ITE 321 - Reviewer

Uploaded by

Neljane Laurente

Layers of Security

Physical security: to protect physical items, objects, or areas from unauthorized access and misuse

Personnel security: to protect the individual or group of individuals who are authorized to access the
organization and its operations

Operations security: to protect the details of a particular operation or series of activities

Communications security: to protect communications media, technology, and content

Network security: to protect networking components, connections, and contents

Information security: to protect the confidentiality, integrity and availability of information assets,
whether in storage, processing, or transmission. It is achieved via the application of policy,
education, training and awareness, and technology.

Key Information Security Concepts

Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
Authorized users have legal access to a system, whereas hackers have illegal access to a system.
Access controls regulate this ability.

Asset: The organizational resource that is being protected. An asset can be logical, such as a Web
site, information, or data; or an asset can be physical, such as a person, computer system, or other
tangible object. Assets, and particularly information assets, are the focus of security efforts; they are
what those efforts are attempting to protect.

Attack: An intentional or unintentional act that can cause damage to or otherwise compromise
information and/or the systems that support it. Attacks can be active or passive, intentional or
unintentional, and direct or indirect.

Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can
successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security
within an organization. The various levels and types of controls are discussed more fully in the
following chapters.

Exploit: A technique used to compromise a system. This term can be a verb or a noun. Threat agents
may attempt to exploit a system or other information asset by using it illegally for their personal
gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure,
usually in software, that is either inherent in the software or is created by the attacker.

Exposure: A condition or state of being exposed. In information security, exposure exists when a
vulnerability known to an attacker is present.

Loss: A single instance of an information asset suffering damage or unintended or unauthorized
modification or disclosure. When an organization’s information is stolen, it has suffered a loss.

Protection profile or security posture: The entire set of controls and safeguards, including policy,
education, training and awareness, and technology, that the organization implements (or fails to
implement) to protect the asset. The terms are sometimes used interchangeably with the term
security program, although the security program often comprises managerial aspects of security,
including planning, personnel, and subordinate programs.

Risk: The probability that something unwanted will happen. Organizations must minimize risk to
match their risk appetite: the quantity and nature of risk the organization is willing to accept.

Subjects and objects: A computer can be either the subject of an attack (an agent entity used to
conduct the attack) or the object of an attack (the target entity), as shown in Figure 1-5. A computer
can be both the subject and object of an attack when, for example, it is compromised by an attack
(object) and is then used to attack other systems (subject).

Threat: A category of objects, persons, or other entities that presents a danger to an asset. Threats
are always present and can be purposeful or undirected. For example, hackers purposefully threaten
unprotected information systems, while severe storms incidentally threaten buildings and their
contents.

Threat agent: The specific instance or a component of a threat. For example, all hackers in the
world present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone
systems, is a specific threat agent. Likewise, a lightning strike, hailstorm, or tornado is a threat agent
that is part of the threat of severe storms.

Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or
damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system
port, and an unlocked door. Some well-known vulnerabilities have been examined, documented,
and published; others remain latent (or undiscovered).

Critical Characteristics of Information

Availability - Availability enables authorized users (persons or computer systems) to access information
without interference or obstruction and to receive it in the required format. Consider, for example,
research libraries that require identification before entrance.

Accuracy - Information has accuracy when it is free from mistakes or errors and it has the value that
the end user expects. If information has been intentionally or unintentionally modified, it is no
longer accurate.

Authenticity - Authenticity of information is the quality or state of being genuine or original, rather
than a reproduction or fabrication. Information is authentic when it is in the same state in which it
was created, placed, stored, or transferred. Consider for a moment some common assumptions about
e-mail.

Confidentiality - Information has confidentiality when it is protected from disclosure or exposure to
unauthorized individuals or systems. Confidentiality ensures that only those with the rights and
privileges to access information are able to do so.

Integrity - Information has integrity when it is whole, complete, and uncorrupted. The integrity of
information is threatened when the information is exposed to corruption.

Utility - The utility of information is the quality or state of having value for some purpose or end.
Information has value when it can serve a purpose. If information is available, but is not in a format
meaningful to the end user, it is not useful.

Possession - The possession of information is the quality or state of ownership or control.
Information is said to be in one’s possession if one obtains it, independent of format or other
characteristics. While a breach of confidentiality always results in a breach of possession, a breach of
possession does not always result in a breach of confidentiality.

SDLC Phases

Investigation - The first phase, investigation, is the most important. The investigation phase begins
with an examination of the event or plan that initiates the process. During the investigation phase,
the objectives, constraints, and scope of the project are specified.

