Ch2 Introduction to Information Security (3).pdf

Chapter 2
Introduction to Information
Security

Learning Objectives:
Upon completion of this chapter you should be
able to:
– Understand what information security is and how it
came to mean what it does today.
– Comprehend the history of computer security and how
it evolved into information security.
– Understand the key terms and critical concepts of
information security as presented in the chapter.
– Outline the phases of the security systems
development life cycle.
– Understand the role professionals involved in
information security in an organizational structure.

What Is Information Security?
Information security in today’s enterprise
is a “well-informed sense of assurance
that the information risks and controls are
in balance.” –Jim Anderson, Inovant (2002)

The History Of Information
Security
 Computer security began immediately after the first
mainframes were developed.
 Groups developing code-breaking computations during
World War II created the first modern computers
 Physical controls were needed to limit access to
authorized personnel to sensitive military locations
 Only rudimentary controls were available to defend
against physical theft, espionage, and sabotage

The 1960s
Department of Defense’s Advanced
Research Project Agency (ARPA) began
examining the feasibility of a redundant
networked communications.
Larry Roberts developed the project from
its inception.
Objectives: develop networking and
resource sharing

The 1970s and 80s
 ARPANET grew in popularity as did its potential
for misuse
 Fundamental problems with ARPANET security
were identified
– No safety procedures for dial-up connections to the
ARPANET
– User identification and authorization to the system
were non-existent
 In the late 1970s the microprocessor expanded
computing capabilities and security threats

The Start of the Study of Computer
Security
Information Security began with Rand
Report R-609
The scope of computer security grew from
physical security to include:
– Safety of the data
– Limiting unauthorized access to that data
– Involvement of personnel from multiple levels
of the organization

The 1990s
Networks of computers became more
common, so too did the need to interconnect
the networks.
Resulted in the Internet, the first manifestation
of a global network of networks.
In early Internet deployments, security was
treated as a low priority.

The Present
The Internet has brought millions of
computer networks into communication
with each other – many of them
unsecured.
Ability to secure each now influenced by
the security on every computer to which it
is connected.

What Is Security?
 “The quality or state of being secure--to be
free from danger”
 To be protected from adversaries
 A successful organization should have multiple
layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security

What Is Information Security?
 The protection of information and its critical
elements, including the systems and hardware
that use, store, and transmit that information
 Tools, such as policy, awareness, training,
education, and technology are necessary
 The C.I.A. triangle was the standard based on
confidentiality, integrity, and availability
 The C.I.A. triangle has expanded into a list of
critical characteristics of information

Critical Characteristics Of
Information
The value of information comes from the
characteristics it possesses.
– Availability
– Accuracy
– Authenticity
– Confidentiality
– Integrity
– Utility
– Possession

Components of an Information
System
 To fully understand the importance of information
security, you need to know the elements of an
information system.
 An Information System (IS) is much more than
computer hardware; it is the entire set of software,
hardware, data, people, and procedures
necessary to use information as a resource in the
organization.

Securing the Components
The computer can be either or both the
subject of an attack and/or the object of
an attack
When a computer is
– the subject of an attack, it is used as an
active tool to conduct the attack
– the object of an attack, it is the entity being
attacked

Figure 1-5 – Subject and
Object of Attack

Balancing Security and Access
It is impossible to obtain perfect security -
it is not an absolute; it is a process.
Security should be considered a balance
between protection and availability.
To achieve balance, the level of security
must allow reasonable access, yet protect
against threats.

Security Implementation:
1) Bottom-up Approach
Security from a grass-roots effort - systems
administrators attempt to improve the
security of their systems.
Key advantage - technical expertise of the
individual administrators.
Seldom works, as it lacks a number of
critical features:
– participant support
– organizational staying power

Figure 1-7 – Approaches to
Security Implementation

2) Top-down Approach
 Initiated by upper management:
– issue policy, procedures, and processes
– dictate the goals and expected outcomes of the project
– determine who is accountable for each of the required
actions
 This approach has strong upper management support,
a dedicated champion, dedicated funding, clear
planning, and the chance to influence organizational
culture
 May also involve a formal development strategy
referred to as a systems development life cycle
– Most successful top-down approach

The Systems Development
Life Cycle
Information security must be managed in a
manner similar to any other major system
implemented in the organization.
Using a methodology
– ensures a rigorous process
– avoids missing steps
The goal is creating a comprehensive
security posture/program

