This document provides an introduction to information security concepts. It defines key terms like assets, threats, and vulnerabilities. It describes the importance of information security in preventing data theft, identity theft, and legal consequences. Common attackers are discussed, including hackers, cybercriminals, and insiders. The basic steps of an attack are outlined. Fundamental security principles like layering, limiting access, diversity, and simplicity are presented. Information security professionals and certifications like Security+ are also introduced.
1. Security+ Guide to Network
Security Fundamentals,
Fifth Edition
Chapter 1
INTRODUCTION TO SECURITY
2. Objectives
• Describe the challenges of securing information
• Define information security and explain why it is
important
• Identify the types of attackers that are common
today
• List the basic steps of an attack
• Describe the five basic principles of defense
Security+ Guide to Network Security Fundamentals, Fifth Edition 2
3. Challenges of Securing Information
• Today all citizens forced to continually protect
themselves from attacks by invisible foes
• Attacks not just physical but also include attacks on
information technology
• Attacks directed at individuals, schools,
businesses, and governments through desktop
computers, laptops, smartphones, and tablet
computers
• Information security is focused on protecting
electronic information of organizations and users
Security+ Guide to Network Security Fundamentals, Fifth Edition 3
4. Information Security Personnel
• Chief Information Security Officer (CISO) -
Responsible for assessing, managing, and
implementing security
• Security manager - Supervises technicians,
administrators, and security staff
• Security administrator - Manages daily operations
of security technology
• Security technician - Provide technical support to
configure security hardware, implement security
software, and diagnose and troubleshoot problems
Security+ Guide to Network Security Fundamentals, Fifth Edition 4
5. Information Security Employment
• Employees with certifications in security are in high
demand
• Security is rarely offshored or outsourced
• Job outlook for security professionals is
exceptionally strong
• U.S. Bureau of Labor Statistics (BLS)
“Occupational Outlook Handbook” indicates job
outlook for information security analysts through
end of decade expected to grow by 22 percent,
faster than average growth rate
Security+ Guide to Network Security Fundamentals, Fifth Edition 5
6. CompTIA Security+
• CompTIA Security+ certification is widely-
recognized and highly respected vendor-neutral
credential
• Requires passing current certification exam SY0-
401
• Tests knowledge and skills required to: identify
risks; provide infrastructure, application,
operational and information security; apply security
controls to maintain confidentiality, integrity, and
availability; and identify appropriate technologies
and products
Security+ Guide to Network Security Fundamentals, Fifth Edition 6
8. Cost
• List price voucher $302
• List price voucher with retake option $368
Security+ Guide to Network Security Fundamentals, Fifth Edition 8
9. Today’s Security Attacks
• Balances manipulated on prepaid debit cards
• Home Wi-Fi network attacked
• Twitter accounts exploited
• Ploutus ATM malware
• Exposed serial servers
• Manipulate aircraft and ocean vessels
• Computer cluster for cracking passwords
• Apple Mac vulnerabilities
• Electronic data records stolen
Security+ Guide to Network Security Fundamentals, Fifth Edition 9
10. Difficulties in Defending Against
Attacks
• Universally connected devices
• Increased speed of attacks
• Greater sophistication of attacks
• Availability and simplicity of attack tools
• Faster detection of vulnerabilities
• Delays in security updating
• Weak security update distribution
• Distributed attacks
• Introduction of BYOD
• User confusion
Security+ Guide to Network Security Fundamentals, Fifth Edition 10
11. Menu of Attack Tools (Figure 1-1)
Security+ Guide to Network Security Fundamentals, Fifth Edition 11
12. Difficulties in Defending (Table 1-2)
Security+ Guide to Network Security Fundamentals, Fifth Edition 12
13. What Is Information Security?
• Before defense is possible, one must understand:
– What is security
– What information security is
– Information security terminology
– Why it is important
Security+ Guide to Network Security Fundamentals, Fifth Edition 13
14. Understanding Security
• “Security” is defined as either the process (how to
achieve security) or the goal (what it means to
have security).
• In reality security is both: it is the goal to be free
from danger as well as the process that achieves
that freedom
• Security is the necessary steps to protect a person
or property from harm.
