0% found this document useful (0 votes)

79 views

CHP 1 - Introduction To Computer and Network Security

The document provides an overview of key concepts in computer and network security. It outlines objectives such as explaining relationships among information security components, defining important terms, and identifying common threats. The document discusses what information security entails, including protecting systems, hardware, data and networks. It also outlines security models like the CIA triad and McCumber cube. Additionally, the document examines threats to information security, such as hackers and malicious code. Specific attacks like password cracking, denial-of-service attacks and spoofing are also summarized.

Uploaded by

hariz

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

79 views

CHP 1 - Introduction To Computer and Network Security

Uploaded by

hariz

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

You are on page 1/ 66

IAS2253

Chapter One
Introduction to Computer and Network
Security

Objectives
Explain the relationships among the component
parts of information security, especially network
security
Define the key terms and critical concepts of
information and network security
Explain the business need for information and
network security
Identify the threats posed to information and
network security, as well as the common attacks
associated with those threats
2013 Course Technology/Cengage Learning. All Rights Reserved.

Objectives (contd.)
Distinguish between threats to information from
within systems and attacks against information
from within systems
Describe the organizational roles of information
and network security professionals
Define managements role in the development,
maintenance, and enforcement of information
security policy, standards, practices, procedures,
and guidelines

2013 Course Technology/Cengage Learning. All Rights Reserved.

Objectives (contd.)
Discuss how an organization institutionalizes
policies, standards, and practices using education,
training, and awareness programs

2013 Course Technology/Cengage Learning. All Rights Reserved.

Introduction
Network security
Critical to day-to-day IT operations of nearly every
organization

Information security
Field has matured in last 20 years
Large in scope

2013 Course Technology/Cengage Learning. All Rights Reserved.

What is Information Security?

Protection of information and its critical elements
Systems and hardware that use, store, and transmit
information

Information security includes:

Information security management
Computer and data security
Network security

2013 Course Technology/Cengage Learning. All Rights Reserved.

What is Information Security? (contd.)

Security layers
Network security
Protect components, connections, and contents

Physical items or areas

Personal security
Protect people

Operations security
Protect details of activities

Communications security
Protect media, technology, and content
2013 Course Technology/Cengage Learning. All Rights Reserved.

Information Security Terminology

Access
Ability to use, modify, or affect another object

Asset
Organizational resource being protected

Attack
Act that causes damage to information or systems

Control, safeguard, or countermeasure

Security mechanisms, policies, or procedures

2013 Course Technology/Cengage Learning. All Rights Reserved.

Information Security Terminology

(contd.)
Exploit
Technique used to compromise a system

Exposure
Condition or state of being exposed to attack

Intellectual property
Works of the mind
Inventions, literature, art, logos, and other creative
works

Loss
Single instance of damage to an information asset
2013 Course Technology/Cengage Learning. All Rights Reserved.

Information Security Terminology

(contd.)
Protection profile or security posture
Set of controls that protect an asset

Risk
Probability that something unwanted will happen

Subject
Agent used to conduct the attack

Object
Target entity of an attack

2013 Course Technology/Cengage Learning. All Rights Reserved.

Figure 1-2 Computer as the subject and object of an attack

Cengage Learning 2013

2013 Course Technology/Cengage Learning. All Rights Reserved.

Information Security Terminology

(contd.)
Threat
Entity presenting danger to an asset

Threat agent
Specific instance of a threat
Examples: lightning strike, tornado, or specific
hacker

Vulnerability
Weakness or fault in a system
Opens up the possibility of attack or damage

2013 Course Technology/Cengage Learning. All Rights Reserved.

Critical Characteristics of Information

Characteristics of information determine its value
Availability
Ability to access information without obstruction

Accuracy
Information is free from errors

Authenticity
Quality or state of being genuine

Confidentiality
Protection from disclosure to unauthorized
individuals or systems
2013 Course Technology/Cengage Learning. All Rights Reserved.

Critical Characteristics of Information

(contd.)
Data owners
Responsible for the security and use of a particular
set of information

Data custodians
Responsible for information storage, maintenance,
and protections

Data users
End users who work with information

Integrity
Information remains whole, complete, uncorrupted
2013 Course Technology/Cengage Learning. All Rights Reserved.

