Introduction To Information Security
INFORMATION SECURITY
JOHN PAUL B. PALMA
Source: M. E. Whitman and H. J. Mattord, Principles of Information Security, 6th ed. Boston, Mass.: Cengage Learning, 2018.
LEARNING OBJECTIVES
• Define Information Security
• History of Computer Security and Evolution to Information Security
• Key Terms and Critical Concepts of Information Security
• Role of Security in the Systems Development Life Cycle (SDLC)
• Information Security Roles
WHAT IS INFORMATION SECURITY?
• Information – Processed, organized and structured data. It provides context for data and enables decision making.
HISTORY OF INFORMATION SECURITY
“Advice about keeping secrets: it’s a lot easier if you don’t know them in the first place” – Alan Turing, The Imitation Game
Wikipedia Contributors, “Alan Turing,” Wikipedia, Mar. 23, 2019. https://en.wikipedia.org/wiki/Alan_Turing.
HISTORY OF INFORMATION SECURITY
1960
• During the Cold War, more mainframe computers were brought online.
• The Department of Defense’s Advanced Research Projects Agency (ARPA) began examining the feasibility of networking and resource sharing.
• 1968: Dr. Larry Roberts developed the ARPANET.
• ARPANET evolved into what we now know as the INTERNET.
1970
• ARPANET grew in popularity, as did its potential for misuse.
• Internet pioneer Robert M. Metcalfe identified fundamental problems with ARPANET security:
  - No sufficient controls and safeguards to protect data from unauthorized remote users.
  - Vulnerability of password structure and formats.
  - Lack of safety procedures for dial-up connections to ARPANET.
  - Non-existent user identification and authorization to the system.
1980
• Information security began with RAND Report R-609. The scope of computer security grew from physical security to include:
  - Safety of data.
  - Limiting random and unauthorized access to that data.
  - Involvement of personnel from multiple levels of an organization in information security.
HISTORY OF INFORMATION SECURITY
1970
• The UNIX operating system was created. The password function became the simplest component of security for this system.
• The microprocessor brought the personal computer (PC) and a new age of computing.
• The PC became the workhorse of modern computing, moving it out of the data center.
1980
• Early 1980s: Transmission Control Protocol (TCP) and Internet Protocol (IP) were developed and became the primary protocols for the ARPANET.
• The Domain Name System (DNS) was developed.
• The first dial-up Internet service provider (ISP), The World, operated by Standard Tool & Die, went online.
• Internet access was made available to home users.
1990
• The US Government passed several key pieces of legislation that formalized the recognition of computer security as a critical issue for federal information systems:
  - Computer Fraud and Abuse Act of 1986
  - Computer Security Act of 1987
• In 1988, the Defense Advanced Research Projects Agency (DARPA) within the Department of Defense created the Computer Emergency Response Team (CERT) to address network security.
HISTORY OF INFORMATION SECURITY
1990
• The Internet was commercialized: the first global network of networks.
• Early Internet deployment treated security as a LOW priority.
• As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats.
2000
• In 1993, the first DEFCON conference was held in Vegas, an interesting venue for the exchange of information between two adversarial groups:
  - White hats – Law enforcement and security professionals
  - Black hats – Hackers and computer criminals
• Large corporations began publicly integrating security into their organizations.
• Antivirus products became extremely popular, and information security began to emerge as an independent discipline.
Present
• The Internet brings millions of unsecured computer networks and billions of computer systems into continuous communication with each other.
• Growing threat of cyberattacks.
• Growing concern about the threat of nation-states engaging in information warfare.
• Laws were amended to support information security:
  - Sarbanes-Oxley (SOX) – Laws related to privacy and corporate responsibility.
  - USA Patriot Act of 2001 – Major legislation changes to facilitate law enforcement’s ability to collect information about terrorism.
WHAT IS SECURITY?
• Security – A state of being secure and free from danger or harm. Also, the actions taken to
make someone or something secure.
“SECURITY IS PROTECTION”
• Key Terms:
• C.I.A. Triad – The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
• Communication Security – The protection of all communications media, technology, and content.
• Information Security – Protection of the confidentiality, integrity and availability of information assets,
whether in storage, processing, or transmission, via the application of policy, education, training and
awareness, and technology.
