Course Technology/Cengage Learning - c-jump


About the Presentations
• The presentations cover the objectives found in the opening of each chapter.
• All chapter objectives are listed in the beginning of each presentation.
• You may customize the presentations to fit your class needs.
• Some figures from the chapters are included. A complete set of images from the book can be found on the Instructor Resources disc.

Security Awareness

Chapter 1 Introduction to Security

Objectives
After completing this chapter, you should be able to do the following:
• Describe the challenges of securing information
• Define information security and explain why it is important
• Identify the types of attackers that are common today
• List the basic steps of an attack
• Describe the steps in a defense and a comprehensive defense strategy

Security Awareness, 3rd Edition

Challenges of Securing Information
• No single simple solution to protecting computers and securing information
• Different types of attacks
• Difficulties in defending against these attacks

Today’s Security Attacks
• Typical monthly security newsletter
  – Malicious program was introduced in the manufacturing process of a popular brand of digital photo frames
  – E-mail claiming to be from the United Nations (U.N.) “Nigerian Government Reimbursement Committee” is sent to unsuspecting users
  – “Booby-trapped” Web pages are growing at an increasing rate
  – Mac computers can be the victim of attackers

Today’s Security Attacks (cont’d.)
• Security statistics
  – 45 million credit and debit card numbers stolen
  – Number of security breaches continues to rise
  – Recent report revealed that the overall grade of 24 federal government agencies was only “C-”

Table 1-1 Selected security breaches involving personal information in a three-month period


Difficulties in Defending Against Attacks
• Speed of attacks
• Greater sophistication of attacks
• Simplicity of attack tools
• Quicker detection of vulnerabilities
  – Zero day attack
• Delays in patching products
• Distributed attacks
• User confusion

Difficulties in Defending Against Attacks (cont’d.)
Figure 1-1 Increased sophistication of attack tools

Difficulties in Defending Against Attacks (cont’d.)
Figure 1-2 Menu of attack tools

Difficulties in Defending Against Attacks (cont’d.)
Table 1-2 Difficulties in defending against attacks

What Is Information Security?

• Understand what information security is
• Why is information security important today?
• Who are the attackers?

Defining Information Security
• Security
  – State of freedom from a danger or risk
• Information security
  – Tasks of guarding information that is in a digital format
  – Ensures that protective measures are properly implemented
  – Protect information that has value to people and organizations
    • Value comes from the characteristics of the information

Defining Information Security (cont’d.)
• Characteristics of information that must be protected by information security
  – Confidentiality
  – Integrity
  – Availability
• Achieved through a combination of three entities
  – Products
  – People
  – Procedures

Defining Information Security (cont’d.)
Figure 1-3 Information security components

Defining Information Security (cont’d.)
Table 1-3 Information security layers

Information Security Terminology
• Asset
  – Something that has a value
• Threat
  – Event or object that may defeat the security measures in place and result in a loss
  – By itself does not mean that security has been compromised
• Threat agent
  – Person or thing that has the power to carry out a threat

Information Security Terminology (cont’d.)
• Vulnerability
  – Weakness that allows a threat agent to bypass security
• Exploiting the security weakness
  – Taking advantage of the vulnerability
• Risk
  – Likelihood that a threat agent will exploit a vulnerability
  – Some degree of risk must always be assumed
  – Three options for dealing with risk

Information Security Terminology (cont’d.)
Table 1-4 Security information terminology

Understanding the Importance of Information Security
• Preventing data theft
  – Theft of data is one of the largest causes of financial loss due to an attack
  – Affects businesses and individuals
• Thwarting identity theft
  – Identity theft
    • Using someone’s personal information to establish bank or credit card accounts that are then left unpaid
    • Leaves the victim with debts and ruins their credit rating
  – Legislation continues to be enacted

Understanding the Importance of Information Security (cont’d.)
• Avoiding legal consequences
  – Federal and state laws that protect the privacy of electronic data
    • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    • The Sarbanes-Oxley Act of 2002 (Sarbox)
    • The Gramm-Leach-Bliley Act (GLBA)
    • USA Patriot Act (2001)
    • The California Database Security Breach Act (2003)
    • Children’s Online Privacy Protection Act of 1998 (COPPA)

Understanding the Importance of Information Security (cont’d.)
• Maintaining productivity
  – Lost wages and productivity during an attack and cleanup
  – Unsolicited e-mail message security risk
    • U.S. businesses forfeit $9 billion each year restricting spam
• Foiling cyberterrorism
  – Could cripple a nation’s electronic and commercial infrastructure
  – “Information Security Problem”

Who Are the Attackers?

• Divided into several categories
  – Hackers
  – Script kiddies
  – Spies
  – Employees
  – Cybercriminals
  – Cyberterrorists

Hackers
• Debated definition of hacker
  – Identify anyone who illegally breaks into or attempts to break into a computer system
  – Person who uses advanced computer skills to attack computers only to expose security flaws
    • “White Hats”

Script Kiddies
• Unskilled users
• Use automated hacking software
• Do not understand the technology behind what they are doing
• Often indiscriminately target a wide range of computers

Spies
• Person who has been hired to break into a computer and steal information
• Do not randomly search for unsecured computers
• Hired to attack a specific computer or system
• Goal
  – Break into computer or system
  – Take the information without drawing any attention to their actions

Employees
• Reasons for attacks by employees
  – Show company weakness in security
  – Retaliation
  – Money
  – Blackmail
  – Carelessness

Cybercriminals
• Loose-knit network of attackers, identity thieves, and financial fraudsters
• Motivated by money
• Financial cybercrime categories
  – Stolen financial data
  – Spam email to sell counterfeits and pornography

Cybercriminals (cont’d.)
Table 1-6 Eastern European promotion of cybercriminals

Cyberterrorists
• Motivated by ideology
• Sometimes considered attackers that should be feared most

Attacks and Defenses
• Same basic steps are used in most attacks
• Protecting computers against these steps
  – Calls for five fundamental security principles

Steps of an Attack
• Probe for information
• Penetrate any defenses
• Modify security settings
• Circulate to other systems
• Paralyze networks and devices

Figure 1-5 Steps of an attack


Defenses Against Attacks
• Layering
  – If one layer is penetrated, several more layers must still be breached
  – Each layer is often more difficult or complicated than the previous
  – Useful in resisting a variety of attacks
• Limiting
  – Limiting access to information reduces the threat against it
  – Technology-based and procedural methods

Defenses Against Attacks (cont’d.)
• Diversity
  – Important that security layers are diverse
  – Breaching one security layer does not compromise the whole system
• Obscurity
  – Avoiding clear patterns of behavior makes attacks from the outside much more difficult
• Simplicity
  – Complex security systems can be hard to understand, troubleshoot, and feel secure about

Building a Comprehensive Security Strategy
• Block attacks
  – Strong security perimeter
    • Part of the computer network to which a personal computer is attached
  – Local security important too
• Update defenses
  – Continually update defenses to protect information against new types of attacks

Building a Comprehensive Security Strategy (cont’d.)
• Minimize losses
  – Realize that some attacks will get through security perimeters and local defenses
  – Make backup copies of important data
  – Business recovery policy
• Send secure information
  – “Scramble” data so that unauthorized eyes cannot read it
  – Establish a secure electronic link between the sender and receiver

Summary
• Attacks against information security have grown exponentially in recent years
• Difficult to defend against today’s attacks
• Information security definition
  – That which protects the integrity, confidentiality, and availability of information
• Main goals of information security
  – Prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism

Summary (cont’d.)
• Several types of people are typically behind computer attacks
• Five general steps that make up an attack
• Practical, comprehensive security strategy involves four key elements