Security+ Guide to NetworkSecurity+ Guide to Network Security Fundamentals, Third
Edition
Chapter 1pIntroduction to Security
ObjectivesObjectives
• Describe the challenges of securing information• Describe the challenges of securing information• Define information security and explain why it is
importantp• Identify the types of attackers that are common today
Security+ Guide to Network Security Fundamentals, Third Edition 2
Objectives (continued)Objectives (continued)
• List the basic steps of an attack• List the basic steps of an attack• Describe the five steps in a defense• Explain the different types of information securityExplain the different types of information security
careers and how the Security+ certification can enhance a security career
Security+ Guide to Network Security Fundamentals, Third Edition 3
Challenges of Securing InformationChallenges of Securing Information
• There is no simple solution to securing information• There is no simple solution to securing information• This can be seen through the different types of
attacks that users face todayy– As well as the difficulties in defending against these
attacks
Security+ Guide to Network Security Fundamentals, Third Edition 4
Today’s Security AttacksToday s Security Attacks
• Typical warnings:• Typical warnings:– A malicious program was introduced at some point in
the manufacturing process of a popular brand of digital photo frames
– Nigerian e-mail scam claimed to be sent from the U.N.“B b t d” W b i t– “Booby-trapped” Web pages are growing at an increasing rate
– A new worm disables Microsoft Windows AutomaticA new worm disables Microsoft Windows Automatic Updating and the Task Manager
– Apple has issued an update to address 25 security fl i it ti t OS X
Security+ Guide to Network Security Fundamentals, Third Edition
flaws in its operating system OS X5
Today’s Security Attacks (continued)Today s Security Attacks (continued)
• Typical warnings: (continued)• Typical warnings: (continued)– The Anti-Phishing Working Group (APWG) reports
that the number of unique phishing sites continues to increase
– Researchers at the University of Maryland attached four computers equipped with weak passwords to thefour computers equipped with weak passwords to the Internet for 24 days to see what would happen
• These computers were hit by an intrusion attempt on average once every 39 seconds
Security+ Guide to Network Security Fundamentals, Third Edition 6
Today’s Security Attacks (continued)Today s Security Attacks (continued)
• Security statistics bear witness to the continual ysuccess of attackers:– TJX Companies, Inc. reported that over 45 million
c stomer credit card and debit card n mbers erecustomer credit card and debit card numbers were stolen by attackers over an 18 month period from 2005 to 2007
– Table 1-1 lists some of the major security breaches that occurred during a three-month periodTh t t l t f d t b h i 2007– The total average cost of a data breach in 2007 was $197 per record compromised
– A recent report revealed that of 24 federal government
Security+ Guide to Network Security Fundamentals, Third Edition
A recent report revealed that of 24 federal government agencies, the overall grade was only “C−”
7
Security+ Guide to Network Security Fundamentals, Third Edition 8
Difficulties in Defending against Attacks
• Difficulties include the following:• Difficulties include the following:– Speed of attacks– Greater sophistication of attacksp– Simplicity of attack tools– Attackers can detect vulnerabilities more quickly and
more readily exploit these vulnerabilities– Delays in patching hardware and software products
Most attacks are now distributed attacks instead of– Most attacks are now distributed attacks, instead of coming from only one source
– User confusion
Security+ Guide to Network Security Fundamentals, Third Edition 9
Security+ Guide to Network Security Fundamentals, Third Edition 10
Security+ Guide to Network Security Fundamentals, Third Edition 11
Difficulties in Defending against Attacks (continued)
Security+ Guide to Network Security Fundamentals, Third Edition 12
What Is Information Security?What Is Information Security?
