Security+ Guide to Network Security Fundamentals, Fourth Edition

1-1

Chapter 1 Introduction to Security

At a Glance

Instructors Manual Table of Contents

Overview Objectives Teaching Tips Quick Quizzes Class Discussion Topics Additional Projects Additional Resources Key Terms

Security+ Guide to Network Security Fundamentals, Fourth Edition

1-2

Lecture Notes

Overview
Chapter 1 introduces security fundamentals that form the basis of the Security+ certification. It begins by examining the current challenges in computer security and why it is so difficult to achieve. It then describes information security in more detail to illustrate why it is important. Finally, the chapter looks at who is responsible for these attacks and what the fundamental defenses against attackers are.

Chapter Objectives
Describe the challenges of securing information Define information security and explain why it is important Identify the types of attackers that are common today List the basic steps of an attack Describe the five steps in a defense

Teaching Tips
Challenges of Securing Information
1. Explain that there is no simple solution to securing information. This can be seen through the different types of attacks that users face today, as well as the difficulties in defending against these attacks. Todays Security Attacks 1. Describe some typical security warnings, such as the following: a. A malicious program was introduced at some point in the manufacturing process of a popular brand of digital photo frames. b. A Nigerian e-mail scam claimed to be sent from the U.N. c. Booby-trapped Web pages are growing at an increasing rate. d. A new worm disables Microsoft Windows Automatic Updating and the Task Manager. e. Apple has issued an update to address 25 security flaws in its operating system OS X. f. The Anti-Phishing Working Group (APWG) reports that the number of unique phishing sites continues to increase. g. Researchers at the University of Maryland attached four computers equipped with weak passwords to the Internet for 24 days to see what would happen. These computers were hit by an intrusion attempt on average once every 39 seconds.

Security+ Guide to Network Security Fundamentals, Fourth Edition

1-3

2. Mention that security statistics bear witness to the continual success of attackers: a. TJX Companies, Inc. reported that over 45 million customer credit card and debit card numbers were stolen by attackers over an 18 month period from 2005 to 2007. b. Table 1-1 lists some of the major security breaches that occurred during a threemonth period. c. The total average cost of a data breach in 2007 was $197 per record compromised. d. A recent report revealed that of 24 federal government agencies, the overall grade was only C. Phishing Web sites are well known for suddenly appearing and then disappearing to reduce the risk of being traced. The average time a site is online is only four days according to the APWG (www.antiphishing.org).

Teaching Tip

Teaching Tip

The US-CERT security bulletin is available at www.us-cert.gov/cas/bulletins/. Difficulties in Defending against Attacks

1. Describe the following difficulties in defending against attacks: a. Speed of attacks b. Greater sophistication of attacks c. Simplicity of attack tools (see Figures 1-1 and 1-2) d. Attackers can detect vulnerabilities more quickly and more readily exploit these vulnerabilities e. Delays in patching hardware and software products f. Most attacks are now distributed attacks, instead of coming from only one source g. User confusion 2. Table 1-2 summarizes these difficulties.

What Is Information Security?

1. Mention that knowing why information security is important today and who the attackers are is beneficial. Defining Information Security 1. Explain that security can be considered as a state of freedom from a danger or risk. This state or condition of freedom exists because protective measures are established and maintained.

Security+ Guide to Network Security Fundamentals, Fourth Edition

1-4

2. Define information security as the tasks of guarding information that is in a digital format. It ensures that protective measures are properly implemented. Information security cannot completely prevent attacks or guarantee that a system is totally secure. 3. Explain that information security is intended to protect information that has value to people and organizations. That value comes from the characteristics of the information: a. Confidentiality b. Integrity c. Availability Teaching Tip The confidentiality, integrity, and availability of information is known as CIA.

4. Explain that information security is achieved through a combination of three entities. Use Figure 1-3 and Table 1-3 to illustrate your explanation. 5. A more comprehensive definition of information security is that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures. Information Security Terminology 1. Define the following information security terms: a. Asset b. Threat c. Threat agent d. Vulnerability e. Risk 2. Use Figure 1-4 and Table 1-4 to illustrate the terminology above.

Quick Quiz 1
1. ____ ensures that only authorized parties can view the information. Answer: Confidentiality 2. ____ ensures that data is accessible to authorized users. Answer: Availability 3. A(n) ____ is defined as something that has a value. Answer: asset 4. A(n) ____ is the likelihood that a threat agent will exploit a vulnerability. Answer: risk

Security+ Guide to Network Security Fundamentals, Fourth Edition

1-5

Understanding the Importance of Information Security 1. Mention that the main goals of information security are to prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism. 2. Explain that security is often associated with theft prevention. The theft of data is one of the largest causes of financial loss due to an attack. Individuals are often victims of data thievery. 3. Mention that identity theft involves using someones personal information to establish bank or credit card accounts that are then left unpaid, leaving the victim with the debts and ruining their credit rating. 4. Explain that a number of federal and state laws have been enacted to protect the privacy of electronic data, including the following: a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) b. The Sarbanes-Oxley Act of 2002 (Sarbox) c. The Gramm-Leach-Bliley Act (GLBA) d. USA Patriot Act (2001) e. The California Database Security Breach Act (2003) f. Childrens Online Privacy Protection Act of 1998 (COPPA)

Teaching Tip

In 2008, California extended its data breach notification law to encompass incidents including electronic medical and health insurance information.

