Professional Documents
Culture Documents
CSCU Module 01 Foundations of Security PDF
CSCU Module 01 Foundations of Security PDF
Module 1
Simplifying Security.
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Scenario
Franklin,anemployeeworkingforan
organization,downloadsfreesoftware
fromawebsite.Afterinstallingthe
software,however,Franklin'ssystem
rebootsandstartstomalfunction.
What might have gone
wrong with Franklins system?
What would you have done in
Franklins place?
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
May23,2011
HomecomputerUsersatRiskDuetoUseofFolkModelSecurity
EASTLANSING,Mich. Mosthomecomputersarevulnerabletohackerattacksbecausetheuserseithermistakenlythinktheyhave
enoughsecurityinplaceortheydontbelievetheyhaveenoughvaluableinformationthatwouldbeofinteresttoahacker.
ThatsthepointofapaperpublishedthismonthbyMichiganStateUniversitysRickWash,whosaysthatmosthomecomputerusersrely
onwhatareknownasfolkmodels.Thosearebeliefsaboutwhathackersorvirusesarethatpeopleusetomakedecisionsaboutsecurity
tokeeptheirinformationsafe.
Unfortunately,theydontoftenworkthewaytheyshould.
Homesecurityishardbecausepeopleareuntrainedinsecurity,saidWash,anassistantprofessorintheDepartmentof
Telecommunication,InformationStudiesandMedia.Butitisntbecausepeopleareidiots.Rathertheytrytheirbesttomake senseof
whatsgoingonandfrequentlymakechoicesthatleavethemvulnerable.
http://news.msu.edu
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
May23,20118:21:51PMET
'Fakefrag'TrojanScaresYouintoPayingUp
AdeviousnewTrojanisputtingthefearofharddrivefailure
intocomputerowners,andthenrushinginto"save"theday
atyourexpense.
Oncethe"Fakefrag"Trojanfindsitswayontoyoursystemvia
speciallycraftedmaliciousWebpages,itgetstoworkonthe
taskofmakingyoubelieveallyourfileshavebeenerasedfrom
yourharddrive,thesecurityfirmSymantecreported.
Scareware scams,whichtrytoconvinceuserstheyhavea
computervirus,andthentrickthemintopurchasingfake
antivirussoftware,arenothingnew.However,Fakefrag takes
thecrimeastepfurther:itactuallymovesyourfilesfromthe
"AllUsers"foldertoatemporarylocation,andhidesfilesinthe
"CurrentUser"folder,Symantecsaid.
http://www.msnbc.msn.com
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Module Objectives
SecurityIncidents
LayersofSecurity
EssentialTerminologies
SecurityRiskstoHomeUsers
ComputerSecurity
WhattoSecure?
WhySecurity?
WhatMakesaHomeComputer
Vulnerable?
PotentialLossesDuetoSecurity
Attacks
WhatMakesaSystemSecure?
ElementsofSecurity
BenefitsofComputerSecurity
Awareness
FundamentalConceptsofSecurity
BasicComputerSecurityMechanisms
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Module Flow
Essential
Terminologies
Elementsof
Security
Computer
Security
Security
Risksto
HomeUsers
Layersof
Security
WhatMakes
aHome
Computer
Vulnerable?
Potential
LossesDue
toSecurity
Attacks
Benefitsof
Computer
Security
Awareness
Whatto
Secure?
Basic
Computer
Security
Mechanisms
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
ReportonJanuary,2011
900
787
800
700
600
604
537
511
500
409
400
300
200
100
0
141
6
14
23
2002
2003
2004
10
2005
2006
Years
2007
2008
2009
2010
2011
http://datalossdb.org
7
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
40%
10%
10%
10%
Stolen
Laptop
Stolen
Document
Lost
Laptop
10%
Hack
Web
10%
10%
Disposal Unknown
Document
http://datalossdb.org
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Essential Terminologies
Threat
Anactionoreventthat
hasthepotentialto
compromiseand/or
violatesecurity
Cracker,Attacker,
orIntruder
Anindividualwhobreaks
intocomputersystemsin
ordertosteal,change,or
destroyinformation
Exploit
Vulnerability
Adefinedwaytobreach
thesecurityofanIT
systemthrough
vulnerability
Existenceofaweakness,
design,orimplementation
errorthatcanleadtoan
unexpected,undesirable
eventcompromisingthe
securityofthesystem
Attack
DataTheft
Anyactionderivedfrom
intelligentthreatsto
violatethesecurityofthe
system
Anyactionofstealing
theinformationfromthe
userssystem
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Computer Security
Securityisastateofwell
beingofinformation and
infrastructure
Computersecurityrefersto
theprotectionofcomputer
systems andthe
informationauserstoresor
processes
Usersshouldfocuson
varioussecuritythreatsand
countermeasures inorderto
protecttheirinformation
assets
10
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Why Security?
Computersecurityis
importantforprotectingthe
confidentiality,integrity,and
availability ofcomputer
systemsandtheirresources
Computeradministration
andmanagementhave
becomemorecomplex
whichproducesmoreattack
avenues
Evolutionoftechnologyhas
focusedontheeaseofuse
whiletheskilllevelneeded
forexploitshasdecreased
Networkenvironmentsand
networkbasedapplications
providemoreattackpaths
11
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Financialloss
Unavailabilityof
resources
Dataloss/theft
Identitytheft
Lossoftrust
12
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Module Flow
Essential
Terminologies
Elementsof
Security
Computer
Security
Security
Risksto
HomeUsers
Layersof
Security
WhatMakes
aHome
Computer
Vulnerable?
