Security Guide to Network Security Fundamentals Chapter 1 - PowerPoint PPT Presentation

1 / 58
About This Presentation
Title:

Security Guide to Network Security Fundamentals Chapter 1

Description:

Security+ Guide to Network Security Fundamentals Chapter 1 * * * * * * * * * * * * * * * * * * * * * * * * * * * Simplicity Information security is by its very nature ... – PowerPoint PPT presentation

Number of Views:1838
Avg rating:3.0/5.0
Slides: 59
Provided by: Ann1170
Category:

less

Transcript and Presenter's Notes

Title: Security Guide to Network Security Fundamentals Chapter 1


1
Security Guide to Network Security
FundamentalsChapter 1
2
  • ?????? ???? ????????
  • eyasa_at_usa.net?????? ??????????
  • 0564569838 ??????
  • 2152 ??? ??????

3
Learning Objectives
  • Understand network security
  • Understand security threat trends and their
    ramifications
  • Understand the goals of network security
  • Determine the factors involved in a secure
    network strategy

4
Understanding Network Security
  • Network security
  • Process by which digital information assets are
    protected
  • Goals
  • Maintain integrity
  • Protect confidentiality
  • Assure availability

5
Understanding Network Security
  • Security ensures that users
  • Perform only tasks they are authorized to do
  • Obtain only information they are authorized to
    have
  • Cannot cause damage to data, applications, or
    operating environment

6
Security Threats
  • Identity theft
  • Privacy concerns
  • Wireless access

7
To Offset Security Threats
  • Integrity
  • Assurance that data is not altered or destroyed
    in an unauthorized manner
  • Confidentiality
  • Protection of data from unauthorized disclosure
    to a third party
  • Availability
  • Continuous operation of computing systems

8
Quiz Give real example for each information
Security principles ?
  • Examples of Information Security Fundamental
    Principles
  • Confidentiality Exam questions prior to exam
    must hidden from students.
  • Integrity Students grades must not be modified
    by students.
  • Availability Student schedules system must be
    online and available during the beginning of the
    semester.

9
(No Transcript)
10
Information Security Layers
11
Security Vulnerabilities for Sale
  • Anyone can buy attack tools to take over computers

12
Examples of Security Breaches
13
(No Transcript)
14
Difficulties in Defending against Attacks
15
(No Transcript)
16
(No Transcript)
17
Information Security Terminology
  • Asset
  • Something that has a value
  • Threat
  • An event or object that may defeat the security
    measures in place and result in a loss
  • Threat agent
  • A person or thing that has the power to carry out
    a threat

18
Information Security Terminology
  • Vulnerability
  • Weakness that allows a threat agent to bypass
    security
  • Exploit
  • Takes advantage of a vulnerability
  • Risk
  • The likelihood that a threat agent will exploit a
    vulnerability
  • Realistically, risk cannot ever be entirely
    eliminated

19
Information Security Terminology (continued)
20
Information Security Terminology (continued)
21
Security RamificationsCosts of Intrusion
  • Causes of network security threats
  • Technology weaknesses
  • Configuration weaknesses
  • Policy weaknesses
  • Human error

22
  • Ramifications ??????

23
1-Technology Weaknesses
  • TCP/IP
  • Operating systems
  • Network equipment

24
2-Configuration Weaknesses
  • Unsecured accounts
  • System accounts with easily guessed passwords
  • Mis-configured Internet services
  • Unsecured default settings
  • Mis-configured network equipment
  • Trojan horse programs
  • Vandals ( ????????)
  • Viruses

25
3- Policy Weaknesses
  • Lack of a written security policy
  • Politics
  • High turnover
  • Concise access controls not applied
  • Software and hardware installation and changes do
    not follow policy
  • Proper security
  • Nonexistent disaster recovery plan

26
4- Human Error
  • Accident
  • Ignorance
  • Workload
  • Dishonesty
  • Impersonation ( ???????)
  • Disgruntled employees ( ???????? ????????)
  • Snoops ( ?????)
  • Denial-of-service attacks

27
Goals of Network Security
  • Achieve the state where any action that is not
    expressly permitted is prohibited
  • Eliminate theft
  • Determine authentication
  • Identify assumptions
  • Control secrets

28
Creating a Secure Network Strategy
  • Address both internal and external threats
  • Define policies and procedures
  • Reduce risk across across perimeter security, the
    Internet, intranets, and LANs

29
Creating a Secure Network Strategy
  • Human factors
  • Know your weaknesses
  • Limit access
  • Achieve security through persistence
  • Develop change management process
  • Remember physical security
  • Perimeter ( ????)security
  • Control access to critical network applications,
    data, and services

30
Creating a Secure Network Strategy
  • Firewalls
  • Prevent unauthorized access to or from private
    network
  • Create protective layer between network and
    outside world
  • Replicate network at point of entry in order to
    receive and transmit authorized data
  • Have built-in filters
  • Log attempted intrusions and create reports

31
Creating a Secure Network Strategy
  • Web and file servers
  • Access control
  • Ensures that only legitimate traffic is allowed
    into or out of the network
  • Passwords
  • PINs
  • Smartcards

32
Creating a Secure Network Strategy
  • Change management
  • Document changes to all areas of IT
    infrastructure
  • Encryption
  • Ensures messages cannot be intercepted or read by
    anyone other than the intended person(s)

