
Chapter 1 - Introduction To Network Security

The document provides an introduction to information security. It outlines key learning outcomes which are to understand information security areas and goals, online security issues, and security threats. It also defines security, discusses challenges in maintaining network and computer security, and outlines areas of information security including physical, operational, and management/policies. Important security goals of integrity, confidentiality, and availability are also defined.

Uploaded by Xendra Aqeylaa

INTRODUCTION TO INFORMATION SECURITY

CHAPTER 1
Learning Outcomes

The student should be able to:
Understand information security
  Areas in information security
  Goals of information security
  Roles of information security organizations
Understand the issues of online security
  Issues related to internet services
  Terminologies in information security
  Security threats
What is Security?

The quality or state of being secure: to be free from danger
A successful organization should have multiple layers of security in place:
  Physical security
  Personal security
  Operations security
  Communications security
  Network security
  Information security
Challenges in Information Security

The challenge of keeping networks and computers secure has never been greater
A number of trends illustrate why security is becoming increasingly difficult
Many trends have resulted in security attacks growing at an alarming rate
Challenges in Information Security (Cont)

The Computer Emergency Response Team (CERT) security organization compiles statistics regarding the number of reported attacks, including:
  Speed of attacks
  Sophistication of attacks
  Faster detection of weaknesses
  Distributed attacks
  Difficulties of patching
What is Information Security?

Information security:
1. Tasks of guarding digital information, which is typically processed by a computer (such as a personal computer), stored on a magnetic or optical storage device (such as a hard drive or DVD), and transmitted over a network
What is Information Security? (Cont)

2. Ensures that protective measures are properly implemented
3. Is intended to protect information
4. Involves more than protecting the information itself
What is Information Security? (Cont)

The center of the diagram shows what needs to be protected (information)
Information security is achieved through a combination of three entities
Securing Components

A computer can be the subject of an attack and/or the object of an attack
When the subject of an attack, the computer is used as an active tool to conduct the attack
When the object of an attack, the computer is the entity being attacked
Figure 1-5 Subject and Object of Attack
Areas in Information Security

Physical Security
Operational Security
Management and Policies
Physical Security

The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
Information security policies identify the rules required to maintain information security
The information security plan details how an organization will implement the information security policies
Operational Security

Three primary information security areas:
Authentication and authorization
  Something the user knows, such as a password
  Something the user has, such as a smart card or token
  Something that is part of the user, such as a fingerprint or voice signature
Prevention and resistance
  Content filtering
  Encryption
  Firewalls
Detection and response
  If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
  Antivirus software is the most common type of detection and response technology
Management & Policies

Develop the information security policies
Communicate the information security policies
Identify critical information assets and risks
  Firewall: hardware and/or software that guards a private network by analyzing the information leaving and entering the network
  Intrusion detection software (IDS): searches out patterns in network traffic that indicate attacks and quickly responds to prevent harm
Test and reevaluate risks
Obtain stakeholder support
Information Security Goals

1. Integrity: assurance that data is not altered or destroyed in an unauthorized manner
2. Confidentiality: protection of data from unauthorized disclosure to a third party
3. Availability: continuous operation of computing systems
Information Security Organisation

CERT/CC
US-CERT
SANS Institute
ISC2
FIPS
ICSA
Information Security Organisation (Cont.)

CERT/CC (Computer Emergency Response Team / Coordination Center): handles computer security incidents
US-CERT: US Computer Emergency Response Team
SANS Institute: specializes in internet security training (GIAC certification)
ISC2: specializes in information security education and certifications
FIPS: standards developed by the United States federal government for use in computer systems
ICSA Labs: its mission was to increase awareness of the need for computer security and to provide education about various security products and technologies
Security Issues in Information Security

Electronic mail and news: ways for people to exchange information with each other without requiring an immediate, interactive response
File transfer: transmitting files over a computer network or the Internet (the simplest way to exchange files)
Remote access to a host: the ability to log onto a network from a distant location (e.g. TELNET or SSH)
Real-time conferencing services: designed for interactive use by on-line participants (video conference)
Attack Definition

Information theft:
Attacks that allow an attacker to get data without ever having to directly use your computers
How:
  Dumpster diving
  Stealing your e-mail
Used for:
  Accessing bank accounts
  Taking out loans (car, real estate)
Attack Definition (Cont)

Unauthorised disclosure:
An organization suspects some of its employees of leaking confidential information to its competitor
It is also usually believed that the competitor actually planted spies within the organization in order to target and steal new product plans
How:
  Planting a virus or trojan horse
  Snooping software
Attack Definition (Cont)

Information warfare:
The use and management of information in pursuit of a competitive advantage over an opponent
Remotely disabling a target using software (e.g. television and radio disinformation)
Disinformation: false or inaccurate information that is spread deliberately
Attack Definition (Cont)

Accidental data loss:
The most common cause of data loss: simply accidentally deleting a file that wasn't supposed to be deleted
Caused by a careless employee or an untrained employee who did not know better
Attacker Profiles

Six categories:
  Hackers
  Crackers
  Script kiddies
  Spies
  Employees
  Cyberterrorists
Attacker Profiles (Cont.)

Hackers
  Person who uses advanced computer skills to attack computers, but not with malicious intent
  Use their skills to expose security flaws
Crackers
  Person who violates system security with malicious intent
  Have advanced knowledge of computers and networks and the skills to exploit them
  Destroy data, deny legitimate users service, or otherwise cause serious problems on computers and networks
Attacker Profiles (Cont.)

Script kiddies
  Break into computers to create damage
  Are unskilled users
  Download automated hacking software from Web sites and use it to break into computers
  Tend to be young computer users with almost unlimited amounts of leisure time, which they can use to attack systems
Spies
  Person hired to break into a computer and steal information
  Do not randomly search for unsecured computers to attack
  Hired to attack a specific computer that contains sensitive information
Attacker Profiles (Cont.)

Employees
  One of the largest information security threats to business
  Employees break into their company's computers for these reasons:
    To show the company a weakness in its security
    To say, "I'm smarter than all of you"
    For money
Cyberterrorists
  Experts fear terrorists will attack the network and computer infrastructure to cause panic
  Cyberterrorists' motivation may be defined as ideology, or attacking for the sake of their principles or beliefs
  One of the targets highest on the list of cyberterrorists is the Internet itself
Basic Attacks

Today, the global computing infrastructure is the most likely target of attacks
Attackers are becoming more sophisticated, moving away from searching for bugs in specific software applications toward probing the underlying software and hardware infrastructure itself
Basic Attacks (Cont)

Social engineering
  The easiest way to attack a computer system; it requires almost no technical ability and is usually highly successful
  Social engineering relies on tricking and deceiving someone in order to gain access to a system
  Social engineering is not limited to telephone calls or dated credentials
Password guessing
  Password: a secret combination of letters and numbers that validates or authenticates a user
  Passwords are used with usernames to log on to a system using a dialog box
  Attackers attempt to exploit weak passwords by password guessing
Basic Attacks (Cont)

Social engineering
  Dumpster diving: digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away
  Phishing: sending people electronic requests for information that appear to come from a valid source
Password guessing
  Brute force: the attacker attempts to create every possible password combination by changing one character at a time, using each newly generated password to access the system
  Dictionary attack: takes each word from a dictionary and encodes it (hashing) in the same way the computer encodes a user's password
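Password guessing, whether brute force or dictionary based, leaves a trail of failed logins, and that trail is where a defender catches it. The following is an added example, not part of the original slides: it parses a constructed, syslog-style authentication log (format, hostnames and addresses are assumptions) and flags any source address that exceeds a threshold of failures inside a sliding one-minute window, also counting how many distinct accounts were tried.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the slides); one source tries
# many accounts in quick succession, the other has ordinary, spaced-out failures.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:02 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:03 sshd: Failed password for bob from 203.0.113.5
2024-05-01T10:00:04 sshd: Failed password for carol from 203.0.113.5
2024-05-01T10:00:05 sshd: Failed password for dave from 203.0.113.5
2024-05-01T10:00:06 sshd: Failed password for erin from 203.0.113.5
2024-05-01T10:00:30 sshd: Accepted password for alice from 198.51.100.7
2024-05-01T10:05:00 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:20:00 sshd: Failed password for alice from 198.51.100.7
"""

# Assumed line layout: "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, result, user, ip) for each line that matches; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]

def find_guessing_sources(log_text, max_failures=5, window=timedelta(minutes=1)):
    """Return {ip: (failures, distinct_users)} for every source whose failed
    logins exceed max_failures inside some sliding window of the given length.
    Many distinct users from one source is the signature of guessing across accounts."""
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] fit inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count > max_failures:
                users = {u for _, u in events[start:end + 1]}
                flagged[ip] = (count, len(users))
    return flagged
```

Running `find_guessing_sources(SAMPLE_LOG)` on the constructed log flags only 203.0.113.5 (six failures against five accounts in six seconds); the two spaced-out failures from 198.51.100.7 stay below the threshold.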
Basic Attacks (Cont)

Weak keys
  Cryptography: the science of transforming information so it is secure while being transmitted or stored
  Encryption: changing the original text to a secret message using cryptography
Mathematical attacks
  Cryptanalysis: the process of attempting to break an encrypted message
  Mathematical attack: analyzes characters in an encrypted text to discover the keys and decrypt the data
Basic Attacks (Cont)

Man-in-the-middle attacks
  Passive attack: the attacker captures sensitive data being transmitted and sends it on to the original recipient without his presence being detected
  Active attack: the contents of the message are intercepted and altered before being sent on
Replay
  Similar to an active man-in-the-middle attack
  Whereas an active man-in-the-middle attack changes the contents of a message before sending it on, a replay attack only captures the message and then sends it again later
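The two attacks above call for two different countermeasures: a message authentication code catches the active man-in-the-middle who alters content, while a remembered nonce (plus a freshness window) catches the replay, whose tag is still perfectly valid. The following is an added example, not part of the original slides: a sender and receiver sharing a constructed key exchange HMAC-SHA256-tagged messages, and the receiver rejects an altered copy and a replayed copy for the two distinct reasons.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed shared secret for the demo; in practice it comes from a key exchange.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

def send(key, payload, clock=time.time):
    """Sender side: wrap the payload with a fresh random nonce and a timestamp,
    then tag the whole body with HMAC-SHA256 so any change is detectable."""
    msg = {"payload": payload, "nonce": os.urandom(16).hex(), "ts": int(clock())}
    body = json.dumps(msg, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Receiver:
    """Receiver side: checks the tag first, then freshness, then remembers the
    nonce so the same captured message cannot be accepted twice."""

    def __init__(self, key, max_age=30, clock=time.time):
        self.key = key
        self.max_age = max_age  # seconds a message stays acceptable
        self.clock = clock
        self.seen_nonces = set()

    def receive(self, wire):
        expected = hmac.new(self.key, wire["body"].encode(), hashlib.sha256).hexdigest()
        # An active man-in-the-middle who edits the body cannot recompute the tag
        # without the key; compare_digest avoids a timing side channel.
        if not hmac.compare_digest(expected, wire["tag"]):
            return "rejected: tag mismatch (message altered)"
        msg = json.loads(wire["body"])
        if abs(self.clock() - msg["ts"]) > self.max_age:
            return "rejected: stale timestamp"
        # A replay carries a valid tag and may still be inside the freshness
        # window, so the nonce memory is what catches it.
        if msg["nonce"] in self.seen_nonces:
            return "rejected: nonce already seen (replay)"
        self.seen_nonces.add(msg["nonce"])
        return "accepted: " + msg["payload"]

if __name__ == "__main__":
    receiver = Receiver(SHARED_KEY)
    wire = send(SHARED_KEY, "pay 10 to bob")
    print(receiver.receive(wire))   # first delivery is accepted
    print(receiver.receive(wire))   # the same capture sent again: replay
    altered = dict(wire, body=wire["body"].replace("pay 10", "pay 1000"))
    print(receiver.receive(altered))  # edited in transit: tag mismatch
```

Note that the freshness window alone is not enough: a replay inside those 30 seconds would pass the timestamp check, which is why the nonce set is kept.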
Basic Attacks (Cont)

TCP/IP hijacking
  With wired networks, TCP/IP hijacking uses spoofing, which is the act of pretending to be the legitimate owner
  One particular type of spoofing is Address Resolution Protocol (ARP) spoofing
  In ARP spoofing, the attacker changes the ARP table so packets are redirected to his computer
Denial of service
  Attempts to make a server or other network device unavailable by flooding it with requests
  After a short time, the server runs out of resources and can no longer function
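Because ARP spoofing works by rewriting the IP-to-MAC table, a passive monitor that remembers the bindings it has seen can notice the rewrite as it happens. The following is an added example, not part of the original slides: it replays a constructed sequence of ARP replies (addresses are made up) and reports every IP that is suddenly claimed by a different MAC, with an optional pinned table for known-good hosts such as the gateway, plus a weaker indicator of one MAC answering for several IPs.

```python
from collections import defaultdict, namedtuple

ArpReply = namedtuple("ArpReply", "seq sender_ip sender_mac")

# Constructed ARP replies as a passive monitor on the LAN would record them
# (not from the slides). The gateway's IP is later claimed by a different MAC.
OBSERVED = [
    ArpReply(1, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway announces itself
    ArpReply(2, "192.168.1.20", "aa:bb:cc:00:00:20"),  # ordinary host
    ArpReply(3, "192.168.1.1", "aa:bb:cc:00:00:01"),   # refresh, same binding
    ArpReply(4, "192.168.1.1", "aa:bb:cc:00:00:99"),   # gateway IP, new MAC
    ArpReply(5, "192.168.1.20", "aa:bb:cc:00:00:99"),  # host IP, same new MAC
]

def detect_arp_spoofing(replies, trusted=None):
    """Return (alerts, bindings).

    alerts:   list of (seq, ip, old_mac, new_mac) whenever an IP already bound
              to one MAC is claimed by another (the table rewrite ARP spoofing
              relies on). The learned binding is deliberately not overwritten,
              so repeated spoofed replies keep alerting until an operator acts.
    bindings: the IP -> MAC table the monitor has learned.
    trusted:  optional pinned IP -> MAC pairs (e.g. the gateway) so a claim
              against them is flagged even on first sight."""
    bindings = dict(trusted or {})
    alerts = []
    for r in replies:
        known = bindings.get(r.sender_ip)
        if known is None:
            bindings[r.sender_ip] = r.sender_mac
        elif known != r.sender_mac:
            alerts.append((r.seq, r.sender_ip, known, r.sender_mac))
    return alerts, bindings

def macs_claiming_many_ips(replies):
    """Weaker indicator: one MAC answering for several IPs, which is how a
    spoofer sits between two victims (a legitimate router also does this)."""
    ips = defaultdict(set)
    for r in replies:
        ips[r.sender_mac].add(r.sender_ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) > 1}

if __name__ == "__main__":
    for seq, ip, old, new in detect_arp_spoofing(OBSERVED)[0]:
        print(f"reply {seq}: {ip} moved from {old} to {new}")
    print(macs_claiming_many_ips(OBSERVED))
```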
Malicious Code - Malware

Consists of computer programs designed to break into computers or to create havoc on computers
Most common types:
  Viruses
  Worms
  Logic bombs
  Trojan horses
  Back doors
Malicious Code - Malware (Cont)

Viruses
  Programs that secretly attach to another document or program and execute when that document or program is opened
Worms
  A virus needs the user to perform some type of action, such as starting a program or reading an e-mail message, to start the infection; a worm spreads on its own, without that user action
Logic bombs
  Computer program that lies dormant until triggered by a specific event, for example:
    A certain date being reached on the system calendar
    A person's rank in an organization dropping below a specified level
Malicious Code - Malware (Cont)

Trojan horses
  Programs that hide their true intent and then reveal themselves when activated
  Might disguise themselves as free calendar programs or other interesting software
Back doors
  Secret entrances into a computer of which the user is unaware
  Many viruses and worms install a back door, allowing a remote user to access a computer without the legitimate user's knowledge or permission
Security Threats

Categories:
Data disclosure: exposure of data to third parties. The key point to consider is whether the disclosure is relevant and necessary.
Data modification: a modification attack is an attempt to modify information that an attacker is not authorized to modify.
Data availability: describes products and services that continue to be available at a required level of performance in situations ranging from normal through "disastrous".
Security Threats (Cont)

Activities:
Hacking: computer hacking is the practice of modifying computer hardware and software to accomplish the hacker's goal.
Cracking: activities that break into someone else's computer system or bypass passwords or licenses in computer programs.
Security Threats (Cont)

Spoofing: a method of attacking a computer program, in which the program is modified so as to appear to be working normally when in reality it has been modified with the purpose of circumventing security mechanisms.
Sniffing: a method that a network device, like the Nintendo DS, uses to identify available wireless networks in the area.
Information Security Careers

Information security is one of the fastest growing career fields
As information attacks increase, companies are becoming more aware of their vulnerabilities and are looking for ways to reduce their risks and liabilities
Information Security Careers (Cont)

Sometimes divided into three general roles:
Security manager: develops corporate security plans and policies, provides education and awareness, and communicates with executive management about security issues
Security engineer: designs, builds, and tests security solutions to meet policies and address business needs
Security administrator: configures and maintains security solutions to ensure proper service levels and availability
Summary

The challenge of keeping computers secure is becoming increasingly difficult
Attacks can be launched without human intervention and infect millions of computers in a few hours
Information security protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information, through products, people, and procedures