Security+ Guide to Network Security Fundamentals
Chapter 1

Instructor: Eyas Al-Qawasmeh
Email: eyasa@usa.net
Phone: 0564569838
Office number: 2152

Learning Objectives
- Understand network security
- Understand security threat trends and their ramifications
- Understand the goals of network security
- Determine the factors involved in a secure network strategy

Understanding Network Security
- Network security: the process by which digital information assets are protected
- Goals:
  - Maintain integrity
  - Protect confidentiality
  - Assure availability

Understanding Network Security
Security ensures that users:
- Perform only tasks they are authorized to do
- Obtain only information they are authorized to have
- Cannot cause damage to data, applications, or the operating environment

Security Threats
- Identity theft
- Privacy concerns
- Wireless access

To Offset Security Threats
- Integrity: assurance that data is not altered or destroyed in an unauthorized manner
- Confidentiality: protection of data from unauthorized disclosure to a third party
- Availability: continuous operation of computing systems

Quiz: Give a real example for each information security principle.
Examples of information security fundamental principles:
- Confidentiality: exam questions must be hidden from students prior to the exam.
- Integrity: students' grades must not be modifiable by students.
- Availability: the student schedule system must be online and available at the beginning of the semester.

Information Security Layers

Security Vulnerabilities for Sale
- Anyone can buy attack tools to take over computers

Examples of Security Breaches

Difficulties in Defending against Attacks

Information Security Terminology
- Asset: something that has a value
- Threat: an event or object that may defeat the security measures in place and result in a loss
- Threat agent: a person or thing that has the power to carry out a threat

Information Security Terminology
- Vulnerability: a weakness that allows a threat agent to bypass security
- Exploit: takes advantage of a vulnerability
- Risk: the likelihood that a threat agent will exploit a vulnerability
  - Realistically, risk cannot ever be entirely eliminated

Information Security Terminology (continued)

Security Ramifications: Costs of Intrusion
Causes of network security threats:
1. Technology weaknesses
2. Configuration weaknesses
3. Policy weaknesses
4. Human error

1- Technology Weaknesses
- TCP/IP
- Operating systems
- Network equipment

2- Configuration Weaknesses
- Unsecured accounts
- System accounts with easily guessed passwords
- Mis-configured Internet services
- Unsecured default settings
- Mis-configured network equipment
- Trojan horse programs
- Vandals
- Viruses

3- Policy Weaknesses
- Lack of a written security policy
- Politics
- High turnover
- Concise access controls not applied
- Software and hardware installation and changes do not follow policy
- Proper security
- Nonexistent disaster recovery plan

4- Human Error
- Accident
- Ignorance
- Workload
- Dishonesty
- Impersonation
- Disgruntled employees
- Snoops
- Denial-of-service attacks

Goals of Network Security
- Achieve the state where any action that is not expressly permitted is prohibited
- Eliminate theft
- Determine authentication
- Identify assumptions
- Control secrets

Creating a Secure Network Strategy
- Address both internal and external threats
- Define policies and procedures
- Reduce risk across perimeter security, the Internet, intranets, and LANs

Creating a Secure Network Strategy
- Human factors
- Know your weaknesses
- Limit access
- Achieve security through persistence
- Develop a change management process
- Remember physical security
- Perimeter security: control access to critical network applications, data, and services

Creating a Secure Network Strategy
Firewalls:
- Prevent unauthorized access to or from a private network
- Create a protective layer between the network and the outside world
- Replicate the network at the point of entry in order to receive and transmit authorized data
- Have built-in filters
- Log attempted intrusions and create reports

Creating a Secure Network Strategy
- Web and file servers
- Access control: ensures that only legitimate traffic is allowed into or out of the network
  - Passwords
  - PINs
  - Smartcards

Creating a Secure Network Strategy
- Change management: document changes to all areas of the IT infrastructure
- Encryption: ensures messages cannot be intercepted or read by anyone other than the intended person(s)

Creating a Secure Network Strategy
Intrusion detection system (IDS):
- Provides 24/7 network surveillance
- Analyzes packet data streams within the network
- Searches for unauthorized activity

Simplicity
- Information security is by its very nature complex
- Complex security systems can be hard to understand, troubleshoot, and feel secure about
- As much as possible, a secure system should be simple for those on the inside to understand and use
- Complex security schemes are often compromised to make them easier for trusted users to work with
- Keeping a system simple from the inside but complex on the outside can sometimes be difficult but reaps a major benefit

