
Introduction to Information Security
Information Security
Course Code: IT 211
Credits: 3(3,0,1)
Level:
Instructor:
Tutor:
Textbook:
“Principles of Information Security” by Michael E. Whitman and Herbert J. Mattord, 5th
ed., Thomson/Cengage Learning, 2014
References:
1. “Roadmap to information security for IT and Infosec management” by Michael E.
Whitman and Herbert J. Mattord.
2. “Information Security: The Complete Reference”, by Mark Rhodes-Ousley, Roberta
Bragg, Keith Strassberg, McGraw-Hill, 2nd edition, 2013.
3. “Network Security: The Complete Reference”, by Mark Rhodes-Ousley, Roberta
Bragg, Keith Strassberg, McGraw-Hill, 2nd edition, 2013.
Lectures: Monday
Tutorial:
Evaluation:
Course Contents

No Topics
1 Introduction to Information Security
2 Threats and attacks
3 Legal, Ethical and security issues
4 Risk management
5 Security planning
6 Network Security I
7 Network Security II
8 Scanning and Analysis Tools
9 Cryptology
10 Physical security
11 Security and Personal
12 Review
Lecture outline
o History of information security
o What security is
o CNSS security model
o Components of an information system
o Balancing of information security and access
o Approach to information security implementation
o The Systems Development Life Cycle
o The Security Systems Development Life Cycle
o Security professionals and the organization
Learning Objectives
Upon completion of this lecture, you should be able to:
• Define information security
• Relate the history of computer security and how it
evolved into information security
• Define key terms and critical concepts of information
security as presented in this chapter
• Discuss the phases of the security systems development
life cycle
• Present the roles of professionals involved in information
security within an organization
Introduction
• Information security: a “well-informed sense of assurance that the information risks
and controls are in balance.” — Jim Anderson, Inovant (2002).
• Information Security refers to the processes and methodologies which are designed
and implemented to protect print, electronic, or any other form of confidential, private
and sensitive information or data from unauthorized access, use, misuse, disclosure,
destruction, modification, or disruption. (SANS)
• Necessary to review the origins of this field and its impact on our understanding of
information security today
The History of Information Security
• Began immediately after the first mainframes were developed,
i.e. WWII
• Groups developing code-breaking computations during World
War II created the first modern computers
• Physical controls to limit access to sensitive military locations
to authorized personnel
• Rudimentary in defending against physical theft, espionage,
and sabotage
The 1960s
Computer security
• The Department of Defense's Advanced Research Projects Agency (ARPA) began to
examine the feasibility of redundant networked communications systems
• Larry Roberts developed ARPANET from its inception
The 1970s and 80s
• ARPANET grew in popularity, as did its potential for misuse
• Fundamental problems with ARPANET security were identified:
- No control over remote access
- No safety procedures for dial-up connections to ARPANET
- Non-existent user identification and authorization to system
• Late 1970s: microprocessor expanded computing capabilities and security threats
The 1970s and 80s (continued)
• Information security began with Rand Report R-609 (the paper that started the study of
computer security)
• Defined multiple controls and mechanisms necessary for protection
• Scope of computer security grew from physical security to include:
- Safety of data
- Limiting unauthorized access to data
- Involvement of personnel from multiple levels of an
organization
MULTICS
• Early focus of computer security research was a system called Multiplexed
Information and Computing Service (MULTICS)
• First operating system created with security as its primary goal
• Mainframe, time-sharing OS developed in mid-1960s by General Electric (GE),
Bell Labs, and Massachusetts Institute of Technology (MIT)
• Several MULTICS key players created UNIX
• Primary purpose of UNIX was text processing
The 1990s
• Networks of computers became more common; so too did the need to
interconnect networks
• Internet became first manifestation of a global network of networks
• In early Internet deployments, security was treated as a low priority
The Present
• The Internet brings millions of computer networks into communication with
each other, many of them unsecured
• Ability to secure a computer’s data is influenced by the security of every computer
to which it is connected
• Protect data, infrastructure, systems
• By 2015, 3.14 billion users. By 2020, 5 billion users
What is Security?
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
- Physical security
- Personal security
- Operations security
- Communications security
- Network security
- Information security
What is security?
- Physical security – To protect the physical items, objects, or
areas of an organization from unauthorized access and misuse.
- Personal security – To protect the individual or group of
individuals who are authorized to access the organization and its
operations.
- Operations security – To protect the details of a particular
operation or series of activities.
- Communications security – To protect an organization’s
communications media, technology, and content.
- Network security – To protect networking components,
connections, and contents.
What is Information Security?
• The protection of information and its critical elements, including
systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• C.I.A. triangle based on three characteristics: confidentiality,
integrity, and availability
• C.I.A. triangle now expanded into list of critical characteristics of
information
• Information security includes the broad areas of information security
management, computer and data security, and network security.
Security terminologies and concepts
• Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or
object. Authorized users have legal access to a system, whereas hackers have illegal access
to a system. Access controls regulate this ability.