Critical Characteristics of Information

(contd.)
Utility
Information has value for some purpose or end

Possession
Ownership or control of some object or item

Privacy
Information is used in accordance with legal
requirements

2013 Course Technology/Cengage Learning. All Rights Reserved.

Security Models
Information security model
Maps security goals to concrete ideas

C.I.A. triad
Original basis of computer security

Figure 1-3 C.I.A. triad

Cengage Learning 2013

2013 Course Technology/Cengage Learning. All Rights Reserved.

Security Models (contd.)

McCumber cube
Graphical description of architectural approach
Widely used in computer and information security
27 cells represent areas to address to secure
information systems

2013 Course Technology/Cengage Learning. All Rights Reserved.

Security Models (contd.)

Figure 1-4 McCumber cube

Cengage Learning 2013

2013 Course Technology/Cengage Learning. All Rights Reserved.

Balancing Information Security and

Access
Information security must balance protection and
availability
Allow reasonable access
Protect against threats

Imbalance occurs when:

Needs of end user are undermined

2013 Course Technology/Cengage Learning. All Rights Reserved.

Business Needs First

Important organizational functions of an information
security program

Protects organizations ability to function

Enables safe operation of applications
Protects data
Safeguards technology assets

2013 Course Technology/Cengage Learning. All Rights Reserved.

Business Needs First (contd.)

Protecting the functionality of an organization
General management and IT management are
responsible
More to do with management than technology

Enabling safe operation of applications

Securing storage of business-critical data
Ensuring integrity of key business transactions
Making communications constantly available

2013 Course Technology/Cengage Learning. All Rights Reserved.

Business Needs First (contd.)

Protecting data that organizations collect and use
Data in motion
Data at rest

Safeguarding technology assets in organizations

Security should match size and scope of asset
Examples of assets: firewalls; caching network
appliances

2013 Course Technology/Cengage Learning. All Rights Reserved.

Threats to Information Security

Wide range of threats pervade interconnected
world
Threats are relatively well researched
See Table 1-1
12 categories of danger to an organizations people,
information, and systems

2013 Course Technology/Cengage Learning. All Rights Reserved.

Table 1-1 Threats to information security

Cengage Learning 2013
2013 Course Technology/Cengage Learning. All Rights Reserved.

Common Threats
Cracker
Individual who cracks (removes) software
protection

Cyberterrorist
Hacks systems to conduct terrorist activities

Hackers
Gain access without authorization

Hacktivist or cyberactivist
Disrupts or interferes with operations to protest
against an organization or government agency
2013 Course Technology/Cengage Learning. All Rights Reserved.

Common Threats (contd.)

Malicious code or malicious software
Computer viruses
Macro or boot virus

Worms
Trojan horses
Backdoor, trap door, or maintenance hook
Rootkit

Packet monkeys
Phreaker
Hacker who targets public telephone network
2013 Course Technology/Cengage Learning. All Rights Reserved.

Common Threats (contd.)

Script kiddies
Hackers of limited skill who use expertly written
software to attack a system

Shoulder surfing
Observing passwords of others

Software piracy
Unlawful use or duplication of software IP

2013 Course Technology/Cengage Learning. All Rights Reserved.

Attacks on Information Security

Threats are always present
Attacks occur through specific actions
May cause business loss

2013 Course Technology/Cengage Learning. All Rights Reserved.

Malicious Code
State-of-the-art malicious code attack
Polymorphic (or multivector) worm
Uses several attack vectors to exploit variety of
vulnerabilities
See Table 1-2 for known attack vectors

2013 Course Technology/Cengage Learning. All Rights Reserved.

Table 1-2 Attack replication vectors

Cengage Learning 2013

2013 Course Technology/Cengage Learning. All Rights Reserved.

Password Attacks
Password cracking
Attempt to bypass access controls
Guessing passwords

Rainbow tables
Used when the hash of the users password is known

Brute force attacks

Trying every possible combination

Dictionary
Trying specific, commonly used passwords
2013 Course Technology/Cengage Learning. All Rights Reserved.