Who Are the Attackers?
The types of people behind computer attacks are generally divided into several categories:
- Hackers
- Script kiddies
- Spies
- Employees
- Cybercriminals
- Cyberterrorists

The NSA Hacker
- Gary McKinnon hacked into NASA and the US Military
- He was looking for evidence about UFOs

Hackers
- Hacker: anyone who illegally breaks into or attempts to break into a computer system
- Although breaking into another person's computer system is illegal, some hackers believe it is ethical as long as they do not commit theft, vandalism, or breach any confidentiality
- Ethical hacker: has permission from the owner to test the security of computers by attacking them

Script Kiddies
- Unskilled users
- Download automated hacking software (scripts) from Web sites and use it to break into computers

Spies
- Computer spy: a person who has been hired to break into a computer and steal information
- Excellent computer skills

Employees
- The largest information security threat
- Motives:
  - An employee might want to show the company a weakness in its security
  - Disgruntled employees may be intent on retaliating against the company
  - Industrial espionage
  - Blackmailing

Cybercriminals
- A loose-knit network of attackers, identity thieves, and financial fraudsters
- More highly motivated, less risk-averse, better funded, and more tenacious than hackers
- Many security experts believe that cybercriminals belong to organized gangs of young and mostly Eastern European attackers
- Cybercriminals have a more focused goal that can be summed up in a single word: money

Cybercriminals
- Cybercrime: targeted attacks against financial networks, unauthorized access to information, and the theft of personal information
- Financial cybercrime is often divided into two categories:
  - Trafficking in stolen credit card numbers and financial information
  - Using spam to commit fraud

Cyberterrorists
- Their motivation may be defined as ideology, or attacking for the sake of their principles or beliefs
- Goals of a cyberattack:
  - To deface electronic information and spread misinformation and propaganda
  - To deny service to legitimate computer users
  - To commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data

Security Tradeoffs
Security is traded off against:
- Cost
- Ease of use
- Functionality

Steps of an Attack
The five steps that make up an attack:
1. Probe for information
2. Penetrate any defenses
3. Modify security settings
4. Circulate to other systems
5. Paralyze networks and devices

Defenses against Attacks
- Although multiple defenses may be necessary to withstand an attack, these defenses should be based on five fundamental security principles:
  - Layering
  - Limiting
  - Diversity
  - Obscurity
  - Simplicity

Layering
- Information security must be created in layers
- One defense mechanism may be relatively easy for an attacker to circumvent
- Instead, a security system must have layers, making it unlikely that an attacker has the tools and skills to break through all the layers of defenses
- A layered approach can also be useful in resisting a variety of attacks
- Layered security provides the most comprehensive protection

Limiting
- Limiting access to information reduces the threat against it
- Only those who must use data should have access to it
- In addition, the amount of access granted to someone should be limited to what that person needs to know
- Some ways to limit access are technology-based, while others are procedural

Diversity
- Layers must be different (diverse)
- If attackers penetrate one layer, they cannot use the same techniques to break through all other layers
- Using diverse layers of defense means that breaching one security layer does not compromise the whole system

Obscurity

INFORMATION SECURITY CAREERS AND THE SECURITY+ CERTIFICATION

Surveying Information Security Careers and the Security+ Certification
- Today, businesses and organizations require employees and even prospective applicants to demonstrate that they are familiar with computer security practices
- Many organizations use the CompTIA Security+ certification to verify security competency

CompTIA Security+ Certification
- The CompTIA Security+ (2008 Edition) Certification is the premiere vendor-neutral credential
- The Security+ exam is an internationally recognized validation of foundation-level security skills and knowledge
- Used by organizations and security professionals around the world
- The skills and knowledge measured by the Security+ exam are derived from an industry-wide Job Task Analysis (JTA)

CompTIA Security+ Certification (continued)
The six domains covered by the Security+ exam:
- Systems Security
- Network Infrastructure
- Access Control
- Assessments and Audits
- Cryptography
- Organizational Security

Quiz: What does information security protect?
Information security protects:
- the integrity, confidentiality, and availability of information
- on the devices which store, manipulate, and transmit the information
- through products, people and procedures