Introduction to Information Security PDF

Summary

This document provides an introduction to information security, covering its history, key concepts, and approaches. It details security, computer security, physical security, communications security, and information security, among other topics.

Full Transcript

Introduction to Information Security

Security
A state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure.

Computer Security
In the early days of computers, this term specified the need to secure the physical location of computer technology from outside threats. This term later came to represent all actions taken to preserve computer systems from losses.

It has evolved into the current concept of information security as the scope of protecting information in an organization has expanded:
1. Securing the data.
2. Limiting random and unauthorized access to that data.
3. Involving personnel from multiple levels of the organization in information security.

Physical Security: The protection of physical items, objects, or areas from unauthorized access and misuse.

Communications Security: The protection of all communications media, technology, and content.

Network Security: A subset of communications security; the protection of voice and data networking components, connections, and content.

Information Security: Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.

History of Information Security

Before 1960
During these early years, information security was a straightforward process composed predominantly of physical security and simple document classification schemes. The primary threats to security were physical theft of equipment, espionage against products of the systems, and sabotage. The need for computer security arose during World War II, when the first mainframe computers were developed and used to aid computations for communication code breaking (ENIGMA).

1960s
The first documented security problem was recorded in 1960. A systems administrator was working on a MOTD (message of the day) file, and another administrator was editing the password file. A software glitch mixed the two files, and the entire password file was printed on every output file.

In 1968, Dr. Larry Roberts developed the ARPANET. The Department of Defense's Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military's exchange of information.

In 1973, Internet pioneer Robert M. Metcalfe identified fundamental problems with ARPANET security.

1970s and 1980s
In 1978, Richard Bisbey and Dennis Hollingworth, two researchers in the Information Sciences Institute at the University of Southern California, published a study entitled "Protection Analysis: Final Report." It focused on a project undertaken by ARPA to understand and detect vulnerabilities in operating system security.

1990s
The Internet was made available to the general public. After the Internet was commercialized, the technology became pervasive, reaching almost every corner of the globe with an expanding array of uses. However, early Internet deployment treated security as a low priority. In fact, many problems that plague e-mail on the Internet today result from this early lack of security.

In the late 1990s and into the 2000s, many large corporations began publicly integrating security into their organizations. Antivirus products became extremely popular. Growing awareness of the need to improve information security, as well as a realization that information security is important to national defense.

2000 to Present
The growing threat of cyberattacks has made governments and companies more aware of the need to defend the computerized control systems of utilities and other critical infrastructure.

C.I.A. Triangle

Confidentiality: An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.

Integrity: An attribute of information that describes how data is whole, complete, and uncorrupted.

Availability: An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.

Key Information Security Concepts

1. Access: A subject or object's ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.

2. Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data; or an asset can be physical, such as a person, computer system, hardware, or other tangible object. Assets, particularly information assets, are the focus of what security efforts are attempting to protect.

3. Attack: An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect.

4. Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.

5. Exploit: A technique used to compromise a system. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain.

6. Exposure: A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.

7. Loss: A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. When an organization's information is stolen, it has suffered a loss.

8. Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset.

9. Risk: The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk they are willing to accept.

10. Subjects and objects: A computer can be either the subject of an attack (an agent entity used to conduct the attack) or the object of an attack (the target entity).

11. Threat: A category of objects, people, or other entities that represents a danger to an asset. Threats are always present and can be purposeful or undirected.

12. Threat agent: The specific instance or a component of a threat.

13. Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage.

Critical Characteristics of Information
The expanded C.I.A. triangle (Confidentiality, Integrity & Availability)

Accuracy: An attribute of information that describes how data is free of errors and has the value that the user expects.

Authenticity: An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.

Possession: An attribute of information that describes how the data's ownership or control is legitimate or authorized.

Utility: An attribute of information that describes how data has value or usefulness for an end purpose.

CNSS Security Model

McCumber Cube: A graphical representation of the architectural approach widely used in computer and information security; commonly shown as a cube composed of 3×3×3 cells, similar to a Rubik's Cube. Created by John McCumber in 1991.

Information System
The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.

Components of an Information System

1. Hardware: It is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.

2. Data: Data stored, processed, and transmitted by a computer system must be protected. Data is often the most valuable asset of an organization and therefore is the main target of intentional attacks.

3. People: Though often overlooked in computer security considerations, people have always been a threat to information security.

4. Procedures: Procedures are written instructions for accomplishing a specific task. When an unauthorized user obtains an organization's procedures, it poses a threat to the integrity of the information.

5. Networks: Networking is the IS component that created much of the need for increased computer and information security.

6. Software: Programs, applications, and operating systems that enable users to perform specific tasks and manipulate data.

Approaches in Information Security

Bottom-up approach: A method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.

Top-down approach: A methodology of establishing security policies that is initiated by upper management.
