
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Foundations of Security
Simplifying Security.
Module 1
Scenario
Franklin, an employee working for an organization, downloads free software from a website. After installing the software, however, Franklin's system reboots and starts to malfunction.
What might have gone wrong with Franklin's system?
What would you have done in Franklin's place?
Home Computer Users at Risk Due to Use of Folk Model Security
EAST LANSING, Mich. Most home computers are vulnerable to hacker attacks because the users either mistakenly think they have enough security in place or they don't believe they have enough valuable information that would be of interest to a hacker.
That's the point of a paper published this month by Michigan State University's Rick Wash, who says that most home computer users rely on what are known as folk models. Those are beliefs about what hackers or viruses are that people use to make decisions about security to keep their information safe.
Unfortunately, they don't often work the way they should.
"Home security is hard because people are untrained in security," said Wash, an assistant professor in the Department of Telecommunication, Information Studies and Media. "But it isn't because people are idiots. Rather they try their best to make sense of what's going on and frequently make choices that leave them vulnerable."
May 23, 2011
http://news.msu.edu
'Fakefrag' Trojan Scares You into Paying Up
A devious new Trojan is putting the fear of hard drive failure into computer owners, and then rushing in to "save" the day at your expense.
Once the "Fakefrag" Trojan finds its way onto your system via specially crafted malicious Web pages, it gets to work on the task of making you believe all your files have been erased from your hard drive, the security firm Symantec reported.
Scareware scams, which try to convince users they have a computer virus, and then trick them into purchasing fake antivirus software, are nothing new. However, Fakefrag takes the crime a step further: it actually moves your files from the "All Users" folder to a temporary location, and hides files in the "Current User" folder, Symantec said.
http://www.msnbc.msn.com
May 23, 2011 8:21:51 PM ET
Module Objectives
Security Incidents
Essential Terminologies
Computer Security
Why Security?
Potential Losses Due to Security Attacks
Elements of Security
Fundamental Concepts of Security
Layers of Security
Security Risks to Home Users
What to Secure?
What Makes a Home Computer Vulnerable?
What Makes a System Secure?
Benefits of Computer Security Awareness
Basic Computer Security Mechanisms
Module Flow
Computer Security
Potential Losses Due to Security Attacks
Essential Terminologies
Elements of Security
What Makes a Home Computer Vulnerable?
Benefits of Computer Security Awareness
Basic Computer Security Mechanisms
What to Secure?
Layers of Security
Security Risks to Home Users
Security Incident Occurrences Over Time
[Bar chart. Horizontal axis: Years (2002 to 2011). Vertical axis: Security Incident Occurrences Over Time (0 to 900). Bar labels in year order: 6, 14, 23, 141, 537, 511, 787, 604, 409, 10.]
Report on January, 2011
http://datalossdb.org
Security Incidents by Breach Type - 2011
A security incident is "Any real or suspected adverse event in relation to the security of computer systems or computer networks."
http://www.cert.org
[Bar chart of breach types: Hack, Stolen Laptop, Stolen Document, Lost Laptop, Disposal Document, Web, Unknown. Data labels: 40% (one bar) and 10% (six bars).]
http://datalossdb.org
Essential Terminologies
Threat: An action or event that has the potential to compromise and/or violate security
Exploit: A defined way to breach the security of an IT system through vulnerability
Vulnerability: Existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system
Cracker, Attacker, or Intruder: An individual who breaks into computer systems in order to steal, change, or destroy information
Attack: Any action derived from intelligent threats to violate the security of the system
Data Theft: Any action of stealing the information from the users' system
Computer Security
Security is a state of well-being of information and infrastructure
Computer security refers to the protection of computer systems and the information a user stores or processes
Users should focus on various security threats and countermeasures in order to protect their information assets
Why Security?