Potential
LossesDue
toSecurity
Attacks
Benefitsof
Computer
Security
Awareness
13
Whatto
Secure?
Basic
Computer
Security
Mechanisms
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Elements of Security
Confidentiality isensuring
thatinformationisaccessible
onlytothoseauthorizedto
haveaccess(ISO17799)
Confidentiality
Integrity isensuringthatthe
informationisaccurate,
complete,reliable,andisinits
originalform
Authenticity
Authenticity isthe
identificationandassurance
oftheoriginofinformation
Integrity
Nonrepudiation isensuringthata
partytoacontractoracommunication
cannotdenytheauthenticityoftheir
signatureonadocument
Availability
Non
Repudiation
Availability isensuringthatthe
informationisaccessibleto
authorizedpersonswhen
requiredwithoutdelay
14
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Movingtheballtoward
securitymeansmoving
awayfromthe
functionalityandeaseof
use
Security
(Restrictions)
Ease of
Use
Functionality
(Features)
15
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Maintenance
Adheringtothepreventativemeasures while
usingcomputersystemandapplications
Managingallthechangesinthecomputer
applicationsandkeepingthemuptodate
Reaction
Actingtimelywhensecurityincidents occur
16
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Layers of Security
Layer 5
Layer 4
Layer 3
Layer 2
Layer 1
Physical
Security
Network
Security
Protectsthe
networksand
Safeguardsthe
theirservicesfrom
personnel,
unauthorized
hardware,programs, modification,
networks,anddata
destruction,or
fromphysical
disclosure
threats
System
Security
Protectsthesystem
anditsinformation
fromtheft,
corruption,
unauthorized
access,ormisuse
17
Application
Security
Coverstheuseof
software,
hardware,and
procedural
methodstoprotect
applicationsfrom
externalthreats
User
Security
Ensuresthatavalid
userisloggedin
andthatthe
loggedinuseris
allowedtousean
application/
program
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
ComputerAccidents
ComputerAttacks
Malwareattacks
Harddiskorothercomponentfailures
Emailattacks
Powerfailureandsurges
Mobilecode(Java/JavaScript/ActiveX)attacks
Theftofacomputingdevice
Denialofserviceandcrosssitescriptingattacks
Identitytheftandcomputerfrauds
Packetsniffing
Beinganintermediaryforanotherattack
(zombies)
Note:Thesethreatsandtheircountermeasureswillbediscussedindetailinthelatermodules
18
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
What to Secure?
Hardware
Software
Laptops,DesktopPCs,CPU,
harddisk,storagedevices,
cables,etc.
Operatingsystemandsoftware
applications
Information
Communications
Personalidentificationsuchas
SocialSecurityNumber(SSN),
passwords,creditcardnumbers,
etc.
Emails,instantmessengers,and
browsingactivites
19
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Module Flow
Essential
Terminologies
Elementsof
Security
Computer
Security
Security
Risksto
HomeUsers
Layersof
Security
WhatMakes
aHome
Computer
Vulnerable?
Potential
LossesDue
toSecurity
Attacks
Benefitsof
Computer
Security
Awareness
20
Whatto
Secure?
Basic
Computer
Security
Mechanisms
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Defaultcomputerand
applicationsettings
Noneorverylittle
investmentin
securitysystems
21
Increasingonline
activities
Notfollowingany
standardsecurity
policiesorguidelines
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
DataAccessControls
Ensurethatunauthorizedusersdonot
getintothesystem
Monitorsystemactivitiessuchaswhois
accessingthedataandforwhatpurpose
Forcelegaluserstobeconsciousabout
security
Defineaccessrulesbasedonthesystem
securitylevels
SystemandSecurity
Administration
SystemDesign
Performregularsystemandsecurity
administrationtaskssuchasconfiguring
systemsettings,implementingsecurity
policies,monitoringsystemstate,etc.
Deployvarioussecuritycharacteristicsin
systemhardwareandsoftwaredesign
suchasmemorysegmentation,privilege
isolation,etc.
22
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Ithelpspreventthelossofinformation storedonthesystems
Ithelpsuserstopreventcybercriminalsfromusingtheirsystems inorderto
launchattacksontheothercomputersystems
Ithelpsusersminimizelossesincaseofanaccident thatcausesphysicaldamage
tocomputersystems
Itenablesuserstoprotectsensitiveinformationandcomputingresources from
unauthorizedaccess
23
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Module Summary
Securityisastateofwellbeingofinformationandinfrastructures
Computersecurityistheprotectionofcomputingsystemsandthedatathatthey
storeoraccess
Confidentiality,integrity,nonrepudiation,authenticity,andavailabilityarethe
elementsofsecurity
Securityrisktohomeusersarisefromvariouscomputerattacksandaccidents
causingphysicaldamagetocomputersystems
Computersecurityawarenesshelpsminimizethechancesofcomputerattacksand
preventthelossofinformationstoredonthesystems
24
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
25
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.