Security Awareness: - PowerPoint PPT Presentation

Title: Security Awareness:
Slides: 35
Provided by: csis1
Learn more at: http://csis.pace.edu

Transcript and Presenter's Notes
1
Security Awareness: Applying Practical Security
in Your World, Second Edition
  • Chapter 1
  • Introduction to Security

2
Objectives
  • List the challenges of defending against attacks
  • Explain why information security is important
  • Describe the different types of attackers
  • List the general principles for defending against
    attacks

3
Challenges of Security
  • Last six months of 2004
      • Organizations faced an average of 13.6 attacks per
        day versus 10.6 in the previous six months
  • Second quarter of 2005
      • 422 Internet security vulnerabilities were
        discovered
  • First six months of 2005
      • Over 46.5 million Americans had their privacy
        breached

5
Today's Security Attacks
  • Department of Defense
      • Records over 60,000 attempted intrusions annually
        against its unclassified networks
  • Companies worldwide
      • Will spend almost $13 billion on computer
        security in 2005
  • Number of Internet fraud complaints
      • Rose from 6,087 in 2000 to 48,252 in 2002 and
        207,449 in 2004

8
Difficulties in Defending Against Attackers
  • Why security is becoming increasingly difficult
      • Speed of attacks
      • Greater sophistication of attacks
      • Attackers detect weaknesses faster and can
        quickly exploit these vulnerabilities
      • Increasing number of zero-day attacks
      • Distributed attacks
      • User confusion

10
What is Information Security?
  • Information security
      • Describes the task of guarding information that is in
        a digital format
      • Ensures that protective measures are properly
        implemented
      • Intended to protect information that has high
        value to people and organizations

11
Characteristics of Information
  • Confidentiality
      • Ensures that only authorized parties can view the
        information
  • Integrity
      • Ensures that information is correct and has not been
        altered without authorization
  • Availability
      • Ensures that a secure computer makes data available to
        authorized users when they need it

12
What is Information Security? (continued)
  • Information security
      • Protects the characteristics of information on the
        devices that store, manipulate, and transmit
        information
      • Achieved through a combination of three entities
          • Proper use of products
          • People
          • Procedures

14
Information Security Terminology
  • Asset
      • Something that has value
  • Threat
      • Event or object that may defeat the security
        measures in place and result in a loss
  • Threat agent
      • Person or thing that has the power to carry out a
        threat

15
Information Security Terminology (continued)
  • Vulnerability
      • Weakness that allows a threat agent to bypass
        security
  • Risk
      • Likelihood that a threat agent will exploit a
        vulnerability

17
Understanding the Importance of Information
Security
  • Information security is important to businesses
    and individuals
      • Prevent data theft
      • Thwart identity theft
      • Avoid legal consequences of not securing
        information
      • Maintain productivity
      • Foil cyberterrorism

18
Preventing Data Theft
  • Security
      • Often associated with theft prevention
  • Data theft
      • Single largest cause of financial loss due to a
        security breach
      • Individuals can be victims

19
Thwarting Identity Theft
  • Identity theft
      • Involves using someone's personal information to
        establish bank or credit card accounts
  • According to the Federal Trade Commission (FTC)
      • Number of identity theft victims increased 152
        percent from 2002 to 2004
      • Cost of identity theft for 2004 exceeded $52
        billion
  • Age group that suffered the most identity theft
      • Adults 18-29 years of age

20
Avoiding Legal Consequences
  • The Health Insurance Portability and
    Accountability Act of 1996 (HIPAA)
      • Healthcare enterprises must guard protected
        health information
  • The Sarbanes-Oxley Act of 2002 (Sarbox)
      • Attempts to fight corporate corruption through
        financial reporting and record-retention requirements

21
Avoiding Legal Consequences (continued)
  • The Gramm-Leach-Bliley Act (GLBA)
      • Requires financial institutions to protect
        customers' private financial data
  • USA Patriot Act of 2001
      • Broadens the surveillance powers of law
        enforcement agencies

22
Avoiding Legal Consequences (continued)
  • The California Database Security Breach Act of
    2003
      • Businesses must notify California residents
        without unreasonable delay if a breach of their
        personal information occurs
  • Children's Online Privacy Protection Act of 1998
    (COPPA)
      • Web sites designed for children under 13 must
        obtain parental consent prior to the collection,
        use, disclosure, or display of a child's personal
        information

23
Maintaining Productivity
  • Computer Crime and Security Survey indicates that
      • Virus attacks alone cost more than $42 million
  • Spam
      • Unsolicited e-mail messages
      • Almost 230 million spam messages are sent each
        day (67 percent of total e-mail transmitted)

25
Foiling Cyberterrorism
  • Cyberterrorism
      • Attacks by terrorist groups using computer
        technology and the Internet
  • Challenges
      • Many prime targets are not owned and managed by the
        federal government

26
Who are the Attackers?
  • Hacker
      • Someone who attacks computers
  • Cracker
      • Person who violates system security with
        malicious intent
  • Script kiddies
      • Want to break into computers to create damage
      • Download automated hacking software (scripts)
      • Lack the technical skills of crackers

27
Who are the Attackers? (continued)
  • Spies
      • Hired to break into a computer and steal
        information
  • Thieves
      • Search for any unprotected computer and
        attempt to steal credit card numbers, banking
        passwords, or similar information
  • Employees
      • May want to show the company a security weakness

28
Cyberterrorists
  • May attack because of ideology
  • Goals of a cyberattack
      • To deface electronic information
      • To deny service to legitimate computer users
      • To commit unauthorized intrusions into systems
        and networks

29
Defending Against Attacks
  • Layering
      • Creates a barrier of multiple defenses that can
        be coordinated to thwart a variety of attacks
  • Limiting
      • Limiting access to information reduces the threat
        against it
  • Diversity
      • Using different kinds of defenses at each layer, so
        that breaching one security layer does not compromise
        the whole system

30
Defending Against Attacks (continued)
  • Obscurity
      • Avoiding clear patterns of behavior makes attacks
        from the outside much more difficult
  • Simplicity
      • Creating a system that is simple from the inside
        but complex from the outside reaps a major benefit

31
Building a Comprehensive Security Strategy
  • Block attacks
      • If attacks are blocked by the network security
        perimeter, then the attacker cannot reach the
        personal computers on which data is stored
      • Security devices can be added to the computer network
        to block unauthorized or malicious traffic

32
Building a Comprehensive Security Strategy
(continued)
  • Update defenses
      • Involves updating defensive hardware and software
      • Involves applying operating system patches on a
        regular basis
  • Minimize losses
      • May involve keeping backup copies of important
        data in a safe place
  • Send secure information
      • May involve encrypting data so that
        unauthorized eyes cannot read it

33
Summary
  • Several difficulties in keeping computers and the
    information on them secure
  • Why information security is becoming more
    difficult
      • Speed and sophistication of attacks
      • Vulnerabilities
      • User confusion
  • Information security protects the integrity,
    confidentiality, and availability of information

34
Summary (continued)
  • Information security has its own set of
    terminology
  • Preventing theft of information
      • Most important reason for protecting data
  • Hacker
      • Possesses advanced computer skills
  • Basic principles for creating a secure
    environment
      • Layering, limiting, diversity,
        obscurity, and simplicity