ITIS412: Information Security

Chapter 1: Introduction to Security

Challenges of Securing Information
 Today all citizens forced to continually protect themselves
from attacks by invisible foes
 Attacks not just physical but also include attacks on
information technology
 Attacks directed at individuals, schools, businesses, and
governments through desktop computers, laptops,
smartphones, and tablet computers
 Information security is focused on protecting electronic
information of organizations and users

2 ITIS 412
Information Security Personnel
 Chief Information Security Officer (CISO) - Responsible
for assessing, managing, and implementing security
 Security manager - Supervises technicians, administrators,
and security staff
 Security administrator - Manages daily operations of
security technology
 Security technician - Provide technical support to
configure security hardware, implement security software,
and diagnose and troubleshoot problems

3 ITIS 412
Information Security Employment
 Employees with certifications in security are in high
demand
 Security is rarely offshored or outsourced
 Job outlook for security professionals is exceptionally
strong
 U.S. Bureau of Labor Statistics (BLS) “Occupational
Outlook Handbook” indicates job outlook for information
security analysts through end of decade expected to grow
by 22 percent, faster than average growth rate

4 ITIS 412
CompTIA Security+
 CompTIA Security+ certification is widely-recognized
vendor-neutral credential
 Requires passing current certification exam SY0-401
 Tests knowledge and skills required to:
 identify risks;
 provide infrastructure, application, operational and
information security;
 apply security controls to maintain confidentiality,
integrity, and availability;
 identify appropriate protection technologies and
products
5 ITIS 412
Today’s Security Attacks
 Balances manipulated on prepaid debit cards
 Home Wi-Fi network attacked
 Twitter accounts exploited
 Ploutus ATM malware
 Exposed serial servers
 Manipulate aircraft and ocean vessels
 Computer cluster for cracking passwords
 Apple Mac vulnerabilities
 Electronic data records stolen

6 ITIS 412
Homework
 Search the web for recent cyber-attacks in one of
categories in the previous slide or in other categories.
 Prepare to speak about it in class.

7 ITIS 412
Project Teams
 I usually assign teams
 This time you pick your own
 Walk around
 Talk to each other
 Pick your teams & let me know

8 ITIS 412
Form Groups
 Enroll students on Blackboard
 Form Groups

9 ITIS 412
Difficulties in Defending Against Attacks
 Universally connected devices
 Increased speed of attacks
 Greater sophistication of attacks
 Availability and simplicity of attack tools
 Faster detection of vulnerabilities
 Delays in security updating
 Weak security update distribution
 Distributed attacks
 Introduction of BYOD
 User confusion

10 ITIS 412
Menu of Attack Tools

11 ITIS 412
Difficulties in Defending

12 ITIS 412
What Is Information Security?
 Beforedefense is possible, one must
understand:
 What is security
 What information security is
 Information security terminology
 Why it is important

13 ITIS 412
Understanding Security
 “Security” is defined as either the process (how to
achieve security) or the goal (what it means to have
security).
 In reality security is both: it is the goal to be free from
danger as well as the process that achieves that
freedom
 Security is the necessary steps to protect a person or
property from harm.
 This harm may come from one of two sources:
 Direct action
 Indirect and unintentional action
14 ITIS 412
Security and Convenience
 Relationship between security and convenience
 As security is increased, convenience is often
decreased
 Security is “inversely proportional” to convenience
 The more secure something is, the less convenient it
may become to use
 Security is sacrificing convenience for safety or giving
up short-term comfort for long-term protection

15 ITIS 412
Relationship Security-Convenience

16 ITIS 412
Defining Information Security
 Information security - Tasks of securing information
in digital format:
 Manipulated by a microprocessor
 Stored on a storage device
 Transmitted over a network
 Protection - Information security cannot completely
prevent successful attacks or guarantee that a system
is totally secure
 Protective measures ward off attacks and prevent total
collapse of the system when a successful attack does
occur
17 ITIS 412
Three Protections
 Information – Provides value to people and
organizations
 Three protections that must be extended over
information (CIA):
 Confidentiality: Ensures only authorized parties
can view information
 Integrity: Ensures information not altered
 Availability: Ensures information accessible when
needed to authorized parties

18 ITIS 412
AAA
 Threeadditional protections that must be
extended over information (AAA):
 Authentication: Ensures that the individual is who
she claims to be (the authentic or genuine person)
and not an imposter
 Authorization: Providing permission or approval to
specific technology resources
 Accounting: Provides tracking of events

