describing the challenges of securing information
TRANSCRIPT
IT Security AwarenessOctober 26, 2010Madison College
Chapter 1Introduction to Security
Kit Kat
• The origins of the 'Kit Kat' brand stem back to 1911
• The original four-finger bar was developed after a worker at the Rowntree York Factory put a suggestion in a recommendation box for a snack that "a man could take to work in his pack up".
Kit KatKit Kat bar launched on the 29th of August,
1939, under the title of 'Rowntree's Chocolate
Crisp' (priced at 2p), and was sold in London
and throughout Southern England.
The Hershey Company has a licence to
produce Kit Kat bars in the United States
which dates from 1969, when Hershey
executed a licensing agreement for both the
Kit Kat and the Rolo with Rowntree
Security Awareness, 3rd Edition 4
Objectives
After completing this chapter, you should be able to do the following:•Describe the challenges of securing information•Define information security and explain why it is important•Identify the types of attackers that are common today•List the basic steps of an attack•Describe the steps in a defense and a comprehensive defense strategy
Challenges of Securing Information
• No single simple solution to protecting computers and securing information
• Different types of attacks
• Difficulties in defending against these attacks (Speed, Greater Sophistication, Simplicity, Delays in Patching, User Confusion)
Security Awareness, 3rd Edition 5
Today’s Security Attacks• Typical monthly security newsletter
– Malicious program was introduced in the manufacturing process of a popular brand of digital photo frames
– E-mail claiming to be from the United Nations (U.N.) ‘‘Nigerian Government Reimbursement Committee’’ is sent to unsuspecting users
– ‘‘Booby-trapped’’ Web pages are growing at an increasing rate
– Mac computers can be the victim of attackers
Security Awareness, 3rd Edition 6
Today’s Security Attacks (cont’d.)• Security statistics
– 45 million credit and debit card numbers stolen
– Number of security breaches continues to rise
– Recent report revealed that of 24 federal government agencies overall grade was only ‘‘C-’’
Security Awareness, 3rd Edition 7
Security Awareness, 3rd Edition 8
Table 1-1 Selected security breaches involving personal information in a three-month period
Course Technology/Cengage Learning
Difficulties in Defending Against Attacks• Speed of attacks• Greater sophistication of attacks• Simplicity of attack tools• Quicker detection of vulnerabilities
– Zero day attack• Delays in patching products• Distributed attacks• User confusion
Security Awareness, 3rd Edition 9
Difficulties in Defending Against Attacks (cont’d.)
Security Awareness, 3rd Edition 10
Figure 1-1 Increased sophistication of attack toolsCourse Technology/Cengage Learning
Difficulties in Defending Against Attacks (cont’d.)
Security Awareness, 3rd Edition 11
Figure 1-2 Menu of attack tools
Course Technology/Cengage Learning
Difficulties in Defending Against Attacks (cont’d.)
Security Awareness, 3rd Edition 12
Table 1-2 Difficulties in defending against attacks
What Is Information Security?• Understand what information
security is
• Why is information security important today?
• Who are the attackers?
Security Awareness, 3rd Edition 13
Defining Information Security
• Security – State of freedom from a danger or risk
• Information security – Tasks of guarding information that is in a
digital format– Ensures that protective measures are
properly implemented– Protect information that has value to people
and organizations• Value comes from the characteristics of
the information
Security Awareness, 3rd Edition 14
Defining Information Security (cont’d.)• Characteristics of information that must be
protected by information security– Confidentiality– Integrity– Availability
• Achieved through a combination of three entities– Products– People– Procedures
Security Awareness, 3rd Edition 15
Defining Information Security (cont’d.)
Security Awareness, 3rd Edition 16
Figure1-3 Information security componentsCourse Technology/Cengage Learning
Defining Information Security (cont’d.)
Security Awareness, 3rd Edition 17
Table 1-3 Information security layers
Course Technology/Cengage Learning
Information Security Terminology• Asset
– Something that has a value• Threat
– Event or object that may defeat the security measures in place and result in a loss
– By itself does not mean that security has been compromised
• Threat agent – Person or thing that has the power to carry
out a threat
Security Awareness, 3rd Edition 18
Information Security Terminology (cont’d.)
• Vulnerability – Weakness that allows a threat agent to
bypass security• Exploiting the security weakness
– Taking advantage of the vulnerability• Risk
– Likelihood that a threat agent will exploit a vulnerability
– Some degree of risk must always be assumed
– Three options for dealing with riskSecurity Awareness, 3rd Edition 19
Information Security Terminology (cont’d.)
Table 1-4 Security information terminology
Security Awareness, 3rd Edition 20
Course Technology/Cengage Learning
Understanding the Importance of Information Security
• Preventing data theft– Theft of data is one of the largest causes of
financial loss due to an attack– Affects businesses and individuals
• Thwarting identity theft– Identity theft
• Using someone’s personal information to establish bank or credit card accounts that are then left unpaid
• Leaves the victim with debts and ruins their credit rating
– Legislation continues to be enacted
Security Awareness, 3rd Edition 21
Understanding the Importance of Information Security (cont’d.)
