CIS 475 Computer Security Module 1 PDF

CIS 475 Computer Security Module 1 Learning Objectives Upon completion of this material, you should be able to: – Define information security – Recount the history of computer security and explain how it evolved into information security – Define key terms and critical concepts of information security – Describe the information security roles of professionals within an organization Introduction “Enterprise information security is a critical business capability that needs to be aligned with corporate expectations and culture that provides the leadership and insight to identify risks and implement effective controls.”—Martin Fisher, IT Security Manager, North side Hospital, Atlanta, Georgia Security professionals must review the origins of this field to understand its impact on our understanding of information security today The History of Information Security Computer security began immediately after the first mainframes were developed – Groups developing code-breaking computations during World War II created the first modern computers. – Multiple levels of security were implemented. Physical controls limiting access to sensitive military locations to authorized personnel Rudimentary in defending against physical theft, espionage, and sabotage The 1960s Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications. Larry Roberts developed the ARPANET from its inception. Figure 1-2 Development of the ARPANET Source. Courtesy of Dr. Lawrence Roberts. Used with permission. The 1970s and 80s (1 of 2) ARPANET grew in popularity, as did its potential for misuse. Fundamental problems with ARPANET security were identified. – No safety procedures for dial-up connections to ARPANET – Nonexistent user identification and authorization to system The 1970s and 80s (2 of 2) Information security began with RAND Report R- 609 (paper that started the study of computer security and identified the role of management and policy issues in it). The scope of computer security grew from physical security to include: – Securing the data – Limiting random and unauthorized access to data – Involving personnel from multiple levels of the organization in information security Figure 1-4 Illustration of computer network vulnerabilities from RAND Report R-609 Source. RAND Report R-609-1. Used with permission. MULTICS (1 of 2) Early focus of computer security research centered on a system called Multiplexed Information and Computing Service (MULTICS). First operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system developed in the mid-1960s by General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT). MULTICS (2 of 2) Several MULTICS key players created UNIX. – Primary purpose of UNIX was text processing. Late 1970s: The microprocessor expanded computing capabilities and security threats. Early 1980s: TCP/IP In 1988, the Defense Advanced Research Projects Agency (DARPA) created the Computer Emergency Response Team (CERT) to address network security. The 1990s Networks of computers became more common, as did the need to connect them to each other. Internet became the first global network of networks. Initially, network connections were based on de facto standards. In early Internet deployments, security was treated as a low priority. In 1993, DEFCON conference was established for those interested in information security. in the late 1990s and into 2000s, many large corporations began publicly integrating security into their organizations. 2000 to Present The Internet brings millions of unsecured computer networks into continuous communication with each other. Growing threat of cyber attacks has increased the awareness of need for improved security. – Nation-states engaging in information warfare The ability to secure a computer’s data was influenced by the security of every computer to which it is connected. Table 1-1 Key Dates in Information Security (1 of 2) Date Document 1968 Dr. Larry Roberts developed the ARPANET project. 1970 Willis H. Ware author the report Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security—RAND R.609 which was not declassified until 1979. I became known as the seminal work identifying the need for computer Security. 1973 Schell, Downey, and Popek examine the need for additional security in military systems in Preliminary Notes on the Design of Secure Military Computer Systems. 1975 The Federal Information Processing Standards (FIPS) examines DES (Digital Encryption Standard) In the Federal Register. 1978 Bisbey and Hollingsworth publish their study “Protection Analysis: Final Report,” which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software. Table 1-1 Key Dates in Information Security (2 of 2) Date Document 1979 Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents,” which discussed secure user IDs, secure group IDs, and the problems inherent in the systems. 1982 The US. Department of Defense Computer Security Evaluation Center publishes the first version of the Trusted Computer Security (TCSEC) documents, which came to be known as the Rainbow Series. 1982 Grampp and Morris write “The UNIX System: UNIX Operating System Security.” In this report the authors examined four “important handles to computer security”: physical control of primes and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security. 1984 Reeds and Weinberger publish “File Security and the UNIX System Crypt Command.” Their premise was: “No technique can be secure against wiretapping or is equivalent on the computer. Therefore no technique can be secure against the system administrator or other privileged users... the naive user have no chance.” 1992 Researchers for the Internet Engineering Task force, working at the Naval Research Laboratory, develop the Simple Internet Protocol Plus (SIPP) Security protocols, creating what is now known as IPSEC security. What Is Security? (1 of 2) “A state of being secure and free from danger or harm; the actions taken to make someone or something secure.” Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements. A successful organization should have multiple layers of security in place to protect: – Operations – Physical infrastructure – People – Functions – Communications – Information What Is Security? (2 of 2) The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information. Figure 1-5 Components of information security Includes information security management, data security, and network security Figure 1-6 The C.I.A. triad The C.I.A. triad Is a standard based on confidentiality, integrity, and availability, now viewed as inadequate. CIA is considered insufficient for the dynamic information security landscape. To address evolving threats like damage, theft, and unauthorized access, a more comprehensive model has emerged emphasizing critical characteristics of information security Key Information Security Concepts Access: The ability to use or interact with a system, data, or resource. Asset: Anything valuable to an organization, such as data, systems, or physical devices. Attack: An intentional action to exploit vulnerabilities and harm a system or asset. Control, safeguard, or countermeasure: Measures taken to reduce risks or protect systems from attacks. Exploit: A method or tool used to take advantage of a system's vulnerability. Exposure: The condition of being at risk of harm due to vulnerabilities. Loss: Damage or harm resulting from a successful attack, such as stolen data or financial costs. Key Information Security Concepts Protection profile or security posture: The overall security level of an organization, based on its protections and defenses. Risk: The likelihood and potential impact of a threat exploiting a vulnerability. Subjects and objects of attack: The attacker (subject) targets a resource or