Full Transcript

Introduction to Information Security

SUBJECT: AISPRE 5
PROFESSOR: MR. MARK ANGELO I. ALVAREZ
DATE: SEPTEMBER 21, 2024

Learning Objectives

At the end of the lesson, the students must be able to:
- Identify the history of information security
- Understand what security is
- Enumerate the components of an information system
- Discuss the approaches to information security implementation
- Classify the security in the systems development life cycle
- Define the communities of interest in information security

The History of Information Security

COMPUTER SECURITY - In the early days of computers, this term specified the need to secure the physical location of computer technology from outside threats. This term later came to represent all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in an organization has expanded.

The history of information security begins with the concept of computer security. The need for computer security arose during World War II, when the first mainframe computers were developed and used to aid computations for communication code breaking of messages from the enemy.

The 1960s

During the Cold War, many more mainframe computers were brought online to accomplish more complex and sophisticated tasks. These mainframes required a less cumbersome process of communication than mailing magnetic tapes between computer centers. In response to this need, the Department of Defense's Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military's exchange of information. In 1968, Dr. Larry Roberts developed the ARPANET. ARPANET evolved into what we now know as the Internet, and Roberts became known as its founder.

The 1970s and 80s

During the next decade, ARPANET became more popular and saw wider use, increasing the potential for its misuse. In 1973, Internet pioneer Robert M. Metcalfe identified fundamental problems with ARPANET security. He knew that individual remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users. Other problems abounded: vulnerability of password structure and formats; lack of safety procedures for dial-up connections; and nonexistent user identification and authorizations. Phone numbers were widely distributed and openly publicized on the walls of phone booths, giving hackers easy access to ARPANET.

In June 1967, ARPA formed a task force to study the process of securing classified information systems. The task force was assembled in October 1967 and met regularly to formulate recommendations, which ultimately became the contents of RAND Report R-609. RAND Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security. This paper signaled a pivotal moment in computer security history:
- Securing the data
- Limiting random and unauthorized access to that data
- Involving personnel from multiple levels of the organization in information security

Much of the early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS). Although it is now obsolete, MULTICS is noteworthy because it was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system developed in the mid-1960s by a consortium of General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).

In 1969, not long after the restructuring of the MULTICS project, several of its developers created a new operating system called UNIX. While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not. Its primary function, text processing, did not require the same level of security as that of its predecessor. Not until the early 1970s did even the simplest component of security, the password function, become a component of UNIX.

In the late 1970s, the microprocessor brought the personal computer (PC) and a new age of computing. The PC became the workhorse of modern computing, moving it out of the data center. This decentralization of data processing systems in the 1980s gave rise to networking: the interconnecting of PCs and mainframe computers, which enabled the entire computing community to make all its resources work together.

In the early 1980s, TCP (the Transmission Control Protocol) and IP (the Internet Protocol) were developed and became the primary protocols for the ARPANET, eventually becoming the protocols we use on the Internet to this day. Also during this time frame, DNS, the hierarchical Domain Name System, was developed.

The 1990s

The Internet was made available to the general public in the 1990s after decades of being the domain of government, academia, and dedicated industry professionals. The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected Local Area Network (LAN). In the late 1990s and into the 2000s, many large corporations began publicly integrating security into their organizations. Antivirus products became extremely popular, and information security began to emerge as an independent discipline.

2000 to Present

Today, the Internet brings millions of unsecured computer networks and billions of computer systems into continuous communication with each other. The security of each computer's stored information is contingent on the security level of every other computer to which it is connected. Recent years have seen a growing awareness of the need to improve information security, as well as a realization that information security is important to national defense.

What is Security?

SECURITY is protection. Protection from adversaries, those who would do harm, intentionally or otherwise, is the ultimate objective of security. National security, for example, is a multi-layered system that protects the sovereignty of a state, its assets, its resources, and its people.

The Committee on National Security Systems (CNSS) defines INFORMATION SECURITY as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit the information.

The C.I.A. triad has been the standard for computer security in both industry and government since the development of the mainframe.

KEY TERMINOLOGIES:

C.I.A. TRIAD - the industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.

COMMUNICATIONS SECURITY - protection of all communications media, technology, and content.

INFORMATION SECURITY - protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.

NETWORK SECURITY - a subset of communications security; the protection of voice and data networking components, connections, and content.

SECURITY - a state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure.

KEY INFORMATION SECURITY CONCEPTS:

ACCESS - a subject or object's ability to use, manipulate, modify, or affect another subject or object.

ASSET - the organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data; or an asset can be physical, such as a person, computer system, hardware, or other tangible object.

ATTACK - an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect.

CONTROL/SAFEGUARD/COUNTERMEASURE - security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.

EXPLOIT - a technique used to compromise a system. Threat agents may attempt to exploit a system or other asset by using it illegally for their personal gain.

EXPOSURE - a condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.

LOSS - a single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.

PROTECTION PROFILE OR SECURITY POSTURE - the entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset.

RISK - the probability of an unwanted occurrence, such as an adverse event or loss.

SUBJECTS AND OBJECTS OF ATTACK - a computer can be either the subject of an attack (an agent entity used to conduct the attack) or the object of an attack.

THREAT - any event or circumstance that has the potential to adversely affect operations and assets.

THREAT AGENT - the specific instance or a component of a threat.

THREAT EVENT - an occurrence of an event caused by a threat agent. This term is commonly used interchangeably with the term attack.

THREAT SOURCE - a category of objects, people, or other entities that represents the origin of danger to an asset; a category of threat agents. Threat sources are always present and can be purposeful or undirected.

VULNERABILITY - a potential weakness in an asset or its defensive control system(s). Some examples of vulnerabilities are an unprotected system port and an unlocked door.

Critical Characteristics of Information

AVAILABILITY - enables authorized users, people or computer systems, to access information without interference or obstruction and to receive it in the required format.

ACCURACY - information has accuracy when it is free from mistakes or errors and has the value that the end user expects.

AUTHENTICITY - authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication.

CONFIDENTIALITY - information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems.

INTEGRITY - information has integrity when it is whole, complete, and uncorrupted.

UTILITY - the utility of information is the quality or state of having value for some purpose or end.

POSSESSION - the possession of information is the quality or state of ownership or control.

References:

Whitman, M. E., & Mattord, H. J. (2021). Principles of Information Security. Course Technology.

THANK YOU!
