Chapter 1

The document introduces information security and key concepts. It defines information security as protecting information assets from unauthorized access, use, disclosure, disruption, modification, or destruction. The CIA triad of confidentiality, integrity and availability is discussed as the standard for computer security. Key terms are defined, including assets, threats, vulnerabilities, exploits and risk. Characteristics of information like availability, accuracy and confidentiality are also covered. The document outlines the McCumber security model and components of an information system.

Uploaded by

Jack Elcha

CMSC 120 INFORMATION ASSURANCE AND SECURITY BSCS 4

CHAPTER 1

INTRODUCTION TO INFORMATION SECURITY

Learning Objectives:

Upon completion of this material, you should be able to:

• Define information security


• Define key terms and critical concepts of information security
• Enumerate the phases of the security systems development life cycle

What is Security?

Security is protection. Protection from adversaries – those who would do harm, intentionally or
otherwise – is the ultimate objective of security. Security is the state of being secure and free from
danger or harm; the term also covers the actions taken to make someone or something secure. A
successful organization should have multiple layers of security in place to protect its operations,
physical infrastructure, people, functions, communications, and information.

Information security is the protection of information and its critical elements, including the
systems and hardware that use, store, and transmit the information (Committee on National Security
Systems (CNSS)).

There are many types of security, including:


• Physical security
• Personal security
• Operations security
• Communications security
• National security
• Network security

Information security is the protection of the confidentiality, integrity, and availability of
information assets, whether in storage, processing, or transmission, via the application of policy,
education, training and awareness, and technology.

Information security includes:


• Management of information security
• Data security
• Network security

• Communications security – the protection of all communications media, technology, and
content
• Network security – a subset of communications security; the protection of voice and data
networking components, connections, and content.
• Physical security – the protection of physical items, objects or areas from unauthorized access
and misuse
• C.I.A. triangle – the industry standard for computer security since the development of the
mainframe. The standard is based on three characteristics that describe the utility of
information: confidentiality, integrity, and availability.

Ms. Olga Llanera Course Facilitator Page | 1



Fig. 1 The Components of information technology and the C.I.A. Triangle Model

Key Information Security Concepts

• Access. A subject or object’s ability to use, manipulate, modify, or affect another subject or
object. Authorized users have legal access to a system, whereas hackers must gain illegal access
to a system. Access controls regulate this ability.
• Asset. The organizational resource that is being protected. An asset can be logical, such as a
Web site, software information, or data; or an asset can be physical, such as a person, computer
system, hardware, or other tangible object. Assets, particularly information assets, are the focus
of what security efforts are attempting to protect.
• Attack. An intentional or unintentional act that can damage or otherwise compromise
information and the systems that support it. Attacks can be active or passive, intentional or
unintentional, and direct or indirect.
    - Someone who casually reads sensitive information not intended for his or her use is
      committing a passive attack.
    - A hacker attempting to break into an information system is an intentional attack.
    - A lightning strike that causes a building fire is an unintentional attack.
    - A direct attack is perpetrated by a hacker using a PC to break into a system.
    - An indirect attack is a hacker compromising a system and using it to attack other
      systems.
    - Direct attacks originate from the threat itself.
    - Indirect attacks originate from a compromised system or resource that is malfunctioning
      or working under the control of a threat.
• Control, safeguard, or countermeasure. Security mechanisms, policies, or procedures that can
successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve
security within an organization.
• Exploit. A technique used to compromise a system. Threat agents may attempt to exploit a
system or other information asset by using it illegally for their personal gain. Or, an exploit can
be a documented process to take advantage of a vulnerability or exposure, usually in software,
that is either inherent in the software or created by the attacker. Exploits make use of existing
software tools or custom-made software components.
• Exposure. A condition or state of being exposed; in information security, exposure exists when
a vulnerability is known to an attacker.
• Loss. A single instance of an information asset suffering damage or destruction, unintended or
unauthorized modification or disclosure, or denial of use. When an organization’s information
is stolen, it has suffered a loss.

