Chapter 1-Introduction to Information Security L1-Introduction.pdf
# Principles of Information Security, Fifth Edition

## Chapter 1: Introduction to Information Security

### Lesson 1 - Introduction

**Learning Objectives:**

- Define information security
- Recount the history of computer security and how it evolved into information security

### Introduction

Information security is a "well-informed sense of assurance that the information risks and controls are in balance." -Jim Anderson, Emagined Security, Inc.

Security professionals must review the origins of this field to understand its impact on our understanding of information security today.

## The History of Information Security

Computer security began immediately after the first mainframes were developed.

- Groups developing code-breaking computations during World War II created the first modern computers.
- Multiple levels of security were implemented.
  - Physical controls limiting access to sensitive military locations to authorized personnel
  - Rudimentary in defending against physical theft, espionage, and sabotage

| Date | Document |
|---|---|
| 1968 | Maurice Wilkes discusses password security in Time-Sharing Computer Systems. |
| 1970 | Willis H. Ware authors the report Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security-RAND Report R-609, which was not declassified until 1979. It became known as the seminal work identifying the need for computer security. |
| 1973 | Schell, Downey, and Popek examine the need for additional security in military systems in Preliminary Notes on the Design of Secure Military Computer Systems. |
| 1975 | The Federal Information Processing Standards (FIPS) examines DES (Digital Encryption Standard) in the Federal Register. |
| 1978 | Bisbey and Hollingworth publish their study "Protection Analysis: Final Report," which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software. |
| 1979 | Morris and Thompson author "Password Security: A Case History," published in the Communications of the Association for Computing Machinery (ACM). The paper examined the design history of a password security scheme on a remotely accessed, time-sharing system. |
| 1979 | Dennis Ritchie publishes "On the Security of UNIX" and "Protection of Data File Contents," which discussed secure user IDs, secure group IDs, and the problems inherent in the systems. |
| 1982 | The U.S. Department of Defense Computer Security Evaluation Center publishes the first version of the Trusted Computer Security (TCSEC) documents, which came to be known as the Rainbow Series. |
| 1984 | Grampp and Morris write "The UNIX System: UNIX Operating System Security." In this report, the authors examined four "important handles to computer security": physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security. |
| 1984 | Reeds and Weinberger publish "File Security and the UNIX System Crypt Command." Their premise was: "No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the system administrator or other privileged users... the naive user has no chance." |
| 1992 | Researchers for the Internet Engineering Task Force, working at the Naval Research Laboratory, develop the Simple Internet Protocol Plus (SIPP) Security protocols, creating what is now known as IPSEC security. |

### The 1960s

The Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications.

Larry Roberts developed the ARPANET from its inception.

### The 1970s and 80s

The ARPANET grew in popularity, as did its potential for misuse.

Fundamental problems with ARPANET security were identified.

- No safety procedures for dial-up connections to ARPANET
- Nonexistent user identification and authorization to the system

Information security began with Rand Report R-609 (the paper that started the study of computer security and identified the role of management and policy issues in it).

The scope of computer security grew from physical security to include:

- Securing the data
- Limiting random and unauthorized access to data
- Involving personnel from multiple levels of the organization in information security

![Computer network vulnerabilities from Rand Report R-609](./images/network_vulnerabilities.jpg)

_Figure 1-4 Illustration of computer network vulnerabilities from Rand Report R-609_

### MULTICS

The early focus of computer security research centered on a system called Multiplexed Information and Computing Service (MULTICS).

It was the first operating system created with security integrated into core functions.

The mainframe, time-sharing OS was developed in the mid-1960s by General Electric (GE), Bell Labs, and Massachusetts Institute of Technology (MIT).

Several MULTICS key players created UNIX.

- Primary purpose of UNIX was text processing.

Late 1970s: The microprocessor expanded computing capabilities and security threats.

### The 1990s

Networks of computers became more common, as did the need to connect them to each other.

The Internet became the first global network of networks.

Initially, network connections were based on de facto standards.

In early Internet deployments, security was treated as a low priority.

In 1993, the DEFCON conference was established for those interested in information security.

### 2000 to Present

The Internet brings millions of unsecured computer networks into continuous communication with each other.

The ability to secure a computer's data is influenced by the security of every computer to which it is connected.

The growing threat of cyber attacks has increased awareness of the need for improved security.

- Nation-states engaging in information warfare

### What Is Security?

"A state of being secure and free from danger or harm; the actions taken to make someone or something secure."

A successful organization should have multiple layers of security in place to protect:

- Operations
- Physical infrastructure
- People
- Functions
- Communications
- Information

### What Is Security? (cont'd)

- The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
- Includes information security management, data security, and network security

**C.I.A. triangle**

- Is a standard based on confidentiality, integrity, and availability, now viewed as inadequate.
- Expanded model consists of a list of critical characteristics of information.

![Components of information security](./images/infosec_components.jpg)

_Figure 1-5 Components of information security_

![CIA triangle](./images/cia_triangle.jpg)

_Figure 1-6 The C.I.A. triangle_

### Key Information Security Concepts

- Access
- Asset
- Attack
- Control, safeguard, or countermeasure
- Exploit
- Exposure
- Loss
- Protection profile or security posture
- Risk
- Subjects and objects
- Threat
- Threat agent
- Vulnerability

![Key concepts in information security](./images/infosec_concepts.jpg)

_Figure 1-7 Key concepts in information security_

### Key Information Security Concepts (cont'd)

A computer can be the subject of an attack and/or the object of an attack.

- When the subject of an attack, the computer is used as an active tool to conduct the attack.
- When the object of an attack, the computer is the entity being attacked.