Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security

Objectives
- Describe the challenges of securing information
- Define information security and explain why it is important
- Identify the types of attackers that are common today
- List the basic steps of an attack
- Describe the five basic principles of defense

Challenges of Securing Information
- Security figures prominently in 21st century world
  - Personal security
  - Information security
- Securing information
  - No simple solution
  - Many different types of attacks
  - Defending against attacks often difficult

Today's Security Attacks
- Advances in computing power
  - Make password-breaking easy
- Software vulnerabilities often not patched
- Smartphones a new target

Today's Security Attacks (cont'd.)
- Examples of recent attacks
  - Bogus antivirus software
    - Marketed by credit card thieves
  - Online banking attacks
  - Hacking contest
  - Nigerian 419 advanced fee fraud
    - Number one type of Internet fraud
  - Identity theft using Firesheep
  - Malware
  - Infected USB flash drive devices

Table 1-1 Selected security breaches involving personal information in a one-month period

Difficulties in Defending Against Attacks
- Universally connected devices
- Increased speed of attacks
- Greater sophistication of attacks
- Availability and simplicity of attack tools
- Faster detection of vulnerabilities

Difficulties in Defending Against Attacks (cont'd.)
- Delays in patching
- Weak distribution of patches
- Distributed attacks
- User confusion

Table 1-2 Difficulties in defending against attacks

What Is Information Security?
- Before defense is possible, one must understand:
  - What information security is
  - Why it is important
  - Who the attackers are

Defining Information Security
- Security
  - Steps to protect person or property from harm
    - Harm may be intentional or nonintentional
  - Sacrifices convenience for safety
- Information security
  - Guarding digitally-formatted information:
    - That provides value to people and organizations

Defining Information Security (cont'd.)
- Three types of information protection: often called CIA
  - Confidentiality
    - Only approved individuals may access information
  - Integrity
    - Information is correct and unaltered
  - Availability
    - Information is accessible to authorized users

Defining Information Security (cont'd.)
- Protections implemented to secure information
  - Authentication
    - Individual is who they claim to be
  - Authorization
    - Grant ability to access information
  - Accounting
    - Provides tracking of events

Figure 1-3 Information security components (Cengage Learning 2012)

Defining Information Security (cont'd.)
Table 1-3 Information security layers

Information Security Terminology
- Asset
  - Item of value
- Threat
  - Actions or events that have potential to cause harm
- Threat agent
  - Person or element with power to carry out a threat

Table 1-4 Information technology assets

Information Security Terminology (cont'd.)
- Vulnerability
  - Flaw or weakness
  - Threat agent can bypass security
- Risk
  - Likelihood that threat agent will exploit vulnerability
  - Cannot be eliminated entirely
    - Cost would be too high
    - Take too long to implement
  - Some degree of risk must be assumed

Figure 1-4 Information security components analogy (Cengage Learning 2012)

Information Security Terminology (cont'd.)
- Options to deal with risk
  - Accept
    - Realize there is a chance of loss
  - Diminish
    - Take precautions
    - Most information security risks should be diminished
  - Transfer risk to someone else
    - Example: purchasing insurance

Understanding the Importance of Information Security
- Preventing data theft
  - Security often associated with theft prevention
  - Business data theft
    - Proprietary information
  - Individual data theft
    - Credit card numbers

Understanding the Importance of Information Security (cont'd.)
- Thwarting identity theft
  - Using another's personal information in unauthorized manner
  - Usually for financial gain
  - Example:
    - Steal person's SSN
    - Create new credit card account
    - Charge purchases
    - Leave unpaid

Understanding the Importance of Information Security (cont'd.)
- Avoiding legal consequences
  - Laws protecting electronic data privacy
    - The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    - The Sarbanes-Oxley Act of 2002 (Sarbox)
    - The Gramm-Leach-Bliley Act (GLBA)
    - California's Database Security Breach Notification Act (2003)

Understanding the Importance of Information Security (cont'd.)
- Maintaining productivity
  - Post-attack clean up diverts resources
    - Time and money
Table 1-6 Cost of attacks

Understanding the Importance of Information Security (cont'd.)
- Foiling cyberterrorism
  - Premeditated, politically motivated attacks
  - Target: information, computer systems, data
  - Designed to:
    - Cause panic
    - Provoke violence
    - Result in financial catastrophe

Understanding the Importance of Information Security (cont'd.)
- Potential cyberterrorism targets
  - Banking
  - Military
  - Energy (power plants)
  - Transportation (air traffic control centers)
  - Water systems

Who Are the Attackers?
- Categories of attackers
  - Hackers
  - Script kiddies
  - Spies
  - Insiders
  - Cybercriminals
  - Cyberterrorists

Hackers
- Hacker
  - Person who uses computer skills to attack computers
  - Term not common in security community
- White hat hackers
  - Goal to expose security flaws
  - Not to steal or corrupt data
- Black hat hackers
  - Goal is malicious and destructive

Script Kiddies
- Script kiddies
  - Goal: break into computers to create damage
  - Unskilled users
  - Download automated hacking software (scripts)
    - Use them to perform malicious acts
  - Attack software today has menu systems
    - Attacks are even easier for unskilled users
  - 40 percent of attacks performed by script kiddies

Spies
- Computer spy
  - Person hired to break into a computer:
    - To steal information
  - Hired to attack a specific computer or system:
    - Containing sensitive information
  - Goal: steal information without drawing attention to their actions
  - Possess excellent computer skills:
    - To attack and cover their tracks

Insiders
- Employees, contractors, and business partners
- 48 percent of breaches attributed to insiders
- Examples of insider attacks
  - Health care worker publicized celebrities' health records
    - Disgruntled over upcoming job termination
  - Government employee planted malicious coding script
  - Stock trader concealed losses through fake transactions
  - U.S. Army private accessed sensitive documents

Cybercriminals
- Network of attackers, identity thieves, spammers, financial fraudsters
- Difference from ordinary attackers
  - More highly motivated
  - Willing to take more risk
  - Better funded
  - More tenacious
- Goal: financial gain

Cybercriminals (cont'd.)
- Organized gangs of young attackers
  - Eastern European, Asian, and third-world regions
Table 1-7 Characteristics of cybercriminals

Cybercriminals (cont'd.)
- Cybercrime
  - Targeted attacks against financial networks
  - Unauthorized access to information
  - Theft of personal information
- Financial cybercrime
  - Trafficking in stolen credit cards and financial information
  - Using spam to commit fraud

Cyberterrorists
- Cyberterrorists
  - Ideological motivation
    - Attacking because of their principles and beliefs
- Goals of a cyberattack:
  - Deface electronic information
    - Spread misinformation and propaganda
  - Deny service to legitimate computer users
  - Commit unauthorized intrusions
    - Results: critical infrastructure outages; corruption of vital data

Attacks and Defenses
- Wide variety of attacks
  - Same basic steps used in attack
- To protect computers against attacks:
  - Follow five fundamental security principles

Steps of an Attack
- Probe for information
  - Such as type of hardware or software used
- Penetrate any defenses
  - Launch the attack
- Modify security settings
  - Allows attacker to reenter compromised system easily
- Circulate to other systems
  - Same tools directed toward other systems
- Paralyze networks and devices

Figure 1-6 Steps of an attack (Cengage Learning 2012)

Defenses Against Attacks
- Fundamental security principles for defenses
  - Layering
  - Limiting
  - Diversity
  - Obscurity
  - Simplicity

Layering
- Information security must be created in layers
  - Single defense mechanism may be easy to circumvent
  - Unlikely that attacker can break through all defense layers
- Layered security approach
  - Can be useful in resisting a variety of attacks
  - Provides the most comprehensive protection

Limiting
- Limiting access to information:
  - Reduces the threat against it
- Only those who must use data granted access
  - Amount of access limited to what that person needs to know
- Methods of limiting access
  - Technology
    - File permissions
  - Procedural
    - Prohibiting document removal from premises
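The "Technology: File permissions" method of limiting can be checked mechanically. The following is an added example, not part of the original slides: it audits a directory tree for regular files whose permission bits grant access beyond the owner, then strips those bits. It assumes a POSIX file system and that only the file's owner needs access; the file names and modes are constructed samples.

```python
import os
import stat
import tempfile

# Permission bits that grant access to anyone other than the file's owner.
BEYOND_OWNER = stat.S_IRWXG | stat.S_IRWXO


def audit_tree(root):
    """Return {relative_path: mode} for regular files that grant group/other access."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            mode = stat.S_IMODE(st.st_mode)
            if mode & BEYOND_OWNER:
                findings[os.path.relpath(path, root)] = mode
    return findings


def limit_to_owner(root, findings):
    """Strip group/other bits from each finding, keeping the owner's bits unchanged."""
    for rel, mode in findings.items():
        os.chmod(os.path.join(root, rel), mode & ~BEYOND_OWNER)


def demo():
    """Build a constructed sample tree, audit it, tighten it, audit again."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed file names and modes, for illustration only
            "payroll.csv": 0o666,   # readable and writable by everyone
            "notes.txt": 0o644,     # readable by everyone
            "private.key": 0o600,   # already owner-only
        }
        for name, mode in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("sample\n")
            os.chmod(path, mode)
        before = audit_tree(root)
        limit_to_owner(root, before)
        after = audit_tree(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for rel, mode in sorted(before.items()):
        print(f"{rel}: {oct(mode)} grants access beyond the owner")
    print("findings after tightening:", after)
```

Where a group legitimately needs the data, narrow BEYOND_OWNER to stat.S_IRWXO so that only the "other" bits are flagged.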

Diversity
- Closely related to layering
  - Layers must be different (diverse)
- If attackers penetrate one layer:
  - Same techniques unsuccessful in breaking through other layers
- Breaching one security layer does not compromise the whole system
- Example of diversity
  - Using security products from different manufacturers

Obscurity
- Obscuring inside details to outsiders
- Example: not revealing details
  - Type of computer
  - Operating system version
  - Brand of software used
- Difficult for attacker to devise attack if system details are unknown

Simplicity
- Nature of information security is complex
- Complex security systems
  - Difficult to understand and troubleshoot
  - Often compromised for ease of use by trusted users
- Secure system should be simple:
  - For insiders to understand and use
- Simple from the inside
  - Complex from the outside

Summary
- Information security attacks growing exponentially in recent years
- Several reasons for difficulty defending against today's attacks
- Information security protects information's integrity, confidentiality, and availability:
  - On devices that store, manipulate, and transmit information
  - Using products, people, and procedures

Summary (cont'd.)
- Goals of information security
  - Prevent data theft
  - Thwart identity theft
  - Avoid legal consequences of not securing information
  - Maintain productivity
  - Foil cyberterrorism
- Different types of people with different motivations conduct computer attacks
- An attack has five general steps