University Information Security Awareness Report: An Overview

Added on  2021/09/14

Running head: INFORMATION SECURITY AWARENESS
Information Security Awareness
Name of the Student
Name of the University
Author’s Note:
Table of Contents
6. Most attacks are targeted........................................................................................................2
Targeted by application..........................................................................................................2
Targeted by OS via phishing, 0day and ports..........................................................3
Targeted as an industry..........................................................................................................3
7. Everyone is responsible for security......................................................................................4
Education is key to security...................................................................................................4
8. Countermeasures....................................................................................................................4
Passwords...............................................................................................................................4
Locking computers.................................................................................................................5
Attachments............................................................................................................................5
Phishing..................................................................................................................................5
Social engineering..................................................................................................................5
References..................................................................................................................................6
6. Most attacks are targeted
Targeted by application
A targeted attack is a specific attack that probes systems in order to breach the
security measures of a particular organization (Crossler et al.). The initial attacks are
conducted to gain access to the network or computer and are eventually followed by the
actual exploits, which are designed to damage organizational resources and to steal data.
Disruption of services is the most common form of such attack. These attacks are often
targeted by application. The major attacks targeted by application are as follows:
i) Cross Site Scripting: This is a type of computer security threat found in web
applications (Von Solms and Van Niekerk). An XSS attack enables hackers to inject
client-side scripts into web pages that are viewed by other users. Attackers may use cross
site scripting to bypass access controls.
ii) SQL Injection: This is a type of code injection used to attack data-driven
applications, where malicious SQL statements are inserted into an entry field for execution.
A security vulnerability within the application software is exploited (Peltier). These
attacks enable attackers to spoof identities and tamper with existing data, causing
repudiation issues.
iii) LDAP Injection: This is an attack technique used to exploit websites that
construct LDAP statements from user-supplied input. The querying or manipulation of
directory services is disrupted by these attacks (Siponen, Mahmood and Pahnila). This
application attack often leaves the organization vulnerable.
iv) XML Injection: Another significant application attack is XML injection. This
attack technique is used to manipulate and compromise the logic of an XML service or
application (Peltier). Injecting unintended XML content or structures into an XML message
can substantially alter the intended logic of the application.
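The SQL and LDAP injection attacks described above share one root cause: untrusted input is spliced into a statement whose structure that input can then change. The example below is added here and is not taken from the report; it uses an in-memory SQLite table with constructed rows to contrast a string-built login query with a parameterized one, and an RFC 4515 escaping function for LDAP filter values. The table, usernames and the `ldap_user_filter` helper are assumptions for illustration.

```python
# Added example (not from the report): string-built SQL and LDAP filters are
# injectable; parameters (SQL) and value escaping (LDAP) keep input as data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table, entirely in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    # Untrusted input is concatenated into the statement text, so the
    # input can rewrite the WHERE clause instead of being compared as a value.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username: str, password: str) -> list:
    # Placeholders fix the statement structure; the driver passes the
    # values separately, so quotes in the input never reach the parser.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# RFC 4515 filter-value escapes: these characters would otherwise let a
# value close the current filter element and open a new one.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_user_filter(username: str) -> str:
    """Hypothetical directory lookup filter built from an escaped username."""
    return f"(&(objectClass=person)(uid={ldap_escape_filter_value(username)}))"
```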
Targeted by OS via phishing, 0day and ports
The operating system of the organization is often attacked via phishing, 0day and
ports.
i) Phishing: Phishing is a fraudulent attempt to obtain sensitive information such as
usernames, passwords or credit card details for a malicious purpose. It is done by
disguising as a trustworthy entity in electronic communications (Andress). The OS is
attacked through phishing and the information is gathered.
ii) 0Day Attacks: This is a type of vulnerability through which hackers can exploit the
OS to adversely affect programs, data and the network.
iii) Port Attacks: In a port scan attack, the attacker launches a port scan to check
whether the OS ports are open or not. The attacker sends packets to the machine, changing
the destination port each time. This gives an idea of the OS being used and thus makes
exploitation easier.
Targeted as an industry
Industry-targeted attacks are those that target a specific industry (Singh). The IT
sector is often distracted and disrupted by these attacks, since it cannot track them
easily, and hence major vulnerabilities arise.
7. Everyone is responsible for security
Education is key to security
According to Safa, Rossouw and Steven, security awareness is extremely important for
the employees or staff of any organization. Such awareness can be described as the
knowledge and attitude of the members of the company about the basic protection of the
physical and informational assets of that company. Nondisclosure agreements are effective
in this case, and two-factor authentication and password policies are also used. This type
of training or education is vital for the organization to understand the importance of
security (Peltier). Moreover, sensitive and confidential information in physical form must
be handled properly; covering destruction, marking, storage and transmission makes this
easier. Employees should also be trained on the security concerns of malware, social
engineering and phishing, and take the necessary actions to stop them.
8. Countermeasures
Passwords
The most significant countermeasure for stopping the various vulnerabilities of an
organization is the use of passwords. A password is a word or string of characters used
for user authentication, to prove identity or access approval in order to gain access to
resources (Singh). Passwords are kept secret and access is not allowed to everyone. Some
passwords are formed from several words and are termed passphrases. All organizations have
a password policy for their employees and clients.
Locking computers
Another noteworthy countermeasure that is extremely effective in mitigating any type
of threat or vulnerability is locking computers or systems. Such locking can be done using
passwords, face recognition or a fingerprint recognition system (Crossler et al.). These
are extremely effective compared with other countermeasures.
Attachments
Attachments sent via email or fax should be checked beforehand, so that organizational
assets are not left vulnerable to IT threats or malware. Moreover, effective anti-spam
technology is also useful for identifying spam messages or mails.
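One concrete form of the attachment check recommended above is to compare the file's declared extension with what its leading bytes say it is, so a disguised executable or a blocked script type is quarantined before delivery. The code below is an added example and not from the report; the magic-byte table, blocked-type list and sample byte strings are constructed for illustration.

```python
# Added example (not from the report): pre-delivery attachment check that
# quarantines blocked types and extension/content mismatches.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                 # Windows PE executables start with "MZ"
    b"PK\x03\x04": "zip",         # ZIP container, also used by docx/xlsx/pptx
    b"\x89PNG\r\n\x1a\n": "png",
}
# Office formats that are legitimately ZIP containers under the hood.
ZIP_BASED = {"zip", "docx", "xlsx", "pptx"}
# Extensions / content types this (assumed) policy refuses outright.
BLOCKED = {"exe", "js", "vbs", "scr", "bat"}


def sniff_type(data: bytes) -> str:
    """Identify the content type from leading bytes, or 'unknown'."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason); verdict is 'allow' or 'quarantine'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_type(data)
    if ext in BLOCKED or kind in BLOCKED:
        return ("quarantine", f"blocked type: ext={ext} content={kind}")
    if kind == "zip" and ext in ZIP_BASED:
        return ("allow", "zip-based office document")
    if kind != "unknown" and kind != ext:
        return ("quarantine", f"extension '{ext}' does not match content '{kind}'")
    return ("allow", "ok")
```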
Phishing
Implementing a spam filter is the most effective and efficient method of protecting
organizational data or resources against phishing attacks. Moreover, systems should be
kept upgraded with the latest security updates and patches (Andress). Installing antivirus
software and developing a security policy are further techniques for stopping phishing.
Social engineering
Social engineering attacks such as pretexting, baiting and many others can be stopped
by using antivirus, antimalware and email filtering software. Moreover, employees should
be trained properly and the security policies should be extremely clear to them (Von Solms
and Van Niekerk). Another effective method for stopping such vulnerabilities is limiting
access to confidential organizational information.
References
Andress, Jason. The Basics of Information Security: Understanding the Fundamentals of
InfoSec in Theory and Practice. Syngress, 2014.
Crossler, Robert E., et al. "Future directions for behavioral information security
research." Computers & Security 32 (2013): 90-101.
Peltier, Thomas R. Information Security Fundamentals. CRC Press, 2013.
Peltier, Thomas R. Information Security Policies, Procedures, and Standards: Guidelines for
Effective Information Security Management. Auerbach Publications, 2016.
Safa, Nader Sohrabi, Rossouw Von Solms, and Steven Furnell. "Information security policy
compliance model in organizations." Computers & Security 56 (2016): 70-82.
Singh, Gurpreet. "A study of encryption algorithms (RSA, DES, 3DES and AES) for
information security." International Journal of Computer Applications 67.19 (2013).
Siponen, Mikko, M. Adam Mahmood, and Seppo Pahnila. "Employees' adherence to
information security policies: An exploratory field study." Information & Management 51.2
(2014): 217-224.
Von Solms, Rossouw, and Johan Van Niekerk. "From information security to cyber
security." Computers & Security 38 (2013): 97-102.