0% found this document useful (0 votes)
46 views

1-Information Security - Lec 01

This document discusses key concepts in information security including the security development lifecycle. It covers topics such as security definitions, the CIA triad of confidentiality, integrity and availability, components of an information system, and approaches to implementing security. Balancing security and access is important, and a top-down management approach with participation across levels tends to be most effective. Building security into each phase of the system development lifecycle from the start helps ensure secure systems.

Uploaded by

EHTISHAM NAZIR
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
46 views

1-Information Security - Lec 01

This document discusses key concepts in information security including the security development lifecycle. It covers topics such as security definitions, the CIA triad of confidentiality, integrity and availability, components of an information system, and approaches to implementing security. Balancing security and access is important, and a top-down management approach with participation across levels tends to be most effective. Building security into each phase of the system development lifecycle from the start helps ensure secure systems.

Uploaded by

EHTISHAM NAZIR
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 29

Information Security

Topics Include...

 Key Information Security Concepts


 Characteristics of Information
 Components of an information system
 Security systems development life cycle

2
Key Information Security
Concepts

3
What is Security?
 “The quality or state of being secure—to be free from danger”
 A successful organization should have multiple layers of
security in place:
 Physical security [physical items, objects, or areas]
 Personal security [individual or group of individuals]
 Operations security [the details of a particular operation or series
of activities]
 Communications security [to protect communications media,
technology, and content]

4
What is Security? (continued)
 Network security [to protect networking components,
connections, and contents]
 Information security [to protect the confidentiality, integrity
and availability of information assets, whether in storage,
processing, or transmission]

5
What is Security? (continued)
 The protection of information and its critical elements,
including systems and hardware that use, store, and
transmit that information
 Necessary tools: policy, awareness, training, education,
technology
 C.I.A. triangle was standard based on
confidentiality, integrity, and availability

6
CIA Triad
 Confidentiality
 Confidentiality means that people cannot read sensitive
information, either while it is on a computer or while it is
traveling across a network.
 Integrity
 Integrity means that attackers cannot change or destroy
information, either while it is on a computer or while it is
traveling across a network. Or, at least, if information is
changed or destroyed, then the receiver can detect the
change or restore destroyed data.

7
CIA Triad
 Availability
 Availability means that people who are authorized to use
information are not prevented from doing so

8
Some More Terms
 Access: Ability to use, manipulate, modify, or
affect another subject or object. Authorized users
have legal access to a system, whereas hackers
have illegal access to a system. Access controls
regulate this ability.
 Asset: The organizational resource that is being
protected. Can a Web site, data; or a person.
 Attack: An intentional or unintentional act that can
cause damage to or compromise information
and/or the systems that support it.
9
Some More Terms
 Control, safeguard, or countermeasure: Security
mechanisms, policies, or procedures that can
successfully counter attacks, reduce risk, resolve
vulnerabilities, and improve the security within an
organization.
 Exploit: A technique used to compromise a
system, to take advantage of a vulnerability or
exposure.
 Risk: The probability that something unwanted will
happen.
10
Some More Terms
 Threat: A category of objects, persons, or other
entities that presents a danger to an asset.
 Vulnerability: A weaknesses or fault in a system
or protection mechanism that opens it to attack or
damage.

11
Characteristics of
Information

12
Critical Characteristics of Information
 The value of information comes from the characteristics it
possesses:
 Availability
 Accuracy
 Authenticity
 Confidentiality
 Integrity

13
Components of an
Information System

14
Components of an Information System
 Information system (IS) is entire set of software,
hardware, data, people, procedures, and networks
necessary to use information as a resource in the
organization

15
Securing Components of an
Information System
 Computer can be subject of an attack and/or the
object of an attack
 When the subject of an attack, computer is used as
an active tool to conduct attack
 When the object of an attack, computer is the entity
being attacked

16
Approaches to IS
Implementation

17
Balancing Information Security and Access
 Impossible to obtain perfect security—Information
security cannot be absolute: it is a process, not a goal.

 Security should be considered while maintaining balance


between protection and availability.

 To achieve balance, level of security must allow


reasonable access, yet protect against threats.

18
Figure 1-6 – Balancing Security and
Access

19
Approaches to Information Security
Implementation: Bottom-Up Approach
 Grassroots effort: systems administrators attempt to
improve security of their systems

 Key advantage: technical expertise of individual


administrators/workers at lower levels

 Seldom works, as it lacks:


 Participant support
 Organizational commitment

20
Approaches to Information Security
Implementation: Top-Down Approach
 Initiated by upper management
 Issue policy, procedures, and processes
 Dictate goals and expected outcomes of project
 Determine accountability for each required action

 This approach has strong upper-management support, a


dedicated champion, usually dedicated funding, a clear
planning and implementation process, and the means of
influencing organizational culture.

21
Securing the SDLC

23
Securing the SDLC
 The cost of fixing a security bug varies depending
on where it is discovered.
 If it is discovered in the production environment, the
cost of fixing it would include the tangible costs of
the developer effort, tester effort, user acceptance
testing effort and deployment effort, and the
intangible cost of reputation and customer trust.
 If it is discovered during the design phase, then it is
very easy to correct the design flaw and introduce a
security measure during the development phase.
24
Securing the SDLC
 The principal intent is to build security within the life
cycle of software applications from ground zero that
potentially and gradually reduces the flaws in
security, design, implementation and deployment.
 Proper adherence to such assurance best practices
will result in applications devoid of vulnerabilities
that might have been introduced accidentally or
intentionally at any point of time in their life cycle.

25
Securing the SDLC
 This means that each implementation of a system
is secure and does not risk compromising the
confidentiality, integrity, and availability of the
organization’s information assets.
 NIST Special Publication 800-64, rev. 1, provides
an overview of the security considerations for each
phase of the SDLC.

26
Securing the SDLC

27
Securing the SDLC

28
References

Principles of Information Security, Micheal


Whitman 3rd Edition
Chapter 01
Subject and Object o

29
For the geeks!

30

You might also like