Information Security History


Questions and Answers

What is the primary focus when considering security in today's interconnected computer networks?

  • Securing a computer's data based on the security of every computer it connects to. (correct)
  • Limiting the number of devices connected to a single network.
  • Restricting network access to authorized personnel only.
  • Prioritizing physical security measures over digital safeguards.

Why is it crucial for security professionals to understand the origins and history of information security?

  • To predict future cyber threats with certainty.
  • To impress clients with historical anecdotes.
  • To replicate past security measures without modification.
  • To gain insight into the current impact and evolution of information security. (correct)

Which of the following best describes the state of security in the 1990s regarding the Internet?

  • Security was based on a well-defined set of formal standards.
  • Security protocols were universally adopted, preventing widespread misuse.
  • Security was the highest priority due to the interconnected nature of networks.
  • Security was generally treated as a low priority in early deployments. (correct)

In the context of information security, why is the concept of balance crucial?

To find the equilibrium between protection and accessibility. (D)

What was a key characteristic of computer security implementation during World War II?

Implementation of multiple layers of security. (B)

What is the significance of the Rand Report R-609 in the history of information security?

It initiated the formal study of computer security. (C)

What distinguishes the 'bottom-up' approach to information security implementation?

It relies heavily on the technical expertise of systems administrators. (A)

Which of the following best describes the role of a Chief Information Security Officer (CISO)?

Assessing, managing, and implementing information security within the organization. (B)

Which of the following represents a key element that expanded the scope of computer security beyond physical security in the 1970s and 80s?

Limiting unauthorized access to data and ensuring its safety. (C)

Which of the following actions is most aligned with the 'Implementation' phase of the Systems Development Life Cycle (SDLC)?

Creating needed software and testing ordered components. (A)

What role did Larry Roberts play in the evolution of computer networks?

He developed ARPANET from its initial conception. (D)

During which phase of the Security Systems Development Life Cycle (SecSDLC) are blueprints developed and incident response plans created?

Logical Design (D)

What is a primary objective of the 'Investigation' phase in the Systems Development Life Cycle (SDLC)?

Identifying the problem the system is being developed to solve. (A)

In the context of information security, what does the concept of 'attack' involve?

An action that exploits a vulnerability in a system to compromise its security. (C)

Which characteristic of information is primarily compromised when data is altered in an unauthorized manner?

Accuracy (C)

What is the primary goal of 'physical security' within a comprehensive security strategy?

To secure tangible assets and facilities from threats. (D)

Why is 'Maintenance and Change' considered the most important phase in the Security Systems Development Life Cycle (SecSDLC)?

Because it adapts to the ever-changing threat environment. (A)

Which of the following best describes the concept of 'security as a social science'?

Examining how human behavior influences system security. (D)

Which of the following scenarios highlights the importance of 'possession' as a critical characteristic of information?

Maintaining sole control over sensitive data. (B)

In an information system (IS), what role do 'Procedures' play?

They provide a set of instructions for a specific task. (A)

What is the main disadvantage of the bottom-up approach?

Limited participant support and organizational staying power. (B)

What is the meaning of 'nonrepudiation'?

The ability to prove that a message was sent and received, preventing the sender from denying having sent it. (C)

What does the term 'Exploit' refer to in the world of information security?

A tool or technique used to take advantage of a vulnerability. (D)

Which of the following is the initial step in the Security Systems Development Life Cycle (SecSDLC)?

Investigation. (C)

In the context of information security, how can a computer be considered a 'subject' of an attack?

It is used as the active tool to conduct the attack itself. (D)

How did the focus of computer security change in the 1970s and 1980s compared to earlier times?

Shifted from physical security to include the safety of electronic data. (C)

What is the significance of the MULTICS project in the history of information security?

It was one of the first operating systems designed with security as a primary goal. (B)

Within the context of information security, what does the term 'asset' typically refer to?

The hardware, software, data, or systems that hold value. (A)

In the Systems Development Life Cycle (SDLC), what occurs during the 'Analysis' phase?

Determining what the new system is expected to do and how it will interact with existing systems. (A)

What is the primary purpose of performing a feasibility analysis at the end of the Logical Design phase in the Security Systems Development Life Cycle (SecSDLC)?

