XML: Part - City College of San Francisco

Chapter 1: Information Security Fundamentals
Mission College CIT 016
Security+

Objectives
- Identify the challenges for information security
- Define information security
- Explain the importance of information security
- List and define information security terminology
- Describe the CompTIA Security+ certification exam
- Describe information security careers

Challenges for Information Security
- The challenge of keeping networks and computers secure has never been greater
- A number of trends illustrate why security is becoming increasingly difficult
- Many trends have resulted in security attacks growing at an alarming rate

Identifying the Challenges for Information Security (continued)
- The Computer Emergency Response Team (CERT) security organization compiles statistics regarding the number of reported attacks, including:
  - Speed of attacks
  - Sophistication of attacks
  - Faster detection of weaknesses
  - Distributed attacks
  - Difficulties of patching

Challenges for Information Security (continued)

Defining Information Security
- Information security: the tasks of guarding digital information, which is typically processed by a computer (such as a personal computer), stored on a magnetic or optical storage device (such as a hard drive or DVD), and transmitted over a network

Defining Information Security
- Ensures that protective measures are properly implemented
- Is intended to protect information
- Involves more than protecting the information itself

Defining Information Security
- Three characteristics of information must be protected by information security:
  1. Confidentiality
  2. Integrity
  3. Availability
- The center of the diagram shows what needs to be protected (information)
- Information security is achieved through a combination of the three entities above

Importance of Information Security
- Information security is important to businesses because it:
  - Prevents data theft
  - Avoids legal consequences of not securing information
  - Maintains productivity
  - Foils cyberterrorism
  - Thwarts identity theft

Preventing Data Theft
- Security is often associated with theft prevention
- Drivers install security systems on their cars to prevent the cars from being stolen
- The same is true with information security: businesses cite preventing data theft as the primary goal of information security

Preventing Data Theft (continued)
- Theft of data is the single largest cause of financial loss due to a security breach
- One of the most important objectives of information security is to protect important business and personal data from theft

Avoiding Legal Consequences
- In recent years, a number of federal and state laws have been enacted to protect the privacy of electronic data
- Businesses that fail to protect data may face serious penalties
- Laws include:
  - The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - The Sarbanes-Oxley Act of 2002 (Sarbox)
  - The Gramm-Leach-Bliley Act (GLBA)
  - USA PATRIOT Act 2001

HIPAA
- Health Insurance Portability and Accountability Act (1996)
- Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs
- Title II, the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers
- The AS provisions also address the security and privacy of health data
- http://en.wikipedia.org/wiki/HIPAA

Sarbanes-Oxley Act of 2002
- Federal law passed in response to a number of major corporate and accounting scandals
- SOX or SarbOX imposes stringent reporting requirements and internal controls on electronic financial reporting systems
- Corporate officers who knowingly certify a false financial report can be fined up to $5 million and serve 20 years in prison
- http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act

Gramm-Leach-Bliley Act (GLBA)
- The GLBA requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information
- The GLBA also states that all electronic and paper data containing personally identifiable financial information must be protected
- The GLBA also allowed commercial and investment banks to consolidate
- http://www.consumerprivacyguide.org/law/glb.shtml
- http://en.wikipedia.org/wiki/Gramm-Leach-Bliley_Act

US Patriot Act (2001)
- Designed to broaden the surveillance powers of law enforcement agencies so they can detect and suppress terrorism
- The US Patriot Act also authorizes law enforcement to install electronic monitoring devices to assess computer and telephone usage
- http://en.wikipedia.org/wiki/Patriot_Act
- http://www.epic.org/privacy/terrorism/usapatriot/
- http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.03162:

Maintaining Productivity
- After an attack on information security, clean-up efforts divert resources, such as time and money, away from normal activities
- A Corporate IT Forum survey of major corporations showed:
  - Each attack costs a company an average of $213,000 in lost man-hours and related costs
  - One-third of corporations reported an average of more than 3,000 man-hours lost

Maintaining Productivity (continued)

Foiling Cyberterrorism
- An area of growing concern among defense experts is surprise attacks by terrorist groups using computer technology and the Internet (cyberterrorism)
- These attacks could cripple a nation's electronic and commercial infrastructure
- Our challenge in combating cyberterrorism is that many prime targets are not owned and managed by the federal government
- http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/

Thwarting Identity Theft
- Identity theft involves using someone's personal information, such as social security numbers, to establish bank or credit card accounts that are then left unpaid, leaving the victim with the debts and ruining their credit rating
- National, state, and local legislation continues to be enacted to deal with this growing problem
  - The Fair and Accurate Credit Transactions Act of 2003 is a federal law that addresses identity theft
  - Consumers can receive a free copy of their credit report once every year

Information Security Terminology

Exploring the CompTIA Security+ Certification Exam
- Since 1982, the Computing Technology Industry Association (CompTIA) has been working to advance the growth of the IT industry
- CompTIA is the world's largest developer of vendor-neutral IT certification exams
- The CompTIA Security+ certification tests for mastery in security concepts and practices

Exploring the CompTIA Security+ Certification Exam
- The exam was designed with input from security industry leaders, such as VeriSign, Symantec, RSA Security, Microsoft, Sun, IBM, Novell, and Motorola
- The Security+ exam is designed to cover a broad range of security topics categorized into five areas or domains:
  1. General Security Concepts – 30%
  2. Communication Security – 20%
  3. Infrastructure Security – 20%
  4. Basics of Cryptography – 15%
  5. Operational and Organizational Security – 15%

Surveying Information Security Careers
- Information security is one of the fastest growing career fields
- As information attacks increase, companies are becoming more aware of their vulnerabilities and are looking for ways to reduce their risks and liabilities

Surveying Information Security Careers
- Sometimes divided into three general roles:
  - Security manager: develops corporate security plans and policies, provides education and awareness, and communicates with executive management about security issues
  - Security engineer: designs, builds, and tests security solutions to meet policies and address business needs
  - Security administrator: configures and maintains security solutions to ensure proper service levels and availability

Summary
- The challenge of keeping computers secure is becoming increasingly difficult
- Attacks can be launched without human intervention and infect millions of computers in a few hours
- Information security protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information, through products, people, and procedures

Summary (continued)
- Information security has its own set of terminology
- A threat is an event or an action that can defeat security measures and result in a loss
- CompTIA has been working to advance the growth of the IT industry and those individuals working within it
- CompTIA is the world's largest developer of vendor-neutral IT certification exams