
Foundations of Security

Module 1

Simplifying Security.

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Scenario

Franklin, an employee working for an organization, downloads free software from a website. After installing the software, however, Franklin's system reboots and starts to malfunction.

What might have gone wrong with Franklin's system?
What would you have done in Franklin's place?


May 23, 2011

Home Computer Users at Risk Due to Use of Folk Model Security

EAST LANSING, Mich. Most home computers are vulnerable to hacker attacks because the users either mistakenly think they have enough security in place or they don't believe they have enough valuable information that would be of interest to a hacker.

That's the point of a paper published this month by Michigan State University's Rick Wash, who says that most home computer users rely on what are known as folk models. Those are beliefs about what hackers or viruses are that people use to make decisions about security to keep their information safe.

Unfortunately, they don't often work the way they should.

"Home security is hard because people are untrained in security," said Wash, an assistant professor in the Department of Telecommunication, Information Studies and Media. "But it isn't because people are idiots. Rather they try their best to make sense of what's going on and frequently make choices that leave them vulnerable."

http://news.msu.edu


May 23, 2011 8:21:51 PM ET

'Fakefrag' Trojan Scares You into Paying Up

A devious new Trojan is putting the fear of hard drive failure into computer owners, and then rushing in to "save" the day at your expense.

Once the "Fakefrag" Trojan finds its way onto your system via specially crafted malicious Web pages, it gets to work on the task of making you believe all your files have been erased from your hard drive, the security firm Symantec reported.

Scareware scams, which try to convince users they have a computer virus, and then trick them into purchasing fake antivirus software, are nothing new. However, Fakefrag takes the crime a step further: it actually moves your files from the "All Users" folder to a temporary location, and hides files in the "Current User" folder, Symantec said.

http://www.msnbc.msn.com


Module Objectives
Security Incidents
Essential Terminologies
Computer Security
Why Security?
Potential Losses Due to Security Attacks
Elements of Security
Fundamental Concepts of Security
Layers of Security
Security Risks to Home Users
What to Secure?
What Makes a Home Computer Vulnerable?
What Makes a System Secure?
Benefits of Computer Security Awareness
Basic Computer Security Mechanisms


Module Flow
Essential Terminologies
Elements of Security
Computer Security
Security Risks to Home Users
Layers of Security
What Makes a Home Computer Vulnerable?
Potential Losses Due to Security Attacks
Benefits of Computer Security Awareness
What to Secure?
Basic Computer Security Mechanisms


Security Incident Occurrences Over Time

[Figure: bar chart of security incident occurrences per year, 2002 to 2011. Horizontal axis: Years. Report on January, 2011. Source: http://datalossdb.org]


Security Incidents by Breach Type - 2011


A security incident is "Any real or suspected adverse event in relation to the security of computer systems or computer networks."
http://www.cert.org

[Figure: chart of security incidents by breach type, 2011. Categories: Stolen Laptop, Stolen Document, Lost Laptop, Hack, Web, Disposal Document, Unknown. Source: http://datalossdb.org]


Essential Terminologies
Threat
An action or event that has the potential to compromise and/or violate security

Cracker, Attacker, or Intruder
An individual who breaks into computer systems in order to steal, change, or destroy information

Exploit
A defined way to breach the security of an IT system through vulnerability

Vulnerability
Existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system

Attack
Any action derived from intelligent threats to violate the security of the system

Data Theft
Any action of stealing the information from the user's system


Computer Security

Security is a state of well-being of information and infrastructure

Computer security refers to the protection of computer systems and the information a user stores or processes

Users should focus on various security threats and countermeasures in order to protect their information assets


Why Security?
Computer security is important for protecting the confidentiality, integrity, and availability of computer systems and their resources

Computer administration and management have become more complex which produces more attack avenues

Evolution of technology has focused on the ease of use while the skill level needed for exploits has decreased

Network environments and network-based applications provide more attack paths


Potential Losses Due to Security Attacks

Misuse of computer resources
Financial loss
Unavailability of resources
Data loss/theft
Identity theft
Loss of trust


Elements of Security
Confidentiality is ensuring that information is accessible only to those authorized to have access (ISO 17799)