To determine whether the project should be continued or outsourced. (C)

What is Jim Anderson's description of information security?

A well-informed sense of assurance that information risks and controls are in balance. (B)

Which of the following correctly describes the purpose of policies within information security?

To define rules, expectations, and processes in place to protect information assets. (B)

What was the main purpose of ARPANET at its inception?

To examine the feasibility of redundant networked communications. (B)

Which of the following is an example of a 'control' or 'countermeasure' in the context of information security?

A security awareness training program for employees. (D)

What does the concept of 'Communities of Interest' refer to in the context of information security?

Individuals who share similar values in an organization. (D)

What is a characteristic of the top-down approach?

Most successful and dictates policy, procedures, and processes. (D)

What is a characteristic of the bottom-up approach?

Relies heavily on the technical initiative of individual administrators. (B)

Flashcards

Information Security

A well-informed sense of assurance that information risks and controls are balanced.

What is Security?

The protection of information and its critical elements, ensuring that systems and hardware are used securely.

Information System (IS)

The components of an information system: software, hardware, data, people, procedures and networks.

Logical Design: Business Need

The main factor in logical design for the SDLC.

End of System's Life

When current systems can no longer support an organization's mission, these actions are taken.

Chief Information Officer (CIO)

A senior management role responsible for advising senior executives on strategic planning.

Chief Information Security Officer (CISO)

A senior management role primarily responsible for the assessment, management, and implementation of information security in an organization.

InfoSec Project Team

Individuals experienced in technical and nontechnical areas.

Exploit

The action that takes advantage of a vulnerability.

Attack

An act that has the potential to cause loss, damage, or destruction.

Security Vulnerability

A potential weakness in an asset or control.

Investigation

First part of the SDLC process; defines the problem the system will solve.

Methodology

A formal approach to solving logical problems.

Last for product ...

What is useful life?

Is Information Security an Art or a Science?

Information security requires skills from art, science and social science.

Rudimentary Security

Defense against physical theft, espionage and sabotage.

Mailing Tapes

Original communication was done how?

De Facto Standards

The early Internet was initially based on what?

Larry Roberts

Developed ARPANET from its inception.

Interconnected Security

The ability to secure a computer's data is influenced by this.

Rand Report R-609

This paper started the study of computer security.

MULTICS

Early focus of computer security.

Traditional SDLC

What does SDLC stand for?

The Security Systems Development Life Cycle.

The definition of SecSDLC.

Data Owner

Who is responsible for the security and use of a particular set of information within an organization?

Reasonable access

What kind of access is needed while still protecting against threats?

De Facto Standards

What standards was it based on?

Study Notes

Introduction to Information Security

  • Information security is described as a "well-informed sense of assurance that the information risks and controls are in balance".
  • Jim Anderson of Inovant created this definition of information security in 2002.
  • Security professionals must understand the history of information security and how it shapes our current understanding.

The History of Information Security

  • Computer security immediately followed the development of mainframes.
  • Code-breaking computations were an early use.
  • World War II saw multiple levels of security implemented.
  • Early security implementations were rudimentary, using physical controls.
  • The focus was physical theft, espionage, and sabotage.

The 1960s

  • Mailing tapes were used for original communication.
  • The Advanced Research Project Agency (ARPA) was created.
  • The agency examined the feasibility of redundant networked communications.
  • Larry Roberts developed ARPANET from its inception.
  • The ARPANET plan included linking computers, resource sharing and linking of 17 computer research centers with a cost of $3.4M.
  • ARPANET is a predecessor to the Internet.

The 1970s and 80s

  • ARPANET grew in popularity, which increased the potential for misuse.
  • There were fundamental problems with ARPANET security.
  • Individual remote sites were not secure from unauthorized users.
  • There were vulnerabilities in the password structure and formats.
  • There were no safety procedures for dial-up connections to ARPANET.
  • User identification and authorization to the system were non-existent.
  • Paper R-609, otherwise known as the Rand Report, started the study of computer security, which gave birth to current practices.
  • The scope of computer security grew beyond physical security.
  • It evolved to include the safety of data, limiting unauthorized access to data, and the involvement of personnel from multiple levels of an organization.

