Foundations of Security
Module 1
Simplifying Security.
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Scenario
Franklin, an employee working for an organization, downloads free software from a website. After installing the software, however, Franklin's system reboots and starts to malfunction.
What might have gone wrong with Franklin’s system? What would you have done in Franklin’s place?

May 23, 2011
Home‐computer Users at Risk Due to Use of ‘Folk Model’ Security
EAST LANSING, Mich. — Most home computers are vulnerable to hacker attacks because the users either mistakenly think they have enough security in place or they don’t believe they have enough valuable information that would be of interest to a hacker.
That’s the point of a paper published this month by Michigan State University’s Rick Wash, who says that most home‐computer users rely on what are known as “folk models.” Those are beliefs about what hackers or viruses are that people use to make decisions about security – to keep their information safe. Unfortunately, they don’t often work the way they should.
“Home security is hard because people are untrained in security,” said Wash, an assistant professor in the Department of Telecommunication, Information Studies and Media. “But it isn’t because people are idiots. Rather they try their best to make sense of what’s going on and frequently make choices that leave them vulnerable.”
http://news.msu.edu

May 23, 2011 8:21:51 PM ET
'Fakefrag' Trojan Scares You into Paying Up
A devious new Trojan is putting the fear of hard drive failure into computer owners, and then rushing in to "save" the day — at your expense.
Once the "Fakefrag" Trojan finds its way onto your system via specially crafted malicious Web pages, it gets to work on the task of making you believe all your files have been erased from your hard drive, the security firm Symantec reported.
Scareware scams, which try to convince users they have a computer virus, and then trick them into purchasing fake antivirus software, are nothing new. However, Fakefrag takes the crime a step further: it actually moves your files from the "All Users" folder to a temporary location, and hides files in the "Current User" folder, Symantec said.
http://www.msnbc.msn.com

Module Objectives
- Security Incidents
- Essential Terminologies
- Computer Security
- Why Security?
- Potential Losses Due to Security Attacks
- Elements of Security
- Fundamental Concepts of Security
- Layers of Security
- Security Risks to Home Users
- What to Secure?
- What Makes a Home Computer Vulnerable?
- What Makes a System Secure?
- Benefits of Computer Security Awareness
- Basic Computer Security Mechanisms

Module Flow
- Essential Terminologies
- Elements of Security
- Computer Security
- Security Risks to Home Users
- Layers of Security
- What Makes a Home Computer Vulnerable?
- Potential Losses Due to Security Attacks
- Benefits of Computer Security Awareness
- What to Secure?
- Basic Computer Security Mechanisms

Security Incident Occurrences Over Time
[Chart: Security Incident Occurrences Over Time, Report on January, 2011; x-axis: Years (2002 to 2011). Source: http://datalossdb.org]

Security Incidents by Breach Type - 2011
A security incident is “Any real or suspected adverse event in relation to the security of computer systems or computer networks.” (http://www.cert.org)
[Chart: Security Incidents by Breach Type, 2011. Categories: Stolen Laptop, Stolen Document, Lost Laptop, Hack, Web, Disposal Document, Unknown. Source: http://datalossdb.org]

Essential Terminologies
Threat: An action or event that has the potential to compromise and/or violate security
Cracker, Attacker, or Intruder: An individual who breaks into computer systems in order to steal, change, or destroy information
Exploit: A defined way to breach the security of an IT system through a vulnerability
Vulnerability: Existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system
Attack: Any action derived from intelligent threats to violate the security of the system
Data Theft: Any action of stealing the information from the users’ system

Computer Security
- Security is a state of well‐being of information and infrastructure
- Computer security refers to the protection of computer systems and the information a user stores or processes
- Users should focus on various security threats and countermeasures in order to protect their information assets

Why Security?
- Computer security is important for protecting the confidentiality, integrity, and availability of computer systems and their resources
- Computer administration and management have become more complex which produces more attack avenues
- Evolution of technology has focused on the ease of use while the skill level needed for exploits has decreased
- Network environments and network‐based applications provide more attack paths

Potential Losses Due to Security Attacks
- Misuse of computer resources
- Financial loss
- Unavailability of resources
- Data loss/theft
- Identity theft
- Loss of trust

