INFORMATION SECURITY CSC-440

WHAT IS SECURITY

• The protection of information and its critical elements,

including systems and hardware that use, store, and transmit
that information.
• Includes information security management, data
security, and network security
• C.I.A. triad
– Is a standard based on confidentiality, integrity, and
availability, now viewed as insufficient.
– Expanded model consists of a list of critical
characteristics of information.
WHAT IS SECURITY Include
WHAT IS SECURITY
 WHAT IS SECURITY

• The protection of information and its critical elements,

including systems and hardware that use, store, and transmit
that information.
• Includes information security management, data
security, and network security
• C.I.A. triad
– Is a standard based on confidentiality, integrity, and
availability, now viewed as insufficient.
– Expanded model consists of a list of critical
characteristics of information.
KEY INFORMATION SECURITY CONCEPTS
• Access:
➢ Authorized users have legal access to a system, whereas
hackers have illegal access to a system.
➢ Access controls regulate this ability.
• Asset:
➢ The organizational resource that is being protected. An asset
can be logical, such as a Web site, information, or data; or an
asset can be physical, such as a person, computer system, or
other tangible object.
➢ Assets, and particularly information assets, are the focus of
security efforts; they are what those efforts are attempting to
protect.
KEY INFORMATION SECURITY CONCEPTS
• Attack
➢ An intentional or unintentional act that can cause damage to
or otherwise compromise information and/or the systems that
support it.
➢ Attacks can be active or passive, intentional or unintentional,
and direct or indirect.
• Control, safeguard, or countermeasure
➢ Security mechanisms, policies, or procedures that can
successfully counter attacks, reduce risk, resolve
vulnerabilities, and otherwise improve the security within an
organization.
• Exploit
➢ Threat agents may attempt to exploit a system or other
information asset by using it illegally for their personal gain.
KEY INFORMATION SECURITY CONCEPTS
• Exposure
➢ A condition or state of being exposed. In information security,
exposure exists when a weakness known to an attacker is
present.
• Loss
➢ A single instance of an information asset suffering damage or
unintended or unauthorized modification or disclosure.
➢ When an organization’s information is stolen, it has suffered a
loss.
• Protection profile or security posture
➢ The entire set of controls and safeguards, including policy,
education, training and awareness, and technology, that the
organization implements (or fails to implement) to protect the
asset.
KEY INFORMATION SECURITY CONCEPTS
• Risk
➢ The probability that something unwanted will happen.
➢ Organizations must minimize risk to match their risk
desire—the quantity and nature of risk the organization is
willing to accept.
• Subjects and objects of attack
➢ A computer can be either the subject of an attack—an agent
entity used to conduct the attack—or the object of an attack—
the target entity.
• Threat
➢ A category of objects, persons, or other entities that presents
a danger to an asset. Threats are always present and can be
purposeful or undirected.
KEY INFORMATION SECURITY CONCEPTS
• Threat agent
➢ The specific instance or a component of a threat.
• Vulnerability
➢ A weakness or fault in a system or protection mechanism that
opens it to attack or damage. Some examples of
vulnerabilities are a flaw in a software package, an
unprotected system port, and an unlocked do.
KEY INFORMATION SECURITY CONCEPTS
• A computer can be the subject of an attack and/or the
object of an attack.
– When it is the subject of an attack, the computer is used
as an active tool to conduct the attack.
– When it is the object of an attack, the computer is the
entity being attacked.
 CRITICAL CHARACTERISTICS OF
INFORMATION
• The value of information comes from the
characteristics it possesses/owns.
• When a characteristic of information changes, the value
of that information either increases or, more commonly,
decreases.
• Some characteristics affect information’s value to users
more than others do.
• This can depend on circumstances; for example, the
appropriateness of information can be a critical factor,
because information loses much or all of its value when
it is delivered too late.
 CRITICAL CHARACTERISTICS OF
INFORMATION
• The value of information comes from the characteristics
it possesses:
– Availability: Availability allows authorized users'
persons or computer systems to access information
without interference or obstacle and to receive it in
the required format.
– Accuracy: Information is accurate when it is free
from mistakes or errors and has the value that the
end user expects.
 CRITICAL CHARACTERISTICS OF
INFORMATION
– Authenticity: Authenticity of information is the
quality or state of being genuine or original, rather
than a reproduction or fabrication.
– Information is authentic when it is in the same state
in which it was created, placed, stored, or
transferred.
– Email spoofing is a threat that involves sending
email messages with a fake sender address. Email
protocols cannot, on their own, authenticate the
source of an email. Therefore, it is relatively easy for
a spammer or other malicious actors to change the
metadata of an email.
 CRITICAL CHARACTERISTICS OF
INFORMATION
– Confidentiality: Information is confidential when it
is protected from disclosure or exposure to
unauthorized individuals or systems.
– Confidentiality ensures that only those with the
rights and privileges to access information can do so.
– When unauthorized individuals or systems can view
information, confidentiality is breached.
– Integrity: Information has integrity when it is
whole, complete, and uncorrupted. The integrity of
information is threatened when the information is
exposed to corruption damage, destruction, or other
disruption of its authentic state.
 CRITICAL CHARACTERISTICS OF
INFORMATION

