Foundations of Security 
Module 1 
Copyright © by EC-Council 
All Rights Reserved. Reproduction is Strictly Prohibited. 
Simplifying Security.
Scenario
Franklin, an employee working for an organization, downloads free software from a website. After installing the software, however, Franklin's system reboots and starts to malfunction.
What might have gone wrong with Franklin’s system?
What would you have done in Franklin’s place?
Home-computer Users at Risk Due to Use of ‘Folk Model’ Security
May 23, 2011, http://news.msu.edu
EAST LANSING, Mich. — Most home computers are vulnerable to hacker attacks because the users either mistakenly think they have enough security in place or they don’t believe they have enough valuable information that would be of interest to a hacker.
That’s the point of a paper published this month by Michigan State University’s Rick Wash, who says that most home-computer users rely on what are known as “folk models.” Those are beliefs about what hackers or viruses are that people use to make decisions about security – to keep their information safe.
Unfortunately, they don’t often work the way they should.
“Home security is hard because people are untrained in security,” said Wash, an assistant professor in the Department of Telecommunication, Information Studies and Media. “But it isn’t because people are idiots. Rather they try their best to make sense of what’s going on and frequently make choices that leave them vulnerable.”
'Fakefrag' Trojan Scares You into Paying Up
May 23, 2011 8:21:51 PM ET, http://www.msnbc.msn.com
A devious new Trojan is putting the fear of hard drive failure into computer owners, and then rushing in to "save" the day — at your expense.
Once the "Fakefrag" Trojan finds its way onto your system via specially crafted malicious Web pages, it gets to work on the task of making you believe all your files have been erased from your hard drive, the security firm Symantec reported.
Scareware scams, which try to convince users they have a computer virus, and then trick them into purchasing fake antivirus software, are nothing new. However, Fakefrag takes the crime a step further: it actually moves your files from the "All Users" folder to a temporary location, and hides files in the "Current User" folder, Symantec said.
Module Objectives
Security Incidents
Essential Terminologies
Computer Security
Why Security?
Potential Losses Due to Security Attacks
Elements of Security
Fundamental Concepts of Security
Layers of Security
Security Risks to Home Users
What to Secure?
What Makes a Home Computer Vulnerable?
What Makes a System Secure?
Benefits of Computer Security Awareness
Basic Computer Security Mechanisms
Module Flow (diagram): Computer Security; Essential Terminologies; Potential Losses Due to Security Attacks; Elements of Security; Layers of Security; Security Risks to Home Users; What to Secure?; What Makes a Home Computer Vulnerable?; Benefits of Computer Security Awareness; Basic Computer Security Mechanisms
Security Incident Occurrences Over Time
[Figure: bar chart of security incident occurrences per year, 2002 to 2011, vertical axis 0 to 900; report of January 2011. Data labels as extracted: 6, 14, 23, 141, 537, 511, 787, 604, 409, 10. Source: http://datalossdb.org]
Security Incidents by Breach Type - 2011
A security incident is “Any real or suspected adverse event in relation to the security of computer systems or computer networks.” (http://www.cert.org)
[Figure: pie chart of incidents by breach type with segments Web, Unknown, Stolen Laptop, Stolen Document, Lost Laptop, Hack, and Disposal Document; one segment is labelled 40% and six are labelled 10%. Source: http://datalossdb.org]
Essential Terminologies
Threat: An action or event that has the potential to compromise and/or violate security
Exploit: A defined way to breach the security of an IT system through a vulnerability
Vulnerability: Existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system
Cracker, Attacker, or Intruder: An individual who breaks into computer systems in order to steal, change, or destroy information
Attack: Any action derived from intelligent threats to violate the security of the system
Data Theft: Any action of stealing the information from the users’ system
Computer Security
1. Security is a state of well-being of information and infrastructure
2. Computer security refers to the protection of computer systems and the information a user stores or processes
3. Users should focus on various security threats and countermeasures in order to protect their information assets
Why Security?
Computer security is important for protecting the confidentiality, integrity, and availability of computer systems and their resources
Computer administration and management have become more complex, which produces more attack avenues
Network environments and network-based applications provide more attack paths
Evolution of technology has focused on ease of use, while the skill level needed for exploits has decreased
Potential Losses Due to Security Attacks
Misuse of computer resources
Data loss/theft
Loss of trust
Financial loss
Unavailability of resources
Identity theft
Elements of Security
Confidentiality is “ensuring that information is accessible only to those authorized to have access” (ISO-17799)
Authenticity is “the identification and assurance of the origin of information”