Elements of Security
- Confidentiality is “ensuring that information is accessible only to those authorized to have access” (ISO‐17799)
- Integrity is “ensuring that the information is accurate, complete, reliable, and is in its original form”
- Authenticity is “the identification and assurance of the origin of information”
- Non‐repudiation is “ensuring that a party to a contract or a communication cannot deny the authenticity of their signature on a document”
- Availability is “ensuring that the information is accessible to authorized persons when required without delay”

The Security, Functionality, and Ease of Use Triangle
- Applications/software products by default are preconfigured for ease of use, which makes the user vulnerable to various security flaws
- Similarly, increased functionality (features) in an application makes it difficult to use in addition to being less secure
- Moving the ball toward security means moving away from the functionality and ease of use
[Figure: triangle with corners labelled Security (Restrictions), Functionality (Features), and Ease of Use]

Fundamental Concepts of Security
Precaution: Adhering to the preventative measures while using computer system and applications
Maintenance: Managing all the changes in the computer applications and keeping them up to date
Reaction: Acting timely when security incidents occur

Layers of Security
Layer 1, Physical Security: Safeguards the personnel, hardware, programs, networks, and data from physical threats
Layer 2, Network Security: Protects the networks and their services from unauthorized modification, destruction, or disclosure
Layer 3, System Security: Protects the system and its information from theft, corruption, unauthorized access, or misuse
Layer 4, Application Security: Covers the use of software, hardware, and procedural methods to protect applications from external threats
Layer 5, User Security: Ensures that a valid user is logged in and that the logged‐in user is allowed to use an application/program

Security Risks to Home Users
- Home computers are prone to various cyber attacks as they provide attackers easy targets due to a low level of security awareness
- Security risks to home users arise from various computer attacks and accidents causing physical damage to computer systems
Computer Attacks:
- Malware attacks
- Email attacks
- Mobile code (Java/JavaScript/ActiveX) attacks
- Denial of service and cross‐site scripting attacks
- Identity theft and computer frauds
- Packet sniffing
- Being an intermediary for another attack (zombies)
Computer Accidents:
- Hard disk or other component failures
- Power failure and surges
- Theft of a computing device
Note: These threats and their countermeasures will be discussed in detail in the later modules

What to Secure?
Hardware: Laptops, Desktop PCs, CPU, hard disk, storage devices, cables, etc.
Software: Operating system and software applications
Information: Personal identification such as Social Security Number (SSN), passwords, credit card numbers, etc.
Communications: Emails, instant messengers, and browsing activities

What Makes a Home Computer Vulnerable?
- Low level of security awareness
- Default computer and application settings
- None or very little investment in security systems
- Increasing online activities
- Not following any standard security policies or guidelines

What Makes a System Secure?
System security measures help protect computers and information stored in the systems from accidental loss, malicious threats, unauthorized access, etc.
System Access Controls:
- Ensure that unauthorized users do not get into the system
- Force legal users to be conscious about security
Data Access Controls:
- Monitor system activities such as who is accessing the data and for what purpose
- Define access rules based on the system security levels
System and Security Administration:
- Perform regular system and security administration tasks such as configuring system settings, implementing security policies, monitoring system state, etc.
System Design:
- Deploy various security characteristics in system hardware and software design such as memory segmentation, privilege isolation, etc.

Benefits of Computer Security Awareness
- Computer security awareness helps minimize the chances of computer attacks
- It helps prevent the loss of information stored on the systems
- It helps users to prevent cybercriminals from using their systems in order to launch attacks on the other computer systems
- It helps users minimize losses in case of an accident that causes physical damage to computer systems
- It enables users to protect sensitive information and computing resources from unauthorized access

Module Summary
- Security is a state of well‐being of information and infrastructures
- Computer security is the protection of computing systems and the data that they store or access
- Confidentiality, integrity, non‐repudiation, authenticity, and availability are the elements of security
- Security risks to home users arise from various computer attacks and accidents causing physical damage to computer systems
- Computer security awareness helps minimize the chances of computer attacks and prevent the loss of information stored on the systems

Basic Computer Security Checklist
- Use of strong passwords
- Use of anti‐virus systems
- Regular update of operating system and other installed applications
- Regular backup of important files
- Use of encryption techniques and digital signatures
- Use of firewall and intrusion detection systems
- Following standard guidelines for Internet activities
- Physical security of computing infrastructure
- Awareness of current security scenario and attack techniques