– Utility: The utility of information is the quality or

state of having value for some purpose or end.
Information has value when it can serve a purpose.
– If information is available, but is not in a format
meaningful to the end user, it is not useful.
– Possession: The possession/ownership of information
is the quality or state of ownership or control.
– Information is said to be in one’s possession if one
obtains it, independent of format or other
characteristics.
 CNSS SECURITY MODEL
➢ CNSS (Committee on National Security Systems) is
a three-dimensional security model that has become a
standard security model for many currently operating
information systems.
➢ The CNSS model has three key goals of security:
Confidentiality, Integrity, and Availability
➢ Also called National Training Standard for
Information Systems Security Professionals
NSTISSI.
 CNSS SECURITY MODEL
➢ It was created by John McCumber in 1991.
➢ Provides a graphical representation of the
architectural approach widely used in computer and
information security, now called McCumber Cube.
➢ Three dimensions of each axis become a 3*3* 3 cube
with 27 cells representing areas that must be
addressed to secure today’s information systems.
➢ To ensure system security, each of the 27 areas must
be properly addressed during the security process.
CNSS SECURITY MODEL
 COMPONENTS OF AN INFORMATION
SYSTEMS
➢ Information systems are collections of multiple
information resources to gather, process, store, and
disseminate information.
➢ Examples:
•Transaction Processing System
•Management Information System
•Customer Relationship Systems
•Decision Support System
•Office Automation System
•Business Intelligence Systems
•Knowledge Management Systems
•Enterprise Collaboration System
COMPONENTS OF AN INFORMATION
SYSTEMS
 COMPONENTS OF AN
INFORMATION SYSTEM
• Information system (IS) is the entire set of people,
procedures, and technology that enable business to use
information.
– Software
– Hardware
– Data
– People
– Procedures
– Networks
 BALANCING INFORMATION
SECURITY AND ACCESS
➢ Recall James Anderson’s statement from the
beginning “The need to balance security and access”.
➢ Information security cannot be complete: it is a
process, not a goal.
➢ It is possible to make a system available to anyone,
anywhere, anytime, through any means.
➢ To achieve balance, the level of security must
allow reasonable access, yet protect against
threats.
 BALANCING INFORMATION
SECURITY AND ACCESS

chief information security officer

 APPROACHES TO INFORMATION
SECURITY IMPLEMENTATION
Bottom-Up Approach:
• Grassroots (Popular) effort: Systems
administrators attempt to improve the security of
their systems.
• Key advantage: technical expertise of
individual administrators
• Seldom works, as it lacks several critical features:
– Participant support
– Organizational staying power
 APPROACHES TO INFORMATION
SECURITY IMPLEMENTATION
Top Down Approach:
➢ Initiated by upper management
➢ Issue policy, procedures, and processes
➢ Order goals and expected outcomes of the project
➢ Determine accountability for each required action
➢ The most successful type of top-down approach also
involves a formal development strategy referred to
as a systems development life cycle.
APPROACHES TO INFORMATION
SECURITY IMPLEMENTATION
 SECURITY IN THE SYSTEMS
Include DEVELOPMENT LIFE
CYCLE
Systems development life cycle (SDLC):
• A methodology for the design and implementation of an
information system
• Methodology: a formal approach to solving a
problem based on a structured sequence of
procedures
• Using a methodology:
– Ensures a rigorous process with a clearly defined goal
– Increases probability of success
SECURITY IN THE SYSTEMS DEVELOPMENT
LIFE CYCLE
 INVESTIGATION

• What problem is the system being developed

to solve?
• Objectives, constraints, and scope of project are
specified.
• Preliminary cost-benefit analysis is developed.
• At the end of all phases, a process is undertaken to
assess economic, technical, and behavioral
feasibilities and ensure implementation is worth
the time and effort.
 ANALYSIS
• Consists of assessments of:
– The organization
– Current systems
– Capability to support proposed systems
• Analysts determine what the new system is expected to
do and how it will interact with existing systems.
• Analysis ends with documentation of findings and an
update of feasibility.
 LOGICAL DESIGN
• The first and driving factor is the business need.
– Applications are selected to provide needed services.
• Data support and structures capable of providing the
needed inputs are identified.
• Specific technologies are defined to implement the
physical solution.
• Analysts generate estimates of costs and benefits to
compare available options.
• Feasibility analysis is performed at the end.
 PHYSICAL
DESIGN
• Specific technologies are selected to support the
alternatives identified and evaluated in the logical
design.
• Selected components are evaluated on make-or-buy
decisions.
• Feasibility analysis is performed.
• The entire solution is presented to the
organization’s management for approval.
 IMPLEMENTATION

• Needed software is created.

