
1. 1. Challenges of Information Security
1.1. Security is the single most important topic in the computer world
1.2. No single simple solution exists for protecting computers and security information
1.3. Different types of attacks computers face: the volume and diversity of attacks make them hard to defend against
1.4. Difficulties in defending against these attacks
2. 2. Today's Attacks
2.1. Attacks directed at point-of-sale (PoS) systems
2.1.1. Resulted in over 1.02 billion records of consumers' payment card information being stolen in a year
2.1.2. Called "memory-scrapers", they steal the user's payment card number as the card is being swiped
2.2. Healthcare industry
2.2.1. Medical and financial information about the patient and the patient's family can be used to steal identities
2.2.2. Also used for billing fraud and for purchasing drugs for resale
2.3. Car hacking: breaking into a car's electronic systems
2.4. From January 2005 through July 2015, over 853 million electronic data records in the US were breached, exposing personal electronic data to attackers
3. 3. Difficulties in defending against attacks
3.1. 1. Universally Connected Devices
3.1.1. Currently, all devices are connected to the Internet.
3.1.2. This makes it easy for attackers to silently launch an attack against a connected device.
3.2. 2. Increased Speed of attacks
3.2.1. With modern tools attackers can quickly scan systems to find weaknesses and launch attacks.
3.2.2. Many tools initiate attacks without human participation, which increases the speed at which systems are attacked.
3.3. 3. Greater sophistication of attacks
3.3.1. Attackers are using common Internet Protocols and applications to perform attacks.
3.3.2. This makes it tricky to distinguish an attack from legitimate (clean) traffic
3.4. 4. Availability and Simplicity of Attack Tools
3.4.1. In the past, attackers needed to have extensive knowledge about network and the ability to write programs in order to perform attacks.
3.4.2. Today's attack tools do not require any sophisticated knowledge.
3.4.3. Tools have a Graphical User Interface (GUI) that allows the user to select options from menus and perform an attack.
3.5. 5. Faster Detection of Vulnerabilities
3.5.1. There are software tools available that scan a computer system for Vulnerabilities (Weaknesses).
3.5.2. This makes it fast for attackers to exploit vulnerabilities and attack a system.
3.6. 6. Delays in Security Updating
3.6.1. One antivirus product receives more than 390,000 submissions of potential malware every day.
3.6.2. To keep us protected, antivirus companies would have to send us an update every 5 seconds, which is not possible.
3.6.3. This delay makes it difficult to defend against an attack.
3.7. 7. Weak Security Update Distribution
3.7.1. Vendors (e.g., antivirus companies) do not usually send patches to customers.
3.7.2. A patch is a small security update addressing recent malware and vulnerabilities.
3.7.3. Vendors release an entirely new version of the software and ask the customer to pay.
3.7.4. This delay until the new version is released leaves users exposed to attack.
3.8. 8. Distributed attacks
3.8.1. Attackers can use thousands of computers in an attack against a single computer or network (Many against one)
3.8.2. It is difficult to stop an attack by identifying and blocking a single source
3.9. 9. User confusion (Most difficult reason)
3.9.1. Users often have to make difficult security decisions regarding their computer systems, often with little or no information;
3.9.2. For example:
3.9.3. ex1: Is it safe to quarantine (isolate) this attachment?
3.9.4. ex2: Should I allow my bank to install this add-in?
3.9.5. Many users do not even know about antivirus software and security updates, which makes them easy targets for attackers.
4. 4. What Is Information Security?