• Knowing why information security is important today• Knowing why information security is important today and who the attackers are is beneficial
Security+ Guide to Network Security Fundamentals, Third Edition 13
Defining Information SecurityDefining Information Security
• Security can be considered as a state of freedom• Security can be considered as a state of freedom from a danger or risk– This state or condition of freedom exists because
protective measures are established and maintained• Information security
– The tasks of guarding information that is in a digital format
– Ensures that protective measures are properly– Ensures that protective measures are properly implemented
– Cannot completely prevent attacks or guarantee that
Security+ Guide to Network Security Fundamentals, Third Edition
a system is totally secure14
Defining Information Security g y(continued)
Information security is intended to protect• Information security is intended to protect information that has value to people and organizationsg– This value comes from the characteristics of the
information:• Confidentiality• Integrity• AvailabilityAvailability
• Information security is achieved through a combination of three entities
Security+ Guide to Network Security Fundamentals, Third Edition 15
Security+ Guide to Network Security Fundamentals, Third Edition 16
Defining Information Security g y(continued)
Security+ Guide to Network Security Fundamentals, Third Edition 17
Defining Information Security g y(continued)
A more comprehensive definition of information• A more comprehensive definition of information security is:– That which protects the integrity, confidentiality, andThat which protects the integrity, confidentiality, and
availability of information on the devices that store, manipulate, and transmit the information through products people and proceduresproducts, people, and procedures
Security+ Guide to Network Security Fundamentals, Third Edition 18
Information Security TerminologyInformation Security Terminology
• Asset– Something that has a value
• Threat– An event or object that may defeat the security
measures in place and result in a lossmeasures in place and result in a loss• Threat agent
– A person or thing that has the power to carry out aA person or thing that has the power to carry out a threat
Security+ Guide to Network Security Fundamentals, Third Edition 19
Information Security Terminology y gy(continued)
• Vulnerability– Weakness that allows a threat agent to bypass
securitysecurity• Risk
– The likelihood that a threat agent will exploit a– The likelihood that a threat agent will exploit a vulnerability
– Realistically, risk cannot ever be entirely eliminated
Security+ Guide to Network Security Fundamentals, Third Edition 20
Information Security Terminology y gy(continued)
Security+ Guide to Network Security Fundamentals, Third Edition 21
Information Security Terminology y gy(continued)
Security+ Guide to Network Security Fundamentals, Third Edition 22
Understanding the Importance of g pInformation Security
f• Preventing data theft– Security is often associated with theft prevention
The theft of data is one of the largest causes of– The theft of data is one of the largest causes of financial loss due to an attack
– Individuals are often victims of data thieveryy• Thwarting identity theft
– Identity theft involves using someone’s personal information to establish bank or credit card accounts
• Cards are then left unpaid, leaving the victim with the debts and ruining their credit rating
Security+ Guide to Network Security Fundamentals, Third Edition
debts and ruining their credit rating
23
Understanding the Importance of g pInformation Security (continued)
• Avoiding legal consequences– A number of federal and state laws have been
enacted to protect the privacy of electronic dataenacted to protect the privacy of electronic data• The Health Insurance Portability and Accountability Act
of 1996 (HIPAA)• The Sarbanes-Oxley Act of 2002 (Sarbox)• The Gramm-Leach-Bliley Act (GLBA)• USA Patriot Act (2001)USA Patriot Act (2001)• The California Database Security Breach Act (2003)• Children’s Online Privacy Protection Act of 1998
Security+ Guide to Network Security Fundamentals, Third Edition
(COPPA)24
Understanding the Importance of g pInformation Security (continued)
• Maintaining Productivity– Cleaning up after an attack diverts resources such as
time and money away from normal activitiestime and money away from normal activities
Security+ Guide to Network Security Fundamentals, Third Edition 25
Understanding the Importance of g pInformation Security (continued)
• Foiling cyberterrorism– Cyberterrorism
• Attacks by terrorist groups using computer technology• Attacks by terrorist groups using computer technology and the Internet
– Utility, telecommunications, and financial services companies are considered prime targets of cyberterrorists
Security+ Guide to Network Security Fundamentals, Third Edition 26
Who Are the Attackers?Who Are the Attackers?
