Intro to Information Security

This document provides an introduction to information security. It outlines the objectives of describing challenges to securing information, defining information security and why it's important, identifying common attackers, and describing basic defense principles. It then discusses securing information, examples of recent attacks, reasons for successful attacks, and difficulties defending against attacks. Finally, it defines information security and related terminology, discusses the importance of information security, maintaining productivity, foiling cyberterrorism, and identifies common threat actors.


Lecture 1- Introduction to Security

MN502

Acknowledgement: Instructor resource, Chapter 1, CompTIA Security+ Guide to Network Security Fundamentals, Sixth Edition, 2018, by M. Ciampa

Objectives

• Describe the challenges of securing information
• Define information security and explain why it is important
• Identify the types of attackers that are common today
• Describe the five basic principles of defense

March 2018 Compiled by: Dr Fariza Sabrina 2


Challenges of Securing Information
• Securing information
– No simple solution
– Many different types of attacks
– Defending against attacks is often difficult



Today’s Security Attacks

• Examples of recent attacks
– Remotely controlling a car
– Tampering with aircraft systems
– Yahoo accounts compromised by attackers
– USB flash drive malware/USB Killer
– WINVote voting machine tampering
– Vtech security breach
– Stolen data from the European Space Agency
– IRS fraud
– Hyatt Hotels Corporation hacked



Reasons for Successful Attacks

• Widespread vulnerabilities
• Configuration issues
• Poorly designed software
• Hardware limitations
• Enterprise-based issues



Difficulties in Defending Against Attacks



What Is Information Security?

• Before defense is possible, one must understand:
– Exactly what security is
– How security relates to information security
– The terminology that relates to information security



Understanding Security

• Security is:
– The goal to be free from danger
– The process that achieves that freedom
• Harm/danger may come from one of two sources:
– From a direct action that is intended to inflict damage
– From an indirect and unintentional action
• As security is increased, convenience is often
decreased
– The more secure something is, the less convenient it may
become to use



Understanding Security



Defining Information Security (1 of 4)
• Information security - the tasks of securing
information that is in a digital format:
– Manipulated by a microprocessor
– Preserved on a storage device
– Transmitted over a network
• Information security goal - to ensure that
protective measures are properly implemented
to ward off attacks and prevent the total collapse
of the system when a successful attack occurs



Defining Information Security (2 of 4)
• Three types of information protection: often
called CIA
– Confidentiality
• Only approved individuals may access information
– Integrity
• Information is correct and unaltered
– Availability
• Information is accessible to authorized users
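The three CIA goals are separate properties, and a control that delivers one does not automatically deliver another. The following added example (written for this page, not code from the slides or from Ciampa's text) uses a toy stream cipher built from HMAC-SHA256 in counter mode to show that encryption alone gives confidentiality but not integrity: an attacker who cannot read the message can still flip the payment amount inside it, and only an appended authentication tag detects the change. The keys, nonce and message are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Added example (not from the lecture slides). A toy stream cipher built from
# HMAC-SHA256 in counter mode, used only to show the difference between the
# confidentiality and integrity goals. Keys, nonce and message are constructed.

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream as HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream (decryption is the same call)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality + integrity: encrypt, then append a tag over nonce || ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, sealed: bytes) -> Optional[bytes]:
    """Check the tag in constant time before decrypting; None means 'altered'."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return encrypt(enc_key, nonce, ct)


def flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's bit-flip: XOR (old ^ new) into the ciphertext, no key needed."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def demo() -> Dict[str, Optional[bytes]]:
    enc_key, mac_key, nonce = b"k" * 32, b"m" * 32, b"nonce-01"
    msg = b"PAY 0010 USD TO ALICE"        # constructed sample message
    off = msg.index(b"0010")

    # Encryption only: the amount is rewritten and the result decrypts "cleanly".
    tampered_ct = flip(encrypt(enc_key, nonce, msg), off, b"0010", b"9999")
    unchecked = encrypt(enc_key, nonce, tampered_ct)

    # Encrypt-then-MAC: the same flip is rejected because the tag no longer matches.
    sealed = seal(enc_key, mac_key, nonce, msg)
    tampered_sealed = flip(sealed, off, b"0010", b"9999")
    return {
        "unchecked": unchecked,
        "intact": open_sealed(enc_key, mac_key, nonce, sealed),
        "tampered": open_sealed(enc_key, mac_key, nonce, tampered_sealed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running demo() returns the tampered amount under encryption alone, the original message when the tag verifies, and None when the tag does not. Availability is the one goal this code cannot show: a correctly sealed message is worthless if the service holding the keys is down. The construction here is for illustration only; production code should use an authenticated mode such as AES-GCM or ChaCha20-Poly1305 rather than a hand-built encrypt-then-MAC.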



Defining Information Security (3 of 4)



Defining Information Security (4 of 4)

Layer | Description
Products | Form the security around the data. May be as basic as door locks or as complicated as network security equipment.
People | Those who implement and properly use security products to protect data.
Policies and procedures | Plans and policies established by an enterprise to ensure that people correctly use the products.



Information Security Terminology (1 of 4)

• Asset
– Item that has value

• Threat
– Type of action that has the potential to cause harm

• Threat actor
– A person or element with power to carry out a threat



Information Security Terminology (2 of 4)



Information Security Terminology (3 of 4)

• Vulnerability
– Flaw or weakness that allows a threat actor to bypass security
• Threat vector
– The means by which an attack can occur
• Risk
– A situation that involves exposure to some type of danger
• Risk response techniques:
– Accept – the risk is acknowledged but no steps are taken to address it
– Transfer – the risk is transferred to a third party (for example, through insurance)
– Avoid – the risk is identified and the decision is made not to engage in the activity
– Mitigate – the risk is addressed by making it less serious
Information Security Terminology (4 of 4)

Term | Example in scooter scenario | Example in information security
Asset | Scooter | Employee database
Threat | Steal scooter | Steal data
Threat actor | Thief | Attacker, hurricane
Vulnerability | Hole in fence | Software defect
Threat vector | Climb through hole in fence | Access web server passwords through a flaw in the operating system
Likelihood | Probability of scooter being stolen | Likelihood of virus infection
Risk | Stolen scooter | Virus infection or stolen data



Understanding the Importance of Information Security
• Information security can be helpful in:
– Preventing data theft
– Thwarting identity theft
– Avoiding the legal consequences of not securing information
– Maintaining productivity
– Foiling cyberterrorism



Maintaining Productivity

• Post-attack clean up diverts resources away from normal activities
– Time, money, and other resources
• Table 1-6 shows the cost of attacks

Number of total employees | Average hourly salary | Number of employees to combat attack | Hours required to stop attack and clean up | Total lost salaries | Total lost hours of productivity
100 | $25 | 1 | 48 | $4,066 | 81
250 | $25 | 3 | 72 | $17,050 | 300
500 | $30 | 5 | 80 | $28,333 | 483
1000 | $30 | 10 | 96 | $220,000 | 1293



Foiling Cyberterrorism

• Cyberterrorism
– Any premeditated, politically motivated attack against information, computer systems, computer programs, and data
• Designed to:
– Cause panic
– Provoke violence
– Result in financial catastrophe
• May be directed at targets such as the banking industry, military installations, power plants, air traffic control centers, and water systems



Who Are the Threat Actors?

• Threat actor – a generic term used to describe individuals who launch attacks against other users and their computers
– Most have a goal of financial gain
• Financial cybercrime is often divided into two categories:
– The first category focuses on individuals as the victims
– The second category focuses on enterprises and governments
• Different groups of threat actors can vary widely, based on:
– Attributes
– Funding and resources
– Whether internal or external to the enterprise or organization
– Intent and motivation



Script Kiddies (1 of 2)

• Script kiddies – individuals who want to attack computers yet lack the knowledge of computers and networks needed to do so
• They download automated hacking software (scripts) from websites
• Over 40 percent of attacks require low or no skills



Script Kiddies (2 of 2)



Hacktivists

• Hacktivists – attackers who attack for ideological reasons that are generally not as well-defined as a cyberterrorist’s motivation
• Examples of hacktivist attacks:
– Breaking into a website and changing its contents to make a political statement
– Disabling a website belonging to a bank because the bank stopped accepting payments that were deposited into accounts belonging to the hacktivists



Nation State Actors

• Nation state actor – an attacker commissioned by a government to attack enemies’ information systems
– May target foreign governments or even citizens of their own government who are considered hostile or threatening
– Known for being well-resourced and highly trained
• Advanced Persistent Threat (APT) – a multiyear intrusion campaign that targets highly sensitive economic, proprietary, or national security information



Insiders

• Employees, contractors, and business partners
• Over 58 percent of breaches are attributed to insiders
• Examples of insider attacks:
– A health care worker may publicize celebrities’ health records
• Disgruntled over upcoming job termination
– A stock trader might conceal losses through fake transactions
– Employees may be bribed or coerced into stealing data before moving to a new job



Other Threat Actors

Threat actor | Description | Explanation
Competitors | Launch attacks against an opponent’s system to steal classified information | Competitors may steal new product research or a list of current customers to gain a competitive advantage
Organized crime | Moving from traditional criminal activities to more rewarding and less risky online attacks | Criminal networks are usually run by a small number of experienced online criminals who do not commit crimes themselves but act as entrepreneurs
Brokers | Sell their knowledge of a vulnerability to other attackers or governments | Individuals who uncover vulnerabilities do not report them to the software vendor but instead sell them to the highest bidder
Cyberterrorists | Attack a nation’s network and computer infrastructure to cause disruption and panic among citizens | Targets may include a small group of computers or networks that can affect the largest number of users, such as the computers that control the electrical power grid of a state or region



Defending Against Attacks

• Five fundamental security principles for defenses:
– Layering
– Limiting
– Diversity
– Obscurity
– Simplicity



Layering

• Information security must be created in layers
– A single defense mechanism may be easy to circumvent
– Multiple, independent layers make it unlikely that an attacker can break through all of them
• Layered security approach (also called defense-in-depth)
– Can be useful in resisting a variety of attacks
– Provides the most comprehensive protection



Limiting

• Limiting access to information:
– Reduces the threat against it
• Only those who must use data should be granted access
– Access should be limited to only what they need to do their job
• Methods of limiting access
– Technology-based – such as file permissions
– Procedural – such as prohibiting document removal from premises
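Technology-based limiting is only as good as the checks that confirm it is still in place. The following added example (not from the slides) audits POSIX file modes against a simple least-privilege policy: nothing world-writable, no setuid/setgid programs, and files classed as secrets readable by their owner only. The suffix list that decides what counts as a secret and the sample tree built in demo() are assumptions made for the demonstration.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Added example (not from the lecture slides). Audits file modes against a
# least-privilege policy. The "secret" classification by suffix and the sample
# tree in demo() are assumptions made for the demo.

SECRET_SUFFIXES = (".key", ".pem", ".env")   # hypothetical: what counts as a secret


def regular(perm: int) -> int:
    """Build a regular-file st_mode from permission bits, e.g. regular(0o640)."""
    return stat.S_IFREG | perm


def classify(path: str) -> str:
    return "secret" if path.endswith(SECRET_SUFFIXES) else "normal"


def check_mode(path: str, mode: int) -> List[str]:
    """Return the policy violations for one file, given its st_mode."""
    findings = []
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IWOTH:
        findings.append("world-writable")
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid bit set")
    if classify(path) == "secret" and perm & (stat.S_IRWXG | stat.S_IRWXO):
        # Any group or other access to a secret is more privilege than needed.
        findings.append("secret accessible beyond owner")
    return findings


def audit(entries: List[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Audit (path, st_mode) pairs and return only the files with findings."""
    report: Dict[str, List[str]] = {}
    for path, mode in entries:
        findings = check_mode(path, mode)
        if findings:
            report[path] = findings
    return report


def audit_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree and audit every file in it (lstat: do not follow links)."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries.append((full, os.lstat(full).st_mode))
    return audit(entries)


def demo() -> Dict[str, List[str]]:
    """Build a throwaway tree with deliberately poor modes and audit it."""
    sample = {"app.log": 0o644, "db.key": 0o640, "deploy.sh": 0o777, "prod.env": 0o600}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in sample.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("x")
            os.chmod(path, mode)
        return {os.path.basename(p): f for p, f in audit_tree(root).items()}


if __name__ == "__main__":
    for path, findings in demo().items():
        print(f"{path}: {', '.join(findings)}")
```

On a POSIX system demo() reports db.key (group-readable secret) and deploy.sh (world-writable) and nothing for the two correctly limited files. The same audit() function can be fed modes from any source, which is how such a check is usually run in a CI job or a host-hardening scan.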



Diversity

• Closely related to layering
– Layers must be different (diverse)
• If attackers penetrate one layer:
– The same techniques will be unsuccessful in breaking through the other layers
• Breaching one security layer does not compromise the whole system
• Examples of diversity
– Using security products from different manufacturers
– Control diversity: the groups responsible for regulating access are different from one another



Obscurity

• Obscuring inside details from outsiders
• Example: not revealing details such as
– Type of computer
– Operating system version
– Brand of software used
• It is more difficult for an attacker to devise an attack if system details are unknown
– Obscurity alone is not a defense; it supplements the other four principles rather than replacing them
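One concrete place where inside details leak is the HTTP response header, which many servers and frameworks fill with product names and version numbers by default. The following added example (not from the slides) parses constructed sample responses and lists the headers that disclose software details; the set of header names it treats as stack-advertising is a chosen policy, not an exhaustive list.

```python
import re
from typing import Dict, List

# Added example (not from the lecture slides). Flags HTTP response headers that
# reveal product names and versions. Both sample responses are constructed.

# product/version, e.g. "Apache/2.4.41", "PHP/7.4.3", "nginx/1.18"
VERSION_RE = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)*")
# Headers that exist mainly to advertise the stack; flag them whenever present.
STACK_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator")


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP response as a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:        # skip the status line
        if line == "":
            break                             # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def disclosures(raw: str) -> List[str]:
    """List the headers of one response that leak software details."""
    headers = parse_headers(raw)
    found = []
    for name, value in headers.items():
        if name in STACK_HEADERS:
            found.append(f"{name}: {value}")
        elif name == "server" and VERSION_RE.search(value):
            found.append(f"{name}: {value}")
    return found


# Constructed sample responses: one chatty default install, one with banners trimmed.
CHATTY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
QUIET = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("chatty", CHATTY), ("quiet", QUIET)):
        print(label, disclosures(raw))
```

The chatty response yields two findings (the Server and X-Powered-By values); the quiet one yields none. Trimming banners only raises the attacker's cost, since a server can still be fingerprinted from its behaviour, so this check is a supplement to patching and access control rather than a substitute for them.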



Simplicity

• The nature of information security is complex
• Complex security systems:
– Can be difficult to understand and troubleshoot
– Are often compromised for ease of use by trusted users
• A secure system should be simple from the inside
– But complex from the outside



Frameworks and Reference Architectures

• Industry-standard frameworks and reference architectures
– Provide a resource on how to create a secure IT environment
– Give an overall program structure and security management guidance to implement and maintain an effective security program
• Various frameworks/architectures are specific to a particular sector (industry-specific frameworks)
– Such as the financial industry
• Some frameworks/architectures are domestic
– While others are worldwide



Summary

• Information security attacks have grown exponentially in recent years
• It is difficult to defend against today’s attacks
• Information security protects information’s confidentiality, integrity, and availability
• Different types of people with different motivations conduct computer attacks
• An attack has seven general steps known as the Cyber Kill Chain



Case Study
“Bay Pointe Security Consulting (BPSC) provides security consulting services to a wide
range of businesses, individuals, schools, and organizations. Because of its reputation
and increasing demand for its services, BPSC has partnered with a local college to hire
technology students close to graduation to assist them on specific projects. This not
only helps BPSC with their projects but also provides real-world experience to students
who are interested in the security field.
As part of National Cybersecurity Awareness Month, a local business organization is
conducting a series of “Lunch-and-Learn” meetings during the month for citizens and
small business owners to learn more about security. BPSC has been asked to present an
introductory session on the fundamentals of security: what it is, why it is important
today, who are the attackers, what types of attacks do they launch, etc. Because you
are completing your degree, BPSC has asked you to make the presentation to the class”
[1].
1. Explain what IT security is and why it is important today. Also include who is responsible for
attacks and their attack techniques.
2. Outline general principles that can be used to protect security in an organisation.
Reference:
[1] M. Ciampa, "Introduction to Security," in Security+ Guide to Network Security Fundamentals, 5th ed., Cengage, 2015.



Review Questions

• Explain your understanding of information security.
• Identify and analyse the challenges of information security in an organisation.
• Discuss some of the recent security attacks.
• Explain the relationship between security and convenience.
• Identify and explain the different options for dealing with security risk.
Review Questions

• Describe different types of attackers and identify the differences among them.
• Identify different types of security attacks and discuss the potential dangers of a cyberterrorist attack.
• The largest information security threats to a business actually come from an unlikely source: its employees, contractors and business partners. In your opinion, why would an employee break into their company’s computer systems?



Review Questions

• To withstand a security attack the defence should be based on five fundamental security principles. Explain how each of the principles could protect information.

