Chapter 1
Learning Objectives:
What is Security?
Security is protection. Protection from adversaries – those who would do harm, intentionally or
otherwise – is the ultimate objective of security. Security is both a state of being secure and free from danger
or harm, and the set of actions taken to make someone or something secure. A successful organization
should have multiple layers of security in place to protect its operations, physical infrastructure, people,
functions, communications, and information.
Information security is the protection of information and its critical elements, including the
systems and hardware that use, store, and transmit the information (Committee on National Security
Systems (CNSS)).
Fig. 1 The Components of information technology and the C.I.A. Triangle Model
• Access. A subject or object’s ability to use, manipulate, modify, or affect another subject or
object. Authorized users have legal access to a system, whereas hackers must gain illegal access
to a system. Access controls regulate this ability.
• Asset. The organizational resource that is being protected. An asset can be logical, such as a
Web site, software information, or data; or an asset can be physical, such as a person, computer
system, hardware, or other tangible object. Assets, particularly information assets, are the focus
of what security efforts are attempting to protect.
• Attack. An intentional or unintentional act that can damage or otherwise compromise
information and the systems that support it. Attacks can be active or passive, intentional or
unintentional, and direct or indirect.
• Someone who casually reads sensitive information not intended for his or her use is
committing a passive attack.
• A hacker attempting to break into an information system is an intentional attack.
• A lightning strike that causes a building fire is an unintentional attack.
• A direct attack is perpetrated by a hacker using a PC to break into a system.
• An indirect attack is a hacker compromising a system and using it to attack other
systems.
• Direct attacks originate from the threat itself.
• Indirect attacks originate from a compromised system or resource that is malfunctioning
or working under the control of a threat.
• Control, safeguard, or countermeasure. Security mechanisms, policies, or procedures that can
successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve
security within an organization.
• Exploit. A technique used to compromise a system. Threat agents may attempt to exploit a
system or other information asset by using it illegally for their personal gain. Or, an exploit can
be a documented process to take advantage of a vulnerability or exposure, usually in software,
that is either inherent in the software or created by the attacker. Exploits make use of existing
software tools or custom-made software components.
• Exposure. A condition or state of being exposed; in information security, exposure exists when
a vulnerability is known to an attacker.
• Loss. A single instance of an information asset suffering damage or destruction, unintended or
unauthorized modification or disclosure, or denial of use. When an organization’s information
is stolen, it has suffered a loss.
• Protection profile or security posture. The entire set of controls and safeguards, including
policy, education, training and awareness, and technology, that the organization implements to
protect the asset.
• Risk. The probability of an unwanted occurrence, such as an adverse event or loss.
Organizations must minimize risk to match their risk appetite – the quantity and nature of risk
they are willing to accept.
• Subjects and Objects. A computer can be either the subject of an attack – an agent entity used
to conduct the attack – or the object of an attack: the target entity. The computer can also be
both the subject and object of an attack.
• Threat. A category of objects, people, or other entities that represents a danger to an asset.
Threats are always present and can be purposeful or undirected. Ex. Hackers purposefully
threaten unprotected information systems, while severe storms incidentally threaten buildings
and their contents.
• Threat agent. The specific instance or a component of a threat.
• For example, the threat of “trespass or espionage” is a category of potential danger to
information assets, while “external professional hacker” is a specific threat agent.
• A lightning strike, hailstorm, or tornado is a threat agent that is part of the threat
known as “acts of God/acts of nature.”
• Vulnerability. A weakness or fault in a system or protection mechanism that opens it to attack
or damage. Examples of vulnerabilities are a flaw in a software package, an unprotected system
port, and an unlocked door.
The value of information comes from the characteristics it possesses. When a characteristic of
the information changes, the value of that information either increases or, more commonly, decreases.
For example, timeliness of information can be a critical factor because information loses much or all
of its value when delivered late.
• Availability. An attribute of information that describes how data is accessible and correctly
formatted for use without interference or obstruction.
• Accuracy. An attribute of information that describes how data is free of errors and has the value
that the user expects.
• Authenticity. An attribute of information that describes how data is genuine or original rather than
reproduced or fabricated.
• Confidentiality. An attribute of information that describes how data is protected from disclosure
or exposure to unauthorized individuals or systems. To protect the confidentiality of information,
you can use several measures, including the following:
• Information classification
• Secure document storage
• Application of general security policy
• Education of information custodians and end users
• Integrity. An attribute of information that describes how data is whole, complete, and uncorrupted.
• Possession. An attribute of information that describes how the data’s ownership or control is
legitimate or authorized.
• Utility. An attribute of information that describes how data has value or usefulness for an end
purpose.
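The distinction between integrity (data is uncorrupted) and authenticity (data is genuine rather than fabricated) is easy to blur. The following added example, which is not part of the chapter, shows why a plain hash covers only the first: a stored SHA-256 digest catches accidental corruption, but anyone who fabricates a record can recompute the digest to match, whereas an HMAC under a secret key that only the legitimate custodian holds fails for the fabricated record. The record and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample record and a constructed demo key; neither comes from the chapter.
RECORD = b"patient_id=1042;diagnosis=benign;released=2024-05-01"
KEY = b"demo-shared-secret-key"


def integrity_tag(data: bytes) -> str:
    """Plain SHA-256 digest: detects accidental corruption, but not forgery,
    because anyone can recompute it for altered data."""
    return hashlib.sha256(data).hexdigest()


def authenticity_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 under a shared secret: only a holder of the key can
    produce a valid tag, so a matching tag shows the data is genuine."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_integrity(data: bytes, expected_hash: str) -> bool:
    # compare_digest avoids leaking timing information about the comparison.
    return hmac.compare_digest(integrity_tag(data), expected_hash)


def check_authenticity(data: bytes, key: bytes, expected_mac: str) -> bool:
    return hmac.compare_digest(authenticity_tag(data, key), expected_mac)


def demo() -> dict:
    """Run both checks against a corrupted copy and a fabricated copy."""
    stored_hash = integrity_tag(RECORD)
    stored_mac = authenticity_tag(RECORD, KEY)

    # Case 1: a single-character corruption in storage (loss of integrity).
    corrupted = RECORD.replace(b"benign", b"benigm")

    # Case 2: a fabricated record whose author also replaced the stored
    # digest with one computed over the new content (loss of authenticity).
    fabricated = RECORD.replace(b"benign", b"malignant")
    forged_hash = integrity_tag(fabricated)

    return {
        "corruption_caught_by_hash": not check_integrity(corrupted, stored_hash),
        "corruption_caught_by_mac": not check_authenticity(corrupted, KEY, stored_mac),
        # The plain hash check accepts the fabricated record: hash matches content.
        "fabrication_passes_hash": check_integrity(fabricated, forged_hash),
        # The HMAC check rejects it: the forger could not produce a tag under KEY.
        "fabrication_caught_by_mac": not check_authenticity(fabricated, KEY, stored_mac),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Possession is the remaining attribute in the list above: if the key itself is copied by an unauthorized party, HMAC tags can be forged even though the data was never corrupted, which is why key custody is a control in its own right.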
Security Model
The model, which was created by John McCumber in 1991, provides a graphical representation
of the architectural approach widely used in computer and information security; it is now known as the
McCumber Cube. It is commonly shown as a cube composed of 3x3x3 cells, similar to a Rubik’s
Cube.
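The chapter does not enumerate the three axes of the cube; the standard ones are the security goals (confidentiality, integrity, availability), the information states (storage, processing, transmission), and the safeguard types (policy, education, technology), giving 27 cells. The added example below, which is not the chapter's own material, uses the cube the way a practitioner would in a gap analysis: each control in an inventory is tagged with the cells it addresses, and the script reports which cells no control covers. The control inventory is a constructed sample.

```python
from itertools import product

# The three axes of the McCumber Cube (standard values; the chapter does not list them).
GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
SAFEGUARDS = ("policy", "education", "technology")

# All 27 cells of the 3x3x3 cube.
ALL_CELLS = frozenset(product(GOALS, STATES, SAFEGUARDS))


def validate_cell(cell):
    """Reject tags that are not (goal, state, safeguard) triples from the axes above."""
    goal, state, safeguard = cell
    if goal not in GOALS or state not in STATES or safeguard not in SAFEGUARDS:
        raise ValueError(f"not a McCumber cell: {cell!r}")
    return cell


def coverage(controls):
    """controls: mapping of control name -> list of cells it addresses.
    Returns (covered, uncovered): covered maps each cell to the controls
    that address it; uncovered is the sorted list of cells with no control."""
    covered = {}
    for name, cells in controls.items():
        for cell in cells:
            covered.setdefault(validate_cell(cell), []).append(name)
    uncovered = sorted(ALL_CELLS - covered.keys())
    return covered, uncovered


# Constructed sample inventory of controls, tagged with the cells they cover.
SAMPLE_CONTROLS = {
    "full-disk encryption": [("confidentiality", "storage", "technology")],
    "TLS on external links": [("confidentiality", "transmission", "technology"),
                              ("integrity", "transmission", "technology")],
    "off-site backups": [("availability", "storage", "technology")],
    "data handling policy": [(goal, "storage", "policy") for goal in GOALS],
    "phishing awareness training": [("confidentiality", "processing", "education")],
}


def report(controls=SAMPLE_CONTROLS):
    """Summarise how much of the cube the inventory covers and where the gaps are."""
    covered, uncovered = coverage(controls)
    return {"covered": len(covered), "uncovered": len(uncovered), "gaps": uncovered}


if __name__ == "__main__":
    summary = report()
    print(f"{summary['covered']} of {len(ALL_CELLS)} cells covered")
    for goal, state, safeguard in summary["gaps"]:
        print(f"  gap: {goal} / {state} / {safeguard}")
```

The sample inventory is deliberately technology-heavy; running it shows that processing-state cells and education safeguards are almost entirely uncovered, which is the kind of imbalance the cube was designed to make visible.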
An information system (IS) is the entire set of software, hardware, data, people, procedures,
and networks that enable the use of information resources in the organization. These components
enable information to be input, processed, output, and stored. Each of these IS components has its own
strengths and weaknesses, as well as its own characteristics and uses. Each component of the
information system also has its own security requirements.
2. Hardware is the physical technology that houses and executes the software, stores and
transports the data, and provides interfaces for the entry and removal of information from the
system.
Physical security policies deal with hardware as a physical asset and with the protection
of physical assets from harm or theft.
Applying the traditional tools of physical security, such as locks and keys, restricts
access to and interaction with the hardware components of an information system.
Securing physical location of computers and the computers themselves is important
because a breach of physical security can result in a loss of information.
6. Networks. Networking is the IS component that created much of the need for increased
computer and information security.
When information systems are connected to each other to form local area networks, and
these LANs are connected to other networks such as the Internet, network security challenges rapidly
emerge.
The physical technology that enables network functions is becoming more accessible to
organizations of every size.
Applying the traditional tools of physical security, such as locks and keys, to restrict
access to the system’s hardware components is still important.
However, when computer systems are networked, this approach is no longer enough.
Steps to provide network security are essential, as is implementing alarm and intrusion
systems to make system owners aware of ongoing compromises.
Information security must be managed like any other major system in an organization. One
approach for implementing an information security system in an organization with little or no formal
security in place is to use a variation of a system development life cycle (SDLC): the security systems
development life cycle (SecSDLC).
A System Development Life Cycle (SDLC) is a methodology for the design and
implementation of an information system. The SDLC contains different phases depending on the
methodology deployed, but generally the phases address the investigation, analysis, design,
implementation and maintenance of an information system.
The Security systems development life cycle (SecSDLC) is a methodology for the design and
implementation of security systems based on the systems development life cycle. The two life cycles
contain the same general phases.
Investigation
Analysis
Logical Design
Physical Design
Implementation
- Data owners, who are responsible for the security and use of a particular set of
information
- Data custodians, who are responsible for the storage, maintenance, and protection of
the information
- Data users, who work with the information to perform their jobs and support the mission
of the organization.
Each organization has a culture in which communities of interest are united by similar values
and share common objectives. The three communities in information security are general management,
IT management, and information security management.