33
Creating a Secure Network Strategy
  • Intrusion detection system (IDS)
  • Provides 24/7 network surveillance
  • Analyzes packet data streams within the network
  • Searches for unauthorized activity

34
Simplicity
  • Information security is by its very nature
    complex
  • Complex security systems can be hard to
    understand, troubleshoot, and feel secure about
  • As much as possible, a secure system should be
    simple for those on the inside to understand and
    use
  • Complex security schemes are often compromised to
    make them easier for trusted users to work with
  • Keeping a system simple from the inside but
    complex on the outside can sometimes be difficult
    but reaps a major benefit

35
Who Are the Attackers?
  • The types of people behind computer attacks are
    generally divided into several categories
  • Hackers
  • Script kiddies
  • Spies
  • Employees
  • Cybercriminals
  • Cyberterrorists

36
The NSA Hacker
  • Gary McKinnon hacked into NASA and the US
    Military
  • He was looking for evidence about UFOs

37
Hackers
  • Hacker
  • Anyone who illegally breaks into or attempts to
    break into a computer system
  • Although breaking into another persons computer
    system is illegal
  • Some hackers believe it is ethical as long as
    they do not commit theft, vandalism, or breach
    any confidentiality
  • Ethical Hacker
  • Has permission from the owner to test security of
    computers by attacking them

38
Script Kiddies
  • Unskilled users
  • Download automated hacking software (scripts)
    from Web sites and use it to break into computers
  • Image from ning.com

39
Spies
  • Computer spy
  • A person who has been hired to break into a
    computer and steal information
  • Excellent computer skills

40
Employees
  • The largest information security threat
  • Motives
  • An employee might want to show the company a
    weakness in their security
  • Disgruntled employees may be intent on
    retaliating against the company
  • Industrial espionage
  • Blackmailing

41
Cybercriminals
  • A loose-knit network of attackers, identity
    thieves, and financial fraudsters
  • More highly motivated, less risk-averse, better
    funded, and more tenacious than hackers
  • Many security experts believe that cybercriminals
    belong to organized gangs of young and mostly
    Eastern European attackers
  • Cybercriminals have a more focused goal that can
    be summed up in a single word money

42
Cybercriminals
  • Cybercrime
  • Targeted attacks against financial networks,
    unauthorized access to information, and the theft
    of personal information
  • Financial cybercrime is often divided into two
    categories
  • Trafficking in stolen credit card numbers and
    financial information
  • Using spam to commit fraud

43
Cyberterrorists
  • Their motivation may be defined as ideology, or
    attacking for the sake of their principles or
    beliefs
  • Goals of a cyberattack
  • To deface electronic information and spread
    misinformation and propaganda
  • To deny service to legitimate computer users
  • To commit unauthorized intrusions into systems
    and networks that result in critical
    infrastructure outages and corruption of vital
    data

44
Security Tradeoffs
Security
COST
Ease of use
Functionality
45
Steps of an Attack
  • The five steps that make up an attack
  • Probe for information
  • Penetrate any defenses
  • Modify security settings
  • Circulate to other systems
  • Paralyze networks and devices

46
(No Transcript)
47
Defenses against Attacks
  • Although multiple defenses may be necessary to
    withstand an attack
  • These defenses should be based on five
    fundamental security principles
  • Layering
  • Limiting
  • Diversity
  • Obscurity
  • Simplicity

48
Layering
  • Information security must be created in layers
  • One defense mechanism may be relatively easy for
    an attacker to circumvent
  • Instead, a security system must have layers,
    making it unlikely that an attacker has the tools
    and skills to break through all the layers of
    defenses
  • A layered approach can also be useful in
    resisting a variety of attacks
  • Layered security provides the most comprehensive
    protection

49
Limiting
  • Limiting access to information reduces the threat
    against it
  • Only those who must use data should have access
    to it
  • In addition, the amount of access granted to
    someone should be limited to what that person
    needs to know
  • Some ways to limit access are technology-based,
    while others are procedural

50
Diversity
  • Layers must be different (diverse)
  • If attackers penetrate one layer, they cannot use
    the same techniques to break through all other
    layers
  • Using diverse layers of defense means that
    breaching one security layer does not compromise
    the whole system

51
Obscurity ??????
52
Information Security Careers and the Security
Certification
53
Surveying Information Security Careers and the
Security Certification
  • Today, businesses and organizations require
    employees and even prospective applicants
  • To demonstrate that they are familiar with
    computer security practices
  • Many organizations use the CompTIA Security
    certification to verify security competency

54
(No Transcript)
55
CompTIA Security Certification
  • The CompTIA Security (2008 Edition)
    Certification is the premiere vendor-neutral
    credential
  • The Security exam is an internationally
    recognized validation of foundation-level
    security skills and knowledge
  • Used by organizations and security professionals
    around the world
  • The skills and knowledge measured by the
    Security exam are derived from an industry-wide
    Job Task Analysis (JTA)

56
CompTIA Security Certification (continued)
  • The six domains covered by the Security exam
  • Systems Security, Network Infrastructure, Access
    Control, Assessments and Audits, Cryptography,
    and Organizational Security

57
(No Transcript)
58
Quiz What Information security protect ?
  • Information Security protects
  • the integrity, confidentiality, and availability
    of information
  • on the devices which store, manipulate, and
    transmit the information
  • through products, people and procedures
Write a Comment
User Comments (0)
About PowerShow.com