Cengage Learning. Security Awareness, Fifth Edition.
Objectives.
After completing this chapter, you should be able to do the following:
- Describe the challenges of securing information
- Define information security and explain why it is important
- Identify the types of attackers that are common today
- Describe attacks and defenses
Challenges of Securing Information.
- No single simple solution exists for protecting computers and securing information
- Different types of attacks that computers face
- Difficulties in defending against these attacks
Today’s Attacks (part 1 of 5).
- Attacks directed at point-of-sale (PoS) systems in retail stores
  - Resulted in over 1.02 billion records of consumers’ payment card information being stolen in a year (2.8 million records each day)
  - Malicious programs called “memory-scrapers” steal users’ payment card numbers as the card is being swiped at the PoS
  - Attackers are infecting PoS systems by sending email attachments posing as resumes
- Healthcare industry
  - Medical and financial information about the patient and the patient’s family can be used to steal identities
  - Stolen identities are used for billing fraud (charging medical treatments to victims) and even for purchasing drugs for resale
  - Total cost of healthcare data breaches is about $6 billion per year
Today’s Attacks (part 2 of 5).
- Vulnerability in home wireless networking equipment
  - Would allow attackers to launch malicious software against any device connected to the home network
- Vulnerability in 1.4 million vehicles
  - Attackers could remotely control the car’s A/C, radio, windshield wipers, brakes, and speed, and the driver has no control
- A researcher was able to connect his laptop to an aircraft’s in-flight entertainment system (IFE)
  - Once connected to the IFE he could access other systems on the plane and control the flight height
- Cars with Passive Keyless Entry & Start (PKES) can be hacked to get access by using a backpack that amplifies the power to make it seem like the key fob is near the car
Today’s Attacks (part 3 of 5).
- Personal medical devices could be the next target for attackers
- Belgium credit provider had customer information stolen
  - Attackers threatened to publish the information if the company did not pay
- E-mail account compromised
  - Attacker sent bogus emails to the account owner’s contacts asking them to wire money
Today’s Attacks (part 4 of 5).
- Car hacking
  - Breaking into a car’s electronic systems
- Vulnerabilities in Apple devices
  - Continue to be exposed and manipulated by attackers
- From January 2005 through July 2015, over 853 million electronic data records in the US were breached
  - Exposing personal electronic data to attackers
Today’s Attacks (part 5 of 5).

| Organization | Description of Security Breach | Number of identities exposed |
| --- | --- | --- |
| Office of Personnel Management | Current and former federal employees exposed employees’ job assignments, performance, and training, and may have exposed Social Security information and/or financial information. | 4,000,000 |
| CareFirst BlueCross BlueShield | The breach of a single database exposed names, birth dates, email addresses, and insurance identification numbers. | 1,100,000 |
| Penn State’s College of Engineering | In two different intrusions attackers accessed “sensitive data” of all College of Engineering students, faculty, and staff. | 18,000 |
| Sally Beauty | “Unusual activity of payment cards at some stores” followed a similar attack 60 days before in which information on over 25,000 customer payment cards was stolen. | Unknown |
| AT&T | In three separate incidents employees accessed customer names and Social Security numbers, which were then sold to outsiders who used that information to unlock stolen cell phones. | 280,000 |
| Anthem BlueCross BlueShield | Names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, employment and income information were stolen in an attack that may have gone undetected for ten months. | 80,000,000 |
Difficulties in Defending Against Attacks (part 1 of 2).
Difficulties in Defending Against Attacks (part 2 of 2).
What Is Information Security?
- What do we need to know?
  - Common information security terminology
    - Helpful when creating defenses for computers
  - The importance of information security
Understanding Security (part 1 of 2).
- Security
  - Necessary steps to protect a person or property from harm
- Example: security for a home
  - Protection from burglary
  - Protection from natural forces (storms, etc.)
- Security is inversely proportional to convenience
  - As security increases, convenience decreases
Understanding Security (part 2 of 2). The relationship of security to convenience.
Defining Information Security (part 1 of 5).
- Information security
  - Task of securing information in a digital format
  - Ensures protective measures are properly implemented
  - Protects information with value to people and organizations
- Three protections that must be extended (CIA)
  - Confidentiality
  - Integrity
  - Availability
Defining Information Security (part 2 of 5).
In addition to the CIA triad, another set of protections must be implemented:
- Authentication
- Authorization
- Accounting
Defining Information Security (part 3 of 5).
- Information security must protect devices that store, process, and transmit information
- Information protected in three layers
  - Products
  - People
  - Policies and procedures
Defining Information Security (part 4 of 5). Information security layers.
Defining Information Security (part 5 of 5).

