Security Awareness Challenges of Security No single simple solution to protecting computers and securing information Different types of attacks Difficulties in defending against these attacks 1
Today’s Security Attacks Typical monthly security newsletter –Malicious programs – attachments –‘‘Booby-trapped’’ Web pages are growing at an increasing rate –Mac computers can be the victim of attackers 2
Today’s Security Attacks (cont’d.) Security statistics –Millions of credit and debit card numbers stolen –Number of security breaches continues to rise 3
Difficulties in Defending Against Attacks Speed of attacks Greater sophistication of attacks Simplicity of attack tools Quicker vulnerabilities detected Delays in patching products Distributed attacks User confusion 4
Who Are the Attackers? Divided into several categories –Hackers –Script kiddies –Spies –Employees –Cybercriminals –Cyberterrorists 5
Hackers Debated definition of hacker –Identify anyone who illegally breaks into or attempts to break into a computer system –Person who uses advanced computer skills to attack computers only to expose security flaws ‘‘White Hats’ 6
Script Kiddies Unskilled users Use automated hacking software Do not understand the technology behind what they are doing Often indiscriminately target a wide range of computers 7
Spies Person who has been hired to break into a computer and steal information Do not randomly search for unsecured computers Hired to attack a specific computer or system Goal –Break into computer or system –Take the information without drawing any attention to their actions 8
Employees Reasons for attacks by employees –Show company weakness in security –Retaliation –Money –Blackmail –Carelessness 9
Cybercriminals Loose-knit network of attackers, identity thieves, and financial fraudsters Motivated by money Financial cybercrime categories –Stolen financial data –Spam to sell counterfeits, etc. 10
Cyberterrorists Motivated by ideology 11
Attacks and Defences Same basic steps are used in most attacks Protecting computers against these steps –Calls for five fundamental security principles 12
Steps of an Attack Probe for information Penetrate any defences Modify security settings Circulate to other systems Paralyse networks and devices 13
Defences Against Attacks Layering –If one layer is penetrated, several more layers must still be breached –Each layer is often more difficult or complicated than the previous –Useful in resisting a variety of attacks Limiting –Limiting access to information reduces the threat against it –Technology-based and procedural methods 14
Defences Against Attacks (cont’d.) Diversity –Important that security layers are diverse –Breaching one security layer does not compromise the whole system Obscurity –Avoiding clear patterns of behavior make attacks from the outside much more difficult Simplicity –Complex security systems can be hard to understand, troubleshoot, and feel secure about 15
Building a Comprehensive Security Strategy Block attacks –Strong security perimeter Part of the computer network to which a personal computer is attached –Local security important too Update defences –Continually update defenses to protect information against new types of attacks 16
Building a Comprehensive Security Strategy (cont’d.) Minimise losses –Realise that some attacks will get through security perimeters and local defenses –Make backup copies of important data –Business recovery policy Send secure information –‘‘Scramble’’ data so that unauthorized eyes cannot read it –Establish a secure electronic link between the sender and receiver 17
Summary Attacks against information security have grown exponentially in recent years Difficult to defend against today’s attacks Information security definition –That which protects the integrity, confidentiality, and availability of information Main goals of information security –Prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism 18
Summary (cont’d.) Several types of people are typically behind computer attacks Five general steps that make up an attack Practical, comprehensive security strategy involves four key elements 19