• This harm may come from one of two sources:
– Direct action
– Indirect and unintentional action
Security+ Guide to Network Security Fundamentals, Fifth Edition 14
15. Security and Convenience
• Relationship between security and convenience
• As security is increased, convenience is often
decreased
• Security is “inversely proportional” to convenience
• The more secure something is, the less convenient
it may become to use
• Security is sacrificing convenience for safety or
giving up short-term comfort for long-term
protection
Security+ Guide to Network Security Fundamentals, Fifth Edition 15
17. Defining Information Security
• Information security - Tasks of securing
information in digital format:
– Manipulated by a microprocessor
– Stored on a storage device
– Transmitted over a network
• Protection - Information security cannot completely
prevent successful attacks or guarantee that a
system is totally secure
• Protective measures ward off attacks and prevent
total collapse of the system when a successful
attack does occur
Security+ Guide to Network Security Fundamentals, Fifth Edition 17
18. Three Protections
• Information – Provides value to people and
organizations
• Three protections that must be extended over
information (CIA):
– Confidentiality: Ensures only authorized parties can
view information
– Integrity: Ensures information not altered
– Availability: Ensures information accessible when
needed to authorized parties
Security+ Guide to Network Security Fundamentals, Fifth Edition 18
19. AAA
• Three additional protections that must be extended
over information (AAA):
– Authentication: Ensures that the individual is who
she claims to be (the authentic or genuine person)
and not an imposter
– Authorization: Providing permission or approval to
specific technology resources
– Accounting: Provides tracking of events
Security+ Guide to Network Security Fundamentals, Fifth Edition 19
20. Securing Devices
• Devices - Information security involves more than
protecting the information itself
• Information is:
– Stored on computer hardware
– Manipulated by software
– Transmitted by communications
• Each of these areas must also be protected
Security+ Guide to Network Security Fundamentals, Fifth Edition 20
21. Three Entities
• Entities - Information security is achieved through a
process that is a combination of three entities
• Information and the hardware, software, and
communications are protected in three layers:
– Products
– People
– Policies and procedures
• Procedures enable people to understand how to
use products to protect information
Security+ Guide to Network Security Fundamentals, Fifth Edition 21
24. Information Security Definition
• Comprehensive definition of information security
involves both the goals and process
• Information security defined as that which protects
the integrity, confidentiality, and availability of
information on the devices that store, manipulate,
and transmit the information through products,
people, and procedures
Security+ Guide to Network Security Fundamentals, Fifth Edition 24
25. Information Security Terminology:
Asset
• Asset - An item that has value
• In organization assets have these qualities:
– They provide value to the organization
– They cannot easily be replaced without a significant
investment in expense, time, worker skill, and/or
resources
– They can form part of the organization's corporate
identity.
Security+ Guide to Network Security Fundamentals, Fifth Edition 25
27. Information Security Terminology:
Threat
• Threat - Action that has the potential to cause
harm
• Information security threats are events or actions
that represent a danger to information assets
• Threat by itself does not mean that security has
been compromised; rather, it simply means that the
potential for creating a loss is real
• Threat can result in the corruption or theft of
information, a delay in information being
transmitted, or loss of good will or reputation
Security+ Guide to Network Security Fundamentals, Fifth Edition 27
28. Information Security Terminology:
Threat Agent
• Threat agent - Person or element that has the
power to carry out a threat
• Threat agent can be:
– Person attempting to break into a secure computer
network
– Force of nature such as a hurricane that could
destroy computer equipment and thus destroy
information
– Malicious software that attacks the computer
network
Security+ Guide to Network Security Fundamentals, Fifth Edition 28
29. Information Security Terminology:
Vulnerability
• Vulnerability - Flaw or weakness that allows a
threat agent to bypass security
• Example is software defect in an operating system
that allows an unauthorized user to gain control of
a computer without the user’s knowledge or
permission
Security+ Guide to Network Security Fundamentals, Fifth Edition 29
30. Information Security Terminology:
Threat Vector
• Threat vector - means by which an attack can
occur
• Example is attacker, knowing that a flaw in a web
server’s operating system has not been patched, is
using the threat vector (exploiting the vulnerability)
to steal user passwords
• Threat likelihood - probability that threat will come
to fruition
Security+ Guide to Network Security Fundamentals, Fifth Edition 30
31. Information Security Terminology: Risk
• Risk - situation that involves exposure to some
type of danger.