| Layer | Description |
| --- | --- |
| Products | Forms the security around the data. May be as basic as door locks or as complicated as network security equipment. |
| People | Those who implement and properly use security products to protect data. |
| Policies and procedures | Plans and policies established by an organization to ensure that people correctly use the products. |
Information Security Terminology (part 1 of 5).
- Asset
  - Something of value
- Threat
  - Type of action with potential to cause harm
- Threat agent
  - Person or element with power to carry out a threat
- Vulnerability
  - Flaw or weakness that allows a threat agent to bypass security
Information Security Terminology (part 2 of 5). Information security components analogy.
Information Security Terminology (part 3 of 5).
- Exploit the vulnerability through a threat vector
  - The means by which an attack can occur, such as an attacker stealing user passwords
- Risk
  - The likelihood that a threat agent will exploit a vulnerability
  - Some degree of risk must always be assumed
Information Security Terminology (part 4 of 5).
Options for dealing with risk:
- Risk avoidance: will not purchase the scooter
- Risk acceptance: buy the scooter with risk acceptance
- Risk mitigation: could fix the hole in the fence
- Risk deterrence: post signs that trespassers will be punished to the full extent of the law
- Risk transference: insure the asset with an insurance company
Information Security Terminology (part 5 of 5).

| Term | Example in Ellie’s scenario | Example in information security |
| --- | --- | --- |
| Asset | Scooter | Employee database |
| Threat | Steal scooter | Steal data |
| Threat agent | Thief | Attacker, hurricane |
| Vulnerability | Hole in fence | Software defect |
| Threat vector | Climb through hole in fence | Access web server passwords through software flaw |
| Threat likelihood | Probability of scooter stolen | Likelihood of virus infection |
| Risk | Not purchase scooter | Not install wireless network |
Understanding the Importance of Information Security (part 1 of 5).
Understanding the Importance of Information Security (part 2 of 5).
Understanding the Importance of Information Security (part 3 of 5).
Understanding the Importance of Information Security (part 4 of 5).
Understanding the Importance of Information Security (part 5 of 5).
Who Are the Attackers?
Attackers are divided into several categories:
- Cybercriminals
- Script kiddies
- Brokers
- Insiders
- Cyberterrorists
- Hactivists
- State-sponsored
Cybercriminals (part 1 of 2).
- Generic definition
  - People who launch attacks against other users and their computers
- Specific definition
  - Loose network of highly motivated attackers, identity thieves, and financial fraudsters
  - Many belong to organized gangs of attackers
- Targets
  - Individuals and businesses
  - Businesses and governments
Cybercriminals (part 2 of 2).

