
Foundations of Security

Module 1

Simplifying Security.

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Scenario

Franklin, an employee working for an organization, downloads free software from a website. After installing the software, however, Franklin's system reboots and starts to malfunction.

What might have gone wrong with Franklin's system?

What would you have done in Franklin's place?

May 23, 2011

Home Computer Users at Risk Due to Use of Folk Model Security

EAST LANSING, Mich. Most home computers are vulnerable to hacker attacks because the users either mistakenly think they have enough security in place or they don't believe they have enough valuable information that would be of interest to a hacker.

That's the point of a paper published this month by Michigan State University's Rick Wash, who says that most home computer users rely on what are known as folk models. Those are beliefs about what hackers or viruses are that people use to make decisions about security to keep their information safe.

Unfortunately, they don't often work the way they should.

"Home security is hard because people are untrained in security," said Wash, an assistant professor in the Department of Telecommunication, Information Studies and Media. "But it isn't because people are idiots. Rather they try their best to make sense of what's going on and frequently make choices that leave them vulnerable."

http://news.msu.edu

May 23, 2011 8:21:51 PM ET

'Fakefrag' Trojan Scares You into Paying Up

A devious new Trojan is putting the fear of hard drive failure into computer owners, and then rushing in to "save" the day at your expense.

Once the "Fakefrag" Trojan finds its way onto your system via specially crafted malicious Web pages, it gets to work on the task of making you believe all your files have been erased from your hard drive, the security firm Symantec reported.

Scareware scams, which try to convince users they have a computer virus, and then trick them into purchasing fake antivirus software, are nothing new. However, Fakefrag takes the crime a step further: it actually moves your files from the "All Users" folder to a temporary location, and hides files in the "Current User" folder, Symantec said.

http://www.msnbc.msn.com

Module Objectives

Security Incidents
Essential Terminologies
Computer Security
Why Security?
Potential Losses Due to Security Attacks
Elements of Security
Fundamental Concepts of Security
Layers of Security
Security Risks to Home Users
What to Secure?
What Makes a Home Computer Vulnerable?
What Makes a System Secure?
Benefits of Computer Security Awareness
Basic Computer Security Mechanisms

Module Flow

Essential Terminologies
Computer Security
Potential Losses Due to Security Attacks
Elements of Security
Layers of Security
Security Risks to Home Users
What to Secure?
What Makes a Home Computer Vulnerable?
Benefits of Computer Security Awareness
Basic Computer Security Mechanisms

Security Incident Occurrences Over Time
Report on January, 2011

[Bar chart: number of security incidents per year. X-axis: Years, 2002 to 2011. Y-axis: 0 to 900. Source: http://datalossdb.org]

Security Incidents by Breach Type - 2011

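A security incident is "Any real or suspected adverse event in relation to the security of computer systems or computer networks."
http://www.cert.org

[Bar chart: share of security incidents by breach type. Categories: Stolen Laptop, Stolen Document, Lost Laptop, Hack, Web, Disposal Document, Unknown. One category is labelled 40% and the other six 10% each. Source: http://datalossdb.org]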

Essential Terminologies

Threat
An action or event that has the potential to compromise and/or violate security

Exploit
A defined way to breach the security of an IT system through vulnerability

Vulnerability
Existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system

Cracker, Attacker, or Intruder
An individual who breaks into computer systems in order to steal, change, or destroy information

Attack
Any action derived from intelligent threats to violate the security of the system

Data Theft
Any action of stealing the information from the user's system

Computer Security

1. Security is a state of well-being of information and infrastructure

2. Computer security refers to the protection of computer systems and the information a user stores or processes

3. Users should focus on various security threats and countermeasures in order to protect their information assets

Why Security?

Computer security is important for protecting the confidentiality, integrity, and availability of computer systems and their resources

Computer administration and management have become more complex which produces more attack avenues

Evolution of technology has focused on the ease of use while the skill level needed for exploits has decreased

Network environments and network-based applications provide more attack paths

Potential Losses Due to Security Attacks

Misuse of computer resources
Financial loss
Unavailability of resources
Data loss/theft
Loss of trust
Identity theft

Elements of Security

Confidentiality is ensuring that information is accessible only to those authorized to have access (ISO 17799)

Authenticity is the identification and assurance of the origin of information

Integrity is ensuring that the information is accurate, complete, reliable, and is in its original form

Availability is ensuring that the information is accessible to authorized persons when required without delay

Non-repudiation is ensuring that a party to a contract or a communication cannot deny the authenticity of their signature on a document

The Security, Functionality, and Ease of Use Triangle

Applications/software products by default are preconfigured for ease of use, which makes the user vulnerable to various security flaws

Similarly, increased functionality (features) in an application makes it difficult to use in addition to being less secure

Moving the ball toward security means moving away from the functionality and ease of use

[Triangle diagram with corners: Security (Restrictions), Functionality (Features), Ease of Use]

Fundamental Concepts of Security

Precaution
Adhering to the preventative measures while using computer systems and applications

Maintenance
Managing all the changes in the computer applications and keeping them up to date

Reaction
Acting timely when security incidents occur

Layers of Security

Layer 1: Physical Security
Safeguards the personnel, hardware, programs, networks, and data from physical threats

Layer 2: Network Security
Protects the networks and their services from unauthorized modification, destruction, or disclosure

Layer 3: System Security
Protects the system and its information from theft, corruption, unauthorized access, or misuse

Layer 4: Application Security
Covers the use of software, hardware, and procedural methods to protect applications from external threats

Layer 5: User Security
Ensures that a valid user is logged in and that the logged-in user is allowed to use an application/program

Security Risks to Home Users

Home computers are prone to various cyber attacks as they provide attackers easy targets due to a low level of security awareness

Security risks to home users arise from various computer attacks and accidents causing physical damage to computer systems

Computer Attacks
Malware attacks
Email attacks
Mobile code (Java/JavaScript/ActiveX) attacks
Denial of service and cross-site scripting attacks
Identity theft and computer frauds
Packet sniffing
Being an intermediary for another attack (zombies)

Computer Accidents
Hard disk or other component failures
Power failure and surges
Theft of a computing device

Note: These threats and their countermeasures will be discussed in detail in the later modules

What to Secure?

Hardware
Laptops, desktop PCs, CPU, hard disk, storage devices, cables, etc.

Software
Operating system and software applications

Information
Personal identification such as Social Security Number (SSN), passwords, credit card numbers, etc.

Communications
Emails, instant messengers, and browsing activities

What Makes a Home Computer Vulnerable?

Low level of security awareness
Default computer and application settings
Increasing online activities
None or very little investment in security systems
Not following any standard security policies or guidelines

What Makes a System Secure?

System security measures help protect computers and information stored in the systems from accidental loss, malicious threats, unauthorized access, etc.

System Access Controls
Ensure that unauthorized users do not get into the system
Force legal users to be conscious about security

Data Access Controls
Monitor system activities such as who is accessing the data and for what purpose
Define access rules based on the system security levels

System and Security Administration
Perform regular system and security administration tasks such as configuring system settings, implementing security policies, monitoring system state, etc.

System Design
Deploy various security characteristics in system hardware and software design such as memory segmentation, privilege isolation, etc.

Benefits of Computer Security Awareness

Computer security awareness helps minimize the chances of computer attacks

It helps prevent the loss of information stored on the systems

It helps users to prevent cyber criminals from using their systems in order to launch attacks on the other computer systems

It helps users minimize losses in case of an accident that causes physical damage to computer systems

It enables users to protect sensitive information and computing resources from unauthorized access

Module Summary

Security is a state of well-being of information and infrastructures

Computer security is the protection of computing systems and the data that they store or access

Confidentiality, integrity, non-repudiation, authenticity, and availability are the elements of security

Security risks to home users arise from various computer attacks and accidents causing physical damage to computer systems

Computer security awareness helps minimize the chances of computer attacks and prevent the loss of information stored on the systems

Basic Computer Security Checklist

Use of strong passwords

Use of antivirus systems

Regular update of operating system and other installed applications

Regular backup of important files

Use of encryption techniques and digital signatures

Use of firewall and intrusion detection systems

Following standard guidelines for Internet activities

Physical security of computing infrastructure

Awareness of current security scenario and attack techniques