• Options when dealing with risk:
– Risk avoidance
– Acceptance
– Mitigation
– Deterrence
– Transference
Security+ Guide to Network Security Fundamentals, Fifth Edition 31
32. Understanding the Importance of
Information Security: Preventing Theft
• Preventing data theft – Stopping data from being
stolen cited as primary objective of information
security
• Business data theft is stealing proprietary business
information
• Personal data is prime target of attackers is credit
card numbers that can be used to purchase
thousands of dollars of merchandise
Security+ Guide to Network Security Fundamentals, Fifth Edition 32
33. Identity Theft
• Thwarting identity theft - Using another’s personal
information in unauthorized manner for financial
gain
• Example:
– Steal person’s SSN
– Create new credit card account
– Charge purchases
– Leave unpaid
• Serious problem for Internal Revenue Service
(IRS)
Security+ Guide to Network Security Fundamentals, Fifth Edition 33
34. Avoid Legal Consequences
• Avoiding legal consequences - Businesses that fail
to protect data they possess may face serious
financial penalties from federal or state laws
• Laws protecting electronic data privacy:
– Health Insurance Portability and Accountability
Act of 1996 (HIPAA)
– Sarbanes-Oxley Act of 2002 (Sarbox)
– Gramm-Leach-Bliley Act (GLBA)
– Payment Card Industry Data Security Standard
(PCI DSS)
– CA Database Security Breach Notification Act
Security+ Guide to Network Security Fundamentals, Fifth Edition 34
35. Cost of Attacks (Table 1-6)
• Maintaining productivity - Post-attack clean up
diverts resources like time and money
Security+ Guide to Network Security Fundamentals, Fifth Edition 35
36. Foiling Cyberterrorism
• Foiling cyberterrorism - Premeditated, politically
motivated attacks
• Targets are banking, military, power plants, air
traffic control centers
• Designed to:
– Cause panic
– Provoke violence
– Result in financial catastrophe
Security+ Guide to Network Security Fundamentals, Fifth Edition 36
37. Cyberterrorism Targets
• Potential cyberterrorism targets
– Banking
– Military
– Energy (power plants)
– Transportation (air traffic control centers)
– Water systems
Security+ Guide to Network Security Fundamentals, Fifth Edition 37
38. Who Are the Attackers?
• Hacker – Older term referred to a person who used
advanced computer skills to attack computers
• Black hat hackers - Attackers who violated
computer security for personal gain or to inflict
malicious damage
• White hat hackers - “Ethical attackers” who
received permission to probe system for any
weaknesses
• Gray hat hackers – Attackers who would break into
a computer system without permission and then
publically disclose vulnerability
Security+ Guide to Network Security Fundamentals, Fifth Edition 38
39. Cybercrimminals
• Cybercrimminals - Generic term describes
individuals who launch attacks against other users
and their computers
• A loose network of attackers, identity thieves, and
financial fraudsters who are highly motivated, less
risk-averse, well-funded, and tenacious
• Instead of attacking a computer to show off their
technology skills (fame), cybercriminals have a
more focused goal of financial gain (fortune):
cybercriminals steal information or launch attacks
to generate income
Security+ Guide to Network Security Fundamentals, Fifth Edition 39
40. Script Kiddies
• Script kiddies - Unskilled users with goal to break into
computers to create damage
• Download automated hacking software (scripts) to
use to perform malicious acts
• Attack software today has menu systems and
attacks are even easier for unskilled users
• 40 percent of attacks performed by script kiddies
Security+ Guide to Network Security Fundamentals, Fifth Edition 40
41. Brokers
• Brokers - Individuals who uncover vulnerabilities do not
report it to the software vendor but instead sell them to
the highest bidder
• These attackers sell their knowledge of a vulnerability
to other attackers or even governments
• Buyers are generally willing to pay a high price because
this vulnerability is unknown
Security+ Guide to Network Security Fundamentals, Fifth Edition 41
42. Insiders
• Insiders - Employees, contractors, and business
partners who steal from employer
• Most malicious insider attacks consist of the
sabotage or theft of intellectual property
• Offenders are usually employees who actually
believe that the accumulated data is owned by
them and not the organization
• Others are employees have been pressured into
stealing from their employer through blackmail or
the threat of violence
Security+ Guide to Network Security Fundamentals, Fifth Edition 42
43. Cyberterrorists
• Cyberterrorists – Attackers who have ideological
motivation
• Attacking because of their principles and beliefs
• Cyberterrorists can be inactive for several years
and then suddenly strike in a new way
• Targets may include a small group of computers or
networks that can affect the largest number of
users
• Example: computers that control the electrical
power grid of a state or region
Security+ Guide to Network Security Fundamentals, Fifth Edition 43
44. Hactivists
• Hactivists – Another group motivated by ideology
• Unlike cyberterrorists who launch attacks against
foreign nations to incite panic, hactivists generally
not as well-defined.
