CHP1

Chapter 1 introduces information security, detailing its evolution from basic physical security to a comprehensive risk management approach. It outlines key concepts, the historical context of computer security, and the importance of various security roles and methodologies in organizations. The chapter emphasizes the balance between security and accessibility, the significance of the CIA triad (confidentiality, integrity, availability), and the collaborative nature of effective information security implementation.

Chapter 1

INTRODUCTION TO INFORMATION SECURITY
Objectives
1. Define the concept of information security;
2. Describe the evolution of computer security into
information security by recounting the history of
computer security;
3. Define the important terms and concepts in
information security;
4. Identify the stages of the development cycle for
security systems; and
5. Describe the functions of information security
specialists in the company.
Information Security in the Past
 Information security, sometimes shortened to InfoSec, is the
practice of protecting information by mitigating information
risks. It is part of information risk management.
 In its early days, information security was a simple procedure,
consisting primarily of physical security and rudimentary
document classification techniques.
The History of Information Security
 Computer security began immediately after the first mainframes
were developed
 Groups developing code-breaking computations during World War II
created the first modern computers
 Physical controls were needed to limit access to sensitive
military locations to authorized personnel
 Only rudimentary controls were available to defend against
physical theft, espionage, and sabotage
[Figure. Source: National Security Agency]
The decade of the 1960s
 The Department of Defense's Advanced Research Projects Agency
(ARPA) began examining the feasibility of redundant, networked
communications
 Larry Roberts developed the project from its inception
[Figure. Source: Courtesy of Dr. Lawrence Roberts]
The 1970s and 1980s
 ARPANET grew in popularity, as did its potential for misuse
 Fundamental problems with ARPANET security were identified:
  No safety procedures for dial-up connections to the ARPANET
  User identification and authorization to the system were
non-existent
 In the late 1970s the microprocessor expanded computing
capabilities, and with them the range of security threats
R-609 - The Start of the Study of
Computer Security
 Information Security began with Rand Report R-
609
 The scope of computer security grew from physical
security to include:
 Safety of the data
 Limiting unauthorized access to that data
 Involvement of personnel from multiple levels of
the organization
The Decade of the 1990s
 As computer networks became more common, so did the need to
connect them to one another
 This resulted in the creation of the Internet, the first global
network of networks
 Early Internet deployments treated security as a low priority
and had security problems as a result
From 2000 to the present
 The Internet brings hundreds of thousands of computer networks
into continuous communication with one another, many of them
unsecured
 The security of each computer's information now depends on the
security of every other computer to which it is connected
Today's IT Environment
 Organizations are more information dependent
 Increased connectivity and availability of systems
 Heavy reliance on technology to be competitive
 High-speed information processing has become indispensable
 Processes and procedures have been made more effective and
efficient
Recent Technologies Impacting Organizations…
 Enterprise Resource Planning (ERP)
 Big Data
 Cloud Computing
 Mobile Device Management
 The Internet of Things (IoT)
Also True…
 White-collar crime, information theft, manipulation, abuse,
computer fraud, etc.
What Exactly is Security?
 "The quality or state of being secure--to be free
from risk or danger"
 To be protected from adversaries
 A successful organization should have multiple
layers of security in place:
 Physical security
 Personnel security
 Operations security
 Communications security
 Network security
Information Security
 The protection of information and its critical elements,
including the systems and hardware that use, store, and transmit
that information
 Tools such as policy, awareness, training, education, and
technology are necessary
 The C.I.A. triangle, based on confidentiality, integrity, and
availability, was the industry standard
 The C.I.A. triangle has since expanded into a longer list of
critical characteristics of information
The Basics of Information Security
 Access – The ability of a subject or object to use, manipulate,
modify, or affect another subject or object.
 Asset – The organizational resource that is being protected.
 Attack – An intentional or unintentional act that can damage or
otherwise compromise information and the systems that support it.
 Control, Safeguard, or Countermeasure – A mechanism, policy, or
procedure that successfully counters attacks, reduces risk, or
otherwise improves the organization's security.
 Exploit – A technique used to compromise a system.
 Exposure – A condition or state of being exposed; in information
security, exposure exists when a vulnerability known to an
attacker is present.
The Basics of Information Security
 Loss – A single instance of an information asset suffering
damage, or unintended or unauthorized modification or disclosure.
 Protection profile or Security posture – The entire set of
controls and safeguards that the organization implements to
protect its assets.
 Risk – The probability that something unwanted will happen.
 Subjects and objects – A computer can be the subject of an attack
(the agent used to conduct it), the object of an attack (the
target), or both.
The Basics of Information Security
 Threat – A category of objects, persons, or other entities that
presents a danger to an asset.
 Threat agent – The specific instance or component of a threat.
 Vulnerability – A weakness or fault in a system or protection
mechanism that opens it to attack or damage.
Identify the threat category

Match each description on the left to a threat category on the right.

Description / Example                                             | Threat Category
-----------------------------------------------------------------|---------------------------------------
Unreliable or untrustworthy systems that may cause untested      | Human error or failure
failure conditions.                                              |
Less experienced person, improper training, wrong assumptions,   | Espionage or trespass
and other circumstances can cause threats to organizational      |
information assets.                                              |
Developer knowingly or unknowingly distributes software with     | Theft
hidden faults.                                                   |
Array of electronic or human activities that can cause threat    | Technical software failures or errors
to information.                                                  |
Using information asset without permission.                      | Technological obsolescence
The CIA Triad
 The value of information comes from the characteristics it
possesses.
 Confidentiality
 Integrity
 Availability
 Accuracy
 Authenticity
 Utility
 Possession
The CIA Triad
 When information is safeguarded from disclosure or
exposure to unauthorized individuals or systems, it is said
to be confidential.
 When information is whole, complete, and uncorrupted, it
has integrity.
 Availability permits authorized users – persons or
computer systems, to access information without
interference or obstruction and to receive it in the proper
format.
The CIA Triad
 The attribute or state of having value for some goal or end
is known as information utility.
 If one acquires information, regardless of format or other
features, it is said to be in one’s possession or custody.
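The integrity and authenticity characteristics above can be checked mechanically. The following Python example is added here and is not part of the original chapter; the shared key and the payroll record in it are constructed for illustration. It shows why an unkeyed checksum only catches accidental corruption, while a keyed MAC (HMAC-SHA256) also detects deliberate tampering by anyone who lacks the key, which is what makes the record's origin authentic as well as the record intact. Neither mechanism provides confidentiality: the record stays readable by whoever holds it.

```python
"""Integrity and authenticity check with a keyed MAC (HMAC-SHA256).

Added example for the CIA-triad discussion: a record is 'whole,
complete and uncorrupted' only while its tag still verifies.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

TAG_LEN = 32  # SHA-256 / HMAC-SHA256 output size in bytes

# Hypothetical shared secret for this example only. In practice generate
# it with secrets.token_bytes(32) and keep it out of source control.
KEY = b"example-key-do-not-reuse-0123456789abcdef"

# Constructed sample record (a payroll line).
RECORD = b"employee=1042;salary=54000;currency=USD"


def naive_protect(record: bytes) -> bytes:
    """Append an UNKEYED SHA-256 digest. Detects accidental corruption only."""
    return record + hashlib.sha256(record).digest()


def naive_verify(blob: bytes) -> Tuple[bool, bytes]:
    """Recompute the unkeyed digest; anyone can do this, including an attacker."""
    if len(blob) < TAG_LEN:
        return False, b""
    record, digest = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(digest, hashlib.sha256(record).digest()), record


def protect(record: bytes, key: bytes = KEY) -> bytes:
    """Append HMAC-SHA256(key, record): integrity plus origin authenticity."""
    return record + hmac.new(key, record, hashlib.sha256).digest()


def verify(blob: bytes, key: bytes = KEY) -> Tuple[bool, bytes]:
    """Recompute the keyed tag and compare it in constant time.

    Returns (ok, record). The record must not be trusted when ok is False.
    """
    if len(blob) < TAG_LEN:
        return False, b""
    record, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), record


def bit_flip(blob: bytes, index: int) -> bytes:
    """Simulate corruption in storage or transit: flip one bit of the blob."""
    buf = bytearray(blob)
    buf[index] ^= 0x01
    return bytes(buf)


def attacker_rewrite_naive(new_record: bytes) -> bytes:
    """An attacker who can change the record can also recompute an unkeyed hash,
    so the forged blob passes naive_verify()."""
    return naive_protect(new_record)


def attacker_rewrite_keyed(new_record: bytes) -> bytes:
    """Without KEY the attacker can only tag with a guessed key; verify() fails."""
    return protect(new_record, key=secrets.token_bytes(32))


if __name__ == "__main__":
    forged = b"employee=1042;salary=999000;currency=USD"
    print("keyed, untouched :", verify(protect(RECORD))[0])                 # True
    print("keyed, bit flip  :", verify(bit_flip(protect(RECORD), 0))[0])    # False
    print("unkeyed, forged  :", naive_verify(attacker_rewrite_naive(forged))[0])  # True (bad)
    print("keyed, forged    :", verify(attacker_rewrite_keyed(forged))[0])  # False (good)
```

The keyed check is only as strong as the secrecy of `KEY`: an attacker who obtains the key can forge tags exactly as in the unkeyed case, which is why key management sits alongside the MAC in any real design.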
Components of Information System
Securing the components
 The computer can be the subject of an attack, the object of an
attack, or both
 When a computer is
  the subject of an attack, it is used as an active tool to
conduct the attack
  the object of an attack, it is the entity being attacked
Balancing Information Security
and Access
 It is impossible to obtain perfect security – it is not an
absolute; it is a process
 Security should be considered a balance between protection
and availability
 To achieve balance, the level of security must allow
reasonable access, yet protect against threats
Approaches to Information Security Implementation
 Implementation of information security in an organization must
start somewhere and cannot happen overnight.
 Securing information assets is a gradual process that requires
teamwork, time, and patience.
Bottom-up approach
 Security from a grassroots effort – systems administrators
attempt to improve the security of their own systems
 Key advantage: the technical expertise of the individual
administrators
 Seldom works, as it lacks a number of critical features:
  Participant support
  Organizational staying power
The Systems Development Life
Cycle
 Information security must be managed in a manner similar
to any other major system implemented in the organization
 Using a methodology
 ensures a rigorous process
 avoids missing steps
 The goal is creating a comprehensive security
posture/program
Methodology and Phases
 The SecSDLC may be
  event-driven – started in response to some occurrence, or
  plan-driven – the result of a carefully developed
implementation strategy
 At the end of each phase comes a structured review
Methodology and Phases
 Investigation
 Analysis
 Logical Design
 Physical Design
 Implementation
 Maintenance & Change
Investigation
 What is the problem the system is being developed to solve?
 The objectives, constraints, and scope of the project are
specified
 A preliminary cost/benefit analysis is developed
 A feasibility analysis is performed to assess the economic,
technical, and behavioral feasibilities of the process
Analysis
 Consists primarily of
 assessments of the organization
 the status of current systems
 capability to support the proposed systems
 Analysts begin to determine
 what the new system is expected to do
 how the new system will interact with existing systems
 Ends with the documentation of the findings and a
feasibility analysis update
Logical Design
 Based on business need, applications capable of providing the
needed services are selected
 Based on the applications needed, data support and structures
capable of providing the needed inputs are identified
 Finally, based on all of the above, specific ways to implement
the physical solution are chosen
 At the end, another feasibility analysis is performed
Physical Design
 Specific technologies are selected to support the
alternatives identified and evaluated in the logical design
 Selected components are evaluated based on a make-or-buy
decision
 Entire solution is presented to the end-user representatives
for approval
Implementation
 Components are ordered, received, assembled, and tested
 Users are trained and documentation created
 Users are then presented with the system for a performance
review and acceptance test
Maintenance & Change
 Tasks necessary to support and modify the system for the
remainder of its useful life
 The life cycle continues until the process begins again from
the investigation phase
 When the current system can no longer support the mission
of the organization, a new project is implemented
Security Professionals and the Organization
 It takes a wide range of professionals to support a diverse
information security program
 To develop and execute specific security policies and
procedures, additional administrative support and technical
expertise are required.
 Senior Management
  Chief Information Officer (CIO) – The senior technology officer
  Chief Information Security Officer (CISO) – May also be
referred to as the Manager for Security, the Security
Administrator, or a similar title.
Information Security Project
Team
 A number of individuals who are experienced in one or
multiple requirements of both the technical and non-
technical areas:
 The champion
 The team leader
 Security policy developers
 Risk assessment specialists
 Security professionals
 Systems administrators
 End users
Data Ownership
 Data Owner – responsible for the security and use of a
particular set of information
 Data Custodian – responsible for the storage,
maintenance, and protection of the information
 Data Users – the end systems users who work with the
information to perform their daily jobs supporting the
mission of the organization
Security as Art
 No hard and fast rules nor are there many universally
accepted complete solutions
 No magic user's manual for the security of the entire system
 Complex levels of interaction between users, policy, and
technology controls
Security as Science
 Dealing with technology designed to perform at high levels
of performance
 Specific conditions cause virtually all actions that occur in
computer systems
 Almost every fault, security hole, and systems malfunction
is a result of the interaction of specific hardware and
software
 If the developers had sufficient time, they could resolve and
eliminate these faults
Security as Social Science
 Social science examines the behavior of individuals
interacting with systems
 Security begins and ends with the people that interact with
the system
 End users may be the weakest link in the security chain
 Security administrators can greatly reduce the levels of risk
caused by end users, and create more acceptable and
supportable security profiles
END OF CHAPTER 1
