for any person or company. If personal data is not secure, a person will have to worry about having portions of their identity potentially stolen. If a company does not make sure that its data is secure, it will have to worry about many different factors that affect its customers, suppliers, employees, etc. When examining information security, there are many different methods that can be used to gain access to data that would otherwise be secured. In a previous assignment, we used the ping and tracert commands to determine the connectivity of different websites. These commands can also be used in nefarious ways to attack personal or commercial technological infrastructure. In addition to those two commands, there are many other ways to attack an information network. Two other examples are social engineering and password cracking. An essential factor of information security that often gets ignored is the physical security of any hardware that may store potentially valuable data.

Using malicious software, a computer hacker can use the ping command to overwhelm an information system. This type of attack is often called a Distributed Denial of Service (DDoS). This attack stops people from accessing data sources on a network. The attack is initiated by using software to send the ping command to a targeted server in quantities so large that the networking hardware and software cannot keep up. DDoS attacks are often used to distract companies from other methods of attack being deployed against their systems. Most companies use third-party services to monitor their network and help mitigate the threat of DDoS attacks.

Overall, there usually is not much damage that happens from a DDoS attack. The most common symptom and purpose of a DDoS attack is a service disruption. That means the attackers are hoping to stop a company’s customers from being able to do business with the company. Other potential damage can include loss of data, increased costs, or other harm. In order to mitigate the threat of a DDoS attack, a company needs to make sure that its IT support is trained to recognize that a DDoS attack is happening. If the support staff does not recognize the signs, they will not be able to stop the attack. Another, more efficient method for preventing DDoS attacks is to hire an external service provider who specializes in defending against DDoS attacks.
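
To make "recognizing the signs" concrete, the following added example (not part of the original post) counts ping requests reaching a server in a sliding one-second window and reports whether a burst comes from many sources or from one. The function names, the threshold of 100 requests per second and the sample traffic are all assumptions constructed for illustration.

```python
from collections import Counter, deque


def detect_echo_floods(events, window_s=1.0, max_requests=100):
    """Return one alert per burst in which more than max_requests ping
    (ICMP echo) requests arrive within any window_s-second span.

    events: list of (timestamp_seconds, source_ip), sorted by time.
    """
    recent = deque()        # requests inside the current window
    per_source = Counter()  # requests per source inside the window
    alerts = []
    in_burst = False
    for ts, src in events:
        recent.append((ts, src))
        per_source[src] += 1
        # Drop requests that have aged out of the window.
        while ts - recent[0][0] >= window_s:
            _, old_src = recent.popleft()
            per_source[old_src] -= 1
            if per_source[old_src] == 0:
                del per_source[old_src]
        over = len(recent) > max_requests
        if over and not in_burst:  # alert once, when the threshold is crossed
            top_count = per_source.most_common(1)[0][1]
            alerts.append({
                "start": recent[0][0],
                "requests": len(recent),
                "sources": len(per_source),
                # No single source dominates: blocking one address will not
                # help, so this is the case to escalate to a DDoS provider.
                "distributed": top_count / len(recent) < 0.5,
            })
        in_burst = over
    return alerts


def sample_events():
    """Constructed traffic: normal monitoring pings, then two bursts."""
    events = [(t + 0.1 * h, f"192.0.2.{h}") for t in range(10) for h in range(1, 6)]
    events += [(20 + i * 0.002, f"198.51.100.{i % 150}") for i in range(300)]
    events += [(40 + i * 0.002, "203.0.113.9") for i in range(200)]
    return sorted(events)


if __name__ == "__main__":
    for alert in detect_echo_floods(sample_events()):
        print(alert)
```

The ordinary monitoring pings never trigger an alert; the first burst is flagged as distributed and the second as coming from a single source.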

Another type of computer security incident is social engineering. Social engineering attacks are focused on the most significant weakness of any information network: the people who are actually using the network. There are many different methods that can be employed to facilitate a social engineering attack. One of the most common social engineering attacks is to send a fake email that appears to come from a company’s tech department requesting the login credentials of a user. If deployed correctly, the email will appear to be from a valid source and the user will send the attacker their login information. Another common social engineering method is sending emails to a personal email address with a fake story that makes the user believe that if they provide the requested information, they will receive a large sum of money in their bank account. This type of attack is usually used to gather the information needed to attempt to steal the identity of a person.

Another type of social engineering is called a dead drop. This strategy works by loading malicious software onto a selection of USB storage drives. The drives are then “accidentally” dropped outside of a targeted company’s doorway. This type of attack can be very successful because a person’s curiosity will usually lead them to plug the drive into their computer, which then lets the malicious software into the information network. One way to mitigate this type of attack is to use a computer policy that explicitly disables the USB ports on any computer within an infrastructure. If the ports are disabled, then the USB drive will not be able to deploy any malicious software. Another, much more significant way for a company to protect its data is to ensure that its employees attend regular information security training. If protocols are not established or followed, the company’s network will have a high risk of being attacked. The potential damage of a social engineering attack can vary from as small as infecting one computer to infecting an entire network with ransomware or potentially erasing all data located on any infected server.

A third type of information security attack is password cracking. This type of attack uses software to try multiple passwords for a set of login credentials until it “guesses” the correct password. This type of attack was much more prevalent in the past because users were not often informed about needing to create a complex password, and there also were not many programs that could detect password cracking. The main function of a password cracking attack is to gain access to a network by using the login credentials of a user. As with social engineering, once a nefarious person has unlimited access to your system, they can accomplish an extensive range of activities. The damage can range from as small as compromising the data of a single computer to allowing a hacker to potentially delete any information that they can find.

There are many different ways to protect against password cracking attacks. First, a company can use software that will “lock out” a user account once a specified number of bad login attempts are made. Once the user account is locked, the person must contact their IT support to have the account unlocked. A second method that is being employed more often is to enable two-, three-, or more-factor authentication. This means that a user must use multiple different methods to prove their identity. Most often the second form of authentication is established by asking security questions. However, a company can also issue software or hardware security tokens, such as RSA.