8/10/2019 Information Security Chapter 1
1/44
BlueCrest College
Information Security (BIT 327)
Chapter 1
Introduction to Information Security
0201849384
Learning Objectives
Understand what information security is and how it came to mean what it does today.
Comprehend the history of computer security and how it evolved into information security.
Understand the key terms and critical concepts of information security as presented in the chapter.
Outline the phases of the security systems development life cycle.
Understand the roles of the professionals involved in information security in an organizational structure.
Understand the business need for information security.
Understand that a successful information security program is the responsibility of an organization's general management and IT management.
Understand some of the threats posed to information security and the more common attacks associated with those threats.
The History of Information Security
Computer security began immediately after the first mainframes were developed
Physical controls were needed to limit access to sensitive military locations to authorized personnel
Only rudimentary controls were available to defend against physical theft, espionage, and sabotage
The 1960s
The Department of Defense's Advanced Research Projects Agency (ARPA) began examining the feasibility of redundant networked communications
The 1970s and 80s
ARPANET grew in popularity, as did its potential for misuse
Fundamental problems with ARPANET security were identified:
No safety procedures for dial-up connections to the ARPANET
User identification and authorization to the system were non-existent
In the late 1970s the microprocessor expanded computing capabilities and security threats
R-609: The Start of the Study of Computer Security
Information security began with Rand Report R-609
The scope of computer security grew from physical security to include:
Safety of the data
Limiting unauthorized access to that data
Involvement of personnel from multiple levels of the organization
The 1990s
As networks of computers became more common, so too did the need to interconnect the networks
This resulted in the Internet, the first manifestation of a global network of networks
In early Internet deployments, security was treated as a low priority
The Present
The Internet has brought millions of computer networks into communication with each other, many of them unsecured
The ability to secure each network is now influenced by the security of every computer to which it is connected
Critical Characteristics of Information
The value of information comes from the
characteristics it possesses:
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession
Components of an Information System
An information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organisation
Bottom-Up Approach
Security from a grass-roots effort - systems administrators attempt to improve the security of their systems
Key advantage - the technical expertise of the individual administrators
Seldom works, as it lacks a number of critical features:
participant support
organizational staying power
Top-Down Approach
Initiated by upper management:
issue policy, procedures, and processes
dictate the goals and expected outcomes of the project
determine who is accountable for each of the required actions
This approach has strong upper management support, a dedicated champion, dedicated funding, clear planning, and the chance to influence organizational culture
May also involve a formal development strategy referred to as a systems development life cycle
The top-down approach is the most successful
The Systems Development Life Cycle
Information security must be managed in a manner similar to any other major system implemented in the organization
Using a methodology ensures a rigorous process and avoids missing steps
The goal is creating a comprehensive security posture/program
The Security Systems Development Life Cycle
The same phases used in the traditional SDLC may be adapted to support the specialized implementation of an IS project:
Investigation
Analysis
Logical design
Physical design
Implementation
Maintenance and change
Identification of specific threats and creating controls to counter them
The SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions
Investigation
Identifies the process, outcomes, goals, and constraints of the project
Begins with the enterprise information security policy
An organizational feasibility analysis is performed
Analysis
Documents from investigation phase are studied
Analyzes existing security policies or programs,
along with documented current threats and
associated controls
Includes analysis of relevant legal issues that
could impact design of the security solution
The risk management task begins
Physical Design
Needed security technology is evaluated,
alternatives generated, and final design
selected
At end of phase, feasibility study determines
readiness of organization for project
Implementation
Security solutions are acquired, tested, implemented, and tested again
Personnel issues are evaluated; specific training and education programs are conducted
The entire tested package is presented to management for final approval
Maintenance and Change
Perhaps the most important phase, given the ever-changing threat environment
Often, reparation and restoration of information is a constant duel with an unseen adversary
The information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
Professionals involved in information security within an organization
Senior Management
Chief Information Officer (CIO)
Senior technology officer
Primarily responsible for advising senior executives on strategic planning
Chief Information Security Officer (CISO)
Primarily responsible for assessment, management, and implementation of IS in the organization
Usually reports directly to the CIO
Information Security Project Team
A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users
Data Ownership
Data owner: responsible for the security and
use of a particular set of information
Data custodian: responsible for storage,
maintenance, and protection of information
Data users: end users who work with
information to perform their daily jobs
supporting the mission of the organization
How Can Information Security Be Achieved
Information security is achieved by implementing a suitable set of controls, which could be:
Access to network resources will be granted through a unique user ID and password
Passwords will be 8 characters long
Passwords should include one non-alpha character and not be found in a dictionary
These controls need to be established in order to ensure that the specific security objectives of the organization are met.
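The three controls on this slide can be written down as a check that a system actually enforces. The Python program below is an added example for this course material, not code from the slides: it encodes the three rules and also refuses a duplicate user ID at registration. Two points are assumptions the slide does not state: the 8-character rule is treated as a minimum length, and "not found in dictionary" is read as a case-insensitive match against a small word list constructed here (DICTIONARY); a real deployment would load a full word list. The names password_violations, is_compliant, hash_password, register_user and verify_login are this example's own. Passwords are stored as a salted PBKDF2 hash rather than in clear text, a choice the slide does not discuss.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample dictionary for the "not found in dictionary" rule.
# A real deployment would load a full word list instead.
DICTIONARY = frozenset({
    "password", "welcome", "letmein", "qwerty", "football",
    "sunshine", "princess", "dragon", "monkey", "baseball",
})

MIN_LENGTH = 8  # the slide's "8 characters long", read here as a minimum (assumption)


def password_violations(password: str, dictionary=DICTIONARY) -> List[str]:
    """Return every policy rule the password breaks; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    # all() over an empty string is True, so "" is flagged here too, which is correct
    if all(ch.isalpha() for ch in password):
        violations.append("contains no non-alphabetic character")
    # Case-insensitive exact match against the word list (assumption)
    if password.lower() in dictionary:
        violations.append("found in dictionary")
    return violations


def is_compliant(password: str, dictionary=DICTIONARY) -> bool:
    return not password_violations(password, dictionary)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the clear-text password is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def register_user(registry: Dict[str, Tuple[bytes, bytes]], user_id: str, password: str) -> None:
    """Create an account only if the user ID is unique and the password passes the policy."""
    if user_id in registry:
        raise ValueError(f"user ID {user_id!r} already exists")
    problems = password_violations(password)
    if problems:
        raise ValueError(f"password rejected: {'; '.join(problems)}")
    registry[user_id] = hash_password(password)


def verify_login(registry: Dict[str, Tuple[bytes, bytes]], user_id: str, password: str) -> bool:
    """Grant access only when the ID exists and the password hashes to the stored digest."""
    entry = registry.get(user_id)
    if entry is None:
        return False
    salt, stored = entry
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


if __name__ == "__main__":
    # Constructed candidates: two dictionary words, one too short, one compliant
    for candidate in ["sunshine", "Football", "abc1", "tr0ub4dor&3"]:
        problems = password_violations(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
    accounts: Dict[str, Tuple[bytes, bytes]] = {}
    register_user(accounts, "alice", "tr0ub4dor&3")
    print("login alice:", verify_login(accounts, "alice", "tr0ub4dor&3"))
    try:
        register_user(accounts, "alice", "tr0ub4dor&3")
    except ValueError as err:
        print("second registration refused:", err)
```

The checker returns every broken rule rather than a single pass/fail, so a user who is rejected can be told exactly which of the stated controls failed; the registry keeps only the salt and digest, so the "unique user ID and password" control is enforced without the password itself ever being written to storage.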
What is Information Security?
The concepts, techniques, technical measures, and
administrative measures used to protect information assets
from deliberate or inadvertent unauthorised acquisition,
damage, disclosure, manipulation, modification, loss, or use is
information security.
or
means protecting information and information systems from
unauthorised access, use, disclosure, modification or
destruction.
or
Implementing suitable controls - policies, practices,
procedures, organisational structures, software, etc, to
secure information for any information user.
The protection of information and its critical
elements, including systems and hardware
that use, store, and transmit that information
Necessary tools: policy, awareness, training,
education, technology
The C.I.A. triangle was the standard, based on confidentiality, integrity, and availability
The C.I.A. triangle has now expanded into a list of critical characteristics of information
Information Security Goals
Confidentiality - making sure that those who should not see the information cannot see it.
Integrity - making sure the information has not been changed from how it was intended to be.
Availability - making sure the information is available for use when needed.
[Figure: Security Goals triangle with Confidentiality, Integrity, and Availability at its corners]
Securing Components
Computer can be subject of an attack and/or the
object of an attack
When the subject of an attack, computer is used as an
active tool to conduct attack
When the object of an attack, computer is the entity
being attacked
Balancing security and access
Balancing Information Security and Access
It is impossible to obtain perfect security; it is a process, not an absolute
Security should be considered a balance between protection and availability
To achieve balance, the level of security must allow reasonable access, yet protect against threats
The Need for Information Security
Business Needs First, Technology Needs Last
Information security performs three important functions for an organization:
Protects the organization's ability to function
Communities of interest must argue for information security in terms of impact and cost
Enables the safe operation of applications implemented on the organization's IT systems
Organizations must create integrated, efficient, and capable applications
Organizations need environments that safeguard applications
Protects the data the organization collects and uses
One of the most valuable assets is data
Without data, an organization loses its record of transactions and/or its ability to deliver value to its customers
An effective information security program is essential to the protection of the integrity and value of the organization's data
Technology Needs
Safeguards the technological assets in use at the organization
Organizations must have secure infrastructure services based on the size and scope of the enterprise
Areas of Information System Security
Data security
Computer security
LAN or Network security
Internet security
Major Threats & Issues
Basic Threats
Theft of password
E-mail based threats
E-mail based extortion
Launch of malicious codes (trojans)
Corporate threats
Web defacement
Corporate espionage
Website-based launch of malicious code
Cheating and fraud
Exchange of criminal ideas and tools
Cyber harassment
Forged websites
Online threats
E-mail spamming
Theft of software and electronic records
Cyber stalking
E-mail bombing
Denial of service attacks
Protecting your computer and network
Physical security
Securing desktop computers
Securing laptops/notebooks/handheld computers
Securing the network
Software security
Protect against Internet intruders with firewalls and IDS
Protect against viruses and other malware
Protect against spyware and adware
Protect against unwanted email
General spam protection practices
Do not give out your email address indiscriminately
Leave your email signature line blank if you post to a newsgroup
Do not reply to junk messages
Do not open obvious spam mails
Report to the appropriate person, such as the systems administrator