19 ITIS 412
Securing Devices
 Devices - Information security involves more
than protecting the information itself
 Information is:
 Stored on computer hardware
 Manipulated by software
 Transmitted by communications

 Each of these areas must also be protected

20 ITIS 412
Three Entities
 Entities - Information security is achieved
through a process that is a combination of three
entities
 Information and the hardware, software, and
communications are protected in three layers:
 Products
 People
 Policies and procedures

 Procedures enable people to understand how to

use products to protect information
21 ITIS 412
Security Layers

22 IT 335
ITIS 412
Security Layers

23 ITIS 412
Information Security Definition
 Comprehensive definition of information security
involves both the goals and process
 Information security defined as that which protects
the integrity, confidentiality, and availability of
information on the devices that store, manipulate, and
transmit the information through products, people,
and procedures

24 ITIS 412
Information Security Terminology: Asset
 Asset - An item that has value
 In organization critical assets have these
qualities:
 They provide value to the organization
 They cannot easily be replaced without a significant
investment in expense, time, worker skill, and/or
resources
 They can form part of the organization's corporate
identity.

25 ITIS 412
Technology Assets Examples

26 ITIS 412
Information Security Terminology: Threat
 Information security threats: events or actions that
represent a danger to information assets
 Threat by itself does not mean that security has been
compromised;
 simply means that the potential for creating a loss is real
 Threat can result in:
 corruption or theft of information
 delay in information being transmitted
 loss of good will or reputation

27 ITIS 412
Information Security Terminology: Threat
Agent
 Threat agent - Person or element that has the
power to carry out a threat
 Threat agent can be:
 Person attempting to break into a secure computer
network
 Force of nature such as a hurricane that could
destroy computer equipment and thus destroy
information
 Malicious software that attacks the computer
network
28 ITIS 412
Information Security Terminology:
Vulnerability
 Vulnerability - Flaw or weakness that allows a threat
agent to bypass security
 Example is software defect in an operating system
that allows an unauthorized user to gain control of a
computer without the user’s knowledge or permission

29 ITIS 412
Information Security Terminology: Threat
Vector
 Threat vector - means by which an attack can occur
 Example is attacker, knowing that a flaw in a web
server’s operating system has not been patched, is
using the threat vector (exploiting the vulnerability) to
steal user passwords
 Threat likelihood - probability that threat will come
to fruition

30 ITIS 412
Information Security Terminology: Risk
 Risk - situation that involves exposure to some
type of danger.
 Options when dealing with risk:
 Risk avoidance
 Acceptance
 Mitigation
 Deterrence
 Transference

31 ITIS 412
Understanding the Importance of
Information Security: Preventing Theft
 Preventing data theft – Stopping data from being
stolen cited as primary objective of information
security
 Business data theft is stealing proprietary business
information
 Personal data is prime target of attackers is credit card
numbers that can be used to purchase thousands of
dollars of merchandise

32 ITIS 412
Identity Theft
 Thwarting identity theft - Using another’s personal
information in unauthorized manner for financial gain
 Example:
 Steal person’s SSN
 Create new credit card account
 Charge purchases
 Leave unpaid

33 ITIS 412
Avoid Legal Consequences
 Avoiding legal consequences - Businesses that fail to protect
data they possess may face serious financial penalties from
federal or state laws
 Laws protecting electronic data privacy:
 Health Insurance Portability and Accountability Act of 1996
(HIPAA)- Health records
 Sarbanes-Oxley Act of 2002 (Sarbox)-corporate reporting
 Gramm-Leach-Bliley Act (GLBA)-private info by banks
 Payment Card Industry Data Security Standard (PCI DSS)-
security standards for entities that deal with consumer credit
card info
 CA Database Security Breach Notification Act- Most states
except Alabama, Kentucy, New Mexico & S. Dakota
34 ITIS 412
Cost of Attacks
 Maintaining productivity - Post-attack clean up diverts
resources like time and money

35 ITIS 412
Foiling Cyberterrorism
 Foiling cyberterrorism - Premeditated,
politically motivated attacks
 Targets are banking, military, power plants, air
traffic control centers, or other critical
infrastucture
 Designed to:
 Cause panic
 Provoke violence
 Result in financial catastrophe

