
Introduction

Information security involves three distinct
communities of interest:
– Information security managers and professionals
– Information technology managers and professionals
– Non-technical business managers and professionals

Management of Information Security 1


Communities of Interest
• InfoSec community: protect
information assets from threats
• IT community: support business
objectives by supplying
appropriate information
technology
• Business community: sets policy and
allocates resources
Specialized Areas of Security
• Physical security
• Personal security
• Operations security
• Communications security
• Network security
• Information Security
• Computer Security



Information Security

• InfoSec includes information security management,
computer security, data security, and network security
• Policy is central to all information security efforts
History
• People wanting secure communications have long
used wax seals.
• Julius Caesar is credited with the invention of
the Caesar cipher ca. 50 B.C.
• The end of the 20th century and early years of
the 21st century saw rapid advancements in
telecommunications, computing hardware
and software, and data encryption
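The Caesar cipher named above is worth seeing in code, because it shows why a cipher from 50 B.C. offers no confidentiality today. The Python below is an added example written for this edit, not code from the slides: it implements the shift and then the exhaustive key search that breaks it. With only 25 usable keys, an attacker who knows one likely word in the plaintext (the "crib") recovers the key at once. The sample message and crib are constructed for the example.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` places (mod 26); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def brute_force(ciphertext: str, crib: str) -> list:
    """Try all 25 non-trivial keys and keep those whose plaintext contains the crib.

    The key space is so small that this loop is the entire attack.
    """
    crib = crib.upper()
    hits = []
    for k in range(1, 26):
        candidate = caesar(ciphertext, -k)   # decrypt under key k
        if crib in candidate:
            hits.append((k, candidate))
    return hits

if __name__ == "__main__":
    ct = caesar("ATTACK AT DAWN", 3)        # constructed sample message, key 3
    print(ct)                               # DWWDFN DW GDZQ
    print(brute_force(ct, "attack"))        # [(3, 'ATTACK AT DAWN')]
```

The same brute-force loop is the template for any cipher whose key space is small enough to enumerate; modern ciphers are designed so that this loop would not finish in the lifetime of the universe.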
The History of Information Security
• Computer security began immediately after the first
mainframes were developed
• Groups developing code-breaking computations
during World War II created the first modern
computers
• Physical controls were needed to limit access to
sensitive military locations to authorized personnel
• Only rudimentary controls were available to defend
against physical theft, espionage, and sabotage

Principles of Information Security - Chapter 1, Slide 7
Figure 1-1 – The Enigma

The 1960s
• Department of Defense’s Advanced Research
Projects Agency (ARPA) began examining the
feasibility of redundant networked
communications
• Larry Roberts developed the project from its
inception
The 1970s and 80s
• ARPANET grew in popularity as did its potential for
misuse
• Fundamental problems with ARPANET security were
identified
– No safety procedures for dial-up connections to the
ARPANET
– User identification and authorization to the system were
non-existent
• In the late 1970s the microprocessor expanded
computing capabilities and security threats
R-609 – The Start of the Study of Computer
Security
• Information Security began with Rand Report
R-609
• The scope of computer security grew from
physical security to include:
– Safety of the data
– Limiting unauthorized access to that data
– Involvement of personnel from multiple levels of
the organization
The 1990s
• Networks of computers became more
common, so too did the need to interconnect
the networks
• Resulted in the Internet, the first
manifestation of a global network of networks
• In early Internet deployments, security was
treated as a low priority
The Present
• The Internet has brought millions of
computer networks into
communication with each other –
many of them unsecured
• Ability to secure each now
influenced by the security on every
computer to which it is connected
Security
• Multidisciplinary area of study and professional activity
• Physical security, which encompasses strategies to protect
people, physical assets, and the workplace from various threats
including fire, unauthorized access, or natural disasters
• Personal security, which overlaps with physical security in the
protection of the people within the organization
• Operations security, which focuses on securing the organization’s
ability to carry out its operational activities without interruption
or compromise
• Communications security, which encompasses the protection of
an organization’s communications media, technology, and
content, and its ability to use these tools to achieve the
organization’s objectives
• Network security, which addresses the protection of an
organization’s data networking devices, connections, and
contents, and the ability to use that network to accomplish the
organization’s data communication functions
Balancing Security and Access
• It is impossible to obtain perfect security
- it is not an absolute; it is a process
• Security should be considered a balance
between protection and availability
• To achieve balance, the level of security
must allow reasonable access, yet
protect against threats
Figure 1-6 – Balancing Security and
Access
Critical Characteristics of Information
• Confidentiality is the concealment of information
or resources.
– E.g., only sender, intended receiver should
“understand” message contents
• Authenticity is the identification and assurance
of the origin of information.
• Integrity refers to the trustworthiness of data or
resources in terms of preventing improper and
unauthorized changes.
• Availability refers to the ability to use the
information or resource desired.
Critical Characteristics of Information
Accuracy: Free from mistake or error and having the
value that the end-user expects. If information
contains a value different from the user’s expectations
due to the intentional or unintentional modification of
its content, it is no longer accurate.
Utility: The quality or state of having value for some
purpose or end. Information has value when it serves
a particular purpose. This means that if information is
available, but not in a format meaningful to the end-
user, it is not useful.
Possession: The possession of information is the
quality or state of having ownership or control of
some object or item.
Critical Characteristics of Information
Privacy: The information that is collected, used, and
stored by an organization is to be used only for the
purposes stated to the data owner at the time it was
collected. This definition of privacy does not focus
on freedom from observation (the meaning usually
associated with the word), but rather means that
information will be used only in ways known to the
person providing it.
Identification: An information system possesses the
characteristic of identification when it is able to
recognize individual users. Identification and
authentication are essential to establishing the level
of access or authorization that an individual is
granted.
Critical Characteristics of Information
Accountability: The characteristic of accountability
exists when a control provides assurance that
every activity undertaken can be attributed to a
named person or automated process. For
example, audit logs that track user activity on an
information system provide accountability.
Authorization: After the identity of a user is
authenticated, a process called authorization
provides assurance that the user (whether a
person or a computer) has been specifically and
explicitly authorized by the proper authority to
access, update, or delete the contents of an
information asset.
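Identification, accountability, and authorization are easiest to see working together. The Python below is an added example written for this edit, not code from the slides or their textbook. It keeps a constructed user store (salted PBKDF2 password hashes), a constructed access-control list, and an audit log in which every access decision is attributed to a named principal and chained with an HMAC, so that altering or deleting a record is detectable. The log key, usernames, passwords, and object names are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# --- Identification and authentication --------------------------------------
# Constructed user store for this example: username -> (salt, PBKDF2 hash).
# PBKDF2-HMAC-SHA256 is used only because it ships with the standard library;
# a memory-hard KDF (scrypt/Argon2) is the better choice in production.
_USERS: Dict[str, Tuple[bytes, bytes]] = {}

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def register(username: str, password: str, salt: bytes) -> None:
    """Create an identity. The salt is a parameter only to keep the example deterministic."""
    _USERS[username] = (salt, _derive(password, salt))

def authenticate(username: str, password: str) -> bool:
    """Identification (look the username up) followed by authentication (check the password)."""
    if username not in _USERS:
        _derive(password, b"\x00" * 16)   # same cost for unknown users: no timing oracle on usernames
        return False
    salt, expected = _USERS[username]
    return hmac.compare_digest(_derive(password, salt), expected)

# --- Authorization ----------------------------------------------------------
# Constructed ACL: object -> principal -> actions explicitly granted.
ACL: Dict[str, Dict[str, set]] = {
    "payroll.csv": {"alice": {"read", "update"}, "bob": {"read"}},
    "backup.sh": {"alice": {"read"}},
}

def authorized(principal: str, action: str, obj: str) -> bool:
    """Default deny: only an explicit grant permits the action."""
    return action in ACL.get(obj, {}).get(principal, set())

# --- Accountability: tamper-evident audit log -------------------------------
# Every record names the actor and carries an HMAC over its own fields plus the
# previous record's MAC, so altering or dropping a record breaks the chain.
LOG_KEY = b"constructed-audit-key-held-only-by-the-log-server"
_FIELDS = ("seq", "actor", "action", "object", "outcome")

def _mac(prev: str, fields: dict) -> str:
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(LOG_KEY, prev.encode() + body, hashlib.sha256).hexdigest()

def append_record(log: List[dict], actor: str, action: str, obj: str, outcome: str) -> dict:
    fields = {"seq": len(log), "actor": actor, "action": action, "object": obj, "outcome": outcome}
    prev = log[-1]["mac"] if log else ""
    record = dict(fields, prev=prev, mac=_mac(prev, fields))
    log.append(record)
    return record

def verify_log(log: List[dict]) -> Optional[int]:
    """Return the index of the first record that fails verification, or None if the chain is intact."""
    prev = ""
    for i, rec in enumerate(log):
        fields = {k: rec[k] for k in _FIELDS}
        if rec["seq"] != i or rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(prev, fields)):
            return i
        prev = rec["mac"]
    return None

# --- The characteristics working together -----------------------------------
def access(log: List[dict], username: str, password: str, action: str, obj: str) -> str:
    """Identify, authenticate, authorize, and record the decision under the actor's name."""
    if not authenticate(username, password):
        outcome = "denied:authentication"
    elif not authorized(username, action, obj):
        outcome = "denied:authorization"
    else:
        outcome = "allowed"
    append_record(log, username, action, obj, outcome)   # denials are logged too
    return outcome

if __name__ == "__main__":
    register("alice", "correct horse battery staple", b"salt-alice-0001")
    register("bob", "hunter2", b"salt-bob-000001")
    log: List[dict] = []
    print(access(log, "alice", "correct horse battery staple", "update", "payroll.csv"))  # allowed
    print(access(log, "bob", "hunter2", "update", "payroll.csv"))   # denied:authorization
    print(access(log, "mallory", "guess", "read", "payroll.csv"))   # denied:authentication
    print(verify_log(log))          # None: chain intact
    log[1]["outcome"] = "allowed"   # someone rewrites history
    print(verify_log(log))          # 1: the edited record is caught
```

Two design points matter for accountability in practice: denied attempts are recorded as well as successes, since a pattern of denials is often the first sign of an attack, and the log key is held by a separate log server, because a chain keyed with a secret the application itself holds can be rewritten by whoever compromises the application.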
NSTISSC Security Model

• Based on the National Training Standard for Information Systems Security (INFOSEC) Professionals (NSTISSI No. 4011)


Components of a Computer-Based
Information system
• Hardware: machinery, including the computer, CPU, input and
output devices, storage devices, and communications
devices.
• Software: computer programs and their manuals. Programs
are generally stored on some input/output medium, often a
disk or tape.
• Data: facts that are used by programs to produce useful
information. Data are stored in machine-readable form on
disk or tape until the computer needs them.
• Procedures: the policies that govern the operation of a
computer system. Procedures are to people what software
is to hardware.
• People: every system needs people if it is to be useful.
Security Threats and Attacks
• A threat is a potential violation of security.
– Threats exploit flaws in design, implementation, and operation.
• An attack is any action that violates security.
– Active adversary
• An attack has an implicit concept of “intent”
– Router mis-configuration or server crash can also
cause loss of availability, but they are not attacks
Figure 1-5 – Subject and Object of
Attack
Securing Components
• Protecting the components from potential
misuse and abuse by unauthorized users.
• Subject of an attack – Computer is used as an
active tool to conduct the attack.
• Object of an attack – Computer itself is the
entity being attacked