Module 1: Introduction to Information Security

The History of Information Security

In 1590, King Henry IV of France intercepted mail communications, read them, and resealed them to avoid discovery.

The French telegraph system was compromised in 1836 for government bond market manipulation.

Telephone system toll fraud attacks are recorded as early as the late 1800s.

“The Black Chamber,” an early predecessor to the NSA, started in 1919 and was shut down in 1929 because the government thought it was rude to break other people’s encryption.

The Enigma

Earlier versions of the German code machine Enigma were first broken by the Poles in the 1930s. The British and Americans managed to break later, more complex versions during WW2. The increasingly complex versions of the Enigma, especially the submarine (Unterseeboot) version, caused considerable anguish to Allied forces before finally being cracked. The information gained from decrypted transmissions was used to anticipate the actions of the German armed forces. “Some ask why, if we were reading the Enigma, we did not win the war earlier. One might ask, instead, when, if ever, we would have won the war if we hadn’t read it.”

Continuation of History of Information Security

Computer Security began immediately after the first mainframes were developed. Groups developing code-breaking computations during WW2 created the first modern computers. Multiple levels of security were implemented to protect these devices.

During these early years, information security was a straightforward process composed predominantly of physical security and simple document classification schemes.

The primary threats to security were physical theft of equipment, espionage against products of the systems, and sabotage.

The 1960s

During the Cold War, many more mainframe computers were brought online to accomplish more complex and sophisticated tasks.

The Advanced Research Projects Agency (ARPA) began to examine the feasibility of a redundant, networked communications system.

Larry Roberts led the development of the ARPANET, which evolved into what we now know as the internet.

The 1970s and ‘80s

ARPANET grew in popularity, increasing the potential for misuse.

Fundamental problems with ARPANET security were identified. Individual remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users. Other problems included vulnerability of password structure and formats, lack of safety procedures for dial-up connections, and nonexistent user identification and authorizations.

Information security began with RAND Report R-609 -- the paper that started the study of computer security and identified the role of management and policy issues in it.

The scope of computer security grew from physical security to include securing the data, limiting random and unauthorized access to data, and involving personnel from multiple levels of the organization in information security.

MULTICS

Early research on computer security centered on a system called Multiplexed Information and Computing Service (MULTICS).

MULTICS was the first operating system created with security integrated into its core functions.

This mainframe, time-sharing OS was developed in the mid-1960s by General Electric (GE), Bell Labs, and MIT.

Several key MULTICS players went on to create UNIX. The primary purpose of UNIX was text processing.

Late 1970s: The microprocessor expanded computing capabilities and security threats.

The 1990s

Networks of computers became more common, as did the need to connect them to each other.

The internet became the first global network of networks.

Initially, network connections were based on de facto standards.

In early internet deployments, security was treated as a low priority.

In the late 1990s and into the 2000s, many large corporations began publicly integrating security into their organizations.

Information security began to emerge as an independent discipline.

2000 to Present

The internet brings millions of unsecured computer networks and billions of computer systems into continuous communication with each other.

The ability to secure a computer’s data is influenced by the security of every computer to which it is connected.

The growing threat of cyberattacks has increased awareness of the need for improved security.

The threat environment has grown from the semiprofessional hacker defacing Web sites for amusement to professional cybercriminals maximizing revenue from theft and extortion, as well as government-sponsored cyberwarfare groups striking military, government, and commercial targets.

What is Security?

“A state of being secure and free from danger or harm; the actions taken to make someone or something secure.”

“The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information” (CNSS).

InfoSec includes information security management, data security, and network security.

The C.I.A. triad is a standard based on confidentiality, integrity, and availability; it is now viewed as inadequate. The expanded model consists of a list of critical characteristics of information.

Critical Characteristics of Information

The value of information comes from the characteristics it possesses: Confidentiality, Integrity, Availability, Accuracy, Authenticity, Utility, Possession.

Confidentiality: The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.

Integrity: The quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.

Availability: Enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format.

Accuracy: Free from mistake or error and having the value that the end user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.

Authenticity: The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

Utility: The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.

Possession: The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.

Components of an Information System

An information system (IS) is the entire set of hardware, software, data, people, procedures, and networks that enable a business to use information.

All of them work together to support personal and professional operations.

