HCSEC111 Introduction to Information Security

CNSS Security Model

Prepared By
T. G. Rebanowako
CNSS Security Model
• The model, which was created by John McCumber in 1991, provides a graphical representation of the architectural approach widely used in computer and information security, now known as the McCumber Cube.
• As shown in Figure 1.3, the McCumber Cube shows three dimensions.
• When extrapolated, the three dimensions of each axis become a 3 by 3 by 3 cube with 27 cells representing areas that must be addressed to secure today’s information systems.
• To ensure comprehensive system security, each of the 27 areas must be properly addressed during the security process.
• For example, the intersection of technology, integrity, and storage requires a set of controls or safeguards that address the need to use technology to protect the integrity of information while in storage.
• One such control might be a host intrusion detection system that protects the integrity of information by alerting security administrators to the potential modification of a critical file.
• A common omission from such a model is the need for guidelines and policies that provide direction for the practices and implementations of technologies.
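As an added example (not from the slides), the Python script below models the cube as its 27 cells, reports which cells a list of controls leaves unaddressed, and implements the host-based integrity check the slide mentions for the (integrity, storage, technology) cell. The axis labels are the standard McCumber axes, which the slides do not list; the file name and the control list are constructed.

```python
# Added example: McCumber Cube coverage check plus one concrete control for the
# (integrity, storage, technology) cell: a SHA-256 file-integrity check.
# Axis labels are the standard McCumber axes (assumed; the slides do not list them).
import hashlib, itertools, os, tempfile

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
SAFEGUARDS = ("technology", "policy", "education")
CELLS = set(itertools.product(GOALS, STATES, SAFEGUARDS))   # 27 cells

def uncovered(controls):
    """Cells that no control addresses. Each control is a tuple
    (name, goal, state, safeguard)."""
    covered = {c[1:] for c in controls}
    return sorted(CELLS - covered)

def digest(path):
    """SHA-256 of a file, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(baseline):
    """Return {path: 'modified' | 'missing'} for files that no longer match
    a trusted baseline {path: sha256}. This is the control for the
    integrity/storage/technology cell: it alerts on change to a critical file."""
    out = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            out[path] = "missing"
        elif digest(path) != expected:
            out[path] = "modified"
    return out

def demo():
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "app.conf")          # constructed "critical file"
    with open(cfg, "w") as f:
        f.write("debug=false\n")
    base = {cfg: digest(cfg)}                  # record the known-good digest
    with open(cfg, "a") as f:                  # simulate an unauthorised change
        f.write("debug=true\n")
    controls = [("file integrity monitor", "integrity", "storage", "technology"),
                ("backup policy", "availability", "storage", "policy")]
    return len(uncovered(controls)), verify(base)[cfg]

if __name__ == "__main__":
    print(demo())   # (25, 'modified')
```

The baseline digests must be kept where someone able to alter the critical file cannot also alter them (read-only media or a separate host), otherwise the check detects nothing.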
CNSS Security Model

Fig 1.3 The McCumber Cube


Components of an Information System
• An information system (IS) is much more than computer hardware; it is the entire set of people, procedures, and technology that enable businesses to use information.
• The six critical components of hardware, software, networks, people, procedures, and data enable information to be input, processed, output, and stored.
• Each of these IS components has its own strengths and weaknesses, as well as its own characteristics and uses.
• Each component of the IS also has its own security requirements.
Components of an Information System
Software: The software component of an IS includes applications (programs), operating systems, and assorted command utilities.
• Software is perhaps the most difficult IS component to secure.
• The exploitation of errors in software programming accounts for a substantial portion of the attacks on information.
• The information technology (IT) industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems in software.
• Software carries the lifeblood of information through an organization.
• Unfortunately, software programs are often created under the constraints of project management, which limit time, costs, and manpower.
• Information security is all too often implemented as an afterthought rather than developed as an integral component from the beginning.
• In this way, software programs become an easy target of accidental or intentional attacks.
Components of an Information System
Hardware: Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.
• Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft.
• Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system.
• Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information.
• Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted hardware access is possible.
Components of an Information System
Data: Data stored, processed, and transmitted by a computer system must be protected.
• Data is often the most valuable asset of an organization and therefore is the main target of intentional attacks.
• Systems developed in recent years are likely to make use of database management systems.
• When used properly, they should improve the security of the data and the applications that rely on the data.
• Unfortunately, many system development projects do not make full use of the database management system’s security capabilities, and in some cases the database is implemented in ways that make it less secure than traditional file systems.
Components of an Information System
• Data and information exist in physical form in many organizations as paper reports, handwritten notes, and computer printouts.
• The protection of physical information is, therefore, as important as the protection of electronic, computer-based information.
• The terms data and information are used interchangeably today.
• Information was originally defined as data with meaning, such as a report or statistical analysis.
• For our purposes, we will use the term information to represent both unprocessed data and actual information.
Components of an Information System
People: Though often overlooked in computer security considerations, people have always been a threat to information security.
• People can be the weakest link in an organization’s information security program.
• Unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link.
• Social engineering can prey on the tendency to cut corners and the commonplace nature of human error.
• It can be used to manipulate people to obtain access to information about a system.
Components of an Information System
Procedures: Procedures are another frequently overlooked component of an IS.
• Procedures are written instructions for accomplishing a specific task.
• When an unauthorized user obtains an organization’s procedures, it poses a threat to the integrity of the information.
• For example, a consultant to a bank learned how to wire funds by using the computer center’s procedures, which were readily available.
• By taking advantage of a security weakness (lack of authentication), the bank consultant ordered millions of dollars to be transferred by wire to his own account.
• Lax security procedures caused the loss of more than $10 million before the situation was corrected.
Components of an Information System
• Most organizations distribute procedures to employees so they can access the information system, but many of these companies often fail to provide proper education for using the procedures safely.
• Educating employees about safeguarding procedures is as important as physically securing the information system.
• After all, procedures are information in their own right.
• Therefore, knowledge of procedures, as with all critical information, should be disseminated among members of an organization on a need-to-know basis.
Components of an Information System
Networks: Networking is the IS component that created much of the need for increased computer and information security.
• When information systems are connected to each other to form LANs, and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge.
• The physical technology that enables network functions is becoming more accessible to organizations of every size.
• Applying the traditional tools of physical security, such as locks and keys, to restrict access to the system’s hardware components is still important.
• However, when computer systems are networked, this approach is no longer enough.
• Steps to provide network security such as installing and configuring firewalls are essential, as is implementing intrusion detection systems to make system owners aware of ongoing compromises.
Balancing Information Security and Access
• Even with the best planning and implementation, it is impossible to obtain perfect information security.
• Information security cannot be absolute: it is a process, not a goal.
• You can make a system available to anyone, anywhere, anytime, through any means.
• However, such unrestricted access poses a danger to the security of the information.
• On the other hand, a completely secure information system would not allow anyone access.
Balancing Information Security and Access
• To achieve balance—that is, to operate an information system that satisfies the user and the security professional—the security level must allow reasonable access, yet protect against threats.
• Figure 1.4 shows some of the competing voices that must be considered when balancing information security and access.
Balancing Information Security and Access

Fig 1.4 Balancing Information Security and Access


Balancing Information Security and Access
• Because of today’s security concerns and issues, an information system or data processing department can get too entrenched in the management and protection of systems.
• An imbalance can occur when the needs of the end user are undermined by obsessive focus on protecting and administering the information systems.
• Information security technologists and end users must recognize that both groups share the same overall goals of the organization—to ensure that data is available when, where, and how it is needed, with minimal delays or obstacles.
• In an ideal world, this level of availability can be met even after addressing concerns about loss, damage, interception, or destruction.
-----End-----