About the Presentations • The presentations cover the objectives found in the opening of each chapter. • All chapter objectives are listed in the beginning of each presentation. • You may customize the presentations to fit your class needs. • Some figures from the chapters are included. A complete set of images from the book can be found on the Instructor Resources disc. Security Awareness Chapter 1 Introduction to Security Objectives After completing this chapter, you should be able to do the following: • Describe the challenges of securing information • Define information security and explain why it is important • Identify the types of attackers that are common today • List the basic steps of an attack • Describe the steps in a defense and a comprehensive defense strategy Security Awareness, 3rd Edition 3 Challenges of Securing Information • No single simple solution to protecting computers and securing information • Different types of attacks • Difficulties in defending against these attacks Security Awareness, 3rd Edition 4 Today’s Security Attacks • Typical monthly security newsletter – Malicious program was introduced in the manufacturing process of a popular brand of digital photo frames – E-mail claiming to be from the United Nations (U.N.) ‘‘Nigerian Government Reimbursement Committee’’ is sent to unsuspecting users – ‘‘Booby-trapped’’ Web pages are growing at an increasing rate – Mac computers can be the victim of attackers Security Awareness, 3rd Edition 5 Today’s Security Attacks (cont’d.) • Security statistics – 45 million credit and debit card numbers stolen – Number of security breaches continues to rise – Recent report revealed that of 24 federal government agencies overall grade was only ‘‘C-’’ Security Awareness, 3rd Edition 6 Table 1-1 Selected security breaches involving personal information in a three-month period Course Technology/Cengage Learning Security Awareness, 3rd Edition 7 Difficulties in Defending Against Attacks • • • • Speed of attacks Greater sophistication of attacks Simplicity of attack tools Quicker detection of vulnerabilities – Zero day attack • Delays in patching products • Distributed attacks • User confusion Security Awareness, 3rd Edition 8 Difficulties in Defending Against Attacks (cont’d.) Figure 1-1 Increased sophistication of attack tools Course Technology/Cengage Learning Security Awareness, 3rd Edition 9 Difficulties in Defending Against Attacks (cont’d.) Figure 1-2 Menu of attack tools Course Technology/Cengage Learning Security Awareness, 3rd Edition 10 Difficulties in Defending Against Attacks (cont’d.) Table 1-2 Difficulties in defending against attacks Course Technology/Cengage Learning Security Awareness, 3rd Edition 11 What Is Information Security? • Understand what information security is • Why is information security important today? • Who are the attackers? Security Awareness, 3rd Edition 12 Defining Information Security • Security – State of freedom from a danger or risk • Information security – Tasks of guarding information that is in a digital format – Ensures that protective measures are properly implemented – Protect information that has value to people and organizations • Value comes from the characteristics of the information Security Awareness, 3rd Edition 13 Defining Information Security (cont’d.) • Characteristics of information that must be protected by information security – Confidentiality – Integrity – Availability • Achieved through a combination of three entities – Products – People – Procedures Security Awareness, 3rd Edition 14 Defining Information Security (cont’d.) Figure1-3 Information security components Course Technology/Cengage Learning Security Awareness, 3rd Edition 15 Defining Information Security (cont’d.) Table 1-3 Information security layers Course Technology/Cengage Learning Security Awareness, 3rd Edition 16 Information Security Terminology • Asset – Something that has a value • Threat – Event or object that may defeat the security measures in place and result in a loss – By itself does not mean that security has been compromised • Threat agent – Person or thing that has the power to carry out a threat Security Awareness, 3rd Edition 17 Information Security Terminology (cont’d.) • Vulnerability – Weakness that allows a threat agent to bypass security • Exploiting the security weakness – Taking advantage of the vulnerability • Risk – Likelihood that a threat agent will exploit a vulnerability – Some degree of risk must always be assumed – Three options for dealing with risk Security Awareness, 3rd Edition 18 Information Security Terminology (cont’d.) Table 1-4 Security information terminology Course Technology/Cengage Learning Security Awareness, 3rd Edition 19 Understanding the Importance of Information Security • Preventing data theft – Theft of data is one of the largest causes of financial loss due to an attack – Affects businesses and individuals • Thwarting identity theft – Identity theft • Using someone’s personal information to establish bank or credit card accounts that are then left unpaid • Leaves the victim with debts and ruins their credit rating – Legislation continues to be enacted Security Awareness, 3rd