This document is the first chapter of a security guide that introduces information security. It describes the challenges of securing information in today's environment where there are many types of attacks and difficulties defending against attacks. Universally connected devices, faster attacks, more sophisticated attacks, and availability of attack tools all contribute to these challenges. The chapter then defines information security, explaining its importance in protecting the confidentiality, integrity and availability of information. It also identifies common types of attackers, including hackers, script kiddies, spies, insiders, cybercriminals and cyberterrorists.
1. Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 1
Introduction to Security
2. Objectives
• Describe the challenges of securing information
• Define information security and explain why it is important
• Identify the types of attackers that are common today
• List the basic steps of an attack
• Describe the five basic principles of defense
3. Challenges of Securing Information
• There is no simple solution to securing information
• This can be seen through the different types of attacks that users face today
– As well as the difficulties in defending against these attacks
• Today’s Security Attacks
– Smartphones are a new target
4. Difficulties in Defending Against Attacks
• Difficulties include the following:
– Universally connected devices
– Increased speed of attacks
– Greater sophistication of attacks
– Availability and simplicity of attack tools
– Faster detection of vulnerabilities
– Delays in patching
– Weak distribution of patches
– Distributed attacks
– User confusion
5. Difficulties in Defending Against Attacks (cont’d.)
• Universally connected devices
– An attacker anywhere can silently launch an attack on any connected device.
• Increased speed of attacks
– Availability of attack tools.
– Many tools can initiate new attacks without any human participation
o The Slammer worm infected 75,000 computers in the first 11 minutes of its release.
o Slammer infections doubled every 8.5 seconds
o Slammer scanned 55 million computers per second.
6. Difficulties in Defending Against Attacks (cont’d.)
• Greater sophistication of attacks:
– Attackers today use common Internet tools and protocols to send malicious data and commands.
– Some attacks appear differently each time.
7. Difficulties in Defending Against Attacks (cont’d.)
• Availability and simplicity of attack tools
9. Difficulties in Defending Against Attacks (cont’d.)
• Faster detection of vulnerabilities
– Using new software tools and techniques
– Day zero attacks: occur when an attacker discovers and exploits previously unknown flaws
• Delays in patching
– Vendors are overwhelmed trying to keep pace with updating their products against attacks.
• Weak distribution of patches
– Some software vendors have not invested in patch distribution systems.
10. Difficulties in Defending Against Attacks (cont’d.)
• Distributed attacks
– Many against one.
– Difficult to stop an attack by identifying and blocking the source.
• User confusion:
– Users make important decisions with little knowledge.
11. Difficulties in Defending Against Attacks (cont’d.)
Table 1-2 Difficulties in defending against attacks
12. What Is Information Security?
• Before defense is possible, one must understand:
– What information security is
– Why it is important
– Who the attackers are
13. Defining Information Security
• Security
– Steps to protect a person or property from harm
• Harm may be intentional or unintentional.
– Includes preventive measures, rapid response and preemptive attacks.
• Information security
– Guarding digitally formatted information that provides value to people and organizations.
14. Defining Information Security (cont’d.)
• Information security
– Ensures that protective measures are properly implemented
– Cannot completely prevent attacks or guarantee that a system is totally secure
15. Defining Information Security (cont’d.)
• Information security is intended to protect information that has value to people and organizations
– Three types of information protection, often called CIA:
• Confidentiality
• Integrity
• Availability
• Information security is achieved through a combination of three entities
16. Defining Information Security (cont’d.)
• Confidentiality: Prevention of unauthorized disclosure of information and keeping unwanted parties from accessing assets of a computer system; also known as secrecy or privacy
• Integrity: Prevention of unauthorized modification of information.
• Availability: Prevention of unauthorized withholding of information or resources, or keeping the system available
17. Defining Information Security (cont’d.)
Example
• Consider a payroll database in a corporation; it must be ensured that:
– Salaries of employees are not disclosed to arbitrary users of the database.
– Salaries are modified only by those individuals who are properly authorized.
– Paychecks are printed on time at the end of each pay period.
18. Defining Information Security (cont’d.)
• Another set of protections implemented to secure information (AAA)
– Authentication
• Individual is who they claim to be and not an impostor
– Authorization
• Grants the ability to access information
– Accounting
• Provides tracking of events
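As an added example that is not from the original guide, this Python model ties the payroll example (slide 17) to the CIA and AAA protections: confidentiality and integrity are enforced per record, and authentication, authorization and accounting are applied on every call. The user table, roles and integrity key are constructed; availability is an operational property and is not modelled here.

```python
import hashlib
import hmac

# Constructed credentials and roles; a real system would store password hashes
# in a directory service rather than an in-memory table.
USERS = {"alice": ("pw-alice", "payroll_admin"), "bob": ("pw-bob", "employee")}
INTEGRITY_KEY = b"constructed-demo-key"  # assumption: kept server-side only


class PayrollDB:
    def __init__(self, salaries):
        self.salaries = dict(salaries)
        # Integrity: one HMAC tag per record detects unauthorized modification.
        self.tags = {u: self._tag(u, a) for u, a in self.salaries.items()}
        self.audit_log = []  # Accounting: a record of every attempted action

    def _tag(self, user, amount):
        return hmac.new(INTEGRITY_KEY, f"{user}:{amount}".encode(),
                        hashlib.sha256).hexdigest()

    def authenticate(self, user, password):
        # Authentication: the caller must prove they are who they claim to be.
        creds = USERS.get(user)
        ok = creds is not None and hmac.compare_digest(creds[0], password)
        self.audit_log.append(("login", user, ok))
        return ok

    def read_salary(self, actor, target):
        # Confidentiality: only the employee or a payroll admin may read a salary.
        allowed = actor == target or USERS[actor][1] == "payroll_admin"
        self.audit_log.append(("read", actor, target, allowed))
        if not allowed:
            raise PermissionError(f"{actor} may not read {target}'s salary")
        return self.salaries[target]

    def set_salary(self, actor, target, amount):
        # Authorization: only a payroll admin may modify; the tag is refreshed.
        allowed = USERS[actor][1] == "payroll_admin"
        self.audit_log.append(("write", actor, target, allowed))
        if not allowed:
            raise PermissionError(f"{actor} may not modify salaries")
        self.salaries[target] = amount
        self.tags[target] = self._tag(target, amount)

    def verify(self, user):
        # Integrity check: a record changed outside set_salary() fails here.
        expected = self._tag(user, self.salaries[user])
        return hmac.compare_digest(expected, self.tags[user])
```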
20. Defining Information Security (cont’d.)
Table 1-3 Information security layers
21. Defining Information Security (cont’d.)
• A more comprehensive definition of information security is:
– That which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures
22. Information Security Terminology
• Asset
– Something that has value
• Threat
– Actions or events that have the potential to cause harm
• Threat agent
– Person or element with the power to carry out a threat
24. Information Security Terminology (cont’d.)
• Vulnerability
– Flaw or weakness
• Allows a threat agent to bypass security
• Risk
– Likelihood that a threat agent will exploit a vulnerability
– Cannot be eliminated entirely
• Cost would be too high
• Would take too long to implement
– Some degree of risk must be assumed
26. Information Security Terminology (cont’d.)
• Options to deal with risk
– Accept
• Realize there is a chance of loss
– Diminish
• Take precautions
• Most information security risks should be diminished
– Transfer
• Example: purchasing insurance
28. Understanding the Importance of Information Security
• Preventing data theft
– Security often associated with theft prevention
– Business data theft
• Proprietary information
– Individual data theft
• Credit card numbers
29. Understanding the Importance of Information Security (cont’d.)
• Thwarting identity theft
– Using another’s personal information in an unauthorized manner
• Usually for financial gain
– Example:
• Steal a person’s SSN
– Create a new credit card account
– Charge purchases
– Leave them unpaid
30. Understanding the Importance of Information Security (cont’d.)
• Avoiding legal consequences
– Laws protecting electronic data privacy
– Businesses that fail to protect data they possess may face serious penalties
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• In Saudi Arabia, all banks must comply with the PCI DSS standard (SAMA regulation).
31. Understanding the Importance of Information Security (cont’d.)
• Maintaining productivity
– Post-attack clean up diverts resources
• Time and money
Table 1-6 Cost of attacks
32. Understanding the Importance of Information Security (cont’d.)
• Foiling cyberterrorism
– Premeditated, politically motivated attacks
– Target: information, computer systems, data
– Designed to:
• Cause panic
• Provoke violence
• Result in financial catastrophe
– Potential cyberterrorism targets
• Banking, military, energy (power plants), transportation (air traffic control centers), water systems
33. Who Are the Attackers?
• Categories of attackers (attacker profiles)
– Hackers
– Script kiddies
– Spies
– Insiders
– Cybercriminals
– Cyberterrorists
34. Hackers
• Hacker
– Person who uses computer skills to attack computers
– Term not common in the security community
• White hat hackers
– Goal is to expose security flaws
– Not to steal or corrupt data
• Black hat hackers
– Goal is malicious and destructive
35. Script Kiddies
• Script kiddies
– Goal: break into computers to create damage
– Unskilled users
– Download automated hacking software (scripts)
• Use them to perform malicious acts
– Attack software today has menu systems
• Attacks are even easier for unskilled users
– 40% of attacks are performed by script kiddies
36. Spies
• Computer spy
– Person hired to break into a computer and steal information
• Hired to attack a specific computer or system:
– Containing sensitive information
• Goal: steal information without drawing attention to their actions
• Possess excellent computer skills
37. Insiders
• Employees, contractors, and business partners
• Most insider attacks are either sabotage or theft of intellectual property.
• Reasons
– An employee might want to show the company a weakness in its security
– Dissatisfied employees may want to get even with the company
– For money
– Blackmail
– Carelessness
38. Insiders
• Examples of insider attacks
– Health care worker publicized celebrities’ health records
• Disgruntled over upcoming job termination
– Government employee planted a malicious coding script
– Stock trader concealed losses through fake transactions
– U.S. Army private accessed sensitive documents
39. Cybercriminals
• Network of attackers, identity thieves, spammers, financial fraudsters
• Difference from ordinary attackers
– More highly motivated
– Willing to take more risk
– Better funded
– More tenacious
– Goal: financial gain
40. Cybercriminals (cont’d.)
• Organized gangs of young attackers
– Eastern European, Asian, and third-world regions
Table 1-7 Characteristics of cybercriminals
41. Cybercriminals (cont’d.)
• Cybercrime
– Targeted attacks against financial networks
– Unauthorized access to information
– Theft of personal information
• Financial cybercrime
– Trafficking in stolen credit cards and financial information
– Using spam to commit fraud
42. Cyberterrorists
• Cyberterrorists
– Ideological motivation
• Attacking because of their principles and beliefs
• Goals of a cyberattack:
– Deface electronic information
• Spread misinformation and propaganda
– Deny service to legitimate computer users
– Commit unauthorized intrusions
• Results: critical infrastructure outages; corruption of vital data
44. Attacks and Defenses
• Wide variety of attacks
– Same basic steps used in an attack
• To protect computers against attacks:
– Follow five fundamental security principles
45. Steps of an Attack
1. Probe for information
– Such as the type of hardware, software used or personal information.
– Examples: Ping sweeps, port scanning or queries that respond with a failure message.
2. Penetrate any defenses
– Launch the attack
– Example: cracking passwords
3. Modify security settings
– Allows the attacker to reenter the compromised system easily.
46. Steps of an Attack (cont’d.)
4. Circulate to other systems
– Use the compromised system or network as a base of attack toward other systems.
– Same tools directed toward other systems.
5. Paralyze networks and devices
– Attackers may work to maliciously damage the infected computer or network.
– Examples: delete/edit critical OS files or inject malicious software.
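Seen from the defender's side, the probing in step 1 leaves traces in firewall logs. As an added example that is not from the original guide, this Python script flags the two probe types the slide names, ping sweeps and port scans, over constructed log lines; the log format, addresses, time window and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines (not from the page); assumed format:
# "<epoch> <src_ip> -> <dst_ip>:<dst_port> <ICMP|TCP> <ALLOW|DROP>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 -> 192.168.1.10:0 ICMP DROP
1700000001 10.0.0.5 -> 192.168.1.11:0 ICMP DROP
1700000002 10.0.0.5 -> 192.168.1.12:0 ICMP DROP
1700000003 10.0.0.5 -> 192.168.1.13:0 ICMP DROP
1700000004 10.0.0.5 -> 192.168.1.14:0 ICMP DROP
1700000010 10.0.0.7 -> 192.168.1.20:22 TCP DROP
1700000011 10.0.0.7 -> 192.168.1.20:23 TCP DROP
1700000012 10.0.0.7 -> 192.168.1.20:80 TCP DROP
1700000013 10.0.0.7 -> 192.168.1.20:443 TCP DROP
1700000014 10.0.0.7 -> 192.168.1.20:3389 TCP DROP
1700000020 10.0.0.9 -> 192.168.1.30:443 TCP ALLOW
"""
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (ICMP|TCP) (ALLOW|DROP)$")

def parse(log_text):
    """Yield (ts, src, dst, port, proto); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, port, proto, _ = m.groups()
            yield int(ts), src, dst, int(port), proto

def detect_probes(log_text, window=60, host_threshold=5, port_threshold=5):
    """Return {src: set(kinds)}: a ping sweep is >= host_threshold distinct hosts
    pinged within `window` seconds; a port scan is >= port_threshold distinct TCP
    ports on one host. Thresholds are constructed tuning values."""
    by_src = defaultdict(list)
    for ts, src, dst, port, proto in parse(log_text):
        by_src[src].append((ts, dst, port, proto))
    alerts = defaultdict(set)
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - t0 <= window]
            icmp_hosts = {dst for _, dst, _, proto in win if proto == "ICMP"}
            tcp_ports = defaultdict(set)
            for _, dst, port, proto in win:
                if proto == "TCP":
                    tcp_ports[dst].add(port)
            if len(icmp_hosts) >= host_threshold:
                alerts[src].add("ping_sweep")
            if any(len(p) >= port_threshold for p in tcp_ports.values()):
                alerts[src].add("port_scan")
    return dict(alerts)
```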
48. Defenses Against Attacks
• Although multiple defenses may be necessary to withstand an attack
– These defenses should be based on five fundamental security principles:
• Layering
• Limiting
• Diversity
• Obscurity
• Simplicity
49. Layering
• Information security must be created in layers
– A single defense mechanism may be easy to circumvent
– Unlikely that an attacker can break through all defense layers
• Layered security approach
– Can be useful in resisting a variety of attacks
– Provides the most comprehensive protection
50. Limiting
• Limiting access to information reduces the threat against it
• Only those who must use data are granted access
– In addition, the amount of access is limited to what that person needs to know
• Methods of limiting access
– Technology
• File permissions
– Procedural
• Prohibiting document removal from premises
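As an added example that is not from the original guide, this Python audit applies the limiting principle to the technology method named above, file permissions: it walks a directory and reports files whose POSIX mode grants more access than the owner needs. The file names, the list of sensitive suffixes and the throwaway directory are constructed.

```python
import os
import stat
import tempfile

def overly_permissive(mode, sensitive=True):
    """Return the ways a POSIX permission mode exceeds least privilege.
    Sensitive files should be readable and writable by the owner only."""
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IROTH and sensitive:
        problems.append("world-readable")
    if mode & stat.S_IWGRP and sensitive:
        problems.append("group-writable")
    if mode & stat.S_ISUID:
        problems.append("setuid")
    return problems

def audit_dir(path, sensitive_suffixes=(".key", ".db", ".pem")):
    """Walk `path` and return {relative_file: problems} for files that fail.
    The suffix list is a constructed rule for what counts as sensitive."""
    findings = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # judge the link target on its own, not the link
            sensitive = name.endswith(sensitive_suffixes)
            probs = overly_permissive(stat.S_IMODE(mode), sensitive)
            if probs:
                findings[os.path.relpath(full, path)] = probs
    return findings

def demo():
    """Build a throwaway tree of constructed files and audit it."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("payroll.db", 0o644), ("notes.txt", 0o644),
                           ("server.key", 0o600), ("shared.txt", 0o666)):
            p = os.path.join(d, name)
            open(p, "w").close()
            os.chmod(p, mode)  # set the mode explicitly, ignoring umask
        return audit_dir(d)
```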
51. Diversity
• Closely related to layering
– Layers must be different (diverse)
• If attackers penetrate one layer:
– They can't use the same techniques to break through other layers
• Breaching one security layer does not compromise the whole system
• Example of diversity
– Using security products from different manufacturers
52. Obscurity
• Obscuring inside details from outsiders
• An example of obscurity would be not revealing the type of computer, operating system, software, and network connection a computer uses
– An attacker who knows that information can more easily determine the weaknesses of the system to attack it
• Obscuring information can be an important means of protection.
53. Simplicity
• The nature of information security is complex
• Complex security systems
– Difficult to understand and troubleshoot
– Often compromised for ease of use by trusted users
• A secure system should be simple for insiders to understand and use
• Keeping a system simple from the inside but complex on the outside can sometimes be difficult but results in a major benefit
54. Summary
• Information security attacks have grown exponentially in recent years
• There are several reasons for the difficulty of defending against today’s attacks
• Information security protects information’s integrity, confidentiality, and availability:
– On devices that store, manipulate, and transmit information
– Using products, people, and procedures
55. Summary (cont’d.)
• Goals of information security
– Prevent data theft
– Thwart identity theft
– Avoid legal consequences of not securing information
– Maintain productivity
– Foil cyberterrorism
• Different types of people with different motivations conduct computer attacks
• An attack has five general steps