The document discusses security risks, threats, and vulnerabilities that can impact IT infrastructure. It defines key related terms and describes common types of threats like malware, hardware/software failures, and hackers. The document also outlines typical vulnerabilities in different domains and security countermeasures used to mitigate risks and shrink the information security gap.

1. © 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Fundamentals of Information
Systems Security
Unit 2
Aplicação de contramedidas de
segurança para mitigar ataques
maliciosos

2. Page 2Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Learning Objective
Describe how malicious attacks, threats, and
vulnerabilities impact an IT infrastructure.

3. Page 3Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Key Concepts
§Attacks, threats, and vulnerabilities in a
typical IT infrastructure
§Common security countermeasures
typically found in an IT infrastructure
§Risk assessment approach to securing an
IT infrastructure
§Risk mitigation strategies to shrink the
information security gap

4. Page 4Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com
DISCOVER: CONCEPTS

5. Page 5Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Definitions
§Risk: Probability that an intentional or
unintentional act will harm resources
§Threat: Any accidental or intentional event
that negatively impacts company resources
§Vulnerability: Inherent weakness that may
enable threats to harm system or networks
Risks, threats, and vulnerabilities affect
confidentiality, integrity, and availability (CIA).

6. Page 6Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Atividade Maliciosa por País

7. Page 7Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Types of Threats
§Malicious software
§Device failure
§Application failure
§Natural disaster
§Intrusive cracker

8. Page 8Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Types of Vulnerabilities
§Insecure servers or services
§Exploitable applications and protocols
§Unprotected system or network resources
§Traffic interception and eavesdropping
§Lack of preventive and protective measures
against malware or automated attacks

9. Page 9Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Vulnerabilidades comuns nos 7 domínios

10. Page 10Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Alvos de ameça nos 7 domínios

11. Page 11Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com

12. Page 12Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com

13. Page 13Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Quem sou eu?

14. Page 14Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Identify the Criminal
Criminal Profile #1
§Victimizes people through unsolicited
e-mail messages to get victim’s money
§Does not rely on intrusive methods to
commit crimes
§Is motivated by financial gain

15. Page 15Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Golpista da Internet

16. Page 16Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Identify the Criminal (Continued)
Criminal Profile #2
§Enters systems without permission to raise
awareness of security issues
§Does not work for the company or its
clients
§Does not intend harm, just tries to be
“helpful”
§Is motivated by impulse

17. Page 17Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Gray-hat hacker

18. Page 18Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Identify the Criminal (Continued)
Criminal Profile #3
§Engages in illegal black market
transactions on the Internet
§Traffics drugs, weapons, or banned
materials
§Is motivated by financial gain

19. Page 19Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Terrorists or traffickers

20. Page 20Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Identify the Criminal (Continued)
Criminal Profile #4
§Enters systems without permission to take
advantage of security issues
§Does not work for the company or its
clients
§Does not intend to help, only wants to
cause harm
§Is motivated by peer acceptance

21. Page 21Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Black-hat hacker or cracker

22. Page 22Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Identify the Criminal (Continued)
Criminal Profile #5
§Intrudes upon systems to verify and
validate security issues
§Works for the company or one of its clients
§Does not intend harm, just tries to be
“helpful”

23. Page 23Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
White-hat hacker

24. Page 24Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com© 2012 Jones and Bartlett Learning, LLC www.jblearning.com
Summary
§Threats are controllable.
§Risks are manageable.
§Vulnerabilities are unavoidable.
§All of these negatively affect the CIA
triad.
§Not all threats are intentional.