1. IT Security Awareness
October 26, 2010
Madison College
Chapter 1
Introduction to Security
2. Kit Kat
• The origins of the 'Kit Kat' brand
stem back to 1911
• The original four-finger bar was
developed after a worker at the
Rowntree York Factory put a
suggestion in a recommendation
box for a snack that "a man could
take to work in his pack up".
3. Kit Kat
The Kit Kat bar was launched on 29 August
1939 under the name 'Rowntree's Chocolate
Crisp' (priced at 2p) and was sold in London
and throughout Southern England.
The Hershey Company has held a licence to
produce Kit Kat bars in the United States
since 1969, when Hershey executed a licensing
agreement with Rowntree for both the Kit Kat
and the Rolo.
4. Objectives
After completing this chapter, you should be able to
do the following:
•Describe the challenges of securing information
•Define information security and explain why it is
important
•Identify the types of attackers that are common
today
•List the basic steps of an attack
•Describe the steps in a defense and a
comprehensive defense strategy
Security Awareness, 3rd Edition 4
5. Challenges of Securing
Information
• No single simple solution to
protecting computers and securing
information
• Different types of attacks
• Difficulties in defending against
these attacks (Speed, Greater
Sophistication, Simplicity, Delays in
Patching, User Confusion)
6. Today’s Security Attacks
• Typical monthly security newsletter
– Malicious program was
introduced in the manufacturing
process of a popular brand of
digital photo frames
– E-mail claiming to be from the
United Nations (U.N.) ‘‘Nigerian
Government Reimbursement
Committee’’ is sent to
unsuspecting users
– ‘‘Booby-trapped’’ Web pages are
growing at an increasing rate
– Mac computers can be the victim of
attackers
7. Today’s Security Attacks
(cont’d.)
• Security statistics
– 45 million credit and debit card
numbers stolen
– Number of security breaches continues
to rise
– Recent report revealed that of 24
federal government agencies overall
grade was only ‘‘C-’’
8. Table 1-1 Selected security breaches involving
personal information in a three-month period
Course Technology/Cengage Learning
9. Difficulties in Defending Against Attacks
• Speed of attacks
• Greater sophistication of attacks
• Simplicity of attack tools
• Quicker detection of vulnerabilities
– Zero day attack
• Delays in patching products
• Distributed attacks
• User confusion
10. Difficulties in Defending
Against Attacks (cont’d.)
Figure 1-1 Increased sophistication of attack tools
Course Technology/Cengage Learning
11. Difficulties in Defending
Against Attacks (cont’d.)
Figure 1-2 Menu of attack tools
Course Technology/Cengage Learning
12. Difficulties in Defending
Against Attacks (cont’d.)
Table 1-2 Difficulties in defending against attacks
13. What Is Information Security?
• Understand what information
security is
• Why is information security
important today?
• Who are the attackers?
14. Defining Information Security
• Security
– State of freedom from a danger or risk
• Information security
– Tasks of guarding information that is in a
digital format
– Ensures that protective measures are
properly implemented
– Protect information that has value to people
and organizations
• Value comes from the characteristics of
the information
15. Defining Information
Security (cont’d.)
• Characteristics of information that must be
protected by information security
– Confidentiality
– Integrity
– Availability
• Achieved through a combination of three entities
– Products
– People
– Procedures
16. Defining Information
Security (cont’d.)
Figure 1-3 Information security components
Course Technology/Cengage Learning
18. Information Security Terminology
• Asset
– Something that has a value
• Threat
– Event or object that may defeat the security
measures in place and result in a loss
– By itself does not mean that security has
been compromised
• Threat agent
– Person or thing that has the power to carry
out a threat
19. Information Security Terminology
(cont’d.)
• Vulnerability
– Weakness that allows a threat agent to
bypass security
• Exploiting the security weakness
– Taking advantage of the vulnerability
• Risk
– Likelihood that a threat agent will exploit a
vulnerability
– Some degree of risk must always be
assumed
– Three options for dealing with risk: accept
it, diminish it (mitigate the vulnerability or
the threat), or transfer it (for example
through insurance or outsourcing)
20. Information Security
Terminology (cont’d.)
Table 1-4 Security information
terminology
Course Technology/Cengage Learning
21. Understanding the Importance of
Information Security
• Preventing data theft
– Theft of data is one of the largest causes of
financial loss due to an attack
– Affects businesses and individuals
• Thwarting identity theft
– Identity theft
• Using someone’s personal information to
establish bank or credit card accounts that
are then left unpaid
• Leaves the victim with debts and ruins
their credit rating
– Legislation continues to be enacted
22. Understanding the Importance of
Information Security (cont’d.)
• Avoiding legal consequences
– Federal and state laws that protect the
privacy of electronic data
• The Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
• The Sarbanes-Oxley Act of 2002
(Sarbox)
• The Gramm-Leach-Bliley Act (GLBA)
• USA Patriot Act (2001)
• The California Database Security
Breach Act (2003)
• Children’s Online Privacy Protection
Act of 1998 (COPPA)
23. Understanding the Importance of
Information Security (cont’d.)
• Maintaining productivity
– Lost wages and productivity during an attack
and cleanup
– Unsolicited e-mail messages are a security risk
• U.S. businesses forfeit $9 billion each year
dealing with spam
• Foiling cyberterrorism
– Could cripple a nation’s electronic and
commercial infrastructure
– ‘‘Information Security Problem’’
24. Who Are the Attackers?
• Divided into several categories
– Hackers
– Script kiddies
– Spies
– Employees
– Cybercriminals
– Cyberterrorists
25. Hackers
• Debated definition of hacker
– Anyone who illegally breaks into or
attempts to break into a computer system
– Person who uses advanced computer
skills to attack computers only to
expose security flaws
• ‘‘White Hats’’
26. Script Kiddies
• Unskilled users
• Use automated hacking software
• Do not understand the technology
behind what they are doing
• Often indiscriminately target a wide
range of computers
28. Spies
• Person who has been hired to break into a
computer and steal information
• Do not randomly search for unsecured
computers
• Hired to attack a specific computer or system
• Goal
– Break into computer or system
– Take the information without drawing any
attention to their actions
29. Employees
• Reasons for attacks by employees
– Show company weakness in security
– Retaliation
– Money
– Blackmail
– Carelessness
30. Cybercriminals
• Loose-knit network of attackers, identity
thieves, and financial fraudsters
• Motivated by money
• Financial cybercrime categories
– Stolen financial data
– Spam email to sell counterfeits and
pornography
31. Cybercriminals (cont’d.)
Table 1-6 Eastern European promotion of cybercriminals
Course Technology/Cengage Learning
32. Cyberterrorists
• Motivated by ideology
• Sometimes considered attackers
that should be feared most
33. Attacks and Defenses
• Same basic steps are used in most
attacks
• Protecting computers against these
steps
– Calls for five fundamental security
principles
34. Steps of an Attack
• Probe for information
• Penetrate any defenses
• Modify security settings
• Circulate to other
systems
• Paralyze networks and
devices
35. Figure 1-5 Steps of an attack
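The five steps above are also the timeline an analyst reconstructs from logs after the fact. The Go program below is an added example, not code from the original slides or the textbook: it classifies a constructed syslog-style incident log into the five steps and reports how far the attacker got. The log format, host names, patterns, and addresses (the RFC 5737 documentation ranges, with 203.0.113.0/24 standing in for "outside" and 192.0.2.0/24 for "inside") are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Phase is one of the five attack steps listed in the chapter (None = no evidence).
type Phase int

const (
	None Phase = iota
	Probe
	Penetrate
	Modify
	Circulate
	Paralyze
)

func (p Phase) String() string {
	return [...]string{"none", "probe", "penetrate", "modify", "circulate", "paralyze"}[p]
}

// A rule ties a log-line pattern to the attack step it is evidence of. The
// patterns assume a hypothetical syslog-style format constructed for this
// example; 203.0.113.0/24 is "outside" and 192.0.2.0/24 is "inside".
type rule struct {
	phase Phase
	re    *regexp.Regexp
}

var rules = []rule{
	// 1. Probe: scanning many ports or well-known paths for information.
	{Probe, regexp.MustCompile(`SYN to \d+ ports|GET /(\.git|\.env|phpmyadmin)`)},
	// 2. Penetrate: password guessing from outside, then a successful logon.
	{Penetrate, regexp.MustCompile(`(Failed|Accepted) \w+ for \w+ from 203\.0\.113\.`)},
	// 3. Modify security settings: defenses turned off, persistence added.
	{Modify, regexp.MustCompile(`iptables -F|setenforce 0|useradd:.*uid=0|auditd.*stopped`)},
	// 4. Circulate: the compromised host authenticating to other inside hosts.
	{Circulate, regexp.MustCompile(`connecting to \\\\\w+\\C\$|Accepted \w+ for \w+ from 192\.0\.2\.`)},
	// 5. Paralyze: outages and resource exhaustion.
	{Paralyze, regexp.MustCompile(`CRITICAL host \w+ unreachable|disk 100% full|outbound \d{3,} Mbps`)},
}

// Classify returns the attack step a single log line is evidence of.
func Classify(line string) Phase {
	for _, r := range rules {
		if r.re.MatchString(line) {
			return r.phase
		}
	}
	return None
}

// PhaseSequence returns the distinct steps in the order they first appear,
// which is the timeline an analyst reconstructs during an incident.
func PhaseSequence(lines []string) []Phase {
	seen := map[Phase]bool{}
	var seq []Phase
	for _, l := range lines {
		if p := Classify(l); p != None && !seen[p] {
			seen[p] = true
			seq = append(seq, p)
		}
	}
	return seq
}

// FurthestStep is the deepest step reached. Anything beyond Penetrate means
// the perimeter had already been breached by the time anyone looked.
func FurthestStep(lines []string) Phase {
	furthest := None
	for _, l := range lines {
		if p := Classify(l); p > furthest {
			furthest = p
		}
	}
	return furthest
}

// SampleLog is a constructed incident log for this example; hosts, addresses
// and timestamps are fictional.
var SampleLog = []string{
	`2010-10-26T08:01:12 fw01 deny tcp 203.0.113.7 -> 192.0.2.10: SYN to 1024 ports in 3s`,
	`2010-10-26T08:04:55 web01 sshd: Failed password for admin from 203.0.113.7 (attempt 31)`,
	`2010-10-26T08:05:02 web01 sshd: Accepted password for admin from 203.0.113.7`,
	`2010-10-26T08:06:40 web01 sudo: admin : COMMAND=/sbin/iptables -F`,
	`2010-10-26T08:06:41 web01 useradd: new user 'backup2' uid=0`,
	`2010-10-26T08:09:13 web01 smbclient: connecting to \\fs01\C$ as admin`,
	`2010-10-26T08:09:20 fs01 sshd: Accepted publickey for admin from 192.0.2.10`,
	`2010-10-26T08:15:00 mon01 nagios: CRITICAL host fs01 unreachable`,
	`2010-10-26T08:15:30 fw01 netflow: outbound 950 Mbps to 198.51.100.9`,
	`2010-10-26T08:16:00 web01 cron: nightly backup finished`,
}

func main() {
	for _, l := range SampleLog {
		fmt.Printf("%-9s %s\n", Classify(l), l)
	}
	var names []string
	for _, p := range PhaseSequence(SampleLog) {
		names = append(names, p.String())
	}
	fmt.Println("timeline:", strings.Join(names, " -> "))
	fmt.Println("furthest step:", FurthestStep(SampleLog))
}
```

Run with `go run` to see each line tagged with its step and the reconstructed timeline probe -> penetrate -> modify -> circulate -> paralyze. The furthest-step figure is the point of the exercise: a first alert at step 3 or later means the perimeter was already breached, which is the case for the layered defenses described on the next slides.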
36. Defenses Against Attacks
• Layering
– If one layer is penetrated, several more layers
must still be breached
– Each layer is often more difficult or
complicated than the previous
– Useful in resisting a variety of attacks
• Limiting
– Limiting access to information reduces the
threat against it
– Technology-based and procedural methods
37. Defenses Against Attacks
(cont’d.)
• Diversity
– Important that security layers are diverse
– Breaching one security layer does not
compromise the whole system
• Obscurity
– Avoiding clear patterns of behavior makes
attacks from the outside much more difficult
– Not a substitute for the other principles: a
defense that only works while its design is
secret fails the moment that secret leaks
• Simplicity
– Complex security systems can be hard to
understand, troubleshoot, and feel secure
about
38. Building a Comprehensive
Security Strategy
• Block attacks
– Strong security perimeter
• Part of the computer network to which a
personal computer is attached
– Local security important too
• Update defenses
– Continually update defenses to protect
information against new types of
attacks
39. Building a Comprehensive
Security Strategy (cont’d.)
• Minimize losses
– Realize that some attacks will get through
security perimeters and local defenses
– Make backup copies of important data
– Business recovery policy
• Send secure information
– ‘‘Scramble’’ data so that unauthorized eyes
cannot read it
– Establish a secure electronic link between the
sender and receiver
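The two bullets under "Send secure information" describe what authenticated encryption provides: the data is scrambled, and the receiver can tell whether it was altered on the way. As an added example (not code from the slides or the textbook), the Go program below uses AES-256-GCM from the standard library, the same construction TLS 1.2 and 1.3 use for their record layer, to seal a message and reject any copy that was tampered with, replayed on a different link, or encrypted under another key. Deriving the key from a fixed string is an assumption that stands in for a key agreed by a real key exchange, and the `web01->fs01` context label is invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// DeriveKey turns a shared secret into a 32-byte AES-256 key. Hashing a
// fixed string is an assumption for this stand-alone example; in practice
// the key comes from a key exchange (TLS, SSH) or a key manager.
func DeriveKey(secret string) []byte {
	k := sha256.Sum256([]byte(secret))
	return k[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-GCM and binds it to a context string
// (who is sending to whom) so that a message captured on one link is
// rejected if replayed on another. The result is nonce || ciphertext || tag.
func Seal(key []byte, context string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// A fresh random nonce per message is what makes reusing the key safe.
	return gcm.Seal(nonce, nonce, plaintext, []byte(context)), nil
}

// Open verifies the tag before returning any plaintext, so the receiver
// never acts on a message that was altered, replayed under a different
// context, or encrypted under a different key.
func Open(key []byte, context string, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short to be valid")
	}
	nonce, sealed := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, sealed, []byte(context))
	if err != nil {
		return nil, errors.New("message rejected: wrong key, wrong context, or modified in transit")
	}
	return pt, nil
}

// Tamper models an attacker flipping one bit of the message on the wire.
func Tamper(msg []byte) []byte {
	out := append([]byte(nil), msg...)
	out[len(out)/2] ^= 0x80
	return out
}

func main() {
	key := DeriveKey("shared secret agreed out of band (example only)")
	msg, err := Seal(key, "web01->fs01", []byte("payroll export for Q3"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire (%d bytes): %x\n", len(msg), msg)

	pt, err := Open(key, "web01->fs01", msg)
	fmt.Printf("receiver: %q, err=%v\n", pt, err)

	_, err = Open(key, "web01->fs01", Tamper(msg))
	fmt.Println("after tampering:", err)

	_, err = Open(key, "web01->mail01", msg)
	fmt.Println("replayed to another link:", err)

	_, err = Open(DeriveKey("guess"), "web01->fs01", msg)
	fmt.Println("wrong key:", err)
}
```

The design choice worth noticing is that Open returns nothing at all on failure: a receiver that decrypted first and checked integrity afterwards would already have handled attacker-controlled bytes. The 16-byte tag and 12-byte nonce are the whole overhead per message.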
40. Summary
• Attacks against information security have grown
exponentially in recent years
• Difficult to defend against today’s attacks
• Information security definition
– That which protects the
integrity, confidentiality, and availability of
information
• Main goals of information security
– Prevent data theft, thwart identity theft, avoid
the legal consequences of not securing
information, maintain productivity, and foil
cyberterrorism
41. Summary (cont’d.)
• Several types of people are typically
behind computer attacks
• Five general steps that make up an
attack
• Practical, comprehensive security
strategy involves four key elements