
Module 1

Introduction to Information
Security

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Module Objectives

By the end of this module, you should be able to:


1.1 Define information security
1.2 Discuss the history of computer security and explain how it evolved into
information security
1.3 Define key terms and critical concepts of information security
1.4 Describe the information security roles of professionals within an
organization
Introduction

● Every organization, whether public or private and regardless of size, has
information it wants to protect.
● Organizations have a responsibility to all their stakeholders to protect that
information.
● Unfortunately, there aren’t enough security professionals to go around.
● If you’re not part of the solution, you’re part of the problem.
The History of Information Security
● Computer security began immediately after the first mainframes were
developed.
○ Groups developing code-breaking computations during World War II created
the first modern computers.
○ Multiple levels of security were implemented to protect these devices.
● During these early years, information security was a straightforward process
composed predominantly of physical security and simple document
classification schemes.
● The primary threats to security were physical theft of equipment, espionage
against products of the systems, and sabotage.
The Enigma
The 1960s

● During the Cold War, many more mainframe computers were brought online to
accomplish more complex and sophisticated tasks.
● The Advanced Research Projects Agency (ARPA) began to examine the
feasibility of a redundant networked communication system.
● Larry Roberts led the development of the ARPANET, which evolved into what
we now know as the Internet.
Development of the ARPANET
The 1970s and ’80s (1 of 2)

● ARPANET grew in popularity, increasing the potential for misuse.


● Fundamental problems with ARPANET security were identified.
○ Individual remote sites did not have sufficient controls and safeguards to
protect data from unauthorized remote users.
○ Other problems included:
■ Vulnerability of password structure and formats
■ Lack of safety procedures for dial-up connections
■ Nonexistent user identification and authorizations
The 1970s and ’80s (2 of 2)

● Information security began with RAND Report R-609—the paper that started the
study of computer security and identified the role of management and policy
issues in it.
● The scope of computer security grew from physical security to include:
○ Securing the data
○ Limiting random and unauthorized access to data
○ Involving personnel from multiple levels of the organization in information
security
Computer Network Vulnerabilities
MULTICS
● Early research on computer security centered on a system called
Multiplexed Information and Computing Service (MULTICS).
● MULTICS was the first operating system created with security integrated into
its core functions.
● Mainframe, time-sharing OS was developed in the mid-1960s by General
Electric (GE), Bell Labs, and Massachusetts Institute of Technology (MIT).
● Several MULTICS key players created UNIX.
○ The primary purpose of UNIX was text processing.
● Late 1970s: The microprocessor expanded computing capabilities and security
threats.
The 1990s
● Networks of computers became more common, as did the need to connect
them to each other.
● The Internet became the first global network of networks.
● Initially, network connections were based on de facto standards (conventions
accepted through widespread use rather than issued by a standards body).
● In early Internet deployments, security was treated as a low priority.
● In the late 1990s and into the 2000s, many large corporations began publicly
integrating security into their organizations.
● Information security began to emerge as an independent discipline.
2000 to Present
● The Internet brings millions of unsecured computer networks and billions of
computer systems into continuous communication with each other.
● The ability to secure a computer’s data is influenced by the security of every
computer to which it is connected.
● The growing threat of cyber attacks has increased the awareness of need for
improved security.
● The threat environment has grown from the semi-professional hacker defacing
websites for amusement to professional cybercriminals maximizing revenue
from theft and extortion, as well as government-sponsored cyberwar groups
striking military, government, and commercial targets.
Key Dates in Information Security (1 of 3)

Date Document
1968 Maurice Wilkes discusses password security in Time-Sharing Computer Systems.
1970 Willis H. Ware authors the report "Security Controls for Computer Systems: Report of Defense
Science Board Task Force on Computer Security-RAND Report R-609," which was not declassified
until 1979. It became known as the seminal work identifying the need for computer security.
1973 Schell, Downey, and Popek examine the need for additional security in military systems in
Preliminary Notes on the Design of Secure Military Computer Systems.
1975 The proposed Data Encryption Standard (DES) is published for public comment in the Federal
Register; it was later issued as a Federal Information Processing Standard (FIPS PUB 46).
1978 Bisbey and Hollingworth publish their study “Protection Analysis: Final Report," which discussed the
Protection Analysis project created by ARPA to better understand the vulnerabilities of operating
system security and examine the possibility of automated vulnerability detection techniques in
existing system software.
Key Dates in Information Security (2 of 3)

Date Document
1979 Morris and Thompson author “Password Security: A Case History," published in the Communications
of the Association for Computing Machinery (ACM). The paper examined the design history of a
password security scheme on a remotely accessed, time-sharing system.
Dennis Ritchie publishes “On the Security of UNIX" and "Protection of Data File Contents," which
discussed secure user IDs, secure group IDs, and the problems inherent in the systems.
1982 The U.S. Department of Defense Computer Security Center publishes the first version of the
Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book"); it and its companion
documents came to be known as the Rainbow Series.
Key Dates in Information Security (3 of 3)

Date Document
1984 Grampp and Morris write “The UNIX System: UNIX Operating System Security." In this report, the
authors examined four "important handles to computer security": physical control of premises and
computer facilities, management commitment to security objectives, education of employees, and
administrative procedures aimed at increased security.
Reeds and Weinberger publish “File Security and the UNIX System Crypt Command." Their premise
was: “No technique can be secure against wiretapping or its equivalent on the computer. Therefore,
no technique can be secure against the system administrator or other privileged users . . . the naive
user has no chance.“
1992 Researchers for the Internet Engineering Task Force, working at the Naval Research Laboratory,
develop the Simple Internet Protocol Plus (SIPP) security protocols, creating what is now known as
IPsec.
What Is Security?
● “A state of being secure and free from danger or harm; the actions taken to
make someone or something secure.”
● A successful organization should have multiple layers of security in place
to protect:
– Operations
– Physical Infrastructure
– People
– Functions
– Communications
– Information
Information Security
● InfoSec: “The protection of information and its critical elements, including
systems and hardware that use, store, and transmit that information” (CNSS).
● InfoSec includes information security management, data security, and network
security.
● The C.I.A. triad of confidentiality, integrity, and availability:
○ Has long been the industry standard for describing information security, but
on its own is now viewed as incomplete.
○ The expanded model adds further critical characteristics of information
(accuracy, authenticity, utility, and possession).
Knowledge Check Activity 1

What is security?
a. Freedom from fear
b. Protection from loss
c. Keeping secrets
d. Being secure and free from danger
Knowledge Check Activity 1: Answer

What is security?

Answer: D. Being secure and free from danger


Only this answer is complete. Fear has little to do with security; many are fearful
even when secure. Security does not mean losses cannot occur, just that they are
planned for and survivable. Confidentiality (secrets) is just one of the three key
aspects of security.
Components of Information Security
The C.I.A. Triad
Key Information Security Concepts

● Access
● Asset
● Attack
● Control, safeguard, or countermeasure
● Exploit
● Exposure
● Loss
● Protection profile or security posture
● Risk
● Subjects and objects
● Threat
● Threat agent
● Threat event
● Threat source
● Vulnerability
Key Concepts
● Access—a subject or object’s (e.g., user) ability to use, manipulate, modify, or
affect another subject or object (e.g., data).
● Asset—the organizational resource that is being protected such as information
and systems that support it
● Attack—an intentional or unintentional act that can damage or otherwise
compromise information and the systems that support it.
● Control, safeguard, or countermeasure—Security mechanisms, policies, or
procedures that can successfully counter attacks, reduce risk, resolve
vulnerabilities, and otherwise improve security within an organization.
● Exploit—a technique used to compromise a system.
● Exposure—a condition or state of being exposed; in information security, exposure
exists when a vulnerability is known to an attacker.
Key Concepts
● Loss—a single instance of an information asset suffering damage or destruction, unauthorized
modification or disclosure, or denial of use.
● Protection profile or security posture—entire set of controls and safeguards that the organization
implements to protect the asset.
● Risk—the probability of an unwanted occurrence.
● Subjects and objects—a computer can be either the subject of an attack (an agent entity used
to conduct the attack) or the object of an attack (the target entity).
Key Concepts

● Threat—a danger to an asset.
● Threat agent—the specific instance or a component of a threat.
● Threat source—a category of objects, people, or other entities that represents a
danger to an asset.
● Vulnerability—weaknesses or faults in a system or protection mechanism that
expose information to attack or damage.
Key Concepts in Information Security
Critical Characteristics of Information

● The value of information comes from the characteristics it possesses:
○ Confidentiality
○ Integrity
○ Availability
○ Accuracy
○ Authenticity
○ Utility
○ Possession
Critical Characteristics of Information

● Availability—Enables users who need to access information to do so without
interference or obstruction and in the required format. The information is said to
be available to an authorized user when and where needed and in the correct
format.
● Accuracy—Free from mistake or error and having the value that the end user
expects. If information contains a value different from the user’s expectations
due to the intentional or unintentional modification of its content, it is no longer
accurate.
● Authenticity—The quality or state of being genuine or original, rather than a
reproduction or fabrication. Information is authentic when it is the information
that was originally created, placed, stored, or transferred.
Critical Characteristics of Information
● Confidentiality—The quality or state of preventing disclosure or exposure to unauthorized
individuals or systems.
● Integrity—The quality or state of being whole, complete, and uncorrupted. The integrity of
information is threatened when the information is exposed to corruption, damage, destruction, or
other disruption of its authentic state.
● Utility—The quality or state of having value for some purpose or end. Information has value
when it serves a particular purpose. This means that if information is available, but not in a
format meaningful to the end user, it is not useful.
● Possession—The quality or state of having ownership or control of some object or item.
Information is said to be in possession if one obtains it, independent of format or other
characteristic. While a breach of confidentiality always results in a breach of possession, a
breach of possession does not always result in a breach of confidentiality.
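Integrity, authenticity, and accuracy are easy to conflate. The following added example (not code from the textbook; the shared key and the account records are constructed demo values) attaches an HMAC-SHA256 tag to a record and shows what such a tag can and cannot tell a verifier: it detects tampering (integrity) and rejects tags made without the key (authenticity), but it verifies perfectly over a record that was wrong when it was created (an accuracy failure). Because the record is stored as plaintext JSON, anyone who copies it breaches both possession and confidentiality; keeping it confidential would require encryption, which this example deliberately leaves out.

```python
"""Integrity, authenticity and accuracy as distinct properties of a record.

Added example, not from Whitman and Mattord's text. All keys and records
below are constructed demo values.
"""
import hashlib
import hmac
import json
import secrets

# Constructed shared key (assumption: a real system would provision this out
# of band; this literal is a demo value only).
SHARED_KEY = b"demo-shared-key-do-not-use-in-production"


def seal(record: dict, key: bytes = SHARED_KEY) -> tuple[bytes, str]:
    """Serialise a record canonically and attach an HMAC-SHA256 tag.

    The tag binds the exact bytes of the record to whoever holds `key`. A
    matching tag is evidence of integrity (bytes unchanged) and authenticity
    (produced by a key holder); it says nothing about whether the values
    inside the record are correct.
    """
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def verify(payload: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag over the received bytes and compare in constant time."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run the four scenarios and return which ones the verifier accepts."""
    results = {}

    # 1. Intact record: integrity and authenticity hold, verifier accepts.
    payload, tag = seal({"account": "alice", "balance": 100})
    results["intact_verifies"] = verify(payload, tag)

    # 2. Tampered record: an attacker who possesses the bytes (but not the key)
    #    edits the balance. The tag no longer matches: integrity breach detected.
    tampered = payload.replace(b'"balance":100', b'"balance":1000')
    results["tampered_verifies"] = verify(tampered, tag)

    # 3. Forged record: the attacker re-tags a fabricated record with a key of
    #    their own. The verifier's key does not match: authenticity breach detected.
    forged_payload, forged_tag = seal(
        {"account": "alice", "balance": 1000}, key=secrets.token_bytes(32)
    )
    results["forged_verifies"] = verify(forged_payload, forged_tag)

    # 4. Inaccurate record: the legitimate producer recorded the wrong balance
    #    (the true balance was 100). The tag verifies perfectly, so the record is
    #    intact and authentic but not accurate; no HMAC can catch this.
    wrong_payload, wrong_tag = seal({"account": "alice", "balance": 10})
    results["inaccurate_verifies"] = verify(wrong_payload, wrong_tag)

    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

The practical lesson is that an integrity control such as an HMAC, a digital signature, or a checksummed backup protects the record from the moment it is sealed; accuracy has to be assured upstream, at the point where the value is produced, by input validation, reconciliation, or independent sources.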
Committee on National Security Systems (CNSS)
Security Model
Components of an Information System

● An information system (IS) is the entire set of hardware, software, data, people,
procedures, and networks that enable a business to use information.
● All of them work together to support personal and professional operations.
● Each one has its own strengths and weaknesses, as well as its own
characteristics and uses.
● Each one has its own security requirements.
Balancing Information Security and Access

● It is impossible to obtain perfect information security—it is a process, not a goal.
● Security should be considered a balance between protection and availability.
● To achieve balance, the level of security must allow reasonable access, yet
protect against threats.
Approaches to Information Security Implementation:
Bottom-Up Approach
● Grassroots effort: systems administrators work to improve security of their
systems.
● Key advantage: technical expertise of individual administrators
● Seldom works, as it lacks a number of critical features:
○ Participant support
○ Organizational staying power
Approaches to Information Security Implementation:
Top-Down Approach
● Initiated by upper management
○ Issue policy, procedures, and processes
○ Dictate goals and expected outcomes of project
○ Determine accountability for each required action
● The most successful type of top-down approach also involves a formal
development strategy referred to as a systems development life cycle (SDLC).
Approaches to Information Security Implementation
Security Professionals and the Organization

● A wide range of professionals are required to support a diverse information
security program.
● Senior management support is the key component.
● Additional administrative support and technical expertise are required to
implement details of an IS program.
Senior Management
● Chief information officer (CIO)
○ Senior technology officer
○ Primarily responsible for advising the senior executives (CEO) on strategic
planning that affects the management of information in the organization
● Chief information security officer (CISO)
○ Has primary responsibility for assessment, management, and
implementation of InfoSec in the organization
○ Usually reports directly to the CIO
Knowledge Check Activity 2

What title is given to the person with primary responsibility for assessment,
management, and implementation of InfoSec in the organization?

a. CIO
b. CISO
c. CEO
d. CFO
Knowledge Check Activity 2: Answer

What title is given to the person with primary responsibility for assessment,
management, and implementation of InfoSec in the organization?

Answer: B. CISO, or chief information security officer


The CISO usually reports to the CIO. In some organizations the CISO may
report to the Chief Financial Officer (CFO), but that is not common.
The CISO’s Place and Roles
Information Security Project Team
● A small functional team of people who are experienced in one or multiple facets
of required technical and nontechnical areas:
○ Champion
○ Team leader
○ Security policy developers
○ Risk assessment specialists
○ Security professionals
○ Systems administrators
○ End users
Information Security Project Team

● The champion: A senior executive who promotes (sponsors) the project and
ensures its support, both financially and administratively, at the highest levels of
the organization.
● The team leader: A project manager, who may be a departmental line manager
or staff unit manager, who understands project management, personnel
management, and information security technical requirements.
● Security policy developers: Individuals who understand the organizational
culture, policies, and requirements for developing and implementing successful
policies.
Information Security Project Team
● Risk assessment specialists: People who understand financial risk
assessment techniques, the value of organizational assets, and the security
methods to be used.
● Security professionals: Dedicated, trained, and well-educated specialists in all
aspects of information security from both technical and nontechnical
standpoints.
● Systems administrators: People with the primary responsibility for
administering the systems that house the information used by the organization.
● End users: Those whom the new system will most directly impact. Ideally, a
selection of users from various departments, levels, and degrees of technical
knowledge assist the team in focusing on the application of realistic controls
applied in ways that do not disrupt the essential business activities they seek to
safeguard.
Data Responsibilities
● Data owners: senior management responsible for the security and use of a particular set of
information. The data owners work with subordinate managers to oversee the day-to-day
administration of the data.

● Data custodian: guardian responsible for information and systems that process, transmit, and
store it. Depending on the size of the organization, this may be a dedicated position, such as the
CISO, or it may be an additional responsibility of a systems administrator or other technology
manager. The duties of a data custodian often include overseeing data storage and backups,
implementing the specific procedures and policies laid out in the security policies and plans,
and reporting to the data owner.
Data Responsibilities

● Data trustees: appointed by data owners to oversee the management of a
particular set of information and to coordinate with data custodians for its
storage, protection, and use
● Data users: have access to information and thus an information security role
Simply put:
Data owner: the one who sets the rules and policies.
Data custodian: the one who enforces the rules and protects the data.
Data trustee: the one who coordinates between the owner and the custodian.
Data user: the one who uses the data, but must follow the rules.
Knowledge Check Activity 3

Which group in the organization is appointed by data owners to oversee the
management of a particular set of information and to coordinate with data
custodians for its storage, protection, and use?
a. Data owners
b. Data custodian
c. Data trustee
d. Data user
Knowledge Check Activity 3: Answer

Which group in the organization is appointed by data owners to oversee the
management of a particular set of information and to coordinate with data
custodians for its storage, protection, and use?

Answer: C. Data trustee


Only this selection is correct since data owners would not appoint themselves,
data custodians are responsible for the infrastructure that supports information
processing in general, and data users do not have the responsibilities listed.
Communities of Interest

● Group of individuals united by similar interests/values within an organization
○ Information security management and professionals
○ Information technology management and professionals
○ Organizational management and professionals
Information Security: Is It an Art or a Science?

● Implementation of information security is often described as a combination of art
and science.
● “Security artisan” idea: based on the way individuals perceive system
technologists and their abilities
● Security as art: no hard and fast rules nor many universally accepted complete
solutions; no manual for implementing security through entire system
● Security as science: technology is developed by scientists and engineers;
specific conditions cause virtually all actions in computer systems; almost every
security issue is a result of the interaction of specific hardware and software;
with sufficient time, developers could resolve all faults.
Security as a Social Science

● Social science examines the behavior of individuals interacting with systems.
● Security begins and ends with the people that interact with the system,
intentionally or otherwise.
● End users that need the very information the security personnel are trying to
protect may be the weakest link in the security chain.
● By understanding some of the behavioral aspects of organizational science and
change management, security administrators can greatly reduce the levels of
risk caused by end users and create more acceptable and supportable security
profiles.
Summary (1 of 4)

● Information security evolved from the early field of computer security.
● Security is protection from danger. There are many types of security: physical
security, personal security, operations security, communications security,
national security, and network security, to name a few.
● Information security is the protection of information assets that use, store, or
transmit information through the application of policy, education, and technology.
● The critical characteristics of information, including confidentiality, integrity, and
availability (the C.I.A. triad), must be protected at all times. This protection is
implemented by multiple measures that include policies, education, training and
awareness, and technology.
Summary (2 of 4)

● Information systems are made up of the major components of hardware,
software, data, people, procedures, and networks.
● Upper management drives the top-down approach to security implementation, in
contrast with the bottom-up approach or grassroots effort, in which individuals
choose security implementation strategies.
Summary (3 of 4)

● The control and use of data in the organization is accomplished by the following
parties:
○ Data owners, who are responsible for the security and use of a particular set
of information
○ Data custodians, who are responsible for the storage, maintenance, and
protection of the information
○ Data trustees, who are appointed by data owners to oversee the
management of a particular set of information and to coordinate with data
custodians for its storage, protection, and use
○ Data users, who work with the information to perform their daily jobs and
support the mission of the organization
Summary (4 of 4)

● Each organization has a culture in which communities of interest are united by
similar values and share common objectives. The three communities in
information security are general management, IT management, and
information security management.
● Information security has been described as both an art and a science, and it
comprises many aspects of social science as well.
Self-Assessment

● What is information security?
● How has the concept of security for the use of computer systems changed over
time?
● Information has many characteristics. What are the most critical of these
characteristics that need to be kept secure?