4.1. What do we need to know before it is possible to defend against attacks?
4.2. Common information security terminology
4.3. Helpful when creating defenses for computers
4.4. The importance of information security
5. 5. Understanding Security
5.1. Security
5.1.1. Necessary steps to protect a person or property from harm
5.1.2. Security is inversely proportional to convenience
5.1.3. As security increases, convenience decreases
5.1.4. Giving up short-term ease for long-term protection
6. 6. Defining Information Security
6.1. 1. Describes the task of guarding information that is in a digital format
6.2. 2. Ensures that protective measures are properly implemented
6.2.1. Creates a defense that attempts to ward off attacks and prevents the collapse of the system when an attack occurs, i.e., information security is protection
6.3. 3. Intended to protect information that has high value to people and organizations
6.3.1. Value comes from the characteristics of the information
6.4. 4. Three protections that must be extended (CIA)
6.4.1. Confidentiality
6.4.1.1. Ensures that only authorized parties can view the information
6.4.2. Integrity
6.4.2.1. Ensures that the information is correct
6.4.3. Availability
6.4.3.1. A secure computer must make data immediately available to authorized users
7. 6. Information Security
7.1. Protects the confidentiality, integrity, and availability of information
7.2. In addition to the CIA triad, another set of protections must be implemented: (AAA Framework)
7.2.1. Authentication
7.2.1.1. Verifying the identity of a user or host that is accessing the system or network resource
7.2.2. Authorization
7.2.2.1. Permitting or restricting access to the information based on the type of user and their role
7.2.3. Accounting (auditing)
7.2.3.1. Provides tracking of events
7.3. Information security must protect devices that store, process, and transmit information
7.4. Information protected in three layers
7.4.1. 1. Products
7.4.2. 2. People
7.4.3. 3. Policies and procedures
8. 7. Information Security Terminology
8.1. Asset
8.1.1. Something that has value (car stereo)
8.2. Threat
8.2.1. Event or object that may defeat the security measures in place and result in a loss (car stereo is stolen – even though the car was locked)
8.3. Threat agent
8.3.1. Person or element that has power to carry out a threat (thief)
8.4. Vulnerability
8.4.1. Flaw or weakness that allows a threat agent to bypass security
8.5. Threat vector (the path used to exploit the vulnerability)
8.5.1. The means by which an attack can occur, such as an attacker stealing user passwords
8.6. Risk
8.6.1. It is a situation that involves exposure to some type of danger.
8.6.2. The likelihood that a threat agent will exploit a vulnerability
8.6.3. What is the probability that the threat will materialize and the scooter will be stolen?
8.6.4. Some degree of risk must always be assumed
8.6.5. Four options for dealing with risk (acceptance, mitigation, avoidance, deterrence)
8.7. Four options for dealing with risk
8.7.1. 1) Risk avoidance:
8.7.1.1. E.g., not purchasing a scooter because it might be lost
8.7.1.2. Not performing any activity that may carry risk
8.7.1.3. A risk avoidance methodology attempts to minimize vulnerabilities that can pose a threat
8.7.2. 2) Risk acceptance:
8.7.2.1. Opposite of risk avoidance
8.7.2.2. E.g., even though we know the scooter may be stolen, we will buy it
8.7.2.3. Acknowledging that the potential loss from a risk is not great enough to warrant spending money to avoid it
8.7.3. 3) Risk mitigation
8.7.3.1. Decreasing the likelihood of the risk occurring
8.7.3.2. E.g., asking the apartment manager to fix the hole in the fence so that the probability of the scooter being stolen decreases
8.7.4. 4) Risk deterrence
8.7.4.1. E.g., asking the apartment manager to post signs stating that anyone entering through the fence will be punished under the law
8.7.4.2. Involves putting in place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated
9. 8. The Importance of Information Security
9.1. Goals of information security
9.1.1. Preventing data theft
9.1.2. Thwarting identity theft
9.1.3. Avoiding legal consequences of not securing data
9.1.4. Maintaining productivity
9.1.5. Foiling cyberterrorism
9.2. Data theft examples
9.2.1. Stealing business information
9.2.2. Stealing personal credit card number
9.3. Identity theft
9.3.1. Stealing a person's information
9.3.2. Using the information to impersonate the victim
9.3.3. Usually motivated by financial gain
9.3.4. Thieves can create new bank or credit card accounts under the victim's name that are left unpaid, leaving the victim with the debts and a damaged credit rating
9.4. Avoiding legal consequences
9.4.1. Laws protecting electronic data privacy:
9.4.1.1. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
9.4.1.2. The Sarbanes-Oxley Act of 2002 (Sarbox)
9.4.1.3. The Gramm-Leach-Bliley Act (GLBA)
9.4.1.4. Payment Card Industry Data Security Standard (PCI DSS)
9.4.1.5. The California Database Security Breach Act (2003)
9.5. Maintaining productivity
9.5.1. Cleaning up after an attack diverts resources
9.6. Foiling cyberterrorism
9.6.1. Premeditated, politically motivated attacks against information, computer systems, programs, and data
9.6.2. Intended to cause panic, provoke violence, or cause financial catastrophe
9.6.3. Possible cyberterrorist targets
9.6.3.1. Banking industry
9.6.3.2. Military installations
9.6.3.3. Air traffic control centers
9.6.3.4. Water systems
10. 9. Building a Comprehensive Security Strategy
10.1. Four key elements to creating a practical security strategy:
10.2. 1. Block attacks
10.3. 2. Update defenses
10.4. 3. Minimize losses
10.5. 4. Send secure information
11. 10. Block Attacks
11.1. Strong (network) security perimeter
11.1.1. Part of the computer network
11.2. Local security on all computers is also important
11.2.1. To defeat attacks that breach the perimeter
11.3. Examples:
11.3.1. Use a firewall to block unauthorized or malicious traffic
11.3.2. Use an Intrusion Detection System (IDS): software that monitors network traffic to detect suspicious activity
12. 11. Update Defenses
12.1. Continually update defenses to protect information against new types of attacks
12.1.1. New attacks appear daily
12.1.2. Update defensive hardware and software
12.1.3. Apply operating system security updates regularly
13. 12. Minimize Losses
13.1. Actions must be taken in advance to minimize loss
13.2. Make backup copies of important data
13.3. Having a business recovery policy:
13.4. Details what to do in the event of a successful attack
14. 13. Who Are the Attackers?