MULTICS

  • An early focus of computer security research resulted in a system called the Multiplexed Information and Computing Service (MULTICS).
  • It was the first operating system created with security as its primary goal.
  • A mainframe, time-sharing OS developed in the mid-1960s by GE, Bell Labs, and MIT.
  • Several MULTICS key players went on to create UNIX.
  • In the late 1970s, the microprocessor expanded computing capabilities, reducing mainframe presence while expanding security threats.

The 1990s

  • Networks of computers became more common.
  • The need to interconnect networks grew.
  • The Internet became the first manifestation of a global network of networks.
  • The Internet was initially based on de facto standards.
  • In early Internet deployments, security was treated as a low priority.

2000 to Present

  • Millions of computer networks communicate.
  • Many of the communications are unsecured.
  • The ability to secure a computer’s data is influenced by the security of every computer to which it is connected.
  • A growing threat of cyber attacks has increased the need for improved security.

What is Security?

  • The quality or state of being secure, or freedom from danger.
  • A successful organization should have multiple layers of security in place.
  • These include physical, personal, operations, communications, network, and information security.
  • Information security is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
  • Necessary tools include policy, awareness, training, education, and technology.
  • The CIA triangle consists of confidentiality, integrity, and availability.
  • The critical characteristics of information have since expanded.

Key Information Security Concepts

  • Access: A subject's ability to interact with an object.
  • Asset: The organizational resource that is being protected.
  • Attack: An act, intentional or unintentional, that may damage or compromise assets.
  • Control, Safeguard, or Countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and improve security within an organization.
  • Exploit: A technique to compromise a system.
  • Exposure: Exists when a vulnerability is known to an attacker.

Key Information Security Concepts: Computer Attacks

  • Computers can be either the subject or the object of an attack.
  • A computer is the subject of an attack when it is used as an active tool to conduct the attack.
  • A computer is the object of an attack when it is the entity being attacked.

Critical Characteristics of Information

  • The value of information comes from its characteristics.
  • Availability, accuracy, authenticity, confidentiality, integrity, utility, and possession must be considered.

Components of an Information System

  • Information system (IS) constitutes the entire set of components which includes software, hardware, data, people, procedures and networks necessary to use information as a resource in the organization.

Balancing Information Security and Access

  • It is impossible to obtain perfect security.
  • Security is a process, not an absolute.
  • Security should be considered a balance between protection and availability.
  • There has to be reasonable access while protecting against threats.

Approaches to Information Security Implementation: Bottom-Up Approach

  • A grassroots effort driven by systems administrators.
  • The key advantage is the technical expertise of individual administrators.
  • It seldom works and lacks a number of critical features.
  • There is a lack of participant support and organizational staying power.

Approaches to Information Security Implementation: Top-Down Approach

  • The top-down approach is initiated by upper management.
  • Upper management issues policy, procedures, and processes.
  • It dictates the goals and expected outcomes of the project and determines accountability for each required action.
  • Top-down is the most successful approach to InfoSec implementation.
  • It involves a formal development strategy and a systems development life cycle.

The Systems Development Life Cycle - SDLC

  • The SDLC is a methodology for the design and implementation of an information system: a formal approach to problem solving based on a structured sequence of procedures.
  • Using a methodology ensures a rigorous process and increases the probability of success.
  • The traditional SDLC consists of six general phases.

Investigation - SDLC Phase

  • The investigation phase answers the question: What problem is the system being developed to solve?
  • The objectives, constraints, and scope of the project are specified.
  • A preliminary cost-benefit analysis is developed during this phase.
  • A feasibility analysis assessing economic, technical, and behavioral feasibility is completed at the end.

Analysis - SDLC Phase

  • The analysis phase assesses the organization, its current systems, and its capability to support the proposed systems.
  • Determine what the new system is expected to do.
  • Determine how it will interact with existing systems.
  • The analysis phase ends with documentation.

Logical Design - SDLC Phase

  • The main factor in logical design is business need, which dictates that applications capable of providing the needed services are selected.
  • Necessary data support and structures are identified.
  • Technologies to implement the physical solution are determined.
  • A feasibility analysis is performed at the end.

