Need For Information Security

Why is there a Need for Information Security?
Infosec-IS3A
To prevent data breaches
A data breach is an incident where information is stolen or taken
from a system without the knowledge or authorization of the
system’s owner. A small company or large organization may suffer
a data breach.
Stolen data may involve sensitive, proprietary, or confidential
information such as credit card numbers, customer data, trade
secrets, or matters of national security.
Most data breaches are attributed to hacking or malware attacks. Other frequently
observed breach methods include the following:

● Insider leak: A trusted individual or person of authority with access privileges
steals data.

● Payment card fraud: Payment card data is stolen using physical skimming
devices.

● Loss or theft: Portable drives, laptops, office computers, files, and other physical
properties are lost or stolen.

● Unintended disclosure: Through mistakes or negligence, sensitive data is
exposed.

● Unknown: In a small number of cases, the actual breach method is
unknown or undisclosed.
Phases of a Data Breach

● Research

The attacker, having picked a target, looks for weaknesses to exploit: employees,
systems, or the network. This entails long hours of research on the attacker’s part
and may involve stalking employees’ social media profiles to find what sort of
infrastructure the company has.

● Attack

Having scoped a target’s weaknesses, the attacker makes initial contact either through
a network-based or social attack.

In a network-based attack, the attacker exploits weaknesses in the target’s
infrastructure to instigate a breach. These weaknesses may include, but are
not limited to, SQL injection, vulnerability exploitation, and/or session hijacking.

In a social attack, the attacker uses social engineering tactics to infiltrate the
target network. This may involve a maliciously crafted email sent to an
employee, tailor-made to catch that specific employee’s attention. The email
can phish for information, fooling the reader into supplying personal data to the
sender, or come with a malware attachment set to execute when downloaded.

● Exfiltrate

Once inside the network, the attacker is free to extract data from
the company’s network. This data may be used for either blackmail
or cyberpropaganda. The information an attacker collects can also
be used to execute more damaging attacks on the target’s
infrastructure.
Best Practices
For Enterprises

● Patch systems and networks accordingly. IT administrators should
make sure all systems in the network are patched and updated to prevent
attackers from exploiting vulnerabilities in unpatched or outdated
software.

● Educate and enforce. Inform your employees about the threats, train
them to watch out for social engineering tactics, and introduce and/or
enforce guidelines on how to handle a threat if encountered.

● Implement security measures. Create a process to identify
vulnerabilities and address threats in your network. Regularly perform
security audits and make sure all of the systems connected to your
company network are accounted for.

● Create contingencies. Put an effective disaster recovery plan in place. In
the event of a data breach, minimize confusion by being ready with
contact persons, disclosure strategies, actual mitigation steps, and the
like. Make sure that your employees are made aware of this plan for
proper mobilization once a breach is discovered.
Best Practices
For Employees

● Keep track of your banking receipts. The first sign of being compromised is
finding strange charges on your account that you did not make.

● Don’t believe everything you see. Social engineering preys on the gullible.
Be skeptical and vigilant.

● Be mindful of what you share on social media. Don’t get carried away. If
possible, don’t reveal too much about yourself on your profile.

● Secure all your devices. These devices include laptops, mobile devices, and
wearables. Ensure that they are protected by security software that is always
updated.

● Secure your accounts. Use a different email address and password for each of
your accounts. You may opt to use a password manager to automate the process.

● Do not open emails from unfamiliar senders. When in doubt, delete
suspicious-looking emails without opening them. Always try to verify who the sender is
and the contents of the email before opening any attachment.
To check for compromised credentials and broken authentication

Data breaches and other cyber attacks are usually a result of lax
authentication, weak passwords, and poor certificate or key
management. Companies often struggle with assigning
permissions to appropriate users or departments, resulting in
identity theft.
To avoid account hijacking
Phishing, fraud, and software exploitations are still very
common. Companies relying on cloud services are especially
at risk because they are an easy target for cybercriminals,
who can eavesdrop on activities, modify data and manipulate
transactions. These third-party applications can be used by
attackers to launch other attacks as well.
To mitigate cyber threats from malicious insiders

An existing or former employee, a cunning business partner, a
system administrator or an intruder can destroy the whole
information infrastructure or manipulate data for their own purpose.
Therefore, it is the responsibility of an organization to take effective
measures to control the encryption process and keys. Effective
monitoring, logging, and auditing activities are extremely important
to keep everything under control.
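The "monitoring, logging, and auditing" point is easier to see with a concrete detection. The following is an added example, not part of the slide deck: a small Python audit that runs three insider-threat rules over access-log lines. The log format, the business-hours window (07:00 to 18:59 UTC), the bulk-export threshold of 5000 records and the deprovisioned account name are all constructed assumptions for the example.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed log format: "<ISO timestamp> user=<id> action=<verb> resource=<name> records=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) records=(?P<records>\d+)$"
)
BULK_THRESHOLD = 5000           # assumption: more than this in one export is abnormal
WORK_HOURS = range(7, 19)       # assumption: 07:00-18:59 UTC is business hours
DEPROVISIONED = {"former.contractor"}   # accounts HR says should already be disabled (constructed)

# Constructed sample log lines
SAMPLE_LOG = [
    "2024-03-04T09:12:00Z user=jsmith action=READ resource=customer_db records=20",
    "2024-03-04T02:15:07Z user=jsmith action=EXPORT resource=customer_db records=12000",
    "2024-03-04T10:05:44Z user=former.contractor action=READ resource=payroll records=3",
    "2024-03-04T14:30:00Z user=ops.admin action=UPDATE resource=hr_records records=1",
]


def parse_line(line: str) -> Optional[Dict]:
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # fromisoformat() accepts "+00:00" on every supported Python; "Z" only on 3.11+
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {
        "ts": ts,
        "user": m["user"],
        "action": m["action"],
        "resource": m["resource"],
        "records": int(m["records"]),
    }


def audit_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs. Unparseable lines are reported rather than
    silently dropped, because a log that stops parsing is itself a warning sign."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            findings.append(("<parser>", f"unparseable line: {line.strip()!r}"))
            continue
        # Rule 1: any activity from an account that should no longer exist
        if ev["user"] in DEPROVISIONED:
            findings.append((ev["user"], "activity from a deprovisioned account"))
        # Rule 2: bulk export of records (data staging before exfiltration)
        if ev["action"] == "EXPORT" and ev["records"] > BULK_THRESHOLD:
            findings.append((ev["user"],
                             f"bulk export of {ev['records']} records from {ev['resource']}"))
        # Rule 3: activity outside business hours
        hour = ev["ts"].astimezone(timezone.utc).hour
        if hour not in WORK_HOURS:
            findings.append((ev["user"],
                             f"out-of-hours activity at {ev['ts'].strftime('%H:%M')} UTC"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_log(SAMPLE_LOG):
        print(f"{user}: {finding}")
```

On the sample log the second line trips two rules at once (a bulk export at 02:15), which is the kind of correlation a reviewer wants surfaced together rather than as two unrelated alerts.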
Information Security Policy
An Information Security Policy (ISP) is a set of rules that guide
individuals when using IT assets. Companies can create information
security policies to ensure that employees and other users follow
security protocols and procedures. Security policies are intended to
ensure that only authorized users can access sensitive systems and
information.
What policies should you include?

Your policies will depend on your organisation’s needs, so it’s
impossible to say which ones are mandatory.
■ Remote access
If employees are permitted to work remotely – or if you give
them the option of checking their work emails in their spare time
– you will need a remote access policy.
The policy will therefore need to set out the
organisation’s position on accessing the network
remotely. It might, for instance, say that remote access
is forbidden, that it can only be done over VPN, or that
only certain parts of the network should be accessible
remotely.
■ Password management
Your password policy should acknowledge the risks that come
with poor credential habits and establish means of mitigating the
risk of password breaches.
But unless employees secure their accounts with strong passwords,
criminal hackers will be able to crack them in seconds.
Organisations must mitigate this risk by creating strict rules on
what constitutes an acceptable password.
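To make "strict rules on what constitutes an acceptable password" concrete, here is an added example (not part of the slide deck) of a policy check in Python. It enforces the minimum the deck later asks for in its prevention tips (letters, numbers and special characters, at least 10 characters in total), rejects passwords found in a breach corpus, and rejects reuse across accounts. The breached-password list is a constructed sample; the SHA-1 digests stand in for how such corpora are commonly distributed, not for how passwords should be stored.

```python
import hashlib
import re
from typing import Iterable, List

MIN_LENGTH = 10   # the deck's later tip: minimum 10 characters in total

# Constructed sample of a "known breached" corpus. Breach lists are usually
# distributed as SHA-1 digests so the plaintexts never have to be shipped.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password123", "Welcome2024!", "qwerty!2345")
}


def sha1_hex(password: str) -> str:
    """Digest used only for corpus lookup, never for storing credentials."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def check_password(password: str, used_elsewhere: Iterable[str] = ()) -> List[str]:
    """Return every policy violation for *password* (empty list = acceptable).

    used_elsewhere: SHA-1 digests of passwords this user already uses on other
    accounts, so reuse can be rejected without keeping their plaintexts around.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        violations.append("no letters")
    if not re.search(r"[0-9]", password):
        violations.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no special characters")
    digest = sha1_hex(password)
    if digest in BREACHED_SHA1:
        violations.append("appears in a known breach corpus")
    if digest in set(used_elsewhere):
        violations.append("reused from another account")
    return violations


def is_acceptable(password: str, used_elsewhere: Iterable[str] = ()) -> bool:
    return not check_password(password, used_elsewhere)


if __name__ == "__main__":
    for candidate in ("short1!", "Welcome2024!", "correcthorsebattery", "Tr0ub4dor&3-lamp"):
        print(f"{candidate!r}: {check_password(candidate) or 'acceptable'}")
```

Note that "Welcome2024!" satisfies every composition rule and is still rejected: the corpus check is what catches the passwords attackers try first, which is why it belongs in the policy alongside length and character-class rules.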
■ Acceptable use
Managers often worry about staff doing non-work-related activities
during office hours. However, they should be more concerned about
what employees are doing than when they’re doing it.
But they should draw the line at activities that could affect the organisation’s
security, like visiting dodgy websites, installing potentially insecure apps or sharing
work information with people who don’t work at the organisation.

You can prevent much of the risk by blocking certain websites. However, this isn’t a
fool-proof system, so you should also include a policy prohibiting employees from
visiting any site that you deem unsafe.
ACTIVITY (25mins)
In your three years of stay in DLSL, what Information Security Policy will you be
proposing? List down at least 5 policies as guide in following security protocols
and procedures.
Top Information Security Threats
Unsecure or Poorly Secured Systems
The speed of technological development often leads to compromises
in security measures.
In other cases, systems are developed without security in mind, and
remain in operation at an organization as legacy systems.
Organizations must identify these poorly secured systems, and
mitigate the threat by securing or patching them, decommissioning
them, or isolating them.
Social Media Attacks
Many people have social media accounts, where they often unintentionally
share a lot of information about themselves. Attackers can launch attacks
directly via social media, for example by spreading malware via social media
messages, or indirectly, by using information obtained from these sites to
analyze user and organizational vulnerabilities, and use them to design an
attack.
Social Engineering
Social engineering involves attackers sending emails and messages that trick users into
performing actions that may compromise their security or divulge private information.
Attackers manipulate users using psychological triggers like curiosity, urgency or fear.

Because the source of a social engineering message appears to be trusted, people are more
likely to comply, for example by clicking a link that installs malware on their device, or by
providing personal information, credentials, or financial details.

Organizations can mitigate social engineering by making users aware of its dangers and
training them to identify and avoid suspected social engineering messages. In addition,
technological systems can be used to block social engineering at its source, or prevent users
from performing dangerous actions such as clicking on unknown links or downloading
unknown attachments.
Malware on Endpoints
Organizational users work with a large variety of endpoint devices, including desktop
computers, laptops, tablets, and mobile phones, many of which are privately owned
and not under the organization’s control, and all of which connect regularly to the
Internet.

A primary threat on all these endpoints is malware, which can be transmitted by a
variety of means, can result in compromise of the endpoint itself, and can also lead to
privilege escalation to other organizational systems.

Traditional antivirus software is insufficient to block all modern forms of malware, and
more advanced approaches to securing endpoints are developing, such as endpoint
detection and response (EDR).
Lack of Encryption
Encryption processes encode data so that it can only be decoded by users
with secret keys. It is very effective in preventing data loss or corruption in
case of equipment loss or theft, or in case organizational systems are
compromised by attackers.

Unfortunately, this measure is often overlooked due to its complexity and lack
of legal obligations associated with proper implementation. Organizations are
increasingly adopting encryption, by purchasing storage devices or using
cloud services that support encryption, or using dedicated security tools.
Security Misconfiguration

Enterprise grade platforms and cloud services have security features, but these
must be configured by the organization. Security misconfiguration due to
negligence or human error can result in a security breach. Another problem is
“configuration drift”, where correct security configuration can quickly become out of
date and make a system vulnerable, unbeknownst to IT or security staff.

Organizations can mitigate security misconfiguration using technological platforms
that continuously monitor systems, identify configuration gaps, and alert or even
automatically remediate configuration issues that make systems vulnerable.
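The core of a drift-monitoring platform is a comparison of what is deployed against a hardened baseline. The following is an added example (not part of the slide deck) of that comparison in Python. The baseline keys resemble OpenSSH sshd_config directives, but the values are illustrative policy, the parser is a generic "Key value" reader, and the decision to report a directive that appears twice with different values as "ambiguous" (instead of picking one) is this example's own choice, not the server's precedence rule.

```python
from typing import Dict, List, Tuple

# Hardened baseline (constructed; directive names only resemble sshd_config)
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}

# Constructed sample of a config that has drifted from the baseline
SAMPLE_CONFIG = """\
# managed by ops; last reviewed 2024-01
PermitRootLogin no
PasswordAuthentication yes   # re-enabled "temporarily" during an outage
X11Forwarding no
MaxAuthTries 3
MaxAuthTries 6
"""


def parse_config(text: str) -> Dict[str, List[str]]:
    """Collect every occurrence of each 'Key value' directive, in file order.
    Blank lines and '#' comments (full-line or trailing) are ignored."""
    occurrences: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # a bare key with no value is not a setting
        occurrences.setdefault(parts[0], []).append(parts[1].strip())
    return occurrences


def audit(current_text: str, baseline: Dict[str, str] = BASELINE) -> List[Tuple[str, str, str]]:
    """Return (directive, expected, observed) for every gap against the baseline.
    observed is '<missing>' when the directive is absent, and 'ambiguous: ...'
    when it is set more than once with conflicting values."""
    findings = []
    observed = parse_config(current_text)
    for key, expected in baseline.items():
        values = observed.get(key)
        if not values:
            findings.append((key, expected, "<missing>"))
        elif len(set(values)) > 1:
            findings.append((key, expected, "ambiguous: " + " / ".join(values)))
        elif values[0] != expected:
            findings.append((key, expected, values[0]))
    return findings


if __name__ == "__main__":
    for key, expected, observed in audit(SAMPLE_CONFIG):
        print(f"{key}: expected {expected!r}, found {observed!r}")
```

Running this on a schedule and diffing the findings against the previous run is what turns a one-off audit into the continuous monitoring the slide describes; the "missing" case matters because a directive that was deleted silently falls back to whatever the software's default is.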
Active and Passive Attacks
Information security is intended to protect organizations against
malicious attacks.
There are two primary types of attacks: active and passive.
Active attacks are considered more difficult to prevent, and the
focus is on detecting, mitigating and recovering from them.
Passive attacks are easier to prevent with strong security
measures.
Active Attack
An active attack involves intercepting a communication or message and altering it for
malicious effect. There are three common variants of an active attack:
● Interruption—the attacker interrupts the original communication and creates new,
malicious messages, pretending to be one of the communicating parties.
● Modification—the attacker uses existing communications, and either replays them
to fool one of the communicating parties, or modifies them to gain an advantage.
● Fabrication—creates fake, or synthetic, communications, typically with the aim of
achieving denial of service (DoS). This prevents users from accessing systems or
performing normal operations.
Passive Attack

● In a passive attack, an attacker monitors a system and
illicitly copies information without altering it. They then use this
information to disrupt networks or compromise target systems.
● The attackers do not make any change to the communication or the
target systems. This makes it more difficult to detect. However,
encryption can help prevent passive attacks because it obfuscates the
data, making it more difficult for attackers to make use of it.
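The active/passive distinction maps onto two different controls, and the following added example (not part of the slide deck) shows that in Python using only the standard library. A sender tags each message with an HMAC over a sequence number and the body; the receiver rejects anything whose tag fails (modification, fabrication, impersonation) and anything whose sequence number does not advance (replay). The same frame is then shown to be fully readable by an eavesdropper, because a MAC gives integrity but not confidentiality: that remaining gap is the passive attack the slide says encryption addresses. The shared key and the messages are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Shared secret between the two parties (constructed for the example; a real
# deployment derives it from a key exchange and never hard-codes it)
KEY = b"constructed-shared-secret-for-demo"


def make_message(key: bytes, seq: int, body: str) -> bytes:
    """Frame a message as seq|body|tag with tag = HMAC-SHA256 over 'seq|body'.
    The sequence number is under the tag, so it cannot be edited either."""
    payload = f"{seq}|{body}".encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode("ascii")
    return payload + b"|" + tag


class Receiver:
    """Accepts a frame only if its tag verifies and its sequence number advances."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1      # highest sequence number accepted so far

    def accept(self, frame: bytes) -> Tuple[Optional[str], str]:
        """Return (body, 'ok'), or (None, reason) when the frame is rejected."""
        payload, sep, tag = frame.rpartition(b"|")
        seq_str, sep2, body = payload.partition(b"|")
        if not sep or not sep2 or not seq_str.isdigit():
            return None, "malformed frame"
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode("ascii")
        # Constant-time comparison so the check does not leak how many bytes matched
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag: message modified or fabricated"
        seq = int(seq_str)
        if seq <= self.last_seq:
            return None, f"replay: seq {seq} already seen"
        self.last_seq = seq
        return body.decode("utf-8"), "ok"


def demo() -> Dict[str, str]:
    """Run each active-attack variant, plus the passive case, against one receiver."""
    rx = Receiver(KEY)
    genuine = make_message(KEY, 1, "transfer 100 to account 42")
    results = {"genuine": rx.accept(genuine)[1]}
    # Modification: the amount is edited in transit, so the tag no longer matches
    results["modified"] = rx.accept(genuine.replace(b"100", b"900"))[1]
    # Replay: the untouched, correctly tagged frame is delivered a second time
    results["replayed"] = rx.accept(genuine)[1]
    # Fabrication / interruption: a new frame built without the shared key
    results["fabricated"] = rx.accept(make_message(b"not-the-real-key", 2, "transfer 999 to account 7"))[1]
    # Passive: integrity protection leaves the body readable on the wire
    results["passive_readable"] = "yes" if b"transfer 100" in genuine else "no"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The replay check depends on the receiver remembering state across messages; a stateless verifier would accept the replayed frame, which is why the slide's "replays them" variant needs more than a correct MAC to defeat.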
The Data Privacy Act of 2012 (Philippines)
The Data Privacy Act is a 21st century law to address 21st century crimes and
concerns. It (1) protects the privacy of individuals while ensuring
free flow of information to promote innovation and growth; (2)
regulates the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of personal data;
and (3) ensures that the Philippines complies with international
standards set for data protection through National Privacy
Commission (NPC).
The right to be informed
Under R.A. 10173, your personal data is treated almost literally in the same way as
your own personal property. Thus, it should never be collected, processed and stored
by any organization without your explicit consent, unless otherwise provided by law.
Information controllers usually solicit your consent through a consent form. Aside from
protecting you against unfair means of personal data collection, this right also requires
personal information controllers (PICs) to notify you if your data have been
compromised, in a timely manner.
As a data subject, you have the right to be informed that your personal data will be, are
being, or were, collected and processed.
The Right to be Informed is a most basic right as it empowers you as a data subject to
consider other actions to protect your data privacy and assert your other privacy rights.
Philippine DPA at a glance: four principles
The Philippine DPA is based on four General Data Privacy Principles –
Transparency, Legitimate Purpose, Proportionality, and Accountability. These
principles should govern the way organisations collect, use, and store personal
data.

Transparency entails organisations being clear with data
subjects, or an individual whose personal information is being
processed, about the purpose of collection and processing of
personal data.

Personal information controllers should also have a legitimate purpose
for processing.
This means that data should be processed fairly and lawfully.
The purpose of data processing should fall under one of these criteria to
be legitimate – to comply with a legal obligation, to perform a contract
obligation, to protect the vital interest of the data subject, to protect
public interest, to fulfill a legitimate business interest, or if the data
subject has given his consent.

Proportionality, on the other hand, prohibits Personal Information Controllers
and Processors (PICs and PIPs) from excessive collection, processing, and
storage of data. Personal data must be used only according to the declared
purpose.

PICs and PIPs demonstrate accountability for the data entrusted to them by
implementing measures to secure the data, by retaining data only for as long as
is necessary, and by governing data sharing with third parties and data transfer
arrangements.
The eight rights under the DPA

Aside from these four general principles, the DPA also specifies eight rights of data
subjects. Organisations should ensure that these rights are upheld as they collect,
use, and store the personal data of their customers or employees. These eight
rights include:

1. The right to be informed

Data subjects should be informed that their personal data will be collected,
processed, stored. Consent should be obtained when necessary.

2. The right to access

Data subjects have the right to obtain a copy of the personal information that an
organisation may possess about them.

3. The right to object

Data subjects can object to processing if it is based on consent or legitimate
business interest.

4. The right to erasure or blocking

Data subjects have the right to withdraw or order the removal of their personal
data when their rights are violated.

5. The right to damages

Data subjects can claim compensation for damages due to unlawfully
obtained or unauthorised use of personal data.

6. The right to file a complaint

Data subjects can file a complaint with the National Privacy Commission if their
personal data was misused.

7. The right to rectify

Data subjects have the right to correct any inaccuracy in the personal data an
organisation possesses about them.

8. The right to data portability

Data subjects should be able to electronically move, copy or transfer the data an
organisation holds about them, facilitating free flow of information according to the
data subject’s preferences.
Top 10 Cybercrime Prevention Tips
1. Use Strong Passwords
Use different user ID / password combinations for different accounts and
avoid writing them down. Make the passwords more complicated by
combining letters, numbers, special characters (minimum 10 characters in
total) and change them on a regular basis.
2. Secure your computer: Activate your firewall
Firewalls are the first line of cyber defense; they block connections to
unknown or bogus sites and will keep out some types of viruses and
hackers.
3. Be Social-Media Savvy
Make sure your social networking profiles (e.g. Facebook, Twitter, Youtube, MSN,
etc.) are set to private. Check your security settings. Be careful what information you
post online. Once it is on the Internet, it is there forever!
4. Secure your Mobile Devices
Be aware that your mobile device is vulnerable to viruses and hackers. Download
applications from trusted sources.
5. Install the latest operating system updates
Keep your applications and operating system (e.g. Windows, Mac, Linux) current with
the latest system updates. Turn on automatic updates to prevent potential attacks on
older software.
6. Protect your Data
Use encryption for your most sensitive files such as tax returns or financial
records, make regular back-ups of all your important data, and store it in
another location.
7. Secure your wireless network
Wi-Fi (wireless) networks at home are vulnerable to intrusion if they are not
properly secured. Review and modify default settings. Public Wi-Fi, a.k.a. “Hot
Spots”, are also vulnerable. Avoid conducting financial or corporate
transactions on these networks.
8. Protect your e-identity
Be cautious when giving out personal information such as your name, address,
phone number or financial information on the Internet. Make sure that websites
are secure (e.g. when making online purchases) or that you’ve enabled privacy
settings (e.g. when accessing/using social networking sites).
9. Avoid being scammed
Always think before you click on a link or file of unknown origin. Don’t feel
pressured by any emails. Check the source of the message. When in doubt, verify
the source. Never reply to emails that ask you to verify your information or confirm
your user ID or password.
10. Call the right person for help
Don’t panic! If you are a victim, if you encounter illegal Internet content
(e.g. child exploitation) or if you suspect a computer crime, identity
theft or a commercial scam, report this to your local police. If you need
help with maintenance or software installation on your computer,
consult with your service provider or a certified computer technician.