14.1. 1. Cybercrime or cybercriminals
14.1.1. Targeted attacks against financial networks
14.1.2. Unauthorized access to information
14.1.3. Theft of personal information – identity theft
14.1.4. Goal: financial gain
14.1.5. Example of Financial cybercrime
14.1.5.1. Trafficking in stolen credit cards and financial information
14.1.5.2. Using spam email to commit fraud (sell counterfeits and pirated software)
14.2. 2. Hackers/Crackers
14.2.1. Hacker
14.2.1.1. Someone who uses his or her advanced skills to (legally) attack computers only to expose security flaws
14.2.1.2. White hat = Motive is to improve security by finding holes so they can be fixed.
14.2.2. Cracker
14.2.2.1. Person who violates system security with malicious intent
14.2.2.2. Like hackers, possess advanced skills to exploit vulnerabilities to attack computers and networks
14.2.2.3. Also known as black hats = searching for security weaknesses to destroy data, deny legitimate users of service, or otherwise cause serious problems on computers and networks (malicious and destructive)
14.3. 3. Script Kiddies
14.3.1. Goal: break into computers to create damage
14.3.2. Unskilled users = Lack the technical skills of crackers
14.3.3. Download or purchase automated hacking software, called an exploit kit, that can be used without any computer knowledge
14.3.4. 40 percent of attacks are performed by script kiddies
14.4. 4. Brokers
14.4.1. Individuals who discover vulnerabilities in systems and sell them to the highest bidder for money
14.4.2. Generally possess excellent computer skills (to attack and cover their tracks)
14.5. 5. Insiders
14.5.1. An organization’s own employees, contractors, and business partners
14.5.2. One of the largest information security threats
14.5.3. One study (on data leakage) showed 48 percent of data breaches are caused by insiders accessing information
14.5.4. Most insider attacks: sabotage or theft of intellectual property
14.5.5. Example attacks
14.5.5.1. Healthcare worker publicized celebrities’ health records
14.5.5.2. Disgruntled over upcoming job termination
14.5.5.3. U.S. Army private accessed sensitive documents
14.6. 6. Cyberterrorists
14.6.1. Premeditated, politically motivated attacks
14.6.2. Target: information, computer systems, data (government, large organizations)
14.6.3. Designed to:
14.6.3.1. Cause panic
14.6.3.2. Provoke violence
14.6.3.3. Result in financial catastrophe (cause real harm)
14.6.4. Could cripple a nation's electronic and commercial infrastructure, e.g.:
14.6.5. Utility companies, telecommunications and financial services
14.7. 7. Hacktivists
14.7.1. Combination of the words "hack" and "activism"
14.7.2. Motivated by ideology, but their goal is only disruption, whereas cyberterrorists want to cause real harm
14.7.3. Direct attacks at specific Web sites (unlike cyberterrorists)
14.7.4. May promote a political agenda
14.7.5. Or retaliate for a specific prior event,
14.7.6. E.g., disabling the website of a bank that stopped accepting deposits into accounts belonging to hacktivists
14.8. 8. State-Sponsored Attackers
14.8.1. Governments may instigate attacks against own citizens or foreign governments (whom they consider hostile or threatening)
14.8.2. Most state-sponsored attacks are directed towards businesses in foreign countries
14.8.3. Goal of causing financial harm or damage to the organization’s reputation
14.8.4. See examples, p23
14.8.5. Flame malware – targeted computers in the Middle East
14.8.6. Stuxnet virus – targeted a nuclear power plant in Arabian Gulf
14.8.7. 300,000+ Iranian citizens had their e-mails read without consent.