• Attacks can involve breaking into a website and
changing the contents on the site as a means of
making a political statement against those who
oppose their beliefs
• Other attacks can be retaliatory
Security+ Guide to Network Security Fundamentals, Fifth Edition 44
45. State-Sponsored Attackers
• State-sponsored attackers – Attackers supported
by governments for launching computer attacks
against their foes
• Attackers target foreign governments or even
citizens of the government who are considered
hostile or threatening
Security+ Guide to Network Security Fundamentals, Fifth Edition 45
46. Steps of an Attack (Steps 1-4)
• Reconnaissance - Probe for any information about
the system to reveal if the system is a viable target
for an attack and how it could be attacked
• Weaponization - Create an exploit and package it
into a deliverable payload that can be used against
the target
• Delivery - The weapon is transmitted to the target
• Exploitation - The exploitation stage triggers the
intruders’ exploit
Security+ Guide to Network Security Fundamentals, Fifth Edition 46
47. Steps of an Attack (Steps 5-7)
• Installation - The weapon is installed to either
attack the computer or install a remote “backdoor”
so the attacker can access the system.
• Command and Control – Often the compromised
system connects back to the attacker so that the
system can be remotely controlled by the attacker
and receive future instructions
• Actions on Objectives - Now attackers can start to
take actions to achieve their original objectives,
such as stealing user passwords or launching
attacks against other computers
Security+ Guide to Network Security Fundamentals, Fifth Edition 47
49. Security+ Guide to Network Security Fundamentals, Fifth Edition
Defenses Against Attacks
• Fundamental security principles for defenses
– Layering
– Limiting
– Diversity
– Obscurity
– Simplicity
49
50. Layering
• Information security must be created in layers
• Single defense mechanism may be easy to
circumvent
• Unlikely that attacker can break through all defense
layers
• Layered security approach
– Can be useful in resisting a variety of attacks
– Provides the most comprehensive protection
Security+ Guide to Network Security Fundamentals, Fifth Edition 50
51. Limiting
• Limiting access to information reduces the threat
against it
• Only those who must use data granted access
• Amount of access limited to what that person
needs to know
• Methods of limiting access
– Technology (file permissions)
– Procedural (prohibiting document removal from
premises)
Security+ Guide to Network Security Fundamentals, Fifth Edition 51
52. Diversity
• Closely related to layering
• Layers must be different (diverse)
• If attackers penetrate one layer then same
techniques unsuccessful in breaking through other
layers
• Breaching one security layer does not compromise
the whole system
• Example of diversity is using security products from
different manufacturers
Security+ Guide to Network Security Fundamentals, Fifth Edition 52
53. Obscurity
• Obscuring inside details to outsiders
• Example: not revealing details
– Type of computer
– Operating system version
– Brand of software used
• Difficult for attacker to devise attack if system
details are unknown
Security+ Guide to Network Security Fundamentals, Fifth Edition 53
54. Things I’ve found along the way
Security+ Guide to Network Security Fundamentals, Fifth Edition 54
55. Things I’ve found along the way
Security+ Guide to Network Security Fundamentals, Fifth Edition 55
57. Security+ Guide to Network
Security Fundamentals,
Fifth Edition
Chapter 1
INTRODUCTION TO SECURITY
Editor's Notes
Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 1
INTRODUCTION TO SECURITY
Objectives
Describe the challenges of securing information
Define information security and explain why it is important
Identify the types of attackers that are common today
List the basic steps of an attack
Describe the five basic principles of defense
Challenges of Securing Information
Today all citizens forced to continually protect themselves from attacks by invisible foes
Attacks not just physical but also include attacks on information technology
Attacks directed at individuals, schools, businesses, and governments through desktop computers, laptops, smartphones, and tablet computers
Information security is focused on protecting electronic information of organizations and users
Information Security Personnel
Chief Information Security Officer (CISO) - Responsible for assessing, managing, and implementing security
Security manager - Supervises technicians, administrators, and security staff
Security administrator - Manages daily operations of security technology