Denial-of-Service (DoS) and

Distributed Denial-of-Service (DDoS)
Attacks
Denial-of-service attack
Attacker sends large number of requests to a target
Target system cannot handle volume of requests
System crashes
Or cannot handle legitimate requests

Distributed denial-of-service attack

Coordinated stream of requests against a target
Occurs from many locations simultaneously

2013 Course Technology/Cengage Learning. All Rights Reserved.

Figure 1-5 Denial-of-service attacks

Cengage Learning 2013
2013 Course Technology/Cengage Learning. All Rights Reserved.

Spoofing
Technique used to gain unauthorized access to
computers
Intruder sends messages with fake IP address of a
trusted host
Modifies the packet headers with the trusted IP

Newer routers and firewalls can offer protection

2013 Course Technology/Cengage Learning. All Rights Reserved.

Figure 1-6 IP spoofing

Cengage Learning 2013
2013 Course Technology/Cengage Learning. All Rights Reserved.

Man-in-the-Middle Attacks

Attacker monitors packets from the network

Modifies packets using IP spoofing techniques
Inserts packets back into network
Can be used to eavesdrop, modify, reroute, forge,
divert data

2013 Course Technology/Cengage Learning. All Rights Reserved.

Figure 1-7 Man-in-the-middle attack

Cengage Learning 2013
2013 Course Technology/Cengage Learning. All Rights Reserved.

E-Mail Attacks
Spam
Malicious code may be embedded in attachments

Mail bomb
Attacker reroutes large quantities of e-mail to the
target system
Poorly-configured e-mail systems at risk

2013 Course Technology/Cengage Learning. All Rights Reserved.

Sniffers
Program or device monitoring data traveling over a
network
Can be used for legitimate functions
Also for stealing information

Unauthorized sniffers virtually impossible to detect

Shows all data going by including passwords

2013 Course Technology/Cengage Learning. All Rights Reserved.

Social Engineering
Process of using social skills to convince people to
reveal access credentials
Usually involves impersonation
New employee
Employee who needs assistance
Someone higher in organizational hierarchy

2013 Course Technology/Cengage Learning. All Rights Reserved.

Buffer Overflow
Application error
Occurs when more data is sent to a buffer than it
can handle
Attacker can take advantage of the consequence of
the failure

2013 Course Technology/Cengage Learning. All Rights Reserved.

Timing Attacks
Measuring the time required to access a Web page
Deducing that the user has visited the site before
Presence of the page in browsers cache

Another type of timing attack:

Side channel attack on cryptographic algorithms

2013 Course Technology/Cengage Learning. All Rights Reserved.

Security Professionals and the

Organization
Information security program
Supported by wide range of professionals
Administrative support also required

Executive management
Chief information officer (CIO)
Chief information security officer (CISO)

2013 Course Technology/Cengage Learning. All Rights Reserved.

Security Professionals and the

Organization (contd.)
Information security project team

Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems, network, and storage administrators
End users

2013 Course Technology/Cengage Learning. All Rights Reserved.

Information Security Policy, Standards,

and Practices
Policy
Guidance implemented by senior management
Regulates activities
Similar to laws

Standards
Detailed description of how to comply with policy
De facto standards
De jure standards

2013 Course Technology/Cengage Learning. All Rights Reserved.

Figure 1-8 Policies, standards, and practices

Cengage Learning 2013

2013 Course Technology/Cengage Learning. All Rights Reserved.

Information Security Policy, Standards,

and Practices (contd.)
Management policy
Basis for information security planning, design, and
deployment

Criteria for effective policy

Dissemination
Review
Comprehension
Compliance
Uniformity

Enterprise Information Security Policy

(EISP)
Other names for EISP
General security policy
IT security policy
Information security policy

Supports mission and vision of the organization

Executive-level document
Guides the security program
Addresses legal compliance

Table 1-3 Components of the EISP

Issue-Specific Security Policy (ISSP)

States organizations position on each issue
Examples of topics

Use of company-owned networks and the Internet

Use of e-mail
Prohibitions against hacking
Use of personal equipment on company networks

Table 1-4 Components of

the ISSP
Cengage Learning 2013

Systems-Specific Policy (SysSP)

Managerial guidance SysSPs
Guides technology implementation and configuration
Regulates behavior of people in organization

Technical specification SysSPs

Access control lists
Capability table
Access control matrix

Configuration rule policies

Specific instructions to regulate security system

Frameworks and Industry Standards in

Information Security
Security blueprint
Used to implement the security program
Basis for design, selection, and implementation of
program elements