Computer security is important for protecting the confidentiality, integrity, and availability of computer systems and their resources
Computer administration and management have become more complex which produces more attack avenues
Network environments and network-based applications provide more attack paths
Evolution of technology has focused on the ease of use while the skill level needed for exploits has decreased
Potential Losses Due to Security Attacks
Misuse of computer resources
Data loss/theft
Loss of trust
Financial loss
Unavailability of resources
Identity theft
Elements of Security
Authenticity is the identification and assurance of the origin of information
Confidentiality is ensuring that information is accessible only to those authorized to have access (ISO 17799)
Availability is ensuring that the information is accessible to authorized persons when required without delay
Integrity is ensuring that the information is accurate, complete, reliable, and is in its original form
Non-repudiation is ensuring that a party to a contract or a communication cannot deny the authenticity of their signature on a document
The Security, Functionality, and Ease of Use Triangle
[Triangle diagram with corners: Functionality (Features), Ease of Use, Security (Restrictions)]
Moving the ball toward security means moving away from the functionality and ease of use
Applications/software products by default are preconfigured for ease of use, which makes the user vulnerable to various security flaws
Similarly, increased functionality (features) in an application makes it difficult to use in addition to being less secure
Fundamental Concepts of Security
Precaution: Adhering to the preventative measures while using computer system and applications
Maintenance: Managing all the changes in the computer applications and keeping them up to date
Reaction: Acting timely when security incidents occur
Layers of Security
Layer 1, Physical Security: Safeguards the personnel, hardware, programs, networks, and data from physical threats
Layer 2, Network Security: Protects the networks and their services from unauthorized modification, destruction, or disclosure
Layer 3, System Security: Protects the system and its information from theft, corruption, unauthorized access, or misuse
Layer 4, Application Security: Covers the use of software, hardware, and procedural methods to protect applications from external threats
Layer 5, User Security: Ensures that a valid user is logged in and that the logged-in user is allowed to use an application/program
Security Risks to Home Users
Home computers are prone to various cyber attacks as they provide attackers easy targets due to a low level of security awareness
Security risks to home users arise from various computer attacks and accidents causing physical damage to computer systems
Computer Attacks:
  Malware attacks
  Email attacks
  Mobile code (Java/JavaScript/ActiveX) attacks
  Denial of service and cross-site scripting attacks
  Identity theft and computer frauds
  Packet sniffing
  Being an intermediary for another attack (zombies)
Computer Accidents:
  Hard disk or other component failures
  Power failure and surges
  Theft of a computing device
Note: These threats and their countermeasures will be discussed in detail in the later modules
What to Secure?
Hardware: Laptops, Desktop PCs, CPU, hard disk, storage devices, cables, etc.
Software: Operating system and software applications
Information: Personal identification such as Social Security Number (SSN), passwords, credit card numbers, etc.
Communications: Emails, instant messengers, and browsing activities
What Makes a Home Computer Vulnerable?
Low level of security awareness
Default computer and application settings
Increasing online activities
None or very little investment in security systems
Not following any standard security policies or guidelines
What Makes a System Secure?
System security measures help protect computers and information stored in the systems from accidental loss, malicious threats, unauthorized access, etc.
System Access Controls:
  Ensure that unauthorized users do not get into the system
  Force legal users to be conscious about security
Data Access Controls:
  Monitor system activities such as who is accessing the data and for what purpose
  Define access rules based on the system security levels
System and Security Administration:
  Perform regular system and security administration tasks such as configuring system settings, implementing security policies, monitoring system state, etc.
System Design:
  Deploy various security characteristics in system hardware and software design such as memory segmentation, privilege isolation, etc.
Benefits of Computer Security Awareness
Computer security awareness helps minimize the chances of computer attacks
It helps prevent the loss of information stored on the systems
It helps users to prevent cybercriminals from using their systems in order to launch attacks on the other computer systems
It helps users minimize losses in case of an accident that causes physical damage to computer systems
It enables users to protect sensitive information and computing resources from unauthorized access
Module Summary
Security is a state of well-being of information and infrastructures
Computer security is the protection of computing systems and the data that they store or access
Confidentiality, integrity, non-repudiation, authenticity, and availability are the elements of security
Security risks to home users arise from various computer attacks and accidents causing physical damage to computer systems
Computer security awareness helps minimize the chances of computer attacks and prevent the loss of information stored on the systems
Basic Computer Security Checklist
Regular backup of important files
Use of strong passwords
Use of firewall and intrusion detection systems
Use of antivirus systems
Use of encryption techniques and digital signatures
Regular update of operating system and other installed applications
Following standard guidelines for Internet activities
Physical security of computing infrastructure
Awareness of current security scenario and attack techniques