Information Security

Topics Include...

 Key Information Security Concepts

2
Key Information Security
Concepts

3
What is Security?
 “The quality or state of being secure—to be free from danger”
 A successful organization should have multiple layers of
security in place:
 Physical security [physical items, objects, or areas]
 Personal security [individual or group of individuals]
 Operations security [the details of a particular operation or series
of activities]
 Communications security [to protect communications media,
technology, and content]

4
What is Security? (continued)
 Network security [to protect networking components,
connections, and contents]
 Information security [to protect the confidentiality, integrity
and availability of information assets, whether in storage,
processing, or transmission]

5
What is Security? (continued)
 The protection of information and its critical elements,
including systems and hardware that use, store, and
transmit that information
 Necessary tools: policy, awareness, training, education,
technology
 C.I.A. triangle was standard based on
confidentiality, integrity, and availability

6
CIA Triad
 Confidentiality
 Confidentiality means that people cannot read sensitive
information, either while it is on a computer or while it is
traveling across a network.
 Integrity
 Integrity means that attackers cannot change or destroy
information, either while it is on a computer or while it is
traveling across a network. Or, at least, if information is
changed or destroyed, then the receiver can detect the
change or restore destroyed data.

7
CIA Triad
 Availability
 Availability means that people who are authorized to use
information are not prevented from doing so

8
 Some More Terms
 Access: Ability to use, manipulate, modify, or
affect another subject or object. Authorized users
have legal access to a system, whereas hackers
have illegal access to a system. Access controls
regulate this ability.
 Asset: The organizational resource that is being
protected. Can a Web site, data; or a person.
 Attack: An intentional or unintentional act that can
cause damage to or compromise information
and/or the systems that support it.
9
 Some More Terms
 Control, safeguard, or countermeasure: Security
mechanisms, policies, or procedures that can
successfully counter attacks, reduce risk, resolve
vulnerabilities, and improve the security within an
organization.
 Exploit: A technique used to compromise a
system, to take advantage of a vulnerability or
exposure.
 Risk: The probability that something unwanted will
happen.
10
 Some More Terms
 Threat: A category of objects, persons, or other
entities that presents a danger to an asset.
 Vulnerability: A weaknesses or fault in a system
or protection mechanism that opens it to attack or
damage.

11
Characteristics of
Information

12
Critical Characteristics of Information
 The value of information comes from the characteristics it
possesses:
 Availability
 Accuracy
 Authenticity
 Confidentiality
 Integrity

13
Components of an
Information System

14
Components of an Information System
 Information system (IS) is entire set of software,
hardware, data, people, procedures, and networks
necessary to use information as a resource in the
organization

15
Securing Components of an
Information System
 Computer can be subject of an attack and/or the
object of an attack
 When the subject of an attack, computer is used as
an active tool to conduct attack
 When the object of an attack, computer is the entity
being attacked

16
Approaches to IS
Implementation

17
Balancing Information Security and Access
 Impossible to obtain perfect security—Information
security cannot be absolute: it is a process, not a goal.

 Security should be considered while maintaining balance

 To achieve balance, level of security must allow

18
Figure 1-6 – Balancing Security and
Access

19
 Approaches to Information Security
Implementation: Bottom-Up Approach
 Grassroots effort: systems administrators attempt to
improve security of their systems

 Key advantage: technical expertise of individual

 Seldom works, as it lacks:

20
Approaches to Information Security
Implementation: Top-Down Approach
 Initiated by upper management
 Issue policy, procedures, and processes
 Dictate goals and expected outcomes of project
 Determine accountability for each required action

 This approach has strong upper-management support, a

21
Securing the SDLC

23
 Securing the SDLC
 The cost of fixing a security bug varies depending
on where it is discovered.
 If it is discovered in the production environment, the
cost of fixing it would include the tangible costs of
the developer effort, tester effort, user acceptance
testing effort and deployment effort, and the
intangible cost of reputation and customer trust.
 If it is discovered during the design phase, then it is
very easy to correct the design flaw and introduce a
security measure during the development phase.
24
 Securing the SDLC
 The principal intent is to build security within the life
cycle of software applications from ground zero that
potentially and gradually reduces the flaws in
security, design, implementation and deployment.
 Proper adherence to such assurance best practices
will result in applications devoid of vulnerabilities
that might have been introduced accidentally or
intentionally at any point of time in their life cycle.

25
 Securing the SDLC
 This means that each implementation of a system
is secure and does not risk compromising the
confidentiality, integrity, and availability of the
organization’s information assets.
 NIST Special Publication 800-64, rev. 1, provides
an overview of the security considerations for each
phase of the SDLC.

26
Securing the SDLC

27
Securing the SDLC

28
References

Principles of Information Security, Micheal

29
For the geeks!

30