Download - (412500528) IAS_CH1_LECTURE
-
8/9/2019 (412500528) IAS_CH1_LECTURE
1/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security System
Chapter 1
Introduction to Information Security
Chapter Overview
This opening chapter establishes the foundation for understandingthe broader eld of information security.This is accomplished bydening key terms, explaining essential concepts, and reviewing theorigins of the eld and its impact on the understanding of informationsecurity.
Chapter Objectives
When you complete this chapter, you will be able to: Dene information security
elate the history of computer security and how it evolved intoinformation
security
Dene key terms and critical concepts of information security aspresented in
this chapter Discuss the phases of the security systems development lifecycle !resent the roles of professionals involved in informationsecurity within an
organi"ation
Introduction
#nformation security in today$s enterprise is a %well&'informed sense ofassurance thatthe information risks and controls are in balance.()im *nderson,#novant +--
/efore we can begin analy"ing the details of information security,it is necessary to review the origins of this eld and its impact on
our understanding of information security today.
The History of Information Security
The need for computer security, or the need to secure the physicallocation of hardware from outside threats, began almost immediatelyafter the rst mainframes were developed.
0roups developing code&'breaking computations during World War ##created the rstmodern computers.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
2/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security System
-
8/9/2019 (412500528) IAS_CH1_LECTURE
3/31
/adges, keys, and facial recognition of authori"ed personnel controlled access tosensitive military locations.
#n contrast, information security during these early years was
rudimentary and mainlycomposed of simple document classication schemes.
There were no application classication pro1ects for computers oroperating systems at this time, because the primary threats tosecurity were physical theft of e2uipment, espionage against theproducts of the systems, and sabotage.
The 1960sDuring the 345-s, the Department of Defense$s *dvancedesearch !rocurement *gency +*!* began examining the
feasibility of a redundant networked communications systemdesigned to support the military$s need to exchange information.
6arry oberts, known as the founder of the #nternet, developed thepro1ect from itsinception.
The 190s and !0sDuring the next decade, the *!*78T grew in popularity and use, andso did itspotential for misuse.
#n December of 349, obert ;. ;etcalfe indicated that there werefundamentalproblems with *!*78T security.
#ndividual remote users$ sites did not have su
-
8/9/2019 (412500528) IAS_CH1_LECTURE
4/31
multilevel computer system.
The scope of computer security grew from physical security to include:
>afety of the data itself
6imiting of random and unauthori"ed access to that data
-
8/9/2019 (412500528) IAS_CH1_LECTURE
5/31
#nvolvement of personnel from multiple levels of the organi"ation
*t this stage, the concept of computer security evolved into the moresophisticated
system we call information security.
"#$TICS
;uch of the focus for research on computer security centered ona system called ;=6T#?> +;ultiplexed #nformation and ?omputing>ervice.
#n mid&'3454, not long after the restructuring of the ;=6T#?> pro1ect, several of the keyplayers created a new operating system called =7#@.
While the ;=6T#?> system had planned security with multiple security levels andpasswords, the =7#@ system did not.
#n the late 349-s, the microprocessor brought in a new age ofcomputing capabilitiesand security threats as these microprocessors were networked.
The 1990s
*t the close of the -th century, as networks of computers becamemore common, so too did the need to connect the networks to eachother.This gave rise to the #nternet, the rst manifestation of a globalnetwork of networks.
There has been a price for the phenomenal growth of the #nternet,however. Whensecurity was considered at all, early #nternet deployment treated it as alow priority.
*s there2uiremen
tfor
networked
computers
became
the
dominan
t
style of computing, the ability to physically secure the physicalcomputer was lost, and the stored information became more exposed to security threats.
The %resent
Today, the #nternet has brought millions of unsecured computernetworks into
-
8/9/2019 (412500528) IAS_CH1_LECTURE
6/31
communication with each other.
Aur ability to secure each computer$s stored information is nowinBuenced by thesecurity on each computer to which it is connected.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
7/31
&hat is Security'
#n general, security is %the 2uality or state of being secureCto be freefrom danger.( #t means to be protected from adversaries, from thosewho would do harm, intentionally or otherwise.
