Principles of Information Security,

Fourth Edition

Chapter 1
Introduction to Information Security

1
 Learning Objectives

• Upon completion of this material, you should be

able to:
– Define information security
– Recount the history of computer security and how it
evolved into information security
– Define key terms and critical concepts of
information security
– Enumerate the phases of the security systems
development life cycle
– Describe the information security roles of
professionals within an organization
2
 Introduction

• Information security: a “well-informed sense of

assurance that the information risks and controls
are in balance.” — Jim Anderson, Inovant (2002)
• Security professionals must review the origins of
this field to understand its impact on our
understanding of information security today

3
 The History of Information Security

• Computer security began immediately after the

first mainframes were developed
– Groups developing code-breaking computations
during World War II created the first modern
computers
– Multiple levels of security were implemented
• Physical controls to limit access to sensitive
military locations to authorized personnel
• Rudimentary in defending against physical theft,
espionage, and sabotage

4
Figure 1-1 – The Enigma

Figure 1-1 The Enigma

Source: Courtesy of National Security Agency
5
 The 1960s

• Advanced Research Project Agency (ARPA)

began to examine feasibility of redundant
networked communications
• Larry Roberts developed ARPANET from its
inception

6
 Figure 1-2 - ARPANET

Figure 1-2 Development of the ARPANET Program Plan3

Source: Courtesy of Dr. Lawrence Roberts

7
 The 1970s and 80s

• ARPANET grew in popularity as did its potential for

misuse
• Fundamental problems with ARPANET security
were identified
– No safety procedures for dial-up connections to
ARPANET
– Nonexistent user identification and authorization to
system
• Late 1970s: microprocessor expanded computing
capabilities and security threats

8
 The 1970s and 80s (cont’d.)

• Information security began with Rand Report

R-609 (paper that started the study of computer
security)
• Scope of computer security grew from physical
security to include:
– Safety of data
– Limiting unauthorized access to data
– Involvement of personnel from multiple levels of an
organization

9
 MULTICS

• Early focus of computer security research was a

system called Multiplexed Information and
Computing Service (MULTICS)
• First operating system created with security as its
primary goal
• Mainframe, time-sharing OS developed in
mid-1960s by General Electric (GE), Bell Labs,
and Massachusetts Institute of Technology (MIT)
• Several MULTICS key players created UNIX
• Primary purpose of UNIX was text processing
10
Table 1-1 Key Dates for Seminal Works in Early Computer Security
11
 The 1990s

• Networks of computers became more common; so

too did the need to interconnect networks
• Internet became first manifestation of a global
network of networks
• Initially based on de facto standards
• In early Internet deployments, security was treated
as a low priority

12
 2000 to Present

• The Internet brings millions of computer networks

into communication with each other—many of
them unsecured
• Ability to secure a computer’s data influenced by
the security of every computer to which it is
connected
• Growing threat of cyber attacks has increased the
need for improved security

13
 What is Security?

• “The quality or state of being secure—to be free

from danger”
• A successful organization should have multiple
layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security

14
 What is Security? (cont’d.)

• The protection of information and its critical

elements, including systems and hardware that
use, store, and transmit that information
• Necessary tools: policy, awareness, training,
education, technology
• C.I.A. triangle
– Was standard based on confidentiality, integrity, and
availability
– Now expanded into list of critical characteristics of
information

15
Figure 1-3 Components of Information Security

16
 Key Information Security Concepts
• Access • Protection Profile or
• Asset Security Posture
• Attack • Risk
• Control, Safeguard, or
• Subjects and Objects
Countermeasure
• Exploit • Threat
• Exposure • Threat Agent
• Loss • Vulnerability

17
 Key Information Security Concepts
(cont’d.)
• Computer can be subject of an attack and/or the
object of an attack
– When the subject of an attack, computer is used as
an active tool to conduct attack
– When the object of an attack, computer is the entity
being attacked

18
Figure 1-4 Information Security Terms
19
Figure 1-5 – Subject and Object of
Attack

Figure 1-5 Computer as the Subject and Object of an

Attack

20
 Critical Characteristics of Information

• The value of information comes from the

characteristics it possesses:
– Availability
– Accuracy
– Authenticity
– Confidentiality
– Integrity
– Utility
– Possession

21
CNSS Security Model

Figure 1-6 The McCumber Cube

22
Components of an Information System

• Information system (IS) is entire set of components

necessary to use information as a resource in the
organization
– Software
– Hardware
– Data
– People
– Procedures
– Networks

23
 Balancing Information Security and
Access
• Impossible to obtain perfect security—it is a
process, not an absolute
• Security should be considered balance between
protection and availability
• To achieve balance, level of security must allow
reasonable access, yet protect against threats

24
Figure 1-6 – Balancing Security and
Access

Figure 1-8 Balancing Information Security and

Access
25
 Approaches to Information Security
Implementation: Bottom-Up Approach
• Grassroots effort: systems administrators attempt
to improve security of their systems
• Key advantage: technical expertise of individual
administrators
• Rarely works, as it lacks a number of critical
features:
– Participant support
– Organizational staying power

26
 Approaches to Information Security
Implementation: Top-Down Approach
• Initiated by upper management
– Issue policy, procedures, and processes
– Dictate goals and expected outcomes of project
– Determine accountability for each required action
• The most successful also involve formal
development strategy referred to as systems
development life cycle

