Information Security Chapter 1


Transcript of Information Security Chapter 1

8/10/2019 Information Security Chapter 1

1/44

BlueCrest College
Information Security (BIT 327)
Chapter 1
Introduction to Information Security
[email protected]
0201849384

2/44

Learning Objectives

Understand what information security is and how it came to mean what it does today.
Comprehend the history of computer security and how it evolved into information security.
Understand the key terms and critical concepts of information security as presented in the chapter.
Outline the phases of the security systems development life cycle.
Understand the role of the professionals involved in information security in an organizational structure.
Understand the business need for information security.
Understand that a successful information security program is the responsibility of an organization's general management and IT management.
Understand some of the threats posed to information security and the more common attacks associated with those threats.

4/44

The History of Information Security

Computer security began immediately after the first mainframes were developed.
Physical controls were needed to limit access to sensitive military locations to authorized personnel.
Only rudimentary controls were available to defend against physical theft, espionage, and sabotage.

5/44

The 1960s

The Department of Defense's Advanced Research Projects Agency (ARPA) began examining the feasibility of redundant networked communications.

7/44

The 1970s and 80s

ARPANET grew in popularity, as did its potential for misuse.
Fundamental problems with ARPANET security were identified:
No safety procedures for dial-up connections to the ARPANET
User identification and authorization to the system were non-existent
In the late 1970s the microprocessor expanded computing capabilities, and with them the security threats.

8/44

R-609: The Start of the Study of Computer Security

Information security began with Rand Report R-609.
The scope of computer security grew from physical security to include:
Safety of the data
Limiting unauthorized access to that data
Involvement of personnel from multiple levels of the organization

9/44

The 1990s

As networks of computers became more common, so too did the need to interconnect the networks.
This resulted in the Internet, the first manifestation of a global network of networks.
In early Internet deployments, security was treated as a low priority.

10/44

The Present

The Internet has brought millions of computer networks into communication with each other, many of them unsecured.
The ability to secure each network is now influenced by the security of every computer to which it is connected.

12/44

Critical Characteristics of Information

The value of information comes from the characteristics it possesses:
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession

13/44

Components of an Information System

An information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organisation.

14/44

Bottom-Up Approach

Security from a grass-roots effort: systems administrators attempt to improve the security of their systems.
Key advantage: the technical expertise of the individual administrators.
Seldom works, as it lacks a number of critical features: participant support and organizational staying power.

15/44

Top-Down Approach

Initiated by upper management, which:
issues policy, procedures, and processes
dictates the goals and expected outcomes of the project
determines who is accountable for each of the required actions
This approach has strong upper management support, a dedicated champion, dedicated funding, clear planning, and the chance to influence organizational culture.
May also involve a formal development strategy referred to as a systems development life cycle.
The top-down approach is the most successful.

17/44

The Systems Development Life Cycle

Information security must be managed in a manner similar to any other major system implemented in the organization.
Using a methodology:
ensures a rigorous process
avoids missing steps
The goal is creating a comprehensive security posture/program.

18/44

The Security Systems Development Life Cycle

The same phases used in the traditional SDLC may be adapted to support the specialized implementation of an IS project:
Investigation
Analysis
Logical design
Physical design
Implementation
Maintenance & change
Identification of specific threats and creation of controls to counter them.
The SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions.

20/44

Investigation

Identifies the process, outcomes, goals, and constraints of the project.
Begins with the enterprise information security policy.
An organizational feasibility analysis is performed.

21/44

Analysis

Documents from the investigation phase are studied.
Analyzes existing security policies or programs, along with documented current threats and associated controls.
Includes analysis of relevant legal issues that could impact the design of the security solution.
The risk management task begins.

23/44

Physical Design

Needed security technology is evaluated, alternatives are generated, and the final design is selected.
At the end of the phase, a feasibility study determines the readiness of the organization for the project.

24/44

Implementation

Security solutions are acquired, tested, implemented, and tested again.
Personnel issues are evaluated; specific training and education programs are conducted.
The entire tested package is presented to management for final approval.

25/44

Maintenance and Change

Perhaps the most important phase, given the ever-changing threat environment.
Often, the reparation and restoration of information is a constant duel with an unseen adversary.
The information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve.

26/44

Professionals Involved in Information Security Within an Organization

Senior Management
Chief Information Officer (CIO)
Senior technology officer
Primarily responsible for advising senior executives on strategic planning
Chief Information Security Officer (CISO)
Primarily responsible for the assessment, management, and implementation of IS in the organization
Usually reports directly to the CIO

27/44

Information Security Project Team

A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users

28/44

Data Ownership

Data owner: responsible for the security and use of a particular set of information.
Data custodian: responsible for the storage, maintenance, and protection of information.
Data users: end users who work with information to perform their daily jobs, supporting the mission of the organization.

29/44

How Can Information Security Be Achieved?

Information security is achieved by implementing a suitable set of controls, which could be:
Access to network resources will be granted through a unique user ID and password.
Passwords will be 8 characters long.
Passwords should include one non-alpha character and not be found in a dictionary.
These controls need to be established in order to ensure that the specific security objectives of the organization are met.
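The three password controls on this slide are the kind that get encoded in a provisioning or self-service system. The following is an added example, not code from the slides or the course, that checks a candidate password against them. It reads "8 characters long" as a minimum length, uses a small constructed word list in place of a real dictionary file, and goes one step beyond the slide's literal rule by also rejecting a dictionary word padded with leading or trailing digits or symbols; all three choices are assumptions.

```python
import string

# Constructed sample word list standing in for a real dictionary file
# (assumption: a deployment would load something like /usr/share/dict/words).
SAMPLE_DICTIONARY = {"password", "welcome", "letmein", "dragon", "sunshine", "monkey"}

# The slide's control "passwords will be 8 characters long" is read here as a
# minimum length (assumption).
MIN_LENGTH = 8

# Short codes for each control, mapped to the message shown to the user.
REASONS = {
    "length": "must be at least %d characters long" % MIN_LENGTH,
    "non_alpha": "must include at least one non-alphabetic character",
    "dictionary": "must not be a dictionary word, even with digits or symbols added",
}


def dictionary_core(password):
    """Return the part of the password that is tested against the dictionary.

    Leading and trailing digits, punctuation and whitespace are stripped and the
    result lower-cased, so 'Welcome1!' is tested as 'welcome'. This goes slightly
    beyond the slide's literal rule, which only says 'not found in dictionary'.
    """
    return password.strip(string.digits + string.punctuation + string.whitespace).lower()


def check_password(password, dictionary=SAMPLE_DICTIONARY):
    """Return the list of violated control codes (empty list = policy satisfied)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    if all(ch.isalpha() for ch in password):
        violations.append("non_alpha")
    if dictionary_core(password) in dictionary:
        violations.append("dictionary")
    return violations


def is_compliant(password, dictionary=SAMPLE_DICTIONARY):
    """Convenience wrapper: True when no control is violated."""
    return not check_password(password, dictionary)


def explain(password, dictionary=SAMPLE_DICTIONARY):
    """Human-readable messages for each violated control."""
    return [REASONS[code] for code in check_password(password, dictionary)]


if __name__ == "__main__":
    for candidate in ["password", "Welcome1!", "short1", "Tr0ub4dor&3"]:
        verdict = explain(candidate)
        print("%-12s -> %s" % (candidate, "OK" if not verdict else "; ".join(verdict)))
```

Returning control codes rather than a bare yes/no lets the calling system tell the user exactly which control failed, which is what a control like this needs in order to be followed rather than worked around. The dictionary test is deliberately simple: it does not catch letter-for-digit substitutions such as "p4ssw0rd", so a real deployment would pair it with a larger list.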

30/44

What is Information Security?

The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorised acquisition, damage, disclosure, manipulation, modification, loss, or use is information security.
or
It means protecting information and information systems from unauthorised access, use, disclosure, modification or destruction.
or
Implementing suitable controls (policies, practices, procedures, organisational structures, software, etc.) to secure information for any information user.

31/44

The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Necessary tools: policy, awareness, training, education, technology.
The C.I.A. triangle was the standard, based on confidentiality, integrity, and availability.
The C.I.A. triangle has now been expanded into a list of critical characteristics of information.

32/44

Information Security Goals

Confidentiality: making sure that those who should not see the information cannot see it.
Integrity: making sure the information has not been changed from how it was intended to be.
Availability: making sure the information is available for use when needed.
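The integrity goal above is stated as an outcome; the following added example (not from the slides) shows one mechanism that delivers it, a keyed tag computed with HMAC-SHA256 from Python's standard library. The key, the sample record and the tampering are constructed for the demonstration. It also contrasts the keyed tag with an unkeyed hash, a distinction the slide does not draw: a hash stored next to the record detects accidental corruption, but whoever can change the record can recompute it, so deliberate modification needs a secret the modifier does not hold.

```python
import hashlib
import hmac
import secrets


def make_tag(key, record):
    """HMAC-SHA256 tag over the record bytes under a secret key (hex string)."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def verify(key, record, tag):
    """True only if `record` is byte-for-byte what was tagged under `key`.

    hmac.compare_digest compares in constant time, so a wrong tag does not
    leak how many leading characters matched.
    """
    return hmac.compare_digest(make_tag(key, record), tag)


def unkeyed_digest(record):
    """Plain SHA-256: catches accidental corruption, but anyone who can change
    the record can recompute it, so it does not stop deliberate modification."""
    return hashlib.sha256(record).hexdigest()


def verify_unkeyed(record, digest):
    """Verifier that trusts a digest stored alongside the record."""
    return hmac.compare_digest(unkeyed_digest(record), digest)


def demo(key=None):
    """Tag a constructed record, then try to pass off a modified copy.

    Returns (keyed_ok_before, keyed_ok_after_tampering, unkeyed_ok_after_tampering).
    """
    key = key or secrets.token_bytes(32)       # constructed key; real ones live in a key store
    record = b"account=1234;balance=100"        # constructed sample record
    tag = make_tag(key, record)

    keyed_ok_before = verify(key, record, tag)

    tampered = record.replace(b"balance=100", b"balance=900")
    keyed_ok_after = verify(key, tampered, tag)  # False: the tag no longer matches

    # Modifier rewrites the record AND the co-located unkeyed digest: passes.
    forged_digest = unkeyed_digest(tampered)
    unkeyed_ok_after = verify_unkeyed(tampered, forged_digest)

    return keyed_ok_before, keyed_ok_after, unkeyed_ok_after


if __name__ == "__main__":
    before, after, forged = demo()
    print("keyed tag accepts original record:  ", before)
    print("keyed tag accepts tampered record:  ", after)
    print("unkeyed digest accepts tampered copy:", forged)
```

Note what the keyed tag does and does not give you: the record is still readable by anyone, so this is integrity without confidentiality, which is exactly the separation the three goals on the slide are meant to make.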

33/44

Figure: the security goals triangle (Confidentiality, Integrity, Availability).

34/44

Securing Components

A computer can be the subject of an attack and/or the object of an attack.
When the subject of an attack, the computer is used as an active tool to conduct the attack.
When the object of an attack, the computer is the entity being attacked.

36/44

Balancing Security and Access

37/44

Balancing Information Security and Access

It is impossible to obtain perfect security: it is a process, not an absolute.
Security should be considered a balance between protection and availability.
To achieve balance, the level of security must allow reasonable access, yet protect against threats.

38/44

The Need for Information Security

Business needs first
Technology needs last
Information security performs three important functions for an organization:
Protects the organization's ability to function
Communities of interest must argue for information security in terms of impact and cost
Enables the safe operation of applications implemented on the organization's IT systems
Organizations must create integrated, efficient, and capable applications
Organizations need environments that safeguard applications
Protects the data the organization collects and uses

39/44

Protects the data the organization collects and uses
One of the most valuable assets is data.
Without data, an organization loses its record of transactions and/or its ability to deliver value to its customers.
An effective information security program is essential to the protection of the integrity and value of the organization's data.
Technology needs
Safeguards the technological assets in use at the organization.
Organizations must have secure infrastructure services based on the size and scope of the enterprise.

40/44

Areas of Information System Security

Data security
Computer security
LAN or network security
Internet security

41/44

Major Threats & Issues

Basic threats:
Theft of passwords
E-mail based threats
E-mail based extortion
Launch of malicious code (trojans)
Corporate threats:

42/44

Web defacement
Corporate espionage
Website-based launch of malicious code
Cheating and fraud
Exchange of criminal ideas and tools
Cyber harassment
Forged websites
Online threats:
E-mail spamming
Theft of software and electronic records
Cyber stalking
E-mail bombing
Denial of service attacks

43/44

Protecting Your Computer and Network

Physical security:
Securing desktop computers
Securing laptops/notebooks/handheld computers
Securing the network
Software security:
Protect against Internet intruders with firewalls and IDS
Protect against viruses and other malware
Protect against spyware and adware
Protect against unwanted e-mail

44/44

General Spam Protection Practices

Do not give out your e-mail address indiscriminately.
Leave your e-mail signature line blank if you post to a newsgroup.
Do not reply to junk messages.
Do not open obvious spam mails.
Report to the appropriate person: the systems administrator.