
Bachelors in ICT

By

Ezer Osei Yeboah-Boateng, Ph.D.


Food4Thought

2
Books & Resources
 Principles of Information Security, 4th Edition, 2011, by
Michael Whitman & Herbert Mattord, Cengage
Learning.
 A Practical Guide to Security Engineering &
Information Assurance, by Debra S. Hermann, CRC
Press, 2002.
 A Guide to Computer Security, by Joseph M. Kizza,
Springer, 2009.
 Information Security Management Handbook, edited
by Ed. Skoudis, CRC Press, 2002.

3
Learning Outcomes
 To discuss the fact that information security goes
beyond technical controls and encompasses people,
technology, policy, and operations in a way that few
other business objectives do.
 To discuss areas which are essential for the successful
and strategic execution of the CISO’s responsibilities.

4
InfoSec Essentials
 Cyber-security is NOT an IT problem; it is a Business
problem.
 Information security is defined as the protection of
information and information systems from
unauthorized access, use, disclosure, disruption,
modification or destruction.
 There are 3 main cyber-security processes:
 Prevention;
 Detection;
 Recovery.

5
InfoSec Essentials
 Key objectives of Information Security:
 Intelligence;
 Trusted alliances;
 Innovative thinking;
 Risk management (liability protection);
 Compliance challenges:
 Contractual;
 Statutory & Regulatory;
 Industry Standards.

6
InfoSec Essentials
 CISO’s Key Functions:
 Information & Computer Security;
 Business Continuity or Continuity of Operations (CCOP) or
Disaster Recovery Planning;
 Privacy;
 Critical Infrastructure Protection Policy;
 Emergency Communications.

7
InfoSec Essentials
• Strategic Security Plan Elements:
• Organization & Authority Controls;
• Policy;
• Risk Management Program;
• Intelligence program;
• Audit & Compliance Program;
• Privacy Program;
• Incident Management;
• Education & Awareness program;
• Operational Management;
• Technical Security & Access Controls;
• Monitoring, Measurement & Reporting;
• Physical & Environment Security;
• Asset Identification & Classification;
• Employee & Related Account Management Practices.

8
InfoSec Essentials
 The Moving parts of InfoSec:
 Governance;
 Policy;
 Organizational;
 Personnel (incl. background checks);
 Access controls;
 Risk management;
 Technology oversight (e.g. what are your security
requirements?);
 Compliance;
 Incident Response;
 Forensics & investigations;
 Legal;
 Cryptography.

9
InfoSec Essentials
 Unintended consequences of embracing the Internet:
 1 in 25 end-users are sociopathic???
 That is, in the world of networked computers, every
sociopath is your neighbor…
 “A person with a personality disorder manifesting itself
in extreme antisocial attitudes and behavior and a lack
of conscience.” – definition of Sociopath or psychopath

10
InfoSec Essentials

11
InfoSec Essentials
3R’s of Accountable Systems (4th dimension “R” added by Endicott-Popovsky):

| Survivability | Strategy | Tools |
|---|---|---|
| Resistance | Ability to repel attacks | Firewalls; User Authentication; Diversification, e.g. backups |
| Recognition | Ability to detect an attack or a probe; ability to react or adapt during an attack | Intrusion detection systems; Internal Integrity checks |
| Recovery | Provide essential services during attack; restore services following an attack | Incident response; Replication; Backup systems; Fault tolerant designs |
| Redress | Ability to hold intruders accountable in a court of law; ability to retaliate | Computer forensics; Legal remedies; Active defense |

12
InfoSec Essentials
 4 Protection mechanisms are:
i. Deterrence – first line of defense against intruders who may
try to gain access;
ii. Prevention – a process of trying to stop intruders from
gaining access to resources of the system;
 E.g. firewalls, DMZs, access items, such as keys, access cards,
biometrics, and other access control measures;
iii. Detection – occurs when the intruder has succeeded or is in
the process of gaining access to the system;
 E.g. alerts to the existence of an intruder; it could be real-time
or stored for further analysis.
iv. Response – is an after-effect process that tries to respond to
the failure of any of the first 3 mechanisms;
 E.g. try to stop and/or prevent future damage or access to the
facility.

13
InfoSec Essentials
 Computer security focuses on creating a secure
environment for the use of computers; it is usually
focused on the “behavior of users”.
 It has 4 areas of interest:
 Computer ethics;
 Development of software protocols;
 Development of hardware protocols;
 Development of best practices;

14
InfoSec Essentials
 Network security – involves creating an environment
in which a computer network, including all its
resources; all the data in it both in storage and in
transit; and all its users are secure;
 Its areas of interest are:
 Cryptography;
 Communications;
 Transport;
 Exchange of protocols;
 Best practices;

15
InfoSec Essentials
 Information security – involves the creation of a state
in which information and data are secure;
 Its areas of interest are:
 Computer science (incl. computer & network security);
 Business management;
 Information studies;
 Engineering;
 The model object is information or data, which is
either in motion through the communication channels
or in storage in databases on a server;
 State of both data and information in motion;

16
InfoSec Essentials
 CSVA Model (Yeboah-Boateng, 2012) [figure; text recovered from the diagram]:
the model relates RISK, ASSETS VALUE, THREAT AGENTS and VULNERABILITIES around
the CONFIDENTIALITY, INTEGRITY and AVAILABILITY triad, with URGENCY and
CRITICALITY as the parameters of assets value.
 Risk: loss of revenues; loss of corporate image; loss of investor confidence;
loss of customer confidence; cost due to security breaches; cost of mitigation;
possible business closure.
 Assets Value: tangible assets; intangible assets; classification;
identification; characterization.
 Threat agents: motivation; capability; opportunity; impact (attractiveness).
 Vulnerabilities: technical; human; physical (environment); operational;
business continuity.
 Confidentiality: human errors; transmission errors; data storage; data disposal.
 Availability: destruction; removal; interruption; human errors; natural disasters.
 Integrity: human errors; transmission errors; software bugs; hardware
malfunction; natural disasters.

17
InfoSec Essentials
Worked example: two assets assessed with the model’s parameters.

| Parameter | Web server | NAT server |
|---|---|---|
| Vulnerabilities | Availability | Confidentiality & Availability |
| Threats – Motivation | Customer who feels cheated by firm & intends to cause harm | Consultant whose contract is terminated |
| Threats – Capability | Tech savvy customer | Obviously a Techie |
| Threats – Opportunity | Very attractive | Has had access to IPs and has insights into systems |
| Threats – Impact | Defaced or brought down | Tampers with current settings & brings down system |
| Assets Value – Urgency | To be repaired within 2 hours | To be restored within 1 hour |
| Assets Value – Criticality | Vital business asset | Critical business asset |
| Risks (impact) | MAJOR | SEVERE |
| Remarks | Vulnerabilities = {secured}; Threat agent = {high}; Asset value = {vital} | Vulnerabilities = {very-secure}; Threat agent = {very-high}; Asset value = {critical} |

18
InfoSec Essentials

19
Summary
 We have learnt, understood and discussed the concepts of
cyber-security and its various aspects and attributes.
 We have emphasized that Information Security is essential
for today’s businesses and daily living;
 We have underscored the fact that Information Security is
NOT a technology problem but rather a BUSINESS case.
 We can now define risk parameters and assess them, as
well as distinguish between vulnerabilities and threats …

 We have acquainted ourselves with Information Security…

20
Thank You All!!!

 Any comments & contributions????

21
