BlueCrest College

Information Security (BIT 327)

Chapter 1
Introduction to Information Security
Pkd2013@yahoo.co.uk
0201849384

Learning Objectives
Understand what information security is and how it came to
mean what it does today.
Comprehend the history of computer security and how it
evolved into information security.
Understand the key terms and critical concepts of information
security as presented in the chapter.
Outline the phases of the security systems development life
cycle.
Understand the role professionals involved in information
security in an organizational structure.
Understand the business need for information security.
Understand a successful information security program is the
responsibility of an organizations general management and IT
management.
Understand the some threats posed to information security
and the more common attacks associated with those threats.

Introduction
security
Some hundreds of years ago, we would have been
making living on agriculture.
Say a hundred years ago you were likely to be making
a living working in a factory.
Today, we live in the information age where everyone
has a job somehow connected to information stored
in digital form on a network.

The History Of Information

Security

Computer security began immediately after the

first mainframes were developed
Physical controls were needed to limit access to
authorized personnel to sensitive military
locations
Only rudimentary controls were available to
defend against physical theft, espionage, and
sabotage

The 1960s
Department of Defenses Advanced Research
Project Agency (ARPA) began examining the
feasibility of a redundant networked
communications

The 1970s and 80s

ARPANET grew in popularity as did its potential
for misuse
Fundamental problems with ARPANET security
were identified
No safety procedures for dial-up connections
to the ARPANET
User identification and authorization to the
system were non-existent
In the late 1970s the microprocessor expanded
computing capabilities and security threats

R-609 The Start of the Study of

Computer Security
Information Security began with Rand Report
R-609
The scope of computer security grew from
physical security to include:
Safety of the data
Limiting unauthorized access to that data
Involvement of personnel from multiple levels of
the organization

The 1990s
Networks of computers became more
common, so too did the need to interconnect
the networks
Resulted in the Internet, the first
manifestation of a global network of networks
In early Internet deployments, security was
treated as a low priority

The Present
The Internet has brought millions of computer
networks into communication with each
other many of them unsecured
Ability to secure each now influenced by the
security on every computer to which it is
connected

What is Security?
The quality or state of being secureto be
free from danger
A successful organization should have multiple
layers of security in place:

Physical security
Personal security
Operations security
Communications security
Network security
Information security

Critical Characteristics of Information

The value of information comes from the
characteristics it possesses:

Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession

Components of an Information System

Information system (IS) is the entire set of
software, hardware, data, people, procedures,
and networks necessary to use information as
a resource in the organisation

Bottom Up Approach
Security from a grass-roots effort - systems
administrators attempt to improve the security
of their systems
Key advantage - technical expertise of the
individual administrators
Seldom works, as it lacks a number of critical
features:
participant support
organizational staying power

Top-down Approach
Initiated by upper management:
issue policy, procedures, and processes
dictate the goals and expected outcomes of the
project
determine who is accountable for each of the
required actions
This approach has strong upper management support,
a dedicated champion, dedicated funding, clear
planning, and the chance to influence organizational
culture
May also involve a formal development strategy
referred to as a systems development life cycle
Most successful top-down approach

The Systems Development Life

Cycle
Information security must be managed in a
manner similar to any other major system
implemented in the organization
Using a methodology
ensures a rigorous process
avoids missing steps

The goal is creating a comprehensive security

posture/program

The Security Systems Development Life Cycle

The same phases used in traditional SDLC may be
adapted to support specialized implementation of an IS
project

Investigation
Analysis
Logical design
Physical design
Implementation
Maintenance & change

Identification of specific threats and creating controls to

counter them

SecSDLC is a coherent program rather than a

series of random, seemingly unconnected actions

Investigation
Identifies process, outcomes, goals, and
constraints of the project
Begins with enterprise information security
policy
Organizational feasibility analysis is performed

Analysis
Documents from investigation phase are studied

Analyzes existing security policies or programs,

along with documented current threats and
associated controls
Includes analysis of relevant legal issues that
could impact design of the security solution
The risk management task begins

Logical Design
Creates and develops blueprints for information
security
Incident response actions planned:
Continuity planning

Incident response
Disaster recovery

Feasibility analysis to determine whether project

should continue or be outsourced

Physical Design
Needed security technology is evaluated,
alternatives generated, and final design
selected
At end of phase, feasibility study determines
readiness of organization for project