system (object). Threat: A potential danger that could harm a system or asset. Threat agent: The entity, such as a person or software, that carries out the threat. Threat event: An actual occurrence of a threat exploiting a vulnerability. Threat source: The origin of the threat, such as hackers, malware, or natural disasters. Vulnerability: A weakness in a system or process that can be exploited by threats. Figure 1-7 Key concepts in information security Source. (top left to bottom right): © iStockphoto/tadija, Internet Explorer, © iStockphoto/darrenwise , Internet Explorer, Microsoft Excel. Figure 1-8 Computer as the subject and object of an attack Critical Characteristics of Information The value of information comes from the characteristics it possesses: – Availability – Accuracy – Authenticity – Confidentiality – Integrity – Utility – Possession Critical Characteristics of Information Availability: Availability enables authorized users—people or computer systems—to access information without interference or obstruction and to receive it in the required format. Accuracy: Information has accuracy when it is free from mistakes or errors and has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate. Authenticity: Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Common problem: Email spoofing Critical Characteristics of Information Confidentiality: Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. Integrity: Information has integrity when it is whole, complete, and uncorrupted. Utility: The utility of information is the quality or state of having value for some purpose or end. If information is available but is not in a meaningful format to the end user, it is not useful. Possession: The possession of information is the quality or state of ownership or control. Information is said to be in one’s possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always lead to a breach of confidentiality. CNSS Security Model Figure 1-9 The McCumber Cube The McCumber Cube expands on the CIA Triad by introducing two additional dimensions. The cube has three dimensions, forming a 3x3x3 structure with 27 cells, representing areas crucial for securing information systems. Each room represents a different combination of three things: What you're protecting: Confidentiality, Integrity or Availability. Components of an Information System Information system (IS) is the entire set of people, procedures, and technology that enable business to use information. – Software – Hardware – Data – People – Procedures – Networks Balancing Information Security and Access Impossible to obtain perfect information security—it is a process, not a goal. Security should be considered a balance between protection and availability. To achieve balance, the level of security must allow reasonable access, yet protect against threats. Approaches to Information Security Implementation: Bottom-Up Approach Grassroots effort: Systems administrators attempt to improve security of their systems. Key advantage: technical expertise of individual administrators Seldom works, as it lacks a number of critical features: – Participant support – Organizational staying power Approaches to Information Security Implementation: Top-Down Approach Initiated by upper management – Issue policy, procedures, and processes – Dictate goals and expected outcomes of project – Determine accountability for each required action This approach has – strong upper-management support, – a dedicated champion, – usually dedicated funding, – a clear planning and implementation process, – and the means of influencing organizational culture. Figure 1-12 Approaches to information security implementation Security Professionals and the Organization Wide range of professionals are required to support a diverse information security program. Senior management is the key component. Additional administrative support and technical expertise are required to implement details of the IS program. Senior Management Chief information officer (CIO) – Senior technology officer – Primarily responsible for advising the senior executives on strategic planning Chief information security officer (CISO) – Has primary responsibility for assessment, management, and implementation of IS in the organization – Usually reports directly to the CIO Information Security Project Team A small functional team of people who are experienced in one or multiple facets of required technical and nontechnical areas: – Champion – Team leader – Security policy developers – Risk assessment specialists – Security professionals – Systems administrators – End users Information Security Project Team  Champion:  A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.  Team leader:  A project manager, who understands project management, personnel management, and information security technical requirements.  Security policy developers:  Individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies.  Risk assessment specialists:  Individuals who understand financial risk assessment techniques, the value of organizational assets, and the security Information Security Project Team  Security professionals:  Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.  Systems administrators:  Individuals whose primary responsibility is administering the systems that house the information used by the organization.  End users:  Those whom the new system will most directly impact. Data Responsibilities Data owners: senior management responsible for the security and use of a particular set of information Data custodians: responsible for the information and systems that process, transmit, and store it Data users: individuals with an information security role Communities of Interest Group of individuals united by similar interests/values within an organization – Information security management and professionals  protect the organization’s information systems and stored information from attacks – Information technology management and professionals  focus on operating the technology operations with a focus on cost and not necessarily on security – Organizational management and professionals Information Security: Is It an Art or a Science? Implementation of information security is often described as a combination of art and science. “Security artisan” idea: based on the way individuals perceive system technologists and their abilities. Security as Art No hard and fast rules nor many universally accepted complete solutions No manual for implementing security through entire system Security as Science Dealing with technology designed for rigorous performance levels. Specific conditions cause virtually all actions in computer systems. Almost every fault, security hole, and systems malfunction is a result of interaction of specific hardware and software. If developers had sufficient time, they could resolve and eliminate faults. Security as a Social Science Social science examines the behavior of individuals interacting with systems. Security begins and ends with the people that interact with the system, intentionally or otherwise. Security administrators can greatly reduce the levels of risk caused by end users and create more acceptable and supportable security profiles. Summary (1 of 2) Computer security began immediately after the first mainframes were developed. Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information. Security should be considered a balance between protection and availability. Summary (2 of 2) Implementation of information security is often described as a combination of art and science. References Whitman, M., & Mattord, H. (2017). Principles of information security (6th ed.). CENGAGE Learning Custom Publishing.

CIS 475 Computer Security Module 1 PDF

Document Details

Tags

Related

Summary

Full Transcript