* successful organi"ation should have the following multiple layers ofsecurity in placefor the protection of its operations: %hysica( security to protect the physical items, ob1ects, or areas ofan organi"ation
from unauthori"ed access and misuse
%ersona( security to protect the individual or group of individualswho are
authori"ed to access the organi"ation and its operations Operations security to protect the details of a particular
operation or series ofactivities
Communications security to protect an organi"ation$scommunications media,
technology, and content )etwor* security to protect networking components,connections, and contents Information security to protect information assets
#nformation security, therefore, is the protection of information and its
criticalelements,
including
the
systems
and
hardware
th
atuse,
store,
and transmit that information. /ut to protect the information and itsrelated systems from danger, tools, such as policy, awareness, training, education, and technology, are necessary.
The ?.#.*. triangle has been considered the industry standard forcomputer security since the development of the mainframe. #t wassolely based on three characteristics that described the utility ofinformation: condentiality, integrity, and availability.The ?.#.*. triangle has expanded into a list of critical characteristics ofinformation.
Critica( Characteristics of Information
The value of information comes from the characteristics it possesses.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
8/31
+vai(abi(ity enables users who need to access information to do sowithout interference or obstruction and to retrieve that information in the re2uired format.
+ccuracy occurs when information is free from mistakes or errors andhas the value that the end user expects. #f information contains a valuedierent from the user$s expectations due to the intentional orunintentional modication of its content, it is no longer accurate.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
9/31
+uthenticity is the 2uality or state of being genuine or original, ratherthan a reproduction or fabrication. #nformation is authentic when it isthe information that was originally created, placed, stored, ortransferred.
Con,dentia(ity is the 2uality or state of preventing disclosure orexposure tounauthori"ed individuals or systems.
Inte-rity is the 2uality or state of being whole, complete, anduncorrupted.The integrity of information is threatened when theinformation is exposed to corruption, damage, destruction, or otherdisruption of its authentic state.
#ti(ity is the 2uality or state of having value for some purpose or end.#nformation has value when it serves a particular purpose.This means
that if information is available, but not in a format meaningful to theend user, it is not useful.
%ossession is the 2uality or state of having ownership or control ofsome ob1ect or item. #nformation is said to be in oneEs possession ifone obtains it, independent of format or other characteristics. While abreach of condentiality always results in a breach of possession, abreach of possession does not always result in a breach ofcondentiality.
)STISSC Security "ode(
The security model, as represented in Figure 3&'G, shows the threedimensions. #f you extrapolate the three dimensions of each axis, youend up with a H H cube with 9 cells representing areas thatmust be addressed to secure the information systems of today.Iourprimary responsibility is to make sure that each of the 9 cells isproperly addressed during the security process.
Components of an Information System
To fully understand the importance of information security, it isnecessary to brieBy review the elements of an information system. *ninformation system +#> is much more than computer hardwareJ it is theentire set of software, hardware, data, people, procedures, and
-
8/9/2019 (412500528) IAS_CH1_LECTURE
10/31
networks necessary to use information as a resource in theorgani"ation.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
11/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security System
Securin- Components
When considering the security of information systems components, itis important to understand the concept of the computer as the sub1ectof an attack, as opposed to the computer as the ob1ect of an attack.
Computer as the Subject and Object of an +ttac*
When a computer is the sub1ect of an attack, it is used as an active toolto conduct theattack. When a computer is the ob1ect of an attack, it is the entitybeing attacked.
.a(ancin- Information Security and +ccess
When considering information security, it is important to reali"e that itis impossible toobtain perfect security. >ecurity is not an absoluteJ it is a process andnot a goal.>ecurity should be considered a balance between protection andavailability.To achievebalance, the level of security must allow reasonable access, yet protectagainst threats.
+pproaches to Information Security Imp(ementation
>ecurity can begin as a grassroots eort when systems administratorsattempt toimprove the security of their systems.This is referred to as the bottom&'up approach.
The key advantage of the bottom&'up approach is the technicalexpertise of the individual administrators. =nfortunately, thisapproach seldom works, as it lacks a number of critical features,such as participant support and organi"ational staying power.
*n alternative approach, which has a higher probability of success, iscalled the top&'down approach.The pro1ect is initiated by uppermanagement who issue policy, procedures, and processes, dictate thegoals and expected outcomes of the pro1ect, and determine who isaccountable for each of the re2uired actions.
The top&'down approach has strong upper&'management support, adedicated champion, dedicated funding, clear planning, and theopportunity to inBuence organi"ational culture.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
12/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security System
The most successful top&'down approach also involves a formaldevelopmen t strategyreferred to as a systems development life cycle.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
13/31
The Systems /eve(opment $ife Cyc(e
#nformation security must be managed in a manner similar to any otherma1or systemimplemented in the organi"ation.
