
Fundamentals of PC Security Chapter 1

I. CHALLENGES OF SECURING INFORMATION


A. TODAY'S SECURITY ATTACKS
Malicious programs installed during the manufacturing process.
E-mails that ask for bank account numbers and impersonate someone else.
Booby-trapped web pages that infect the surfer's computer without the need to click or enter any information.
Mac computers have recently been targeted; the vulnerabilities lie mainly within unpatched systems.
A test involving computers with a weak password showed them being hit by 2,244 intrusion attempts each day.

B. DIFFICULTIES IN DEFENDING AGAINST ATTACKS
Speed of Attacks: attackers can quickly scan systems for weaknesses and launch attacks. Attack tools can initiate new attacks without any human initiative, increasing the speed of attack. (Attackers can launch attacks against millions of computers within minutes)
Greater Sophistication of Attacks: attacks are becoming more complex, which makes them difficult to detect and defend against. Attackers use common Internet protocols to carry malicious data, making it difficult to distinguish attacks from legitimate traffic. Others vary their behavior so attacks appear different each time, to further avoid detection. (Attack tools vary their behavior so the same attack appears different each time)
Simplicity of Attack Tools: many attack tools are freely available and do not require any technical knowledge to use. They can be obtained through the Internet and have simple menu structures for selecting the desired attack. (Attacks are no longer limited to highly skilled attackers)
Quicker Detection of Vulnerabilities: the number of security vulnerabilities doubles every year. A zero day attack occurs when an attacker discovers and exploits a previously unknown flaw, providing zero days of warning. This is a devastating attack because it runs rampant while time is spent trying to identify the vulnerability. (Attackers can discover security holes in hardware or software more quickly)
Delays in Patching Products: software vendors are often overwhelmed trying to keep pace with updating their products against attacks such as malware. Software vendors receive over 200,000 submissions of potential malware each month, and would have to update every 10 minutes to keep users protected. The delays in patching products only add to the difficulties in defending against attacks. (Vendors are overwhelmed trying to keep pace by updating their products against attacks)
Distributed Attacks: most attacks are now distributed and come from several different sources. Attackers can use thousands of computers in an attack against a single computer or network. This one-against-many approach makes it impossible to stop an attack by identifying and blocking a single source. (Attackers use thousands of computers in an attack against a single computer or network)
User Confusion: users are often called upon to make difficult decisions regarding their computer systems, sometimes with little to no information to direct them. Users are inclined to answer yes to these questions with little understanding of the implications. (Users are required to make difficult security decisions with little or no instruction)

II. WHAT IS INFORMATION SECURITY?


A. DEFINING INFORMATION SECURITY
Information security is the term used to describe the tasks of guarding information that is in a digital format. This digital information is typically manipulated by a microprocessor (as in a PC), stored on a magnetic or optical storage device (such as a hard drive or DVD), and transmitted over a network (such as the Internet).

Information security cannot completely prevent attacks or guarantee that a system is secure; rather, it creates a defense that attempts to ward off attacks and prevents the collapse of the system when an attack occurs. Thus information security is protection. It is intended to protect information that has value to people and organizations, and that value comes from the characteristics of the information. The three characteristics are:
1. Confidentiality ensures that only authorized parties can view the information.
2. Integrity ensures that the information is correct and that no unauthorized person or malicious software has altered the data.
3. Availability ensures that data is accessible to authorized users.
Information security attempts to safeguard these 3 characteristics of information. A further objective of information security is to protect the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information.

Information security is achieved through a combination of three entities. Information, hardware, software, and communications are protected in 3 layers: products, people, and procedures. These 3 layers interact with each other.
Products form the physical security around the data. They may be as basic as door locks or as complicated as special hardware or software.
People are those who implement and properly use security products to protect data.
Procedures are the plans and policies established by an organization to ensure that people correctly use the products. For example, procedures tell people how to use products to protect information.
Thus a more comprehensive definition of information security is that which protects the integrity, confidentiality, and availability of information.

B. INFORMATION SECURITY TERMINOLOGY
Asset: something that has value.
Threat: an event or object that may defeat the security measures in place and result in a loss. A threat by itself does not mean that security has been compromised; rather, it simply means that the potential for creating a loss is real. A loss can be the theft of information, a delay in information being transmitted that results in a financial penalty, or the loss of good will or reputation.
Threat agent: a person or thing that has the power to carry out a threat. It could be a person attempting to break into a secure computer network, a force of nature that could destroy computer equipment and thus destroy information, or a virus that attacks a computer network.
Vulnerability: a weakness that allows a threat agent to bypass security. An example is a software defect in an operating system that allows an unauthorized user to gain access to a computer without a password.
Exploiting: taking advantage of a security vulnerability or weakness. A hacker who knows an e-mail system does not scan attachments for viruses and sends infected e-mail messages to users is exploiting the vulnerability.
Risk: the likelihood that a threat agent will exploit a vulnerability. There are 3 options when dealing with risks: accept the risk, diminish the risk, or transfer the risk.
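As an added illustration of the terminology above (this is not the chapter's own material), a small Python risk register ties an asset, a threat and its threat agent, and a vulnerability into a risk score and picks one of the chapter's three options: accept, diminish, or transfer. The 1-to-5 scales, the sample entries, and the decision thresholds are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed example (not the chapter's): a tiny risk register built from the
# chapter's terms; the 1..5 scales and decision thresholds are assumptions.
@dataclass(frozen=True)
class Asset:
    name: str
    value: int       # 1 (low) .. 5 (critical): what is lost if the asset is hit

@dataclass(frozen=True)
class Threat:
    description: str
    agent: str       # the threat agent: who or what can carry the threat out
    capability: int  # 1..5: how able the agent is to act

@dataclass(frozen=True)
class Vulnerability:
    description: str
    exposure: int    # 1..5: how easily the weakness lets an agent bypass security

@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability

    @property
    def likelihood(self) -> int:
        """Risk in the chapter's sense: likelihood that the agent exploits the weakness (1..25)."""
        return self.threat.capability * self.vulnerability.exposure

    @property
    def score(self) -> int:
        """Likelihood weighted by the value that would be lost (1..125)."""
        return self.likelihood * self.asset.value

def choose_option(risk: Risk) -> str:
    """Pick one of the chapter's three options: accept, diminish, or transfer."""
    if risk.score < 20:
        return "accept"    # unlikely and cheap: live with it
    if risk.asset.value >= 4 and risk.likelihood <= 8:
        return "transfer"  # rare but costly: insure or outsource it
    return "diminish"      # likely: add a control that lowers exposure

def rank(risks):
    """Highest score first, so limited effort goes where loss is most likely."""
    return sorted(risks, key=lambda r: r.score, reverse=True)

# Constructed sample register
CUSTOMER_LIST = Asset("customer list", value=5)
RISKS = [
    Risk(CUSTOMER_LIST, Threat("unauthorized login to the database host", "external attacker", 4),
         Vulnerability("unpatched OS flaw gives access without a password", 4)),
    Risk(CUSTOMER_LIST, Threat("flood destroys the server room", "force of nature", 2),
         Vulnerability("no off-site backup copies", 3)),
    Risk(Asset("lobby kiosk", value=1), Threat("defacement", "script kiddie", 2),
         Vulnerability("default administrator password", 5)),
]
```

Calling rank(RISKS) lists the unpatched database host first (score 80, diminish), the flood second (score 30, transfer), and the kiosk last (score 10, accept).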


C. UNDERSTANDING THE IMPORTANCE OF INFORMATION SECURITY


The main goals of information security are to prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism.
1. Preventing Data Theft: preventing data theft is often cited by businesses as the primary goal of information security. Business data theft often involves stealing proprietary information such as research or a list of customers that competitors are eager to acquire. The theft of data is one of the largest causes of financial loss due to an attack. Data theft is not limited to businesses; individuals are often victims of data thievery.
2. Thwarting Identity Theft: identity theft involves using someone's personal information, such as a Social Security number, to establish bank or credit card accounts that are then left unpaid, leaving the victim with the debts and ruining their credit rating. Credit agencies now identify patterns common to identity theft to prevent its occurrence, and consumers can now receive a free copy of their credit report each year. The best defense against identity theft is to prevent private data from being stolen.
3. Avoiding Legal Consequences:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA): healthcare enterprises must guard protected health information and implement policies and procedures to safeguard it, whether it is in paper or electronic format.
The Sarbanes-Oxley Act of 2002 (Sarbox): attempts to fight corporate corruption and covers the corporate officers, auditors, and attorneys of publicly traded companies. Stringent reporting requirements and internal controls on electronic financial reporting systems are required.
The Gramm-Leach-Bliley Act (GLBA): like HIPAA, it protects private data. It requires banks and financial institutions to alert consumers of their policies and practices in disclosing customer information. All electronic and paper records containing personally identifiable financial information must be protected.
USA Patriot Act (2001): designed to broaden the surveillance of law enforcement agencies so they can detect and suppress terrorism. Businesses, organizations, and colleges must provide information, including records and documents, to law enforcement agencies under a valid court order, subpoena, or other authorized agency.
The California Database Security Breach Act (2003): requires businesses to inform California residents within 48 hours if a breach of personal information has occurred or is believed to have occurred. It defines personal information as a name, Social Security number, driver's license number, state ID card, account number, credit card number, or debit card number together with any required security access codes. 40 other states now have similar laws.
Children's Online Privacy Protection Act of 1998 (COPPA): requires operators of online services or Web sites designed for children under the age of 13 to obtain parental consent prior to the collection, use, disclosure, or display of a child's personal information. COPPA also prohibits sites from conditioning a child's participation in an activity on disclosing more personal information than is reasonably necessary to participate.
4. Maintaining Productivity: employees cannot be productive and complete important tasks during an attack and its aftermath because computers and networks cannot function properly.
5. Foiling Cyberterrorism: cyberterrorism is attacks launched by cyberterrorists that could cripple a nation's electronic and commercial infrastructure. Utility companies, telecommunications, and financial services are considered prime targets of cyberterrorists because destroying a few targets can significantly disrupt business and personal activities.

III. WHO ARE THE ATTACKERS?


A. HACKERS
Some use the term hacker in a generic sense to identify anyone who illegally breaks into or attempts to break into a computer system. Used this way, hacker is synonymous with attacker. Others use the term more narrowly to mean a person who uses advanced computer skills to attack computers only to expose security flaws.

Some hackers believe it is ethical as long as they do not commit theft, vandalism, or breach any confidentiality. These hackers, who call themselves White Hats, claim their motive is to improve security by seeking out security holes so they can be fixed.

B. SCRIPT KIDDIES
Script kiddies want to break into computers to create damage. Unlike hackers, script kiddies are unskilled users and do their work by downloading automated hacking software (scripts) from Web sites and using it to break into computers. Because script kiddies do not understand the technology behind what they are doing, they often indiscriminately target a wide range of computers, causing problems for a large audience.

C. SPIES
A computer spy is a person who has been hired to break into a computer and steal information. Spies are hired to attack a specific computer or system that contains sensitive information. Their goal is to break into that computer or system and take the information without drawing any attention to their actions.

D. EMPLOYEES
Employees are one of the largest information security threats to a business. This can be brought on by carelessness, offers of money, blackmail, or being disgruntled into retaliation.

E. CYBERCRIMINALS
Cybercriminals are a loose-knit network of attackers, identity thieves, and financial fraudsters. Many security experts believe that cybercriminals belong to organized gangs of young and mostly Eastern European attackers, due to strong technical universities, low incomes, an unstable legal system, and tense political relations. Cybercriminals have a more focused goal, which is money. Targeting attacks against financial networks, unauthorized access to information, and the theft of personal information is sometimes known as cybercrime. Financial cybercrime is divided into two categories. The first uses stolen credit card data or online financial account information, such as PayPal accounts or Social Security numbers. Once obtained, this information is usually posted on a cybercrime Web site for sale to other cybercriminals. They then purchase online goods that are shipped to Americans whose homes serve as drop-off points. The Americans then send the goods overseas (called re-shipping) before anyone is aware that a stolen credit card number was used. Once the goods are received, they are sold on the black market. The second category involves sending millions of spam e-mails to peddle counterfeit drugs, pirated software, fake watches, and pornography.

F. CYBERTERRORISTS
Cyberterrorists' motivation may be defined as ideology, or attacks for the sake of their principles or beliefs. Their goals are:
1. To deface electronic information and spread misinformation and propaganda.
2. To deny service to legitimate computer users.
3. To commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data.

IV. ATTACKS AND DEFENSES


A. STEPS OF AN ATTACK
1. Probe for Information: the attacker probes the target for any information that can be used to attack it. This type of reconnaissance is essential to provide information such as the type of hardware used, the version of software, and even personal information about the users.
2. Penetrate Any Defenses: once a potential system has been identified and information has been gathered, the next step is to launch an attack to penetrate the defenses. These attacks come in a variety of forms, such as manipulating or breaking a password.
3. Modify Security Settings: this is the next step after the system has been penetrated. It allows the attacker to reenter the compromised system more easily.
4. Circulate to Other Systems: once the network or system has been compromised, the attacker then uses it as a base to attack other networks and computers. The same tools are then used to probe for information on other systems.
5. Paralyze Networks and Devices: if the attacker chooses, he or she may also work to maliciously damage the infected computer or network. This may include deleting or modifying files, stealing valuable information, crashing the computer, or performing denial of service attacks.

B. DEFENSES AGAINST ATTACKS


1. Layering: a layered approach has the advantage of creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks. A security system must have layers, making it unlikely that an attacker has the tools and skills to break through all the layers of defenses. A layered approach can also be useful in resisting a variety of attacks. Layered security provides the most comprehensive protection.
2. Limiting: limiting access to information reduces the threat against it. Only those who must use data should have access to it. In addition, the amount of access granted to someone should be limited to what that person needs to know. Some ways to limit access are technology-based, such as assigning file permissions so that a user can only read but not modify a file, while others are procedural, such as prohibiting an employee from removing a sensitive document from the premises. The key is that access must be restricted to the bare minimum.
3. Diversity: diversity is closely related to layering. It is important that the layers be different (diverse) so that if attackers penetrate one layer, they cannot use the same techniques to break through all other layers. Using diverse layers of defense means that breaching one security layer does not compromise the whole system. Diversity may be achieved in several ways.
4. Obscurity: obscuring what goes on inside a system or organization and avoiding clear patterns of behavior make attacks from the outside much more difficult. An example is not revealing the type of computer, operating system, software, and network connection a computer uses. If this information is hidden, it takes much more effort to acquire, and an attacker will then move on to another computer for which the information is easily available.
5. Simplicity: the more complex something becomes, the more difficult it is to understand. Complex systems allow many opportunities for something to go wrong. Complex security systems can be hard to understand, troubleshoot, and feel secure about. As much as possible, a secure system should be simple for those on the inside to understand and use. In short, keeping a system simple from the inside but complex from the outside can sometimes be difficult but reaps a major benefit.

C. BUILDING A COMPREHENSIVE SECURITY STRATEGY


There are 4 key elements to creating a practical security strategy: block attacks, update defenses, minimize losses, and send secure information.
1. Block Attacks: effective information security blocks attacks by having a strong security perimeter, much like a castle. Usually this security perimeter is part of the computer network to which a personal computer is attached. If attacks are blocked by the network security perimeter, the attacker will be unable to reach the personal computer on which the data is stored. Security devices can be added to a computer network that will continually analyze traffic coming into the network from the outside and block unauthorized or malicious traffic. As important as a strong network security perimeter is to blocking attacks, some attacks will slip through the defense. It is vital to have local security on all of the personal computers as well, to defend against any attack that breaches the perimeter.
2. Update Defenses: new types of online attacks appear on a regular basis. It is essential that users today be resourceful in continually updating defenses to protect their information. This involves updating defensive hardware and software as well as applying operating system patches on a regular basis.
3. Minimize Losses: it is important to realize that some attacks will get through security perimeters and local defenses. It is important that action be taken in advance in order to minimize losses. This may involve keeping backup copies of important data stored in a safe place. Or, for an organization, it may mean having an entire business recovery policy that details what to do in the event of a successful attack.
4. Send Secure Information: as users send e-mail and other information out over the Internet, it is important that it be protected and kept secure. This might involve scrambling the data so that unauthorized eyes cannot read it. In other instances it might require establishing a secure electronic link between the sender and receiver that would prevent an attacker from being able to reach the information. It often involves taking proactive steps to thwart attackers.