SQUARE NORTH TECHNOLOGIES

Information Security Training

Chapter 1
Introduction to Information Security

Muhammad Lawal
Chief Executive Officer
[email protected]
08124350304
 Learning Objectives
 Understand what information security is and how it came to
mean what it does today.
 Comprehend the history of computer security and how it
evolved into information security.
 Understand the key terms and critical concepts of information
security as presented in the chapter.
 Outline the phases of the security systems development life
cycle.
 Understand the role professionals involved in information
security in an organizational structure.
 Understand the business need for information security.
 Understand a successful information security program is the
responsibility of an organization‘s general management and I
T management.
 Understand the some threats posed to information security
and the more common attacks associated with those threats.
Introduction
 Some hundreds of years ago, we would have been
making living on agriculture.

 Say a hundred years ago you were likely to be

making a living working in a factory.

 Today, we live in the information age where

everyone has a job somehow connected to
information stored in digital form on a network.
 The History Of Information
Security
Computer security began immediately after the
first mainframes were developed

Physical controls were needed to limit access to

authorized personnel to sensitive military
locations

Only rudimentary controls were available to

defend against physical theft, espionage, and
sabotage
The 1960s
• Department of Defense’s Advanced Research
Project Agency (ARPA) began examining the
feasibility of a redundant networked communi
cations
 The 1970s and 80s
• ARPANET grew in popularity as did its potential
for misuse
• Fundamental problems with ARPANET security
were identified
– No safety procedures for dial-up connections
to the ARPANET
– User identification and authorization to the
system were non-existent
• In the late 1970s the microprocessor expanded
computing capabilities and security threats
 R-609 – The Start of the Study of
Computer Security
• Information Security began with Rand Report
R-609
• The scope of computer security grew from
physical security to include:
– Safety of the data
– Limiting unauthorized access to that data
– Involvement of personnel from multiple levels of
the organization
 The 1990s
• Networks of computers became more
common, so too did the need to interconnect
the networks
• Resulted in the Internet, the first
manifestation of a global network of networks
• In early Internet deployments, security was
treated as a low priority
 The Present
• The Internet has brought millions of computer
networks into communication with each
other – many of them unsecured
• Ability to secure each now influenced by the
security on every computer to which it is
connected
 What is Security?
 The quality or state of being secure—to be fre
e from danger
 A successful organization should have multipl
e layers of security in place:
• Physical security
• Personal security
• Operations security
• Communications security
• Network security
• Information security
 Critical Characteristics of Information
• The value of information comes from the char
acteristics it possesses:
– Availability
– Accuracy
– Authenticity
– Confidentiality
– Integrity
– Utility
– Possession
 Components of an Information System

• Information system (IS) is the entire set of

software, hardware, data, people, procedures,
and networks necessary to use information as
a resource in the organisation
 Bottom Up Approach
• Security from a grass-roots effort - systems
administrators attempt to improve the security
of their systems
• Key advantage - technical expertise of the
individual administrators
• Seldom works, as it lacks a number of critical
features:
– participant support
– organizational staying power
 Top-down Approach
• Initiated by upper management:
– issue policy, procedures, and processes
– dictate the goals and expected outcomes of the
project
– determine who is accountable for each of the
required actions
• This approach has strong upper management support,
a dedicated champion, dedicated funding, clear
planning, and the chance to influence organizational
culture
• May also involve a formal development strategy
referred to as a systems development life cycle
– Most successful top-down approach
 The Systems Development Life
Cycle
• Information security must be managed in a
manner similar to any other major system
implemented in the organization
• Using a methodology
– ensures a rigorous process
– avoids missing steps
• The goal is creating a comprehensive security
posture/program
 The Security Systems Development Life Cycle
• The same phases used in traditional SDLC may be adapte
d to support specialized implementation of an IS project
• Investigation
• Analysis
• Logical design
• Physical design
• Implementation
• Maintenance & change
• Identification of specific threats and creating controls to
counter them
• SecSDLC is a coherent program rather than a seri
es of random, seemingly unconnected actions
 Investigation
• Identifies process, outcomes, goals, and const
raints of the project

• Begins with enterprise information security po

licy

• Organizational feasibility analysis is performed

 Analysis
• Documents from investigation phase are studied

• Analyzes existing security policies or programs, a

long with documented current threats and assoc
iated controls

• Includes analysis of relevant legal issues that co

uld impact design of the security solution

• The risk management task begins

 Logical Design
• Creates and develops blueprints for information secu
rity
• Incident response actions planned:
– Continuity planning
– Incident response
– Disaster recovery
• Feasibility analysis to determine whether project sho
uld continue or be outsourced
 Physical Design
• Needed security technology is evaluated,
alternatives generated, and final design
selected

• At end of phase, feasibility study determines

readiness of organization for project
 Implementation
• Security solutions are acquired, tested,
implemented, and tested again