Integrity is ensuring that the information is accurate, complete, reliable, and is in its original form

Authenticity is the identification and assurance of the origin of information

Non-repudiation is ensuring that a party to a contract or a communication cannot deny the authenticity of their signature on a document

Availability is ensuring that the information is accessible to authorized persons when required without delay


The Security, Functionality, and Ease of Use Triangle

Applications/software products by default are preconfigured for ease of use, which makes the user vulnerable to various security flaws

Similarly, increased functionality (features) in an application makes it difficult to use in addition to being less secure

Moving the ball toward security means moving away from the functionality and ease of use

[Figure: triangle with vertices Security (Restrictions), Functionality (Features), and Ease of Use]


Fundamental Concepts of Security


Precaution
Adhering to the preventative measures while using computer system and applications

Maintenance
Managing all the changes in the computer applications and keeping them up to date

Reaction
Acting timely when security incidents occur


Layers of Security

Layer 1: Physical Security
Safeguards the personnel, hardware, programs, networks, and data from physical threats

Layer 2: Network Security
Protects the networks and their services from unauthorized modification, destruction, or disclosure

Layer 3: System Security
Protects the system and its information from theft, corruption, unauthorized access, or misuse

Layer 4: Application Security
Covers the use of software, hardware, and procedural methods to protect applications from external threats

Layer 5: User Security
Ensures that a valid user is logged in and that the logged-in user is allowed to use an application/program


Security Risks to Home Users


Home computers are prone to various cyber attacks as they provide attackers easy targets due to a low level of security awareness

Security risks to home users arise from various computer attacks and accidents causing physical damage to computer systems

Computer Accidents
Hard disk or other component failures
Power failure and surges
Theft of a computing device

Computer Attacks
Malware attacks
Email attacks
Mobile code (Java/JavaScript/ActiveX) attacks
Denial of service and cross-site scripting attacks
Identity theft and computer frauds
Packet sniffing
Being an intermediary for another attack (zombies)

Note: These threats and their countermeasures will be discussed in detail in the later modules


What to Secure?
Hardware
Laptops, desktop PCs, CPU, hard disk, storage devices, cables, etc.

Software
Operating system and software applications

Information
Personal identification such as Social Security Number (SSN), passwords, credit card numbers, etc.

Communications
Emails, instant messengers, and browsing activities


What Makes a Home Computer Vulnerable?

Low level of security awareness
Default computer and application settings
None or very little investment in security systems
Increasing online activities
Not following any standard security policies or guidelines


What Makes a System Secure?


System security measures help protect computers and information stored in the systems from accidental loss, malicious threats, unauthorized access, etc.

System Access Controls
Ensure that unauthorized users do not get into the system
Force legal users to be conscious about security

Data Access Controls
Monitor system activities such as who is accessing the data and for what purpose
Define access rules based on the system security levels

System and Security Administration
Perform regular system and security administration tasks such as configuring system settings, implementing security policies, monitoring system state, etc.

System Design
Deploy various security characteristics in system hardware and software design such as memory segmentation, privilege isolation, etc.


Benefits of Computer Security Awareness

Computer security awareness helps minimize the chances of computer attacks

It helps prevent the loss of information stored on the systems

It helps users to prevent cyber criminals from using their systems in order to launch attacks on the other computer systems

It helps users minimize losses in case of an accident that causes physical damage to computer systems

It enables users to protect sensitive information and computing resources from unauthorized access


Module Summary
Security is a state of well-being of information and infrastructures
Computer security is the protection of computing systems and the data that they store or access
Confidentiality, integrity, non-repudiation, authenticity, and availability are the elements of security
Security risks to home users arise from various computer attacks and accidents causing physical damage to computer systems
Computer security awareness helps minimize the chances of computer attacks and prevent the loss of information stored on the systems


Basic Computer Security Checklist


Use of strong passwords
Use of antivirus systems
Regular update of operating system and other installed applications
Regular backup of important files
Use of encryption techniques and digital signatures
Use of firewall and intrusion detection systems
Following standard guidelines for Internet activities
Physical security of computing infrastructure
Awareness of current security scenario and attack techniques
