
Learning Objectives Upon completion of this material, you should be able to:


heidik

Presentation Transcript


1. Principles of Information Security, 3rd Edition
Learning Objectives
Upon completion of this material, you should be able to:
• Define information security
• Relate the history of computer security and how it evolved into information security
• Define key terms and critical concepts of information security as presented in this chapter
• Discuss the phases of the security systems development life cycle
• Present the roles of professionals involved in information security within an organization

2. Introduction
• Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” — Jim Anderson, Inovant (2002)
• It is necessary to review the origins of this field and its impact on our understanding of information security today

3. The History of Information Security
• Began immediately after the first mainframes were developed
• Groups developing code-breaking computations during World War II created the first modern computers
• Physical controls were used to limit access to sensitive military locations to authorized personnel
• These controls were rudimentary in defending against physical theft, espionage, and sabotage

4. Figure 1-1 – The Enigma

5. The 1960s
• The Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications
• Larry Roberts developed ARPANET from its inception

6. Figure 1-2 – ARPANET

7. The 1970s and 80s
• ARPANET grew in popularity, as did its potential for misuse
• Fundamental problems with ARPANET security were identified:
  • No safety procedures for dial-up connections to ARPANET
  • Nonexistent user identification and authorization to the system
• Late 1970s: the microprocessor expanded computing capabilities and security threats

8. The 1970s and 80s (continued)
• Information security began with Rand Report R-609, the paper that started the study of computer security
• The scope of computer security grew from physical security to include:
  • Safety of data
  • Limiting unauthorized access to data
  • Involvement of personnel from multiple levels of an organization

9. MULTICS
• The early focus of computer security research was a system called Multiplexed Information and Computing Service (MULTICS)
• First operating system created with security as its primary goal
• Mainframe, time-sharing OS developed in the mid-1960s by General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT)
• Several MULTICS key players went on to create UNIX
• The primary purpose of UNIX was text processing

10. The 1990s
• Networks of computers became more common; so too did the need to interconnect networks
• The Internet became the first manifestation of a global network of networks
• In early Internet deployments, security was treated as a low priority

11. The Present
• The Internet brings millions of computer networks into communication with each other—many of them unsecured
• The ability to secure a computer’s data is influenced by the security of every computer to which it is connected

12. What is Security?
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
  • Physical security
  • Personal security
  • Operations security
  • Communications security
  • Network security
  • Information security

13. What is Security? (continued)
• Information security: the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• The C.I.A. triangle was the standard, based on confidentiality, integrity, and availability
• The C.I.A. triangle has now been expanded into a list of critical characteristics of information

14. (no text transcribed for this slide)

15. Critical Characteristics of Information
• The value of information comes from the characteristics it possesses:
  • Availability
  • Accuracy
  • Authenticity
  • Confidentiality
  • Integrity
  • Utility
  • Possession
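Slide 15 lists the characteristics without showing how they differ in practice. The Python below is an added example, not part of the slides or the textbook, illustrating why integrity and authenticity are separate characteristics: an unkeyed SHA-256 digest detects accidental corruption but can be recomputed by anyone able to write to the data store, while a keyed HMAC also detects substitution. The record, the secret key and the tampered values are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret: assumed known to the verifier, but not to a party
# that merely has write access to the data store.
KEY = secrets.token_bytes(32)


def seal_integrity(record: bytes) -> bytes:
    """Unkeyed digest: detects alteration only (integrity, not authenticity)."""
    return hashlib.sha256(record).digest()


def seal_authenticity(record: bytes, key: bytes) -> bytes:
    """Keyed MAC: detects alteration and binds the record to the key holder."""
    return hmac.new(key, record, hashlib.sha256).digest()


def verify_integrity(record: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(seal_integrity(record), digest)


def verify_authenticity(record: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(seal_authenticity(record, key), tag)


def demo() -> dict:
    original = b"payee=ACME Supplies;amount=1000.00"  # constructed record
    digest = seal_integrity(original)
    tag = seal_authenticity(original, KEY)

    # Case 1: accidental corruption (one bit flipped in storage); both checks fail.
    corrupted = bytearray(original)
    corrupted[-1] ^= 0x01
    corrupted = bytes(corrupted)

    # Case 2: deliberate substitution by a party with write access but no KEY.
    # The unkeyed digest can be recomputed, so integrity alone is satisfied;
    # the HMAC cannot be recomputed without KEY, so authenticity fails.
    substituted = b"payee=Other Vendor;amount=9999.00"
    forged_digest = seal_integrity(substituted)
    forged_tag = hmac.new(b"guessed-key", substituted, hashlib.sha256).digest()

    return {
        "original_ok": verify_integrity(original, digest)
        and verify_authenticity(original, tag, KEY),
        "corruption_caught_by_digest": not verify_integrity(corrupted, digest),
        "corruption_caught_by_mac": not verify_authenticity(corrupted, tag, KEY),
        "substitution_passes_digest": verify_integrity(substituted, forged_digest),
        "substitution_caught_by_mac": not verify_authenticity(substituted, forged_tag, KEY),
    }
```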

16. Figure 1-4 – NSTISSC Security Model

17. Components of an Information System

18. Components of an Information System
• An information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization
• These components enable information to be input, processed, output, and stored
• Each component has its own strengths and weaknesses, as well as its own characteristics and uses
• Each component also has its own security requirements

19. Software
• Includes applications, operating systems, and assorted command utilities
• The most difficult IS component to secure
• Errors in software programming account for a substantial portion of the attacks on information
• Software programs are often created under the constraints of project management, which limit time, costs, and manpower
• As a result, software programs become an easy target of accidental or intentional attacks

20. Hardware
• The physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system
• Physical security policies treat hardware as a physical asset and address the protection of physical assets from harm or theft
• The traditional tools of security, locks and keys, restrict access to and interaction with the hardware components of an information system
• Securing the physical location of computers and the computers themselves is important, because a breach of physical security can result in a loss of information
• Most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted hardware access is possible

21. Data
• Data stored, processed, and transmitted by a computer system must be protected
• Data is often the most valuable asset of an organization and therefore the main target of intentional attacks
• Organizations make use of database management systems to manage their data
• When used properly, these should improve the security of the data and the applications that rely on the data
• Systems that do not make full use of the database management system’s security capabilities can be less secure than traditional file systems
• Data and information also exist in physical form: paper reports, handwritten notes, and computer printouts
• The protection of physical information is as important as the protection of electronic, computer-based information

22. People
• People have always been a threat to information security
• People can be the weakest link in an organization’s information security program
• Policy, education and training, awareness, and technology are needed to prevent people from accidentally or intentionally damaging or losing information

23. Procedures
• Written instructions for accomplishing a specific task
• When an unauthorized user obtains an organization’s procedures, this poses a threat to the integrity of the information
• Educating employees about safeguarding procedures is as important as physically securing the information system
• Procedures are information in their own right
• Knowledge of procedures, as with all critical information, should be disseminated among members of an organization on a need-to-know basis

24. Networks
• Networks created much of the need for increased computer and information security
• When systems are connected into LANs, and these LANs are connected to other networks such as the Internet, new security challenges emerge
• The physical technology that enables network functions is becoming more accessible to organizations of every size
• The traditional tools of physical security are no longer enough for networked systems
• Alarm and intrusion systems should be implemented to make system owners aware of ongoing compromises

25. Securing Components
• A computer can be the subject of an attack and/or the object of an attack
• When the subject of an attack, the computer is used as an active tool to conduct the attack
• When the object of an attack, the computer is the entity being attacked

26. Figure 1-5 – Subject and Object of Attack

27. Balancing Information Security and Access
• It is impossible to obtain perfect security—it is a process, not an absolute
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect against threats