f• The types of people behind computer attacks are generally divided into several categories
These include hackers script kiddies spies– These include hackers, script kiddies, spies, employees, cybercriminals, and cyberterrorists
Security+ Guide to Network Security Fundamentals, Third Edition 27
HackersHackers
Hacker• Hacker– Generic sense: anyone who illegally breaks into or
attempts to break into a computer systemp p y– Narrow sense: a person who uses advanced
computer skills to attack computers only to expose it flsecurity flaws
• Although breaking into another person’s computer system is illegalsystem is illegal– Some hackers believe it is ethical as long as they do
not commit theft, vandalism, or breach any
Security+ Guide to Network Security Fundamentals, Third Edition
confidentiality28
Script KiddiesScript Kiddies
S• Script kiddies– Want to break into computers to create damage
Unskilled users– Unskilled users– Download automated hacking software (scripts) from
Web sites and use it to break into computersp• They are sometimes considered more dangerous
than hackers– Script kiddies tend to be computer users who have
almost unlimited amounts of leisure time, which they can use to attack systems
Security+ Guide to Network Security Fundamentals, Third Edition
can use to attack systems
29
SpiesSpies
• Computer spy– A person who has been hired to break into a
computer and steal informationcomputer and steal information• Spies are hired to attack a specific computer or
system that contains sensitive informationsystem that contains sensitive information– Their goal is to break into that computer or system
and take the information without drawing any attention to their actions
• Spies, like hackers, possess excellent computer skills
Security+ Guide to Network Security Fundamentals, Third Edition
skills
30
EmployeesEmployees
• One of the largest information security threats to a business actually comes from its employeesR• Reasons– An employee might want to show the company a
weakness in their securityweakness in their security– Disgruntled employees may be intent on retaliating
against the company– Industrial espionage– Blackmailing
Security+ Guide to Network Security Fundamentals, Third Edition 31
CybercriminalsCybercriminals
• Cybercriminals– A loose-knit network of attackers, identity thieves, and
financial fraudstersfinancial fraudsters– More highly motivated, less risk-averse, better
funded, and more tenacious than hackers,• Many security experts believe that cybercriminals
belong to organized gangs of young and mostly Eastern European attackers
• Cybercriminals have a more focused goal that can be summed up in a single word: money
Security+ Guide to Network Security Fundamentals, Third Edition
be summed up in a single word: money32
Cybercriminals (continued)Cybercriminals (continued)
Security+ Guide to Network Security Fundamentals, Third Edition 33
Cybercriminals (continued)Cybercriminals (continued)
• Cybercrime– Targeted attacks against financial networks,
unauthorized access to information and the theft ofunauthorized access to information, and the theft of personal information
• Financial cybercrime is often divided into twoFinancial cybercrime is often divided into two categories– Trafficking in stolen credit card numbers and financial
information– Using spam to commit fraud
Security+ Guide to Network Security Fundamentals, Third Edition 34
CyberterroristsCyberterrorists
• Cyberterrorists– Their motivation may be defined as ideology, or
f f fattacking for the sake of their principles or beliefs• Goals of a cyberattack:
To deface electronic information and spread– To deface electronic information and spread misinformation and propaganda
– To deny service to legitimate computer usersy g p– To commit unauthorized intrusions into systems and
networks that result in critical infrastructure outages d ti f it l d t
Security+ Guide to Network Security Fundamentals, Third Edition
and corruption of vital data35
Attacks and DefensesAttacks and Defenses
Although there are a wide variety of attacks that can• Although there are a wide variety of attacks that can be launched against a computer or network– The same basic steps are used in most attacksThe same basic steps are used in most attacks
• Protecting computers against these steps in an attack calls for five fundamental security principles
Security+ Guide to Network Security Fundamentals, Third Edition 36
Steps of an AttackSteps of an Attack
• The five steps that make up an attack• The five steps that make up an attack– Probe for information– Penetrate any defensesy– Modify security settings– Circulate to other systems– Paralyze networks and devices
Security+ Guide to Network Security Fundamentals, Third Edition 37
Security+ Guide to Network Security Fundamentals, Third Edition 38
Defenses against AttacksDefenses against Attacks
• Although multiple defenses may be necessary to• Although multiple defenses may be necessary to withstand an attack– These defenses should be based on five fundamental
security principles:• Protecting systems by layering
Limiting• Limiting• Diversity• Obscurityy• Simplicity
Security+ Guide to Network Security Fundamentals, Third Edition 39
LayeringLayering
• Information security must be created in layers• Information security must be created in layers• One defense mechanism may be relatively easy for
an attacker to circumvent– Instead, a security system must have layers, making it
unlikely that an attacker has the tools and skills to b k th h ll th l f d fbreak through all the layers of defenses
• A layered approach can also be useful in resisting a variety of attacksvariety of attacks
• Layered security provides the most comprehensive protection
Security+ Guide to Network Security Fundamentals, Third Edition
p
40
LimitingLimiting
• Limiting access to information reduces the threat• Limiting access to information reduces the threat against it