27
Figure 1-9 Approaches to Information Security
Implementation
28
The Systems Development Life Cycle

• Systems Development Life Cycle (SDLC):

methodology for design and implementation of
information system within an organization
• Methodology: formal approach to problem solving
based on structured sequence of procedures
• Using a methodology:
– Ensures a rigorous process
– Increases probability of success
• Traditional SDLC consists of six general phases

29
Figure 1-10 SDLC Waterfall Methodology

30
 Investigation

• What problem is the system being developed to

solve?
• Objectives, constraints, and scope of project are
specified
• Preliminary cost-benefit analysis is developed
• At the end, feasibility analysis is performed to
assess economic, technical, and behavioral
feasibilities of the process

31
 Analysis

• Consists of assessments of:

– The organization
– Current systems
– Capability to support proposed systems
• Analysts determine what new system is expected
to do and how it will interact with existing systems
• Ends with documentation of findings and update of
feasibility analysis

32
 Logical Design

• Main factor is business need

– Applications capable of providing needed services
are selected
• Data support and structures capable of providing
the needed inputs are identified
• Technologies to implement physical solution are
determined
• Feasibility analysis performed at the end

33
 Physical Design

• Technologies to support the alternatives identified

and evaluated in the logical design are selected
• Components evaluated on make-or-buy decision
• Feasibility analysis performed
– Entire solution presented to end-user
representatives for approval

34
 Implementation

• Needed software created

• Components ordered, received, and tested
• Users trained and documentation created
• Feasibility analysis prepared
– Users presented with system for performance
review and acceptance test

35
 Maintenance and Change

• Longest and most expensive phase

• Consists of tasks necessary to support and modify
system for remainder of its useful life
• Life cycle continues until the process begins again
from the investigation phase
• When current system can no longer support the
organization’s mission, a new project is
implemented

36
 The Security Systems Development
Life Cycle
• The same phases used in traditional SDLC may be
adapted to support specialized implementation of
an IS project
• Identification of specific threats and creating
controls to counter them
• SecSDLC is a coherent program rather than a
series of random, seemingly unconnected actions

37
 Investigation

• Identifies process, outcomes, goals, and

constraints of the project
• Begins with Enterprise Information Security Policy
(EISP)
• Organizational feasibility analysis is performed

38
 Analysis

• Documents from investigation phase are studied

• Analysis of existing security policies or programs,
along with documented current threats and
associated controls
• Includes analysis of relevant legal issues that
could impact design of the security solution
• Risk management task begins

39
 Logical Design

• Creates and develops blueprints for information

security
• Incident response actions planned:
– Continuity planning
– Incident response
– Disaster recovery
• Feasibility analysis to determine whether project
should be continued or outsourced

40
 Physical Design

• Needed security technology is evaluated,

alternatives are generated, and final design is
selected
• At end of phase, feasibility study determines
readiness of organization for project

41
 Implementation

• Security solutions are acquired, tested,

implemented, and tested again
• Personnel issues evaluated; specific training and
education programs conducted
• Entire tested package is presented to
management for final approval

42
 Maintenance and Change

• Perhaps the most important phase, given the ever-

changing threat environment
• Often, repairing damage and restoring information
is a constant duel with an unseen adversary
• Information security profile of an organization
requires constant adaptation as new threats
emerge and old threats evolve

43
 Security Professionals and the
Organization
• Wide range of professionals required to support a
diverse information security program
• Senior management is key component
• Additional administrative support and technical
expertise are required to implement details of IS
program

44
 Senior Management

• Chief Information Officer (CIO)

– Senior technology officer
– Primarily responsible for advising senior executives
on strategic planning
• Chief Information Security Officer (CISO)
– Primarily responsible for assessment, management,
and implementation of IS in the organization
– Usually reports directly to the CIO

45
 Information Security Project Team

• A number of individuals who are experienced in

one or more facets of required technical and
nontechnical areas:
– Champion
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users

46
 Data Responsibilities

• Data owner: responsible for the security and use of

a particular set of information
• Data custodian: responsible for storage,
maintenance, and protection of information
• Data users: end users who work with information
to perform their daily jobs supporting the mission
of the organization

47
 Communities of Interest

• Group of individuals united by similar interests/

values within an organization
– Information security management and professionals
– Information technology management and
professionals
– Organizational management and professionals

48
 Information Security: Is it an Art or a
Science?
• Implementation of information security often
described as combination of art and science
• “Security artesan” idea: based on the way
individuals perceive systems technologists since
computers became commonplace

49
 Security as Art

• No hard and fast rules nor many universally

accepted complete solutions
• No manual for implementing security through
entire system

50
 Security as Science

• Dealing with technology designed to operate at

high levels of performance
• Specific conditions cause virtually all actions that
occur in computer systems
• Nearly every fault, security hole, and systems
malfunction are a result of interaction of specific
hardware and software
• If developers had sufficient time, they could
resolve and eliminate faults

51
 Security as a Social Science

• Social science examines the behavior of

individuals interacting with systems
• Security begins and ends with the people that
interact with the system
• Security administrators can greatly reduce levels
of risk caused by end users, and create more
acceptable and supportable security profiles

52
 Summary

• Information security is a “well-informed sense of

assurance that the information risks and controls
are in balance”
• Computer security began immediately after first
mainframes were developed
• Successful organizations have multiple layers of
security in place: physical, personal, operations,
communications, network, and information

53
 Summary (cont’d.)

• Security should be considered a balance between

protection and availability
• Information security must be managed similarly to
any major system implemented in an organization
using a methodology like SecSDLC
• Implementation of information security often
described as a combination of art and science

54