• Network Security – A subset of communications security; the protection of voice and data networking
components, connections and content.
WHAT IS SECURITY?
[Figure: Critical characteristics of information (expanded CIA triad): availability, accuracy, authenticity, confidentiality, integrity, utility, possession.]
KEY INFORMATION SECURITY CONCEPTS
[Figure: key information security concepts – protection profile, exposure, loss, risk, subjects, threat, threat source, threat agent, threat event, vulnerability.]
COMPONENTS OF INFORMATION SYSTEM
• Information System (IS) – The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.
APPROACHES TO INFORMATION SECURITY IMPLEMENTATION
• Bottom-up approach – A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
• Top-down approach – A methodology of establishing security policies and/or practices that is initiated by upper management.
SECURITY IN THE SYSTEMS DEVELOPMENT LIFE CYCLE
• System Development Life Cycle (SDLC) – A methodology for the design and implementation of an information system.
• Waterfall model (Traditional) – A type of SDLC in which each phase of the process “flows from” the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
• Software Assurance (SA) – A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages.
“To be most effective, information security must be integrated into the SDLC from system inception.” – NIST Special Publication 800-64, rev. 2
SECURITY IN THE SYSTEMS DEVELOPMENT LIFE CYCLE
1. Investigation (Most important)
• What problem is the system being developed to solve?
• During this phase, the objectives, constraints, and scope of the project are specified.
• Cost-benefit analysis
2. Analysis
• Utilizes the information gained from the Investigation phase to determine what the new system is expected to do and how it will interact with existing systems.
SECURITY IN THE SYSTEMS DEVELOPMENT LIFE CYCLE
3. Logical Design
• Creation of a systems solution for a business problem.
• Logical design, therefore, is the blueprint for the desired solution.
4. Physical Design
• Specific technologies are selected to support the alternatives identified and evaluated in the logical design.
SECURITY IN THE SYSTEMS DEVELOPMENT LIFE CYCLE
5. Implementation
• Any needed software is created.
• Components are ordered, received, and tested.
• Users are trained and supporting documentation created.
SECURITY PROFESSIONALS AND THE ORGANIZATION
• Chief Executive Officer (CEO) – Highest ranking person in a company.
• Chief Information Officer (CIO) – An executive-level position that oversees the organization’s computing technology and strives to create efficiency in the processing and access of the organization’s information.
• Chief Information Security Officer (CISO) – Top information security officer in an organization.
SECURITY PROFESSIONALS AND THE ORGANIZATION
• Information Security Project Team – A small functional team of people who are experienced in one or multiple facets of the required technical and non-technical areas for the project to which they are assigned. Its members include:
  - Champion
  - Team Leader
  - Security policy developers
  - Risk assessment specialists
  - Security professionals
  - Systems administrators
  - End users
DATA RESPONSIBILITIES
• Types of data ownership and their respective responsibilities
1. Data Owners - Members of senior management who are responsible for the security and
use of a particular set of information. The data owners usually determine the level of data
classification.
2. Data Custodians - Working directly with data owners, data custodians are responsible
for the information and the systems that process, transmit, and store it.
SUMMARY
Information security evolved from the early field of computer security.
Security is protection from danger. There are many types of security:
• Physical security
• Personal security
• Operations security
• Communications security
• And many more…
Information security is the protection of information assets that use, store, or transmit information through the application of policy, education, and technology.
The critical characteristics of information, including confidentiality, integrity, and availability (the C.I.A. triad), must be protected all the time. This protection is implemented by multiple measures that include policies, education, training and awareness, and technology.
Information systems are made up of the major components of hardware, software, data, people, procedures, and networks.
Upper management drives the top-down approach to security implementation, in contrast with the bottom-up approach or grassroots effort, in which individuals choose security implementation strategies.
SUMMARY
Information security should be implemented in every major system. One approach is to ensure that security is a part of the organization’s system development methodology. DevOps and SecOps are emerging accelerated development models that merge development and operational skills.
Software assurance is a methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages.
The control and use of data in the organization is accomplished by:
• Data owners, who are responsible for the security and use of a particular set of information.
• Data custodians, who are responsible for the storage, maintenance, and protection of the information.
• Data users, who work with the information to perform their daily jobs and support the mission of the organization.