Describing the challenges of securing information


Published on

Published in: Technology, News & Politics
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Describing the challenges of securing information

  1. 1. IT Security Awareness October 26, 2010 Madison College Chapter 1Introduction to Security
  2. 2. Kit Kat• The origins of the Kit Kat brand stem back to 1911• The original four-finger bar was developed after a worker at the Rowntree York Factory put a suggestion in a recommendation box for a snack that "a man could take to work in his pack up".
  3. 3. Kit KatKit Kat bar launched on the 29th of August,1939, under the title of Rowntrees ChocolateCrisp (priced at 2p), and was sold in Londonand throughout Southern England.The Hershey Company has a licence toproduce Kit Kat bars in the United Stateswhich dates from 1969, when Hersheyexecuted a licensing agreement for both theKit Kat and the Rolo with Rowntree
  4. 4. Objectives After completing this chapter, you should be able to do the following: •Describe the challenges of securing information •Define information security and explain why it is important •Identify the types of attackers that are common today •List the basic steps of an attack •Describe the steps in a defense and a comprehensive defense strategySecurity Awareness, 3rd Edition 4
  5. 5. Challenges of Securing Information • No single simple solution to protecting computers and securing information • Different types of attacks • Difficulties in defending against these attacks (Speed, Greater Sophistication, Simplicity, Delays in Patching, User Confusion)Security Awareness, 3rd Edition 5
  6. 6. Today’s Security Attacks • Typical monthly security newsletter – Malicious program was introduced in the manufacturing process of a popular brand of digital photo frames – E-mail claiming to be from the United Nations (U.N.) ‘‘Nigerian Government Reimbursement Committee’’ is sent to unsuspecting users – ‘‘Booby-trapped’’ Web pages are growing at an increasing rate – Mac computers can be theSecurity Awareness, 3rd Edition victim of attackers 6
  7. 7. Today’s Security Attacks (cont’d.) • Security statistics – 45 million credit and debit card numbers stolen – Number of security breaches continues to rise – Recent report revealed that of 24 federal government agencies overall grade was only ‘‘C-’’Security Awareness, 3rd Edition 7
  8. 8. Course Technology/Cengage Learning Table 1-1 Selected security breaches involving personal information in a three-month periodSecurity Awareness, 3rd Edition 8
  9. 9. Difficulties in Defending Against Attacks • Speed of attacks • Greater sophistication of attacks • Simplicity of attack tools • Quicker detection of vulnerabilities – Zero day attack • Delays in patching products • Distributed attacks • User confusion Security Awareness, 3rd Edition 9
  10. 10. Difficulties in Defending Against Attacks (cont’d.) Figure 1-1 Increased sophistication of attack tools Course Technology/Cengage LearningSecurity Awareness, 3rd Edition 10
  11. 11. Difficulties in Defending Against Attacks (cont’d.) Figure 1-2 Menu of attack tools Course Technology/Cengage LearningSecurity Awareness, 3rd Edition 11
  12. 12. Difficulties in Defending Against Attacks (cont’d.) Table 1-2 Difficulties in defending against attacksSecurity Awareness, 3rd Edition 12
  13. 13. What Is Information Security? • Understand what information security is • Why is information security important today? • Who are the attackers?Security Awareness, 3rd Edition 13
  14. 14. Defining Information Security • Security – State of freedom from a danger or risk • Information security – Tasks of guarding information that is in a digital format – Ensures that protective measures are properly implemented – Protect information that has value to people and organizations • Value comes from the characteristics of the informationSecurity Awareness, 3rd Edition 14
  15. 15. Defining Information Security (cont’d.) • Characteristics of information that must be protected by information security – Confidentiality – Integrity – Availability • Achieved through a combination of three entities – Products – People – ProceduresSecurity Awareness, 3rd Edition 15
  16. 16. Defining Information Security (cont’d.) Figure1-3 Information security components Course Technology/Cengage LearningSecurity Awareness, 3rd Edition 16
  17. 17. Defining Information Security(cont’d.) Table 1-3 Information security layers Course Technology/Cengage Learning Security Awareness, 3rd Edition 17
  18. 18. Information Security Terminology • Asset – Something that has a value • Threat – Event or object that may defeat the security measures in place and result in a loss – By itself does not mean that security has been compromised • Threat agent – Person or thing that has the power to carry out a threat Security Awareness, 3rd Edition 18
  19. 19. Information Security Terminology (cont’d.) • Vulnerability – Weakness that allows a threat agent to bypass security • Exploiting the security weakness – Taking advantage of the vulnerability • Risk – Likelihood that a threat agent will exploit a vulnerability – Some degree of risk must always be assumed – Three options for dealing with riskSecurity Awareness, 3rd Edition 19
  20. 20. Information Security Terminology (cont’d.) Table 1-4 Security information terminologyCourse Technology/Cengage LearningSecurity Awareness, 3rd Edition 20
