Chapter 1 Introduction to Information Security


Principles of Information Security, Fourth Edition


Learning Objectives

• Define information security
• Recount the history of computer security, and explain how it evolved into information security
• Define key terms and critical concepts of information security
• Enumerate the phases of the security systems development life cycle
• Describe the information security roles of professionals within an organization


Introduction

• Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” — Jim Anderson, Inovant (2002)
• Security professionals must review the origins of this field to understand its impact on our understanding of information security today


Information Security Definition

• The protection of information and its elements, including the systems and hardware that use, store, and transmit the information

Threats Start

• World War II: the first mainframes were developed to aid the computations needed for breaking communication codes

Figure 1-1 The Enigma. Source: Courtesy of National Security Agency

Figure 1-2 Development of the Advanced Research Projects Agency Network (ARPANET) Program Plan. Source: Courtesy of Dr. Lawrence Roberts


The 1970s and 80s

• ARPANET grew in popularity, as did its potential for misuse
• Fundamental problems with ARPANET security were identified
  – No safety procedures for dial-up connections to ARPANET
  – Nonexistent user identification and authorization to the system
• Late 1970s: the microprocessor expanded computing capabilities, and with them security threats

The 1970s and 80s (cont’d.)

• Information security began with Rand Report R-609 (the paper that started the study of computer security)
  – Secure physical locations, hardware, and software from threats
• Scope of computer security grew from physical security to include:
  – Safety of data
  – Limiting unauthorized access to data
  – Involvement of personnel from multiple levels of an organization


The 1990s

• Networks of computers became more common; so did the need to interconnect networks
• The Internet became the first manifestation of a global network of networks
• In early Internet deployments, security was treated as a low priority


2000 to Present

• The Internet brings millions of computer networks into communication with each other, many of them unsecured
• The ability to secure a computer’s data is influenced by the security of every computer to which it is connected
• The growing threat of cyber attacks has increased the need for improved security


What is Security?

• The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• C.I.A. triangle
  – Was the standard, based on confidentiality, integrity, and availability
  – Now expanded into a list of critical characteristics of information

Information Security

[Figure: information security diagram, from Wikipedia]

Primary Goals

• The CIA triangle describes the primary goals of information security
  – Confidentiality
    • Making sure that those who should not see information cannot see it
  – Integrity
    • Making sure that the information has not been changed from its original
  – Availability
    • Making sure that the information is available for use when you need it

Critical Characteristics of Information

• The value of information comes from the characteristics it possesses:
  – Availability
  – Accuracy
  – Authenticity
  – Confidentiality
  – Integrity
  – Utility
  – Possession

Key Information Security Concepts

• Access
• Asset
• Attack
• Control, Safeguard, or Countermeasure
• Exploit
• Exposure
• Loss
• Protection Profile or Security Posture
• Risk
• Subjects and Objects
• Threat
• Threat Agent
• Vulnerability

CNSS Security Model (Center for National Security Studies)

Figure 1-6 The McCumber Cube

Components of an Information System

• An information system (IS) is the entire set of components necessary to use information as a resource in the organization
  – Software
  – Hardware
  – Data
  – People
  – Procedures
  – Networks

Data Types

• Public: data that is shown to all end users
• Private/internal: data known only to a group of people within the company and not to outsiders, such as a Personal Identification Number (PIN)


Data Types (cont’d.)

• Confidential: data used by a limited number of private users, which should not be known to the majority of workers
• Secret: data known only to persons of very high authority. Loss of this data may cause critical damage to the company

Balancing Information Security and Access

• Impossible to obtain perfect security; it is a process, not an absolute
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect against threats

Figure 1-8 Balancing Information Security and Access


Approaches to Information Security Implementation: Bottom-Up Approach

• Grassroots effort: systems administrators attempt to improve the security of their systems
• Key advantage: technical expertise of individual administrators
• Seldom works, as it lacks a number of critical features:
  – Participant support
  – Organizational staying power

Security Types

• Physical Security: to protect physical items, objects, or areas
• Personal Security: to protect the individual or group of individuals who are authorized
• Operations Security: to protect the details of a particular operation or activity
• Communications Security: to protect communication media, technology, and content

Security Types (cont’d.)

• Network Security: to protect networking components, connections, and contents
• Information Security: to protect information assets

Approaches to Information Security Implementation: Top-Down Approach

• Initiated by upper management
  – Issue policy, procedures, and processes
  – Dictate goals and expected outcomes of the project
  – Determine accountability for each required action
• The most successful also involve a formal development strategy referred to as the systems development life cycle

Figure 1-9 Approaches to Information Security Implementation

The Systems Development Life Cycle

• Systems Development Life Cycle (SDLC): methodology for the design and implementation of an information system within an organization
• Methodology: formal approach to problem solving based on a structured sequence of procedures
• Using a methodology:
  – Ensures a rigorous process
  – Increases the probability of success
• The traditional SDLC consists of six general phases

Figure 1-10 SDLC Waterfall Methodology

The Security Systems Development Life Cycle

• The same phases used in the traditional SDLC may be adapted to support the specialized implementation of an IS project
  – Investigation
  – Analysis
  – Logical Design
  – Physical Design
  – Implementation
  – Maintenance & Change
• Identification of specific threats and creation of controls to counter them

Senior Management

• Chief Information Officer (CIO)
  – Senior technology officer
  – Primarily responsible for advising senior executives on strategic planning
• Chief Information Security Officer (CISO)
  – Primarily responsible for the assessment, management, and implementation of information security in the organization
  – Usually reports directly to the CIO

Information Security Project Team

• A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
  – Champion
  – Team leader
  – Security policy developers
  – Risk assessment specialists
  – Security professionals
  – Systems administrators
  – End users

Information Security: Is it an Art or a Science?

• Implementation of information security is often described as a combination of art and science
• The “security artisan” idea

Security as Art

• No hard and fast rules, nor many universally accepted complete solutions
• No manual for implementing security through an entire system


Security as Science

• Dealing with technology designed to operate at high levels of performance
• Specific conditions cause virtually all actions that occur in computer systems
• Nearly every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software
• If developers had sufficient time, they could resolve and eliminate faults