5. Explain that cleaning up after an attack diverts resources such as time and money away from normal activities. Use Table 1-5 to illustrate your explanation. 6. Define cyberterrorism as attacks by terrorist groups using computer technology and the Internet. Utility, telecommunications, and financial services companies are considered prime targets of cyberterrorists.

Who Are the Attackers?

1. The types of people behind computer attacks are generally divided into several categories. These include hackers, script kiddies, spies, employees, cybercriminals, and cyberterrorists. Hackers 1. Explain that the term hacker in a generic sense means anyone who illegally breaks into or attempts to break into a computer system. In a more narrow sense, hacker means a person who uses advanced computer skills to attack computers only to expose security flaws.

Security+ Guide to Network Security Fundamentals, Fourth Edition

1-6

2. Mention that although breaking into another persons computer system is illegal, some hackers believe it is ethical as long as they do not commit theft, vandalism, or breach any confidentiality. Security vulnerabilities, however, can be exposed in ways other than attacking another computer without the owners consent, and most security professionals would not refer to themselves as hackers.

Teaching Tip

Script Kiddies 1. Define script kiddies as unskilled users that want to break into computers to create damage. They download automated hacking software (scripts) from Web sites and use it to break into computers. 2. Mention that script kiddies are sometimes considered more dangerous than hackers. They tend to be computer users who have almost unlimited amounts of leisure time, which they can use to attack systems. Spies 1. Define a computer spy as a person who has been hired to break into a computer and steal information. 2. Explain that spies are hired to attack a specific computer or system that contains sensitive information. Their goal is to break into that computer or system and take the information without drawing any attention to their actions. 3. Mention that spies, like hackers, possess excellent computer skills. Insiders 1. Mention that one of the largest information security threats to a business actually comes from an unlikely source: its employees, contractors and business partners. 2. Describe some of the reasons an employee would break into their companys computer, including: a. An employee might want to show the company a weakness in their security b. Disgruntled employees may be intent on retaliating against the company c. Industrial espionage d. Blackmailing 3. Discuss the following example of an insider attack: a. A U.S. Army private in Iraq accessed secret U.S. diplomatic cables and other sensitive documents, which were then given to an international whistleblower who posted them on the Internet. b.

Security+ Guide to Network Security Fundamentals, Fourth Edition

1-7

Cybercriminals 1. Define cybercriminals as a loose-knit network of attackers, identity thieves, and financial fraudsters. They are described as more highly motivated, less risk-averse, better funded, and more tenacious than hackers. 2. Mention that many security experts believe that cybercriminals belong to organized gangs of young and mostly Eastern European attackers. Use Table 1-6 to illustrate your explanation. Cybercriminals often meet in online underground forums that have names like DarkMarket.org and theftservices.com. The purpose of these meetings is to trade information and coordinate attacks around the world.

Teaching Tip

3. Explain that cybercriminals have a more focused goal that can be summed up in a single word: money. 4. Define cybercrime as targeted attacks against financial networks, unauthorized access to information, and the theft of personal information. 5. Explain that financial cybercrime is often divided into two categories: a. Trafficking in stolen credit card numbers and financial information b. Using spam to commit fraud Cyberterrorists 1. Explain that the motivation of cyberterrorists may be defined as ideology, or attacking for the sake of their principles or beliefs. 2. Describe the following goals of a cyberattack: a. To deface electronic information and spread misinformation and propaganda b. To deny service to legitimate computer users c. To commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data Teaching Tip Cyberterrorists are sometimes considered the attackers that should be feared the most, for it is almost impossible to predict when or where an attack may occur.

Attacks and Defenses

1. Explain that although there are a wide variety of attacks that can be launched against a computer or network, the same basic steps are used in most attacks.

