Course Technology/Cengage Learning - c-jump

About the Presentations
• The presentations cover the objectives found in the
opening of each chapter.
• All chapter objectives are listed in the beginning of
each presentation.
• You may customize the presentations to fit your
class needs.
• Some figures from the chapters are included. A
complete set of images from the book can be found
on the Instructor Resources disc.
Security Awareness
Chapter 1
Introduction to Security
Objectives
After completing this chapter, you should be able to
do the following:
• Describe the challenges of securing information
• Define information security and explain why it is
important
• Identify the types of attackers that are common
today
• List the basic steps of an attack
• Describe the steps in a defense and a
comprehensive defense strategy
Security Awareness, 3rd Edition
Challenges of Securing Information
• No single simple solution to protecting computers
and securing information
• Different types of attacks
• Difficulties in defending against these attacks
Today’s Security Attacks
• Typical monthly security newsletter
– Malicious program was introduced in the
manufacturing process of a popular brand of digital
photo frames
– E-mail claiming to be from the United Nations (U.N.)
"Nigerian Government Reimbursement Committee"
is sent to unsuspecting users
– "Booby-trapped" Web pages are growing at an
increasing rate
– Mac computers can be the victim of attackers
Today’s Security Attacks (cont’d.)
• Security statistics
– 45 million credit and debit card numbers stolen
– Number of security breaches continues to rise
– Recent report revealed that the overall grade of 24
federal government agencies was only "C-"
Table 1-1 Selected security breaches involving
personal information in a three-month period
Course Technology/Cengage Learning
Difficulties in Defending Against
Attacks
• Speed of attacks
• Greater sophistication of attacks
• Simplicity of attack tools
• Quicker detection of vulnerabilities
– Zero day attack
• Delays in patching products
• Distributed attacks
• User confusion
Difficulties in Defending Against
Attacks (cont’d.)
Figure 1-1 Increased sophistication of attack tools
Course Technology/Cengage Learning
Difficulties in Defending Against
Attacks (cont’d.)
Figure 1-2 Menu of attack tools
Course Technology/Cengage Learning
Difficulties in Defending Against
Attacks (cont’d.)
Table 1-2 Difficulties in defending against attacks
Course Technology/Cengage Learning
What Is Information Security?
• Understand what information security is
• Why is information security important today?
• Who are the attackers?
Defining Information Security
• Security
– State of freedom from a danger or risk
• Information security
– Tasks of guarding information that is in a digital
format
– Ensures that protective measures are properly
implemented
– Protect information that has value to people and
organizations
• Value comes from the characteristics of the
information
Defining Information Security (cont’d.)
• Characteristics of information that must be
protected by information security
– Confidentiality
– Integrity
– Availability
• Achieved through a combination of three entities
– Products
– People
– Procedures
Defining Information Security (cont’d.)
Figure 1-3 Information security components
Course Technology/Cengage Learning
Defining Information Security (cont’d.)
Table 1-3 Information security layers
Course Technology/Cengage Learning
Information Security Terminology
• Asset
– Something that has a value
• Threat
– Event or object that may defeat the security
measures in place and result in a loss
– By itself does not mean that security has been
compromised
• Threat agent
– Person or thing that has the power to carry out a
threat
Information Security Terminology
(cont’d.)
• Vulnerability
– Weakness that allows a threat agent to bypass
security
• Exploiting the security weakness
– Taking advantage of the vulnerability
• Risk
– Likelihood that a threat agent will exploit a
vulnerability
– Some degree of risk must always be assumed
– Three options for dealing with risk
Information Security Terminology
(cont’d.)
Table 1-4 Security information terminology
Course Technology/Cengage Learning
Understanding the Importance of
Information Security
• Preventing data theft
– Theft of data is one of the largest causes of financial
loss due to an attack
– Affects businesses and individuals
• Thwarting identity theft
– Identity theft
• Using someone’s personal information to establish
bank or credit card accounts that are then left unpaid
• Leaves the victim with debts and ruins their credit
rating
– Legislation continues to be enacted
Understanding the Importance of
Information Security (cont’d.)
