Lesson One

The document provides an overview of the principles of information security, tracing its history from the 1960s to the present, highlighting key developments and challenges in the field. It discusses the importance of layered security measures, the roles of security professionals, and the need for a balanced approach to security and access. Additionally, it outlines the Systems Development Life Cycle (SDLC) and the Security Systems Development Life Cycle (SecSDLC) as methodologies for implementing information security.

23-Jan-24

Principles of Information Security, Fourth Edition
Chapter 1
Introduction to Information Security

Introduction
• Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” — Jim Anderson, Inovant (2002)
• Security professionals must review the origins of this field to understand its impact on our understanding of information security today

The History of Information Security
• Began immediately following development of first mainframes
  • Developed for code-breaking computations
  • During World War II
• Multiple levels of security were implemented
  • Physical controls
  • Rudimentary
  • Defending against physical theft, espionage, and sabotage

The 1960s
• Original communication by mailing tapes
• Advanced Research Project Agency (ARPA)
  • Examined feasibility of redundant networked communications
• Larry Roberts developed ARPANET from its inception
  • Plan
  • Link computers
  • Resource sharing
  • Link 17 Computer Research Centers
  • Cost 3.4M
• ARPANET is predecessor to the Internet

The 1970s and 80s
• ARPANET grew in popularity
  • Potential for misuse grew
• Fundamental problems with ARPANET security
  • Individual remote sites were not secure from unauthorized users
  • Vulnerabilities of password structure and formats include:
    • No safety procedures for dial-up connections to ARPANET
    • Non-existent user identification and authorization to system

The 1970s and 80s (cont’d.)
• Rand Report R-609
  • Paper that started the study of computer security
  • Information Security as we know it began
• Scope of computer security grew from physical security to:
  • Safety of data
  • Limiting unauthorized access to data
  • Involvement of personnel from multiple levels of an organization

MULTICS
• Early focus of computer security research
• System called Multiplexed Information and Computing Service (MULTICS)
• First operating system created with security as its primary goal
• Mainframe, time-sharing OS developed in mid-1960s
  • GE, Bell Labs, and MIT
• Several MULTICS key players created UNIX
• Late 1970s
  • Microprocessor expanded computing capabilities
  • Mainframe presence reduced
  • Expanded security threats

The 1990s
• Networks of computers became more common
• Need to interconnect networks grew
• Internet became first manifestation of a global network of networks
  • Initially based on de facto standards
• In early Internet deployments, security was treated as a low priority

2000 to Present
• Millions of computer networks communicate
• Many of the communications unsecured
• Ability to secure a computer’s data influenced by the security of every computer to which it is connected
• Growing threat of cyber attacks has increased the need for improved security

Vulnerabilities (figure slide)

What is Security?
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
  • Physical security
  • Personal security
  • Operations security
  • Communications security
  • Network security
  • Information security

What is Security? (cont’d.)
• The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• C.I.A. triangle
  • Was standard based on confidentiality, integrity, and availability
  • Now expanded into list of critical characteristics of information

Key Information Security Concepts
• Access
• Asset
• Attack
• Control, Safeguard, or Countermeasure
• Exploit
• Exposure
• Loss
• Protection Profile or Security Posture
• Risk
• Subjects and Objects
• Threat
• Threat Agent
• Vulnerability

Figure 1-3 Components of Information Security

Key Information Security Concepts (cont’d.)
• Computer can be subject of an attack
• Computer can be the object of an attack
• When the subject of an attack
  • Computer is used as an active tool to conduct attack
• When the object of an attack
  • Computer is the entity being attacked

Figure 1-5 – Subject and Object of Attack
Figure 1-5 Computer as the Subject and Object of an Attack

Critical Characteristics of Information
• The value of information comes from the characteristics it possesses:
  • Availability
  • Accuracy
  • Authenticity
  • Confidentiality
  • Integrity
  • Utility
  • Possession

CNSS Security Model
Figure 1-6 The McCumber Cube

Components of an Information System
• Information system (IS) is entire set of components necessary to use information as a resource in the organization
  • Software
  • Hardware
  • Data
  • People
  • Procedures
  • Networks

Balancing Information Security and Access
• Impossible to obtain perfect security
  • Process, not an absolute
• Security should be considered balance between protection and availability
• Must allow reasonable access, yet protect against threats

Figure 1-6 – Balancing Security and Access
Figure 1-8 Balancing Information Security and Access

Approaches to Information Security Implementation: Bottom-Up Approach
• Grassroots effort - systems administrators drive
• Key advantage: technical expertise of individual administrators
• Seldom works
  • Lacks number of critical features:
    • Participant support
    • Organizational staying power

Approaches to Information Security Implementation: Top-Down Approach
• Initiated by upper management
  • Issue policy, procedures, and processes
  • Dictate goals and expected outcomes of project
  • Determine accountability for each required action
• Most successful
  • Involves formal development strategy
    • Systems development life cycle