The best approach for implementing an information security system inan organi"ation with little or no formal security in place is to use avariation of the systems development life cycle +>D6?: the securitysystems development life cycle +>ec>D6?.
"ethodo(o-y and %hases
The >D6? is a methodology for the design and implementation of aninformation systemin an organi"ation.
* methodology is a formal approach to solving a problem based on astructured se2uence of procedures. =sing a methodology ensures arigorous process and avoids missing those steps that can lead tocompromising the end goal.The goal is to create a comprehensive security posture.
The entire process may be initiated in response to specic conditions orcombinations ofconditions.
The impetus to begin the >ec>D6? may be event&'driven, started inresponse to someoccurrence, or plan&'driven as a result of a carefully developedimplementation strategy.
*t the end of each phase comes a structured review or %reality check(during which the team determines if the pro1ect should be continued,discontinued, outsourced, or postponed until additional expertise ororgani"ational knowledge is ac2uired.
Investi-ation
The rst phase, investigation, is the most important. What is theproblem the system is being developed to solveKThis phase beginswith an examination of the event or plan that initiates the process.
The ob1ectives, constraints, and scope of the pro1ect are specied. *preliminary costLbenet analysis is developed to evaluate the
-
8/9/2019 (412500528) IAS_CH1_LECTURE
14/31
perceived benets and the appropriate levels of cost an organi"ationis willing to expend to obtain those benets.
* feasibility analysis is performed to assess the economic,technical, and behavioral feasibilities of the process and to ensurethat implementation is worth the organi"ation$s time and eort.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
15/31
+na(ysis
The analysis phase begins with the information learned during theinvestigation phase.This phase consists primarily of assessments ofthe organi"ation, the status of current systems, and the capability tosupport the proposed systems.
*nalysts begin to determine what the new system is expected to doand how it will interact with existing systems.The phase ends withthe documentation of the ndings and a feasibility analysis update.
$o-ica( /esi-n
#n the logical design phase, the information gained from the analysisphase is used tobegin creating a solution system for a business problem.
Then, based on the business need, applications capable of providingneeded services are selected. /ased on the applications needed, datasupport and structures capable of providing the needed inputs areselected.
Finally, based on all of the above, specic technologies are selected toimplement thephysical solution. #n the end, another feasibility analysis is performed.
%hysica( /esi-n
During the physical design phase, specic technologies are selected tosupport thealternatives identied and evaluated in the logical design.
The selected components are evaluated based on a make&'or&'buydecision +develop in&'house or purchase from a vendor.
Final designs integrate various components and technologies.
*fter yet another feasibility analysis, the entire solution is presented tothe end&'userrepresentatives for approval.
Imp(ementation
-
8/9/2019 (412500528) IAS_CH1_LECTURE
16/31
#n the implementation phase, any needed software is created. ?omponents are ordered,received, and tested.
*fterwards, users are trained and supporting documentation iscreated. *gain, a feasibility analysis is prepared, and the usersare presented with the system for a performance review andacceptance test.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
17/31
-
8/9/2019 (412500528) IAS_CH1_LECTURE
18/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security System
The Security Systems /eve(opment $ife Cyc(e
The same phases used in the traditional >D6? can be adapted tosupport the speciali"edimplementation of a security pro1ect.
The fundamental process is the identication of specic threats andthe creation of specic controls to counter those threats.The >ec>D6?unies the process and makes it a coherent program rather than aseries of random, seemingly unconnected actions.
Investi-ation
The investigation of the >ec>D6? begins with a directive fromupper management, dictating the process, outcomes, and goals ofthe pro1ect, as well as the constraints placed on the activity.
Fre2uently, this phase begins with an enterprise informationsecurity policy +8#>! that outlines the implementation of security.
Teams of responsible managers, employees, and contractors areorgani"edJ problems are analy"edJ and the scope is dened, includinggoals, ob1ectives, and constraints not covered in the program policy.
Finally, an organi"ational feasibility analysis is performed todetermine whether the organi"ation has the resources andcommitment necessary to conduct a successful security analysis
and design.
+na(ysis
#n the analysis phase, the documents from the investigation phaseare studied.The developmen t team conducts a preliminary analysis of existing security policies or programs, along withdocumented current threats and associated controls.
This phase also includes an analysis of relevant legal issues that couldimpact the designof the security solution.
