History, What is Information Security?, Critical Characteristics of Information, Components of an Information System, Securing the Components, Balancing Security and Access.
INFORMATION SECURITY
Unit I
HISTORY
• 1960s: Organizations start to protect their computers
• 1970s: The first hacker attacks begin
• 1980s: Governments become proactive in the fight against cybercrime
• 1990s: Organized crime gets involved in hacking
• 2000s: Cybercrime becomes treated like a crime
• 2010s: Information security becomes serious
VARIOUS ASPECTS OF SECURITY
• Physical Security – to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
• Personal Security – to protect the individual or group of individuals who are authorized to access the organization and its operations.
• Operations Security – to protect the details of a particular operation or series of activities.
• Communications Security – to protect an organization's communications media, technology, and content.
• Network Security – to protect networking components, connections, and contents.
• Information Security – to protect information assets.
CIA TRIAD
Fundamental principles of Information Security:
1. Confidentiality – ensures information is inaccessible to unauthorized people
2. Integrity – ensures the data is accurate and trustworthy by preventing unauthorized modification
3. Availability – ensures authorized people can access the information when needed
CRITICAL CHARACTERISTICS OF INFORMATION
• The value of information comes from the characteristics it possesses:
• Availability – available to authorized users on demand
• Accuracy – error free, to expected standards
• Authenticity – original and genuine, not a fabrication
• Confidentiality – undisclosed to unauthorized people
• Integrity – whole, complete, and uncorrupted
• Utility – serves its purpose and is available in a meaningful form
• Possession – information is said to be in one's possession if one obtains it, independent of format or other characteristics.
While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality (for example, an encrypted backup that is stolen but never decrypted).
COMPONENTS OF AN INFORMATION SYSTEM
• An Information System (IS) is the entire set of software, hardware, data, people and networks necessary to use information as a resource in the organization
• Software
  – Exploitation of software makes up a substantial portion of attacks on information
• Hardware
  – Physical security policies apply
  – Securing the physical location is important
• Data
  – Often the most valuable asset
  – Main target of intentional attacks
• People
  – The weakest link
  – Must be well trained and informed
• Networks
  – Physical locks and keys won't work once systems are connected to a network
COMPONENTS OF INFORMATION SECURITY
• Management of Information Security primarily focuses on the managerial aspects of information security, such as
  – access control models
  – information security governance
  – information security program assessment and metrics
• Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.
• Computer Security is the protection of computing systems and the data that they store or access.
• Computer and Data security refers to protective digital privacy measures that are applied to prevent unauthorized access to computers, databases and websites. Data security also protects data from corruption. Data security is an essential aspect of IT for organizations of every size and type.
APPROACHES TO INFORMATION SECURITY
The approaches are distinguished by:
1. where planning is sourced, and
2. from which direction the pressure for success is driven.
APPROACHES TO INFO. SECURITY
Bottom Up approach
• Grassroots effort: systems administrators attempt to improve the security of their systems
• Key advantage: technical expertise of individual administrators
• Seldom works, as it lacks several critical features:
  – Participant support
  – Scalability
Top Down approach
• Initiated by upper management
• Issue policy, procedures and processes
• Dictate goals and expected outcomes of the project
• Determine accountability for each required action
• The most successful also involve a formal development strategy referred to as the systems development life cycle (SDLC)
PHASES OF SECSDLC
INVESTIGATION
• Directive from management
• Creation of security policy
• Teams:
  – Analyse problem
  – Define scope
  – Specify goals
  – Identify constraints
• Feasibility analysis
• Determine:
  – Resources
  – Commitment
ANALYSIS
Analysis of:
• Existing security policies
• Known threats
• Current controls
• Legal issues – privacy laws on personal information
Risk management:
• Identify, assess and evaluate risk levels
• Prioritise risks and manage them
Threat:
• Threat agent: the cause of danger – an object, person or entity
• Vulnerability: a weakness, exposure, helplessness or defencelessness
DESIGN
• LOGICAL DESIGN – team members:
  – Create and develop a blueprint for security
  – Examine and implement key policies
• PHYSICAL DESIGN – team members:
  – Evaluate technology to support the security blueprint
  – Generate alternative solutions
  – Agree on the final design
  – Also develop the criteria for determining what counts as a successful solution.
