Security+ Guide to Network Security Fundamentals, Third Edition

Chapter 1 Introduction to Security

Objectives
Describe the challenges of securing information Define information security and explain why it is important Identify the types of attackers Identify the steps of an attack and the defenses

Security+ Guide to Network Security Fundamentals, Third Edition

Challenges of Securing Information

There is no simple solution to securing information This can be seen through the different types of attacks that users face today
As well as the difficulties in defending against these attacks

Security+ Guide to Network Security Fundamentals, Third Edition

Difficulties in Defending against Attacks

Difficulties include the following:
Speed of attacks Greater sophistication of attacks Simplicity of attack tools Attackers can detect vulnerabilities more quickly and more readily exploit these vulnerabilities Delays in patching hardware and software products Most attacks are now distributed attacks, instead of coming from only one source User confusion
Security+ Guide to Network Security Fundamentals, Third Edition 4

Difficulties in Defending against Attacks (cont.)

Speed of attacks:
Slammer worm infected 75,000 computers in the first 11 minutes of its release. Slammer infections doubled every 8.5 seconds Slammer scanned 55 million computers per Second.

Security+ Guide to Network Security Fundamentals, Third Edition

Difficulties in Defending against Attacks (cont.)

Greater sophistication of attacks:
Attackers today use common Internet tools and protocols to send malicious data and commands. Some attack appear differently each time.

Security+ Guide to Network Security Fundamentals, Third Edition

 Simplicity of attack tools

Difficulties in Defending against Attacks (cont.)

Security+ Guide to Network Security Fundamentals, Third Edition

Difficulties in Defending against Attacks (cont.)

Simplicity of attack tools

Security+ Guide to Network Security Fundamentals, Third Edition

Difficulties in Defending against Attacks (cont.)

Attackers can detect vulnerabilities more quickly :
Discovered vulnerabilities doubled annually Day zero attacks

Delays in patching

Security+ Guide to Network Security Fundamentals, Third Edition

Difficulties in Defending against Attacks (cont.)

Most attacks are now Distributed attacks:
Many against one. Difficult to stop an attack by identifying and blocking the source.

User confusion:
Make important decisions with little knowledge.

Security+ Guide to Network Security Fundamentals, Third Edition

10

Difficulties in Defending against Attacks (cont.)

Security+ Guide to Network Security Fundamentals, Third Edition

11

Defining Information Security

Security can be considered as a state of freedom from a danger or risk
This state or condition of freedom exists because protective measures are established and maintained

Information security
The tasks of guarding information that is in a digital format Ensures that protective measures are properly implemented Cannot completely prevent attacks or guarantee that a system is totally secure
Security+ Guide to Network Security Fundamentals, Third Edition 12

Defining Information Security (cont.)

Information security:
Tasks of guarding digital information, which is typically processed by a computer (such as a personal computer), stored on a magnetic or optical storage device (such as a hard drive or DVD), and transmitted over a network spacing

Security+ Guide to Network Security Fundamentals, Third Edition

13

Defining Information Security (continued)

Information security is intended to protect information that has value to people and organizations
This value comes from the characteristics of the information:
Confidentiality Integrity Availability

Information security is achieved through a combination of three entities

Security+ Guide to Network Security Fundamentals, Third Edition 14

Defining Information Security (continued)

Confidentiality: Prevention of unauthorized disclosure of information and keeping unwanted parties from accessing assets of a computer system also known as secrecy or privacy Integrity: Prevention of unauthorized modification of information. Availability: Prevention of unauthorized withholding of information or resources. Or keeping system available
Security+ Guide to Network Security Fundamentals, Third Edition

15

Defining Information Security (continued)

Example Consider a payroll database in a corporation, it must be ensured that:
Salaries of employees are not disclosed to arbitrary users of the database. Salaries are modified by only those individuals that are properly authorized. Paychecks are printed on time at the end of each pay period.

