Lecture 1
Security
Information Security
Course Code: IT 211
Credits: 3(3,0,1)
Level:
Instructor:
Tutor:
Textbook:
"Principles of Information Security" by Michael E. Whitman and Herbert J. Mattord, 5th ed., Thomson/Cengage Learning, 2014
References:
1. "Roadmap to Information Security for IT and Infosec Management" by Michael E. Whitman and Herbert J. Mattord.
2. "Information Security: The Complete Reference" by Mark Rhodes-Ousley, Roberta Bragg, Keith Strassberg, McGraw-Hill, 2nd edition, 2013.
3. "Network Security: The Complete Reference" by Mark Rhodes-Ousley, Roberta Bragg, Keith Strassberg, McGraw-Hill, 2nd edition, 2013.
Lectures: Monday
Tutorial:
Evaluation:
Course Contents
No. Topic
1 Introduction to Information Security
2 Threats and Attacks
3 Legal, Ethical and Security Issues
4 Risk Management
5 Security Planning
6 Network Security I
7 Network Security II
8 Scanning and Analysis Tools
9 Cryptology
10 Physical Security
11 Security and Personnel
12 Review
Lecture outline
o History of information security
o What security is
o CNSS security model
o Components of an information system
o Balancing information security and access
o Approaches to information security implementation
o The Systems Development Life Cycle
o The Security Systems Development Life Cycle
o Security professionals and the organization
Learning Objectives
Computer security
• The Department of Defense's Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant, networked communications systems
• Larry Roberts developed ARPANET from its inception
The 1970s and 80s
• ARPANET grew in popularity, as did its potential for misuse
• Fundamental problems with ARPANET security were identified
• Information security began with Rand Report R-609, the paper that started the study of computer security. It addressed:
- Safety of data
- Limiting unauthorized access to data
- Involvement of personnel from multiple levels of an organization
MULTICS
- Physical security
- Personnel security
- Operations security
- Communications security
- Network security
- Information security
What is security?
- Physical security – To protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
- Personnel security – To protect the individual or group of individuals who are authorized to access the organization and its operations.
- Operations security – To protect the details of a particular operation or series of activities.
- Communications security – To protect an organization's communications media, technology, and content.
- Network security – To protect networking components, connections, and contents.
What is Information Security?
• Access: A subject or object's ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability.
• Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect.
Security terminologies and concepts
• Threat agent: The specific instance or a component of a threat. For example, all hackers in the world present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone systems, is a specific threat agent. Likewise, a lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms.
• Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).
• Attack?
• Threat?
(Figure: relationship between threat, threat agent, vulnerability, attack and security controls)
Subjects and objects
(Figure: the C.I.A. triangle of confidentiality, integrity and availability)
Critical Characteristics of Information (Cont.)
• Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication, as created, placed, stored, or transferred.
The McCumber Cube Security Model
• CNSS (Committee on National Security Systems) security model
• Contains 27 cells
The cube illustrates the intersection of the information states (x-axis: storage, processing, transmission), the key objectives of C.I.A. (y-axis: confidentiality, integrity, availability), and the three primary means of implementation (z-axis: policy, education, and technology). Each of the 3 × 3 × 3 = 27 cells is one combination that a complete security program must address.
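As an added illustration (not from the lecture or the textbook), the script below models the 27 cells of the cube and checks which cells a list of safeguards leaves uncovered; the safeguard names and the cells they are tagged with are constructed assumptions for the demo.

```python
# Added example: McCumber cube coverage check. The three axes follow the
# lecture; the safeguards and their cell tags are constructed for the demo.
from itertools import product

STATES = ("storage", "processing", "transmission")        # x-axis: information states
GOALS = ("confidentiality", "integrity", "availability")  # y-axis: C.I.A. objectives
MEANS = ("policy", "education", "technology")             # z-axis: means of implementation


def all_cells():
    """Return the 27 (state, goal, means) cells of the cube."""
    return set(product(STATES, GOALS, MEANS))


# Constructed safeguards, each tagged with the cube cells it addresses.
SAMPLE_SAFEGUARDS = [
    ("full-disk encryption", [("storage", "confidentiality", "technology")]),
    ("TLS on all links", [("transmission", "confidentiality", "technology"),
                          ("transmission", "integrity", "technology")]),
    ("nightly backups", [("storage", "availability", "technology")]),
    ("acceptable-use policy", [(s, "confidentiality", "policy") for s in STATES]),
    ("phishing awareness training", [("transmission", "confidentiality", "education")]),
]


def coverage(safeguards):
    """Return (covered, uncovered) cell sets; reject tags that are not cube cells."""
    cube = all_cells()
    covered = set()
    for name, cells in safeguards:
        for cell in cells:
            if cell not in cube:
                raise ValueError(f"{name}: {cell} is not a cube cell")
            covered.add(cell)
    return covered, cube - covered


def gaps_by_axis(uncovered):
    """Count uncovered cells per axis value so the weakest state, goal or means stands out."""
    counts = {}
    for state, goal, means in uncovered:
        for key in (state, goal, means):
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    covered, uncovered = coverage(SAMPLE_SAFEGUARDS)
    print(f"{len(covered)} of 27 cells covered")
    for key, n in sorted(gaps_by_axis(uncovered).items(), key=lambda kv: -kv[1]):
        print(f"  {key}: {n} uncovered cells")
```

With the sample list, 8 of 27 cells are covered; the education axis and the integrity and availability objectives carry the largest gaps, which is the kind of imbalance the cube is meant to expose.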
Security Elements
• Security is addressed through three elements:
- People: everyone in the business needs to be aware of their role in preventing and reducing cyber threats, and IT staff should keep their knowledge up to date.
- Processes: the key to the implementation of effective cyber security.
- Technology (hardware and software): a crucial element of cyber security.
Components of an Information System
• An information system (IS) is the entire set of:
- Software
- Hardware
- Data
- People
- Procedures
- Networks
Balancing Information Security and Access
• Even with the best planning and implementation, it is impossible to obtain perfect information security
• Security is an ongoing process, not an absolute
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect against threats
• Accessibility = usability
Approaches to Information Security Implementation
Implementation requires coordination, time, patience, power and support from upper-level managers.
Bottom-Up Approach
• Grassroots effort: systems administrators attempt to improve the security of their systems
• Key advantage: technical expertise of individual administrators
• Seldom works, as it lacks a number of critical features:
- Participant support
- Organizational staying power
Top-Down Approach
• Initiated by upper management
- Issue policy, procedures, and processes
- Dictate goals and expected outcomes of project
- Determine accountability for each required action
• Perhaps the most important phase, given the ever-changing threat environment
• Often, reparation and restoration of information is a constant duel with an unseen adversary
• The information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
Security Professionals and the Organization