• Avoiding legal consequences– Federal and state laws that protect the privacy of
electronic data• The Health Insurance Portability and
Accountability Act of 1996 (HIPAA)• The Sarbanes-Oxley Act of 2002 (Sarbox)• The Gramm-Leach-Bliley Act (GLBA)• USA Patriot Act (2001)• The California Database Security Breach Act
(2003)• Children’s Online Privacy Protection Act of
1998 (COPPA)
Security Awareness, 3rd Edition 22
Understanding the Importance of Information Security (cont’d.)
• Maintaining productivity– Lost wages and productivity during an attack
and cleanup– Unsolicited e-mail message security risk
• U.S. businesses forfeit $9 billion each year restricting spam
• Foiling cyberterrorism– Could cripple a nation’s electronic and
commercial infrastructure– ‘‘Information Security Problem’’
Security Awareness, 3rd Edition 23
Who Are the Attackers?
• Divided into several categories– Hackers– Script kiddies– Spies– Employees– Cybercriminals– Cyberterrorists
Security Awareness, 3rd Edition 24
Hackers• Debated definition of hacker
– Identify anyone who illegally breaks into or attempts to break into a computer system
– Person who uses advanced computer skills to attack computers only to expose security flaws
• ‘‘White Hats’
Security Awareness, 3rd Edition 25
Script Kiddies
• Unskilled users
• Use automated hacking software
• Do not understand the technology behind what they are doing
• Often indiscriminately target a wide range of computers
Security Awareness, 3rd Edition 26
Spies• Person who has been hired to break into a
computer and steal information• Do not randomly search for unsecured
computers• Hired to attack a specific computer or system• Goal
– Break into computer or system – Take the information without drawing any
attention to their actions
Security Awareness, 3rd Edition 28
Employees• Reasons for attacks by employees
– Show company weakness in security– Retaliation– Money– Blackmail– Carelessness
Security Awareness, 3rd Edition 29
Cybercriminals• Loose-knit network of attackers, identity thieves,
and financial fraudsters• Motivated by money• Financial cybercrime categories
– Stolen financial data– Spam email to sell counterfeits and
pornography
Security Awareness, 3rd Edition 30
Cybercriminals (cont’d.)
Security Awareness, 3rd Edition 31
Table 1-6 Eastern European promotion of cybercriminals
Course Technology/Cengage Learning
Cyberterrorists
• Motivated by ideology
• Sometimes considered attackers that should be feared most
Security Awareness, 3rd Edition 32
Attacks and Defenses
• Same basic steps are used in most attacks
• Protecting computers against these steps– Calls for five fundamental security
principles
Security Awareness, 3rd Edition 33
Steps of an Attack• Probe for information
• Penetrate any defenses
• Modify security settings
• Circulate to other systems
• Paralyze networks and devices
Security Awareness, 3rd Edition 34
Figure 1-5 Steps of an attack
Security Awareness, 3rd Edition 35
Defenses Against Attacks
• Layering– If one layer is penetrated, several more layers
must still be breached– Each layer is often more difficult or
complicated than the previous– Useful in resisting a variety of attacks
• Limiting– Limiting access to information reduces the
threat against it– Technology-based and procedural methods
Security Awareness, 3rd Edition 36
Defenses Against Attacks (cont’d.)• Diversity
– Important that security layers are diverse– Breaching one security layer does not
compromise the whole system• Obscurity
– Avoiding clear patterns of behavior make attacks from the outside much more difficult
• Simplicity– Complex security systems can be hard to
understand, troubleshoot, and feel secure about
Security Awareness, 3rd Edition 37
Building a Comprehensive Security Strategy• Block attacks
– Strong security perimeter• Part of the computer network to which a
personal computer is attached
– Local security important too
• Update defenses– Continually update defenses to protect
information against new types of attacks
Security Awareness, 3rd Edition 38
Building a Comprehensive Security Strategy (cont’d.)• Minimize losses
– Realize that some attacks will get through security perimeters and local defenses
– Make backup copies of important data– Business recovery policy
• Send secure information– ‘‘Scramble’’ data so that unauthorized eyes
cannot read it– Establish a secure electronic link between the
sender and receiver
Security Awareness, 3rd Edition 39
Summary
• Attacks against information security have grown exponentially in recent years
• Difficult to defend against today’s attacks• Information security definition
– That which protects the integrity, confidentiality, and availability of information
• Main goals of information security – Prevent data theft, thwart identity theft, avoid
the legal consequences of not securing information, maintain productivity, and foil cyberterrorism
Security Awareness, 3rd Edition 40
Summary (cont’d.)
• Several types of people are typically behind computer attacks
• Five general steps that make up an attack
• Practical, comprehensive security strategy involves four key elements
Security Awareness, 3rd Edition 41