Security+ Guide to Network Security Fundamentals, Third Edition

16

Figure 1-3 Information security components

Security+ Guide to Network Security Fundamentals, Fourth Edition 17

Defining Information Security (continued)

Security+ Guide to Network Security Fundamentals, Third Edition

18

Defining Information Security (continued)

A more comprehensive definition of information security is:
That which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures

Security+ Guide to Network Security Fundamentals, Third Edition

19

Information Security Terminology

Asset
Something that has a value

Threat
An event or object that may defeat the security measures in place and result in a loss

Threat agent
A person or thing that has the power to carry out a threat

Security+ Guide to Network Security Fundamentals, Third Edition

20

Information Security Terminology (continued)

Vulnerability
Weakness that allows a threat agent to bypass security

Risk
The likelihood that a threat agent will exploit a vulnerability Realistically, risk cannot ever be entirely eliminated

Security+ Guide to Network Security Fundamentals, Third Edition

21

Information Security Terminology (continued)

Security+ Guide to Network Security Fundamentals, Third Edition

22

Information Security Terminology (continued)

The likelihood that a thief will exploit the hole

The likelihood that an attacker will exploit the software bug

Security+ Guide to Network Security Fundamentals, Third Edition

23

Understanding the Importance of Information Security

Preventing data theft
Security is often associated with theft prevention The theft of data is one of the largest causes of financial loss due to an attack Individuals are often victims of data thievery

Thwarting identity theft

Identity theft involves using someones personal information to establish bank or credit card accounts
Cards are then left unpaid, leaving the victim with the debts and ruining their credit rating
Security+ Guide to Network Security Fundamentals, Third Edition 24

Understanding the Importance of Information Security (continued)

Avoiding legal consequences
A number of federal and state laws have been enacted to protect the privacy of electronic data
Ex: The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Security+ Guide to Network Security Fundamentals, Third Edition

25

Understanding the Importance of Information Security (continued)

Maintaining Productivity
Cleaning up after an attack diverts resources such as time and money away from normal activities

Security+ Guide to Network Security Fundamentals, Third Edition

26

Understanding the Importance of Information Security (continued)

Foiling cyberterrorism
Cyberterrorism
Attacks by terrorist groups using computer technology and the Internet

Utility, telecommunications, and financial services companies are considered prime targets of cyberterrorists

Security+ Guide to Network Security Fundamentals, Third Edition

27

Who Are the Attackers?

The types of people behind computer attacks are generally divided into several categories
These include hackers, script kiddies, spies, employees, cybercriminals, and cyberterrorists

Security+ Guide to Network Security Fundamentals, Third Edition

28

Hackers
Hacker
Generic sense: anyone who illegally breaks into or attempts to break into a computer system Narrow sense: a person who uses advanced computer skills to attack computers only to expose security flaws

Although breaking into another persons computer system is illegal

Some hackers believe it is ethical as long as they do not commit theft, vandalism, or breach any confidentiality
Security+ Guide to Network Security Fundamentals, Third Edition 29

Script Kiddies
Script kiddies
Want to break into computers to create damage Unskilled users Download automated hacking software (scripts) from Web sites and use it to break into computers

They are sometimes considered more dangerous than hackers

Script kiddies tend to be computer users who have almost unlimited amounts of leisure time, which they can use to attack systems
Security+ Guide to Network Security Fundamentals, Third Edition 30

Spies
Computer spy
A person who has been hired to break into a computer and steal information

Spies are hired to attack a specific computer or system that contains sensitive information
Their goal is to break into that computer or system and take the information without drawing any attention to their actions

Spies, like hackers, possess excellent computer skills

Security+ Guide to Network Security Fundamentals, Third Edition 31

Employees
One of the largest information security threats to a business actually comes from its employees Reasons
An employee might want to show the company a weakness in their security dissatisfied employees may want get even with the company For money Blackmailing
Security+ Guide to Network Security Fundamentals, Third Edition 32

Cybercriminals
Cybercriminals
A loose-knit network of attackers, identity thieves, and financial fraudsters More highly motivated, less risk-averse, better funded, and more tenacious (stubborn) than hackers

