Security Awareness Challenges of Security

1
Security AwarenessChallenges of Security

• No single simple solution to protecting computers
  and securing information
• Different types of attacks
• Difficulties in defending against these attacks

2
Todays Security Attacks

• Typical monthly security newsletter
• Malicious programs
• E-mail attachments
• Booby-trapped Web pages are growing at an
  increasing rate
• Mac computers can be the victim of attackers

3
Todays Security Attacks (contd.)

• Security statistics
• Millions of credit and debit card numbers stolen
• Number of security breaches continues to rise

4
Difficulties in Defending Against Attacks

• Speed of attacks
• Greater sophistication of attacks
• Simplicity of attack tools
• Quicker vulnerabilities detected
• Delays in patching products
• Distributed attacks
• User confusion

5
Who Are the Attackers?

• Divided into several categories
• Hackers
• Script kiddies
• Spies
• Employees
• Cybercriminals
• Cyberterrorists

6
Hackers

• Debated definition of hacker
• Identify anyone who illegally breaks into or
  attempts to break into a computer system
• Person who uses advanced computer skills to
  attack computers only to expose security flaws
• White Hats

7
Script Kiddies

• Unskilled users
• Use automated hacking software
• Do not understand the technology behind what they
  are doing
• Often indiscriminately target a wide range of
  computers

8
Spies

• Person who has been hired to break into a
  computer and steal information
• Do not randomly search for unsecured computers
• Hired to attack a specific computer or system
• Goal
• Break into computer or system
• Take the information without drawing any
  attention to their actions

9
Employees

• Reasons for attacks by employees
• Show company weakness in security
• Retaliation
• Money
• Blackmail
• Carelessness

10
Cybercriminals

• Loose-knit network of attackers, identity
  thieves, and financial fraudsters
• Motivated by money
• Financial cybercrime categories
• Stolen financial data
• Spam email to sell counterfeits, etc.

11
Cyberterrorists

• Motivated by ideology

12
Attacks and Defences

• Same basic steps are used in most attacks
• Protecting computers against these steps
• Calls for five fundamental security principles

13
Steps of an Attack

• Probe for information
• Penetrate any defences
• Modify security settings
• Circulate to other systems
• Paralyse networks and devices

14
Defences Against Attacks

• Layering
• If one layer is penetrated, several more layers
  must still be breached
• Each layer is often more difficult or complicated
  than the previous
• Useful in resisting a variety of attacks
• Limiting
• Limiting access to information reduces the threat
  against it
• Technology-based and procedural methods

15
Defences Against Attacks (contd.)

• Diversity
• Important that security layers are diverse
• Breaching one security layer does not compromise
  the whole system
• Obscurity
• Avoiding clear patterns of behavior make attacks
  from the outside much more difficult
• Simplicity
• Complex security systems can be hard to
  understand, troubleshoot, and feel secure about

16
Building a Comprehensive Security Strategy

• Block attacks
• Strong security perimeter
• Part of the computer network to which a personal
  computer is attached
• Local security important too
• Update defences
• Continually update defenses to protect
  information against new types of attacks

17
Building a Comprehensive Security Strategy
(contd.)

• Minimise losses
• Realise that some attacks will get through
  security perimeters and local defenses
• Make backup copies of important data
• Business recovery policy
• Send secure information
• Scramble data so that unauthorized eyes
  cannot read it
• Establish a secure electronic link between the
  sender and receiver

18
Summary

• Attacks against information security have grown
  exponentially in recent years
• Difficult to defend against todays attacks
• Information security definition
• That which protects the integrity,
  confidentiality, and availability of information
• Main goals of information security
• Prevent data theft, thwart identity theft, avoid
  the legal consequences of not securing
  information, maintain productivity, and foil
  cyberterrorism

19
Summary (contd.)

• Several types of people are typically behind
  computer attacks
• Five general steps that make up an attack
• Practical, comprehensive security strategy
  involves four key elements