1-Information Security - Lec 01
Topics Include...
Key Information Security Concepts
What is Security?
“The quality or state of being secure—to be free from danger”
A successful organization should have multiple layers of security in place:
Physical security [physical items, objects, or areas]
Personal security [individual or group of individuals]
Operations security [the details of a particular operation or series of activities]
Communications security [to protect communications media, technology, and content]
Network security [to protect networking components, connections, and contents]
Information security [to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission]
Information security is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Necessary tools: policy, awareness, training, education, technology
The C.I.A. triangle was the standard, based on confidentiality, integrity, and availability.
CIA Triad
Confidentiality
Confidentiality means that people cannot read sensitive
information, either while it is on a computer or while it is
traveling across a network.
Integrity
Integrity means that attackers cannot change or destroy
information, either while it is on a computer or while it is
traveling across a network. Or, at least, if information is
changed or destroyed, then the receiver can detect the
change or restore destroyed data.
Availability
Availability means that people who are authorized to use
information are not prevented from doing so.
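The integrity definition above separates preventing a change from detecting it and restoring the data. The following is an added example, not part of the original lecture: it uses an HMAC-SHA256 tag to detect a changed or destroyed copy and falls back to a backup copy. The key, the record and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: sender and receiver share this secret out of band (constructed demo value).
SHARED_KEY = b"constructed-demo-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender/writer: append an HMAC-SHA256 tag to the message."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify(blob: bytes, key: bytes = SHARED_KEY):
    """Receiver/reader: return the message if the tag matches, else None."""
    if len(blob) < TAG_LEN:
        return None  # truncated or destroyed copy
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # A keyed tag is used because an unkeyed hash could simply be recomputed
    # by whoever changed the data. compare_digest runs in constant time.
    return message if hmac.compare_digest(tag, expected) else None


def receive(primary: bytes, backup: bytes, key: bytes = SHARED_KEY):
    """Detect a change in the primary copy; restore from the backup if possible."""
    message = verify(primary, key)
    if message is not None:
        return message, "intact"
    message = verify(backup, key)
    if message is not None:
        return message, "restored"
    return None, "unrecoverable"


# Constructed sample data.
RECORD = b"pay 100 to account 42"
GOOD = protect(RECORD)
TAMPERED = GOOD.replace(b"100", b"900")  # changed in transit or in storage
DESTROYED = b""                          # copy wiped entirely

if __name__ == "__main__":
    print(receive(GOOD, GOOD))
    print(receive(TAMPERED, GOOD))
    print(receive(DESTROYED, GOOD))
    print(receive(TAMPERED, DESTROYED))
```

Detection depends only on the tag; restoration additionally depends on an untouched second copy, which is why the last case cannot be recovered.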
Some More Terms
Access: Ability to use, manipulate, modify, or
affect another subject or object. Authorized users
have legal access to a system, whereas hackers
have illegal access to a system. Access controls
regulate this ability.
Asset: The organizational resource that is being
protected. Can be a Web site, data, or a person.
Attack: An intentional or unintentional act that can
cause damage to or compromise information
and/or the systems that support it.
Control, safeguard, or countermeasure: Security
mechanisms, policies, or procedures that can
successfully counter attacks, reduce risk, resolve
vulnerabilities, and improve the security within an
organization.
Exploit: A technique used to compromise a
system, to take advantage of a vulnerability or
exposure.
Risk: The probability that something unwanted will
happen.
Threat: A category of objects, persons, or other
entities that presents a danger to an asset.
Vulnerability: A weakness or fault in a system
or protection mechanism that opens it to attack or
damage.
Characteristics of Information
Critical Characteristics of Information
The value of information comes from the characteristics it
possesses:
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Components of an Information System
An information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization.
Securing Components of an Information System
A computer can be the subject of an attack and/or the object of an attack.
When it is the subject of an attack, the computer is used as an active tool to conduct the attack.
When it is the object of an attack, the computer is the entity being attacked.
Approaches to IS Implementation
Balancing Information Security and Access
It is impossible to obtain perfect security. Information security cannot be absolute: it is a process, not a goal.
Figure 1-6 – Balancing Security and Access
Approaches to Information Security Implementation: Bottom-Up Approach
Grassroots effort: systems administrators attempt to
improve security of their systems
Approaches to Information Security Implementation: Top-Down Approach
Initiated by upper management
Issue policy, procedures, and processes
Dictate goals and expected outcomes of project
Determine accountability for each required action
Securing the SDLC
The cost of fixing a security bug varies depending
on where it is discovered.
If it is discovered in the production environment, the
cost of fixing it would include the tangible costs of
the developer effort, tester effort, user acceptance
testing effort and deployment effort, and the
intangible cost of reputation and customer trust.
If it is discovered during the design phase, then it is
very easy to correct the design flaw and introduce a
security measure during the development phase.
The principal intent is to build security into the life cycle of software applications from the ground up, which can gradually reduce the flaws in security, design, implementation and deployment.
Proper adherence to such assurance best practices
will result in applications devoid of vulnerabilities
that might have been introduced accidentally or
intentionally at any point of time in their life cycle.
This means that each implementation of a system
is secure and does not risk compromising the
confidentiality, integrity, and availability of the
organization’s information assets.
NIST Special Publication 800-64, rev. 1, provides
an overview of the security considerations for each
phase of the SDLC.