Edition 20 Understanding the Importance of Information Security (cont’d.) • Avoiding legal consequences – Federal and state laws that protect the privacy of electronic data • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) • The Sarbanes-Oxley Act of 2002 (Sarbox) • The Gramm-Leach-Bliley Act (GLBA) • USA Patriot Act (2001) • The California Database Security Breach Act (2003) • Children’s Online Privacy Protection Act of 1998 (COPPA) Security Awareness, 3rd Edition 21 Understanding the Importance of Information Security (cont’d.) • Maintaining productivity – Lost wages and productivity during an attack and cleanup – Unsolicited e-mail message security risk • U.S. businesses forfeit $9 billion each year restricting spam • Foiling cyberterrorism – Could cripple a nation’s electronic and commercial infrastructure – ‘‘Information Security Problem’’ Security Awareness, 3rd Edition 22 Who Are the Attackers? • Divided into several categories – – – – – – Hackers Script kiddies Spies Employees Cybercriminals Cyberterrorists Security Awareness, 3rd Edition 23 Hackers • Debated definition of hacker – Identify anyone who illegally breaks into or attempts to break into a computer system – Person who uses advanced computer skills to attack computers only to expose security flaws • ‘‘White Hats’ Security Awareness, 3rd Edition 24 Script Kiddies • Unskilled users • Use automated hacking software • Do not understand the technology behind what they are doing • Often indiscriminately target a wide range of computers Security Awareness, 3rd Edition 25 Spies • Person who has been hired to break into a computer and steal information • Do not randomly search for unsecured computers • Hired to attack a specific computer or system • Goal – Break into computer or system – Take the information without drawing any attention to their actions Security Awareness, 3rd Edition 26 Employees • Reasons for attacks by employees – – – – – Show company weakness in security Retaliation Money Blackmail Carelessness Security Awareness, 3rd Edition 27 Cybercriminals • Loose-knit network of attackers, identity thieves, and financial fraudsters • Motivated by money • Financial cybercrime categories – Stolen financial data – Spam email to sell counterfeits and pornography Security Awareness, 3rd Edition 28 Cybercriminals (cont’d.) Table 1-6 Eastern European promotion of cybercriminals Course Technology/Cengage Learning Security Awareness, 3rd Edition 29 Cyberterrorists • Motivated by ideology • Sometimes considered attackers that should be feared most Security Awareness, 3rd Edition 30 Attacks and Defenses • Same basic steps are used in most attacks • Protecting computers against these steps – Calls for five fundamental security principles Security Awareness, 3rd Edition 31 Steps of an Attack • • • • • Probe for information Penetrate any defenses Modify security settings Circulate to other systems Paralyze networks and devices Security Awareness, 3rd Edition 32 Figure 1-5 Steps of an attack Course Technology/Cengage Learning Security Awareness, 3rd Edition 33 Defenses Against Attacks • Layering – If one layer is penetrated, several more layers must still be breached – Each layer is often more difficult or complicated than the previous – Useful in resisting a variety of attacks • Limiting – Limiting access to information reduces the threat against it – Technology-based and procedural methods Security Awareness, 3rd Edition 34 Defenses Against Attacks (cont’d.) • Diversity – Important that security layers are diverse – Breaching one security layer does not compromise the whole system • Obscurity – Avoiding clear patterns of behavior make attacks from the outside much more difficult • Simplicity – Complex security systems can be hard to understand, troubleshoot, and feel secure about Security Awareness, 3rd Edition 35 Building a Comprehensive Security Strategy • Block attacks – Strong security perimeter • Part of the computer network to which a personal computer is attached – Local security important too • Update defenses – Continually update defenses to protect information against new types of attacks Security Awareness, 3rd Edition 36 Building a Comprehensive Security Strategy (cont’d.) • Minimize losses – Realize that some attacks will get through security perimeters and local defenses – Make backup copies of important data – Business recovery policy • Send secure information – ‘‘Scramble’’ data so that unauthorized eyes cannot read it – Establish a secure electronic link between the sender and receiver Security Awareness, 3rd Edition 37 Summary • Attacks against information security have grown exponentially in recent years • Difficult to defend against today’s attacks • Information security definition – That which protects the integrity, confidentiality, and availability of information • Main goals of information security – Prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism Security Awareness, 3rd Edition 38 Summary (cont’d.) • Several types of people are typically behind computer attacks • Five general steps that make up an attack • Practical, comprehensive security strategy involves four key elements Security Awareness, 3rd Edition 39