• Asset: The organizational resource that is being protected. An asset can be logical, such as
a Web site, information, or data; or an asset can be physical, such as a person, computer
system, or other tangible object. Assets, and particularly information assets, are the focus
of security efforts; they are what those efforts are attempting to protect.
Security terminologies and concepts
• Attack: An intentional or unintentional act that can cause damage to or otherwise
compromise information and/or the systems that support it. Attacks can be active or
passive, intentional or unintentional, and direct or indirect.
• Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures
that can successfully counter attacks, handle risk, and otherwise improve the security
within an organization. The various levels and types of controls are discussed later.
Security terminologies and concepts
• Compromise: To break into or crack a system without
authorization.
• Exploit: A technique used to compromise a system. This term can
be a verb or a noun. Threat agents may attempt to exploit a system
or other information asset by using it illegally for their personal
gain. Or, an exploit can be a documented process to take
advantage of a vulnerability or exposure, usually in software, that
is either inherent in the software or is created by the attacker.
Exploits make use of existing software tools or custom-made
software components.
• Disclosure: The revealing of secret information without
authorization or permission.
Security terminologies and concepts
• Exposure: A condition or state of being exposed. In information
security, exposure exists when a vulnerability known to an attacker is
present.
• Risk: The probability that something unwanted will happen.
Organizations must handle risk to match their risk appetite—the
quantity and nature of risk the organization is willing to accept.
• Threat: A category of objects, persons, or other entities that presents a danger
to an asset. Threats are always present and can be purposeful or undirected. For
example, hackers purposefully threaten unprotected information systems, while
severe storms incidentally threaten buildings and their contents.
Security terminologies and concepts
• Threat agent: The specific instance or a component of a threat. For example, all hackers
in the world present a collective threat, while Kevin Mitnick, who was convicted for
hacking into phone systems, is a specific threat agent. Likewise, a lightning strike,
hailstorm, or tornado is a threat agent that is part of the threat of severe storms.
• Vulnerability: A weakness or fault in a system or protection mechanism that opens it
to attack or damage. Some examples of vulnerabilities are a flaw in a software package,
an unprotected system port, and an unlocked door. Some well-known vulnerabilities have
been examined, documented, and published; others remain latent (or undiscovered).
• Attack?
• Threat?
[Figure: threat, attack, vulnerability, and security controls]
Subjects and objects
• A computer can be the subject of an attack and/or the object of an attack
- When the subject of an attack, the computer is used as an active tool
to conduct the attack
- When the object of an attack, the computer is the entity being
attacked
Critical Characteristics of Information
• The value of information comes from the characteristics it
possesses:
- Confidentiality
- Integrity
- Availability
- Authenticity
[Figure: C.I.A. security triangle (confidentiality, integrity, availability)]
Critical Characteristics of Information (Cont.)
• Confidentiality: Protects information or system from disclosure or
exposure by unauthorized parties. Confidentiality can be achieved
by a number of measures, including the following:
- Information classification
- Secure document storage
- Application of general security policies
- Education of information custodians and end users
• Integrity: Involves maintaining the consistency, accuracy, and
trustworthiness of data over its entire life cycle and its originality.
Critical Characteristics of Information (Cont.)
• Availability: Enables authorized users (persons, computers,
or systems) to access information when it is required
without interference or obstruction.
• Authenticity of information is the quality or state of being genuine or original, rather than
a reproduction or fabrication, as created, placed, stored, or transferred.
The McCumber Cube Security Model
• CNSS (Committee on National Security Systems) security model
• Contains 27 cells

The graphic illustrates the intersection of information states (x-axis), the key
objectives of C.I.A. (y-axis), and the three primary means of implementation
(policy, education, and technology).
Security Elements
• Security is addressed through three elements:
- People: everyone in the business needs to be aware of their
role in preventing and reducing cyber threats. IT people
should be up to date.
- Processes: the key to the implementation of effective
cyber security.
- Technology (hardware and software): obviously a crucial
element of cyber security.
Components of an Information System
• An information system (IS) is the entire set of:
- Software
- Hardware
- Data
- People
- Procedures
- Networks
Balancing Information Security and Access
• Even with the best planning and implementation, it is impossible to obtain perfect
information security
• Security is an ongoing process, not an absolute
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect
against threats
• Accessibility = usability
Approaches to Information Security Implementation
Requires coordination, time, patience, power, and
support from upper-level managers.

Bottom-Up Approach
• Grassroots effort: systems administrators attempt to improve security of their
systems
• Key advantage: technical expertise of individual administrators
• Seldom works, as it lacks a number of critical features:
- Participant support
- Organizational staying power
Approaches to Information Security Implementation
Requires coordination, time, patience, power, and support
from upper-level managers.

Top-Down Approach
• Initiated by upper management
- Issue policy, procedures, and processes
- Dictate goals and expected outcomes of project
- Determine accountability for each required action
• The most successful also involve a formal development strategy referred to as the
systems development life cycle
Top-Down and Bottom-Up Approach
The Systems Development Life Cycle
• The Systems Development Life Cycle (SDLC) is a methodology for the design and
implementation of an information system within an organization
• A methodology is a formal approach to problem solving based on a structured sequence
of procedures
• Using a methodology:
- Ensures a rigorous process
- Avoids missing steps
- Increases the probability of success
• Goal is creating a comprehensive security posture/program
• Traditional SDLC consists of six general phases
The Systems Development Life Cycle (cont.)
