Chapter 1: Information Security Fundamentals Mission College CIT 016 Security+

Chapter 1: Information Security Fundamentals

Mission College CIT 016 Security+

2

Objectives

Identify the challenges for information security

Define information security

Explain the importance of information security

3

Objectives

List and define information security terminology

Describe the CompTIA Security+ certification exam

Describe information security careers

4

Challenges for Information Security

Challenge of keeping networks and computers secure has never been greater

A number of trends illustrate why security is becoming increasingly difficult

Many trends have resulted in security attacks growing at an alarming rate

5

Identifying the Challenges for Information Security (continued)

Computer Emergency Response Team (CERT) security organization compiles statistics regarding number of reported attacks, including:

Speed of attacks

Sophistication of attacks

Faster detection of weaknesses

Distributed attacks

Difficulties of patching

6

Challenges for Information Security

7

Challenges for Information Security

8

Defining Information Security

Information security: Tasks of guarding digital information, which is typically processed by a computer (such as a personal computer), stored on a magnetic or optical storage device (such as a hard drive or DVD), and transmitted over a network

9

Defining Information Security

Ensures that protective measures are properly implemented

Is intended to protect information

Involves more than protecting the information itself

10

Defining Information Security

11

Defining Information Security

Three characteristics of information must be protected by information security:

1. Confidentiality

2. Integrity

3. Availability

Center of diagram shows what needs to be protected (information)

Information security achieved through a combination of the three above entities

12

Importance of Information Security

Information security is important to businesses:

Prevents data theft

Avoids legal consequences of not securing information

Maintains productivity

Foils cyberterrorism

Thwarts identity theft

13

Preventing Data Theft

Security often associated with theft prevention

Drivers install security systems on their cars to prevent the cars from being stolen

Same is true with information security―businesses cite preventing data theft as primary goal of information security

14

Preventing Data Theft (continued)

Theft of data is single largest cause of financial loss due to a security breach

One of the most important objectives of information security is to protect important business and personal data from theft

15

Avoiding Legal Consequences

In recent years, a number of federal and state laws have been enacted to protect the privacy of electronic data.

Businesses that fail to protect data may face serious penalties

Laws include:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Sarbanes-Oxley Act of 2002 (Sarbox)

The Gramm-Leach-Bliley Act (GLBA)

USA PATRIOT Act 2001

16

HIPAA

Health Insurance Portability and Accountability Act (1996)

Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.

Title II, the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

The AS provisions also address the security and privacy of health data.

http://en.wikipedia.org/wiki/HIPAA

17

Sarbanes-Oxley Act of 2002

Federal law passed in response to a number of major corporate and accounting scandals.

SOX or SarbOX imposes stringent reporting requirements and internal controls on electronic financial reporting systems.

Corporate officers who knowingly certify a false financial report can be fined up to $5 million and serve 20 yrs. in prison.

http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act

18

Gramm-Leach-Bliley Act (GLBA)

The GLBA requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information.

The GLBA also states that all electronic and paper data containing personally identifiable financial information must be protected.

The Gramm-Leach-Bliley Act (GLBA) also allowed commercial and investment banks to consolidate.

http://www.consumerprivacyguide.org/law/glb.shtml

http://en.wikipedia.org/wiki/Gramm-Leach-Bliley_Act

19

US Patriot Act (2001)

Designed to broaden the surveillance of law enforcement agencies so they can detect and suppress terrorism.

The US Patriot Act also authorizes law enforcement to install electronic monitoring devices to assess computer and telephone usage.

http://en.wikipedia.org/wiki/Patriot_Act

http://www.epic.org/privacy/terrorism/usapatriot/

http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.03162:

20

Maintaining Productivity

After an attack on information security, clean-up efforts divert resources, such as time and money, away from normal activities

A Corporate IT Forum survey of major corporations showed:

Each attack costs a company an average of $213,000 in lost man-hours and related costs

One-third of corporations reported an average of more than 3,000 man-hours lost

21

Maintaining Productivity

22

Foiling Cyberterrorism

An area of growing concern among defense experts is surprise attacks by terrorist groups using computer technology and the Internet (cyberterrorism)

These attacks could cripple a nation’s electronic and commercial infrastructure

Our challenge in combating cyberterrorism is that many prime targets are not owned and managed by the federal government

http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/

23

Thwarting Identity Theft

Identity theft involves using someone’s personal information, such as social security numbers, to establish bank or credit card accounts that are then left unpaid, leaving the victim with the debts and ruining their credit rating

National, state, and local legislation continues to be enacted to deal with this growing problem

The Fair and Accurate Credit Transactions Act of 2003 is a federal law that addresses identity theft

Consumers can receive a free copy of their credit report once every year.

24

Information Security Terminology

25

Exploring the CompTIA Security+ Certification Exam

Since 1982, the Computing Technology Industry Association (CompTIA) has been working to advance the growth of the IT industry

CompTIA is the world’s largest developer of vendor-neutral IT certification exams

The CompTIA Security+ certification tests for mastery in security concepts and practices

26

Exploring the CompTIA Security+ Certification Exam

Exam was designed with input from security industry leaders, such as VeriSign, Symantec, RSA Security, Microsoft, Sun, IBM, Novell, and Motorola

The Security+ exam is designed to cover a broad range of security topics categorized into five areas or domains:

1. General Security Concepts – 30%

2. Communication Security – 20%

3. Infrastructure Security – 20%

4. Basics of Cryptography – 15%

5. Operational and Organizational Security – 15%

27

Surveying Information Security Careers

Information security is one of the fastest growing career fields

As information attacks increase, companies are becoming more aware of their vulnerabilities and are looking for ways to reduce their risks and liabilities

28

Surveying Information Security Careers

Sometimes divided into three general roles:

Security manager develops corporate security plans and policies, provides education and awareness, and communicates with executive management about security issues

Security engineer designs, builds, and tests security solutions to meet policies and address business needs

Security administrator configures and maintains security solutions to ensure proper service levels and availability

29

Summary

The challenge of keeping computers secure is becoming increasingly difficult

Attacks can be launched without human intervention and infect millions of computers in a few hours

Information security protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures

30

Summary (continued)

Information security has its own set of terminology

A threat is an event or an action that can defeat security measures and result in a loss

CompTIA has been working to advance the growth of the IT industry and those individuals working within it

CompTIA is the world’s largest developer of vendor-neutral IT certification exams