It security awareness overview
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

It security awareness overview

on

  • 926 views

 

Statistics

Views

Total Views
926
Views on SlideShare
926
Embed Views
0

Actions

Likes
0
Downloads
44
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

It security awareness overview Presentation Transcript

  • 1. IT Security Awareness January 24, 2011 Madison College Chapter 1Introduction to Security
  • 2. Objectives After completing this chapter, you should be able to do the following: •Describe the challenges of securing information •Define information security and explain why it is important •Identify the types of attackers that are common today •List the basic steps of an attack •Describe the steps in a defense and a comprehensive defense strategySecurity Awareness, 3rd Edition 2
  • 3. Challenges of Securing Information • No single simple solution to protecting computers and securing information • Different types of attacks • Difficulties in defending against these attacks (Speed, Greater Sophistication, Simplicity, Delays in Patching, User Confusion)Security Awareness, 3rd Edition 3
  • 4. Today’s Security Attacks • Typical monthly security newsletter – Malicious program was introduced in the manufacturing process of a popular brand of digital photo frames – E-mail claiming to be from the United Nations (U.N.) ‘‘Nigerian Government Reimbursement Committee’’ is sent to unsuspecting users – ‘‘Booby-trapped’’ Web pages are growing at an increasing rate – Mac computers can be theSecurity Awareness, 3rd Edition victim of attackers 4
  • 5. Today’s Security Attacks (cont’d.) • Security statistics – 45 million credit and debit card numbers stolen – Number of security breaches continues to rise – Recent report revealed that of 24 federal government agencies overall grade was only ‘‘C-’’Security Awareness, 3rd Edition 5
  • 6. Course Technology/Cengage Learning Table 1-1 Selected security breaches involving personal information in a three-month periodSecurity Awareness, 3rd Edition 6
  • 7. Difficulties in Defending Against Attacks • Speed of attacks • Greater sophistication of attacks • Simplicity of attack tools • Quicker detection of vulnerabilities – Zero day attack • Delays in patching products • Distributed attacks • User confusion Security Awareness, 3rd Edition 7
  • 8. Difficulties in Defending Against Attacks (cont’d.) Figure 1-1 Increased sophistication of attack tools Course Technology/Cengage LearningSecurity Awareness, 3rd Edition 8
  • 9. Difficulties in Defending Against Attacks (cont’d.) Figure 1-2 Menu of attack tools Course Technology/Cengage LearningSecurity Awareness, 3rd Edition 9
  • 10. Difficulties in Defending Against Attacks (cont’d.) Table 1-2 Difficulties in defending against attacksSecurity Awareness, 3rd Edition 10
  • 11. What Is Information Security? • Understand what information security is • Why is information security important today? • Who are the attackers?Security Awareness, 3rd Edition 11
  • 12. Defining Information Security • Security – State of freedom from a danger or risk • Information security – Tasks of guarding information that is in a digital format – Ensures that protective measures are properly implemented – Protect information that has value to people and organizations • Value comes from the characteristics of the informationSecurity Awareness, 3rd Edition 12
  • 13. Defining Information Security (cont’d.) • Characteristics of information that must be protected by information security – Confidentiality – Integrity – Availability • Achieved through a combination of three entities – Products – People – ProceduresSecurity Awareness, 3rd Edition 13
  • 14. Defining Information Security (cont’d.) Figure1-3 Information security components Course Technology/Cengage LearningSecurity Awareness, 3rd Edition 14
  • 15. Defining Information Security(cont’d.) Table 1-3 Information security layers Course Technology/Cengage Learning Security Awareness, 3rd Edition 15
  • 16. Information Security Terminology • Asset – Something that has a value • Threat – Event or object that may defeat the security measures in place and result in a loss – By itself does not mean that security has been compromised • Threat agent – Person or thing that has the power to carry out a threat Security Awareness, 3rd Edition 16
  • 17. Information Security Terminology (cont’d.) • Vulnerability – Weakness that allows a threat agent to bypass security • Exploiting the security weakness – Taking advantage of the vulnerability • Risk – Likelihood that a threat agent will exploit a vulnerability – Some degree of risk must always be assumed – Three options for dealing with riskSecurity Awareness, 3rd Edition 17
  • 18. Information Security Terminology (cont’d.) Table 1-4 Security information terminologyCourse Technology/Cengage LearningSecurity Awareness, 3rd Edition 18
  • 19. Understanding the Importance of Information Security • Preventing data theft – Theft of data is one of the largest causes of financial loss due to an attack – Affects businesses and individuals • Thwarting identity theft – Identity theft • Using someone’s personal information to establish bank or credit card accounts that are then left unpaid • Leaves the victim with debts and ruins their credit rating rd – Legislation continues to be enactedSecurity Awareness, 3 Edition 19