Analysis - The analysis phase begins with the information gained during the investigation phase. This
phase consists primarily of assessments of the organization, its current systems, and its capability to
support the proposed systems.

Logical Design - In the logical design phase, the information gained from the analysis phase is used
to begin creating a systems solution for a business problem. In any systems solution, it is imperative
that the first and driving factor is the business need.

Physical Design - During the physical design phase, specific technologies are selected to support the
alternatives identified and evaluated in the logical design. The selected components are evaluated
based on a make-or-buy decision (develop the components in-house or purchase them from a
vendor).

Implementation - In the implementation phase, any needed software is created. Components are
ordered, received, and tested. Afterward, users are trained and supporting documentation created.
Once all components are tested individually, they are installed and tested as a system.

Maintenance and Change - The maintenance and change phase is the longest and most expensive
phase of the process. This phase consists of the tasks necessary to support and modify the system
for the remainder of its useful life cycle.

Securing the SDLC - Each of the phases of the SDLC should include consideration of the security of
the system being assembled as well as the information it uses. Whether the system is custom and
built from scratch, is purchased and then customized, or is commercial off-the-shelf software (COTS),
the implementing organization is responsible for ensuring it is used securely.

1. Why is a methodology important in the implementation of information security? How
does a methodology improve the process?
Methodologies are vital in information security implementation as they provide structured
frameworks for risk assessment and protection of assets. By offering clear steps and
procedures, methodologies ensure consistency and efficiency in security measures across
organizations.
2. How has computer security evolved into a modern information security?
The evolution of computer security into modern information security reflects the growing
complexity and interconnectedness of digital systems. Initially focused on safeguarding
individual computers and networks, computer security gradually expanded to encompass
broader concepts such as data protection, access control, and risk management.
3. Who should lead a security team? Should the approach to security be more managerial or
technical?
While the specific role of a security leader may vary depending on organizational structure and
size, a balanced approach that combines managerial and technical skills is often preferred. In
larger organizations, a Chief Information Security Officer (CISO) or equivalent executive
typically provides leadership, overseeing security operations and setting strategic objectives.
4. What is the impact of technical obsolescence on information security?
Technical obsolescence poses significant challenges to information security by exposing
organizations to increased risks and vulnerabilities. When technology becomes outdated or
unsupported, it may lack critical security patches, leaving systems vulnerable to exploitation
by cyber threats.

Access: The ability to interact with or use a resource or system.

Asset: Any valuable item or resource that an organization owns or controls.

Attack: An intentional act to disrupt, damage, or gain unauthorized access to a system or network.

Exploit: A software or hardware technique used to take advantage of a vulnerability.

Loss: The negative impact or harm resulting from a security breach or incident.

Risk: The likelihood of a threat exploiting a vulnerability and causing harm.

Threat: Any potential danger or harm that may exploit vulnerabilities.

Vulnerability: Weaknesses or flaws in a system that could be exploited by threats.

Availability: Ensuring that resources or services are accessible and usable when needed.

Authenticity: Verifying the identity or origin of a message, user, or resource.

Accuracy: Ensuring that data is correct, precise, and free from errors.

Confidentiality: Protecting sensitive information from unauthorized access or disclosure.

Integrity: Ensuring the accuracy and reliability of data and resources.

Utility: The usefulness or value provided by a system or resource.

Possession: Having control or ownership over a resource or asset.

Software: Programs or applications used to perform tasks on a computer or device.

Hardware: Physical components of a computer system or device.

Data: Raw facts, figures, or information collected, stored, and processed by a system.

Networks: Interconnected systems or devices that facilitate communication and data exchange.

Procedures: Established steps or processes for performing tasks or operations.

Investigation: The process of examining and analyzing evidence to uncover security incidents or
breaches.

Analysis: The examination of data or information to identify patterns, trends, or insights.

Logical Design: Planning and structuring systems or processes based on logical relationships and
requirements.

Physical Design: Designing the physical layout and components of a system or network.

Maintenance and Change: Activities aimed at keeping systems operational and adapting them to
changing needs.

Phishing: A form of cyber-attack that uses deceptive emails or messages to trick individuals into
revealing sensitive information.

Phreaker: An individual who exploits vulnerabilities in telecommunications systems.

Virus: Malicious software that replicates itself and infects other files or systems.

Worm: A self-replicating program that spreads across networks without user intervention.

Trojan Horse: Malware disguised as legitimate software that tricks users into installing it, allowing
unauthorized access or harm.
