Common Information Security Threats

Submitted By adubdaonly
The purpose of this paper is to identify three information security threats, the potential risks, and the related vulnerabilities to an organization. We will go in depth to identify these harmful threats and describe each potential risk an organization may have to endure. We will also discuss three major information security threats facing SunTrust Bank. SunTrust Bank, headquartered in Atlanta, GA, operates 1,497 branches and over 2,200 ATMs in the South and some in the North. SunTrust Bank has over $175 billion in assets in the US, and that figure continues to grow. The major assets that SunTrust has invested need to be fully protected against potential information security threats from people trying to steal money or do harm to the organization.
One of the major threats that SunTrust Bank and other banks have to be cautious of is the distributed denial-of-service (DDoS) attack. A DDoS attack is an attack on a single target by a group of compromised systems infecting the target with a Trojan. There are two types of DDoS attacks: a network-centric attack, which overloads a service by using up bandwidth, and an application-layer attack, which overloads a service or database with application calls (Rouse, 2013). The most well-known DDoS attack was committed by the Izz ad-Din al-Qassam Cyber Fighters in 2012. These attacks were carried out in two phases: in the first phase they attacked only top-tier banks, and in the second phase they attacked credit unions and mid-tier banks. SunTrust was one of these banks, and its website suffered intermittent outages and glitches. The DDoS attack caused the servers at SunTrust to overload, which made the site inaccessible in some parts of the country and at different times throughout the day.
The attack was carried out in protest of a movie posted on YouTube that the group deemed offensive to their culture. The fighters issued a statement demanding that the video be taken down immediately, saying that this would be the simplest solution but that the United States would still be punished because of the insult. This caused some people to panic and scramble to try to prevent the attack from happening.
Another threat SunTrust has to worry about is Zeus attacks, also known as Zbot. This malware toolkit gives its user the ability to create their own individual Trojan horse. The unique ability of the Zeus Trojan is that it remains dormant and allows its user to add fields to forms at the browser level. This means the end user will be on a legitimate site filling out information that the criminal can see and steal, using the information to drain bank accounts. Mobile Zeus was created to attack mobile phones, which lets it attack mobile banking accounts and steal mTAN codes from bank users. An mTAN code is the mobile Transaction Number that some banks use as a one-time password. Similar to Zeus for PC, the attackers steal the information and passwords needed to gain access, which in this case is the mTAN code. The code would be sent to the Zitmo-infected handset, which immediately forwarded it to the malicious user’s number, who would then use the stolen mTAN to authenticate the transaction (Maslennikov, 2014). This Trojan is becoming increasingly popular, and SunTrust should inform its customers of such attacks so they can better protect themselves. SunTrust and its users need to install software designed specifically for these mobile Trojans, such as Kaspersky Internet Security-Multi-Device and Kaspersky PURE. Mobile users can also download this software on their phones to help prevent these attacks.
Another threat SunTrust has to worry about is phishing. Phishing is a way to acquire someone’s information over the internet by deception. Phishing comes in many forms, and its techniques include email, SMS phishing, spear phishing, web-based delivery, links, key loggers, and Trojan horses. Spear phishing is a fraudulent email that targets a specific organization in an attempt to gain unauthorized access to data. The email asks the employee to log into a bogus page that requests the employee’s user name and password, or to click on a link that will download spyware or other malicious programming (Rouse, 2011). Once an attacker has the information, he or she can use it to steal your money. Web-based delivery, also known as man-in-the-middle, is more sophisticated than the other techniques and involves the original website and the phishing system. When users enter their information, the attacker gathers it without them ever knowing.
SMS phishing, or smishing, is a scam that arrives as a short message service (SMS) message, also known as a text message, directing the user to visit a website or call a phone number, where the user may then provide confidential information such as passwords or credit card information. When the user provides the information, the attacker retrieves it and uses it. Email phishing is probably the most common phishing scam. This scam involves the attacker sending large quantities of the same email to users, asking them to fill out personal information. Depending on the attacker, the emails may ask you to verify your account, ask you to update your account information, or send a link for you to click to gain access to a new service. A key logger is a type of malware that can be used on computers and mobile phones to capture what the user types on the keyboard. The attacker then deciphers the information and gains access to the confidential information.
Threats and vulnerabilities are both part of the risk-management process and can cause an organization to lose millions of dollars if not identified and handled properly. An organization should know the value of the assets it is protecting. Otherwise the organization may spend more money to protect an asset than the asset is worth. Threats and vulnerabilities can arise from computer code, from intentional or unintentional actions by employees, or from natural factors. Creating a table that lists each threat type, the actual threat, the vulnerability, and the exposed risk can help show the organization the relationship between threats, vulnerabilities, and the risk associated with them.
The legal requirement for protecting data is governed by the Data Protection Act 1988. DPA 1988 is an act created by the United Kingdom Parliament explaining the ways information can be legally used and handled. DPA 1988 is broken into six parts with 16 notes called schedules. The parts explain the ways data can be handled by whoever holds the data, the rights of the data subject, and all special exemptions. The schedules explain the parts in more detail and list all legal interpretations and contingencies. The ethical aspect pertains to morals and how an individual or group deals with some form of knowledge. The ethical requirement is not to share or exploit the data you hold about people, or use it to bribe them, for money or any other malicious act. The regulatory requirement is to regulate and control how the data is kept.

REFERENCES
Rouse, M. (2013). Distributed denial-of-service attack. Retrieved from http://searchsecurity.techtarget.com/definition/distributed-denial-of-service-attack

Maslennikov, D. (2011). Zeus-in-the-Middle - Facts and Theories. Retrieved from http://www.securelist.com/en/analysis/204792194/ZeuS_in_the_Mobile_Facts_and_Theories

Rouse, M. (2011). Spear Phishing. Retrieved from http://searchsecurity.techtarget.com/definition/spear-phishing
