01 - Introduction to information security


Introduction to security

Objectives

• Identify the challenges for information security
• Define information security
• Explain the importance of information security
• Develop attacker profiles
• List and define information security terminology

Identifying the Challenges for
Information Security
• The challenge of keeping networks and computers
secure has never been greater
• A number of trends illustrate why security is
becoming increasingly difficult
• Many trends have resulted in security attacks
growing at an alarming rate

Identifying the Challenges for
Information Security (continued)
• The Computer Emergency Response Team (CERT)
security organization compiles statistics regarding
the number of reported attacks, including:
– Speed of attacks
– Sophistication of attacks
– Faster detection of weaknesses
– Distributed attacks
– Difficulties of patching

Identifying the Challenges for
Information Security (continued)

Defining Information Security

• Information security:
– Information security, sometimes shortened
to InfoSec, is the practice of preventing unauthorized
access, use, disclosure, disruption, modification,
inspection, recording or destruction of information
(Wikipedia)

Defining Information Security
(continued)
• Ensures that protective measures are properly
implemented
• Is intended to protect information
• Involves more than protecting the information itself

Defining Information Security
(continued)

Defining Information Security
(continued)
• Three characteristics of information must be
protected by information security:
– Confidentiality
– Integrity
– Availability
• Center of diagram shows what needs to be
protected (information)
• Information security is achieved through a combination
of three entities

Understanding the Importance of
Information Security
• Information security is important to businesses:
– Prevents data theft
– Avoids legal consequences of not securing information
– Maintains productivity
– Foils cyberterrorism
– Thwarts identity theft

Preventing Data Theft

• Security is often associated with theft prevention
• Drivers install security systems on their cars to
prevent the cars from being stolen
• The same is true of information security: businesses
cite preventing data theft as the primary goal of
information security

Preventing Data Theft (continued)

• Theft of data is the single largest cause of financial loss
due to a security breach
• One of the most important objectives of information
security is to protect important business and personal
data from theft

Maintaining Productivity

• After an attack on information security, clean-up
efforts divert resources, such as time and money,
away from normal activities
• A Corporate IT Forum survey of major corporations
showed:
– Each attack costs a company an average of $213,000
in lost man-hours and related costs
– One-third of corporations reported an average of more
than 3,000 man-hours lost

Maintaining Productivity (continued)

Foiling Cyberterrorism

• An area of growing concern among defense experts
is surprise attacks by terrorist groups using
computer technology and the Internet
(cyberterrorism)
• These attacks could cripple a nation’s electronic and
commercial infrastructure
• Our challenge in combating cyberterrorism is that
many prime targets are not owned and managed by
the federal government

Thwarting Identity Theft

• Identity theft involves using someone’s personal
information, such as social security numbers, to
establish bank or credit card accounts that are then
left unpaid, leaving the victim with the debts and
ruining their credit rating
• National, state, and local legislation continues to be
enacted to deal with this growing problem
– The Fair and Accurate Credit Transactions Act of 2003
is a federal law that addresses identity theft

Understanding Information Security
Terminology

Developing Attacker Profiles

Hackers

• A person who uses advanced computer skills to attack
computers, but not with malicious intent
• Use their skills to expose security flaws

Crackers

• A person who violates system security with malicious
intent
• Have advanced knowledge of computers and
networks and the skills to exploit them
• Destroy data, deny service to legitimate users, or
otherwise cause serious problems on computers and
networks

Script Kiddies

• Break into computers to create damage
• Are unskilled users
• Download automated hacking software from Web
sites and use it to break into computers
• Tend to be young computer users with almost
unlimited amounts of leisure time, which they can use
to attack systems

Spies

• A person hired to break into a computer and steal
information
• Do not randomly search for unsecured computers to
attack
• Hired to attack a specific computer that contains
sensitive information

Employees

• One of the largest information security threats to
business
• Employees break into their company’s computer for
these reasons:
– To show the company a weakness in their security
– To say, “I’m smarter than all of you”
– For money

Cyberterrorists

• Experts fear terrorists will attack the network and
computer infrastructure to cause panic
• Cyberterrorists’ motivation may be defined as
ideology, or attacking for the sake of their principles
or beliefs
• One of the targets highest on the list of
cyberterrorists is the Internet itself

Cyberterrorists (continued)

• Three goals of a cyberattack:
– Deface electronic information to spread disinformation
and propaganda
– Deny service to legitimate computer users
– Commit unauthorized intrusions into systems and
networks that result in critical infrastructure outages
and corruption of vital data

Identifying Who Is Responsible for
Information Security
• When an organization secures its information, it
completes a few basic tasks:
– It must analyze its assets and the threats these assets
face from threat agents
– It identifies its vulnerabilities and how they might be
exploited
– It regularly assesses and reviews the security policy to
ensure it is adequately protecting its information

Identifying Who Is Responsible for
Information Security (continued)
• Bottom-up approach: major tasks of securing
information are accomplished from the lower levels of
the organization upwards
• This approach has one key advantage: the
bottom-level employees have the technical expertise to
understand how to secure information

Identifying Who Is Responsible for
Information Security (continued)

Identifying Who Is Responsible for
Information Security (continued)
• Top-down approach starts at the highest levels of the
organization and works its way down
• A security plan initiated by top-level managers has
the backing to make the plan work

Identifying Who Is Responsible for
Information Security (continued)

• Chief information security officer (CISO): helps
develop the security plan and ensures it is carried out
• Human firewall: describes the security-enforcing role
of each employee

Understanding Security Principles

• Ways information can be attacked:
– Crackers can launch distributed denial-of-service
(DDoS) attacks through the Internet
– Spies can use social engineering
– Employees can guess other users’ passwords
– Hackers can create back doors
• Protecting against the wide range of attacks calls for
a wide range of defense mechanisms

Layering
• A layered security approach has the advantage of
creating a barrier of multiple defenses that can be
coordinated to thwart a variety of attacks
• Information security likewise must be created in
layers
• All the security layers must be properly coordinated
to be effective

Layering (continued)

Limiting
• Limiting access to information reduces the threat
against it
• Only those who must use data should have access
to it
• Access must be limited for a subject (a person or a
computer program running on a system) to interact
with an object (a computer or a database stored on a
server)
• The amount of access granted to someone should be
limited to what that person needs to know or do

Limiting (continued)

Diversity

• Diversity is closely related to layering
• You should protect data with diverse layers of
security, so if attackers penetrate one layer, they
cannot use the same techniques to break through all
other layers
• Using diverse layers of defense means that
breaching one security layer does not compromise
the whole system

Diversity (continued)

• You can set a firewall to filter a specific type of traffic,
such as all inbound traffic, and a second firewall on
the same system to filter another traffic type, such as
outbound traffic
• Using firewalls produced by different vendors creates
even greater diversity

Obscurity

• Obscuring what goes on inside a system or
organization and avoiding clear patterns of behavior
make attacks from the outside difficult

Simplicity

• Complex security systems can be difficult to
understand, troubleshoot, and feel secure about
• The challenge is to make the system simple from the
inside but complex from the outside

Describe information security careers

Summary

• The challenge of keeping computers secure is
becoming increasingly difficult
• Attacks can be launched without human intervention
and infect millions of computers in a few hours
• Information security protects the integrity,
confidentiality, and availability of information on the
devices that store, manipulate, and transmit the
information through products, people, and
procedures

Summary (continued)

• Information security has its own set of terminology
• A threat is an event or an action that can defeat
security measures and result in a loss