Security framework
Outline of overall information security strategy
Roadmap for planned changes to the environment

Security models
Can be used to develop a security blueprint

The ISO 27000 series

One of the most widely referenced security models
Gives recommendations for information security
management
See Figure 1-9 for overall methodology

Figure 1-9 ISO/IEC 27002

major process steps
Cengage Learning 2013

NIST Security Models

Available from csrc.nist.gov
Publicly available
Free
Reviewed by government and industry
professionals
Many documents available

IETF Security Architecture

Security area working group
Acts as advisory board for IETF

RFC 2196: Site security handbook

Good reference
Covers five basic areas of security

Benchmarking and Best Business

Practices
Methods used by some organizations
To assess security practices

Federal Agency Security Practices Web site

Popular resource for best practices

SANS Institute
Cooperative information security research
organization

Benchmarking and Best Business

Practices (contd.)
Spheres of security
Shows that information is at risk from various
sources
Illustrated in Figure 1-10

Defense in depth
Layered implementation of security
Organization establishes multiple layers of security
controls

Figure 1-10 Spheres of security

Cengage Learning 2013

Figure 1-11 Defense in depth

Cengage Learning 2013

Benchmarking and Best Business

Practices (contd.)
Redundancy
Implementing multiple types of technology
Prevents failure of one system from compromising
security of another system

Security perimeter
Defines the boundary between organizations
security and outside world
Both electronic and physical

Figure 1-12 Security perimeters

Cengage Learning 2013

Summary
Information security is the protection of information
Information value comes from its characteristics

A threat is an object, person, or entity that

represents a danger to an asset
An attack is an action that takes advantage of a
vulnerability to compromise a controlled system
Security models include the C.I.A. triad and the
McCumber cube

Summary (contd.)
Information security functions

Protects organizations ability to function

Enables safe operation of applications
Protects data
Safeguards technology assets

Many types of professionals support an information

security program
Management policy is the basis for all information
security planning

