Intro to Information Security PDF

Intro. to Information Security Caraga State University – Main Campus College of Computing and Information Sciences IT 107 – Information Assurance and Security I Learning Objectives Understand the definition of information security Comprehend the history of computer security and how it evolved into information security Understand the key terms and critical concepts of information security as presented in the chapter Outline the phases of the security systems development life cycle Understand the roles of professionals involved in information security within an organization IT 107 – Information Assurance and Security I Introduction Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” —Jim Anderson, Inovant (2002) Necessary to review the origins of this field and its impact on our understanding of information security today IT 107 – Information Assurance and Security I The History of Information Security Began immediately after the first mainframes were developed Created to aid code-breaking computations during World War II Physical controls to limit access to sensitive military locations to authorized personnel: badges, keys, and facial recognition Rudimentary in defending against physical theft, espionage, and sabotage IT 107 – Information Assurance and Security I The Enigma Machine The Enigma machine is a cipher device developed and used in the early - to mid-20th century to protect commercial, diplomatic, and military communication. It was employed extensively by Nazi Germany during World War II, in all branches of the German military. The Germans believed, erroneously, that use of the Enigma machine enabled them to communicate securely and thus enjoy a huge advantage in World War II. The Enigma machine was considered to be so secure that even the most top-secret messages were enciphered on its electrical circuits. ITE 112 – Computer Applications for Environmental Science The History of Information Security One of 1st documented problems (early 1960’s) Additional mainframes online Advanced Research Procurement Agency (ARPA) began to examine feasibility of redundant networked communications Larry Roberts developed ARPANET from its inception ARPANET is the first Internet IT 107 – Information Assurance and Security I ARPANET Program Plan (June 3, 1968) IT 107 – Information Assurance and Security I ARPANET ARPANET grew in popularity as did its potential for misuse Fundamental problems with ARPANET security were identified: ▪ No safety procedures for dial-up connections to ARPANET ▪ Non-existent user identification and authorization to system ▪ Individual remote users’ sites did not have sufficient controls and safeguards to protect data against unauthorized remote users ▪ Phone numbers were widely distributed and openly publicized on the walls of rest rooms and phone booths, giving hackers easy access to ARPANET. IT 107 – Information Assurance and Security I The Paper that Started the Study of Computer Security Information security began with Rand Report R-069 Scope of computer security grew from physical security to include: ▪ Safety of data ▪ Limiting unauthorized access to data ▪ Involvement of personnel from multiple levels of an organization IT 107 – Information Assurance and Security I The History of Information Security Multics ▪ Operating System ▪ Security primary goal ▪ Did not go very far ▪ Several developers created Unix Late 1970’s: Microprocessor expanded computing capabilities and security threats ▪ From mainframe to PC ▪ Decentralized computing ▪ Need for sharing resources increased ▪ Major changed computing IT 107 – Information Assurance and Security I The History of Information Security (The 1990’s) Networks of computers became more common; so too did the need to interconnect networks Internet became first manifestation of a global network of networks In early Internet deployments, security was treated as a low priority Many of the problems that plague e-mail on the Internet are the result to this early lack of security IT 107 – Information Assurance and Security I The History of Information Security (The Present) The Internet brings millions of computer networks into communication with each other—many of them unsecured Ability to secure a computer’s data influenced by the security of every computer to which it is connected IT 107 – Information Assurance and Security I What is Security? “The quality or state of being secure—to be free from danger” A successful organization should have multiple layers of security in place: ▪ Physical security ▪ Personal security ▪ Operations security ▪ Communications security ▪ Network security ▪ Information security IT 107 – Information Assurance and Security I What is Information Security? The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information Necessary tools: policy, awareness, training, education, technology C.I.A. triangle was standard based on confidentiality, integrity, and availability C.I.A. triangle now expanded into list of critical characteristics of information IT 107 – Information Assurance and Security I Components of Information Security IT 107 – Information Assurance and Security I Critical Characteristics of Information The value of information comes from the characteristics it possesses: ▪ Timeliness No value if it is too late ▪ Availability No interference or obstruction Required format ▪ Accuracy Free from mistakes ▪ Authenticity Quality or state of being genuine, i.e., sender of an email IT 107 – Information Assurance and Security I Critical Characteristics of Information ▪ Confidentiality Disclosure or exposure to unauthorized individuals ▪ Integrity Whole, completed, uncorrupted Cornerstone Size of the file, hash values, error-correcting codes, retransmission ▪ Utility Having value for some purposes ▪ Possession Ownership Breach of confidentiality results in the breach of possession, not in reverse IT 107 – Information Assurance and Security I NSTISSC Security Model IT 107 – Information Assurance and Security I Components of an Information System Information System (IS) is entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization. Software ▪ Perhaps the most difficult to secure ▪ Easy target ▪ Exploitation substantial portion of attacks on information Hardware ▪ Physical technology that houses and executes the software ▪ Securing physical location is important ▪ Before Sept. 11, 2001, laptop thefts in airports were common IT 107 – Information Assurance and Security I Components of an Information System Information System (IS) is entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization Data ▪ Often most valuable assets ▪ Main target of intentional attacks People ▪ Weakest link ▪ Often overlooked