Many security experts believe that cybercriminals belong to organized gangs of young and mostly Eastern European attackers Cybercriminals have a more focused goal that can be summed up in a single word: money
Security+ Guide to Network Security Fundamentals, Third Edition 33

Cybercriminals (continued)

Security+ Guide to Network Security Fundamentals, Third Edition

34

Cybercriminals (continued)
Cybercrime
Targeted attacks against financial networks, unauthorized access to information, and the theft of personal information

Financial cybercrime is often divided into two categories

Use of stolen credit card numbers and financial information Using spam to commit fraud
Security+ Guide to Network Security Fundamentals, Third Edition 35

Cyberterrorists
Cyberterrorists
Their motivation may be defined as ideology, or attacking for the sake of their principles or beliefs

Goals of a cyberattack:
To deface electronic information and spread misinformation and propaganda To deny service to legitimate computer users To commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data
Security+ Guide to Network Security Fundamentals, Third Edition 36

Attackers Profile Summary

Cybercriminals

Money

Security+ Guide to Network Security Fundamentals, Second Edition

37

Attacks and Defenses

Although there are a wide variety of attacks that can be launched against a computer or network
The same basic steps are used in most attacks

Protecting computers against these steps in an attack calls for five fundamental security principles

Security+ Guide to Network Security Fundamentals, Third Edition

38

Steps of an Attack
The five steps that make up an attack
Probe for information Penetrate any defenses Modify security settings Circulate to other systems Paralyze networks and devices

Security+ Guide to Network Security Fundamentals, Third Edition

39

Security+ Guide to Network Security Fundamentals, Third Edition

40

Defenses against Attacks

Although multiple defenses may be necessary to withstand an attack
These defenses should be based on five fundamental security principles:
Protecting systems by layering Limiting Diversity Obscurity Simplicity

Security+ Guide to Network Security Fundamentals, Third Edition

41

Layering
Information security must be created in layers One defense mechanism may be relatively easy for an attacker to circumvent
Instead, a security system must have layers, making it unlikely that an attacker has the tools and skills to break through all the layers of defenses

A layered approach can also be useful in resisting a variety of attacks Layered security provides the most comprehensive protection
Security+ Guide to Network Security Fundamentals, Third Edition 42

Limiting
Limiting access to information reduces the threat against it Only those who must use data should have access to it
In addition, the amount of access granted to someone should be limited to what that person needs to know

Some ways to limit access are technology-based, while others are procedural

Security+ Guide to Network Security Fundamentals, Third Edition

43

Diversity
Layers must be different (diverse)
If attackers penetrate one layer, they cannot use the same techniques to break through all other layers

Using diverse layers of defense means that breaching one security layer does not compromise the whole system

Security+ Guide to Network Security Fundamentals, Third Edition

44

Obscurity
An example of obscurity would be not revealing the type of computer, operating system, software, and network connection a computer uses
An attacker who knows that information can more easily determine the weaknesses of the system to attack it

Obscuring information can be an important way to protect information

Security+ Guide to Network Security Fundamentals, Third Edition

45

Simplicity
Information security is by its very nature complex Complex security systems can be hard to understand, troubleshoot, and feel secure about As much as possible, a secure system should be simple for those on the inside to understand and use Complex security schemes are often compromised to make them easier for trusted users to work with
Keeping a system simple from the inside but complex on the outside can sometimes be difficult but result in a major benefit
Security+ Guide to Network Security Fundamentals, Third Edition 46

Summary
Attacks against information security have grown exponentially in recent years There are several reasons why it is difficult to defend against todays attacks Information security may be defined as that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures

Security+ Guide to Network Security Fundamentals, Third Edition

47

Summary (continued)
The main goals of information security are to prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism The types of people behind computer attacks are generally divided into several categories There are five general steps that make up an attack: probe for information, penetrate any defenses, modify security settings, circulate to other systems, and paralyze networks and devices
Security+ Guide to Network Security Fundamentals, Third Edition 48