Communities of Interest • InfoSec community: protect information assets from threats • IT community: support business objectives by supplying appropriate information technology • Business community: policy and resources Management of Information Security 2 Specialized Areas of Security • Physical security • Personal security • Operations security • Communications security • Network security • Information Security • Computer Security
Management of Information Security 3
Information Security
• InfoSec includes information
security management, computer security, data security, and network security • Policy is central to all information security efforts Management of Information Security 4 History • Persons desiring secure communications have used wax seals. • Julius Caesar is credited with the invention of the Caesar cipher ca. 50 B.C. • The end of the 20th century and early years of the 21st century saw rapid advancements in telecommunications, computing hardware and software, and data encryption The History of Information Security • Computer security began immediately after the first mainframes were developed • Groups developing code-breaking computations during World War II created the first modern computers • Physical controls were needed to limit access to authorized personnel to sensitive military locations • Only rudimentary controls were available to defend against physical theft, espionage, and sabotage
Principles of Information Security - Chapter
Slide 7 1 Figure 1-1 – The Enigma
Principles of Information Security - Chapter
Slide 8 1 The 1960s • Department of Defense’s Advanced Research Project Agency (ARPA) began examining the feasibility of a redundant networked communications • Larry Roberts developed the project from its inception
Principles of Information Security - Chapter
Slide 9 1 The 1970s and 80s • ARPANET grew in popularity as did its potential for misuse • Fundamental problems with ARPANET security were identified – No safety procedures for dial-up connections to the ARPANET – User identification and authorization to the system were non-existent • In the late 1970s the microprocessor expanded computing capabilities and security threats Principles of Information Security - Chapter Slide 10 1 R-609 – The Start of the Study of Computer Security • Information Security began with Rand Report R-609 • The scope of computer security grew from physical security to include: – Safety of the data – Limiting unauthorized access to that data – Involvement of personnel from multiple levels of the organization Principles of Information Security - Chapter Slide 11 1 The 1990s • Networks of computers became more common, so too did the need to interconnect the networks • Resulted in the Internet, the first manifestation of a global network of networks • In early Internet deployments, security was treated as a low priority
Principles of Information Security - Chapter
Slide 12 1 The Present • The Internet has brought millions of computer networks into communication with each other – many of them unsecured • Ability to secure each now influenced by the security on every computer to which it is connected Principles of Information Security - Chapter Slide 13 1 Security • Multidisciplinary area of study and professional activity • Physical security, which encompasses strategies to protect people, physical assets, and the workplace from various threats including fire, unauthorized access, or natural disasters • Personal security, which overlaps with physical security in the protection of the people within the organization • Operations security, which focuses on securing the organization’s ability to carry out its operational activities without interruption or compromise • Communications security, which encompasses the protection of an organization’s communications media, technology, and content, and its ability to use these tools to achieve the organization’s objectives • Network security, which addresses the protection of an organization’s data networking devices, connections, and contents, and the ability to use that network to accomplish the organization’s data communication functions Balancing Security and Access • It is impossible to obtain perfect security - it is not an absolute; it is a process • Security should be considered a balance between protection and availability • To achieve balance, the level of security must allow reasonable access, yet protect against threats Principles of Information Security - Chapter Slide 15 1 Figure 1-6 – Balancing Security and Access
Principles of Information Security - Chapter
Slide 16 1 Critical Characteristics of Information • Confidentiality is the concealment of information or resources. – E.g., only sender, intended receiver should “understand” message contents • Authenticity is the identification and assurance of the origin of information. • Integrity refers to the trustworthiness of data or resources in terms of preventing improper and unauthorized changes. • Availability refers to the ability to use the information or resource desired. Critical Characteristics of Information Accuracy: Free from mistake or error and having the value that the end-user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate. Utility: The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end- user, it is not useful. Possession: The possession of Information security is the quality or state of having ownership or control of some object or item. Critical Characteristics of Information Privacy: The information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected. This definition of privacy does focus on freedom from observation (the meaning usually associated with the word), but rather means that information will be used only in ways known to the person providing it. Identification: An information system possesses the characteristic of identification when it is able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. Critical Characteristics of Information Accountability: The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability. Authorization: After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset. NSTISSC Security Model
• National Training Standard for Information security professionals
Components of a Computer-Based Information system • Hardware: machinery, computer ,CPU, and input and output devices, storage devices and communications devices. • Software: computer programs and the manuals Programs are generally stored on some input / output medium,often a disk or tape. • Data: Data are facts that are used by programs to produce useful information. stored in machine- readable form on disk or tape until the computer needs them. • Procedures: Procedures are the policies that govern the operation of a computer system. Procedures are to people what software is to hardware. • People: Every system needs people if it is to be useful. Security Threats and Attacks • A threat is a potential violation of security. – Flaws in design, implementation, and operation. • An attack is any action that violates security. – Active adversary • An attack has an implicit concept of “intent” – Router mis-configuration or server crash can also cause loss of availability, but they are not attacks Figure 1-5 – Subject and Object of Attack
Principles of Information Security - Chapter
Slide 24 1 Securing Components • Protecting the components from potential misuse and abuse by unauthorized users. • Subject of an attack – Computer is used as an active tool to conduct the attack. • Object of an attack – Computer itself is the entity being attacked