it security awareness overview

IT Security Awareness January 24, 2011 Madison College Chapter 1 Introduction to Security

Upload: nicholas-davis

Post on 16-Jan-2015


Page 1: It security awareness overview

IT Security Awareness
January 24, 2011
Madison College

Chapter 1
Introduction to Security

Page 2: It security awareness overview

Security Awareness, 3rd Edition 2

Objectives

After completing this chapter, you should be able to do the following:
• Describe the challenges of securing information
• Define information security and explain why it is important
• Identify the types of attackers that are common today
• List the basic steps of an attack
• Describe the steps in a defense and a comprehensive defense strategy

Page 3: It security awareness overview

Challenges of Securing Information

• No single simple solution to protecting computers and securing information

• Different types of attacks

• Difficulties in defending against these attacks (Speed, Greater Sophistication, Simplicity, Delays in Patching, User Confusion)


Page 4: It security awareness overview

Today’s Security Attacks

• Typical monthly security newsletter

– Malicious program was introduced in the manufacturing process of a popular brand of digital photo frames

– E-mail claiming to be from the United Nations (U.N.) “Nigerian Government Reimbursement Committee” is sent to unsuspecting users

– “Booby-trapped” Web pages are growing at an increasing rate

– Mac computers can be the victim of attackers


Page 5: It security awareness overview

Today’s Security Attacks (cont’d.)

• Security statistics

– 45 million credit and debit card numbers stolen

– Number of security breaches continues to rise

– A recent report revealed that the overall grade of 24 federal government agencies was only “C-”


Page 6: It security awareness overview


Table 1-1 Selected security breaches involving personal information in a three-month period

Course Technology/Cengage Learning

Page 7: It security awareness overview

Difficulties in Defending Against Attacks

• Speed of attacks
• Greater sophistication of attacks
• Simplicity of attack tools
• Quicker detection of vulnerabilities
– Zero day attack
• Delays in patching products
• Distributed attacks
• User confusion


Page 8: It security awareness overview

Difficulties in Defending Against Attacks (cont’d.)


Figure 1-1 Increased sophistication of attack tools

Page 9: It security awareness overview

Difficulties in Defending Against Attacks (cont’d.)


Figure 1-2 Menu of attack tools


Page 10: It security awareness overview

Difficulties in Defending Against Attacks (cont’d.)


Table 1-2 Difficulties in defending against attacks

Page 11: It security awareness overview

What Is Information Security?

• Understand what information security is

• Why is information security important today?

• Who are the attackers?


Page 12: It security awareness overview

Defining Information Security

• Security
– State of freedom from a danger or risk
• Information security
– Tasks of guarding information that is in a digital format
– Ensures that protective measures are properly implemented
– Protect information that has value to people and organizations
    • Value comes from the characteristics of the information


Page 13: It security awareness overview

Defining Information Security (cont’d.)

• Characteristics of information that must be protected by information security
– Confidentiality
– Integrity
– Availability
• Achieved through a combination of three entities
– Products
– People
– Procedures


Page 14: It security awareness overview

Defining Information Security (cont’d.)


Figure 1-3 Information security components

Page 15: It security awareness overview

Defining Information Security (cont’d.)


Table 1-3 Information security layers


Page 16: It security awareness overview

Information Security Terminology

• Asset
– Something that has a value
• Threat
– Event or object that may defeat the security measures in place and result in a loss
– By itself does not mean that security has been compromised
• Threat agent
– Person or thing that has the power to carry out a threat


Page 17: It security awareness overview

Information Security Terminology (cont’d.)

• Vulnerability
– Weakness that allows a threat agent to bypass security
• Exploiting the security weakness
– Taking advantage of the vulnerability
• Risk
– Likelihood that a threat agent will exploit a vulnerability
– Some degree of risk must always be assumed
– Three options for dealing with risk

Page 18: It security awareness overview

Information Security Terminology (cont’d.)

Table 1-4 Security information terminology


Page 19: It security awareness overview

Understanding the Importance of Information Security

• Preventing data theft
– Theft of data is one of the largest causes of financial loss due to an attack
– Affects businesses and individuals
• Thwarting identity theft
– Identity theft
    • Using someone’s personal information to establish bank or credit card accounts that are then left unpaid
    • Leaves the victim with debts and ruins their credit rating
– Legislation continues to be enacted


Page 20: It security awareness overview

Understanding the Importance of Information Security (cont’d.)