Integrity is “ensuring that the information is accurate, complete, reliable, and is in its original form”
Availability is “ensuring that the information is accessible to authorized persons when required without delay”
Non-repudiation is “ensuring that a party to a contract or a communication cannot deny the authenticity of their signature on a document”
The Security, Functionality, and Ease of Use Triangle
Applications/software products by default are preconfigured for ease of use, which makes the user vulnerable to various security flaws
Similarly, increased functionality (features) in an application makes it difficult to use in addition to being less secure
[Figure: triangle with corners Functionality (Features), Ease of Use, and Security (Restrictions)]
Moving the ball toward security means moving away from functionality and ease of use
Fundamental Concepts of Security
Precaution: Adhering to the preventative measures while using computer systems and applications
Maintenance: Managing all the changes in the computer applications and keeping them up to date
Reaction: Acting timely when security incidents occur
Layers of Security
Layer 1: Physical Security. Safeguards the personnel, hardware, programs, networks, and data from physical threats
Layer 2: Network Security. Protects the networks and their services from unauthorized modification, destruction, or disclosure
Layer 3: System Security. Protects the system and its information from theft, corruption, unauthorized access, or misuse
Layer 4: Application Security. Covers the use of software, hardware, and procedural methods to protect applications from external threats
Layer 5: User Security. Ensures that a valid user is logged in and that the logged-in user is allowed to use an application/program
Security Risks to Home Users
Home computers are prone to various cyber attacks as they provide attackers easy targets due to a low level of security awareness
Security risks to home users arise from various computer attacks and accidents causing physical damage to computer systems
Computer Attacks:
Malware attacks
Email attacks
Mobile code (Java/JavaScript/ActiveX) attacks
Denial of service and cross-site scripting attacks
Identity theft and computer frauds
Packet sniffing
Being an intermediary for another attack (zombies)
Computer Accidents:
Hard disk or other component failures
Power failure and surges
Theft of a computing device
Note: These threats and their countermeasures will be discussed in detail in the later modules
What to Secure?
Hardware: Laptops, Desktop PCs, CPU, hard disk, storage devices, cables, etc.
Software: Operating system and software applications
Information: Personal identification such as Social Security Number (SSN), passwords, credit card numbers, etc.
Communications: Emails, instant messengers, and browsing activities
What Makes a Home Computer Vulnerable?
Low level of security awareness
Default computer and application settings
Increasing online activities
Little or no investment in security systems
Not following any standard security policies or guidelines
What Makes a System Secure?
System security measures help protect computers and information stored in the systems from accidental loss, malicious threats, unauthorized access, etc.
System Access Controls: Ensure that unauthorized users do not get into the system. Force legal users to be conscious about security.
Data Access Controls: Monitor system activities such as who is accessing the data and for what purpose. Define access rules based on the system security levels.
System and Security Administration: Perform regular system and security administration tasks such as configuring system settings, implementing security policies, monitoring system state, etc.
System Design: Deploy various security characteristics in system hardware and software design such as memory segmentation, privilege isolation, etc.
Benefits of Computer Security Awareness
Computer security awareness helps minimize the chances of computer attacks
It helps users minimize losses in case of an accident that causes physical damage to computer systems
It enables users to protect sensitive information and computing resources from unauthorized access
It helps prevent the loss of information stored on the systems
It helps users to prevent cybercriminals from using their systems in order to launch attacks on other computer systems
Module Summary
Security is a state of well-being of information and infrastructures
Computer security is the protection of computing systems and the data that they store or access
Confidentiality, integrity, non-repudiation, authenticity, and availability are the elements of security
Security risks to home users arise from various computer attacks and accidents causing physical damage to computer systems
Computer security awareness helps minimize the chances of computer attacks and prevent the loss of information stored on the systems
Basic Computer Security Checklist
Use of strong passwords
Use of anti-virus systems
Regular update of operating system and other installed applications
Regular backup of important files
Use of encryption techniques and digital signatures
Use of firewall and intrusion detection systems
Following standard guidelines for Internet activities
Physical security of computing infrastructure
Awareness of current security scenario and attack techniques

