

An Introduction to Information Security

Why there’s more to hide than you might think and why hiding it is a lot tougher than you ever dreamed of in your wildest, most paranoid nightmare

This Document was Funded by the National Science Foundation Federal Cyber Service Scholarship For Service Program: Grant No. 0113627

Distributed October 2002

Embry-Riddle Aeronautical University • Prescott, Arizona • USA

An Introduction to Information Security. ©2002, Matt Jaffe, Jan G. Hogle, Susan Gerhart. http://nsfsecurity.pr.erau.edu


Roadmap: Introduction

Introduction
Purpose
Motivation
Audience
Goals and objectives
Context
Some key vocabulary, including some integrating concepts


Purpose

Provide an overview of the context of digital information security, including the key “soft” factors beyond the specific hardware and software technologies typically considered to be at the core of digital information security

Provide an introduction to the key concepts, vocabulary, and issues of digital information security technology itself


Motivation

There is more information that is sensitive to someone, at some time, in some way, than seems obvious

The consequences of undesired disclosure are growing ever more significant

It is more difficult to protect sensitive information than most people, even technically sophisticated ones, appreciate

More and more facets of modern life are affected by the necessity to protect sensitive information, or to mitigate the consequences of our inability to do so


The Intended Audience

Students in an introductory Information or Computer Security course looking for an overview of the context for the subject

Computer Science or Software Engineering students in specialized courses (e.g., operating systems, database management systems, networking, cryptography, or software engineering) needing the information security context within which to understand the contributions and limitations of the specialized discipline(s) they’re studying


The Goals

Understand the complexities involved in protecting information (in other words, be depressed ;-)

Understand the key concepts and vocabulary for discussing information security

Understand the key elements of information security

Understand both the potential contribution and the limitations of each key element

Understand the major inter-dependencies among the key elements

Go one layer deeper into part of the onion and provide a basic understanding of the key concepts and vocabulary within computer security itself


The Objectives

For students in an introductory course on information security:
Be able to describe the purpose of, and the types of information necessary for, a security policy
Be able to define at least 6 of the possible dimensions of a security architecture
For each dimension, be able to state another dimension on which it heavily depends and another on which it does not
Be able to define trusted software and describe why it is expensive
Be able to state the key limitation on software based cryptography as a security mechanism


The Objectives (cont’d)

For students in an operating systems course, all of the introductory objectives, plus:
Be able to define a trusted computing base
Be able to define the relationship between an operating system and a trusted computing base

For students in a database management systems course, all of the introductory objectives, plus:
Be able to define the terms: subject, object, access modes, and access right
Be able to identify at least three levels of granularity in the definition of possible objects in a database management system
Be able to state why subjects and users are not interchangeable concepts
Be able to state the relationship between DBMS software and TCB software


The Objectives (cont’d)

For students in an introductory networking course, the introductory objectives plus:
Be able to define the relationship between COMPUSEC, COMSEC, cryptography and network security
Be able to state the key limitation on software based cryptography as a network protection mechanism

For students in an introductory cryptography course, the introductory objectives plus:
Be able to state the key limitation on software based cryptography as an INFOSEC mechanism

For students in a software engineering course, all of the introductory objectives plus:
Be able to define trusted software and level of assurance
Be able to describe the limitations of testing in providing high levels of assurance


The Context of Information Security

(Figure: the three scopes INFOSEC, Information Assurance and Information Security)

Informally:

Information assurance is making sure that information is accessible to the right people when you want it to be and hasn’t been improperly accessed by the wrong people

Information security is about protecting information from unauthorized disclosure or modification but not specifically about assuring all aspects of its accessibility

INFOSEC is an abbreviation of Information Systems Security, the protection of information systems --- which correctly highlights the fact that electronic data systems are by no means the only places that information can be compromised


About this Project

This presentation is part of a larger package of materials on security issues. For more information, go to: http://nsfsecurity.pr.erau.edu

Other materials available on this topic are:
Overview of the key concepts and vocabulary
The Key Mechanisms of Information Security: their strengths, weaknesses and inter-dependencies
Exercises (html): Decision Maze, Crossword Puzzle, Security Scene
Quizzes (html): Multiple choice, Fill-in-the-blank

Please complete a feedback form at http://nsfsecurity.pr.erau.edu/feedback.html to tell us how you used this material and to offer suggestions for improvements.