Security+ Guide to Network Security Fundamentals, Fourth Edition

1-8

2. Explain that protecting computers against these steps in an attack calls for five fundamental security principles. Steps of an Attack 1. Use Figure 1-5 to describe the five steps that make up an attack: a. Probe for information b. Penetrate any defenses c. Modify security settings d. Circulate to other systems e. Paralyze networks and devices

Defenses against Attacks

1. Mention that although multiple defenses may be necessary to withstand an attack, these defenses should be based on five fundamental security principles: layering, limiting, diversity, obscurity, and simplicity. Layering 1. Mention that information security must be created in layers. 2. Explain that one defense mechanism may be relatively easy for an attacker to circumvent. Instead, a security system must have layers, making it unlikely that an attacker has the tools and skills to break through all the layers of defenses. 3. Explain that a layered approach can also be useful in resisting a variety of attacks. Layered security provides the most comprehensive protection. Limiting 1. Mention that limiting access to information reduces the threat against it. 2. Explain that only those who must use data should have access to it. In addition, the amount of access granted to someone should be limited to what that person needs to know. 3. Mention that some ways to limit access are technology-based, while others are procedural. Teaching Tip Diversity 1. Explain that layers must be different (diverse) so that if attackers penetrate one layer, they cannot use the same techniques to break through all other layers. What level of access should users have? The best answer is the least amount necessary to do their jobs, and no more.

Security+ Guide to Network Security Fundamentals, Fourth Edition

1-9

2. Using diverse layers of defense means that breaching one security layer does not compromise the whole system. Obscurity 1. Explain that an example of obscurity is not revealing the type of computer, operating system, software, and network connection that a computer uses. An attacker who knows that information can more easily determine the weaknesses of the system. 2. Mention that obscuring information can be an important way to protect information. Simplicity 1. Explain that information security is by its very nature complex. Complex security systems can be hard to understand, troubleshoot, and feel secure about. 2. Mention that as much as possible, a secure system should be simple for those on the inside to understand and use. Complex security schemes are often compromised to make them easier for trusted users to work with. Keeping a system simple from the inside but complex on the outside can sometimes be difficult but reaps a major benefit.

Quick Quiz 2
1. Targeted attacks against financial networks, unauthorized access to information, and the theft of personal information is sometimes known as ____. Answer: cybercrime 2. The motivation of ____ may be defined as ideology, or attacking for the sake of their principles or beliefs. Answer: cyberterrorists 3. ____ is a superset of information security including security issues that do not involve computers. Answer: Information assurance 4. An example of _____ in information security would be not revealing the type of computer, version of operating system, or brand of software that is used. Answer: obscurity

Class Discussion Topics

1. What are the differences between hackers and crackers? 2. Describe cyberterrorism.

Security+ Guide to Network Security Fundamentals, Fourth Edition

1-10

Additional Projects
1. Ask your students to read more about phishing scams and write a report with a series of guidelines to recognize them and other fraudulent e-mails.
2.

Nessus is a widely used free vulnerability scanner tool used by many security experts. Ask your students to read more about Nessus and write a report summarizing its more important features.

Additional Resources
1. FTC - Spam http://www.ftc.gov/bcp/edu/microsites/spam/ 2. Fight Spam on the Internet! http://spam.abuse.net/ 3. How to recognize phishing e-mail messages, links, or phone calls http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx 4. Anti-Phishing Working Group http://www.antiphishing.org/ 5. SANS' Information Security Reading Room http://www.sans.org/reading_room/ 6. Zero day initiative http://www.zerodayinitiative.com/

Key Terms
accounting The ability that provides tracking of events. asset An item that has value. authorization The act of ensuring that an individual or element is genuine. authentication The steps that ensure that the individual is who they claim to be. availability Security actions that ensure that data is accessible to authorized users. Californias Database Security Breach Notification Act The first state law that covers any state agency, person, or company that does business in California. confidentiality Security actions that ensure only authorized parties can view the information. cybercrime Targeted attacks against financial networks, unauthorized access to information, and the theft of personal information. cybercriminals A network of attackers, identity thieves, spammers, and financial fraudsters.

Security+ Guide to Network Security Fundamentals, Fourth Edition

1-11

cyberterrorism A premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence. cyberterrorists Attackers whose motivation may be defined as ideology, or attacking for the sake of their principles or beliefs. exploiting The act of taking advantage of a vulnerability. Gramm-Leach-Bliley Act (GLBA) A law that requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. hacker A term used to refer to a person who uses advanced computer skills to attack computers. Health Insurance Portability and Accountability Act (HIPAA) A law designed to guard protected health information and implement policies and procedures to safeguard it. identity theft Stealing another persons personal information, such as a Social Security number, and then using the information to impersonate the victim, generally for financial gain. information security The tasks of securing information that is in a digital format. integrity Security actions that ensure that the information is correct and no unauthorized person or malicious software has altered the data. risk The likelihood that a threat agent will exploit the vulnerability. Sarbanes-Oxley Act (Sarbox) A law designed to fight corporate corruption. script kiddies Individuals who want to break into computers to create damage, yet lack the advanced knowledge of computers and networks needed to do so. spy A person who has been hired to break into a computer and steal information. threat A type of action that has the potential to cause harm. threat agent A person or element that has the power to carry out a threat. vulnerability A flaw or weakness that allows a threat agent to bypass security.