Chapter 1: Information Security Fundamentals

1
Chapter 1 Information Security Fundamentals

• Mission College CIT 016
• Security

2
Objectives

• Identify the challenges for information security
• Define information security
• Explain the importance of information security

3
Objectives

• List and define information security terminology
• Describe the CompTIA Security certification exam
• Describe information security careers

4
Challenges for Information Security

• Challenge of keeping networks and computers
  secure has never been greater
• A number of trends illustrate why security is
  becoming increasingly difficult
• Many trends have resulted in security attacks
  growing at an alarming rate

5
Identifying the Challenges for Information
Security (continued)

• Computer Emergency Response Team (CERT) security
  organization compiles statistics regarding number
  of reported attacks, including
• Speed of attacks
• Sophistication of attacks
• Faster detection of weaknesses
• Distributed attacks
• Difficulties of patching

6
Challenges for Information Security
7
Challenges for Information Security
8
Defining Information Security

• Information security
• Tasks of guarding digital information, which is
  typically processed by a computer (such as a
  personal computer), stored on a magnetic or
  optical storage device (such as a hard drive or
  DVD), and transmitted over a network spacing

9
Defining Information Security

• Ensures that protective measures are properly
  implemented
• Is intended to protect information
• Involves more than protecting the information
  itself

10
Defining Information Security
11
Defining Information Security

• Three characteristics of information must be
  protected by information security
• Confidentiality
• Integrity
• Availability
• Center of diagram shows what needs to be
  protected (information)
• Information security achieved through a
  combination of the three above entities

12
Importance of Information Security

• Information security is important to businesses
• Prevents data theft
• Avoids legal consequences of not securing
  information
• Maintains productivity
• Foils cyberterrorism
• Thwarts identity theft

13
Preventing Data Theft

• Security often associated with theft prevention
• Drivers install security systems on their cars to
  prevent the cars from being stolen
• Same is true with information security?businesses
  cite preventing data theft as primary goal of
  information security

14
Preventing Data Theft (continued)

• Theft of data is single largest cause of
  financial loss due to a security breach
• One of the most important objectives of
  information security is to protect important
  business and personal data from theft

15
Avoiding Legal Consequences

• In recent years, a number of federal and state
  laws have been enacted to protect the privacy or
  electronic data.
• Businesses that fail to protect data may face
  serious penalties
• Laws include
• The Health Insurance Portability and
  Accountability Act of 1996 (HIPAA)
• The Sarbanes-Oxley Act of 2002 (Sarbox)
• The Gramm-Leach-Bliley Act (GLBA)
• USA PATRIOT Act 2001

16
HIPAA

• Health Insurance Portability and Accounting Act
  (1996)
• Title I of HIPAA protects health insurance
  coverage for workers and their families when they
  change or lose their jobs.
• Title II, the Administrative Simplification (AS)
  provisions, requires the establishment of
  national standards for electronic health care
  transactions and national identifiers for
  providers, health insurance plans, and employers.
  
• The AS provisions also address the security and
  privacy of health data.
• http//en.wikipedia.org/wiki/HIPAA

17
Sarbanes-Oxley Act of 2002

• Federal law passed in response to a number of
  major corporate and accounting scandals.
• SOX or SarbOX requires stringent reporting
  requirements and internal controls on electronic
  financial reporting systems.
• Corporate officers who knowingly certify a false
  financial report can be fined up to 5 million
  and serve 20 yrs. in prison.
• http//en.wikipedia.org/wiki/Sarbanes-Oxley_Act

18
Gramm-Leach-Bliley Act (GLBA)

• The GLBA requires banks and financial
  institutions to alert customers of their policies
  and practices in disclosing customer information.
• The GLBA also states that all electronic and
  paper data containing personally identifiable
  financial information must be protected.
• The Gramm-Leach-Bliley Act (GLBA) also allowed
  commercial and investment banks to consolidate.
• http//www.consumerprivacyguide.org/law/glb.shtml
• http//en.wikipedia.org/wiki/Gramm-Leach-Bliley_Ac
  t