Security technician - Provide technical support to configure security hardware, implement security software, and diagnose and troubleshoot problems
Information Security Employment
Employees with certifications in security are in high demand
Security is rarely offshored or outsourced
Job outlook for security professionals is exceptionally strong
U.S. Bureau of Labor Statistics (BLS) “Occupational Outlook Handbook” indicates job outlook for information security analysts through end of decade expected to grow by 22 percent, faster than average growth rate
CompTIA Security+
CompTIA Security+ certification is widely-recognized and highly respected vendor-neutral credential
Requires passing current certification exam SY0-401
Tests knowledge and skills required to: identify risks; provide infrastructure, application, operational and information security; apply security controls to maintain confidentiality, integrity, and availability; and identify appropriate technologies and products
Today’s Security Attacks
Balances manipulated on prepaid debit cards
Home Wi-Fi network attacked
Twitter accounts exploited
Ploutus ATM malware
Exposed serial servers
Manipulate aircraft and ocean vessels
Computer cluster for cracking passwords
Apple Mac vulnerabilities
Electronic data records stolen
Difficulties in Defending Against Attacks
Universally connected devices
Increased speed of attacks
Greater sophistication of attacks
Availability and simplicity of attack tools
Faster detection of vulnerabilities
Delays in security updating
Weak security update distribution
Distributed attacks
Introduction of BYOD
User confusion
Menu of Attack Tools (Figure 1-1)
A screenshot of the Kali Linux menu. There are four cascading menus displays. The first menu at the left has Kali Linux highlighted. The next menu to the right has Sniffing/Spoofing highlighted. The next menu has Web Sniffers highlighted. The last menu displays different Kali Linux Web sniffing tools.
Difficulties in Defending (Table 1-2)
A table with two columns and nine rows. The first row is composed of column headers: reason and description. Row 2. Reason: Universally connected devices. Description: Attackers from anywhere in the world can send attacks. Row 3. Reason: Increased speed of attacks. Description: Attackers can launch attacks against millions of computers within minutes. Row 4. Reason: Greater sophistication of attacks. Row 4. Description: Attack tools vary their behavior so the same attack appears differently each time. Row 5. Reason: Availability and simplicity of attack tools. Row 5. Description: Attacks are no longer limited to highly skilled attackers. Row 6. Reason: Faster detection of vulnerabilities. Row 6. Description: Attackers can discover security holes in hardware or software more quickly. Row 7. Reason: Delays security updating. Row 7. Description: Vendors are overwhelmed trying to keep pace updating their products against the latest attacks. Row 8. Reason: Weak security update distribution. Row 8. Description: Many software products lack a means to distribute security updates in a timely fashion. Row 9. Reason: Distributed attacks. Row 9. Description: Attackers use thousands of computers in an attack against a single computer or network. Row 10. Reason: Democratization of users. Row 10. Description: Organizations are having difficulty providing security for a wide array of personal devices. Row 11. Reason: User confusion. Row 11. Description: Users are required to make difficult security decisions with little or no instruction.
What Is Information Security?
Before defense is possible, one must understand:
What is security
What information security is
Information security terminology
Why it is important
Understanding Security
“Security” is defined as either the process (how to achieve security) or the goal (what it means to have security).
In reality security is both: it is the goal to be free from danger as well as the process that achieves that freedom
Security is the necessary steps to protect a person or property from harm.
This harm may come from one of two sources:
Direct action
Indirect and unintentional action
Security and Convenience
Relationship between security and convenience
As security is increased, convenience is often decreased
Security is “inversely proportional” to convenience
The more secure something is, the less convenient it may become to use
Security is sacrificing convenience for safety or giving up short-term comfort for long-term protection
Relationship Security-Convenience (Figure 1-2)
Figure 1-2: Relationship of security to convenience. A graph with the X-axis labeled Security ranging form Low to High. The Y-axis is labeled Convenience ranging from Low to High. The line starts at High on the Y-axis Convenience and then decreases to High on the X-axis Security.