• Personnel issues evaluated; specific training

and education programs conducted

• Entire tested package is presented to

management for final approval
 Maintenance and Change
• Perhaps the most important phase, given the
ever-changing threat environment

• Often, reparation and restoration of information

is a constant duel with an unseen adversary

• Information security profile of an organization

requires constant adaptation as new threats
emerge and old threats evolve
 Professionals involved in information security
within an organization
Senior Management
 Chief Information Officer (CIO)
• Senior technology officer
• Primarily responsible for advising senior executives on
strategic planning
 Chief Information Security Officer (CISO)
• Primarily responsible for assessment, management, an
d implementation of IS in the organization
• Usually reports directly to the CIO
Information Security Project Team
 A number of individuals who are experienced
in one or more facets of required technical an
d nontechnical areas:
• Champion
• Team leader
• Security policy developers
• Risk assessment specialists
• Security professionals
• Systems administrators
• End users
Data Ownership
• Data owner: responsible for the security and u
se of a particular set of information
• Data custodian: responsible for storage, maint
enance, and protection of information
• Data users: end users who work with informat
ion to perform their daily jobs supporting the
mission of the organization
 What is Information Security?
• “The concepts, techniques, technical measures, and adminis
trative measures used to protect information assets from deli
berate or inadvertent unauthorised acquisition, damage, discl
osure, manipulation, modification, loss, or use is information
security.”
or
• means protecting information and information systems from
unauthorised access, use, disclosure, modification or destructi
on.
or
• Implementing suitable controls - policies, practices, procedur
es, organisational structures, software, etc, to secure informa
tion for any information user.
• The protection of information and its critical e
lements, including systems and hardware that
use, store, and transmit that information
• Necessary tools: policy, awareness, training, e
ducation, technology
• C.I.A. triangle was standard based on confiden
tiality, integrity, and availability
• C.I.A. triangle now expanded into list of critica
l characteristics of information
 How Can Information Security Be Achieved
Information Security is achieved by implementing a suitable set of controls, which
could be:
These controls need to be established in order to ensure that the specific security
objectives of the organization are met.
Access to
network resource
will be granted
Passwords
through a unique
will be 8
user ID and
characters
password
long

Passwords
should include
one non-alpha
and not found
in dictionary
 Information Security Goals

 Confidentiality - making sure that those who should

not see the information can not see it.

 Integrity - making sure the information has not been

changed from how it was intended to be.

 Availability – making sure the information is available

for use when needed.
 Security Goals

Confidentiality

Integrity Availability
 Securing Components
• Computer can be subject of an attack and/or the obj
ect of an attack

– When the subject of an attack, computer is used as an

active tool to conduct attack

– When the object of an attack, computer is the entity b

eing attacked
Balancing Information Security and Access

• Impossible to obtain perfect security—it is a p

rocess, not an absolute

• Security should be considered balance betwee

n protection and availability

• To achieve balance, level of security must allo

w reasonable access, yet protect against threa
ts
Balancing security and access
 The Need for Information Security
Business Needs First
Technology Needs Last
Information security performs three important functions
for an organization:
• Protects the organization‘s ability to function
– Communities of interest must argue for information security in ter
ms of impact and cost
• Enables the safe operation of applications implemented on
the organization‘s IT systems
– Organizations must create integrated, efficient, and capable applic
ations
– Organization need environments that safeguard applications
• Protects the data the organization collects and
uses
– One of the most valuable assets is data
– Without data, an organization loses its record of trans
actions and/or its ability to deliver value to its custom
ers
– An effective information security program is essential
to the protection of the integrity and value of the orga
nization‘s data

Technology Needs
• Safeguards the technological assets in use at the organi
zation
• Organizations must have secure infrastructure services b
ased on the size and scope of the enterprise
 Areas of Information System Security

 Data security

 Computer security

 LAN or Network security

 Internet security
 Major Threats & Issues
Basic Threats

 Theft of password

 E-mail based threats

 E-mail based extortion

 Launch of malicious codes (trojans)

Corporate threats
• Web defacement
• Corporate espionage
• Website based launch of malicious code cheating and fraud
• Exchange of criminal ideas and tools
• Cyber harassment
• Forge websites

Online threats
• E-mail spamming
• Theft of software and electronic records
• Cyber stalking
• E-mail bombing
• Denial of service attacks
 Protecting your computer and network
 Physical security
 Securing desktop computers
 Securing laptops/notebooks/handheld computers
 Securing network security

 Software security
 Protect against internet intruders with firewall
s and IDS
 Protect against viruses and other malware
 Protect against spyware and adware
 Protect against unwanted email
 General spam protection practices
 Do not give out your email address indiscriminately

 Leave your email signature line blank if you post to a

newsgroup

 Do not reply to junk messages

 Do not open obvious spam mails

 Report to appropriate person – systems administrator