Each one has its own strengths and weaknesses, as well as its own characteristics and uses.

Each one has its own security requirements.

Balancing Information Security and Access

It is impossible to obtain perfect information security; it is a process, not a goal.

Security should be considered a balance between protection and availability.

To achieve balance, the level of security must allow reasonable access, yet protect against threats.

Approaches to Information Security Implementation: Bottom-Up Approach

Grassroots effort: systems administrators work to improve the security of their own systems.

Key advantage: technical expertise of individual administrators.

It seldom works, as it lacks a number of critical features: participant support and organizational staying power.

Approaches to Information Security Implementation: Top-Down Approach

Initiated by upper management, which issues policy, procedures, and processes; dictates the goals and expected outcomes of the project; and determines accountability for each required action.

The most successful type of top-down approach also involves a formal development strategy referred to as a systems development life cycle.

Approaches to Information Security Implementation

Organizational chart, from the top level down:

CEO

CFO, CIO, COO

CISO, VP-Systems, VP-Networks

Security Mgr, Systems Mgr, Network Mgr

Security Admin, Systems Admin, Network Admin

Security Tech, Systems Tech, Network Tech

Top-Down: starts from the CEO.

Bottom-Up: starts from the Techs.

Security Professionals and the Organization

A wide range of professionals are required to support a diverse information security program.

Senior management support is the key component.

Additional administrative support and technical expertise are required to implement details of an IS program.

Senior Management

Chief Information Officer (CIO): Senior technology officer. Primarily responsible for advising the senior executives on strategic planning that affects the management of information in the organization.

Chief Information Security Officer (CISO): Has primary responsibility for assessment, management, and implementation of InfoSec in the organization. Usually reports directly to the CIO.

The CISO’s Place and Roles

Reporting chain: CEO, then CIO, then CISO.

CISO roles: Policy, Risk Management, Technology.

Information Security and Project Team

A small functional team of people who are experienced in one or multiple facets of required technical and nontechnical areas: Champion, Team leader, Security policy developers, Risk assessment specialists, Security Professionals, Systems administrators, End Users.

Data Responsibilities

Data owners: Senior management responsible for the security and use of a particular set of information.

Data custodians: responsible for the information and for the systems that process, transmit, and store it.

Data trustees: appointed by data owners to oversee the management of a particular set of information and to coordinate with data custodians for its storage, protection, and use.

Data users: have access to information and thus an information security role.

Communities of Interest

A group of individuals united by similar interests or values within an organization.

Information security management and professionals.

Information technology management and professionals.

Organizational management and professionals.

Information Security: Is it an Art or a Science?

Implementation of information security is often described as a combination of art and science.

“Security artisan” idea: based on the way individuals perceive system technologists and their abilities.

Security as art: no hard-and-fast rules nor many universally accepted complete solutions; no manual for implementing security throughout the entire system.

Security as science: technology is developed by scientists and engineers; specific conditions cause virtually all actions in computer systems; almost every security issue is a result of the interaction of specific hardware and software; with sufficient time, developers could resolve all faults.

Security as a Social Science

Social science examines the behavior of individuals interacting with systems.

Security begins and ends with the people who interact with the system, intentionally or otherwise.

Security administrators can greatly reduce the levels of risk caused by end users and create more acceptable and supportable security profiles.

Summary

Information security has been around for a long time.

Modern information security evolved from the early field of computer security.

Security is protection from danger. There are many types of security: physical security, personal security, and network security, to name a few.

Information security is the protection of information assets that use, store, or transmit information through the application of policy, education, and technology.

The critical characteristics of information, including confidentiality, integrity, and availability (The C.I.A. Triad), must be protected at all times. This protection is implemented by multiple measures that include policies, education, training and awareness, and technology.

Information systems are made up of the major components of hardware, software, data, people, procedures, and networks.

Upper management drives the top-down approach to security implementation, in contrast with the bottom-up approach or grassroots effort, in which individuals choose security implementation strategies.

The control and use of data in the organization are accomplished by the following parties: data owners, data custodians, data trustees, and data users.

Each organization has a culture in which communities of interest are united by similar values and share common objectives. The three communities in information security are general management, IT management, and information security management.

Information security has been described as both an art and a science, and it comprises many aspects of social science as well.
