CHAPTER ONE
INFORMATION SECURITY FUNDAMENTALS

Copyright © 2005 by Course Technology. All rights reserved. This publication is protected by federal copyright law. No part of this publication may be reproduced without prior permission in writing from Course Technology. Some of the product names and company names have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.

If you could somehow visit rural America from 50 years ago, you would probably notice how open and unrestricted everything seemed to be. Front doors to homes were left unlocked while the occupants visited friends out of town. Windows were propped open on warm summer nights as children slept. Complete strangers were invited into homes for a meal and a place to stay. Flying on a commercial airliner, although not commonplace, involved little more than walking onto the plane. Little thought needed to be given to individual security.

Since then, our world has changed significantly. Our homes and apartments are locked tight. Strangers are shunned. A visit to the airport to catch a plane has become an ordeal: we park our cars far from the terminal, have our luggage x-rayed for weapons, walk through metal detectors, and present photo identification cards every step of the way—all this before we even board the airplane. Ours has become the age of wariness and watchfulness.

Just as a changing world has affected the security of our daily lives, so too has it dramatically changed how we use and maintain computers and networks. Ten years ago, firewalls, intrusion-detection systems (IDSs), antivirus software, and operating system updates were rare. Today, the national evening news might open with a story on the latest worldwide computer virus attack.
Our e-mail in-boxes are constantly scanned for suspicious attachments that might contain a harmful virus. Computer network managers work overtime to build the latest security defenses and keep them up-to-date. Computer attacks via the Internet are ever present, making computer security one of our prime concerns.

The demand for information technology (IT) professionals who know how to protect networks and computers from attacks is at an all-time high. Today businesses and organizations require employees and prospective employees to demonstrate that they are familiar with computer security practices. Many organizations use the CompTIA Security+ certification to verify security competence. As the most widely recognized vendor-neutral security certification, Security+ has become the security foundation for IT professionals.

This chapter introduces the fundamentals of Security+ network security. It begins by examining the current challenges in network security. You will see why network security is important and learn to define information security and the terminology that it uses. You will also explore the CompTIA Security+ certification for IT professionals, and survey the types of careers open in the information security field.

IDENTIFYING THE CHALLENGES FOR INFORMATION SECURITY

The challenge of keeping networks and computers secure has never been greater. A number of trends illustrate why security is becoming increasingly difficult. These include:

■ Speed of attacks—With modern tools at their disposal, attackers can quickly scan systems to find weaknesses and then launch attacks with unprecedented speed. For example, in 2003, the Slammer worm infected 75,000 computers in the first 11 minutes after it was released, and infections doubled every 8.5 seconds. At its peak, Slammer was scanning 55 million computers per second looking for a computer to infect.
Later that year, the Blaster worm infected 138,000 computers in its first four hours and eventually infected over 1.4 million computers. Many tools can now initiate new attacks without any human intervention, increasing their speed.

■ Sophistication of attacks—Security attacks are becoming more complex. Some attacker tools vary their behavior so the same attack appears differently each time, making detection very difficult. Attackers now use protocols such as the Hypertext Transfer Protocol (HTTP) to send data or commands to attack computers, making it difficult to distinguish an attack from legitimate network traffic.

■ Faster detection of weaknesses—The number of newly discovered system vulnerabilities doubles annually, making it more difficult for software developers to keep pace updating their products. One of the looming fears is the increasing number of day zero attacks. While most attacks take advantage of vulnerabilities that someone has already uncovered, a day zero attack occurs when an attacker discovers and exploits a previously unknown flaw. Providing no warning, a day zero attack can be especially crippling to networks and computers because the attack runs rampant while time is spent trying to identify the vulnerability.

■ Distributed attacks—Attackers can now use hundreds or thousands of computers in an attack against a single computer or network. This “many against one” approach makes it impossible to stop an attack by identifying and blocking the source.
■ Difficulties in patching—One of the primary defenses against attacks is applying patches, software that repairs security flaws and other problems in an application or operating system. However, managing patches and knowing which ones to install can be difficult. Most attacks have been successful because users did not apply patches that had been released long before the attack occurred. Table 1-1 shows the interval between the release of a patch to address a security weakness and an attack exploiting that particular weakness.

The Gartner Group estimates that by 2006 more than 30% of attacks worldwide will be day zero attacks, or attacks that occur before a vulnerability is discovered or a fix is available.

To apply the concepts in this topic, see Hands-On Project 1-1 at the end of this chapter.
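To make the patch-to-attack interval of Table 1-1 concrete, here is an added Python example (not from the textbook) that recomputes each attack's exposure window from the table's dates, checks the printed Days column, and counts how many attacks began after a patch-deployment window; the rows are transcribed from Table 1-1, and the 30-day window is an assumed policy value, not a figure from the chapter.

```python
from datetime import date, datetime
from statistics import median

# Rows transcribed from Table 1-1: (attack, date patch first issued,
# date attack began, "Days between Patch and Attack" as printed).
TABLE_1_1 = [
    ("Bugbear",     "5/16/01",  "9/30/02",  502),
    ("Yaha",        "5/16/01",  "6/22/02",  402),
    ("Frethem",     "5/16/01",  "06/01/02", 381),
    ("ELKern",      "5/16/01",  "4/17/02",  336),
    ("Klez",        "5/16/01",  "4/17/02",  336),
    ("Nimda",       "10/17/00", "9/18/01",  336),
    ("Badtrans",    "5/16/01",  "11/24/01", 192),
    ("SQL Slammer", "7/24/02",  "1/25/03",  185),
    ("Code Red",    "6/18/01",  "7/19/01",  31),
    ("Blaster",     "7/16/03",  "8/11/03",  26),
]


def parse_us_date(text: str) -> date:
    """Parse the table's M/D/YY dates; two-digit years here all fall in 2000-2003."""
    return datetime.strptime(text, "%m/%d/%y").date()


def exposure_days(patch: str, attack: str) -> int:
    """Days between the patch release and the attack: the window in which
    a system that never applied the patch was exposed."""
    return (parse_us_date(attack) - parse_us_date(patch)).days


def check_table() -> list:
    """Return the names of rows whose printed Days column disagrees with
    the dates; an empty list means the table's arithmetic is consistent."""
    return [name for name, p, a, printed in TABLE_1_1
            if exposure_days(p, a) != printed]


def summarize(window_days: int = 30) -> dict:
    """Summarize the exposure windows against a patch-deployment window.
    window_days is a hypothetical policy value (assumption), not from the book."""
    days = [exposure_days(p, a) for _, p, a, _ in TABLE_1_1]
    late = [name for name, p, a, _ in TABLE_1_1
            if exposure_days(p, a) > window_days]
    return {
        "median_days": median(days),
        "min_days": min(days),
        "attacks_after_window": late,
    }


if __name__ == "__main__":
    print("rows with inconsistent arithmetic:", check_table())
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

With the 30-day window, only Blaster (26 days) arrived inside it; the other nine attacks began after the window, which is the point the text makes about unapplied patches.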
Table 1-1 Delay between patches and attacks

Attack Name | Impact of Attack | Date Patch First Issued | Date Attack Began | Days between Patch and Attack
Bugbear | Infected more than 2 million computers | 5/16/01 | 9/30/02 | 502
Yaha | Unleashed 7,000 attacks per day as an e-mail distributed denial-of-service (DDoS) worm | 5/16/01 | 6/22/02 | 402
Frethem | Spread 12 variants in the first 12 months of activity | 5/16/01 | 06/01/02 | 381
ELKern | Found in more than 40 countries | 5/16/01 | 4/17/02 | 336
Klez | Infected 7.2% of computers worldwide | 5/16/01 | 4/17/02 | 336
Nimda | Spread worldwide in 30 minutes | 10/17/00 | 9/18/01 | 336
Badtrans | Infected almost half a million computers | 5/16/01 | 11/24/01 | 192
SQL Slammer | Doubled the number of infections every 8.5 seconds | 7/24/02 | 1/25/03 | 185
Code Red | Doubled the number of infections every 37 minutes | 6/18/01 | 7/19/01 | 31
Blaster | Infected more than 1.4 million computers | 7/16/03 | 8/11/03 | 26

These trends have resulted in security attacks growing at an alarming rate. The Computer Emergency Response Team (CERT) security organization compiles statistics regarding the number of reported incidents of attacks. Table 1-2 shows the explosive growth of these incidents.

Table 1-2 Number of reported incidents

Year | Reported Incidents
1988 | 6
1990 | 252
1992 | 773
1994 | 2,340
1996 | 2,573
1998 | 3,734
2000 | 21,756
2001 | 52,658
2002 | 82,094
2003 | 137,529

The increased challenge of computer security can be illustrated by an attack released in late 2003. Posing as an official e-mail software security update from Microsoft, a malicious program prompted users with “Yes” or “No” buttons to agree to install an update. Regardless of which choice users made, the malicious software was installed on their computer. It launched whenever Windows was started and then detected and disabled antivirus software or other Windows security features that could be used to disable it.

To apply the concepts in this topic, see Hands-On Projects 1-2, 1-3, and 1-4 at the end of this chapter.

DEFINING INFORMATION SECURITY

In a general sense, security is defined as a state of freedom from danger or risk. For example, a nation’s security depends on its military having the strength to protect its citizens from a hostile outside force. The nation enjoys this state of freedom because protective measures are established and maintained. However, the mere existence of an army does not guarantee that a nation will never be attacked. Attacks from powerful outside forces can come at any time. The goal of national security is to defend against these inevitable attacks so that the nation itself does not collapse.

The term information security describes the tasks of guarding digital information, which is typically processed by a computer (such as a personal computer), stored on a magnetic or optical storage device (such as a hard drive or DVD), and transmitted over a network (such as a local area network or the Internet). To create a more precise definition of information security, consider the goals of information security and how they are accomplished.

First, information security ensures that protective measures are properly implemented.
Just as with national security, information security cannot completely prevent attacks or guarantee that a system is totally secure. Rather, information security creates a defense that attempts to ward off attacks and prevents the collapse of the system when an attack occurs. Thus, information security is protection.

Second, information security is intended to protect information. Information must be protected because it has value, and that value comes from the characteristics of the information. Three of the characteristics of information that must be protected by information security are:

1. Integrity—Integrity ensures that the information is correct and that no unauthorized person or malicious software program can or has altered that data.
2. Confidentiality—Confidentiality ensures that only authorized parties can view information.
3. Availability—Although a secure computer must restrict access attempts by unauthorized users, it must still make the data available to allow authorized users immediate access.

It is these three characteristics of information that information security attempts to safeguard. Thus, information security protects the integrity, confidentiality, and availability of information.

Information security involves more than protecting the information itself. The third objective of information security is illustrated in Figure 1-1. The center of the diagram shows what needs to be protected, which is information.
Because this information is stored on computer hardware, manipulated by software, and transmitted by communications, each of these areas must also be protected. Thus, information security protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information.

Finally, information security is achieved through a combination of three entities. Returning to Figure 1-1, information, hardware, software, and communications are protected in three successive layers. The innermost layer consists of the products that provide the necessary security. These products can be as basic as door locks or as complicated as intrusion-detection systems and firewalls. They form the physical security around the data. The next layer is people. Without people implementing and properly using the security products, the data can never be protected. The final layer consists of procedures, which include the plans and policies established by an organization to ensure that people correctly use the products. These three layers interact with each other. The procedures tell the people how to use the products to protect the information. Thus, information security protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures.

[Figure 1-1 Information security components: information (confidentiality, integrity, availability) at the center, surrounded by hardware, software, and communications, enclosed in turn by the layers products (physical security), people (personnel security), and procedures (organizational security)]

UNDERSTANDING THE IMPORTANCE OF INFORMATION SECURITY

Information security is important to businesses and individuals because it can prevent data theft, avoid the legal consequences of not securing information, maintain productivity, foil cyberterrorism, and thwart identity theft. The following sections discuss these reasons in more detail.

Preventing Data Theft

Security is often associated with theft prevention. Drivers install security systems on their cars to prevent the cars from being stolen. The same is true with information security: businesses often cite preventing data theft as the primary goal of information security. Data theft involves stealing proprietary business information such as research for a new drug or a list of customers that competitors are eager to acquire.

The theft of data is the single largest cause of financial loss due to a security breach. In the latest Federal Bureau of Investigation (FBI) annual Computer Crime and Security Survey, more than 500 U.S. businesses lost an average of about $6.5 million each because of data theft. Several businesses reported that data theft resulted in losses exceeding $50 million. Of the companies included in the FBI survey, the estimated total annual loss due to data theft was more than $170 million. The actual figure of estimated loss could be much higher than $170 million considering that some businesses might have been reluctant to report losses because of the bad publicity it could generate.

Data theft is not limited to businesses. Individuals can likewise be victims of data thievery. The number of reported incidents of credit card numbers stolen from Internet computers continues to soar, with one bank reporting losses from the fraudulent use of online credit card information approaching $4 million annually. One of the most important objectives of information security is to protect important business and personal data from theft. Because of its high dollar impact, some industry experts consider the prevention of data theft the most important job of information security.

Avoiding Legal Consequences

In recent years, a number of federal and state laws have been enacted to protect the privacy of electronic data. Businesses that fail to protect data may face serious penalties. Some of these laws include the following:

■ The Health Insurance Portability and Accountability Act of 1996 (HIPAA)—Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare enterprises must guard protected health information and implement policies and procedures to safeguard it, whether it be in paper or electronic format. HIPAA has two parts. Title I protects health insurance coverage for workers and their families. Title II simplifies health insurance administration by putting a government agency in charge of national standards for electronic healthcare transactions and national identifiers for healthcare providers and employers. Those who wrongfully disclose individually identifiable health information with the intent to sell it can be fined up to $250,000 and spend 10 years in prison.
■ The Sarbanes-Oxley Act of 2002 (Sarbox)—As a reaction to a rash of corporate fraud, the Sarbanes-Oxley Act (Sarbox) is an attempt to fight corporate corruption. Sarbox covers the corporate officers, auditors, and attorneys of publicly traded companies. Stringent reporting requirements and internal controls on electronic financial reporting systems are required. Corporate officers who willfully and knowingly certify a false financial report can be fined up to $5 million and serve 20 years in prison.

■ The Gramm-Leach-Bliley Act (GLBA)—Like HIPAA, the Gramm-Leach-Bliley Act (GLBA) protects private data. GLBA requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. All electronic and paper records containing personally identifiable financial information must be protected. The penalty for noncompliance for a class of individuals is up to $500,000.

■ USA PATRIOT Act (2001)—Passed shortly after the terrorist attacks of September 11, 2001, the USA PATRIOT Act is designed to broaden the surveillance of law enforcement agencies so they can detect and suppress terrorism. Businesses, organizations, and even colleges must provide information, including records and documents, to law enforcement agencies under the authority of a valid court order, subpoena, or other authorized agency. These records include borrowed print material from a college library, Internet site access, and e-mail and telephone communications.
The act also authorizes law enforcement to install electronic monitoring devices to assess computer and telephone usage. There are a variety of penalties for violating this act.

■ The California Database Security Breach Act (2003)—The California Database Security Breach Act is a state law covering any state agency, person, or company that does business in California. It requires businesses to inform California residents within 48 hours if a breach of personal information has or is believed to have occurred. It defines personal information as a name with a social security number, driver’s license number, state ID card, account number, credit card number, or debit card number and required security access codes.

■ Children’s Online Privacy Protection Act of 1998 (COPPA)—In November 1998, the U.S. Congress passed the Children’s Online Privacy Protection Act (COPPA) and directed the Federal Trade Commission (FTC) to establish rules for its implementation. COPPA requires operators of online services or Web sites designed for children under the age of 13 to obtain parental consent prior to the collection, use, disclosure, or display of a child’s personal information. The same requirements apply to general-audience sites and services when the operator actually knows that it is collecting, using, or disclosing a child’s personal information. COPPA also prohibits sites from making a child’s participation in an activity conditional on disclosing more personal information than is reasonably necessary to participate.

The penalties for violating these laws can be severe. Businesses and individuals must make every effort to keep electronic data secure from hostile outside forces to ensure compliance with these laws and avoid serious legal consequences.

Maintaining Productivity

After an attack on information security, clean-up efforts divert resources, such as time and money, away from normal activities.
Employees cannot be productive and complete important tasks during an attack and cleanup because computers and networks cannot function properly. According to a Corporate IT Forum survey of major corporations, each attack costs a company an average of $213,000 in lost man-hours and related costs, while one-third of the corporations reported an average of more than 3,000 man-hours lost. Results from the latest Computer Crime and Security Survey, conducted with the FBI and the Computer Security Institute (CSI), indicate that virus attacks alone cost more than $27 million. The most expensive malicious attack on record, the 2000 Love Bug, cost an estimated $8.7 billion. Table 1-3 provides an estimate of the lost salary and productivity during a virus attack and cleanup for businesses with 100, 250, 500, and 1000 employees.

Table 1-3 Cost of attacks

Number of Total Employees | Average Hourly Salary | Number of Employees to Combat Attack | Hours Required to Stop Attack and Clean Up | Total Lost Salaries | Total Lost Hours of Productivity
100 | $25 | 1 | 48 | $4,066 | 81
250 | $25 | 3 | 72 | $17,050 | 300
500 | $30 | 5 | 80 | $28,333 | 483
1000 | $30 | 10 | 96 | $220,000 | 1,293

Spam, or unsolicited e-mail messages, was originally considered to be more of a nuisance than a security breach. However, because many computer attacks can be launched through e-mail messages, most network professionals now count spam as a security risk.
Although you can take steps to restrict spam from entering your e-mail account, many unsolicited messages can still slip through. According to Ferris Research, spam now accounts for 30% of the total number of daily e-mail messages sent in the United States. Ferris estimates that U.S. businesses lose $9 billion each year in productivity as employees spend time trying to restrict spam and deleting spam from their e-mail accounts. By the year 2007, Ferris estimates that the percentage of spam e-mails will increase to more than 70% of the total e-mail messages sent.

Foiling Cyberterrorism

An area of growing concern among many defense experts is surprise attacks by terrorist groups using computer technology and the Internet. These attacks could cripple a nation’s electronic and commercial infrastructure. Such an attack is called cyberterrorism. Utility companies, telecommunications, and financial services are considered prime targets of cyberterrorists because they can significantly disrupt business and personal activities by destroying a few targets. For example, disabling an electrical power plant could cripple businesses, homes, transportation services, and communications over a wide area. In August 2003, a malicious program launched through the Internet actually disabled portions of an Ohio nuclear power plant’s monitoring system.

One challenge in combating cyberterrorism is that many prime targets are not owned and managed by the federal government. For example, almost 85% of the nation’s most critical computer networks and infrastructures are owned and managed by private companies. Because these networks are not centrally controlled by the government, it is difficult to maintain security. Information security is the key to ensuring that the nation’s ability to withstand an attack and respond appropriately is not compromised. Many industry experts believe that security to protect against cyberterrorism is vital in the nation’s war against terrorism.

Thwarting Identity Theft

Identity theft involves using someone’s personal information, such as a social security number, to establish bank or credit card accounts that are then left unpaid, leaving the victim with the debts and ruining their credit rating. In some instances, thieves have bought cars and houses by taking out loans in someone else’s name. According to the Federal Trade Commission (FTC), at least seven million Americans, or about 3.4% of the adult population, have been victims of identity theft, with almost 750,000 new victims annually. More than 28% of identity theft victims are between the ages of 18 and 29. According to the Identity Theft Resource Center, a victim of identity theft spends an average of more than 600 hours and $1,400 of out-of-pocket expenses restoring their credit by contacting credit bureaus, canceling credit cards, and negotiating with creditors.

National, state, and local legislation continues to be enacted to deal with the growing problem of identity theft. For example, the Fair and Accurate Credit Transactions Act of 2003 is a federal law that addresses identity theft. This law establishes a national system of fraud detection and alerts, and requires credit agencies to identify patterns common to identity theft to prevent its occurrence. Consumers can also receive a free copy of their credit report each year to help them recognize more quickly when their identity has been stolen.
However, industry experts agree that the best defense against identity theft is to prevent private data from being stolen. It is the role of information security to thwart identity theft by making it more difficult for thieves to break into computers and networks that contain personal information. Based on the number of convictions, identity thieves today have about a 1 in 700 chance of being caught by authorities.

UNDERSTANDING INFORMATION SECURITY TERMINOLOGY

As with many advanced subjects, information security has its own terminology. The following scenario helps to illustrate information security terms and how they are used.

Amanda wants to purchase a new stereo for her car. However, because several cars have been broken into near her apartment, she is concerned about someone stealing the stereo. Although she locks her car whenever she parks it, a hole in the fence surrounding her apartment complex makes it possible for someone to access the parking lot without restriction. Amanda’s car and the threats to her car stereo are illustrated in Figure 1-2.

[Figure 1-2 Amanda’s car stereo: car stereo (asset); thief (threat agent); loss of stereo (threat); fence hole (vulnerability); going through the fence hole (exploit); risk (likelihood the stereo is stolen)]

Amanda’s new car stereo is an asset, which is something that has a value. What Amanda is trying to protect her new car stereo from is a threat, which is an event or object that might defeat the security measures in place and result in a loss.
Information security threats are likewise events or actions that represent a danger to information. A threat by itself does not mean that security has been compromised; rather, it simply means that the potential for creating a loss is real. Although for Amanda the loss would be the theft of her stereo, in information security a loss can be the theft of information, a delay in transmitting information that results in a financial penalty, or the loss of good will or a reputation.

A threat agent is a person or thing that has the power to carry out a threat. For Amanda, the threat agent is a thief. In information security, a threat agent could be a person attempting to break into a secure computer network. It could also be a force of nature such as a tornado or flood that could destroy computer equipment and thus destroy information, or it could be a virus that attacks a computer network.

Amanda wants to protect her new car stereo and is concerned about a hole in the fence surrounding her apartment’s parking lot. The hole in the fence is a vulnerability or weakness that allows a threat agent to bypass security. An example of a vulnerability that information security must deal with is a software defect in an operating system that allows an unauthorized user to gain access to a computer without a password.

If a thief can get to Amanda’s car because of the hole in the fence, then that thief is taking advantage of the vulnerability. This is known as exploiting the security weakness. Hackers who send infected e-mail messages to users knowing that their e-mail system does not scan attachments for a virus are exploiting a vulnerability.

Amanda must decide if the risk of theft is too high for her to purchase the new stereo. A risk is the likelihood that the stereo will be stolen. In information security, a risk is the likelihood that a threat agent will exploit a vulnerability. Realistically, risk cannot ever be entirely eliminated; it would cost too much and take too long. Rather, some degree of risk must always be assumed. Organizations should ask, “How much risk can we tolerate?” They have three options when answering that question: accept the risk, diminish the risk, or transfer the risk. In Amanda’s case, she could accept the risk and buy the new stereo, knowing that the chances of it being stolen are high. Or she could diminish the risk by parking the car in a locked garage when possible and not letting anyone borrow her car keys. A third option is for Amanda to transfer the risk to someone else by purchasing additional car insurance. The insurance company would then absorb the loss and pay her if the stereo is stolen. In information security, most risks should be diminished if possible. Table 1-4 summarizes information security terms.
Table 1-4 Information security terminology

Term            Example in Amanda’s Scenario     Example in Information Security
Asset           Car stereo                       Employee database
Threat          Steal stereo from car            Steal data
Threat agent    Thief                            Attacker, virus, tornado
Vulnerability   Hole in fence                    Software defect
Exploit         Climb through hole               Send virus to unprotected e-mail server
Risk            Transfer to insurance company    Educate users

EXPLORING THE COMPTIA SECURITY+ CERTIFICATION EXAM

Since 1982, the Computing Technology Industry Association (CompTIA) has been working to advance the growth of the IT industry and those people working within it. With more than 19,000 members in 89 countries, CompTIA is the leading global IT trade association and has influence in all areas of the IT industry worldwide. CompTIA is also the world’s largest developer of vendor-neutral IT certification exams. Experts and industry leaders from the public and private sectors, including corporate training, government, and colleges and universities, work with CompTIA to develop exams that validate an individual’s IT skill set. This group of experts provides the resources and subject-matter expertise necessary to build a vendor-neutral, industry-defined exam. Currently, more than 600,000 people worldwide have received a CompTIA certification.

The CompTIA Security+ certification tests for mastery in security concepts and practices. The exam was designed with input from security industry leaders, such as VeriSign, Symantec, RSA Security, Microsoft, Sun, IBM, Novell, and Motorola. The group concluded that foundational security knowledge required, on average, either two years of on-the-job networking experience with some emphasis on security or equivalent classroom and laboratory work. The exam covers a variety of industry topics, including communications security, infrastructure security, operational and organizational security, and the basics of cryptography. It also requires well-rounded knowledge of general security concepts—access control, authentication, attack and malicious code risk reduction, auditing, logging, and system scanning, as well as the nuances of social engineering and the risks associated with it. The Security+ exam is designed to ensure that those passing the test have the minimum acceptable level of IT security knowledge for a person to effectively perform an information security role.

The Security+ exam is designed to cover a broad range of security topics. The topics are categorized into five areas or domains. Table 1-5 lists the domains and the percentage of questions from each domain.

Table 1-5 Security+ domains

Security+ Domain                          Percentage of Test Questions
General security concepts                 30
Communication security                    20
Infrastructure security                   20
Basics of cryptography                    15
Operational and organizational security   15

SURVEYING INFORMATION SECURITY CAREERS

One of the fastest growing career fields is information security. As information attacks increase, companies are becoming more aware of their vulnerabilities and are looking for ways to reduce their risks and liabilities. Information security spans the entire business enterprise from top to bottom and affects the daily activities of every employee. This creates a wide range of job opportunities. Whereas in the past, security professionals were almost exclusively technicians, their role today has broadened.
Not only must information security personnel know how to install a firewall, but they must understand and communicate why the equipment is needed and why an organization must develop strong policies, perform auditing, and encourage enforcement.

Information security jobs are sometimes divided into three general roles: security management, security engineering, and security administration. A security manager focuses on developing corporate security plans and policies, providing education and awareness, and communicating with executive management about security issues. Security engineers design, build, and test security solutions to meet the policies while still addressing business needs. Security administrators configure and maintain security solutions to ensure proper service levels and availability. They also maintain the services in production by troubleshooting and monitoring security.

If you want to enter the field of information security, the training and background you need depend on which role you want to perform—administration, engineering, or management. However, all roles share some particular requirements. You should have a strong technology background, a willingness to keep learning, a sense of how to balance risk with the costs, excellent communication skills, and the highest level of integrity. Certifications such as CompTIA Security+ are becoming more important for jobs in information security. Certifications help employers determine who has the skills and knowledge necessary to secure their systems and data. Students with the Security+ certification have clearly demonstrated that they possess the necessary skill sets, have a current knowledge base, and can handle challenging tasks. In addition, those employed in information security must continue their professional education to achieve higher levels of certifications and advanced degrees.

CHAPTER SUMMARY

■ The challenge of keeping computers secure is becoming increasingly difficult. Attacks can be launched without human intervention and infect millions of computers in a few hours. Attacks are also becoming more complex and harder to identify. Weaknesses in hardware and software are being discovered daily, making it difficult to keep pace with the long list of patches that software vendors release. Distributed attacks from thousands of computers make isolating and shutting off the attack at the source almost impossible. These and other factors make information security an ever-increasing challenge.

■ Information security protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures. Preventing the theft of information is generally the single most important reason for protecting data. Other reasons include avoiding legal consequences, maintaining productivity, foiling cyberterrorism, and thwarting identity theft.

■ Information security has its own set of terminology. A threat is an event or an action that can defeat security measures and result in a loss. A threat agent is a person or thing that has the power to carry out a threat. A vulnerability is a weakness that allows a threat agent to bypass security. Taking advantage of a vulnerability is called an exploit. A risk is the likelihood that a threat agent will exploit a vulnerability.

■ CompTIA has been working to advance the growth of the IT industry and those individuals working within it. CompTIA is also the world’s largest developer of vendor-neutral IT certification exams. The CompTIA Security+ certification tests for security knowledge mastery. The Security+ exam is designed to ensure that those passing the test have the minimum acceptable level of IT security knowledge for a person to effectively perform an information security role.

■ Careers in information security can be rewarding and challenging. There is a high demand for security professionals in IT management, engineering, and administration. Those with the CompTIA Security+ certification have clearly demonstrated their expertise in security fundamentals.

KEY TERMS

asset — An entity that has value.
California Database Security Breach Act — A state act that requires disclosure to California residents if a breach of personal information has or is believed to have occurred.
Children’s Online Privacy Protection Act (COPPA) — A federal act that requires operators of online services or Web sites directed at children under the age of 13 to obtain parental consent prior to the collection, use, disclosure, or display of a child’s personal information.
cyberterrorism — A surprise attack by terrorist groups using computer technology and the Internet that could cripple a nation’s electronic and commercial infrastructure.
day zero attack — An attack based on a previously unknown flaw that provides zero days of warning.
exploit — To take advantage of a vulnerability.
Gramm-Leach-Bliley Act (GLBA) — A federal act that requires private data to be protected by banks and other financial institutions.
Health Insurance Portability and Accountability Act (HIPAA) — A federal act that requires healthcare enterprises to guard protected health information.
information security — The protection of the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures.
patch — A software update to fix a security flaw or other problem.
risk — The likelihood that a threat agent will exploit a vulnerability.
Sarbanes-Oxley Act (Sarbox) — A federal act that enforces reporting requirements and internal controls on electronic financial reporting systems.
threat — An event or action that might defeat security measures in place and result in a loss.
threat agent — A person or thing that has the power to carry out a threat.
USA PATRIOT Act — A federal act that broadens the surveillance of law enforcement agencies to enhance the detection and suppression of terrorism.
vulnerability — A weakness that allows a threat agent to bypass security.

REVIEW QUESTIONS

1. Each of the following factors illustrates why information security is increasingly difficult except ________.
   a. faster computer processors
   b. growing sophistication of attacks
   c. faster detection of weaknesses
   d. distributed attacks

2. A type of software that repairs security flaws in an application is called a(n) ________.
   a. hot fix
   b. exploit
   c. repair
   d. patch

3. The primary goal of information security is to protect ________.
   a. procedures
   b. people
   c. information
   d. products

4. Each of the following is a characteristic of information except ________.
   a. integrity
   b. confidentiality
   c. conformity
   d. availability

5. Each of the following is intended to protect information except ________.
   a. people
   b. policies
   c. equipment
   d. confidentiality

6. Information security procedures tell people how to use products to protect information. True or false?

7. Hackers now use protocols such as the Hypertext Transfer Protocol (HTTP) to send data or commands to attack computers, making it difficult to distinguish an attack from legitimate network traffic. True or false?

8. The theft of data is the least significant cause of financial loss due to a security breach. True or false?

9. Integrity ensures that information is correct and that no unauthorized person or malicious software program can alter or has altered that data. True or false?

10. Attackers can now use hundreds or thousands of computers in an attack against a single computer or network, making it impossible to stop an attack by identifying and blocking the source. True or false?

11. While most attacks today take advantage of vulnerabilities that someone has already uncovered, a(n) ________ occurs when a hacker discovers and exploits a previously unknown flaw.

12. ________ involves assuring that only authorized parties can view information.

13. Under the ________, healthcare enterprises must guard protected health information and implement policies and procedures to safeguard it.

14. The ________ act is designed to broaden the surveillance of law enforcement agencies to help them detect and suppress terrorism.

15. Attacks by terrorists using computer technology and the Internet are called ________.

16. What is a distributed attack?

17. What is the difference between a threat and a threat agent?

18. What is a risk and how can it be mitigated?

19. Explain how people, products, and procedures help protect information.

20. Identify some problems with software patches when trying to protect information.

HANDS-ON PROJECTS

Project 1-1: Installing and Managing Microsoft Windows Updates

One of the most important tasks in keeping a personal computer secure is to install patches, or updates, to the operating system. In this project, you will install the latest Windows updates on your computer and then set up your computer to automatically download the updates. You should be using a computer running Windows XP that is connected to the Internet. If you are using a computer in a school’s computer lab or another computer that is not your own, you should first talk to the lab manager or network administrator. You might need special permissions set to complete this project.

1. On a Windows XP computer, click Start, point to All Programs, and then click Windows Update.
Internet Explorer starts and connects you to the Microsoft Windows Update Web site, shown in Figure 1-3.

Figure 1-3 Microsoft Windows Update Web site

2. Click Scan for updates. Windows Update checks your computer’s operating system to determine if the latest patches have been installed. Patches are divided into three categories: Critical Updates and Service Packs (updates you should install for security and performance), Windows XP (recommended updates to the operating system), and Driver Updates (recommended updates to driver software).

3. Click Review and install updates. In the right pane, Windows Update lists any Critical Updates or Service Packs that need to be installed. Follow the instructions on the screen, and then return to the Windows Update Web site, restarting your computer, if necessary.

4. To also install Windows XP updates, click Windows XP in the left pane and then click the Add button next to each update in the right pane that you want to install, as shown in Figure 1-4. (Your list of updates will vary.) To install driver updates, click Driver Updates in the left pane, and then click the Add button to select the driver updates you want to install.

5. Click Review and install updates. Windows Update lists the updates that you selected, displays their total size, and estimates how long it will take to download and install them. Click the Install Now button to install the updates, which might take a few minutes.

6. After Windows Update downloads and installs the updates, you might be instructed to restart your computer. Click the OK button to restart your computer. If you are not instructed to restart your computer, close Internet Explorer.

Figure 1-4 Adding Windows XP updates

Although you can check for updates at any time, it is easier to have Windows automatically check for you. You set up automatic updates using the System Properties dialog box.

1. To open the System Properties dialog box, hold down the Windows key and press the Break key (located above the Page Up key on most keyboards). Or you can click Start and then click Control Panel. If the Control Panel window opens in Category view, click Performance and Maintenance, and then click System. If the Control Panel window opens in Classic view, double-click System.

2. In the System Properties dialog box, click the Automatic Updates tab to display the Automatic Updates options, shown in Figure 1-5.

3. If necessary, check the Keep my computer up to date box.

4. In the Settings area, click the Download the updates automatically and notify me when they are ready to be installed option button. Your computer will automatically download any Critical Updates and Service Packs from the Microsoft Web site when they are available. However, they will not be installed until you give approval.

5. Click Apply and then OK.

Project 1-2: Analyzing Security Using the Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) is a tool that allows you to scan one or more Windows computers for common security holes. When MBSA scans a Windows computer, it checks the operating system and other installed Microsoft components to determine whether the security settings are properly configured and reflect current recommended security updates.
Figure 1-5 Automatic Updates options in the System Properties dialog box

In this project, you will install and use the MBSA. You should be using a computer running Windows XP that is connected to the Internet. If you are using a computer in a school’s computer lab or another computer that is not your own, you should first talk to the lab manager or network administrator. You might need special permissions set to complete this project.

1. On a computer using Windows XP, use Internet Explorer to go to the MBSA Web page at www.microsoft.com/technet/security/tools/mbsahome.mspx. Content on Microsoft’s Web site is frequently moved. If you cannot reach the MBSA page at this link, go to www.microsoft.com and search for MBSA.

2. In the Download Now section, click the link for the English language version. Note that MBSA can be installed and run on Microsoft Windows 2000 Server, Windows 2000 Professional, Windows XP Home Edition, Windows XP Professional, and Windows Server 2003. It does not run on Windows 95, 98, or Me systems.

3. When the File Download dialog box appears, click Open.

4. When the Microsoft Baseline Security Analyzer Setup Wizard appears, click Next.

5. Click I accept the license agreement and then click Next.

6. When asked for a destination folder, click Next to accept the default location.

7. Click Install. If your antivirus program displays a warning about detecting a script, follow the instructions to authorize this script to execute.

8. When a message appears indicating that the MBSA has been set up, click OK.

Now you are ready to run the MBSA tool to check for security vulnerabilities on your computer.

1. Double-click the Microsoft Baseline Security Analyzer icon on your desktop. (You can also click Start, point to All Programs, and then click Microsoft Baseline Security Analyzer 1.2.) The Microsoft Baseline Security Analyzer window opens, shown in Figure 1-6.

Figure 1-6 Microsoft Baseline Security Analyzer window

2. Click Scan a computer.

3. When asked to pick a computer to scan, click Start scan. The MBSA scans the computer for weaknesses (which might take a few minutes), and then displays the results in a security report, as shown in Figure 1-7. Scroll through the report. The report lists the weaknesses on this computer. Those with a red X indicate that action must be taken immediately, while those with a yellow X mean action should be taken soon. A green check mark means that no action is needed, while a blue asterisk means that this item was skipped. For items with a red or yellow X, click What was scanned, then click Result details, and finally click How to correct this, reading each description and closing the window when you’re finished. Try to correct each problem.

4. In the Actions section in the left pane, click Print, and then click the Print button in the Print dialog box to print a copy of the report.

5. Close the Microsoft Baseline Security Analyzer window.
Figure 1-7 Microsoft Baseline Security Analyzer report

Project 1-3: Locating Open Ports Using ShieldsUp!

Recall that the Transmission Control Protocol (TCP) portion of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite is responsible for the reliable transmission of data from one host to another, and is based on port numbers. Just as an IP address indicates the address of a host computer on a network, a port number identifies what program or service on the receiving computer is being accessed. There are a total of 65,535 available port numbers, while 1,023 are called well-known port numbers, which are associated with particular programs or services. Some of the well-known port numbers are 21 (FTP service), 23 (Telnet), 25 (e-mail), and 80 (HTTP). Because an open port serves as an entry point into a computer, several Web-based tools can analyze the security of a computer by sending probes to determine which ports appear open to the outside world. Attackers can take advantage of open ports to transmit malicious code to your computer when it is connected to the Internet or another network.

In this project, you will analyze your computer using Gibson Research’s ShieldsUp!. You should be using a computer running Windows XP that is connected to the Internet.

1. On a computer using Windows XP, use Internet Explorer to go to the Web site www.grc.com. Wait to be redirected to the ShieldsUp! page.

2. Scroll down, and then click ShieldsUp!. Content on the Web site periodically changes. You might need to search the site for a link to the ShieldsUp! page.

3. If you receive a security alert that you are now viewing a secure page, click OK.

4. Click the Proceed button. If you receive a security alert that you are now leaving a secure page, click Yes. The ShieldsUp! page opens, shown in Figure 1-8.

Figure 1-8 ShieldsUp! Web page

5. Click the File Sharing button. ShieldsUp! probes your computer to determine what information hackers can find on your computer. A report like the one shown in Figure 1-9 appears.

Figure 1-9 File sharing report

6. Print the File Sharing report by clicking File on the menu bar, clicking Print, and then clicking the Print button in the Print dialog box.

7. Click the Back button on your browser to return to the ShieldsUp! page.

8. Click the All Service Ports button to scan additional openings on your computer. When the scan is finished, scroll the report to view the results. See Figure 1-10.

Figure 1-10 Service ports report

9. Print the Service Ports report by clicking File on the menu bar, clicking Print, and then clicking the Print button in the Print dialog box.

10. Close the browser window.

Project 1-4: Identifying Processes Using Open Ports

The ShieldsUp! program that you used in Project 1-3 might have identified which ports appear open on your computer. In this project, you will identify the programs (also called processes) that are using different ports. This information can be valuable if a port is identified as being open. Simply closing the port could then result in that process being unable to function properly. Instead, you should first examine the process to determine if it is needed. You can turn off unnecessary processes and then close the port.

1. Click Start, point to All Programs, point to Accessories, and then click Command Prompt to open a Command Prompt window.

2. Type netstat -ano and then press Enter to see the established connections and the ports on which your computer is listening for new connections. See Figure 1-11. Settings in the State column indicate whether the computer is “listening” on a particular port or if the port is closed. The PID column lists unique numbers associated with a process using that port.

3. To determine which process has a particular PID, right-click a blank area of the taskbar, and then click Task Manager to display the Windows Task Manager window.

4. Click the Processes tab.

5. Click View on the menu bar, and then click Select Columns. Check the PID (Process Identifier) box, if necessary, and then click OK.
Figure 1-11 Netstat output

6. Click the PID column heading to sort the processes by PID, as shown in Figure 1-12. (The appearance of your window and the processes listed will vary.)

Figure 1-12 Windows Task Manager window

7. Using the information from the Netstat command, locate a port that is in “listening” mode and find its PID. Then locate that same PID on the Task Manager screen to identify the process.

8. Close all open windows.

CASE PROJECTS

Case Project 1-1: The Security Challenge

On your first day on the job as an IT intern, you attend a meeting with several department heads regarding proposed budget reductions. One of the department heads suggests that money for information security be cut by at least 40 percent because the company has not been infected with a virus in the last three months, proving that the current defenses are adequate. What would you say in response? Write a one-page memo that outlines why security is more important today than ever before.

Case Project 1-2: Security for Everyone

Security experts agree that average home computer users have very little knowledge regarding how to make their computers secure. How can this deficiency be addressed? What suggestions would you offer to make more users security competent? Outline your ideas in a one-page paper.

Case Project 1-3: Day Zero Attacks

The imminent threat of day zero attacks is of considerable concern to IT professionals and all network users. Using the Internet and other sources, research day zero attacks. What are some of the attacks that have occurred with no warning? What was their impact? What steps are being taken to combat this threat? Should people who discover software vulnerabilities be fined if they publicly release this information? Write a one-page paper on your findings.

Case Project 1-4: Federal Data Protection Laws

The Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (Sarbox), and the Gramm-Leach-Bliley Act (GLBA) are three recent federal laws that are intended to protect private data. Do they go far enough? Research the basics of these three acts. In your opinion, are they sufficient? Make two recommendations per act that you think would make them better.

Case Project 1-5: Worms versus Viruses

The Western Consulting Group (WCG) provides services for a broad range of businesses in your area. They ask you to help them with a project. A local florist with three locations wants to offer Web-based ordering. However, the owner (who does not have a technical background) believes that security concerns are “overblown” because his computer at home has never been hit with a virus. WCG asks you to prepare a PowerPoint presentation about the security issues that the florist might face. You can go to www.cmsconnect.com/Marketing/CalcMain.htm and use the online cost calculators to help determine how much the business could lose if hit by an attack. Limit your presentation to about 15 minutes.
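Project 1-4 has you match the PID column of netstat -ano against Task Manager by hand. The script below is an added example, not part of the textbook: it automates that matching over a constructed sample of netstat -ano output and a constructed PID-to-process table (on a live machine these would come from netstat and Task Manager's PID column), and goes one step further by marking which listeners are bound to all interfaces and so reachable from the network, which is the first thing to check before deciding whether a process is needed.

```python
"""Map listening ports from `netstat -ano` output to the owning process.

Added example, not from the textbook. SAMPLE_NETSTAT and SAMPLE_PIDS are
constructed sample data in the layout Windows XP prints; on a real machine
they would be replaced by the live `netstat -ano` text and Task Manager's
PID column.
"""
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (Windows XP layout).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1580
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1042      198.51.100.7:80        ESTABLISHED     2176
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed PID -> image name table, as Task Manager's Processes tab shows it.
SAMPLE_PIDS = {4: "System", 912: "svchost.exe", 1580: "alg.exe", 2176: "iexplore.exe"}

# Well-known ports named in the chapter, plus the Windows services seen above.
PORT_NAMES = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP",
              135: "MS RPC", 137: "NetBIOS-NS", 139: "NetBIOS-SSN", 445: "SMB"}


@dataclass
class Listener:
    proto: str
    address: str
    port: int
    pid: int
    process: str

    @property
    def exposure(self) -> str:
        """Loopback-only listeners cannot be reached from the network."""
        if self.address in ("127.0.0.1", "::1"):
            return "local-only"
        if self.address in ("0.0.0.0", "::", "*"):
            return "all interfaces"
        return "one interface"


def parse_netstat(text: str):
    """Yield (proto, local_endpoint, state, pid) for each connection row."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # skip the banner and the column header
        proto, local = fields[0], fields[1]
        # UDP rows have no State column, so only TCP rows carry one.
        state = fields[3] if proto == "TCP" else "-"
        pid = int(fields[-1])  # PID is always the last field
        yield proto, local, state, pid


def split_endpoint(endpoint: str):
    """Split 'addr:port', also handling IPv6 forms such as '[::]:135'."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)


def listening_ports(netstat_text: str, pid_table: dict) -> list:
    """Return a Listener for every port the host accepts traffic on.

    TCP rows count only in the LISTENING state; UDP is connectionless, so
    every UDP row is a listener. Unknown PIDs are labelled rather than dropped.
    """
    result = []
    for proto, local, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue
        addr, port = split_endpoint(local)
        result.append(Listener(proto, addr, port, pid,
                               pid_table.get(pid, "<unknown>")))
    return result


def report(listeners) -> list:
    """One review line per listener, most exposed first, then by port."""
    order = {"all interfaces": 0, "one interface": 1, "local-only": 2}
    lines = []
    for l in sorted(listeners, key=lambda x: (order[x.exposure], x.port)):
        name = PORT_NAMES.get(l.port, "?")
        lines.append(f"{l.port}/{l.proto.lower():<3} {name:<11} pid={l.pid:<5} "
                     f"{l.process:<14} {l.exposure}")
    return lines


if __name__ == "__main__":
    for line in report(listening_ports(SAMPLE_NETSTAT, SAMPLE_PIDS)):
        print(line)
```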