ITSY 2430 - Chapter Guide 01

Introduction to Security
Lecture Notes
v9781428340664
Prof. Michael P. Harris
Overview
This chapter introduces security fundamentals that form the basis of the Security+
certification. It begins by examining the current challenges in computer security and
why it is so difficult to achieve. It then describes information security in more detail
to see why it is important. Next, the chapter looks at who is responsible for these
attacks and what are the fundamental defenses against attackers. Finally, it explores
the types of computer security careers for IT professionals and introduces the
CompTIA Security+ certification.
Chapter Objectives
Describe the challenges of securing information
Define information security and explain why it is important
Identify the types of attackers that are common today
List the basic steps of an attack
Describe the five steps in a defense
Explain the different types of information security careers and how the Security+
certification can enhance a security career
Challenges of Securing Information
There is no simple solution to securing information. This can be seen through the different
types of attacks that users face today, as well as the difficulties in defending against these
attacks.
Today’s Security Attacks
1. Typical security warnings:
a. A malicious program was introduced at some point in the manufacturing
process of a popular brand of digital photo frames.
b. A Nigerian e-mail scam claimed to be sent from the U.N.
c. “Booby-trapped” Web pages are growing at an increasing rate.
d. A new worm disables Microsoft Windows Automatic Updating and the Task
Manager.
e. Apple has issued an update to address 25 security flaws in its operating
system OS X.
f. The Anti-Phishing Working Group (APWG) reports that the number of unique
phishing sites continues to increase.
g. Researchers at the University of Maryland attached four computers equipped
with weak passwords to the Internet for 24 days to see what would happen.
These computers were hit by an intrusion attempt on average once every 39
seconds.
Ch. 01 - Security+ Guide to Network Security Fundamentals, 3rd Edition
Page 2 of 7
2. Security statistics bear witness to the continual success of attackers:
a. TJX Companies, Inc. reported that over 45 million customer credit card and
debit card numbers were stolen by attackers over an 18 month period from
2005 to 2007.
b. Table 1-1 lists some of the major security breaches that occurred during a
three-month period.
c. The total average cost of a data breach in 2007 was $197 per record
compromised.
d. A recent report revealed that of 24 federal government agencies, the overall
grade was only “C−”.
Tip
Phishing Web sites are well known for suddenly appearing and then disappearing to
reduce the risk of being traced. The average time a site is online according to the
APWG (Anti-Phishing Working Group) is only four days (www.antiphishing.org).
Tip
The US-CERT security bulletin is available at www.us-cert.gov/cas/bulletins/.
Difficulties in Defending against Attacks
1. Speed of attacks
2. Greater sophistication of attacks
3. Simplicity of attack tools (see Figures 1-1 and 1-2)
4. Attackers can detect vulnerabilities more quickly and more readily exploit
these vulnerabilities
5. Delays in patching hardware and software products
6. Most attacks are now distributed attacks, instead of coming from only one
source
7. User confusion
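Items 1 and 6 above (speed, and attacks arriving from many sources rather than one) are exactly what a defender has to detect on a host like the University of Maryland test machines. The following is an added example, not part of the original lecture notes or the textbook: it parses constructed OpenSSH-style "Failed password" log lines (sample data, not a real capture) and raises two kinds of alert, one source hammering one host, and one account being hit from many sources at once. The 60-second window and the threshold of five are assumptions to be tuned for a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH auth-log format (not a real capture).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 50001 ssh2
Mar  3 10:00:03 host sshd[2002]: Failed password for root from 203.0.113.5 port 50002 ssh2
Mar  3 10:00:05 host sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2
Mar  3 10:00:07 host sshd[2004]: Failed password for root from 203.0.113.5 port 50004 ssh2
Mar  3 10:00:09 host sshd[2005]: Failed password for root from 203.0.113.5 port 50005 ssh2
Mar  3 10:00:11 host sshd[2006]: Failed password for root from 203.0.113.5 port 50006 ssh2
Mar  3 10:01:00 host sshd[2010]: Failed password for alice from 198.51.100.10 port 40001 ssh2
Mar  3 10:01:02 host sshd[2011]: Failed password for alice from 198.51.100.11 port 40002 ssh2
Mar  3 10:01:04 host sshd[2012]: Failed password for alice from 198.51.100.12 port 40003 ssh2
Mar  3 10:01:06 host sshd[2013]: Failed password for alice from 198.51.100.13 port 40004 ssh2
Mar  3 10:01:08 host sshd[2014]: Failed password for alice from 198.51.100.14 port 40005 ssh2
Mar  3 10:05:00 host sshd[2020]: Failed password for bob from 192.0.2.7 port 30001 ssh2
Mar  3 10:05:30 host sshd[2021]: Accepted password for bob from 192.0.2.7 port 30002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(text, year=2024):
    """Extract (timestamp, user, source IP) for every failed login.
    Syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["src"]))
    return events


def _max_in_window(items, window_s, distinct=None):
    """Largest number of items (or of distinct item[distinct] values) that fall
    inside any window_s-second span. items are tuples whose first field is a datetime."""
    items = sorted(items, key=lambda it: it[0])
    best = lo = 0
    for hi, item in enumerate(items):
        while (item[0] - items[lo][0]).total_seconds() > window_s:
            lo += 1
        span = items[lo:hi + 1]
        size = len(span) if distinct is None else len({it[distinct] for it in span})
        best = max(best, size)
    return best


def detect_bruteforce(events, window_s=60, threshold=5):
    """Two detections (window and threshold are assumptions):
    single_source: one IP produced >= threshold failures inside the window;
    distributed:   one account was tried from >= threshold distinct IPs inside
                   the window, which a per-IP rate limit alone would never see."""
    by_src, by_user = defaultdict(list), defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
        by_user[user].append((ts, src))
    alerts = {"single_source": {}, "distributed": {}}
    for src, items in by_src.items():
        n = _max_in_window(items, window_s)
        if n >= threshold:
            alerts["single_source"][src] = n
    for user, items in by_user.items():
        n = _max_in_window(items, window_s, distinct=1)
        if n >= threshold:
            alerts["distributed"][user] = n
    return alerts


if __name__ == "__main__":
    print(detect_bruteforce(parse_failures(SAMPLE_LOG)))
```

On the sample data the first detection fires for 203.0.113.5 (six failures in ten seconds) and the second for the account alice, which no single source touched more than once; the successful login for bob after one failure is left alone.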
What Is Information Security?
1. Security can be defined as a state of freedom from a danger or risk that exists
because protective measures are established and maintained.
2. Information security is the task of guarding information that is in a digital format.
It ensures that protective measures are properly implemented. Information security
cannot completely prevent attacks or guarantee that a system is totally secure.
3. Information security is intended to protect information that has value to people and
organizations. That value comes from the characteristics (CIA) of the information:
a. Confidentiality
b. Integrity
c. Availability
4. Information security is achieved through a combination of these three entities. See
Figure 1-3 and Table 1-3.
5. A more comprehensive definition of Information Security is that which protects the
Confidentiality, Integrity, and Availability of information on the devices that store,
manipulate, and transmit the information through products, people, and procedures.
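A concrete instance of the integrity property, as an added example that is not from the textbook or the original notes: an HMAC tag computed under a secret key lets the receiver detect that a stored or transmitted record was altered. The key, the record and the tampering are constructed for the illustration. Note what it does not give: the record stays readable by anyone, so confidentiality would still need encryption.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def protect(record: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed under a secret key. Anyone can still
    read the record (no confidentiality), but nobody without the key can change
    it and still produce a matching tag (integrity)."""
    return record + hmac.new(key, record, hashlib.sha256).digest()


def verify(blob: bytes, key: bytes):
    """Return the record if its tag is valid, otherwise None. The comparison is
    constant-time so an attacker cannot recover the tag byte by byte from timing."""
    if len(blob) < TAG_LEN:
        return None
    record, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    return record if hmac.compare_digest(tag, expected) else None


def demo(key: bytes = None):
    """Constructed scenario: a protected record, a one-byte change to the amount,
    and a check under the wrong key. Returns three booleans."""
    key = key or os.urandom(32)  # assumption: the key was shared out of band
    record = b"transfer 100.00 to account 4455"
    blob = protect(record, key)
    intact = verify(blob, key) == record
    # Attacker rewrites "100.00" as "900.00" without knowing the key.
    tampered = blob[:9] + b"9" + blob[10:]
    tamper_detected = verify(tampered, key) is None
    wrong_key_rejected = verify(blob, os.urandom(32)) is None
    return intact, tamper_detected, wrong_key_rejected


if __name__ == "__main__":
    print(demo())
```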
Tip
The Confidentiality, Integrity, and Availability of information is known as CIA.
Information Security Terminology
1. Define the following information security terms:
a. Asset
b. Threat
c. Threat agent
d. Vulnerability
2. See Figure 1-4 and Table 1-4 to illustrate the terminology above.
Understanding the Importance of Information Security
1. The main goals of information security are to prevent data theft, thwart identity
theft, avoid the legal consequences of not securing information, maintain
productivity, and foil cyberterrorism.
2. Security is often associated with theft prevention. The theft of data is one of the
largest causes of individual and corporate financial loss due to an attack.
3. Identity theft involves using someone’s personal information to establish bank or
credit card accounts that are then left unpaid, leaving the victim with the debts and
ruining their credit rating.
4. A number of federal and state laws have been enacted to protect the privacy of
electronic data, including the following:
a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
b. The Sarbanes-Oxley Act of 2002 (Sarbox)
c. The Gramm-Leach-Bliley Act (GLBA)
d. USA Patriot Act (2001)
e. The California Database Security Breach Act (2003)
f. Children’s Online Privacy Protection Act of 1998 (COPPA)
Tip
In 2008, California extended its data breach notification law (item e above) to encompass
incidents involving electronic medical and health insurance information.
5. Cleaning up after an attack diverts resources such as time and money away from
normal activities. See Table 1-5.
6. Cyberterrorism can be defined as attacks by terrorist groups using computer
technology and the Internet. Utility, telecommunications, and financial services
companies are considered prime targets of cyberterrorists.
Who Are the Attackers?
The types of people behind computer attacks are generally divided into several categories.
These include hackers, script kiddies, spies, employees, cybercriminals, and cyberterrorists.
Hackers
1. The term hacker in a generic sense means anyone who illegally breaks into or
attempts to break into a computer system. In a more narrow sense, hacker means a
person who uses advanced computer skills to attack computers only to expose
security flaws.
2. Although breaking into another person's computer system is illegal, some hackers
believe it is ethical as long as they do not commit theft, vandalism, or breach any
confidentiality.
Tip
Security vulnerabilities, however, can be exposed in ways other than attacking
another computer without the owner's consent, and most security professionals would
not refer to themselves as hackers.
Script Kiddies
1. Script kiddies are unskilled users who want to break into computers to create damage.
They download automated hacking software (scripts) from Web sites and use it to
break into computers.
2. Script kiddies are sometimes considered more dangerous than hackers. They tend to
be computer users who have almost unlimited amounts of leisure time, which they
can use to attack systems.
Spies
1. A computer spy is a person who has been hired to break into a computer and steal
information.
2. Spies are hired to attack a specific computer or system that contains sensitive
information. Their goal is to break into that computer or system and take the
information without drawing any attention to their actions.
3. Spies, like hackers, possess excellent computer skills.
Employees
1. One of the largest information security threats to a business actually comes from an
unlikely source: its employees.
2. Some of the reasons an employee would break into their company's computer,
include:
a. An employee might want to show the company a weakness in their security
b. Disgruntled employees may be intent on retaliating against the company
c. Industrial espionage
d. Blackmailing
Cybercriminals
1. Cybercriminals are a loose-knit network of attackers, identity thieves, and financial
fraudsters. They are described as more highly motivated, less risk-averse, better
funded, and more tenacious than hackers.
2. Many security experts believe that cybercriminals belong to organized gangs of young
and mostly Eastern European attackers. See Table 1-6.
3. Cybercriminals have a more focused goal that can be summed up in a single word:
money.
4. Cybercrime is targeted attacks against financial networks, unauthorized access to
information, and the theft of personal information.
5. Financial cybercrime is often divided into two categories:
a. Trafficking in stolen credit card numbers and financial information
b. Using spam to commit fraud
Tip
Cybercriminals often meet in online "underground" forums that have names like
DarkMarket.org and theftservices.com. The purpose of these meetings is to trade
information and coordinate attacks around the world.
Cyberterrorists
1. The motivation of cyberterrorists may be defined as ideology, or attacking for the
sake of their principles or beliefs.
2. Goals of a cyberattack may be:
a. to deface electronic information and spread misinformation and propaganda
b. to deny service to legitimate computer users
c. to commit unauthorized intrusions into systems and networks that result in
critical infrastructure outages and corruption of vital data.
Tip
Cyberterrorists are considered the attackers that should be feared the most,
for it is almost impossible to predict when or where an attack may occur.
Attacks and Defenses
1. Although there are a wide variety of attacks that can be launched against a computer
or network, the same basic steps are used in most attacks.
2. Protecting computers against these steps in an attack calls for five fundamental
security principles.
Steps of an Attack
The five steps that make up an attack:
1. Probe for information
2. Penetrate any defenses
3. Modify security settings
4. Circulate to other systems
5. Paralyze networks and devices
Defenses against Attacks
Although multiple defenses may be necessary to withstand an attack, these
defenses should be based on five fundamental security principles: layering,
limiting, diversity, obscurity, and simplicity.
Layering ― Defense-in-Depth (DiD)
1. Information security must be created in layers, an approach known as defense in depth (DiD).
2. One defense mechanism may be relatively easy for an attacker to circumvent.
Instead, a security system must have layers, making it unlikely that an attacker
has the tools and skills to break through all the layers of defenses.
3. A layered approach can also be useful in resisting a variety of attacks. Layered
security provides the most comprehensive protection.
Limiting
1. Limiting access to information reduces the threat against it.
2. Only those who must use data should have access to it. In addition, the amount of
access granted to someone should be limited to what that person needs to know.
3. Some ways to limit access are technology-based, while others are procedural.
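One technology-based way of limiting access, as an added example that is not the textbook's code: audit a directory for files that grant read or write to everyone on the system, then tighten each one to owner-only. It runs against a temporary directory with constructed files, so the file names are illustrative rather than real assets, and the model is POSIX mode bits (the "other" class is everyone who is neither the owner nor in the group).

```python
import os
import stat
import tempfile


def other_bits(path: str) -> str:
    """Letters for the permissions granted to 'other' (everyone) on path."""
    mode = os.stat(path).st_mode
    return "".join(letter for flag, letter in ((stat.S_IROTH, "r"), (stat.S_IWOTH, "w"))
                   if mode & flag)


def audit(root: str):
    """List files under root that anyone on the system can read or write.
    Returns sorted (relative path, bits) pairs; an empty list means clean."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            bits = other_bits(path)
            if bits:
                findings.append((os.path.relpath(path, root), bits))
    return sorted(findings)


def tighten(path: str) -> None:
    """Least privilege for a private file: the owner may read and write, nobody else (0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def demo():
    """Constructed fixture: a private key left world-readable, a log left
    world-writable, and a group-only file that already needs no change."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"keys/id_rsa": 0o644, "app.log": 0o666, "notes.txt": 0o640}
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
            os.chmod(path, mode)
        before = audit(root)
        for rel, _ in before:
            tighten(os.path.join(root, rel))
        after = audit(root)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The audit answers the question in the tip below ("what level of access should users have?") for one kind of object: every hit in the "before" list is access nobody asked for, and the "after" list is empty because each file now carries only what its owner needs.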
Tip
What level of access should users have? The best answer is the least amount necessary
to do their jobs, and no more.
Diversity
1. Layers must be different (diverse) so that if attackers penetrate one layer, they
cannot use the same techniques to break through all other layers.
2. Using diverse layers of defense means that breaching one security layer does not
compromise the whole system.
Obscurity
1. An example of obscurity is not revealing the type of computer, operating system,
software, and network connection that a computer uses. An attacker who knows
that information can more easily determine the weaknesses of the system.
2. Obscuring information can be an important way to protect information, but only as
one layer alongside the others: a system whose protection rests solely on keeping its
design or configuration secret is compromised the moment that secret leaks.
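The notes' example of obscurity, not revealing the operating system and software, shows up in practice as HTTP response headers. Added example, not from the textbook: a check that reports headers naming a specific software version, run against two constructed responses, one that leaks and one hardened. The header names and version strings are illustrative.

```python
import re

# Headers that commonly carry product and version information.
VERSION_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")  # a dotted version number such as 2.4.57

# Constructed responses (not captured from a real host).
LEAKY = """HTTP/1.1 200 OK
Server: Apache/2.4.57 (Ubuntu)
X-Powered-By: PHP/8.1.2
Content-Type: text/html
"""

HARDENED = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
X-Content-Type-Options: nosniff
"""


def parse_headers(raw: str):
    """Split a raw response into (name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def disclosed_versions(raw: str):
    """Return the headers that tell an attacker exactly which software version is running."""
    return [(name, value) for name, value in parse_headers(raw)
            if name.lower() in VERSION_HEADERS and VERSION_RE.search(value)]


if __name__ == "__main__":
    print(disclosed_versions(LEAKY))     # leaks Apache and PHP versions
    print(disclosed_versions(HARDENED))  # nothing to report
```

The hardened response is what Apache emits with `ServerTokens Prod` and PHP with `expose_php = Off`. The caveat from the principle applies here too: hiding the banner removes the attacker's shortcut, but an unpatched version can still be fingerprinted from its behaviour, so the check complements patching rather than replacing it.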
Simplicity
1. Information security is by its very nature complex. Complex security systems can
be hard to understand, troubleshoot, and feel secure about.
2. As much as possible, a secure system should be simple for those on the inside to
understand and use. Complex security schemes are often compromised to make
them easier for trusted users to use. Keeping a system simple from the inside but
complex on the outside can sometimes be difficult but reaps a major benefit.
Surveying Information Security Careers & the Security+ Certification
1. Today, businesses and organizations require employees and even prospective
applicants to demonstrate that they are familiar with computer security practices.
2. Many organizations use the CompTIA Security+ cert to verify security competency.
Types of Information Security Jobs
1. Information Assurance (IA) is a superset of information security, including security
issues that do not involve computers.
2. IA covers a broader area than just basic technology defense tools and tactics. It also
includes reliability, strategic risk management, and corporate governance issues such
as privacy, compliance, audits, business continuity, and disaster recovery.
3. IA is interdisciplinary and individuals who are employed in it may come from
different fields of study.
4. Information Security (InfoSec), also called computer security, involves the tools and
tactics to defend against computer attacks. Information security does not include
security issues that do not involve computers.
CompTIA Security+ Certification
1. CompTIA Security+ (2008 Edition) cert is the premier vendor-neutral credential.
2. The Security+ exam is internationally recognized foundation-level validation of
security skills & knowledge used by organizations & security pros around the world.
3. The skills & knowledge measured by the Security+ exam are derived from an
industry-wide Job Task Analysis (JTA). The six domains covered by the Security+ exam are
Systems Security, Network Infrastructure, Access Control, Assessments and Audits,
Cryptography, and Organizational Security.
Key Terms:
availability Ensures that data is accessible to authorized users.
California Database Security Breach Act A state act that requires disclosure to California residents if a breach of
personal information has or is believed to have occurred.
Children’s Online Privacy Protection Act (COPPA) A U.S. federal act that requires operators of online services or
Web sites directed at children under the age of 13 to obtain parental consent prior to the collection, use, disclosure,
or display of a child’s personal information.
confidentiality Ensures that only authorized parties can view the information.
cybercrime Targeted attacks against financial networks, unauthorized access to information, and the theft of
personal information.
cybercriminals A loose-knit network of attackers, identity thieves, and financial fraudsters that are more highly
motivated, less risk-averse, better funded, and more tenacious than hackers.
cyberterrorism Attacks by cyberterrorists that could cripple a nation’s electronic and commercial infrastructure.
exploit To take advantage of a vulnerability.
Gramm-Leach-Bliley Act (GLBA) A U.S. federal act that requires private data to be protected by banks and other
financial institutions.
hacker (1) Anyone who illegally breaks into or attempts to break into a computer system; (2) A person who uses
advanced computer skills to attack computers but not with malicious intent.
Health Insurance Portability and Accountability Act (HIPAA) A U.S. federal act that requires healthcare enterprises
to guard protected health information.
identity theft Using someone’s personal information, such as a Social Security number, to establish bank or credit
card accounts that are then left unpaid, leaving the victim with the debts and ruining their credit rating.
information assurance (IA) A superset of info security including security issues that do not involve computers.
information security The tasks of guarding information that is in a digital format, protects the integrity,
confidentiality, and availability of information on the devices that store, manipulate, and transmit the information
through products, people, and procedures.
integrity Ensures that information is correct and no unauthorized person or malicious software has altered that data.
risk The likelihood that a threat agent will exploit a vulnerability.
Sarbanes-Oxley Act (Sarbox) A U.S. federal act that enforces reporting requirements and internal controls on
electronic financial reporting systems.
script kiddie An unskilled user who downloads automated attack software to attack computers.
signature-based defense A method that identifies malware by matching it to an antivirus signature file.
spy A person who has been hired to break into a computer and steal information.
threat An event or action that may defeat the security measures in place and result in a loss.
USA Patriot Act A U.S. federal act that broadens the surveillance of law enforcement agencies to enhance the
detection and suppression of terrorism.
vulnerability A weakness that allows a threat agent to bypass security.
zero day attack An attack that occurs when an attacker discovers and exploits a previously unknown flaw, providing
“zero days” of warning.