1. Security Awareness Challenges of Securing Information No single simple solution to protecting computers and securing information Different types of attacks Difficulties in defending against these attacks 1

2. Today’s Security Attacks Typical monthly security newsletter –Malicious programs –E-mail attachments –‘‘Booby-trapped’’ Web pages are growing at an increasing rate –Mac computers can be the victim of attackers 2

3. Today’s Security Attacks (cont’d.) Security statistics –45 million credit and debit card numbers stolen –Number of security breaches continues to rise 3

4. Difficulties in Defending Against Attacks Speed of attacks Greater sophistication of attacks Simplicity of attack tools Quicker detection of vulnerabilities –Zero day attack Delays in patching products Distributed attacks User confusion 4

5. Difficulties in Defending Against Attacks (cont’d.) 5 Difficulties in defending against attacks

6. Defining Information Security Information security –Tasks of guarding information that is in a digital format –Ensures that protective measures are properly implemented –Protect information that has value to people and organisations Value comes from the characteristics of the information 6

7. Defining Information Security (cont’d.) Characteristics of information that must be protected by information security –Confidentiality –Integrity –Availability Achieved through a combination of three entities –Products –People –Procedures 7

8. Understanding the Importance of Information Security Preventing data theft –Theft of data is one of the largest causes of financial loss due to an attack –Affects businesses and individuals Thwarting identity theft –Identity theft Using someone’s personal information to establish bank or credit card accounts 8

9. Who Are the Attackers? Divided into several categories –Hackers –Script kiddies –Spies –Employees –Cybercriminals –Cyberterrorists 9

10. Hackers Debated definition of hacker –Identify anyone who illegally breaks into or attempts to break into a computer system –Person who uses advanced computer skills to attack computers only to expose security flaws ‘‘White Hats’ 10

11. Script Kiddies Unskilled users Use automated hacking software Do not understand the technology behind what they are doing Often indiscriminately target a wide range of computers 11

12. Spies Person who has been hired to break into a computer and steal information Do not randomly search for unsecured computers Hired to attack a specific computer or system Goal –Break into computer or system –Take the information without drawing any attention to their actions 12

13. Employees Reasons for attacks by employees –Show company weakness in security –Retaliation –Money –Blackmail –Carelessness 13

14. Cybercriminals Loose-knit network of attackers, identity thieves, and financial fraudsters Motivated by money Financial cybercrime categories –Stolen financial data –Spam email to sell counterfeits, etc. 14

15. Cyberterrorists Motivated by ideology 15

16. Attacks and Defences Same basic steps are used in most attacks Protecting computers against these steps –Calls for five fundamental security principles 16

17. Steps of an Attack Probe for information Penetrate any defences Modify security settings Circulate to other systems Paralyse networks and devices 17

18. Defences Against Attacks Layering –If one layer is penetrated, several more layers must still be breached –Each layer is often more difficult or complicated than the previous –Useful in resisting a variety of attacks Limiting –Limiting access to information reduces the threat against it –Technology-based and procedural methods 18

19. Defences Against Attacks (cont’d.) Diversity –Important that security layers are diverse –Breaching one security layer does not compromise the whole system Obscurity –Avoiding clear patterns of behavior make attacks from the outside much more difficult Simplicity –Complex security systems can be hard to understand, troubleshoot, and feel secure about 19

20. Building a Comprehensive Security Strategy Block attacks –Strong security perimeter Part of the computer network to which a personal computer is attached –Local security important too Update defences –Continually update defenses to protect information against new types of attacks 20

21. Building a Comprehensive Security Strategy (cont’d.) Minimise losses –Realise that some attacks will get through security perimeters and local defenses –Make backup copies of important data –Business recovery policy Send secure information –‘‘Scramble’’ data so that unauthorized eyes cannot read it –Establish a secure electronic link between the sender and receiver 21

22. Summary Attacks against information security have grown exponentially in recent years Difficult to defend against today’s attacks Information security definition –That which protects the integrity, confidentiality, and availability of information Main goals of information security –Prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism 22

23. Summary (cont’d.) Several types of people are typically behind computer attacks Five general steps that make up an attack Practical, comprehensive security strategy involves four key elements 23