  • 20. Understanding the Importance of Information Security (cont’d.) • Avoiding legal consequences – Federal and state laws that protect the privacy of electronic data • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) • The Sarbanes-Oxley Act of 2002 (Sarbox) • The Gramm-Leach-Bliley Act (GLBA) • USA Patriot Act (2001) • The California Database Security Breach Act (2003) rd •Security Awareness, 3 Edition Children’s Online Privacy Protection 20 Act of 1998 (COPPA)
  • 21. Understanding the Importance ofInformation Security (cont’d.) • Maintaining productivity – Lost wages and productivity during an attack and cleanup – Unsolicited e-mail message security risk • U.S. businesses forfeit $9 billion each year restricting spam • Foiling cyberterrorism – Could cripple a nation’s electronic and commercial infrastructure – ‘‘Information Security Problem’’ Security Awareness, 3rd Edition 21
  • 22. Who Are the Attackers? • Divided into several categories – Hackers – Script kiddies – Spies – Employees – Cybercriminals – CyberterroristsSecurity Awareness, 3rd Edition 22
  • 23. Hackers • Debated definition of hacker – Identify anyone who illegally breaks into or attempts to break into a computer system – Person who uses advanced computer skills to attack computers only to expose security flaws • ‘‘White Hats’Security Awareness, 3rd Edition 23
  • 24. Script Kiddies • Unskilled users • Use automated hacking software • Do not understand the technology behind what they are doing • Often indiscriminately target a wide range of computersSecurity Awareness, 3rd Edition 24
  • 25. • Person who has been hired to break into aSpies computer and steal information • Do not randomly search for unsecured computers • Hired to attack a specific computer or system • Goal – Break into computer or system – Take the information without drawing any attention to their actions Security Awareness, 3rd Edition 26
  • 26. Employees • Reasons for attacks by employees – Show company weakness in security – Retaliation – Money – Blackmail – Carelessness Security Awareness, 3rd Edition 27
  • 27. Cybercriminals • Loose-knit network of attackers, identity thieves, and financial fraudsters • Motivated by money • Financial cybercrime categories – Stolen financial data – Spam email to sell counterfeits and pornography Security Awareness, 3rd Edition 28
  • 28. Cybercriminals (cont’d.) Table 1-6 Eastern European promotion of cybercriminals Course Technology/Cengage LearningSecurity Awareness, 3rd Edition 29
  • 29. Cyberterrorists • Motivated by ideology • Sometimes considered attackers that should be feared mostSecurity Awareness, 3rd Edition 30
  • 30. Attacks and Defenses • Same basic steps are used in most attacks • Protecting computers against these steps – Calls for five fundamental security principlesSecurity Awareness, 3rd Edition 31
  • 31. Steps of an Attack • Probe for information • Penetrate any defenses • Modify security settings • Circulate to other systems • Paralyze networks and devicesSecurity Awareness, 3rd Edition 32
  • 32. Figure 1-5 Steps of an attackSecurity Awareness, 3rd Edition 33
  • 33. Defenses Against Attacks • Layering – If one layer is penetrated, several more layers must still be breached – Each layer is often more difficult or complicated than the previous – Useful in resisting a variety of attacks • Limiting – Limiting access to information reduces the threat against it – Technology-based and procedural methodsSecurity Awareness, 3rd Edition 34
  • 34. Defenses Against Attacks (cont’d.) • Diversity – Important that security layers are diverse – Breaching one security layer does not compromise the whole system • Obscurity – Avoiding clear patterns of behavior make attacks from the outside much more difficult • Simplicity – Complex security systems can be hard to understand, troubleshoot, and feel secure aboutSecurity Awareness, 3rd Edition 35
  • 35. Building a Comprehensive Security Strategy • Block attacks – Strong security perimeter • Part of the computer network to which a personal computer is attached – Local security important too • Update defenses – Continually update defenses to protect information against new types of attacksSecurity Awareness, 3rd Edition 36
  • 36. Building a Comprehensive Security Strategy (cont’d.) • Minimize losses – Realize that some attacks will get through security perimeters and local defenses – Make backup copies of important data – Business recovery policy • Send secure information – ‘‘Scramble’’ data so that unauthorized eyes cannot read it – Establish a secure electronic link between the sender and receiverSecurity Awareness, 3rd Edition 37
  • 37. Summary • Attacks against information security have grown exponentially in recent years • Difficult to defend against today’s attacks • Information security definition – That which protects the integrity, confidentiality, and availability of information • Main goals of information security – Prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorismSecurity Awareness, 3rd Edition 38
  • 38. Summary (cont’d.) • Several types of people are typically behind computer attacks • Five general steps that make up an attack • Practical, comprehensive security strategy involves four key elementsSecurity Awareness, 3rd Edition 39