Introduction to Security Niken D Cahyani Gandeva Bayu Satrya Telkom Institute of Technology Chapter -1

Reference & Assessment

Source:
- Mark Ciampa, Security+ Guide to Network Security Fundamentals, Course Technology, Cengage Learning
- Eric Conrad, Eleventh Hour CISSP: Study Guide, Elsevier Inc.
- Chris McNab, Network Security Assessment, O'Reilly
- Jason Andress, The Basics of Information Security, Elsevier Inc., 2011

Assessment: UTS: 30%, UAS: 30%, Work LABZ: 25%, and Task: 15%.

Punishment: Any kind of Cheating E

Learning Objectives

I. Challenges of Securing Information
II. What Is Information Security?
III. Who Are the Attackers?
IV. Attacks and Defenses
V. Surveying Information Security Careers

Introduction

Although this century is still young, so far it has been characterized by a single word: security. An unprecedented increase in the number of attacks upon citizens has occurred around the world. Suicide bombings, airplane hijackings, subway massacres, and guerrilla commando raids occur regularly.

To counteract these attacks, governments and other organizations have implemented new types of security defenses. Passengers using public transportation are routinely searched. Fences are erected across borders. Telephone calls are monitored. The number and brutal nature of attacks is resulting in dramatic security defenses that affect how the average citizen lives, works, and plays.

A new element of IT, virtually unheard of just a few years ago, is now at the very core of the industry: information security. Information security is focused on protecting the valuable electronic information of organizations and users. Thus the demand for IT professionals who know how to secure networks and computers is at an all-time high. Today businesses and organizations require employees and even prospective applicants to demonstrate that they are familiar with computer security practices.

1. Challenges of Securing Information

To a casual observer it may seem that there should be a straightforward solution to securing computers, such as using a stronger antivirus product or creating a longer password. However, there is no simple solution to securing information. This can be seen through the different types of attacks that users face today, as well as the difficulties in defending against these attacks.

Today's Security Attacks (Ex:1)

A malicious program was introduced at some point in the manufacturing process of a popular brand of digital photo frames. When a user inserts a flash drive into the frame's Universal Serial Bus (USB) connector to transfer pictures to it for viewing, the malicious program is silently installed on the flash drive. When the flash drive is inserted into a computer, that computer is then infected.

Today's Security Attacks (Ex:2)

An e-mail claiming to be from the United Nations (U.N.) Nigerian Government Reimbursement Committee is sent to unsuspecting users. The e-mail says that the user has been identified as a past recipient of the famous Nigerian General spam, in which the user is asked for his bank account number so a Nigerian General can temporarily hide funds from rebels.

Difficulties in Defending against Attacks

The challenge of keeping computers secure has never been greater, not only because of the number of attacks but also because of the difficulties faced in defending against these attacks. These difficulties include:

- Speed of attacks
- Greater sophistication of attacks
- Simplicity of attack tools
- Attackers can detect vulnerabilities more quickly and more readily exploit these vulnerabilities
- Delays in patching hardware and software products
- Most attacks are now distributed attacks, instead of coming from only one source
- User confusion

2. What Is Information Security?

In a general sense, security can be considered as a state of freedom from a danger or risk. For example, a nation experiences security when its military has the strength to protect its citizens from a hostile outside force. This state or condition of freedom exists because protective measures are established and maintained.

The term information security is frequently used to describe the tasks of guarding information that is in a digital format. This digital information is typically manipulated by a microprocessor (such as on a personal computer), stored on a magnetic or optical storage device (like a hard drive or a DVD), and transmitted over a network (such as a local area network or the Internet).

Information security can be understood by examining its goals and how it is accomplished. First, information security ensures that protective measures are properly implemented. Second, information security is intended to protect information that has value to people and organizations, and that value comes from the characteristics of the information.

Three of the characteristics of information that must be protected by information security are:

1) Confidentiality ensures that only authorized parties can view the information.
2) Integrity ensures that the information is correct and no unauthorized person or malicious software has altered that data.
3) Availability ensures that data is accessible to authorized users.

Information Security Components

Information Security Terminology

Understanding the Importance of IS

Information security is important to businesses and individuals. The main goals of information security are to prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism.

3. Who Are the Attackers?

The types of people behind computer attacks are generally divided into several categories. These include hackers, script kiddies, spies, employees, cybercriminals, and cyberterrorists.

Hackers: The term is used in a generic sense to identify anyone who illegally breaks into or attempts to break into a computer system.

Script Kiddies: Want to break into computers to create damage. However, whereas hackers have an advanced knowledge of computers and networks, script kiddies are unskilled users.

Spies: A computer spy is a person who has been hired to break into a computer and steal information. Their goal is to break into that computer or system and take the information without drawing any attention to their actions.

Employees: One of the largest information security threats to a business actually comes from an unlikely source: its employees. Why would employees break into their company's computer? Sometimes an employee might want to show the company a weakness in their security.

Cybercriminals: Cybercriminals are a loose-knit network of attackers, identity thieves, and financial fraudsters. These cybercriminals are described as being more highly motivated, less risk-averse, better funded, and more tenacious than hackers.

Cyberterrorists: Their motivation may be defined as ideology, or attacking for the sake of their principles or beliefs. Cyberterrorists are sometimes considered the attackers that should be feared the most, for it is almost impossible to predict when or where an attack may occur.

4. Attacks and Defenses

Although there are a wide variety of attacks that can be launched against a computer or network, the same basic steps are used in most attacks. Protecting computers against these steps in an attack calls for five fundamental security principles.

Steps of an Attack

There are a variety of types of attacks. One way to categorize these attacks is by the five steps that make up an attack:

1) Probe for information
2) Penetrate any defenses
3) Modify security settings
4) Circulate to other systems
5) Paralyze networks and devices

Defenses against Attacks

Although multiple defenses may be necessary to withstand an attack, these defenses should be based on five fundamental security principles: protecting systems by layering, limiting, diversity, obscurity, and simplicity.

4.1. Layering

One defense mechanism may be relatively easy for an attacker to circumvent. Instead, a security system must have layers, making it unlikely that an attacker has the tools and skills to break through all the layers of defenses. A layered approach can also be useful in resisting a variety of attacks. Layered security provides the most comprehensive protection.

4.2. Limiting

Limiting access to information reduces the threat against it. Only those who must use data should have access to it. In addition, the amount of access granted to someone should be limited to what that person needs to know. For example, access to the human resource database for an organization should be limited to approved employees, including department managers and vice presidents.

4.3. Diversity

Diversity is closely related to layering. Just as it is important to protect data with layers of security, so too must the layers be different (diverse) so that if attackers penetrate one layer, they cannot use the same techniques to break through all other layers. For example, some organizations use security products provided by different vendors. An attacker who can circumvent a Brand A device would have more difficulty trying to break through both Brand A and Brand B devices because they are different.

4.4. Obscurity

An example of obscurity would be not revealing the type of computer, operating system, software, and network connection a computer uses. An attacker who knows that information can more easily determine the weaknesses of the system to attack it. However, if this information is hidden, it takes much more effort to acquire the information and, in many instances, an attacker will then move on to another computer in which the information is easily available. Obscuring information can be an important way to protect information.

4.5. Simplicity

Complex security systems can be hard to understand, troubleshoot, and feel secure about. As much as possible, a secure system should be simple for those on the inside to understand and use. Complex security schemes are often compromised to make them easier for trusted users to work with, yet this can also make it easier for the attackers. In short, keeping a system simple from the inside but complex on the outside can sometimes be difficult but reaps a major benefit.

5. Surveying Information Security Careers and the Security+ Certification