Defining Information Security
Information security - Tasks of securing information in digital format:
Manipulated by a microprocessor
Stored on a storage device
Transmitted over a network
Protection - Information security cannot completely prevent successful attacks or guarantee that a system is totally secure
Protective measures ward off attacks and prevent total collapse of the system when a successful attack does occur
Three Protections
Information – Provides value to people and organizations
Three protections that must be extended over information (CIA):
Confidentiality: Ensures only authorized parties can view information
Integrity: Ensures information not altered
Availability: Ensures information accessible when needed to authorized parties
AAA
Three additional protections that must be extended over information (AAA):
Authentication: Ensures that the individual is who she claims to be (the authentic or genuine person) and not an imposter
Authorization: Providing permission or approval to specific technology resources
Accounting: Provides tracking of events
Securing Devices
Devices - Information security involves more than protecting the information itself
Information is:
Stored on computer hardware
Manipulated by software
Transmitted by communications
Each of these areas must also be protected
Three Entities
Entities - Information security is achieved through a process that is a combination of three entities
Information and the hardware, software, and communications are protected in three layers:
Products
People
Policies and procedures
Procedures enable people to understand how to use products to protect information
Security Layers (Figure 1-3)
A figure of three concentric circles with a core in the middle. The core has Information in the center, with Confidentiality to the upper left, Integrity to the upper right, and Availability beneath it. Each are connected with a line to Information, and a padlock appears beneath each word. A circle encompasses this information. Communications overlaps the top of the circle with a group of individuals, while Hardware overlaps the lower left of the circle with the picture of a hard drive, while software overlaps the circle with a picture of a disc to the lower right. The first concentric circle outside this core is labeled Products (physical security) and has the picture of a computer. The second concentric circle is labeled People (personnel security) and has a picture of users. The third concentric circle is labeled Procedures (organizational security) and has a picture of a piece of paper.
Security Layers (Table 1-3)
A table with two columns and four rows. The first row is composed of column headers: Layer and Description. Row 2. Layer: Products. Row 2. Description: Form the security around the data. May be as basic as door locks or as complicated as network security equipment. Row 3. Layer: People. Row 3. Description: Those who implement and properly use security products to protect data. Row 4. Layer: Policies and procedures. Row 4. Description: Plans and policies established by an organization to ensure that people correctly use the products.
Information Security Definition
Comprehensive definition of information security involves both the goals and process
Information security defined as that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures
Information Security Terminology: Asset
Asset - An item that has value
In organization assets have these qualities:
They provide value to the organization
They cannot easily be replaced without a significant investment in expense, time, worker skill, and/or resources
They can form part of the organization's corporate identity.
Technology Assets (Table 1-4)
A table with four columns and six rows. The first row is composed of column headers: Element name, Description, Example, and Critical asset?. Row 2. Element name: Information. Row 2. Description: Data that has been collected, classified, organized, and stored in various forms. Row 2. Example: Customer, personnel, production, sales, marketing, and finance databases. Row 2: Critical Asset? Yes: Extremely difficult to replace. Row 3. Element name: Customized business software. Row 3. Description: Software that supports the business processes of the organization. Row 3. Example: Customized order transaction application. Row 3. Critical Asset? Yes: Unique and customized for the organization. Row 4. Element name: System software. Row 4. Description: Software that provides the foundation for application software. Row 4. Example: Operating system. Row 4. Critical Asset? No: Can be easily replaced. Row 5. Element name: Physical items. Row 5. Description: Computers equipment, communications equipment, storage media, furniture, and fixtures. Row 5. Example: Servers, routers, DVDs, and power supplies. Row 5. Critical asset? No: Can be easily replaced. Row 6. Element name: Services. Row 6. Description: Outsourced computing services. Row 6. Example: Voice and data communications. Row 6. Critical asset? No: Can be easily replaced.