• Protection profile or security posture. The entire set of controls and safeguards, including
policy, education, training and awareness, and technology, that the organization implements to
protect the asset.
• Risk. The probability of an unwanted occurrence, such as an adverse event or loss.
Organizations must minimize risk to match their risk appetite – the quantity and nature of risk
they are willing to accept.
• Subjects and Objects. A computer can be either the subject of an attack – an agent entity used
to conduct the attack – or the object of an attack: the target entity. The computer can also be
both the subject and object of an attack.
• Threat. A category of objects, people, or other entities that represents a danger to an asset.
Threats are always present and can be purposeful or undirected. Ex. Hackers purposefully
threaten unprotected information systems, while severe storms incidentally threaten buildings
and their contents.
• Threat agent. The specific instance or a component of a threat.
    - For example, the threat of “trespass or espionage” is a category of potential danger to
      information assets, while “external professional hacker” is a specific threat agent.
    - A lightning strike, hailstorm, or tornado is a threat agent that is part of the threat
      known as “acts of God/acts of nature.”
• Vulnerability. A weakness or fault in a system or protection mechanism that opens it to attack
or damage. Examples of vulnerabilities are a flaw in a software package, an unprotected system
port, and an unlocked door.

Critical Characteristics of Information

The value of information comes from the characteristics it possesses. When a characteristic of
the information changes, the value of that information either increases or, more commonly, decreases.
For example, timeliness of information can be a critical factor because information loses much or all
of its value when delivered late.

The following are the characteristics of information:

• Availability. An attribute of information that describes how data is accessible and correctly
formatted for use without interference or obstruction.
• Accuracy. An attribute of information that describes how data is free of errors and has the value
that the user expects.
• Authenticity. An attribute of information that describes how data is genuine or original rather than
reproduced or fabricated.
• Confidentiality. An attribute of information that describes how data is protected from disclosure
or exposure to unauthorized individuals or systems. To protect the confidentiality of information,
you can use several measures, including the following:
    - Information classification
    - Secure document storage
    - Application of general security policy
    - Education of information custodians and end users
• Integrity. An attribute of information that describes how data is whole, complete, and uncorrupted.
• Possession. An attribute of information that describes how the data’s ownership or control is
legitimate or authorized.
• Utility. An attribute of information that describes how data has value or usefulness for an end
purpose.

Security Model

The model, which was created by John McCumber in 1991, provides a graphical representation
of the architectural approach widely used in computer and information security; it is now known as the
McCumber Cube. It is commonly shown as a cube composed of 3x3x3 cells, similar to a Rubik’s
Cube.


Fig. 2 The McCumber Cube


Components of an Information System

An Information system (IS) is the entire set of software, hardware, data, people, procedures,
and networks that enable the use of information resources in the organization. These components
enable information to be input, processed, output and stored. Each of these IS components has its own
strengths and weaknesses, as well as its own characteristics and uses. Each component of the
information system also has its own security requirements.

1. Software – includes applications, operating systems, and assorted command utilities.
Software is perhaps the most difficult IS component to secure.
Software carries the lifeblood of information through an organization.
Software programs become an easy target of accidental or intentional attacks.

2. Hardware – is the physical technology that houses and executes the software, stores and
transports the data, and provides interfaces for the entry and removal of information from the
system.
Physical security policies deal with hardware as a physical asset and with the protection
of physical assets from harm or theft.
Applying the traditional tools of physical security, such as locks and keys, restricts
access to and interaction with the hardware components of an information system.
Securing physical location of computers and the computers themselves is important
because a breach of physical security can result in a loss of information.

3. Data stored, processed, and transmitted by a computer system must be protected.


Data is often the most valuable asset of an organization and therefore is the main target
of intentional attacks.
Systems developed in recent years are likely to make use of database management
systems. When used properly, they should improve the security of the data and the applications
that rely on the data.
Because data and information exist in physical form in many organizations as paper
reports, handwritten notes, and computer printouts, the protection of physical information is as
important as the protection of electronic, computer-based information.

4. People have been a threat to information security.


People can be the weakest link in an organization’s information security program.
Policy, education and training, awareness, and technology must be properly employed
to prevent people from accidentally or intentionally damaging or losing information.
Social engineering can prey on the tendency to cut corners and the commonplace nature
of human error.
It can be used to manipulate people to obtain access information about a system.


5. Procedures are written instructions for accomplishing a specific task.


When an unauthorized user obtains an organization’s procedures, it poses a threat to the
integrity of the information.
Most organizations distribute procedures to employees so they can access the
information system, but many of these companies often fail to provide proper education on
using the procedures safely.
Educating employees about safeguarding procedures is as important as physically
securing the information system.
Procedures are information in their own right.
Therefore, knowledge of procedures, as with all critical information, should be
disseminated among members of an organization on a need-to-know basis.