| Name | Description | Example |
| --- | --- | --- |
| Surface web | Anything that can be found and indexed by a search engine | Textbook publisher website |
| Deep web | Content that cannot be found by a search engine but only through a search dialog box on the site | State medical license database |
| Dark web | Information that has been intentionally hidden and cannot be accessed through a standard web browser | Attacker black market site |
Script Kiddies (part 1 of 2).
- Attackers who lack the knowledge necessary to perform an attack on their own
- Use automated attack software
- Can purchase an “exploit kit” for a fee from other attackers
- Over 40 percent of attacks require low or no skills
Script Kiddies (part 2 of 2). Skills needed for creating attacks.
Brokers.
- Attackers sell their knowledge of a vulnerability to other attackers or governments
  - Sell to highest bidder
- Goal
  - Break into computer or system
  - Take information without drawing attention to their actions
- Generally possess excellent computer skills
Insiders.
- An organization’s own employees, contractors, and business partners
- One study showed 48 percent of data breaches are caused by insiders accessing information
- Most insider attacks: sabotage or theft of intellectual property
- Most sabotage comes from employees who have recently been demoted, reprimanded, or left the company
Cyberterrorists.
- Attacks may be ideologically motivated
  - For the sake of their principles or beliefs
- Almost impossible to predict when or where an attack may occur
  - Can be inactive for years and then suddenly strike in a new way
- Attack to incite panic
Hactivists.
- Motivated by ideology
- Direct attacks at specific Web sites
- May promote a political agenda
- Or retaliate for a specific prior event, such as disabling the website of a bank that stopped accepting deposits into accounts belonging to hactivists
State-Sponsored Attackers (part 1 of 2).
- Governments may instigate attacks against their own citizens or foreign governments
- Most state-sponsored attacks are directed towards businesses in foreign countries
  - Goal of causing financial harm or damage to the organization’s reputation
State-Sponsored Attackers (part 2 of 2).

| Attacker category | Objective | Typical target | Sample attack |
| --- | --- | --- | --- |
| Cybercriminals | Fortune over fame | Users, businesses, governments | Steal credit card information |
| Script kiddies | Thrills, notoriety | Businesses, users | Erase data |
| Brokers | Sell vulnerability to highest bidder | Any | Find vulnerability in operating system |
| Insiders | Retaliate against employer, shame government | Governments, businesses | Steal documents to publish sensitive information |
| Cyberterrorists | Cause disruption and panic | Businesses | Cripple computers that control water treatment |
| Hactivists | To right a perceived wrong against them | Governments, businesses | Disrupt financial website |
| State-sponsored attackers | Spy on citizens, disrupt foreign government | Users, governments | Read citizen’s email messages |
Building a Comprehensive Security Strategy.
- Four key elements to creating a practical security strategy:
  - Block attacks
  - Update defenses
  - Minimize losses
  - Stay alert
- Tactics used since the Middle Ages
Block Attacks.
- Medieval castle designed to block attacks
  - High, protective stone wall
  - Moat filled with water
- Objective: create a security perimeter
- Strong security perimeter
  - Part of the computer network
  - Data to be secured resides on personal computers attached to the network
- Local security on all computers important
  - To foil attacks that breach the perimeter
Update Defenses.
- Medieval example: leather shields were an adequate defense until flaming arrows were invented
- Continually update defenses to protect information against new types of attacks
  - New attacks appear daily
- Update defensive hardware and software
- Apply operating system security updates regularly
Minimize Losses.
- Medieval example: having a bucket of water available to put out a fire started by a flaming arrow
- Some attacks will get through security perimeters and local defenses
- Actions must be taken in advance to minimize loss
  - Make backup copies of important data
  - Institute a business recovery policy
    - Details what to do in the event of a successful attack
Stay Alert.
- Medieval example: defenders of the castle had to stay alert and be vigilant to join the fight
- Today, information security is the responsibility of all users
- Users must have the knowledge of what to do
  - As well as the proper motivation to stay secure
Summary (part 1 of 2).
- Attacks against information security have grown exponentially in recent years
- Difficult to defend against today’s attacks
- Information security definition
  - Protecting the integrity, confidentiality, and availability of information on devices that store, transmit, and process information
- Information security goals
  - Prevent data theft, thwart identity theft, avoid legal consequences, maintain productivity, and foil cyberterrorism
Summary (part 2 of 2).
- Attackers fall into several categories
  - Different motivations, targets, and skill levels
- Elements of a comprehensive security strategy
  - Block attacks
  - Update defenses
  - Minimize losses
  - Stay alert to attacks