SEC 250
WEEK 1
AGENDA
INTRODUCTIONS
THIS COURSE
In this introductory course, we will discuss and explore security topics, vulnerabilities, targets, risks, methods to exploit vulnerabilities and means to secure systems.
Also, don’t sweat it if you’re not familiar with terms! As we progress through this course, we’ll pick them up as we move forward.
WITH THAT …
What do we “know” about computer & network security?
RECENT SECURITY EVENTS
Data Breaches,
Malware attacks,
Software vulnerabilities,
Social engineering,
Emerging technologies,
Examples:
Targeted advertising (Malvertising?),
Voting machines.
FROM THE BOOK …
What is Security?
Security is protecting what you or others have. This same idea applies to entities like government departments, agencies, companies, institutes, and so on, irrespective of their size or function.
The security of not only physical assets but of non-physical assets as well is important and necessary. Some of these non-physical assets include confidential information and data; intellectual property; research data with the potential of high value realization and high investment; and the security of your customers or end users when at your facility or while using your systems. The security of installations with high defense or strategic value, like nuclear installations, nuclear sources, chemical and biological laboratories, and areas with high-level political and administrative dignitaries, is of significance.
“JOE SPEAK”™
What is Security?
Knowledge, techniques, tools, methods and persistence to protect stuff you and/or others place value upon based on risk, priority and means.
SCENARIO
What are the security concerns if someone finds/steals/borrows your ID card?
How could the system be improved so even if someone has your ID card, they can’t use it effectively?
Why isn’t such a system in place?
THE ECONOMICS OF SECURITY
Security costs money, but does not generate profit.
Some examples -
CAN YOU “NOT CARE” ABOUT SECURITY?
Um … no!
What are the risks?
SECURITY CAMERAS – PRO/CON
Are security cameras a positive?
SECURITY: DAY-TO-DAY LIFE
Airport TSA: non-existent before 2001
Shopping online started ~ 1995
How many of you do $$ transactions on their phone?
What will security look like 10 years from now?
SECURITY FACTORS
What is the primary factor in “weak security”?
Yep, it’s us humans!
HOW IS SECURITY IMPLEMENTED?
Some examples of ways to secure:
TWO MAJOR APPROACHES
Things to live by …
1) Limit access to only those who need it
2) Transform data so it is only readable to those who need it.
DEFENSE-IN-DEPTH
Just like modern life … Information Systems (ISs) have become increasingly complex, comprising multiple components/protocols operating at multiple layers/levels of technology.
Security has become increasingly complex as vulnerabilities have been discovered for all layers of an Information System.
Thus, all layers/devices/communications need to be secured.
DEFENSE IN DEPTH
A multi-layered defense that will allow us to still mount a successful defense should one or more of our defensive measures fail.
QUICK EVOLUTION OF COMPUTER & INFO SECURITY
1950s-60s: Physical Security, & protect the mainframe
Mid-1960s: Multi-user timesharing systems developed. Multiple users sharing the same hardware and OS. Protection was put in so that data was only seen by the right user.
1969: ARPANET/Internet
1973: UNIX written in C with TCP/IP included
NETWORKS - PCS
Mid 70s – 80s: PCs/LANs, WANs: most proprietary except the Internet
Until the mid-1990s: EDU campuses only had a few machines connected to the Internet
Viruses were starting to be an issue, but were transported on floppy disks rather than over the network.
WWW
INFORMATION SECURITY
Information security is meant to protect information and information systems from unauthorized users accessing, using, modifying, or destroying the information.
TOOLS, STANDARDS, GUIDELINES
Various tools are developed daily to combat the compromise of information security.
Several standards and guidelines have been implemented to reduce the propensity for information security breaches.
We’ll explore them throughout this course.
WHAT DOES SECURITY INCLUDE?
Information security also extends to aspects like hardware and infrastructure, the operating system, networks, applications, software systems, utilities, and tools.
Other important contributors (favorable or adverse) to the field of information security are human beings, particularly employees, contractors, system providers, hackers*.
INFORMATION SECURITY TODAY
Information is anything that is communicated in any form.
Any compromise of information can have a significant impact on the parties involved, including the loss of reputation, finances, or other consequences.
Pro Tip: All forms of technology are under attack.
STATISTICS RE: SMARTPHONES
“The Norton Report3 (for 2013), now in its fourth year, is an annual research study, commissioned by Symantec, which examines consumers’ online behaviors, attitudes, security habits, and the dangers and financial cost of cybercrime.” The Norton Report highlights the following information3:
Consumers are more mobile than ever, but are leaving security behind. Despite the fact that 63% of those surveyed own smartphones and 30% own tablets, nearly one out of two users don’t take basic precautions such as using passwords, having security software, or backing up files on their mobile device.
Cybercrime continues to be a growing global concern. Both the total global direct cost of cybercrime (US $113 billion; up from $110 billion) and the average cost per victim of cybercrime ($298; up from $197) increased this year.
As people are now constantly connected, the lines are blurring between their personal and work lives, across multiple devices and storage solutions. Nearly half (49%) of the respondents report using their personal devices (PCs, laptops, smartphones, tablets) for work-related activities.
SCENARIO: IS THE SECURITY ADEQUATE?
A hospital provides the security required by its vendor in order to satisfy government regulations. Records were kept on a server, secured with passwords and firewalls.
Later, hospital records are compromised and an attacker gets away with a list of hospital patients and their current medications. It was discovered that a former employee worked at another hospital using the same application. There was a flaw in the application that allowed her to access the records of the previous hospital as well.
What’s the potential damage?
Who is liable?
GROUP ACTIVITY - CIA
Confidentiality – roughly equivalent to privacy. Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it:
Integrity – involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit.
Availability – for any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.
Someone has your student ID card. Which of these is affected and how?
WHERE CAN WE LEARN MORE?
Just some Applicable Standards and Certifications
REVIEW & WRAP UP
As we can see, the very term ‘security’ conjures up many facets with many perspectives.
We’ll start digging deeper each week, exploring further.
To cyber means to dig deep & stretch yourself, while loving the process along the way! >:)