More Related Content

What's hot

IT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeIT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeAtlantic Training, LLC.
 
Information security
Information security Information security
Information security AishaIshaq4
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxDinesh582831
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)WAJAHAT IQBAL
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingDaniel P Wallace
 
What is network security and Types
What is network security and TypesWhat is network security and Types
What is network security and TypesVikram Khanna
 
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)Iftikhar Ali Iqbal
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss PreventionReza Kopaee
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Antonio Fontes
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability ManagementMarcelo Martins
 
OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)
OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)
OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)Denim Group
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security AwarenessRamiro Cid
 
What is zero trust model (ztm)
What is zero trust model (ztm)What is zero trust model (ztm)
What is zero trust model (ztm)Ahmed Banafa
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness TrainingJen Ruhman
 
Cyber security-briefing-presentation
Cyber security-briefing-presentationCyber security-briefing-presentation
Cyber security-briefing-presentationsathiyamaha
 

What's hot (20)

IT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeIT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community College
 
Information security
Information security Information security
Information security
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptx
 
Security & Compliance
Security & ComplianceSecurity & Compliance
Security & Compliance
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
End-User Security Awareness
End-User Security AwarenessEnd-User Security Awareness
End-User Security Awareness
 
Security awareness
Security awarenessSecurity awareness
Security awareness
 
What is network security and Types
What is network security and TypesWhat is network security and Types
What is network security and Types
 
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Prevention
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
 
OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)
OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)
OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security Awareness
 
Cloud security
Cloud securityCloud security
Cloud security
 
What is zero trust model (ztm)
What is zero trust model (ztm)What is zero trust model (ztm)
What is zero trust model (ztm)
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
 
Cyber security-briefing-presentation
Cyber security-briefing-presentationCyber security-briefing-presentation
Cyber security-briefing-presentation
 

Similar to Cscu module 01 foundations of security

Computer Safety and Ethics.pptx
Computer Safety and Ethics.pptxComputer Safety and Ethics.pptx
Computer Safety and Ethics.pptxKhristine Botin
 
Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture NotesFellowBuddy.com
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges  Contributors Kim Wanders.docxSecurity and Ethical Challenges  Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docxedgar6wallace88877
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges  Contributors Kim Wanders.docxSecurity and Ethical Challenges  Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docxfathwaitewalter
 
Cscu module 03 protecting systems using antiviruses
Cscu module 03 protecting systems using antivirusesCscu module 03 protecting systems using antiviruses
Cscu module 03 protecting systems using antivirusesAlireza Ghahrood
 
Cyber Security: A Hands on review
Cyber Security: A Hands on reviewCyber Security: A Hands on review
Cyber Security: A Hands on reviewMiltonBiswas8
 
Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011lbcollins18
 
How To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsHow To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsLondon School of Cyber Security
 
IT-Security-20210426203847.ppt
IT-Security-20210426203847.pptIT-Security-20210426203847.ppt
IT-Security-20210426203847.pptRamaNingaiah
 
IT-Security-20210426203847.ppt
IT-Security-20210426203847.pptIT-Security-20210426203847.ppt
IT-Security-20210426203847.pptIan Dave Balatbat
 
IT-Security-20210426203847.ppt
IT-Security-20210426203847.pptIT-Security-20210426203847.ppt
IT-Security-20210426203847.pptssuser6c59cb
 
Ch # 10 computer security risks and safe guards
Ch # 10 computer security risks and safe guardsCh # 10 computer security risks and safe guards
Ch # 10 computer security risks and safe guardsMuhammadRobeel3
 
Computer Literacy Lesson 31
Computer Literacy Lesson 31Computer Literacy Lesson 31
Computer Literacy Lesson 31cpashke
 
Type of Security Threats and its Prevention
Type of Security Threats and its PreventionType of Security Threats and its Prevention
Type of Security Threats and its Preventionijsrd.com
 

