Information security
a "well-informed sense of assurance that the information risks and controls are in balance." —James Anderson, Inovant (2002)
INFOSEC
The U.S. Government's National Information Assurance Glossary defines _____________ as:
"Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats."
mainframes
The history of information security
Began immediately after the first _______________ were developed
code-breaking computations
The history of information security
Groups developing __________________ during World War II created the first modern computers
military locations
The history of information security
Physical controls to limit access to sensitive __________________ to authorized personnel
physical theft, espionage, and sabotage
The history of information security
Rudimentary in defending against ________________, ________________, and ________________
Enigma
The history of information security
Earlier versions of the German code machine _____________ were first broken by the Poles in the 1930s. The British and Americans managed to break later, more complex versions during World War II.
submarine or Unterseeboot
The history of information security
The increasingly complex versions of the Enigma, especially the _____________ or _____________ version of the Enigma, caused considerable anguish to Allied forces before finally being cracked. The information gained from decrypted transmissions was used to anticipate the actions of German armed forces. "Some ask why, if we were reading the Enigma, we did not win the war earlier. One might ask, instead, when, if ever, we would have won the war if we hadn't read it."
Advanced Research Procurement Agency (ARPA)
The 1960's
________________ began to examine feasibility of redundant networked communications
Larry Roberts
The 1960's
developed ARPANET from its inception
The 1970's and 80's
•ARPANET grew in popularity as did its potential for misuse
•Fundamental problems with ARPANET security were identified
•No safety procedures for dial-up connections to ARPANET
•Non-existent user identification and authorization to system
Late 1970s
microprocessor expanded computing capabilities and security threats
R-609
•Scope of computer security grew from physical security to include:
•Safety of data
•Limiting unauthorized access to data
•Involvement of personnel from multiple levels of an organization
Rand Report R-609
Information security began with ________________ (paper that started the study of computer security)
The 1990's
•Networks of computers became more common; so too did the need to interconnect networks
•Internet became first manifestation of a global network of networks
•In early Internet deployments, security was treated as a low priority
2000 to the present
•The Internet brings millions of computer networks into communication with each other—many of them unsecured
•Ability to secure a computer's data influenced by the security of every computer to which it is connected
Security
•"The quality or state of being secure—to be free from danger"
•A successful organization should have multiple layers of security in place:
•Physical security
•Personal security
•Operations security
•Communications security
•Network security
•Information security
Physical security
to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
Personal security
to protect the individual or group of individuals who are authorized to access the organization and its operations
Operations security
to protect the details of a particular operation or series of activities.
Communications security
to protect an organization's communications media, technology, and content
Network security
to protect networking components, connections, and contents.
Information Security
•The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
•Necessary tools: policy, awareness, training, education, technology
C.I.A. triangle
standard based on confidentiality, integrity, and availability. This has now expanded into a list of critical characteristics of information
C.I.A. triangle
- confidentiality
- integrity
- availability
Confidentiality
refers to an organization's efforts to keep their data private or secret. In practice, it's about controlling access to data to prevent unauthorized disclosure. Typically, this involves ensuring that only those who are authorized have access to specific assets and that those who are unauthorized are actively prevented from obtaining access. As an example, only authorized Payroll employees should have access to the employee payroll database.
Integrity
refers to the quality of something being whole or complete. In InfoSec, __________ is about ensuring that data has not been tampered with and, therefore, can be trusted. It is correct, authentic, and reliable. Ecommerce customers, for example, expect product and pricing information to be accurate, and that quantity, pricing, availability, and other information will not be altered after they place an order. Banking customers need to be able to trust that their banking information and account balances have not been tampered with.
Availability
Systems, applications, and data are of little value to an organization and its customers if they are not accessible when authorized users need them. Quite simply, ____________ means that networks, systems, and applications are up and running. It ensures that authorized users have timely, reliable access to resources when they are needed.
Least Privilege
users should be granted the minimum amount of access (authorization) required to do their jobs, but no more
Need to Know
is more granular than least privilege, as the user must need to know that specific piece of information before accessing it
Non-Repudiation
a user cannot deny (repudiate) having performed a transaction.
