Sunday, 10 April 2011

Security Network - Introduction to Security

Chapter I - Introduction to Security

Today’s Security Attacks
  Typical warnings:
A malicious program was introduced at some point in the manufacturing process of a popular brand of digital photo frames
Nigerian e-mail scam claimed to be sent from the U.N.
“Booby-trapped” Web pages are growing at an increasing rate
A new worm disables Microsoft Windows Automatic Updating and the Task Manager
Apple has issued an update to address 25 security flaws in its operating system OS X
The Anti-Phishing Working Group (APWG) reports that the number of unique phishing sites continues to increase
Researchers at the University of Maryland attached four computers equipped with weak passwords to the Internet for 24 days to see what would happen
  These computers were hit by an intrusion attempt on average once every 39 seconds
  Security statistics bear witness to the continual success of attackers:
TJX Companies, Inc. reported that over 45 million customer credit card and debit card numbers were stolen by attackers over an 18 month period from 2005 to 2007
Table 1-1 lists some of the major security breaches that occurred during a three-month period
The total average cost of a data breach in 2007 was $197 per record compromised
A recent report revealed that of 24 federal government agencies, the overall grade was only “C−”

Difficulties in Defending against Attacks
  Difficulties include the following:
Speed of attacks
Greater sophistication of attacks
Simplicity of attack tools
Attackers can detect vulnerabilities more quickly and more readily exploit these vulnerabilities
Delays in patching hardware and software products
Most attacks are now distributed attacks, instead of coming from only one source
User confusion

Defining Information Security
  Security can be considered as a state of freedom from a danger or risk
This state or condition of freedom exists because protective measures are established and maintained
  Information security
The tasks of guarding information that is in a digital format
Ensures that protective measures are properly implemented
Cannot completely prevent attacks or guarantee that a system is totally secure
  Information security is intended to protect information that has value to people and organizations
This value comes from the characteristics of the information:
  Confidentiality → ensures that only authorized parties can view the information
  Integrity → ensures that information is correct and that no unauthorized person or malicious software has altered that data
  Availability → ensures that data is accessible to authorized users
  Information security is achieved through a combination of three entities
  A more comprehensive definition of information security is:
That which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures

Information Security Terminology
  Asset
Something that has a value
  Threat
An event or object that may defeat the security measures in place and result in a loss
  Threat agent
A person or thing that has the power to carry out a threat
  Vulnerability
Weakness that allows a threat agent to bypass security
  Risk
The likelihood that a threat agent will exploit a vulnerability
Realistically, risk cannot ever be entirely eliminated

Understanding the Importance of Information Security
  Preventing data theft
Security is often associated with theft prevention
The theft of data is one of the largest causes of financial loss due to an attack
Individuals are often victims of data thievery
  Thwarting identity theft
Identity theft involves using someone’s personal information to establish bank or credit card accounts
  Cards are then left unpaid, leaving the victim with the debts and ruining their credit rating
  Avoiding legal consequences
A number of federal and state laws have been enacted to protect the privacy of electronic data
  The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  The Sarbanes-Oxley Act of 2002 (Sarbox)
  The Gramm-Leach-Bliley Act (GLBA)
  USA Patriot Act (2001)
  The California Database Security Breach Act (2003)
  Children’s Online Privacy Protection Act of 1998 (COPPA)
  Maintaining Productivity
Cleaning up after an attack diverts resources such as time and money away from normal activities
  Foiling cyberterrorism
Cyberterrorism
  Attacks by terrorist groups using computer technology and the Internet
Utility, telecommunications, and financial services companies are considered prime targets of cyberterrorists

Who Are the Attackers?
  The types of people behind computer attacks are generally divided into several categories
These include hackers, script kiddies, spies, employees, cybercriminals, and cyberterrorists

Hackers
  Hacker
Generic sense: anyone who illegally breaks into or attempts to break into a computer system
Narrow sense: a person who uses advanced computer skills to attack computers only to expose security flaws
  Although breaking into another person’s computer system is illegal
Some hackers believe it is ethical as long as they do not commit theft, vandalism, or breach any confidentiality

Script Kiddies
  Script kiddies
Want to break into computers to create damage
Unskilled users
Download automated hacking software (scripts) from Web sites and use it to break into computers
  They are sometimes considered more dangerous than hackers
Script kiddies tend to be computer users who have almost unlimited amounts of leisure time, which they can use to attack systems

Spies
  Computer spy
A person who has been hired to break into a computer and steal information
  Spies are hired to attack a specific computer or system that contains sensitive information
Their goal is to break into that computer or system and take the information without drawing any attention to their actions
  Spies, like hackers, possess excellent computer skills