• Components are ordered, received, and tested.
• Users are trained and supporting documentation is
created.
• Feasibility analysis is prepared.
– Sponsors are presented with the system for a
performance review and acceptance test.
 MAINTENANCE AND CHANGE
• Longest and most expensive phase.
• Consists of the tasks necessary to support and modify
the system for the remainder of its useful life
• The life cycle continues until the team determines the
process should begin again from the investigation
phase
• When the current system can no longer support the
organization’s mission, a new project is implemented
THE NIST APPROACH TO SECURING THE SDLC

• NIST Special Publication 800-64, rev. 2, maintains that

early integration of security in the SDLC enables
agencies to maximize return on investment through:
– Early identification and mitigation of
security vulnerabilities and
misconfigurations
– Awareness of potential engineering challenges
– Identification of shared security services and reuse of
security strategies and tools
– Facilitation of informed executive decision-making
 THE NIST APPROACH: INITIATION
• Security at this point is looked at in terms of
business risks, with information security office
providing input.
• Key security activities include:
– Delineation of business requirements in terms of
confidentiality, integrity, and availability
– Determination of information categorization and
identification of known special handling requirements
to transmit, store, or create information
– Determination of any privacy requirements
 THE NIST APPROACH:
INITIATION
• Security at this point is looked at in terms of
business risks, with information security office
providing input.
• Key security activities include:
– Definition of business requirements in terms of
confidentiality, integrity, and availability
– Determination of information categorization and
identification of known special handling requirements
to transmit, store, or create information
– Determination of any privacy requirements
 THE NIST APPROACH:
DEVELOPMENT/ACQUISITION

• Key security activities include:

– Conducting risk assessment and using results to
supplement baseline security controls
– Analyzing security requirements
– Performing functional and security testing
– Preparing initial documents for system certification and
accreditation
– Designing security architecture
 THE NIST APPROACH:
IMPLEMENTATION/ASSESSMENT

• System is installed and evaluated in operational

environment.
• Key security activities include:
– Integrating information system into its environment
– Planning and conducting system certification
activities in synchronization with testing of security
controls
– Completing system accreditation activities
 THE NIST APPROACH: OPERATIONS
AND MAINTENANCE
• Systems are in place and operating, enhancements and/or
modifications to the system are developed and tested, and
hardware and/or software are added or replaced.
• Key security activities include:
– Conducting operational readiness review
– Managing configuration of system
– Instituting process and procedure for assured
operations and continuous monitoring of information
system’s security controls
– Performing reauthorization as required
 THE NIST APPROACH:
DISPOSAL
• Provides for disposal of system and closeout of any
contracts in place
• Key security activities include:
– Building and executing disposal/transition plan
– Archival of critical information
– Sanitization of media
– Disposal of hardware and software

end
 SECURITY PROFESSIONALS AND
start THE ORGANIZATION

• Wide range of professionals are required to support a

diverse information security program.
• Senior management is the key component.
• Additional administrative support and technical expertise
are required to implement details of the IS program.
 SENIOR MANAGEMENT

• Chief information officer (CIO)

– Senior technology officer
– Primarily responsible for advising the senior
executives on strategic planning
• Chief information security officer (CISO)
– Has primary responsibility for assessment,
management, and implementation of IS in the
organization
– Usually reports directly to the CIO
 INFORMATION SECURITY
PROJECT TEAM

• A small functional team of people who are

experienced in one or multiple facets of required
technical and nontechnical areas:
– Champion
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
 DATA RESPONSIBILITIES
• Data owners: senior management responsible for the
security and use of a particular set of information
• Data guardians: responsible for the information and
systems that process, transmit, and store it
• Data users: individuals with an information security
role
 COMMUNITIES OF INTEREST

• Group of individuals united by similar

interests/values within an organization
– Information security management and professionals
– Information technology management and
professionals
– Organizational management and professionals
 INFORMATION SECURITY: IS IT AN
ART OR A SCIENCE?

• Implementation security is often described as

a combination of art and science.
• ―Security artisan's idea: based on how individuals
perceive system technologists on of inform and
their abilities.
 SECURITY AS ART

• No hard and fast rules nor many universally

accepted complete solutions
• No manual for implementing security throughout the
entire system
 SECURITY AS SCIENCE
• Dealing with technology designed for
rigorous performance levels.
• Specific conditions cause virtually all
actions in computer systems.
• Almost every fault, security hole, and
system malfunction is a result of the
interaction of specific hardware and
software.
• If developers had sufficient time, they could
resolve and eliminate faults.
 you know there is a tool for hacking created by israel, call ati hai, ap attend kro
ya nai, no matter, only missed call, and your phone hacked, used by high, very
gigh author
SECURITY AS A SOCIAL
SCIENCE

• Social science examines the behavior of individuals

interacting with systems.
• Security begins and ends with the people that interact
with the system, intentionally or otherwise.
• Security administrators can greatly reduce the levels of
risk caused by end users and create more
acceptable and supportable security profiles.