Chapter 1 Introduction
Overview • Relevance • Background • Terms • General procedures
Relevance • Why study information security? • Demand • BLS estimates • Bureau of Labor Studies • US Govt data collection organization • Classified as 15-1122 • 15 = Computing occupations • 15-112 = analysts
Relevance (contd.) • Total employment in 15-1122 • BLS, May 2010 • Count = 243,330 • Mean wage = $79,370 • Industry estimates • International Information Systems Security Certification Consortium – IISSCC, (ISC)2 • 2.28 million information security professionals worldwide • 900,000 in the Americas • Growth rate of 13% • Median wage $78,000 (probably US-centric)
Demand drivers • Increasing criticality of information • To individuals • Photographs, school work • And organizations • Payroll, intellectual property, business processes, etc. • Increasing quantity of information • Customer details, purchase history, clickstream, etc. • Increasing computerization of information • No more paper ledgers
Demand drivers (contd.) • More copies of information • Laptops (can be stolen) • Smart phones • BYOD (personally owned devices) • More diverse population of users • Not necessarily computer-savvy • Less aware • Hence, more committed attackers • Recent incidents generally motivated by profit
A day in the life • What do information security professionals do? • Technical work • BLS • Plan, implement, upgrade, monitor • security measures for the protection of computer networks and information • May ensure appropriate security controls are in place to safeguard digital files and vital electronic infrastructure • May respond to computer security breaches and viruses • Non-technical work • Research new technologies • Internal/ political issues • Regulatory compliance • Develop internal security policies, standards and procedures
A day in the life (contd.) • Time spent by information security professionals • Source: (ISC)2
Brief history • Many current security procedures are the result of well-known past incidents • Part of industry folklore • Professional vocabulary • More comprehensive list available from many sources • Online (e.g. Wikipedia) • Industry publications (e.g. InformationWeek, ComputerWorld) • 1981 • TCP/IP finalized • No mention of security • Internet community generally considered benign
Brief history (contd.) • 1982-83 • Gang of 414s • 6 teenagers from Milwaukee, WI • Hence the name (from the area code) • Looking for excitement • Broke into 60 high-profile computer systems • E.g. Los Alamos • Newsweek cover story • Introduced the term “hacker” into the information security vocabulary • U.S. Congress hearings on computer security • Computer Fraud and Abuse Act, 1986
Brief history (contd.) • 1988 • Morris Worm • Nov. 2, 1988 • Robert Morris Jr. • Graduate student at Cornell • 99-line program designed to count the size of the Internet • Program bug caused computers to crash • 10% of Internet crashed • Possibly largest percentage damage of Internet ever • First conviction under 1986 act • CERT/CC established at CMU
Brief history (contd.) • 1995-1998 • Windows 95 released on 8/24/1995 • Low cost • Widely expanded computer ownership • Windows 95 designed primarily as stand-alone desktop • Almost no security • Windows 95 + TCP/IP • Fertile ground for information security problems • Windows 98 released on 6/25/1998 • Added Internet • But almost no improvement in security
Brief history (contd.) • 1996 • Health Insurance Portability and Accountability Act (HIPAA) • Push for electronic health records (EHR) • Hope is to reduce wastage and hence healthcare costs • Healthcare industry responsible for ensuring confidentiality of patient information • Push to move completely to EHR by 2014
Brief history (contd.) • 2000 • I LOVE YOU virus • May 5, 2000 • Deleted images on affected computers • Estimated damage exceeded $8bn globally • Primarily lost employee time in cleaning infected computers • Created by 2 college students • In the Philippines • Reomel Ramores and Onel de Guzman • Traced immediately • But no charges filed • Virus writing not an offense in the Philippines at the time • Differences even today across countries
Brief history (contd.) • 2002 • Sarbanes-Oxley Act • Corporate fraud • MCI-Worldcom, Enron • Publicly traded companies • Affected pension investments • Key executives personally accountable for correctness in financial reporting • All financial statements produced by IT systems • Section 404 • Formal internal controls
Brief history (contd.) • 2005 – 2007 • Retail industry • TJ Maxx, BJ’s Wholesale Club, OfficeMax, etc. • Millions of credit and debit cards stolen • Many sold on specialized black markets • Exploited IT insecurities • Store wireless networks • Unencrypted • Web applications • SQL injection • Albert Gonzalez identified as ring-leader • March 2010 • Sentenced to 20 years
Brief history (contd.) • 2008 • War between Georgia and Russia • Accompanied by Cyberwar • Massive denial of service attacks in Georgia • Many government web sites defaced • Russian state involvement suspected • If true • First known state-sponsored cyber warfare
Brief history (contd.) • June 23, 2009 • Establishment of US Cyber Command • Defend US military computer networks • Respond in cyberspace as necessary • Following numerous alarming media reports • Joint Strike Fighter • $300 Bn weapons program • Largest ever weapons program of the US military • Terabytes of data stolen from project contractors • US electricity grid • Reported to be penetrated by other countries • Could be stopped at will
Brief history (contd.) • January 12, 2010 • Google-China • Operation Aurora • Attempt to steal code base • Unencrypted version control system • Access emails of Chinese human-rights activists • Attacks traced to two educational institutions in China • China called attacks an attempt by students to refine their skills • Congress announced intention to investigate
Brief history (contd.) • April 17, 2011 • SONY PlayStation Network compromised • 70 million subscribers on the network • Credit card information suspected to have been stolen • Network down almost all of summer break • Difficult time for parents • Students had planned to catch up on new games over the summer break
Brief history (contd.) • February 2013 • Mandiant report released • Identifies APT1 unit of Chinese army as source of most cyber attacks on US entities • Demonstrates state-sponsored industrial espionage
Definitions • Information security • Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability • US code section 3542, chapter 35, title 44 • RFC 2196 • CIA triad • Confidentiality • Integrity • Availability
Definitions (contd.) • Confidentiality • Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information • Individual right to privacy • Extends to personal information • Confidentiality is the mechanism by which custodians of information maintain privacy of individual information • Most common interpretation of information security • But social expectations keep changing • E.g. Facebook
Definitions (contd.) • Integrity • Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity • Makes information actionable • Huge focus of regulators • E.g. Sarbanes-Oxley • Availability • Ensuring timely and reliable access to and use of information • Very important to end-users • Has revenue implications in e-commerce systems
Personal information security • Recommendations • From the authors’ perspective • Your mileage may vary • Anti-virus • Automatic software updates • At least two passwords • One for financial institutions • Preferably a separate password for each financial institution • A different password for “fun” accounts • Websites, coupons, email, etc.
Example case - Wikileaks • February 2010 • Wikileaks released classified memos from U.S. State Department archives • Published in leading newspapers of the world • E.g. New York Times • Cables went back to 1966 • Very embarrassing to U.S. government • Violated trust of foreign leaders in U.S. Government’s ability to keep secrets • Source: Pfc Bradley Manning • One of 3 million U.S. personnel with access to the cables • Part of U.S. Government effort to leverage information to stop terrorist attacks
Summary • Overview of information security • Professional relevance of information security • Brief history of information security incidents • Definition of information security • Confidentiality • Integrity • Availability