Information Security Lecture for week 5 October 19, 2014 Abhinav Dahal

Dec 24, 2015

Transcript
Page 1: Information Security Lecture for week 5 October 19, 2014 Abhinav Dahal.

Information Security

Lecture for week 5

October 19, 2014

Abhinav Dahal

Page 2:

Agenda (Today…)

What is information?
Security risks
Characteristics of Information
Information Security (IS)
Approaches to IS
History of IS
Components of IS
Security Systems Development Life Cycle
Good practices in IS
Information Security careers

Page 3:

“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected”

BS ISO 27002:2005

Page 4:

Information can be

Printed or written on paper

Stored electronically

Transmitted by post or using electronics means

Displayed / published on web

Verbal – spoken in conversations

Page 5:

Security risks

• Security risks start when the power is turned on.

• The only way to deal with security risks is via risk management.

• Risks can be identified and reduced, but never eliminated.

• No matter how secure you make a system, it can always be broken into, given sufficient resources, time, motivation and money.

Page 6:

Security risks (Contd…)

• Since you cannot protect yourself if you do not know what you are protecting against, a risk assessment must be performed.

• A risk assessment answers 3 fundamental questions:

– Identify assets – what am I trying to protect?

– Identify threats – what am I protecting against?

– Calculate risks – how much time, effort and money am I willing to expend to obtain adequate protection?

• After risks are determined, you can then develop the policies and procedures needed to reduce the risks.
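As an added illustration of the three questions above (this is not code from the lecture), the following Python script models assets, threats and candidate controls, and answers "how much am I willing to expend" with the assumed annualized loss expectancy rule: asset value × exposure factor × annual rate of occurrence, recommending a control only when the loss it averts per year exceeds its annual cost. All figures are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # business / replacement value

@dataclass(frozen=True)
class Threat:
    name: str
    asset: str              # name of the asset it threatens
    annual_rate: float      # expected occurrences per year (ARO)
    exposure: float         # fraction of asset value lost per occurrence (EF)

@dataclass(frozen=True)
class Control:
    name: str
    threat: str             # name of the threat it mitigates
    annual_cost: float
    reduction: float        # fraction of that threat's ALE it removes

def annual_loss(asset: Asset, threat: Threat) -> float:
    """Annualized loss expectancy (ALE) = asset value x EF x ARO."""
    return asset.value * threat.exposure * threat.annual_rate

def assess(assets, threats, controls) -> dict:
    """Map each control to its net annual benefit (loss averted minus cost)."""
    by_name = {a.name: a for a in assets}
    ale = {t.name: annual_loss(by_name[t.asset], t) for t in threats}
    return {c.name: ale[c.threat] * c.reduction - c.annual_cost for c in controls}

def justified_controls(assets, threats, controls) -> list:
    """Controls worth the money: those whose net annual benefit is positive."""
    return sorted(n for n, net in assess(assets, threats, controls).items() if net > 0)

# Constructed sample figures for illustration only (not from the lecture)
ASSETS = [Asset("customer database", 500_000), Asset("file server", 40_000)]
THREATS = [
    Threat("malware data theft", "customer database", annual_rate=0.2, exposure=0.6),
    Threat("hardware theft", "file server", annual_rate=0.1, exposure=1.0),
    Threat("flood", "file server", annual_rate=0.01, exposure=1.0),
]
CONTROLS = [
    Control("anti-malware and patching", "malware data theft", annual_cost=15_000, reduction=0.7),
    Control("locked server room", "hardware theft", annual_cost=1_000, reduction=0.9),
    Control("flood-proof off-site facility", "flood", annual_cost=5_000, reduction=1.0),
]
```

With these figures the flood control costs more per year than the loss it prevents, so `justified_controls(ASSETS, THREATS, CONTROLS)` recommends only the first two.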

Page 7:

Threats

• Earthquake, flood, hurricane, lightning.

• Utility loss, i.e. power, telecommunication.

• Theft of hardware, software, data.

• Terrorists, both political and information.

• Software bugs, malicious code, viruses, spam, mail bombs.

• Hackers.

Page 8:

Why is information vulnerable?

The great skill divide: application security people are from Mars, software developers are from Venus. Most application security people are not software people and cannot write code (properly), or vice versa.

Priority: Security < Performance < Functionality

Page 9:

Why is information vulnerable? (Contd…)

• Unable to understand or quantify security threats and technical vulnerabilities.

• Begin the analysis with a preconceived notion that the cost of controls will be excessive or the security technology doesn’t exist.

• Belief that the security solution will interfere with the performance or appearance of the business product.

Page 10:

Characteristics of Information

• Three characteristics of information must be protected by information security:

Confidentiality

Integrity

Availability

Page 11:

ISO 27002:2005 defines Information Security as the

preservation of:

Confidentiality

Ensuring that information is accessible only to those authorized to have access

Integrity

Safeguarding the accuracy and completeness of information and processing methods

Availability

Ensuring that authorized users have access to information and associated assets when required

Page 12:

What is Information Security?

The architecture in which an integrated combination of appliances, systems and solutions, software, and vulnerability scans work together.

Information security is all about protecting and preserving information. It’s all about protecting and preserving the confidentiality, integrity, authenticity, availability, and reliability of information.

Monitored 24x7

Page 13:

Figure 1-4 – NSTISSC Security Model

Page 14:

The History of Information Security

• Began immediately after the first mainframes were developed

• Physical controls to limit access to sensitive military locations to authorized personnel

• Rudimentary in defending against physical theft, espionage, and sabotage

Page 15:

The History of Information Security (Contd…)

• The 1960s

Advanced Research Projects Agency (ARPA) began to examine feasibility of redundant networked communications

Lawrence Roberts developed ARPANET from its inception

Page 16:

The History of Information Security (Contd…)

• The 1970s and 80s

ARPANET grew in popularity as did its potential for misuse

Fundamental problems with ARPANET security were identified:

– No safety procedures for dial-up connections to ARPANET

– Non-existent user identification and authorization to system

Late 1970s: microprocessor expanded computing capabilities and security threats.

Page 17:

The History of Information Security (Contd…)

• R-609

Information security began with Rand Report R-609 (paper that started the study of computer security)

Scope of computer security grew from physical security to include:

• Safety of data

• Limiting unauthorized access to data

• Involvement of personnel from multiple levels of an organization

Page 18:

The History of Information Security (Contd…)

• The 1990s

Networks of computers became more common; so too did the need to interconnect networks

Internet became first manifestation of a global network of networks

In early Internet deployments, security was treated as a low priority

Page 19:

The present

• The Internet brings millions of computer networks into communication with each other—many of them unsecured

Page 20:

Securing Components

• Computer can be subject of an attack and/or the object of an attack

– When the subject of an attack, computer is used as an active tool to conduct attack

– When the object of an attack, computer is the entity being attacked

Page 21:

Attack

Page 22:

Balancing Information Security and Access

• Impossible to obtain perfect security—it is a process, not an absolute

• Security should be considered balance between protection and availability

• To achieve balance, level of security must allow reasonable access, yet protect against threats

Page 23:

Approaches to Information Security Implementation: Bottom-Up Approach

• Grassroots effort: systems administrators attempt to improve security of their systems

• Key advantage: technical expertise of individual administrators

• Seldom works, as it lacks a number of critical features:

– Participant support

– Organizational staying power

Page 24:

Approaches to Information Security Implementation: Top-Down Approach

• Initiated by upper management

– Issue policy, procedures and processes

– Dictate goals and expected outcomes of project

– Determine accountability for each required action

• The most successful also involve formal development strategy referred to as systems development life cycle

Page 25:

Page 26:

Security Systems Development Life Cycle (SecSDLC)

Page 27:

Investigation

• Identifies process, outcomes, goals, and constraints of the project

• Begins with enterprise information security policy

• Organizational feasibility analysis is performed

Page 28:

Analysis

• Documents from investigation phase are studied

• Analyzes existing security policies or programs, along with documented current threats and associated controls

• Includes analysis of relevant legal issues that could impact design of the security solution

• The risk management task begins

Page 29:

Logical Design

• Creates and develops blueprints for information security

• Incident response actions planned:

– Incident response

– Disaster recovery

• Feasibility analysis to determine whether project should continue or be outsourced

Page 30:

Physical Design

• Needed security technology is evaluated, alternatives generated, and final design selected

• At end of phase, feasibility study determines readiness of organization for project

Page 31:

Implementation

• Security solutions are acquired, tested, implemented, and tested again

• Personnel issues evaluated; specific training and education programs conducted

• Entire tested package is presented to management for final approval

Page 32:

Maintenance and Change

• Perhaps the most important phase, given the ever-changing threat environment

• Often, reparation and restoration of information is a constant duel with an unseen adversary

• Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve

Page 33:

Good Practices

One of the best ways to protect your information is to make sure that your computer is not vulnerable to attack from the outside. Here are some steps you can take:

Keep your computer patches up to date

Install anti-virus and anti-spyware software and keep it up to date

Remove all services from your computer that you do not need

Don't click on links in suspicious email

Page 34:

A number of trends illustrate why security is becoming increasingly difficult:

Speed of attacks

Sophistication of attacks

Faster detection of weaknesses

Distributed attacks

Difficulties of patching

Page 35:

Understanding the Importance of Information Security

• Information security is important to businesses:

Prevents data theft

Avoids legal consequences of not securing information

Maintains productivity – an estimated loss of $213,000

Foils cyber terrorism

Thwarts identity theft

Page 36:

Information Security Careers

Information security is one of the fastest growing career fields

As information attacks increase, companies are becoming more aware of their vulnerabilities and are looking for ways to reduce their risks and liabilities

Page 37:

Sometimes divided into three general roles:

- Security manager develops corporate security plans and policies, provides education and awareness, and communicates with executive management about security issues

- Security engineer designs, builds, and tests security solutions to meet policies and address business needs

- Security administrator configures and maintains security solutions to ensure proper service levels and availability