Security Awareness Challenges of Securing Information No single simple solution to protecting computers and securing information Different types of attacks Difficulties in defending against these attacks

Upload: silas-jacobs

Post on 12-Jan-2016



Security Awareness

Challenges of Securing Information

• No single simple solution to protecting computers and securing information

• Different types of attacks

• Difficulties in defending against these attacks


Today’s Security Attacks

• Typical monthly security newsletter
  – Malicious programs
  – E-mail attachments
  – ‘‘Booby-trapped’’ Web pages are growing at an increasing rate
  – Mac computers can be the victim of attackers


Today’s Security Attacks (cont’d.)

• Security statistics
  – 45 million credit and debit card numbers stolen
  – Number of security breaches continues to rise


Difficulties in Defending Against Attacks

• Speed of attacks

• Greater sophistication of attacks

• Simplicity of attack tools

• Quicker detection of vulnerabilities
  – Zero day attack

• Delays in patching products

• Distributed attacks

• User confusion


Difficulties in Defending Against Attacks (cont’d.)


Difficulties in defending against attacks


Defining Information Security

• Information security
  – Tasks of guarding information that is in a digital format
  – Ensures that protective measures are properly implemented
  – Protect information that has value to people and organisations
    • Value comes from the characteristics of the information


Defining Information Security (cont’d.)

• Characteristics of information that must be protected by information security
  – Confidentiality
  – Integrity
  – Availability

• Achieved through a combination of three entities
  – Products
  – People
  – Procedures


Understanding the Importance of Information Security

• Preventing data theft
  – Theft of data is one of the largest causes of financial loss due to an attack
  – Affects businesses and individuals

• Thwarting identity theft
  – Identity theft
    • Using someone’s personal information to establish bank or credit card accounts


Who Are the Attackers?

• Divided into several categories
  – Hackers
  – Script kiddies
  – Spies
  – Employees
  – Cybercriminals
  – Cyberterrorists


Hackers

• Debated definition of hacker
  – Identify anyone who illegally breaks into or attempts to break into a computer system
  – Person who uses advanced computer skills to attack computers only to expose security flaws
    • ‘‘White Hats’’


Script Kiddies

• Unskilled users

• Use automated hacking software

• Do not understand the technology behind what they are doing

• Often indiscriminately target a wide range of computers


Spies

• Person who has been hired to break into a computer and steal information

• Do not randomly search for unsecured computers

• Hired to attack a specific computer or system

• Goal
  – Break into computer or system
  – Take the information without drawing any attention to their actions


Employees

• Reasons for attacks by employees
  – Show company weakness in security
  – Retaliation
  – Money
  – Blackmail
  – Carelessness


Cybercriminals

• Loose-knit network of attackers, identity thieves, and financial fraudsters

• Motivated by money

• Financial cybercrime categories
  – Stolen financial data
  – Spam email to sell counterfeits, etc.


Cyberterrorists

• Motivated by ideology


Attacks and Defences

• Same basic steps are used in most attacks

• Protecting computers against these steps
  – Calls for five fundamental security principles


Steps of an Attack

• Probe for information

• Penetrate any defences

• Modify security settings

• Circulate to other systems

• Paralyse networks and devices


Defences Against Attacks

• Layering
  – If one layer is penetrated, several more layers must still be breached
  – Each layer is often more difficult or complicated than the previous
  – Useful in resisting a variety of attacks

• Limiting
  – Limiting access to information reduces the threat against it
  – Technology-based and procedural methods


Defences Against Attacks (cont’d.)

• Diversity
  – Important that security layers are diverse
  – Breaching one security layer does not compromise the whole system

• Obscurity
  – Avoiding clear patterns of behavior makes attacks from the outside much more difficult

• Simplicity
  – Complex security systems can be hard to understand, troubleshoot, and feel secure about


Building a Comprehensive Security Strategy

• Block attacks
  – Strong security perimeter
    • Part of the computer network to which a personal computer is attached
  – Local security important too

• Update defences
  – Continually update defenses to protect information against new types of attacks


Building a Comprehensive Security Strategy (cont’d.)

• Minimise losses
  – Realise that some attacks will get through security perimeters and local defenses
  – Make backup copies of important data
  – Business recovery policy

• Send secure information
  – ‘‘Scramble’’ data so that unauthorized eyes cannot read it
  – Establish a secure electronic link between the sender and receiver


Summary

• Attacks against information security have grown exponentially in recent years

• Difficult to defend against today’s attacks

• Information security definition
  – That which protects the integrity, confidentiality, and availability of information

• Main goals of information security
  – Prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism


Summary (cont’d.)

• Several types of people are typically behind computer attacks

• Five general steps that make up an attack

• Practical, comprehensive security strategy involves four key elements