Information Security Terminology: Threat
Threat - Action that has the potential to cause harm
Information security threats are events or actions that represent a danger to information assets
Threat by itself does not mean that security has been compromised; rather, it simply means that the potential for creating a loss is real
Threat can result in the corruption or theft of information, a delay in information being transmitted, or loss of good will or reputation
Information Security Terminology: Threat Agent
Threat agent - Person or element that has the power to carry out a threat
Threat agent can be:
Person attempting to break into a secure computer network
Force of nature such as a hurricane that could destroy computer equipment and thus destroy information
Malicious software that attacks the computer network
Information Security Terminology: Vulnerability
Information Security Terminology: Threat Agent
Threat agent - Person or element that has the power to carry out a threat
Threat agent can be:
Person attempting to break into a secure computer network
Force of nature such as a hurricane that could destroy computer equipment and thus destroy information
Malicious software that attacks the computer network
Information Security Terminology: Threat Vector
Threat vector - means by which an attack can occur
Example is attacker, knowing that a flaw in a web server’s operating system has not been patched, is using the threat vector (exploiting the vulnerability) to steal user passwords
Threat likelihood - probability that threat will come to fruition
Information Security Terminology: Risk
Risk - situation that involves exposure to some type of danger.
Options when dealing with risk:
Risk avoidance
Acceptance
Mitigation
Deterrence
Transference
Understanding the Importance of Information Security: Preventing Theft
Preventing data theft – Stopping data from being stolen cited as primary objective of information security
Business data theft is stealing proprietary business information
Personal data is prime target of attackers is credit card numbers that can be used to purchase thousands of dollars of merchandise
Identity Theft
Thwarting identity theft - Using another’s personal information in unauthorized manner for financial gain
Example:
Steal person’s SSN
Create new credit card account
Charge purchases
Leave unpaid
Serious problem for Internal Revenue Service (IRS)
Avoid Legal Consequences
Avoiding legal consequences - Businesses that fail to protect data they possess may face serious financial penalties from federal or state laws
Laws protecting electronic data privacy:
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Sarbanes-Oxley Act of 2002 (Sarbox)
Gramm-Leach-Bliley Act (GLBA)
Payment Card Industry Data Security Standard (PCI DSS)
CA Database Security Breach Notification Act (2003)
Cost of Attacks (Table 1-6)
Maintaining productivity - Post-attack clean up diverts resources like time and money
Table 1-6: Cost of attacks
A table with six columns and five rows. The first row is composed of column headers: Number of total employees, Average hourly salary, Number of employees to combat attack, Hours required to stop attack and clean up, Total lost salaries, and Total lost hours of productivity.
Row 2. Number of total employees: 100. Row 2. Average hourly salary: $25. Row 2. Number of employees to combat attack: 1. Row 2. Hours required to stop attack and clean up: 48. Row 2. Total lost salaries: $4,066. Row 2. Total lost hours of productivity: 81.
Row 3. Number of total employees: 250. Row 3. Average hourly salary: $25. Row 3. Number of employees to combat attack: 3. Row 3. Hours required to stop attack and clean up: 72. Row 3. Total lost salaries: $17,050. Row 3. Total lost hours of productivity: 300.
Row 4. Number of total employees: 500. Row 4. Average hourly salary: $30. Row 4. Number of employees to combat attack: 5. Row 4. Hours required to stop attack and clean up: 80. Row 4. Total lost salaries: $28,333. Row 4. Total lost hours of productivity: 483.
Row 5. Number of total employees: 1,000. Row 5. Average hourly salary: $30. Row 5. Number of employees to combat attack: 10. Row 5. Hours required to stop attack and clean up: 96. Row 5. Total lost salaries: $220,000. Row 5. Total lost hours of productivity: 1,293.
Foiling Cyberterrorism
Foiling cyberterrorism - Premeditated, politically motivated attacks
Targets are banking, military, power plants, air traffic control centers
Designed to:
Cause panic
Provoke violence
Result in financial catastrophe
Cyberterrorism Targets
Potential cyberterrorism targets
Banking
Military
Energy (power plants)
Transportation (air traffic control centers)
Water systems
Who Are the Attackers?