• Avoiding legal consequences
– Federal and state laws that protect the privacy of
electronic data
• The Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
• The Sarbanes-Oxley Act of 2002 (Sarbox)
• The Gramm-Leach-Bliley Act (GLBA)
• USA Patriot Act (2001)
• The California Database Security Breach Act
(2003)
• Children’s Online Privacy Protection Act of 1998
(COPPA)
Understanding the Importance of
Information Security (cont’d.)
• Maintaining productivity
– Lost wages and productivity during an attack and
cleanup
– Unsolicited e-mail messages are a security risk
• U.S. businesses forfeit $9 billion each year restricting
spam
• Foiling cyberterrorism
– Could cripple a nation’s electronic and commercial
infrastructure
– "Information Security Problem"
Who Are the Attackers?
• Divided into several categories
– Hackers
– Script kiddies
– Spies
– Employees
– Cybercriminals
– Cyberterrorists
Hackers
• Debated definition of hacker
– Anyone who illegally breaks into or attempts
to break into a computer system
– Person who uses advanced computer skills to attack
computers only to expose security flaws
• "White Hats"
Script Kiddies
• Unskilled users
• Use automated hacking software
• Do not understand the technology behind what
they are doing
• Often indiscriminately target a wide range of
computers
Spies
• Person who has been hired to break into a
computer and steal information
• Do not randomly search for unsecured computers
• Hired to attack a specific computer or system
• Goal
– Break into computer or system
– Take the information without drawing any attention
to their actions
Employees
• Reasons for attacks by employees
– Show company weakness in security
– Retaliation
– Money
– Blackmail
– Carelessness
Cybercriminals
• Loose-knit network of attackers, identity thieves,
and financial fraudsters
• Motivated by money
• Financial cybercrime categories
– Stolen financial data
– Spam email to sell counterfeits and pornography
Cybercriminals (cont’d.)
Table 1-6 Eastern European promotion of cybercriminals
Course Technology/Cengage Learning
Cyberterrorists
• Motivated by ideology
• Sometimes considered the attackers that should be
feared most
Attacks and Defenses
• Same basic steps are used in most attacks
• Protecting computers against these steps
– Calls for five fundamental security principles
Steps of an Attack
• Probe for information
• Penetrate any defenses
• Modify security settings
• Circulate to other systems
• Paralyze networks and devices
Figure 1-5 Steps of an attack
Course Technology/Cengage Learning
Defenses Against Attacks
• Layering
– If one layer is penetrated, several more layers must
still be breached
– Each layer is often more difficult or complicated than
the previous
– Useful in resisting a variety of attacks
• Limiting
– Limiting access to information reduces the threat
against it
– Technology-based and procedural methods
Defenses Against Attacks (cont’d.)
• Diversity
– Important that security layers are diverse
– Breaching one security layer does not compromise
the whole system
• Obscurity
– Avoiding clear patterns of behavior makes attacks
from the outside much more difficult
• Simplicity
– Complex security systems can be hard to
understand, troubleshoot, and feel secure about
Building a Comprehensive Security
Strategy
• Block attacks
– Strong security perimeter
• Part of the computer network to which a personal
computer is attached
– Local security important too
• Update defenses
– Continually update defenses to protect information
against new types of attacks
Building a Comprehensive Security
Strategy (cont’d.)
• Minimize losses
– Realize that some attacks will get through security
perimeters and local defenses
– Make backup copies of important data
– Business recovery policy
• Send secure information
– "Scramble" data so that unauthorized eyes cannot
read it
– Establish a secure electronic link between the
sender and receiver
Summary
• Attacks against information security have grown
exponentially in recent years
• Difficult to defend against today’s attacks
• Information security definition
– That which protects the integrity, confidentiality, and
availability of information
• Main goals of information security
– Prevent data theft, thwart identity theft, avoid the
legal consequences of not securing information,
maintain productivity, and foil cyberterrorism
Summary (cont’d.)
• Several types of people are typically behind
computer attacks
• Five general steps that make up an attack
• Practical, comprehensive security strategy involves
four key elements