The risk management taskCidentifying, assessing, and evaluating thelevels of riskfacing the organi"ationCalso begins in this stage.
$o-ica( /esi-n
The logical design phase creates and develops the blueprints forsecurity and examines and implements key policies that inBuence laterdecisions. *lso at this stage, critical planning is developed for incidentresponse actions to be taken in the event of partial or catastrophic loss.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
19/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security System
7ext, a feasibility analysis determines whether or not the pro1ectshould continue or be outsourced.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
20/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security System
%hysica( /esi-n
#n the physical design phase, the security technology needed tosupport the blueprint outlined in the logical design is evaluated,alternative solutions are generated, and a nal design is agreedupon.
The security blueprint may be revisited to keep it synchroni"ed with thechanges neededwhen the physical design is completed.
?riteria needed to determine the denition of successful solutions is alsopreparedduring this phase.
#ncluded at this time are the designs for physical security measures to
support theproposed technological solutions.
*t the end of this phase, a feasibility study should determine thereadiness of the organi"ation for the proposed pro1ect, and then thechampion and users are presented with the design. *t this time, allparties involved have a chance to approve the pro1ect before implementation begins.
Imp(ementation
The implementation phase is similar to the traditional >D6?.
The security solutions are ac2uired +made or bought, tested,implemented, and testedagain.
!ersonnel issues are evaluated and specic training and educationprograms areconducted.
Finally, the entire tested package is presented to upper managementfor nal approval.
"aintenance and Chan-e
The maintenance and change phase, though last, is perhaps the mostimportant, giventhe high level of ingenuity in today$s threats.
The reparation and restoration of information is a constant duel with anoften unseen
adversary.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
21/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security System
-
8/9/2019 (412500528) IAS_CH1_LECTURE
22/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security System
*s new threats emerge and old threats evolve, the informationsecurity prole of an organi"ation re2uires constant adaptation toprevent threats from successfully penetrating sensitive data.
Security %rofessiona(s and the Or-ani0ation
#t takes a wide range of professionals to support a diverse informationsecurity program.
To develop and execute specic security policies and procedures, additionaladministrative support and technical expertise is re2uired.
Senior "ana-ement
Chief Information Ocer2The senior technology oA may also bereferred to as the manager for security, the security administrator, or asimilar title.
Information Security %roject Team
The security pro1ect team consists of a number of individuals who areexperienced inone or multiple facets of the re2uired technical and nontechnical areas.
Champion2 * senior executive who promotes the pro1ect and ensuresits support, bothnancially and administratively, at the highest levels of the
organi"ation.
Team (eader2 * pro1ect manager, who may be a departmental linemanager or sta unit manager, who understands pro1ect management,personnel management, and information security technicalre2uirements.
Security po(icy deve(opers2 #ndividuals who understand the
organi"ational culture, policies, and re2uirements for developing
and implementing successful policies. 3is* assessment
specia(ists2 #ndividuals who understand nancial risk assessment
-
8/9/2019 (412500528) IAS_CH1_LECTURE
23/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security Systemtechni2ues, the value of organi"ational assets, and the security methods to be used.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
24/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security System
Security professiona(s2 Dedicated, trained, and well&'educatedspecialists in all aspects ofinformation security from both a technical and nontechnical standpoint.
Systems administrators2
#ndividuals whose primary responsibility isadministering thesystems that house the information used by the organi"ation.
4nd users2Those whom the new system will most directly impact.#deally, a selection of users from various departments, levels, anddegrees of technical knowledge assist the team in focusing on theapplication of realistic controls applied in ways that do not disrupt theessential business activities they seek to safeguard.
/ata Ownership7ow that you understand the responsibilities of both seniormanagement and the security pro1ect team, we can dene theroles of those who own and safeguard the data.
/ata Owners2Those responsible for the security and use of aparticular set of information. Data owners usually determine thelevel of data classication associated with the data, as well aschanges to that classication re2uired by organi"ational change.
/ata Custodians2Those responsible for the storage, maintenance,and protection of the information.The duties of a data custodian ofteninclude overseeing data storage and backups, implementing thespecic procedures and policies laid out in the security policies andplans, and reporting to the data owner.
/ata #sers2 8nd users who work with the information to perform their daily1obs supporting the mission of the organi"ation. 8veryonein the organi"ation is responsible for the security of data, so datausers are included here as individuals with an information securityrole.