Investigation
• What problem is the system being developed to solve?
• Objectives, constraints, and scope of project are specified
• Preliminary cost-benefit analysis is developed
• At the end, feasibility analysis is performed to assess economic, technical, and
behavioural feasibilities of the process
Analysis
• Consists of assessments of the organization, status of current systems, and
capability to support proposed systems
• Analysts determine what new system is expected to do and how it will interact
with existing systems
• Ends with documentation of findings and update of feasibility analysis
Logical Design
• The information gained from the analysis phase is used to begin creating a
solution system for a business problem.
• Main factor is business need; applications capable of providing needed services
are selected
• Data support and structures capable of providing the needed inputs are
identified
• Technologies to implement physical solution are determined
• Feasibility analysis performed at the end
Physical Design
• During the physical design phase, specific technologies to support the alternatives
identified and evaluated in the logical design are selected
• Components evaluated on make-or-buy decision
• Feasibility analysis performed; entire solution presented to end-user representatives
for approval
Implementation
• Needed software created; components ordered, received, assembled, and tested
• Users trained and documentation created
• Feasibility analysis prepared; users presented with system for performance
review and acceptance test
Maintenance and Change
• The maintenance and change phase is the longest and most expensive phase of the
process.
• Consists of tasks necessary to support and modify system for remainder of its useful
life
• Life cycle continues until the process begins again from the investigation phase
• When current system can no longer support the organization’s mission, a new
project is implemented
The Security Systems Development Life Cycle
• The same phases used in traditional SDLC may be adapted to support
specialized implementation of an IS project
• Identification of specific threats and creating controls to counter them
• SecSDLC is a coherent program rather than a series of random, seemingly
unconnected actions
Investigation
• The investigation phase of the SecSDLC begins with a directive from upper
management
• Identifies process, outcomes, goals, and constraints of the project
• Begins with Enterprise Information Security Policy (EISP)
• Organizational feasibility analysis is performed
Analysis
• Documents from investigation phase are studied
• Analysis of existing security policies or programs, along with documented
current threats and associated controls
• Includes analysis of relevant legal issues that could impact design of the security
solution
• Risk management task begins
- Risk management is the process of identifying, assessing, and evaluating the levels of risk facing
the organization, specifically the threats to the organization’s security and to the information
stored and processed by the organization.
Logical Design
• Creates and develops blueprints for information security
• Incident response actions planned:
- Continuity planning: How will business continue in the event of a loss?
- Incident response: What steps are taken when an attack occurs?
- Disaster recovery: What must be done to recover information and vital systems immediately after
a disastrous event?
• Feasibility analysis to determine whether project should be continued or
outsourced
Physical Design
• In the physical design phase, needed security
technology is evaluated, alternatives are
generated, and the final design is selected
• At the end of the phase, a feasibility study determines
the readiness of the organization for the project
Implementation
• Security solutions are acquired, tested, implemented, and tested again
• Personnel issues evaluated; specific training and education programs conducted
• Entire tested package is presented to management for final approval
Maintenance and Change
• Perhaps the most important phase, given the ever-changing threat environment
• Often, reparation and restoration of information is a constant duel with an
unseen adversary
• Information security profile of an organization requires constant adaptation as
new threats emerge and old threats evolve
Security Professionals and the Organization
• Wide range of professionals required to support a diverse information security
program
• Senior management is key component; also, additional administrative support
and technical expertise are required to implement details of IS program
Senior Management
• Chief Information Officer (CIO)
- Senior technology officer
- Primarily responsible for advising senior executives on strategic planning (based on the
organization structure)
• Chief Information Security Officer (CISO)
- Primarily responsible for assessment, management, and implementation of IS in the organization
- Usually reports directly to the CIO (as stated in the textbook)
- Should report directly to the CEO or the board (the new approach, to avoid conflict of
interest)
Information Security Project Team
• A number of individuals who are experienced in one or more facets of required
technical and nontechnical areas:
- Champion
- Team leader
- Security policy developers
- Risk assessment specialists
- Security professionals
- Systems administrators
- End users
- etc.
Data Ownership
Now that you understand the responsibilities of both senior management and the
security project team, we can define the roles of those who own and safeguard the
data.
• Data owner: responsible for the security and use of a particular set of
information. Usually determines the level of data classification associated
with the data, as well as changes to that classification required by
organizational change.
• Data custodian: responsible for storage, maintenance, and protection of
information. The duties of a data custodian often include overseeing
data storage and backups, implementing the specific procedures and
policies laid out in the security policies and plans, and reporting to the
data owner.
• Data users: end users who work with information to perform their daily
jobs supporting the mission of the organization
• Data owner → data protection and data privacy
Summary
o History of information security
o What is security
o CNSS security model
o Components of an information system
o Balancing of information security and access
o Approach to information security implementation
o The Systems Development Life Cycle
o The Security Systems Development Life Cycle
o Security professionals and the organization