PHASES OF SECSDLC (continued)
DESIGN
• Policies – provide rules for the protection of information assets
  – General/Security program policy
  – Issue-specific security policy
  – System-specific security policy
• SETA
  – Security education – building in-depth education
  – Security training – developing skills and knowledge
  – Security awareness – improving awareness
• Design of controls
  – Managerial
  – Operational
  – Technical
IMPLEMENTATION
• Security solutions acquired, implemented and tested
• Personnel issues
  – Training
  – Education programs
• Management of the project plan
• Staffing the InfoSec function
  – Position and name the security function
  – Understand the impact of InfoSec across IT
  – Integrate InfoSec concepts into personnel management practices
• Information Security professionals
  – CIO, CISO, Security Manager, Data Owner, Data Custodian, Data users
• Professional certification
MAINTENANCE
• Maintenance model
• External monitoring
• Internal monitoring
• Planning and risk assessment
• Vulnerability assessment and remediation – penetration testing
• Readiness and review – functionality
MAINTENANCE MODEL
• Fault Management – identify and address faults
• Configuration and Change Management – change components and change administration
• Accounting Management and Auditing – system monitoring
• Performance Management
THREATS TO INFORMATION SECURITY
Overview of various threats to information security:
• Potential Acts of Human Error or Failure
• Deliberate Acts of Espionage or Trespass
• Deliberate Acts of Information Extortion
• Deliberate Acts of Sabotage or Vandalism
• Deliberate Acts of Theft
• Deliberate Software Attacks
• Forces of Nature
• Potential Deviations in Quality of Service from Service Providers
• Technical Hardware Failures or Errors
• Technical Software Failures or Errors
• Technological Obsolescence
CLASSIFICATION OF SECURITY VULNERABILITIES
Information security threats act through gaps in the protection system, i.e. factors of vulnerability.
The main vulnerabilities are caused by the following factors:
• Shortcomings of software or hardware
• Different characteristics of the structure of automated systems in the information flow
• Some operational processes of the system are inadequate
• Inaccuracy of information exchange protocols and interfaces
• Difficult operating conditions and the conditions in which the information is located.
Most often the sources of threats are triggered in order to obtain illegal benefits after damaging information. However, an accidental effect of threats due to insufficient protection, or a mass attack by a threatening factor, is also possible.
If you eliminate or at least mitigate the impact of vulnerabilities, you can avoid a significant threat meant to damage the storage system.
Types of vulnerabilities: objective, subjective, random.
Random vulnerabilities
These factors vary depending on unforeseen circumstances and the features of the information environment. They are almost impossible to predict in the information space, but you must be prepared to eliminate them rapidly.
Engineering and technical investigation, or a response to the attack, will help to mitigate the following problems:
1. System failures:
• Caused by malfunctions of technical means at different levels of processing and storage of information (including those responsible for system performance and access to it).
• Malfunctions and obsolete elements (demagnetization of data carriers such as diskettes, cables, connection lines and microchips).
• Malfunctions of the various software that supports all links in the chain of information storage and processing (antiviruses, application and service programs).
• Malfunctions of auxiliary equipment of information systems (power transmission failures).
2. Factors weakening information security:
• Damage to utilities such as water supply, electricity, ventilation and sewerage.
• Malfunctions of enclosing devices (fences, walls of buildings, housings of the equipment where information is stored).
Objective vulnerabilities
They depend on the technical design of the equipment installed at the object requiring protection, as well as its characteristics. It is impossible to escape all of these factors, but their partial elimination can be achieved through engineering techniques in the following cases:
1. Related to emissions from technical means:
• Electromagnetic (side emissions and signals from cable lines and elements of technical means).
• Acoustic (sound or vibration signals).
• Electrical (leakage of signals into the circuits of the electrical network, through induction into lines and conductors, because of uneven current distribution).
2. Activated:
• Malware, illegal programs and technological exits from programs, which together are called 'implant tools'.
• Hardware implants: introduced directly into telephone lines, electrical networks or premises.
3. Due to the characteristics of the protected object:
• Object location (visibility and absence of a controlled zone around the information object, presence of vibration- or sound-reflecting elements around the object, presence of remote elements of the object).
• Arrangement of information exchange channels (use of radio channels, lease of frequencies or use of shared networks).
4. Those that depend on the characteristics of carriers:
• Parts with electro-acoustic modifications (transformers, telephone devices, microphones and loudspeakers, inductors).
• Elements under the influence of an electromagnetic field (carriers, microcircuits and other elements).
Subjective vulnerabilities
In most cases, vulnerabilities of this subtype result from inadequate employee actions at the level of storage and protection system development. Eliminating such factors is possible using hardware and software:
1. Inaccuracies and gross errors that violate information security:
• At the stage of loading the finished software or preliminary algorithm development, as well as during its use (possibly during daily use or during data entry).
• When managing programs and information systems (difficulties in training to work with the system, individual set-up of services, manipulation of information flows).
• During the use of technical equipment (during switch-on or switch-off, the use of devices for transmitting or receiving information).
2. System malfunctions in the information environment:
• The mode of protection of personal data (the problem may be caused by laid-off employees, or by current employees who gain unauthorized access to the system during off-hours).
• Safety and security mode (when accessing facilities or technical devices).
• While working with devices (inefficient energy use or improper equipment maintenance).
• While working with data (changing information, saving it, searching for and destroying data, eliminating defects and inaccuracies).