Summary

This document is an introduction to information security, outlining the history and key concepts in the field. It covers different eras, from the early days of mainframes to the modern era of cyber threats. It also explains the various layers involved in information security.

Full Transcript

Principles of Information Security, Fourth Edition
Chapter 1: Introduction to Information Security

The History of Information Security
- Began immediately following the development of the first mainframes
- Developed for code-breaking computations during World War II
- Multiple levels of security were implemented
- Primary threats: defending against physical theft, espionage, and sabotage

The 1960s
- Advanced Research Project Agency (ARPA) examined the feasibility of redundant networked communications
- Larry Roberts developed ARPANET from its inception
- Plan: link computers for resource sharing; link 17 Computer Research Centers; cost 3.4M
- ARPANET is the predecessor to the Internet

The 1970s and 80s
- ARPANET grew in popularity, and the potential for misuse grew with it
- Fundamental problems with ARPANET security:
  - Individual remote sites were not secure from unauthorized users
  - Vulnerability of password structure and formats
  - No safety procedures for dial-up connections to ARPANET
  - Non-existent user identification and authorization to the system

The 1970s and 80s (cont'd.)
- Rand Report R-609: the paper that started the study of computer security; information security as we know it began
- Scope of computer security grew from physical security to include:
  - Safety of data
  - Limiting unauthorized access to data
  - Involvement of personnel from multiple levels of an organization

MULTICS
- Early focus of computer security research
- System called Multiplexed Information and Computing Service (MULTICS)
- First operating system created with security as its primary goal
- Several MULTICS key players created UNIX

Late 1970s
- Microprocessor expanded computing capabilities
- Mainframe presence reduced
- Expanded security threats

The 1990s
- Networks of computers became more common; the need to interconnect networks grew
- Internet became the first manifestation of a global network of networks
- In early Internet deployments, security was treated as a low priority

2000 to Present
- Millions of computer networks communicate
- Many of these communications are unsecured and have become more exposed to security threats
- Growing threat of cyber attacks has increased the need for improved security

What is Security?
- "The quality or state of being secure—to be free from danger"
- A successful organization should have multiple layers of security in place:
  - Physical security: to protect the physical items, objects, or areas of an organization from unauthorized access and misuse
  - Personal security: to protect the individual or group of individuals who are authorized to access the organization and its operations
  - Operations security: to protect the details of a particular operation or series of activities
  - Communications security: to protect an organization's communications media, technology, and content
  - Network security: to protect networking components, connections, and contents
  - Information security: to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission

What is Information Security? (cont'd.)
- The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
- Necessary tools: policy, awareness, training, education, technology

Key Information Security Concepts
- Access: a subject or object's ability to use, manipulate, modify, or affect another subject or object
- Asset: the organizational resource that is being protected
- Exposure: a single instance of being open to damage
- Loss: when an organization's information is stolen, it has suffered a loss
- Exploit: to take advantage of weaknesses or vulnerability in a system
- Attack: an act that is an intentional or unintentional attempt to cause damage or compromise to the information and/or the systems that support it
- Control, Safeguard, or Countermeasure: security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization
- Hack: good sense, to use computers or systems for enjoyment; bad sense, to illegally gain access to a computer or system
- Risk: the probability that something can happen
- Security Blueprint: the plan for the implementation of new security measures in the organization
- Security Model: a collection of specific security rules that represents the implementation of a security policy
- Subjects and Objects: an active entity that interacts with an information system and causes information to move through the system for a specific end purpose
- Threat: a category of objects, persons, or other entities that represents a potential danger to an asset
Figure 1-5: Computer as the Subject and Object of an Attack

Key Information Security Concepts (cont'd.)
- Threat Agent: a specific instance or component of a more general threat
- Vulnerability: weaknesses or faults in a system or protection mechanism that expose information to attack or damage

Critical Characteristics of Information
- The value of information comes from the characteristics it possesses:
  - Availability: enables users who need to access information to do so without interference or obstruction and in the required format
  - Accuracy: free from mistake or error and having the value that the end user expects
  - Authenticity: the quality or state of being genuine or original, rather than a reproduction or fabrication
  - Confidentiality: the quality or state of preventing disclosure or exposure to unauthorized individuals or systems
  - Integrity: the quality or state of being whole, complete, and uncorrupted
  - Possession: the quality or state of having ownership or control of some object or item

Components of an Information System
- An information system (IS) is the entire set of components necessary to use information as a resource in the organization:
  - Software
  - Hardware
  - Data
  - People
  - Procedures
  - Networks

Balancing Information Security and Access
- Impossible to obtain perfect security; security is a process, not an absolute
- Security should be considered a balance between protection and availability
- Must allow reasonable access, yet protect against threats

Figure 1-6: Balancing Security and Access
Figure 1-8: Balancing Information Security and Access

Approaches to Information Security Implementation: Bottom-Up Approach
- Grassroots effort driven by systems administrators
- Key advantage: technical expertise of individual administrators
- Seldom works; lacks a number of critical features:
  - Participant support
  - Organizational staying power

Approaches to Information Security Implementation: Top-Down Approach
- Initiated by upper management
- Issue policy, procedures, and processes
- Dictate goals and expected outcomes of the project
- Determine accountability for each required action
- Most successful; involves a formal development strategy (systems development life cycle)

Figure 1-9: Approaches to Information Security Implementation

Security Professionals and the Organization
- Wide range of professionals required to support a diverse information security program
- Senior management is a key component
- Additional administrative support and technical expertise are required to implement the details of the IS program

Senior Management
- Chief Information Officer (CIO): senior technology officer; primarily responsible for advising senior executives on strategic planning
- Chief Information Security Officer (CISO): primarily responsible for assessment, management, and implementation of IS in the organization; usually reports directly to the CIO

Information Security Project Team
- A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
  - Team leader
  - Security policy developers
  - Risk assessment specialists
  - Security professionals
  - Systems administrators
  - End users

Data Responsibilities
- Data owner: responsible for the security and use of a particular set of information
- Data custodian: responsible for storage, maintenance, and protection of information
- Data users: end users who work with information to perform their daily jobs supporting the mission of the organization

Communities of Interest
- Group of individuals united by similar interests/values within an organization:
  - Information security management and professionals
  - Information technology management and professionals
  - Organizational management and professionals
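The Critical Characteristics of Information slides above list integrity and authenticity as separate properties. The added Python example below (not from the textbook or its slides) shows why they differ: an unkeyed hash detects storage corruption but is satisfied by any record whose hash was recomputed, while an HMAC under a secret key rejects any record the key holder did not produce. The record and the key value are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample record and key for the example; not from the textbook.
RECORD = {"account": "ACC-1001", "balance": 2500}
OWNER_KEY = b"example-owner-key-not-a-real-secret"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def integrity_tag(record: dict) -> str:
    """Unkeyed SHA-256: supports the integrity property (detects corruption)."""
    return hashlib.sha256(canonical(record)).hexdigest()


def authenticity_tag(record: dict, key: bytes) -> str:
    """Keyed HMAC-SHA256: supports authenticity (only a key holder can produce it)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def integrity_ok(record: dict, tag: str) -> bool:
    return hmac.compare_digest(integrity_tag(record), tag)


def authenticity_ok(record: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(authenticity_tag(record, key), tag)


def demo() -> dict:
    """Compare both checks against a corrupted record and a re-hashed edit."""
    stored_hash = integrity_tag(RECORD)
    stored_mac = authenticity_tag(RECORD, OWNER_KEY)
    # Case 1: the stored record is corrupted; the tags on file are unchanged.
    corrupted = dict(RECORD, balance=2501)
    # Case 2: the record is edited and its public hash recomputed to match.
    edited = dict(RECORD, balance=999999)
    edited_hash = integrity_tag(edited)
    return {
        "corrupted_integrity": integrity_ok(corrupted, stored_hash),
        "corrupted_authenticity": authenticity_ok(corrupted, stored_mac, OWNER_KEY),
        "edited_integrity": integrity_ok(edited, edited_hash),      # hash alone accepts it
        "edited_authenticity": authenticity_ok(edited, stored_mac, OWNER_KEY),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'pass' if passed else 'FAIL'}")
```

Only the edited record with a recomputed hash passes the integrity check; the HMAC fails for both altered records because neither was produced with the owner's key.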
