MODULE 1
Introduction
Information Security
Security is “the quality of being free from danger.”
Information security
To protect the confidentiality, integrity and availability of information
assets, whether in storage, processing, or transmission.
It is achieved via the application of policy, education, training and
awareness, and technology.
Information security is a multidisciplinary field that focuses
on protecting information, data, and information systems
from unauthorized access, disclosure, disruption,
modification, or destruction.
As our world becomes increasingly interconnected and
reliant on digital technology, the importance of information
security has grown exponentially.
The goal of information security is to ensure the
confidentiality, integrity, and availability of information.
C.I.A
Key Components
Confidentiality: This involves ensuring that information is only
accessible to those who have the proper authorization. Measures such
as encryption and access controls help maintain confidentiality.
Integrity: Information integrity ensures that data remains accurate and
unaltered. Protection against unauthorized modifications or tampering
is crucial to maintaining trust in the information.
Availability: Information should be available and accessible to
authorized users when needed. Measures such as backup systems and
disaster recovery plans help ensure that information remains available,
even in the face of disruptions or attacks.
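An added example (not part of the original notes) showing one control for each of the three properties above: an access-control list for confidentiality, an HMAC tag for integrity, and a backup copy for availability. The RecordStore class, the key, the file name and the user names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values: the key, file name and user names are illustrative.
INTEGRITY_KEY = b"constructed-demo-key"
ACL = {"payroll.csv": {"alice", "hr-service"}}  # record -> authorized readers


def seal(data: bytes) -> bytes:
    """Integrity tag (HMAC-SHA256) that changes if the data is altered."""
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).digest()


class RecordStore:
    """Holds a primary copy, a backup copy and an integrity tag per record."""

    def __init__(self):
        self.primary, self.backup, self.tags = {}, {}, {}
        self.events = []  # audit trail of denials and restores

    def write(self, name: str, data: bytes) -> None:
        self.primary[name] = data
        self.backup[name] = data      # availability: keep a second copy
        self.tags[name] = seal(data)  # integrity: tag computed at write time

    def _intact(self, name: str, data) -> bool:
        return data is not None and hmac.compare_digest(seal(data), self.tags[name])

    def read(self, user: str, name: str) -> bytes:
        # Confidentiality: default deny unless the user is on the record's ACL.
        if user not in ACL.get(name, set()):
            self.events.append(("denied", user, name))
            raise PermissionError(f"{user} is not authorized to read {name}")
        if name not in self.tags:
            raise KeyError(name)
        data = self.primary.get(name)
        if not self._intact(name, data):
            # Integrity check failed or primary copy is missing: fall back to
            # the backup so authorized users still get the correct data.
            data = self.backup.get(name)
            if not self._intact(name, data):
                raise ValueError(f"no intact copy of {name} is available")
            self.primary[name] = data
            self.events.append(("restored", user, name))
        return data


if __name__ == "__main__":
    store = RecordStore()
    store.write("payroll.csv", b"alice,5000\n")
    store.primary["payroll.csv"] = b"alice,9000\n"  # simulated tampering
    print(store.read("alice", "payroll.csv"))       # original content, restored
    try:
        store.read("mallory", "payroll.csv")
    except PermissionError as exc:
        print("blocked:", exc)
    print(store.events)
```

In a real deployment the integrity key and tags are kept apart from the data they protect, and the backup lives on separate storage, so that a single compromise cannot alter all three.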
History of Information Security
The 1960s
During the Cold War, many more mainframe computers were brought online to
accomplish more complex and sophisticated tasks.
These mainframes required a less cumbersome process of communication
than mailing magnetic tapes between computer centers.
In response to this need, the Department of Defense’s Advanced Research
Projects Agency (ARPA) began examining the feasibility of a
redundant, networked communications system to support the military’s
exchange of information.
In 1968, Dr. Larry Roberts developed the ARPANET. ARPANET evolved into
what we now know as the Internet.
The 1970s and 80s
During the next decade, ARPANET became more popular and saw wider use,
increasing the potential for its misuse.
In 1973, Internet pioneer Robert M. Metcalfe identified fundamental problems
with ARPANET security. He knew that individual remote sites did not have
sufficient controls and safeguards to protect data from unauthorized remote
users.
Other problems abounded: vulnerability of password structure and
formats; lack of safety procedures for dial-up connections; and
nonexistent user identification and authorizations.
Phone numbers were widely distributed and openly publicized on the walls of
phone booths, giving hackers easy access to ARPANET.
In June 1967, ARPA formed a task force to study the process of securing
classified information systems.
The task force was assembled in October 1967 and met regularly to
formulate recommendations, which ultimately became the contents of
Rand Report R-609.
It was the first widely recognized published document to
identify the role of management and policy issues in computer
security.
It noted that the wide use of networking components in military
information systems introduced security risks that could not be
mitigated by the routine practices then used to secure these systems.
Much of the early research on computer security centered on a system
called Multiplexed Information and Computing Service (MULTICS).
Although it is now obsolete, MULTICS is noteworthy because it was the
first operating system to integrate security into its core functions.
It was a mainframe, time-sharing operating system developed in the
mid-1960s by a consortium of General Electric (GE), Bell Labs, and the
Massachusetts Institute of Technology (MIT).
In 1969, not long after the restructuring of the MULTICS project, several of
its developers created a new operating system called UNIX.
The UNIX system's primary function, text processing, did not require the
same level of security as that of its predecessor.
Not until the early 1970s did even the simplest component of security, the
password function, become a component of UNIX.
In the late 1970s, the microprocessor brought the personal computer
(PC) and a new age of computing.
The PC became the workhorse of modern computing, moving it out of
the data center.
This decentralization of data processing systems in the 1980s gave
rise to networking—the interconnecting of PCs and mainframe
computers, which enabled the entire computing community to make all
its resources work together.
In the mid-1980s, the U.S. Government passed several key pieces of
legislation that formalized the recognition of computer security as a
critical issue for federal information systems.
The 1990s
The Internet was made available to the general public in the 1990s after
decades of being the domain of government, academia, and dedicated
industry professionals.
As networked computers became the dominant style of computing, the
ability to physically secure a networked computer was lost, and the
stored information became more exposed to security threats.
In 1993, the first DEFCON conference was held in Las Vegas. Originally it
was established as a gathering for people interested in information
security.
In the late 1990s and into the 2000s, many large corporations began
publicly integrating security into their organizations. Antivirus products
became extremely popular.
2000 to Present
Today, the Internet brings millions of unsecured computer networks
into continuous communication with each other.
The security of each computer’s stored information is contingent on
the security level of every other computer to which it is connected.
Recent years have seen a growing awareness of the need to improve
information security, as well as a realization that information security
is important to national defense.
Another growing concern is the threat of nation-states engaging in
information warfare, and the possibility that business and personal
information systems could become casualties if they are
undefended.
Components of Information systems
Software
The software component of an IS includes applications, operating
systems, and assorted command utilities.
Software is perhaps the most difficult IS component to secure.
The exploitation of errors in software programming accounts for a
substantial portion of the attacks on information.
Software carries the lifeblood of information through an organization.
Unfortunately, software programs are often created under the
constraints of project management, which limit time, costs, and
manpower.
Hardware
Hardware is the physical technology that houses and executes the
software, stores and transports the data, and provides interfaces for the
entry and removal of information from the system.
Physical security policies deal with hardware as a physical asset and
with the protection of physical assets from harm or theft.
Applying the traditional tools of physical security, such as locks and
keys, restricts access to and interaction with the hardware components
of an information system.
Securing the physical location of computers and the computers
themselves is important because a breach of physical security can result
in a loss of information.
Unfortunately, most information systems are built on hardware
platforms that cannot guarantee any level of information security if
Data
Data stored, processed, and transmitted by a computer system must be
protected.
Data is often the most valuable asset of an organization and therefore is the
main target of intentional attacks.
Systems developed in recent years are likely to make use of database
management systems. When used properly, they should improve the security
of the data and the applications that rely on the data.
Unfortunately, many system development projects do not make full use of the
database management system’s security capabilities, and in some cases the
database is implemented in ways that make it less secure than traditional
file systems.
Because data and information exist in physical form in many organizations as
paper reports, handwritten notes, and computer printouts, the protection of
physical information is as important as the protection of electronic, computer-
based information.
People
People can be the weakest link in an organization’s information
security program.
Unless policy, education and training, awareness, and technology are
properly employed to prevent people from accidentally or
intentionally damaging or losing information, they will remain the
weakest link.
Social engineering can prey on the tendency to cut corners and the
commonplace nature of human error.
It can be used to manipulate people to obtain access information
about a system.
Networks
Networking is the IS component that created much of the need for
increased computer and information security.
When information systems are connected to each other to form local
area networks (LANs), and these LANs are connected to other
networks such as the Internet, new security challenges rapidly
emerge.
The physical technology that enables network functions is becoming
more accessible to organizations of every size.
When computer systems are networked, the traditional lock-and-key
approach is no longer enough. Steps to provide network security are
essential.
It is also important to implement alarm and intrusion systems to
make system owners aware of ongoing compromises.
Procedures
Procedures are written instructions for accomplishing a specific task.
When an unauthorized user obtains an organization’s procedures, it
poses a threat to the integrity of the information.
Most organizations distribute procedures to employees so they can
access the information system, but many of these companies often
fail to provide proper education for using the procedures safely.
Educating employees about safeguarding procedures is as important
as physically securing the information system.
Therefore, knowledge of procedures, as with all critical information,
should be disseminated among members of an organization on a
need-to-know basis.
Security Systems Development Life Cycle
The same phases used in the traditional SDLC can be adapted to
support the implementation of an information security project.
While the two processes may differ in intent and specific activities, the
overall methodology is the same.
At its heart, implementing information security involves identifying
specific threats and creating specific controls to counter them.
The SecSDLC unifies this process and makes it a coherent program
rather than a series of random, seemingly unconnected actions.
Phases in SecSDLC
Investigation
The investigation phase of the SecSDLC begins with a directive from
upper management that dictates the process, outcomes, and goals
of the project, as well as its budget and other constraints.
Frequently, this phase begins with an enterprise information security
policy (EISP), which outlines the implementation of a security
program within the organization.
Teams of responsible managers, employees, and contractors are
organized; problems are analyzed; and the scope of the project is
defined along with specific goals and objectives and any additional
constraints not covered in the program policy.
Finally, an organizational feasibility analysis is performed to
determine whether the organization has the resources and
commitment necessary to conduct a successful security analysis and
design.
Analysis
In the analysis phase, the documents from the investigation phase
are studied. The development team conducts a preliminary analysis
of existing security policies or programs, documented current
threats, and associated controls.
This phase also includes an analysis of relevant legal issues that
could affect the design of the security solution.
Risk management also begins in this stage. Risk management
focuses on identifying, assessing, and evaluating the levels of risk in
an organization, specifically the threats to its security and to the
information it stores and processes.
Logical Design
The logical design phase creates and develops the blueprints for
information security and examines and implements key policies that
influence later decisions.
At this stage, the team also plans incident response actions to be
taken in the event of partial or catastrophic loss.
The planning answers the following questions:
Continuity planning: How will business continue in the event of a
loss?
Incident response: What steps are taken when an attack occurs?
Disaster recovery: What must be done to recover information and
vital systems immediately after a disastrous event?
Physical Design
The physical design phase evaluates the information security
technology needed to support the blueprint as it has been outlined in
the logical design.
The final physical design is usually chosen from several competing
alternatives, each of which could meet the Security in the Systems
Life Cycle
Criteria for determining the definition of successful solutions are also
prepared during this phase.
This phase includes designs for physical security measures to
support the proposed technological solutions.
At the end of this phase, a feasibility study determines the
organization’s readiness for the proposed project, and then the
champion and sponsors are presented with the design.
All parties involved have a chance to approve the project before
implementation begins.
Implementation
The implementation phase of the SecSDLC is like that of the
traditional SDLC.
The security solutions are acquired (made or bought), tested,
implemented, and tested again.
Personnel issues are evaluated, and specific training and education
programs are conducted.
Finally, the entire tested package is presented to upper management
for final approval.
Maintenance and Change
Maintenance and change is the last phase, and perhaps the most
important one, given the ever-changing threat environment.
Today’s information security systems need constant monitoring,
testing, modification, updating, and repairing.
In information security, the battle for stable, reliable systems is a
defensive one. Often, repairing damage and restoring information is
a constant effort against an unseen adversary.
As new threats emerge and old threats evolve, an organization’s
information security profile must constantly adapt to prevent threats
from successfully penetrating sensitive data.
Security professionals in the organization
Senior Management
The senior technology officer is typically the chief information officer
(CIO), although other titles such as vice president of information, VP
of information technology, and VP of systems may be used.
The CIO is primarily responsible for advising the chief executive
officer, president, or company owner on strategic planning that
affects the management of information in the organization.
The CIO translates the strategic plans of the organization as a whole
into strategic information plans for the information systems or data
processing division of the organization.
Once this is accomplished, CIOs work with subordinate managers to
develop tactical and operational plans for the division and to enable
planning and management of the systems that support the
organization.
The chief information security officer (CISO) has primary responsibility
for the assessment, management, and implementation of information
security in the organization.
The CISO may also be referred to as the manager for IT security, the
security administrator, or by a similar title.
The CISO usually reports directly to the CIO, although in larger
organizations, one or more layers of management might exist between
the two.
Information Security Project Team
Champion: A senior executive who promotes the project and ensures its
support, both financially and administratively, at the highest levels of
the organization.
Team leader: A project manager who may also be a departmental line
manager or staff unit manager, and who understands project
management, personnel management, and information security
technical requirements.
Security policy developers: People who understand the
organizational culture, existing policies, and requirements for developing
and implementing successful policies.
Risk assessment specialists: People who understand financial risk
assessment techniques, the value of organizational assets, and the
security methods to be used.
Security professionals: Dedicated, trained, and well-educated
specialists in all aspects of information security from both a technical
Systems administrators: People with the primary responsibility for
administering systems that house the information used by the organization.
End users: Those whom the new system will most directly affect. Ideally, a
selection of users from various departments, levels, and degrees of technical
knowledge assist the team in focusing on the application of realistic controls
that do not disrupt the essential business activities they seek to safeguard.
Data owners: Members of senior management who are responsible for the
security and use of a particular set of information. The data owners usually
determine the level of data classification, as well as the changes to that
classification required by organizational change.
Data custodians: Working directly with data owners, data custodians are
responsible for the information and the systems that process, transmit, and
store it.
Data users: Everyone in the organization is responsible for the security of
data, so data users are included here as individuals with an information
security role.
Communities of interest
Information Security Management and Professionals: The roles of
information security professionals are aligned with the goals and mission
of the information security community of interest. These job functions
and organizational roles focus on protecting the organization’s
information systems and stored information from attacks.
Information Technology Management and Professionals: The
community of interest made up of IT managers and skilled professionals
in systems design, programming, networks, and other related disciplines
has many of the same objectives as the information security community.
Organizational Management and Professionals: The
organization’s general management team and the rest of the resources
in the organization make up the other major community of interest. This
community serves as the greatest reminder that all IT systems and
information security objectives exist to further the objectives of the
broad organizational community.
Security as Art
The administrators and technicians who implement security can be
compared to a painter applying oils to canvas.
A touch of color here, a brush stroke there, just enough to represent the
image the artist wants to convey without overwhelming the viewer—or
in security terms, without overly restricting user access.
There are no hard and fast rules regulating the installation of various
security mechanisms, nor are there many universally accepted complete
solutions.
While many manuals exist to support individual systems, no manual can
help implement security throughout an entire interconnected system.
Security as Science
Most scientists agree that specific conditions cause virtually all actions
in computer systems.
Almost every fault, security hole, and systems malfunction is a result of
the interaction of specific hardware and software.
If the developers had sufficient time, they could resolve and eliminate
these faults. The faults that remain are usually the result of technology
malfunctioning for any of a thousand reasons.
There are many sources of recognized and approved security methods
and techniques that provide sound technical security advice.
Best practices, standards of due care, and other tried-and-true methods
can minimize the level of guesswork necessary to secure an
organization’s information and systems.
Security as a Social Science
Social science examines the behavior of people as they interact with
systems, whether they are societal systems or, as in this context,
information systems.
Information security begins and ends with the people inside the
organization and the people who interact with the system, intentionally
or otherwise.
End users who need the very information that security personnel are
trying to protect may be the weakest link in the security chain.
By understanding some behavioral aspects of organizational science and
change management, security administrators can greatly reduce the
levels of risk caused by end users and create more acceptable and
supportable security profiles.
These measures, coupled with appropriate policy and training issues,
can substantially improve the performance of end users and result in a
more secure information system.