Threats to IT Assets - PowerPoint PPT Presentation

Provided by: nate189

Transcript and Presenter's Notes

Title: Threats to IT Assets


1
Chapter 3
  • Threats to IT Assets

2
Objectives
  • In this chapter, you will
  • Describe general categories of attacks
  • Identify the major attack routes to the corporate
    office
  • Identify the major attack routes to the corporate
    IT environment
  • Develop a threat taxonomy

3
Categories of Attacks
  • Intentional vs. Unintentional
  • Intentional
  • Active
  • Passive

4
Attacks on the Corporate Office: Physical Security
  • Theft
  • Computer equipment
  • Office equipment
  • Data
  • Countermeasures
  • Guards
  • Cameras
  • Badge readers
  • Alarm systems

5
Attacks on the Corporate Office: Physical Security
  • Damage
  • Computer equipment
  • Office equipment
  • Data
  • Countermeasures
  • Guards
  • Cameras
  • Badge readers
  • Alarm systems

6
Attacks on the Corporate Office: Physical Security
  • Service disruption
  • Electricity
  • HVAC
  • Telecom / Network cabling
  • Countermeasures
  • Guards
  • Cameras
  • Badge readers
  • Alarm systems

7
Attacks on the Corporate Office: Physical Security
  • Unauthorized access to systems
  • System console
  • System equipment
  • Desktops / laptops
  • Countermeasures
  • Console passwords
  • System locks
  • Screensaver passwords
  • Badge readers

8
Attacks on the Corporate Office: Physical Security
  • Unauthorized access to information
  • Printed information
  • Open windows / doors that allow for eavesdropping
  • Information on media
  • Countermeasures
  • Proper destruction
  • Cover windows in sensitive areas
  • Badge readers

9
Attacks on the Corporate Office: Employees
  • Social engineering
  • Phone calls
  • In-person visits
  • E-mail
  • Countermeasures
  • Security policy
  • Education

10
Attacks on the Corporate Office: Employees
  • E-mail attachments
  • Malware
  • Countermeasures
  • Antivirus software
  • E-mail filtering
  • Education

11
Attacks on the Corporate Office: Employees
  • Hoaxes
  • E-mail
  • Faxes
  • Regular mail
  • Countermeasures
  • Security policy
  • Approved communication vehicles
  • Education

12
Attacks on the Corporate Office: Employees
  • Malicious Web sites
  • Malware
  • Countermeasures
  • Antivirus software
  • Web filtering software
  • Education

13
Attacks on the Corporate Office: Information Aggregation
  • Trash
  • Classified information
  • Usernames and passwords
  • Project information
  • Countermeasures
  • Proper destruction of sensitive information

14
Attacks on the Corporate Office: Information Aggregation
  • Phone lists
  • Employee names
  • Contact information
  • Organizational roles
  • Countermeasures
  • Restrict availability of information

15
Attacks on the Corporate Office: Information Aggregation
  • Newsgroups
  • Technical information
  • System architecture
  • Employee names
  • E-mail addresses
  • Countermeasures
  • Avoid posting to newsgroups
  • Avoid using company e-mail addresses
  • Avoid discussing sensitive information

16
Attacks on the Corporate Office: Information Aggregation
  • Conversations
  • Eavesdropping
  • Information brokers
  • Countermeasures
  • Avoid discussing sensitive information outside of
    work
  • Education

17
Attacks on the Corporate Office: Information Aggregation
  • Cell phones
  • Eavesdropping on conversations
  • Countermeasures
  • Avoid discussing sensitive information on cell
    phones

18
Attacks on the Corporate Office: Information Aggregation
  • Pagers
  • Eavesdropping on pages
  • Countermeasures
  • Avoid sending sensitive information

19
Attacks on the Corporate Office: Information Aggregation
  • Covert channels
  • Storage
  • Timing
  • Countermeasures
  • Resource utilization monitoring
  • File permissions

20
Attacks on the Corporate IT Environment: Phone Attacks
  • Voice mail
  • Eavesdropping of voice messages
  • Countermeasures
  • Strong passwords
  • Frequent password changes

21
Attacks on the Corporate IT Environment: Phone Attacks
  • Phone switches
  • Phone bandwidth theft
  • Control over phone switching
  • Countermeasures
  • System software updates
  • Strong passwords
  • Frequent password changes
  • Restrict connections

22
Attacks on the Corporate IT Environment: Phone Attacks
  • War dialing
  • Connect to network via listening modem(s)
  • Countermeasures
  • Restrict incoming analog lines
  • Restrict use of modems

23
Attacks on the Corporate IT Environment: Malware
  • ActiveX / JavaScript
  • Macros
  • Trojan horses
  • Viruses
  • Worms
  • Zombies

24
Attacks on the Corporate IT Environment: Malware
  • Countermeasures
  • Antivirus software
  • Patching operating systems and applications
  • E-mail filtering
  • Web filtering
  • Use of firewall to restrict network traffic

25
Attacks on the Corporate IT Environment: System Attacks
  • Password cracking
  • Guessing user passwords
  • Guessing application / service account passwords
  • Guessing administrative passwords
  • Countermeasures
  • Strong password policies
  • Frequent password changes
  • Patching

26
Attacks on the Corporate IT Environment: System Attacks
  • Software bugs
  • Buffer overflows
  • Countermeasures
  • Patching
  • Remove unnecessary services and applications

27
Attacks on the Corporate IT Environment: System Attacks
  • Port scanners
  • Active ports
  • Determine running services and applications
  • Countermeasures
  • Patching
  • Remove unnecessary services and applications
  • Firewalls

28
Attacks on the Corporate IT Environment: System Attacks
  • E-mail
  • Bombing
  • Relaying
  • Spoofing
  • Countermeasures
  • Patching
  • Block relays
  • Configure e-mail server for proper authentication

29
Attacks on the Corporate IT Environment: System Attacks
  • SQL injection
  • Database data manipulation
  • Database data enumeration
  • Countermeasures
  • Input validation
  • Patching

30
Threat Taxonomy

31
Threat Taxonomy
  • Source
  • Effect
  • Method
  • Threat components
  • Authorization
  • Target
  • Damage

32
Summary
  • Providing a secure physical environment is the
    first step in ensuring that company information
    is safe.
  • Unless all company employees are effectively
    educated, social engineering is often a
    successful method for breaking into company
    systems.
  • By aggregating information from trash, Web sites,
    press releases, and public conversations, an
    attacker can form a picture of sensitive
    information.
  • Attackers can steal information from voice
    mailboxes containing sensitive company data, or
    they can break into PBX switches to steal phone
    resources.
  • Passive attack methodologies include viruses,
    worms, Trojan horses, and a variety of other
    malicious code.

33
Summary
  • Regardless of the network-based defenses in
    place, system attacks are serious business, and
    constant vigilance must be maintained to thwart
    attacks at the system level.
  • In addition to the operating systems and
    application software that present vulnerabilities
    for the attacker, network protocols can also be
    manipulated.
  • A threat taxonomy is a categorization that
    affords security professionals the ability to
    organize and classify threats to computer systems
    and networks.