Syllabus Review Key Points Unit deliverables Homework Tests Class Conduct Security+ Guide to Network Security Fundamentals, Third Edition

Transcription

1 1 Introduction to Computer Security Concepts INFOTECH 260 Mr. Ken Foster 2 Introductions Introduce Yourself: First and Last Name How long you have been attending Heald Your level of computer experience Expectations for this class Syllabus Review Key Points Unit deliverables Homework Tests Class Conduct Security+ Guide to Network Security Fundamentals, Third Edition Chapter 1 Introduction to Security Learning Objectives Describe the challenges of securing information Define information security and explain it s importance Identify common types of attackers List the basic steps of an attack Describe the five steps in a defense Explore the different types of information security careers and how the Security+ fits into the framework Challenges of Securing Information No simple solutions Attacks come in many forms: Platform specific Blended Advanced Persistent Threat (APT) Each type required varying strategies for defense Attacks tend to evolve faster then solutions You can t patch users 1

2 Today s Security Attacks Cross-Site Scripting Launched through components on web pages Typically java code wrapped around page Ads Unknowing redirects users to malicious sites designed to injection Trojans and other malware onto the system Phishing / Spear Phishing s designed to invoke an immediate reaction Response causes further exploitation Nigerian scam IRS Refund Scam Today s Security Attacks (Cont.) Scareware Typically Java-based applets that are triggered when a user launches the page. They appear to be legitimate OS applications. Offer to clean your hard drive if you upgrade Often introduces backdoors Apple, Linux, and Smartphones are not immune Pwn2Own contest exposed Safari exploit owning the system in under 10 minutes Inqtana-A (MAC Virus) Java exploits are cross-platform exploitable 260,000 Android Smartphones impacted (March 2011) Today s Security Attacks (cont.) Typical warnings: (continued) The Anti-Phishing Working Group (APWG) reports that the number of unique phishing sites continues to increase Researchers at the University of Maryland attached four computers equipped with weak passwords to the Internet for 24 days to see what would happen These computers were hit by an intrusion attempt on average once every 39 seconds Today s Security Attacks (cont.) Security statistics bear witness to the continual success of attackers: TJX Companies, Inc. reported that over 45 million customer credit card and debit card numbers were stolen by attackers over an 18 month period from 2005 to 2007 The total average cost of a data breach in 2007 was $197 per record compromised Average cost in 2011 is now $214 per record A recent report revealed that of 24 federal government agencies, the overall grade was only C Difficulties Defending against Attacks Difficulties include the following: 2

3 Speed of attacks Greater sophistication of attacks Simplicity of attack tools More rapid exploitation of newly discovered attacks Delays in patching hardware and software products Most attacks are now distributed attacks, instead of coming from only one source User confusion User Apathy What Is Information Security? Knowing why information security is important today and who the attackers are is beneficial Defining Information Security Security can be considered as a state of freedom from a danger or risk This state or condition of freedom exists because protective measures are established and maintained Information security The tasks of guarding information that is in a digital format Ensures that protective measures are properly implemented Cannot completely prevent attacks or guarantee that a system is totally secure Defining Information Security (cont) Information security is intended to protect information that has value to people and organizations This value comes from the characteristics of the information: Confidentiality Integrity Availability Information security is achieved through a combination of three entities CIA Triad The Sides of the Triad are mutually supportive Applying these concepts to an Online Retaining Example: Confidentiality without Integrity can cause data errors A customer fails to input a zip code for shipping, which later causes order fulfillment application to crash when the order is processed. Integrity without Availability prevents normal operations Customers can not place orders because the web servers is down 3

