
Lecture 1

Uploaded by

Quang Đại

Principles of Security

(COMP1843)
Introduction to the Course and to InfoSec

Dr Irfan Chishti
Module Team

⚫ Dr Irfan Chishti – Module Leader

⚫ Email: [email protected]

⚫ QM420 (office hours: Tue, 12 pm–1 pm)


Administrative Matters
Attendance is Compulsory!
⚫ Lecture @ 9-11 am Tuesdays – Stockwell St 11_003
⚫ Tutorial/01 – Tue, 11:00-12:00, KW116 Black
⚫ Tutorial/02 – Tue, 11:00-12:00, KW116 Blue
⚫ Tutorial/03 – Tue, 12:00-13:00, KW116 Black
⚫ Tutorial/04 – Tue, 12:00-13:00, KW116 Blue


Aims of the course
⚫ Understand and acquire knowledge of information security (InfoSec) risks
⚫ Critically analyse the risks for their impact on information systems (IS) and other assets
⚫ Utilise methods to evaluate and manage InfoSec risks to a recognised international standard, e.g. ISO, NIST etc.
⚫ Derive effective InfoSec control approaches for their application to real-world scenarios
Assessment Details

⚫ Coursework - 100%
⚫ Case Study based on all learning outcomes

⚫ Harvard Style Referencing

⚫ 3000 words

⚫ Due by 07/04/2022
Coursework - Important
Start your coursework early: statistics show that students who start their coursework early are more likely to score high grades than students who start at a later stage.
Recommended Reading
⚫ Information Security Principles and Practices – Merkow, M. and Breithaupt, J. Pearson Education.
⚫ Management of Information Security – Whitman, M.E. and Herbert, J.M. Cengage Learning.
⚫ Whitman, M.E. and Herbert, J.M. 2012. Principles of Information Security. 4th Edition. Cengage Learning. http://almuhammadi.com/sultan/sec_books/Whitman.pdf
Today’s Lecture - Outline
⚫ Information Security (InfoSec) Overview
➢ History, Definitions, Components, Challenges, & Characteristics
⚫ CIA Triad & the McCumber Cube
⚫ Information Assets & Other Key Terms
⚫ Balancing – InfoSec & Access
⚫ Stakeholders & Implementation Approaches


History of Information Security
⚫ Began immediately after the first mainframes were developed
⚫ Groups developing code-breaking computations during World War II created the first modern computers
The 1960s
⚫ Advanced Research Projects Agency (ARPA) began to examine feasibility of redundant networked communications
⚫ Larry Roberts developed ARPANET from its inception
The 1970s and 1980s
⚫ As ARPANET grew in popularity, so did its security concerns:
➢ No safety procedures for dial-up connections
➢ Non-existent user identification & authorization to system
⚫ Microprocessor expanded computing capabilities and security threats
Rand Report – R-609
⚫ A paper that started the study of computer security
⚫ Scope grew from physical security to include:
➢ Safety of data
➢ Limiting unauthorized access to data
➢ Involvement of personnel from multiple levels of an organisation
The 1990s
⚫ Networks of computers became more common; so too did the need to interconnect networks
⚫ Internet became first manifestation of a global network of networks
⚫ In early Internet deployments, security was treated as a low priority
The Present
⚫ Internet used for global communication, but many networks are not secured.
⚫ How to secure every computer to which it is connected?
⚫ The same rule applies for emerging networked systems (e.g., smartphones, IoT devices)

Definitions
⚫ To be protected from adversaries and from those who would do harm, intentionally or otherwise.
⚫ A well-informed sense of assurance that the information risks and controls are in balance (J. Anderson, 2002)
Definitions (Cont’d)
⚫ Protection of information and its critical elements, including systems that use, store, and transmit that information (CNSS).
⚫ InfoSec risk and controls cover a broad range of issues:
○ From protection of data to protection of human resources
Components of InfoSec