• Only those who must use data should have access yto it– In addition, the amount of access granted to someone
h ld b li it d t h t th t d t kshould be limited to what that person needs to know• Some ways to limit access are technology-based,
while others are proceduralwhile others are procedural
Security+ Guide to Network Security Fundamentals, Third Edition 41
DiversityDiversity
• Layers must be different (diverse)• Layers must be different (diverse)– If attackers penetrate one layer, they cannot use the
same techniques to break through all other layers• Using diverse layers of defense means that
breaching one security layer does not compromise th h l tthe whole system
Security+ Guide to Network Security Fundamentals, Third Edition 42
ObscurityObscurity
• An example of obscurity would be not revealing the• An example of obscurity would be not revealing the type of computer, operating system, software, and network connection a computer uses– An attacker who knows that information can more
easily determine the weaknesses of the system to attack itattack it
• Obscuring information can be an important way to protect informationp
Security+ Guide to Network Security Fundamentals, Third Edition 43
SimplicitySimplicity
• Information security is by its very nature complex• Information security is by its very nature complex• Complex security systems can be hard to
understand, troubleshoot, and feel secure about, ,• As much as possible, a secure system should be
simple for those on the inside to understand and use• Complex security schemes are often compromised
to make them easier for trusted users to work withK i t i l f th i id b t l– Keeping a system simple from the inside but complex on the outside can sometimes be difficult but reaps a major benefit
Security+ Guide to Network Security Fundamentals, Third Edition
j
44
Surveying Information Security Careers and the Security+ Certification• Today businesses and organizations require• Today, businesses and organizations require
employees and even prospective applicants– To demonstrate that they are familiar with computer y p
security practices• Many organizations use the CompTIA Security+
tifi ti t if it tcertification to verify security competency
Security+ Guide to Network Security Fundamentals, Third Edition 45
Types of Information Security JobsTypes of Information Security Jobs
• Information assurance (IA)• Information assurance (IA)– A superset of information security including security
issues that do not involve computers– Covers a broader area than just basic technology
defense tools and tacticsAl i l d li bilit t t i i k t– Also includes reliability, strategic risk management, and corporate governance issues such as privacy, compliance, audits, business continuity, and disaster recovery
– Is interdisciplinary; individuals who are employed in it may come from different fields of study
Security+ Guide to Network Security Fundamentals, Third Edition
may come from different fields of study
46
Types of Information Security Jobs (continued)
• Information security also called computer security• Information security, also called computer security– Involves the tools and tactics to defend against
computer attacks– Does not include security issues that do not involve
computersT b d t i f i f ti it• Two broad categories of information security positions– Information security managerial position– Information security managerial position– Information security technical position
Security+ Guide to Network Security Fundamentals, Third Edition 47
Security+ Guide to Network Security Fundamentals, Third Edition 48
CompTIA Security+ CertificationCompTIA Security+ Certification
• The CompTIA Security+ (2008 Edition) Certification• The CompTIA Security+ (2008 Edition) Certification is the premiere vendor-neutral credential
• The Security+ exam is an internationally recognized y y gvalidation of foundation-level security skills and knowledge– Used by organizations and security professionals
around the world• The skills and knowledge measured by the• The skills and knowledge measured by the
Security+ exam are derived from an industry-wide Job Task Analysis (JTA)
Security+ Guide to Network Security Fundamentals, Third Edition 49
CompTIA Security+ Certification (continued)
• The six domains covered by the Security+ exam:• The six domains covered by the Security+ exam:– Systems Security, Network Infrastructure, Access
Control, Assessments and Audits, Cryptography, and Organizational Security
Security+ Guide to Network Security Fundamentals, Third Edition 50
SummarySummary
• Attacks against information security have grown g y gexponentially in recent years
• There are several reasons why it is difficult to defend i t t d ’ tt kagainst today’s attacks
• Information security may be defined as that which protects the integrity confidentiality and availabilityprotects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures
Security+ Guide to Network Security Fundamentals, Third Edition 51
Summary (continued)Summary (continued)
• The main goals of information security are to prevent g ydata theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity and foil cyberterrorismproductivity, and foil cyberterrorism
• The types of people behind computer attacks are generally divided into several categoriesgenerally divided into several categories
• There are five general steps that make up an attack: probe for information, penetrate any defenses, modify security settings, circulate to other systems, and paralyze networks and devices
Security+ Guide to Network Security Fundamentals, Third Edition 52
Summary (continued)Summary (continued)
• The demand for IT professionals who know how to secure networks and computers from attacks is at an all-time high
Security+ Guide to Network Security Fundamentals, Third Edition 53