Similar to Cscu module 01 foundations of security (20)

Cyber security
Cyber securityCyber security
Cyber security
 
Computer Safety and Ethics.pptx
Computer Safety and Ethics.pptxComputer Safety and Ethics.pptx
Computer Safety and Ethics.pptx
 
Insecurity vssut
Insecurity vssutInsecurity vssut
Insecurity vssut
 
Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture Notes
 
need for NS.ppt
need for NS.pptneed for NS.ppt
need for NS.ppt
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges  Contributors Kim Wanders.docxSecurity and Ethical Challenges  Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docx
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges  Contributors Kim Wanders.docxSecurity and Ethical Challenges  Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docx
 
Cscu module 03 protecting systems using antiviruses
Cscu module 03 protecting systems using antivirusesCscu module 03 protecting systems using antiviruses
Cscu module 03 protecting systems using antiviruses
 
Cyber Security: A Hands on review
Cyber Security: A Hands on reviewCyber Security: A Hands on review
Cyber Security: A Hands on review
 
Forensics
ForensicsForensics
Forensics
 
Computer-Security.pptx
Computer-Security.pptxComputer-Security.pptx
Computer-Security.pptx
 
Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011
 
How To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsHow To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and Forensics
 
IT-Security-20210426203847.ppt
IT-Security-20210426203847.pptIT-Security-20210426203847.ppt
IT-Security-20210426203847.ppt
 
IT-Security-20210426203847.ppt
IT-Security-20210426203847.pptIT-Security-20210426203847.ppt
IT-Security-20210426203847.ppt
 
IT-Security-20210426203847.ppt
IT-Security-20210426203847.pptIT-Security-20210426203847.ppt
IT-Security-20210426203847.ppt
 
Ch # 10 computer security risks and safe guards
Ch # 10 computer security risks and safe guardsCh # 10 computer security risks and safe guards
Ch # 10 computer security risks and safe guards
 
185
185185
185
 
Computer Literacy Lesson 31
Computer Literacy Lesson 31Computer Literacy Lesson 31
Computer Literacy Lesson 31
 
Type of Security Threats and its Prevention
Type of Security Threats and its PreventionType of Security Threats and its Prevention
Type of Security Threats and its Prevention
 

