Academic year: 2017

Security+ Guide to Network Security Fundamentals, Third Edition

Chapter 1

Objectives

• Describe the challenges of securing information
• Define information security and explain why it is important
• Identify the types of attackers that are common today
• List the basic steps of an attack
• Describe the five steps in a defense

Challenges of Securing Information

• There is no simple solution to securing information
• This can be seen through the different types of attacks that users face today

Today’s Security Attacks

• Typical warnings:
– A malicious program was introduced at some point in the manufacturing process of a popular brand of digital photo frames
– A Nigerian e-mail scam claimed to be sent from the U.N.
– “Booby-trapped” Web pages are growing at an increasing rate
– A new worm disables Microsoft Windows Automatic Updating and the Task Manager

Today’s Security Attacks (continued)

• Typical warnings: (continued)
– The Anti-Phishing Working Group (APWG) reports that the number of unique phishing sites continues to increase
– Researchers at the University of Maryland attached four computers equipped with weak passwords to the Internet for 24 days to see what would happen

Today’s Security Attacks (continued)

• Security statistics bear witness to the continual success of attackers:
– TJX Companies, Inc. reported that over 45 million customer credit card and debit card numbers were stolen by attackers over an 18-month period from 2005 to 2007
– Table 1-1 lists some of the major security breaches that occurred during a three-month period
– The total average cost of a data breach in 2007 was $197 per record compromised


Difficulties in Defending against Attacks

• Difficulties include the following:
– Speed of attacks (now faced with zero-day attacks)
– Greater sophistication of attacks
– Simplicity of attack tools
– Attackers can detect vulnerabilities more quickly and more readily exploit them
– Delays in patching hardware and software products
– Most attacks are now distributed attacks, instead of


What Is Information Security?

Defining Information Security

• Security can be considered as a state of freedom from a danger or risk
– This state or condition of freedom exists because protective measures are established and maintained
• Information security
– The tasks of guarding information that is in a digital format
– Ensures that protective measures are properly implemented

Defining Information Security (continued)

• Information security is intended to protect information that has value to people and organizations
– This value comes from the characteristics of the information:
• Confidentiality
• Integrity
• Availability


Defining Information Security (continued)

• A more comprehensive definition of information security is:
That which protects the integrity, confidentiality, and availability (CIA) of information on the devices that store, manipulate (process), and

Information Security Terminology

• Asset
– Something that has a value (examples?)
• Threat
– An event or object that may defeat the security measures in place and result in a loss (examples?)
• Threat agent
– A person or thing that has the power to carry out a threat (examples?)

Information Security Terminology (continued)

• Vulnerability
– A weakness that allows a threat agent to bypass security (e.g. configuration errors or software “bugs”)
• Risk
– The likelihood, or probability, that a threat agent will exploit a vulnerability

Information Security Terminology (continued)

• Once a risk is identified, its impact must then be calculated
• Would the loss of the stereo really be the threat, or the impact?
• If it is the impact, what then is the threat?

Information Security Terminology

Loss of USB Thumb Drive with PII Example

Asset: Customer data
Threat: Loss or theft of equipment with data
Threat agent: Employee or thief
Vulnerability: USBs are easily lost or misplaced; data is in plain text on the drives
Impact: Loss of PII results in heavy fines and loss of customer confidence (loss of sales)
Mitigation: Enable encryption on all drives
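The vulnerability in the example above is PII sitting in plain text on a removable drive. Before the mitigation (encrypting every drive) can be rolled out, you need a check that finds which drives actually carry such data. The Python script below is an added example, not code from the slides or the textbook: it scans a set of files for payment card numbers and U.S. Social Security numbers, and validates each card candidate with the Luhn checksum so that an arbitrary 16-digit order number is not reported as a card. The file contents are constructed for the example; the card numbers are published test numbers and the SSNs are synthetic.

```python
import re

# Constructed sample files, as they might sit on a lost thumb drive. The card
# numbers are published test numbers and the SSNs are synthetic: nothing is real.
SAMPLE_FILES = {
    "customers.csv": (
        "name,card,ssn\n"
        "Alice,4111 1111 1111 1111,078-05-1120\n"
        "Bob,5500-0000-0000-0004,219-09-9999\n"
    ),
    # A 16-digit order number that is NOT a card: it fails the Luhn check.
    "notes.txt": "Order 1234567890123456 shipped; call 555-0100 with questions.\n",
    "readme.txt": "Nothing sensitive here. Version 2.0.1 build 20170301\n",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# U.S. SSN in nnn-nn-nnnn form; excludes area 000, 666 and 9xx and all-zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card issuers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself does not leak PII."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str):
    """Return a list of (kind, masked_value) findings for one file's contents."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group(0)[-4:]))
    return findings


def scan_files(files: dict):
    """Map each file name to its findings; files with no PII are omitted."""
    report = {}
    for name, content in files.items():
        found = scan_text(content)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for name, found in scan_files(SAMPLE_FILES).items():
        print(name)
        for kind, value in found:
            print(f"  {kind}: {value}")
```

The report masks every value it finds, because a scan log full of card numbers would simply recreate the vulnerability somewhere else. The Luhn check removes most false positives on long digit strings, but it is only a checksum, so treat a hit as a reason to look at the file, not as proof by itself.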


Understanding the Importance of Information Security

• Preventing data theft
– Security is often associated with theft prevention
– The theft of data is one of the largest causes of financial loss due to an attack
– Individuals are often victims of data thievery
• Thwarting identity theft
– Identity theft involves using someone’s personal information to establish bank or credit card accounts

Understanding the Importance of Information Security (continued)

• Avoiding legal consequences
– A number of federal and state laws have been enacted to protect the privacy of electronic data
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• The Sarbanes-Oxley Act of 2002 (Sarbox, or SOX)
• The Gramm-Leach-Bliley Act (GLBA)
• USA Patriot Act (2001)
• The California Database Security Breach Act (2003)

Understanding the Importance of Information Security (continued)

• Maintaining productivity

Understanding the Importance of Information Security (continued)

• Foiling cyberterrorism
• Cyberterrorism
– Attacks by terrorist groups using computer technology and the Internet
– Utility, telecommunications, and financial services companies are considered prime targets of

Who Are the Attackers?

• The types of people behind computer attacks are generally divided into several categories

Hackers

• Hacker
– Generic sense: anyone who illegally breaks into or attempts to break into a computer system
– Narrow sense: a person who uses advanced computer skills to attack computers only to expose security flaws
• Although breaking into another person’s computer system is illegal
– Some hackers believe it is ethical as long as they do not commit theft, vandalism, or breach any confidentiality
– Q: What is the difference between a “cracker” and a “hacker”?
– Q: What is the difference between white hat hacking and black hat hacking?

Script Kiddies

• Script kiddies
– Want to break into computers to create damage
– Unskilled users
– Download automated hacking software (scripts) from Web sites and use it to break into computers
• They are sometimes considered more dangerous than hackers

Spies

• Computer spy
– A person who has been hired to break into a computer and steal information
• Spies are hired to attack a specific computer or system that contains sensitive information
– Their goal is to break into that computer or system and take the information without drawing any attention to their actions

Employees

• One of the largest information security threats to a business actually comes from its employees
• Reasons
– An employee might want to show the company a weakness in its security
– Disgruntled employees may be intent on retaliating against the company

Cybercriminals

• Cybercriminals
– A loose-knit network of attackers, identity thieves, and financial fraudsters
– More highly motivated, less risk-averse, better funded, and more tenacious than hackers
• Many security experts believe that cybercriminals belong to organized gangs of young and mostly Eastern European attackers


Cybercriminals (continued)

• Cybercrime
– Targeted attacks against financial networks, unauthorized access to information, and the theft of personal information
• Financial cybercrime is often divided into two categories
– Trafficking in stolen credit card numbers and financial information

Cyberterrorists

• Cyberterrorists
– Their motivation may be defined as ideology, or attacking for the sake of their principles or beliefs
• Goals of a cyberattack:
– To deface electronic information and spread misinformation and propaganda
– To deny service to legitimate computer users

Attacks and Defenses

• Although there are a wide variety of attacks that can be launched against a computer or network
– The same basic steps are used in most attacks

Steps of an Attack

• The five steps that make up an attack
– Probe for information
– Penetrate any defenses
– Modify security settings
– Circulate to other systems
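The first two steps above, probing and penetrating, leave distinct traces in firewall and authentication logs, and the University of Maryland experiment with weak passwords mentioned earlier is the "penetrate" step seen from the defender's side. The Python script below is an added example (not from the slides or the textbook) of detection logic for those two steps: it flags a source that touches many distinct ports in a short window (a port scan, the probe) and a source that produces a burst of failed logins, noting whether a successful login from the same source follows (a password-guessing attack that worked). The log lines, the log format and the thresholds are all constructed for the example; the IP addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not from the slides). 203.0.113.5 sweeps seven ports in
# three seconds (probe), then guesses passwords until one works (penetrate).
# 198.51.100.7 is an ordinary user who mistypes a password twice, minutes apart.
SAMPLE_LOG = """\
2017-03-01T10:00:00 fw src=203.0.113.5 dst=192.0.2.10 dport=21 action=DROP
2017-03-01T10:00:01 fw src=203.0.113.5 dst=192.0.2.10 dport=22 action=ACCEPT
2017-03-01T10:00:01 fw src=203.0.113.5 dst=192.0.2.10 dport=23 action=DROP
2017-03-01T10:00:02 fw src=203.0.113.5 dst=192.0.2.10 dport=25 action=DROP
2017-03-01T10:00:02 fw src=203.0.113.5 dst=192.0.2.10 dport=80 action=ACCEPT
2017-03-01T10:00:03 fw src=203.0.113.5 dst=192.0.2.10 dport=443 action=ACCEPT
2017-03-01T10:00:03 fw src=203.0.113.5 dst=192.0.2.10 dport=3389 action=DROP
2017-03-01T10:00:05 fw src=198.51.100.7 dst=192.0.2.10 dport=443 action=ACCEPT
2017-03-01T10:01:10 sshd Failed password for root from 203.0.113.5 port 51002
2017-03-01T10:01:11 sshd Failed password for root from 203.0.113.5 port 51003
2017-03-01T10:01:12 sshd Failed password for admin from 203.0.113.5 port 51004
2017-03-01T10:01:13 sshd Failed password for admin from 203.0.113.5 port 51005
2017-03-01T10:01:14 sshd Failed password for invalid user test from 203.0.113.5 port 51006
2017-03-01T10:01:15 sshd Accepted password for admin from 203.0.113.5 port 51007
2017-03-01T10:05:00 sshd Failed password for alice from 198.51.100.7 port 40000
2017-03-01T10:09:00 sshd Failed password for alice from 198.51.100.7 port 40001
"""

FW_RE = re.compile(r"^(\S+) fw src=(\S+) dst=\S+ dport=(\d+) action=\S+$")
AUTH_RE = re.compile(
    r"^(\S+) sshd (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+$"
)

# Thresholds are tuning choices for this example, not values from the slides.
SCAN_WINDOW = timedelta(seconds=10)
SCAN_MIN_PORTS = 5
BRUTE_WINDOW = timedelta(seconds=60)
BRUTE_MIN_FAILURES = 4


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def detect_port_scans(lines):
    """Probe step: one source touching many distinct ports inside a short window.
    Returns {src: largest number of distinct ports seen in any SCAN_WINDOW}."""
    hits = defaultdict(list)
    for line in lines:
        m = FW_RE.match(line)
        if m:
            hits[m.group(2)].append((parse_ts(m.group(1)), int(m.group(3))))
    alerts = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= SCAN_WINDOW}
            if len(ports) >= SCAN_MIN_PORTS:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


def detect_brute_force(lines):
    """Penetrate step: a burst of failed logins from one source. A later success
    from the same source is flagged, because it suggests a guess worked."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, outcome, src = parse_ts(m.group(1)), m.group(2), m.group(4)
        (failures if outcome == "Failed" else successes)[src].append(ts)
    alerts = {}
    for src, times in failures.items():
        times.sort()
        for i, t0 in enumerate(times):
            burst = [t for t in times[i:] if t - t0 <= BRUTE_WINDOW]
            if len(burst) >= BRUTE_MIN_FAILURES:
                later_success = any(t >= burst[-1] for t in successes.get(src, []))
                alerts[src] = {"failures": len(burst), "followed_by_success": later_success}
                break
    return alerts


def analyze(log_text: str):
    lines = log_text.splitlines()
    return {"port_scans": detect_port_scans(lines), "brute_force": detect_brute_force(lines)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The windows matter: the legitimate user's two failures four minutes apart never reach the threshold, while the attacker's five failures in five seconds do. A "failed burst followed by success" is the event worth paging on, since it marks the moment the attack moves from probing to the next steps on the list.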


Defenses against Attacks

• Although multiple defenses may be necessary to withstand an attack
– These defenses should be based on five fundamental security principles:
• Protecting systems by layering
• Limiting
• Diversity
• Obscurity
• Simplicity

Layering

• Information security must be created in layers
• One defense mechanism may be relatively easy for an attacker to circumvent
– Instead, a security system must have layers, making it unlikely that an attacker has the tools and skills to break through all the layers of defenses
• A layered approach can also be useful in resisting a variety of attacks

Limiting

• Limiting access to information reduces the threat against it
• Only those who must use data should have access to it
– In addition, the amount of access granted to someone should be limited to what that person needs to know
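Layering and limiting are easiest to see together in an access decision. The Python module below is an added example, not code from the slides or the textbook: every request passes through four independent checks (network zone, authentication, role-based authorization, and a need-to-know scope on customer accounts), the default is deny, and a check that throws is treated as a denial so a broken layer fails closed. The users, roles, zones, resources and grants are invented for the example; the point is that each role holds only the grants its job needs, and that passing one layer never substitutes for another.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy data for the example (not from the slides).
# Least privilege: each role is granted only the (resource, action) pairs its job needs.
ROLE_GRANTS = {
    "support": {("tickets", "read"), ("tickets", "write")},
    "billing": {("tickets", "read"), ("card_vault", "read")},
    "auditor": {("audit_log", "read")},
}
USER_ROLES = {"alice": "support", "bob": "billing", "carol": "auditor"}
# Need to know: the customer accounts each user may touch, regardless of role.
NEED_TO_KNOW = {"alice": {"acct-100", "acct-101"}, "bob": {"acct-200"}}
ACCOUNT_SCOPED = {"tickets", "card_vault"}
# Network layer: which resources are reachable from each zone.
ZONE_REACH = {
    "internal": {"tickets", "card_vault", "audit_log"},
    "vpn": {"tickets"},
    "public": set(),
}


@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool
    zone: str
    resource: str
    action: str
    account: Optional[str] = None


def layer_network(req: Request) -> bool:
    return req.resource in ZONE_REACH.get(req.zone, set())


def layer_authentication(req: Request) -> bool:
    return req.authenticated and req.user in USER_ROLES


def layer_authorization(req: Request) -> bool:
    role = USER_ROLES.get(req.user)
    return (req.resource, req.action) in ROLE_GRANTS.get(role, set())


def layer_need_to_know(req: Request) -> bool:
    if req.resource not in ACCOUNT_SCOPED:
        return True
    return req.account in NEED_TO_KNOW.get(req.user, set())


# Each layer is a separate mechanism; all of them must agree before access is granted.
LAYERS = [
    ("network", layer_network),
    ("authentication", layer_authentication),
    ("authorization", layer_authorization),
    ("need-to-know", layer_need_to_know),
]


def authorize(req: Request) -> Tuple[bool, str]:
    """Default deny: a request is allowed only if every layer explicitly allows it.
    A layer that raises is treated as a denial, so a broken check fails closed."""
    for name, check in LAYERS:
        try:
            ok = check(req)
        except Exception:
            ok = False
        if not ok:
            return False, f"denied by {name} layer"
    return True, "allowed"


if __name__ == "__main__":
    print(authorize(Request("alice", True, "internal", "tickets", "read", "acct-100")))
    print(authorize(Request("alice", True, "internal", "card_vault", "read", "acct-100")))
```

Note that alice, a valid authenticated support user, is still refused the card vault (her role never needed it) and is refused another customer's tickets (outside her need to know), and that bob cannot reach the vault from the VPN even though his role allows it. Each refusal comes from a different layer, which is what makes a single bypass insufficient.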

Diversity

• Layers must be different (diverse)
– If attackers penetrate one layer, they cannot use the same techniques to break through all other layers
• Using diverse layers of defense means that

Obscurity

• An example of obscurity would be not revealing the type of computer, operating system, software, and network connection a computer uses
– An attacker who knows that information can more easily determine the weaknesses of the system to attack it
– Obscurity only raises the cost of an attacker's reconnaissance; it supplements the other principles and is not a substitute for them

Simplicity

• Information security is by its very nature complex
• Complex security systems can be hard to understand, troubleshoot, and feel secure about
• As much as possible, a secure system should be simple for those on the inside to understand and use
• Complex security schemes are often compromised to make them easier for trusted users to work with

Surveying Information Security Careers and the Security+ Certification

• Today, businesses and organizations require employees and even prospective applicants
– To demonstrate that they are familiar with computer security practices

Types of Information Security Jobs

• Information assurance (IA)
– A superset of information security including security issues that do not involve computers
– Covers a broader area than just basic technology defense tools and tactics
– Also includes reliability, strategic risk management, and corporate governance issues such as privacy, compliance, audits, business continuity, and disaster recovery

Types of Information Security Jobs (continued)

• Information security, also called computer security
– Involves the tools and tactics to defend against computer attacks
– Does not include security issues that do not involve computers
• Two broad categories of information security positions


CompTIA Security+ Certification

• The CompTIA Security+ (2008 Edition) Certification is the premier vendor-neutral credential
• The Security+ exam is an internationally recognized validation of foundation-level security skills and knowledge
– Used by organizations and security professionals around the world
• The skills and knowledge measured by the

CompTIA Security+ Certification (continued)

• The six domains covered by the Security+ exam:
– Systems Security, Network Infrastructure, Access

Other Stuff

• Join organizations and get certified:
– ISSA – student memberships $30, www.issa.org
– IAPP – student memberships $50, become CIPP/G certified
– Start a computer club at NVCC (participate in the CCDC!!!)
– ISC2 – Associate of (ISC)², pass the SSCP exam, www.isc2.org
• Read books and magazines:
– Hakin9
– 2600 Magazine
– Everything else you can get your hands on
• Pay attention to your personal life and activities so you can get a security clearance; companies and agencies DO NOT hire


IAPP

• SEEKING PRIVACY SCHOLARS
Each year, the IAPP awards Privacy Academy scholarships to outstanding college students who may be interested in entering the field of privacy and data protection. Up to five students will receive scholarships to attend this year's Privacy Academy, which takes place in Baltimore, MD, next month. Do you know of a motivated full-time college student who would like the chance to attend, learn, network and have one-on-one time with a professional mentor? If so, please let them know about this valuable opportunity.

Summary

• Attacks against information security have grown exponentially in recent years
• There are several reasons why it is difficult to defend against today’s attacks
• Information security may be defined as that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate,

Summary (continued)

• The main goals of information security are to prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism
• The types of people behind computer attacks are generally divided into several categories
• There are five general steps that make up an attack: probe for information, penetrate any defenses, modify security settings, circulate to other systems, and
