INFO 333 - Introduction To Information Security: Week 1

This document provides an overview of the key topics covered in the first several weeks of an introductory information security course. It discusses the history and goals of information security, including protecting confidentiality, integrity and availability. It also covers security frameworks, risk assessment, security strategies, and technical controls like firewalls, VPNs and encryption. The document outlines concepts like defense in depth, data responsibilities and the systems development life cycle in relation to security practices.

INFO 333 - Introduction to Information Security

Week 1:
Chapter 1:
- MULTICS was the first operating system created with security as its primary goal
- Security was treated as a low priority in early internet (ARPANET) deployments
- The Internet became a global network of networks in the 1990s, built on open standards
- Security: “the quality or state of being secure---to be free of danger”
- Successful organizations should have multiple layers of security in place:
- Physical
- Personal
- Operations
- Communications
- Network
- Information
- Necessary tools for security:
- Policy
- Awareness
- Training
- Education
- Technology
- C.I.A. triangle:
- The long-standing industry standard for computer security, based on confidentiality, integrity, and availability
- Now expanded into a longer list of critical characteristics of information
- Value of information comes from the characteristics it possesses:
- Availability
- Accuracy
- Authenticity
- Confidentiality
- Integrity
- Utility
- Possession
- Perfect security is impossible to obtain:
- Security is a process, not an absolute
- Security should be treated as a balance between protection and availability
- The level of security must allow reasonable access for users while still protecting the business from threats; achieving this balance is the goal
- Legal typically decides tape destruction process and retention period
- Top-down approach to information security implementation
- Initiated by upper management
- Issue policy/procedures/processes
- Dictate goals and expected outcomes of project
- Determine accountability for each required action

- Systems Development Life Cycle (SDLC)
- Investigation
- Analysis
- Logical design
- Physical design
- Implementation
- Maintenance and change
- Repeat the cycle when the system is no longer viable
- The SDLC should be applied to security as well (the security SDLC, or SecSDLC)
- Data responsibilities:
- Data owner: responsible for the security and use of a particular set of information
- Data custodian: responsible for storage, maintenance, and protection of
information
- Data users: end users who work with information to perform their daily jobs
supporting the mission of the organization
- “Security artisan” idea: based on the way individuals perceive systems technologists
since computers became commonplace
- Security as art:
- No hard-and-fast rules; depends on the skill and judgment of the practitioner
- Security as science:
- Specific conditions cause virtually all actions that occur in computer systems
- Nearly every fault, security hole, and systems malfunction are a result of
interaction of specific hardware and software
- If developers had sufficient time, they could resolve and eliminate faults
- Security as a social science:
- Social science examines the behavior of individuals interacting with systems
- Security begins and ends with the people that interact with the system
- Security administrators can greatly reduce levels of risk caused by end users and
create more acceptable and supportable security profiles
Week Two
Chapter 2

Week Four
- Risk assessment
- Risk EQUALS
- Likelihood of vulnerability occurrence
- TIMES value (or impact) of the information asset
- MINUS the percentage of that risk already controlled by current safeguards
- PLUS an element of uncertainty reflecting incomplete knowledge of the vulnerability
- (The percentages are taken of the likelihood-times-value product, so a 50% control and 20% uncertainty on a base of 50 give 50 - 25 + 10 = 35)
- Once ranked vulnerability risk worksheet is complete, you must choose one of five
strategies to handle the risk
- Defend
- Prevent exploitation of the vulnerability
- Preferred approach in the industry
- Accomplished through countering threats, removing asset vulnerabilities,
limiting asset access, adding protective safeguards
- Three common methods of risk avoidance
- Application of policy
- Training and education
- Applying technology
- Transfer
- Shift risk to other assets, processes, or organizations
- If the organization lacks the expertise, it should hire individuals or firms that provide security
management and administration expertise
- The organization may then transfer the risk associated with managing
complex systems to another organization experienced in dealing with
those risks (outsourcing, insurance, service contracts)
- Mitigate
- Attempts to reduce impact of vulnerability exploitation through planning
and preparation
- Approach includes three types of plans
- Incident response plan (IRP): define the actions to take while
incident is in progress
- Disaster recovery plan (DRP): most common mitigation procedure; preparations for recovering after a disaster
- Business continuity plan (BCP): encompasses continuation of
business activities if catastrophic event occurs
- Accept
- Doing nothing to protect a vulnerability and accepting the outcome of its
exploitation
- Valid only when the particular function, service, information, or asset does
not justify cost of protection
- Terminate
- Directs the organization to avoid those business activities that introduce
uncontrollable risks
- May seek an alternate mechanism to meet customer needs
- Rules of thumb on strategy selection:
- When a vulnerability exists in an important asset: implement controls to reduce the likelihood of it being exploited
- When a vulnerability can be exploited: apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the attack
- When the attacker's cost is less than the potential gain: apply protections that raise the attacker's cost or reduce the attacker's gain (technical or managerial controls)
- When the potential loss is substantial: apply design principles and technical and non-technical protections that limit the extent of an attack, reducing the potential loss
- Feasibility studies should be performed before deciding a strategy
- All information about economic/noneconomic consequences of vulnerability of
information asset must be explored
- A number of ways exist to determine advantage of a specific control
- Cost benefit analysis (CBA)
- Evaluate worth of assets to be protected and the loss in value if they are
compromised
- Formal process to document this is called cost benefit analysis or economic
feasibility study
- Items that affect cost of a control or safeguard include: cost of development or
acquisition; training fees; implementation cost; service costs; cost of
maintenance
- Benefit: the value an organization realizes by using controls to prevent losses from a
vulnerability
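The risk formula and the cost-benefit items above can be put together into a small ranked vulnerability risk worksheet. The following is an added example, not code from the course or its textbook: it scores a handful of constructed vulnerabilities with the risk formula from the notes (percentages applied to the likelihood-times-value product), ranks them, and then checks whether a candidate control pays for itself using the cost items listed above. Asset names, figures and the `Vulnerability`/`Control` classes are all assumptions made for the illustration.

```python
"""Ranked vulnerability risk worksheet plus a cost-benefit check for one control.

Added example, not part of the course notes. The risk score follows the formula
in the notes: likelihood x value, minus the share already controlled, plus an
uncertainty allowance. Both percentages are taken of the base product, which is
the usual textbook reading of the formula (an assumption stated here).
"""
from dataclasses import dataclass


@dataclass
class Vulnerability:
    asset: str
    description: str
    asset_value: float   # relative worth of the asset, e.g. on a 0-100 scale
    likelihood: float    # chance of exploitation in the period, 0.0-1.0
    controlled: float    # fraction of the risk mitigated by existing controls, 0.0-1.0
    uncertainty: float   # allowance for incomplete knowledge, 0.0-1.0


def risk_score(v: Vulnerability) -> float:
    """Risk = (likelihood x value) - controlled share + uncertainty share."""
    base = v.likelihood * v.asset_value
    return base - base * v.controlled + base * v.uncertainty


def rank_worksheet(vulns: list[Vulnerability]) -> list[Vulnerability]:
    """Highest residual risk first: this is the order the strategies get applied in."""
    return sorted(vulns, key=risk_score, reverse=True)


@dataclass
class Control:
    name: str
    acquisition_cost: float    # development or purchase (one-time)
    training_cost: float       # one-time
    implementation_cost: float # one-time
    service_cost: float        # annual vendor / service fees
    maintenance_cost: float    # annual upkeep
    lifetime_years: int        # one-time costs are spread over this period


def annual_cost_of_safeguard(c: Control) -> float:
    """Annualised cost of the control, using the cost items listed in the notes."""
    one_time = c.acquisition_cost + c.training_cost + c.implementation_cost
    return one_time / c.lifetime_years + c.service_cost + c.maintenance_cost


def cost_benefit(loss_before: float, loss_after: float, c: Control) -> float:
    """Net annual benefit = loss avoided by the control - annualised cost.

    loss_before / loss_after are the expected annual losses from the
    vulnerability without and with the control in place.
    A positive result means the control is economically justified.
    """
    return (loss_before - loss_after) - annual_cost_of_safeguard(c)


# Constructed sample worksheet (not real assets or measurements).
WORKSHEET = [
    Vulnerability("Customer database", "SQL injection in order form", 100, 0.5, 0.5, 0.2),
    Vulnerability("Web server", "unpatched remote code execution", 50, 1.0, 0.0, 0.1),
    Vulnerability("Mail relay", "open relay misconfiguration", 30, 0.2, 0.8, 0.1),
]

# Constructed candidate control for the top-ranked item.
WAF = Control("web application firewall", acquisition_cost=30_000, training_cost=5_000,
              implementation_cost=10_000, service_cost=2_000, maintenance_cost=3_000,
              lifetime_years=3)


if __name__ == "__main__":
    for v in rank_worksheet(WORKSHEET):
        print(f"{risk_score(v):6.1f}  {v.asset}: {v.description}")
    net = cost_benefit(loss_before=60_000, loss_after=10_000, c=WAF)
    print(f"Net annual benefit of {WAF.name}: {net:,.0f} -> "
          f"{'defend' if net > 0 else 'accept or find a cheaper control'}")
```

The ranking is what the five strategies are applied to: the items at the top get defend/mitigate decisions, and the cost-benefit result is what turns a candidate control into a defend decision (positive net benefit) or an accept decision (the control costs more than the loss it prevents).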

Week 6
Information security blueprint:
- Many frameworks exist to structure a security program and its policies
- RFC 2196 (the Site Security Handbook)
- FASP (Federal Agency Security Practices, from NIST) provides best practices for public agencies
- Organizations keep their policies in a repository and generally do not share them outside
- Baseline your policies on the policies typical for your industry
Spheres of security:
- Management controls
- Operational controls
- Technical controls
Defense in depth
- Implementation of security in layers
- Organization must establish sufficient security controls and safeguards so that an
attacker faces multiple levels of controls
Proxy servers
- Handle requests on behalf of internal systems so that all outside traffic appears to come from (and terminate at) the one proxy host
- Exchange server example: the proxy that fronts the mail server usually resides in the DMZ

Chapter 6: Firewalls and VPN’s

Mandatory access controls: use data classification schemes

Chapter 8: Encryption

Exclusive OR (XOR)
- 0 XOR 0 = 0
- 0 XOR 1 = 1
- 1 XOR 0 = 1
- 1 XOR 1 = 0
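The truth table is the whole reason XOR matters to encryption: applying the same key bit twice returns the original bit (1 XOR 1 = 0, so p XOR k XOR k = p), which is what lets one operation serve as both encrypt and decrypt in a stream cipher or one-time pad. The following is an added example, not code from the course notes, showing that round trip on bytes and the classic caveat that follows from the same property: XORing two ciphertexts made with the same key cancels the key and leaks the XOR of the two plaintexts. The 16-byte key and the two messages are constructed for the illustration.

```python
"""XOR as the encryption primitive behind the truth table in the notes.

Added example, not part of the course notes. Shows (1) the bit-level table,
(2) that XOR with a key is its own inverse, so encrypt and decrypt are the same
operation, and (3) why a one-time-pad key must never be reused.
"""
import os

# The truth table from the notes: output is 1 exactly when the inputs differ.
XOR_TRUTH_TABLE = {(0, 0): 0, (0, 1): 1, (1, 0): 1, (1, 1): 0}


def xor_bits(a: int, b: int) -> int:
    """Single-bit XOR; ^ is Python's bitwise XOR operator."""
    return a ^ b


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the matching key byte (one-time-pad style)."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data; never wrap or reuse it")
    return bytes(d ^ k for d, k in zip(data, key))


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, key)


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    # Identical to encrypt: (p ^ k) ^ k == p because k ^ k == 0 (the 1 XOR 1 = 0 row).
    return xor_bytes(ciphertext, key)


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper computes when two messages share a key.

    c1 ^ c2 == (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2: the key cancels out, and if
    either plaintext is known or guessable the other is recovered outright.
    """
    return xor_bytes(c1, c2)


def fresh_key(n: int) -> bytes:
    """A one-time pad needs a uniformly random key as long as the message."""
    return os.urandom(n)


# Constructed sample inputs (fixed key so the run is reproducible).
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # 16 bytes, illustration only
P1 = b"ATTACK AT DAWN!!"                                   # 16 bytes
P2 = b"RETREAT AT DUSK!"                                   # 16 bytes


if __name__ == "__main__":
    c1 = encrypt(P1, KEY)
    print("ciphertext:", c1.hex())
    print("round trip:", decrypt(c1, KEY))
    c2 = encrypt(P2, KEY)                     # the mistake: same key, second message
    leaked = key_reuse_leak(c1, c2)           # == P1 ^ P2, key is gone
    print("recovered P2 from known P1:", xor_bytes(leaked, P1))
    print("fresh key for next message:", fresh_key(len(P2)).hex())
```

Real stream ciphers replace the long random key with a keystream generated from a short key and a nonce, but the XOR step, and the key-reuse failure, are exactly the same: reusing a nonce with the same key gives the attacker the same `c1 ^ c2` that the example computes.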

Chapter 11 (Security and Personnel)


- SecSDLC implementation is accomplished through changing configuration and operation
of org’s info systems
- (ISC)² certifications
- CISSP
- SSCP
- Associate of (ISC)²
- CAP
- ISACA Certifications
- CISA
- CISM