The War Within - An Anatomy ..
100% (3)
The War Within - An Anatomy ..
30 pages
Bionic Turtle FRM Practice Questions P1.T1. Foundations of Risk Chapter 1. The Building Blocks of Risk Management
100% (1)
Bionic Turtle FRM Practice Questions P1.T1. Foundations of Risk Chapter 1. The Building Blocks of Risk Management
17 pages
SCDL - Marketing Management
100% (1)
SCDL - Marketing Management
20 pages
Lecture 1 Introduction To The Management of Information Security
No ratings yet
Lecture 1 Introduction To The Management of Information Security
47 pages
Cyb 309 - Systems Security - Lecture I
No ratings yet
Cyb 309 - Systems Security - Lecture I
37 pages
WRAT5 + SATA Answer Sheets
100% (2)
WRAT5 + SATA Answer Sheets
9 pages
265 - DCCN Lecture Notes
100% (1)
265 - DCCN Lecture Notes
132 pages
The Law School Manifesto
0% (1)
The Law School Manifesto
14 pages
J. Heifetz, D.Oistrakh, J.Szigeti - Their Contributions To The Violin Repertoire PDF
50% (2)
J. Heifetz, D.Oistrakh, J.Szigeti - Their Contributions To The Violin Repertoire PDF
65 pages
Introduction To Computer
No ratings yet
Introduction To Computer
30 pages
Wireless Network Lecture 1
100% (1)
Wireless Network Lecture 1
42 pages
L3 Computer Crime and Computer Crime Act
No ratings yet
L3 Computer Crime and Computer Crime Act
47 pages
Autonomic Computing
No ratings yet
Autonomic Computing
32 pages
Unit I
No ratings yet
Unit I
63 pages
Introduction To Computer Security
No ratings yet
Introduction To Computer Security
38 pages
Software Quality and Assurance
No ratings yet
Software Quality and Assurance
8 pages
TSA2151 Lec01
No ratings yet
TSA2151 Lec01
32 pages
Unit 1 Introduction To Computer Security: COSC 4035
0% (1)
Unit 1 Introduction To Computer Security: COSC 4035
47 pages
Chapter-1 Basics of Internet
No ratings yet
Chapter-1 Basics of Internet
20 pages
Multimedia Full Notes
100% (2)
Multimedia Full Notes
113 pages
Chapter 1 Graphical User Interface (GUI)
No ratings yet
Chapter 1 Graphical User Interface (GUI)
53 pages
03 SystemAdministration
No ratings yet
03 SystemAdministration
30 pages
Distributed Systems: - CSE 380 - Lecture Note 13 - Insup Lee
No ratings yet
Distributed Systems: - CSE 380 - Lecture Note 13 - Insup Lee
24 pages
Lesson 1 Introduction To Information Security
No ratings yet
Lesson 1 Introduction To Information Security
42 pages
Protection and Security Operating System
No ratings yet
Protection and Security Operating System
15 pages
It Security
No ratings yet
It Security
33 pages
Introduction To Computer
No ratings yet
Introduction To Computer
11 pages
Cloud-Computing-unit 3
100% (1)
Cloud-Computing-unit 3
35 pages
Lecture 8 - Documentation, Hypertext and MHEG
No ratings yet
Lecture 8 - Documentation, Hypertext and MHEG
49 pages
Unit Iii Iaia
No ratings yet
Unit Iii Iaia
16 pages
Lecture 1 - Introduction To Networking
No ratings yet
Lecture 1 - Introduction To Networking
37 pages
Morley15e PPT Ch12 REV
No ratings yet
Morley15e PPT Ch12 REV
52 pages
Virtualization Technologies
No ratings yet
Virtualization Technologies
30 pages
Chapter 7
No ratings yet
Chapter 7
26 pages
Operating System Support in Distributed Systems
No ratings yet
Operating System Support in Distributed Systems
4 pages
Advanced Software Engineering
No ratings yet
Advanced Software Engineering
53 pages
Unit Iv Grid Middleware Packages: Globus Toolkit (GT4) Architecture
No ratings yet
Unit Iv Grid Middleware Packages: Globus Toolkit (GT4) Architecture
19 pages
Communication in Distributed Systems PDF
No ratings yet
Communication in Distributed Systems PDF
2 pages
Introduction To Computer Security
0% (1)
Introduction To Computer Security
39 pages
Module 1
100% (1)
Module 1
39 pages
Confidentiality, Integrity, and Availability in Network Systems: A Review of Related Literature
No ratings yet
Confidentiality, Integrity, and Availability in Network Systems: A Review of Related Literature
10 pages
Unit 1-Fundamentals of DBMS
No ratings yet
Unit 1-Fundamentals of DBMS
53 pages
Communication Hardware & Communication Software
No ratings yet
Communication Hardware & Communication Software
16 pages
Chapter 4 Physical and Logical Security
No ratings yet
Chapter 4 Physical and Logical Security
22 pages
A Information Technology Devices
No ratings yet
A Information Technology Devices
21 pages
Platform Technologies - P4
No ratings yet
Platform Technologies - P4
38 pages
Ethics and Information Security: Presented by
No ratings yet