4 19 Availability without Confidentiality allows for unauthorized access, which affects Integrity as well. Hackers have the ability to alter code on the server, redirecting customers to a malware site, harming sales and your reputation. Checkpoint: 1. ensures that only authorized parties can view the information. 2. ensures that data is accessible to authorized users ensures that data is only modified by authorized users. Defining Information Security (cont.) A more comprehensive definition of information security is: That which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures Information Security Terminology Asset Something that has a value Threat An event or object that may defeat the security measures in place and result in a loss Threat agent A person or thing that has the power to carry out a threat Information Security Terminology (cont) Vulnerability Weakness that allows a threat agent to bypass security Risk The likelihood that a threat agent will exploit a vulnerability Realistically, risk cannot ever be entirely eliminated Information Security Terminology (cont) Information Security Terminology (cont) Understanding the Importance of Information Security Preventing data theft Security is often associated with theft prevention The theft of data is one of the largest causes of financial loss due to an attack Individuals are often victims of data thievery Thwarting identity theft Identity theft involves using someone s personal information to establish bank or credit card accounts 4

5 Cards are then left unpaid, leaving the victim with the debts and ruining their credit rating Understanding the Importance of Information Security (cont) Avoiding legal consequences A number of federal and state laws have been enacted to protect the privacy of electronic data The Health Insurance Portability and Accountability Act of 1996 (HIPAA) The Sarbanes-Oxley Act of 2002 (Sarbox) The Gramm-Leach-Bliley Act (GLBA) USA Patriot Act (2001) The California Database Security Breach Act (2003) Children s Online Privacy Protection Act of 1998 (COPPA) Understanding the Importance of Information Security (continued) Maintaining Productivity Cleaning up after an attack diverts resources such as time and money away from normal activities Understanding the Importance of Information Security (cont) Foiling Cyberterrorism Cyberterrorism Attacks by terrorist groups using computer technology and the Internet Utility, telecommunications, and financial services companies are considered prime targets of cyberterrorists Supervisory Control And Data Acquisition (SCADA) Systems It generally refers to industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes Who Are the Attackers? The types of people behind computer attacks are generally divided into several categories: Hackers Script kiddies Spies Employees Cybercriminals Cyberterrorists Hackers Hacker Generic sense: anyone who illegally breaks into or attempts to break into a computer system Narrow sense: a person who uses advanced computer skills to attack computers only to expose security flaws Although breaking into another person s computer system is illegal 5

6 Some hackers believe it is ethical as long as they do not commit theft, vandalism, or breach any confidentiality Script Kiddies Script kiddies Want to break into computers to create damage Unskilled users Download automated hacking software (scripts) from Web sites and use it to break into computers Tend to lack coding expertise to build exploit tool They are sometimes considered more dangerous than hackers Script kiddies tend to be computer users who have almost unlimited amounts of leisure time, which they can use to attack systems Spies Computer Spy A person who has been hired to break into a computer and steal information Spies are hired to attack a specific computer or system that contains sensitive information Their goal is to break into that computer or system and take the information without drawing any attention to their actions Spies, like hackers, possess excellent computer skills Self Motivated Can be either Affiliation or Government Sponsored Employees One of the biggest information security threats to a business actually comes from its employees Also known as the Insider Threat Reasons: An employee might want to show the company a weakness in their security Circumvent security for personal knowledge / gain Disgruntled employees intent on retaliating against the company Industrial espionage Blackmailing Cybercriminals Cybercriminals A loose-knit network of attackers, identity thieves, and financial fraudsters More highly motivated, less risk-averse, better funded, and more tenacious than hackers Security experts believe that cybercriminals belong to organized gangs of young attackers from Europe and Asia Russian Business Network (RBN) 6

7 35 36 DarkMarket Avalanche Gang Cybercriminals have a more focused goal that can be summed up in a single word: money Cybercriminals (cont) Cybercriminals (cont) Cybercrime Targeted attacks against financial networks, unauthorized access to information, and the theft of personal information Financial cybercrime is often divided into two categories Trafficking in stolen credit card numbers and financial information Using spam to commit fraud Cyberterrorists Cyberterrorists Their motivation may be defined as ideology or attacking for the sake of their principles or beliefs Goals of a cyberattack: To deface electronic information, spread misinformation, and promote propaganda To deny service to legitimate computer users To commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data Attacks and Defenses Although there are a wide variety of attacks that can be launched against a computer or network, the same basic steps are used in most attacks Protecting computers against these steps in an attack calls for five fundamental security principles Steps of an Attack The five steps that make up an attack are: Probe for information Penetrate any defenses Modify security settings Circulate to other systems Paralyze networks and devices Defenses against Attacks Although multiple defenses may be necessary to withstand an attack These defenses should be based on five fundamental security principles: Protecting systems by layering 7

