Lecture-1A Information Security

Lecture 1

Introduction to Information Security

LEARNING OBJECTIVES:

Upon completion of this material, you should be able to:

• Define information security
• Recount the history of computer security, and explain how it evolved into information security
• Define key terms and critical concepts of information security
• Enumerate the phases of the security systems development life cycle
• Describe the information security roles of professionals within an organization
The History of Information Security

THE ENIGMA
• Earlier versions of the German code machine Enigma were first broken by the Poles in the 1930s.
• The British and Americans managed to break later, more complex versions during World War II.
• The increasingly complex versions of the Enigma, especially the submarine version of the Enigma, caused considerable anguish to Allied forces before finally being cracked.
The 1960s
During the Cold War, many more mainframes were brought online to accomplish more complex and sophisticated tasks.

The 1970s and 80s
During the next decade, ARPANET became popular and more widely used, and the potential for its misuse grew.

Key Dates for Seminal Works in Early Computer Security
The 1990s
At the close of the twentieth century, networks of computers became more
common, as did the need to connect these networks to each other.
2000 to Present
Today, the Internet brings millions of unsecured computer networks into
continuous communication with each other. The security of each computer’s
stored information is now contingent on the level of security of every other
computer to which it is connected.
What Is Security?

In general, security is "the quality or state of being secure, to be free from danger." In other words, protection against adversaries, from those who would do harm, intentionally or otherwise, is the objective.
A successful organization should have the following multiple layers of security in place to protect its operations:

● Physical security, to protect physical items, objects, or areas from unauthorized access and misuse.
● Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations.
● Operations security, to protect the details of a particular operation or series of activities.
● Communications security, to protect communications media, technology, and content.
● Network security, to protect networking components, connections, and contents.
● Information security, to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission.
Components of Information Security
Key Information Security Concepts
• Access: A subject or object's ability to use, manipulate, modify, or affect another subject or object.
• Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or physical, such as a person, computer system, or other tangible object.
• Attack: An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it.
• Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
• Exploit: A technique used to compromise a system.
• Exposure: A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.
• Loss: A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure.
• Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset.
• Risk: The probability that something unwanted will happen.
• Subjects and objects: A computer can be either the subject of an attack (an agent entity used to conduct the attack) or the object of an attack (the target entity).
• Threat: A category of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be purposeful or undirected.
• Threat agent: The specific instance or a component of a threat.
• Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage.
Critical Characteristics of Information

Availability - Availability enables authorized users (persons or computer systems) to access information without interference or obstruction and to receive it in the required format.

Accuracy - Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate.

Authenticity - The authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication.

Integrity - Information has integrity when it is whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption.

Confidentiality - Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. To protect the confidentiality of information, you can use a number of measures, including the following:

● Information classification
● Secure document storage
● Application of general security policies
● Education of information custodians and end users

Utility - The utility of information is the quality or state of having value for some purpose or end.

Possession - The possession of information is the quality or state of ownership or control.
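The integrity and authenticity characteristics above are easy to confuse, so here is an added worked example (not part of the lecture) that separates them in code. An unkeyed hash detects accidental corruption, which is an integrity check, but anyone who can rewrite the record can also recompute the hash, so it says nothing about who produced the data. A keyed MAC (HMAC-SHA256 from Python's standard library) can only be produced by a holder of the key, so a valid tag shows both that the record is unmodified and that it is genuine rather than a fabrication. The record contents, the shared key and the attacker's edit are all constructed values chosen for illustration.

```python
"""Integrity vs. authenticity: unkeyed checksum vs. keyed MAC.

Added example, not from the lecture. RECORD, SHARED_KEY and the field
names are constructed for illustration only.
"""
import hashlib
import hmac

# Constructed sample: a record a data custodian stores, and a key shared
# only by the custodian and the data owner (hypothetical values).
RECORD = b"account=4411;balance=1500.00;owner=alice"
SHARED_KEY = b"example-key-do-not-reuse"


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256: catches bit-flips and truncation, not tampering."""
    return hashlib.sha256(data).hexdigest()


def checksum_ok(data: bytes, expected: str) -> bool:
    """Integrity-only check: does the stored digest match the data?"""
    return hmac.compare_digest(checksum(data), expected)


def mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag; only a holder of `key` can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_ok(key: bytes, data: bytes, tag: str) -> bool:
    """Integrity plus authenticity check. compare_digest is constant-time,
    which avoids leaking the tag through a timing side channel."""
    return hmac.compare_digest(mac(key, data), tag)


def corrupt(data: bytes) -> bytes:
    """Accidental corruption: flip one bit in the stored bytes."""
    buf = bytearray(data)
    buf[0] ^= 0x01
    return bytes(buf)


def tamper(data: bytes) -> bytes:
    """Deliberate modification by an attacker who can rewrite the record."""
    return data.replace(b"balance=1500.00", b"balance=9999.99")


def scenario() -> dict:
    """Run both checks against accidental corruption and against an
    attacker who rewrites the record and recomputes any unkeyed value
    stored beside it. Returns whether each check caught each event."""
    stored_sum = checksum(RECORD)
    stored_tag = mac(SHARED_KEY, RECORD)

    corrupted = corrupt(RECORD)
    tampered = tamper(RECORD)
    # The attacker can recompute the checksum for the edited record but
    # does not hold SHARED_KEY, so the best they can do is reuse the old tag.
    attacker_sum = checksum(tampered)
    attacker_tag = stored_tag

    return {
        "checksum_catches_corruption": not checksum_ok(corrupted, stored_sum),
        "mac_catches_corruption": not mac_ok(SHARED_KEY, corrupted, stored_tag),
        # Integrity-only check is defeated: the forged checksum matches.
        "checksum_catches_tampering": not checksum_ok(tampered, attacker_sum),
        # Authenticity check holds: no valid tag without the key.
        "mac_catches_tampering": not mac_ok(SHARED_KEY, tampered, attacker_tag),
    }


if __name__ == "__main__":
    for name, caught in scenario().items():
        print(f"{name}: {caught}")
```

Running the block shows the checksum catching the bit-flip but not the rewritten balance, while the HMAC catches both. The practical point is that a checksum stored next to the data protects against accidents only; protection against an adversary needs a secret the adversary does not have, which is what moves the check from integrity to authenticity.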
Components of an Information System

Software - Software is perhaps the most difficult IS component to secure. The exploitation of errors in software programming accounts for a substantial portion of the attacks on information.

Hardware - Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.

Data - Data stored, processed, and transmitted by a computer system must be protected.

People - Though often overlooked in computer security considerations, people have always been a threat to information security.

Procedures - Another frequently overlooked component of an IS is procedures. Procedures are written instructions for accomplishing a specific task. When an unauthorized user obtains an organization's procedures, this poses a threat to the integrity of the information.

Networks - The IS component that created much of the need for increased computer and information security is networking.
Balancing Information Security and Access

Approaches to Information Security Implementation

• Bottom-up Approach
• Top-down Approach

The implementation of information security in an organization must begin somewhere, and cannot happen overnight. Securing information assets is in fact an incremental process that requires coordination, time, and patience. Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems. This is often referred to as a bottom-up approach.

The top-down approach, in which the project is initiated by upper-level managers who issue policy, procedures and processes, dictate the goals and expected outcomes, and determine accountability for each required action, has a higher probability of success.
Security Professionals and the Organization

The following sections describe the typical information security responsibilities of various professional roles in an organization.

• Senior Management
• Information Security Project Team
• Data Responsibilities
• Communities of Interest
Information Security Project Team

Members of the security project team fill the following roles:

• Champion - A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
• Team leader - A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.
• Security policy developers - People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.
• Risk assessment specialists - People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
• Security professionals - Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.
• Systems administrators - People with the primary responsibility for administering the systems that house the information used by the organization.
• End users - Those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.
Data Responsibilities

The three types of data ownership and their respective responsibilities are outlined below:

• Data owners - Those responsible for the security and use of a particular set of information.
• Data custodians - Working directly with data owners, data custodians are responsible for the storage, maintenance, and protection of the information.
• Data users - End users who work with the information to perform their assigned roles supporting the mission of the organization.
Communities of Interest

Information Security Management and Professionals - The roles of information security professionals are aligned with the goals and mission of the information security community of interest.

Information Technology Management and Professionals - The community of interest made up of IT managers and skilled professionals in systems design, programming, networks, and other related disciplines has many of the same objectives as the information security community.

Organizational Management and Professionals - The organization's general management team and the rest of the resources in the organization make up the other major community of interest.
Information Security: Is it an Art or a Science?

Security as Art
The administrators and technicians who implement security can be compared to a painter applying oils to canvas. A touch of color here, a brush stroke there, just enough to represent the image the artist wants to convey without overwhelming the viewer, or in security terms, without overly restricting user access.

Security as Science
Technology developed by computer scientists and engineers, which is designed for rigorous performance levels, makes information security a science as well as an art. Most scientists agree that specific conditions cause virtually all actions in computer systems.

Security as a Social Science
A third view to consider is information security as a social science, which integrates some of the components of art and science and adds another dimension to the discussion. Social science examines the behavior of individuals as they interact with systems, whether these are societal systems or, as in this context, information systems.