CIS 2337 Fundamentals of Information Security

Agenda
1. Introductions
2. Syllabus
3. Assignments / Labs
4. Introduction to Information Security
Lesson 1 Introduction to Information Security
Introductions
Brian Compton
blcompton@gmail.com
Always put CIS2337 in the subject line of emails!!!
832.409.3711
Always leave a message!
• 15+ Years in IT
• B.A. in Organizational Leadership
• M.S. in Technology PM & InfoSec
• PMP and ITIL Certifications
• Currently: Director of Enterprise Technology at Leo A Daly
• When I’m not being an IT Geek….
Syllabus, Assignments, Labs
Syllabus / Schedule
Labs
• Lab 1 assigned today, due class #3
• Acceptable Use Policy
Team Presentation
• 10 minute security awareness presentation
• 10 teams
• Peer review part of presentation grade
Quizzes
• 3
• Random!
Blackboard
• Will be posting information, assignment submissions and grades
• Communicate announcements
What is Security?
How do you define security?
How does this apply to Information?
Information is power.
Secure
A system is secure when:
It does what it is supposed to do, and only what it is supposed to do . . .
The Internet was never designed to be secure; it was intended to be an open and flexible means of connecting nodes and networks across any physical or political boundary.
Core Components: People, Process, Technology
InfoSec Objectives: CIA
Three objectives of InfoSec: CIA
• Confidentiality
• Integrity
• Availability
Also includes
• Authorization
• Non-repudiation
• Auditability
Principles of Information Security
1. Absolute security does not exist
2. CIA
3. Defense in Depth
4. People make bad security decisions
The Security Problem
• Fifty years ago, computers and data were uncommon.
• Computer hardware was a high-value item and security was mainly a physical issue.
• Now, personal computers are ubiquitous and portable, making them much more difficult to secure physically.
• Computers are often connected to the Internet.
• The value of the data on computers often exceeds the value of the equipment.
Security Problem Cont.
• Electronic crime can take a number of different forms, but the ones we will examine here fall into two basic categories:
1. Crimes in which the computer was the target
2. Incidents in which a computer was used to perpetrate the act
Security Incidents
• The Morris Worm (November 1988)
• Citibank and Vladimir Levin (June–October 1994)
• Kevin Mitnick (February 1995)
• Zappos.com (2012)
• The Melissa Virus (March 1999)
• RSA (Spring 2011)
• Facebook – ongoing privacy issues
• The Love Letter Virus (May 2000)
• The Code Red Worm (2001)
• Adil Yahya Zakaria Shakour (August 2001–May 2002)
• The Slammer Worm (2003)
• Sony Online Entertainment (2011)
• Conficker (2008–2009)
• Fiber Cable Cut (2009)
Threats to Security
• Internal vs. external
• Elite hackers vs. script kiddies
• Unstructured threats to highly structured threats
Viruses and Worms
• It is important to draw a distinction between the writers of malware and those who release it.
• Viruses have no useful purpose. (REALLY??)
• Viruses and worms are the most common problem that an organization faces.
• Antivirus software and system patching can eliminate the largest portion of this threat.
• Viruses and worms generally are non-discriminating threats.
• Viruses are easily detected and generally not the tool of choice for highly structured attacks.
Malware
• Viruses and worms are just two types of malware threats.
• The term “malware” comes from “malicious software.”
• Malware is software that has a nefarious purpose, designed to cause problems to an individual (for example, identity theft) or your system.
Intruders
• Hacking is the act of deliberately accessing computer systems and networks without authorization.
• Hackers are individuals who conduct this activity.
• Hacking is not what Hollywood would have you believe.
• Unstructured threats are conducted over short periods of time (lasting at most a few months), do not involve a large number of individuals, have little financial backing, and are accomplished by insiders or outsiders who do not seek collusion with insiders.
Insiders
• Insiders are more dangerous in many respects than outside intruders because they have the access and knowledge necessary to cause immediate damage to an organization.
• Attacks by insiders are often the result of employees who have become disgruntled with their organization and are looking for ways to disrupt operations.
• It is also possible that an “attack” by an insider may be an accident and not intended as an attack at all.
Criminal Organizations
• As financial transactions over the Internet increased, criminal organizations followed the money.
• Fraud, extortion, theft, embezzlement, and forgery all take place in an electronic environment.
• A structured threat is characterized by a greater amount of planning, longer time to conduct the attack, and more financial backing than in an unstructured attack.
Information Warfare
• Computer and information assets are critical to countries
• The information / systems infrastructure is a legitimate target for unfriendly nations
• Same can be said of terrorist organizations
• Information warfare is an example of a highly structured attack
Security Trends
• Moved away from large mainframe server architecture to numerous small servers and workstations
• As the level of sophistication of attacks increased, the level of knowledge necessary to exploit vulnerabilities has decreased. (Automated tools)
• Average loss due to theft of proprietary info: $5.69 million in 2007
• Average loss due to financial fraud: $21.12 million in 2007
Security Trends Cont.
Four types of attacks are on the rise:
1. Unauthorized access
2. Theft/loss of proprietary information
3. Misuse of web applications
4. DNS attacks
Avenues of Attack
• There are two general reasons a particular system is attacked:
  • It is specifically targeted.
  • It is a target of opportunity.
• Equipment may be targeted because of the organization it belongs to or for political reasons.
• These attacks are decided before the software or equipment of the target is known.
• A hacktivist is a hacker who uses their skills for political purposes.
Avenues of Attack Cont.
• Targets of opportunity – attacks are conducted against a site that has software vulnerable to a specific exploit. In these instances, the attackers are not targeting the organization; instead, they are targeting a vulnerable device that happens to belong to the organization. (scanners)
• Targeted attacks – specifically targeted attacks generally are more difficult and take more time than targets of opportunity.
Types of Attacks
• If successful, an attack may produce one or more of the following:
– Loss of confidentiality – information is disclosed to individuals not authorized to see it.
– Loss of integrity – information is modified by individuals not authorized to change it.
– Loss of availability – information or the system processing it is not available for use by authorized users when they need the information.
Why Security is Hard
It is all about the details
• Technology
• Information
• Threats
The playing field continually changes
• Technology
• Information
• Threats
Many times Security involves Change
• Change is a burden – why us?
Security is viewed as a Cost
2012 Forecast
1. Malicious Android apps will increase
2. Utilities will get hacked, again
3. Election year! E-voting hijinx
4. People will continue to overshare (Facebook, Twitter, etc…)
5. Hacktivism will continue & increase (Anonymous)
Source: c|net news