Non-Repudiation
It combines authenticity and integrity. ____________ authenticates the identity of a user who performs a transaction and ensures the integrity of the transaction
Identity
IAAA
Is a claim
Authentication
IAAA
Is the proof of identity
Authorization
IAAA
Describes the actions you can perform on a system once you have identified and authenticated
Accountability
IAAA
Holds users accountable for their actions
Critical characteristics of Information
The value of information comes from the characteristics it possesses:
•Availability
•Accuracy
•Authenticity
•Confidentiality
•Integrity
•Utility
•Possession
Components of an information system
- hardware
- software
- data
- people
- procedures
- networks
Software
Components of an information system
comprises applications, operating systems, and assorted command utilities. ___________ is perhaps the most difficult IS component to secure
Software
Components of an information system
The exploitation of errors in software programming accounts for a substantial portion of the attacks on information. The information technology industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems in software. In fact, many facets of daily life are affected by buggy software, from smartphones that crash
Hardware
Components of an information system
physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft
Hardware
Components of an information system
Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information.
Networks
Components of an information system
The IS component that created much of the need for increased computer and information security is networking. When information systems are connected to each other to form local area networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge.
Networks
Components of an information system
The physical technology that enables network functions is becoming more and more accessible to organizations of every size. Applying the traditional tools of physical security, such as locks and keys, to restrict access to and interaction with the hardware components of an information system is still important; but when computer systems are networked, this approach is no longer enough.
People
Components of an information system
Though often overlooked in computer security considerations, people have always been a threat to information security. Legend has it that around 200 B.C. a great army threatened the security and stability of the Chinese empire. So ferocious were the invaders that the Chinese emperor commanded the construction of a great wall that would defend against the Hun invaders. Whether this event actually occurred or not, the moral of the story is that people can be the weakest link in an organization's information security program. And unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link.
Securing components
Computer can be subject of an attack and/or the object of an attack
-When the subject of an attack, computer is used as an active tool to conduct attack
-When the object of an attack, computer is the entity being attacked
Balancing information security & access
•Impossible to obtain perfect security—it is a process, not an absolute
•Security should be considered balance between protection and availability
•To achieve balance, level of security must allow reasonable access, yet protect against threats
Approaches to information security implementation:
Bottom-up approach
•Grassroots effort: systems administrators attempt to improve security of their systems
•Key advantage: technical expertise of individual administrators
•Seldom works, as it lacks a number of critical features:
-Participant support
-Organizational staying power
Approaches to information security implementation:
Top-down approach
•Initiated by upper management
-Issue policy, procedures and processes
-Dictate goals and expected outcomes of project
-Determine accountability for each required action
Approaches to information security implementation:
Top-down approach
The most successful also involve formal development strategy referred to as systems development life cycle
Systems development life cycle (SDLC)
•methodology and design for implementation of information security within an organization
•Methodology is formal approach to problem-solving based on structured sequence of procedures
•Using a methodology
•ensures a rigorous process
•avoids missing steps
•Goal is creating a comprehensive security posture/program
•Traditional SDLC consists of six general phases
The systems development life cycle: investigation
•What problem is the system being developed to solve?
•Objectives, constraints and scope of project are specified
•Preliminary cost-benefit analysis is developed
•At the end, feasibility analysis is performed to assess economic, technical, and behavioral feasibilities of the process
The systems development life cycle: analysis
•Consists of assessments of the organization, status of current systems, and capability to support proposed systems
•Analysts determine what new system is expected to do and how it will interact with existing systems
•Ends with documentation of findings and update of feasibility analysis
The systems development life cycle: logical design
•Main factor is business need; applications capable of providing needed services are selected
•Data support and structures capable of providing the needed inputs are identified
•Technologies to implement physical solution are determined
•Feasibility analysis performed at the end
The systems development life cycle: physical design
•Technologies to support the alternatives identified and evaluated in the logical design are selected
•Components evaluated on make-or-buy decision
•Feasibility analysis performed; entire solution presented to end-user representatives for approval
The systems development life cycle: implementation
•Needed software created; components ordered, received, assembled, and tested
•Users trained and documentation created
•Feasibility analysis prepared; users presented with system for performance review and acceptance test
The systems development life cycle: maintenance & change
•Consists of tasks necessary to support and modify system for remainder of its useful life
•Life cycle continues until the process begins again from the investigation phase
•When current system can no longer support the organization's mission, a new project is implemented
The security systems development life cycle
The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS project. While the two processes may differ in intent and specific activities, the overall methodology is the same. At its heart, implementing information security involves identifying specific threats and creating specific controls to counter those threats.