Employees
  One of the largest information security threats to a business actually comes from its employees
  Reasons
An employee might want to show the company a weakness in their security
Disgruntled employees may be intent on retaliating against the company
Industrial espionage
Blackmailing

Cybercriminals
  Cybercriminals
A loose-knit network of attackers, identity thieves, and financial fraudsters
More highly motivated, less risk-averse, better funded, and more tenacious than hackers
  Many security experts believe that cybercriminals belong to organized gangs of young and mostly Eastern European attackers
  Cybercriminals have a more focused goal that can be summed up in a single word: money

Cybercriminals
  Cybercrime
Targeted attacks against financial networks, unauthorized access to information, and the theft of personal information
  Financial cybercrime is often divided into two categories
Trafficking in stolen credit card numbers and financial information
Using spam to commit fraud

Cyberterrorists
  Cyberterrorists
Their motivation may be defined as ideology, or attacking for the sake of their principles or beliefs
  Goals of a cyberattack:
To deface electronic information and spread misinformation and propaganda
To deny service to legitimate computer users
To commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data

Attacks and Defenses
  Although there are a wide variety of attacks that can be launched against a computer or network
The same basic steps are used in most attacks
  Protecting computers against these steps in an attack calls for five fundamental security principles

Steps of an Attack
  The five steps that make up an attack
Probe for information
Penetrate any defenses
Modify security settings
Circulate to other systems
Paralyze networks and devices

Defenses against Attacks
  Although multiple defenses may be necessary to withstand an attack
These defenses should be based on five fundamental security principles:
  Protecting systems by layering
  Limiting
  Diversity
  Obscurity
  Simplicity

Layering
  Information security must be created in layers
  One defense mechanism may be relatively easy for an attacker to circumvent
Instead, a security system must have layers, making it unlikely that an attacker has the tools and skills to break through all the layers of defenses
  A layered approach can also be useful in resisting a variety of attacks
  Layered security provides the most comprehensive protection

Limiting
  Limiting access to information reduces the threat against it
  Only those who must use data should have access to it
In addition, the amount of access granted to someone should be limited to what that person needs to know
  Some ways to limit access are technology-based, while others are procedural

Diversity
  Layers must be different (diverse)
If attackers penetrate one layer, they cannot use the same techniques to break through all other layers
  Using diverse layers of defense means that breaching one security layer does not compromise the whole system

Obscurity
  An example of obscurity would be not revealing the type of computer, operating system, software, and network connection a computer uses
An attacker who knows that information can more easily determine the weaknesses of the system to attack it
  Obscuring information can be an important way to protect information

Simplicity
  Information security is by its very nature complex
  Complex security systems can be hard to understand, troubleshoot, and feel secure about
  As much as possible, a secure system should be simple for those on the inside to understand and use
  Complex security schemes are often compromised to make them easier for trusted users to work with
Keeping a system simple from the inside but complex on the outside can sometimes be difficult but reaps a major benefit

Surveying Information Security Careers and the Security+ Certification
  Today, businesses and organizations require employees and even prospective applicants
To demonstrate that they are familiar with computer security practices
  Many organizations use the CompTIA Security+ certification to verify security competency

Types of Information Security Jobs
  Information assurance (IA)
A superset of information security including security issues that do not involve computers
Covers a broader area than just basic technology defense tools and tactics
Also includes reliability, strategic risk management, and corporate governance issues such as privacy, compliance, audits, business continuity, and disaster recovery
Is interdisciplinary; individuals who are employed in it may come from different fields of study
  Information security, also called computer security
Involves the tools and tactics to defend against computer attacks
Does not include security issues that do not involve computers
  Two broad categories of information security positions
Information security managerial position
Information security technical position

CompTIA Security+ Certification
  The CompTIA Security+ (2008 Edition) Certification is the premier vendor-neutral credential
  The Security+ exam is an internationally recognized validation of foundation-level security skills and knowledge
Used by organizations and security professionals around the world
  The skills and knowledge measured by the Security+ exam are derived from an industry-wide Job Task Analysis (JTA)
  The six domains covered by the Security+ exam:
Systems Security, Network Infrastructure, Access Control, Assessments and Audits, Cryptography, and Organizational Security

Summary
  • Attacks against information security have grown exponentially in recent years
  • There are several reasons why it is difficult to defend against today’s attacks
  • Information security may be defined as that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures
  • The main goals of information security are to prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism
  • The types of people behind computer attacks are generally divided into several categories
  • There are five general steps that make up an attack: probe for information, penetrate any defenses, modify security settings, circulate to other systems, and paralyze networks and devices
  • The demand for IT professionals who know how to secure networks and computers from attacks is at an all-time high

Thanks ......