Module 01 Introduction to Information Security 1 - Tagged.pdf

Full Transcript

Official Business

Module 1: Introduction to Information Security (ITS165)

Introduction

What is Information Security?
- A “well-informed sense of assurance that the information risks and controls are in balance.” – Jim Anderson, Emagined Security

History of Information Security

Computer security began immediately after the first mainframes were developed.
- Groups developing code-breaking computations during World War II created the first modern computers.
- Multiple levels of security were implemented to protect these devices.

During these early years, information security was a straightforward process consisting predominantly of physical security and simple document classification schemes. The primary threats to security were physical theft of equipment, espionage against the products of systems, and sabotage.

The Enigma

Earlier versions of the German code machine Enigma were first broken by the Poles in the 1930s. The British and Americans managed to break later, more complex versions of the Enigma; the submarine (Unterseeboot) version in particular caused considerable anguish to Allied forces before finally being cracked. The information gained from decrypted transmissions was used to anticipate the actions of the German armed forces.

“Some ask why, if we were reading the Enigma, we did not win the war earlier. One might ask instead, when, if ever, we would have won the war if we hadn’t read it.”

Key Dates in Information Security (1 of 3)

Date  Document
1968  Maurice Wilkes discusses password security in Time-Sharing Computer Systems.
1970  Willis H. Ware authors the report “Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security – RAND Report R-609,” which was not declassified until 1979. It became known as the seminal work identifying the need for computer security.
1973  Schell, Downey, and Popek examine the need for additional security in military systems in “Preliminary Notes on the Design of Secure Military Computer Systems.”
1975  The Federal Information Processing Standards (FIPS) examines the Digital Encryption Standard (DES) in the Federal Register.

Key Dates in Information Security (2 of 3)

Date  Document
1978  Bisbey and Hollingworth publish their study “Protection Analysis: Final Report,” which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and to examine the possibility of automated vulnerability detection techniques in existing system software.
1979  Morris and Thompson author “Password Security: A Case History,” published in the Communications of the Association for Computing Machinery (ACM). The paper examined the design history of a password security scheme on a remotely accessed, time-sharing system.
1982  The U.S. Department of Defense Computer Security Evaluation Center publishes the first version of the Trusted Computer Security (TSEC) documents, which came to be known as the Rainbow Series.

Key Dates in Information Security (3 of 3)

Date  Document
1984  Grampp and Morris write “The UNIX System: UNIX Operating System Security.” In this report, the authors examined four “important handles to computer security”: physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security.
1992  Researchers for the Internet Engineering Task Force, working at the Naval Research Laboratory, develop the Simple Internet Protocol Plus (SIPP) security protocols, creating what is now known as IPSEC security.

The 1960s

During the Cold War, many more mainframe computers were brought online to accomplish more complex and sophisticated tasks.
The Advanced Research Projects Agency (ARPA) began to examine the feasibility of a redundant networked communication system. Larry Roberts led the development of ARPANET, which evolved into what we know as the Internet.

Development of ARPANET

ARPANET, developed by the U.S. Department of Defense’s ARPA in the late 1960s, was the pioneering network that introduced packet switching and the TCP/IP protocols, enabling reliable, decentralized communication and laying the foundation for the modern Internet.

The 1970s and ’80s (1 of 2)

ARPANET grew in popularity, increasing the potential for misuse. Fundamental problems with ARPANET security were identified:
- Individual remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users.
- Other problems included:
  - Vulnerability of password structure and formats.
  - Lack of safety procedures for dial-up connections.
  - Nonexistent user identification and authorization.

The 1970s and ’80s (2 of 2)

Information security began with RAND Report R-609, the paper that started the study of computer security and identified the role of management and policy issues in it. The scope of computer security grew from physical security to include:
- Securing the data
- Limiting random and unauthorized access to data
- Involving personnel from multiple levels of the organization in information security

Computer Network Vulnerabilities

Computer network vulnerabilities are weaknesses that attackers can exploit to gain unauthorized access or disrupt services. Common vulnerabilities include unpatched software, weak passwords, misconfigured firewalls, phishing attacks, malware, and insufficient encryption. Addressing these issues involves regular updates, strong authentication, proper configuration, user education, and robust security measures.
MULTICS

Early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS). It was the first operating system created with security integrated into its core functions. This mainframe, time-sharing OS was developed in the mid-1960s by General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT). Several key MULTICS players went on to create UNIX.
- The primary purpose of UNIX was text processing.