Physical Design - SDLC Phase

  • Technologies to support the alternatives identified and evaluated in the logical design are selected.
  • Components are evaluated on a make-or-buy decision.
  • A feasibility analysis is performed.
  • The entire solution is then presented to end-user representatives for approval.

Implementation - SDLC Phase

  • Needed software is created.
  • Components are ordered, received, and tested.
  • Users are trained and documentation is created.
  • A feasibility analysis is prepared.
  • Users are presented with the system for performance review and acceptance testing.

Maintenance and Change - SDLC Phase

  • The longest and most expensive phase.
  • Necessary for support and modification of the system.
  • Lasts for the product's useful life.
  • The life cycle continues.
  • The process begins again from the investigation phase.
  • When the current system can no longer support the organization's mission, a new project is implemented.

Security Systems Development Life Cycle

  • Has the same phases as the traditional SDLC, but they are adapted to support the implementation of an IS project.
  • Identifies specific threats and creates controls to counter them.
  • The SecSDLC is a coherent program in which actions are not random or unconnected.

Investigation - SecSDLC

  • Identifies process, outcomes, goals, and constraints of the project.
  • Begins with Enterprise Information Security Policy (EISP).
  • Organizational feasibility analysis is performed.

Analysis - SecSDLC

  • Documents from investigation phase are studied.
  • Analysis of existing security policies or programs.
  • Analysis of documented current threats and associated controls.
  • Analysis of relevant legal issues that could impact design of the security solution.
  • Risk management task begins.

Logical Design - SecSDLC

  • Creates and develops blueprints for information security.
  • Incident response actions planned.
  • Considers continuity planning, incident response, and disaster recovery.
  • Feasibility analysis to determine whether project should be continued or outsourced.

Physical Design - SecSDLC

  • Needed security technology is evaluated.
  • Alternatives are generated.
  • The final design is selected.
  • At the end of the phase, a feasibility study determines the readiness of the organization for the project.

Implementation - SecSDLC

  • Security solutions are acquired, tested, implemented, and tested again.
  • Personnel issues are evaluated and specific training and education programs are conducted.
  • The entire tested package is presented to management for final approval.

Maintenance and Change - SecSDLC

  • Perhaps the most important phase given the ever-changing threat environment.
  • Often, repairing damage and restoring information is a constant duel with an unseen adversary.
  • Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve.

Security Professionals and the Organization

  • A wide range of professionals is required to support a diverse information security program.
  • Senior management is a key component.
  • Additional administrative support and technical expertise are required to implement the details of the IS program.

Senior Management

  • Chief Information Officer (CIO): Senior technology officer primarily responsible for advising senior executives on strategic planning.
  • Chief Information Security Officer (CISO): Primarily responsible for assessment, management, and implementation of IS in the organization, usually reports directly to the CIO.

Information Security Project Team

  • A number of individuals who are experienced in one or more facets of required technical and nontechnical areas.
  • The team could consist of: Champion, Team leader, Security policy developers, Risk assessment specialists, Security professionals, Systems administrators and End users.

Data Responsibilities

  • Data owner: responsible for the security and use of a particular set of information.
  • Data custodian: responsible for storage, maintenance, and protection of information.
  • Data users: end users who work with information to perform their daily jobs supporting the mission of the organization.

Communities of Interest

  • Group of individuals united by similar interests/values within an organization.
  • This could include Information security management professionals, information technology management and professionals, or organizational management and professionals.

Is Information Security an Art or a Science?

  • The implementation of information security is often described as a combination of art and science.
  • The "security artisan" idea is based on the way individuals have perceived systems technologists since computers became commonplace.

Security as Art

  • There are no hard and fast rules, nor many universally accepted complete solutions.
  • There is no manual for implementing security through an entire system.

Security as Science

  • Deals with technology designed to operate at high levels of performance.
  • Specific conditions cause virtually all actions that occur in computer systems.
  • Nearly every fault, security hole, and system malfunction is a result of the interaction of specific hardware and software.
  • If developers had sufficient time, they could resolve and eliminate faults.

Security as a Social Science

  • Social science examines the behavior of individuals interacting with systems.
  • Security begins and ends with the people that interact with the system.
  • Security administrators can greatly reduce levels of risk caused by end users, and create more acceptable and supportable security profiles.