Ethics and Information Security: Presented by
15 pages
Unit 1 Fundamentals of Data Warehouse
No ratings yet
Unit 1 Fundamentals of Data Warehouse
21 pages
6-7 - Computing Components
No ratings yet
6-7 - Computing Components
40 pages
Database Security
No ratings yet
Database Security
38 pages
Networking Midterm Preparation
No ratings yet
Networking Midterm Preparation
2 pages
Istributed Perating Ystems: Jyotsna Singh
No ratings yet
Istributed Perating Ystems: Jyotsna Singh
25 pages
Unit 38 DatabaseManagementSyst
No ratings yet
Unit 38 DatabaseManagementSyst
27 pages
Chapter 1 Introduction To Network Security
No ratings yet
Chapter 1 Introduction To Network Security
21 pages
06 - Utility Programs
No ratings yet
06 - Utility Programs
51 pages
2.5.1 Information System Security
No ratings yet
2.5.1 Information System Security
32 pages
Database Applications PDF
No ratings yet
Database Applications PDF
34 pages
Internet Programming Notes
100% (1)
Internet Programming Notes
3 pages
Cloud Computing Assignment 1
No ratings yet
Cloud Computing Assignment 1
7 pages
Unit 4 Managing & Securing The Cloud
No ratings yet
Unit 4 Managing & Securing The Cloud
11 pages
Chapter 3 - Naming and Threads-1
No ratings yet
Chapter 3 - Naming and Threads-1
21 pages
CNS PDF
No ratings yet
CNS PDF
213 pages
Chapter 1 Introduction
No ratings yet
Chapter 1 Introduction
77 pages
Chapter 6. - OS Database Security) OL - Edited2
No ratings yet
Chapter 6. - OS Database Security) OL - Edited2
49 pages
Equity of Cybersecurity in the Education System: High Schools, Undergraduate, Graduate and Post-Graduate Studies.
From Everand
Equity of Cybersecurity in the Education System: High Schools, Undergraduate, Graduate and Post-Graduate Studies.
Joseph O. Esin
No ratings yet
Lecture 1
No ratings yet
Lecture 1
42 pages
012 - Defence of Insanity in Indian Criminal Law (325-383)
No ratings yet
012 - Defence of Insanity in Indian Criminal Law (325-383)
59 pages
chp 14 narrative analysis
No ratings yet
chp 14 narrative analysis
4 pages
4 Risk ManagingMind
No ratings yet
4 Risk ManagingMind
17 pages
CRANFIELD - PHD Programme Brochure
No ratings yet
CRANFIELD - PHD Programme Brochure
8 pages
Employment Contract Agreement
100% (1)
Employment Contract Agreement
4 pages
TOPIC 1-The School Environment
No ratings yet
TOPIC 1-The School Environment
6 pages
Italo 3 Product Sheet
No ratings yet
Italo 3 Product Sheet
11 pages
BBS111S - Basic Business Statistics 1a - 1ST Opp - June 2018
No ratings yet
BBS111S - Basic Business Statistics 1a - 1ST Opp - June 2018
7 pages
XD - Windows 7 Optimization Guide
No ratings yet
XD - Windows 7 Optimization Guide
9 pages
English 9 Quarter 1 Reviewer
89% (9)
English 9 Quarter 1 Reviewer
4 pages
04COLUMBUS STREET GI Gang - Injun - OVB - 85x11
No ratings yet
04COLUMBUS STREET GI Gang - Injun - OVB - 85x11
1 page
Belt Conveyors: Mechanical Engineering Department Carlos III University
No ratings yet
Belt Conveyors: Mechanical Engineering Department Carlos III University
19 pages
Class:12 Subject: English Unit 1 Part - A I. Multiple Choice Questions
No ratings yet
Class:12 Subject: English Unit 1 Part - A I. Multiple Choice Questions
6 pages
The Awakening By:: Kate Chopin: PPT: BY: Will Zorn
No ratings yet
The Awakening By:: Kate Chopin: PPT: BY: Will Zorn
8 pages
Termination Agreement
No ratings yet
Termination Agreement
2 pages
Graphic Organizers
100% (1)
Graphic Organizers
10 pages
Calendar and Community
No ratings yet
Calendar and Community
2 pages
EXFO Spec-Sheet MAX-800-Series v1 en
No ratings yet
EXFO Spec-Sheet MAX-800-Series v1 en
18 pages
The Ozymandias Principles - Harry Foster PDF
No ratings yet
The Ozymandias Principles - Harry Foster PDF
215 pages
Analisis Kualitas Sensorik Sirup Pisang Mas (Musa Paradisiaca, L.) Dengan PENAMBAHAN DAUN MIANA (Coleus Blumei Benth)
No ratings yet
Analisis Kualitas Sensorik Sirup Pisang Mas (Musa Paradisiaca, L.) Dengan PENAMBAHAN DAUN MIANA (Coleus Blumei Benth)
8 pages
12061-Article Text-23845-1-10-20231110
No ratings yet
12061-Article Text-23845-1-10-20231110
11 pages
ADDIE Model of Instructional Design: DR MD Aktaruzzaman
No ratings yet
ADDIE Model of Instructional Design: DR MD Aktaruzzaman
12 pages
Buy Ebook A Short Textbook of Psychiatry 20th Year Edition Niraj Ahuja Cheap Price
100% (2)
Buy Ebook A Short Textbook of Psychiatry 20th Year Edition Niraj Ahuja Cheap Price
84 pages
Chandigarhicai
No ratings yet
Chandigarhicai
225 pages