The security systems development life cycle
•Identification of specific threats and creating controls to counter them
•SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions
Investigation
The security systems development life cycle
•Identifies process, outcomes, goals, and constraints of the project
•Begins with enterprise information security policy
•Organizational feasibility analysis is performed
Analysis
The security systems development life cycle
•Documents from investigation phase are studied
•Analyzes existing security policies or programs, along with documented current threats and associated controls
•Includes analysis of relevant legal issues that could impact design of the security solution
•The risk management task begins
Logical Design
The security systems development life cycle
•Creates and develops blueprints for information security
•Incident response actions planned:
-Continuity planning
-Incident response
-Disaster recovery
•Feasibility analysis to determine whether project should continue or be outsourced
Physical Design
The security systems development life cycle
•Needed security technology is evaluated, alternatives generated, and final design selected
•At end of the phase, a feasibility study determines readiness of organization for project
Implementation
The security systems development life cycle
•Security solutions are acquired, tested, implemented, and tested again
•Personnel issues evaluated; specific training and education programs conducted
•Entire tested package is presented to management for final approval
Maintenance and Change
The security systems development life cycle
•Perhaps the most important phase, given the ever-changing threat environment
•Often, reparation and restoration of information is a constant duel with an unseen adversary
•Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
security professionals & the organization
Wide range of professionals required to support a diverse information security program
Senior management
security professionals & the organization
___________________ is key component; also, additional administrative support and technical expertise required to implement details of IS program
Chief Information Officer (CIO)
Senior management
-Senior technology officer
-Primarily responsible for advising senior executives on strategic planning
Chief Information Security Officer (CISO)
Senior management
-Primarily responsible for assessment, management, and implementation of IS in the organization
-Usually reports directly to the CIO
Information security project team
A number of individuals who are experienced in one or more facets of technical and non-technical areas:
-Champion
-Team leader
-Security policy developers
-Risk assessment specialists
-Security professionals
-Systems administrators
-End users
Data Owner
Data responsibilities
responsible for the security and use of a particular set of information
Data Custodian
Data responsibilities
responsible for storage, maintenance, and protection of information
Data Users
Data responsibilities
end users who work with information to perform their daily jobs supporting the mission of the organization
Protection profile or security posture
Key information security concepts
The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset. The terms are sometimes used interchangeably with the term security program, although the security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.
Risk
Key information security concepts
The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk the organization is willing to accept.
Subjects and objects
Key information security concepts
A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack—the target entity.
Threat
Key information security concepts
A category of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be purposeful or undirected. For example, hackers purposefully threaten unprotected information systems, while severe storms incidentally threaten buildings and their contents.
Threat agent
Key information security concepts
The specific instance or a component of a threat. For example, all hackers in the world present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone systems, is a specific threat agent. Likewise, a lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms.
Vulnerability
Key information security concepts
A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).
Access
Key information security concepts
A subject or object's ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability.
Asset
Key information security concepts
The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect.
Attack
Key information security concepts
An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect.
Control, safeguard, or countermeasure
Key information security concepts
Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
Exploit
Key information security concepts
A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or is created by the attacker. Exploits make use of existing software tools or custom-made software components.
Exposure
Key information security concepts
A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.
Loss
Key information security concepts
A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure. When an organization's information is stolen, it has suffered a loss.