Cscu module 01 foundations of security

  • 1. Foundations of Security Module 1 Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. 1 Simplifying Security.
  • 2. Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. 2 Scenario Franklin, an employee working for an organization, downloads free software from a website. After installing the software, however, Franklin's system reboots and starts to malfunction. What might have gone wrong with Franklin’s system? What would you have done in Franklin’s place?
  • 3. EAST LANSING, Mich. —Most home computers are vulnerable to hacker attacks because the users either mistakenly think they have enough security in place or they don’t believe they have enough valuable information that would be of interest to a hacker. That’s the point of a paper published this month by Michigan State University’s Rick Wash, who says that most home‐computer users rely on what are known as “folk models.” Those are beliefs about what hackers or viruses are that people use to make decisions about security – to keep their information safe. Unfortunately, they don’t often work the way they should. “Home security is hard because people are untrained in security,” said Wash, an assistant professor in the Department of Telecommunication, Information Studies and Media. “But it isn’t because people are idiots. Rather they try their best to make sense of what’s going on and frequently make choices that leave them vulnerable.” Copyright © by EC-Council Home‐computer Users at Risk Due to Use of ‘Folk Model’ Security All Rights Reserved. Reproduction is Strictly Prohibited. 3 May 23, 2011 http://news.msu.edu
  • 4. May 23, 2011 8:21:51 PM ET Copyright © by EC-Council 'Fakefrag' Trojan Scares You into Paying Up A devious new Trojan is putting the fear of hard drive failure into computer owners, and then rushing in to "save" the day — at your expense. Once the "Fakefrag" Trojan finds its way onto your system via specially crafted malicious Web pages, it gets to work on the task of making you believe all your files have been erased from your hard drive, the security firm Symantec reported. Scareware scams, which try to convince users they have a computer virus, and then trick them into purchasing fake antivirus software, are nothing new. However, Fakefrag takes the crime a step further: it actually moves your files from the "All Users" folder to a temporary location, and hides files in the "Current User" folder, Symantec said. All Rights Reserved. Reproduction is Strictly Prohibited. 4 http://www.msnbc.msn.com
  • 5. Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Module Objectives 5 Security Incidents Essential Terminologies Computer Security Why Security? Potential Losses Due to Security Attacks Elements of Security Fundamental Concepts of Security Layers of Security Security Risks to Home Users What to Secure? What Makes a Home Computer Vulnerable? What Makes a System Secure? Benefits of Computer Security Awareness Basic Computer Security Mechanisms
  • 6. Copyright © by EC-Council What to Secure? All Rights Reserved. Reproduction is Strictly Prohibited. Computer Security 6 Potential Losses Due to Security Attacks Essential Terminologies Elements of Security What Makes a Home Computer Vulnerable? Benefits of Computer Security Awareness Basic Computer Security Mechanisms Module Flow Layers of Security Security Risks to Home Users
  • 7. Security Incident Occurrences Over Time Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. 7 900 700 600 500 400 300 200 100 0 6 14 23 2002 2003 2004 2005 2006 2007 2008 2009 2010 http://datalossdb.org 800 2011 Report on January, 2011 Security Incident Occurrences Over Time Years 141 537 511 787 604 409 10
  • 8. Security Incidents by Breach Type - 2011 Web Unknown Copyright © by EC-Council A security incident is “Any real or suspected adverse event in relation to the security of computer systems or computer networks.” All Rights Reserved. Reproduction is Strictly Prohibited. 40% 8 http://www.cert.org 10% 10% 10% 10% 10% 10% Stolen Stolen Lost Hack Laptop Document Laptop Disposal Document http://datalossdb.org
  • 9. Threat Exploit Vulnerability Existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system Copyright © by EC-Council Essential Terminologies All Rights Reserved. Reproduction is Strictly Prohibited. A defined way to breach the security of an IT system through vulnerability 9 An action or event that has the potential to compromise and/or violate security Cracker, Attacker, or Intruder Attack Data Theft An individual who breaks into computer systems in order to steal, change, or destroy information Any action derived from intelligent threats to violate the security of the system Any action of stealing the information from the users’ system
  • 10. Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. 1 2 10 Security is a state of well‐being of information and infrastructure Computer security refers to the protection of computer systems and the information a user stores or processes Users should focus on various security threats and countermeasures in order to protect their information assets Computer Security 3
  • 11. Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. 11 Why Security? Computer security is important for protecting the confidentiality, integrity, and availability of computer systems and their resources Computer administration and management have become more complex which produces more attack avenues Network environments and network‐based applications provide more attack paths Evolution of technology has focused on the ease of use while the skill level needed for exploits has decreased
  • 12. Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. 12 Misuse of computer resources Data loss/theft Loss of trust Financial loss Unavailability of resources Identity theft Potential Losses Due to Security Attacks
  • 13. Copyright © by EC-Council What to Secure? All Rights Reserved. Reproduction is Strictly Prohibited. 13 Module Flow Computer Security Potential Losses Due to Security Attacks Essential Terminologies Elements of Security What Makes a Home Computer Vulnerable? Benefits of Computer Security Awareness Basic Computer Security Mechanisms Layers of Security Security Risks to Home Users
