60304756 whitman-ch01-1
Date posted: 22-Oct-2014
Category: Technology
Transcript of 60304756 whitman-ch01-1
Principles of Information Security, 3rd Edition 2
Learning Objectives

Upon completion of this material, you should be able to:
Define information security
Relate the history of computer security and how it evolved into information security
Define key terms and critical concepts of information security as presented in this chapter
Discuss the phases of the security systems development life cycle
Present the roles of professionals involved in information security within an organization
What is Security?
Security is "the quality or state of being secure, to be free from danger", or protection against an adversary.
A successful organization should have multiple layers of security in place:
Physical security
Personal security
Operations security
Communications security
Network security
Information security
What is Security? (continued)

Information security is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information (the CNSS/NSTISSC definition).
The tools necessary to protect it: policy, awareness, training, education, and technology.
The CNSS (formerly NSTISSC) model evolved from the C.I.A. triangle, the industry standard for computer security since the mainframe era, based on confidentiality, integrity, and availability.
The C.I.A. triangle alone no longer adequately addresses the constantly changing environment, so it has been expanded into a list of critical characteristics of information.
Critical Characteristics of Information

The value of information comes from the characteristics it possesses; when a characteristic changes, the value of the information changes, upward or downward.
Availability: authorized users can access the information without interference or obstruction and receive it in the required format. Example: a research library, where a patron with valid identification is given the material in the specified form.
Accuracy: the information is free from mistakes or errors and has the value the end user expects. Example: a bank account balance that contains an error.
Authenticity: the quality or state of being genuine or original; information is authentic when it is in the same state in which it was created, placed, stored, or transferred. Attacks on authenticity: spoofing and phishing.
Confidentiality: the information is protected from disclosure or exposure to unauthorized individuals or systems. Measures used to protect confidentiality:
Information classification
Secure document storage
Application of general security policies
Education of information custodians and end users
Example of a breach: salami theft, taking information a small piece at a time so the loss goes unnoticed
Integrity: the information is whole, complete, and uncorrupted. Threats: viruses and worms that alter file contents (a changed file size is one indicator), and noise that corrupts data in transmission. Protections: file hashing (an algorithm computes a hash value that is later recomputed and compared against the stored value) and error-correcting codes.
Utility: the information has value when it can serve a purpose and is presented in a meaningful format.
Possession: the quality or state of having ownership or control of the information.
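The file-hashing protection mentioned under Integrity, and the Authenticity characteristic above it, are easy to confuse, so here is an added example (not part of the textbook or these slides) that shows the difference in working code. The sample record, the forged edit and the key are constructed for the demonstration; SHA-256 and HMAC come from Python's standard library. The example goes one step beyond the slide: it shows that an unkeyed hash detects noise and tampering only if the stored hash is trusted, and that a keyed hash (HMAC) is what actually supports authenticity.

```python
"""Integrity via file hashing, and why an unkeyed hash alone does not give
authenticity. Added example; the data, the forgery and the key are constructed."""
import hashlib
import hmac

# Constructed sample content standing in for a stored file.
ORIGINAL = b"Account 1001 balance: 2500.00\nAccount 1002 balance: 130.25\n"

# Constructed key; in practice it lives in a secret store, never beside the data.
KEY = b"demo-key-do-not-use-in-production"


def digest(data: bytes) -> str:
    """Unkeyed hash. Recomputing it and comparing with a trusted copy detects
    accidental corruption (noise) and unauthorized modification (viruses)."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    """Integrity check: does the current content still match the recorded digest?"""
    return hmac.compare_digest(digest(data), expected_digest)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a transmission error or tampering by flipping a single bit."""
    corrupted = bytearray(data)
    corrupted[byte_index] ^= 1 << bit
    return bytes(corrupted)


def tag(data: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256). Only a holder of the key can produce a valid
    tag, so a matching tag shows the data is genuine as well as unmodified."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authentic_ok(data: bytes, expected_tag: str, key: bytes) -> bool:
    """Authenticity check: constant-time comparison of the recomputed tag."""
    return hmac.compare_digest(tag(data, key), expected_tag)


def attacker_rewrites(data: bytes) -> tuple[bytes, str]:
    """An attacker who can edit the file can also recompute an unkeyed digest.
    Returns the forged content together with its fresh, self-consistent digest."""
    forged = data.replace(b"130.25", b"9130.25")
    return forged, digest(forged)


def demo() -> dict[str, bool]:
    """Run the checks the slide motivates and return each outcome (all True)."""
    recorded_digest = digest(ORIGINAL)
    recorded_tag = tag(ORIGINAL, KEY)

    noisy = flip_bit(ORIGINAL, 0, 5)  # one-bit error in the first byte
    forged, forged_digest = attacker_rewrites(ORIGINAL)

    return {
        # Unmodified content passes the integrity check.
        "original_intact": integrity_ok(ORIGINAL, recorded_digest),
        # A single flipped bit changes the whole digest.
        "noise_detected": not integrity_ok(noisy, recorded_digest),
        # An integrity-only check is fooled when the attacker ships a new digest.
        "forgery_passes_integrity_only": integrity_ok(forged, forged_digest),
        # The keyed tag cannot be recomputed without the key, so the forgery fails.
        "forgery_fails_authenticity": not authentic_ok(forged, recorded_tag, KEY),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The practical point: a hash stored next to the file it protects only buys integrity against accidents and against attackers who cannot reach the hash; to make the hash evidence of authenticity, either key it (HMAC, as here), sign it, or keep the reference digests somewhere the attacker cannot write.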
Figure 1-4 – NSTISSC Security Model
Components of an Information System
An information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization.
Securing Components
A computer can be the subject of an attack and/or the object of an attack.
When it is the subject of an attack, the computer is used as an active tool to conduct the attack.
When it is the object of an attack, the computer is the entity being attacked.
Attacks can be direct (a hacker uses a personal computer to break into a system) or indirect (a compromised system is used to attack other systems).
Figure 1-5 – Subject and Object of Attack
Balancing Information Security and Access
Impossible to obtain perfect security—it is a process, not an absolute
Security should be considered balance between protection and availability
To achieve balance, level of security must allow reasonable access, yet protect against threats
Figure 1-6 – Balancing Security and Access
Approaches to Information Security Implementation: Bottom-Up Approach
Grassroots effort: systems administrators attempt to improve security of their systems
Key advantage: technical expertise of individual administrators
Seldom works, as it lacks a number of critical features:
Participant support
Organizational staying power
Approaches to Information Security Implementation: Top-Down Approach
Initiated by upper management
Issue policy, procedures, and processes
Dictate goals and expected outcomes of project
Determine accountability for each required action
The most successful efforts also involve a formal development strategy referred to as the systems development life cycle (SDLC)
Securing the System Development Life Cycle

Each phase of the SDLC should consider the security of the system being assembled as well as the information it uses.
Whether the system is custom-made or commercial off-the-shelf (COTS), the organization must ensure security is built in.
The organization may use a general SDLC or a tailored one; NIST recommends a set of IT security steps for each phase.
Securing the System Development Life Cycle (continued)

Investigation/Analysis Phase:
Security categorization: rates the system as low, moderate, or high impact based on the information it processes; the category assists in selecting appropriate security controls.
Preliminary risk assessment: defines the threat environment in which the system will operate.
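The slide says the categorization drives control selection but not how the level is arrived at. The following added example (not from the slides or the textbook) applies the high-water-mark rule used by NIST FIPS 199 and FIPS 200, which the slide does not name: each information type a system handles is rated low, moderate or high for confidentiality, integrity and availability; the system's level for each objective is the highest rating among its information types, and the overall category is the highest of those three. The information types and ratings below are constructed.

```python
"""Security categorization of a system by the high-water-mark rule.
Added example; the information types and their ratings are constructed."""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One kind of information a system handles, with its impact rating per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        # Reject ratings outside the three-level scale early, before they can be compared.
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in RANK:
                raise ValueError(f"{self.name}: {objective} rating {level!r} not in {LEVELS}")


def high_water_mark(levels: list[str]) -> str:
    """Return the highest impact level in the list."""
    return max(levels, key=RANK.__getitem__)


def system_category(info_types: list[InfoType]) -> tuple[dict[str, str], str]:
    """Categorize a system: per-objective levels and the overall (highest) category.

    The overall category is what the control baseline is selected against, which is
    why a single high-impact information type raises the bar for the whole system."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    per_objective = {
        objective: high_water_mark([getattr(t, objective) for t in info_types])
        for objective in OBJECTIVES
    }
    return per_objective, high_water_mark(list(per_objective.values()))


def drivers(info_types: list[InfoType], objective: str) -> list[str]:
    """Names of the information types that set the system level for an objective
    (useful when deciding whether such a type should live in a separate system)."""
    top = high_water_mark([getattr(t, objective) for t in info_types])
    return [t.name for t in info_types if getattr(t, objective) == top]


# Constructed example: a customer-facing portal holding three kinds of information.
PORTAL = [
    InfoType("public web content", "low", "moderate", "moderate"),
    InfoType("customer account records", "high", "moderate", "low"),
    InfoType("payroll extract", "moderate", "high", "low"),
]

if __name__ == "__main__":
    levels, overall = system_category(PORTAL)
    print(levels, "->", overall)
    print("confidentiality driven by:", drivers(PORTAL, "confidentiality"))
```

In the constructed portal, the account records alone push confidentiality to high and the payroll extract alone pushes integrity to high, so the whole system is categorized high and must be protected to that baseline; `drivers` shows which information type is responsible, which is the usual starting point for the argument that it should be moved into its own, separately categorized system.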
Securing the System Development Life Cycle (continued)

Logical/Physical Design Phase:
Risk assessment: builds on the initial risk assessment but is more in-depth and specific.
Security functional requirements analysis: analyzes the system security environment (such as policy and applicable laws) and the security functional requirements.
Security assurance requirements analysis: identifies the development activities required and the evidence needed to produce the desired level of confidence that the information security will work correctly and effectively.
Cost considerations and reporting: determines how much of the development cost can be attributed to security over the life cycle, covering software, hardware, and personnel.
Securing the System Development Life Cycle (continued)

Security planning: ensures that the agreed-upon security controls are fully documented, in plans such as the configuration management (CM) plan, the contingency plan, and the incident response plan.
Security control development: ensures that the security controls described in the security plan are designed, developed, and implemented.
Securing the System Development Life Cycle (continued)

Developmental security test and evaluation: tests the controls as implemented; some controls cannot be tested until the system is deployed.
Other planning components: ensures that all necessary components of the development process are considered, such as the contract type, the participation of all functional groups, and the certifier.
Securing the System Development Life Cycle (continued)

Implementation Phase:
Inspection and acceptance: verifies and validates that the functionality described in the specification is present in the deliverables.
System integration: ensures the system is integrated at its operational site and that its integrity is maintained in the deployment environment.
Security certification: uncovers vulnerabilities and ensures that the controls are implemented effectively, through established verification techniques and procedures.
Security accreditation: provides the authorization for the information system to process, store, and transmit information; granted by a senior official.
Securing the System Development Life Cycle (continued)

Maintenance and Change Phase:
Configuration management (CM) and control: ensures adequate consideration of the potential security impact when changes are made to the system.
Continuous monitoring: ensures that the controls continue to be effective through periodic testing and evaluation.
Information preservation: ensures that information is retained as necessary to conform to current legal requirements and to accommodate future technology changes.
Media sanitization: ensures that unwanted data is deleted, erased, and overwritten as necessary.
Hardware and software disposal: ensures that hardware and software are disposed of as directed.
Senior Management

Chief Information Officer (CIO)
Senior technology officer
Primarily responsible for advising senior executives on strategic planning
Chief Information Security Officer (CISO), or information security manager
Primarily responsible for the assessment, management, and implementation of information security in the organization
Usually reports directly to the CIO
Information Security Project Team

A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
Champion: a senior executive who promotes the project and ensures its support, both financially and administratively
Team leader: a project manager who understands project management, personnel management, and the technical requirements of information security
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users
Data Ownership
Data owner: responsible for the security and use of a particular set of information
Data custodian: responsible for storage, maintenance, and protection of information
Data users: end users who work with information to perform their daily jobs supporting the mission of the organization
Communities of Interest

A group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization meet its objectives:
Information security management and professionals: focus on protecting the organization's information from attack
Information technology management and professionals: focus on cost, performance, and ease of use of systems
Organizational management and professionals (the users, and the subjects of security): focus on execution, production, human resources, and the rest of the business
Information Security: Is it an Art or a Science?
Implementation of information security often described as combination of art and science
The "security artisan" idea is based on the way individuals have perceived systems technologists since computers became commonplace
Security as Art

Example: a painter, who works from skill and judgment rather than a fixed procedure
No hard and fast rules, nor many universally accepted complete solutions
No manual for implementing security through an entire system
Security as Science
Dealing with technology designed to operate at high levels of performance
Specific conditions cause virtually all actions that occur in computer systems
Nearly every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software
If developers had sufficient time, they could resolve and eliminate faults
Security as a Social Science
Social science examines the behavior of individuals interacting with systems
Security begins and ends with the people that interact with the system
Security administrators can greatly reduce levels of risk caused by end users, and create more acceptable and supportable security profiles
Summary
Information security is a “well-informed sense of assurance that the information risks and controls are in balance”
Computer security began immediately after first mainframes were developed
Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information
Summary (continued)
Security should be considered a balance between protection and availability
Information security must be managed similarly to any major system implemented in an organization using a methodology like SecSDLC
Implementation of information security often described as a combination of art and science