Figure 1-9 Approaches to Information Security Implementation

The Systems Development Life Cycle
• Systems Development Life Cycle (SDLC):
  • Methodology for design and implementation of information system
• Methodology:
  • Formal approach to problem solving
  • Based on structured sequence of procedures
• Using a methodology:
  • Ensures a rigorous process
  • Increases probability of success
• Traditional SDLC consists of six general phases

Figure 1-10 SDLC Waterfall Methodology

Investigation
• What problem is the system being developed to solve?
• Objectives, constraints, and scope of project specified
• Preliminary cost-benefit analysis developed
• At end
  • Feasibility analysis performed
  • Assess economic, technical, and behavioural feasibilities

Analysis
• Consists of assessments of:
  • The organization
  • Current systems
  • Capability to support proposed systems
• Determine what new system is expected to do
• Determine how it will interact with existing systems
• Ends with documentation

Logical Design
• Main factor is business need
• Applications capable of providing needed services are selected
• Necessary data support and structures identified
• Technologies to implement physical solution determined
• Feasibility analysis performed at the end

Physical Design
• Technologies to support the alternatives identified and evaluated in the logical design are selected
• Components evaluated on make-or-buy decision
• Feasibility analysis performed
• Entire solution presented to end-user representatives for approval

Implementation
• Needed software created
• Components ordered, received, and tested
• Users trained and documentation created
• Feasibility analysis prepared
• Users presented with system for performance review and acceptance test

Maintenance and Change
• Longest and most expensive phase
• Tasks necessary to support and modify system
• Lasts for product’s useful life
• Life cycle continues
  • Process begins again from the investigation phase
• When current system can no longer support the organization’s mission, a new project is implemented

The Security Systems Development Life Cycle
• The same phases used in traditional SDLC
  • Need to be adapted to support implementation of an IS project
• Identify specific threats and create controls to counter them
• SecSDLC is a coherent program, not a series of random, seemingly unconnected actions

Investigation
• Identifies process, outcomes, goals, and constraints of the project
• Begins with Enterprise Information Security Policy (EISP)
• Organizational feasibility analysis is performed

Analysis
• Documents from investigation phase are studied
• Analysis of existing security policies or programs
• Analysis of documented current threats and associated controls
• Analysis of relevant legal issues that could impact design of the security solution
• Risk management task begins

Logical Design
• Creates and develops blueprints for information security
• Incident response actions planned:
  • Continuity planning
  • Incident response
  • Disaster recovery
• Feasibility analysis to determine whether project should be continued or outsourced

Physical Design
• Needed security technology is evaluated
• Alternatives are generated
• Final design is selected
• At end of phase, feasibility study determines readiness of organization for project

Implementation
• Security solutions are acquired, tested, implemented, and tested again
• Personnel issues evaluated; specific training and education programs conducted
• Entire tested package is presented to management for final approval

Maintenance and Change
• Perhaps the most important phase, given the ever-changing threat environment
• Often, repairing damage and restoring information is a constant duel with an unseen adversary
• Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve

Security Professionals and the Organization
• Wide range of professionals required to support a diverse information security program
• Senior management is key component
• Additional administrative support and technical expertise are required to implement details of IS program

Senior Management
• Chief Information Officer (CIO)
  • Senior technology officer
  • Primarily responsible for advising senior executives on strategic planning
• Chief Information Security Officer (CISO)
  • Primarily responsible for assessment, management, and implementation of IS in the organization
  • Usually reports directly to the CIO

Information Security Project Team
• A number of individuals who are experienced in one or more facets of required technical and nontechnical areas:
  • Champion
  • Team leader
  • Security policy developers
  • Risk assessment specialists
  • Security professionals
  • Systems administrators
  • End users

Data Responsibilities
• Data owner: responsible for the security and use of a particular set of information
• Data custodian: responsible for storage, maintenance, and protection of information
• Data users: end users who work with information to perform their daily jobs supporting the mission of the organization

Communities of Interest
• Group of individuals united by similar interests/values within an organization
  • Information security management and professionals
  • Information technology management and professionals
  • Organizational management and professionals

Information Security: Is it an Art or a Science?
• Implementation of information security often described as combination of art and science
• “Security artisan” idea: based on the way individuals perceive systems technologists since computers became commonplace

Security as Art
• No hard and fast rules nor many universally accepted complete solutions
• No manual for implementing security through entire system

Security as Science
• Dealing with technology designed to operate at high levels of performance
• Specific conditions cause virtually all actions that occur in computer systems
• Nearly every fault, security hole, and systems malfunction is a result of interaction of specific hardware and software
• If developers had sufficient time, they could resolve and eliminate faults

Security as a Social Science
• Social science examines the behaviour of individuals interacting with systems
• Security begins and ends with the people that interact with the system
• Security administrators can greatly reduce levels of risk caused by end users, and create more acceptable and supportable security profiles