36 ITIS 412
Who Are the Attackers?
 Hacker – Older term referred to a person who used
advanced computer skills to attack computers
 Black hat hackers - Attackers who violated computer
security for personal gain or to inflict malicious
damage
 White hat hackers - “Ethical attackers” who received
permission to probe system for any weaknesses
 Gray hat hackers – Attackers who would break into a
computer system without permission and then
publically disclose vulnerability

37 ITIS 412
Cybercrimminals
 Cybercriminals - Generic term describes individuals
who launch attacks against other users and their
computers
 A loose network of attackers, identity thieves, and
financial fraudsters who are highly motivated by
financial gain

38 ITIS 412
Script Kiddies
 Script kiddies - Unskilled users with goal to break
into computers to create damage
 Download automated hacking software
(scripts) to use to perform malicious acts
 40 % of attacks performed by script kiddies

39 ITIS 412
Brokers
Brokers - Individuals who uncover
vulnerabilities do not report them to the software
vendor but instead sell them to the highest bidder
 other attackers or even governments
Buyersare generally willing to pay a high price
because this vulnerability is unknown

40 ITIS 412
Insiders
 Insiders - Employees, contractors, and business partners
who steal from employer
 Most malicious insider attacks consist of the sabotage or
theft of intellectual property
 Offenders are usually employees who actually believe that
the accumulated data is owned by them and not the
organization
 Others are employees have been pressured into stealing
from their employer through blackmail or the threat of
violence

41 ITIS 412
Cyberterrorists
 Cyberterrorists – Attackers who have ideological
motivation
 Can be inactive for several years and then suddenly
strike in a new way
 Targets may include a small group of computers or
networks that can affect the largest number of users
 E.g. computers that control the electrical power grid of a
state or region

42 ITIS 412
Hactivists
 Hactivists – Another group motivated by ideology
 Unlike cyberterrorists who launch attacks against foreign
nations to incite panic, hactivists generally not as well-
defined.
 Attacks can involve breaking into a website and changing
the contents on the site as a means of making a political
statement against those who oppose their beliefs
 Other attacks can be retaliatory

43 ITIS 412
State-Sponsored Attackers (Cyberwar)
 State-sponsored attackers – Attackers supported by
governments for launching computer attacks against their
foes
 Attackers target foreign governments or even citizens of
the government who are considered hostile or threatening

44 ITIS 412
Steps of an Attack (Steps 1-4)
 Reconnaissance - Probe for any information about the
system to reveal if the system is a viable target for an
attack and how it could be attacked
 Weaponization - Create an exploit and package it into a
deliverable payload that can be used against the target
 Delivery - The weapon is transmitted to the target
 Exploitation - The exploitation stage triggers the intruders’
exploit

45 ITIS 412
Steps of an Attack (Steps 5-7)
 Installation - The weapon is installed to either attack the
computer or install a remote “backdoor” so the attacker
can access the system.
 Command and Control – Often the compromised system
connects back to the attacker so that the system can be
remotely controlled by the attacker and receive future
instructions
 Actions on Objectives - Now attackers can start to take
actions to achieve their original objectives, such as
stealing user passwords or launching attacks against other
computers

46 ITIS 412
 Cyber Kill Chain

47 ITIS 412
Defenses Against Attacks
 Fundamental security principles for defenses
 Layering
 Limiting
 Diversity
 Obscurity
 Simplicity

48 ITIS 412
Layering
 Information security must be created in layers
 Single defense mechanism may be easy to
circumvent
 Unlikely that attacker can break through all
defense layers
 Layered security approach
 Can be useful in resisting a variety of attacks
 Provides the most comprehensive protection

49 ITIS 412
Limiting
 Limiting access to information reduces the
threat against it
 Only those who must use data granted access
 Amount of access limited to what that person
needs to know
 Methods of limiting access
 Technology (file permissions)
 Procedural (prohibiting document removal from
premises)

50 ITIS 412
Diversity
 Closely related to layering
 Layers must be different (diverse)
 If attackers penetrate one layer then same techniques
unsuccessful in breaking through other layers
 Breaching one security layer does not compromise the
whole system
 Example of diversity is using security products from
different manufacturers

51 ITIS 412
Obscurity
 Obscuring inside details to outsiders
 Example: not revealing details
 Type of computer
 Operating system version
 Brand of software used

 Difficult for attacker to devise attack if system

details are unknown

52 ITIS 412