  • 14. Non‐repudiation is “ensuring that a party to a contract or a communication cannot deny the authenticity of their signature on a document” Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Elements of Security Integrity is “ensuring that the information is accurate, complete, reliable, and is in its original form” 14 Confidentiality is “ensuring that information is accessible only to those authorized to have access” (ISO‐17799) Authenticity is “the identification and assurance of the origin of information” Availability is “ensuring that the information is accessible to authorized persons when required without delay” Non‐ Confidentiality Authenticity Integrity Availability Repudiation
  • 15. The Security, Functionality, and Ease of Use Triangle
      - Applications/software products by default are preconfigured for ease of use, which makes the user vulnerable to various security flaws
      - Similarly, increased functionality (features) in an application makes it difficult to use in addition to being less secure
      - Moving the ball toward security means moving away from functionality and ease of use
      - Triangle corners: Security (Restrictions), Functionality (Features), Ease of Use
  • 16. Fundamental Concepts of Security
      - Precaution: Adhering to the preventative measures while using computer systems and applications
      - Maintenance: Managing all the changes in the computer applications and keeping them up to date
      - Reaction: Acting timely when security incidents occur
  • 17. Layers of Security
      - Layer 1, Physical Security: Safeguards the personnel, hardware, programs, networks, and data from physical threats
      - Layer 2, Network Security: Protects the networks and their services from unauthorized modification, destruction, or disclosure
      - Layer 3, System Security: Protects the system and its information from theft, corruption, unauthorized access, or misuse
      - Layer 4, Application Security: Covers the use of software, hardware, and procedural methods to protect applications from external threats
      - Layer 5, User Security: Ensures that a valid user is logged in and that the logged‐in user is allowed to use an application/program
  • 18. Security Risks to Home Users
      - Home computers are prone to various cyber attacks as they provide attackers easy targets due to a low level of security awareness
      - Security risks to home users arise from various computer attacks and accidents causing physical damage to computer systems
      - Computer Attacks:
          - Malware attacks
          - Email attacks
          - Mobile code (Java/JavaScript/ActiveX) attacks
          - Denial of service and cross‐site scripting attacks
          - Identity theft and computer frauds
          - Packet sniffing
          - Being an intermediary for another attack (zombies)
      - Computer Accidents:
          - Hard disk or other component failures
          - Power failure and surges
          - Theft of a computing device
      - Note: These threats and their countermeasures will be discussed in detail in the later modules
  • 19. What to Secure?
      - Hardware: Laptops, Desktop PCs, CPU, hard disk, storage devices, cables, etc.
      - Software: Operating system and software applications
      - Information: Personal identification such as Social Security Number (SSN), passwords, credit card numbers, etc.
      - Communications: Emails, instant messengers, and browsing activities
  • 20. Module Flow
      - What to Secure?
      - Computer Security
      - Potential Losses Due to Security Attacks
      - Essential Terminologies
      - Elements of Security
      - What Makes a Home Computer Vulnerable?
      - Benefits of Computer Security Awareness
      - Basic Computer Security Mechanisms
      - Layers of Security
      - Security Risks to Home Users
  • 21. What Makes a Home Computer Vulnerable?
      - Low level of security awareness
      - Default computer and application settings
      - Increasing online activities
      - Little or no investment in security systems
      - Not following any standard security policies or guidelines
  • 22. What Makes a System Secure?
      - System security measures help protect computers and information stored in the systems from accidental loss, malicious threats, unauthorized access, etc.
      - System Access Controls: Ensure that unauthorized users do not get into the system; force legal users to be conscious about security
      - Data Access Controls: Monitor system activities such as who is accessing the data and for what purpose; define access rules based on the system security levels
      - System and Security Administration: Perform regular system and security administration tasks such as configuring system settings, implementing security policies, monitoring system state, etc.
      - System Design: Deploy various security characteristics in system hardware and software design such as memory segmentation, privilege isolation, etc.
  • 23. Benefits of Computer Security Awareness
      - Computer security awareness helps minimize the chances of computer attacks
      - It helps users minimize losses in case of an accident that causes physical damage to computer systems
      - It enables users to protect sensitive information and computing resources from unauthorized access
      - It helps prevent the loss of information stored on the systems
      - It helps users prevent cybercriminals from using their systems to launch attacks on other computer systems
  • 24. Module Summary
      - Security is a state of well‐being of information and infrastructures
      - Computer security is the protection of computing systems and the data that they store or access
      - Confidentiality, integrity, non‐repudiation, authenticity, and availability are the elements of security
      - Security risks to home users arise from various computer attacks and accidents causing physical damage to computer systems
      - Computer security awareness helps minimize the chances of computer attacks and prevent the loss of information stored on the systems
  • 25. Basic Computer Security Checklist
      - Use of strong passwords
      - Use of anti‐virus systems
      - Regular update of operating system and other installed applications
      - Regular backup of important files
      - Use of encryption techniques and digital signatures
      - Use of firewall and intrusion detection systems
      - Following standard guidelines for Internet activities
      - Physical security of computing infrastructure
      - Awareness of current security scenario and attack techniques