Chapter 1 Introduction to Security

Presentation transcript:

Security Awareness: Applying Practical Security in Your World, Second Edition. Chapter 1: Introduction to Security

Objectives: List the challenges of defending against attacks. Explain why information security is important. Describe the different types of attackers. List the general principles for defending against attacks.

Challenges of Security. Last six months of 2004: organizations faced an average of 13.6 attacks per day versus 10.6 the previous six months. Second quarter of 2005: 422 Internet security vulnerabilities were discovered. First six months of 2005: over 46.5 million Americans had their privacy breached.

Today’s Security Attacks. The Department of Defense records over 60,000 attempted intrusions annually against its unclassified networks. Companies worldwide will spend almost $13 billion on computer security in 2005. The number of Internet fraud complaints rose from 6,087 in 2000 to 48,252 in 2002 and 207,449 in 2004.

Difficulties in Defending Against Attackers. Why security is becoming increasingly difficult: speed of attacks; greater sophistication of attacks; attackers detect weaknesses faster and can quickly exploit these vulnerabilities; increasing number of zero day attacks; distributed attacks; user confusion.

What is Information Security? Describes the task of guarding information that is in a digital format. Ensures that protective measures are properly implemented. Intended to protect information that has high value to people and organizations.

Characteristics of Information. Confidentiality: ensures that only authorized parties can view the information. Integrity: ensures that information is correct. Availability: a secure computer must make data immediately available to authorized users.

What is Information Security? (continued) Protects the characteristics of information on devices that store, manipulate, and transmit information. Achieved through a combination of three entities: proper use of products; people; procedures.

Information Security Terminology. Asset: something that has value. Threat: event or object that may defeat the security measures in place and result in a loss. Threat agent: person or thing that has power to carry out a threat.

Information Security Terminology (continued). Vulnerability: weakness that allows a threat agent to bypass security. Risk: likelihood that a threat agent will exploit a vulnerability.

Understanding the Importance of Information Security. Information security is important to businesses and individuals: prevent data theft; thwart identity theft; avoid legal consequences of not securing information; maintain productivity; foil cyberterrorism.

Preventing Data Theft. Security: often associated with theft prevention. Data theft: single largest cause of financial loss due to a security breach; individuals can be victims.

Thwarting Identity Theft. Identity theft involves using someone’s personal information to establish bank or credit card accounts. According to the Federal Trade Commission (FTC): the number of identity theft victims increased 152% from 2002-2004; the cost of identity theft for 2004 exceeded $52 billion. Age group that suffered the most identity theft: adults 18-29 years of age.

Avoiding Legal Consequences. The Health Insurance Portability and Accountability Act of 1996 (HIPAA): healthcare enterprises must guard protected health information. The Sarbanes-Oxley Act of 2002 (Sarbox): attempts to fight corporate corruption.

Avoiding Legal Consequences (continued). The Gramm-Leach-Bliley Act (GLBA): protects private data. USA Patriot Act of 2001: broadens surveillance of law enforcement agencies.

Avoiding Legal Consequences (continued). The California Database Security Breach Act of 2003: businesses should inform residents within 48 hours if a breach of personal information occurs. Children’s Online Privacy Protection Act of 1998 (COPPA): Web sites designed for children under 13 should obtain parental consent prior to the collection, use, disclosure, or display of a child’s personal information.

Maintaining Productivity. The Computer Crime and Security Survey indicates that virus attacks alone cost more than $42 million. Spam: unsolicited e-mail messages; almost 230 million spam messages are sent each day (67% of total e-mail transmitted).

Foiling Cyberterrorism. Cyberterrorism: attacks by terrorist groups using computer technology and the Internet. Challenges: many prime targets are not owned and managed by the federal government.

Who are the Attackers? Hacker: someone who attacks computers. Cracker: person who violates system security with malicious intent. Script kiddies: want to break into computers to create damage; download automated hacking software (scripts); lack the technical skills of crackers.

Who are the Attackers? (continued) Spies: hired to break into a computer and steal information. Thieves: search for any unprotected computer and attempt to steal credit card numbers, banking passwords, or similar information. Employees: may want to show the company a security weakness.

Cyberterrorists: may attack because of ideology. Goals of a cyberattack: to deface electronic information; to deny service to legitimate computer users; to commit unauthorized intrusions into systems and networks.

Defending Against Attacks. Layering: creates a barrier of multiple defenses that can be coordinated to thwart a variety of attacks. Limiting: limiting access to information reduces the threat against it. Diversity: breaching one security layer does not compromise the whole system.

Defending Against Attacks (continued). Obscurity: avoiding clear patterns of behavior makes attacks from the outside much more difficult. Simplicity: creating a system that is simple from the inside but complex on the outside reaps a major benefit.

Building a Comprehensive Security Strategy. Block attacks: if attacks are blocked by the network security perimeter, then the attacker cannot reach the personal computers on which data is stored. Security devices can be added to the computer network to block unauthorized or malicious traffic.

Building a Comprehensive Security Strategy (continued). Update defenses: involves updating defensive hardware and software, and applying operating system patches on a regular basis. Minimize losses: may involve keeping backup copies of important data in a safe place. Send secure information: may involve “scrambling” data so that unauthorized eyes cannot read it.

Summary. There are several difficulties in keeping computers and the information on them secure. Why information security is becoming more difficult: speed and sophistication of attack; vulnerabilities; user confusion. Information security protects the integrity, confidentiality, and availability of information.

Summary (continued). Information security has its own set of terminology. Preventing theft of information: most important reason for protecting data. Hacker: possesses advanced computer skills. Basic principles for creating a secure environment: layering, limiting, diversity, obscurity, and simplicity.