Figure 1-8 – SDLC Waterfall
Methodology

SDLC and the SecSDLC
The SecSDLC may be
– event-driven - started in response to some
occurrences or
– plan-driven - as a result of a carefully developed
implementation strategy
At the end of each phase comes a structured
review

1) Investigation
What is the problem the system is being
developed to solve?
– The objectives, constraints, and scope of the
project are specified
– A preliminary cost/benefit analysis is
developed
– A feasibility analysis is performed to assess
the economic, technical, and behavioral
feasibilities of the process

2) Analysis
 Consists primarily of
– assessments of the organization
– the status of current systems
– capability to support the proposed systems
 Analysts begin to determine
– what the new system is expected to do
– how the new system will interact with existing systems
 Ends with the documentation of the findings and
a feasibility analysis update

3) Logical Design
 Based on business need, applications are
selected capable of providing needed services
 Based on applications needed, data support and
structures capable of providing the needed inputs
are identified
 Finally, based on all of the above, select specific
ways to implement the physical solution are
chosen
 At the end, another feasibility analysis is
performed

4) Physical Design
Specific technologies are selected to
support the alternatives identified and
evaluated in the logical design.
Selected components are evaluated based
on a make-or-buy decision.
Entire solution is presented to the end-user
representatives for approval.

5) Implementation
Components are ordered, received,
assembled, and tested
Users are trained and documentation
created
Users are then presented with the system
for a performance review and acceptance
test

6) Maintenance and Change
Tasks necessary to support and modify the
system for the remainder of its useful life.
The life cycle continues until the process
begins again from the investigation phase.
When the current system can no longer
support the mission of the organization, a
new project is implemented.

Security Systems Development Life
Cycle (SecSDLC)
The same phases used in the traditional
SDLC adapted to support the specialized
implementation of a security project
Basic process is identification of threats
and controls to counter them
The SecSDLC is a coherent program
rather than a series of random, seemingly
unconnected actions

1) Investigation
Identifies process, outcomes and goals of
the project, and constraints
Begins with a statement of program
security policy
Teams are organized, problems analyzed,
and scope defined, including objectives,
and constraints not covered in the program
policy
An organizational feasibility analysis is
performed

2) Analysis
Analysis of existing security policies or
programs, along with documented current
threats and associated controls.
Includes an analysis of relevant legal
issues that could impact the design of the
security solution.
The risk management task (identifying,
assessing, and evaluating the levels of
risk) also begins.

3) Logical & Physical Design
 Creates blueprints for security
 Critical planning and feasibility analyses to
determine whether or not the project should
continue
 In physical design, security technology is
evaluated, alternatives generated, and final
design selected
 At end of phase, feasibility study determines
readiness so all parties involved have a chance
to approve the project

4) Implementation
The security solutions are acquired (made
or bought), tested, and implemented, and
tested again.
Personnel issues are evaluated and
specific training and education programs
conducted.
Finally, the entire tested package is
presented to upper management for final
approval.

5) Maintenance and Change
The maintenance and change phase is
perhaps most important, given the high
level of ingenuity in today’s threats.
The reparation and restoration of
information is a constant duel with an
often unseen adversary.
As new threats emerge and old threats
evolve, the information security profile of
an organization requires constant
adaptation.

Security Professionals and the
Organization
It takes a wide range of professionals to
support a diverse information security
program.
To develop and execute specific security
policies and procedures, additional
administrative support and technical
expertise is required.

Senior Management
 Chief Information Officer (CIO)
– the senior technology officer
– primarily responsible for advising the senior
executive(s) for strategic planning
 Chief Information Security Officer(CISO)
– responsible for the assessment, management, and
implementation of securing the information in the
organization
– may also be referred to as the Manager for Security,
the Security Administrator, or a similar title

Security Project Team
A number of individuals who are experienced in
one or multiple requirements of both the
technical and non-technical areas:
– The team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users

Data Ownership
Data Owner - responsible for the security
and use of a particular set of information
Data Custodian - responsible for the
storage, maintenance, and protection of
the information.
Data Users - the end systems users who
work with the information to perform their
daily jobs supporting the mission of the
organization.

Information Security: Is it an
Art or a Science?
With the level of complexity in today’s
information systems, the implementation
of information security has often been
described as a combination of art and
science.

Ch2 Introduction to Information Security (3).pdf

More Related Content

Similar to Ch2 Introduction to Information Security (3).pdf

Recently uploaded

Ch2 Introduction to Information Security (3).pdf