19
US Patriot Act (2001)

• Designed to broaden the surveillance of law
  enforcement agencies so they can detect and
  suppress terrorism.
• The US Patriot Act also authorizes law
  enforcement to install electronic monitoring
  devices to assess computer and telephone usage.
• http//en.wikipedia.org/wiki/Patriot_Act
• http//www.epic.org/privacy/terrorism/usapatriot/
• http//thomas.loc.gov/cgi-bin/bdquery/z?d107h.r.0
  3162

20
Maintaining Productivity

• After an attack on information security, clean-up
  efforts divert resources, such as time and money
  away from normal activities
• A Corporate IT Forum survey of major corporations
  showed
• Each attack costs a company an average of
  213,000 in lost man-hours and related costs
• One-third of corporations reported an average of
  more than 3,000 man-hours lost

21
Maintaining Productivity
22
Foiling Cyberterrorism

• An area of growing concern among defense experts
  are surprise attacks by terrorist groups using
  computer technology and the Internet
  (cyberterrorism)
• These attacks could cripple a nations electronic
  and commercial infrastructure
• Our challenge in combating cyberterrorism is that
  many prime targets are not owned and managed by
  the federal government
• http//www.pbs.org/wgbh/pages/frontline/shows/cybe
  rwar/

23
Thwarting Identity Theft

• Identity theft involves using someones personal
  information, such as social security numbers, to
  establish bank or credit card accounts that are
  then left unpaid, leaving the victim with the
  debts and ruining their credit rating
• National, state, and local legislation continues
  to be enacted to deal with this growing problem
• The Fair and Accurate Credit Transactions Act of
  2003 is a federal law that addresses identity
  theft
• Consumers can receive a free copy of their credit
  report once every year.

24
Information Security Terminology
25
Exploring the CompTIA Security Certification Exam

• Since 1982, the Computing Technology Industry
  Association (CompTIA) has been working to advance
  the growth of the IT industry
• CompTIA is the worlds largest developer of
  vendor-neutral IT certification exams
• The CompTIA Security certification tests for
  mastery in security concepts and practices

26
Exploring the CompTIA Security Certification Exam

• Exam was designed with input from security
  industry leaders, such as VeriSign, Symantec, RSA
  Security, Microsoft, Sun, IBM, Novell, and
  Motorola
• The Security exam is designed to cover a broad
  range of security topics categorized into five
  areas or domains
• General Security Concepts 30
• Communication Security 20
• Infrastructure Security 20
• Basics of Cryptography 15
• Operational and Organizational Security 15

27
Surveying Information Security Careers

• Information security is one of the fastest
  growing career fields
• As information attacks increase, companies are
  becoming more aware of their vulnerabilities and
  are looking for ways to reduce their risks and
  liabilities

28
Surveying Information Security Careers

• Sometimes divided into three general roles
• Security manager develops corporate security
  plans and policies, provides education and
  awareness, and communicates with executive
  management about security issues
• Security engineer designs, builds, and tests
  security solutions to meet policies and address
  business needs
• Security administrator configures and maintains
  security solutions to ensure proper service
  levels and availability

29
Summary

• The challenge of keeping computers secure is
  becoming increasingly difficult
• Attacks can be launched without human
  intervention and infect millions of computers in
  a few hours
• Information security protects the integrity,
  confidentiality, and availability of information
  on the devices that store, manipulate, and
  transmit the information through products,
  people, and procedures

30
Summary (continued)

• Information security has its own set of
  terminology
• A threat is an event or an action that can defeat
  security measures and result in a loss
• CompTIA has been working to advance the growth of
  the IT industry and those individuals working
  within it
• CompTIA is the worlds largest developer of
  vendor-neutral IT certification exams