Implementation
Security solutions are acquired, tested,
implemented, and tested again
Personnel issues evaluated; specific training
and education programs conducted
Entire tested package is presented to
management for final approval

Maintenance and Change

Perhaps the most important phase, given the
ever-changing threat environment
Often, reparation and restoration of information
is a constant duel with an unseen adversary
Information security profile of an organization
requires constant adaptation as new threats
emerge and old threats evolve

Professionals involved in information security

within an organization
Senior Management
Chief Information Officer (CIO)
Senior technology officer
Primarily responsible for advising senior executives on
strategic planning

Chief Information Security Officer (CISO)

Primarily responsible for assessment, management,
and implementation of IS in the organization
Usually reports directly to the CIO

Information Security Project Team

A number of individuals who are experienced
in one or more facets of required technical
and nontechnical areas:

Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users

Data Ownership
Data owner: responsible for the security and
use of a particular set of information
Data custodian: responsible for storage,
maintenance, and protection of information
Data users: end users who work with
information to perform their daily jobs
supporting the mission of the organization

How Can Information Security Be Achieved

Information Security is achieved by implementing a suitable set of controls, which
could be:
These controls need to be established in order to ensure that the specific security
objectives of the organization are met.

Passwords
will be 8
characters
long

Passwords
should include
one non-alpha
and not found
in dictionary

Access to
network resource
will be granted
through a unique
user ID and
password

What is Information Security?

The concepts, techniques, technical measures, and
administrative measures used to protect information assets
from deliberate or inadvertent unauthorised acquisition,
damage, disclosure, manipulation, modification, loss, or use is
information security.
or
means protecting information and information systems from
unauthorised access, use, disclosure, modification or
destruction.
or
Implementing suitable controls - policies, practices,
procedures, organisational structures, software, etc, to
secure information for any information user.

 The protection of information and its critical

elements, including systems and hardware
that use, store, and transmit that information
Necessary tools: policy, awareness, training,
education, technology

C.I.A. triangle was standard based on

confidentiality, integrity, and availability
C.I.A. triangle now expanded into list of critical
characteristics of information

Information Security Goals

Confidentiality - making sure that those who should
not see the information can not see it.
Integrity - making sure the information has not been
changed from how it was intended to be.
Availability making sure the information is available
for use when needed.

Security Goals
Confidentiality

Integrity

Availability

Securing Components
Computer can be subject of an attack and/or the
object of an attack
When the subject of an attack, computer is used as an
active tool to conduct attack
When the object of an attack, computer is the entity
being attacked

Balancing security and access

Balancing Information Security and Access

Impossible to obtain perfect securityit is a
process, not an absolute
Security should be considered balance
between protection and availability
To achieve balance, level of security must
allow reasonable access, yet protect against
threats

The Need for Information Security

Business Needs First
Technology Needs Last
Information security performs three important functions
for an organization:
Protects the organizations ability to function
Communities of interest must argue for information security in
terms of impact and cost

Enables the safe operation of applications implemented on

the organizations IT systems
Organizations must create integrated, efficient, and capable
applications
Organization need environments that safeguard applications

 Protects the data the organization collects and

uses
One of the most valuable assets is data
Without data, an organization loses its record of
transactions and/or its ability to deliver value to its
customers
An effective information security program is essential
to the protection of the integrity and value of the
organizations data

Technology Needs
Safeguards the technological assets in use at the
organization
Organizations must have secure infrastructure services
based on the size and scope of the enterprise

Areas of Information System Security

Data security
Computer security
LAN or Network security
Internet security

Major Threats & Issues

Basic Threats
Theft of password
E-mail based threats

E-mail based extortion

Launch of malicious codes (trojans)

Corporate threats
Web defacement
Corporate espionage
Website based launch of malicious code cheating and fraud
Exchange of criminal ideas and tools
Cyber harassment
Forge websites

Online threats
E-mail spamming
Theft of software and electronic records
Cyber stalking
E-mail bombing
Denial of service attacks

Protecting your computer and network

Physical security
Securing desktop computers
Securing laptops/notebooks/handheld computers
Securing network security

Software security
Protect against internet intruders with
firewalls and IDS
Protect against viruses and other malware
Protect against spyware and adware
Protect against unwanted email

General spam protection practices

Do not give out your email address indiscriminately
Leave your email signature line blank if you post to a
newsgroup
Do not reply to junk messages
Do not open obvious spam mails
Report to appropriate person systems
administrator