Hacker – Older term referred to a person who used advanced computer skills to attack computers
Black hat hackers - Attackers who violated computer security for personal gain or to inflict malicious damage
White hat hackers - “Ethical attackers” who received permission to probe system for any weaknesses
Gray hat hackers – Attackers who would break into a computer system without permission and then publically disclose vulnerability
Cybercrimminals
Cybercrimminals - Generic term describes individuals who launch attacks against other users and their computers
A loose network of attackers, identity thieves, and financial fraudsters who are highly motivated, less risk-averse, well-funded, and tenacious
Instead of attacking a computer to show off their technology skills (fame), cybercriminals have a more focused goal of financial gain (fortune): cybercriminals steal information or launch attacks to generate income
Script Kiddies
Script kiddies - Unskilled users with goal to break into computers to create damage
Download automated hacking software (scripts) to use to perform malicious acts
Attack software today has menu systems and attacks are even easier for unskilled users
40 percent of attacks performed by script kiddies
Brokers
Brokers - Individuals who uncover vulnerabilities do not report it to the software vendor but instead sell them to the highest bidder
These attackers sell their knowledge of a vulnerability to other attackers or even governments
Buyers are generally willing to pay a high price because this vulnerability is unknown
Insiders
Insiders - Employees, contractors, and business partners who steal from employer
Most malicious insider attacks consist of the sabotage or theft of intellectual property
Offenders are usually employees who actually believe that the accumulated data is owned by them and not the organization
Others are employees have been pressured into stealing from their employer through blackmail or the threat of violence
Cyberterrorists
Cyberterrorists – Attackers who have ideological motivation
Attacking because of their principles and beliefs
Cyberterrorists can be inactive for several years and then suddenly strike in a new way
Targets may include a small group of computers or networks that can affect the largest number of users
Example: computers that control the electrical power grid of a state or region
Hactivists
Hactivists – Another group motivated by ideology
Unlike cyberterrorists who launch attacks against foreign nations to incite panic, hacttivists generally not as well-defined.
Attacks can involve breaking into a website and changing the contents on the site as a means of making a political statement against those who oppose their beliefs
Other attacks can be retaliatory
State-Sponsored Attackers
State-sponsored attackers – Attackers supported by governments for launching computer attacks against their foes
Attackers target foreign governments or even citizens of the government who are considered hostile or threatening
Steps of an Attack (Steps 1-4)
Reconnaissance - Probe for any information about the system to reveal if the system is a viable target for an attack and how it could be attacked
Weaponization - Create an exploit and package it into a deliverable payload that can be used against the target
Delivery - The weapon is transmitted to the target
Exploitation - The exploitation stage triggers the intruders’ exploit
Steps of an Attack (Steps 5-7)
Installation - The weapon is installed to either attack the computer or install a remote “backdoor” so the attacker can access the system.
Command and Control – Often the compromised system connects back to the attacker so that the system can be remotely controlled by the attacker and receive future instructions
Actions on Objectives - Now attackers can start to take actions to achieve their original objectives, such as stealing user passwords or launching attacks against other computers
Cyber Kill Chain (Figure 1-6)
A figure of seven boxes each connected with an arrow to the next box in the sequence. The first box is Reconnaissance. The second box is Weaponization. The third box is Delivery. The fourth box is Exploitation. The fifth box is Installation. The sixth box is Command and Control. The seventh box is Actions on Objectives.
Defenses Against Attacks
Fundamental security principles for defenses
Layering
Limiting
Diversity
Obscurity
Simplicity
Layering
Information security must be created in layers
Single defense mechanism may be easy to circumvent
Unlikely that attacker can break through all defense layers
Layered security approach
Can be useful in resisting a variety of attacks
Provides the most comprehensive protection
Limiting
Limiting access to information reduces the threat against it
Only those who must use data granted access
Amount of access limited to what that person needs to know
Methods of limiting access
Technology (file permissions)
Procedural (prohibiting document removal from premises)
Diversity
Closely related to layering
Layers must be different (diverse)
If attackers penetrate one layer then same techniques unsuccessful in breaking through other layers
Breaching one security layer does not compromise the whole system
Example of diversity is using security products from different manufacturers
Obscurity
Obscuring inside details to outsiders
Example: not revealing details
Type of computer
Operating system version
Brand of software used
Difficult for attacker to devise attack if system details are unknown
Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 1
INTRODUCTION TO SECURITY