1_Introduction to security.pdf
Uploaded by ThinnerSalmon79
Sana'a University
Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 1: Introduction to Security

Objectives
– Describe the challenges of securing information
– Define information security and explain why it is important
– Identify the types of attackers that are common today
– List the basic steps of an attack
– Describe the five basic principles of defense

Challenges of Securing Information
– There is no simple solution to securing information
– This can be seen through the different types of attacks that users face today, as well as the difficulties in defending against these attacks
– Today’s security attacks: smartphones are a new target

Difficulties in Defending Against Attacks
Difficulties include the following:
§ Universally connected devices
§ Increased speed of attacks
§ Greater sophistication of attacks
§ Availability and simplicity of attack tools
§ Faster detection of vulnerabilities
§ Delays in patching
§ Weak distribution of patches
§ Distributed attacks
§ User confusion

Difficulties in Defending Against Attacks (cont’d.)
– Universally connected devices: an attacker anywhere can silently launch an attack on any connected device.
– Increased speed of attacks: attack tools are readily available, and many tools can initiate new attacks without any human participation.
  o The Slammer worm infected 75,000 computers in the first 11 minutes of its release.
  o Slammer infections doubled every 8.5 seconds.
  o Slammer scanned 55 million computers per second.

Difficulties in Defending Against Attacks (cont’d.)
– Greater sophistication of attacks: attackers today use common Internet tools and protocols to send malicious data and commands. Some attacks appear differently each time.

Difficulties in Defending Against Attacks (cont’d.)
– Availability and simplicity of attack tools

Difficulties in Defending Against Attacks (cont’d.)
– Faster detection of vulnerabilities: using new software tools and techniques. Day zero attacks occur when an attacker discovers and exploits previously unknown flaws.
– Delays in patching: vendors are overwhelmed trying to keep pace with updating their products against attacks.
– Weak distribution of patches: some software vendors have not invested in patch distribution systems.

Difficulties in Defending Against Attacks (cont’d.)
– Distributed attacks: many against one. It is difficult to stop an attack by identifying and blocking the source.
– User confusion: users must make important decisions with little knowledge.

Difficulties in Defending Against Attacks (cont’d.)
Table 1-2 Difficulties in defending against attacks

What Is Information Security?
Before defense is possible, one must understand:
– What information security is
– Why it is important
– Who the attackers are

Defining Information Security
– Security: steps to protect a person or property from harm. Harm may be intentional or unintentional. Includes preventive measures, rapid response and preemptive attacks.
– Information security: guarding digitally formatted information that provides value to people and organizations.

Defining Information Security (cont’d.)
Information security
– Ensures that protective measures are properly implemented
– Cannot completely prevent attacks or guarantee that a system is totally secure

Defining Information Security (cont’d.)
– Information security is intended to protect information that has value to people and organizations
– Three types of information protection, often called CIA: Confidentiality, Integrity, Availability
– Information security is achieved through a combination of three entities

Defining Information Security (cont’d.)
– Confidentiality: prevention of unauthorized disclosure of information, keeping unwanted parties from accessing the assets of a computer system. Also known as secrecy or privacy.
– Integrity: prevention of unauthorized modification of information.
– Availability: prevention of unauthorized withholding of information or resources, i.e. keeping the system available.

Defining Information Security (cont’d.)
Example: consider a payroll database in a corporation. It must be ensured that:
– Salaries of employees are not disclosed to arbitrary users of the database.
– Salaries are modified only by those individuals who are properly authorized.
– Paychecks are printed on time at the end of each pay period.

Defining Information Security (cont’d.)
Another set of protections implemented to secure information (AAA):
– Authentication: the individual is who they claim to be and not an imposter
– Authorization: grants the ability to access information
– Accounting: provides tracking of events

Defining Information Security (cont’d.)
Figure 1-3 Information security components © Cengage Learning 2012
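The payroll-database example and the AAA list above, carried into working code as an added illustration (not from the textbook): the roles, accounts and salaries are constructed, authentication is assumed to have happened upstream, each method enforces one CIA property, and the audit log supplies accounting. The role table also previews the Limiting principle covered later in the chapter.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed roles (least privilege): each role gets only the access it needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "hr_manager": {"read_salary", "write_salary"},
    "payroll_clerk": {"read_salary", "print_paycheck"},
    "employee": set()}
# Constructed accounts; authentication (login) is assumed done upstream, so 'user' is a verified identity.
USERS: Dict[str, str] = {"alice": "hr_manager", "bob": "payroll_clerk", "mallory": "employee"}


@dataclass
class PayrollService:
    salaries: Dict[str, int] = field(default_factory=lambda: {"carol": 52000, "dave": 61000})
    audit_log: List[Tuple[str, str, str]] = field(default_factory=list)

    def _authorize(self, user: str, permission: str) -> bool:
        """Authorization decision; every decision, allowed or denied, is recorded (accounting)."""
        allowed = permission in ROLE_PERMISSIONS.get(USERS.get(user, ""), set())
        self.audit_log.append((user, permission, "allowed" if allowed else "denied"))
        return allowed

    def read_salary(self, user: str, employee: str) -> int:
        """Confidentiality: salaries are disclosed only to authorized roles."""
        if not self._authorize(user, "read_salary"):
            raise PermissionError(f"{user} may not read salaries")
        return self.salaries[employee]

    def set_salary(self, user: str, employee: str, amount: int) -> int:
        """Integrity: only authorized users may change a salary, and only to a sane value."""
        if not self._authorize(user, "write_salary"):
            raise PermissionError(f"{user} may not modify salaries")
        if employee not in self.salaries or amount <= 0:
            raise ValueError("unknown employee or invalid amount")
        self.salaries[employee] = amount
        return amount

    def print_paycheck(self, user: str, employee: str) -> str:
        """Availability: the clerk role keeps the paycheck run working on schedule."""
        if not self._authorize(user, "print_paycheck"):
            raise PermissionError(f"{user} may not print paychecks")
        return f"PAYCHECK {employee}: {self.salaries[employee] // 12}"


def is_denied(action: Callable[..., object], *args: object) -> bool:
    # True when the service refuses the action (used by callers and tests).
    try:
        action(*args)
    except PermissionError:
        return True
    return False
```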
Defining Information Security (cont’d.)
Table 1-3 Information security layers

Defining Information Security (cont’d.)
A more comprehensive definition of information security is:
– That which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information, through products, people, and procedures

Information Security Terminology
– Asset: something that has value
– Threat: actions or events that have the potential to cause harm
– Threat agent: a person or element with the power to carry out a threat

Information Security Terminology (cont’d.)
Table 1-4 Information technology assets

Information Security Terminology (cont’d.)
– Vulnerability: a flaw or weakness through which a threat agent can bypass security
– Risk: the likelihood that a threat agent will exploit a vulnerability
  – Cannot be eliminated entirely: the cost would be too high, or it would take too long to implement
  – Some degree of risk must be assumed

Information Security Terminology (cont’d.)
Figure 1-4 Information security components analogy © Cengage Learning 2012

Information Security Terminology (cont’d.)
Options to deal with risk:
– Accept: realize there is a chance of loss
– Diminish: take precautions. Most information security risks should be diminished
– Transfer: for example, purchasing insurance
Understanding the Importance of Information Security
– Preventing data theft
  – Security is often associated with theft prevention
  – Business data theft: proprietary information
  – Individual data theft: credit card numbers

Understanding the Importance of Information Security (cont’d.)
– Thwarting identity theft
  – Using another’s personal information in an unauthorized manner, usually for financial gain
  – Example: steal a person’s SSN, create a new credit card account, charge purchases, leave them unpaid

Understanding the Importance of Information Security (cont’d.)
– Avoiding legal consequences
  – Laws protecting electronic data privacy
  – Businesses that fail to protect data they possess may face serious penalties
  – The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  – In Saudi Arabia, all banks must comply with the PCI DSS standard (SAMA regulation).

Understanding the Importance of Information Security (cont’d.)
– Maintaining productivity
  – Post-attack clean-up diverts resources: time and money
Table 1-6 Cost of attacks

Understanding the Importance of Information Security (cont’d.)
– Foiling cyberterrorism
  – Premeditated, politically motivated attacks
  – Target: information, computer systems, data
  – Designed to cause panic, provoke violence, or result in financial catastrophe
  – Potential cyberterrorism targets: banking, military, energy (power plants), transportation (air traffic control centers), water systems

Who Are the Attackers?
Categories of attackers (attacker profiles):
– Hackers
– Script kiddies
– Spies
– Insiders
– Cybercriminals
– Cyberterrorists

Hackers
– Hacker: a person who uses computer skills to attack computers. The term is not common in the security community.
– White hat hackers: goal is to expose security flaws, not to steal or corrupt data
– Black hat hackers: goal is malicious and destructive

Script Kiddies
– Goal: break into computers to create damage
– Unskilled users who download automated hacking software (scripts) and use it to perform malicious acts
– Attack software today has menu systems, so attacks are even easier for unskilled users
– 40% of attacks are performed by script kiddies

Spies
– Computer spy: a person hired to break into a computer and steal information
– Hired to attack a specific computer or system containing sensitive information
– Goal: steal information without drawing attention to their actions
– Possess excellent computer skills

Insiders
– Employees, contractors, and business partners
– Most insider attacks are either sabotage or theft of intellectual property.
– Reasons:
  – An employee might want to show the company a weakness in its security
  – Dissatisfied employees may want to get even with the company
  – For money
  – Blackmail
  – Carelessness

Insiders (cont’d.)
Examples of insider attacks:
– Health care worker publicized celebrities’ health records, disgruntled over upcoming job termination
– Government employee planted a malicious coding script
– Stock trader concealed losses through fake transactions
– U.S. Army private accessed sensitive documents

Cybercriminals
– Network of attackers, identity thieves, spammers, financial fraudsters
– Differences from ordinary attackers: more highly motivated, willing to take more risk, better funded, more tenacious
– Goal: financial gain

Cybercriminals (cont’d.)
– Organized gangs of young attackers from Eastern European, Asian, and third-world regions
Table 1-7 Characteristics of cybercriminals

Cybercriminals (cont’d.)
– Cybercrime: targeted attacks against financial networks; unauthorized access to information; theft of personal information
– Financial cybercrime: trafficking in stolen credit cards and financial information; using spam to commit fraud

Cyberterrorists
– Ideological motivation: attacking because of their principles and beliefs
– Goals of a cyberattack: deface electronic information to spread misinformation and propaganda; deny service to legitimate computer users; commit unauthorized intrusions
– Results: critical infrastructure outages; corruption of vital data

Attackers Profile Summary
(summary table; only the cells “Cybercriminals – Money” and “Insider” survive in the transcript)

Attacks and Defenses
– There is a wide variety of attacks, but the same basic steps are used in an attack
– To protect computers against attacks, follow five fundamental security principles

Steps of an Attack
1. Probe for information
   – Such as the type of hardware or software used, or personal information
   – Examples: ping sweeps, port scanning, or queries that respond with a failure message
2. Penetrate any defenses
   – Launch the attack
   – Example: cracking passwords
3. Modify security settings
   – Allows the attacker to reenter the compromised system easily

Steps of an Attack (cont’d.)
4. Circulate to other systems
   – Use the compromised system or network as a base of attack toward other systems
   – The same tools are directed toward other systems
5. Paralyze networks and devices
   – Attackers may work to maliciously damage the infected computer or network
   – Examples: delete or edit critical OS files, or inject malicious software

Figure 1-6 Steps of an attack © Cengage Learning 2012

Defenses Against Attacks
– Although multiple defenses may be necessary to withstand an attack, these defenses should be based on five fundamental security principles: layering, limiting, diversity, obscurity, simplicity

Layering
– Information security must be created in layers
  – A single defense mechanism may be easy to circumvent
  – It is unlikely that an attacker can break through all defense layers
– Layered security approach
  – Can be useful in resisting a variety of attacks
  – Provides the most comprehensive protection

Limiting
– Limiting access to information reduces the threat against it
– Only those who must use the data are granted access; in addition, the amount of access is limited to what that person needs to know
– Methods of limiting access
  – Technology: file permissions
  – Procedural: prohibiting document removal from the premises

Diversity
– Closely related to layering: the layers must be different (diverse)
– If attackers penetrate one layer, they cannot use the same techniques to break through the other layers
– Breaching one security layer does not compromise the whole system
– Example of diversity: using security products from different manufacturers

Obscurity
– Obscuring inside details from outsiders
– An example of obscurity would be not revealing the type of computer, operating system, software, and network connection a computer uses
  – An attacker who knows that information can more easily determine the weaknesses of the system and attack it
– Obscuring information can be an important means of protection.

Simplicity
– The nature of information security is complex
– Complex security systems are difficult to understand and troubleshoot, and are often compromised for ease of use by trusted users
– A secure system should be simple for insiders to understand and use
– Keeping a system simple on the inside but complex on the outside can sometimes be difficult, but it results in a major benefit

Summary
– Information security attacks have grown exponentially in recent years
– There are several reasons for the difficulty of defending against today’s attacks
– Information security protects information’s integrity, confidentiality, and availability:
  – On devices that store, manipulate, and transmit information
  – Using products, people, and procedures

Summary (cont’d.)
– Goals of information security: prevent data theft; thwart identity theft; avoid the legal consequences of not securing information; maintain productivity; foil cyberterrorism
– Different types of people with different motivations conduct computer attacks
– An attack has five general steps