in computer security considerations ▪ Social engineering attack ▪ Must be well trained and informed IT 107 – Information Assurance and Security I Components of an Information System Information System (IS) is entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization Procedures ▪ Frequently overlooked component of an Information System ▪ When exposed, this poses a threat to the integrity of the information Networks ▪ LAN -> other networks (Internet) = New security challenges ▪ Locks and keys is good, but when computer systems are networked, this is no longer enough IT 107 – Information Assurance and Security I Balancing Information Security and Access Impossible to obtain perfect security – it is a process, not an absolute/goal Security should be considered balance between protection and availability To achieve balance, level of security must allow reasonable access, yet protect against threats IT 107 – Information Assurance and Security I Approaches to Information Security Implementation Securing information assets is in fact an incremental process that requires coordination, time, and patience. Bottom-Up Approach ▪ System administrators attempt to improve the security of their systems (grassroots effort) ▪ Key advantage: technical expertise of individual administrators ▪ Problem: seldom works, lack of critical features such as participant support and organization staying power IT 107 – Information Assurance and Security I Approaches to Information Security Implementation Securing information assets is in fact an incremental process that requires coordination, time, and patience. Top-Down Approach ▪ Project is initiated by upper-level managers who issue policy, procedures and processes, dictate the goals and expected outcomes, and determine accountability for each action ▪ The most successful kind of top-down approach also involves a formal development strategy referred to as a systems development life cycle IT 107 – Information Assurance and Security I Approaches to Information Security Implementation IT 107 – Information Assurance and Security I The Systems Development Life Cycle Systems Development Life Cycle (SDLC) is methodology and design for implementation of information security within an organization Methodology is formal approach to problem-solving based on structured sequence of procedures Using a methodology ensures a rigorous process with a clearly defined goal and increases the probability of success Traditional SDLC consists of six general phases IT 107 – Information Assurance and Security I SDLC Waterfall Methodology IT 107 – Information Assurance and Security I The Security Systems Development Life Cycle The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS project Identification of specific threats and creating controls to counter them The SecSDLC unifies this process and makes it a coherent program rather than a series of random, seemingly unconnected actions IT 107 – Information Assurance and Security I SDLC and SecSLDC Phase Summary Steps common to both Steps unique to the Phases SDLC and SecSDLC SecSDLC Outline project scope and goals Management defines project Estimate costs processes and goals and Phase 1: Investigation Evaluate existing resources documents these in the Analyze feasibility program security policy Develop preliminary system Analyze existing security requirements policies and programs Assess current system against Analyze current threats and plan developed in Phase 1 Phase 2: Analysis controls Study integration of new system Examine legal issues with existing system Perform risk analysis Document findings and update feasibility analysis Assess current business needs Phase 3: Logical Design against plan developed in Develop security blueprint Phase 2 IT 107 – Information Assurance and Security I SDLC and SecSLDC Phase Summary Steps common to both Steps unique to the Phases SDLC and SecSDLC SecSDLC Select applications, data Plan incident response actions support, and structures Plan business response to Generate multiple solutions for disaster Phase 3: Logical Design consideration Determine feasibility of Document findings and update continuing and/or outsourcing feasibility analysis the project Select technologies needed to Select technologies to support support security blueprint solutions developed in Phase 3 Develop definition of successful Select the best solution solution Phase 4: Physical Design Decide to make or buy Design physical security components measures to support techno Document findings and update logical solutions feasibility analysis Review and approve project IT 107 – Information Assurance and Security I SDLC and SecSLDC Phase Summary Steps common to both Steps unique to the Phases SDLC and SecSDLC SecSDLC Develop or buy software Order components Buy or develop security Document the system solutions Train users Phase 5: Implementation At end of phase, present tested Update feasibility analysis package to management for Present system to users approval Test system and review performance Support and modify system during its useful life Constantly monitor, test, Test periodically for compliance Phase 6: Maintenance and Change modify, update, and repair to with business needs meet changing threats Upgrade and patch as necessary IT 107 – Information Assurance and Security I Security Professionals and the Organization It takes a wide range of professionals required to support a diverse information security program Senior management is the key component; also, additional administrative support and technical expertise required to implement details of IS program IT 107 – Information Assurance and Security I Senior Management Senior Technology Officer ▪ Chief Information Officer (CIO) | VPIT | VPS | VPI ▪ Primarily responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization ▪ CIO’s work with subordinate managers to develop tactical and operational plans Chief Information Security Officer (CISO) ▪ Primarily responsible for assessment, management, and implementation of information security in the organization ▪ Usually reports directly to the CIO IT 107 – Information Assurance and Security I Senior Management Senior Technology Officer ▪ Chief Information Officer (CIO) | VPIT | VPS | VPI ▪ Primarily responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization ▪ CIO’s work with subordinate managers to develop tactical and operational plans Chief Information Security Officer (CISO) ▪ Primarily responsible for assessment, management, and implementation of information security in the organization ▪ Usually reports directly to the CIO IT 107 – Information Assurance and Security I

Intro to Information Security PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue