ITM 2206 INFORMATION SECURITY AND ETHICS

Chapter 1
Introduction to Information
Security
 Slide 2

LEARNING OBJECTIVES:
Upon completion of this chapter you should be able to:
• Understand what information security is and how it came to
mean what it does today.
• Comprehend the history of computer security and how it
evolved into information security.
• Understand the key terms and critical concepts of
information security as presented in the chapter.
• Outline the phases of the security systems development life
cycle.
• Understand the role professionals involved in information
security in an organizational structure.
 Slide 3

WHAT IS INFORMATION SECURITY?

Information security in today’s enterprise is a “well-informed

sense of assurance that the information risks and controls are
in balance.” –Jim Anderson, Inovant (2002)
 Slide 4

THE HISTORY OF INFORMATION SECURITY

• Computer security began immediately after the first mainframes were
developed

• Groups developing code-breaking computations during World War II

created the first modern computers

• Physical controls were needed to limit access to authorized personnel to

sensitive military locations

• Only simple controls were available to defend against physical theft,

espionage, and sabotage
 Slide 5

FIGURE 1-1 – THE ENIGMA

 Slide 6

THE 1960S
• Department of Defense’s Advanced Research Project Agency
(ARPA) began examining the feasibility of a redundant networked
communications

• Larry Roberts developed the project from its inception

 Slide 7

FIGURE 1-2 - ARPANET

 Slide 8

THE 1970S AND 80S

• ARPANET grew in popularity as did its potential for

misuse
• Fundamental problems with ARPANET security were
identified
• No safety procedures for dial-up connections to the
ARPANET
• User identification and authorization to the system were non-
existent
• In the late 1970s the microprocessor expanded
computing capabilities and security threats
 Slide 9

R-609 – THE START OF THE STUDY OF

COMPUTER SECURITY
• Information Security began with Rand Report R-609
• The scope of computer security grew from physical security to
include:
• Safety of the data
• Limiting unauthorized access to that data
• Involvement of personnel from multiple levels of the organization
 Slide 10

THE 1990S
• Networks of computers became more common, so too did the need
to interconnect the networks

• Resulted in the Internet, the first manifestation of a global network

of networks

• In early Internet deployments, security was treated as a low priority

 Slide 11

THE PRESENT

• The Internet has brought millions of computer networks into

communication with each other – many of them unsecured

• Ability to secure each now influenced by the security on every

computer to which it is connected
 Slide 12

WHAT IS SECURITY?
• “The quality or state of being secure--to be free
from danger”
• To be protected from opponent
• A successful organization should have multiple
layers of security in place:
• Physical security
• Personal security
• Operations security
• Communications security
• Network security
 Slide 13

WHAT IS INFORMATION SECURITY?

• The protection of information and its critical elements,
including the systems and hardware that use, store, and
transmit that information
•
• Tools, such as policy, awareness, training, education, and
technology are necessary in order to protect from danger.

• The C.I.A. triangle was the standard based on

confidentiality, integrity, and availability

• The C.I.A. triangle has expanded into a list of critical

characteristics of information
 Slide 14

CRITICAL CHARACTERISTICS OF INFORMATION

The value of information comes from the characteristics it

possesses.
• Availability
• Accuracy
• Authenticity
• Confidentiality
• Integrity
• Utility
• Possession
 Slide 15
The National Security Telecommunications and Information
Systems Security Committee (NSTISSC)

FIGURE 1-3 – NSTISSC SECURITY MODEL

 Slide 16

COMPONENTS OF AN INFORMATION SYSTEM

• To fully understand the importance of information

security, you need to know the elements of an
information system

• An Information System (IS) is much more than computer

hardware; it is the entire set of software, hardware, data,
people, and procedures necessary to use information as
a resource in the organization
 Slide 17

SECURING THE COMPONENTS

• The computer can be either or both the subject of an
attack and/or the object of an attack

• When a computer is
• the subject of an attack, it is used as an active tool to
conduct the attack
• the object of an attack, it is the entity being attacked
 Slide 18

FIGURE 1-5 – SUBJECT AND OBJECT OF ATTACK

 Slide 19

BALANCING SECURITY AND ACCESS

• It is impossible to obtain perfect security - it is not an
absolute; it is a process

• Security should be considered a balance between

protection and availability

• To achieve balance, the level of security must allow

reasonable access, yet protect against threats
 Slide 20

FIGURE 1-6 – BALANCING SECURITY AND ACCESS

 Slide 21

BOTTOM UP APPROACH
• Security from a grass-roots effort - systems
administrators attempt to improve the security of
their systems

• Key advantage - technical expertise of the

individual administrators

• Seldom works, as it lacks a number of critical

features:
• participant support
• organizational staying power
 Slide 22

FIGURE 1-7 – APPROACHES TO SECURITY IMPLEMENTATION

 Slide 23

TOP-DOWN APPROACH
• Initiated by upper management:
• issue policy, procedures, and processes
• dictate the goals and expected outcomes of the project
• determine who is accountable for each of the required actions

• This approach has strong upper management support, a

dedicated champion, dedicated funding, clear planning, and
the chance to influence organizational culture

• May also involve a formal development strategy referred to

as a systems development life cycle
• Most successful top-down approach
 Slide 24

THE SYSTEMS DEVELOPMENT LIFE CYCLE

• Information security must be managed in a manner
similar to any other major system implemented in the
organization

• Using a methodology
• ensures a rigorous process
• avoids missing steps

• The goal is creating a comprehensive security

posture/program
 Slide 25

FIGURE 1-8 – SDLC WATERFALL METHODOLOGY

 Slide 26

SDLC AND THE SECSDLC

• The SecSDLC may be
• event-driven - started in response to some occurrence or
• plan-driven - as a result of a carefully developed
implementation strategy

• At the end of each phase comes a structured review

 Slide 27

INVESTIGATION
• What is the problem with the system being
developed and need to solve?

• The objectives, constraints, and scope of the project are

specified
• A preliminary cost/benefit analysis is developed
• A feasibility analysis is performed to assesses the
economic, technical, and behavioral feasibilities of the
process
 Slide 28

ANALYSIS
• Consists primarily of
• assessments of the organization
• the status of current systems
• capability to support the proposed systems

• Analysts begin to determine

• what the new system is expected to do
• how the new system will interact with existing systems

• Ends with the documentation of the findings and a feasibility

analysis update
 Slide 29

LOGICAL DESIGN
• Based on business need, applications are selected
capable of providing needed services
•
• Based on applications needed, data support and structures
capable of providing the needed inputs are identified

• Finally, based on all of the above, select specific ways to

implement the physical solution are chosen

• At the end, another feasibility analysis is performed

 Slide 30

PHYSICAL DESIGN
• Specific technologies are selected to support the alternatives identified and
evaluated in the logical design

• Selected components are evaluated based on a make-or-buy decision

• Entire solution is presented to the end-user representatives for approval

 Slide 31

IMPLEMENTATION
• Components are ordered, received, assembled, and tested

• Users are trained and documentation created

• Users are then presented with the system for a performance

review and acceptance test
 Slide 32

MAINTENANCE AND CHANGE

• Tasks necessary to support and modify the system for the remainder of its
useful life

• The life cycle continues until the process begins again from the
investigation phase

• When the current system can no longer support the mission of the
organization, a new project is implemented
 Slide 33

SECURITY SYSTEMS DEVELOPMENT

LIFE CYCLE
• The same phases used in the traditional SDLC adapted to support the
specialized implementation of a security project

• Basic process is identification of threats and controls to counter them

• The SecSDLC is a coherent program rather than a series of random,

seemingly unconnected actions
 Slide 34

INVESTIGATION
• Identifies process, outcomes and goals of the project, and constraints

• Begins with a statement of program security policy

• Teams are organized, problems analyzed, and scope defined, including

objectives, and constraints not covered in the program policy

• An organizational feasibility analysis is performed

 Slide 35

ANALYSIS
• Analysis of existing security policies or programs, along with documented
current threats and associated controls

• Includes an analysis of relevant legal issues that could impact the design
of the security solution

• The risk management task (identifying, assessing, and evaluating the

levels of risk) also begins
 Slide 36

LOGICAL & PHYSICAL DESIGN

• Creates blueprints for security

• Critical planning and feasibility analyses to determine whether or not the

project should continue

• In physical design, security technology is evaluated, alternatives

generated, and final design selected

• At end of phase, feasibility study determines readiness so all parties

involved have a chance to approve the project
 Slide 37

IMPLEMENTATION
• The security solutions are acquired (made or bought), tested, and
implemented, and tested again

• Personnel issues are evaluated and specific training and education

programs conducted

• Finally, the entire tested package is presented to upper management for

final approval
 Slide 38

MAINTENANCE AND CHANGE

• The maintenance and change phase is perhaps most important, given the
high level of ingenuity in today’s threats

• The reparation and restoration of information is a constant duel with an

often unseen adversary

• As new threats emerge and old threats evolve, the information security
profile of an organization requires constant adaptation
 Slide 39

SECURITY PROFESSIONALS AND THE

ORGANIZATION
• It takes a wide range of professionals to support a diverse information security
program

• To develop and execute specific security policies and procedures, additional

administrative support and technical expertise is required
 Slide 40

SENIOR MANAGEMENT
• Chief Information Officer
• the senior technology officer
• primarily responsible for advising the senior executive(s) for
strategic planning

• Chief Information Security Officer

• responsible for the assessment, management, and
implementation of securing the information in the organization
• may also be referred to as the Manager for Security, the
Security Administrator, or a similar title
 Slide 41

SECURITY PROJECT TEAM

A number of individuals who are experienced in one or
multiple requirements of both the technical and non-
technical areas:
• The champion
• The team leader
• Security policy developers
• Risk assessment specialists
• Security professionals
• Systems administrators
• End users
 Slide 42

DATA OWNERSHIP
• Data Owner - responsible for the security and use of a
particular set of information

• Data Custodian - responsible for the storage, maintenance,

and protection of the information

• Data Users - the end systems users who work with the
information to perform their daily jobs supporting the mission
of the organization
 Slide 43

COMMUNITIES OF INTEREST
• Each organization develops and maintains its own
unique culture and values. Within that corporate
culture, there are communities of interest:

• Information Security Management and Professionals

• Information Technology Management and Professionals
• Organizational Management and Professionals
 Slide 44

INFORMATION SECURITY: IS IT AN
ART OR A SCIENCE?
• With the level of complexity in today’s information systems, the
implementation of information security has often been described as a
combination of art and science
 Slide 45

SECURITY AS ART
• No hard and fast rules nor are there many universally accepted complete
solutions

• No magic user’s manual for the security of the entire system

• Complex levels of interaction between users, policy, and technology controls

 Slide 46

SECURITY AS SCIENCE
• Dealing with technology designed to perform at high levels of
performance

• Specific conditions cause virtually all actions that occur in computer

systems

• Almost every fault, security hole, and systems malfunction is a result

of the interaction of specific hardware and software

• If the developers had sufficient time, they could resolve and eliminate
these faults
 Slide 47

SECURITY AS A SOCIAL SCIENCE

• Social science examines the behavior of individuals interacting with
systems

• Security begins and ends with the people that interact with the
system

• End users may be the weakest link in the security chain

• Security administrators can greatly reduce the levels of risk caused

by end users, and create more acceptable and supportable
security profiles