  21. 21. Understanding the Importance of Information Security • Preventing data theft – Theft of data is one of the largest causes of financial loss due to an attack – Affects businesses and individuals • Thwarting identity theft – Identity theft • Using someone’s personal information to establish bank or credit card accounts that are then left unpaid • Leaves the victim with debts and ruins their credit rating rd – Legislation continues to be enactedSecurity Awareness, 3 Edition 21
  22. 22. Understanding the Importance of Information Security (cont’d.) • Avoiding legal consequences – Federal and state laws that protect the privacy of electronic data • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) • The Sarbanes-Oxley Act of 2002 (Sarbox) • The Gramm-Leach-Bliley Act (GLBA) • USA Patriot Act (2001) • The California Database Security Breach Act (2003) rd • Children’s Online Privacy ProtectionSecurity Awareness, 3 Edition 22 Act of 1998 (COPPA)
  23. 23. Understanding the Importance ofInformation Security (cont’d.) • Maintaining productivity – Lost wages and productivity during an attack and cleanup – Unsolicited e-mail message security risk • U.S. businesses forfeit $9 billion each year restricting spam • Foiling cyberterrorism – Could cripple a nation’s electronic and commercial infrastructure – ‘‘Information Security Problem’’ Security Awareness, 3rd Edition 23
  24. 24. Who Are the Attackers? • Divided into several categories – Hackers – Script kiddies – Spies – Employees – Cybercriminals – CyberterroristsSecurity Awareness, 3rd Edition 24
  25. 25. Hackers • Debated definition of hacker – Identify anyone who illegally breaks into or attempts to break into a computer system – Person who uses advanced computer skills to attack computers only to expose security flaws • ‘‘White Hats’Security Awareness, 3rd Edition 25
  26. 26. Script Kiddies • Unskilled users • Use automated hacking software • Do not understand the technology behind what they are doing • Often indiscriminately target a wide range of computersSecurity Awareness, 3rd Edition 26
  27. 27. • Person who has been hired to break into aSpies computer and steal information • Do not randomly search for unsecured computers • Hired to attack a specific computer or system • Goal – Break into computer or system – Take the information without drawing any attention to their actions Security Awareness, 3rd Edition 28
  28. 28. Employees • Reasons for attacks by employees – Show company weakness in security – Retaliation – Money – Blackmail – Carelessness Security Awareness, 3rd Edition 29
  29. 29. Cybercriminals • Loose-knit network of attackers, identity thieves, and financial fraudsters • Motivated by money • Financial cybercrime categories – Stolen financial data – Spam email to sell counterfeits and pornography Security Awareness, 3rd Edition 30
  30. 30. Cybercriminals (cont’d.) Table 1-6 Eastern European promotion of cybercriminals Course Technology/Cengage LearningSecurity Awareness, 3rd Edition 31
  31. 31. Cyberterrorists • Motivated by ideology • Sometimes considered attackers that should be feared mostSecurity Awareness, 3rd Edition 32
  32. 32. Attacks and Defenses • Same basic steps are used in most attacks • Protecting computers against these steps – Calls for five fundamental security principlesSecurity Awareness, 3rd Edition 33
  33. 33. Steps of an Attack • Probe for information • Penetrate any defenses • Modify security settings • Circulate to other systems • Paralyze networks and devicesSecurity Awareness, 3rd Edition 34
  34. 34. Figure 1-5 Steps of an attackSecurity Awareness, 3rd Edition 35
  35. 35. Defenses Against Attacks • Layering – If one layer is penetrated, several more layers must still be breached – Each layer is often more difficult or complicated than the previous – Useful in resisting a variety of attacks • Limiting – Limiting access to information reduces the threat against it – Technology-based and procedural methodsSecurity Awareness, 3rd Edition 36
  36. 36. Defenses Against Attacks (cont’d.) • Diversity – Important that security layers are diverse – Breaching one security layer does not compromise the whole system • Obscurity – Avoiding clear patterns of behavior make attacks from the outside much more difficult • Simplicity – Complex security systems can be hard to understand, troubleshoot, and feel secure aboutSecurity Awareness, 3rd Edition 37
  37. 37. Building a Comprehensive Security Strategy • Block attacks – Strong security perimeter • Part of the computer network to which a personal computer is attached – Local security important too • Update defenses – Continually update defenses to protect information against new types of attacksSecurity Awareness, 3rd Edition 38
  38. 38. Building a Comprehensive Security Strategy (cont’d.) • Minimize losses – Realize that some attacks will get through security perimeters and local defenses – Make backup copies of important data – Business recovery policy • Send secure information – ‘‘Scramble’’ data so that unauthorized eyes cannot read it – Establish a secure electronic link between the sender and receiverSecurity Awareness, 3rd Edition 39
  39. 39. Summary • Attacks against information security have grown exponentially in recent years • Difficult to defend against today’s attacks • Information security definition – That which protects the integrity, confidentiality, and availability of information • Main goals of information security – Prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorismSecurity Awareness, 3rd Edition 40
  40. 40. Summary (cont’d.) • Several types of people are typically behind computer attacks • Five general steps that make up an attack • Practical, comprehensive security strategy involves four key elementsSecurity Awareness, 3rd Edition 41