8 42 Limiting Diversity Obscurity Simplicity Layering Information security must be created in layers One defense mechanism may be relatively easy for an attacker to circumvent Instead, a security system must have layers, making it unlikely that an attacker has the tools and skills to break through all the layers of defenses A layered approach can also be useful in resisting a variety of attacks Layered security provides the most comprehensive protection This is referred to as Defense-in-Depth Limiting Limiting access to information reduces the threat against it Only those who must use data should have access to it In addition, the amount of access granted to someone should be limited to what that person needs to know Some ways to limit access are technology-based, while others are procedural View vs. Read or Write access Diversity Layers must be different (diverse) If attackers penetrate one layer, they cannot use the same techniques to break through all other layers Using diverse layers of defense means that breaching one security layer does not compromise the whole system 45 Traditionally, a mature Defense in Depth approach attempted to use different vender solutions at each level to prevent a vender-wide flaw from compromising your entire solution. Example: Firewall: Cisco; IPS: MacAfee; AV: Symantec; Host-based Intrusion prevention: CA networks; Network Access Control: Bluecoat Obscurity Reducing or preventing information about your systems or layered protections being exposed to unauthorized persons. This information includes: Type of computer Operating system Network Topography / Connections Software Limiting the attackers success in the probing phase by collecting this information increases the attackers chance of detection in the penetration phase. Obscuring information can be an important way to protect information 8

9 46 47 Simplicity Information security is by its very nature complex Complex security systems can be hard to understand, troubleshoot, and feel secure about As much as possible, a secure system should be simple for those on the inside to understand and use Complex security schemes are often compromised to make them easier for trusted users to work with Keeping a system simple from the inside but complex on the outside can sometimes be difficult but reaps a major benefit Surveying Information Security Careers Security+ Certification Today, government and private sector businesses are moving towards requiring employees to process certifications Security + demonstrates the individual is familiar with computer security practices Demonstrates a level of competence that is noteworthy among their peers Many organizations use the CompTIA Security+ certification to verify security competency Types of Information Security Jobs Information Assurance (IA) A superset of information security including security issues that do not involve computers Covers a broader area than just basic technology defense tools and tactics Also includes reliability, strategic risk management, and corporate governance issues such as privacy, compliance, audits, business continuity, and disaster recovery Is interdisciplinary; individuals who are employed in it may come from different fields of study Information Security Jobs (cont) Information security, also called computer security Involves the tools and tactics to defend against computer attacks Does not include security issues that do not involve computers Two broad categories of information security positions: Information security managerial position Information security technical position Sample Salaries Comparisons CompTIA Security+ Certification The CompTIA Security+ (2008 Edition) Certification is the premiere vendor-neutral credential The Security+ exam is an internationally recognized validation of foundation-level 9

10 security skills and knowledge Used by organizations and security professionals around the world The skills and knowledge measured by the Security+ exam are derived from an industrywide Job Task Analysis (JTA) CompTIA Security+ Certification (cont) The six domains covered by the Security+ exam: Systems Security Network Infrastructure Access Control Assessments and Audits Cryptography Organizational Security Summary Attacks against information security have grown exponentially in recent years There are several reasons why it is difficult to defend against today s attacks Information security may be defined as that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures Summary (cont) The main goals of information security are to prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism The types of people behind computer attacks are generally divided into several categories 56 There are five general steps that make up an attack: probe for information, penetrate any defenses, modify security settings, circulate to other systems, and paralyze networks and devices Summary (cont) The demand for IT professionals who know how to secure networks and computers from attacks is at an all-time high 10