Security Awareness: Applying Practical Security in Your World

Chapter 1: Introduction to Security

Upload: verity-blankenship

Post on 28-Dec-2015


Objectives

Define security and list the three basic goals of security

Explain why information security is important

List the six categories of individuals who break into computers

Objectives (continued)

Describe the types of attacks on computers that can occur

Explain how to safeguard a system

Explain the big picture in information security

Introduction to Security

Security: A state of freedom from a danger or risk

Information security: Process of protecting a computer (or network of computers) from harmful attacks

Three basic goals of information security:

Integrity

Confidentiality

Availability

Three Goals of Information Security

Integrity: Data correct and unaltered

Confidentiality: Data only accessible to authorized parties

Availability: Authorized users allowed immediate access to the data

Main goal: MINIMIZE RISKS

Why Information Security Is Important

Prevent Data Theft

Single largest cause of financial loss due to a security breach

Thefts most commonly include proprietary business information

Industrial espionage

Individuals can also suffer from data theft

Why Information Security Is Important (continued)

Protect Intellectual Property

Illegal copying or distribution deprives creator or owner of compensation for their work (See Figures 1-1 and 1-2)

Electronic formats easy and cheap to copy

Digital rights management (DRM) technologies

Digital watermarks

Physical copy protection

Software keys

Activation code

Protect Intellectual Property

Figure 1-1

Protect Intellectual Property (continued)

Figure 1-2

Why Information Security Is Important (continued)

Thwart Identity Theft

About 3.4% of Americans have been victims of identity theft

Average 609 hours and $1500 out-of-pocket expenses to repair damage

Why Information Security Is Important (continued)

Avoid Legal Consequences—federal and state laws include:

HIPAA

Sarbox

GLBA

USA Patriot Act

COPPA

California Database Security Breach Act

Why Information Security Is Important (continued)

Foil Cyberterrorism

Cyberterrorism: Attacks by terrorist group(s) using computer technology

Can damage or disable electronic and commercial infrastructure

Most targets are not government-owned or operated: security procedures difficult to prescribe and enforce

Why Information Security Is Important (continued)

Maintain Productivity

Resources diverted for “clean-up” activities (See Table 1-1)

Spam: unsolicited e-mail messages cost time

Viruses and worms can be attached

Attacker Profiles

Hackers

Crackers

Script kiddies

Spies

Employees

Cyberterrorists

How Attackers Attack

Social Engineering

Trickery and deceit used rather than technical skill

Difficult to defend against because it relies on human nature and not on computer systems

Strongest defense: Strict company policies

How Attackers Attack (continued)

Scanning: Locating a vulnerable computer to break into

Port scanning

War driving (See Figure 1-3)

How Attackers Attack (continued)

Sniffing: Listening to and analyzing traffic on a network

Requires access to the wired network (or information about the wireless network) and special software

Sniffing output can reveal passwords and usernames


How Attackers Attack (continued)

Software Vulnerabilities

“Bugs” are errors in the programming code or logic of a computer program

Buffer overflow (See Figures 1-5 and 1-6) is one of the preferred attack methods for virus authors


How Attackers Attack (continued)

Malicious Code

Virus

Attaches to other programs

Spreads by exchanging files or e-mail (See Table 1-3)

How Attackers Attack (continued)

Malicious Code (continued)

Worm

Similar in nature, but different from viruses:

Worms can travel alone

Self-executing

Logic Bombs: Computer programs triggered by specific events

How Attackers Attack (continued)

Spyware: Hardware or software that spies on what the user is doing without their knowledge

Keystroke logger (See Figure 1-7)

Software that records and reports user activities


Safeguarding a System

Identifying, Analyzing and Controlling Risks

Risk management: Systematic process of identifying, analyzing and controlling risks

Risk assessment: Process of evaluating risks

Safeguarding a System (continued)

Authentication, Access Control, and Accounting

Restricting who can use the resource and what they are allowed to do

Authentication: Verifies, confirms and validates the person requesting access to a resource

Access Control: Limits what an authorized user can do

Accounting: Provides a historical record (audit trail)
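
The three controls from this slide applied to a single access request, as an added example that is not part of the original slides. The user, password, resource and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored credentials are never kept in plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data (assumptions for this example only).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}
ACL = {"alice": {"payroll.xlsx": {"read"}}}  # user -> resource -> allowed actions
AUDIT_LOG = []                               # accounting: the audit trail

def authenticate(user: str, password: str) -> bool:
    """Authentication: verify the person requesting access."""
    record = USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))

def authorize(user: str, resource: str, action: str) -> bool:
    """Access control: limit what an authenticated user can do."""
    return action in ACL.get(user, {}).get(resource, set())

def request(user: str, password: str, resource: str, action: str) -> str:
    if not authenticate(user, password):
        outcome = "denied: authentication failed"
    elif not authorize(user, resource, action):
        outcome = "denied: action not permitted"
    else:
        outcome = "allowed"
    # Accounting: record every attempt, including the denied ones.
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "resource": resource,
        "action": action, "outcome": outcome,
    })
    return outcome

if __name__ == "__main__":
    print(request("alice", "correct horse", "payroll.xlsx", "read"))
    print(request("alice", "correct horse", "payroll.xlsx", "write"))
    print(request("alice", "wrong guess", "payroll.xlsx", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Denied attempts are logged as well as successful ones, since the audit trail is what lets a reviewer spot repeated failures against one account.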

Safeguarding a System (continued)

Formalized Security Policy

Tying it all together

Outlines the importance of security to the organization

Establishes policy’s goals

How the security program is organized

Who is responsible at various levels

Sketches out details

Information Security: The Big Picture

Data at the center

Layered protection around it:

PRODUCTS

PEOPLE

PROCEDURES

Summary

Security is a state of freedom from a danger or a risk.

Information security protects the equipment and information stored on it.

There are three basic goals of information security:

Integrity

Confidentiality

Availability of data

Summary (continued)

Reasons why information security is important:

Protect data from theft

Prevent loss of productivity

Curb theft of intellectual property

Ensure compliance with law and avoid legal consequences

Thwart personal identity theft

Counter cyberterrorism

Summary (continued)

Six categories of attackers—all have different motives:

Hackers

Crackers

Script kiddies

Spies

Employees

Cyberterrorists

Summary (continued)

Five categories of attacks:

Social engineering

Scanning and sniffing

Software vulnerabilities

Malicious code

Spyware

Summary (continued)

Three steps to securing a system:

Risk management—

Identify bad things that can happen to it

Authentication, access control and accounting—

Restrict who can legitimately use it

Security policy—

Plan of action tying it all together