Chapter 1 - Introduction To Security

The document is an introductory chapter from a textbook on network security fundamentals. It defines key concepts in information security including assets, threats, vulnerabilities, and risk. It describes common security roles and the CompTIA Security+ certification. The chapter outlines challenges to securing information from various types of attacks and difficulties in defending against modern threats. It emphasizes that information security involves protecting information, devices, and data through technical, procedural and personnel measures.


Security+ Guide to Network Security Fundamentals, Fifth Edition

Chapter 1
INTRODUCTION TO SECURITY

Objectives
• Describe the challenges of securing information
• Define information security and explain why it is important
• Identify the types of attackers that are common today
• List the basic steps of an attack
• Describe the five basic principles of defense

Security+ Guide to Network Security Fundamentals, Fifth Edition 2

Challenges of Securing Information
• Today all citizens are forced to continually protect themselves from attacks by invisible foes
• Attacks are not just physical but also include attacks on information technology
• Attacks are directed at individuals, schools, businesses, and governments through desktop computers, laptops, smartphones, and tablet computers
• Information security is focused on protecting the electronic information of organizations and users

Information Security Personnel
• Chief Information Security Officer (CISO) - Responsible for assessing, managing, and implementing security
• Security manager - Supervises technicians, administrators, and security staff
• Security administrator - Manages daily operations of security technology
• Security technician - Provides technical support to configure security hardware, implement security software, and diagnose and troubleshoot problems

CompTIA Security+
• CompTIA Security+ certification is a widely-recognized and highly respected vendor-neutral credential
• Requires passing the current certification exam SY0-601
• Tests knowledge and skills required to: identify risks; provide infrastructure, application, operational and information security; apply security controls to maintain confidentiality, integrity, and availability; and identify appropriate technologies and products.

Today’s Security Attacks
• Balances manipulated on prepaid debit cards
• Home Wi-Fi network attacked
• Twitter accounts exploited
• Ploutus ATM malware
• Exposed serial servers
• Manipulate aircraft and ocean vessels
• Computer cluster for cracking passwords
• Apple Mac vulnerabilities
• Electronic data records stolen

Difficulties in Defending Against Attacks
• Universally connected devices
• Increased speed of attacks
• Greater sophistication of attacks
• Availability and simplicity of attack tools
• Faster detection of vulnerabilities
• Delays in security updating
• Weak security update distribution
• Distributed attacks
• Introduction of BYOD (Bring your own device)
• User confusion

Menu of Attack Tools (Figure 1-1)

Difficulties in Defending (Table 1-2)

What Is Information Security?
• Before defense is possible, one must understand:
– What security is
– What information security is
– Information security terminology
– Why it is important

Understanding Security
• “Security” is defined as either the process (how to achieve security) or the goal (what it means to have security).
• In reality security is both: it is the goal to be free from danger as well as the process that achieves that freedom
• Security is the necessary steps to protect a person or property from harm.
• This harm may come from one of two sources:
– Direct action
– Indirect and unintentional action

Relationship Between Security and Convenience (Figure 1-2)

Defining Information Security
• Information security - Tasks of securing information in digital format:
– Manipulated by a microprocessor
– Stored on a storage device
– Transmitted over a network
• Protection - Information security cannot completely prevent successful attacks or guarantee that a system is totally secure
• Protective measures ward off attacks and prevent total collapse of the system when a successful attack does occur

Three Protections
• Information – Provides value to people and organizations
• Three protections that must be extended over information (CIA):
– Confidentiality: Ensures only authorized parties can view information
– Integrity: Ensures information is not altered
– Availability: Ensures information is accessible to authorized parties when needed

AAA
• Three additional protections that must be extended over information (AAA):
– Authentication: Ensures that the individual is who she claims to be (the authentic or genuine person) and not an imposter
– Authorization: Providing permission or approval to specific technology resources
– Accounting: Provides tracking of events

Securing Devices
• Devices - Information security involves more than protecting the information itself
• Information is:
– Stored on computer hardware
– Manipulated by software
– Transmitted by communications
• Each of these areas must also be protected

Three Entities
• Entities - Information security is achieved through a process that is a combination of three entities
• Information and the hardware, software, and communications are protected in three layers:
– Products
– People
– Policies and procedures
• Procedures enable people to understand how to use products to protect information

Security Layers (Figure 1-3)

Security Layers (Table 1-3)

Information Security Definition
• A comprehensive definition of information security involves both the goals and the process
• Information security is defined as that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures

Information Security Terminology: Asset
• Asset - An item that has value
• In an organization, assets have these qualities:
– They provide value to the organization
– They cannot easily be replaced without a significant investment in expense, time, worker skill, and/or resources
– They can form part of the organization's corporate identity.

Technology Assets (Table 1-4)

Information Security Terminology: Threat
• Threat - Action that has the potential to cause harm
• Information security threats are events or actions that represent a danger to information assets
• A threat by itself does not mean that security has been compromised; rather, it simply means that the potential for creating a loss is real
• A threat can result in the corruption or theft of information, a delay in information being transmitted, or loss of good will or reputation

Information Security Terminology: Threat Agent
• Threat agent - Person or element that has the power to carry out a threat
• A threat agent can be:
– A person attempting to break into a secure computer network
– A force of nature such as a hurricane that could destroy computer equipment and thus destroy information
– Malicious software that attacks the computer network

Information Security Terminology: Vulnerability
• Vulnerability - Flaw or weakness that allows a threat agent to bypass security
• Example: a software defect in an operating system that allows an unauthorized user to gain control of a computer without the user’s knowledge or permission

Information Security Terminology: Threat Vector
• Threat vector - Means by which an attack can occur
• Example: an attacker, knowing that a flaw in a web server’s operating system has not been patched, uses the threat vector (exploiting the vulnerability) to steal user passwords
• Threat likelihood - Probability that a threat will come to fruition

Information Security Terminology: Risk
• Risk - Situation that involves exposure to some type of danger.
• Options when dealing with risk:
– Risk avoidance
– Acceptance
– Mitigation
– Deterrence
– Transference

Understanding the Importance of Information Security: Preventing Theft
• Preventing data theft – Stopping data from being stolen is cited as the primary objective of information security
• Business data theft is stealing proprietary business information
• The prime target of attackers among personal data is credit card numbers, which can be used to purchase thousands of dollars of merchandise

Identity Theft
• Thwarting identity theft - Identity theft is using another’s personal information in an unauthorized manner for financial gain
• Example:
– Steal a person’s SSN
– Create a new credit card account
– Charge purchases
– Leave unpaid
• Serious problem for the Internal Revenue Service (IRS)

Avoid Legal Consequences
• Avoiding legal consequences - Businesses that fail to protect data they possess may face serious financial penalties under federal or state laws
• Laws protecting electronic data privacy:
– Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– Sarbanes-Oxley Act of 2002 (Sarbox)
– Gramm-Leach-Bliley Act (GLBA)
– Payment Card Industry Data Security Standard (PCI DSS)
– CA Database Security Breach Notification Act

Cost of Attacks (Table 1-6)
• Maintaining productivity - Post-attack clean up diverts resources like time and money

Foiling Cyberterrorism
• Foiling cyberterrorism - Cyberterrorism consists of premeditated, politically motivated attacks
• Targets are banking, military, power plants, air traffic control centers
• Designed to:
– Cause panic
– Provoke violence
– Result in financial catastrophe

Cyberterrorism Targets
• Potential cyberterrorism targets
– Banking
– Military
– Energy (power plants)
– Transportation (air traffic control centers)
– Water systems

Who Are the Attackers?
• Hacker – Older term that referred to a person who used advanced computer skills to attack computers
• Black hat hackers - Attackers who violated computer security for personal gain or to inflict malicious damage
• White hat hackers - “Ethical attackers” who received permission to probe a system for any weaknesses
• Gray hat hackers – Attackers who would break into a computer system without permission and then publicly disclose the vulnerability

Cybercriminals
• Cybercriminals - Generic term that describes individuals who launch attacks against other users and their computers
• A loose network of attackers, identity thieves, and financial fraudsters who are highly motivated, less risk-averse, well-funded, and tenacious
• Instead of attacking a computer to show off their technology skills (fame), cybercriminals have a more focused goal of financial gain (fortune): cybercriminals steal information or launch attacks to generate income

Script Kiddies
• Script kiddies - Unskilled users whose goal is to break into computers to create damage
• Download automated hacking software (scripts) to use to perform malicious acts
• Attack software today has menu systems, and attacks are even easier for unskilled users
• 40 percent of attacks are performed by script kiddies.
• In this case attackers are using someone else’s code/scripts to attack systems.

Brokers
• Brokers - Individuals who uncover vulnerabilities and do not report them to the software vendor but instead sell them to the highest bidder
• These attackers sell their knowledge of a vulnerability to other attackers or even governments
• Buyers are generally willing to pay a high price because the vulnerability is unknown

Insiders
• Insiders - Employees, contractors, and business partners who steal from their employer
• Most malicious insider attacks consist of the sabotage or theft of intellectual property
• Offenders are usually employees who actually believe that the accumulated data is owned by them and not the organization
• Others are employees who have been pressured into stealing from their employer through blackmail or the threat of violence

Cyberterrorists
• Cyberterrorists – Attackers who have an ideological motivation
• Attacking because of their principles and beliefs
• Cyberterrorists can be inactive for several years and then suddenly strike in a new way
• Targets may include a small group of computers or networks that can affect the largest number of users
• Example: computers that control the electrical power grid of a state or region

Hacktivists
• Hacktivists – Another group motivated by ideology
• Unlike cyberterrorists, who launch attacks against foreign nations to incite panic, hacktivists are generally not as well-defined.
• Attacks can involve breaking into a website and changing the contents on the site as a means of making a political statement against those who oppose their beliefs
• Other attacks can be retaliatory

State-Sponsored Attackers
• State-sponsored attackers – Attackers supported by governments for launching computer attacks against their foes
• Attackers target foreign governments or even citizens of the government who are considered hostile or threatening

Steps of an Attack (Steps 1-4)
• Reconnaissance - Probe for any information about the system to reveal if the system is a viable target for an attack and how it could be attacked
• Weaponization - Create an exploit and package it into a deliverable payload that can be used against the target
• Delivery - The weapon is transmitted to the target
• Exploitation - The exploitation stage triggers the intruders’ exploit

Steps of an Attack (Steps 5-7)
• Installation - The weapon is installed to either attack the computer or install a remote “backdoor” so the attacker can access the system.
• Command and Control – Often the compromised system connects back to the attacker so that the system can be remotely controlled by the attacker and receive future instructions
• Actions on Objectives - Now attackers can start to take actions to achieve their original objectives, such as stealing user passwords or launching attacks against other computers

Cyber Kill Chain - Stages of a Cyber-attack (Figure 1-6)

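As an added example (not code from the textbook), the seven stages above can be treated as an ordered scale: the following Python maps constructed alert records onto those stages and reports how far an intrusion has progressed on each host, so a defender can contain first the hosts where the most layers have already been bypassed. The alert line format, host names and alert contents are constructed for this example.

```python
# Added example (not from the textbook): map constructed alert records onto the seven
# kill-chain stages listed on the slides and report how far an intrusion got per host.

# Stages in the order the slides present them; a larger index means more defensive
# layers have already been bypassed.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]


def parse_alert(line):
    """Parse one constructed alert line '<timestamp> <host> <stage> <free text>'.
    An unknown stage raises rather than being skipped, so a mistagged detection
    rule cannot silently hide an event from the triage view."""
    timestamp, host, stage, detail = line.split(maxsplit=3)
    if stage not in KILL_CHAIN:
        raise ValueError(f"unknown kill-chain stage: {stage!r}")
    return {"timestamp": timestamp, "host": host, "stage": stage, "detail": detail}


def stage_index(stage):
    """Position of a stage in the kill chain (0 = reconnaissance)."""
    return KILL_CHAIN.index(stage)


def furthest_stage_per_host(lines):
    """Return {host: furthest stage observed}, i.e. how deep the intrusion reached."""
    progress = {}
    for line in lines:
        alert = parse_alert(line)
        current = progress.get(alert["host"])
        if current is None or stage_index(alert["stage"]) > stage_index(current):
            progress[alert["host"]] = alert["stage"]
    return progress


def hosts_at_or_beyond(progress, stage):
    """Hosts whose intrusion reached `stage` or later: the ones to contain first."""
    threshold = stage_index(stage)
    return sorted(h for h, s in progress.items() if stage_index(s) >= threshold)


# Constructed sample alerts (not real data): ws-22 progressed to command and
# control, ws-17 was stopped at delivery, srv-db-1 only saw reconnaissance.
SAMPLE_ALERTS = [
    "2024-03-01T08:02:11Z ws-17 reconnaissance port scan from external address",
    "2024-03-01T08:40:05Z ws-17 delivery phishing attachment quarantined",
    "2024-03-01T09:15:42Z ws-22 delivery phishing attachment opened",
    "2024-03-01T09:16:03Z ws-22 exploitation macro spawned unexpected child process",
    "2024-03-01T09:18:30Z ws-22 command_and_control beaconing to unknown host",
    "2024-03-01T10:05:00Z srv-db-1 reconnaissance repeated login probes",
]

if __name__ == "__main__":
    progress = furthest_stage_per_host(SAMPLE_ALERTS)
    for host, stage in sorted(progress.items()):
        print(f"{host}: furthest stage = {stage}")
    print("contain first:", hosts_at_or_beyond(progress, "exploitation"))
```

Because each stage depends on the one before it, a detection that fires at delivery or exploitation breaks the chain before command and control is ever reached; the per-host view shows which hosts that did not happen for.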


Defenses Against Attacks
• Fundamental security principles for defenses
– Layering
– Limiting
– Diversity
– Obscurity
– Simplicity

Layering
• Information security must be created in layers
• A single defense mechanism may be easy to circumvent
• It is unlikely that an attacker can break through all defense layers
• Layered security approach
– Can be useful in resisting a variety of attacks
– Provides the most comprehensive protection

Limiting
• Limiting access to information reduces the threat against it
• Only those who must use data are granted access
• The amount of access is limited to what that person needs to know
• Methods of limiting access
– Technology (file permissions)
– Procedural (prohibiting document removal from premises)

Diversity
• Closely related to layering
• Layers must be different (diverse)
• If attackers penetrate one layer, the same techniques are unsuccessful in breaking through other layers
• Breaching one security layer does not compromise the whole system
• Example of diversity is using security products from different manufacturers

Obscurity
• Obscuring inside details to outsiders
• Example: not revealing details
– Type of computer
– Operating system version
– Brand of software used
• Difficult for an attacker to devise an attack if system details are unknown