1.6 Systems Security - Coggle Diagram
Threats posed to networks
Denial of Service Attack
- Loss of access to service for customers
- Lost revenue
- Lower productivity
- Damage to reputation
Data Interception and Theft
- Theft of data; usernames and passwords compromised, allowing unauthorised access
- Disclosure of corporate data
Brute-force attacks
- Theft of data and access to corporate systems
SQL Injection
- Contents of databases can be output, revealing private data
- Data in databases can be amended or deleted
- New rogue records can be added to the database
Phishing
- Gaining access to high-value corporate data
- Accessing a victim's account to withdraw money or purchase merchandise
- Opening bank accounts and credit cards, cashing illegitimate cheques
- Financial services can blacklist a company, resulting in a bad reputation
People as a weak point
- Not installing operating system updates
- Not keeping anti-malware up to date
- Not locking doors to computer rooms
- Not logging off or locking their computers
- Leaving printouts on their desks
- Writing passwords down on sticky notes and attaching them to computers
- Sharing passwords
- Losing memory sticks/laptops
- Not applying security to wireless networks and not encrypting data
Malware
- Files are deleted, become corrupt or are encrypted
- Computers crash, reboot spontaneously and slow down
- Internet connections become slow
- Keyboard inputs are logged and sent to hackers
Poor network policy
- Poor data protection policy and acceptable use agreements
- Poorly set permissions to access servers, file systems and databases
- Network managers who do not understand, identify and actively protect against vulnerabilities
Identifying and preventing vulnerabilities
Data Interception and Theft
- Staff training: use of passwords, locking computers, logging off, use of portable media
- Using virtual networks
- Network forensics
- Encryption
Brute-Force Attacks
- Network lockout policy: locks the account after 3 failed attempts
- Using progressive delays between attempts
- Staff training (using effective passwords with symbols, letters, numbers and mixed case)
- Using challenge-response, e.g. "I am not a bot" and reCAPTCHA
Phishing
- Staff training: awareness of spotting fake emails and websites
- Staff training: not disclosing personal or corporate information
- Staff training: disabling browser pop-ups
- Strong security software
SQL Injection
- Validation on input boxes and using parameterised queries
- Setting database permissions
- Penetration testing
Malware
- Strong security software (firewall, spam filter, anti-virus, anti-spyware, anti-spam)
- Enabling OS security and software updates
- Staff training: being cautious of opening email attachments and downloading software
- Backing up files regularly onto removable media
Denial of Service
- Strong firewall and packet filters on routers
- Configuring web servers
- Auditing, logging and monitoring of systems
Forms of Attack
Brute-Force Attack
- A trial-and-error method of attempting passwords and PIN numbers. Automated software is used to generate a large number of consecutive guesses, e.g. trying every word in the dictionary.
Data Interception and Theft
- The unauthorised act of stealing computer-based information from an unknowing victim with the intent of compromising privacy or obtaining confidential information.
Phishing
- The fraudulent practice of sending emails that appear to be from reputable companies in order to induce individuals to reveal personal information, e.g. passwords and credit card numbers.
SQL Injection
- A technique used to view or change data in a database by inserting additional code into a text input box, creating a different search string. E.g. Smith OR ==
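As an added example (not part of the Coggle diagram), the search box described above and the "validation on input boxes and using parameterised queries" prevention from the earlier section, side by side in Python with an in-memory SQLite database. The table, rows and crafted input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a small customer table (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [
        ("Smith", "smith@example.com"),
        ("Jones", "jones@example.com"),
        ("Patel", "patel@example.com"),
    ])
    return conn


def search_vulnerable(conn, name):
    # The text box contents are pasted straight into the SQL string, so a quote
    # character in the input changes the search condition itself.
    query = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def search_parameterised(conn, name):
    # The query structure is fixed; the database treats the parameter as data only,
    # so the same input is looked up literally and cannot alter the condition.
    query = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def validate_name(name):
    # Input validation as a second layer: this form only accepts plain letters,
    # so anything containing quotes or SQL keywords is rejected before the query.
    return name.isalpha() and 0 < len(name) <= 50


if __name__ == "__main__":
    conn = make_db()
    ordinary = "Smith"
    crafted = "Smith' OR '1'='1"  # constructed input in the spirit of the "Smith OR" example above
    print(search_vulnerable(conn, ordinary))    # one row, as intended
    print(search_vulnerable(conn, crafted))     # every row: the condition is now always true
    print(search_parameterised(conn, crafted))  # no rows: no customer has that literal name
    print(validate_name(crafted))               # False: rejected before reaching the database
```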
Malware
- Software which is specifically designed to disrupt, damage or gain unauthorised access to a computer system. E.g. viruses, worms, trojan horses, ransomware, spyware, adware, scareware.