SECURITY


Introduction to Information Security

ITSECUR 01



A Brief History of Information Security


● 1940s - Need to secure communication code-breaking mainframes during WWII
○ Straightforward approach of preventing physical theft of equipment, espionage and sabotage

● 1960s – More mainframes with more sophisticated tasks == communication
○ Birth of ARPANET – first networked communication system


● 1970s and 80s – sudden growth of users (and misusers) of ARPANET, birth of
PCs and the client-server concept
○ Expansion of security beyond physical protection to include data and personnel
○ Rand Report R-609 identified management and policy issues


● 1990s – The Internet becomes available to the public -> pervasive technology
○ De facto standards had little security assurance
○ Users were scientists who were presumed to be trustworthy

● 2000 to present – millions of computer networks communicate on the Internet
○ Growing awareness of need to improve infosec
○ Realization that infosec is a national defense aspect

What Does Information Security Involve?


● It’s not just about computers!

● Has a wide base that touches different areas of an organization that are
interrelated
○ People
○ Process
○ Technology
■ Network
■ Data

Essential Terminologies
Information

● Has value to an individual or an organization


● Exists in many forms
○ Can be printed or written on paper
○ Stored electronically
○ Transmitted by post or using electronic means
○ Shown on films
○ Spoken in conversation

Information is an asset

● Business value generation capability is driven by information

● Must be complete, accurate, and timely

● Basis for competitive advantage

Why does it matter?

Any information always has an equivalent value.

There are consequences when something wrong happens to anything with value.

What is security?

● The quality or state of being free from danger

● Protection from those that would do harm intentionally or unintentionally

What is Information Security?

● Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction

● Protection of data and systems from those who would seek to misuse them

Information Security == Minimizing Risk

THREATS x VULNERABILITIES = RISK

● THREATS: Exploits, DOS, Phishing
● VULNERABILITIES: Insecure Code, Unpatched Applications, Undetected Misconfigurations
● RISK: Breach of Confidentiality, Integrity, and Availability

● Threats: Possible danger (Intent, Opportunity, Capability)
● Vulnerabilities: Weaknesses in a system, service, or process that can be exploited
● Risk: Probability of a threat crossing or touching a vulnerability

Threat?

● Action or event that may compromise security


● A potential violation of security
● Considered as the most important risk component in information
security
● This is due to its three main components:
○ Intent
○ Opportunity
○ Capability

What is Intent?

● Is described as the reason why adversaries are after your organization

● Immutable and is driven by the industry

What is Opportunity?

● Timing and knowledge of the target space

What is Capability?

● Ability of adversaries to successfully achieve their intended goal and leverage opportunity

● Influenced by the adversaries’ skills and resources

Vulnerability?

● Sometimes replaced with exposure, it is the existence of a weakness, or a design or implementation error that can lead to an undesirable event that compromises security

● Both mutable and ephemeral. This is good because it means this component
of risk can be affected by individuals and organizations

● Applying the principle of least privilege, network segmentation, robust system management, and adherence to SDLC best practices are just a few high-level examples of how vulnerability is minimized or reduced, NOT eliminated

● Examples:
○ Buggy application and operating system software
○ Inherent weaknesses in the design of technologies
○ Misconfigured infrastructure devices
○ Weak security practices in an organization
○ Users who lack an understanding of security

What is Information Security?

Therefore we can also say that information security is a set of strategies for managing the processes,
people, and technology needed for managing Threats, Vulnerabilities, and Risk.

CIA Triad - The Three Pillars of Information Security

● Confidentiality (vs. Disclosure): The protection of information from unauthorized access
● Integrity (vs. Alteration): The condition where information is kept accurate and consistent unless authorized changes are made
● Availability (vs. Destruction): The situation where information is available when and where it is rightly needed

Exploit

● A defined way to breach the security of an IT system through a vulnerability

● Examples
○ ETERNALBLUE SMBv1 Remote Code Execution Exploit
○ CVE-2018-7600 – Drupal remote code execution vulnerability
○ CVE-2018-8174 – DOUBLEKILL Windows VBScript Remote Code Execution Flaw

Attack

● A breach in the security of a protected system that compromises its confidentiality, integrity or availability
● Has different forms:
○ Interception: Unauthorized access to data or resources
○ Interruption: Attacks that cause data or resources to be unusable on a temporary or permanent basis
○ Modification: Tampering with existing data or resources
○ Fabrication: Generating data, process, communications

Conclusion


● Why does a security breach cost so much?


○ Hacking can be used to steal and distribute intellectual property == business loss
○ Availability loss can lead to business downtime == revenue and productivity loss
○ Theft of information can lead to lawsuits and reputation loss

Computers and the information that they carry have become such a big part of our lives that security has become a necessity rather than just a luxury

Possible Careers in Information Security

● Ethical Hacker
● Digital Forensics and Incident Response Expert
● Malware Analyst
● Web Application Penetration Tester
● Chief Information Security Officer
● And a whole lot more!

INFORMATION SECURITY IS EVERYWHERE