Figure 1-1 Components of Information security

Source: Course Technology/Cengage Learning


Challenges
1. Computer security is not simple
2. Potential (unexpected) attacks
3. Procedures used are often counter-intuitive
4. Must decide where to deploy mechanisms
5. A battle of wits between attacker / admin
6. Requires constant monitoring
7. Regarded as impediment to using system
Impact – Business Value
Lack of security control can lead to
• Lowered market value
• Loss of revenue
• Legal liability
InfoSec - Characteristics
Confidentiality - Accessible to those with sufficient privileges
Integrity - The quality or state of being whole, complete, and uncorrupted
⚫ Problems – If information is exposed, then it could be damaged, destroyed, or suffer other disruption to its authentic state during its compilation, storage, or transmission
InfoSec – Characteristics (cont’d)
Availability - Accessible to a user (human/agent) in a required format, without interference or obstruction.
– Availability does not imply that the information is accessible to any user
– Implies availability to authorized users
InfoSec – Characteristics (cont’d)
Privacy – Data owner should be notified of the purpose of information collection, usage & storage at the time of collection
– It does not signify freedom from observation
– Information will be used only in ways known to the data owners.
InfoSec – Characteristics (cont’d)
Identification - Ability to recognise
individual users
Authentication - Ability to map the
identity provided with available credentials
⚫ The above characteristics are essential
to establish the level of access for
authorization.
InfoSec – Characteristics (cont’d)
⚫ Authorization - Ability to ensure that the
user has been specifically and explicitly
authorized by the authority to access,
update, or delete
– User may be a person or a computer
– Authorization occurs after authentication
InfoSec – Characteristics (cont’d)
Accountability – Ability to ensure that every activity undertaken can be attributed to a named person or automated process (also known as non-repudiation)
– One cannot claim “I didn’t sign this”
CIA Triad
Measures protecting CIA Triad
⚫ Information classification
⚫ Secure document storage ensuring its state is intact & available to authorized users
⚫ Application of general security policies
▪ Awareness & Education
CNSS Security Model

The McCumber Cube

The McCumber Cube
⚫ Provides a more detailed perspective on security covering 3 dimensions of InfoSec (3x3x3=27)
⚫ Omits discussion of detailed guidelines and policies that direct the implementation of controls
⚫ Need to include all three communities of interest

Information Assets
Key information assets include
⚫ Software
⚫ Hardware
⚫ Data
⚫ People
⚫ Procedures
⚫ Networks
Assets - Subject/Object - Attack
Subject: attackers use computers actively to launch attacks against targets
Object: computers are under attack!
Other Key Terms
⚫ Access: Ability to use/manipulate/modify/affect another subject or object
⚫ Attack: An (un)intentional act to damage or compromise information & systems
⚫ Risk: Likelihood of an unwanted occurrence
⚫ Threat: Any event that has the potential to adversely affect operations & assets.
⚫ Loss: Asset damage/destruction
Other Key Terms (Cont’d)
⚫ Exposure: A state of being exposed
⚫ Exploit: A technique used to compromise a
system.
⚫ Vulnerability: weaknesses or faults in a
system or protection mechanism that expose
information to attack or damage
⚫ Control: Security measures, procedures,
policies that can successfully counter attacks
Examples: CIA Triad & Impact
⚫ Student grade information – high
➢ The grades should only be accessible to students without any unauthorized changes.
⚫ Student enrollment information – moderate
➢ Less damage if disclosed
⚫ Directory information – low
➢ Publicly available
Balancing-InfoSec & Access
[Diagram labels: IS Security Manager; Standards; Law; Ethics; Security and Control; Data protection; Privacy; IPR; Health and safety; Codes of conduct; Risk management; Disaster Recovery; Security awareness program]


Balancing-InfoSec & Access (Cont’d)
⚫ Impossible to obtain perfect security: it is a process, not an absolute
⚫ Balance between protection and availability, e.g. level of security must allow reasonable access, yet protect against threats.
Stakeholders
Security decisions should involve three distinct communities of interest.
⚫ InfoSec Professionals: protect the organisation’s assets from attacks.
⚫ IT Professionals: support the business objectives by supplying and supporting the technology appropriate to the business needs
InfoSec-Stakeholders (Cont’d)
⚫ Non-Technical Professionals: articulate & communicate organisational policies & allocate resources to the relevant groups.
Stakeholders’ Common Goals
The three communities of interest are also responsible for the following:
⚫ Evaluating the risk controls
⚫ Determining which control options are cost effective for the organisation.
⚫ Acquiring or installing the needed controls
⚫ Ensuring that the controls remain effective

InfoSec – Implementation Approaches
Bottom-Up: Low level implementation
Top-Down: High level & successful approach providing planning, support, processes, procedures, & policy
⚫ Dictate goals & expected outcomes
⚫ Determine accountability
⚫ Systems development life cycle (SDLC)
• CIO: Advise the senior executives on strategic planning
• CISO: Assess, manage, & implement IS
Summary
⚫ InfoSec is to protect information assets that use, store, and transmit data.
⚫ Access controls ensure the CIA of data.
⚫ Balancing of InfoSec & access impacts the business value
⚫ InfoSec implementation methods: Bottom-Up & Top-Down