IAS2253
Chapter One
Introduction to Computer and Network Security
Objectives
Explain the relationships among the component parts of information security, especially network security
Define the key terms and critical concepts of information and network security
Explain the business need for information and network security
Identify the threats posed to information and network security, as well as the common attacks associated with those threats
2013 Course Technology/Cengage Learning. All Rights Reserved.
Objectives (contd.)
Distinguish between threats to information from within systems and attacks against information from within systems
Describe the organizational roles of information and network security professionals
Define management's role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
Objectives (contd.)
Discuss how an organization institutionalizes policies, standards, and practices using education, training, and awareness programs
Introduction
Network security
Critical to day-to-day IT operations of nearly every organization
Information security
Field has matured in last 20 years
Large in scope
What is Information Security?
Protection of information and its critical elements
Systems and hardware that use, store, and transmit information
Information security includes:
Information security management
Computer and data security
Network security
What is Information Security? (contd.)
Security layers
Network security
Protect components, connections, and contents
Physical security
Protect physical items or areas
Personal security
Protect people
Operations security
Protect details of activities
Communications security
Protect media, technology, and content
Information Security Terminology
Access
Ability to use, modify, or affect another object
Asset
Organizational resource being protected
Attack
Act that causes damage to information or systems
Control, safeguard, or countermeasure
Security mechanisms, policies, or procedures
Information Security Terminology (contd.)
Exploit
Technique used to compromise a system
Exposure
Condition or state of being exposed to attack
Intellectual property
Works of the mind
Inventions, literature, art, logos, and other creative works
Loss
Single instance of damage to an information asset
Information Security Terminology (contd.)
Protection profile or security posture
Set of controls that protect an asset
Risk
Probability that something unwanted will happen
Subject
Agent used to conduct the attack
Object
Target entity of an attack
Figure 1-2 Computer as the subject and object of an attack
Information Security Terminology (contd.)
Threat
Entity presenting danger to an asset
Threat agent
Specific instance of a threat
Examples: lightning strike, tornado, or specific hacker
Vulnerability
Weakness or fault in a system
Opens up the possibility of attack or damage
Critical Characteristics of Information
Characteristics of information determine its value
Availability
Ability to access information without obstruction
Accuracy
Information is free from errors
Authenticity
Quality or state of being genuine
Confidentiality
Protection from disclosure to unauthorized individuals or systems
Critical Characteristics of Information (contd.)
Data owners
Responsible for the security and use of a particular set of information
Data custodians
Responsible for information storage, maintenance, and protection
Data users
End users who work with information
Integrity
Information remains whole, complete, uncorrupted
Critical Characteristics of Information (contd.)
Utility
Information has value for some purpose or end
Possession
Ownership or control of some object or item
Privacy
Information is used in accordance with legal requirements
Security Models
Information security model
Maps security goals to concrete ideas
C.I.A. triad
Original basis of computer security
Figure 1-3 C.I.A. triad
Security Models (contd.)
McCumber cube
Graphical description of architectural approach
Widely used in computer and information security
27 cells represent areas to address to secure information systems
Security Models (contd.)
Figure 1-4 McCumber cube
Balancing Information Security and Access
Information security must balance protection and availability
Allow reasonable access
Protect against threats
Imbalance occurs when:
Needs of end user are undermined
Business Needs First
Important organizational functions of an information security program
Protects organization's ability to function
Enables safe operation of applications
Protects data
Safeguards technology assets
Business Needs First (contd.)
Protecting the functionality of an organization
General management and IT management are responsible
More to do with management than technology
Enabling safe operation of applications
Securing storage of business-critical data
Ensuring integrity of key business transactions
Making communications constantly available
Business Needs First (contd.)
Protecting data that organizations collect and use
Data in motion
Data at rest
Safeguarding technology assets in organizations
Security should match size and scope of asset
Examples of assets: firewalls; caching network appliances
Threats to Information Security
Wide range of threats pervade interconnected world
Threats are relatively well researched
See Table 1-1
12 categories of danger to an organization's people, information, and systems
Table 1-1 Threats to information security
Common Threats
Cracker
Individual who cracks (removes) software protection
Cyberterrorist
Hacks systems to conduct terrorist activities
Hackers
Gain access without authorization
Hacktivist or cyberactivist
Disrupts or interferes with operations to protest against an organization or government agency
Common Threats (contd.)
Malicious code or malicious software
Computer viruses
Macro or boot virus
Worms
Trojan horses
Backdoor, trap door, or maintenance hook
Rootkit
Packet monkeys
Phreaker
Hacker who targets public telephone network
Common Threats (contd.)
Script kiddies
Hackers of limited skill who use expertly written software to attack a system
Shoulder surfing
Observing passwords of others
Software piracy
Unlawful use or duplication of software IP
Attacks on Information Security
Threats are always present
Attacks occur through specific actions
May cause business loss
Malicious Code
State-of-the-art malicious code attack
Polymorphic (or multivector) worm
Uses several attack vectors to exploit variety of vulnerabilities
See Table 1-2 for known attack vectors
Table 1-2 Attack replication vectors
Password Attacks
Password cracking
Attempt to bypass access controls
Guessing passwords
Rainbow tables
Used when the hash of the user's password is known
Brute force attacks
Trying every possible combination
Dictionary
Trying specific, commonly used passwords
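An added example (not from the slides or the textbook) showing why the rainbow-table and dictionary attacks listed above work against a bare fast hash and fail against a salted, iterated password hash. The passwords and the small precomputed table are constructed sample data; PBKDF2-HMAC-SHA256 is used as the slow hash.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a precomputed table: plain SHA-256 of a few commonly
# used passwords, keyed by hex digest. A real rainbow table is a space/time
# trade-off over a far larger set, but the lookup idea is the same.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

def unsalted_hash(password: str) -> str:
    """Weak scheme: one fast hash, no salt. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def lookup_precomputed(stored_hash: str) -> Optional[str]:
    """What a defender must assume is possible against the weak scheme: recover
    the password from the stored hash by table lookup (None if not in table)."""
    return PRECOMPUTED.get(stored_hash)

def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Stronger scheme: per-user random salt plus an iterated KDF.
    Returns 'iterations$salt_hex$digest_hex' so verification can recompute it."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def demo() -> dict:
    weak = unsalted_hash("letmein")
    strong_a = salted_hash("letmein")
    strong_b = salted_hash("letmein")
    return {
        "weak_recovered": lookup_precomputed(weak),                 # 'letmein'
        "strong_same_password_same_hash": strong_a == strong_b,     # False: different salts
        "strong_in_table": strong_a.split("$")[2] in PRECOMPUTED,   # False: table is useless
        "verify_ok": verify_salted("letmein", strong_a),            # True
        "verify_wrong": verify_salted("letmein1", strong_a),        # False
    }

if __name__ == "__main__":
    print(demo())
```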
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
Denial-of-service attack
Attacker sends large number of requests to a target
Target system cannot handle volume of requests
System crashes
Or cannot handle legitimate requests
Distributed denial-of-service attack
Coordinated stream of requests against a target
Occurs from many locations simultaneously
Figure 1-5 Denial-of-service attacks
Spoofing
Technique used to gain unauthorized access to computers
Intruder sends messages with fake IP address of a trusted host
Modifies the packet headers with the trusted IP
Newer routers and firewalls can offer protection
Figure 1-6 IP spoofing
Man-in-the-Middle Attacks
Attacker monitors packets from the network
Modifies packets using IP spoofing techniques
Inserts packets back into network
Can be used to eavesdrop, modify, reroute, forge, divert data
Figure 1-7 Man-in-the-middle attack
E-Mail Attacks
Spam
Malicious code may be embedded in attachments
Mail bomb
Attacker reroutes large quantities of e-mail to the target system
Poorly configured e-mail systems at risk
Sniffers
Program or device monitoring data traveling over a network
Can be used for legitimate functions
Also for stealing information
Unauthorized sniffers virtually impossible to detect
Shows all data going by including passwords
Social Engineering
Process of using social skills to convince people to reveal access credentials
Usually involves impersonation
New employee
Employee who needs assistance
Someone higher in organizational hierarchy
Buffer Overflow
Application error
Occurs when more data is sent to a buffer than it can handle
Attacker can take advantage of the consequence of the failure
Timing Attacks
Measuring the time required to access a Web page
Deducing that the user has visited the site before
Presence of the page in browser's cache
Another type of timing attack:
Side channel attack on cryptographic algorithms
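An added example (not from the slides or the textbook) of the side-channel idea behind a timing attack on a secret comparison, and of the constant-work comparison that closes it. To keep it deterministic, the code counts the byte comparisons performed instead of measuring wall-clock time; the secret and the guesses are constructed sample data.

```python
import hmac

SECRET = b"s3cr3t-token-0001"   # constructed 17-byte sample secret

def early_exit_compare(a: bytes, b: bytes):
    """Typical '==' style compare: stops at the first mismatching byte.
    Returns (equal, bytes_examined). The count stands in for elapsed time,
    which an observer could measure; it grows with the matching prefix."""
    examined = 0
    if len(a) != len(b):
        return False, examined
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined

def constant_work_compare(a: bytes, b: bytes):
    """Examines every byte regardless of where the first mismatch is, so the
    work (and therefore the time) does not depend on the secret's contents.
    Returns (equal, bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y          # accumulate mismatches without branching
    return diff == 0, len(a)

def leak_profile(compare, guesses):
    """Work count per guess; a count that rises with prefix length is the leak."""
    return [compare(SECRET, g)[1] for g in guesses]

# Constructed guesses sharing 0, 1, 4, 8 and 17 leading bytes with SECRET.
GUESSES = [
    bytes(len(SECRET)),
    SECRET[:1] + bytes(len(SECRET) - 1),
    SECRET[:4] + bytes(len(SECRET) - 4),
    SECRET[:8] + bytes(len(SECRET) - 8),
    SECRET,
]

if __name__ == "__main__":
    print("early exit:", leak_profile(early_exit_compare, GUESSES))     # [1, 2, 5, 9, 17]
    print("constant  :", leak_profile(constant_work_compare, GUESSES))  # [17, 17, 17, 17, 17]
    # In real code use the library primitive rather than a hand-rolled loop:
    print(hmac.compare_digest(SECRET, GUESSES[-1]))
```

The rising counts in the first profile are the signal a timing attack exploits; `hmac.compare_digest` gives the flat profile of the second without writing the loop yourself.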
Security Professionals and the Organization
Information security program
Supported by wide range of professionals
Administrative support also required
Executive management
Chief information officer (CIO)
Chief information security officer (CISO)
Security Professionals and the Organization (contd.)
Information security project team
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems, network, and storage administrators
End users
Information Security Policy, Standards, and Practices
Policy
Guidance implemented by senior management
Regulates activities
Similar to laws
Standards
Detailed description of how to comply with policy
De facto standards
De jure standards
Figure 1-8 Policies, standards, and practices
Information Security Policy, Standards, and Practices (contd.)
Management policy
Basis for information security planning, design, and deployment
Criteria for effective policy
Dissemination
Review
Comprehension
Compliance
Uniformity
Enterprise Information Security Policy (EISP)
Other names for EISP
General security policy
IT security policy
Information security policy
Supports mission and vision of the organization
Executive-level document
Guides the security program
Addresses legal compliance
Table 1-3 Components of the EISP
Issue-Specific Security Policy (ISSP)
States organization's position on each issue
Examples of topics
Use of company-owned networks and the Internet
Use of e-mail
Prohibitions against hacking
Use of personal equipment on company networks
Table 1-4 Components of the ISSP
Systems-Specific Policy (SysSP)
Managerial guidance SysSPs
Guides technology implementation and configuration
Regulates behavior of people in organization
Technical specification SysSPs
Access control lists
Capability table
Access control matrix
Configuration rule policies
Specific instructions to regulate security system
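An added example (not from the slides or the textbook) of the three technical-specification SysSP artefacts listed above: one access control matrix, the access control list that is a column of it, and the capability table that is a row of it, plus the default-deny check that enforces it. The subjects, objects and rights are constructed sample data.

```python
from typing import Dict, FrozenSet, Tuple

Subject = str
Obj = str
Rights = FrozenSet[str]

# The access control matrix: rows are subjects, columns are objects, each cell
# holds the rights granted. A missing cell means no access (default deny).
MATRIX: Dict[Tuple[Subject, Obj], Rights] = {
    ("alice", "payroll.db"):      frozenset({"read", "write"}),
    ("alice", "web.log"):         frozenset({"read"}),
    ("bob", "web.log"):           frozenset({"read", "append"}),
    ("svc-backup", "payroll.db"): frozenset({"read"}),
    ("svc-backup", "web.log"):    frozenset({"read"}),
}

def acl_for(obj: Obj) -> Dict[Subject, Rights]:
    """Access control list = one column of the matrix, stored with the object."""
    return {s: r for (s, o), r in MATRIX.items() if o == obj}

def capabilities_for(subject: Subject) -> Dict[Obj, Rights]:
    """Capability table = one row of the matrix, stored with the subject."""
    return {o: r for (s, o), r in MATRIX.items() if s == subject}

def is_permitted(subject: Subject, obj: Obj, right: str) -> bool:
    """Reference-monitor check: deny unless the cell explicitly grants the right."""
    return right in MATRIX.get((subject, obj), frozenset())

def rights_per_subject() -> Dict[Subject, int]:
    """Number of distinct (object, right) grants each subject holds; a quick way
    to spot over-privileged accounts when reviewing the policy."""
    subjects = {s for s, _ in MATRIX}
    return {s: sum(len(r) for r in capabilities_for(s).values()) for s in subjects}

if __name__ == "__main__":
    print("ACL for web.log:", acl_for("web.log"))
    print("capabilities of alice:", capabilities_for("alice"))
    print("bob read payroll.db:", is_permitted("bob", "payroll.db", "read"))  # False
    print("grants per subject:", rights_per_subject())
```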
Frameworks and Industry Standards in Information Security
Security blueprint
Used to implement the security program
Basis for design, selection, and implementation of program elements
Security framework
Outline of overall information security strategy
Roadmap for planned changes to the environment
Security models
Can be used to develop a security blueprint
The ISO 27000 series
One of the most widely referenced security models
Gives recommendations for information security management
See Figure 1-9 for overall methodology
Figure 1-9 ISO/IEC 27002 major process steps
Table 1-6 ISO 27000 series current and planned standards (www.27000.org)
NIST Security Models
Available from csrc.nist.gov
Publicly available
Free
Reviewed by government and industry professionals
Many documents available
IETF Security Architecture
Security area working group
Acts as advisory board for IETF
RFC 2196: Site security handbook
Good reference
Covers five basic areas of security
Benchmarking and Best Business Practices
Methods used by some organizations
To assess security practices
Federal Agency Security Practices Web site
Popular resource for best practices
SANS Institute
Cooperative information security research organization
Other sources
www.cert.org
http://www.us-cert.gov
Benchmarking and Best Business Practices (contd.)
Spheres of security
Shows that information is at risk from various sources
Illustrated in Figure 1-10
Defense in depth
Layered implementation of security
Organization establishes multiple layers of security controls
Figure 1-10 Spheres of security
Figure 1-11 Defense in depth
Benchmarking and Best Business Practices (contd.)
Redundancy
Implementing multiple types of technology
Prevents failure of one system from compromising security of another system
Security perimeter
Defines the boundary between organization's security and outside world
Both electronic and physical
Figure 1-12 Security perimeters
Summary
Information security is the protection of information
Information value comes from its characteristics
A threat is an object, person, or entity that represents a danger to an asset
An attack is an action that takes advantage of a vulnerability to compromise a controlled system
Security models include the C.I.A. triad and the McCumber cube
Summary (contd.)
Information security functions
Protects organization's ability to function
Enables safe operation of applications
Protects data
Safeguards technology assets
Many types of professionals support an information security program
Management policy is the basis for all information security planning