Late 1970s: the microprocessor expanded computing capabilities, and with them security threats.

The 1990s

Networks of computers became more common, as did the need to connect them to each other. The Internet became the first global network of networks. Initially, network connections were based on de facto standards. In early Internet deployments, security was treated as a low priority. In the late 1990s and into the 2000s, many large corporations began publicly integrating security into their organizations. Information security began to emerge as an independent discipline.

What Is Security?

“A state of being secure and free from danger or harm; the actions taken to make someone or something secure.”

“The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information” (CNSS).

InfoSec includes information security management, data security, and network security.
- C.I.A. triad: a standard based on confidentiality, integrity, and availability, now viewed as inadequate on its own.
- The expanded model consists of a list of critical characteristics of information.

Components of Information Security

The components of information security are confidentiality, integrity, and availability, often referred to as the CIA triad. Together they ensure that information is protected from unauthorized access, remains accurate and unaltered, and is accessible to authorized users when needed.
The C.I.A. Triad

When expanded, it includes additional critical characteristics of information security, often referred to as the Parkerian Hexad. The six key elements are:
1. Confidentiality: ensuring that information is accessible only to those authorized to have access.
2. Integrity: maintaining the accuracy and completeness of information and processing methods.
3. Availability: ensuring that authorized users have access to information and associated assets when required.
4. Authenticity: verifying that users are who they claim to be and that each input arriving at the system came from a trusted source.
5. Non-repudiation: ensuring that a party in a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
6. Accountability: ensuring that the actions of an entity can be traced uniquely to that entity.

Key Information Security Concepts

- Access
- Asset
- Attack
- Control, safeguard, or countermeasure
- Exploit
- Loss
- Protection profile or security posture
- Risk
- Subjects and objects
- Threat
- Threat agent
- Threat event
- Threat source
- Vulnerability

Critical Characteristics of Information

The value of information comes from the characteristics it possesses:
- Confidentiality
- Integrity
- Availability
- Accuracy
- Authenticity
- Utility
- Possession

CNSS Security Model

The CNSS (Committee on National Security Systems) Security Model, also known as the McCumber Cube, is a comprehensive framework for understanding and addressing information security.

Components of an Information System

An information system (IS) is the entire set of hardware, software, data, people, procedures, and networks that enable a business to use information. All of them work together to support personal and professional operations.
Each component has its own strengths and weaknesses, its own characteristics and uses, and its own security requirements.

Approaches to Information Security Implementation: Top-Down Approach

Initiated by upper management, which:
- Issues policy, procedures, and processes
- Dictates the goals and expected outcomes of the project
- Determines accountability for each required action

The most successful type of top-down approach also involves a formal development strategy referred to as a systems development life cycle.

Approaches to Information Security Implementation

The implementation of information security in an organization must begin somewhere and cannot happen overnight. These approaches provide a structured way to ensure that security measures are effectively integrated into an organization’s operations.

Security Professionals and the Organization

A wide range of professionals is required to support a diverse information security program. Senior management support is the key component. Additional administrative support and technical expertise are required to implement the details of an IS program.

The CISO’s Place and Roles

Information Security Project Team

A small functional team of people who are experienced in one or more facets of the required technical and nontechnical areas:
- Champion
- Team leader
- Security policy developers
- Risk assessment specialists
- Security professionals
- System administrators
- End users

Data Responsibilities

The types of data ownership and their respective responsibilities are outlined below:
- Data owners
- Data custodians
- Data trustees
- Data users

Communities of Interest

A group of individuals united by similar interests and values within an organization:
- Information security management and professionals
- Information technology management and professionals
- Organizational management and professionals
Information Security: Is It an Art or a Science?

Implementation of information security is often described as a combination of art and science.

The “security artisan” idea is based on the way individuals perceive system technologists and their abilities.

Security as art: there are no hard and fast rules and few universally accepted complete solutions; there is no manual for implementing security throughout an entire system.

Security as science: technology is developed by scientists and engineers; specific conditions cause virtually all actions in computer systems; almost every security issue is the result of the interaction of specific hardware and software; with sufficient time, developers could resolve all faults.