Communities of Interest
8ach organi"ation develops and maintains its own uni2ue culture andvalues. Within each organi"ational culture, there are communities ofinterest. *s dened here, a community of interest is a group ofindividuals who are united by similar interests or values within anorgani"ation and who share a common goal of helping the organi"ationto meet its ob1ectives.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
25/31
There can be many dierent communities of interest in anorgani"ation.The three that are most often encountered, and whichhave roles and responsibilities in information security, are listed here.#n theory, each role must complement the other but this is often notthe case.
#nformation security management and professionals #nformation technology management and professionals
Argani"ational management and professionals
Information Security2 Is it an +rt or a Science'
With the level of complexity in today$s information systems, theimplementation ofinformation security has often been described as a combination of art
and science.
The concept of the %security artesan( is based on the way individualshave perceived systems technologists since computers became commonplace.
Security as +rt
There are no hard and fast rules regulating the installation of varioussecurity mechanisms. 7or are there many universally accepted completesolutions.
While there are many manuals to support individual systems, oncethese systems are interconnected, there is no magic user$s manual forthe security of the entire system.This is especially true with thecomplex levels of interaction between users, policy, and technologycontrols.
Security as Science
We are dealing with technology developed by computer scientists andengineersC
technology designed to operate at rigorous levels of performance.
8ven with the complexity of the technology, most scientists wouldagree that specic scientic conditions cause virtually all actions thatoccur in computer systems. *lmost every fault, security hole, and
-
8/9/2019 (412500528) IAS_CH1_LECTURE
26/31
systems malfunction is a result of the interaction of specic hardwareand software.
#f developers had su
-
8/9/2019 (412500528) IAS_CH1_LECTURE
27/31
>ocial science examines the behavior of individuals as they interactwith systems,whether societal systems or, in our case, information systems.
>ecurity begins and ends with the people inside the organi"ation and
the people thatinteract with the system, planned or otherwise.
8nd users who need the very information the security personnel aretrying to protectmay be the weakest link in the security chain.
/y understanding some of the behavioral aspects of organi"ationalscience and change management, security administrators can greatly reduce the levels of risk caused by end users, and they can createmore acceptable and supportable security proles.
-
8/9/2019 (412500528) IAS_CH1_LECTURE
28/31
-
8/9/2019 (412500528) IAS_CH1_LECTURE
29/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security System
3eview 5uestions
16 What type of security was dominant in the early years ofcomputingK
. Who is known as the founder of the #nternetKTo what pro1ectdoes it trace its
originK Who initiated this pro1ect and for what purposeK
. What layers of security should a successful organi"ation have inplace to protect
its operationsK
G. The ;c?umber ?ube is a xx cube with 9 cellsrepresenting areas that must be addressed to secure today$sinformation systems. 6ist the three dimensions along each ofthe three axes.
M. What are the three components of the ?#* triangleK What are
they used forK5. #f the ?.#.*. triangle is incomplete, why is it so commonly usedin securityK
9. Describe the critical characteristics of information. Oow arethey used in the
study of computer securityK
P. #dentify the six components of an information system. Whichare most directly impacted by the study of computer securityKWhich are most commonly associated with this studyK
4. #n the history of the study of computer security, what system isthe father of
almost all multi&'user systemsK
3-. What paper is the foundation of all subse2uent studies ofcomputer securityK
33. Oow is the top down approach to information security superiorto the bottom up
approachK
3. Why is a methodology important in the implementation ofinformation securityK Oow does a methodology improve the
processK
3. Who is involved in the security development life cycleK Wholeads the processK
3G. Oow does the practice of information security 2ualify as both anart and a
scienceK Oow does security as a social science inBuence itspracticeK
3M. Who is ultimately responsible for the security of information inthe organi"ationK
35. What is the relationship between the ;=6T#?> pro1ect and early developmen t of
-
8/9/2019 (412500528) IAS_CH1_LECTURE
30/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security System
computer securityK
39. Oow has computer security evolved into modern informationsecurityK
3P. What was important about and eport &'5-4K
-
8/9/2019 (412500528) IAS_CH1_LECTURE
31/31
Systems Plus College Foundation College of Computing and Information SciencesInformation Assurance Security System
34. Describe the dierence between a computer being the%sub1ect of an attack( and the %ob1ect of an attack.( What isthe dierence between a direct and indirect attackK #s itpossible for one computer to be both the sub1ect of an attackand the ob1ect of an attackK #s so, howK
-: Who should lead a security teamK >hould the approach tosecurity be more
managerial or technicalK