Lecture 1 - Introduction to Information Security PDF

Document Details


Uploaded by EruditeVorticism1110

University of Sharjah

Dr. Saddaf Rubab

Tags

information security management, information security, computer security, cybersecurity

Summary

This lecture provides an introduction to information security management. It covers various aspects of information security, including different layers of security, the three main components of information security – confidentiality, integrity, and availability – and the different types of authentication techniques.

Full Transcript


LECTURE 1 – INTRODUCTION TO INFORMATION SECURITY
1502373 - INFORMATION SECURITY MANAGEMENT, SPRING 2024-25
Dr. Saddaf Rubab, M5 - 220, [email protected]

INTRODUCTION TO INFORMATION SECURITY MANAGEMENT
"Do not figure on opponents not attacking; worry about your own lack of preparation." (Book of the Five Rings)

INFORMATION SECURITY MANAGEMENT
You can have all the protection mechanisms in place and still have security problems. For real-life examples of breaches caused by insiders, see https://www.ekransystem.com/en/blog/real-life-examples-insider-threat-caused-breaches

EARLY FORMS OF INFORMATION SECURITY
Figure 1-1: The Enigma (Source: Courtesy of National Security Agency)

THE 1990S
- Networks of computers became more common; so too did the need to interconnect networks
- The Internet became the first manifestation of a global network of networks
- In early Internet deployments, security was treated as a low priority

2000 TO PRESENT
- The Internet brings millions of computer networks into communication with each other, many of them unsecured
- The ability to secure a computer's data is influenced by the security of every computer to which it is connected
- The growing threat of cyber attacks has increased the need for improved security

INFORMATION
"Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected." (BS ISO 27002:2005)

INFORMATION CAN BE
- Created
- Stored
- Stored electronically
- Printed or written on paper
- Processed
- Displayed
- Displayed / published on the web
- Shown on corporate videos
- Transmitted
- Transmitted by post or using electronic means
- Used (for proper or improper purposes)
- Stolen
- Corrupted
- Lost
- Destroyed
"... Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected." (BS ISO 27002:2005)

WHAT IS SECURITY?
A successful organization should have multiple layers of security in place:
- Physical security
- Personnel security
- Operations security
- Communications security
- Network security
- Information security
Each of these areas contributes to the information security program as a whole.

WHAT IS INFORMATION SECURITY?
- What is information security?
- How do we achieve information security? Through policy, technology, and training and awareness programs.
The role of information security is to protect an organization's information assets.

COMPONENTS OF AN INFORMATION SYSTEM
An information system (IS) is the entire set of components necessary to use information as a resource in the organization:
- Software
- Hardware
- Data
- People
- Procedures
- Networks
To fully understand the importance of information security, you need to know the elements of an information system.

KEY INFORMATION SECURITY CONCEPTS
- Access
- Asset
- Attack
- Control, safeguard, or countermeasure
- Exploit
- Exposure
- Loss
- Protection profile or security posture
- Risk
- Subjects and objects
- Threat
- Threat agent
- Vulnerability

COMPONENTS OF INFORMATION SECURITY

CONFIDENTIALITY
- Confidentiality of information ensures that only those with sufficient privileges may access certain information
- To protect the confidentiality of information, a number of measures may be used, including:
  - Information classification
  - Secure document storage
  - Application of general security policies
  - Education of information custodians and end users

INTEGRITY
- Integrity is the quality or state of being whole, complete, and uncorrupted
- The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state
- Corruption can occur while information is being compiled, stored, or transmitted

AVAILABILITY
- Availability is making information accessible to users without interference or obstruction, and in the required format
- A user in this definition may be either a person or another computer system
- Availability means availability to authorized users
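The Integrity bullets above say corruption can happen in transit, but not how a receiver would notice. The following is an added example (it is not part of the lecture or the textbook) that shows the difference between two integrity checks on a constructed message: a plain hash catches accidental corruption (a flipped bit) but not a deliberate rewrite, because whoever can change the message can recompute the hash; a keyed MAC (HMAC) catches both, as long as the key stays with the legitimate parties. The message, the shared key and the attacker's guessed key are all constructed for the example.

```python
"""Added example (not from the lecture): detecting loss of integrity in transit.
Compares a plain SHA-256 digest with an HMAC-SHA256 tag against two failure modes:
accidental corruption (a bit flip) and deliberate tampering by an on-path attacker."""
import hashlib
import hmac

# Constructed shared key; in practice it is provisioned to sender and receiver only.
KEY = b"constructed-shared-key-known-to-sender-and-receiver"


def seal_with_hash(message):
    """Sender appends an unkeyed digest (what a checksum or plain hash gives you)."""
    return message, hashlib.sha256(message).hexdigest()


def verify_hash(message, digest):
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def seal_with_hmac(message, key=KEY):
    """Sender appends a keyed tag; only holders of `key` can produce a valid one."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(message, tag, key=KEY):
    # compare_digest avoids leaking where the comparison first differed
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha256).hexdigest(), tag)


def bit_flip(message, index=0):
    """Accidental corruption: one bit of the message flipped in transit."""
    b = bytearray(message)
    b[index] ^= 0x01
    return bytes(b)


def attacker_rewrite_hash(message):
    """Deliberate tampering: the attacker changes the amount and simply recomputes
    the unkeyed digest. No secret is needed, so the forgery verifies."""
    forged = message.replace(b"amount=1000", b"amount=9000")
    return forged, hashlib.sha256(forged).hexdigest()


def attacker_rewrite_hmac(message):
    """Same tampering against the keyed scheme: without KEY the attacker can only
    guess a key, so the recomputed tag will not verify at the receiver."""
    forged = message.replace(b"amount=1000", b"amount=9000")
    return forged, hmac.new(b"attacker-guessed-key", forged, hashlib.sha256).hexdigest()


def scenario():
    """Run every case on a constructed message and report whether each check
    accepted a genuine message and whether it detected each kind of change."""
    msg = b"transfer from=alice to=bob amount=1000"
    m_h, digest = seal_with_hash(msg)
    m_k, tag = seal_with_hmac(msg)
    return {
        "hash_accepts_genuine": verify_hash(m_h, digest),
        "hmac_accepts_genuine": verify_hmac(m_k, tag),
        "hash_detects_bitflip": not verify_hash(bit_flip(m_h), digest),
        "hmac_detects_bitflip": not verify_hmac(bit_flip(m_k), tag),
        "hash_detects_tamper": not verify_hash(*attacker_rewrite_hash(m_h)),
        "hmac_detects_tamper": not verify_hmac(*attacker_rewrite_hmac(m_k)),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:22s} {outcome}")
```

The only line that comes back False is `hash_detects_tamper`: a hash alone is an error-detection control, not a security control, because the adversary is assumed to be able to rewrite everything on the wire. The HMAC turns integrity into a question of key confidentiality, which is why the two properties are usually managed together.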
KEY CONCEPTS OF INFORMATION SECURITY: AUTHENTICATION
- Authentication occurs when a control provides proof that a user possesses the identity that he or she claims
- Authentication deals with verifying the identity of a subject, while access control deals with the ability of a subject (an individual, or a process running on a computer system) to interact with an object (a file or a hardware device)
- Three types (factors) of authentication:
  - Something you know (password)
  - Something you have (token or card)
  - Something you are (biometric)

KEY CONCEPTS OF INFORMATION SECURITY: AUTHORIZATION
- After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset

KEY CONCEPTS OF INFORMATION SECURITY: ACCESS CONTROL VS. AUTHENTICATION
- Authentication proves that you (the subject) are who you say you are
- Access control deals with the ability of a subject to interact with an object
- Once an individual has been authenticated, access controls regulate what the individual can actually do on the system
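The three slides above (Authentication, Authorization, Access Control vs. Authentication) are easiest to see as two separate decisions made in sequence. The code below is an added example, not code from the lecture or the textbook: a small reference monitor that first authenticates a subject with two factors (something you know, a salted PBKDF2 password hash; something you have, an HMAC-based one-time password per RFC 4226 as a hardware token would compute it) and only then consults an access control list to decide what that subject may do to an object. The users, password, token secret and ACL entries are constructed sample data.

```python
"""Added example (not from the lecture): authentication kept separate from access control.
Authentication answers "is this really bob?"; access control answers "may bob update payroll.xlsx?"."""
import hashlib
import hmac
import os
import struct

# --- Authentication: "something you know" + "something you have" -------------------

# Credential store, username -> record. Passwords are kept only as salted PBKDF2
# hashes; the HOTP secret and counter model a hardware token issued to the user.
_CREDENTIALS = {}
_PBKDF2_ROUNDS = 100_000


def enroll(username, password, token_secret):
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    _CREDENTIALS[username] = {"salt": salt, "pw_hash": pw_hash,
                              "token_secret": token_secret, "counter": 0}


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to 31 bits, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authenticate(username, password, token_code):
    """True only if both factors verify. The caller learns nothing beyond pass/fail."""
    rec = _CREDENTIALS.get(username)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], _PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, rec["pw_hash"]):   # constant-time compare
        return False
    # Accept only the next expected token value, then advance the counter so a
    # captured code cannot be replayed.
    expected = hotp(rec["token_secret"], rec["counter"])
    if not hmac.compare_digest(expected.encode(), str(token_code).encode()):
        return False
    rec["counter"] += 1
    return True


# --- Access control: subject x object x action --------------------------------------

# Constructed access control list: object -> {subject: permitted actions}.
_ACL = {
    "payroll.xlsx": {"alice": {"read", "update"}, "bob": {"read"}},
    "backup-server": {"alice": {"read"}},
}


def check_access(subject, obj, action):
    """Authorization decision for an already-authenticated subject.
    Default deny: anything not explicitly granted is refused."""
    return action in _ACL.get(obj, {}).get(subject, set())


def request(username, password, token_code, obj, action):
    """Full flow: authenticate the subject, then let access control decide."""
    if not authenticate(username, password, token_code):
        return "denied: authentication failed"
    if not check_access(username, obj, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    secret = b"constructed-token-secret-for-bob"
    enroll("bob", "correct horse battery staple", secret)
    code = hotp(secret, 0)                       # what bob's token would display first
    print(request("bob", "correct horse battery staple", code, "payroll.xlsx", "read"))
    print(request("bob", "correct horse battery staple", code, "payroll.xlsx", "read"))    # replayed code
    print(request("bob", "correct horse battery staple", hotp(secret, 1), "payroll.xlsx", "update"))
```

Two things the slides state in one sentence each become visible in the output: a replayed token code fails even with the right password (authentication), and a correctly authenticated bob is still refused "update" because the ACL grants him only "read" (access control). Neither decision can stand in for the other.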
KEY CONCEPTS OF INFORMATION SECURITY: ACCOUNTABILITY
- Accountability generates the requirement for the actions of an entity to be traced uniquely to that entity, to support nonrepudiation, deterrence, fault isolation, and similar needs

THE OPERATIONAL MODEL OF COMPUTER SECURITY AND TECHNOLOGIES
- Previous model: Protection = Prevention
- Operational model: Protection = Prevention + (Detection + Response), which includes the operational aspects

SECURING THE COMPONENTS
- The computer can be either or both the subject of an attack and/or the object of an attack
- When a computer is the subject of an attack, it is used as an active tool to conduct the attack
- When a computer is the object of an attack, it is the entity being attacked

CNSS SECURITY MODEL

BALANCING SECURITY AND ACCESS
- Security should be considered a balance between protection and availability
- To achieve balance, the level of security must allow reasonable access, yet protect against threats

AN ONGOING PROCESS
- It is impossible to obtain perfect security: security is not an absolute, it is a process

REFERENCES
- Chapter 01 of Whitman, M. E., & Mattord, H. J. (2017). Principles of Information Security (6th ed.). Cengage Learning. ISBN 9781337102063

CASE STUDY 01
The next day at SLS found everyone in technical support busy restoring computer systems to their former state and installing new virus and worm control software. Amy found herself learning how to re-install desktop computer operating systems and applications as SLS made a heroic effort to recover from the attack of the previous day.

Discussion Questions
1. Do you think this event was caused by an insider or outsider? Explain your answer.
2. Other than installing virus and worm control software, what can SLS do to prepare for the next incident?
3. Do you think this attack was the result of a virus or a worm? Explain your answer.
4. Would it be ethical for Amy to open such a file?
5. If such an e-mail came in, what would be the best action to take?
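The Accountability slide and the operational model (Protection = Prevention + (Detection + Response)) fit together, and they bear directly on discussion question 2. The following is an added example, not material from the lecture or the textbook: an accountability log in which every event names the subject and the source, and a detector that runs over it. In the constructed log every password check held (prevention worked, every guess failed), yet only detection over the audit trail reveals the password-guessing attempt against one account, and the response locks that account and raises an alert that can be traced back to user and source. The syslog-like line format, the field names and the lockout threshold are assumptions of this example.

```python
"""Added example (not from the lecture): detection and response over an audit trail.
Parses constructed login events, detects N failures for one user inside a sliding
time window, and responds by locking the account and recording an alert."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit trail in an assumed format. Each line records the subject
# (user=) and origin (src=) so that an action can be traced to a single entity.
SAMPLE_LOG = """\
2025-02-03T09:00:01 auth: LOGIN_OK user=alice src=10.0.0.5
2025-02-03T09:01:10 auth: LOGIN_FAIL user=bob src=198.51.100.7
2025-02-03T09:01:12 auth: LOGIN_FAIL user=bob src=198.51.100.7
2025-02-03T09:01:15 auth: LOGIN_FAIL user=bob src=198.51.100.7
2025-02-03T09:01:17 auth: LOGIN_FAIL user=bob src=198.51.100.7
2025-02-03T09:01:20 auth: LOGIN_FAIL user=bob src=198.51.100.7
2025-02-03T09:30:00 auth: LOGIN_FAIL user=carol src=10.0.0.9
2025-02-03T10:30:00 auth: LOGIN_FAIL user=carol src=10.0.0.9
2025-02-03T10:31:00 auth: LOGIN_OK user=carol src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw lines into event records; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "event": m["event"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_and_respond(events, threshold=5, window=timedelta(minutes=5)):
    """Detection: `threshold` LOGIN_FAIL events for one user within `window`.
    Response: lock the account once and record an alert naming user and source.
    Returns (set of locked users, list of alert strings)."""
    recent = defaultdict(deque)          # user -> timestamps of failures in the window
    locked = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "LOGIN_FAIL":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in locked:
            locked.add(ev["user"])
            alerts.append(f"{ev['ts'].isoformat()} LOCKOUT user={ev['user']} "
                          f"src={ev['src']} failures={len(q)}")
    return locked, alerts


def run(log_text=SAMPLE_LOG, threshold=5, window_minutes=5):
    return detect_and_respond(parse(log_text), threshold, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    locked, alerts = run()
    print("locked accounts:", sorted(locked))
    for alert in alerts:
        print(alert)
```

Note what the window does: carol's two failures an hour apart are ordinary typing mistakes and never trigger a response, while bob's five failures in ten seconds from one external address do. Without the accountability fields (user, source, timestamp) the detector could neither separate the two cases nor tell an analyst where to look next, which is the practical reason the slide ties accountability to nonrepudiation and fault isolation.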