• Avoiding legal consequences
– Federal and state laws that protect the privacy of electronic data
    • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    • The Sarbanes-Oxley Act of 2002 (Sarbox)
    • The Gramm-Leach-Bliley Act (GLBA)
    • USA Patriot Act (2001)
    • The California Database Security Breach Act (2003)
    • Children’s Online Privacy Protection Act of 1998 (COPPA)


Page 21: It security awareness overview

Understanding the Importance of Information Security (cont’d.)

• Maintaining productivity
– Lost wages and productivity during an attack and cleanup
– Unsolicited e-mail message security risk
    • U.S. businesses forfeit $9 billion each year restricting spam
• Foiling cyberterrorism
– Could cripple a nation’s electronic and commercial infrastructure
– “Information Security Problem”


Page 22: It security awareness overview

Who Are the Attackers?

• Divided into several categories
– Hackers
– Script kiddies
– Spies
– Employees
– Cybercriminals
– Cyberterrorists


Page 23: It security awareness overview

Hackers

• Debated definition of hacker
– Identify anyone who illegally breaks into or attempts to break into a computer system
– Person who uses advanced computer skills to attack computers only to expose security flaws
    • “White Hats”


Page 24: It security awareness overview

Script Kiddies

• Unskilled users

• Use automated hacking software

• Do not understand the technology behind what they are doing

• Often indiscriminately target a wide range of computers


Page 25: It security awareness overview
Page 26: It security awareness overview

Spies

• Person who has been hired to break into a computer and steal information
• Do not randomly search for unsecured computers
• Hired to attack a specific computer or system
• Goal
– Break into computer or system
– Take the information without drawing any attention to their actions


Page 27: It security awareness overview

Employees

• Reasons for attacks by employees
– Show company weakness in security
– Retaliation
– Money
– Blackmail
– Carelessness


Page 28: It security awareness overview

Cybercriminals

• Loose-knit network of attackers, identity thieves, and financial fraudsters
• Motivated by money
• Financial cybercrime categories
– Stolen financial data
– Spam email to sell counterfeits and pornography


Page 29: It security awareness overview

Cybercriminals (cont’d.)


Table 1-6 Eastern European promotion of cybercriminals


Page 30: It security awareness overview

Cyberterrorists

• Motivated by ideology

• Sometimes considered attackers that should be feared most


Page 31: It security awareness overview

Attacks and Defenses

• Same basic steps are used in most attacks

• Protecting computers against these steps
– Calls for five fundamental security principles


Page 32: It security awareness overview

Steps of an Attack

• Probe for information

• Penetrate any defenses

• Modify security settings

• Circulate to other systems

• Paralyze networks and devices


Page 33: It security awareness overview

Figure 1-5 Steps of an attack


Page 34: It security awareness overview

Defenses Against Attacks

• Layering
– If one layer is penetrated, several more layers must still be breached
– Each layer is often more difficult or complicated than the previous
– Useful in resisting a variety of attacks
• Limiting
– Limiting access to information reduces the threat against it
– Technology-based and procedural methods


Page 35: It security awareness overview

Defenses Against Attacks (cont’d.)

• Diversity
– Important that security layers are diverse
– Breaching one security layer does not compromise the whole system
• Obscurity
– Avoiding clear patterns of behavior makes attacks from the outside much more difficult
• Simplicity
– Complex security systems can be hard to understand, troubleshoot, and feel secure about


Page 36: It security awareness overview

Building a Comprehensive Security Strategy

• Block attacks
– Strong security perimeter
    • Part of the computer network to which a personal computer is attached
– Local security important too
• Update defenses
– Continually update defenses to protect information against new types of attacks


Page 37: It security awareness overview

Building a Comprehensive Security Strategy (cont’d.)

• Minimize losses
– Realize that some attacks will get through security perimeters and local defenses
– Make backup copies of important data
– Business recovery policy
• Send secure information
– “Scramble” data so that unauthorized eyes cannot read it
– Establish a secure electronic link between the sender and receiver


Page 38: It security awareness overview

Summary

• Attacks against information security have grown exponentially in recent years

• Difficult to defend against today’s attacks
• Information security definition
– That which protects the integrity, confidentiality, and availability of information
• Main goals of information security
– Prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism


Page 39: It security awareness overview

Summary (cont’d.)

• Several types of people are typically behind computer attacks

• Five general steps that make up an attack

• Practical, comprehensive security strategy involves four key elements
