Security+ Guide To Network Security Fundamentals, Fifth Edition

This document provides an introduction to information security concepts. It defines information security as protecting the confidentiality, integrity, and availability of information through technical, administrative and physical controls. The document outlines common security threats like hackers, viruses and human error. It also describes security principles like authentication, authorization and accounting. Finally, it defines key security terms like assets, threats, vulnerabilities and risk management strategies.


Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 1
INTRODUCTION TO SECURITY

Objectives
- Describe the challenges of securing information
- Define information security and explain why it is important
- Identify the types of attackers that are common today
- List the basic steps of an attack
- Describe the five basic principles of defense

Security+ Guide to Network Security Fundamentals, Fifth Edition

Challenges of Securing Information
- Today all citizens are forced to continually protect themselves from attacks by invisible foes
- Attacks are not just physical but also include attacks on information technology
- Attacks are directed at individuals, schools, businesses, and governments through desktop computers, laptops, smartphones, and tablet computers
- Information security is focused on protecting the electronic information of organizations and users

Information Security Personnel
- Chief Information Security Officer (CISO) - Responsible for assessing, managing, and implementing security
- Security manager - Supervises technicians, administrators, and security staff
- Security administrator - Manages daily operations of security technology
- Security technician - Provides technical support to configure security hardware, implement security software, and diagnose and troubleshoot problems

Information Security Employment
- Employees with certifications in security are in high demand
- Security is rarely offshored or outsourced
- Job outlook for security professionals is exceptionally strong
- U.S. Bureau of Labor Statistics (BLS) Occupational Outlook Handbook indicates the job outlook for information security analysts through the end of the decade is expected to grow by 22 percent, faster than the average growth rate

CompTIA Security+
- CompTIA Security+ certification is a widely recognized and highly respected vendor-neutral credential
- Requires passing the current certification exam, SY0-401
- Tests the knowledge and skills required to: identify risks; provide infrastructure, application, operational and information security; apply security controls to maintain confidentiality, integrity, and availability; and identify appropriate technologies and products

Today's Security Attacks
- Balances manipulated on prepaid debit cards
- Home Wi-Fi network attacked
- Twitter accounts exploited
- Ploutus ATM malware
- Exposed serial servers
- Manipulate aircraft and ocean vessels
- Computer cluster for cracking passwords
- Apple Mac vulnerabilities
- Electronic data records stolen


Difficulties in Defending Against Attacks
- Universally connected devices
- Increased speed of attacks
- Greater sophistication of attacks
- Availability and simplicity of attack tools
- Faster detection of vulnerabilities
- Delays in security updating
- Weak security update distribution
- Distributed attacks
- Introduction of BYOD
- User confusion


Menu of Attack Tools (Figure 1-1)


Difficulties in Defending (Table 1-2)


What Is Information Security?
Before defense is possible, one must understand:
- What security is
- What information security is
- Information security terminology
- Why it is important


Understanding Security
- Security is defined as either the process (how to achieve security) or the goal (what it means to have security)
- In reality security is both: it is the goal to be free from danger as well as the process that achieves that freedom
- Security is the necessary steps to protect a person or property from harm
- This harm may come from one of two sources:
  - Direct action
  - Indirect and unintentional action

Security and Convenience
- Relationship between security and convenience
  - As security is increased, convenience is often decreased
  - Security is inversely proportional to convenience
  - The more secure something is, the less convenient it may become to use
- Security is sacrificing convenience for safety, or giving up short-term comfort for long-term protection

Relationship Security-Convenience (Figure 1-2)


Defining Information Security
- Information security - Tasks of securing information in digital format:
  - Manipulated by a microprocessor
  - Stored on a storage device
  - Transmitted over a network
- Protection - Information security cannot completely prevent successful attacks or guarantee that a system is totally secure
  - Protective measures ward off attacks and prevent total collapse of the system when a successful attack does occur

Three Protections
- Information provides value to people and organizations
- Three protections that must be extended over information (CIA):
  - Confidentiality: Ensures only authorized parties can view information
  - Integrity: Ensures information is not altered
  - Availability: Ensures information is accessible when needed to authorized parties
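The integrity protection above can be made concrete with a message authentication code. The following is an added example in Python, not part of the textbook slides; the key, the sample record and the "in transit" alteration are constructed for illustration. It attaches an HMAC-SHA256 tag to a record, and verification detects a change to the record even though the tag itself is untouched.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 produces a 32-byte tag

# Constructed demo key. A real deployment loads the key from a secret store,
# never from source code.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def protect(message: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Return message || tag, where tag = HMAC-SHA256(key, message).

    Anyone without the key can still read the message (this is not
    confidentiality), but cannot alter it without invalidating the tag.
    """
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(blob: bytes, key: bytes = SECRET_KEY):
    """Split blob into message and tag, recompute the tag and compare it.

    Returns (ok, message). The comparison is constant-time so that a
    byte-by-byte mismatch cannot be observed through timing.
    """
    if len(blob) < TAG_LEN:
        return False, b""
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), message


def demo():
    """Protect a constructed record, then alter it the way an attacker on the
    wire might, and show that only the untouched copy verifies."""
    original = b"transfer 100.00 to account 1234"  # constructed sample record
    blob = protect(original)
    ok_untouched, _ = verify(blob)

    # Same length, different amount: the tag at the end no longer matches.
    tampered = blob.replace(b"100.00", b"900.00")
    ok_tampered, _ = verify(tampered)
    return ok_untouched, ok_tampered


if __name__ == "__main__":
    print("untouched verifies, tampered verifies:", demo())
```

Availability and confidentiality need different mechanisms (redundancy and encryption respectively); the tag only answers the integrity question, and it answers it only for parties that hold the key.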


AAA
- Three additional protections that must be extended over information (AAA):
  - Authentication: Ensures that the individual is who she claims to be (the authentic or genuine person) and not an imposter
  - Authorization: Providing permission or approval to specific technology resources
  - Accounting: Provides tracking of events
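The three AAA steps are easiest to see as three separate decisions made for one request. The following is an added Python example, not the textbook's code; the user store, the fixed salt, the role table and the password are all constructed so the example runs offline. Each request is first authenticated (is this really the claimed user?), then authorized (may this user do this?), and every decision, including failures, is written to an audit log (accounting).

```python
import hashlib
import hmac
import time

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so stolen hashes are costly to guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store. A fixed salt is used only so the example is
# deterministic; real salts are random per user, and the store lives in a
# directory or database rather than in source.
_SALT_ALICE = b"\x01" * 16
USERS = {
    "alice": {
        "salt": _SALT_ALICE,
        "hash": _hash_password("correct horse", _SALT_ALICE),
        "role": "analyst",
    },
}

# Authorization policy: role -> actions it is permitted to perform.
PERMISSIONS = {
    "analyst": {"read:report"},
    "admin": {"read:report", "write:report", "delete:report"},
}

# Accounting: one entry per decision, successes and failures alike.
AUDIT_LOG = []


def _record(user: str, action: str, outcome: str) -> None:
    AUDIT_LOG.append({"ts": time.time(), "user": user,
                      "action": action, "outcome": outcome})


def authenticate(username: str, password: str) -> bool:
    """Authentication: compare the derived hash in constant time."""
    entry = USERS.get(username)
    if entry is None:
        # Do the same work for an unknown user so the response time does not
        # reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        _record(username, "login", "fail")
        return False
    ok = hmac.compare_digest(_hash_password(password, entry["salt"]), entry["hash"])
    _record(username, "login", "ok" if ok else "fail")
    return ok


def authorize(username: str, action: str) -> bool:
    """Authorization: is this action in the user's role permissions?"""
    role = USERS.get(username, {}).get("role")
    allowed = action in PERMISSIONS.get(role, set())
    _record(username, action, "allow" if allowed else "deny")
    return allowed


def request(username: str, password: str, action: str) -> str:
    """Full AAA flow for one request: authenticate, then authorize; both
    outcomes are already accounted for by the time we return."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action):
        return "denied: not authorized"
    return "ok"


if __name__ == "__main__":
    print(request("alice", "correct horse", "read:report"))
    print(request("alice", "correct horse", "delete:report"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that authorization is checked only after authentication succeeds, and that a denied request leaves an audit entry just as a permitted one does; the log is what lets an investigator reconstruct who tried what.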


Securing Devices
- Devices - Information security involves more than protecting the information itself
- Information is:
  - Stored on computer hardware
  - Manipulated by software
  - Transmitted by communications
- Each of these areas must also be protected


Three Entities
- Entities - Information security is achieved through a process that is a combination of three entities
- Information and the hardware, software, and communications are protected in three layers:
  - Products
  - People
  - Policies and procedures
- Procedures enable people to understand how to use products to protect information

Security Layers (Figure 1-3)


Security Layers (Table 1-3)


Information Security Definition
- A comprehensive definition of information security involves both the goals and the process
- Information security is defined as that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures


Information Security Terminology: Asset
- Asset - An item that has value
- In an organization, assets have these qualities:
  - They provide value to the organization
  - They cannot easily be replaced without a significant investment in expense, time, worker skill, and/or resources
  - They can form part of the organization's corporate identity


Technology Assets (Table 1-4)


Information Security Terminology: Threat
- Threat - Action that has the potential to cause harm
- Information security threats are events or actions that represent a danger to information assets
- A threat by itself does not mean that security has been compromised; rather, it simply means that the potential for creating a loss is real
- A threat can result in the corruption or theft of information, a delay in information being transmitted, or loss of good will or reputation

Information Security Terminology: Threat Agent
- Threat agent - Person or element that has the power to carry out a threat
- A threat agent can be:
  - A person attempting to break into a secure computer network
  - A force of nature such as a hurricane that could destroy computer equipment and thus destroy information
  - Malicious software that attacks the computer network

Information Security Terminology: Vulnerability
- Vulnerability - Flaw or weakness that allows a threat agent to bypass security
- Example: a software defect in an operating system that allows an unauthorized user to gain control of a computer without the user's knowledge or permission


Information Security Terminology: Threat Vector
- Threat vector - Means by which an attack can occur
- Example: an attacker, knowing that a flaw in a web server's operating system has not been patched, uses the threat vector (exploiting the vulnerability) to steal user passwords
- Threat likelihood - Probability that a threat will come to fruition


Information Security Terminology: Risk
- Risk - Situation that involves exposure to some type of danger
- Options when dealing with risk:
  - Risk avoidance
  - Acceptance
  - Mitigation
  - Deterrence
  - Transference


Understanding the Importance of Information Security: Preventing Theft
- Preventing data theft - Stopping data from being stolen is cited as the primary objective of information security
- Business data theft is stealing proprietary business information
- Among personal data, the prime target of attackers is credit card numbers, which can be used to purchase thousands of dollars of merchandise


Identity Theft
- Thwarting identity theft - Identity theft is using another's personal information in an unauthorized manner for financial gain
- Example:
  - Steal a person's SSN
  - Create a new credit card account
  - Charge purchases
  - Leave them unpaid
- A serious problem for the Internal Revenue Service (IRS)

Avoid Legal Consequences
- Avoiding legal consequences - Businesses that fail to protect the data they possess may face serious financial penalties under federal or state laws
- Laws protecting electronic data privacy:
  - Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - Sarbanes-Oxley Act of 2002 (Sarbox)
  - Gramm-Leach-Bliley Act (GLBA)
  - Payment Card Industry Data Security Standard (PCI DSS)
  - CA Database Security Breach Notification Act

Cost of Attacks (Table 1-6)
- Maintaining productivity - Post-attack clean-up diverts resources like time and money


Foiling Cyberterrorism
- Foiling cyberterrorism - Cyberterrorism is premeditated, politically motivated attacks
- Targets are banking, military, power plants, air traffic control centers
- Designed to:
  - Cause panic
  - Provoke violence
  - Result in financial catastrophe


Cyberterrorism Targets
Potential cyberterrorism targets:
- Banking
- Military
- Energy (power plants)
- Transportation (air traffic control centers)
- Water systems


Who Are the Attackers?
- Hacker - Older term that referred to a person who used advanced computer skills to attack computers
- Black hat hackers - Attackers who violated computer security for personal gain or to inflict malicious damage
- White hat hackers - Ethical attackers who received permission to probe a system for any weaknesses
- Gray hat hackers - Attackers who would break into a computer system without permission and then publicly disclose the vulnerability

Cybercriminals
- Cybercriminals - Generic term that describes individuals who launch attacks against other users and their computers
- A loose network of attackers, identity thieves, and financial fraudsters who are highly motivated, less risk-averse, well-funded, and tenacious
- Instead of attacking a computer to show off their technology skills (fame), cybercriminals have a more focused goal of financial gain (fortune): cybercriminals steal information or launch attacks to generate income

Script Kiddies
- Script kiddies - Unskilled users whose goal is to break into computers to create damage
- Download automated hacking software (scripts) to use to perform malicious acts
- Attack software today has menu systems, and attacks are even easier for unskilled users
- 40 percent of attacks are performed by script kiddies


Brokers
- Brokers - Individuals who uncover vulnerabilities and do not report them to the software vendor but instead sell them to the highest bidder
- These attackers sell their knowledge of a vulnerability to other attackers or even governments
- Buyers are generally willing to pay a high price because the vulnerability is unknown


Insiders
- Insiders - Employees, contractors, and business partners who steal from their employer
- Most malicious insider attacks consist of the sabotage or theft of intellectual property
- Offenders are usually employees who actually believe that the accumulated data is owned by them and not the organization
- Others are employees who have been pressured into stealing from their employer through blackmail or the threat of violence

Cyberterrorists
- Cyberterrorists - Attackers who have an ideological motivation
- Attacking because of their principles and beliefs
- Cyberterrorists can be inactive for several years and then suddenly strike in a new way
- Targets may include a small group of computers or networks that can affect the largest number of users
  - Example: computers that control the electrical power grid of a state or region

Hacktivists
- Hacktivists - Another group motivated by ideology
- Unlike cyberterrorists, who launch attacks against foreign nations to incite panic, hacktivists are generally not as well-defined
- Attacks can involve breaking into a website and changing the contents of the site as a means of making a political statement against those who oppose their beliefs
- Other attacks can be retaliatory


State-Sponsored Attackers
- State-sponsored attackers - Attackers supported by governments for launching computer attacks against their foes
- Attackers target foreign governments or even citizens of the government who are considered hostile or threatening


Steps of an Attack (Steps 1-4)
- Reconnaissance - Probe for any information about the system to reveal if the system is a viable target for an attack and how it could be attacked
- Weaponization - Create an exploit and package it into a deliverable payload that can be used against the target
- Delivery - The weapon is transmitted to the target
- Exploitation - The exploitation stage triggers the intruder's exploit


Steps of an Attack (Steps 5-7)
- Installation - The weapon is installed to either attack the computer or install a remote backdoor so the attacker can access the system
- Command and Control - Often the compromised system connects back to the attacker so that the system can be remotely controlled by the attacker and receive future instructions
- Actions on Objectives - Now attackers can start to take actions to achieve their original objectives, such as stealing user passwords or launching attacks against other computers

Cyber Kill Chain (Figure 1-6)


Defenses Against Attacks
Fundamental security principles for defenses:
- Layering
- Limiting
- Diversity
- Obscurity
- Simplicity


Layering
- Information security must be created in layers
  - A single defense mechanism may be easy to circumvent
  - It is unlikely that an attacker can break through all defense layers
- Layered security approach
  - Can be useful in resisting a variety of attacks
  - Provides the most comprehensive protection


Limiting
- Limiting access to information reduces the threat against it
  - Only those who must use the data are granted access
  - The amount of access is limited to what that person needs to know
- Methods of limiting access:
  - Technology (file permissions)
  - Procedural (prohibiting document removal from premises)
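File permissions are the technology method named above, and the usual failure is not a missing permission but an over-broad one: a file every local account can read. The following is an added Python example, not from the textbook; the directory, the file name and its contents are constructed in a temporary directory so the example runs anywhere. It audits a directory tree for files readable or writable by the group or by everyone, and shows the finding disappear once the file is limited to its owner (mode 0600).

```python
import os
import stat
import tempfile
from typing import Dict, List

# Bits that grant access beyond the owning user, with the label reported for each.
_BROAD_BITS = (
    (stat.S_IRGRP, "group-readable"),
    (stat.S_IWGRP, "group-writable"),
    (stat.S_IROTH, "world-readable"),
    (stat.S_IWOTH, "world-writable"),
)


def overly_permissive(path: str) -> List[str]:
    """Return the access a file grants beyond its owner (empty list = owner only)."""
    mode = os.stat(path).st_mode
    return [label for bit, label in _BROAD_BITS if mode & bit]


def restrict_to_owner(path: str) -> None:
    """Limit the file to read/write by its owner: mode 0600."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def audit_directory(root: str) -> Dict[str, List[str]]:
    """Walk root and map each over-shared file (relative path) to its problems."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            problems = overly_permissive(full)
            if problems:
                findings[os.path.relpath(full, root)] = problems
    return findings


def demo():
    """Create a constructed secret with a typical default mode, audit, fix, re-audit."""
    with tempfile.TemporaryDirectory() as root:
        secret = os.path.join(root, "api_keys.txt")
        with open(secret, "w") as fh:
            fh.write("constructed sample secret\n")
        # 0644 is a common default: owner read/write, everyone else read.
        os.chmod(secret, 0o644)
        before = audit_directory(root)
        restrict_to_owner(secret)
        after = audit_directory(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The mode bits are checked explicitly rather than compared against a single "expected" mode, so the same audit reports a file that is group-writable but not world-readable. The procedural method on the slide (no documents leave the premises) has no code equivalent; it is a rule people follow, which is exactly why the textbook lists it separately.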


Diversity
- Closely related to layering
- Layers must be different (diverse)
  - If attackers penetrate one layer, then the same techniques are unsuccessful in breaking through other layers
  - Breaching one security layer does not compromise the whole system
- Example of diversity is using security products from different manufacturers

Obscurity
- Obscuring inside details from outsiders
- Example: not revealing details such as
  - Type of computer
  - Operating system version
  - Brand of software used
- It is difficult for an attacker to devise an attack if system details are unknown
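A web server volunteers exactly the details the slide says not to reveal (brand and version of software) in its response headers. The following is an added Python example, not from the textbook; the response text is constructed, and the header names it checks (Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version, X-Generator) are the commonly seen ones, not an exhaustive list. It parses the head of an HTTP response, reports which headers disclose platform or version, and produces a hardened copy with those details removed.

```python
import re
from typing import Dict, List

# Headers whose mere presence names the platform behind the site.
DISCLOSING_HEADERS = {
    "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
}

# Product followed by a version, e.g. "Apache/2.4.57" or "nginx/1.25.3".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(\.\d+)*")

GENERIC_SERVER = "webserver"  # what Server is reduced to in the hardened copy

# Constructed sample response; the versions are illustrative values only.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.57 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the status line and header block of an HTTP response into a dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # index 0 is the status line
        if not line:
            break  # empty line ends the header block; the body follows
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def find_disclosures(headers: Dict[str, str]) -> List[str]:
    """Return header names that reveal software brand or version."""
    found = []
    for name, value in headers.items():
        lname = name.lower()
        if lname == "server" and VERSION_RE.search(value):
            found.append(name)
        elif lname in DISCLOSING_HEADERS and value:
            found.append(name)
    return found


def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of headers with platform headers dropped and Server made generic."""
    hardened = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "server":
            hardened[name] = GENERIC_SERVER
        elif lname in DISCLOSING_HEADERS:
            continue
        else:
            hardened[name] = value
    return hardened


if __name__ == "__main__":
    parsed = parse_response_headers(SAMPLE_RESPONSE)
    print("disclosing:", find_disclosures(parsed))
    print("hardened:  ", harden(parsed))
```

Removing the headers is a small change to the web server or reverse-proxy configuration, and it is a supporting control only: the software still has to be patched, because obscurity delays an attacker rather than stopping one.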