6. Networks. Networking is the IS component that created much of the need for increased
computer and information security.
When information systems are connected to each other to form local area networks, and
these LANs are connected to other networks such as the Internet, new security challenges rapidly
emerge.
The physical technology that enables network functions is becoming more accessible to
organizations of every size.
Applying the traditional tools of physical security, such as locks and keys, to restrict
access to the system’s hardware components is still important.
However, when computer systems are networked, this approach is no longer enough.
Steps to provide network security are essential, as is implementing alarm and intrusion
systems to make system owners aware of ongoing compromises.

Approaches to Information Security Implementation

Information security must be managed like any other major system in an organization. One
approach for implementing an information security system in an organization with little or no formal
security in place is to use a variation of a system development life cycle (SDLC): the security systems
development life cycle (SecSDLC).

A System Development Life Cycle (SDLC) is a methodology for the design and
implementation of an information system. The SDLC contains different phases depending on the
methodology deployed, but generally the phases address the investigation, analysis, design,
implementation and maintenance of an information system.

The implementation of information security in an organization can be done through:

• Bottom-up approach – A method of establishing security policies that begins as a grassroots
effort in which systems administrators attempt to improve the security of their systems.
- The key advantage of this approach is the technical expertise of individual
administrators.
- The administrators possess in-depth knowledge that can greatly enhance the
development of an information security system.
- They know and understand the threats to their systems and the mechanisms needed
to protect them successfully.
- Unfortunately, this approach seldom works because it lacks critical features such as
participant support and organizational staying power.
• Top-down approach – A methodology of establishing security policies that is initiated by
upper management.
- Has a higher probability of success
- The project is initiated by upper-level managers who issue policies, procedures, and
processes; dictate the goals and expected outcomes; and determine accountability
for each required action.


Security in the Systems Life Cycle

The security systems development life cycle (SecSDLC) is a methodology for the design and
implementation of security systems based on the systems development life cycle. The two life cycles
contain the same general phases.

Fig. 3 SDLC waterfall methodology. Phases in order: Investigation, Analysis, Logical Design,
Physical Design, Implementation, Maintenance and Change (repeat when system no longer viable).

For each phase, the steps common to both the systems development life cycle and the security
systems development life cycle are listed first, followed by the steps unique to the security
systems development life cycle.

Phase 1: Investigation
Steps common to both life cycles:
• Outline project scope and goals
• Estimate costs
• Evaluate existing resources
• Analyze feasibility
Steps unique to the security systems development life cycle:
• Management defines project processes and goals and documents these in the program
security policy

Phase 2: Analysis
Steps common to both life cycles:
• Assess current system against plan developed in Phase 1
• Develop preliminary system requirements
• Study integration of new system with existing system
• Document findings and update feasibility analysis
Steps unique to the security systems development life cycle:
• Analyze existing security policies and programs
• Analyze current threats and controls
• Examine legal issues
• Perform risk analysis

Phase 3: Logical Design
Steps common to both life cycles:
• Assess current business needs against plan developed in Phase 2
• Select applications, data support, and structures
• Generate multiple solutions for consideration
• Document findings and update feasibility analysis
Steps unique to the security systems development life cycle:
• Develop security blueprint
• Plan incident response actions
• Plan business response to disaster
• Determine feasibility of continuing and/or outsourcing the project

Phase 4: Physical Design
Steps common to both life cycles:
• Select technologies to support solutions developed in Phase 3
• Select the best solution
• Decide to make or buy components
• Document findings and update feasibility analysis
Steps unique to the security systems development life cycle:
• Select technologies needed to support security blueprint
• Develop definition of successful solution
• Design physical security measures to support technological solutions
• Review and approve project

Phase 5: Implementation
Steps common to both life cycles:
• Develop or buy software
• Order components
• Document the system
• Train users
• Update feasibility analysis
• Present system to users
• Test system and review performance
Steps unique to the security systems development life cycle:
• Buy or develop security solutions
• At end of phase, present tested package to management for approval

Phase 6: Maintenance and Change
Steps common to both life cycles:
• Support and modify system during its useful life
• Test periodically for compliance with business needs
• Upgrade and patch as necessary
Steps unique to the security systems development life cycle:
• Constantly monitor, test, modify, update, and repair to meet changing threats

Software assurance is a methodological approach to the development of software that seeks to
build security into the development life cycle rather than address it at later stages.

The control and use of data in the organization is accomplished by:

- Data owners, who are responsible for the security and use of a particular set of
information
- Data custodians, who are responsible for the storage, maintenance, and protection of
the information
- Data users, who work with the information to perform their jobs and support the mission
of the organization.

Each organization has a culture in which communities of interest are united by similar values
and share common objectives. The three communities in information security are general management,
IT management, and information security management.
